Bind 9 Administrator Reference Manual
Chapter 7. BIND 9 Security Considerations
7.1. Access Control Lists
Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in
allow-notify, allow-query, allow-recursion, blackhole, allow-transfer, etc.
Using ACLs gives you finer control over who can access your nameserver, without cluttering up your
config files with huge lists of IP addresses.
It is a good idea to use ACLs to control access to your server. Limiting access to your server by
outside parties can help prevent spoofing and denial-of-service (DoS) attacks against it.
Here is an example of how to properly apply ACLs:
// Set up an ACL named "bogusnets" that will block RFC 1918 space and other
// address ranges that should never appear as query sources, which are
// commonly used in spoofing attacks.
acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
                10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

// Set up an ACL called "our-nets". Replace this with the real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };

options {
    ...
    // Only our own networks may query or recurse through this server.
    allow-query { our-nets; };
    allow-recursion { our-nets; };
    ...
    // Packets from bogus sources are dropped without any reply.
    blackhole { bogusnets; };
    ...
};

zone "example.com" {
    type master;
    file "m/example.com";
    // The zone-level allow-query overrides the global one: anyone may
    // query the authoritative data for example.com.
    allow-query { any; };
};
This allows recursive queries of the server from the outside unless recursion has been previously
disabled.
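As an added illustration (not part of the ARM, and not BIND's own code), the following Python evaluates a client address against lists shaped like the ones above the way named does: elements are tested in order, the first match decides, a leading "!" negates an element, a list that matches nothing denies, and a zone-level allow-query overrides the one under options. The our-nets values are constructed placeholders standing in for x.x.x.x.

```python
"""Evaluate BIND address match lists as named does: elements are tested in order,
the first match decides, a leading '!' negates, and no match means denied
(these semantics are taken from BIND's documentation, not from the page above)."""
import ipaddress

# Constructed sample values; the our-nets ranges stand in for the x.x.x.x placeholders.
BOGUSNETS = ("0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; "
             "10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;")
OUR_NETS = "198.51.100.0/24; 203.0.113.0/24;"


def parse_acl(text):
    """Parse 'a; !b; c;' into an ordered list of (negated, network); 'any' -> None."""
    entries = []
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        if item.lstrip("!").strip() == "any":
            entries.append((item.startswith("!"), None))   # None matches every address
            continue
        negated = item.startswith("!")
        entries.append((negated, ipaddress.ip_network(item.lstrip("!").strip(), strict=False)))
    return entries


def acl_matches(entries, client):
    """First element that covers the client decides; no match at all means denied."""
    ip = ipaddress.ip_address(client)
    for negated, net in entries:
        if net is None or (ip.version == net.version and ip in net):
            return not negated
    return False


def decide(client, allow_query, allow_recursion, blackhole, zone_allow_query=None):
    """Order in which named applies the lists: blackhole, then allow-query, then allow-recursion."""
    if acl_matches(blackhole, client):
        return "dropped"                 # blackholed sources get no reply at all
    effective_query = zone_allow_query if zone_allow_query is not None else allow_query
    if not acl_matches(effective_query, client):
        return "refused"                 # answered with REFUSED
    return "recursive" if acl_matches(allow_recursion, client) else "authoritative-only"


if __name__ == "__main__":
    q, r, b = parse_acl(OUR_NETS), parse_acl(OUR_NETS), parse_acl(BOGUSNETS)
    for c in ("203.0.113.9", "8.8.8.8", "10.1.2.3"):
        print(c, "global:", decide(c, q, r, b), "example.com:", decide(c, q, r, b, parse_acl("any;")))
```

Running it shows the effect described above: an outside address is refused for general queries, gets authoritative-only answers for example.com, and an RFC 1918 source is dropped silently.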
For more information on how to use ACLs to protect your server, see the AUSCERT advisory at
ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos