Subj : DNS
To   : Björn Felten
From : Alexey Vissarionov
Date : Sat Dec 06 2014 12:00:00

Good ${greeting_time}, Björn!

06 Dec 2014 01:12:44, you wrote to Tommi Koivula:

 TK>> Yes. I have been running Bind for a long time.
 BF> Setting up a Bind server is really easy. Getting it properly set-up
 BF> is not. It's estimated that somewhere around 98% of all traffic to
 BF> DNS servers is caused by badly configured Bind servers.

Also, a significant part of that traffic is the amplification of DDoS attacks.

 BF> If you care to write an article for the Fidonews about this, I know
 BF> it would be highly appreciated.

About configuring BIND? I doubt whether it's worth quoting configuration files...

% cat /etc/named/named.conf
acl "secondaries" {
        127.0.0.1;
        10.10.10.10;
        10.20.20.20;
};
acl "clients" {
        127.0.0.1;
        192.168.0.0/16;
        172.16.0.0/12;          // a /12 must have its host bits clear
        10.0.0.0/8;
};
options {
        version "unknown";
        directory "/etc/named";
        listen-on { 192.0.2.123; };             // listen-on takes IPv4 addresses only
        listen-on-v6 { 2001:0DB8:1:2::123; };   // IPv6 listeners go in listen-on-v6
        allow-transfer { secondaries; };
        allow-recursion { clients; };
};
logging {
        category lame-servers { null; };
};
include "key.conf";
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
view "common" {
        match-clients { any; };
        zone "." in {
                type hint;
                file "root.hint";
        };
        include "primaries.conf";
        include "secondaries.conf";
};

% perl -e 'my $key=`head -c18 < /dev/urandom | openssl base64`; chomp $key; print("key \"rndc-key\"\n{\n\talgorithm hmac-sha512;\n\tsecret \"$key\";\n};\n");' > /etc/named/key.conf

% cat /etc/named/key.conf
key "rndc-key"
{
        algorithm hmac-sha512;      // BIND's name for HMAC-SHA-512 is hmac-sha512
        secret "an1DY/ukB8ArIWlTjMxHz5+Q";
};

% cat /etc/named/rndc.conf
include "/etc/named/key.conf";
options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};

% dig . ns | egrep -v '^($|;)' > /etc/named/root.hint

% cat /etc/named/primaries.conf
zone "example.net" in {
        type master;
        file "zones/primary/example.net.zone";
};

% cat /etc/named/secondaries.conf
// zone "some-secondary-domain.net" in {
//         type slave;
//         file "zones/secondary/some-secondary-domain.net.zone";
//         masters { 10.20.30.40; };
// };

Bonus - example of zone specification:

$TTL 1H                 ; zone default TTL; without it named warns and uses the SOA minimum
@       IN SOA  ns.example.net. root.example.net. (
                        2014120611      ; Serial
                        1H              ; Refresh
                        15M             ; Retry
                        4w              ; Expire
                        1H )            ; Minimum
        IN NS   ns0
        IN NS   ns1
        IN A    192.0.2.123
        IN AAAA 2001:0DB8:1:2::123
        IN MX   10 mail
        IN TXT  "v=spf1 +mx ~all"
ns0     IN A    192.0.2.123
        IN AAAA 2001:0DB8:1:2::123
ns1     IN A    192.0.2.12
        IN AAAA 2001:0DB8:1::12
ns      IN A    192.0.2.123
        IN A    192.0.2.12
        IN AAAA 2001:0DB8:1:2::123
        IN AAAA 2001:0DB8:1::12
mail    IN A    192.0.2.123
        IN AAAA 2001:0DB8:1:2::123
myipv6only IN AAAA 2001:0DB8:1:2::123   ; IPv6-only example
myipv4only IN A    192.0.2.123          ; IPv4-only example
*       IN A    192.0.2.123
        IN AAAA 2001:0DB8:1:2::123

--
Alexey V. Vissarionov aka Gremlin from Kremlin
gremlin.ru!gremlin; +vii-cmiii-cmlxxvii-mmxlviii

.... god@universe:~ # cvs up && make world
--- /bin/vi
 * Origin: http://openwall.com/Owl (2:5020/545)
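An added example, not code from the message above: a small Python audit of a named.conf fragment modelled on the configuration Alexey quoted. It resolves allow-recursion and allow-transfer through the named acls to catch an open resolver (the amplification case the thread is about) and validates every acl prefix with the ipaddress module, so a prefix whose host bits are not zero (e.g. 172.16.32.0 with a /12 mask) is reported before named-checkconf ever runs. The regexes assume flat acl bodies without nested braces, and the sample config is constructed.

```python
import ipaddress
import re
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}  # names, not prefixes

# Constructed sample modelled on the named.conf quoted in the message; the
# 172.16.32.0/12 element is deliberately malformed (host bits set) to exercise the check.
SAMPLE_CONF = '''
acl "secondaries" { 127.0.0.1; 10.10.10.10; 10.20.20.20; };
acl "clients" { 127.0.0.1; 192.168.0.0/16; 172.16.32.0/12; 10.0.0.0/8; };
options {
        allow-transfer { secondaries; };
        allow-recursion { clients; };
};
'''

def split_list(body):
    return [e.strip() for e in body.split(";") if e.strip()]  # 'a; b; ' -> ['a', 'b']

def parse_acls(conf):
    """Map each named acl to its elements (flat acls only, no nested braces)."""
    return {name: split_list(body)
            for name, body in re.findall(r'acl\s+"([^"]+)"\s*\{([^}]*)\}', conf)}

def option_list(conf, option):
    """Elements of an options-level address list, or None when it is not set."""
    m = re.search(re.escape(option) + r'\s*\{([^}]*)\}', conf)
    return None if m is None else split_list(m.group(1))

def expand(elements, acls):  # flatten acl references so a hidden 'any' is visible
    return [x for e in elements for x in (expand(acls[e], acls) if e in acls else [e])]

def audit(conf):
    """Findings for the settings that decide whether named can be abused as an amplifier."""
    findings, acls = [], parse_acls(conf)
    for name, elems in acls.items():
        for e in elems:
            if e in BUILTIN_ACLS or e in acls or e.startswith("!"):
                continue
            try:
                ipaddress.ip_network(e, strict=True)  # strict: host bits must be zero
            except ValueError:
                findings.append(f'acl "{name}": {e} is not a valid prefix (host bits set?)')
    for opt, risk in (("allow-recursion", "open resolver, usable for DDoS amplification"),
                      ("allow-transfer", "zone transfers open to anyone")):
        elems = option_list(conf, opt)
        if elems is None or "any" in expand(elems, acls):  # unset falls back to BIND defaults
            findings.append(f"{opt}: {risk}")
    return findings
```

Run `audit(open("/etc/named/named.conf").read())` against a real file; an empty list means the checked settings are as restrictive as in the message.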