// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind-9.*/ for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with simple mistakes,
// you can break connectivity for affected parties, or cause huge amounts of
// useless Internet traffic.

options {
	// All file and path names are relative to the chroot directory, if
	// any, and should be fully qualified.
	directory "/var/bind";
	pid-file "/var/run/named/named.pid";

	// If you have IPv6 enabled on this system, uncomment this option for use as a
	// local resolver. To give access to the network, specify an IPv6 address (use
	// '::1' for IPv6 localhost), or the keyword 'any', or use 'none' for no IPv6.
	listen-on-v6 { "none"; };

	// If named is being used only as a local resolver, this is a safe default. For
	// named to be accessible to the network, comment this option, specify the
	// proper IP address, or delete this option.
	// NOTE(review): several protections below (the commented allow-query, the
	// network-facing "public" view) rely on this loopback-only listener; review
	// them together if this is ever widened.
	listen-on { 127.0.0.1; };

	// If you've got a DNS server around at your upstream provider, enter its
	// IP address here, and enable the line below. This will make you benefit
	// from its cache, thus reduce overall DNS traffic in the Internet.
	//
	// Uncomment the following lines to turn on DNS forwarding, and change
	// and/or update the forwarding ip address(es):
	/*
	forwarders {
		123.123.123.123;	// Your ISP NS
		124.124.124.124;	// Your ISP NS
		4.2.2.1;		// Level3 Public DNS
		4.2.2.2;		// Level3 Public DNS
		8.8.8.8;		// Google Open DNS
		8.8.4.4;		// Google Open DNS
	};
	*/

	// If the 'forwarders' clause is not empty the default is to 'forward first'
	// which will fall back to sending a query from your local server if the name
	// servers in 'forwarders' do not have the answer. Alternatively you can
	// force your name server to never initiate queries of its own by enabling the
	// following line:
	// forward only;

	// These zones are already covered by the empty zones listed below.
	// If you remove the related empty zones below, comment these lines
	// out.
	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

	// Usage of this DNS server limited to members of:
	// NOTE(review): while this clause stays commented out, BIND's default is to
	// accept queries from any client; that is only harmless here because
	// listen-on above is loopback-only. Enable it if listen-on is widened.
	/*
	allow-query {
		127.0.0.0/8;
		::1/128;
	};
	*/

	// Global notification
	/*
	also-notify {
		12.34.56.78;
	};
	*/

	// Zone transfers limited to members of:
	// (with the ACLs as defined below this means localhost only; "xfer" is
	// "none" and "trusted" is 127.0.0.0/8 and ::1/128)
	allow-transfer {
		"xfer";		// "xfer" ACL (see below)
		"trusted";	// "trusted" ACL (see below)
	};

	// Limit which client can use recursion to members of:
	// Applies to every view that does not override it, including "public".
	allow-recursion {
		"trusted";	// "trusted" ACL (see below)
	};

	// Deny anything from the bogon networks as detailed in the "bogon" ACL.
	// NOTE(review): blackhole drops matching packets without any response, so a
	// stale prefix in "bogon" is hard to diagnose from the client side; verify
	// that ACL against the current IANA registry before exposing this server.
	blackhole {
		"bogon";	// "bogon" ACL (see below)
	};

	// Turn on dnssec awareness
	// NOTE(review): 'dnssec-enable' has been removed from recent BIND 9 releases;
	// validation is controlled by 'dnssec-validation' there. Check named.conf(5)
	// for the installed version before uncommenting.
	// dnssec-enable yes;

	/*
	Modern versions of BIND use a random UDP port for each outgoing query by
	default in order to dramatically reduce the possibility of cache poisoning.
	All users are strongly encouraged to utilize this feature, and to configure
	their firewalls to accommodate it.

	AS A LAST RESORT in order to get around a restrictive firewall policy you
	can try enabling the option below. Use of this option will significantly
	reduce your ability to withstand cache poisoning attacks, and should be
	avoided if at all possible.

	Replace NNNNN in the example with a number between 49160 and 65530.
	*/
	// query-source address * port NNNNN;
};

// The rndc control key lives in its own file; anyone able to read it can drive
// the server through rndc, so keep that file readable by named only.
include "/etc/bind/rndc.key";
controls {
	// NOTE(review): the channel listens on 127.0.0.1 only, so the ::1/128
	// entry in 'allow' never matches unless a second 'inet ::1' line is added.
	inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

// If you need logging with BIND then enable the sections below and change to
// fit your logging requirements.
/*
logging {
	// Logging channels
	channel file_query_log {
		file "/var/log/named/query.log" versions 5 size 50M;
		severity info;
		print-time yes;
		print-severity yes;
	};

	channel file_bind_log {
		file "/var/log/named/bind.log" versions 20 size 50M;
		severity info;
		print-time yes;
		print-category yes;
		print-severity yes;
	};

	// Common Logging Categories
	category default {
		// Options for those categories where no specific
		// configuration has been defined.
		file_bind_log;
	};
	category config {
		// Configuration file parsing and processing.
		file_bind_log;
	};
	category queries {
		// Short query logging.
		// NOTE(review): this records every client query; on a busy
		// server it fills the 5 x 50M rotation quickly and contains
		// per-client browsing data, so treat the file accordingly.
		file_query_log;
	};
	category lame-servers {
		// These are misconfigurations in remote servers,
		// discovered by the BIND name server when trying
		// to query those servers during resolution.
		null;
	};
	category update {
		// Dynamic updates.
		file_bind_log;
	};
	category xfer-in {
		// Zone transfers the server is receiving.
		file_bind_log;
	};
	category xfer-out {
		// Zone transfers the server is sending.
		file_bind_log;
	};
	category security {
		// Approval and denial of requests.
		// This is where refused recursion, transfer and update
		// attempts appear - the most useful category for detection.
		file_bind_log;
	};

	// Logging Categories for BIND 9 only
	category client {
		// Processing of client requests.
		file_bind_log;
	};
	category database {
		// Messages relating to the databases used
		// internally by the name server to store
		// zone and cache data.
		file_bind_log;
	};
	category dispatch {
		// Dispatching of incoming packets to the
		// server modules where they are to be processed.
		file_bind_log;
	};
	category dnssec {
		// DNSSEC and TSIG protocol processing.
		file_bind_log;
	};
	category general {
		// The catch-all.
		file_bind_log;
	};
	category network {
		// Network operations.
		file_bind_log;
	};
	category resolver {
		// DNS resolution, such as the recursive lookups
		// performed on behalf of clients by a caching
		// name server.
		file_bind_log;
	};
	category unmatched {
		// Messages that named was unable to determine
		// the class of or for which there was no matching
		// view. A one line summary is also logged to the
		// client category.
		file_bind_log;
	};
};
*/

// BIND acl (Access Control List) clause available in BIND 9.x. The 'acl'
// clause allows fine-grained control over what hosts or users may perform
// what operations on the name server.
acl "bogon" {
	/* Filter out the bogon networks. These are networks
	   listed by IANA as test, RFC1918, Multicast, experimental, etc.
	   If you see DNS queries or updates with a source address within
	   these networks, this is likely of malicious origin.
	   CAUTION: If you are using RFC1918 netblocks on your network,
	   remove those netblocks from this list of blackhole ACLs!

	   For a full list visit:
	   http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

	   NOTE(review): this list is stale. 1.0.0.0/8 and 2.0.0.0/8 have
	   long since been allocated by IANA and carry ordinary user and
	   resolver traffic, so blackholing them drops legitimate clients.
	   240.0.0.0/4 is already contained in 224.0.0.0/3. Re-check every
	   prefix against the registry above before using this ACL in
	   'blackhole'.
	*/
	0.0.0.0/8;
	1.0.0.0/8;
	2.0.0.0/8;
	10.0.0.0/8;
	169.254.0.0/16;
	172.16.0.0/12;
	192.0.2.0/24;
	192.168.0.0/16;
	224.0.0.0/3;
	240.0.0.0/4;
};

acl "xfer" {
	/* Allow no transfers. If we have other
	   name servers, place them here.
	*/
	// 127.0.0.1/32;
	// ::1/128;
	"none";
};

// Localhost only. Both 'allow-recursion' and 'allow-transfer' in options
// reference this ACL, so widening it widens both at once.
acl "trusted" {
	127.0.0.0/8;
	::1/128;
};

/* Example of a RFC1918 network range
acl "mylocalnet" {
	192.168.0.0/24;
};
*/

// If you enable a local name server, don't forget to enter 127.0.0.1 first in
// your /etc/resolv.conf so this server will be queried. Also, make sure to
// enable it at startup: rc-update add named default

// Example of an internal/restricted view
view "internal" {
	// Allow only trusted clients to use the internal view.
	// Views are matched in order: localhost clients land here, everything
	// else falls through to the "public" view below.
	match-clients { "trusted"; };

	// The traditional root hints mechanism. Use this, OR the slave zones below.
	zone "." IN {
		type hint;
		file "named.cache";
	};

	/* Slaving the following zones from the root name servers has some
	   significant advantages:
	   1. Faster local resolution for your users
	   2. No spurious traffic will be sent from your network to the roots
	   3. Greater resilience to any potential root server failure/DDoS

	   On the other hand, this method requires more monitoring than the
	   hints file to be sure that an unexpected failure mode has not
	   incapacitated your server. Name servers that are serving a lot
	   of clients will benefit more from this approach than individual
	   hosts. Use with caution.

	   To use this mechanism, uncomment the entries below, and comment
	   the hint zone above.
	*/
	/*
	zone "." IN {
		type slave;
		file "sec/root.zone";
		masters {
			192.5.5.241;	// F.ROOT-SERVERS.NET.
		};
		notify no;
	};
	zone "arpa" IN {
		type slave;
		file "sec/arpa.zone";
		masters {
			192.5.5.241;	// F.ROOT-SERVERS.NET.
		};
		notify no;
	};
	zone "in-addr.arpa" IN {
		type slave;
		file "sec/in-addr.arpa.zone";
		masters {
			192.5.5.241;	// F.ROOT-SERVERS.NET.
		};
		notify no;
	};
	*/

	/* Serving the following zones locally will prevent any queries
	   for these zones leaving your network and going to the root
	   name servers. This has two significant advantages:
	   1. Faster local resolution for your users
	   2. No spurious traffic will be sent from your network to the roots
	*/
	// RFC 1912 (and BCP 32 for localhost)
	zone "localhost" IN {
		type master;
		file "pri/localhost.zone";
	};
	zone "127.in-addr.arpa" IN {
		type master;
		file "pri/127.zone";
	};
	zone "255.in-addr.arpa" IN {
		type master;
		file "pri/empty.zone";
	};

	// RFC 1912-style zone for IPv6 localhost address
	zone "0.ip6.arpa" IN {
		type master;
		file "pri/127.zone";
	};

	// "This" Network (RFCs 1912 and 3330)
	zone "0.in-addr.arpa" IN {
		type master;
		file "pri/empty.zone";
	};

	// Private Use Networks (RFC 1918)
	zone "10.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "16.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "17.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "18.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "19.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "20.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "21.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "22.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "23.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "24.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "25.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "26.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "27.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "28.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "29.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "30.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "31.172.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "168.192.in-addr.arpa" IN { type master; file "pri/empty.zone"; };

	// Link-local/APIPA (RFCs 3330 and 3927)
	zone "254.169.in-addr.arpa" IN { type master; file "pri/empty.zone"; };

	// TEST-NET-[1-3] for Documentation (RFC 5737)
	zone "2.0.192.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "100.51.198.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "113.0.203.in-addr.arpa" IN { type master; file "pri/empty.zone"; };

	// IPv6 Range for Documentation (RFC 3849)
	zone "0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" IN { type master; file "pri/empty.zone"; };

	// Domain Names for Documentation and Testing (BCP 32)
	zone "test" IN { type master; file "pri/empty.zone"; };
	zone "example" IN { type master; file "pri/empty.zone"; };
	zone "invalid" IN { type master; file "pri/empty.zone"; };
	zone "example.com" IN { type master; file "pri/empty.zone"; };
	zone "example.net" IN { type master; file "pri/empty.zone"; };
	zone "example.org" IN { type master; file "pri/empty.zone"; };

	// Router Benchmark Testing (RFC 3330)
	zone "18.198.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "19.198.in-addr.arpa" IN { type master; file "pri/empty.zone"; };

	// IANA Reserved - Old Class E Space
	zone "240.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "241.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "242.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "243.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "244.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "245.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "246.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "247.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "248.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "249.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "250.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "251.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "252.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "253.in-addr.arpa" IN { type master; file "pri/empty.zone"; };
	zone "254.in-addr.arpa" IN { type master; file "pri/empty.zone"; };

	// IPv6 Unassigned Addresses (RFC 4291)
	zone "1.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "3.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "4.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "5.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "6.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "7.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "8.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "9.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "a.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "b.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "c.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "d.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "e.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "0.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "1.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "2.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "3.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "4.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "5.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "6.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "7.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "8.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "9.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "a.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "b.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "0.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "1.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "2.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "3.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "4.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "5.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "6.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "7.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };

	// IPv6 ULA (RFC 4193)
	zone "c.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "d.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };

	// IPv6 Link Local (RFC 4291)
	zone "8.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "9.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "a.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "b.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };

	// IPv6 Deprecated Site-Local Addresses (RFC 3879)
	zone "c.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "d.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "e.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };
	zone "f.e.f.ip6.arpa" IN { type master; file "pri/empty.zone"; };

	// IP6.INT is Deprecated (RFC 4159)
	zone "ip6.int" IN { type master; file "pri/empty.zone"; };

	/* Briefly, a zone which has been declared delegation-only will be effectively
	   limited to containing NS RRs for subdomains, but no actual data beyond its
	   own apex (for example, its SOA RR and apex NS RRset). This can be used to
	   filter out "wildcard" or "synthesized" data from NAT boxes or from
	   authoritative name servers whose undelegated (in-zone) data is of no
	   interest.
	   See http://www.isc.org/products/BIND/delegation-only.html for more info
	*/
	//zone "COM" IN { type delegation-only; };
	//zone "NET" IN { type delegation-only; };

	// NB: Do not use the IP addresses below, they are faked, and only
	// serve demonstration/documentation purposes!
	//
	// Example slave zone config entries. It can be convenient to become a
	// slave at least for the zone your own domain is in. Ask your network
	// administrator for the IP address of the responsible master name
	// server.
	//
	// Do not forget to include the reverse lookup zone!
	// This is named after the first bytes of the IP address, in reverse
	// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
	//
	// Before starting to set up a master zone, make sure you fully
	// understand how DNS and BIND work. There are sometimes non-obvious
	// pitfalls. Setting up a slave zone is usually simpler.
	//
	// NB: Don't blindly enable the examples below. :-) Use actual names
	// and addresses instead.

	/* Example of a dynamic zone

	   NOTE(review): hmac-md5 is kept here only because this example
	   predates its deprecation; for a real TSIG key use hmac-sha256 or
	   stronger, generate a fresh secret with tsig-keygen instead of
	   reusing a published one, and store the key statement in a
	   separate file readable by named only (like rndc.key above).
	   Whoever holds the secret can rewrite the zone through
	   allow-update. The same applies to the example in view "public".

	key "mynetlocalkey" {
		algorithm hmac-md5;
		secret "X+rpTqYj1RhAqamJqQEkqA==";
	};
	zone "mynet.local" IN {
		type master;
		allow-update { key "mynetlocalkey"; };
		file "pri/mynet.local.zone";
	};
	*/

	/* Example of a primary zone
	zone "mynet.local" IN {
		type master;
		allow-update { "none"; };
		file "pri/mynet.local.zone";
	};
	*/

	/* Example of a slave reverse zone
	zone "1.168.192.in-addr.arpa" IN {
		type slave;
		masters { 192.168.1.1; };
		file "sec/1.168.192.in-addr.arpa.zone";
	};
	*/
};

// Example of a public view
// NOTE(review): this view matches every client not caught by "internal" but
// defines only the root hints. Recursion for those clients is still refused by
// the global 'allow-recursion { "trusted"; }' in options, so it answers
// nothing useful until authoritative zones are added here; with the loopback
// 'listen-on' it is unreachable from the network anyway.
view "public" {
	match-clients { "any"; };

	zone "." IN {
		type hint;
		file "named.cache";
	};

	// NB: Do not use the IP addresses below, they are faked, and only
	// serve demonstration/documentation purposes!
	//
	// Example slave zone config entries. It can be convenient to become a
	// slave at least for the zone your own domain is in. Ask your network
	// administrator for the IP address of the responsible master name
	// server.
	//
	// Do not forget to include the reverse lookup zone!
	// This is named after the first bytes of the IP address, in reverse
	// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
	//
	// Before starting to set up a master zone, make sure you fully
	// understand how DNS and BIND work. There are sometimes non-obvious
	// pitfalls. Setting up a slave zone is usually simpler.
	//
	// NB: Don't blindly enable the examples below. :-) Use actual names
	// and addresses instead.

	/* Example of a dynamic zone
	   (see the key-handling note on the matching example in view
	   "internal": prefer hmac-sha256, a freshly generated secret, and a
	   separately protected key file)
	key "mydomainkey" {
		algorithm hmac-md5;
		secret "oxSW0LFJsazS0P5ezVnQ2A==";
	};
	zone "mydomain.com" IN {
		type master;
		allow-update { key "mydomainkey"; };
		file "pri/mydomain.com.zone";
	};
	*/

	/* Example of a primary zone
	zone "mydomain.com" IN {
		type master;
		allow-update { "none"; };
		file "pri/mydomain.com.zone";
	};
	*/

	/* Example of a slave reverse zone
	zone "56.34.12.in-addr.arpa" IN {
		type slave;
		masters { 12.34.56.78; };
		file "sec/56.34.12.in-addr.arpa.zone";
	};
	*/
};