DNS Security

Jim Reid jim at rfc1035.com
Mon Dec 27 17:46:00 UTC 1999


>>>>> "Bill" == wwebb  <wwebb at adni.net> writes:

    Bill> Where there is a primary master zone with the server
    Bill> supporting one or more resolvers, a configuration
    Bill> recommended at: http://www.acmebw.com/securing/sld021.htm

    Bill> is as follows:

    Bill> acl internal { 206.168.119/24; };

    Bill> options {
    Bill>     directory "/var/named";
    Bill>     recursion yes; //the default
    Bill>     allow-query { internal; };
    Bill> };

    Bill> zone "acmebw.com" {
    Bill>     type master;
    Bill>     file "db.acmebw";
    Bill>     allow-transfer { 207.69.231.3; 209.86.147.1; };
    Bill>     allow-query { any; };
    Bill> };

    Bill> Irrespective of an option to allow queries only from the
    Bill> internal IP addresses, if a specific zone is set, such as
    Bill> acmebw.com as above, isn't the default to allow queries to
    Bill> that specific zone?

Yes and no. If no access lists are used, anybody can query the server.
This is the default behaviour. When a zone has a zone-specific ACL,
then that ACL is used for lookups (or whatever) for that zone. If
there is a global ACL in the options{} statement, that is applied to
any zones that don't have their own ACLs. When there's both a global
and a zone-specific ACL, only the zone-specific one is applied.

    Bill> If so, then what is the purpose of the
    Bill> "allow-query { any; }" entry above?

This entry means that there's an ACL of "any" for the acmebw.com
zone. Anybody anywhere can send the name server queries for names in
that zone, which is how things generally should be. The zone-specific
ACL is applied instead of the global one. For lookups of any other
domains, the global ACL is applied. Presumably this restricts the name
server to handling lookups from acmebw.com's local resolvers. The
combination of the two ACLs means local users have free access to the
name server to look up anything but the rest of the world can only use
it for queries about the acmebw.com zone.
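The precedence rule described in the reply (zone-specific allow-query wins, the global options{} ACL covers everything else) as an added Python model; this is not BIND's own code, and the configuration, client addresses and the omission of negated ("!") ACL elements are constructed simplifications.

```python
import ipaddress

# Constructed configuration mirroring the named.conf quoted in the post:
# a named acl{} "internal", a global allow-query and one zone with its own ACL.
CONFIG = {
    "acls": {"internal": ["206.168.119.0/24"]},
    "options": {"allow-query": ["internal"]},
    "zones": {"acmebw.com": {"allow-query": ["any"]}},
}


def acl_matches(client_ip, acl, named_acls):
    """Return True if client_ip matches any element of the ACL list.

    Elements may be "any", "none", a CIDR prefix or the name of an acl{}
    statement. Negated ("!") elements are left out of this simplified model.
    """
    ip = ipaddress.ip_address(client_ip)
    for element in acl:
        if element == "any":
            return True
        if element == "none":
            return False
        if element in named_acls:
            if acl_matches(client_ip, named_acls[element], named_acls):
                return True
            continue
        if ip in ipaddress.ip_network(element, strict=False):
            return True
    return False


def effective_acl(qname, config):
    """Pick the ACL that governs a query for qname.

    The most specific configured zone containing qname wins; if that zone has
    its own allow-query it is used, otherwise the global one from options{}.
    Names under no configured zone (recursive lookups) get the global ACL.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in config["zones"]:
            return config["zones"][zone].get(
                "allow-query", config["options"]["allow-query"])
    return config["options"]["allow-query"]


def query_allowed(client_ip, qname, config=CONFIG):
    """True if the server would answer client_ip's query for qname."""
    return acl_matches(client_ip, effective_acl(qname, config), config["acls"])
```

With the post's configuration, a local resolver can look up anything, while an outside address (192.0.2.10 here, a constructed documentation-range value) is answered only for names in acmebw.com.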



More information about the bind-users mailing list