That's brilliant! Thanks. I'd still include the hint zone (as I'm partial to not having unnecessary warnings on startup).
Also a lot of folks use localhost and/or localnets in DNS configuration. Just from a security standpoint, I prefer to be more specific. localhost and/or localnets can be much more template friendly, I know. However, your suggestion changes my response for excluded addresses from SERVFAIL to REFUSED. Much better.

Cheers!

On Wed, Aug 26, 2015 at 5:02 AM, Tony Finch <d...@dotat.at> wrote:
> Bob McDonald <bmcdonal...@gmail.com> wrote:
> >
> > To further lock this information down I would suggest adding the
> > following view statements to any internet facing DNS device configuration:
> >
> > view "outsiders" chaos {
> >   match-clients { !127.0.0.1; !your-inside--nets; any; };
> >   allow-query { none; };
> >   # we need a zone within a view and Bind complains on startup if there is
> >   # no hint file in classes other than internet. (it is provided with the
> >   # software for the internet class)
> >   zone "." chaos {
> >     type hint;
> >     file "/dev/null"; // or any empty file
> >   };
> > };
>
> Another way is to use BIND's syntax for explicitly configuring the special
> server information zones, like below. This view handles all queries for
> the chaos class, and rejects queries from nonlocal clients.
>
> view bind chaos {
>   recursion no;
>   allow-query { localhost; localnets; };
>   zone authors.bind ch { type master; database "_builtin authors"; };
>   zone hostname.bind ch { type master; database "_builtin hostname"; };
>   zone version.bind ch { type master; database "_builtin version"; };
>   zone id.server ch { type master; database "_builtin id"; };
> };
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> Viking, North Utsire: Easterly 4 or 5, increasing 6 at times. Slight or
> moderate, but rough in southwest Viking. Showers later. Good, occasionally
> poor later.
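A way to verify that either view above does what the thread wants, as an added example that is not part of the list post: a small CHAOS-class TXT prober that queries version.bind, hostname.bind, authors.bind and id.server and reports whether the server answered REFUSED (what an outside client should see), disclosed the information, or returned something else such as SERVFAIL. The DNS wire-format builder and parser are minimal and written for this example only (TXT in class CH); the sample responses are constructed in code, not captured traffic, so the classification can be checked offline before pointing `probe()` at a server you administer.

```python
"""Check how a BIND server answers CHAOS-class server-info queries.

Added example (not from the bind-users thread). Standard library only;
the DNS encoder/decoder is a deliberately minimal, hypothetical helper.
"""
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
SERVER_INFO_NAMES = ("version.bind", "hostname.bind", "authors.bind", "id.server")


def encode_name(name):
    """Encode a dotted name into DNS wire labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_chaos_query(name, txid=0x1234):
    """Build a CH/TXT query with RD=0 so only the server's own answer is tested."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg):
    """Return the rcode name and any CH TXT strings from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # skip qtype + qclass
    texts = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            i = 0
            while i < len(rdata):  # TXT rdata is a sequence of <len><chars>
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode("utf-8", "replace"))
                i += 1 + n
    rcode = flags & 0xF
    return {"id": txid, "rcode": RCODE_NAMES.get(rcode, str(rcode)), "txt": texts}


def classify(parsed):
    """'refused' is what outsiders should get; 'disclosed' means info leaked."""
    if parsed["rcode"] == "REFUSED":
        return "refused"
    if parsed["rcode"] == "NOERROR" and parsed["txt"]:
        return "disclosed"
    return "other"  # e.g. SERVFAIL from a view with no matching zone


def probe(server, name="version.bind", port=53, timeout=2.0):
    """Send one query over UDP to a server you run and classify the reply."""
    query = build_chaos_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        data, _ = s.recvfrom(512)
    parsed = parse_response(data)
    return classify(parsed), parsed


def sample_response(name, rcode, txt=None, txid=0x1234):
    """Constructed wire response (not captured traffic) for offline checks."""
    answering = txt is not None
    flags = 0x8000 | (0x0400 if answering else 0) | rcode  # QR, AA when answering
    question = encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    answers = b""
    if answering:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        answers = (struct.pack("!H", 0xC00C)  # pointer to the question name
                   + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answering else 0, 0, 0)
    return header + question + answers


if __name__ == "__main__":
    # Offline demonstration with constructed replies; replace with probe(<server>)
    for qname in SERVER_INFO_NAMES:
        print(qname, classify(parse_response(sample_response(qname, 5))))
```

Run `probe("203.0.113.10")` (a placeholder address) from a host outside `localhost`/`localnets` and the expected result for the `view bind chaos` configuration is `refused`; the same call from a listed local client should return `disclosed` with the TXT strings BIND serves from its built-in zones. A result of `other` with rcode SERVFAIL is the behaviour the reply above says the explicit `_builtin` zones replace.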
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list