Trying to make bind secure

Ronan Flood ronan at noc.ulcc.ac.uk
Tue Apr 26 17:53:38 UTC 2005


(I'm top-posting because the quote is so large)

Your global `allow-query { trusted; };` in `options` is inherited by every
view and zone that does not override it, so the external-in view only
answers the "trusted" networks and everyone else gets REFUSED -- which is
why named starts fine but "wont give out any information".  Either remove
`allow-query` from `options` and set it per view (`allow-query { trusted; };`
in internal-in, `allow-query { any; };` in external-in), or keep the global
default and override it with `allow-query { any; };` in the external view.
Because external-in already has `recursion no;` and only carries your
authoritative (slave) zones, opening it to `any` does not turn the box back
into an open resolver; the "trusted" restriction only matters on the
recursive internal-in view.

Also, your slaved zones are only defined in external-in, so a client that
matches internal-in gets no authoritative answer for your own domains: the
internal view will recurse for them and, if the public NS records point back
at this server, end up querying its own external view.  Define the slaved
zones in internal-in as well.  Each view needs its own zone statement with a
distinct `file` name -- BIND 9 warns when two zones (even in different views)
write to the same slave file, and they can clobber each other.

Two typos while you are in there: the reverse zone is spelt
`0.0.127.in-addr-arpa` (hyphen) instead of `0.0.127.in-addr.arpa`, so it will
never be used for 127.0.0.x lookups; and zone "kesda.org" points at
`kesday.org.bk` -- harmless as long as only that zone uses the file, but
worth making consistent.  Finally, a hard-coded bogon list goes stale as
IANA allocates space (1.0.0.0/8 in particular), so either keep it in step
with the Team Cymru bogon reference or blackhole only the permanently
reserved ranges (RFC1918, 169.254/16, multicast) and let the rest through.


On Mon, 25 Apr 2005 16:08:02 -0400,
"Ronald I. Nutter" <ronald_nutter at georgetowncollege.edu> wrote:

> I am trying to make my bind server secure according to
> http://www.cymru.com/Documents/secure-bind.template.html.  I have tried
> to follow it but when I start bind (v9.3.0) using the file I have
> created, bind starts but wont give out any information.  Here is my
> file.  I would appreciate any suggestions -
> 
> acl "xfer" {
>         none;
> };
> 
> acl "trusted" {
>         68.208.176.0/24;
>         68.208.177.0/24;
>         68.208.178.0/24;
>         68.208.179.0/24;
>         68.208.180.0/24;
>         localhost;
> };
> 
> acl "bogon" {
>         // Filter out BOGON networks.  These are networks listed by IANA
>         // as test, RFC1918, Multicast, experimental, etc.
>         0.0.0.0/8;
>         1.0.0.0/8;
>         10.0.0.0/8;
>         169.254.0.0/16;
>         172.16.0.0/12;
>         192.168.0.0/16;
>         224.0.0.0/3;
> };
> 
> // Set options for security
> options {
>         directory "/var/named";
>         pid-file "/var/named/named.pid";
>         statistics-file "/var/named/named.stats";
>         dump-file "/var/adm/named.dump";
>         zone-statistics yes;
>         // Prevent Dos attacks
>         notify no;
>         // Efficient zone transfers
>         transfer-format many-answers;
>         // Max zone transfer time
>         max-transfer-time-in 60;
>         // Disable interface status check
>         interface-interval 0;
> 
>         allow-transfer {
>                 // Zone transfers limited to members of "xfer" ACL
>                 xfer;
>         };
> 
>         allow-query {
>                 // Allow queries from "trusted" ACL. Turns off free DNS
> server.
>                 trusted;
>         };
> 
>         blackhole {
>                 // Deny anything from the bogon networks
>                 bogon;
>         };
> };
> 
> view "internal-in" in {
>         // Internal "Trusted" view.  Allow free access from internal
> networks
> 
>         match-clients { trusted; };
>         recursion yes;
>         additional-from-auth yes;
>         additional-from-cache yes;
> 
>         zone "." in {
>                 // Link in the root server hint file.
>                 type hint;
>                 file "db.cache";
>         };
> 
>         zone "0.0.127.in-addr-arpa" in {
>                 // Allow queries for 127/8 networks but not zone
> transfers
>                 type master;
>                 file "master/db.127.0.0";
> 
>                 allow-query {
>                         any;
>                 };
> 
>                 allow-transfer {
>                         none;
>                 };
>         };
> 
> };
> 
> view "external-in" in {
>         // External "Untrusted" view.  Client access is permitted but no
> recursion
> 
>         match-clients { any; };
>         recursion no;
>         additional-from-auth no;
>         additional-from-cache no;
> 
>         // Link in our zones
>         zone "georgetowncollege.edu" {
>                 type slave;
>                 file "georgetowncollege.edu.bk";
>                 masters { 68.208.176.2; };
>         };
> 
>         zone "ethic.org" {
>                 type slave;
>                 file "ethic.org.bk";
>                 masters { 68.208.176.2; };
>         };
> 
>         zone "fskentucky.org" {
>                 type slave;
>                 file "fskentucky.org.bk";
>                 masters { 68.208.176.2; };
>         };
> 
>         zone "ka4kyi.com" {
>                 type slave;
>                 file "ka4kyi.com.bk";
>                 masters { 68.208.176.2; };
>         };
> 
>         zone "kacrao.com" {
>                 type slave;
>                 file "kacrao.com.bk";
>                 masters { 68.208.176.2; };
>         };
> 
>         zone "nacu.org" {
>                 type slave;
>                 file "nacu.org.bk";
>                 masters { 68.208.176.2; };
>         };
> 
>         zone "signsofhistory.com" {
>                 type slave;
>                 file "signsofhistory.com.bk";
>                 masters { 68.208.176.2; };
>         };
> 
>         zone "meetinghouse.net" {
>                 type slave;
>                 file "meetinghouse.net.bk";
>                 masters { 68.208.176.2; };
>         };
> 
>         zone "gtown.org" {
>                 type slave;
>                 file "gtown.org.bk";
>                 masters { 68.208.176.2; };
>         };
> 
>         zone "kesda.org" {
>                 type slave;
>                 file "kesday.org.bk";
>                 masters { 68.208.176.2; };
>         };
> };
> 
> // Create a view for all cients perusing the CHAOS class.  Good from a
> support standpoint
> 
> view "external-chaos" chaos {
>         match-clients { any; };
>         recursion no;
> 
>         zone "." {
>                 type hint;
>                 file "/dev/null";
>         };
> 
>         zone "bind" {
>                 type master;
>                 file "master/db.bind";
> 
>                 allow-query {
>                         trusted;
>                 };
> 
>                 allow-transfer {
>                         none;
>                 };
>         };
> };
-- 
                      Ronan Flood <R.Flood at noc.ulcc.ac.uk>
                        working for but not speaking for
             Network Services, University of London Computer Centre
     (which means: don't bother ULCC if I've said something you don't like)


