jlasman said: What you want is high-speed resolution. That's what you get on your local network.
Do you misunderstand the purpose of /etc/resolv.conf? This is the list of nameservers THIS machine will use. If the local network fails the local machine isn't going to be able to get to an off-network nameserver anyway. Or anywhere else off-network, in fact.
lists at least two nameservers, both of which are working servers on a network local to your server, and neither of which are actually your nameserver.
jw00dy said: I do something similar, but use something a little different. Just thought I'd post mine in case you want to control it a little differently.
Code:
options {
    directory "/var/named";
    allow-transfer { "external_secondaries"; };
    allow-recursion { "external_secondaries"; "internal_addresses"; };
    blackhole { "bogusnets"; };
    version "dilligaf";
    auth-nxdomain no;
    listen-on { "listen_ipaddress"; };
};

logging {
    category notify { null; };
    category lame-servers { null; };
};

acl "external_secondaries" {
    <slave1IPAddr>;
    <slave2IPAddr>;
    <slave3IPAddr>;
};

acl "internal_addresses" {
    127.0.0.1;
    <internalIPAddr1>;
    <internalIPAddr2>;
    <internalIPAddr3>;
    <internalIPAddr4>;
};

acl "bogusnets" {
    0.0.0.0/8;
    1.0.0.0/8;
    2.0.0.0/8;
    192.0.2.0/24;
    224.0.0.0/3;
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

acl "listen_ipaddress" {
    <IPAddrofThisDNSServer>;
};
You could also add a "trusted" under the recursion section, and just add any ip addr that you want to be trusted to do recursion, but that doesn't do anything else.
How to Secure your DNS Server
To secure your dns server all you need to do is just add the following lines to your /etc/named.conf file.
1. First you should know the 2 IPs of your DNS server. Just open /etc/nameserverips and there you will get the 2 DNS IPs.
tail /etc/nameserverips
2. Open /etc/named.conf
Look for the options { line, and above it add these lines:
acl "trusted" {
x.x.x.x;
y.y.y.y;
};
where x.x.x.x and y.y.y.y are your 2 DNS IPs from step (1).
3. Look for line
// query-source address * port 53;
below it, insert the following lines:
version "Bind";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
This will disable DNS recursion (preventing your server from being an open DNS server) and restrict zone transfers and notifications to your DNS servers only, not to outside queries. The version line will hide the BIND version.
Once all is complete, restart named.
service named restart
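Both configs in this thread (jw00dy's ACL-based one and the "trusted" ACL from the tutorial above) rely on three things being right: allow-recursion and allow-transfer are present in the options block, they name an ACL that is actually defined (or an address literal), and version is overridden. A typo in an ACL name or a missing directive silently leaves named on its defaults, so a quick check before restarting is worth having. The following Python script is an added example, not code from either poster or from ISC; it parses a named.conf-style file with a small tokenizer and reports those three conditions. The two embedded config samples are constructed for illustration and use RFC 5737 documentation addresses (192.0.2.x) in place of the tutorial's x.x.x.x / y.y.y.y placeholders.

```python
"""Added example: lint a named.conf for the restrictions recommended in the thread
(allow-recursion / allow-transfer limited to a defined ACL, version overridden).
The config samples at the bottom are constructed, not taken from a real server."""
import re

# Tokens: quoted strings, the three structural characters, or bare words.
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
# IPv4 address or prefix, optionally negated with '!' (IPv6 is not handled here).
IPV4_RE = re.compile(r'!?\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?')
BUILTIN_ACLS = {'any', 'none', 'localhost', 'localnets'}


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', ' ', text)


def parse(tokens):
    """Turn a token list into statements (words, block); block is the parsed
    contents of a trailing { ... } or None when the statement has none."""
    stmts, i = [], 0
    while i < len(tokens):
        words, block = [], None
        while i < len(tokens) and tokens[i] not in ('{', '}', ';'):
            words.append(tokens[i].strip('"'))
            i += 1
        if i < len(tokens) and tokens[i] == '{':
            depth, j = 1, i + 1
            while depth and j < len(tokens):
                depth += {'{': 1, '}': -1}.get(tokens[j], 0)
                j += 1
            block = parse(tokens[i + 1:j - 1])
            i = j
        if i < len(tokens) and tokens[i] in ('}', ';'):
            i += 1  # consume the terminator; a stray '}' is skipped rather than looping
        if words:
            stmts.append((words, block))
    return stmts


def entries(block):
    """Names and addresses listed inside an address-match-list block."""
    return [words[0] for words, _ in (block or [])]


def expand(name, acls, seen=()):
    """Flatten nested ACL references so 'any' hidden inside an ACL is still seen."""
    if name in acls and name not in seen:
        return [x for n in acls[name] for x in expand(n, acls, seen + (name,))]
    return [name]


def audit(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    stmts = parse(TOKEN_RE.findall(strip_comments(conf_text)))
    acls = {w[1]: entries(b) for w, b in stmts if w[0] == 'acl' and len(w) > 1}
    options = next((b for w, b in stmts if w[0] == 'options'), None) or []
    opt = {w[0]: (w[1:], b) for w, b in options}
    findings = []
    for directive in ('allow-recursion', 'allow-transfer'):
        if directive not in opt:
            findings.append(f'{directive} not set: named falls back to its built-in default')
            continue
        flat = [x for n in entries(opt[directive][1]) for x in expand(n, acls)]
        if 'any' in flat or not flat:
            findings.append(f'{directive} is open to everyone')
        for name in flat:
            if (name not in acls and name.lstrip('!') not in BUILTIN_ACLS
                    and not IPV4_RE.fullmatch(name)):
                findings.append(f'{directive} references undefined ACL "{name}"')
    if 'version' not in opt:
        findings.append('version not set: named will report its real BIND version')
    return findings


# Constructed sample 1: the layout the tutorial above produces.
HARDENED = '''
acl "trusted" {
    192.0.2.10;
    192.0.2.11;
};
options {
    directory "/var/named";
    // query-source address * port 53;
    version "Bind";
    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };
};
'''

# Constructed sample 2: the open-resolver shape the tutorial is fixing.
OPEN = '''
options {
    directory "/var/named";
    allow-recursion { any; };
};
'''

if __name__ == '__main__':
    for label, conf in (('hardened', HARDENED), ('open', OPEN)):
        print(label, audit(conf) or ['OK'])
```

Run it against the real file with `audit(open('/etc/named.conf').read())` before `service named restart`; if it reports an undefined ACL, the name in the acl block and in the allow-* directive do not match. The "not set" finding for allow-transfer matters because BIND's default for zone transfers is any; for allow-recursion the default depends on the BIND version, which is exactly why the tutorial sets it explicitly.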