
Re: [cobalt-users] Recursive Queries (was: Running Bind as non Root)



On Fri, 31 Aug 2001, Barbara - wrote:

> Hi List,
> 
> Could someone please give me some pointers for turning
> recursion off on ns queries on my RaQ3 to tighten down
> security a bit? I still need my nameserver to answer
> queries for domains on my box, but I want to reject
> unauthorized queries for domains I don't host. 
> 
> I tried to follow tips (instructions) from a book I
> purchased from OpenNA to secure BIND, by adding the
> following to named.conf
> 
> options {
> directory "/etc/named";
> allow-transfer { MY SECONDARY DNS IP; };
> allow-query { 192.168.1.0/24; 207.35.78.0/24;
> localhost; };
> allow-recursion { 192.168.1.0/24; 207.35.78.0/24;
> localhost; };
> version "Go away!";
> };
> 
> But it seems the info in the book is for an
> implementation of BIND that's different from the setup
> on the RaQ's (their method doesn't have the "records"
> file either). So I just ended up with my logs full of
> denied queries from IPs trying to access sites on the
> server :-(
> 
> I saw this post regarding "Running Bind as non Root"
> with a pkg of a tighter version of BIND, but I've
> already implemented many of these changes except the
> one for the ns queries. How can this be accomplished?
> Thank you for your help

You have answered your own question, though you don't realize it. To allow
*your* domains to be resolved, you need to allow anyone to make queries;
you are trying to deny that also. All you want to refuse/restrict is
recursion, since looking up domain names *other than your own* requires a
recursive lookup....

Having said that, be aware that the named.conf file is generated on RaQs
by the graphic interface; it gets wiped out every time you make/save
changes to your DNS config via the web page.....

ps: the 'records' file has nothing to do with bind, which is in fact
quite standard on the RaQs for the most part. records contains the list
of domains the GUI will use to build the zone files and the named.conf
file, and it is in fact what is used for data when you edit DNS via the
GUI, not the actual zone files, which the interface will happily trash and
rebuild from scratch....

pps: you shouldn't really use 'localhost' anywhere in bind's
configuration, regardless of what some silly books recommend; the name->IP
mapping of localhost can be compromised, use 127.0.0.1

gsh
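The split the reply describes, written out as an added example that is not part of the original thread: answer queries for the hosted zones from anywhere, but only recurse for the two local networks. The networks come from the quoted named.conf, the acl name "trusted" is my own, and SECONDARY_DNS_IP is a placeholder for the secondary's address.

```conf
// Added example, not from the original post. Networks are taken from the
// quoted named.conf; replace SECONDARY_DNS_IP with the real secondary.
acl "trusted" {
    127.0.0.1;          // literal loopback address, not "localhost", as the reply advises
    192.168.1.0/24;
    207.35.78.0/24;
};

options {
    directory "/etc/named";

    // Weak setting from the quoted post: limiting allow-query to the local
    // networks also refuses outside lookups of the zones this server hosts,
    // which is why the logs filled with denied queries.
    // allow-query { 192.168.1.0/24; 207.35.78.0/24; localhost; };

    // Corrected: anyone may ask for the zones hosted here ...
    allow-query { any; };

    // ... but only the trusted networks may have this server chase names
    // it is not authoritative for.
    allow-recursion { "trusted"; };

    // Zone transfers only to the secondary.
    allow-transfer { SECONDARY_DNS_IP; };

    version "Go away!";
};
```

To confirm the split from an outside host, query the server for one of its own zones (answered) and then for a name it does not host (refused or a bare referral); the `ra` flag should be absent from that second reply.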