bc5dde
/*
bc5dde
 Sample named.conf BIND DNS server 'named' configuration file
bc5dde
 for the Red Hat BIND distribution.
bc5dde
310562
 See the BIND Administrator's Reference Manual (ARM) for details about the
310562
 configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
bc5dde
*/
bc5dde
bc5dde
options
bc5dde
{
bc5dde
	// Put files that named is allowed to write in the data/ directory:
bc5dde
	directory 		"/var/named";		// "Working" directory
bc5dde
	dump-file 		"data/cache_dump.db";
bc5dde
        statistics-file 	"data/named_stats.txt";
bc5dde
        memstatistics-file 	"data/named_mem_stats.txt";
24159a
	recursing-file		"data/named.recursing";
24159a
	secroots-file		"data/named.secroots";
bc5dde
bc5dde
bc5dde
	/*
bc5dde
	  Specify listenning interfaces. You can use list of addresses (';' is
bc5dde
	  delimiter) or keywords "any"/"none"
bc5dde
	*/
bc5dde
	//listen-on port 53	{ any; };
bc5dde
	listen-on port 53	{ 127.0.0.1; };
bc5dde
bc5dde
	//listen-on-v6 port 53	{ any; };
bc5dde
	listen-on-v6 port 53	{ ::1; };
bc5dde
bc5dde
	/*
bc5dde
	  Access restrictions
bc5dde
bc5dde
	  There are two important options:
bc5dde
	    allow-query { argument; };
bc5dde
	      - allow queries for authoritative data
bc5dde
bc5dde
	    allow-query-cache { argument; };
bc5dde
	      - allow queries for non-authoritative data (mostly cached data)
bc5dde
bc5dde
	  You can use address, network address or keywords "any"/"localhost"/"none" as argument
bc5dde
	  Examples:
bc5dde
	    allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
bc5dde
	    allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
bc5dde
	*/
bc5dde
bc5dde
	allow-query		{ localhost; };
bc5dde
	allow-query-cache	{ localhost; };
bc5dde
bc5dde
	/* Enable/disable recursion - recursion yes/no;
bc5dde
bc5dde
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
bc5dde
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
bc5dde
	   recursion. 
bc5dde
	 - If your recursive DNS server has a public IP address, you MUST enable access 
bc5dde
	   control to limit queries to your legitimate users. Failing to do so will
bc5dde
	   cause your server to become part of large scale DNS amplification 
bc5dde
	   attacks. Implementing BCP38 within your network would greatly
bc5dde
	   reduce such attack surface 
bc5dde
	 */
bc5dde
	recursion yes;
bc5dde
bc5dde
	/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
bc5dde
bc5dde
	/* Enable serving of DNSSEC related data - enable on both authoritative
bc5dde
 	   and recursive servers DNSSEC aware servers */
bc5dde
	dnssec-enable yes;
bc5dde
bc5dde
	/* Enable DNSSEC validation on recursive servers */
bc5dde
	dnssec-validation yes;
bc5dde
fd4b48
	/* In RHEL-7 we use /run/named instead of default /var/run/named
fd4b48
	   so we have to configure paths properly. */
bc5dde
	pid-file "/run/named/named.pid";
fd4b48
	session-keyfile "/run/named/session.key";
bc5dde
bc5dde
	managed-keys-directory "/var/named/dynamic";
bc5dde
};
bc5dde
bc5dde
logging 
bc5dde
{
bc5dde
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
bc5dde
 *      named will try to write the 'named.run' file in the $directory (/var/named).
bc5dde
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
bc5dde
 *      so put the default debug log file in data/ :
bc5dde
 */
bc5dde
        channel default_debug {
bc5dde
                file "data/named.run";
bc5dde
                severity dynamic;
3ce7d3
        };
bc5dde
};
bc5dde
bc5dde
/*
bc5dde
 Views let a name server answer a DNS query differently depending on who is asking.
bc5dde
bc5dde
 By default, if named.conf contains no "view" clauses, all zones are in the 
bc5dde
 "default" view, which matches all clients.
bc5dde
bc5dde
 Views are processed sequentially. The first match is used so the last view should
bc5dde
 match "any" - it's fallback and the most restricted view.
bc5dde
bc5dde
 If named.conf contains any "view" clause, then all zones MUST be in a view.
bc5dde
*/
bc5dde
bc5dde
view "localhost_resolver"
bc5dde
{
bc5dde
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
bc5dde
 * If all you want is a caching-only nameserver, then you need only define this view:
bc5dde
 */
bc5dde
	match-clients 		{ localhost; };
bc5dde
	recursion yes;
bc5dde
bc5dde
	# all views must contain the root hints zone:
bc5dde
	zone "." IN {
bc5dde
	        type hint;
bc5dde
	        file "/var/named/named.ca";
bc5dde
	};
bc5dde
bc5dde
        /* these are zones that contain definitions for all the localhost
bc5dde
         * names and addresses, as recommended in RFC1912 - these names should
bc5dde
	 * not leak to the other nameservers:
bc5dde
	 */
bc5dde
	include "/etc/named.rfc1912.zones";
bc5dde
};
bc5dde
view "internal"
bc5dde
{
bc5dde
/* This view will contain zones you want to serve only to "internal" clients
bc5dde
   that connect via your directly attached LAN interfaces - "localnets" .
bc5dde
 */
bc5dde
	match-clients		{ localnets; };
bc5dde
	recursion yes;
bc5dde
bc5dde
	zone "." IN {
bc5dde
	        type hint;
bc5dde
	        file "/var/named/named.ca";
bc5dde
	};
bc5dde
bc5dde
        /* these are zones that contain definitions for all the localhost
bc5dde
         * names and addresses, as recommended in RFC1912 - these names should
bc5dde
	 * not leak to the other nameservers:
bc5dde
	 */
bc5dde
	include "/etc/named.rfc1912.zones";
bc5dde
 
bc5dde
	// These are your "authoritative" internal zones, and would probably
bc5dde
	// also be included in the "localhost_resolver" view above :
bc5dde
bc5dde
	/*
bc5dde
	  NOTE for dynamic DNS zones and secondary zones:
bc5dde
bc5dde
	  DO NOT USE SAME FILES IN MULTIPLE VIEWS!
bc5dde
bc5dde
	  If you are using views and DDNS/secondary zones it is strongly
bc5dde
	  recommended to read FAQ on ISC site (www.isc.org), section
bc5dde
	  "Configuration and Setup Questions", questions
bc5dde
	  "How do I share a dynamic zone between multiple views?" and
bc5dde
	  "How can I make a server a slave for both an internal and an external
bc5dde
	   view at the same time?"
bc5dde
	*/
bc5dde
bc5dde
	zone "my.internal.zone" { 
bc5dde
		type master;
bc5dde
		file "my.internal.zone.db";
bc5dde
	};
bc5dde
	zone "my.slave.internal.zone" {
bc5dde
		type slave;
bc5dde
		file "slaves/my.slave.internal.zone.db";
bc5dde
		masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
bc5dde
		// put slave zones in the slaves/ directory so named can update them
bc5dde
	};	
bc5dde
	zone "my.ddns.internal.zone" {
bc5dde
		type master;
bc5dde
		allow-update { key ddns_key; };
bc5dde
		file "dynamic/my.ddns.internal.zone.db";
bc5dde
		// put dynamically updateable zones in the slaves/ directory so named can update them
3ce7d3
	};
bc5dde
};
bc5dde
bc5dde
key ddns_key
bc5dde
{
bc5dde
	algorithm hmac-md5;
bc5dde
	secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
bc5dde
};
bc5dde
bc5dde
view "external"
bc5dde
{
bc5dde
/* This view will contain zones you want to serve only to "external" clients
bc5dde
 * that have addresses that are not match any above view:
bc5dde
 */
bc5dde
	match-clients		{ any; };
bc5dde
bc5dde
	zone "." IN {
bc5dde
	        type hint;
bc5dde
	        file "/var/named/named.ca";
bc5dde
	};
bc5dde
bc5dde
	recursion no;
bc5dde
	// you'd probably want to deny recursion to external clients, so you don't
bc5dde
        // end up providing free DNS service to all takers
bc5dde
bc5dde
	// These are your "authoritative" external zones, and would probably
bc5dde
        // contain entries for just your web and mail servers:
bc5dde
bc5dde
	zone "my.external.zone" { 
bc5dde
		type master;
bc5dde
		file "my.external.zone.db";
bc5dde
	};
bc5dde
};
bc5dde
bc5dde
/* Trusted keys
bc5dde
bc5dde
  This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
bc5dde
  have to configure at least one trusted key.
bc5dde
bc5dde
  Note that no key written below is valid. Especially root key because root zone
bc5dde
  is not signed yet.
bc5dde
*/
bc5dde
/*
bc5dde
trusted-keys {
bc5dde
// Root Key
bc5dde
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
bc5dde
             E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
bc5dde
             zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
bc5dde
             MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
bc5dde
             /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
bc5dde
             iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
bc5dde
             Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
bc5dde
bc5dde
// Key for forward zone
bc5dde
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
bc5dde
                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
bc5dde
                      OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
bc5dde
                      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
bc5dde
                      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
bc5dde
                      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
bc5dde
                      SCThlHf3xiYleDbt/o1OTQ09A0=";
bc5dde
bc5dde
// Key for reverse zone.
bc5dde
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
bc5dde
                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
bc5dde
                                tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
bc5dde
                                yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
bc5dde
                                4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
bc5dde
                                zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
bc5dde
                                7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
bc5dde
                                52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
bc5dde
};
bc5dde
*/