Trying to make bind secure
Ronan Flood
ronan at noc.ulcc.ac.uk
Tue Apr 26 17:53:38 UTC 2005
(I'm top-posting because the quote is so large)
Doesn't your allow-query {trusted;} in the global options apply to everything, including the external view?
I think you need to either remove that allow-query from
the general options, or have an allow-query {any;} in the
external view(s).
Also, you might need to include your slaved zones in the
internal view as well as the external one.
On Mon, 25 Apr 2005 16:08:02 -0400,
"Ronald I. Nutter" <ronald_nutter at georgetowncollege.edu> wrote:
> I am trying to make my bind server secure according to
> http://www.cymru.com/Documents/secure-bind.template.html. I have tried
> to follow it but when I start bind (v9.3.0) using the file I have
> created, bind starts but won't give out any information. Here is my
> file. I would appreciate any suggestions -
>
> acl "xfer" {
> none;
> };
>
> acl "trusted" {
> 68.208.176.0/24;
> 68.208.177.0/24;
> 68.208.178.0/24;
> 68.208.179.0/24;
> 68.208.180.0/24;
> localhost;
> };
>
> acl "bogon" {
> // Filter out BOGON networks. These are networks listed by IANA
> // as test, RFC1918, Multicast, experimental, etc.
> 0.0.0.0/8;
> 1.0.0.0/8;
> 10.0.0.0/8;
> 169.254.0.0/16;
> 172.16.0.0/12;
> 192.168.0.0/16;
> 224.0.0.0/3;
> };
>
> // Set options for security
> options {
> directory "/var/named";
> pid-file "/var/named/named.pid";
> statistics-file "/var/named/named.stats";
> dump-file "/var/adm/named.dump";
> zone-statistics yes;
> // Prevent DoS attacks
> notify no;
> // Efficient zone transfers
> transfer-format many-answers;
> // Max zone transfer time
> max-transfer-time-in 60;
> // Disable interface status check
> interface-interval 0;
>
> allow-transfer {
> // Zone transfers limited to members of "xfer" ACL
> xfer;
> };
>
> allow-query {
> // Allow queries from "trusted" ACL. Turns off free DNS server.
> trusted;
> };
>
> blackhole {
> // Deny anything from the bogon networks
> bogon;
> };
> };
>
> view "internal-in" in {
> // Internal "Trusted" view. Allow free access from internal networks
>
> match-clients { trusted; };
> recursion yes;
> additional-from-auth yes;
> additional-from-cache yes;
>
> zone "." in {
> // Link in the root server hint file.
> type hint;
> file "db.cache";
> };
>
> zone "0.0.127.in-addr-arpa" in {
> // Allow queries for 127/8 networks but not zone transfers
> type master;
> file "master/db.127.0.0";
>
> allow-query {
> any;
> };
>
> allow-transfer {
> none;
> };
> };
>
> };
>
> view "external-in" in {
> // External "Untrusted" view. Client access is permitted but no recursion
>
> match-clients { any; };
> recursion no;
> additional-from-auth no;
> additional-from-cache no;
>
> // Link in our zones
> zone "georgetowncollege.edu" {
> type slave;
> file "georgetowncollege.edu.bk";
> masters { 68.208.176.2; };
> };
>
> zone "ethic.org" {
> type slave;
> file "ethic.org.bk";
> masters { 68.208.176.2; };
> };
>
> zone "fskentucky.org" {
> type slave;
> file "fskentucky.org.bk";
> masters { 68.208.176.2; };
> };
>
> zone "ka4kyi.com" {
> type slave;
> file "ka4kyi.com.bk";
> masters { 68.208.176.2; };
> };
>
> zone "kacrao.com" {
> type slave;
> file "kacrao.com.bk";
> masters { 68.208.176.2; };
> };
>
> zone "nacu.org" {
> type slave;
> file "nacu.org.bk";
> masters { 68.208.176.2; };
> };
>
> zone "signsofhistory.com" {
> type slave;
> file "signsofhistory.com.bk";
> masters { 68.208.176.2; };
> };
>
> zone "meetinghouse.net" {
> type slave;
> file "meetinghouse.net.bk";
> masters { 68.208.176.2; };
> };
>
> zone "gtown.org" {
> type slave;
> file "gtown.org.bk";
> masters { 68.208.176.2; };
> };
>
> zone "kesda.org" {
> type slave;
> file "kesday.org.bk";
> masters { 68.208.176.2; };
> };
> };
>
> // Create a view for all clients perusing the CHAOS class. Good from a support standpoint
>
> view "external-chaos" chaos {
> match-clients { any; };
> recursion no;
>
> zone "." {
> type hint;
> file "/dev/null";
> };
>
> zone "bind" {
> type master;
> file "master/db.bind";
>
> allow-query {
> trusted;
> };
>
> allow-transfer {
> none;
> };
> };
> };
--
Ronan Flood <R.Flood at noc.ulcc.ac.uk>
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)