Question: is my BIND setting correct?

Hi guys,

Below is the layout of the named.conf and zone files for my BIND server. Before putting this into a real-life environment, I wanted to show you the named.conf file and ask for your opinion on whether I am missing something, especially in regard to security.

Have a look at the db.testserver.org zone file. I have divided the sub-domain using $ORIGIN; is this how it is supposed to be?
$ORIGIN personnel.testserver.org.
$ORIGIN testserver.org.


Named.conf

options {
    directory "/var/named";
    version "Not Available";
    query-source address * port *;
    allow-recursion { 10.1.0.0/16; };
    dump-file "/var/named/named_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
};

logging {
    channel example_log {
        file "/var/log/example.log" versions 3 size 2m;
        severity debug 1;
        print-severity yes;
        print-time yes;
        print-category yes;
    };
    category default {
        example_log;
    };
};

zone "." {
    type hint;
    file "named.root";
};

zone "testserver.org" in {
    type master;
    file "db.testserver.org";
    allow-update { none; };
    allow-transfer { 10.1.3.176; };
};

zone "3.1.10.in-addr.arpa" in {
    type master;
    allow-update { none; };
    file "db.10.1.3";
    allow-transfer { 10.1.3.176; };
};

# loopback address
zone "localhost" in {
    …etc
};
zone "0.0.127.in-addr.arpa." IN {
    …etc
};
zone "255.in-addr.arpa." IN {
    …etc
};
zone "0.in-addr.arpa." IN {
    …etc
};

include "/etc/tsig.key";


Zone files

db.testserver.org
$TTL    86400    ; 24 hours; can also be written 24h or 1d
$ORIGIN testserver.org.
@               IN SOA  testserver.org. dns-admin.testserver.org. (
                                        20100726       ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                   IN NS           ns1.testserver.org.
                   IN NS           ns2.testserver.org.
ns1             IN A            10.1.3.30
ns2             IN A            10.1.3.176
testserver.org. IN A            10.1.3.30
agent           IN A            192.168.1.129
agent           IN TXT          "Rawand AUIS"
$ORIGIN personnel.testserver.org.
brazil          IN A            10.1.3.173
db              IN CNAME        brazil.personnel.testserver.org.
$ORIGIN testserver.org.
web           IN A            10.1.3.176
service       IN A            10.1.0.21

db.10.1.3
$TTL    86400
;$ORIGIN        3.1.10.IN-ADDR.ARPA.
@              IN SOA  testserver.org. admin.testserver.org. (
                                        20100723        ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
; server host definitions
          IN  NS          ns1.testserver.org.
30      IN  PTR         testserver.org.
21      IN  PTR         service.testserver.org.
176     IN  PTR         web.testserver.org.   ; owner is the host octet of 10.1.3.176; target must end in a dot
…etc

Answer: is my BIND setting correct?

> This is just for local user, I am thinking to create a views for internal and external this way
> I can have different policy for each views, do you recommend that?

My preference is for completely separate internal and external services. However, needs must and Views is a perfectly good way to approach things.

> am I missing anything, in term of security or performance?

It's simple, simple is good :)

If you're running 9.4 you might add allow-query-cache to complement allow-recursion. e.g.

acl "internalnet" { 10.1.0.0/16; };

options {
  ...
  allow-query { any; };
  allow-recursion { internalnet; };
  allow-query-cache { internalnet; };
  ...
};

I'd have the acl because it makes maintenance easier, and I'd have an acl for use with allow-transfer for the same reason.

> And finally, is that how you do submitting, within a single zone?

You don't need the first $ORIGIN; it's implicit from named.conf.

Otherwise it's fine. Sometimes it's better to make everything relative to the zone name; it just depends on what you use the zone for. Certainly nothing wrong with your usage here.

If you want more there's a guide here, you're not missing much though:

http://www.cymru.com/Documents/secure-bind-template.html

Chris
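The $ORIGIN and trailing-dot behaviour discussed in this thread, as an added example that is not part of the original post or of BIND: a small Python routine that expands zone-file names the way named does (only the record types used in the post, no multi-line SOA) and a lint that catches a reverse record whose PTR target has no trailing dot, which named would silently expand under in-addr.arpa. The sample input is a constructed excerpt of the post's db.10.1.3 records.

```python
# Added example (not the poster's or BIND's code): expand zone-file names the way named does.
def absolute(name, origin):
    """'@' is the origin, a trailing dot is already absolute, anything else gets $ORIGIN appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def expand_zone(text, origin):
    """Return (owner, type, rdata) triples with every name made absolute.
    Handles $ORIGIN, blank-owner continuation and ';' comments for the record
    types used in the post (NS, A, CNAME, PTR); a multi-line SOA is not parsed."""
    records, last_owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if not line[0].isspace():            # an explicit owner name on this line
            last_owner = absolute(fields.pop(0), origin)
        if fields[0] == "IN":
            fields.pop(0)
        rtype, rdata = fields[0], " ".join(fields[1:])
        if rtype in ("NS", "CNAME", "PTR"):  # rdata is itself a domain name
            rdata = absolute(rdata, origin)
        records.append((last_owner, rtype, rdata))
    return records

def lint_reverse_zone(records):
    """Flag PTR owners that are not an octet, and PTR targets that were silently
    expanded under in-addr.arpa because the trailing dot was forgotten."""
    ptrs = [(o, r) for o, t, r in records if t == "PTR"]
    bad_owner = [f"non-numeric PTR owner: {o}" for o, _ in ptrs if not o.split(".")[0].isdigit()]
    bad_target = [f"PTR target missing trailing dot: {r}" for _, r in ptrs if r.endswith(".in-addr.arpa.")]
    return bad_owner + bad_target

# Constructed excerpt of the post's db.10.1.3 records (SOA omitted); the last
# line deliberately keeps a non-octet owner and a target without a trailing dot.
REVERSE_ZONE = """\
$TTL 86400
         IN NS   ns1.testserver.org.
30       IN PTR  testserver.org.
21       IN PTR  service.testserver.org.
Web      IN PTR  web.testserver.org
"""

if __name__ == "__main__":
    print(lint_reverse_zone(expand_zone(REVERSE_ZONE, "3.1.10.in-addr.arpa.")))
```

Running it against the forward zone with its nested `$ORIGIN personnel.testserver.org.` shows `brazil` and `db` landing under personnel.testserver.org. and `web` back under testserver.org., which is the scoping the answer describes.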