<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML EXPERIMENTAL 970324//EN">
<!--
 - Copyright (C) 2000 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
 - ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
 - OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
 - CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
 - DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
 - PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
 - ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
 -->
<!-- $Id: Bv9ARM.6.html,v 1.5 2000/06/22 21:53:44 tale Exp $ -->
<P>Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in the access-control statements of the configuration.</P>
<P>Using ACLs allows you to have finer control over who can access your nameserver, without cluttering up your config files with huge lists of IP addresses.</P>
<P>It is a good idea to use ACLs, and to control access to your server. Limiting access to your server by outside parties can help prevent spoofing and DoS attacks against your server.</P>
<PRE>
// Address space that should never be the source of a legitimate query
// (RFC 1918 and other reserved ranges, commonly seen in spoofed packets).
<CODE CLASS="grammar_literal">acl</CODE> <KBD CLASS="Literal-user-input">bogusnets</KBD> <CODE CLASS="grammar_literal">{</CODE> 0.0.0.0/8<CODE CLASS="grammar_literal">;</CODE> 1.0.0.0/8<CODE CLASS="grammar_literal">;</CODE> 2.0.0.0/8<CODE CLASS="grammar_literal">;</CODE> 192.0.2.0/24<CODE CLASS="grammar_literal">;</CODE>
               224.0.0.0/3<CODE CLASS="grammar_literal">;</CODE> 10.0.0.0/8<CODE CLASS="grammar_literal">;</CODE> 172.16.0.0/12<CODE CLASS="grammar_literal">;</CODE> 192.168.0.0/16<CODE CLASS="grammar_literal">; };</CODE>
// Your own networks; replace the x.x.x.x entries with real prefixes.
<CODE CLASS="grammar_literal">acl</CODE> <EM CLASS="variable">our-nets</EM> <CODE CLASS="grammar_literal">{</CODE> x.x.x.x/24<CODE CLASS="grammar_literal">;</CODE> x.x.x.x/21<CODE CLASS="grammar_literal">; };</CODE>

<CODE CLASS="grammar_literal">options {</CODE>
    // Only our own networks may query, and only they may use recursion.
    <CODE CLASS="grammar_literal">allow-query {</CODE> <EM CLASS="variable">our-nets</EM><CODE CLASS="grammar_literal">; };</CODE>
    <CODE CLASS="grammar_literal">allow-recursion {</CODE> <EM CLASS="variable">our-nets</EM><CODE CLASS="grammar_literal">; };</CODE>
    // Packets from bogus sources are dropped without any reply.
    <CODE CLASS="grammar_literal">blackhole {</CODE> <KBD CLASS="Literal-user-input">bogusnets</KBD><CODE CLASS="grammar_literal">; };</CODE>
<CODE CLASS="grammar_literal">};</CODE>

<CODE CLASS="grammar_literal">zone</CODE> "<EM CLASS="pathname">example.com</EM>" <CODE CLASS="grammar_literal">{</CODE>
    <CODE CLASS="grammar_literal">type</CODE> <EM CLASS="variable">master</EM><CODE CLASS="grammar_literal">;</CODE>
    <CODE CLASS="grammar_literal">file</CODE> <KBD CLASS="Literal-user-input">"m/example.com"</KBD><CODE CLASS="grammar_literal">;</CODE>
    // The zone-level statement overrides the global allow-query for this zone.
    <CODE CLASS="grammar_literal">allow-query {</CODE> <EM CLASS="variable">any</EM><CODE CLASS="grammar_literal">; };</CODE>
<CODE CLASS="grammar_literal">};</CODE>
</PRE>
<P>This allows recursive queries of the server from the outside unless recursion has been previously disabled.</P>
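<P>The rule that makes the example above work is that an address match list is evaluated in order and the first element that matches decides. The following Python model is an added example, not code from the ARM or from BIND; it goes beyond the example by also handling negated (<CODE>!</CODE>) and nested elements, and the <EM>our-nets</EM> prefixes 198.51.100.0/24 and 203.0.112.0/21 are constructed stand-ins for the x.x.x.x placeholders.</P>

```python
"""BIND-style address match list evaluation, as used by acl, allow-query,
allow-recursion and blackhole.

Added example, not code from the BIND 9 ARM or from BIND. It models the rule
named applies: elements are tried in order, the first match decides, and a
leading '!' turns a match into a denial. The ACL contents mirror the named.conf
example above, with constructed prefixes standing in for x.x.x.x.
"""
import ipaddress

# Constructed ACL table. An element is "prefix", "!prefix", or the name of
# another ACL, which nests just as it does in named.conf.
ACLS = {
    "bogusnets": ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "192.0.2.0/24",
                  "224.0.0.0/3", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "our-nets": ["198.51.100.0/24", "203.0.112.0/21"],   # hypothetical stand-ins
    "any": ["0.0.0.0/0"],
    "none": ["!0.0.0.0/0"],
}

# The options and zone statements from the example.
OPTIONS = {
    "allow-query": ["our-nets"],
    "allow-recursion": ["our-nets"],
    "blackhole": ["bogusnets"],
}
ZONES = {"example.com": {"allow-query": ["any"]}}


def match(addr, elements, acls=ACLS):
    """Return True (positive match), False (negated match) or None (no match).

    A negated match inside a nested ACL is treated as "no match" at the outer
    level, so "!inner" can never become a surprise allow through double
    negation; this mirrors the rule in BIND's acl code.
    """
    ip = ipaddress.ip_address(addr)
    for element in elements:
        negate = element.startswith("!")
        target = element[1:] if negate else element
        if target in acls:                        # nested ACL by name
            if match(addr, acls[target], acls) is True:
                return not negate
            continue                              # negative or no match: keep going
        if ip in ipaddress.ip_network(target):
            return not negate
    return None


def classify(client, zone=None):
    """What named does with a query from `client`, optionally for `zone`."""
    if match(client, OPTIONS["blackhole"]) is True:
        return "blackholed"                       # silently dropped, no reply
    allow_query = OPTIONS["allow-query"]
    if zone in ZONES and "allow-query" in ZONES[zone]:
        allow_query = ZONES[zone]["allow-query"]  # zone statement overrides options
    if match(client, allow_query) is not True:
        return "refused"                          # answered with REFUSED
    if match(client, OPTIONS["allow-recursion"]) is True:
        return "recursion"
    return "authoritative-only"                   # answered, recursion denied


if __name__ == "__main__":
    for client, zone in [("10.1.2.3", None), ("198.51.100.7", None),
                         ("8.8.8.8", None), ("8.8.8.8", "example.com")]:
        print(f"{client:14s} zone={zone!s:12s} -> {classify(client, zone)}")
```

<P>Two points worth noticing when you write real lists: a client that matches <EM>blackhole</EM> never reaches the <EM>allow-query</EM> check at all, and a negated element only denies what comes after it in the same list, so ordering matters.</P>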
<P>For more information on how to use ACLs to protect your server, see the AUSCERT advisory at <EM><A HREF="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A></EM>.</P>
<P>On UNIX servers, BIND can be started with a command-line option that confines it to a chroot() directory. This can help improve system security by placing BIND in a "sandbox," which will limit the damage done if a server is compromised.</P>
<P>Another useful feature in the UNIX version of BIND is the ability to run the daemon as a nonprivileged user.</P>
<P>You will need to set up an environment inside the chroot() directory that includes everything BIND needs to run. From BIND's point of view, that directory is the root of the filesystem. This includes any library directories and files that BIND needs to run on your system. Please consult your operating system's instructions if you need help figuring out which library files you need to copy over to the <CODE CLASS="Program-Process">chroot()</CODE> sandbox.</P>
<P>If you are running an operating system that supports static binaries, you can also compile BIND statically and avoid the need to copy system libraries over to your <CODE CLASS="Program-Process">chroot()</CODE> sandbox.</P>
<P>Access to the dynamic update facility should be strictly limited. In earlier versions of BIND the only way to do this was based on the IP address of the host requesting the update. BINDv9 also supports authenticating updates cryptographically by means of transaction signatures (TSIG). The use of TSIG is strongly recommended.</P>
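<P>To see what TSIG adds over an IP-address check, the following Python example (added here, not code from the ARM or from BIND) computes the keyed MAC that RFC 2845 specifies for a request and verifies it the way a server does. Because the MAC covers the whole update message together with the key name, algorithm and timestamp, a forged or replayed request is rejected even when it arrives from a permitted address. The update message, the key name <EM>update-key.example.com.</EM> and the secret are constructed for the demonstration; the TSIG resource record itself is not serialized, and hmac-sha256 is used where BIND 9.0 would have used hmac-md5.</P>

```python
"""Keyed-MAC check behind TSIG (RFC 2845) for dynamic update requests.

Added example, not code from the BIND 9 ARM or from BIND itself. It builds the
digest input TSIG specifies for a request (the DNS message followed by the TSIG
variables), signs it with an HMAC, and verifies it the way a server does:
unknown key -> BADKEY, bad MAC -> BADSIG, timestamp outside the fudge window
-> BADTIME. The wire message, key name and secret are constructed for the demo;
the TSIG RR itself is not serialized. hmac-sha256 is used here; BIND 9.0 only
knew hmac-md5.
"""
import hashlib
import hmac
import struct

ALGORITHM = "hmac-sha256."


def wire_name(name):
    """Uncompressed, lowercase wire form of a DNS name (canonical form)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update_message(msg_id, zone):
    """Constructed DNS UPDATE request: header (opcode 5, ZOCOUNT=1) + zone section."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 6, 1)   # SOA, IN


def tsig_digest_input(message, key_name, time_signed, fudge, error=0, other=b""):
    """Message + TSIG variables, in the order RFC 2845 section 3.4 lists them."""
    variables = (
        wire_name(key_name)
        + struct.pack("!HI", 255, 0)          # CLASS ANY, TTL 0
        + wire_name(ALGORITHM)
        + time_signed.to_bytes(6, "big")      # 48-bit seconds since the epoch
        + struct.pack("!HHH", fudge, error, len(other))
        + other
    )
    return message + variables


def tsig_sign(message, key_name, secret, time_signed, fudge=300):
    """MAC for a request; there is no prior MAC to chain in for the first message."""
    data = tsig_digest_input(message, key_name, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()


def tsig_verify(message, key_name, time_signed, fudge, mac, keys, now):
    """Server-side check order from RFC 2845: key, then MAC, then time."""
    secret = keys.get(key_name.lower())
    if secret is None:
        return False, "BADKEY"
    expected = tsig_sign(message, key_name, secret, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:           # replay / clock-skew window
        return False, "BADTIME"
    return True, "NOERROR"


def demo():
    """Exercise the accept path and the three reject paths; returns the outcomes."""
    keys = {"update-key.example.com.": b"constructed-demo-secret"}   # constructed
    key = "update-key.example.com."
    t = 1_000_000
    msg = build_update_message(0x1234, "example.com.")
    mac = tsig_sign(msg, key, keys[key], t)
    forged = msg[:-2] + struct.pack("!H", 255)    # flip the zone class IN -> ANY
    return {
        "valid": tsig_verify(msg, key, t, 300, mac, keys, now=t + 10),
        "tampered": tsig_verify(forged, key, t, 300, mac, keys, now=t + 10),
        "replayed": tsig_verify(msg, key, t, 300, mac, keys, now=t + 3600),
        "unknown-key": tsig_verify(msg, "other.example.com.", t, 300, mac, keys, now=t + 10),
    }


if __name__ == "__main__":
    for case, (ok, rcode) in demo().items():
        print(f"{case:12s} -> {'accepted' if ok else 'rejected'} ({rcode})")
```

<P>The fudge value bounds how far the signer's clock may drift from the server's, so a server whose clock is wrong will reject every signed update with BADTIME; keeping both sides synchronized is part of deploying TSIG.</P>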