[H-GEN] local dns only

Douglas C chexsum at optusnet.com.au
Thu Dec 5 07:40:18 EST 2002


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

> The easiest way perhaps is to firewall the port...
>
>   iptables -I INPUT -p tcp --syn --dport 53 -j DROP
>   iptables -I INPUT -p udp --dport 53 -m state --state NEW -j DROP
>
> (or similar rules that do the same thing)
>
> Alternatively (or additionally), add some access control lists to
> /etc/named.conf so that all your internal hosts (and localhost) are
> in an ACL name of, say, "internal" with "external" being "! internal"
> (everything not internal).
>
> acl internal { 127.0.0.1/8; 192.168.0.0/24; };
> acl external { ! internal; };
>
> Then in the options section, you only allow "internal" for queries
> (and perhaps transfers, recursion and so on)...
>
> options {
>   ...
>   allow-query     { internal; };
>   allow-transfer  { internal; };    // who can be given zone transfers
>   allow-recursion { internal; };    // who gets full DNS lookups
>   ...
> };

This is the way I have my dnscache/forwarder set up *although I skip the acl
part and put the IPs straight into the options part*. If you're interested
there's a dnsmasq package available which is made for this job, although I
have no idea how good it is as I've only used BIND. =)

BTW look for the listen-on *or similar* option to use also, as I'm sure there's
that option also, which will bind the server to an interface of your choice
*ie internal only* if you want that. I actually only use the allow-query
option from the above three and listen-on.

NB. If I'm wrong about the listen-on then I might be thinking of something
else *wonders about posting this or not - heh*. :P




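The two approaches discussed in the thread (ACL-based allow-* options and binding the daemon to internal interfaces only with listen-on, which is a real BIND 9 option) combined into one minimal named.conf for a caching forwarder. This is an added example, not configuration from the original post; the internal range 192.168.0.0/24, the interface address 192.168.0.1 and the upstream forwarder 203.0.113.53 are assumed placeholders.

```conf
// Added example (not from the original post): BIND 9 caching/forwarding
// resolver that serves internal hosts only. Addresses are placeholders.
//
// Without the allow-query/allow-recursion lines below, any host that can
// reach port 53 gets recursive service, i.e. an open resolver.

acl internal { 127.0.0.0/8; 192.168.0.0/24; };

options {
    directory "/var/named";

    // Only bind to loopback and the internal interface (assumed 192.168.0.1),
    // so the daemon never opens a socket on the external interface.
    listen-on    port 53 { 127.0.0.1; 192.168.0.1; };
    listen-on-v6         { none; };

    // Defence in depth: even if a packet reaches the socket, refuse
    // everything that is not in the "internal" ACL. As the reply notes,
    // the addresses could be written here directly instead of via the acl.
    allow-query     { internal; };
    allow-recursion { internal; };

    // A pure cache/forwarder serves no zones, so no transfers at all
    // (the quoted post allows "internal"; "none" is stricter).
    allow-transfer  { none; };

    // Forward everything upstream rather than resolving from the roots.
    forwarders { 203.0.113.53; };
    forward only;
};
```

Check the file with `named-checkconf /etc/named.conf` before reloading, and confirm from an external address that port 53 is closed rather than merely refused.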
