
Symptom:

Request: what is the best configuration for a caching-only DNS server (BIND)?

Problem:

There is no "one size fits all" preferred configuration for any DNS server, including a caching-only nameserver.

The configuration depends on the version of the BIND nameserver that is used, and on whether there are any local zones that need to be configured using stub zones or forwarding zones.

As a general rule for a caching DNS Server:
  • no authoritative zones except empty zones to block local traffic (the exact names and number of these zones depend on the version of BIND, as newer versions block RFC 1918 reverse zones by default, and on the use of any "local" domain space in your organization, such as ".local" for DNS-SD/Avahi/Bonjour/mDNS)
  • stub zones or forward zones to redirect traffic for any local authoritative zones that are not delegated from the Internet root down
  • restrict recursion to a list of internal networks
  • configuration of DNSSEC trust anchors and DLV (DNSSEC Lookaside validation)
  • disable notify and zone transfers (not needed on a caching nameserver)
Below is an example template named.conf for a caching-only DNS server, based on Rob Thomas' Secure BIND template ( http://www.cymru.com/Documents/secure-bind-template.html ). This file must be customized for your environment. The template assumes a recent BIND nameserver, BIND 9.6.0 or newer.

 

Solution

acl "xfer" {
    // Hosts allowed to pull zone transfers. Nobody, for now: a caching-only
    // server has no zones worth transferring. Should this server ever get
    // secondaries, list them here instead of widening allow-transfer.
    none;
};

acl "trusted" {
    // Internal and DMZ subnets whose clients may send queries. The
    // allow-query, allow-query-cache and match-clients statements below all
    // refer to this ACL, so it is the one place that keeps outside hosts
    // from using this server as an open resolver.
    // 192.0.2.0/24 is a placeholder (RFC 5737 documentation range);
    // replace it with your own networks.
    192.0.2.0/24;
    localhost;
};


trusted-keys {
  // Trusted key for the ISC DLV (DNSSEC Lookaside Validation) service,
  // referenced by "dnssec-lookaside" in options below.
  // This key needs to be reviewed for BIND 9.7 and up.
  // NOTE(review): ISC has since decommissioned the DLV registry; on current
  // BIND releases drop this key together with the dnssec-lookaside option
  // and validate from the root trust anchor instead.
 dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+ju
 oZrW3euWEn4MxDCE1+lLy2brhQv5rN32RKtMzX6Mj70jdzeND4XknW58
 dnJNPCxn8+jAGl2FZLK8t+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0
 PG73Te9fZ2kJb56dhgMde5ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTw
 FlgPe+jnGxPPEmHAte/URkY62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOw
 IeU/Rw/mRx/vwwMCTgNboMQKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZ
 fSav/4NWLKjHzpT59k/VStTDN0YUuWrBNh";
};

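logging {
    // Main log file: notice and above, rotated at 200 MB, ten generations kept.
    channel mmsuite_log { file "/var/named/mmsuite.log" size 200M versions 10; severity notice; print-category yes; print-severity yes; print-time yes; };
    // Copy at info and above to the local syslog daemon facility, so a
    // central log host still has the events if the local file is lost.
    channel mmsuite_syslog { syslog daemon; severity info; print-category yes; print-severity yes; print-time yes; };
    // Separate, very verbose (debug level 3) DNSSEC validation log. It grows
    // quickly on a busy resolver, hence its own file; size unit normalised to
    // the same "200M" spelling as the other channel.
    channel dnssec_log { file "/var/named/dnssec.log" size 200M versions 10; print-time yes; print-category yes; print-severity yes; severity debug 3; };

    // DNSSEC messages go to both the dedicated log and the main log. The
    // original declared this category twice, once per channel; one statement
    // makes the routing visible in a single place.
    category dnssec { dnssec_log; mmsuite_log; };
    category client { mmsuite_log; };
    category config { mmsuite_log; };
    category database { mmsuite_log; };
    // Anything not listed explicitly.
    category default { mmsuite_log; mmsuite_syslog; };
    category dispatch { null; };
    category general { mmsuite_log; };
    // Lame-server and network noise is discarded on purpose.
    category lame-servers { null; };
    category network { null; };
    category notify { mmsuite_log; };
    // Query logging is off (high volume). For an investigation it can be
    // toggled at runtime with "rndc querylog" without editing this file.
    category queries { null; };
    category resolver { mmsuite_log; };
    // Approval/denial of requests; worth keeping for access-control audits.
    category security { mmsuite_log; };
    category unmatched { null; };
    category update { mmsuite_log; };
    category update-security { mmsuite_log; mmsuite_syslog; };
    category xfer-in { mmsuite_log; };
    category xfer-out { mmsuite_log; };
};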

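// Set options for security
options {
    directory "/var/named";
    pid-file "/var/named/named.pid";
    statistics-file "/var/named/named.stats";
    memstatistics-file "/var/named/named.memstats";
    dump-file "/var/adm/named.dump";
    zone-statistics yes;

    // Enable DNSSEC validation of the answers this resolver caches.
    dnssec-enable yes;      // All BIND 9 versions
    dnssec-validation yes;  // BIND 9.4.3-P2 and later
    // NOTE(review): no root (".") trust anchor is configured in trusted-keys;
    // validation therefore appears to depend entirely on DLV below. Add a root
    // trust anchor (or use "dnssec-validation auto" on BIND 9.7 and later) so
    // validation does not rely on the lookaside registry.

    // DNSSEC Lookaside Validation, keyed by the dlv.isc.org. entry in
    // trusted-keys above.
    // NOTE(review): ISC has since shut down the DLV registry; remove this
    // line (and the DLV key) on current BIND releases.
    dnssec-lookaside . trust-anchor dlv.isc.org.;

    // Recursion only for the "trusted" ACL. The internal-in view already
    // limits it through match-clients; stating it here as well keeps the
    // restriction in force even if a view is added or edited later, and
    // matches the allow-query-cache setting below.
    allow-recursion { trusted; };

    // Do not send NOTIFY messages. A caching-only server has no secondaries
    // to notify, and suppressing them removes one way of provoking bogus
    // zone transfer requests. (On an authoritative server this would mean
    // slaves only learn of updates at their poll interval.)
    notify no;

    // Generate more efficient zone transfers: several DNS records per DNS
    // message instead of one per message.
    transfer-format many-answers;

    // Any zone transfer that takes longer than 60 minutes is unlikely to
    // ever complete. WARNING: adjust this if you have very large zone files.
    max-transfer-time-in 60;

    // We have no dynamic interfaces, so BIND shouldn't need to
    // poll for interface state {UP|DOWN}.
    interface-interval 0;

    allow-transfer {
        // Zone transfers limited to members of the "xfer" ACL (currently
        // nobody).
        xfer;
    };

    allow-query {
        // Accept queries from our "trusted" ACL only. Individual zones below
        // may open themselves up with their own allow-query. This keeps us
        // from becoming a free DNS server to the masses.
        trusted;
    };

    allow-query-cache {
        // Cached data is likewise served only to the "trusted" ACL.
        trusted;
    };
};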


view "internal-in" in {
    // Internal (trusted) view: clients on the "trusted" networks get
    // recursion and answers from the cache. Clients outside that ACL
    // match no IN-class view at all.

    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    zone "0.0.127.in-addr.arpa" in {
        // Reverse zone for 127/8. Every nameserver, primary or secondary,
        // is a master for this zone: queries are open, transfers are not.
        // NOTE(review): master/db.127.0.0 is not part of this page and
        // has to be supplied separately.
        type master;
        file "master/db.127.0.0";

        allow-query {
            any;
        };

        allow-transfer {
            none;
        };
    };

    zone "internal.ournetwork.com" in {
        // Internal forward (A record) zone -- there may be several.
        // This is a caching-only server, so queries are forwarded to the
        // authoritative servers rather than served from a local copy.
        type forward;
        forward only;
        forwarders { 192.0.2.10; 192.0.2.100; };
    };

    zone "7.7.7.in-addr.arpa" in {
        // Internal reverse (PTR) zone -- again, there may be several;
        // forwarded to the authoritative servers like the zone above.
        type forward;
        forward only;
        forwarders { 192.0.2.10; 192.0.2.100; };
    };

    zone "local" in {
        // Deliberately empty zone: answers for names that exist only
        // locally, so they are not leaked to the Internet. Which names
        // need such a zone is found by watching the traffic with DNS
        // monitoring tools (Men & Mice Traffic Monitor, dnstop, tcpdump).
        type master;
        file "hosts/masters/empty-zone.hosts";
    };
}; // end of view
   
   // View for clients querying the CHAOS class. Internal hosts may ask
   // for our (substitute) version string, which is handy for support.
   view "external-chaos" chaos {
       match-clients { any; };
       recursion no;

       zone "." {
           type hint;
           file "/dev/null";
       };

       zone "bind" {
           type master;
           file "hosts/masters/db.bind";

           allow-query {
               trusted;
           };
           allow-transfer {
               none;
           };
       };
   };
   
   -------- (empty-zone.hosts) --------------
   
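   ;; Special "empty" zone file used to stop local traffic on caching nameservers
;; from leaking into the Internet.
;; Adjust the hostnames to your environment and keep the trailing dots: a
;; name without one is relative to the zone origin (here "local") and would
;; silently expand to e.g. hostname.of.master.nameserver.local.

$TTL 86400
@ IN SOA  hostname.of.master.nameserver. hostmaster.example.com. 2010011501 30d 1d 40w 8h
@   IN NS  hostname.of.master.nameserver.
@   IN NS  hostname.of.secondary.nameserver.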
   
   -------- (db.bind) --------------
   
   ; CHAOS-class "bind" zone served from the "external-chaos" view. The TXT
   ; records below are returned for version.bind / authors.bind in place of
   ; BIND's built-in answers, so the real software version is not disclosed.
   $TTL    1D 
   $ORIGIN bind. 
   @       1D      CHAOS   SOA     localhost. root.localhost. ( 
                   2010012001      ; serial 
                   3H              ; refresh 
                   1H              ; retry 
                   1W              ; expiry 
                   1D )            ; minimum 
           CHAOS NS        localhost. 
   
   version.bind.   CHAOS  TXT "a DNS Server Version 1" 
   authors.bind.   CHAOS  TXT "are better coders than I. :)"