[dns-operations] Best Practices in DNS security
Paul Vixie
paul at vix.com
Fri Mar 17 17:57:29 UTC 2006
# otherwise, i'd be inclined to suggest that it's much easier (based on
# available documentation and howtos) to simply have BIND 9 do the same thing.
indeed, running the recursive resolver and the authoritative server as two separate BIND 9 instances on one host (each bound to its own address, each with its own named.conf) is just not that hard to get set up and keep working properly:
---
[sa:amd64] grep named /etc/rc.local
echo -n ' named-sa'; daemon -c -f sh /var/local/named/named-nanny.sh sa
echo -n ' named-ns'; daemon -c -f sh /var/local/named/named-nanny.sh ns
[sa:amd64] cat named-nanny.sh
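#!/bin/sh
# named-nanny.sh -- keep one BIND 9 instance running, restarting it when it exits.
#
# Usage: named-nanny.sh INSTANCE
#   INSTANCE selects the config /var/local/named/named.INSTANCE.conf and the
#   log file /var/local/named/log/named.INSTANCE.  rc.local above passes "sa"
#   (recursive resolver) and "ns" (authoritative server).  Defaults to "foo"
#   when no argument is given.  INSTANCE is trusted: it comes from rc.local,
#   not from the network, and is used to build file paths.
#
# Started by a daemonizer (daemon -c -f) from rc.local; this script never
# returns on its own.

# 0002: files named creates are rw-rw-r-- (group-writable, world-readable).
# NOTE(review): group-writable logs are presumably deliberate here -- confirm.
umask 2
x=${1-foo}

while :; do
    # -f keeps named in the foreground so the loop sees it exit;
    # -n 3 is the worker-thread / CPU count handed to named.
    # NOTE(review): no -u (and no -t) is passed, so named keeps the privileges
    # of whoever ran rc.local -- root -- unless something not shown drops them.
    # Confirm, and consider `-u named` (and a chroot via -t) at this point.
    /usr/local/sbin/named -n 3 -f -c "/var/local/named/named.$x.conf" \
        >> "/var/local/named/log/named.$x" 2>&1 < /dev/null
    rc=$?
    # emerg so the restart reaches every syslog/console sink.  The exit status
    # is logged so a crash or kill can be told apart from a clean exit.  A
    # named that dies at once (bad config, port in use) re-logs every 5 s.
    /usr/bin/logger -p emerg "named $x restart (exit status $rc)"
    sleep 5
done
exit  # never reached: the loop above runs until the nanny itself is killed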
[sa:amd64] egrep 'listen-on|recursion|allow-query' named.sa.conf
listen-on-v6 { ::1; };
listen-on { 127.0.0.1; 204.152.187.1; };
allow-query { 204.152.184/21; 2001:4f8::/32; ::1/128; 127.0.0.1/32; };
recursion yes;
[sa:amd64] egrep 'listen-on|recursion|allow-query' named.ns.conf
recursion no;
listen-on { 204.152.184.135; };
listen-on-v6 { 2001:4f8:3::9; };
allow-query { any; };
[sa:amd64] ifconfig | egrep '^[a-z]|127.0.0|::|204.152'
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::1%bge0 prefixlen 64 scopeid 0x1
inet 204.152.187.1 netmask 0xffffff00 broadcast 204.152.187.255
inet6 2001:4f8:3:bb::1 prefixlen 64 autoconf
bge1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
nge0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 204.152.184.135 netmask 0xffffffff
inet 204.152.184.99 netmask 0xffffffff
inet6 2001:4f8:3::9 prefixlen 128
---