Restrict DNS to Respond Only for Our Domains
Hi,
I would like to look at restricting our external DNS servers to only respond for the domains that we own. Firstly, I would like to ask if this is the convention, or does everybody set their DNS to answer all queries for everyone?
Assuming not, we will still want our externals to do recursive lookups for our internal traffic so we will need an ACL to identify internal networks and allow recursion.
Would I also need a 'zone "." recursion no' stanza, so that all other traffic will be denied or would the ACL be enough?
Looking at my named.conf, it looks like it has been set up like this in the past, but this has been commented out.
named.conf: (truncated)
acl dns_servers { internal_dns_ip; internal_dns_ip; };
options {
directory "/var/named" ;
allow-query { any; };
# allow-query { dns_servers; 127.0.0.1; };
# allow-recursion { dns_servers; 127.0.0.1; };
allow-recursion { any; };
allow-transfer { none; };
allow-notify {master_dns_ip; };
listen-on-v6 { none; };
recursive-clients 3500;
version none;
zone-statistics yes;
notify no;
auth-nxdomain no;
};
view external {
match-clients { any; };
zone "orgname.com" {
type slave;
file "/var/named/slave/external/orgname.com";
masters { master_dns_ip; };
allow-notify { master_dns_ip; };
allow-query { any; };
};
... more zones ...
};
#2 Oct 7th, 2009
>>I would like to look at restricting our external DNS servers to only respond for the domains that we own. Firstly, I would like to ask if this is the convention, or does everybody set their DNS to answer all queries for everyone?
Typically you allow all queries for the domains you are the authority over and block all other external traffic. If this server is located inside a LAN it is common to allow internal traffic to do recursive lookups on any domain.
A domain I own (or used to, it lapsed and someone bought it). I allow transfer and set also-notify for my other nameservers:
zone "wombatcs.com" {
type master;
file "/etc/bind/zones/wombatcs.com";
allow-transfer { 72.16.x.x; 72.x.17x.x; localhost; 20x.x.2x8.x; };
allow-query { any; };
also-notify { 72.16.x.x; x.42.x.219; };
};
For my options configuration to deny queries:
options {
directory "/var/cache/bind";
version "NO INFORMATION";
allow-query { 10.2.1.0/24; localhost; 64.25.1.0/24; 64.x.131.0/24; x.16.141.0/24; x.x.20.228; 72.x.178.0/24; x.196.x.0/24; };
allow-recursion { 10.2.1.0/24; localhost; 64.x.1.0/24; 64.x.131.0/24; x.16.141.0/24; x.x.20.228; 72.x.178.0/24; x.196.35.0/24; };
allow-transfer { none; };
zone-statistics no;
statistics-file "/var/cache/bind/stats";
auth-nxdomain no; # conform to RFC1035
};
You can see I also set a version in my options. I do this to hide the version of BIND because in the past there have been numerous BIND exploits that would allow a remote user to become root. You can test this:
sk@sk:/tmp$ dig @localhost version.bind chaos txt

; <<>> DiG 9.4.0 <<>> @localhost version.bind chaos txt
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62932
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind. CH TXT

;; ANSWER SECTION:
version.bind. 0 CH TXT "NO INFORMATION"

;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 7 06:44:29 2009
;; MSG SIZE rcvd: 71
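An added check script, not posted by either participant, that verifies the outcome both posts are after once the allow-query / allow-recursion ACLs are in place: run from outside the ACL'd networks against your own server, it classifies dig's header as REFUSED (allow-query blocked the client), CLOSED (answers but the "ra" flag is absent, the state you want on an external authoritative server) or OPEN (still recursing for outsiders), and probes version.bind. The sample responses are constructed; example.net is an assumed name the server is not authoritative for.

```shell
#!/bin/sh
# Read a dig(1) response on stdin and print REFUSED, CLOSED or OPEN.
# REFUSED: status: REFUSED (allow-query denied us).
# OPEN:    the "ra" (recursion available) flag is set for this client.
# CLOSED:  answered, but no "ra" flag: the server will not recurse for us.
classify_dig() {
    out=$(cat)
    case "$out" in
        *"status: REFUSED"*) echo REFUSED; return 0 ;;
    esac
    # Header line looks like ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, ..."
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" ra "*) echo OPEN ;;
        *)        echo CLOSED ;;
    esac
}

# Live check: ask for a name we are NOT authoritative for (example.net is
# an assumed placeholder) with recursion desired, then probe version.bind.
check_server() {
    server=$1
    printf 'recursion offered to this client: '
    dig @"$server" example.net A | classify_dig
    printf 'version.bind reports: '
    dig @"$server" version.bind chaos txt +short
}

# Constructed sample headers (not real captures) for offline testing.
SAMPLE_CLOSED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available'
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 3
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Usage: sh check_dns.sh <server-ip>   (no argument: only define functions)
if [ -n "${1:-}" ]; then check_server "$1"; fi
```

A correctly restricted external server should print CLOSED for outside clients and OPEN only from the networks listed in allow-recursion.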