diff options
author | Dan Theisen <djt@hxx.in> | 2018-07-06 00:13:54 -0700 |
---|---|---|
committer | Dan Theisen <djt@hxx.in> | 2018-07-06 02:34:42 -0700 |
commit | df1a5e501763e44127dc660b01fd036de5b94112 (patch) | |
tree | 1a52ba11a2f6872c17f25dea1fc6265538eb0f43 /user/bind/named.conf.recursive | |
parent | 5b7b4d541766dcaa27db11fc82a5114790828deb (diff) | |
download | packages-df1a5e501763e44127dc660b01fd036de5b94112.tar.gz packages-df1a5e501763e44127dc660b01fd036de5b94112.tar.bz2 packages-df1a5e501763e44127dc660b01fd036de5b94112.tar.xz packages-df1a5e501763e44127dc660b01fd036de5b94112.zip |
user/bind: import, take, clean up, update root zone
Diffstat (limited to 'user/bind/named.conf.recursive')
-rw-r--r-- | user/bind/named.conf.recursive | 104 |
1 files changed, 104 insertions, 0 deletions
diff --git a/user/bind/named.conf.recursive b/user/bind/named.conf.recursive new file mode 100644 index 000000000..a068b22d7 --- /dev/null +++ b/user/bind/named.conf.recursive @@ -0,0 +1,104 @@ +// Copy this file to /etc/bind/named.conf if you want to run bind as a +// recursive DNS resolver. If you want to run an authoritative nameserver +// instead, see /etc/bind/named.conf.authoritative. +// +// BIND supports using the same daemon as both authoritative nameserver and +// recursive resolver; it supports this because it is the oldest and original +// nameserver and so was designed before it was realized that combining these +// functions is inadvisable. +// +// In actual fact, combining these functions is a very bad idea. It is thus +// recommended that you run a given instance of BIND as either an authoritative +// nameserver or recursive resolver, not both. The example configuration herein +// provides a starting point for running a recursive resolver. +// +// +// *** IMPORTANT *** +// You should note that running an open DNS resolver (that is, a resolver which +// answers queries from any globally routable IP) makes the resolver vulnerable +// to abuse in the form of reflected DDoS attacks. +// +// These attacks are now widely prevalent on the open internet. Even if +// unadvertised, attackers can and will find your resolver by portscanning the +// global IPv4 address space. +// +// In one case the traffic generated using such an attack reached 300 Gb/s (!). +// +// It is therefore imperative that you take care to configure the resolver to +// only answer queries from IP address space you trust or control. See the +// "allow-recursion" directive below. +// +// Bear in mind that with these attacks, the "source" of a query will actually +// be the intended target of a DDoS attack, so this only protects other networks +// from attack, not your own; ideally therefore you should firewall DNS traffic +// at the borders of your network to eliminate spoofed traffic. +// +// This is a complex issue and some level of understanding of these attacks is +// advisable before you attempt to configure a resolver. + +options { + directory "/var/bind"; + + // Specify a list of CIDR masks which should be allowed to issue recursive + // queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above. + allow-recursion { + 127.0.0.1/32; + }; + + // If you want this resolver to itself resolve via means of another recursive + // resolver, uncomment this block and specify the IP addresses of the desired + // upstream resolvers. + //forwarders { + // 123.123.123.123; + // 123.123.123.123; + //}; + + // By default the resolver will attempt to perform recursive resolution itself + // if the forwarders are unavailable. If you want this resolver to fail outright + // if the upstream resolvers are unavailable, uncomment this directive. + //forward only; + + // Configure the IPs to listen on here. + listen-on { 127.0.0.1; }; + listen-on-v6 { none; }; + + // If you have problems and are behind a firewall: + //query-source address * port 53; + + pid-file "/var/run/named/named.pid"; + + // Removing this block will cause BIND to revert to its default behaviour + // of allowing zone transfers to any host (!). There is no need to allow zone + // transfers when operating as a recursive resolver. + allow-transfer { none; }; +}; + +// Briefly, a zone which has been declared delegation-only will be effectively +// limited to containing NS RRs for subdomains, but no actual data beyond its +// own apex (for example, its SOA RR and apex NS RRset). This can be used to +// filter out "wildcard" or "synthesized" data from NAT boxes or from +// authoritative name servers whose undelegated (in-zone) data is of no +// interest. +// See http://www.isc.org/products/BIND/delegation-only.html for more info + +//zone "COM" { type delegation-only; }; +//zone "NET" { type delegation-only; }; + +zone "." IN { + type hint; + file "named.ca"; +}; + +zone "localhost" IN { + type master; + file "pri/localhost.zone"; + allow-update { none; }; + notify no; +}; + +zone "127.in-addr.arpa" IN { + type master; + file "pri/127.zone"; + allow-update { none; }; + notify no; +}; |