Securing Named

Those look good to me.

Other than that, I don't know what those IP addresses resolve to? Upstream Internet connection provider, hopefully?
 
jlasman said:
What you want is highspeed resolution. That's what you get on your local network.

Yes, most definitely.


Do you misunderstand the purpose of /etc/resolv.conf? This is the list of nameservers THIS machine will use. If the local network fails the local machine isn't going to be able to get to an off-network nameserver anyway. Or anywhere else off-network, in fact.

Possibly.

I've listed my two nameservers, one on the same network, the other not, in the resolv.conf file.


lists at least two nameservers, both of which are working servers on a network local to your server, and neither of which are actually your nameserver.

So I should put a couple of our colocation provider's nameservers in the resolv.conf (has the penny dropped)?

regards
Jon
 
The best thing to do is ask your upstream (colo provider) what DNS servers you should use for resolution.

Put those into your /etc/resolv.conf file.

Jeff
 
Thanks. Will do.

Only problem is that their DNS servers are not that reliable, which is why I use my own nameservers. :eek:

Jon
 
Then search these forums for how to make your nameserver recursive for your localhost but not for anyone else.

But generally, if you have trouble reaching their nameservers it's because they're not available while they're restarting. And your localhost nameserver could have the same problem.

Jeff
 
If you need to make your localhost able to use recursion, add the marked lines below:
jw00dy said:
I do something similar, but a little different. Just thought I'd post mine in case you want to control it a little differently.

Code:
options {
        directory "/var/named";
        allow-transfer {
                "external_secondaries"; };      // zone transfers only to your own secondaries
        allow-recursion {                       // MARKED: recursion only for these ACLs
                "external_secondaries";
                "internal_addresses"; };        // MARKED: add the internal ACL here
        blackhole {
                "bogusnets"; };                 // never answer, never query these sources
        version "dilligaf";                     // cover string returned for version.bind
        auth-nxdomain no;
        listen-on {
                "listen_ipaddress"; };
};

logging {
        category notify { null; };
        category lame-servers { null; };
};

acl "external_secondaries" {
        <slave1IPAddr>;
        <slave2IPAddr>;
        <slave3IPAddr>;
};

acl "internal_addresses" {                      // MARKED: localhost plus your own hosts
        127.0.0.1;
        <internalIPAddr1>; <internalIPAddr2>;
        <internalIPAddr3>; <internalIPAddr4>;
};                                              // MARKED

acl "bogusnets" {                               // reserved/private space, never a valid query source on the Internet
        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24;
        224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

acl "listen_ipaddress" {
        <IPAddrofThisDNSServer>;
};

You could also add a "trusted" under the recursion section, and just add any ip addr that you want to be trusted to do recursion, but that doesn't do anything else.
 
Old thread, but...
It seems people are talking about "Secure your DNS Server".
I do see things in the logs that are pointing to the server being an open relay; I searched the net, and here, and of course the more you read the more it seems it isn't a simple matter.
Reference Here

A how-to.
But what would be an appropriate setup with a DA server?
How to Secure your DNS Server
To secure your DNS server, all you need to do is add the following lines to your /etc/named.conf file.

1. First you should know the 2 IPs of your DNS server. Just open /etc/nameserverips and there you will get the 2 DNS IPs.

tail /etc/nameserverips

2. Open /etc/named.conf

Look for options { line and above it add these lines

acl "trusted" {
x.x.x.x;
y.y.y.y;
};

where x and y are your 2 DNS IPs from step (1).

3. Look for line

// query-source address * port 53;

below it, insert the following lines.

version "Bind";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };

This will disable DNS recursion (preventing your server from being an open DNS server), and restrict zone transfers and notifications to your DNS servers only and not to outside queries. The version line will hide the BIND version.

Once all is complete, restart named.

service named restart
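Both jw00dy's config earlier in the thread and the how-to quoted above lock down the same three things: recursion for strangers, zone transfers and the version string. The script below is an added example, not part of the thread, jw00dy's config or the how-to, for checking from the outside that the lock-down actually took. It assumes dig(1) is installed and that the server address and zone name you pass in are your own; the classify functions read captured dig output, so they can be exercised offline on constructed samples, and run_live wires them to real queries.

```shell
#!/bin/sh
# Added example (not from this thread, jw00dy's config or the quoted how-to):
# probe a BIND server from a host OUTSIDE its ACLs for the three things those
# configs lock down: recursion for strangers, zone transfers and the version
# string. Assumes dig(1) is installed and that the server address and zone
# you pass in are your own. The classify_* functions read captured dig output
# so they can be exercised offline on constructed samples; run_live wires
# them to real queries.

# Classify the reply to an ordinary recursive query (dig sets RD by default).
# Echoes one word: open-resolver, closed, or unknown.
classify_recursion() {
    out="$1"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case " $flags " in
        *" ra "*)
            # RA set and a real answer: the server resolved a name it is not
            # authoritative for on behalf of a stranger. That is an open resolver.
            if [ "$status" = "NOERROR" ] && [ "${answers:-0}" -gt 0 ]; then
                echo open-resolver
            else
                echo unknown
            fi ;;
        *)
            # RA clear: BIND answered REFUSED (or a bare referral) because the
            # client is outside allow-recursion. That is the wanted state.
            if [ -n "$status" ]; then echo closed; else echo unknown; fi ;;
    esac
    return 0
}

# Classify the +short answer to a version.bind CHAOS TXT query.
# Echoes: hidden (no answer), leaks:<string> (looks like a real version),
# or cover:<string> (a cover string such as "dilligaf" or "Bind").
classify_version() {
    txt=$(printf '%s\n' "$1" | tr -d '"' | head -n 1)
    case "$txt" in
        "")            echo hidden ;;
        *[0-9].[0-9]*) echo "leaks:$txt" ;;
        *)             echo "cover:$txt" ;;
    esac
    return 0
}

# Classify the output of an AXFR request for one of the server's own zones.
# Echoes: refused, allowed, or unknown.
classify_axfr() {
    case "$1" in
        *"Transfer failed."*) echo refused ;;
        *"XFR size:"*)        echo allowed ;;
        *)                    echo unknown ;;
    esac
    return 0
}

# Run all three probes. $1 = server IP, $2 = a zone it is authoritative for.
# www.example.com is simply a name the server is NOT authoritative for.
run_live() {
    srv="$1"; zone="$2"
    echo "recursion: $(classify_recursion "$(dig @"$srv" www.example.com A +time=3 +tries=1)")"
    echo "version:   $(classify_version "$(dig @"$srv" version.bind txt chaos +short +time=3 +tries=1)")"
    echo "transfer:  $(classify_axfr "$(dig @"$srv" "$zone" AXFR +time=3 +tries=1)")"
}

# Usage: sh dnsprobe.sh 203.0.113.10 example.net   (run from OUTSIDE your network)
if [ "$#" -eq 2 ]; then
    run_live "$1" "$2"
fi
```

Run it from a host that is in none of the ACLs; run from the server itself, 127.0.0.1 is inside allow-recursion in both configs and the recursion probe will report open-resolver by design. Validate the edited file with `named-checkconf /etc/named.conf` before the restart, since a syntax error in named.conf leaves named down rather than insecure.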
 
You're much better off not using your nameserver for both authoritative and non-authoritative nameservice.

This has been discussed on these forums ad nauseam, so I don't see any need to discuss it more. Others may differ ;).

Jeff
 