Securing BIND9

Do not use query-source, if you not have to.

Define ACL:

acl "lan_ip" { 192.168.200.0/24; 127.0.0.1; };

For multihomed server, define views:

view "lan" {
        match-clients { lan_ip; } ;
        allow-query { lan_ip; } ;
        allow-recursion { lan_ip; };
....
};

view "external" {
        match-clients { !lan_ip ; any; } ;
        allow-recursion { none; };
        allow-query { none; } ;

	zone "myzone" IN {
		....
		allow-query { any ; } ;
	}
};

Allow query on particular zone, not globally.


If this was helpfull, please donate
Updated on Tue Apr 10 13:20:46 IDT 2012 by Oleg Volkov More documentations here