Resolved Slave DNS Manager Extension security

[Branko]

Hello,

I have installed Slave DNS Manager Extension and set it up successfully. Everything is working great.
But, there is only one thing that bothers me.
When I run DNS test on mxtoolbox.com it warns "Open Zone Transfer Detected" for Slave Server.

I followed the exact instructions that are given in the extension and Plesk documentation. And I did not add anything else to /etc/bind/named.conf.options besides what was given by extension instructions.

Should I ignore that mxtoolbox.com warning? Is Slave Server protected from third-party zone transfer?
Or I should add some more lines to /etc/bind/named.conf.options for security?

This is the content of my /etc/bind/named.conf.options:

options {
directory "/var/cache/bind";

dnssec-validation auto;

auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
allow-new-zones yes;
};

key "rndc-key-(My Master Server IP)" {
algorithm hmac-md5;
secret "(my-secret-key)";
};

controls {
inet * port 953 allow { (My Master Server IP); 127.0.0.1; } keys { "rndc-key-(My Master Server IP)"; };
};​

Thank you in advance.

 

[AYamshanov]

Hi Branco,

What OS/version installed on slave DNS server? Bind version?

 

[Branko]

Hi AYamshanov, thank you for replying.

Slave server OS/version is Ubuntu 16.04 64bit
Bind version is BIND 9.10.3-P4-Ubuntu

 

[AYamshanov]

I have checked in the same environment.

The Slave DNS Manager suggest minimal required configuration changes.
Bind server with default settings on Ubuntu allows zone transfer, it is true. If you want disable it, put next code into "options" section of "/etc/bind/named.conf.options" and restart bind server ("systemctl restart bind9.service")

allow-transfer { "none"; };

 

[Branko]

Thank you very much!

Done what you said and, yes, now is everything ok.

Have a very nice day!