
March 28, 2013

DNS: additional named options for security


Starting from the default named settings, this post only highlights the additional options/settings that matter for security. FYI :-)

options {
        ......
        ......
        version "invisible dns version";        // Hide the real BIND version string
        minimal-responses yes;                  // For details, see https://www.isc.org/software/bind/advisories/cve-2012-5166
        allow-recursion { 192.168.1.0/24; };    // Or set "recursion no;" if this server is authoritative only
        allow-transfer { none; };               // For a master, allow only the slave DNS to pull the zone (set per zone below)
        allow-notify { 192.168.1.135; };        // For a slave, accept NOTIFY only from the master DNS
};


logging {
        channel default_log {
                file "data/named.run";
                severity dynamic;
                print-time yes;
        };
        channel audit_log {
                file "/var/log/named/audit_log";
                severity debug;
                print-time yes;
        };
        channel queries_log {
                file "/var/log/named/queries.log";
                severity dynamic;
                print-time yes;
        };

        category default  { default_log; };
        category general  { default_log; };
        category security { audit_log; };
        category config   { audit_log; };
        category notify   { audit_log; };
        category queries  { queries_log; };
};


view inner {
        match-clients { 192.168.1.0/24; };
        zone "mydomain.com" {
                ......

                allow-transfer { 192.168.1.246; };  // For a master, allow only the slave DNS to pull the zone
        };

        zone "localhost" {
                ......

                allow-update { none; };
        };
}; // inner

view outer {
        match-clients { any; };
        zone "mydomain.com" {
                ......

        };
}; // outer
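As an added example (not part of the original post), a small Python audit that checks a named.conf text for the hardening points listed above: version hidden, minimal-responses on, recursion and zone transfers restricted, and the security category logged. The configuration fragment embedded in it is constructed for the check and is not taken from a real server.

```python
import re
# Constructed named.conf fragment used as sample input (not from a real server).
SAMPLE_CONF = """
options {
    version "invisible dns version";   // hide the real BIND version
    minimal-responses yes;
    allow-recursion { 192.168.1.0/24; };
    allow-transfer { none; };
};
logging {
    channel audit_log { file "/var/log/named/audit_log"; severity debug; };
    category security { audit_log; };
};
"""

def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def extract_block(text, name):
    """Return the body of the top-level 'name { ... }' block, or '' if absent."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return ""

def acl_open(block, option):
    """True if an address list such as allow-transfer is absent or contains 'any'."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(option), block)
    return m is None or "any" in m.group(1).replace(";", " ").split()

def audit_named_conf(conf):
    """List the hardening points from this post that the given named.conf misses."""
    conf = strip_comments(conf)
    opts, log = extract_block(conf, "options"), extract_block(conf, "logging")
    checks = [
        (not re.search(r'\bversion\s+"[^"]*"\s*;', opts), "version string not overridden (BIND version exposed)"),
        (not re.search(r"\bminimal-responses\s+yes\s*;", opts), "minimal-responses not enabled"),
        (not re.search(r"\brecursion\s+no\s*;", opts) and acl_open(opts, "allow-recursion"), "recursion open to any client"),
        (acl_open(opts, "allow-transfer"), "zone transfers not restricted"),
        (not re.search(r"\bcategory\s+security\s*\{", log), "security category not logged"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run it against the real file with `audit_named_conf(open("/etc/named.conf").read())`; an empty list means all five points are covered at the options level (per-zone overrides inside views are not inspected).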


