Re: allow-query and version.bind

Old 10-14-2004
Andris Kalnozols
 

> ronan@noc.ulcc.ac.uk wrote:
>
> >> But now access to the bind chaos pseudo-zone is not allowed:
> >>
> >> $host -c chaos -t txt VERSION.BIND ns.bofh.it
> >> VERSION.BIND TXT record in class CH query refused
> >> $
> >>
> >> How can I work around this? I do not want to restrict access to it.

> >
> >Create an actual zone for version.bind. (or bind.) with an
> >"allow-query { any; }" on it?

> Sure, this would work. But then I would have to update it after every
> upgrade. This would be very annoying, and I would probably forget to
> update the zone half the times.
>
> I can't believe there is no other way to do this...
>
> --
> ciao, |
> Marco | * The Internet is full. Go away. -- Joel Furr *



Here's how we do this at HP Labs:

============================================================
BIND 8
------

file `named.conf'
-----------------
zone "bind" chaos {
type master;
file "db.bind";
allow-query { authorized-nets; };
notify no;
};
zone "localhost" {
type master;
file "db.localhost";
notify no;
};

file `db.bind'
--------------
$TTL 2D
;
; This zone data file is present as a mechanism to restrict the ability
; to query for the version of BIND that is running on the localhost.
; Although "security through obscurity" is not a robust policy, it's
; still required by the auditors to make the BIND version string a
; restricted item of information. The appropriate ACLs in the BIND
; configuration file make the restriction possible.
; This method is better than the alternative of using the option to
; hardcode the version string in the BIND configuration file since no
; selective access control is possible with that method.
;
; NOTE: Make sure that this name server is also authoritative
; for the appropriately-constructed "localhost" zone.
;
@ CHAOS SOA localhost. root.localhost. (
1 ; Serial
3H ; Refresh every 3 hours
1H ; Retry every hour
1W ; Expire after a week
30M ) ; Negative cache interval
NS localhost.

;
; NOTE: There is no need to include the TXT record for 'version.bind.'
; since it is automatically cached with the default version string
; in the RDATA field when the nameserver is started.
;

file `db.localhost'
-------------------
$TTL 2D
;
; Zone data file to stop queries for the absolute domain name
; `localhost.' from leaking to the Internet's root name servers.
; This generic but special domain name must be resolvable since
; it is defined in the DNS resource records for the following
; local zones:
;
; CHAOS bind.
; 0.in-addr.arpa.
; 0.0.127.in-addr.arpa.
; 127.in-addr.arpa.
; 255.in-addr.arpa.
; 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
; 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int.
;
@ IN SOA localhost. root.localhost. (
1 ; Serial
3H ; Refresh every 3 hours
1H ; Retry every hour
1W ; Expire after a week
30M ) ; Negative cache interval
IN NS localhost.

IN A 127.0.0.1
;
; NOTE: If the localhost is *not* listening on an IPv6 network
; interface, leave the AAAA resource record commented out.
;
; IN AAAA ::1

============================================================
BIND 9
------

view "refuse_chaos" chaos {
#
# The BIND name server defines an internal view called "_bind"
# in which data for the following special queries are coded
# directly into the `named' program:
#
# dig @localhost version.bind chaos txt +norec # BIND version
# dig @localhost authors.bind chaos txt +norec # BIND authors
#
# The site auditing policy requires that the BIND name server
# daemon not reveal its version information to outside parties.
# Since the internal "_bind" view is matched last, this view
# ("refuse_chaos") will match external queries for any RRs in
# the CHAOS class and return a status code of REFUSED.
#
match-clients { !authorized-nets;
any;
};
allow-query { none; };

zone "." { # Since BIND wants every view to have a
type hint; # root hint zone, this declaration will
file "/dev/null"; # stop a warning message in the syslog.
};

}; # end view "refuse_chaos"

============================================================

Andris
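After putting either of the configurations above in place, the natural check is the same one the thread opens with: send a TXT query for version.bind in the CHAOS class with recursion not requested (what `dig ... +norec` does) and see whether the server answers with the version string or returns REFUSED. The following is an added example, not code from the thread or from the BIND project: it builds that query on the wire, classifies a raw reply by RCODE and answer section, and includes a small UDP probe helper. The two sample replies are constructed in the script so it runs offline; the version text "9.x.y" is a placeholder, not a real BIND version.

```python
"""Build a VERSION.BIND CH TXT query and classify a raw DNS reply.

Added example (not from the original post). Wire format follows RFC 1035;
the sample replies below are constructed locally for demonstration.
"""
import socket
import struct

CLASS_CH = 3
TYPE_TXT = 16
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid=0x1234, name="version.bind"):
    """Header with RD=0 (like dig +norec), one question: <name> TXT CH."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def classify_reply(msg):
    """Return ('REFUSED', None), ('ANSWER', text) or (rcode_name, None)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                            # skip question section
        _, off = decode_name(msg, off)
        off += 4
    if rcode != 0:
        return RCODE_NAMES.get(rcode, "RCODE%d" % rcode), None
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            parts, p = [], 0                       # TXT RDATA: <len><chars>...
            while p < len(rdata):
                n = rdata[p]
                parts.append(rdata[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
            return "ANSWER", "".join(parts)
    return "NOERROR", None


def make_refused_reply(query):
    """Constructed reply: QR=1, RCODE=5 (REFUSED), question echoed back."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8005, 1, 0, 0, 0) + query[12:]


def make_txt_reply(query, text):
    """Constructed reply: QR=1, AA=1, one CH TXT answer using a name pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    rdata = bytes([len(text)]) + text.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0) + query[12:] + answer


def probe(server, timeout=2.0):
    """Send the query over UDP/53 to a server you administer and classify it."""
    q = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return classify_reply(data)


if __name__ == "__main__":
    q = build_query()
    print(classify_reply(make_refused_reply(q)))        # expected from outside the ACL
    print(classify_reply(make_txt_reply(q, "9.x.y")))   # expected from authorized-nets
```

Running `probe()` from a host inside `authorized-nets` should give `('ANSWER', ...)` while the same call from outside should give `('REFUSED', None)`; anything else (a timeout, or `('ANSWER', ...)` from an unauthorized network) means the view or ACL did not match the way the comments in the post expect.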

