[rescue] BIND 9 conf file example needed...
rescue at sunhelp.org
rescue at sunhelp.org
Sun Dec 22 23:03:15 CST 2002
> > I'd really hate to bork it and cause something like
> > say...sunhelp.org...to not be seen. *grin*
> You don't have to worry about that. DNS only gives you enough rope
> to hang yourself with--but not enough to hang all of us. :)
Well, yeah, but he could easily bork up his DNS badly enough that
he wouldn't be able to "find" sunhelp.org by name.
> BTW, here's my config file:
A reasonable starting point JP.
My comments are all along the lines of "this works but it's a bad idea,
or at least could be done better." A few key things:
1. If you're running BIND 9, you need a controls{} section for rndc.
I'm ass-u-ming that you just have an rndc.key file in the same
directory as named.conf and everything's using that.
2. Don't run both recursive and authoritative on the same box unless
you *really* need to...from a security perspective it's a bad idea.
If you *are* going to run both on the same box for a small network,
then at least put some access controls on the recursive function
with the allow-recursion{} directive.
Below is an example from a production-but-still-testing nameserver.
Very slightly obfuscated for several reasons. Note that I have some
absolutely ridiculous logging turned on since this is a test box--I
left it in there because the default logging just dumps a few things
to syslog, and this logging actually doesn't take up that much extra
space on disk. (The testing.log file mostly ends up with stuff in
it that only a DNS geek or developer could possibly consider interesting.)
Other notes:
- This is based on several years of BIND 9 usage, but incorporates
things both from the Secure BIND Template and from the Debian
"stock" BIND 9 named.conf in addition to my own preferences.
- I chose to use "views" so that I could allow trusted clients to
query for running BIND version while keeping external clients
from doing the same. Note that as soon as you put *any* zones
into a view, then *all* zones need to be in views. The good news
is that it is possible to reference a single zone file from both
the "internal" and "external" view if that's your choice.
- I chose to run both recursive and authoritative on this server
for specific reasons I won't go into. It has several layers of
protection and monitoring, but I *still* am considering turning
off recursion even for local clients.
- I have a whole directory structure under /var/named rather than
just putting everything in one directory. Not a big deal for
a one-person operation, but with several dozen master and slave
zones you'd want to have a little more organization--so my stock
config starts out with a directory structure that might be
overkill for a home network.
- Just because It Works For Me doesn't mean it's perfect, or that
it will work for you. Caveat Emptor. Don't forget to use the
handy-dandy named-checkconf tool on whatever you produce...
If anyone has questions, drop me a line off-list and I'll try to help.
--Rip
=-=-=-=-=
//trusted-keys
//{
//"ds.tislabs.com." 256 3 1 "AQPcNhothOErkeXWu2aCtzxkUpDnUef9AF9KC6Squ0
// FL2gpDSoaTU2lC Ia5RnHyuGRfrKEUcbcYcYvPoOvNe0MqS1slSg5hJGBiSZNJVkuh1ys0ki
// BIoutl8hf13Hih5i3fvzCVEA5yxVyKQkjqzeYDyY9LgH1MpC3B/hx3Jv JKYbmw==";
//};
key "rndc-key" {
algorithm hmac-md5;
secret "Yeahrightputmysecretkeyhereforyoutoread=";
};
acl "trusted-nets" {
127.0.0.1;
10.1.2.3/28;
};
key "my-ns-key" {
algorithm hmac-md5;
secret "Yeahrightputmysecretkeyhereforyoutoread=";
};
acl "my-ns" {
127.0.0.1;
205.166.226.38; //ns1.granitecanyon.com, currently non-responsive
65.102.83.43; //ns2.granitecanyon.com, currently non-responsive
key flagon-ns-key;
};
server 216.98.150.33 {
// ns1.domainmonger.com, TSIG-capable for AXFR
// DO NOT put a TSIG key for a server that is not TSIG-capable!
// Get zone transfers working first without TSIG, and *then*
// figure out whether to enable TSIG.
keys { my-ns-key; };
};
server 207.228.252.99 {
// ns2.domainmonger.com, TSIG-capable for AXFR
keys { my-ns-key; };
};
// Next we set up some global options and configuration
options {
directory "/var/named";
allow-recursion { trusted-nets; };
allow-query {
// This just establishes a default; below we specifically
// configure each master/slave zone to allow queries.
trusted-nets;
};
transfer-format many-answers;
};
logging {
// Setting "size 10m" means that none of these logs will ever get
// larger than 10MB in a single file.
channel dnssec_log {
// Gets anything related to DNSSEC signed zones and crypto
file "logs/dnssec.log" size 10m; print-time yes;
print-category yes; print-severity yes; severity debug 3;
};
channel security_log {
// Gets anything that appears to be security relevant
// (other than DNSSEC signed zone stuff)
file "logs/security.log" size 10m; print-time yes;
print-category yes; print-severity yes; severity debug 3;
};
channel recursive_log {
// Gets everything related to recursive queries
file "logs/recursive.log" size 10m; print-time yes;
print-category yes; print-severity yes; severity debug 3;
};
channel testing_log {
// Gets *everything* of interest
file "logs/testing.log" size 10m; print-time yes;
print-category yes; print-severity yes; severity debug 3;
};
category dnssec { "dnssec_log"; "default_syslog"; "testing_log";
"default_debug"; };
category security { "security_log"; "default_syslog"; "testing_log";
"default_debug"; };
category resolver { "recursive_log"; "default_syslog";
"testing_log"; "default_debug"; };
category queries { "default_syslog"; "testing_log"; "default_debug";
};
category database { "default_syslog"; "testing_log";
"default_debug"; };
category client { "default_syslog"; "testing_log"; "default_debug";
};
category general { "default_syslog"; "testing_log"; "default_debug";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
view "internal-in" in {
// Our internal (trusted) view. We permit the internal networks
// to freely access this view. We perform recursion for our
// internal hosts, and retrieve data from the cache for them.
match-clients { trusted-nets; };
recursion yes;
additional-from-auth yes;
additional-from-cache yes;
// There are certain standard zones (the localhost forward and reverse
zones,
// and broadcast zones as per RFC 1912) for which every nameserver should
// be authoritative.
zone "localhost" {
type master;
file "standard/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "standard/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "standard/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "standard/db.255";
};
// We provide a "hint" zone that allows the local nameserver to contact
// the authoritative root servers.
zone "." {
type hint;
file "standard/db.root-cache";
};
// And now for the *real* zones...
zone "sample.test" {
type master;
//file "master/db.sample.test-ds.signed";
allow-transfer { "my-ns"; };
allow-query { any; };
file "master/db.sample.test-ds";
};
};
// Create a view for external DNS clients.
view "external-in" in {
// Our external (untrusted) view. We permit any client to access
// portions of this view. We do not perform recursion or cache
// access for hosts using this view.
match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;
// We provide a "hint" zone that allows the local nameserver to contact
// the authoritative root servers.
zone "." {
type hint;
file "standard/db.root-cache";
};
zone "sample.test" {
type master;
//file "master/db.sample.test-ds.signed";
allow-transfer { "my-ns"; };
allow-query { any; };
file "master/db.sample.test-ds";
};
};
// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
// This could possibly be a good idea from a support point of view,
// but of course the db.bind file probably just says "9.something"
// for version.
view "external-chaos" chaos {
match-clients { any; };
recursion no;
zone "." {
type hint;
file "/dev/null";
};
zone "bind" {
type master;
file "master/db.bind";
allow-query {
trusted-nets;
};
allow-transfer {
none;
};
};
More information about the rescue
mailing list