Jinovich
Thu 15th Jun '06, 5:18am
Server Type: Owned Dedicated
OS: Linux
Bind Version: Not Sure.
Control Panel: Vhcs2
Our DNS server is currently set to open and it seems that it would allow anyone to run a recursive query on our server. As our domain is often targetted by haters trying to DDoS us I would like to patch this.
I am running one root root and one reseller under the root domain
How would I go about securing the recursive?
Would I just modify my named.conf.options with,
allow-query { localnets; };
added under
options {
directory "/var/cache/bind"; ?
Below is a copy of my named.conf file I have replaced my actual domain name with mysite.com for security while I am trying to patch this.
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };
// From the release notes:
// Because many of our users are uncomfortable receiving undelegated answers
// from root or top level domains, other than a few for whom that behaviour
// has been trusted and expected for quite some length of time, we have now
// introduced the "root-delegations-only" feature which applies delegation-only
// logic to all top level domains, and to the root domain. An exception list
// should be specified, including "MUSEUM" and "DE", and any other top level
// domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };
include "/etc/bind/named.conf.local";
// bind Data BEGIN.
// dmn [mysite.com] cfg entry BEGIN.
zone ",mysite.com" {
type master;
file "/var/cache/bind/mysite.com.db";
};
// dmn [mysite.com] cfg entry END.
// dmn [{DMN_NAME}] cfg entry BEGIN.
// dmn [{DMN_NAME}] cfg entry END.
// bind Data END.
OS: Linux
Bind Version: Not Sure.
Control Panel: Vhcs2
Our DNS server is currently set to open and it seems that it would allow anyone to run a recursive query on our server. As our domain is often targetted by haters trying to DDoS us I would like to patch this.
I am running one root root and one reseller under the root domain
How would I go about securing the recursive?
Would I just modify my named.conf.options with,
allow-query { localnets; };
added under
options {
directory "/var/cache/bind"; ?
Below is a copy of my named.conf file I have replaced my actual domain name with mysite.com for security while I am trying to patch this.
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };
// From the release notes:
// Because many of our users are uncomfortable receiving undelegated answers
// from root or top level domains, other than a few for whom that behaviour
// has been trusted and expected for quite some length of time, we have now
// introduced the "root-delegations-only" feature which applies delegation-only
// logic to all top level domains, and to the root domain. An exception list
// should be specified, including "MUSEUM" and "DE", and any other top level
// domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };
include "/etc/bind/named.conf.local";
// bind Data BEGIN.
// dmn [mysite.com] cfg entry BEGIN.
zone ",mysite.com" {
type master;
file "/var/cache/bind/mysite.com.db";
};
// dmn [mysite.com] cfg entry END.
// dmn [{DMN_NAME}] cfg entry BEGIN.
// dmn [{DMN_NAME}] cfg entry END.
// bind Data END.