On Wed, 26 Mar 2008, dhull wrote:
> The following should keep me safe. I haven't tried it yet so no real world experience is included in this post.
>
> 1. recursion no;
> 2. allow-transfer {"none";};
>
> The above goes in the options section of the named.conf file. This only works for a "master" DNS server. Here's what I have.
>
> 1. Master DNS server for testing-linux.com
> 2. No slave servers
> 3. No real need to look up things like google.com ( caching setup )
>
> If anyone wants to poke holes in this configuration feel free. If I need a caching server I'll stick that on the inside of my network.
If you want to use your authoritative server to also be a caching DNS
server for your local network you could do something similar to the
following:
// Local LAN subnets
acl lan {
    10.0.0.0/24;
    192.168.0.0/24;
};

// Slave DNS servers
acl slaves {
    24.69.100.12;
    24.69.100.13;
};

// Bogus networks (non-routables or multicast that we should
// *never* be queried by)
// (1/8 and 2/8 were unallocated when this was written; they have
// since been assigned, so drop them before reusing this list)
acl bogus {
    0.0.0.0/8;
    1.0.0.0/8;
    2.0.0.0/8;
    172.16.0.0/12;
    192.0.2.0/24;
    224.0.0.0/3;
};

options {
    // Data directory
    directory "/var/named";

    // Enable caching for local lan only
    // Note: allow-query here is the global default and also governs the
    // authoritative zones, so each zone {} statement that should be served
    // to the world needs its own allow-query { any; };
    allow-query { lan; };
    allow-recursion { lan; };

    // Blackhole bogus nets (no response of any kind to these sources)
    blackhole { bogus; };

    // Allow zone transfers for slaves and local LAN
    allow-transfer { slaves; lan; };
};
Hopefully that will provide a decent example to start with.
--Arthur Corliss
Live Free or Die
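To see what the ACLs above actually let a given client do, the following Python model walks BIND's address-match-list rules (elements tried in order, first hit decides, a "!" element that hits is a negative match, a negative match inside a nested ACL counts as no match) over the exact acl and options blocks from the message. This is an added example, not part of the original post; the ACL contents are the ones posted, the evaluation rules are BIND's documented semantics, and the client addresses fed in are constructed. One thing it makes visible is that a slave at 24.69.100.12 passes allow-transfer but fails the global allow-query, which is why a public zone needs its own allow-query in its zone statement.

```python
import ipaddress

# ACLs and options copied from the named.conf fragment in the message.
ACLS = {
    "lan": ["10.0.0.0/24", "192.168.0.0/24"],
    "slaves": ["24.69.100.12", "24.69.100.13"],
    "bogus": ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8",
              "172.16.0.0/12", "192.0.2.0/24", "224.0.0.0/3"],
}
OPTIONS = {
    "blackhole": ["bogus"],
    "allow-query": ["lan"],
    "allow-recursion": ["lan"],
    "allow-transfer": ["slaves", "lan"],
}


def match_list(client, elements, acls):
    """Evaluate one address-match-list the way BIND does.

    Elements are tried in order and the first one that hits decides.
    Returns True for a positive match, False for a negated ("!") match
    and None when nothing in the list matched.
    """
    for element in elements:
        negated = element.startswith("!")
        name = element[1:] if negated else element
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            # Nested ACL: only a positive result counts as a hit; a negative
            # match inside the nested list is treated as "no match" here.
            hit = match_list(client, acls[name], acls) is True
        else:
            # A bare address becomes a /32, a prefix is used as written.
            hit = client in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return None


def check(client_ip, elements):
    """Convenience wrapper taking the client address as a string."""
    return match_list(ipaddress.ip_address(client_ip), elements, ACLS)


def decide(client_ip):
    """Which operations the posted options {} block allows for one client."""
    client = ipaddress.ip_address(client_ip)
    if match_list(client, OPTIONS["blackhole"], ACLS) is True:
        # Blackholed sources get no reply at all, so nothing else applies.
        return {"blackholed": True, "query": False,
                "recursion": False, "transfer": False}

    def allowed(option):
        return match_list(client, OPTIONS[option], ACLS) is True

    return {
        "blackholed": False,
        "query": allowed("allow-query"),
        "recursion": allowed("allow-recursion"),
        "transfer": allowed("allow-transfer"),
    }


if __name__ == "__main__":
    # Constructed sample clients: a LAN host, a slave, an outsider, a bogon.
    for ip in ("10.0.0.5", "24.69.100.12", "8.8.8.8", "172.16.5.5"):
        print(ip, decide(ip))
```

The model only evaluates each list on its own; it says nothing about what named does once a query is accepted, but it is enough to catch the interaction between a restrictive global allow-query and the hosts you expect to serve or transfer to.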
Received on Wed Mar 26 20:59:52 2008