One problem is that you need to change your whole configuration if you don't otherwise need views, because you have dedicated servers for external and internal DNS.

allow-chaos { localhost; localnets; }, defaulting to 127.0.0.1, as a global option would be helpful.

BTW: what I don't understand is why the result is "status: NOERROR" instead of "status: REFUSED" when "none" is configured.

On 26.08.2015 at 12:28, Bob McDonald wrote:
That's brilliant! Thanks.

I'd still include the hint zone (as I'm partial to not having
unnecessary warnings on startup).

Also a lot of folks use localhost and/or localnets in DNS configuration.
Just from a security standpoint, I prefer to be more specific. localhost
and/or localnets can be much more template friendly, I know.

However, your suggestion changes my response for excluded addresses from
SERVFAIL to REFUSED. Much better.

Cheers!

On Wed, Aug 26, 2015 at 5:02 AM, Tony Finch <d...@dotat.at> wrote:

    Bob McDonald <bmcdonal...@gmail.com> wrote:

    > To further lock this information down I would suggest adding the
    > following view statements to any internet facing DNS device configuration:
    >
    > view "outsiders" chaos {
    >         match-clients { !127.0.0.1; !your-inside--nets; any; };
    >         allow-query { none; };
    >         # we need a zone within a view and BIND complains on startup if there is
    >         # no hint file in classes other than internet. (it is provided with the
    >         # software for the internet class)
    >         zone "." chaos {
    >                 type hint;
    >                 file "/dev/null";  // or any empty file
    >         };
    > };

    Another way is to use BIND's syntax for explicitly configuring the special
    server information zones, like below. This view handles all queries for
    the chaos class, and rejects queries from nonlocal clients.

       view bind chaos {
         recursion no;
         allow-query { localhost; localnets; };
         zone  authors.bind ch { type master; database "_builtin authors";  };
         zone hostname.bind ch { type master; database "_builtin hostname"; };
         zone  version.bind ch { type master; database "_builtin version";  };
         zone     id.server ch { type master; database "_builtin id";       };
       };

    Tony.
    --
    f.anthony.n.finch  <d...@dotat.at> http://dotat.at/
    Viking, North Utsire: Easterly 4 or 5, increasing 6 at times. Slight or
    moderate, but rough in southwest Viking. Showers later. Good, occasionally
    poor later.
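The thread turns on what a remote client actually gets back for a CHAOS-class query once one of the views above is in place: a TXT answer (the server string is disclosed), REFUSED (Tony's allow-query view), SERVFAIL (Bob's original view) or NOERROR with no data. The following script is an added example for verifying that from a non-local vantage point against your own server; it is not code from any of the posts. It builds the same wire-format query `dig @server version.bind ch txt` would send, decodes the RCODE and any TXT answers, and classifies the result. The two response byte strings at the bottom are constructed here for the offline self-check, not captured from a real server, and `probe()` needs network reachability to the server under test.

```python
"""Probe a name server for CHAOS-class TXT records (version.bind, hostname.bind, ...)
and report the RCODE it returns to this client.

Added example for the bind-users thread on hiding server information zones; not
code from the list posts. The sample responses below are constructed, not captured.
"""
import socket
import struct

CLASS_CH = 3   # CHAOS class, where BIND serves version.bind and friends
TYPE_TXT = 16
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as DNS labels: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_TXT, qclass=CLASS_CH, txid=0x1234):
    """Header (id, flags RD=1, qdcount=1) + one question section entry."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def skip_name(msg, off):
    """Return the offset just past the name starting at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return {'rcode': str, 'answers': [TXT strings]} for a DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):                # skip the echoed question(s)
        off = skip_name(msg, off) + 4
    txts = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            pos = 0                    # TXT rdata is a sequence of <len><chars> strings
            while pos < len(rdata):
                slen = rdata[pos]
                txts.append(rdata[pos + 1:pos + 1 + slen].decode("ascii", "replace"))
                pos += 1 + slen
    return {"rcode": RCODES.get(rcode, str(rcode)), "answers": txts}


def classify(result):
    """Map a parsed response to the outcomes discussed in the thread."""
    if result["rcode"] == "NOERROR" and result["answers"]:
        return "disclosed"             # server string is visible to this client
    if result["rcode"] == "NOERROR":
        return "noerror-empty"         # answered, but no data
    return result["rcode"].lower()     # e.g. 'refused', 'servfail'


def probe(server, name="version.bind", timeout=2.0):
    """Send the CHAOS TXT query over UDP and classify the live answer (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return classify(parse_response(data))


# Constructed sample: NOERROR (flags QR|AA|RD) with one TXT answer "9.10.2" via a
# compression pointer (0xc00c) back to the question name.
SAMPLE_DISCLOSED = (
    struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0)
    + encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, 7) + bytes([6]) + b"9.10.2"
)
# Constructed sample: REFUSED (flags QR|RD, rcode 5), no answer section.
SAMPLE_REFUSED = (
    struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
    + encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for qname in ("version.bind", "hostname.bind", "id.server", "authors.bind"):
        print(qname, probe(target, qname))
```

Run it once from an address inside `localnets` and once from outside; with Tony's view the first should report `disclosed` (or whatever `version`/`hostname` options you set) and the second `refused`, which is the distinction Bob notes in his reply.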


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
