-rw-r--r-- | main/bind/APKBUILD | 26 | ||||
-rw-r--r-- | main/bind/named.conf | 53 | ||||
-rw-r--r-- | main/bind/named.conf.authoritative | 56 | ||||
-rw-r--r-- | main/bind/named.conf.recursive | 104 | ||||
-rw-r--r-- | main/bind/named.initd | 2 |
5 files changed, 177 insertions, 64 deletions
diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index c14e77011e..7b64031a2f 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
@@ -5,7 +5,7 @@ pkgver=9.10.1
 _ver=${pkgver%_p*}
 _p=${pkgver#*_p}
 [ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p"
-pkgrel=0
+pkgrel=1
 pkgdesc="The Berkeley Internet Name Domain Name Server and tools"
 url="http://www.isc.org"
 arch="all"
@@ -20,7 +20,8 @@ source="http://ftp.isc.org/isc/bind9/${_ver}/bind-${_ver}.tar.gz
 bind.so_bsdcompat.patch
 named.initd
 named.confd
- named.conf
+ named.conf.authoritative
+ named.conf.recursive
 127.zone
 localhost.zone
 named.ca
@@ -88,8 +89,10 @@ package() {
 "$pkgdir"/etc/init.d/named || return 1
 install -Dm644 "$srcdir"/named.confd \
 "$pkgdir"/etc/conf.d/named || return 1
- install -Dm644 "$srcdir"/named.conf \
- "$pkgdir"/etc/bind/named.conf || return 1
+ install -Dm644 "$srcdir"/named.conf.authoritative \
+ "$pkgdir"/etc/bind/named.conf.authoritative || return 1
+ install -Dm644 "$srcdir"/named.conf.recursive \
+ "$pkgdir"/etc/bind/named.conf.recursive || return 1
 install -Dm644 "$srcdir"/named.ca \
 "$pkgdir"/var/bind/named.ca || return 1
 install -Dm644 "$srcdir"/127.zone \
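Review bot: After the package() hunk nothing installs `/etc/bind/named.conf` any more, both examples land under their own names, so a fresh install leaves named.initd's checkconfig() failing until the operator copies one into place, and an upgrade from pkgrel 0 may (if apk removes the file it no longer owns) also delete a working unmodified default instead of migrating it. The patch ships no post-install or post-upgrade notice about this; I would add a `bind.post-upgrade` script (listed in `install=`) that says the default named.conf was dropped and how to restore either behaviour, or keep installing the recursive example as `named.conf` so the previous loopback-resolver default remains usable out of the box. package()'s body begins before and continues after this hunk.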
@@ -111,25 +114,28 @@ tools() {
 
 md5sums="82a69faf01b569568d9233f2666e744d bind-9.10.1.tar.gz
 f270a5b0a28ab6e818840c5c368ddbcc bind.so_bsdcompat.patch
-216a2e5cd7c5406f18b648a4d877b750 named.initd
+4a5322cd4df5b33283b19b6010a5c024 named.initd
 418a367cecfdf8760c92235d3967867e named.confd
-be5fd752bdbd59385f2a559d603098d5 named.conf
+a9de5fb1c027a7eedf440bf187594f07 named.conf.authoritative
+886fe73bf37335df1ef15ff842b568b3 named.conf.recursive
 a7455b009b7fccd74ac6f6eaa6902a00 127.zone
 c3220168fabfb31a25e8c3a545545e34 localhost.zone
 a94e29ac677846f3d4d618c50b7d34f1 named.ca"
 sha256sums="5361eca2b8b6bc0b13904b0f964336a478dfbc165711547f6cc3f8752ac60181 bind-9.10.1.tar.gz
 4c5dc352da0a12bdda2644e835f7eabde4f5687f1a98acd65b22be4ee587c086 bind.so_bsdcompat.patch
-474088616d1c4a5fc835d3c64ba30264a72b7e107865a35a711149dde4443b6b named.initd
+058d9d1d6c35f79bc704e87186072d0a79f9a4f269363a8c367885dabf016913 named.initd
 c0e7b365dca072dc96a97c8f81dff012aff7fe57337c10b63cd9f292d03c207d named.confd
-ab2f7305e9a1d30406528c5ef079beb4970c89572e90d57bb5ddb27b8126ad13 named.conf
+28fa20e9c744bd0cd57e0015823362af9bc7311a42cc7f3eae67826a60d6acdc named.conf.authoritative
+633f1b97fbf509880c278e92adedc85fd72d519f7a5b1ecd6b3fb727722f5098 named.conf.recursive
 65b909fc1398dfa5b532ab395d6920758937093cf7e5b5bec8242dff4fe15e89 127.zone
 b6dff70386920adb21883566610b0a45b9de5a3847a870e4ad1902c5c7900399 localhost.zone
 0bd88f7f5cab2f872d3619700e382c1df6837a8aacf28cf6a0bf336742a0ee56 named.ca"
 sha512sums="16b05e3dbda72b6f5b7436271dd9cadbe0da9207b65b5ecbb6abe7042436c1baf740fb04ecaeefcff5f14e9f4747150faf9251deac68437323f05e80631e8723 bind-9.10.1.tar.gz
 f3e3d1b680617485b9db20a59a10fec3b3b539d423984493228a7d5aaa29d699b9012ad60e863e56bdaf15b73952c22710d0ded1c86cd24417ac775ee062cfa3 bind.so_bsdcompat.patch
-de7c25cd8faa67355218c86a798ac803eb418a67c996490fdc3216e74ee4afaddc4113f8398217d385035ac286a17fce7b1d7b9f485db87ec0dec0de916b7e69 named.initd
+8ccc944eb35cd5523b63fabc912b63e60e3d97abebc81e2edcae557dbde6a9b2fc3da71ecaed8c991cffaf73061f59a76ab339ce90f8412b5516744c47887712 named.initd
 127bdcc0b5079961f0951344bc3fad547450c81aee2149eac8c41a8c0c973ea0ffe3f956684c6fcb735a29c43d2ff48c153b6a71a0f15757819a72c492488ddf named.confd
-64d95e7171c990f3191455bfe88acc53ee7dc7e38b87c8317b0bbcffa3a0117337e8da5f74cd33e7c3cb23a5003ac26eb172fd744f580aa20d3f8aab90c1f279 named.conf
+d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793e945e8ff1de3de0858a40334e0d24289eab98df4bb721ac5 named.conf.authoritative
+3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe named.conf.recursive
 eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c 127.zone
 340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone
 badb85a67199b1ff28cdd3529c6d7c70b2757a71f52fd5e0aecb6dab80fa1838af863cd5d451be078cad3ef35f0c256aaac1831671cec119c5a689503e98a192 named.ca"
diff --git a/main/bind/named.conf b/main/bind/named.conf
deleted file mode 100644
index d58c61bde0..0000000000
--- a/main/bind/named.conf
+++ /dev/null
@@ -1,53 +0,0 @@
-options {
- directory "/var/bind";
-
- // uncomment the following lines to turn on DNS forwarding,
- // and change the forwarding ip address(es) :
- //forward first;
- //forwarders {
- // 123.123.123.123;
- // 123.123.123.123;
- //};
-
- listen-on-v6 { none; };
- listen-on { 127.0.0.1; };
-
- // to allow only specific hosts to use the DNS server:
- //allow-query {
- // 127.0.0.1;
- //};
-
- // if you have problems and are behind a firewall:
- //query-source address * port 53;
- pid-file "/var/run/named/named.pid";
-};
-
-// Briefly, a zone which has been declared delegation-only will be effectively
-// limited to containing NS RRs for subdomains, but no actual data beyond its
-// own apex (for example, its SOA RR and apex NS RRset). This can be used to
-// filter out "wildcard" or "synthesized" data from NAT boxes or from
-// authoritative name servers whose undelegated (in-zone) data is of no
-// interest.
-// See http://www.isc.org/products/BIND/delegation-only.html for more info
-
-//zone "COM" { type delegation-only; };
-//zone "NET" { type delegation-only; };
-
-zone "." IN {
- type hint;
- file "named.ca";
-};
-
-zone "localhost" IN {
- type master;
- file "pri/localhost.zone";
- allow-update { none; };
- notify no;
-};
-
-zone "127.in-addr.arpa" IN {
- type master;
- file "pri/127.zone";
- allow-update { none; };
- notify no;
-};
diff --git a/main/bind/named.conf.authoritative b/main/bind/named.conf.authoritative
new file mode 100644
index 0000000000..71e98ddc7c
--- /dev/null
+++ b/main/bind/named.conf.authoritative
@@ -0,0 +1,56 @@
+// Copy this file to /etc/bind/named.conf if you want to run bind as an
+// authoritative nameserver. If you want to run a recursive DNS resolver
+// instead, see /etc/bind/named.conf.recursive.
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a secure starting point for running an authoritative nameserver.
+
+options {
+ directory "/var/bind";
+
+ // Configure the IPs to listen on here.
+ listen-on { 127.0.0.1; };
+ listen-on-v6 { none; };
+
+ // If you want to allow only specific hosts to use the DNS server:
+ //allow-query {
+ // 127.0.0.1;
+ //};
+
+ // Specify a list of IPs/masks to allow zone transfers to here.
+ //
+ // You can override this on a per-zone basis by specifying this inside a zone
+ // block.
+ //
+ // Warning: Removing this block will cause BIND to revert to its default
+ // behaviour of allowing zone transfers to any host (!).
+ allow-transfer {
+ none;
+ };
+
+ // If you have problems and are behind a firewall:
+ //query-source address * port 53;
+
+ pid-file "/var/run/named/named.pid";
+
+ // Changing this is NOT RECOMMENDED; see the notes above and in
+ // named.conf.recursive.
+ allow-recursion { none; };
+ recursion no;
+};
+
+// Example of how to configure a zone for which this server is the master:
+//zone "example.com" IN {
+// type master;
+// file "/etc/bind/master/example.com";
+//};
+
+// You can include files:
+//include "/etc/bind/example.conf";
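Review bot: The authoritative example locks down zone transfers and recursion but says nothing about response amplification, which is how an Internet-facing authoritative server is most often abused, while its sibling named.conf.recursive spends a page warning about exactly that class of attack. BIND 9.10 (the pkgver here) compiles Response Rate Limiting in by default, I believe, so the options block could carry a commented-out `//rate-limit { responses-per-second 10; };` with a sentence on when to enable it, and `minimal-responses yes;` keeps answers small at no operational cost. The `//query-source address * port 53;` hint carried over from the old named.conf is harmless for a `recursion no;` server but still reads as advice to pin the source port; since this file is the template people copy, I would drop `port 53` from it. Finally, with `listen-on { 127.0.0.1; }` and `allow-query` at its default, the server is reachable by nobody until edited, which is a sound safe default but worth stating in the listen-on comment so operators know it is deliberate.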
diff --git a/main/bind/named.conf.recursive b/main/bind/named.conf.recursive
new file mode 100644
index 0000000000..a068b22d76
--- /dev/null
+++ b/main/bind/named.conf.recursive
@@ -0,0 +1,104 @@
+// Copy this file to /etc/bind/named.conf if you want to run bind as a
+// recursive DNS resolver. If you want to run an authoritative nameserver
+// instead, see /etc/bind/named.conf.authoritative.
+//
+// BIND supports using the same daemon as both authoritative nameserver and
+// recursive resolver; it supports this because it is the oldest and original
+// nameserver and so was designed before it was realized that combining these
+// functions is inadvisable.
+//
+// In actual fact, combining these functions is a very bad idea. It is thus
+// recommended that you run a given instance of BIND as either an authoritative
+// nameserver or recursive resolver, not both. The example configuration herein
+// provides a starting point for running a recursive resolver.
+//
+//
+// *** IMPORTANT ***
+// You should note that running an open DNS resolver (that is, a resolver which
+// answers queries from any globally routable IP) makes the resolver vulnerable
+// to abuse in the form of reflected DDoS attacks.
+//
+// These attacks are now widely prevalent on the open internet. Even if
+// unadvertised, attackers can and will find your resolver by portscanning the
+// global IPv4 address space.
+//
+// In one case the traffic generated using such an attack reached 300 Gb/s (!).
+//
+// It is therefore imperative that you take care to configure the resolver to
+// only answer queries from IP address space you trust or control. See the
+// "allow-recursion" directive below.
+//
+// Bear in mind that with these attacks, the "source" of a query will actually
+// be the intended target of a DDoS attack, so this only protects other networks
+// from attack, not your own; ideally therefore you should firewall DNS traffic
+// at the borders of your network to eliminate spoofed traffic.
+//
+// This is a complex issue and some level of understanding of these attacks is
+// advisable before you attempt to configure a resolver.
+
+options {
+ directory "/var/bind";
+
+ // Specify a list of CIDR masks which should be allowed to issue recursive
+ // queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above.
+ allow-recursion {
+ 127.0.0.1/32;
+ };
+
+ // If you want this resolver to itself resolve via means of another recursive
+ // resolver, uncomment this block and specify the IP addresses of the desired
+ // upstream resolvers.
+ //forwarders {
+ // 123.123.123.123;
+ // 123.123.123.123;
+ //};
+
+ // By default the resolver will attempt to perform recursive resolution itself
+ // if the forwarders are unavailable. If you want this resolver to fail outright
+ // if the upstream resolvers are unavailable, uncomment this directive.
+ //forward only;
+
+ // Configure the IPs to listen on here.
+ listen-on { 127.0.0.1; };
+ listen-on-v6 { none; };
+
+ // If you have problems and are behind a firewall:
+ //query-source address * port 53;
+
+ pid-file "/var/run/named/named.pid";
+
+ // Removing this block will cause BIND to revert to its default behaviour
+ // of allowing zone transfers to any host (!). There is no need to allow zone
+ // transfers when operating as a recursive resolver.
+ allow-transfer { none; };
+};
+
+// Briefly, a zone which has been declared delegation-only will be effectively
+// limited to containing NS RRs for subdomains, but no actual data beyond its
+// own apex (for example, its SOA RR and apex NS RRset). This can be used to
+// filter out "wildcard" or "synthesized" data from NAT boxes or from
+// authoritative name servers whose undelegated (in-zone) data is of no
+// interest.
+// See http://www.isc.org/products/BIND/delegation-only.html for more info
+
+//zone "COM" { type delegation-only; };
+//zone "NET" { type delegation-only; };
+
+zone "." IN {
+ type hint;
+ file "named.ca";
+};
+
+zone "localhost" IN {
+ type master;
+ file "pri/localhost.zone";
+ allow-update { none; };
+ notify no;
+};
+
+zone "127.in-addr.arpa" IN {
+ type master;
+ file "pri/127.zone";
+ allow-update { none; };
+ notify no;
+};
diff --git a/main/bind/named.initd b/main/bind/named.initd
index 812dfa90c6..a724848c1f 100644
--- a/main/bind/named.initd
+++ b/main/bind/named.initd
@@ -21,7 +21,7 @@ checkconfig() {
 
 ebegin "Checking named configuration"
 if [ ! -f "${NAMED_CONF}" ] ; then
- eerror "No ${NAMED_CONF} file exists!"
+ eerror "No ${NAMED_CONF} file exists! See the examples in /etc/bind."
 return 1
 fi
 
|
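Review bot: The `//query-source address * port 53;` hint carried into the new resolver example is a cache-poisoning footgun: fixing the outbound source port disables the source-port randomisation BIND relies on against Kaminsky-style spoofed answers, and it sits in a file whose sole audience is people running a recursive resolver, where that defence matters most. I would drop `port 53` from the hint and say why, rather than offering it as a firewall workaround. The example also leaves DNSSEC validation off; BIND 9.10 can validate against its built-in root trust anchor with `dnssec-validation auto;` (it needs `/var/bind` writable for `managed-keys.bind`, which the init script presumably arranges), and that is a reasonable default for a resolver that otherwise only listens on loopback. `allow-query` is left at its default of any, so once `listen-on` is widened the localhost zones at the bottom of the file are served to anyone; mirroring `allow-recursion` there keeps exposure to the trusted prefixes.
```conf
	// … unchanged: directory, allow-recursion, forwarders, forward only, listen-on …

	// Do NOT pin the outgoing query port (e.g. "port 53"): a fixed source
	// port disables the source-port randomisation that protects the cache
	// against spoofed answers. Only the address should ever be fixed here.
	//query-source address *;

	// Validate DNSSEC signatures using the built-in root trust anchor.
	dnssec-validation auto;

	// Answer only the clients that may recurse; otherwise non-recursive
	// queries (e.g. for the localhost zones below) are served to anyone.
	allow-query { 127.0.0.1/32; };

	pid-file "/var/run/named/named.pid";
	// … unchanged: allow-transfer …
```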