|
Adam Tkac |
98dc34 |
/*
|
|
Adam Tkac |
98dc34 |
Sample named.conf BIND DNS server 'named' configuration file
|
|
Adam Tkac |
98dc34 |
for the Red Hat BIND distribution.
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
See the BIND Administrator's Reference Manual (ARM) for details, in:
|
|
Adam Tkac |
98dc34 |
file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
|
|
Adam Tkac |
98dc34 |
Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
|
|
Adam Tkac |
98dc34 |
its manual.
|
|
Adam Tkac |
98dc34 |
*/
|
|
Adam Tkac |
98dc34 |
|
|
jvdias |
053216 |
options
|
|
jvdias |
053216 |
{
|
|
jvdias |
053216 |
// Put files that named is allowed to write in the data/ directory:
|
|
Adam Tkac |
98dc34 |
directory "/var/named"; // "Working" directory
|
|
jvdias |
053216 |
dump-file "data/cache_dump.db";
|
|
jvdias |
053216 |
statistics-file "data/named_stats.txt";
|
|
jvdias |
053216 |
memstatistics-file "data/named_mem_stats.txt";
|
|
 |
0b15f3 |
secroots-file "data/named.secroots";
|
|
|
0b15f3 |
recursing-file "data/named.recursing";
|
|
jvdias |
053216 |
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
/*
|
|
Adam Tkac |
98dc34 |
Specify listenning interfaces. You can use list of addresses (';' is
|
|
Adam Tkac |
98dc34 |
delimiter) or keywords "any"/"none"
|
|
Adam Tkac |
98dc34 |
*/
|
|
Adam Tkac |
98dc34 |
//listen-on port 53 { any; };
|
|
Adam Tkac |
98dc34 |
listen-on port 53 { 127.0.0.1; };
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
//listen-on-v6 port 53 { any; };
|
|
Adam Tkac |
98dc34 |
listen-on-v6 port 53 { ::1; };
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
/*
|
|
Adam Tkac |
98dc34 |
Access restrictions
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
There are two important options:
|
|
Adam Tkac |
98dc34 |
allow-query { argument; };
|
|
Adam Tkac |
98dc34 |
- allow queries for authoritative data
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
allow-query-cache { argument; };
|
|
Adam Tkac |
98dc34 |
- allow queries for non-authoritative data (mostly cached data)
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
You can use address, network address or keywords "any"/"localhost"/"none" as argument
|
|
Adam Tkac |
98dc34 |
Examples:
|
|
Adam Tkac |
98dc34 |
allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
|
|
Adam Tkac |
98dc34 |
allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
|
|
Adam Tkac |
98dc34 |
*/
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
allow-query { localhost; };
|
|
Adam Tkac |
98dc34 |
allow-query-cache { localhost; };
|
|
Adam Tkac |
98dc34 |
|
|
Tomas Hozza |
d0fda0 |
/* Enable/disable recursion - recursion yes/no;
|
|
Tomas Hozza |
d0fda0 |
|
|
Tomas Hozza |
d0fda0 |
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
|
|
Tomas Hozza |
d0fda0 |
- If you are building a RECURSIVE (caching) DNS server, you need to enable
|
|
Tomas Hozza |
d0fda0 |
recursion.
|
|
Tomas Hozza |
d0fda0 |
- If your recursive DNS server has a public IP address, you MUST enable access
|
|
Tomas Hozza |
d0fda0 |
control to limit queries to your legitimate users. Failing to do so will
|
|
Tomas Hozza |
d0fda0 |
cause your server to become part of large scale DNS amplification
|
|
Tomas Hozza |
d0fda0 |
attacks. Implementing BCP38 within your network would greatly
|
|
Tomas Hozza |
d0fda0 |
reduce such attack surface
|
|
Tomas Hozza |
d0fda0 |
*/
|
|
Adam Tkac |
98dc34 |
recursion yes;
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
/* Enable DNSSEC validation on recursive servers */
|
|
Adam Tkac |
98dc34 |
dnssec-validation yes;
|
|
Adam Tkac |
34adbe |
|
|
Tomas Hozza |
93a69b |
/* In Fedora we use /run/named instead of default /var/run/named
|
|
Tomas Hozza |
93a69b |
so we have to configure paths properly. */
|
|
Adam Tkac |
2043f0 |
pid-file "/run/named/named.pid";
|
|
Tomas Hozza |
93a69b |
session-keyfile "/run/named/session.key";
|
|
Tomas Hozza |
ad6dbb |
|
|
Tomas Hozza |
ad6dbb |
managed-keys-directory "/var/named/dynamic";
|
|
Tomas Hozza |
71f9fb |
|
|
Tomas Hozza |
71f9fb |
/* In Fedora we use system-wide Crypto Policy */
|
|
Tomas Hozza |
71f9fb |
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
|
|
Tomas Hozza |
71f9fb |
include "/etc/crypto-policies/back-ends/bind.config";
|
|
jvdias |
053216 |
};
|
|
Adam Tkac |
98dc34 |
|
|
jvdias |
053216 |
logging
|
|
jvdias |
053216 |
{
|
|
jvdias |
053216 |
/* If you want to enable debugging, eg. using the 'rndc trace' command,
|
|
jvdias |
053216 |
* named will try to write the 'named.run' file in the $directory (/var/named).
|
|
jvdias |
053216 |
* By default, SELinux policy does not allow named to modify the /var/named directory,
|
|
jvdias |
053216 |
* so put the default debug log file in data/ :
|
|
jvdias |
053216 |
*/
|
|
jvdias |
053216 |
channel default_debug {
|
|
jvdias |
053216 |
file "data/named.run";
|
|
jvdias |
053216 |
severity dynamic;
|
|
|
0b15f3 |
};
|
|
jvdias |
053216 |
};
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
/*
|
|
Adam Tkac |
98dc34 |
Views let a name server answer a DNS query differently depending on who is asking.
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
By default, if named.conf contains no "view" clauses, all zones are in the
|
|
Adam Tkac |
98dc34 |
"default" view, which matches all clients.
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
Views are processed sequentially. The first match is used so the last view should
|
|
Adam Tkac |
98dc34 |
match "any" - it's fallback and the most restricted view.
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
If named.conf contains any "view" clause, then all zones MUST be in a view.
|
|
Adam Tkac |
98dc34 |
*/
|
|
Adam Tkac |
98dc34 |
|
|
jvdias |
053216 |
view "localhost_resolver"
|
|
jvdias |
053216 |
{
|
|
jvdias |
053216 |
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
|
|
jvdias |
053216 |
* If all you want is a caching-only nameserver, then you need only define this view:
|
|
jvdias |
053216 |
*/
|
|
jvdias |
053216 |
match-clients { localhost; };
|
|
jvdias |
053216 |
recursion yes;
|
|
Adam Tkac |
98dc34 |
|
|
jvdias |
053216 |
# all views must contain the root hints zone:
|
|
Adam Tkac |
98dc34 |
zone "." IN {
|
|
Adam Tkac |
98dc34 |
type hint;
|
|
Adam Tkac |
98dc34 |
file "/var/named/named.ca";
|
|
Adam Tkac |
98dc34 |
};
|
|
jvdias |
053216 |
|
|
jvdias |
053216 |
/* these are zones that contain definitions for all the localhost
|
|
jvdias |
053216 |
* names and addresses, as recommended in RFC1912 - these names should
|
|
Adam Tkac |
95fd5e |
* not leak to the other nameservers:
|
|
jvdias |
053216 |
*/
|
|
jvdias |
053216 |
include "/etc/named.rfc1912.zones";
|
|
jvdias |
053216 |
};
|
|
jvdias |
053216 |
view "internal"
|
|
jvdias |
053216 |
{
|
|
jvdias |
053216 |
/* This view will contain zones you want to serve only to "internal" clients
|
|
jvdias |
053216 |
that connect via your directly attached LAN interfaces - "localnets" .
|
|
jvdias |
053216 |
*/
|
|
jvdias |
fc31cd |
match-clients { localnets; };
|
|
jvdias |
053216 |
recursion yes;
|
|
jvdias |
053216 |
|
|
Adam Tkac |
98dc34 |
zone "." IN {
|
|
Adam Tkac |
98dc34 |
type hint;
|
|
Adam Tkac |
98dc34 |
file "/var/named/named.ca";
|
|
Adam Tkac |
98dc34 |
};
|
|
Adam Tkac |
95fd5e |
|
|
Adam Tkac |
95fd5e |
/* these are zones that contain definitions for all the localhost
|
|
Adam Tkac |
95fd5e |
* names and addresses, as recommended in RFC1912 - these names should
|
|
Adam Tkac |
95fd5e |
* not leak to the other nameservers:
|
|
Adam Tkac |
95fd5e |
*/
|
|
Adam Tkac |
95fd5e |
include "/etc/named.rfc1912.zones";
|
|
|
600bfd |
|
|
jvdias |
053216 |
// These are your "authoritative" internal zones, and would probably
|
|
jvdias |
053216 |
// also be included in the "localhost_resolver" view above :
|
|
jvdias |
053216 |
|
|
Adam Tkac |
98dc34 |
/*
|
|
Adam Tkac |
98dc34 |
NOTE for dynamic DNS zones and secondary zones:
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
DO NOT USE SAME FILES IN MULTIPLE VIEWS!
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
If you are using views and DDNS/secondary zones it is strongly
|
|
Adam Tkac |
98dc34 |
recommended to read FAQ on ISC site (www.isc.org), section
|
|
Adam Tkac |
98dc34 |
"Configuration and Setup Questions", questions
|
|
Adam Tkac |
98dc34 |
"How do I share a dynamic zone between multiple views?" and
|
|
Adam Tkac |
98dc34 |
"How can I make a server a slave for both an internal and an external
|
|
Adam Tkac |
98dc34 |
view at the same time?"
|
|
Adam Tkac |
98dc34 |
*/
|
|
Adam Tkac |
98dc34 |
|
|
jvdias |
053216 |
zone "my.internal.zone" {
|
|
|
de4624 |
type primary;
|
|
jvdias |
053216 |
file "my.internal.zone.db";
|
|
jvdias |
053216 |
};
|
|
jvdias |
053216 |
zone "my.slave.internal.zone" {
|
|
|
de4624 |
type secondary;
|
|
jvdias |
053216 |
file "slaves/my.slave.internal.zone.db";
|
|
jvdias |
053216 |
masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
|
|
jvdias |
053216 |
// put slave zones in the slaves/ directory so named can update them
|
|
jvdias |
053216 |
};
|
|
jvdias |
053216 |
zone "my.ddns.internal.zone" {
|
|
|
de4624 |
type primary;
|
|
jvdias |
053216 |
allow-update { key ddns_key; };
|
|
Adam Tkac |
98dc34 |
file "dynamic/my.ddns.internal.zone.db";
|
|
jvdias |
053216 |
// put dynamically updateable zones in the slaves/ directory so named can update them
|
|
|
0b15f3 |
};
|
|
jvdias |
053216 |
};
|
|
Adam Tkac |
98dc34 |
|
|
jvdias |
053216 |
key ddns_key
|
|
jvdias |
053216 |
{
|
|
|
8b8d05 |
algorithm hmac-sha256;
|
|
|
8b8d05 |
secret "use /usr/sbin/ddns-confgen to generate TSIG keys";
|
|
jvdias |
053216 |
};
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
view "external"
|
|
jvdias |
053216 |
{
|
|
jvdias |
053216 |
/* This view will contain zones you want to serve only to "external" clients
|
|
Adam Tkac |
95fd5e |
* that have addresses that are not match any above view:
|
|
jvdias |
053216 |
*/
|
|
Adam Tkac |
95fd5e |
match-clients { any; };
|
|
jvdias |
053216 |
|
|
Adam Tkac |
98dc34 |
zone "." IN {
|
|
Adam Tkac |
98dc34 |
type hint;
|
|
Adam Tkac |
98dc34 |
file "/var/named/named.ca";
|
|
Adam Tkac |
98dc34 |
};
|
|
Adam Tkac |
98dc34 |
|
|
jvdias |
053216 |
recursion no;
|
|
jvdias |
053216 |
// you'd probably want to deny recursion to external clients, so you don't
|
|
jvdias |
053216 |
// end up providing free DNS service to all takers
|
|
jvdias |
053216 |
|
|
jvdias |
053216 |
// These are your "authoritative" external zones, and would probably
|
|
jvdias |
053216 |
// contain entries for just your web and mail servers:
|
|
jvdias |
053216 |
|
|
jvdias |
053216 |
zone "my.external.zone" {
|
|
|
de4624 |
type primary;
|
|
jvdias |
053216 |
file "my.external.zone.db";
|
|
jvdias |
053216 |
};
|
|
jvdias |
053216 |
};
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
/* Trusted keys
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
|
|
|
8b8d05 |
should configure at least one trusted key.
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
Note that no key written below is valid. Especially root key because root zone
|
|
Adam Tkac |
98dc34 |
is not signed yet.
|
|
Adam Tkac |
98dc34 |
*/
|
|
Adam Tkac |
98dc34 |
/*
|
|
|
8b8d05 |
trust-anchors {
|
|
Adam Tkac |
98dc34 |
// Root Key
|
|
|
8b8d05 |
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
|
|
|
8b8d05 |
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
|
|
|
8b8d05 |
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
|
|
|
8b8d05 |
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
|
|
|
8b8d05 |
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
|
|
|
8b8d05 |
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
|
|
|
8b8d05 |
R1AkUTV74bU=";
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
// Key for forward zone
|
|
|
8b8d05 |
example.com. static-key 257 3 8 "AwEAAZ0aqu1rJ6orJynrRfNpPmayJZoAx9Ic2/Rl9VQW
|
|
|
8b8d05 |
LMHyjxxem3VUSoNUIFXERQbj0A9Ogp0zDM9YIccKLRd6
|
|
|
8b8d05 |
LmWiDCt7UJQxVdD+heb5Ec4qlqGmyX9MDabkvX2NvMws
|
|
|
8b8d05 |
UecbYBq8oXeTT9LRmCUt9KUt/WOi6DKECxoG/bWTykrX
|
|
|
8b8d05 |
yBR8elD+SQY43OAVjlWrVltHxgp4/rhBCvRbmdflunaP
|
|
|
8b8d05 |
Igu27eE2U4myDSLT8a4A0rB5uHG4PkOa9dIRs9y00M2m
|
|
|
8b8d05 |
Wf4lyPee7vi5few2dbayHXmieGcaAHrx76NGAABeY393
|
|
|
8b8d05 |
xjlmDNcUkF1gpNWUla4fWZbbaYQzA93mLdrng+M=";
|
|
|
8b8d05 |
|
|
Adam Tkac |
98dc34 |
|
|
Adam Tkac |
98dc34 |
// Key for reverse zone.
|
|
|
8b8d05 |
2.0.192.IN-ADDRPA.NET. initial-ds 31406 8 2 "F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D";
|
|
Adam Tkac |
98dc34 |
};
|
|
Adam Tkac |
98dc34 |
*/
|