Using views to restrict recursion


This is an example of a name server that does not do recursion for hosts outside of its own network, but still serves its zones to the world.

//
// named.conf for Red Hat caching-nameserver 
//

// Address list for the local network. It is referenced by allow-recursion
// in the options block below, so only these clients get recursive service.
acl "cooperix" { 192.139.46.0/24; };

// Global server options. Note that the recursion restriction lives here
// (allow-recursion), not in the views: the views below have no match-clients
// clause, so every client sees the same zones.
options {
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
	/*
	 * If there is a firewall between you and nameservers you want
	 * to talk to, you might need to uncomment the query-source
	 * directive below.  Previous versions of BIND always asked
	 * questions using port 53, but BIND 8.1 uses an unprivileged
	 * port by default.
	 */
	
	// Only the local network (acl "cooperix" above) may ask this server to
	// recurse; everyone else receives authoritative answers only.
	// NOTE(review): whether allow-recursion alone also protects cached
	// answers depends on the BIND version in use (newer releases derive
	// allow-query-cache from it) — confirm, or set allow-query-cache
	// explicitly to the same list.
	allow-recursion { "cooperix"; };
	// Local address used as the source of outbound zone-transfer requests.
	transfer-source 192.139.46.131;
	// NOTE(review): no allow-transfer is set here or in the zone stanzas
	// below, so zone transfers of the master zones are presumably open to
	// any client — confirm against the included files and consider an
	// allow-transfer list naming only the intended secondaries.

	// query-source address * port 53;
	//recursion no;                // Do not provide recursive service

};


// Logging: everything in the default category goes to syslog (facility
// local0, severity info and above) plus the built-in default_debug channel;
// messages in the "unmatched" category are discarded.
logging {
	channel "eastasia_local0" {
		syslog local0;
		severity info;
	};

     // Queries that match no view are dropped silently via the built-in
     // "null" channel.
     category "unmatched" { "null"; };
     category "default" { "eastasia_local0"; "default_debug"; };
};


//
// rndc control channel: listen on 127.0.0.1 only, accept connections only
// from localhost, and require the key "rndckey" (presumably defined in
// /etc/rndc.key, which is included further down — verify that file).
//
controls {
	inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

// The IN-class view. It has no match-clients clause, so it is offered to
// every client; the recursion restriction comes from allow-recursion in
// the options block, not from this view.
view "normal" {

  // Root hints, needed for recursive resolution on behalf of the local network.
  zone "." IN {
	type hint;
	file "named.ca";
  };

  // Standard local zones. Each is a master zone with dynamic updates
  // disabled (allow-update { none; }).
  zone "localdomain" IN {
	type master;
	file "localdomain.zone";
	allow-update { none; };
  };

  zone "localhost" IN {
	type master;
	file "localhost.zone";
	allow-update { none; };
  };

  zone "0.0.127.in-addr.arpa" IN {
	type master;
	file "named.local";
	allow-update { none; };
  };

  zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
	file "named.ip6.local";
	allow-update { none; };
  };

  zone "255.in-addr.arpa" IN {
	type master;
	file "named.broadcast";
	allow-update { none; };
  };

  zone "0.in-addr.arpa" IN {
	type master;
	file "named.zero";
	allow-update { none; };
  };

  //
  //
  // Public Secondaries
  //
  // NOTE(review): these include files live under user home directories;
  // whoever can write them controls which zones this server loads. Confirm
  // the files are owned by an administrative user and not writable by others.
  include "/home/russell/DNS/public-secondary.conf";
  include "/home/russell/DNS/sns.flora.ca.conf";
  include "/home/mcr/DNS/public-secondary.conf";
  include "/home/russell/DNS/jungle.ca-secondary.conf";

  //
  //
  // FLORA Secondaries
  //
  include "/home/russell/DNS/pns.flora.ca-secondary.conf";
  include "/home/russell/DNS/team.openconcept.ca-secondary.conf";
};

// Shared secret for the rndc control channel (see the controls block).
// NOTE(review): file permissions are not visible here — this file should be
// readable only by root and the named user.
include "/etc/rndc.key";

// Hesiod (class HS) view. Like "normal" it has no match-clients clause and
// so is offered to every client; the HS root is slaved from a single master.
view "hesiod" HS {
  zone "." HS {
        type slave;
        file "hesiod.zone.bak";
        masters {
                192.139.46.244; // pns.flora.ca
        };
  };

  // NOTE(review): same home-directory include concern as in view "normal" —
  // confirm ownership and permissions of these files.
  include "/home/russell/DNS/public-hs-secondary.conf";
  include "/home/russell/DNS/flora-hesiod-secondary.conf";

};