/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.
 See the BIND Administrator's Reference Manual (ARM) for details, in:
   file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
 Also see the BIND Configuration GUI : /usr/bin/system-config-bind and 
 its manual.
*/
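options
{
	// Put files that named is allowed to write in the data/ directory:
	directory 		"/var/named";		// "Working" directory
	dump-file 		"data/cache_dump.db";
	statistics-file 	"data/named_stats.txt";
	memstatistics-file 	"data/named_mem_stats.txt";
	secroots-file		"data/named.secroots";
	recursing-file		"data/named.recursing";

	/*
	  Specify listening interfaces. You can use a list of addresses (';' is
	  the delimiter) or the keywords "any"/"none".

	  The defaults bind to loopback only, so nothing is reachable from the
	  network until you deliberately widen them.
	*/
	//listen-on port 53	{ any; };
	listen-on port 53	{ 127.0.0.1; };

	//listen-on-v6 port 53	{ any; };
	listen-on-v6 port 53	{ ::1; };

	/*
	  Access restrictions

	  There are two important options:
	    allow-query { argument; };
	      - allow queries for authoritative data

	    allow-query-cache { argument; };
	      - allow queries for non-authoritative data (mostly cached data)

	  You can use an address, a network address or the keywords
	  "any"/"localhost"/"none" as argument.
	  Examples:
	    allow-query { localhost; 10.0.0.1; 192.168.1.0/24; };
	    allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };

	  These are the server-wide defaults; a view or a zone may override them.
	*/

	allow-query		{ localhost; };
	allow-query-cache	{ localhost; };

	/* Enable/disable recursion - recursion yes/no;

	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface.
	 */
	recursion yes;

	/* DNSSEC related options. See information about keys ("Trusted keys", below) */

	/* Enable serving of DNSSEC related data - enable on both authoritative
	   and recursive DNSSEC-aware servers.
	   NOTE(review): dnssec-enable is obsolete in recent BIND releases, which
	   warn about or reject it; drop this line if named refuses the option. */
	dnssec-enable yes;

	/* Enable DNSSEC validation on recursive servers.
	   "auto" validates with the built-in root trust anchor, which named keeps
	   current in managed-keys-directory. "yes" validates only against trust
	   anchors configured explicitly in this file - and the trusted-keys
	   statement at the bottom of this file is commented out, so "yes" would
	   leave validation effectively switched off. */
	dnssec-validation auto;

	/* In Fedora we use /run/named instead of default /var/run/named
	   so we have to configure paths properly. */
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	managed-keys-directory "/var/named/dynamic";

	/* In Fedora we use system-wide Crypto Policy */
	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
	include "/etc/crypto-policies/back-ends/bind.config";
};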
logging 
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;       // log level follows the server's current debug level (rndc trace)
        };
};
/*
 Views let a name server answer a DNS query differently depending on who is asking.
 By default, if named.conf contains no "view" clauses, all zones are in the 
 "default" view, which matches all clients.
 Views are processed sequentially. The first match is used so the last view should
 match "any" - it is the fallback and the most restricted view.
 If named.conf contains any "view" clause, then all zones MUST be in a view.
*/
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
	match-clients 		{ localhost; };		// only queries from this host's own addresses land here
	recursion yes;

	# all views must contain the root hints zone:
	zone "." IN {
	        type hint;
	        file "/var/named/named.ca";
	};

        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
	 * not leak to the other nameservers:
	 */
	include "/etc/named.rfc1912.zones";
};
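view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
   that connect via your directly attached LAN interfaces - "localnets" .
 */
	match-clients		{ localnets; };
	recursion yes;

	zone "." IN {
	        type hint;
	        file "/var/named/named.ca";
	};

        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
	 * not leak to the other nameservers:
	 */
	include "/etc/named.rfc1912.zones";

	// These are your "authoritative" internal zones, and would probably
	// also be included in the "localhost_resolver" view above :

	/*
	  NOTE for dynamic DNS zones and secondary zones:

	  DO NOT USE SAME FILES IN MULTIPLE VIEWS!

	  If you are using views and DDNS/secondary zones it is strongly
	  recommended to read FAQ on ISC site (www.isc.org), section
	  "Configuration and Setup Questions", questions
	  "How do I share a dynamic zone between multiple views?" and
	  "How can I make a server a slave for both an internal and an external
	   view at the same time?"
	*/

	zone "my.internal.zone" {
		type master;
		file "my.internal.zone.db";
	};
	zone "my.slave.internal.zone" {
		type slave;
		// put slave zones in the slaves/ directory so named can update them
		file "slaves/my.slave.internal.zone.db";
		masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
	};
	zone "my.ddns.internal.zone" {
		type master;
		// Updates are accepted only when signed with the TSIG key "ddns_key"
		// (see the key statement below); an address-only ACL could be
		// satisfied by a spoofed UDP source, a signed update cannot.
		allow-update { key ddns_key; };
		// put dynamically updateable zones in the dynamic/ directory so named can update them
		file "dynamic/my.ddns.internal.zone.db";
	};
};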
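key ddns_key
{
	// HMAC-SHA256 replaces the sample's hmac-md5: MD5-based TSIG is
	// deprecated, and a system crypto policy (see the include in options)
	// may disallow it.
	algorithm hmac-sha256;
	// Placeholder only - it is not valid base64, so named will not accept it.
	// Generate a real key with tsig-keygen(8), store it in a separate file
	// readable only by the named user, and pull it in with an include.
	secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
};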
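view "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * whose addresses do not match any of the views above:
 */
	match-clients		{ any; };

	zone "." IN {
	        type hint;
	        file "/var/named/named.ca";
	};

	recursion no;
	// you'd probably want to deny recursion to external clients, so you don't
	// end up providing free DNS service to all takers

	// These are your "authoritative" external zones, and would probably
	// contain entries for just your web and mail servers:

	zone "my.external.zone" {
		type master;
		file "my.external.zone.db";
		// The server-wide default in options is allow-query { localhost; },
		// which this view inherits - outside clients would be REFUSED.
		// Open only this authoritative zone: recursion is off and
		// allow-query-cache stays restricted, so nothing but the zone's
		// own data is exposed.
		allow-query { any; };
	};
};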
/* Trusted keys

  This statement contains DNSSEC keys. If you want a DNSSEC-aware resolver you
  have to configure at least one trusted key.

  Note that no key written below is valid - especially the root key, because
  the root zone is not signed yet.
*/
/*
trusted-keys {
// Root Key
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
             E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
             zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
             MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
             /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
             iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
             Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";

// Key for forward zone
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
                      OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
                      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
                      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
                      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
                      SCThlHf3xiYleDbt/o1OTQ09A0=";

// Key for reverse zone.
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
                                tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
                                yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
                                4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
                                zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
                                7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
                                52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
};
*/