Hide named hostname, server-id and version for bind.

ScIT-Raphael · ScIT-Raphael · commit dae9da8f8a7a · 2018-11-14T10:16:33.000+01:00
diff --git a/install/debian/8/bind/named.conf.options b/install/debian/8/bind/named.conf.options
@@ -0,0 +1,24 @@
+options {
+        directory "/var/cache/bind";
+         // If there is a firewall between you and nameservers you want
+        // to talk to, you may need to fix the firewall to allow multiple
+        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+         // If your ISP provided one or more IP addresses for stable
+        // nameservers, you probably want to use them as forwarders.
+        // Uncomment the following block, and insert the addresses replacing
+        // the all-0's placeholder.
+         // forwarders {
+        //      0.0.0.0;
+        // };
+         //========================================================================
+        // If BIND logs error messages about the root key being expired,
+        // you will need to update your keys.  See https://www.isc.org/bind-keys
+        //========================================================================
+        dnssec-validation auto;
+        auth-nxdomain no;
+        allow-recursion { 127.0.0.1; ::1; };
+        allow-transfer {"none";};
+        hostname none;
+        server-id none;
+        version none;
+};
diff --git a/install/debian/9/bind/named.conf.options b/install/debian/9/bind/named.conf.options
@@ -0,0 +1,24 @@
+options {
+        directory "/var/cache/bind";
+         // If there is a firewall between you and nameservers you want
+        // to talk to, you may need to fix the firewall to allow multiple
+        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+         // If your ISP provided one or more IP addresses for stable
+        // nameservers, you probably want to use them as forwarders.
+        // Uncomment the following block, and insert the addresses replacing
+        // the all-0's placeholder.
+         // forwarders {
+        //      0.0.0.0;
+        // };
+         //========================================================================
+        // If BIND logs error messages about the root key being expired,
+        // you will need to update your keys.  See https://www.isc.org/bind-keys
+        //========================================================================
+        dnssec-validation auto;
+        auth-nxdomain no;
+        allow-recursion { 127.0.0.1; ::1; };
+        allow-transfer {"none";};
+        hostname none;
+        server-id none;
+        version none;
+};
diff --git a/install/hst-install-debian.sh b/install/hst-install-debian.sh
@@ -1154,9 +1154,11 @@ fi
 
 if [ "$named" = 'yes' ]; then
     cp -f $hestiacp/bind/named.conf /etc/bind/
-    sed -i "s%listen-on%//listen%" /etc/bind/named.conf.options
+    cp -f $hestiacp/bind/named.conf.options /etc/bind/
     chown root:bind /etc/bind/named.conf
+    chown root:bind /etc/bind/named.conf.options
     chmod 640 /etc/bind/named.conf
+    chmod 640 /etc/bind/named.conf.options
     aa-complain /usr/sbin/named 2>/dev/null
     if [ "$apparmor" = 'yes' ]; then
         echo "/home/** rwm," >> /etc/apparmor.d/local/usr.sbin.named 2>/dev/null
diff --git a/install/hst-install-ubuntu.sh b/install/hst-install-ubuntu.sh
@@ -1138,9 +1138,11 @@ fi
 
 if [ "$named" = 'yes' ]; then
     cp -f $hestiacp/bind/named.conf /etc/bind/
-    sed -i "s%listen-on%//listen%" /etc/bind/named.conf.options
+    cp -f $hestiacp/bind/named.conf.options /etc/bind/
     chown root:bind /etc/bind/named.conf
+    chown root:bind /etc/bind/named.conf.options
     chmod 640 /etc/bind/named.conf
+    chmod 640 /etc/bind/named.conf.options
     aa-complain /usr/sbin/named > /dev/null 2>&1
     echo "/home/** rwm," >> /etc/apparmor.d/local/usr.sbin.named 2>/dev/null
     service apparmor status > /dev/null 2>&1
diff --git a/install/ubuntu/14.04/bind/named.conf.options b/install/ubuntu/14.04/bind/named.conf.options
@@ -0,0 +1,24 @@
+options {
+        directory "/var/cache/bind";
+         // If there is a firewall between you and nameservers you want
+        // to talk to, you may need to fix the firewall to allow multiple
+        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+         // If your ISP provided one or more IP addresses for stable
+        // nameservers, you probably want to use them as forwarders.
+        // Uncomment the following block, and insert the addresses replacing
+        // the all-0's placeholder.
+         // forwarders {
+        //      0.0.0.0;
+        // };
+         //========================================================================
+        // If BIND logs error messages about the root key being expired,
+        // you will need to update your keys.  See https://www.isc.org/bind-keys
+        //========================================================================
+        dnssec-validation auto;
+        auth-nxdomain no;
+        allow-recursion { 127.0.0.1; ::1; };
+        allow-transfer {"none";};
+        hostname none;
+        server-id none;
+        version none;
+};
diff --git a/install/ubuntu/16.04/bind/named.conf.options b/install/ubuntu/16.04/bind/named.conf.options
@@ -0,0 +1,24 @@
+options {
+        directory "/var/cache/bind";
+         // If there is a firewall between you and nameservers you want
+        // to talk to, you may need to fix the firewall to allow multiple
+        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+         // If your ISP provided one or more IP addresses for stable
+        // nameservers, you probably want to use them as forwarders.
+        // Uncomment the following block, and insert the addresses replacing
+        // the all-0's placeholder.
+         // forwarders {
+        //      0.0.0.0;
+        // };
+         //========================================================================
+        // If BIND logs error messages about the root key being expired,
+        // you will need to update your keys.  See https://www.isc.org/bind-keys
+        //========================================================================
+        dnssec-validation auto;
+        auth-nxdomain no;
+        allow-recursion { 127.0.0.1; ::1; };
+        allow-transfer {"none";};
+        hostname none;
+        server-id none;
+        version none;
+};
diff --git a/install/ubuntu/18.04/bind/named.conf.options b/install/ubuntu/18.04/bind/named.conf.options
@@ -0,0 +1,24 @@
+options {
+        directory "/var/cache/bind";
+         // If there is a firewall between you and nameservers you want
+        // to talk to, you may need to fix the firewall to allow multiple
+        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+         // If your ISP provided one or more IP addresses for stable
+        // nameservers, you probably want to use them as forwarders.
+        // Uncomment the following block, and insert the addresses replacing
+        // the all-0's placeholder.
+         // forwarders {
+        //      0.0.0.0;
+        // };
+         //========================================================================
+        // If BIND logs error messages about the root key being expired,
+        // you will need to update your keys.  See https://www.isc.org/bind-keys
+        //========================================================================
+        dnssec-validation auto;
+        auth-nxdomain no;
+        allow-recursion { 127.0.0.1; ::1; };
+        allow-transfer {"none";};
+        hostname none;
+        server-id none;
+        version none;
+};
