Bind 보안

named.conf 보안설정

logging 설정시 Bind버전에 따라 제공되는 옵셥값들이 다릅니다.

일부버전(BIND 9.2.4 등)은  없는 옵션이 있을때 오류가 생겨 데몬이 안뜨니 주의하세요!!

logging때문에 데몬이 안뜰시 logging관련 옵션에러 나오는것을 삭제하고 데몬을 띠워주시면됩니다.

BIND 9.3.4-P1 은 데몬은 잘뜸.  특정로그는 버전에 따라 틀려 로그가 남지 않습니다.  ignore됨

 

1. named.conf 설정예제 - logging부분은 필요시만 설정하세요

 

[@ns2 etc]$ more named.conf

// Set up our ACLs

acl "xfer" {

        none;   // Allow no transfers. If we have other

                        // name servers, place them here.

};

acl "trusted" {

        200.1.1.0/24;

        192.168.0.0/24;

        127.0.0.1;

};

 

options {

    directory "/var/named";

 //   pid-file "/var/named/named.pid";

//    statistics-file "/var/named/named.stats";

//    memstatistics-file "/var/named/named.memstats";

    //dump-file "/var/named/named.dump";

    version "No!!";

 

// query-source address * port 53;

    // Prevent DoS attacks by generating bogus zone transfer

    // requests.  This will result in slower updates to the

    // slave servers (e.g. they will await the poll interval

    // before checking for updates).

    notify no;

 

    // Generate more efficient zone transfers.  This will place

    // multiple DNS records in a DNS message, instead of one per

    // DNS message.

    transfer-format many-answers;

 

    // Set the maximum zone transfer time to something more

    // reasonable.  In this case, we state that any zone transfer

    // that takes longer than 60 minutes is unlikely to ever

    // complete.  WARNING:  If you have very large zone files,

    // adjust this to fit your requirements.

    max-transfer-time-in 60;

 

    // We have no dynamic interfaces, so BIND shouldn't need to

    // poll for interface state {UP|DOWN}.

    interface-interval 0;

 

    allow-transfer {

        // Zone tranfers limited to members of the

        // "xfer" ACL.

        xfer;

    };

 

    allow-query {

        // Accept queries from our "trusted" ACL.  We will

        // allow anyone to query our master zones below.

        // This prevents us from becoming a free DNS server

        // to the masses.

        //trusted;     // trusted 설정시 반드시 모든 도메인에 allow-query { any; }; 설정필요

        any;

    };

 

blackhole {

        // Deny anything from the bogon networks as   detailed in the "bogon" ACL.

    //    bogon;

        203.237.102.12;

    };

};

 

logging {

    channel "__default_syslog" {

        // Send most of the named messages to syslog.

        syslog local2;  // ( kern | user | mail | daemon | auth |

                        // syslog | lpr | new | uucp | cron |

                        // authpriv | ftp | local0 | local1 |

                        // local2 | local3 | local4 | local5 |

                        // local6 | local7 )

        severity debug; // ( critical | error | warning | notice |

                        // info | debug [ level ] | dynamic )

    };

 

 

        //

        // log channel list

        //

 

    channel ch_default_log {

        file "/var/named/log/ch_default.log";

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_config_log {

        file "/var/named/log/ch_config.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_parser_log {

        file "/var/named/log/ch_parser.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_queries_log {

        file "/var/named/log/ch_queries.log"  versions 5 size 30m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_lame-servers_log {

        file "/var/named/log/ch_lame-servers.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_statistics_log {

        file "/var/named/log/ch_statistics.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_panic_log {

        file "/var/named/log/ch_panic.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_update_log {

        file "/var/named/log/ch_update.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_ncache_log {

        file "/var/named/log/ch_ncache.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_xfer-in_log {

        file "/var/named/log/ch_xfer-in.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_xfer-out_log {

        file "/var/named/log/ch_xfer-out.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_db_log {

        file "/var/named/log/ch_db.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_eventlib_log {

        file "/var/named/log/ch_eventlib.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_packet_log {

        file "/var/named/log/ch_packet.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_notify_log {

        file "/var/named/log/ch_notify.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_cname_log {

        file "/var/named/log/ch_cname.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_security_log {

        file "/var/named/log/ch_security.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_os_log {

        file "/var/named/log/ch_os.log"  versions 3 size 20m;

        severity debug;
         print-category yes;

         print-severity yes;

         print-time yes;

     };

 

    channel ch_insist_log {
         file "/var/named/log/ch_insist.log"  versions 3 size 20m;

         severity debug;

         print-category yes;

         print-severity yes;

         print-time yes;

     };

 

    channel ch_maintenance_log {
         file "/var/named/log/ch_maintenance.log"  versions 3 size 20m;

         severity debug;

         print-category yes;

         print-severity yes;

         print-time yes;

     };

 

    channel ch_load_log {
         file "/var/named/log/ch_load.log"  versions 3 size 20m;

         severity debug;

         print-category yes;

         print-severity yes;

         print-time yes;

     };

 

    channel ch_response-checks_log {
         file "/var/named/log/ch_response-checks.log"  versions 3 size 20m;

         severity debug;

         print-category yes;

         print-severity yes;

         print-time yes;

     };

 

     category default { ch_default_log; };

     category config { ch_config_log; };

     category parser { ch_parser_log; };

     category queries { ch_queries_log; };

     category lame-servers { ch_lame-servers_log; };

     category statistics { ch_statistics_log; };

     category panic { ch_panic_log; };

     category update { ch_update_log; };

     category ncache { ch_ncache_log; };

     category xfer-in { ch_xfer-in_log; };

     category xfer-out { ch_xfer-out_log; };

     category db { ch_db_log; };

     category eventlib { ch_eventlib_log; };

     category packet { ch_packet_log; };

     category notify { ch_notify_log; };

     category cname { ch_cname_log; };

     category security { ch_security_log; };

     category os { ch_os_log; };

     category insist { ch_insist_log; };

     category maintenance { ch_maintenance_log; };

     category response-checks { ch_response-checks_log; };

     category load { ch_load_log; };

 };

 

 

// a caching only nameserver config
 

zone "." {
 

     type hint;
 

     file "master/db.cache";
 

};
 

 

zone "0.0.127.in-addr.arpa" IN {
 

     type master;
 

     file "master/db.127.0.0";
 

};
 

zone "175.103.210.in-addr.arpa" {
 

        type slave;
 

        file "slave/db.210.103.175";
 

      // isp에서 transfer 할 수 있도록 해야 함.
 

        // 이 클래스에 대한 위임은 isp까지만 되어 있다.
 

        allow-transfer { 203.255.112.34; 203.255.112.4; 200.1.1.1; };
 

        notify yes;
 

};
 

 

2.  dns로그 남기는 디렉토리 추가하기

 

# cd /var/named/chroot/var/named
# mkdir log
#  chown named.named log

 

 

# service named restart

 

 

 

로컬 호스트
 

[root@ps2 root# chkconfig --list | grep nscd
 

nscd            0:해제  1:해제  2:해제  3:해제  4:해제  5:해제  6:해제
 

 

 

3.  Centos 5.3  에  BIND 9.6.1-P1에서의 가능한  logging  설정예

 


logging {

    channel "__default_syslog" {

        // Send most of the named messages to syslog.

        syslog local2;  // ( kern | user | mail | daemon | auth |

                        // syslog | lpr | new | uucp | cron |

                        // authpriv | ftp | local0 | local1 |

                        // local2 | local3 | local4 | local5 |

                        // local6 | local7 )

        severity debug; // ( critical | error | warning | notice |

                        // info | debug [ level ] | dynamic )

    };

 

 

        //

        // log channel list

        //

 

    channel ch_default_log {

        file "/var/named/log/ch_default.log";

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_config_log {

        file "/var/named/log/ch_config.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

 

    channel ch_queries_log {

        file "/var/named/log/ch_queries.log"  versions 5 size 30m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_lame-servers_log {

        file "/var/named/log/ch_lame-servers.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_statistics_log {

        file "/var/named/log/ch_statistics.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };


    channel ch_update_log {

        file "/var/named/log/ch_update.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };


    channel ch_xfer-in_log {

        file "/var/named/log/ch_xfer-in.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

    channel ch_xfer-out_log {

        file "/var/named/log/ch_xfer-out.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };


    channel ch_notify_log {

        file "/var/named/log/ch_notify.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };


    channel ch_security_log {

        file "/var/named/log/ch_security.log"  versions 3 size 20m;

        severity debug;

        print-category yes;

        print-severity yes;

        print-time yes;

    };

 
     category default { ch_default_log; };

     category config { ch_config_log; };

     category queries { ch_queries_log; };

     category lame-servers { ch_lame-servers_log; };

     category update { ch_update_log; };

     category xfer-in { ch_xfer-in_log; };

     category xfer-out { ch_xfer-out_log; };

     category notify { ch_notify_log; };

     category security { ch_security_log; };

 };