-rw-r--r--dns_wizard/Bind.pm141
1 files changed, 118 insertions, 23 deletions
diff --git a/dns_wizard/Bind.pm b/dns_wizard/Bind.pm
index a736a064..66e15102 100644
--- a/dns_wizard/Bind.pm
+++ b/dns_wizard/Bind.pm
@@ -379,10 +379,11 @@ EOF
# create named.conf file
sub crea_named_common {
output($WDIR . "/named.conf", <<EOF);
-key mykey {
- algorithm hmac-md5;
- secret "$DNSKEY";
-};
+// (oe) Loosely based on the document below and from production server configurations.
+// http://www.cymru.com/Documents/secure-bind-template.html
+
+// secret must be the same as in /etc/rndc.conf
+include "/etc/rndc.key";
controls {
inet 127.0.0.1 port 953
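Review bot: `include "/etc/rndc.key";` makes the generated named.conf depend on a key file that nothing in this diff writes, whereas the removed `key mykey { ... secret "$DNSKEY"; }` block was produced by the wizard itself; if rndc.key is missing, named refuses to load the configuration. Because `copy_good` now installs named.conf under `$BIND_CHROOT/etc`, named resolves that include path relative to the chroot (assuming it actually runs chrooted), so the file has to land at `$BIND_CHROOT/etc/rndc.key` and the comment should say so, e.g. `// key must match the one in rndc.conf; this path is resolved by named inside the chroot`. The removed block was the only visible use of `$DNSKEY` in named.conf; if rndc.conf still embeds that value, the key file should be generated from the same variable so the two cannot drift. crea_named_common's body continues outside the hunk.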
@@ -390,30 +391,123 @@ controls {
};
options {
- directory "$NAMED_DIR";
- pid-file "$NAMED_DIR/named.pid";
- version "Wizard drake";
- allow-query { any; };
- allow-transfer { any; };
+ version "";
+ directory "/var/named";
+ dump-file "/var/tmp/named_dump.db";
+ pid-file "/var/run/named.pid";
+ statistics-file "/var/tmp/named.stats";
+ zone-statistics yes;
+// datasize 256M;
+ coresize 100M;
+// fetch-glue no;
+// recursion no;
+// recursive-clients 10000;
+ auth-nxdomain yes;
+ query-source address * port *;
+ listen-on port 53 { any; };
+ cleaning-interval 120;
+ transfers-in 20;
+ transfers-per-ns 2;
+ lame-ttl 0;
+ max-ncache-ttl 10800;
+
+// forwarders { first_public_nameserver_ip; second_public_nameserver_ip; };
EOF
-
!$o->{var}{IPOFFORWARDER} or append_to_file($WDIR . "/named.conf", "\tforwarders { $o->{var}{IPOFFORWARDER}; };\n");
append_to_file($WDIR . "/named.conf", <<EOF);
+
+// allow-update { none; };
+// allow-transfer { any; };
+// Prevent DoS attacks by generating bogus zone transfer
+// requests. This will result in slower updates to the
+// slave servers (e.g. they will await the poll interval
+// before checking for updates).
+ notify no;
+// notify explicit;
+// also-notify { secondary_name_server };
+
+// Generate more efficient zone transfers. This will place
+// multiple DNS records in a DNS message, instead of one per
+// DNS message.
+ transfer-format many-answers;
+
+// Set the maximum zone transfer time to something more
+// reasonable. In this case, we state that any zone transfer
+// that takes longer than 60 minutes is unlikely to ever
+// complete. WARNING: If you have very large zone files,
+// adjust this to fit your requirements.
+ max-transfer-time-in 60;
+
+// We have no dynamic interfaces, so BIND shouldn't need to
+// poll for interface state {UP|DOWN}.
+ interface-interval 0;
+
+// Uncoment these to enable IPv6 connections support
+// IPv4 will still work
+// listen-on { none; };
+// listen-on-v6 { any; };
+
+ allow-query { any; };
+ allow-recursion { any; };
+
+// Deny anything from the bogon networks as
+// detailed in the "bogon" ACL.
+// blackhole { bogon; };
};
-zone "localhost" {
- type master;
- file "zone/db.localhost";
+// workaround stupid stuff... (OE: Wed 17 Sep 2003)
+zone "ac" { type delegation-only; };
+zone "cc" { type delegation-only; };
+zone "com" { type delegation-only; };
+zone "cx" { type delegation-only; };
+zone "lv" { type delegation-only; };
+zone "museum" { type delegation-only; };
+zone "net" { type delegation-only; };
+zone "nu" { type delegation-only; };
+zone "ph" { type delegation-only; };
+zone "sh" { type delegation-only; };
+zone "tm" { type delegation-only; };
+zone "ws" { type delegation-only; };
+
+zone "." IN {
+ type hint;
+ file "named.ca";
};
-zone "0.0.127.in-addr.arpa" {
- type master;
- file "zone/db.127.0.0.1";
+zone "localdomain" IN {
+ type master;
+ file "master/localdomain.zone";
+ allow-update { none; };
+};
+
+zone "localhost" IN {
+ type master;
+ file "master/localhost.zone";
+ allow-update { none; };
+};
+
+zone "0.0.127.in-addr.arpa" IN {
+ type master;
+ file "reverse/named.local";
+ allow-update { none; };
+};
+
+zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
+ type master;
+ file "reverse/named.ip6.local";
+ allow-update { none; };
+};
+
+zone "255.in-addr.arpa" IN {
+ type master;
+ file "reverse/named.broadcast";
+ allow-update { none; };
};
-zone "." {
- type hint;
- file "zone/root.hints";
+zone "0.in-addr.arpa" IN {
+ type master;
+ file "reverse/named.zero";
+ allow-update { none; };
};
EOF
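Review bot: `allow-recursion { any; };` together with `listen-on port 53 { any; };` and `allow-query { any; };` makes this an open recursive resolver, which exposes it to being used as a reflection/amplification source and to cache-poisoning attempts from arbitrary clients; recursion should be restricted to the networks the wizard serves, e.g. `allow-recursion { localhost; localnets; };`, keeping `allow-query { any; }` only for the authoritative zones below. The old explicit `allow-transfer { any; };` is now only a comment, so transfers fall back to the server default, which for BIND 9 releases of that era was also any; if the intent is to lock them down, put an active `allow-transfer { none; };` in `options` and override it per zone where secondaries exist. The `delegation-only` list is a hard-coded 2003 workaround (the `(OE: Wed 17 Sep 2003)` comment) whose TLD list will go stale; a comment naming the condition under which it can be dropped would help the next maintainer.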
@@ -618,8 +712,8 @@ sub save_old_config {
mkdir_p($REP_SAVE . '/dns');
system("cp -avf $ZONE_DIR/* $REP_SAVE/dns/");
# cp_af($_, "$REP_SAVE/dns/$_" . '-' . $DATE . '.sauv') foreach glob_($ZONE_DIR . "/*");
- if (-e "/etc/named.conf") {
- cp_af("/etc/named.conf", "$REP_SAVE/dns/named.conf-$DATE");
+ if (-e "$BIND_CHROOT/etc/named.conf") {
+ cp_af("$BIND_CHROOT/etc/named.conf", "$REP_SAVE/dns/named.conf-$DATE");
}
}
# end save old config
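Review bot: The backup now looks only at `$BIND_CHROOT/etc/named.conf`, so on a host that still has the previous non-chroot `/etc/named.conf` that file is no longer archived into `$REP_SAVE/dns`, and the migration leaves no dated copy of it; checking both locations preserves the old behaviour, e.g. `for my $conf ('/etc/named.conf', "$BIND_CHROOT/etc/named.conf") { cp_af($conf, "$REP_SAVE/dns/named.conf-$DATE") if -e $conf; }`. If `$BIND_CHROOT` can be empty or undef the two paths collapse to the same file, which is harmless here but worth noting where the variable is defined (not visible in this hunk). save_old_config begins outside the hunk.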
@@ -666,8 +760,9 @@ sub check_config {
# copy file correct place
sub copy_good {
mkdir_p($ZONE_DIR);
- cp_af($WDIR . '/named.conf', '/etc/named.conf');
- cp_af($WDIR . '/rndc.conf', '/etc/rndc.conf');
+ mkdir_p("$BIND_CHROOT/etc");
+ cp_af($WDIR . '/named.conf', "$BIND_CHROOT/etc/named.conf");
+ cp_af($WDIR . '/rndc.conf', "$BIND_CHROOT/etc/rndc.conf");
cp_af($WDIR . '/hosts', '/etc/hosts');
cp_af($WDIR . '/resolv.conf', '/etc/resolv.conf');
cp_af($WDIR . '/root.hints', $ZONE_DIR . '/');
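Review bot: `cp_af($WDIR . '/rndc.conf', "$BIND_CHROOT/etc/rndc.conf")` installs rndc.conf inside the chroot, but the rndc client runs outside it and reads `/etc/rndc.conf`, so unless `$BIND_CHROOT` is empty the control channel declared in named.conf will have no matching client configuration; the old destination `'/etc/rndc.conf'` is the right one for that file, and what named needs inside the chroot is the `/etc/rndc.key` the new named.conf includes, which this sub does not install (e.g. `cp_af($WDIR . '/rndc.key', "$BIND_CHROOT/etc/rndc.key");` once the wizard generates that file). Both files carry the shared HMAC secret, so whichever step writes them should make sure they are not world-readable; whether `cp_af` preserves or sets a mode is not visible here. copy_good continues outside the hunk.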