Can someone please tell me whether this configuration is still secure as far as not using views and instead using allow-recursion and query-cache only to localnets?
I have a primary and secondary server that hosts authoritative domains but also use the same servers for recursive queries for just a couple internal clients.
I use use "allow-recursion { localnets; localhost; }; therefore denying recursion to external clients but allowing recursion for the servers and a few internal clients.
Code:
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
query-source address * port 53;
version "not currently available";
allow-recursion { localnets; localhost; };
allow-query-cache { localnets; };
};
include "/etc/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
include "/etc/named.rfc1912.zones";
zone "." IN {
type hint;
file "/var/named/named.ca";
};
zone "168.192.in-addr.arpa" {
type master;
file "/var/named/192.168.rev";
};
zone "example.com" {
type master;
file "/var/named/example.com.hosts";
allow-transfer { 192.168.200.12; };
};
zone "example1.com" {
type master;
file "/var/named/example1.com.hosts";
allow-transfer { 192.168.200.12; };
};
zone "example2.com" {
type master;
file "/var/named/example2.com.hosts";
allow-transfer { 192.168.200.12; };
};
// continues to Example 30.
In testing the above it seems to be secure as I cannot perform recursion from external clients but I do see access denied for query cache from external clients. Since I am not sure whether this was the safest method I used the config below that is setup with internal and external views. The only problem with this method is some reason my internal clients are unable resolve the authoritative servers in the external zone.
Code:
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
query-source address * port 53;
version "not currently available";
};
include "/etc/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
view "internal"
{
match-clients { localnets; };
allow-query { localnets; };
allow-query-cache { localnets; };
recursion yes;
include "/etc/named.rfc1912.zones";
zone "." IN {
type hint;
file "/var/named/named.ca";
};
zone "168.192.in-addr.arpa" {
type master;
file "/var/named/192.168.rev";
};
};
view "external"
{
zone "." IN {
type hint;
file "/var/named/named.ca";
};
match-clients { localnets; any; };
recursion no;
allow-recursion { localnets; };
zone "example.com" {
type master;
file "/var/named/example.com.hosts";
allow-transfer { 192.168.200.12; };
};
zone "example1.com" {
type master;
file "/var/named/example1.com.hosts";
allow-transfer { 192.168.200.12; };
};
zone "example2.com" {
type master;
file "/var/named/example2.com.hosts";
allow-transfer { 192.168.200.12; };
};
};
config is bind-9.5.1-2.P2.fc10.x86_64, Fedora FC10
Linear Mode
