FW: First time config - room for improvement?

Paul Cocker paul.cocker at tntpost.co.uk
Thu Aug 28 09:36:41 UTC 2008


Missing from the list
________________________________

From: Dawn Connelly [mailto:dawn.connelly at gmail.com] 
Sent: 27 August 2008 18:02
To: Paul Cocker
Subject: Re: First time config - room for improvement?


I didn't run a named-checkconf but it looks good. The only thing I would
maybe recommend is jailing your named directory. 


On Wed, Aug 27, 2008 at 9:46 AM, Paul Cocker <paul.cocker at tntpost.co.uk>
wrote:


	While I have worked with BIND 9.x before, I've never had to set it up
	from scratch. Due to a server migration I need to setup a new instance
	of BIND, but would prefer to start afresh due to the old config being a
	mish-mash of various BIND versions.
	
	Running on CentOS 5.2 I am using BIND 9.3.4 running within a chroot
	environment. I've confirmed that the service can start so all looks well
	having used the BIND samples under /usr/share/doc as a starting point,
	but what I want to check is whether the config can be improved, have I
	missed any settings necessary to run a secure system (especially
	important to me), is there anything here which might bite me in the ass
	later on, etc.
	
	I should note that the role of the BIND service is two-fold, in one
	instance it is acting as the authoritative name server for a domain, in
	the other it is acting as a name cache for localhost.
	
	acl slaves
	{
	       IPAddress;
	       IPAddress2;
	};
	
	options
	{
	       directory "/var/named"; // the default
	       dump-file               "data/cache_dump.db";
	       statistics-file         "data/named_stats.txt";
	       memstatistics-file      "data/named_mem_stats.txt";
	       version                 "random text";
	};
	logging
	{
	       channel default_debug {
	               file "data/named.run" versions 5 size 2M;
	               severity dynamic;
	               print-category yes;
	               print-severity yes;
	               print-time yes;
	       };
	       category lame-servers { null; };
	};
	
	view "localhost_resolver"
	{
	       match-clients           { localhost; };
	       match-destinations      { localhost; };
	
	       recursion yes;
	
	       include "/etc/named.root.hints";
	       include "/etc/named.rfc1912.zones";
	};
	
	view    "external"
	{
	       match-clients           { any; };
	       match-destinations      { any; };
	
	       recursion no;
	
	       include "/etc/named.root.hints";
	
	       zone "domain.co.uk" {   // zone name is the domain, not the file name
	               type master;
	               file "domain.co.uk.zone.db";
	               allow-transfer { slaves; };
	       };
	
	       zone "#.#.#.#.in-addr.arpa" {
	               type master;
	               file "domain.co.uk.arpa.db";
	               allow-transfer { slaves; };
	       };
	
	};
	
	Many thanks,
	
	Paul Cocker
	
	
	
	
	TNT Post is the trading name for TNT Post UK Ltd (company
number: 04417047), TNT Post (Doordrop Media) Ltd (00613278), TNT Post
Scotland Ltd (05695897),TNT Post North Ltd (05701709) and TNT Post South
West Ltd (05983401). Emma's Diary and Lifecycle are trading names for
Lifecycle Marketing (Mother and Baby) Ltd (02556692). All companies are
registered in England and Wales; registered address: 1 Globeside
Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, SL7 1HY.
	
	
	




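Dawn's reply notes she did not run named-checkconf; that tool only validates syntax, and none of the points at stake here (an `any` view with recursion left on, an unrestricted allow-transfer, a missing version string, a zone named after its file) is a syntax error. The following policy lint is an added example written for this page, not BIND's own tooling. It parses a named.conf fragment with a minimal tokenizer (quoted strings are recognised before comments, so the `#` characters in the in-addr.arpa placeholder survive) and reports the policy findings. Both sample configs are constructed here: the first is the posted configuration, the second a deliberately weak variant; the BIND 9.3 default of `allow-transfer { any; }` is stated from memory of that release line.

```python
"""Policy lint for a BIND named.conf fragment (added example, not BIND's own tooling).
named-checkconf checks syntax only; this checks the settings the thread is about."""
import re

# Quoted strings are tried first so '#' inside "#.#.#.#.in-addr.arpa" is not a comment.
TOKEN_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*|[{};]|[^\s{};"]+', re.S)


def tokenize(text):
    toks = []
    for m in TOKEN_RE.finditer(text):
        t = m.group(0)
        if t.startswith(('/*', '//', '#')):
            continue  # drop comments
        toks.append(t[1:-1] if t.startswith('"') else t)  # unquote strings
    return toks


def parse(tokens, i=0):
    """Return (statements, next_index); a statement is (words, block-or-None)."""
    stmts = []
    while i < len(tokens):
        if tokens[i] == '}':
            return stmts, i + 1
        words = []
        while i < len(tokens) and tokens[i] not in (';', '{', '}'):
            words.append(tokens[i])
            i += 1
        block = None
        if i < len(tokens) and tokens[i] == '{':
            block, i = parse(tokens, i + 1)
        if i < len(tokens) and tokens[i] == ';':
            i += 1
        if words:
            stmts.append((words, block))
    return stmts, i


def first(stmts, keyword):
    """First statement in stmts whose keyword matches, as (words, block)."""
    for words, block in stmts or []:
        if words[0] == keyword:
            return words, block
    return None, None


def entries(block):
    """Flatten an address-match list such as { localhost; any; } into its words."""
    return [w for words, _ in (block or []) for w in words]


def zones(stmts):
    """Yield (name, block) for every zone, at top level or inside a view."""
    for words, block in stmts:
        if words[0] == 'zone' and block is not None:
            yield words[1], block
        elif words[0] == 'view' and block:
            yield from zones(block)


def lint(text):
    findings = []
    top, _ = parse(tokenize(text))
    _, options = first(top, 'options')
    if options is None or first(options, 'version')[0] is None:
        findings.append("options: no 'version' set; named reports its real version")
    for words, block in top:
        if words[0] != 'view':
            continue
        name = words[1]
        clients = entries(first(block, 'match-clients')[1])
        rec = first(block, 'recursion')[0]
        rec_val = rec[1] if rec else 'unset (defaults to yes)'
        if 'any' in clients and rec_val != 'no':
            findings.append(f"view {name}: matches any client but recursion is {rec_val} (open resolver)")
    for name, zblock in zones(top):
        if name.endswith(('.zone', '.db')):
            findings.append(f"zone {name}: name looks like a file name, not a domain")
        ztype = first(zblock, 'type')[0]
        if ztype and ztype[1] == 'master':
            xfer = first(zblock, 'allow-transfer')[1]
            if xfer is None:
                findings.append(f"zone {name}: master zone without allow-transfer (BIND 9.3 defaults to any)")
            elif 'any' in entries(xfer):
                findings.append(f"zone {name}: allow-transfer any lets anyone AXFR the zone")
    return findings


# Constructed sample 1: the configuration as posted in the thread.
POSTED_CONF = """
acl slaves { IPAddress; IPAddress2; };
options { directory "/var/named"; // the default
  dump-file "data/cache_dump.db"; version "random text"; };
logging { channel default_debug { file "data/named.run" versions 5 size 2M;
  severity dynamic; print-time yes; }; category lame-servers { null; }; };
view "localhost_resolver" { match-clients { localhost; }; match-destinations { localhost; };
  recursion yes; include "/etc/named.root.hints"; include "/etc/named.rfc1912.zones"; };
view "external" { match-clients { any; }; match-destinations { any; }; recursion no;
  zone "domain.co.uk.zone" { type master; file "domain.co.uk.zone.db"; allow-transfer { slaves; }; };
  zone "#.#.#.#.in-addr.arpa" { type master; file "domain.co.uk.arpa.db"; allow-transfer { slaves; }; }; };
"""

# Constructed sample 2: a weak variant (no version, recursion unset, open transfers).
WEAK_CONF = """
options { directory "/var/named"; };
view "external" { match-clients { any; };
  zone "example.test" { type master; file "example.test.db"; allow-transfer { any; }; }; };
"""

if __name__ == '__main__':
    for label, conf in (('posted', POSTED_CONF), ('weak', WEAK_CONF)):
        print(label, lint(conf))
```

On the posted configuration the only finding is the zone whose name ends in `.zone`; on the weak variant it reports the missing version string, the recursive `any` view and the unrestricted transfer. The check is deliberately narrow: it does not follow `include` files, so the rfc1912 zones and root hints are outside its view.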
More information about the bind-users mailing list