Question : is my BIND Setting correct?

Hi guys,

below is the layout of named.conf and Zone files for my BIND server. Before putting this into a real life environment, I wanted to show you the named.conf file and ask for your opinion if I am missing something, especially in regard to security.

Have a look at db.testserver.org zone file, I have divided sub-domain using $ORIGIN, is this how it suppose to be?
$ORIGIN personnel.testserver.org.
$ORIGIN testserver.org.

Named.conf

options {
directory "/var/named";
version "Not Available";
query-source address * port *;
allow-recursion {10.1.0.0/16;};
dump-file "/var/named/named_dump.db";
statistics-file "/var/named/data/named_stats.txt";

};
logging{
channel example_log{
file "/var/log/example.log" versions 3 size 2m;
severity debug 1;
print-severity yes;
print-time yes;
print-category yes;
};
category default{
example_log;
};
};

zone "." {
type hint;
file "named.root";
};
zone "testserver.org" in {
type master;
file "db.testserver.org";
allow-update { none; };
allow-transfer { 10.1.3.176; };
};

zone "3.1.10.in-addr.arpa" in{
type master;
allow-update { none; };
file "db.10.1.3";
allow-transfer { 10.1.3.176; };
};

# loopback address
zone "localhost" in {
…etc
};
zone "0.0.127.in-addr.arpa." IN {
…etc
};
zone "255.in-addr.arpa." IN {
…etc
};
zone "0.in-addr.arpa." IN {
…etc
};
include "/etc/tsig.key";

Zone files

db.testserver.org
$TTL 86400 ;24 hours it can be written 24h or 1d
$ORIGIN testserver.org.
@ IN SOA testserver.org. dns-admin.testserver.org. (
20100726 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

IN NS ns1.testserver.org.
IN NS ns2.testserver.org.
ns1 IN A 10.1.3.30
ns2 IN A 10.1.3.176
testserver.org. IN A 10.1.3.30
agent IN A 192.168.1.129
agent IN TXT "Rawand AUIS"
$ORIGIN personnel.testserver.org.
brazil IN A 10.1.3.173
db IN CNAME brazil.personnel.testserver.org.
$ORIGIN testserver.org.
web IN A 10.1.3.176
service IN A 10.1.0.21

db.10.1.3
$TTL 86400
;$ORIGIN 3.1.10.IN-ADDR.ARPA.
@ IN SOA testserver.org. admin.testserver.org. (
20100723 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
; server host definitions
IN NS ns1.testserver.org.
30 IN PTR testserver.org.
21 IN PTR service.testserver.org.
Web IN PTR web.testserver.org
….etc

Answer : is my BIND Setting correct?

> This is just for local user, I am thinking to create a views for internal and external this way
> I can have different policy for each views, do you recommend that?

My preference is for completely separate internal and external services. However, needs must and Views is a perfectly good way to approach things.

> am I missing anything, in term of security or performance?

It's simple, simple is good :)

If you're running 9.4 you might add allow-query-cache to complement allow-recursion. e.g.

acl "internalnet" { 10.1.0.0/16; };

options {
...
allow-query { any; };
allow-recursion { internalnet; }
allow-query-cache { internalnet; }
...
};

I'd have the acl because it makes maintenance easier, and I'd have an acl for use with allow-transfer for the same reason.

> And finally that is how you do submitting?, within a single zone?

You don't need the first $ORIGIN, it's implicit from named.conf.

Otherwise it's fine. Sometimes it's better to make everything relative to the zone name, it just depends on what you use the zone for. Certainly nothing wrong with your usage here.

If you want more there's a guide here, you're not missing much though:

http://www.cymru.com/Documents/secure-bind-template.html

Chris

Random Solutions

Jmagick how to resample when changing DPI

Stupid mistake of Installing UBUNTU - Now "GRUB: No Such Disk"

Virus and/or Malware redirecting my links

Windows 7 best practices for VMware view

Why centos live cd so slow, and can not mount local HDD?

Inventory System (Freeware) Recommendation

From where I can download HP Smartstart version 8.40

Unable to upgrade firmware Netgear GS724TS

Checklist for Windows 2003 AD upgrade to Window 2008 AD

offline files for Mac?