
My file with zone

My /etc/bind/db.piduna.org

;
; BIND data file for local loopback interface
;
$TTL    604800
$ORIGIN piduna.org.
@       IN      SOA     ns1.piduna.org. root.piduna.org. (
                     2018031701         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns1.piduna.org.
@       IN      NS      ns2.piduna.org.
@       IN      A       192.168.110.15

ns1     IN      A       192.168.110.15
ns2     IN      A       192.168.110.14

abc100  IN      A       192.168.110.1
abc101  IN      A       192.168.110.2
abc102  IN      A       192.168.110.3
abc103  IN      A       192.168.110.4
abc104  IN      A       192.168.110.5
abc105  IN      A       192.168.110.6
abc106  IN      A       192.168.110.7
abc107  IN      A       192.168.110.8
abc108  IN      A       192.168.110.9
abc109  IN      A       192.168.110.10
abc110  IN      A       192.168.110.11
abc111  IN      A       192.168.110.12
abc112  IN      A       192.168.110.13
abc113  IN      A       192.168.110.14
abc114  IN      A       192.168.110.15

gitlab  IN      A       192.168.110.14
redmine IN      A       192.168.110.14

*       IN      CNAME   piduna.org.

192.168.110.* are of course not real IP addresses. Instead of them I am using the real IP addresses of the VPSs.

My /etc/bind/named.conf.local:

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "abchosting.org" {
     type master;
     file "/etc/bind/db.piduna.org";
};

My /etc/bind/named.conf.options:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        listen-on port 53 {
        127.0.0.1;
        192.168.110.15;
        };

        forwarders {
        8.8.8.8;
        8.8.4.4;
        };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
};

So, I have tested it. Everything is OK. It works. But I have doubts about my configuration of /etc/bind/db.piduna.org. Is everything OK? Maybe some advice regarding security? I repeat, I made this for an external domain. I need:
- 15 A-records for my VPSs;
- two A-records for my services, like gitlab and redmine;
- a ping sub-domain from 192.168.110.15.
Thanks for your understanding and help.

Piduna
  • Use RFC5737 when you want to obfuscate IP addresses – Patrick Mevzek Mar 17 '18 at 20:53
  • You are going to have issues when you say that for the zone `abchosting.org` you are serving up a zone file that specifies `piduna.org`. Note that you can check named.conf* syntax with `named-checkconf` and zone file syntax with `named-checkzone example.com /path/to/zone/file/for/example.com` – ivanivan Mar 17 '18 at 23:57

1 Answer

You say you have tested it, so what did you do exactly? named-checkzone? Any kind of online troubleshooting tool?

What are your doubts? Your question is too broad. What security do you talk about?

I see various problems though:

  • you are using a wildcard record. Do you really need it? If not, I recommend removing it as it creates far more problems than solutions
  • so you seem to have an authoritative nameserver since you define a zone, but it listens only on local/internal IP addresses. Does that mean it is not globally reachable (which would be a bad idea for an authoritative nameserver) or you have some NAT setup in front of it, which is also a very bad idea for a nameserver?
  • so you seem to have an authoritative nameserver, but you forward queries externally. It seems you mix recursive and authoritative functions in the same server, which is a very bad idea security-wise (and one could also say that in any case forwarding to Google Public DNS is not a good idea security-wise, you should have your own local recursive nameserver)
Patrick Mevzek
  • 1) Yes, I need the wildcard, because I will use this for hosting. 2) 192.168.110.* does not mean local addresses; I have external ones instead of these IP addresses, I just did not write them, because I don't want to show the pool of my external IPs – Piduna Mar 17 '18 at 21:20
  • This is exactly why you should choose RFC5737 when you obfuscate IP addresses instead of using IPs used for something else as defined in RFC1918 – Patrick Mevzek Mar 17 '18 at 21:22
  • And you can do hosting without a DNS wildcard. – Patrick Mevzek Mar 17 '18 at 21:23
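The points raised in the answer and in the comments (zone name versus $ORIGIN mismatch, wildcard record, RFC 1918 addresses in an externally served zone, listening only on loopback/private addresses, and forwarding from an authoritative server) can be checked mechanically before running `named-checkconf`/`named-checkzone`. The following script is an added example, not code from the original thread or from BIND; the configuration excerpts it lints are constructed to mirror the files posted in the question, and the `lint` function name is an assumption.

```python
import ipaddress
import re

# Constructed excerpts mirroring the files posted in the question (assumed input, not the real server).
NAMED_CONF_LOCAL = 'zone "abchosting.org" { type master; file "/etc/bind/db.piduna.org"; };'
NAMED_CONF_OPTIONS = '''
options {
        listen-on port 53 { 127.0.0.1; 192.168.110.15; };
        forwarders { 8.8.8.8; 8.8.4.4; };
};
'''
ZONE_FILE = '''
$ORIGIN piduna.org.
@       IN      SOA     ns1.piduna.org. root.piduna.org. ( 2018031701 604800 86400 2419200 604800 )
@       IN      NS      ns1.piduna.org.
ns1     IN      A       192.168.110.15
gitlab  IN      A       192.168.110.14
*       IN      CNAME   piduna.org.
'''
RFC1918 = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]

def lint(named_local: str, named_options: str, zone_text: str) -> list:
    """Return one finding per problem raised in the thread; an empty list means none found."""
    findings = []
    # 1. The zone name in named.conf.local must match the $ORIGIN of the file it points to.
    zone_name = re.search(r'zone\s+"([^"]+)"', named_local).group(1).rstrip('.')
    origin = re.search(r'^\$ORIGIN\s+(\S+)', zone_text, re.M)
    if origin and origin.group(1).rstrip('.') != zone_name:
        findings.append(f"zone '{zone_name}' is served from a file whose $ORIGIN is '{origin.group(1)}'")
    # 2. An authoritative (type master) server that also forwards mixes the two roles.
    if 'type master' in named_local and re.search(r'forwarders\s*\{', named_options):
        findings.append("authoritative zone plus forwarders: recursive and authoritative roles are mixed")
    # 3. Listening only on loopback/RFC 1918 addresses leaves an external authoritative server unreachable.
    listen = re.search(r'listen-on[^{]*\{([^}]*)\}', named_options).group(1)
    ips = [ipaddress.ip_address(a.strip()) for a in listen.split(';') if a.strip()]
    if all(ip.is_loopback or any(ip in net for net in RFC1918) for ip in ips):
        findings.append(f"listen-on has no public address: {[str(ip) for ip in ips]}")
    # 4. Per-record checks: wildcard owners and RFC 1918 addresses in an externally served zone.
    for line in zone_text.splitlines():
        fields = line.split(';', 1)[0].split()  # drop trailing ';' comments
        if len(fields) < 4 or fields[1] != 'IN':
            continue
        owner, rtype, rdata = fields[0], fields[2], fields[3]
        if owner.startswith('*'):
            findings.append(f"wildcard record '{owner} {rtype} {rdata}'")
        if rtype == 'A' and any(ipaddress.ip_address(rdata) in net for net in RFC1918):
            findings.append(f"{owner}: A {rdata} is RFC 1918 space; use RFC 5737 ranges to obfuscate")
    return findings
```

Run `lint(NAMED_CONF_LOCAL, NAMED_CONF_OPTIONS, ZONE_FILE)` to list the six findings for the posted configuration; a zone whose name matches its $ORIGIN, served on a public address without forwarders, wildcards or RFC 1918 records, returns an empty list.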