diff options
| author | Hugo Landau <hlandau@devever.net> | 2014-10-16 16:52:17 +0100 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-10-16 19:05:10 +0000 |
| commit | 10f550c471adec9b04d66ceb81eddf88f95c7598 (patch) | |
| tree | 80cdcda501f3aff43b71636773af7c54775d86a4 /main/bind/named.conf.authoritative | |
| parent | cddbf13cfdf463498f1619cb11a6e665650b3563 (diff) | |
| download | aports-10f550c471adec9b04d66ceb81eddf88f95c7598.tar.bz2 aports-10f550c471adec9b04d66ceb81eddf88f95c7598.tar.xz | |
bind: Modify default config to be more secure
By default BIND will happily serve as both an authoritative nameserver
and recursive resolver, but this is no longer a recommended or desirable
configuration. The previous default configuration did not draw attention
to this fact and the issues involved.
Users are now made to rename one of two sample configuration files,
named.conf.authoritative or named.conf.recursive. Comments inside either
file advise DNS administrators of the most prevalent security issues.
This ensures that users setting up an authoritative nameserver do not
unwittingly also operate a resolver. In the previous default
configuration, BIND would happily perform recursive resolution for
localhost, which means that the local machine may receive
non-authoritative data from what is supposed to be an authoritative
nameserver.
Both default configurations disable zone transfers by default, as BIND
defaults to enabling them for any host (!).
Diffstat (limited to 'main/bind/named.conf.authoritative')
| -rw-r--r-- | main/bind/named.conf.authoritative | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/main/bind/named.conf.authoritative b/main/bind/named.conf.authoritative new file mode 100644 index 0000000000..71e98ddc7c --- /dev/null +++ b/main/bind/named.conf.authoritative @@ -0,0 +1,56 @@ +// Copy this file to /etc/bind/named.conf if you want to run bind as an +// authoritative nameserver. If you want to run a recursive DNS resolver +// instead, see /etc/bind/named.conf.recursive. +// +// BIND supports using the same daemon as both authoritative nameserver and +// recursive resolver; it supports this because it is the oldest and original +// nameserver and so was designed before it was realized that combining these +// functions is inadvisable. +// +// In actual fact, combining these functions is a very bad idea. It is thus +// recommended that you run a given instance of BIND as either an authoritative +// nameserver or recursive resolver, not both. The example configuration herein +// provides a secure starting point for running an authoritative nameserver. + +options { + directory "/var/bind"; + + // Configure the IPs to listen on here. + listen-on { 127.0.0.1; }; + listen-on-v6 { none; }; + + // If you want to allow only specific hosts to use the DNS server: + //allow-query { + // 127.0.0.1; + //}; + + // Specify a list of IPs/masks to allow zone transfers to here. + // + // You can override this on a per-zone basis by specifying this inside a zone + // block. + // + // Warning: Removing this block will cause BIND to revert to its default + // behaviour of allowing zone transfers to any host (!). + allow-transfer { + none; + }; + + // If you have problems and are behind a firewall: + //query-source address * port 53; + + pid-file "/var/run/named/named.pid"; + + // Changing this is NOT RECOMMENDED; see the notes above and in + // named.conf.recursive. + allow-recursion { none; }; + recursion no; +}; + +// Example of how to configure a zone for which this server is the master: +//zone "example.com" IN { +// type master; +// file "/etc/bind/master/example.com"; +//}; + +// You can include files: +//include "/etc/bind/example.conf"; |