NS Lock Down

kcmedia (Verified User, joined May 6, 2004, 15 messages)
Hi all

Is there a way to lock down your name server on DirectAdmin so no one can do an nslookup and ls search on your server to find all A and NS records? We will have a very secure site on the server and we need to hide all the NS and A records for the domain.

thanks
 
I've never heard of this - surely the whois would show the nameservers, and from there the nameserver IPs and A records, or the domain wouldn't resolve and be accessible from anywhere?

Maybe Jeff has some suggestions?

Rob
 
Sure...

You can disallow zone transfers from all IPs except the ones hosting your slave DNS service:

The allow-transfer option (see man named.conf) specifies which hosts are allowed to receive zone transfers from the server.

You can also specify the allow-transfer option in the zone statement, in which case it overrides the options allow-transfer statement.

If you don't specify the allow-transfer option, the default is to allow transfers from all hosts.

Of course that won't stop ordinary nslookup or get requests if the user already knows the names he's trying to get the A records for. You can't block those, or DNS fails to work at all.

Jeff
 
Hey,

Like Jeff mentioned you can put something like this:

also-notify { 192.168.1.31; };
allow-transfer { 192.168.1.31; };

in the "options" section of the named.conf file.

In this example, 192.168.1.31 would be your slave server.

David
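Putting Jeff's description and David's snippet together, here is an added example (not code from the thread or from DirectAdmin) of the default-deny pattern: `allow-transfer { none; }` in `options`, overridden per zone for the slave only, plus a small check that classifies `dig AXFR` output so you can confirm from a non-slave host that the transfer is refused. The slave address 192.168.1.31 is taken from David's post; `ns1.example.com`, `example.com` and the zone file path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: slave is 192.168.1.31 (from David's
# post); example.com, ns1.example.com and /var/named/example.com.db are placeholders.

# 1. named.conf fragment: deny AXFR globally, allow it per zone to the slave only.
named_conf_fragment() {
cat <<'EOF'
options {
    // Default-deny: without this, BIND allows zone transfers to every host.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "/var/named/example.com.db";
    // Zone-level override wins over the options-level setting.
    also-notify    { 192.168.1.31; };
    allow-transfer { 192.168.1.31; };
};
EOF
}

# 2. Classify the output of `dig @server zone AXFR +noall +answer`.
#    Prints "allowed" when the transfer returned resource records,
#    "refused" when dig reported a failure or returned no records.
classify_axfr() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'Transfer failed'; then
        echo refused
    elif printf '%s\n' "$out" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+(SOA|NS|A|AAAA|MX|TXT)[[:space:]]'; then
        echo allowed
    else
        echo refused
    fi
}

# Live check from a host that is NOT the slave (needs network; run by hand):
#   classify_axfr "$(dig @ns1.example.com example.com AXFR +noall +answer 2>&1)"
# Expect "refused" once the fragment above is loaded (rndc reconfig / restart named).
```

After reloading named, run the live check from an outside host and from the slave itself: the outside host should get `refused`, the slave `allowed`. As Jeff notes, this only blocks bulk zone transfers; individual lookups of names a client already knows still answer normally.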
 