Based on the default named settings; only the additional options/settings relevant to security are highlighted here. FYI :-)
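// Global server options. Only the security-relevant additions are shown;
// the "......" lines stand for the rest of the default options.
options {
......
......
    // Return a fixed string for version.bind queries instead of the real
    // version. This only slows fingerprinting; it does not replace patching.
    version "invisible dns version";

    // Leave out optional authority/additional records from responses.
    // For details, see https://www.isc.org/software/bind/advisories/cve-2012-5166
    // NOTE(review): treat this as a mitigation only; confirm against the
    // advisory that the installed BIND version is itself fixed.
    minimal-responses yes;

    // Answer recursive queries only for the internal network, so the server
    // is not an open resolver. Alternatively, set "recursion no;".
    allow-recursion { 192.168.1.0/24; };

    // Global default: refuse all zone transfers. On a master, permit the
    // slave per zone with a zone-level allow-transfer.
    allow-transfer { none; };

    // On a slave: host allowed to send NOTIFY messages to this server, in
    // addition to the masters configured for each zone.
    // NOTE(review): an address ACL checks only the source IP; TSIG keys give
    // stronger peer authentication for NOTIFY and transfers.
    allow-notify { 192.168.1.135; };
};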
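// Logging: separates general server messages, security/config/notify events
// and client queries into their own files so each can be reviewed and
// retained on its own.
logging {
    // General server messages. The relative path is resolved against the
    // server's working directory.
    channel default_log {
        file "data/named.run";
        severity dynamic;   // follow the server's current debug level
        print-time yes;     // timestamp every entry
    };

    // Security-relevant events (see the categories routed here below).
    // NOTE(review): "severity debug" can be verbose; consider the file
    // clause's "versions" and "size" limits so the log cannot fill the disk.
    channel audit_log {
        file "/var/log/named/audit_log";
        severity debug;
        print-time yes;
    };

    // Per-query log. It records client addresses and queried names, so keep
    // the file permissions restricted.
    channel queries_log {
        file "/var/log/named/queries.log";
        severity dynamic;
        print-time yes;
    };

    category default  { default_log; };
    category general  { default_log; };
    category security { audit_log; };    // approved / denied requests
    category config   { audit_log; };    // configuration parsing and loading
    category notify   { audit_log; };    // NOTIFY protocol messages
    category queries  { queries_log; };
};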
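// Internal view: served only to clients on the internal network. Views are
// matched in the order they are defined, so this view must come before the
// catch-all view that follows.
view inner {
    match-clients { 192.168.1.0/24; };

    zone mydomain.com {
......
        // On the master: overrides the global "allow-transfer { none; }" so
        // that only the slave DNS server can transfer this zone.
        // NOTE(review): an address ACL checks only the source IP; a TSIG key
        // gives stronger authentication of the transfer peer.
        allow-transfer { 192.168.1.246; };
    };

    zone localhost {
......
        // Refuse dynamic updates to this zone.
        allow-update { none; };
    };
}; //inner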
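// External view: catch-all for every client that did not match the inner
// view. No allow-transfer is set here, so the global
// "allow-transfer { none; }" applies to this copy of the zone.
view outer {
    match-clients { any; };
    // NOTE(review): consider an explicit "recursion no;" in this view, so
    // external clients are refused recursion even if the global
    // allow-recursion ACL is widened later.

    zone mydomain.com {
......
    };
}; //outer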