Re: acl misunderstanding?

This is a discussion on Re: acl misunderstanding? within the Bind Users forums, part of the DNS and Related Forums category.
Old 08-04-2004
Mipam
 

On Wed, 4 Aug 2004, Bill Larson wrote:

> I'm really not sure what you are trying to accomplish here with the
> definition of your root/hints zone, but ... (It looks like you are
> trying to stop people from outside your network from getting the root
> servers from your system. But this won't stop it from serving "as dns
> for the whole world".)
>
> Take a look at the "Secure BIND Template" at
> http://www.cymru.com/Documents/secur...-template.html. I believe
> that this will provide you with a very good starting point for
> configuring a good name server.
>
> On your firewall, be very careful with the configuration. You may
> easily cause problems here that have nothing to do with your DNS
> server. One point that I'm sure someone will tell you about is that
> DNS isn't necessarily limited to just UDP, TCP can also be used for DNS
> queries. Trying to limit yourself to only UDP may cause definite
> problems. I would suggest also opening up TCP. If you think that
> TCP is only used for zone transfers and want to block these, you can
> easily set up this blocking in the configuration and the "Secure BIND
> Template" explains how.


Thanks, I've read the template and see now how to stop being a DNS for the
masses. Indeed, TCP port 53 is also valid, but only for zone transfers and
not for queries (or isn't this true??).

A second question would be: suppose I wish another server to act only as a caching
nameserver for internal clients. I could allow only my internal network
for queries. However, wouldn't it be more logical to only listen on
127.0.0.1 and ip_internal_nic, so that named doesn't even listen on the
outside interface?

Third question is: I noticed that in BIND 9 named-xfer is gone.
I guess I have to use dig instead? The thing is that I was able to specify
the serial in named-xfer. The advantage of this was that "If the SOA RR we
get from the primary server does not have a serial number higher than
this, the transfer will be aborted."
Since dig doesn't have such functionality, a transfer is always done ..
:-(
Bye,

Mipam.
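As an added example (not from this thread or from the BIND project), the serial check that named-xfer offered can be rebuilt around dig: fetch the primary's SOA, compare its serial with the one already held using RFC 1982 serial arithmetic, and only run the AXFR when the primary's serial is higher. The zone name, primary address and serial values below are made-up placeholders.

```shell
#!/bin/sh
# Re-create the named-xfer serial check with dig: abort the transfer unless the
# primary's SOA serial is higher than the serial we already hold.

# Extract the serial (third field) from a `dig +short ZONE SOA` answer line, e.g.
# (constructed sample) "ns1.example.org. hostmaster.example.org. 2004080401 3600 900 604800 86400"
soa_serial() {
    set -- $1          # split the answer line into fields (local to this function)
    echo "$3"
}

# Succeed (return 0) when $2 is newer than $1 under RFC 1982 32-bit serial
# arithmetic, which also handles the wrap-around from 4294967295 back to 0.
serial_is_newer() {
    ours=$1
    theirs=$2
    if [ "$ours" -lt "$theirs" ]; then
        [ $((theirs - ours)) -lt 2147483648 ]
    elif [ "$ours" -gt "$theirs" ]; then
        [ $((ours - theirs)) -gt 2147483648 ]
    else
        return 1       # equal serials: nothing new to transfer
    fi
}

# check_and_transfer ZONE PRIMARY HELD_SERIAL
# Queries PRIMARY for the SOA of ZONE and runs AXFR only if its serial is newer.
check_and_transfer() {
    zone=$1
    primary=$2
    held=$3
    soa=$(dig +short @"$primary" "$zone" SOA) || return 2
    [ -n "$soa" ] || { echo "no SOA answer from $primary for $zone" >&2; return 2; }
    current=$(soa_serial "$soa")
    if serial_is_newer "$held" "$current"; then
        dig @"$primary" "$zone" AXFR
    else
        echo "$zone: primary serial $current is not higher than $held; transfer aborted" >&2
        return 1
    fi
}

# Usage (placeholder values): check_and_transfer example.org 192.0.2.1 2004080401
```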
