Epistolary

BIND
options {

        version "mmm... gerbils!";
        allow-transfer {
                127.0.0.1;          ## localhost
                xxx.xxx.xxx.xxx;    ## your local IP.
                xxx.xxx.xxx.xxx;    ## other authorised secondary server
                xxx.xxx.xxx.xxx;    ## another authorised secondary server
        };
        notify yes;
};

The version line hides the real version of named you're running from whoever does a 'dig @yourserver chaos txt version.bind' query against your server; they get the string you chose instead. This will help keep any port 53 scanners at bay if a remotely exploitable hole is ever discovered in named in the future.

The allow-transfer list defines which IP addresses can pull a full zone from you. Normally you would want only the secondary servers for your zones to do this, so arbitrary hosts on the net can't see the full contents of your zones. It is a good security feature for keeping people from seeing hosts that you may not want them to know about.

It will also turn on the nifty notify feature of named, so any nameservers listed in the NS records of your zones get a "Hey, this zone has been changed" message from your server, letting the secondaries pick up the new zone data sooner.
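As an added example that is not part of the original post, here is a small checker that reads an options block like the one above and flags the three things the post cares about: a missing version override, an allow-transfer list that is absent or contains 'any', and notify not being switched on. The sample configs are constructed; the placeholder xxx addresses are replaced with documentation addresses from 192.0.2.0/24.

```python
import re

# Constructed sample: the post's options block with placeholder IPs swapped for
# RFC 5737 documentation addresses (assumed values, not the author's).
HARDENED = """
options {
        version "mmm... gerbils!";
        allow-transfer {
                127.0.0.1;          ## localhost
                192.0.2.10;         ## local IP (assumed)
                192.0.2.20;         ## authorised secondary (assumed)
        };
        notify yes;
};
"""

# Constructed weak counterpart: real version disclosed, transfers open to all, no notify.
WEAK = """
options {
        allow-transfer { any; };
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments so values inside comments are not parsed."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def parse_options(text):
    """Return the three settings the post discusses; None means not set."""
    body_match = re.search(r"options\s*\{(.*)\}\s*;", strip_comments(text), flags=re.S)
    body = body_match.group(1) if body_match else ""
    version = re.search(r'\bversion\s+"([^"]*)"\s*;', body)
    notify = re.search(r"\bnotify\s+(yes|no|explicit)\s*;", body)
    xfer = re.search(r"\ballow-transfer\s*\{([^}]*)\}\s*;", body)
    acl = [e.strip() for e in xfer.group(1).split(";") if e.strip()] if xfer else None
    return {"version": version.group(1) if version else None,
            "notify": notify.group(1) if notify else None,
            "allow_transfer": acl}

def audit(text):
    """Findings a defender would raise for an options block; empty list means fine."""
    opts = parse_options(text)
    findings = []
    if opts["version"] is None:
        findings.append("version: real named version answers CH TXT version.bind queries")
    if opts["allow_transfer"] is None:
        findings.append("allow-transfer: not restricted, zone transfers use the server default")
    elif any(e.lower() == "any" for e in opts["allow_transfer"]):
        findings.append("allow-transfer: 'any' lets every host pull the full zone")
    if opts["notify"] != "yes":
        findings.append("notify: not switched on, secondaries are not told about changes")
    return findings
```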

Thanks to Dale Ghent for pointing all this out.



Unless noted, all content on epistolary.org is © Copyright 1999-2008 to Rob Carlson with all rights reserved. All information is verified when possible, cited as appropriate and applied in the real world at your own risk. Send all feedback to rob@vees.net.