If you're going to run BIND on your Linux box, you might as well take the time to secure it, especially if it's going to be exposed to the Internet.
Before even getting started on zone files, you'll have to go through the /etc/named.conf file and make a lot of changes and additions. The default settings will work, but there's no security configured by default.
The first thing we want to do is define the networks we trust. That is normally your own LAN, but it can also include other LANs if you have VPN connections, VLANs or other LANs connected to yours.
acl trusted {
    192.168.33.0/24;
    localhost;
};
Next, in the options section, we specify who is allowed to send queries and who may request zone transfers. The options section also specifies the base directory for all zone files.
options {
    directory "/var/named";      // base directory for zone files
    allow-query { trusted; };    // only trusted networks may query
    allow-transfer { trusted; }; // only trusted networks may do zone transfers
};
If you have one of these broadband routers that acts as a DNS proxy, you may want to have your DNS server forward all requests to this router. The reason is that it'll forward the requests to the DNS servers specified by your ISP's DHCP server. If you don't do this, lookups for IPs specific to your ISP may give you the wrong answer. There are two ways of knowing if your router does DNS proxying: 1) send a DNS query to your router (i.e. dig @gw-addr www.yahoo.com), or 2) see if the router's DHCP server gives out its own address as the DNS server.
To set up this forwarding, add the following two lines to the options section:
    forward only;
    forwarders { 192.168.33.1; }; // assumes this is the IP of your router
Logging is another nice feature. There is very little logging by default, but it's fairly easy to change. The first step is to change where it sends log data, and then what to log. The "default_syslog" channel is used by default for most logging categories. With the default settings, it'll end up in the /var/log/messages file. Luckily we can change this:
logging {
    channel default_syslog {
        syslog local2;
        severity info;
    };
};
This will log only events of severity info (and higher) to the local2 facility. With the proper setup in the syslog.conf file, you'll get the output to the file of your choice. Next, selecting what to log and what not to log depends on your situation. For a simple caching DNS server at home, there shouldn't be a need to log too much. However, if you're running a master with one or more slaves, and/or allow external access to your DNS server, you should probably consider logging more, just to be on the safe side. Here are a few suggestions:
logging {
    channel default_syslog {
        syslog local2;
        severity info;
    };
    category lame-servers { null; };       // don't log these ...
    category queries { default_syslog; };  // every query, useful when exposed externally
    category config { default_syslog; };   // configuration load/reload messages
    category security { default_syslog; }; // approved/denied requests
};
Next comes the zone information. If you are allowing both internal and external clients to access this DNS server, you may want to use views to separate the two.
view "internal-in" {
    // internal clients only
    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;
    zone "." in { // how to locate the root servers
        type hint;
        file "named.ca";
    };
    zone "hansenonline.net" in { // the hansenonline.net zone
        type master;
        file "hansenonline.net.zone";
        allow-update { none; };
    };
    zone "33.168.192.in-addr.arpa" in { // the reverse zone
        type master;
        file "hansenonline.net.rr.zone";
        allow-update { none; };
    };
};
view "external-in" {
    // external clients
    match-clients { any; };
    recursion no; // no recursive lookups for external clients
    additional-from-auth no;
    additional-from-cache no; // don't want them accessing the cache either
    zone "hansenonline.net" in { // the hansenonline.net zone
        type master;
        file "hansenonline.net.ext.zone";
        allow-update { none; };
    };
};
If all your queries come from internal clients, you can drop the views altogether; still, it's a neat exercise, even if it may be difficult to test.
This should give you a fairly safe DNS server. Access from non-trusted networks is restricted: they may query your own zone only, and that's pretty much it. If you have a broadband router or firewall, external clients may not be able to get to your server at all, which is even more secure ...
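A small audit script, added here as an example and not part of the original article, that checks a named.conf against the settings recommended above: allow-query and allow-transfer restricted to an ACL, every logging category naming a channel that actually exists (this catches the "default syslog" misspelling of default_syslog), and recursion switched off in any view that matches "any". The sample configuration it runs on is constructed for the example; example.net and example.net.ext.zone are placeholders, not the article's zone.

```python
import re

# Constructed named.conf for the checks below (not the article's own file). It follows the
# article's layout but plants three mistakes: allow-transfer open to any, an external view that
# still recurses, and the "default syslog" channel-name typo in the logging section.
SAMPLE_CONF = """
acl trusted { 192.168.33.0/24; localhost; };
options { directory "/var/named"; allow-query { trusted; }; allow-transfer { any; }; };
logging {
    channel default_syslog { syslog local2; severity info; };
    category lame-servers { null; };   // don't log these ...
    category security { default syslog; };
};
view "external-in" {
    match-clients { any; }; recursion yes;
    zone "example.net" in { type master; file "example.net.ext.zone"; allow-update { none; }; };
};
"""

def blocks(conf, header):
    # Yield (header match, body text) for every block whose header matches the regex.
    for m in re.finditer(header + r"\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m, conf[m.end():i - 1]

def setting(body, key):
    # Text of 'key value;' or 'key { ... };' inside a block body, or None if absent.
    m = re.search(r"\b" + re.escape(key) + r"\s*(\{[^}]*\}|[^;{]+);", body)
    return m.group(1).strip() if m else None

def audit(conf):
    conf = re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", conf, flags=re.S))  # drop comments
    findings = []
    for _, opts in blocks(conf, r"\boptions"):
        for key in ("allow-query", "allow-transfer"):
            if re.search(r"\bany\b", setting(opts, key) or "any"):  # absent counts as open
                findings.append(f"options: {key} is missing or open to any client")
    for _, log in blocks(conf, r"\blogging"):
        known = set(re.findall(r"\bchannel\s+(\S+)\s*\{", log)) | {"null", "default_syslog", "default_debug", "default_stderr"}
        for cat, chans in re.findall(r"\bcategory\s+(\S+)\s*\{([^}]*)\}", log):
            for ch in (c.strip() for c in chans.split(";") if c.strip()):
                if ch not in known:
                    findings.append(f"logging: category {cat} names undefined channel '{ch}'")
    for m, view in blocks(conf, r'\bview\s+"([^"]+)"'):
        if re.search(r"\bany\b", setting(view, "match-clients") or "any") and setting(view, "recursion") != "no":
            findings.append(f"view {m.group(1)}: recursion is not disabled for untrusted clients")
    return findings
```

Run audit() over your own /etc/named.conf after editing it; an empty list means the three settings match what this page recommends, and named-checkconf is still the place to catch syntax errors.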
Next I'll tackle zone files ...
© 1999 - 2005 Lars M. Hansen