First time DNS setup

Kevin Darcy kcd at daimlerchrysler.com
Sat Feb 12 01:04:26 UTC 2005


You should generally stay away from forwarding, if you have any choice 
in the matter.

Double-check that your hints file is current.

named will by default listen on all configured interfaces, so unless you 
have other interfaces that you specifically *don't* want named to listen 
on, you don't need that listen-on statement. Also, if you have no 
dynamic interfaces, you could set "interface-interval 0" in your 
"options" block to stop named from periodically scanning for them.

"query-source * port 53" is unnecessary unless you have to circumvent 
some sort of firewall issue.

Obscuring your version number, although often touted as a sensible 
security measure, really does little to hide your version from the 
curious, since they can just run "fingerprinting" utilities against your 
server. But if it gives one a _feeling_ of security, hey, who am I to 
recommend against it?

The default is for named to honor recursion to all clients. You probably 
don't want this on an Internet-facing box, since it means people could 
mooch off your nameserver, poison your cache, etc. Generally what people 
do is either run a separate "view", with recursion completely disabled, 
for Internet clients, or, more simply, they use "allow-recursion" to 
limit what clients can recurse. With simple "allow-recursion", though, 
be aware that Internet clients will still be able to retrieve anything 
that's in your cache (since it doesn't require recursion to satisfy such 
queries) -- probably you don't care about that, maybe you do: for 
instance, if you don't want outsiders to know that you've recently 
queried some particular website name, then you need to implement some 
combination of allow-query/allow-recursion (queries globally disallowed 
for Internet clients, then selectively allowed for the zone(s) you 
host), or go the full separate-view route. Note that if you use NAT, you 
may decide to use separate views anyway, because that way your internal 
clients can access services you host using different addresses than the 
ones used by Internet clients.

- Kevin

kilim wrote:

>Hello,
>
>I'm trying to set up my DNS server and before I go ahead I wanna ask
>you to tell me if my config is right.
>
>Thank you.
>
>This is my setup:
>
>FreeBSD 5.3 with Bind 9.3
>My Static IP: 123.456.789.999 (example only, obviously)
>My domain name: really-cool-domain.com
>
>my named.conf:
>
>
>options {
>        directory       "/etc/namedb";
>        pid-file        "/var/run/named/pid";
>        dump-file       "/var/dump/named_dump.db";
>        statistics-file "/var/stats/named.stats";
>        version         "None of your business";
>
>        // each address in the list needs its own trailing semicolon
>        listen-on       { 127.0.0.1; 123.456.789.999; };
>
>        // is this ok ?
>
>        forwarders {
>                My_ISPs_DNS1;
>                My_ISPs_DNS2;
>        };
>
>        query-source address * port 53;
>};
>
>zone "." {
>        type hint;
>        file "named.root";
>};
>
>// whats going on here below
>
>zone "0.0.127.IN-ADDR.ARPA" {
>        type master;
>        file "master/localhost.rev";
>};
>
>// IPv6 stuff omitted !
>
>zone "really-cool-domain.com" {
>        type master;
>        file "master/really-cool-domain.com";
>};
>
>Thank you
>
>
>
>
>
>  
>

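Putting the advice above together, here is an added example (not from the original post, and not the BIND project's own sample configuration) of the "separate view" layout Kevin describes: one view for internal clients that recurses and caches, and one for the Internet that answers only for the hosted zone and refuses everything else, so outsiders can neither recurse nor read the cache. The ACL name "internal", the 192.168.0.0/16 range, the ".internal" zone file name and the omission of listen-on, forwarders and query-source are all assumptions for illustration; adjust them to the real network.

```conf
// Added example: BIND 9 named.conf with separate internal/external views.
// Addresses, ACL and file names below are placeholders, not real values.

acl "internal" { 127.0.0.1; 192.168.0.0/16; };   // assumed LAN range

options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        version         "None of your business";  // cosmetic; fingerprinting still works

        // no listen-on: named listens on all interfaces by default
        // no forwarders: resolve via the root hints instead
        // no query-source: only needed to work around a firewall
        interface-interval 0;   // no dynamic interfaces, so stop rescanning

        recursion no;           // global default; the internal view opts in
};

// Internal clients: full recursive service, cache visible to them only.
view "inside" {
        match-clients   { "internal"; };
        recursion       yes;
        allow-recursion { "internal"; };
        allow-query     { "internal"; };

        zone "." {
                type hint;
                file "named.root";
        };

        zone "0.0.127.IN-ADDR.ARPA" {
                type master;
                file "master/localhost.rev";
        };

        // Internal copy of the zone; behind NAT this can carry the
        // private addresses of the hosted services.
        zone "really-cool-domain.com" {
                type master;
                file "master/really-cool-domain.com.internal";
        };
};

// Everyone else: no recursion, queries globally refused, then
// selectively allowed only for the zone we host (so the cache is
// never exposed, because nothing outside the zone is answered).
view "outside" {
        match-clients   { any; };
        recursion       no;
        allow-recursion { none; };
        allow-query     { none; };

        zone "really-cool-domain.com" {
                type master;
                file "master/really-cool-domain.com";
                allow-query { any; };
        };
};
```

Once BIND defines any view, every zone must live inside a view, which is why the hint and localhost zones moved into "inside". To confirm the external view behaves as intended, query the public address from outside the "internal" range: `dig @123.456.789.999 www.really-cool-domain.com` should answer authoritatively, while `dig @123.456.789.999 +norecurse www.example.com` should return REFUSED rather than anything from the cache.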