900526
/*
900526
 Sample named.conf BIND DNS server 'named' configuration file
900526
 for the Red Hat BIND distribution.
900526
900526
 See the BIND Administrator's Reference Manual (ARM) for details about the
900526
 configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
900526
*/
900526
900526
options
900526
{
900526
	// Put files that named is allowed to write in the data/ directory:
900526
	directory 		"/var/named";		// "Working" directory
900526
	dump-file 		"data/cache_dump.db";
900526
        statistics-file 	"data/named_stats.txt";
900526
        memstatistics-file 	"data/named_mem_stats.txt";
2c0af7
	recursing-file		"data/named.recursing";
2c0af7
	secroots-file		"data/named.secroots";
900526
900526
900526
	/*
900526
	  Specify listenning interfaces. You can use list of addresses (';' is
900526
	  delimiter) or keywords "any"/"none"
900526
	*/
900526
	//listen-on port 53	{ any; };
900526
	listen-on port 53	{ 127.0.0.1; };
900526
900526
	//listen-on-v6 port 53	{ any; };
900526
	listen-on-v6 port 53	{ ::1; };
900526
900526
	/*
900526
	  Access restrictions
900526
900526
	  There are two important options:
900526
	    allow-query { argument; };
900526
	      - allow queries for authoritative data
900526
900526
	    allow-query-cache { argument; };
900526
	      - allow queries for non-authoritative data (mostly cached data)
900526
900526
	  You can use address, network address or keywords "any"/"localhost"/"none" as argument
900526
	  Examples:
900526
	    allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
900526
	    allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
900526
	*/
900526
900526
	allow-query		{ localhost; };
900526
	allow-query-cache	{ localhost; };
900526
900526
	/* Enable/disable recursion - recursion yes/no;
900526
900526
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
900526
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
900526
	   recursion. 
900526
	 - If your recursive DNS server has a public IP address, you MUST enable access 
900526
	   control to limit queries to your legitimate users. Failing to do so will
900526
	   cause your server to become part of large scale DNS amplification 
900526
	   attacks. Implementing BCP38 within your network would greatly
900526
	   reduce such attack surface 
900526
	 */
900526
	recursion yes;
900526
900526
	/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
900526
900526
	/* Enable serving of DNSSEC related data - enable on both authoritative
900526
 	   and recursive servers DNSSEC aware servers */
900526
	dnssec-enable yes;
900526
900526
	/* Enable DNSSEC validation on recursive servers */
900526
	dnssec-validation yes;
900526
900526
	/* In RHEL-7 we use /run/named instead of default /var/run/named
900526
	   so we have to configure paths properly. */
900526
	pid-file "/run/named/named.pid";
900526
	session-keyfile "/run/named/session.key";
900526
900526
	managed-keys-directory "/var/named/dynamic";
900526
};
900526
900526
logging 
900526
{
900526
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
900526
 *      named will try to write the 'named.run' file in the $directory (/var/named).
900526
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
900526
 *      so put the default debug log file in data/ :
900526
 */
900526
        channel default_debug {
900526
                file "data/named.run";
900526
                severity dynamic;
900526
        };	
900526
};
900526
900526
/*
900526
 Views let a name server answer a DNS query differently depending on who is asking.
900526
900526
 By default, if named.conf contains no "view" clauses, all zones are in the 
900526
 "default" view, which matches all clients.
900526
900526
 Views are processed sequentially. The first match is used so the last view should
900526
 match "any" - it's fallback and the most restricted view.
900526
900526
 If named.conf contains any "view" clause, then all zones MUST be in a view.
900526
*/
900526
900526
view "localhost_resolver"
900526
{
900526
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
900526
 * If all you want is a caching-only nameserver, then you need only define this view:
900526
 */
900526
	match-clients 		{ localhost; };
900526
	recursion yes;
900526
900526
	# all views must contain the root hints zone:
900526
	zone "." IN {
900526
	        type hint;
900526
	        file "/var/named/named.ca";
900526
	};
900526
900526
        /* these are zones that contain definitions for all the localhost
900526
         * names and addresses, as recommended in RFC1912 - these names should
900526
	 * not leak to the other nameservers:
900526
	 */
900526
	include "/etc/named.rfc1912.zones";
900526
};
900526
view "internal"
900526
{
900526
/* This view will contain zones you want to serve only to "internal" clients
900526
   that connect via your directly attached LAN interfaces - "localnets" .
900526
 */
900526
	match-clients		{ localnets; };
900526
	recursion yes;
900526
900526
	zone "." IN {
900526
	        type hint;
900526
	        file "/var/named/named.ca";
900526
	};
900526
900526
        /* these are zones that contain definitions for all the localhost
900526
         * names and addresses, as recommended in RFC1912 - these names should
900526
	 * not leak to the other nameservers:
900526
	 */
900526
	include "/etc/named.rfc1912.zones";
900526
 
900526
	// These are your "authoritative" internal zones, and would probably
900526
	// also be included in the "localhost_resolver" view above :
900526
900526
	/*
900526
	  NOTE for dynamic DNS zones and secondary zones:
900526
900526
	  DO NOT USE SAME FILES IN MULTIPLE VIEWS!
900526
900526
	  If you are using views and DDNS/secondary zones it is strongly
900526
	  recommended to read FAQ on ISC site (www.isc.org), section
900526
	  "Configuration and Setup Questions", questions
900526
	  "How do I share a dynamic zone between multiple views?" and
900526
	  "How can I make a server a slave for both an internal and an external
900526
	   view at the same time?"
900526
	*/
900526
900526
	zone "my.internal.zone" { 
900526
		type master;
900526
		file "my.internal.zone.db";
900526
	};
900526
	zone "my.slave.internal.zone" {
900526
		type slave;
900526
		file "slaves/my.slave.internal.zone.db";
900526
		masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
900526
		// put slave zones in the slaves/ directory so named can update them
900526
	};	
900526
	zone "my.ddns.internal.zone" {
900526
		type master;
900526
		allow-update { key ddns_key; };
900526
		file "dynamic/my.ddns.internal.zone.db";
900526
		// put dynamically updateable zones in the slaves/ directory so named can update them
900526
	};			
900526
};
900526
900526
key ddns_key
900526
{
900526
	algorithm hmac-md5;
900526
	secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
900526
};
900526
900526
view "external"
900526
{
900526
/* This view will contain zones you want to serve only to "external" clients
900526
 * that have addresses that are not match any above view:
900526
 */
900526
	match-clients		{ any; };
900526
900526
	zone "." IN {
900526
	        type hint;
900526
	        file "/var/named/named.ca";
900526
	};
900526
900526
	recursion no;
900526
	// you'd probably want to deny recursion to external clients, so you don't
900526
        // end up providing free DNS service to all takers
900526
900526
	// These are your "authoritative" external zones, and would probably
900526
        // contain entries for just your web and mail servers:
900526
900526
	zone "my.external.zone" { 
900526
		type master;
900526
		file "my.external.zone.db";
900526
	};
900526
};
900526
900526
/* Trusted keys
900526
900526
  This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
900526
  have to configure at least one trusted key.
900526
900526
  Note that no key written below is valid. Especially root key because root zone
900526
  is not signed yet.
900526
*/
900526
/*
900526
trusted-keys {
900526
// Root Key
900526
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
900526
             E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
900526
             zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
900526
             MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
900526
             /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
900526
             iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
900526
             Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
900526
900526
// Key for forward zone
900526
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
900526
                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
900526
                      OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
900526
                      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
900526
                      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
900526
                      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
900526
                      SCThlHf3xiYleDbt/o1OTQ09A0=";
900526
900526
// Key for reverse zone.
900526
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
900526
                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
900526
                                tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
900526
                                yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
900526
                                4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
900526
                                zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
900526
                                7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
900526
                                52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
900526
};
900526
*/