<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>DNS HOWTO : �$B4pK\E*$J%;%-%e%j%F%#%*%W%7%g%s�(B</TITLE>
<LINK HREF="DNS-HOWTO-7.html" REL=next>
<LINK HREF="DNS-HOWTO-5.html" REL=previous>
<LINK HREF="DNS-HOWTO.html#toc6" REL=contents>
</HEAD>
<BODY>
<A HREF="DNS-HOWTO-7.html">�$B<!$N%Z!<%8�(B</A>
<A HREF="DNS-HOWTO-5.html">�$BA0$N%Z!<%8�(B</A>
<A HREF="DNS-HOWTO.html#toc6">�$BL\<!$X�(B</A>
<HR>
<H2><A NAME="security"></A> <A NAME="s6">6. �$B4pK\E*$J%;%-%e%j%F%#%*%W%7%g%s�(B</A></H2>
<P><EM>By Jamie Norrish</EM>
<P>
<P><B>�$BLdBj$rHr$1$k$?$a$N%*%W%7%g%s@_Dj�(B</B>
<P>
<P>�$B$$$/$D$+4JC1$J:n6H$r9T$($P!"%5!<%P$r$h$j0BA4$K$G$-!"�(B
�$B$^$?%5!<%P$NIi2Y$rDc8:$G$-$^$9!#�(B
�$B$3$3$G>R2p$9$kFbMF$O=PH/E@$K2a$.$^$;$s!#�(B
�$B%;%-%e%j%F%#$N$3$H$r9M$($k$J$i�(B (�$B9M$($k$Y$-$G$9�(B)�$B!"�(B
�$B%M%C%H>e$K$"$kB>$N%j%=!<%9$K$"$?$C$F$/$@$5$$�(B
(
<A HREF="DNS-HOWTO-11.html#bigger">�$B:G8e$N>O�(B</A>�$B$r$4Mw$/$@$5$$�(B)�$B!#�(B
<P>
<P>�$B0J2<$N;XDj$O�(B <CODE>named.conf</CODE> �$B$K9T$$$^$9!#�(B
�$B$3$l$i$N;XDj$r$3$N%U%!%$%k$N�(B <CODE>options</CODE> �$B$NFbIt$K=q$/$H!"�(B
�$B$3$N%U%!%$%k$G%j%9%H$5$l$?$9$Y$F$N%>!<%s$KE,MQ$5$l$^$9!#�(B
�$BFCDj$N�(B <CODE>zone</CODE> �$B%(%s%H%j$NFbIt$K=q$/$H!"�(B
�$B$=$N%>!<%s$@$1$KE,MQ$5$l$^$9!#�(B
<CODE>zone</CODE> �$BFbIt$K=q$+$l$?%(%s%H%j$O�(B
<CODE>options</CODE> �$B$K=q$+$l$?%(%s%H%j$h$j$bM%@h$5$l$^$9!#�(B
<P>
<H2><A NAME="ss6.1">6.1 �$B%>!<%sE>Aw$N@)8B�(B</A>
</H2>
<P>�$B%9%l!<%V%5!<%P$,%I%a%$%s$KBP$9$kLd9g$o$;$K1~$($k$K$O!"�(B
�$B%W%i%$%^%j%5!<%P$+$i%>!<%s$N>pJs$rE>Aw$7$F$/$kI,MW$,$"$j$^$9!#�(B
�$B$7$+$7%9%l!<%V%5!<%P0J30$N%[%9%H$K$O!"$3$NE>Aw$NI,MW$O$J$$$O$:$G$9!#�(B
�$B$G$9$+$i%>!<%sE>Aw$O�(B
<CODE>allow-transfer</CODE> �$B%*%W%7%g%s$r;H$C$F@)8B$7$^$7$g$&!#�(B
�$BNc$($P�(B ns.friend.bogus �$B$N�(B IP �$B%"%I%l%9$G$"$k�(B
192.168.1.4 �$B$H!"�(B
�$B$=$l$+$i%G%P%C%0MQ$N<+J,<+?H$rDI2C$9$k$J$i$P�(B:
<P>
<HR>
<PRE>
zone "linux.bogus" {
allow-transfer { 192.168.1.4; localhost; };
};
</PRE>
<HR>
<P>�$B%>!<%sE>Aw$r@)8B$9$l$P!"30It$N?M!9$+$i8+$($k$N$O!"�(B
�$BH`$i$,D>@\?R$M$?%[%9%H$K4X$9$kFbMF$@$1$K8B$i$l$^$9!#�(B
DNS �$B@_Dj$N>\:YA4BN$rLd9g$o$;$k$3$H$O$G$-$J$/$J$k$N$G$9!#�(B
<P>
<H2><A NAME="ss6.2">6.2 �$BIT@5MxMQ$+$i<i$k�(B</A>
</H2>
<P>�$B$^$:!"FbIt%M%C%H%o!<%/$H%m!<%+%k$N%^%7%s$+$i$N$b$N$r$N$>$-!"�(B
�$B$"$J$?$N4IM}$9$k%I%a%$%s0J30$X$NLd9g$o$;$O6X;_$7$^$7$g$&!#�(B
�$B$3$l$O!"�(B
�$B0-0U$r;}$C$F$"$J$?$N�(B DNS �$B%5!<%P$rMxMQ$7$h$&$H$9$k;n$_$r6X;_$9$k$@$1$G$J$/!"�(B
�$BK\MhITI,MW$JLd9g$o$;$r8:$i$7$^$9!#�(B
<P>
<HR>
<PRE>
options {
allow-query { 192.168.196.0/24; localhost; };
};
zone "linux.bogus" {
allow-query { any; };
};
zone "196.168.192.in-addr.arpa" {
allow-query { any; };
};
</PRE>
<HR>
<P>
<P>�$B$5$i$KFbIt�(B/�$B%m!<%+%k$+$i$N$b$N$r=|$-!":F5"E*$JLd9g$o$;$b6X;_$7$^$9!#�(B
�$B$3$l$K$h$j%-%c%C%7%e1x@w967b�(B (cache poisoning attack:
�$B4V0c$C$?%G!<%?$r%5!<%P$KAw$j$D$1$k$3$H�(B) �$B$N4m81@-$,8:$i$;$^$9!#�(B
<P>
<HR>
<PRE>
options {
allow-recursion { 192.168.196.0/24; localhost; };
};
</PRE>
<HR>
<P>
<H2><A NAME="ss6.3">6.3 named �$B$r�(B root �$B0J30$G<B9T$9$k�(B</A>
</H2>
<P>named �$B$r�(B root �$B0J30$+$i<B9T$9$k$N$ONI$$9M$($G$9!#�(B
�$BGK$i$l$?$H$-$K!"%/%i%C%+!<$KC%$o$l$k8"8B$r8:$i$9$3$H$,=PMh$^$9$+$i!#�(B
�$B$^$:�(B named �$B$rF0:n$5$;$k%f!<%6$r:n$j!"�(B
�$B<!$K�(B named �$B$r5/F0$7$F$$$k�(B init �$B%9%/%j%W%H$r=$@5$7$^$9!#�(B
�$B?7$7$/:n$C$?%f!<%6L>$r!"�(B
named �$B$N�(B -u �$B%U%i%0$K;XDj$7$^$9!#�(B
<P>
<P>�$BNc$($P�(B Debian GNU/Linux 2.2 �$B$J$i!"�(B
<CODE>/etc/init.d/bind</CODE> �$B%9%/%j%W%H$r0J2<$N9T$N$h$&$K=$@5$7$^$9�(B
(�$B%f!<%6�(B <CODE>named</CODE> �$B$O$"$i$+$8$a:n@.$7$F$*$-$^$9�(B):
<P>
<HR>
<PRE>
start-stop-daemon --start --quiet --exec /usr/sbin/named -- -u named
</PRE>
<HR>
<P>Red Hat �$B$dB>$N%G%#%9%H%j%S%e!<%7%g%s$G$bF1MM$K$G$-$k$O$:$G$9!#�(B
<P>Dave Lugo �$B$O!"Fs$D$N�(B chroot �$B$rMQ$$$?%;%-%e%"$J@_Dj$r�(B
<A HREF="http://www.etherboy.com/dns/chrootdns.html">http://www.etherboy.com/dns/chrootdns.html</A>
�$B$G2r@b$7$F$$$^$9!#$-$C$H6=L#$r;}$?$l$kFI<T$,B?$$$G$7$g$&!#�(B
�$B$3$l$rMQ$$$l$P�(B named �$B$rF0$+$7$F$$$k%[%9%H$r$5$i$K0BA4$K$G$-$^$9!#�(B
<P>
<HR>
<A HREF="DNS-HOWTO-7.html">�$B<!$N%Z!<%8�(B</A>
<A HREF="DNS-HOWTO-5.html">�$BA0$N%Z!<%8�(B</A>
<A HREF="DNS-HOWTO.html#toc6">�$BL\<!$X�(B</A>
</BODY>
</HTML>
