
My zone file

My /etc/bind/db.piduna.org:

;
; BIND data file for local loopback interface
;
$TTL    604800
$ORIGIN piduna.org.
@       IN      SOA     ns1.piduna.org. root.piduna.org. (
                     2018031701         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns1.piduna.org.
@       IN      NS      ns2.piduna.org.
@       IN      A       192.168.110.15

ns1     IN      A       192.168.110.15
ns2     IN      A       192.168.110.14

abc100  IN      A       192.168.110.1
abc101  IN      A       192.168.110.2
abc102  IN      A       192.168.110.3
abc103  IN      A       192.168.110.4
abc104  IN      A       192.168.110.5
abc105  IN      A       192.168.110.6
abc106  IN      A       192.168.110.7
abc107  IN      A       192.168.110.8
abc108  IN      A       192.168.110.9
abc109  IN      A       192.168.110.10
abc110  IN      A       192.168.110.11
abc111  IN      A       192.168.110.12
abc112  IN      A       192.168.110.13
abc113  IN      A       192.168.110.14
abc114  IN      A       192.168.110.15

gitlab  IN      A       192.168.110.14
redmine IN      A       192.168.110.14

*       IN      CNAME   piduna.org.

192.168.110.* are of course not real IP addresses. Instead of them I am using the real IP addresses of the VPSs.

My /etc/bind/named.conf.local:

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "abchosting.org" {
     type master;
     file "/etc/bind/db.piduna.org";
};

My /etc/bind/named.conf.options:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        listen-on port 53 {
        127.0.0.1;
        192.168.110.15;
        };

        forwarders {
        8.8.8.8;
        8.8.4.4;
        };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
};

So, I have tested it. Everything is OK. It works. But I have doubts about my configuration of /etc/bind/db.piduna.org. Is everything OK? Maybe some advice regarding security? I repeat, I made this for an external domain. I need:
- 15 A records for my VPSs;
- two A records for my services, like gitlab and redmine;
- a ping subdomain from 192.168.110.15
Thanks for your understanding and help.

  • Use RFC5737 when you want to obfuscate IP addresses
    Commented Mar 17, 2018 at 20:53
  • you are going to have issues when you say that for the zone abchosting.org you are serving up a zone file that specifies piduna.org. Note that you can check named.conf* syntax with named-checkconf and zone file syntax with named-checkzone example.com /path/to/zone/file/for/example.com
    – ivanivan
    Commented Mar 17, 2018 at 23:57

1 Answer


You say you have tested it, so what did you do exactly? named-checkzone? Any kind of online troubleshooting tool?

What are your doubts? Your question is too broad. What security are you talking about?

I see various problems though:

  • you are using a wildcard record. Do you really need it? If not, I recommend removing it as it creates far more problems than solutions
  • so you seem to have an authoritative nameserver since you define a zone, but it listens only on local/internal IP addresses. Does that mean it is not globally reachable (which would be a bad idea for an authoritative nameserver) or you have some NAT setup in front of it, which is also a very bad idea for a nameserver?
  • so you seem to have an authoritative nameserver, but you forward queries externally. It seems you mix recursive and authoritative functions in the same server, which is a very bad idea security-wise (and one could also say that in any case forwarding to Google Public DNS is not a good idea security-wise, you should have your own local recursive nameserver)
  • 1) Yes, I need the wildcard, because I will use this for hosting. 2) 192.168.110.* does not mean local addresses; I have external ones instead of these IP addresses, I just did not write them, because I don't want to show the pool of my external IPs
    – Piduna
    Commented Mar 17, 2018 at 21:20
  • This is exactly why you should choose RFC5737 when you obfuscate IP addresses instead of using IPs used for something else as defined in RFC1918
    Commented Mar 17, 2018 at 21:22
  • And you can do hosting without a DNS wildcard.
    Commented Mar 17, 2018 at 21:23
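A small Python linter for the problems raised in the comments and the answer above: the zone name in named.conf.local not matching the file's $ORIGIN, the wildcard record, RFC1918 addresses in a zone served publicly, and forwarders on a server that is meant to be authoritative. This is an added example, not code from the question or the answer; the embedded configuration is an abbreviated copy of the question's files (the abc1xx records are omitted) and the check names are my own.

```python
import ipaddress
import re

# Constructed sample, abbreviated from the question's files (abc1xx records omitted).
ZONE_FILE = """\
$TTL    604800
$ORIGIN piduna.org.
@       IN      SOA     ns1.piduna.org. root.piduna.org. 2018031701 604800 86400 2419200 604800
@       IN      NS      ns1.piduna.org.
@       IN      A       192.168.110.15
ns1     IN      A       192.168.110.15
gitlab  IN      A       192.168.110.14
*       IN      CNAME   piduna.org.
"""
NAMED_CONF_LOCAL = 'zone "abchosting.org" { type master; file "/etc/bind/db.piduna.org"; };'
NAMED_CONF_OPTIONS = 'options { forwarders { 8.8.8.8; 8.8.4.4; }; dnssec-validation auto; };'

def zone_names(conf_text):
    return re.findall(r'zone\s+"([^"]+)"', conf_text)

def lint_zone(zone_text, zone_name):
    """Findings for a zone file that is meant to be served for a public (external) domain."""
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";")[0].strip()          # drop zone-file comments
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            if fields[1].rstrip(".") != zone_name.rstrip("."):
                findings.append(f"$ORIGIN {fields[1]} does not match zone {zone_name}")
            continue
        if len(fields) < 4 or fields[1] != "IN":
            continue                              # $TTL and other non-record lines
        owner, rtype, rdata = fields[0], fields[2], fields[3]
        if owner == "*":
            findings.append(f"wildcard {rtype} record: {line}")
        if rtype == "A" and ipaddress.ip_address(rdata).is_private:
            findings.append(f"RFC1918 address in a public zone: {owner} -> {rdata}")
    return findings

def lint_options(options_text):
    """Flag signs of recursive/forwarding service on an authoritative server."""
    findings = []
    if re.search(r"\bforwarders\s*\{", options_text):
        findings.append("forwarders set: recursive and authoritative roles mixed on one server")
    if not re.search(r"\brecursion\s+no\s*;", options_text):
        findings.append("recursion not explicitly disabled (BIND's default is recursion yes)")
    return findings
```

Run it as `for name in zone_names(NAMED_CONF_LOCAL): print(lint_zone(ZONE_FILE, name), lint_options(NAMED_CONF_OPTIONS))`; named-checkconf and named-checkzone remain the authoritative syntax checks, this only catches the design issues discussed here.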
