
I have this in /etc/named.conf; I commented out the default values and set my own under them. My domain would not load in the browser unless I set allow-query to "any". Is this OK? What should I edit? If it is localhost or 127.0.0.1; 10.0.1.0/24; the domain would not load. I tried the 127.. thing because it was mentioned here: http://wiki.mandriva.com/en/Testing:Bind

Bind version is 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1; OS is CentOS 6.0.

options {
        // listen-on port 53 { 127.0.0.1; };
        listen-on port 53 { any; };
        //listen-on-v6 port 53 { ::1; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        //allow-query     { localhost; };
        allow-query     { any; };

        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};
Mark Henderson
adrianTNT

3 Answers


When you listen-on 127.0.0.1 or localhost or ::1, and/or allow-query from localhost only, bind will answer only queries originating from the same computer that runs bind. (It is set this way in "testing" probably because they just meant to test that bind works without opening it to the outside, for security reasons.)

It is normal to set those to "any" so that it will be accessible from outside.

Sandman4
  • Some online articles mentioned that it might be exposed to DOS attacks if "any", if I understood correctly. – adrianTNT Nov 12 '11 at 17:49
  • Well, even if that's true, without "any" it won't work ;) – Sandman4 Nov 12 '11 at 18:15
  • Btw, what is your server's purpose? Is it only authoritative for some zone of yours? Who should be able to access your server? – Sandman4 Nov 12 '11 at 18:17
  • It is an image hosting site; it will host multiple domains on the same IP. The domain is at GoDaddy, where I set two "hosts", ns1.domain and ns2.domain, and associated these NS with my server IP. – adrianTNT Nov 12 '11 at 19:56
  • Ok, so it should be accessible from outside. Thus it must be "any". And you'd better set "recursion no" if you are afraid of attacks. But doesn't GoDaddy provide nameservers for you? – Sandman4 Nov 12 '11 at 20:04
  • At GoDaddy I just set 2 "hosts", ns1.domain and ns2.domain; I added the A records and CNAMEs on my server. I don't want to depend on other services as much as possible. I will now look into the recursion options because I have no idea what it does. – adrianTNT Nov 13 '11 at 11:04

If your DNS server is a local caching server, set

allow-query { <your subnet>; };

in options. And, in each zone:

allow-query { any; };

If you are not using it as a caching server, set it in options to none:

allow-query { none; };

Basically, you don't want your server answering for domains you are not authoritative for.

rsd

Be careful, this is not true:

If you are not using it as a caching server, set it in options to none:

allow-query { none; };

Such a server doesn't reply to any packet, even for domains it is authoritative for.
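Added example, not code from this thread and not from ISC: a small Python audit that applies the two BIND rules the answers above turn on. First, per the BIND 9 ARM, when allow-recursion is not set it defaults to allow-query-cache, then to allow-query, then to { localnets; localhost; }; so the poster's options block (recursion yes, allow-query { any; }, no allow-recursion) is an open recursive resolver, which is the DoS/amplification exposure the comments worry about, and "recursion no" is what closes it for an authoritative-only server. Second, an allow-query inside a zone statement overrides the one in options, which is what the second answer relies on and what the third answer disputes. The three named.conf fragments are constructed here; example.com is a hypothetical zone and 10.0.1.0/24 is the subnet from the question. The parser handles only comments, top-level blocks and simple directives (no include, views or nested statements).

```python
import re

# Constructed sample 1: the shape of the question's options block, plus a
# hypothetical zone so the zone-level logic has something to report on.
OPEN_RESOLVER_CONF = """
options {
        listen-on port 53 { any; };
        directory       "/var/named";
        allow-query     { any; };   // needed so the world can resolve the zone
        recursion yes;              // with no allow-recursion: open resolver
};
zone "example.com" IN {
        type master;
        file "example.com.zone";
};
"""

# Constructed sample 2: authoritative-only ("recursion no"), as suggested
# in the accepted answer's comments.
AUTH_ONLY_CONF = """
options {
        allow-query     { any; };
        recursion no;
};
zone "example.com" IN {
        type master;
        file "example.com.zone";
};
"""

# Constructed sample 3: the second answer's split. Global ACLs limited to
# the LAN; zone-level allow-query { any; } overrides them for the public zone.
SPLIT_CONF = """
options {
        allow-query     { 10.0.1.0/24; localhost; };
        allow-recursion { 10.0.1.0/24; localhost; };
        recursion yes;
};
zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-query { any; };
};
"""

COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# name [port N] value;   or   name [port N] { elem; elem; };
DIRECTIVE_RE = re.compile(
    r"(?P<name>[A-Za-z][\w-]*)(?:\s+port\s+\d+)?\s+"
    r"(?:\{(?P<acl>[^}]*)\}|(?P<val>[^;{}]+))\s*;"
)


def strip_comments(text):
    return COMMENT_RE.sub("", text)


def top_level_blocks(text):
    """Return (header, body) for each top-level `header { body };`."""
    blocks, i = [], 0
    while True:
        start = text.find("{", i)
        if start == -1:
            return blocks
        header = text[i:start].strip().lstrip(";").strip()
        depth, j = 1, start + 1
        while depth and j < len(text):          # brace matching
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        blocks.append((header, text[start + 1:j - 1]))
        i = j


def directives(body):
    """Map directive name -> string value, or list of ACL elements."""
    out = {}
    for m in DIRECTIVE_RE.finditer(body):
        if m.group("acl") is not None:
            out[m.group("name")] = [e.strip() for e in m.group("acl").split(";") if e.strip()]
        else:
            out[m.group("name")] = m.group("val").strip().strip('"')
    return out


def effective_allow_recursion(opts):
    """BIND 9 ARM default chain: allow-recursion, else allow-query-cache,
    else allow-query, else { localnets; localhost; }."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            return opts[key]
    return ["localnets", "localhost"]


def audit(conf):
    opts, zones = {}, {}
    for header, body in top_level_blocks(strip_comments(conf)):
        words = header.split()
        if words and words[0] == "options":
            opts = directives(body)
        elif len(words) > 1 and words[0] == "zone":
            zones[words[1].strip('"')] = directives(body)
    recursion = opts.get("recursion", "yes")      # BIND default: yes
    allow_rec = effective_allow_recursion(opts)
    global_aq = opts.get("allow-query", ["any"])  # BIND default: any
    # A zone-level allow-query overrides the one in options.
    zone_aq = {n: z.get("allow-query", global_aq) for n, z in zones.items()}
    return {
        "open_resolver": recursion == "yes" and "any" in allow_rec,
        "effective_allow_recursion": allow_rec,
        "zone_allow_query": zone_aq,
        "zones_public": sorted(n for n, acl in zone_aq.items() if "any" in acl),
    }


if __name__ == "__main__":
    for label, conf in (("question", OPEN_RESOLVER_CONF), ("recursion no", AUTH_ONLY_CONF),
                        ("split ACLs", SPLIT_CONF)):
        print(label, audit(conf))
```

Running it flags only the first fragment as an open resolver; the second is safe because recursion is off, and the third because allow-recursion is pinned to the LAN while the zone stays answerable from anywhere. To check a real server from the outside rather than its config, query it for a name it is not authoritative for (for example with dig against the server's public address); an authoritative-only server returns REFUSED or no answer instead of resolving it.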