BIND is an acronym for the Berkeley Internet Name Domain. It is an implementation of the Domain Name Service (DNS). If you don't have BIND 8.1.2 or later, upgrade now. Earlier releases of the 8.x series and releases before 4.9.7 have a serious security problem (CA-98.05).
BIND 8 gives the system administrator much more control than 4.x did. One valuable new feature is the ability to restrict zone transfers. Many of the new attack scripts will perform a zone transfer prior to probing your network. While host information can be learned through other means, restricting the zone transfer is another ounce of prevention.
Add an allow-transfer stanza to the options section of /etc/named.conf. Allow-transfer takes a list of IP addresses as its argument. This is what it may look like:

    options {
        directory "/usr/local/named";   // directory for zone files
        allow-transfer {
            127.0.0.1;                  // localhost
            10.0.0.2;                   // secondary DNS server for my zone
        };
    };

This example allows zone transfers from localhost and 10.0.0.2. All other requests are denied. If no hosts should be doing a zone transfer, use the predefined value none (allow-transfer { none; };).
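The following script is an added example and is not part of the original article or of BIND itself. It audits the global allow-transfer policy in a named.conf fragment the way a defender would before and after applying the stanza above: a missing stanza (or the value any) means every client may pull the zone, none closes it, and an explicit list is parsed into addresses. The configuration text embedded below is constructed from the article's example; the helper names and the status labels are this example's own.

```python
import ipaddress
import re

# Constructed sample named.conf fragment (not taken from any real host); it
# reproduces the allow-transfer stanza from the article. Replace it with the
# contents of the real /etc/named.conf to audit that file instead.
SAMPLE_NAMED_CONF = """
options {
    directory "/usr/local/named";   // directory for zone files
    allow-transfer {
        127.0.0.1;                  // localhost
        10.0.0.2;                   // secondary DNS server for my zone
    };
};
"""


def strip_comments(text):
    """Remove the comment forms BIND 8 accepts: /* */, // and # to end of line."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def extract_options_block(text):
    """Return the body of the first options { ... } block, honouring nested braces."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None  # unbalanced braces: treat as no usable options block


def audit_allow_transfer(conf_text):
    """Classify the global allow-transfer policy of a named.conf text.

    Returns (status, entries):
      "open"       - no allow-transfer stanza, or it contains "any": every
                     client may request a zone transfer
      "closed"     - allow-transfer { none; }
      "restricted" - explicit list; entries holds the addresses (as CIDR
                     networks) and any named ACLs
      "invalid"    - an entry is neither an address/network nor an ACL name
    """
    body = extract_options_block(strip_comments(conf_text))
    if body is None:
        return ("open", [])
    m = re.search(r"\ballow-transfer\s*\{([^}]*)\}\s*;", body)
    if not m:
        return ("open", [])
    entries = [e.strip() for e in m.group(1).split(";") if e.strip()]
    if "any" in entries:
        return ("open", [])
    if entries == ["none"]:
        return ("closed", [])
    parsed = []
    for entry in entries:
        try:
            # Bare addresses become /32 (or /128) networks; CIDR is kept as given.
            parsed.append(str(ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_-]*", entry):
                parsed.append(entry)  # named ACL such as localhost or localnets
            else:
                return ("invalid", [entry])
    return ("restricted", parsed)


if __name__ == "__main__":
    status, entries = audit_allow_transfer(SAMPLE_NAMED_CONF)
    print("allow-transfer policy:", status, entries)
```

Run it against the real file with `audit_allow_transfer(open("/etc/named.conf").read())`; anything other than "closed" or a "restricted" list containing only the secondaries you expect deserves a second look. The check covers only the options section; a per-zone allow-transfer stanza overrides the global one and would need the same treatment inside each zone block.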
Log files for named, like any other service, are useful in determining if BIND is operating properly. I find the logs become more meaningful when you turn off cname and lame-server warnings. This can be done in the logging section of /etc/named.conf.
    logging {
        category lame-servers { null; };
        category cname        { null; };
    };

It's a good habit to tail the log file after sending named a HUP signal, so that any error in the new configuration is caught immediately.
You can test the restriction by initiating a zone transfer with nslookup's ls command, which takes a domain as an argument. From a host that is not in the allow-transfer list, the request should be refused:

    foreign_host$ nslookup
    Default Server:  localhost
    Address:  0.0.0.0

    > ls x.y.z
    [localhost]
    *** Can't list domain x.y.z: Query refused
More information can be found at the BIND homepage.