[Chapter 10] Advanced Features and Security

DNS & BIND

DNS & BINDSearch this book
Previous: 9.8 The Life of a ParentChapter 10Next: 10.2 DNS NOTIFY (Zone Change Notification)
 

10. Advanced Features and Security

Contents:
Address Match Lists and ACLs
DNS NOTIFY (Zone Change Notification)
DNS Dynamic Update
System Tuning
Name Server Address Sorting
Preferring Name Servers on Certain Networks
Building Up a Large Site-wide Cache with Forwarders
A More Restricted Name Server
A Nonrecursive Name Server
Avoiding a Bogus Name Server
Securing Your Name Server
Load Sharing Between Mirrored Servers

"What's the use of their having names," the Gnat said, "if they won't answer to them?"

The latest BIND name server, version 8.1.2, has lots of new features. Two of the most prominent introductions are support for asynchronous zone change notification (DNS NOTIFY) and DNS Dynamic Update. Of the rest, the most important are related to security: they'll let you tell your name server whom to answer queries from, whom to offer zone transfers to, and whom to permit dynamic updates from. Many of the security features aren't necessary inside a corporate network, but the other mechanisms will help out the administrators of any name servers.

In this chapter, we'll cover these features and suggest how they might come in handy in your DNS infrastructure. (We do save some of the hard-core firewall material 'til the last chapter, though.)

10.1 Address Match Lists and ACLs

Before we introduce many of the new features, however, we'd better cover address match lists. BIND 8 uses address match lists for nearly every security feature, and for some features that aren't security-related at all.

An address match list is a list (what else?) of terms that specify one or more IP addresses. The elements in the list can be individual IP addresses, IP prefixes, or a named access control list. An IP prefix has the format:

network in dotted-octet format/bits in netmask

For example, the network 15.0.0.0, with the network mask 255.0.0.0 (eight contiguous ones), would be written 15/8. Traditionally, this would have been thought of as the "class A" network 15. The network consisting of IP addresses 192.168.1.192 through 192.168.1.255, on the other hand, would be written 192.168.1.192/26 (network 192.168.1.192 with the netmask 255.255.255.192, which has 26 contiguous ones).

A named ACL must have been previously defined with an acl statement. The acl statement has a simple structure:

acl "name" {
                { address_match list; };
};

Any time you're going to use one or more terms in a few access lists, it's a good idea to use an acl statement to associate them with a name. You can then refer to the name in the address match list. For example, let's call 15/8 what it is: HP-NET. And we'll call 192.168.1.192/26 "internal":

acl "HP-NET" {
                { 15/8; };
};

acl "internal" {
                { 192.168.1.192/26; };
};

Now we can refer to these ACLs by name in address match lists.

There are also four predefined access lists:

None

No IP addresses

Any

All IP addresses

Localhost

Any of the local host's IP addresses

Localnets

Any of the networks the local host has a network interface on (found by using each network interface's IP address and using the netmask to mask off the host bits in the address)


Previous: 9.8 The Life of a ParentDNS & BINDNext: 10.2 DNS NOTIFY (Zone Change Notification)
9.8 The Life of a ParentBook Index10.2 DNS NOTIFY (Zone Change Notification)