diff options
Diffstat (limited to 'named.conf.sample')
| -rw-r--r-- | named.conf.sample | 243 |
1 files changed, 243 insertions, 0 deletions
diff --git a/named.conf.sample b/named.conf.sample new file mode 100644 index 0000000..d2ce6dd --- /dev/null +++ b/named.conf.sample @@ -0,0 +1,243 @@ +/* + Sample named.conf BIND DNS server 'named' configuration file + for the Red Hat BIND distribution. + + See the BIND Administrator's Reference Manual (ARM) for details, in: + file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html + Also see the BIND Configuration GUI : /usr/bin/system-config-bind and + its manual. +*/ + +options +{ + // Put files that named is allowed to write in the data/ directory: + directory "/var/named"; // "Working" directory + dump-file "data/cache_dump.db"; + statistics-file "data/named_stats.txt"; + memstatistics-file "data/named_mem_stats.txt"; + secroots-file "data/named.secroots"; + recursing-file "data/named.recursing"; + + + /* + Specify listenning interfaces. You can use list of addresses (';' is + delimiter) or keywords "any"/"none" + */ + //listen-on port 53 { any; }; + listen-on port 53 { 127.0.0.1; }; + + //listen-on-v6 port 53 { any; }; + listen-on-v6 port 53 { ::1; }; + + /* + Access restrictions + + There are two important options: + allow-query { argument; }; + - allow queries for authoritative data + + allow-query-cache { argument; }; + - allow queries for non-authoritative data (mostly cached data) + + You can use address, network address or keywords "any"/"localhost"/"none" as argument + Examples: + allow-query { localhost; 10.0.0.1; 192.168.1.0/8; }; + allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; }; + */ + + allow-query { localhost; }; + allow-query-cache { localhost; }; + + /* Enable/disable recursion - recursion yes/no; + + - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. + - If you are building a RECURSIVE (caching) DNS server, you need to enable + recursion. + - If your recursive DNS server has a public IP address, you MUST enable access + control to limit queries to your legitimate users. Failing to do so will + cause your server to become part of large scale DNS amplification + attacks. Implementing BCP38 within your network would greatly + reduce such attack surface + */ + recursion yes; + + /* DNSSEC related options. See information about keys ("Trusted keys", bellow) */ + + /* Enable DNSSEC validation on recursive servers */ + dnssec-validation yes; + + /* In Fedora we use /run/named instead of default /var/run/named + so we have to configure paths properly. */ + pid-file "/run/named/named.pid"; + session-keyfile "/run/named/session.key"; + + managed-keys-directory "/var/named/dynamic"; + + /* In Fedora we use system-wide Crypto Policy */ + /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ + include "/etc/crypto-policies/back-ends/bind.config"; +}; + +logging +{ +/* If you want to enable debugging, eg. using the 'rndc trace' command, + * named will try to write the 'named.run' file in the $directory (/var/named). + * By default, SELinux policy does not allow named to modify the /var/named directory, + * so put the default debug log file in data/ : + */ + channel default_debug { + file "data/named.run"; + severity dynamic; + }; +}; + +/* + Views let a name server answer a DNS query differently depending on who is asking. + + By default, if named.conf contains no "view" clauses, all zones are in the + "default" view, which matches all clients. + + Views are processed sequentially. The first match is used so the last view should + match "any" - it's fallback and the most restricted view. + + If named.conf contains any "view" clause, then all zones MUST be in a view. +*/ + +view "localhost_resolver" +{ +/* This view sets up named to be a localhost resolver ( caching only nameserver ). + * If all you want is a caching-only nameserver, then you need only define this view: + */ + match-clients { localhost; }; + recursion yes; + + # all views must contain the root hints zone: + zone "." IN { + type hint; + file "/var/named/named.ca"; + }; + + /* these are zones that contain definitions for all the localhost + * names and addresses, as recommended in RFC1912 - these names should + * not leak to the other nameservers: + */ + include "/etc/named.rfc1912.zones"; +}; +view "internal" +{ +/* This view will contain zones you want to serve only to "internal" clients + that connect via your directly attached LAN interfaces - "localnets" . + */ + match-clients { localnets; }; + recursion yes; + + zone "." IN { + type hint; + file "/var/named/named.ca"; + }; + + /* these are zones that contain definitions for all the localhost + * names and addresses, as recommended in RFC1912 - these names should + * not leak to the other nameservers: + */ + include "/etc/named.rfc1912.zones"; + + // These are your "authoritative" internal zones, and would probably + // also be included in the "localhost_resolver" view above : + + /* + NOTE for dynamic DNS zones and secondary zones: + + DO NOT USE SAME FILES IN MULTIPLE VIEWS! + + If you are using views and DDNS/secondary zones it is strongly + recommended to read FAQ on ISC site (www.isc.org), section + "Configuration and Setup Questions", questions + "How do I share a dynamic zone between multiple views?" and + "How can I make a server a slave for both an internal and an external + view at the same time?" + */ + + zone "my.internal.zone" { + type master; + file "my.internal.zone.db"; + }; + zone "my.slave.internal.zone" { + type slave; + file "slaves/my.slave.internal.zone.db"; + masters { /* put master nameserver IPs here */ 127.0.0.1; } ; + // put slave zones in the slaves/ directory so named can update them + }; + zone "my.ddns.internal.zone" { + type master; + allow-update { key ddns_key; }; + file "dynamic/my.ddns.internal.zone.db"; + // put dynamically updateable zones in the slaves/ directory so named can update them + }; +}; + +key ddns_key +{ + algorithm hmac-sha256; + secret "use /usr/sbin/ddns-confgen to generate TSIG keys"; +}; + +view "external" +{ +/* This view will contain zones you want to serve only to "external" clients + * that have addresses that are not match any above view: + */ + match-clients { any; }; + + zone "." IN { + type hint; + file "/var/named/named.ca"; + }; + + recursion no; + // you'd probably want to deny recursion to external clients, so you don't + // end up providing free DNS service to all takers + + // These are your "authoritative" external zones, and would probably + // contain entries for just your web and mail servers: + + zone "my.external.zone" { + type master; + file "my.external.zone.db"; + }; +}; + +/* Trusted keys + + This statement contains DNSSEC keys. If you want DNSSEC aware resolver you + should configure at least one trusted key. + + Note that no key written below is valid. Especially root key because root zone + is not signed yet. +*/ +/* +trust-anchors { +// Root Key +. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 + +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv + ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF + 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e + oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd + RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN + R1AkUTV74bU="; + +// Key for forward zone +example.com. static-key 257 3 8 "AwEAAZ0aqu1rJ6orJynrRfNpPmayJZoAx9Ic2/Rl9VQW + LMHyjxxem3VUSoNUIFXERQbj0A9Ogp0zDM9YIccKLRd6 + LmWiDCt7UJQxVdD+heb5Ec4qlqGmyX9MDabkvX2NvMws + UecbYBq8oXeTT9LRmCUt9KUt/WOi6DKECxoG/bWTykrX + yBR8elD+SQY43OAVjlWrVltHxgp4/rhBCvRbmdflunaP + Igu27eE2U4myDSLT8a4A0rB5uHG4PkOa9dIRs9y00M2m + Wf4lyPee7vi5few2dbayHXmieGcaAHrx76NGAABeY393 + xjlmDNcUkF1gpNWUla4fWZbbaYQzA93mLdrng+M="; + + +// Key for reverse zone. +2.0.192.IN-ADDRPA.NET. initial-ds 31406 8 2 "F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D"; +}; +*/ |