Implementing the bogon list

Doug Barton dougb at dougbarton.us
Sat Apr 10 05:32:33 UTC 2010


On 04/09/10 20:50, Alex wrote:
> Hi,
> 
>> Let's be clear on what "this" is please, since I don't think the OP's
>> post was clear about what he wanted to implement. :)
> 
> I'm really interested in security, reducing resources, and making sure
> the server is current with today's standards. I'd like to make sure
> it's properly set up and there aren't any configuration errors and
> that anything I can do to improve its overall performance is being
> done.

EMARKETINGHYPE :)  You still haven't specified what exactly you want to
implement. ACLs? Empty zones for things that should not resolve?
Something else? And more importantly, what is the _reason_ you're trying
to do what you're trying to do?

>> In any case, I welcome comments and suggestions on improving this config.
>>
>>> You can see the config at:
>>> http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/etc/namedb/named.conf?rev=1.31;content-type=text%2Fplain
> 
> It's very good, but I think it also depends on what you're trying to
> achieve.

My point exactly. :)  Your suggestions were all good, but go well beyond
the goal of "good default configuration for a local resolver with some
basic guidance on other common tasks." I'm not aiming for a
comprehensive DNS howto in the conf file.

>>> You can add the unassigned space to those fairly easily, but make sure
>>> that you update it as space is assigned.
>>
>> Yes, this is worth saying again, and I agree with it (again). :)
> 
> Yes, that's why the zone transfer idea was so compelling to me, or
> perhaps even a once-monthly rsync of the config file?

This is where I continue to be confused. I have no idea what a zone
transfer would accomplish in this context.

It seems from other posts that you want to implement ACLs of some sort
related to "bogons." My suggestion is that unless you have a really
clear idea of a specific security goal that will be served by doing this
that you don't do it.


hth,

Doug

-- 

	... and that's just a little bit of history repeating.
			-- Propellerheads

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/



