From owner-freebsd-security Tue Jan 30 19:56:31 2001
Date: Tue, 30 Jan 2001 19:56:13 -0800 (PST)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: Bind: unapproved query (version.bind) Script kiddies?

David La Croix wrote:
> It's not so much blocking queries to version.bind, so much as refusing to
> answer queries to an untrusted host, about domains it does not host.

Alternately, you could define the "allow-recursion" and "version" options:

  options {
          directory "/etc/namedb";
          version "none.of.your.business";    /* string returned for version.bind CH TXT */
          pid-file "/var/run/named.pid";
          listen-on { localhost; YOUR_IP; };
          query-source address YOUR_IP port 53;
          transfer-source YOUR_IP;
          allow-recursion { localhost; YOUR_SUBNET; };  /* only these may ask for recursion */
  };

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

> options {
>         directory "/etc/namedb";
>         allow-query {
>                 127.0.0.1;
>                 localnets;
>         };
>         allow-transfer {
>                 0.0.0.0;        /* IPs changed */
>                 0.0.0.0;        /* secondary DNS servers */
>         };
>         forwarders {
>                 0.0.0.0; 0.0.0.0;
>         };
> };
>
> and then further down all my zone definitions look like:
>
> zone "mydomain.com" {
>         type master;
>         file "zones/mydomain.com";
>         allow-query { any; };
> };
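To check from the outside that the "version" and "allow-recursion" settings above actually took effect, here is an added example in Python (not from Roger's post and not BIND's own tooling): it hand-builds a version.bind CH TXT query, parses the reply for the TXT string and the RA (recursion available) flag, and carries a constructed reply showing what a server with the fake version string and recursion denied to the client would return. The host passed to query_server is assumed to be a server you administer; SAMPLE_HARDENED_REPLY is constructed for the example, not captured.

```python
import socket
import struct

TXT, CHAOS = 16, 3  # QTYPE TXT, QCLASS CHAOS (the class version.bind lives in)

def build_version_query(txid=0x1234):
    """DNS query for version.bind CH TXT; flags word is 0, so RD is clear."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + b"\x07version\x04bind\x00" + struct.pack("!HH", TXT, CHAOS)

def _skip_name(pkt, off):
    # Walk labels; a compression pointer (top two bits set) ends the name in 2 bytes
    while pkt[off] != 0 and pkt[off] & 0xC0 != 0xC0:
        off += 1 + pkt[off]
    return off + (2 if pkt[off] & 0xC0 == 0xC0 else 1)

def parse_response(pkt):
    """Return (recursion_available, [TXT strings]) from a raw DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off, texts = 12, []
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4             # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if (rtype, rclass) == (TXT, CHAOS):
            i = 0
            while i < len(rdata):                  # TXT rdata: length-prefixed strings
                texts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
                i += 1 + rdata[i]
    return bool(flags & 0x80), texts

def query_server(host, port=53, timeout=3.0):
    """Send the query over UDP to a server you administer and parse its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (host, port))
        return parse_response(s.recv(512))

# Constructed reply, as a server running the config above would answer a client
# it denies recursion to: QR and AA set, RA clear, one CH TXT answer with the
# fake version string instead of the real BIND release.
SAMPLE_HARDENED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    + b"\x07version\x04bind\x00" + struct.pack("!HH", TXT, CHAOS)
    + b"\xc0\x0c" + struct.pack("!HHIH", TXT, CHAOS, 0, 22)
    + b"\x15none.of.your.business"
)
```

Against a live server, parse_response(...) returning True for the RA flag from an address outside YOUR_SUBNET means the allow-recursion list is not doing what you intended.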