Question : is my BIND Setting correct?

Hi guys,

below is the layout of named.conf and Zone files for my BIND server. Before putting this into a real life environment, I wanted to show you the named.conf file and ask for your opinion if I am missing something, especially in regard to security.

Have a look at db.testserver.org zone file, I have divided sub-domain using $ORIGIN, is this how it suppose to be?
$ORIGIN personnel.testserver.org.
$ORIGIN testserver.org.

Named.conf

options {
directory "/var/named";
version "Not Available";
query-source address * port *;
allow-recursion {10.1.0.0/16;};
dump-file "/var/named/named_dump.db";
statistics-file "/var/named/data/named_stats.txt";

};
logging{
channel example_log{
file "/var/log/example.log" versions 3 size 2m;
severity debug 1;
print-severity yes;
print-time yes;
print-category yes;
};
category default{
example_log;
};
};

zone "." {
type hint;
file "named.root";
};
zone "testserver.org" in {
type master;
file "db.testserver.org";
allow-update { none; };
allow-transfer { 10.1.3.176; };
};

zone "3.1.10.in-addr.arpa" in{
type master;
allow-update { none; };
file "db.10.1.3";
allow-transfer { 10.1.3.176; };
};

# loopback address
zone "localhost" in {
…etc
};
zone "0.0.127.in-addr.arpa." IN {
…etc
};
zone "255.in-addr.arpa." IN {
…etc
};
zone "0.in-addr.arpa." IN {
…etc
};
include "/etc/tsig.key";

Zone files

db.testserver.org
$TTL 86400 ;24 hours it can be written 24h or 1d
$ORIGIN testserver.org.
@ IN SOA testserver.org. dns-admin.testserver.org. (
20100726 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

IN NS ns1.testserver.org.
IN NS ns2.testserver.org.
ns1 IN A 10.1.3.30
ns2 IN A 10.1.3.176
testserver.org. IN A 10.1.3.30
agent IN A 192.168.1.129
agent IN TXT "Rawand AUIS"
$ORIGIN personnel.testserver.org.
brazil IN A 10.1.3.173
db IN CNAME brazil.personnel.testserver.org.
$ORIGIN testserver.org.
web IN A 10.1.3.176
service IN A 10.1.0.21

db.10.1.3
$TTL 86400
;$ORIGIN 3.1.10.IN-ADDR.ARPA.
@ IN SOA testserver.org. admin.testserver.org. (
20100723 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
; server host definitions
IN NS ns1.testserver.org.
30 IN PTR testserver.org.
21 IN PTR service.testserver.org.
Web IN PTR web.testserver.org
….etc

Answer : is my BIND Setting correct?

> This is just for local user, I am thinking to create a views for internal and external this way
> I can have different policy for each views, do you recommend that?

My preference is for completely separate internal and external services. However, needs must and Views is a perfectly good way to approach things.

> am I missing anything, in term of security or performance?

It's simple, simple is good :)

If you're running 9.4 you might add allow-query-cache to complement allow-recursion. e.g.

acl "internalnet" { 10.1.0.0/16; };

options {
...
allow-query { any; };
allow-recursion { internalnet; }
allow-query-cache { internalnet; }
...
};

I'd have the acl because it makes maintenance easier, and I'd have an acl for use with allow-transfer for the same reason.

> And finally that is how you do submitting?, within a single zone?

You don't need the first $ORIGIN, it's implicit from named.conf.

Otherwise it's fine. Sometimes it's better to make everything relative to the zone name, it just depends on what you use the zone for. Certainly nothing wrong with your usage here.

If you want more there's a guide here, you're not missing much though:

http://www.cymru.com/Documents/secure-bind-template.html

Chris

Random Solutions

Filemaker Scheduled Import of Tab Delimited File Not Working

Create linked server from MS Sql to oracle server

Cannot RDP to W2008R2 Server 'Computer Name' but can to its IP Address

How to Populate a ListBox Control with Values from an Access Database Table

Server 2008 NLB problem

UV spectroscopy and exponential decay of tranmission

General question regarding Anti-Virus, anti-malware on LAN

Remote Software Installation - Silent

Incorrect function. error