Tightening up BIND9

I’ve been aware for some time that my DNS isn’t quite as securely configured as I’d like. The crashrecovery tutorial looks pretty good, but the two main issues bugging me were:

  1. Anyone could do a ‘dig AXFR’ to retrieve a listing of all my DNS records – not great from a security point of view. This is a capability that should only be turned on for secondary DNS servers which need to fetch from the master.
  2. The server would perform arbitrary lookups [for any domain] on request. This means it’s operating in ‘recursive mode’, which is a Bad Thing for various reasons.

The solutions were:

  1. Add “allow-transfer { slaves; };” to the section of the configuration beginning “zone ‘'”. Then add a section defining the “slaves” access control list as the local server plus the secondaries: “acl slaves { localhost; <secondary-ip>; };”, replacing <secondary-ip> with the IP address(es) of your secondary nameserver(s). (“localhost” is BIND’s built-in ACL matching the server’s own addresses.)
  2. Add “recursion no;” to the “options” section of the configuration.

Then restart the BIND9 service – on Debian, this is “/etc/init.d/bind9 restart”.

Health warning: Don’t do (2) above if you rely on your server to do its own DNS resolution – follow the crashrecovery tutorial above instead.
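An added check, not part of the original post, that audits a named.conf fragment for the two problems described above (AXFR open to anyone, and recursion left on). The config samples and the 192.0.2.53 secondary address are constructed for the example; the regex parser handles the usual options/zone layout but is not a full BIND grammar.

```python
import re
# Constructed sample named.conf fragments (not the post's own config): the state
# the post complains about, then the tightened one. 192.0.2.53 is a placeholder
# for a secondary nameserver's address.
WEAK_CONF = """
options {
    recursion yes;
};
zone "example.org" {
    type master;
    file "/etc/bind/db.example.org";
};
"""
TIGHT_CONF = """
acl slaves { localhost; 192.0.2.53; };
options {
    recursion no;
};
zone "example.org" {
    type master;
    file "/etc/bind/db.example.org";
    allow-transfer { slaves; };
};
"""
# Body of a `{ ... };` block, allowing one level of nested braces (enough for an
# allow-transfer { ...; } inside a zone or options block); not a full BIND parser.
BLOCK = r'\{((?:[^{}]|\{[^{}]*\})*)\}'

def _transfer_acl(body):
    """Return the allow-transfer list in a block body, or None if absent."""
    m = re.search(r'\ballow-transfer\s*\{([^}]*)\}', body)
    return m.group(1) if m else None

def audit(conf):
    """Return findings for the two weaknesses the post describes."""
    findings = []
    m = re.search(r'\boptions\s*' + BLOCK, conf)
    opts = m.group(1) if m else ""
    if not re.search(r'\brecursion\s+no\s*;', opts):
        findings.append("options: recursion not disabled (answers arbitrary lookups)")
    for name, body in re.findall(r'\bzone\s+"([^"]+)"\s*' + BLOCK, conf):
        if not re.search(r'\btype\s+(?:master|primary)\s*;', body):
            continue  # only zones this server is authoritative for serve AXFR
        acl = _transfer_acl(body)
        if acl is None:
            acl = _transfer_acl(opts)  # no zone-level setting: inherit global
        if acl is None or re.search(r'\bany\s*;', acl):
            findings.append(f"zone {name}: AXFR allowed to anyone")
    return findings
```

Run audit() over your own named.conf (and any included files) to confirm both findings are gone after the change; the zone-level check falls back to a global allow-transfer in options, since a zone without its own setting inherits it.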