Trying to make bind secure
Ronald I. Nutter
ronald_nutter at georgetowncollege.edu
Mon Apr 25 20:08:02 UTC 2005
I am trying to make my bind server secure according to
http://www.cymru.com/Documents/secure-bind.template.html. I have tried
to follow it but when I start bind (v9.3.0) using the file I have
created, bind starts but wont give out any information. Here is my
file. I would appreciate any suggestions -
acl "xfer" {
none;
};
acl "trusted" {
68.208.176.0/24;
68.208.177.0/24;
68.208.178.0/24;
68.208.179.0/24;
68.208.180.0/24;
localhost;
};
acl "bogon" {
// Filter out BOGON networks. These are networks listed by IANA
// as test, RFC1918, Multicast, experimental, etc.
0.0.0.0/8;
1.0.0.0/8;
10.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
192.168.0.0/16;
224.0.0.0/3;
};
// Set options for security
options {
directory "/var/named";
pid-file "/var/named/named.pid";
statistics-file "/var/named/named.stats";
dump-file "/var/adm/named.dump";
zone-statistics yes;
// Prevent Dos attacks
notify no;
// Efficient zone transfers
transfer-format many-answers;
// Max zone transfer time
max-transfer-time-in 60;
// Disable interface status check
interface-interval 0;
allow-transfer {
// Zone transfers limited to members of "xfer" ACL
xfer;
};
allow-query {
// Allow queries from "trusted" ACL. Turns off free DNS
server.
trusted;
};
blackhole {
// Deny anything from the bogon networks
bogon;
};
};
view "internal-in" in {
// Internal "Trusted" view. Allow free access from internal
networks
match-clients { trusted; };
recursion yes;
additional-from-auth yes;
additional-from-cache yes;
zone "." in {
// Link in the root server hint file.
type hint;
file "db.cache";
};
zone "0.0.127.in-addr-arpa" in {
// Allow queries for 127/8 networks but not zone
transfers
type master;
file "master/db.127.0.0";
allow-query {
any;
};
allow-transfer {
none;
};
};
};
view "external-in" in {
// External "Untrusted" view. Client access is permitted but no
recursion
match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;
// Link in our zones
zone "georgetowncollege.edu" {
type slave;
file "georgetowncollege.edu.bk";
masters { 68.208.176.2; };
};
zone "ethic.org" {
type slave;
file "ethic.org.bk";
masters { 68.208.176.2; };
};
zone "fskentucky.org" {
type slave;
file "fskentucky.org.bk";
masters { 68.208.176.2; };
};
zone "ka4kyi.com" {
type slave;
file "ka4kyi.com.bk";
masters { 68.208.176.2; };
};
zone "kacrao.com" {
type slave;
file "kacrao.com.bk";
masters { 68.208.176.2; };
};
zone "nacu.org" {
type slave;
file "nacu.org.bk";
masters { 68.208.176.2; };
};
zone "signsofhistory.com" {
type slave;
file "signsofhistory.com.bk";
masters { 68.208.176.2; };
};
zone "meetinghouse.net" {
type slave;
file "meetinghouse.net.bk";
masters { 68.208.176.2; };
};
zone "gtown.org" {
type slave;
file "gtown.org.bk";
masters { 68.208.176.2; };
};
zone "kesda.org" {
type slave;
file "kesday.org.bk";
masters { 68.208.176.2; };
};
};
// Create a view for all cients perusing the CHAOS class. Good from a
support standpoint
view "external-chaos" chaos {
match-clients { any; };
recursion no;
zone "." {
type hint;
file "/dev/null";
};
zone "bind" {
type master;
file "master/db.bind";
allow-query {
trusted;
};
allow-transfer {
none;
};
};
};
--------------------------------------------------------------------
Ron Nutter ron_nutter at georgetowncollege.edu=20
Network Infrastructure & Security Manager
Information Technology Services (502)863-7002
Georgetown College =20
Georgetown, KY 40324-1696
--------------------------------------------------------------------
=20
More information about the bind-users
mailing list