DNS/Configuring BIND resolver

From EasyWebDNS

Configuring the BIND resolver

BIND, out of the box, resolves names for every computer that asks, provided that computer is on the same local subnet (BIND's default allow-recursion list is localnets and localhost).

By default, any host that can reach BIND on your local network can ask it questions. For example, if BIND runs on 192.168.0.21 behind a NAT home router, every computer on that network (each getting its private address from the router) can query it, but computers on the internet cannot, because the router does not forward port 53 to it.

If you put that server in the router's DMZ (or forward port 53 to it), BIND becomes reachable from the internet, and computers anywhere will be able to use it to resolve names as soon as you widen the access settings shown below, simply because in this case BIND is the entry point to your network.

If the machine is connected directly to the internet with a public IP address, the same applies: you can allow anyone to use it, and nothing but BIND's own access lists stands between it and every host on the internet.

So, to restate: BIND's resolver works right out of the box. Letting arbitrary hosts use it, however, is not safe. An open resolver answers queries with spoofed source addresses and returns responses much larger than the query, so attackers use such servers for DNS reflection/amplification attacks against third parties. On top of that, every stranger's query costs you bandwidth, memory and CPU (not much per query, but resolving does require resources).

So, to restrict who may use your resolver, tell BIND to resolve for a chosen set of hosts rather than for everyone.

On our installation (Debian Lenny) BIND's configuration is split across three files. Instead of the traditional single /etc/named.conf, the main file is /etc/bind/named.conf, and if you take a closer look at it you will find that it includes named.conf.options at the beginning and named.conf.local at the end, so the configuration is effectively in three parts.

To accept queries (that is, to listen to and resolve for) only from a set of hosts of your choice, add the following directives to the options block in /etc/bind/named.conf.options:

options {
  // tell named where to find the files mentioned below
  // (Debian's packaged default is "/var/cache/bind")
  directory "/var/named";
  // which adapters / IP addresses BIND listens on for DNS requests
  listen-on-v6 { any; };
  listen-on { any; };
  // who may query the resolver: one host plus one /24 subnet
  allow-query { 10.14.10.10; 10.14.11.0/24; };
};

The listen-on directive with the value any tells BIND to accept requests arriving on any network adapter and any IP address of the machine. You can instead put this machine's own IP address(es) here so that requests addressed to any other IP that happens to reach this server are ignored.

allow-query tells BIND who may query it. If you put a single machine's IP there, only that machine can use the resolver. In this example, requests from 10.14.10.10 and from any address in 10.14.11.0/24 are answered (a /24 covers the 256 addresses 10.14.11.0 through 10.14.11.255); you can add to that list whatever you wish. Note that recursion is governed by a separate allow-recursion directive; when it is not set, BIND falls back to the allow-query list, but it is clearer to set it explicitly to the same hosts.
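As an added illustration (not configuration from the original page), here is the options file in the shape that makes the server an open resolver, beside the restricted version. The addresses are assumptions: the server's own address is taken to be 10.14.10.1, and the allowed clients are the 10.14.10.10 host and the 10.14.11.0/24 subnet from the text. Use one block or the other, never both in the same file.

```conf
// ---- WEAK: /etc/bind/named.conf.options as an open resolver ----
// Listens on every address and recurses for anyone who can reach port 53.
// Behind a DMZ / port-forward this serves the whole internet and can be
// used for DNS reflection/amplification against other people.
options {
    directory "/var/cache/bind";     // Debian packaged default
    listen-on { any; };
    listen-on-v6 { any; };
    allow-query { any; };
    allow-recursion { any; };
};

// ---- RESTRICTED: /etc/bind/named.conf.options for a private resolver ----
// Named ACL so the same host list is not repeated in every directive.
acl "trusted" {
    127.0.0.1;          // the server itself
    10.14.10.10;        // single trusted host (from the text)
    10.14.11.0/24;      // trusted subnet (from the text)
};

options {
    directory "/var/cache/bind";
    // Bind only the server's own addresses (assumed 10.14.10.1); requests
    // arriving on any other interface/address are ignored.
    listen-on { 127.0.0.1; 10.14.10.1; };
    listen-on-v6 { ::1; };
    // Answer queries, recurse, and serve cached data only for the ACL.
    // allow-recursion is set explicitly rather than inherited from allow-query.
    allow-query { trusted; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    // A resolver-only server has no zones to hand out.
    allow-transfer { none; };
    // Do not advertise the BIND version to scanners.
    version "not disclosed";
};
```

After editing, run named-checkconf to catch syntax errors before reloading, then test from an allowed host and from one outside the list with dig @10.14.10.1 (assumed server address) example.com. The allowed host gets an answer; the other receives a response with status REFUSED, which is what BIND returns when allow-query denies the source.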

So, now that we have disallowed use by anyone outside our network, let us move on to other important things.
