DNS Security Options
Note that everything that happens to the zones served by the DNS server is controlled from the options directive in named.conf: anything set there applies to all zones, while a directive set inside a zone statement applies only to that zone.
A good practice is to restrict zone transfers and allow transfer only to the servers designated for it. In this case the slave must be able to transfer the data it needs (your domain's zone) so that it can answer queries from other servers asking about your domain.
If you wanted to allow transfers to a name server sitting at 192.168.1.50, you would do it as follows:
zone "netcontrol.org" {
    // only the designated slave and the local host may pull this zone
    allow-transfer { 192.168.1.50; localhost; };
};
This ensures that only the designated slave can pull the zone, so the full zone contents, and with them detailed information about your hosts and configuration, are not transferred to anyone else.
Protecting against spoofing
This is probably obvious to you. First, you need to disable queries for domains you don't own and allow queries only from the clients you want, such as your internal network:
options {
    // global default: only the internal network and the local host may query
    allow-query { 192.168.1.0/24; localhost; };
};
zone "netcontrol.org" {
    // the zones you are authoritative for must be answerable from anywhere
    allow-query { any; };
};
zone "26.34.168.in-addr.arpa" {
    allow-query { any; };
};
Finally, disable recursive queries for everyone except your internal network:
options {
    // recursion is restricted with allow-recursion (BIND directives are lowercase)
    allow-recursion { 192.168.1.0/24; localhost; };
};
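To check a named.conf for the two settings discussed above (zone transfers open to any host and recursion left unrestricted), here is an added Python audit script; it is not part of the original post, and its sample configuration, zone file names and the 26.34.168.in-addr.arpa reverse zone are constructed for illustration.

```python
import re

# Constructed sample: the page's directives, with the forward zone restricting
# transfers and the reverse zone left without any allow-transfer.
SAMPLE_CONF = """
options {
    allow-query { 192.168.1.0/24; localhost; };
};
zone "netcontrol.org" {
    type master;
    file "netcontrol.org.zone";
    allow-query { any; };
    allow-transfer { 192.168.1.50; localhost; };
};
zone "26.34.168.in-addr.arpa" {
    type master;
    file "26.34.168.rev";
    allow-query { any; };
};
"""

def _blocks(text, keyword):
    """Yield (name, body) for each top-level `keyword "name" { ... };` block, tracking nested braces."""
    for m in re.finditer(r'^\s*%s\b\s*(?:"([^"]*)")?\s*\{' % keyword, text, re.M):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def _acl(body, directive):
    """Return the entries of `directive { a; b; };` inside body, or None if the directive is absent."""
    m = re.search(r'\b%s\s*\{([^}]*)\}' % directive, body)
    return None if m is None else [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit_named_conf(text):
    """Return a list of findings for zones whose transfers or options whose recursion are not restricted."""
    findings = []
    opts = next((body for _, body in _blocks(text, 'options')), '')
    global_xfer = _acl(opts, 'allow-transfer')
    if _acl(opts, 'allow-recursion') is None and 'recursion no' not in opts:
        findings.append('options: recursion is not restricted (set allow-recursion or recursion no)')
    for name, body in _blocks(text, 'zone'):
        xfer = _acl(body, 'allow-transfer')
        if xfer is None:          # zone inherits the global setting, if any
            xfer = global_xfer
        if xfer is None:
            findings.append(f'zone {name}: no allow-transfer, AXFR is open to any host')
        elif 'any' in xfer:
            findings.append(f'zone {name}: allow-transfer includes any')
    return findings

if __name__ == '__main__':
    for finding in audit_named_conf(SAMPLE_CONF):
        print(finding)
```

Run it against the sample and it reports the unrestricted recursion and the reverse zone's open transfer; adding allow-recursion and a global allow-transfer to the options block clears both findings.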
That's all folks, enjoy!