| field | value | timestamp |
|---|---|---|
| author | Hugo Landau <hlandau@devever.net> | 2014-10-16 16:52:17 +0100 |
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-10-16 19:05:10 +0000 |
| commit | 10f550c471adec9b04d66ceb81eddf88f95c7598 (patch) | |
| tree | 80cdcda501f3aff43b71636773af7c54775d86a4 /main/bind/named.conf | |
| parent | cddbf13cfdf463498f1619cb11a6e665650b3563 (diff) | |
bind: Modify default config to be more secure
By default BIND will happily serve as both an authoritative nameserver
and recursive resolver, but this is no longer a recommended or desirable
configuration. The previous default configuration did not draw attention
to this fact and the issues involved.
Users are now made to rename one of two sample configuration files,
named.conf.authoritative or named.conf.recursive. Comments inside either
file advise DNS administrators of the most prevalent security issues.
This ensures that users setting up an authoritative nameserver do not
unwittingly also operate a resolver. In the previous default
configuration, BIND would happily perform recursive resolution for
localhost, which means that the local machine may receive
non-authoritative data from what is supposed to be an authoritative
nameserver.
Both default configurations disable zone transfers by default, as BIND
defaults to enabling them for any host (!).
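The commit message lists three settings that decide whether a named.conf is safe in the role it is meant for: whether recursion is on (BIND's default) and restricted by an ACL, whether zone transfers are restricted (BIND's default is to allow them to any host), and whether `type master` zones sit next to a `type hint` root zone so one daemon plays both roles. The following audit script is an added example, not code from this commit or from the aports repository: it strips named.conf comments, locates the `options` block and the `zone` blocks by brace matching, and reports those hazards. The first sample is an abridged copy of the named.conf this commit deletes; the authoritative and recursive samples are constructed hardened counterparts, and their addresses (192.0.2.53, 10.0.0.53, 10.0.0.0/8), zone name (example.com) and file paths are assumptions, not values from the page.

```python
"""Audit BIND named.conf text for the hazards the commit message describes.

Added example, not code from the aports repository. The sample configs are
constructed for illustration; addresses, zone names and paths are assumed.
"""
import re

# Zone types that make this server authoritative for the zone.
AUTH_TYPES = {"master", "slave", "primary", "secondary"}
# Loopback zones every BIND install carries; they do not make it a public authority.
LOOPBACK_ZONES = {"localhost", "127.in-addr.arpa"}


def strip_comments(text):
    """Remove /* */, // and # comments (all three are valid in named.conf)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block_body(text, brace):
    """Return the text between the '{' at text[brace] and its matching '}'."""
    depth = 0
    for i in range(brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[brace + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def audit(conf):
    """Return the set of finding names for one named.conf text."""
    text = strip_comments(conf)
    m = re.search(r"\boptions\s*\{", text)
    opts = block_body(text, m.end() - 1) if m else ""
    findings = set()

    # BIND defaults to "recursion yes" when the option is absent.
    rec = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", opts)
    recursion_on = rec is None or rec.group(1) == "yes"
    if recursion_on and not re.search(r"\ballow-recursion\s*\{", opts):
        findings.add("recursion-without-acl")

    # A fixed source port defeats the port randomisation that protects the cache.
    if re.search(r"\bquery-source\b[^;]*\bport\s+\d+", opts):
        findings.add("fixed-source-port")

    zones = []
    for z in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', text):
        body = block_body(text, z.end() - 1)
        t = re.search(r"\btype\s+([\w-]+)\s*;", body)
        zones.append((z.group(1).lower(), t.group(1) if t else "", body))
    served = [(n, b) for n, t, b in zones if t in AUTH_TYPES]

    # BIND defaults to allow-transfer { any; }; a global or per-zone ACL must override it.
    global_xfr = re.search(r"\ballow-transfer\s*\{", opts)
    if not global_xfr and any(not re.search(r"\ballow-transfer\s*\{", b) for _, b in served):
        findings.add("transfer-unrestricted")

    # Authoritative for real zones while still resolving: the mixed role the commit removes.
    if recursion_on and any(n not in LOOPBACK_ZONES for n, _ in served):
        findings.add("mixed-roles")
    return findings


# Abridged copy of the named.conf deleted by this commit.
WEAK_CONF = """
options {
    directory "/var/bind";
    listen-on-v6 { none; };
    listen-on { 127.0.0.1; };
    // if you have problems and are behind a firewall:
    //query-source address * port 53;
    pid-file "/var/run/named/named.pid";
};
zone "." IN { type hint; file "named.ca"; };
zone "localhost" IN { type master; file "pri/localhost.zone"; allow-update { none; }; notify no; };
zone "127.in-addr.arpa" IN { type master; file "pri/127.zone"; allow-update { none; }; notify no; };
"""

# Constructed authoritative-only config (address and zone are assumptions).
AUTHORITATIVE_CONF = """
options {
    directory "/var/bind";
    listen-on { 192.0.2.53; };
    listen-on-v6 { none; };
    recursion no;              /* never resolve on behalf of clients */
    allow-transfer { none; };  /* override BIND's allow-transfer { any; } default */
};
zone "example.com" IN { type master; file "pri/example.com.zone"; allow-update { none; }; };
"""

# Constructed recursive-only config (addresses are assumptions).
RECURSIVE_CONF = """
options {
    directory "/var/bind";
    listen-on { 127.0.0.1; 10.0.0.53; };
    recursion yes;
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };  # resolver ACL, never "any" on a public address
    allow-transfer { none; };
};
zone "." IN { type hint; file "named.ca"; };
zone "localhost" IN { type master; file "pri/localhost.zone"; allow-update { none; }; notify no; };
"""

if __name__ == "__main__":
    for name, conf in [("deleted default", WEAK_CONF), ("authoritative", AUTHORITATIVE_CONF),
                       ("recursive", RECURSIVE_CONF)]:
        print(f"{name}: {sorted(audit(conf)) or 'no findings'}")
```

The deleted default is reported for unrestricted transfers and for recursion with no ACL; the commented-out `query-source ... port 53` line is correctly ignored because comments are stripped before matching. Flipping the authoritative sample to `recursion yes;` makes it light up `mixed-roles`, which is the configuration the commit message warns against.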
Diffstat (limited to 'main/bind/named.conf')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | main/bind/named.conf | 53 |

1 files changed, 0 insertions, 53 deletions
diff --git a/main/bind/named.conf b/main/bind/named.conf deleted file mode 100644 index d58c61bde0..0000000000 --- a/main/bind/named.conf +++ /dev/null @@ -1,53 +0,0 @@ -options { - directory "/var/bind"; - - // uncomment the following lines to turn on DNS forwarding, - // and change the forwarding ip address(es) : - //forward first; - //forwarders { - // 123.123.123.123; - // 123.123.123.123; - //}; - - listen-on-v6 { none; }; - listen-on { 127.0.0.1; }; - - // to allow only specific hosts to use the DNS server: - //allow-query { - // 127.0.0.1; - //}; - - // if you have problems and are behind a firewall: - //query-source address * port 53; - pid-file "/var/run/named/named.pid"; -}; - -// Briefly, a zone which has been declared delegation-only will be effectively -// limited to containing NS RRs for subdomains, but no actual data beyond its -// own apex (for example, its SOA RR and apex NS RRset). This can be used to -// filter out "wildcard" or "synthesized" data from NAT boxes or from -// authoritative name servers whose undelegated (in-zone) data is of no -// interest. -// See http://www.isc.org/products/BIND/delegation-only.html for more info - -//zone "COM" { type delegation-only; }; -//zone "NET" { type delegation-only; }; - -zone "." IN { - type hint; - file "named.ca"; -}; - -zone "localhost" IN { - type master; - file "pri/localhost.zone"; - allow-update { none; }; - notify no; -}; - -zone "127.in-addr.arpa" IN { - type master; - file "pri/127.zone"; - allow-update { none; }; - notify no; -}; |
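Review bot: the removed `options` block never sets `recursion`, `allow-recursion` or `allow-transfer`, so this file ran on BIND's defaults (recursion on, transfers allowed to any host) while loading `type master` zones alongside the `type hint` root zone, which is the mixed authoritative/recursive role the commit message describes; the two replacement samples it names are outside this diffstat, so confirm that each of them states `recursion` explicitly and sets `allow-transfer { none; };` rather than relying on comments alone. Do not carry the commented `//query-source address * port 53;` suggestion into the replacements: pinning the query source port disables source-port randomisation and makes cache poisoning much easier, so it should not be offered as a firewall workaround. The `delegation-only` comment block and its `//zone "COM" { type delegation-only; };` examples are unrelated to either role and can be dropped as well.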