Bind 8 hardening {Scanned}
phn at icke-reklam.ipsec.nu
Thu Dec 30 13:19:08 UTC 2004
SW <wppiphoto at wppi.com> wrote:
> Hi folks,
> I'm in the process of setting up 2 dns servers and after reading various
> docs, I'm hoping someone can take a look at my /etc/named.conf's below and
> tell me if I have everything I need to keep my servers safe from the various
> bind exploits. The goal is to allow internal clients access and allow the
> world to be able to resolve local domains (i.e. our website, mail, etc).
> Anything else I want to block without breaking bind.
> Master 100.168.100.10 /etc/named.conf:
>
> acl internal { 192.168.100/24; 100.168.100/24; };
> acl slaves { 100.168.100.50; };
> options {
>     directory "/hsphere/local/var/named";
>     listen-on { 127.0.0.1; 100.168.100.10; };
>     allow-transfer { 100.168.100.50; };
>     allow-query { internal; };
>     allow-recursion { internal; };
>     recursion no;
>     fetch-glue no;
>     use-id-pool yes;
>     version "NA";
>     transfer-source 127.0.0.1;
>     pid-file "/hsphere/local/var/named/named.pid";
> };
> Slave 100.168.100.50 /etc/named.conf:
As a non-DNS issue but still important: you should not use
IP 100.168.100.50, it's unassigned and will very likely hit
you in the future. Use "real" assigned ones or RFC 1918 ones.
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
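Editor's added example, not part of the original post or of the reply above: a master/slave named.conf pair that reaches the goal stated in the question (internal clients get recursion, the rest of the world can only resolve the locally authoritative zones, only the named slave can pull the zone). It uses only directives that exist in both BIND 8.2+ and BIND 9, so the two BIND 8-only options in the posted config are left out on purpose: fetch-glue and use-id-pool are rejected by BIND 9. Two things in the posted config work against its stated goal and are handled differently here: recursion no turns recursion off for everyone, internal clients included, so allow-recursion { internal; } never comes into play; and a global allow-query { internal; } stops the world from querying the local zones unless each authoritative zone overrides it. transfer-source on the master is also dropped: it only sets the source address for transfer requests this server sends out, and 127.0.0.1 cannot reach a remote master. Addresses, the zone name and the TSIG key are assumptions chosen from RFC 1918 / TEST-NET ranges, following the advice in the reply: 192.168.100.0/24 is the LAN, 192.0.2.10 the master, 192.0.2.50 the slave, example.com the local zone.

```conf
// Added example configuration, not from the original post.
// Assumed addresses: LAN 192.168.100.0/24, master 192.0.2.10,
// slave 192.0.2.50 (RFC 1918 / TEST-NET). Assumed zone: example.com.
// Only directives common to BIND 8.2+ and BIND 9 are used.

// ---------------- master: /etc/named.conf on 192.0.2.10 ----------------
acl internal { 127.0.0.1; 192.168.100.0/24; 192.0.2.0/24; };
acl slaves   { 192.0.2.50; };

// TSIG key shared with the slave. Generate the secret with dnssec-keygen
// (BIND 9) or dnskeygen (BIND 8); the value below is a placeholder.
key "master-slave" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-SECRET";
};
// Sign everything we send to the slave (NOTIFY) with that key.
server 192.0.2.50 { keys { "master-slave"; }; };

options {
    directory "/var/named";
    pid-file  "/var/run/named.pid";
    listen-on { 127.0.0.1; 192.0.2.10; };
    version   "not disclosed";

    // Recursion stays ON, but only the internal ACL may use it, and the
    // global allow-query keeps outsiders away from the cache entirely.
    // Each authoritative zone below overrides allow-query so the world
    // can still resolve our own names.
    recursion yes;
    allow-recursion { internal; };
    allow-query     { internal; };

    // Default: nobody may pull a zone; the zone statement opens it up
    // for the slave only.
    allow-transfer { none; };
    notify yes;
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
    allow-query    { any; };                 // public authoritative data
    allow-transfer { key "master-slave"; };  // AXFR must be TSIG-signed
    also-notify    { 192.0.2.50; };
};

// ---------------- slave: /etc/named.conf on 192.0.2.50 -----------------
acl internal { 127.0.0.1; 192.168.100.0/24; 192.0.2.0/24; };

key "master-slave" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-SECRET";     // same secret as the master
};
// Sign transfer requests to the master with the shared key.
server 192.0.2.10 { keys { "master-slave"; }; };

options {
    directory "/var/named";
    pid-file  "/var/run/named.pid";
    listen-on { 127.0.0.1; 192.0.2.50; };
    version   "not disclosed";
    recursion yes;
    allow-recursion { internal; };
    allow-query     { internal; };
    allow-transfer  { none; };
    // Source address for the AXFR/IXFR requests this server sends out.
    // It must be an address the master can reach and has in its ACL;
    // 127.0.0.1 here would break every transfer.
    transfer-source 192.0.2.50;
};

zone "example.com" {
    type slave;
    file "slave/example.com.zone";
    masters        { 192.0.2.10; };
    allow-query    { any; };
    allow-transfer { none; };   // the slave never re-serves the zone
};
```

To check the result from a host outside the internal ACL: dig @192.0.2.10 example.com SOA must return the zone's SOA, dig @192.0.2.10 www.example.net A must come back REFUSED (no recursion for outsiders), and dig @192.0.2.10 example.com AXFR without the key must also be refused, while the same AXFR from 192.0.2.50 signed with the key (dig -y) succeeds. On BIND 9, named-checkconf /etc/named.conf catches syntax errors before a restart; BIND 8 has no equivalent, so watch the syslog output on reload.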