________________________________
From: Dawn Connelly [mailto:dawn.connelly@gmail.com]
Sent: 27 August 2008 18:03
To: Paul ****er
Subject: Re: First time config - room for improvement?


Doh! Didn't read the whole email. You already did that. Nice stealth master set up. Kudos for doing that. Not enough people do that.


On Wed, Aug 27, 2008 at 10:01 AM, Dawn Connelly wrote:


I didn't run a named-checkconf but it looks good. The only thing I would maybe recommend is jailing your named directory.


On Wed, Aug 27, 2008 at 9:46 AM, Paul ****er wrote:


While I have worked with BIND 9.x before, I've never had to set it up from scratch. Due to a server migration I need to set up a new instance of BIND, but would prefer to start afresh due to the old config being a mish-mash of various BIND versions.

Running on CentOS 5.2 I am using BIND 9.3.4 running within a chroot environment. I've confirmed that the service can start, so all looks well having used the BIND samples under /usr/share/doc as a starting point, but what I want to check is whether the config can be improved, have I missed any settings necessary to run a secure system (especially important to me), is there anything here which might bite me in the ass later on, etc.

I should note that the role of the BIND service is two-fold: in one instance it is acting as the authoritative name server for a domain, in the other it is acting as a name cache for localhost.

acl slaves
{
    IPAddress;
    IPAddress2;
};

options
{
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
    version "random text";
};

logging
{
    channel default_debug {
        file "data/named.run" versions 5 size 2M;
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category lame-servers { null; };
};

view "localhost_resolver"
{
    match-clients { localhost; };
    match-destinations { localhost; };

    recursion yes;

    include "/etc/named.root.hints";
    include "/etc/named.rfc1912.zones";
};

view "external"
{
    match-clients { any; };
    match-destinations { any; };

    recursion no;

    include "/etc/named.root.hints";

    zone "domain.co.uk.zone" {
        type master;
        file "domain.co.uk.zone.db";
        allow-transfer { slaves; };
    };

    zone "#.#.#.#.in-addr.arpa" {
        type master;
        file "domain.co.uk.arpa.db";
        allow-transfer { slaves; };
    };
};

Many thanks,

Paul ****er




TNT Post is the trading name for TNT Post UK Ltd
(company number: 04417047), TNT Post (Doordrop Media) Ltd (00613278),
TNT Post Scotland Ltd (05695897),TNT Post North Ltd (05701709) and TNT
Post South West Ltd (05983401). Emma's Diary and Lifecycle are trading
names for Lifecycle Marketing (Mother and Baby) Ltd (02556692). All
companies are registered in England and Wales; registered address: 1
Globeside Business Park, Fieldhouse Lane, Marlow, Buckinghamshire, SL7
1HY.
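Dawn's reply stops at "looks good" without a named-checkconf run, and Paul's question was specifically about settings that keep the server secure. The config in the thread gets three of those right: a `version` override in `options`, `recursion no` in the world-facing view, and `allow-transfer` restricted to the `slaves` acl on both master zones. The script below is an added example, not code from this thread or from ISC's BIND; it parses the named.conf statement/block grammar with a small recursive-descent parser and reports when any of those three safeguards is missing. The two configs embedded in it are constructed stand-ins for the posted one (addresses and zone names are placeholders), and the "BIND 9.3 default is any" remark about `allow-transfer` refers to the default that applied to the release in the thread.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the named.conf posted in the thread; addresses and zone names are placeholders.
PAGE_STYLE_CONF = """
acl slaves { 192.0.2.10; 192.0.2.11; };
options {
    directory "/var/named";   // the default
    version "random text";    // hides the real release from version.bind queries
};
view "localhost_resolver" {
    match-clients { localhost; }; match-destinations { localhost; };
    recursion yes;
};
view "external" {
    match-clients { any; }; match-destinations { any; };
    recursion no;
    zone "example.co.uk" { type master; file "example.co.uk.zone.db"; allow-transfer { slaves; }; };
    zone "2.0.192.in-addr.arpa" { type master; file "example.co.uk.arpa.db"; allow-transfer { slaves; }; };
};
"""
# Same layout with the safeguards removed (constructed): no version string, recursion left on for the
# world-facing view, one zone transferable to anyone, one zone with no allow-transfer at all.
WEAK_CONF = """
options { directory "/var/named"; };
view "external" {
    match-clients { any; };
    recursion yes;
    zone "example.co.uk" { type master; file "example.co.uk.zone.db"; allow-transfer { any; }; };
    zone "2.0.192.in-addr.arpa" { type master; file "example.co.uk.arpa.db"; };
};
"""

@dataclass
class Stmt:
    words: list          # e.g. ["zone", "example.co.uk"] or ["recursion", "no"] (quotes stripped)
    block: list = None   # nested statements for a trailing "{ ... }", else None

# Quoted strings, the three named.conf comment styles, punctuation, bare words (comments are dropped).
TOKEN_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*|[{};]|[^\s{};"]+', re.S)

def tokenize(text):
    return [t for t in TOKEN_RE.findall(text) if not t.startswith(("/*", "//", "#"))]

def parse_block(tokens, pos=0):
    # Recursive descent: a statement is words up to ';', optionally followed by a '{ ... }' block.
    stmts, words = [], []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == "}": break
        if tok == "{":
            block, pos = parse_block(tokens, pos)
            stmts.append(Stmt(words, block))
            words = []
        elif tok == ";":
            if words: stmts.append(Stmt(words, None))
            words = []
        else:
            words.append(tok.strip('"'))
    return stmts, pos

def find(stmts, keyword):
    return [s for s in stmts if s.words and s.words[0] == keyword]

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
ADDR_RE = re.compile(r"^[0-9a-fA-F.:/]+$")   # bare IPv4/IPv6 address or prefix in an address list

def check_zone(zone, view_name, acls, findings):
    body = zone.block or []
    ztype = find(body, "type")
    if not ztype or ztype[0].words[1:2] != ["master"]: return   # only masters answer AXFR here
    where = f"view {view_name}, zone {zone.words[1] if len(zone.words) > 1 else '?'}"
    xfer = find(body, "allow-transfer")
    if not xfer:
        findings.append(f"{where}: master zone without allow-transfer (BIND 9.3 default is any)")
        return
    for entry in xfer[0].block or []:
        if not entry.words or entry.words[0] == "key": continue   # TSIG key entries are fine
        ref = entry.words[0].lstrip("!")
        if ref == "any":
            findings.append(f"{where}: allow-transfer {{ any; }} hands the whole zone to anyone via AXFR")
        elif ref not in BUILTIN_ACLS and ref not in acls and not ADDR_RE.match(ref):
            findings.append(f"{where}: allow-transfer references undefined acl '{ref}'")

def lint(config_text):
    findings = []
    top, _ = parse_block(tokenize(config_text))
    acls = {s.words[1] for s in find(top, "acl") if len(s.words) > 1}
    options = find(top, "options")
    opt_block = (options[0].block or []) if options else []
    if not find(opt_block, "version"):
        findings.append("options: no version override, so version.bind reveals the real BIND release")
    for view in find(top, "view"):
        name = view.words[1] if len(view.words) > 1 else "?"
        body = view.block or []
        mc = find(body, "match-clients")
        clients = [s.words[0] for s in (mc[0].block or [])] if mc else ["any"]   # BIND default: any
        rec = find(body, "recursion")
        recursion = rec[0].words[1] if rec and len(rec[0].words) > 1 else "yes"  # BIND default: yes
        if "any" in clients and recursion == "yes":
            findings.append(f"view {name}: recursion yes for match-clients any (open resolver)")
        for zone in find(body, "zone"):
            check_zone(zone, name, acls, findings)
    return findings
```

Running `lint(PAGE_STYLE_CONF)` returns an empty list, while `lint(WEAK_CONF)` returns four findings: the missing `version`, the open resolver, the `any` transfer and the zone with no `allow-transfer`. The checks rely on BIND's own defaults (match-clients and recursion default to `any`/`yes`, which is why a view that omits them is treated as exposed), so the script is a pre-flight complement to `named-checkconf`, which validates syntax but not intent.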