RE: [Odns-devel] Security Suggestions ...
From: Steve S. <st...@zi...> - 2001-03-23 05:30:48
I agree that's a great idea!!
Steve Searles
-----Original Message-----
From: odn...@li...
[mailto:odn...@li...] On Behalf Of Michael Dunne
Sent: Thursday, March 22, 2001 6:26 PM
To: odn...@li...
Subject: [Odns-devel] Security Suggestions ...
I know oDNS generates a default named.conf from a perl script, which can be
edited to include the information below here, but why not make the
named.conf dynamic, and include it in the PHP interface so that people can
have a little control over security of the DNS while creating it.
Obviously, all the named.conf options (ever done a man named.conf lately?)
can be included in the PHP interface, allowing people to add and edit
various features of the DNS server configuration; making the named.conf PHP
configurable would be the logical next step =)
In the options of named.conf (at the start of it), add in the following:
    options {
        directory "/var/cache/bind";
        allow-recursion {
            localhost;
            xxx.xxx.xxx.xxx;
            xxx.xxx.xxx.xxx;
            // etc
        };
        allow-query {
            localhost;
            xxx.xxx.xxx.xxx;
            xxx.xxx.xxx.xxx;
            // etc
        };
        forwarders {
            yyy.yyy.yyy.yyy;
            // etc
        };
    };
Where xxx.xxx.xxx.xxx is the IP address of any machine allowed to query
the name server to get information; this prevents domain ripping etc.
yyy.yyy.yyy.yyy is any machine that the name server uses as a query source,
of course.
Inside the zone config of named.conf:
    allow-query {
        any;
    };
    allow-transfer {
        xxx.xxx.xxx.xxx;
        xxx.xxx.xxx.xxx;
    };
xxx.xxx.xxx.xxx are the secondary or tertiary name servers you want to allow
AXFRs from.
Just some basic domain server security to prevent spoofing etc. These would
go a long way in preventing some of the attacks against name servers
running round the place. The allow-query any allows anyone in the world to
look up and resolve domains, thus not breaking the name server in the previous
options statements. The allow-transfer prevents people from using a name
server or dig to rip domain information from you, keeping the name server
information private.
This is about the only thing stopping me from moving from hand-editing DNS
to oDNS.
_______________________________________________
Odns-devel mailing list
Odn...@li...
http://lists.sourceforge.net/lists/listinfo/odns-devel
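As an added example (not oDNS code and not from anyone on this list), here is a small Python generator for the named.conf fragments proposed in the mail, of the kind a PHP interface that writes named.conf would need behind the form. The security point it shows is that every form value is validated and normalised before it reaches the file: a web front end that writes named.conf must never pass raw user input into it, otherwise a single field can terminate the statement and append arbitrary directives. The function names, the `type master` line, the whitelist patterns and the sample addresses (RFC 5737 documentation ranges) are assumptions of this example, not anything the mail specifies.

```python
import ipaddress
import re

# Keywords BIND accepts inside an address-match-list (allow-query,
# allow-recursion, allow-transfer). The forwarders list takes addresses only.
ACL_KEYWORDS = {"any", "none", "localhost", "localnets"}

# Conservative whitelists for zone names, file names and the directory so
# that a form value can never smuggle a ';', '}' or quote into named.conf.
# (Assumed patterns; tighten or relax to match your own naming rules.)
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
SAFE_DIR = re.compile(r"^/[A-Za-z0-9._/-]+$")


def acl_element(value, keywords=True):
    """Validate one address-match-list element taken from the web form.

    Accepts a BIND keyword (when allowed), an IPv4/IPv6 address or a CIDR
    prefix; anything else raises ValueError. The return value is the
    normalised form, never the raw user input.
    """
    value = value.strip()
    if keywords and value in ACL_KEYWORDS:
        return value
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        raise ValueError(f"rejected address-match element: {value!r}") from None
    # A single host is written as a bare address, a range in prefix notation.
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def is_valid_acl_element(value, keywords=True):
    """True if acl_element() would accept the value (handy for form checks)."""
    try:
        acl_element(value, keywords)
        return True
    except ValueError:
        return False


def render_block(name, elements, indent):
    """Emit one 'name { a; b; };' block, including BIND's trailing semicolon."""
    lines = [f"{indent}{name} {{"]
    lines += [f"{indent}    {element};" for element in elements]
    lines.append(f"{indent}}};")
    return lines


def build_named_conf(directory, recursion_acl, query_acl, forwarders, zones):
    """Return named.conf text for the options proposed in the mail.

    recursion_acl / query_acl: who may recurse / query the server globally.
    forwarders: upstream resolvers (addresses only, no keywords).
    zones: dicts with 'name', 'file' and 'transfer_acl' (the secondaries
        allowed to AXFR). Each zone is queryable by 'any' while transfers
        stay restricted, as the mail describes. 'type master' is assumed.
    """
    if not SAFE_DIR.match(directory):
        raise ValueError(f"rejected directory: {directory!r}")
    out = ["options {", f'    directory "{directory}";']
    out += render_block("allow-recursion", [acl_element(e) for e in recursion_acl], "    ")
    out += render_block("allow-query", [acl_element(e) for e in query_acl], "    ")
    if forwarders:
        out += render_block("forwarders",
                            [acl_element(e, keywords=False) for e in forwarders], "    ")
    out.append("};")
    for zone in zones:
        if not SAFE_NAME.match(zone["name"]) or not SAFE_NAME.match(zone["file"]):
            raise ValueError(f"rejected zone definition: {zone!r}")
        out += ["", f'zone "{zone["name"]}" {{', "    type master;",
                f'    file "{zone["file"]}";']
        out += render_block("allow-query", ["any"], "    ")
        out += render_block("allow-transfer",
                            [acl_element(e) for e in zone["transfer_acl"]], "    ")
        out.append("};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample input using RFC 5737 documentation addresses.
    print(build_named_conf(
        "/var/cache/bind",
        recursion_acl=["localhost", "192.0.2.0/24"],
        query_acl=["localhost", "192.0.2.10"],
        forwarders=["198.51.100.1"],
        zones=[{"name": "example.com", "file": "db.example.com",
                "transfer_acl": ["192.0.2.53", "203.0.113.53"]}],
    ))
    # A hostile form value is rejected instead of being written to the file.
    print(is_valid_acl_element('192.0.2.1; }; include "/etc/passwd"'))  # False
```

The generator only ever writes strings it produced itself (normalised addresses, whitelisted names), so the shape of the output is fixed by the code and not by whoever filled in the form; running the result through `named-checkconf` before reloading the server is still worthwhile as a second check.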