
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
182
|
Chapter 6: Securing Domain Name Services (DNS)
Securing named.conf
Running named in a padded cell is appropriately paranoid and admirable in itself.
But that’s just the beginning! BIND’s configuration file, named.conf, has a large num-
ber of parameters that allow you to control named with a great deal of granularity.
Consider the sample named.conf file listed in Example 6-3.
The hypothetical server whose configuration file is represented here is an external
DNS server. Since its role is to provide information to the outside world about
Example 6-3. An example named.conf file for external DNS server
# By the way, comments in named.conf can look like this...
// or like this...
/* or like this. */
acl trustedslaves { 192.168.20.202; 192.168.10.30};
acl bozos { 10.10.1.17; 10.10.2.0/24; };
acl no_bozos { localhost; !bozos; };
options {
directory "/";
listen-on { 192.168.100.254; };
recursion no; fetch-glue no;
allow-transfer { trustedslaves; };
};
logging {
channel seclog {
file "var/log/sec.log" versions 5 size 1m;
print-time yes; print-category yes;
};
category xfer-out { seclog; };
category panic { seclog; };
category security { seclog; };
category insist { seclog; };
category response-checks { seclog; };
};
zone "coolfroods.ORG" {
type master;
file "master/coolfroods.hosts";
};
zone ...