Subj : DNS
To   : Alexey Vissarionov
From : Markus Reschke
Date : Sat Dec 06 2014 11:29:30

Hello Alexey!

Dec 06 12:00 2014, Alexey Vissarionov wrote to Björn Felten:

 AV> About configuring BIND? I ever doubt whether it worth quoting
 AV> configuration files...

 AV> acl "clients"
 AV> {
 AV>     127.0.0.1;
 AV>     192.168.0.0/16;
 AV>     172.16.32.0/12;
 AV>     10.0.0.0/8;
 AV> };

No IPv6 clients? ;)

 AV> options
 AV> {
 AV>     version "unknown";
 AV>     directory "/etc/named";
 AV>     listen-on { 192.0.2.123; 2001:0DB8:1:2::123; };
 AV>     allow-transfer { secondaries; };
 AV>     allow-recursion { clients; };
 AV> };

I'd recommend to set up DNSsec and to add some query limits. And for the
paranoid to prevent fingerprinting:

view "chaosnet" CHAOS {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    dnssec-lookaside auto;

    zone "." {
        type hint;
        file "/dev/null";
    };

    zone "bind" {
        type master;
        file "local/bind";
        allow-query { my-clients; };
        allow-transfer { none; };
        allow-update { none; };
    };
};

local/bind:

$ORIGIN bind.
$TTL 1D
@        1D CH SOA @ root (
                42      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
            CH NS   localhost.
version     CH TXT  "None of your business!"
authors     CH TXT  "are better coders than I am. :)"

Regards,
Markus

---
 * Origin: *** theca tabellaria *** (2:240/1661)