Re: Bind 8 hardening {Scanned} (Bind Users forums, DNS and Related Forums category)
SW wrote:
| Hi folks,
|
| I'm in the process of setting up 2 dns servers and after reading various
| docs, I'm hoping someone can take a look at my /etc/named.conf's below and
| tell me if I have everything I need to keep my servers safe from the various
| bind exploits. The goal is to allow internal clients access and allow the
| world to be able to resolve local domains (ie our website, mail, etc).
| Anything else I want to block without breaking bind.
|
| Master 100.168.100.10 /etc/named.conf :
|
| acl internal { 192.168.100/24; 100.168.100/24; };
| acl slaves { 100.168.100.50; };
|
| Also, whenever I do an nslookup mydomain.com from a local client, I get the
| following error:
| # nslookup yahoo.com
| *** Can't find server name for address 100.168.100.10: Non-existent
| host/domaine
| *** Can't find server name for address 100.168.100.50: Query refused
| *** Default servers are not available
|
| Thanks,
|
| SW

I'm probably not getting the question right, and I'm probably trying to answer the wrong issue, but what subnet is the "local" client on? If the local client is in the 192.168.100/24 range, what route gets the client to the 100.168.100/24 subnet? Also 100.168.100.50 falls into that iana blackhole, seems an odd choice.
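For reference, an added example of how the two ACLs from SW's post would be applied in a BIND 8 options block; this is not SW's file (the thread shows only the acl lines) and the zone names, file paths and directory are assumed placeholders.

```conf
// Added example, not the config posted in the thread.
// Uses the two ACLs from the post; everything else is assumed.

acl internal { 192.168.100/24; 100.168.100/24; };
acl slaves   { 100.168.100.50; };

options {
    directory "/var/named";          // assumed path

    // Anyone may query the zones this server is authoritative for ...
    allow-query { any; };
    // ... but only internal clients may use it as a recursive resolver.
    allow-recursion { internal; };
    // Zone transfers (AXFR) only to the listed slave.
    allow-transfer { slaves; };
    // Don't advertise the exact BIND version in CHAOS-class TXT queries.
    version "not disclosed";
};

// Authoritative zone the outside world must be able to resolve
// (placeholder name; the post does not give the real one).
zone "example.com" {
    type master;
    file "master/example.com";
};

// Reverse zone for the servers' own subnet. The old nslookup in the post
// first does a PTR lookup on the server address; serving that reverse zone
// (and allowing the client to query it) avoids the "Can't find server name
// for address ..." messages. "Query refused" from a server typically means
// its allow-query does not include the client's address.
zone "100.168.100.in-addr.arpa" {
    type master;
    file "master/100.168.100.rev";
};
```

The slave at 100.168.100.50 needs the same allow-query / allow-recursion settings, since the REFUSED answer in the post came from it rather than from the master.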