First time DNS setup
Kevin Darcy
kcd at daimlerchrysler.com
Sat Feb 12 01:04:26 UTC 2005
You should generally stay away from forwarding, if you have any choice
in the matter.
Double-check that your hints file is current.
named will by default listen on all configured interfaces, so unless you
have other interfaces that you specifically *don't* want named to listen
on, you don't need that listen-on statement. Also, if you have no
dynamic interfaces, you could set "interface-interval 0" in your
"options" block to stop named from periodically scanning for them.
"query-source * port 53" is unnecessary unless you have to circumvent
some sort of firewall issue.
Obscuring your version number, although often touted as a sensible
security measure, really does little to hide your version from the
curious, since they can just run "fingerprinting" utilities against your
server. But if it gives one a _feeling_ of security, hey, who am I to
recommend against it?
The default is for named to honor recursion to all clients. You probably
don't want this on an Internet-facing box, since it means people could
mooch off your nameserver, poison your cache, etc. Generally what people
do is either run a separate "view", with recursion completely disabled,
for Internet clients, or, more simply, they use "allow-recursion" to
limit what clients can recurse. With simple "allow-recursion", though,
be aware that Internet clients will still be able to retrieve anything
that's in your cache (since it doesn't require recursion to satisfy such
queries) -- probably you don't care about that, maybe you do: for
instance, if you don't want outsiders to know that you've recently
queried some particular website name, then you need to implement some
combination of allow-query/allow-recursion (queries globally disallowed
for Internet clients, then selectively allowed for the zone(s) you
host), or go the full separate-view route. Note that if you use NAT, you
may decide to use separate views anyway, because that way your internal
clients can access services you host using different addresses than the
ones used by Internet clients.
- Kevin
kilim wrote:
>Hello,
>
>I'm trying to set up my DNS server and before I go ahead I wanna ask
>you to tell me if my config is right.
>
>Thank you.
>
>This is my setup:
>
>FreeBSD 5.3 with Bind 9.3
>My Static IP: 123.456.789.999 (example only, obviously)
>My domain name: really-cool-domain.com
>
>my named.conf:
>
>
>options {
> directory "/etc/namedb";
> pid-file "/var/run/named/pid";
> dump-file "/var/dump/named_dump.db";
> statistics-file "/var/stats/named.stats";
> version "None of your business";
>
> listen-on { 127.0.0.1; 123.456.789.999; };
>
> // is this ok ?
>
>
> forwarders {
> My_ISPs_DNS1;
> My_ISPs_DNS2;
> };
>
> query-source address * port 53;
> };
>
>zone "." {
> type hint;
> file "named.root";
>};
>
>// what's going on here below
>
>zone "0.0.127.IN-ADDR.ARPA" {
> type master;
> file "master/localhost.rev";
>};
>
>// IPv6 stuff omitted!
>
>zone "really-cool-domain.com" {
> type master;
> file "master/really-cool-domain.com";
>};
>
>Thank you
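The "full separate-view route" described in the reply above, written out as an added named.conf example (not from the original thread, and not something either poster supplied). Addresses and the second zone file name are placeholders: 10.0.0.0/8 stands for the NAT'd internal network and "really-cool-domain.com.internal" for an internal copy of the zone.

```conf
// Added example, not from the original thread. Placeholders: 10.0.0.0/8 is
// the internal (NAT) network; the zone file names are assumed.
acl "internal" { 127.0.0.1; 10.0.0.0/8; };

options {
    directory "/etc/namedb";
    pid-file  "/var/run/named/pid";
    // No forwarders, no listen-on, no query-source: the defaults are fine.
};

// Views are matched in order, so the internal view must come first.
// Each view keeps its own cache, so nothing internal clients have looked
// up can be read back by Internet clients.
view "internal" {
    match-clients { internal; };
    recursion yes;
    // Root hints are only needed where recursion actually happens.
    zone "." { type hint; file "named.root"; };
    zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "master/localhost.rev";
    };
    // Internal copy of the zone: answers with private (NAT) addresses.
    zone "really-cool-domain.com" {
        type master;
        file "master/really-cool-domain.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;   // nothing to mooch, nothing to poison
    // Public copy of the zone: answers with the static Internet address.
    zone "really-cool-domain.com" {
        type master;
        file "master/really-cool-domain.com";
    };
};

// The simpler non-view alternative from the reply, for comparison:
// in "options" set  allow-query { internal; }; allow-recursion { internal; };
// and in the hosted zone add  allow-query { any; };  so that only that
// zone, and not the cache, is visible to Internet clients.
```

Once views are in use every zone must live inside a view, which is why the hint and localhost zones moved into "internal".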