Troubleshooting Information

Reindl Harald h.reindl at thelounge.net
Wed Aug 26 10:43:06 UTC 2015


one problem is that you need to change your whole configuration if you 
don't need views because you have dedicated servers for external and internal DNS

allow-chaos {localhost; localnets;} defaulting to 127.0.0.1 as global 
option would be helpful

BTW: what I don't understand is why "status: NOERROR" instead of "status: 
REFUSED" is returned when "none" is configured

On 26.08.2015 at 12:28, Bob McDonald wrote:
> That's brilliant! Thanks.
>
> I'd still include the hint zone (as I'm partial to not having
> unnecessary warnings on startup).
>
> Also a lot of folks use localhost and/or localnets in DNS configuration.
> Just from a security standpoint, I prefer to be more specific. localhost
> and/or localnets can be much more template friendly, I know.
>
> However, your suggestion changes my response for excluded addresses from
> SERVFAIL to REFUSED. Much better.
>
> Cheers!
>
> On Wed, Aug 26, 2015 at 5:02 AM, Tony Finch <dot at dotat.at
> <mailto:dot at dotat.at>> wrote:
>
>     Bob McDonald <bmcdonaldjr at gmail.com <mailto:bmcdonaldjr at gmail.com>>
>     wrote:
>
>     > To further lock this information down I would suggest adding the
>     > following view statements to any internet facing DNS device configuration:
>     >
>     > view "outsiders" chaos {
>     >         match-clients { !127.0.0.1; !your-inside--nets; any; };
>     >         allow-query { none; };
>     >         # we need a zone within a view and Bind complains on startup if there is no hint file in classes
>     >         # other than internet. (it is provided with the software for the internet class)
>     >         zone "." chaos {
>     >                 type hint;
>     >                 file "/dev/null";  // or any empty file
>     >         };
>     > };
>
>     Another way is to use BIND's syntax for explicitly configuring the
>     special
>     server information zones, like below. This view handles all queries for
>     the chaos class, and rejects queries from nonlocal clients.
>
>        view bind chaos {
>          recursion no;
>          allow-query { localhost; localnets; };
>          zone  authors.bind ch { type master; database "_builtin authors";  };
>          zone hostname.bind ch { type master; database "_builtin hostname"; };
>          zone  version.bind ch { type master; database "_builtin version";  };
>          zone     id.server ch { type master; database "_builtin id";       };
>        };
>
>     Tony.
>     --
>     f.anthony.n.finch  <dot at dotat.at <mailto:dot at dotat.at>> http://dotat.at/
>     Viking, North Utsire: Easterly 4 or 5, increasing 6 at times. Slight or
>     moderate, but rough in southwest Viking. Showers later. Good,
>     occasionally
>     poor later.
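To verify a chaos view like the ones quoted above from both a local and a non-local client, here is an added Python check that is not part of this thread or of BIND: it builds the raw CHAOS-class TXT query for the four server-information names and reports the RCODE of the reply, so you can confirm that outside clients get REFUSED while localhost/localnets get NOERROR. The server address is passed on the command line, and the two sample replies at the bottom are constructed for illustration, not captured from a real server.

```python
"""Check how a name server answers CHAOS-class server-information queries.

Added example (not from the bind-users thread). A hardened view should
answer REFUSED to clients outside localhost/localnets; a view that only
sets allow-query { none; } may answer NOERROR with no data instead.
"""
import socket
import struct

CLASS_CH = 3       # CHAOS class (RFC 1035)
TYPE_TXT = 16
RCODES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}
SERVER_INFO_NAMES = ("version.bind", "hostname.bind", "authors.bind", "id.server")


def build_query(name, qid=0x1234):
    """Encode a DNS query for NAME, class CH, type TXT; RD is left clear."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def parse_rcode(response, expected_qid):
    """Return (rcode_name, answer_count) from a raw reply, validating ID and QR."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if qid != expected_qid:
        raise ValueError("response ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}"), an


def query_server_info(server, name, timeout=2.0):
    """Send one UDP query to SERVER:53 and return (rcode_name, answer_count)."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_rcode(data, qid)


# Constructed sample reply headers (QR set; rcode 5 = REFUSED, AA + rcode 0 = NOERROR).
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)
NOERROR_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)

if __name__ == "__main__":
    import sys
    for n in SERVER_INFO_NAMES:  # run once from inside and once from outside the allowed nets
        print(n, query_server_info(sys.argv[1], n))
```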
