Named

WARNING: key file (rndc.key) exists, but using default configuration file (rndc.conf)


Setelah update BIND ke versi 9.8, saya menemukan permasalahan seperti di bawah ini:

WARNING: key file (rndc.key) exists, but using default configuration file (rndc.conf)

Yang harus dilakukan adalah sebagai berikut:

File rndc.key tidak dibuat secara otomatis pada saat instalasi, jadi jalankan perintah
"rndc-confgen -a" untuk membuat rndc.key.


Error Named 9.6 di FreeBSD 8.x


Baru selesai instalasi FreeBSD 8.2, lalu mengonfigurasi named.

  • Sekarang path file zona di named harus ditulis lengkap (beserta foldernya); kalau tidak, muncul error *file not found*
  • Jangan lupa, di named.conf hilangkan tanda komentar pada baris 127.0.0.1 dan forwarder 😀

lalu saya menemukan error seperti di bawah ini:


Secure Bind Template Version 6.3 27 MAY 2008


Hari ini mood g lagi enak. Pengen bikin Secure Bind di server kantor. Trus g tanya om Google, ternyata g temukan template yg sudah siap, tinggal dikustom agar sesuai dgn keinginan kita.

Ketentuan dari template ini sebagai berikut:

“For our purposes, we will assume that our external (visible to the Internet) network is 8.8.8.0/24. Our internal network is 7.7.7.0/24. In your network, this may be a netblock from the RFC1918 address space. Our name server has the IP address 8.8.8.1.”

Di bawah ini adalah isi dari named.conf:

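// @(#)named.conf 02 OCT 2001 Rob Thomas noc@cymru.com
// Set up our ACLs
// In BIND 8, ACL names with quotes were treated as different from
// the same name without quotes. In BIND 9, both are treated as
// the same.
// Use plain ASCII double quotes (") throughout: the typographic
// quotes (“ ”) that a web page renders are a syntax error for named.
acl "xfer" {
    // Allow no transfers. If we have other name servers (secondaries
    // that must pull zones from us), list them here by address or
    // by TSIG key name.
    none;
};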

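acl "trusted" {
    // Internal and DMZ subnets that may use this server as a resolver.
    // Anything not listed here falls through to the "external-in"
    // view below, which answers only for our own zones and never
    // recurses, so this ACL is what stops us from being an open
    // resolver for the Internet.
    //
    // The template text describes 7.7.7.0/24 as the internal network
    // and 8.8.8.0/24 as the Internet-facing one, and the internal view
    // serves 7.7.7.in-addr.arpa; the internal block therefore has to
    // be a member here, otherwise internal clients match the external
    // view and get no recursion.
    7.7.7.0/24;
    8.8.8.0/24;
    localhost;
};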

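acl "bogon" {
    // Source addresses that must never appear on the public Internet
    // (unspecified, private, link-local, documentation, benchmarking,
    // multicast, reserved). A query or update from one of these is
    // almost certainly spoofed or misrouted, so the "blackhole"
    // option drops it.
    //
    // The 2008 template also listed many /8 blocks that were merely
    // unallocated at the time. IANA has since assigned every IPv4 /8,
    // so keeping those entries here would blackhole legitimate
    // clients. Keep this list in sync with a maintained bogon feed,
    // and remove any RFC 1918 or shared-address block that is
    // actually in use on your own network, or those clients are
    // silently dropped.
    //
    // 127.0.0.0/8 is deliberately absent: "localhost" is a member of
    // "trusted" and blackhole applies to source addresses, so listing
    // it would drop local queries.
    0.0.0.0/8;          // "this" network (RFC 1122)
    10.0.0.0/8;         // private (RFC 1918)
    100.64.0.0/10;      // shared address space / CGNAT (RFC 6598)
    169.254.0.0/16;     // link-local (RFC 3927)
    172.16.0.0/12;      // private (RFC 1918)
    192.0.0.0/24;       // IETF protocol assignments (RFC 6890)
    192.0.2.0/24;       // TEST-NET-1 (RFC 5737)
    192.168.0.0/16;     // private (RFC 1918)
    198.18.0.0/15;      // benchmarking (RFC 2544)
    198.51.100.0/24;    // TEST-NET-2 (RFC 5737)
    203.0.113.0/24;     // TEST-NET-3 (RFC 5737)
    224.0.0.0/3;        // multicast and class E reserved space
};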

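logging {
    channel default_syslog {
        // Most named messages go to syslog, facility local2.
        syslog local2;
        severity debug;
    };

    channel audit_log {
        // Security-relevant messages go to a dedicated file. The file
        // is bounded (rotate at 20 MB, keep 3 old copies) so that the
        // per-query logging below cannot fill the disk; tune the size
        // to the query volume this server actually sees.
        file "/var/named/bind/named.log" versions 3 size 20m;
        severity debug;
        print-time yes;
        // Category and severity in each line make the file usable
        // without guessing which subsystem wrote it.
        print-category yes;
        print-severity yes;
    };

    category default { default_syslog; };
    category general { default_syslog; };
    category security { audit_log; default_syslog; };
    category config { default_syslog; };
    category resolver { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    // Giving the "queries" category a channel turns query logging on
    // at startup (unless the "querylog" option says otherwise): every
    // client address and name looked up is recorded. Valuable for
    // incident response, but treat the file as sensitive data.
    category queries { audit_log; };
    category lame-servers { audit_log; };
};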

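// Set options for security
options {
    directory "/var/named";
    pid-file "/var/named/named.pid";
    statistics-file "/var/named/named.stats";
    memstatistics-file "/var/named/named.memstats";
    dump-file "/var/adm/named.dump";
    zone-statistics yes;

    // Do not send NOTIFY messages. The template's rationale is to
    // avoid being provoked into bogus zone-transfer traffic; the cost
    // is that secondaries only learn of changes at their refresh
    // (poll) interval.
    notify no;

    // More efficient zone transfers: several records per DNS message
    // instead of one record per message.
    transfer-format many-answers;

    // A transfer that has not finished within 60 minutes is assumed
    // to be stuck and is aborted. WARNING: raise this for very large
    // zone files.
    max-transfer-time-in 60;

    // No dynamic interfaces, so BIND need not poll for interface
    // state changes.
    interface-interval 0;

    allow-transfer {
        // Zone transfers limited to members of the "xfer" ACL.
        xfer;
    };

    allow-query {
        // Queries are accepted from the "trusted" ACL by default; the
        // public zones in the external view override this per zone
        // with "any". This is what keeps us from becoming a free DNS
        // server for the masses.
        trusted;
    };

    allow-query-cache {
        // Only the "trusted" ACL may read answers from our cache.
        trusted;
    };

    blackhole {
        // Drop everything whose source is in the "bogon" ACL; named
        // will not answer these addresses nor send queries to them.
        bogon;
    };

    // NOTE(review): for the recursive (internal) view consider adding
    // "dnssec-validation auto;" so forged upstream answers are
    // rejected; it is available from BIND 9.8 on -- confirm against
    // the installed version.
};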

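view "internal-in" in {
    // Our internal (trusted) view: members of the "trusted" ACL get
    // recursion and answers from the cache. Views are matched in
    // order, so everybody else falls through to "external-in" below.

    match-clients { trusted; };
    recursion yes;
    // NOTE(review): additional-from-auth / additional-from-cache are
    // legacy options that newer BIND 9 releases no longer accept;
    // run named-checkconf on the installed version before relying
    // on them.
    additional-from-auth yes;
    additional-from-cache yes;

    zone "." in {
        // Root server hints; keep db.cache current.
        type hint;
        file "db.cache";
    };

    zone "0.0.127.in-addr.arpa" in {
        // Every name server, primary or secondary, is authoritative
        // for the loopback reverse zone. Anyone may query it; nobody
        // may transfer it.
        type master;
        file "master/db.127.0.0";

        allow-query {
            any;
        };

        allow-transfer {
            none;
        };
    };

    zone "internal.ournetwork.com" in {
        // Our internal forward zone. There may be several of these.
        type master;
        file "master/db.internal";
    };

    zone "7.7.7.in-addr.arpa" in {
        // Our internal reverse zone. Again, there may be several.
        type master;
        file "master/db.7.7.7";
    };
};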

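// Create a view for external DNS clients.
view "external-in" in {
    // Our external (untrusted) view. Any client may reach it, but
    // only the public zones answer: the global allow-query is
    // "trusted" and is overridden per zone with "any". No recursion
    // and no cache access, so this view cannot be abused as an open
    // resolver or for cache snooping.

    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

    // Root hints; with recursion off they should not be consulted
    // when answering, kept for parity with the internal view.
    zone "." in {
        type hint;
        file "db.cache";
    };

    // NOTE(review): the internal zone is internal.ournetwork.com while
    // the public zone is ournetwork.net -- confirm the differing TLDs
    // are intentional.
    zone "ournetwork.net" in {
        // Public forward zone; anyone may query it. Transfers stay
        // restricted to the "xfer" ACL from the global options.
        type master;
        file "master/db.ournetwork";

        allow-query {
            any;
        };
    };

    zone "8.8.8.in-addr.arpa" in {
        // Public reverse zone; anyone may query it.
        type master;
        file "master/db.8.8.8";

        allow-query {
            any;
        };
    };
};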

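// Create a view for all clients perusing the CHAOS class.
// Internal hosts may query our version number, which is handy for
// support; everyone else is refused, so the version is not handed to
// Internet scanners fingerprinting the server.
view "external-chaos" chaos {
    match-clients { any; };
    recursion no;

    zone "." {
        // No root hints for the CHAOS class.
        type hint;
        file "/dev/null";
    };

    zone "bind" {
        // db.bind is expected to carry the CHAOS records such as
        // version.bind (its contents are not shown here).
        type master;
        file "master/db.bind";

        allow-query {
            trusted;
        };
        allow-transfer {
            none;
        };
    };
};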

Selesai sudah named.conf; jangan lupa edit beberapa baris sesuai dgn keinginan kita. Untuk lebih jelasnya silakan ikuti link sources dari template ini. :mrgreen:
(Sources : Secure Bind )
