Nameserver (Again)

OK one last Update and One Last Question (For Now :sunglasses: )

Ok, I did the server reboot, all went fine, and actually pages coming up faster than before…

I used a Global Propagation Checker for the NS (Multiple Location Check), and Internic has it exactly as I want it, So I’m just going to leave that be, As It seems correct…

Can one of you check this, My RESOLV.CONF and Verify I’m not on any other NS than my own, I mean, Not on the Global Internet, To serve other Sites…

This Part:

If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface

I only want to serve my forum pages… I Believe it’s right, I just want to verify… Thanks

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 {
        any;
    };
    listen-on-v6 port 53 {
        any;
    };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "android-x86.net" {
    type master;
    file "/var/named/android-x86.net.hosts";
    also-notify {
        ...;    // *** NS1 IP CORRECT
    };
    allow-transfer {
        ...;    // **** NS1 IP CORRECT
    };
    notify yes;
};

Thanks, I think, That’d handle this for now, I’ll check back later (Couple Days) to put in a final word on this but as of now it all looks good…

Mike

You need to be more specific about allowing recursion.

Something like:

acl "trustednets" { localhost; 127.0.0.1; 192.168.1.0/24; };

options {
allow-recursion { trustednets; };
recursion yes;
…other options here…
};

Ok on the 192.168.1.0/24, I actually know what the 0/24 Means Blocking IPs In HTACCESS, But should I use that for my Single Name Server IP?? I’m Guessing here, it’s just to span the IP?? Or should I use it as you posted, and Put my NS server IP In?? Sorry, I AM Learning LOL

And I Get the Allow-recursion , Makes Sense!

Mike
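To make the advice above concrete (an added example, not code from the thread or from BIND itself): a small checker that reads a named.conf fragment, flags a `recursion yes` with no explicit `allow-recursion`, expands an `acl` name, and shows which client addresses a CIDR such as 192.168.1.0/24 admits versus a bare single address. The config samples are constructed in the shape of the two configs in the thread; `203.0.113.5` is a documentation address standing in for an outside client.

```python
# Added example (not from the thread): lint a BIND named.conf fragment's
# recursion policy and check which clients its allow-recursion ACL admits.
import ipaddress
import re

# Constructed samples: the thread's first config (recursion on, no
# allow-recursion) and the advised fix with a trusted-network ACL.
OPEN_CONF = "options { listen-on port 53 { any; }; recursion yes; };"
FIXED_CONF = '''acl "trustednets" { localhost; 127.0.0.1; 192.168.1.0/24; };
options { allow-recursion { trustednets; }; recursion yes; };'''

def _entries(body):  # "a; b; c;" -> ["a", "b", "c"]
    return [e.strip() for e in body.split(";") if e.strip()]

def parse_acls(conf):
    """Map each acl "name" { ... }; statement to its list of entries."""
    pairs = re.findall(r'acl\s+"?([\w-]+)"?\s*\{([^}]*)\}', conf)
    return {name: _entries(body) for name, body in pairs}

def recursion_policy(conf):
    """Return (recursion_on, allow_recursion_entries); entries is None when unset."""
    on = re.search(r"\brecursion\s+yes\s*;", conf) is not None
    m = re.search(r"allow-recursion\s*\{([^}]*)\}", conf)
    return on, (None if m is None else _entries(m.group(1)))

def lint_recursion(conf):
    """Findings a reviewer would raise about the recursion policy."""
    on, entries = recursion_policy(conf)
    if on and entries is None:
        return ["recursion yes without allow-recursion: relies on BIND's default "
                "(localhost; localnets); list the trusted networks explicitly"]
    if on and "any" in entries:
        return ["allow-recursion contains 'any': open resolver"]
    return []

def acl_matches(entry, ip, acls):
    """One ACL entry (any, localhost, acl name, CIDR or bare IP) against a client."""
    if entry == "any":
        return True
    if entry == "localhost":  # approximation: BIND means every local address
        return ip.is_loopback
    if entry in acls:
        return any(acl_matches(e, ip, acls) for e in acls[entry])
    # Bare 192.168.1.5 is the single host (/32); 192.168.1.0/24 is all 256 addresses.
    return ip in ipaddress.ip_network(entry, strict=False)

def recursion_allowed_for(conf, client):
    """Would `client` be served recursively under conf's explicit allow-recursion?"""
    on, entries = recursion_policy(conf)
    if not on or entries is None:
        return False  # recursion off, or left to BIND's default (not modelled)
    return any(acl_matches(e, ipaddress.ip_address(client), parse_acls(conf)) for e in entries)
```

A single nameserver address belongs in the ACL as a bare address or a /32; the /24 in the suggested config is an example of a whole local network, not something to copy literally.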

And actually isn’t:

1.1.1.0/8
1.1.0.0/016
1.0.0.0/32
1.1.1.1.0//64

N/M I forgot the span for the IP’s, Oldtimers sucks guys, I’ll get back in the morning, Seems Clearer with a good cup of coffee… :sunglasses:

Or am I wrong again?? Really don’t like to Expound my stupid’ness,

Ok, I messed up, I thought I had purchased the IP, But apparently not, As The Server Reboot Changed the IP, I’ve fixed that, But since I had to Redo Everything, I decided to go Back to the Pre-Nameserver Settings Image and redo everything with the New IP, And Less Edits…

Would “allow-query” work the same as your post?? Or both or just what you said above??

Thanks, Mike

UPDATE:

Ok Done again, and propagating, With a lot less edits to the files, just what was advised on your blog, Feel better about it that way…

I didn’t add the above “acl” stuff, as I was thinking the:

zone "android-x86.net" {
    allow-query { localhost; 116.NS1 IP ADDRESS; };
    type master;
    file "/var/named/android-x86.net.hosts";
    also-notify {
        116.NS1 IP ADDRESS;
    };
    allow-transfer {
        127.0.0.1;
        localnets;
    };
    notify yes;
};

If you still advise adding it I will, I didn’t realize that that IP range you have is local…

Mike