Configuring a Caching-Only Name Server

7.7.1 Problem

You want to configure a caching-only name server.

7.7.2 Solution

Configure the name server with a root hints file (or, if you run BIND 9, use the built-in root hints) and restrict the queries it handles to the addresses of authorized resolvers using the allow-query options substatement. For example:

acl internal { 192.168.0/24; };

options {
    directory "/var/named";
    allow-query { internal; };
};

// The root hints are compiled into a BIND 9 name server, so this zone
// statement is optional on those name servers
zone "." {
    type hint;
    file "db.cache";
};
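The allow-query restriction is what keeps this name server from becoming an open resolver, so it is worth being able to check, before reloading, exactly which clients a given address match list admits. The following Python script is an added example and not part of the cookbook or of BIND itself: it expands BIND's shorthand prefix notation (the recipe's 192.168.0/24 means 192.168.0.0/24), evaluates an address match list with BIND's first-match-wins and "!" negation rules, and renders the recipe's named.conf from an ACL table. It assumes only the built-in elements any and none plus named ACLs; localhost, localnets and TSIG key names are deliberately not modelled.

```python
import ipaddress

# Constructed example: the recipe's "internal" ACL, one /24 of authorized resolvers.
ACLS = {"internal": ["192.168.0/24"]}


def expand_prefix(entry):
    """Turn a BIND address-match element into an ip_network object.

    BIND lets you drop trailing zero octets of an IPv4 prefix, so the
    recipe's "192.168.0/24" means 192.168.0.0/24 and "10/8" means
    10.0.0.0/8.  A bare address with no prefix length is a single host.
    """
    addr, _, plen = entry.partition("/")
    if ":" not in addr:  # IPv4: pad missing trailing octets with zeros
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))
        addr = ".".join(octets)
    if not plen:
        plen = "128" if ":" in addr else "32"
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def matches(client, match_list, acls=ACLS):
    """Evaluate an address_match_list the way BIND does.

    Elements are tried in order and the first match wins; a leading "!"
    negates the element; a client that matches no element is not matched,
    which for allow-query means the query is refused.  A negated element
    that matches inside a nested ACL makes the nested element fail to match,
    so evaluation continues in the outer list.
    """
    ip = ipaddress.ip_address(client)
    for element in match_list:
        negate = element.startswith("!")
        element = element.lstrip("!").strip()
        if element == "any":
            hit = True
        elif element == "none":
            hit = False
        elif element in acls:  # reference to a named ACL (assumed table above)
            hit = matches(client, acls[element], acls)
        else:
            hit = ip in expand_prefix(element)
        if hit:
            return not negate
    return False


def render_named_conf(acls=ACLS, bind9=True):
    """Write out the recipe's named.conf from an ACL table.

    With bind9=True the hint zone is omitted, because BIND 9 compiles in
    the root hints; pass bind9=False to emit the zone "." hint statement.
    """
    out = []
    for name, elements in acls.items():
        out.append("acl %s { %s };" % (name, " ".join(e + ";" for e in elements)))
    out += [
        "",
        "options {",
        '    directory "/var/named";',
        "    allow-query { %s; };" % "; ".join(acls),
        "};",
    ]
    if not bind9:
        out += ["", 'zone "." {', "    type hint;", '    file "db.cache";', "};"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_named_conf(bind9=False))
    # Constructed sample clients: one inside the internal /24, one outside it.
    for client in ("192.168.0.10", "203.0.113.9"):
        verdict = "allowed" if matches(client, ["internal"]) else "refused"
        print(f"query from {client}: {verdict}")
```

The same evaluation applies to allow-recursion and allow-query-cache in BIND 9, so once the list is right for allow-query the script can be reused to confirm that those lists do not quietly re-open recursion to the world.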

7.7.3 Discussion

You may want to set up a caching-only name server as authoritative for some internal zones, so that you can ensure that data in those zones is reliable. In this configuration, the name server will ignore records from your internal zones in answers from remote name servers, making it hard for a hacker to spoof data in those zones.

Since a caching-only name server's main function is to query other name servers and cache the results, follow the instructions in Section 7.15 to protect against spoofing.

7.7.4 See Also

Section 7.15 for instructions on protecting a name server from spoofing.
