Zone Transfer Issues
Hi all.
Intro: I am new to BIND. We are using it as our nameservers within the organization. I have never been a DNS admin at this level before and am struggling with securing the server.
Problem: A quick MXToolbox lookup shows that we are allowing for zone transfers from the outside. I want to restrict this to at least our slave DNS server.
Attempted Solution: After googling around I found the entry for the named.conf file and made the appropriate changes to the options section on our primary nameserver. However, the full ns1 zone is still transferable.
Tell me what I did wrong here:
options {
listen-on port 53 {
127.0.0.1; XXX.XXX.XXX.XXX; xxx.xxx.xxx.xxx;
};
listen-on-v6 port 53 {
::1;
};
allow-transfer {
"none";
};
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
pid-file "/var/named.pid";
statistics-file "/var/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query {
any;
};
allow-recursion {
none;
};
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "example1.com" in {
type master;
file "db.example1.com";
};
zone "example2.com" in {
type master;
file "db.example2.com";
};
zone "xxx.xxx.xxx.in-addr.arpa" in {
type master;
file "db.xxx.xxx.xxx";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "db.0.0.127";
};
zone "." in {
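The following named.conf fragment is an added illustration of the goal stated in the question (transfers allowed only to the organisation's own secondary); it is not the poster's file and not a vendor default. The addresses 192.0.2.10 (primary) and 192.0.2.53 (secondary) and the ACL name "secondaries" are constructed placeholders. The point it shows, beyond the options-level setting already in the post, is that a zone-level allow-transfer overrides the options-level one, so an open zone statement keeps a zone transferable no matter what the options block says.

```conf
// Added example, not the poster's configuration. Addresses and the ACL
// name are constructed placeholders.

// Name the secondary once so every allow-transfer refers to the same list.
acl "secondaries" {
    192.0.2.53;
};

options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 192.0.2.10; };

    // Server-wide default: only the secondary may pull zones (AXFR/IXFR).
    allow-transfer { secondaries; };

    // Tell the secondary when a zone changes so it re-transfers promptly.
    notify yes;
    also-notify { 192.0.2.53; };

    allow-query { any; };
    allow-recursion { none; };
};

zone "example1.com" in {
    type master;
    file "db.example1.com";
    // A zone-level allow-transfer replaces the options-level one for this
    // zone. Had "allow-transfer { any; };" been left here, the zone would
    // stay open despite the options block above; stating it explicitly
    // removes that ambiguity.
    allow-transfer { secondaries; };
};

// Nobody needs to transfer the loopback reverse zone, so close it entirely.
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "db.0.0.127";
    allow-transfer { none; };
};
```

After editing, run `named-checkconf /etc/named.conf` to catch syntax errors (a malformed zone name, for instance, can stop the whole file from loading), then apply the change with `rndc reload`; an edited file that was never reloaded leaves the old policy in force, which is one common reason a transfer still succeeds after the "fix". Verify from a host outside the ACL with `dig @192.0.2.10 example1.com AXFR` (expect "Transfer failed.") and from the secondary itself (expect the full zone). Online checkers typically try every server listed in the zone's NS records, so the secondary must carry its own `allow-transfer { none; };` as well, or the zone will still show as transferable from that server.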
-
Hello, It's possible the alert you see on that utility is a false positive, as the default /etc/named.conf configuration should already block zone transfers:
]# grep allow-transfer /etc/named.conf
allow-transfer { "none"; };
If you want to reset your /etc/named.conf configuration, you can use the following commands:
mv /etc/named.conf /etc/named.conf.backup1
/scripts/rebuilddnsconfig
Thank you.