-rw-r--r-- | dns_wizard/Bind.pm | 141 |
1 files changed, 118 insertions, 23 deletions
diff --git a/dns_wizard/Bind.pm b/dns_wizard/Bind.pm
index a736a064..66e15102 100644
--- a/dns_wizard/Bind.pm
+++ b/dns_wizard/Bind.pm
@@ -379,10 +379,11 @@ EOF
 # create named.conf file
 sub crea_named_common {
 output($WDIR . "/named.conf", <<EOF);
-key mykey {
- algorithm hmac-md5;
- secret "$DNSKEY";
-};
+// (oe) Loosely based on the document below and from production server configurations.
+// http://www.cymru.com/Documents/secure-bind-template.html
+
+// secret must be the same as in /etc/rndc.conf
+include "/etc/rndc.key";
 controls {
 inet 127.0.0.1 port 953
@@ -390,30 +391,123 @@ controls {
 };
 options {
- directory "$NAMED_DIR";
- pid-file "$NAMED_DIR/named.pid";
- version "Wizard drake";
- allow-query { any; };
- allow-transfer { any; };
+ version "";
+ directory "/var/named";
+ dump-file "/var/tmp/named_dump.db";
+ pid-file "/var/run/named.pid";
+ statistics-file "/var/tmp/named.stats";
+ zone-statistics yes;
+// datasize 256M;
+ coresize 100M;
+// fetch-glue no;
+// recursion no;
+// recursive-clients 10000;
+ auth-nxdomain yes;
+ query-source address * port *;
+ listen-on port 53 { any; };
+ cleaning-interval 120;
+ transfers-in 20;
+ transfers-per-ns 2;
+ lame-ttl 0;
+ max-ncache-ttl 10800;
+
+// forwarders { first_public_nameserver_ip; second_public_nameserver_ip; };
 EOF
- !$o->{var}{IPOFFORWARDER} or append_to_file($WDIR . "/named.conf", "\tforwarders { $o->{var}{IPOFFORWARDER}; };\n");
 append_to_file($WDIR . "/named.conf", <<EOF);
+
+// allow-update { none; };
+// allow-transfer { any; };
+// Prevent DoS attacks by generating bogus zone transfer
+// requests. This will result in slower updates to the
+// slave servers (e.g. they will await the poll interval
+// before checking for updates).
+ notify no;
+// notify explicit;
+// also-notify { secondary_name_server };
+
+// Generate more efficient zone transfers. This will place
+// multiple DNS records in a DNS message, instead of one per
+// DNS message.
+ transfer-format many-answers;
+
+// Set the maximum zone transfer time to something more
+// reasonable. In this case, we state that any zone transfer
+// that takes longer than 60 minutes is unlikely to ever
+// complete. WARNING: If you have very large zone files,
+// adjust this to fit your requirements.
+ max-transfer-time-in 60;
+
+// We have no dynamic interfaces, so BIND shouldn't need to
+// poll for interface state {UP|DOWN}.
+ interface-interval 0;
+
+// Uncoment these to enable IPv6 connections support
+// IPv4 will still work
+// listen-on { none; };
+// listen-on-v6 { any; };
+
+ allow-query { any; };
+ allow-recursion { any; };
+
+// Deny anything from the bogon networks as
+// detailed in the "bogon" ACL.
+// blackhole { bogon; };
 };
-zone "localhost" {
- type master;
- file "zone/db.localhost";
+// workaround stupid stuff... (OE: Wed 17 Sep 2003)
+zone "ac" { type delegation-only; };
+zone "cc" { type delegation-only; };
+zone "com" { type delegation-only; };
+zone "cx" { type delegation-only; };
+zone "lv" { type delegation-only; };
+zone "museum" { type delegation-only; };
+zone "net" { type delegation-only; };
+zone "nu" { type delegation-only; };
+zone "ph" { type delegation-only; };
+zone "sh" { type delegation-only; };
+zone "tm" { type delegation-only; };
+zone "ws" { type delegation-only; };
+
+zone "." IN {
+ type hint;
+ file "named.ca";
 };
-zone "0.0.127.in-addr.arpa" {
- type master;
- file "zone/db.127.0.0.1";
+zone "localdomain" IN {
+ type master;
+ file "master/localdomain.zone";
+ allow-update { none; };
+};
+
+zone "localhost" IN {
+ type master;
+ file "master/localhost.zone";
+ allow-update { none; };
+};
+
+zone "0.0.127.in-addr.arpa" IN {
+ type master;
+ file "reverse/named.local";
+ allow-update { none; };
+};
+
+zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
+ type master;
+ file "reverse/named.ip6.local";
+ allow-update { none; };
+};
+
+zone "255.in-addr.arpa" IN {
+ type master;
+ file "reverse/named.broadcast";
+ allow-update { none; };
 };
-zone "." {
- type hint;
- file "zone/root.hints";
+zone "0.in-addr.arpa" IN {
+ type master;
+ file "reverse/named.zero";
+ allow-update { none; };
 };
 EOF
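Review bot: The generated options block leaves named running as an open resolver: `listen-on port 53 { any; };` (previous part of this hunk) combined with `allow-query { any; };` and `allow-recursion { any; };` here lets any host on the Internet recurse through this server, which is the classic amplification and cache-poisoning exposure and precisely what the Team Cymru template these lines cite restricts. Recursion should be limited to the networks the wizard actually serves, e.g. `allow-recursion { localhost; localnets; };` (or an acl the wizard fills in), keeping `allow-query { any; };` only for the authoritative zones. `allow-transfer { any; };` is now merely commented out, so BIND's default of allowing transfers to anyone still applies; `allow-transfer { none; };` in options, overridden per zone for known secondaries, closes that. The removed `IPOFFORWARDER` line also means the wizard's forwarder answer is no longer written anywhere, since the forwarders statement survives only as a commented template, which looks like an unintended regression rather than a hardening choice.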
@@ -618,8 +712,8 @@ sub save_old_config {
 mkdir_p($REP_SAVE . '/dns');
 system("cp -avf $ZONE_DIR/* $REP_SAVE/dns/");
 # cp_af($_, "$REP_SAVE/dns/$_" . '-' . $DATE . '.sauv') foreach glob_($ZONE_DIR . "/*");
- if (-e "/etc/named.conf") {
- cp_af("/etc/named.conf", "$REP_SAVE/dns/named.conf-$DATE");
+ if (-e "$BIND_CHROOT/etc/named.conf") {
+ cp_af("$BIND_CHROOT/etc/named.conf", "$REP_SAVE/dns/named.conf-$DATE");
 }
 }
 # end save old config
@@ -666,8 +760,9 @@ sub check_config {
 # copy file correct place
 sub copy_good {
 mkdir_p($ZONE_DIR);
- cp_af($WDIR . '/named.conf', '/etc/named.conf');
- cp_af($WDIR . '/rndc.conf', '/etc/rndc.conf');
+ mkdir_p("$BIND_CHROOT/etc");
+ cp_af($WDIR . '/named.conf', "$BIND_CHROOT/etc/named.conf");
+ cp_af($WDIR . '/rndc.conf', "$BIND_CHROOT/etc/rndc.conf");
 cp_af($WDIR . '/hosts', '/etc/hosts');
 cp_af($WDIR . '/resolv.conf', '/etc/resolv.conf');
 cp_af($WDIR . '/root.hints', $ZONE_DIR . '/'); |
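Review bot: Switching the `-e` test in save_old_config to `$BIND_CHROOT/etc/named.conf` means a host whose configuration still lives at the old location `/etc/named.conf` (an install made before the chroot change) no longer gets that file captured in the save directory at all, because only the chroot path is checked now. Keeping the old check next to the new one under a distinct backup name, e.g. `if (-e "/etc/named.conf") { cp_af("/etc/named.conf", "$REP_SAVE/dns/named.conf-host-$DATE"); }`, preserves the previous behaviour for upgrades. `$BIND_CHROOT` is defined outside this hunk, so I could not confirm it is always set; if it can be empty the path silently degrades to `/etc/named.conf`, which may be intended but deserves a one-line comment.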
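Review bot: copy_good now installs named.conf and rndc.conf under `$BIND_CHROOT/etc`, but the named.conf generated in the first hunk does `include "/etc/rndc.key";`, which inside the chroot resolves to `$BIND_CHROOT/etc/rndc.key`, and nothing in this change writes that file, so named will refuse to load unless it already exists there; if the wizard produces the key, add `cp_af($WDIR . '/rndc.key', "$BIND_CHROOT/etc/rndc.key");` beside the other copies, and document the assumption otherwise. Note also that the rndc client normally runs outside the chroot and reads `/etc/rndc.conf`, so copying rndc.conf only into the chroot may leave `rndc` without its key unless something else links the two locations; how rndc is invoked is not visible here, so please confirm. Both files carry the control-channel secret, and since cp_af's permission handling is not shown in this diff, the copies should be verified to end up owned by the named user with mode 0640 or tighter.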