DNS Feature request

bbytes (Verified User, joined Feb 2, 2010, 13 messages)
Is it possible to add the following lines to the zone template by default?

allow-query { any; }; allow-update { none; };

This way, only domains hosted on the server can be queried. Your DNS will not be an open DNS server, only for the domains it hosts.

The option "query-source address * port 53;" has to be excluded.

If somebody knows some security issues with this, please reply.
 
This is done in the main named.conf file and not in the zone files so modifying the template is not needed.

And I think what you really want is "recursion no" in the options.

This is from memory and maybe I misunderstood the request.
 
Floyd,

You are not entirely correct. The domain zone files in named.conf are part of the template zone.conf. Every new domain added conforms to this template.

"recursion no" depends on whether you have a /24 or not. We set the recursion to localnet.
 
All you have to do is edit named.conf

1. Create an acl for the ip blocks you want to allow recursion for.
Code:
//ips who are allowed to use recursive dns
acl recurseallow { 127.0.0.1; ip-block-here; };

2. Change options section to only allow recursion to the acl zones.
Code:
recursion yes;
allow-recursion { recurseallow; };
 
I knew everything needed was in the main named.conf file and not the zone files.

But even if you did need to edit the template for the zone, then just do it.
 
Correct me if I'm wrong SCSI but this is the same right?

allow-recursion { 127.0.0.1; localnets; };

So why use an acl? It's handy for multiple instances of the same config, but otherwise I don't see the advantage here.
 
It might work that way. I only know from the guide I followed when I set it up.
 
Welcome to IT, where there are millions of roads to the same result.
Nevertheless, this doesn't solve the problem. Using recursion does not let you query the domains hosted on the server. You have to set the allow-query to do an nslookup or dig.

OK, now we have discussed the settings, what about the security level?
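The two halves of this discussion (SCSI's ACL plus allow-recursion in the options block, and bbytes' point that the hosted zones must still be queryable by everyone) fit together in a single named.conf. The following is an added example, not configuration posted in this thread or shipped by the control panel being discussed; the ACL name recurseallow is the one used above, while the directory path and the 192.0.2.0/24 network are placeholders to replace with your own values.

```conf
// Added example, not from the thread.  192.0.2.0/24 is a documentation
// range standing in for your own address block.

// Networks that may use this server as a recursive (caching) resolver.
acl recurseallow {
    127.0.0.1;
    ::1;
    192.0.2.0/24;      // placeholder: replace with your own network(s)
};

options {
    directory "/var/named";   // assumed path; adjust to your build

    // Answer queries from anyone, so the zones below stay resolvable
    // by the rest of the Internet (this is what nslookup/dig against
    // a hosted domain needs).
    allow-query { any; };

    // Only hand out recursive answers and cached data to the ACL, so
    // the server is not an open resolver for arbitrary names.
    recursion yes;
    allow-recursion { recurseallow; };
    allow-query-cache { recurseallow; };

    // Deliberately no "query-source address * port 53;" line: omitting it
    // keeps the randomised source port, which makes cache poisoning harder.
};

// Per-domain block of the kind the zone template generates.  The
// zone-level allow-query repeats the global "any", so it is harmless
// but no longer required once options carries it.
zone "example.com" {
    type master;
    file "example.com.db";
    allow-query { any; };
    allow-update { none; };
};
```

With this layout any client can resolve example.com, while a query for a name outside the hosted zones from an address not in recurseallow is refused rather than recursed. Note that BIND 9.4 and later already default allow-recursion and allow-query-cache to localnets and localhost, so on a current build the ACL mainly serves to widen that default on purpose; on older builds, whose default was effectively open, it is what closes the resolver. After editing, a syntax check with named-checkconf before reloading catches a misplaced brace in the ACL.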
 