[deployment-guide/comm-rel: 438/727] Updated the Common Mistakes to Avoid section.

Jaromir Hradilek jhradile at fedoraproject.org
Tue Oct 19 13:01:40 UTC 2010


commit 072f1c79badaa8f74efd8953d526c200efa98333
Author: Jaromir Hradilek <jhradile at redhat.com>
Date:   Thu Aug 19 17:28:47 2010 +0200

    Updated the Common Mistakes to Avoid section.

 en-US/The_BIND_DNS_Server.xml |   85 ++++++++++++++++++-----------------------
 1 files changed, 37 insertions(+), 48 deletions(-)
---
diff --git a/en-US/The_BIND_DNS_Server.xml b/en-US/The_BIND_DNS_Server.xml
index 75db5eb..0936c33 100644
--- a/en-US/The_BIND_DNS_Server.xml
+++ b/en-US/The_BIND_DNS_Server.xml
@@ -1987,59 +1987,48 @@ ns.icann.org.           12884   IN      A       192.0.34.126
       <secondary>common mistakes</secondary>
     </indexterm>
     <para>
-      It is very common for beginners to make mistakes when editing BIND configuration files. Be sure to avoid the following issues:
+      The following is a list of advices how to avoid common mistakes users make when configuring a nameserver:
     </para>
-    <itemizedlist>
-      <listitem>
-        <para>
-          <emphasis>Take care to increment the serial number when editing a zone file.</emphasis>
-        </para>
-        <para>
-          If the serial number is not incremented, the master nameserver has the correct, new information, but the slave nameservers are never notified of the change and do not attempt to refresh their data of that zone.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <emphasis>Be careful to use ellipses and semi-colons correctly in the <filename>/etc/named.conf</filename> file.</emphasis>
-        </para>
-        <para>
-          An omitted semi-colon or unclosed ellipse section can cause <command>named</command> to refuse to start.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          <emphasis>Remember to place periods (<command>.</command>) in zone files after all FQDNs and omit them on hostnames.</emphasis>
-        </para>
-        <para>
-          A period at the end of a domain name denotes a fully qualified domain name. If the period is omitted, then <command>named</command> appends the name of the zone or the <command>$ORIGIN</command> value to complete it.
-        </para>
-      </listitem>
-      <listitem>
-        <para>
-          If a firewall is blocking connections from the <command>named</command> daemon to other nameservers, the recommended best practice is to change the firewall settings whenever possible.
-        </para>
-              <!-- RHEL5: silas: fix (BZ#455374); thoger:
-          Further research in DNS security showed that using fixed source UDP port for DNS queries is a security threat allowing attacker to conduct cache poisoning attacks. Because of that, bind name server was updated via RHSA-2008:0533 [1] to use new randomly selected source port for each DNS query, not only during daemon startup. Advice above can make DNS resolving work through firewalls configured in such restrictive way, but it puts your DNS resolving at risk. You should not configure named to use static source port, rather firewall configuration need to be changed to allow queries from random UDP source port.-->
-        <warning id="warning-Warning-Avoid_Using_Fixed_UDP_Source_Ports">
-          <title>Warning: Avoid Using Fixed UDP Source Ports</title>
+    <variablelist>
+      <varlistentry>
+        <term>Use semicolons and curly brackets correctly</term>
+        <listitem>
+          <para>
+            An omitted semicolon or unmatched curly bracket in the <filename>/etc/named.conf</filename> file can prevent the <systemitem class="service">named</systemitem> service from starting.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>Use period (that is, the <literal>.</literal> character) correctly</term>
+        <listitem>
+          <para>
+            In zone files, a period at the end of a domain name denotes a fully qualified domain name. If omitted, the <systemitem class="service">named</systemitem> service will append the name of the zone or the value of <option>$ORIGIN</option> to complete it.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>Increment the serial number when editing a zone file</term>
+        <listitem>
           <para>
-            Recent research in DNS security has shown that using a fixed UDP source port for DNS queries is a potential security vulnerability that could allow an attacker to more easily conduct cache-poisoning attacks
+            If the serial number is not incremented, the primary nameserver will have the correct, new information, but the secondary nameservers will never be notified of the change, and will not attempt to refresh their data of that zone.
           </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>Configure the firewall</term>
+        <listitem>
           <para>
-            DNS resolving is at risk whenever <application>named</application> is configured to use a static UDP source port. To avoid this risk, configure your firewall to allow queries from a random UDP source port.
+            If a firewall is blocking connections from the <systemitem class="service">named</systemitem> service to other nameservers, the recommended best practice is to change the firewall settings whenever possible.
           </para>
-        </warning>
-          <!--<para>By default, BIND version 9 uses random ports above 1024 to query other nameservers. Some firewalls, however, expect all nameservers to communicate using only port 53. To force <command
-              moreinfo="none">named</command> to use port 53, add the following
-          line to the <command
-              moreinfo="none">options</command> statement of <filename
-              moreinfo="none">/etc/named.conf</filename>:</para>
-          <screen>
-<command
-              moreinfo="none">query-source address * port 53;</command>
-          </screen>-->
-      </listitem>
-    </itemizedlist>
+          <warning id="warning-Warning-Avoid_Using_Fixed_UDP_Source_Ports">
+            <title>Warning: Avoid Using Fixed UDP Source Ports</title>
+            <para>
+              According to the recent research in DNS security, using a fixed UDP source port for DNS queries is a potential security vulnerability that could allow an attacker to conduct cache-poisoning attacks more easily. To prevent this, configure your firewall to allow queries from a random UDP source port.
+            </para>
+          </warning>
+        </listitem>
+      </varlistentry>
+    </variablelist>
   </section>
   <section id="s1-bind-additional-resources">
     <title>Additional Resources</title>
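Review bot: The rewritten warning under `<warning id="warning-Warning-Avoid_Using_Fixed_UDP_Source_Ports">` drops the explicit instruction that `named` itself must not be pinned to a fixed source port; the new `<para>` only tells the reader to open the firewall. The removed sentence "DNS resolving is at risk whenever named is configured to use a static UDP source port" and the deleted `thoger` comment both make the point that the remedy is on the firewall side and never a `query-source address * port 53;` line in `/etc/named.conf`, so the new paragraph should keep that half of the advice, for example: "Do not configure the named service to use a static UDP source port (for example, with the query-source option); instead, configure your firewall to allow queries from a random UDP source port." Two wording points in the same hunk: "a list of advices how to avoid" should read "a list of advice on how to avoid" (advice is uncountable), and "According to the recent research in DNS security" reads better as "According to recent research in DNS security". Finally, the new "Use period" entry lost the original's concrete rule, "place periods after all FQDNs and omit them on hostnames"; consider restoring it as the first sentence of that entry, since the remaining text only describes what happens when the period is missing.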


More information about the docs-commits mailing list