aboutsummaryrefslogtreecommitdiffstats
path: root/main/bind/named.conf
diff options
context:
space:
mode:
authorHugo Landau <hlandau@devever.net>2014-10-16 16:52:17 +0100
committerNatanael Copa <ncopa@alpinelinux.org>2014-10-16 19:05:10 +0000
commit10f550c471adec9b04d66ceb81eddf88f95c7598 (patch)
tree80cdcda501f3aff43b71636773af7c54775d86a4 /main/bind/named.conf
parentcddbf13cfdf463498f1619cb11a6e665650b3563 (diff)
downloadaports-10f550c471adec9b04d66ceb81eddf88f95c7598.tar.bz2
aports-10f550c471adec9b04d66ceb81eddf88f95c7598.tar.xz
bind: Modify default config to be more secure
By default BIND will happily serve as both an authoritative nameserver and recursive resolver, but this is no longer a recommended or desirable configuration. The previous default configuration did not draw attention to this fact and the issues involved. Users are now made to rename one of two sample configuration files, named.conf.authoritative or named.conf.recursive. Comments inside either file advise DNS administrators of the most prevalent security issues. This ensures that users setting up an authoritative nameserver do not unwittingly also operate a resolver. In the previous default configuration, BIND would happily perform recursive resolution for localhost, which means that the local machine may receive non-authoritative data from what is supposed to be an authoritative nameserver. Both default configurations disable zone transfers by default, as BIND defaults to enabling them for any host (!).
Diffstat (limited to 'main/bind/named.conf')
-rw-r--r--main/bind/named.conf53
1 files changed, 0 insertions, 53 deletions
diff --git a/main/bind/named.conf b/main/bind/named.conf
deleted file mode 100644
index d58c61bde0..0000000000
--- a/main/bind/named.conf
+++ /dev/null
@@ -1,53 +0,0 @@
-options {
- directory "/var/bind";
-
- // uncomment the following lines to turn on DNS forwarding,
- // and change the forwarding ip address(es) :
- //forward first;
- //forwarders {
- // 123.123.123.123;
- // 123.123.123.123;
- //};
-
- listen-on-v6 { none; };
- listen-on { 127.0.0.1; };
-
- // to allow only specific hosts to use the DNS server:
- //allow-query {
- // 127.0.0.1;
- //};
-
- // if you have problems and are behind a firewall:
- //query-source address * port 53;
- pid-file "/var/run/named/named.pid";
-};
-
-// Briefly, a zone which has been declared delegation-only will be effectively
-// limited to containing NS RRs for subdomains, but no actual data beyond its
-// own apex (for example, its SOA RR and apex NS RRset). This can be used to
-// filter out "wildcard" or "synthesized" data from NAT boxes or from
-// authoritative name servers whose undelegated (in-zone) data is of no
-// interest.
-// See http://www.isc.org/products/BIND/delegation-only.html for more info
-
-//zone "COM" { type delegation-only; };
-//zone "NET" { type delegation-only; };
-
-zone "." IN {
- type hint;
- file "named.ca";
-};
-
-zone "localhost" IN {
- type master;
- file "pri/localhost.zone";
- allow-update { none; };
- notify no;
-};
-
-zone "127.in-addr.arpa" IN {
- type master;
- file "pri/127.zone";
- allow-update { none; };
- notify no;
-};