[H-GEN] local dns only
Tony Nugent
tony at linuxworks.com.au
Thu Dec 5 03:47:29 EST 2002
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
On Thu Dec 05 2002 at 18:07, Sandra Milne wrote:
> I'd like to use bind to run a local dns, non-caching, just for forwarding.
> However, I don't want to have it exploited from the outside world. Is there
> an easy way (other than hosts.deny) to keep the outside world from seeing
> it and using it?
The named daemon does not use tcp_wrappers (/etc/hosts.{allow,deny})
for access control; it has its own internal mechanisms.
The easiest way perhaps is to firewall the port...
iptables -I INPUT -i eth0 -p tcp --syn --dport 53 -j DROP
iptables -I INPUT -i eth0 -p udp --dport 53 -m state --state NEW -j DROP
# (eth0 stands for whatever interface faces the outside world; without an
# interface match the rules would also drop queries from the LAN and localhost)
(or similar rules that do the same thing)
Alternatively (or additionally), add some access control lists to
/etc/named.conf so that all your internal hosts (and localhost) are
in an ACL name of, say, "internal" with "external" being "! internal"
(everything not internal).
acl internal { 127.0.0.0/8; 192.168.0.0/24; };
acl external { ! internal; any; }; // a negated element only denies; "any" makes this match everyone else
Then in the options section, you only allow "internal" for queries
(and perhaps transfers, recursion and so on)...
options {
    ...
    allow-query { internal; };
    allow-transfer { internal; };  // who can be given zone transfers
    allow-recursion { internal; }; // who gets full DNS lookups
    ...
};
> Sandra.
Cheers
Tony
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'. See http://www.humbug.org.au/
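As an added illustration (not part of Tony's post or of BIND itself), here is a small Python model of how BIND walks an address match list: elements are tried in order and the first match decides, a matching element prefixed with "!" denies, a nested acl name counts only when the inner list matches positively, and no match at all means deny. It assumes the same "internal" ranges as the post and uses 203.0.113.7 (documentation address space) as a constructed outside client. Running it shows why a list made only of negated elements, such as "{ ! internal; }" on its own, never grants access to anyone, and why an "any" has to follow the negation to mean "everyone else".

```python
"""How BIND evaluates an address match list (the lists inside acl {},
allow-query {}, allow-recursion {} ...). Added example, not from the post.

Rules modelled (BIND 9 semantics):
  * elements are tried in order and the first one that matches decides;
  * a matching element prefixed with "!" means deny;
  * an acl name is an element; a negated match *inside* the nested acl is
    reported to the outer list as "no match", so evaluation continues;
  * if no element matches, access is denied.
"""
import ipaddress

# Constructed ACLs mirroring the named.conf fragment in the post; the third
# one is the negated-only variant, which never grants anything.
ACLS = {
    "internal": ["127.0.0.0/8", "192.168.0.0/24"],
    "external": ["! internal", "any"],
    "external_negated_only": ["! internal"],
}


def match_list(elements, addr, acls):
    """Return +1 for a positive match, -1 for a negated match, 0 for no match."""
    ip = ipaddress.ip_address(addr)
    for element in elements:
        negated = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            # Nested acl: only a positive inner result counts as a hit here.
            hit = match_list(acls[name], addr, acls) > 0
        else:
            net = ipaddress.ip_network(name, strict=False)
            hit = ip.version == net.version and ip in net
        if hit:
            return -1 if negated else 1
    return 0


def allowed(clause, addr, acls=ACLS):
    """Access-control reading of a list: only a positive match grants access."""
    return match_list(clause, addr, acls) > 0


if __name__ == "__main__":
    # The post's options block, as each clause would see the same clients.
    options = {
        "allow-query": ["internal"],
        "allow-transfer": ["internal"],
        "allow-recursion": ["internal"],
    }
    for client in ("127.0.0.1", "192.168.0.5", "203.0.113.7"):
        verdicts = ", ".join(
            f"{k}={'allow' if allowed(v, client) else 'deny'}" for k, v in options.items()
        )
        print(f"{client:>13}: {verdicts}")

    # Negated-only list versus the same list followed by "any".
    print(allowed(ACLS["external_negated_only"], "203.0.113.7"))  # False: nothing matched
    print(allowed(ACLS["external"], "203.0.113.7"))               # True: "any" matched

    # Ordering matters: a broader element placed first swallows a later negation.
    print(allowed(["192.168.0.0/24", "! 192.168.0.13"], "192.168.0.13"))  # True: negation never reached
    print(allowed(["! 192.168.0.13", "192.168.0.0/24"], "192.168.0.13"))  # False: negation hits first
```

The allowed() function is the access-control reading of a list; the same lists are read differently by listen-on or sortlist, which is why match_list() keeps the sign of the match instead of collapsing it to a boolean.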