bc5dde |
bc5dde |
Sample named.conf BIND DNS server 'named' configuration file
bc5dde |
for the Red Hat BIND distribution.
bc5dde |
310562 |
See the BIND Administrator's Reference Manual (ARM) for details about the
310562 |
configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
bc5dde |
bc5dde |
bc5dde |
bc5dde |
bc5dde |
// Put files that named is allowed to write in the data/ directory:
bc5dde |
directory "/var/named"; // "Working" directory
bc5dde |
dump-file "data/cache_dump.db";
bc5dde |
statistics-file "data/named_stats.txt";
bc5dde |
memstatistics-file "data/named_mem_stats.txt";
24159a |
recursing-file "data/named.recursing";
24159a |
secroots-file "data/named.secroots";
bc5dde |
bc5dde |
bc5dde |
bc5dde |
Specify listenning interfaces. You can use list of addresses (';' is
bc5dde |
delimiter) or keywords "any"/"none"
bc5dde |
bc5dde |
//listen-on port 53 { any; };
bc5dde |
listen-on port 53 {; };
bc5dde |
bc5dde |
//listen-on-v6 port 53 { any; };
bc5dde |
listen-on-v6 port 53 { ::1; };
bc5dde |
bc5dde |
bc5dde |
Access restrictions
bc5dde |
bc5dde |
There are two important options:
bc5dde |
allow-query { argument; };
bc5dde |
- allow queries for authoritative data
bc5dde |
bc5dde |
allow-query-cache { argument; };
bc5dde |
- allow queries for non-authoritative data (mostly cached data)
bc5dde |
bc5dde |
You can use address, network address or keywords "any"/"localhost"/"none" as argument
bc5dde |
bc5dde |
allow-query { localhost;;; };
bc5dde |
allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526;; };
bc5dde |
bc5dde |
bc5dde |
allow-query { localhost; };
bc5dde |
allow-query-cache { localhost; };
bc5dde |
bc5dde |
/* Enable/disable recursion - recursion yes/no;
bc5dde |
bc5dde |
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
bc5dde |
- If you are building a RECURSIVE (caching) DNS server, you need to enable
bc5dde |
bc5dde |
- If your recursive DNS server has a public IP address, you MUST enable access
bc5dde |
control to limit queries to your legitimate users. Failing to do so will
bc5dde |
cause your server to become part of large scale DNS amplification
bc5dde |
attacks. Implementing BCP38 within your network would greatly
bc5dde |
reduce such attack surface
bc5dde |
bc5dde |
recursion yes;
bc5dde |
bc5dde |
/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
bc5dde |
bc5dde |
/* Enable serving of DNSSEC related data - enable on both authoritative
bc5dde |
and recursive servers DNSSEC aware servers */
bc5dde |
dnssec-enable yes;
bc5dde |
bc5dde |
/* Enable DNSSEC validation on recursive servers */
bc5dde |
dnssec-validation yes;
bc5dde |
fd4b48 |
/* In RHEL-7 we use /run/named instead of default /var/run/named
fd4b48 |
so we have to configure paths properly. */
bc5dde |
pid-file "/run/named/named.pid";
fd4b48 |
session-keyfile "/run/named/session.key";
bc5dde |
bc5dde |
managed-keys-directory "/var/named/dynamic";
bc5dde |
bc5dde |
bc5dde |
bc5dde |
bc5dde |
/* If you want to enable debugging, eg. using the 'rndc trace' command,
bc5dde |
* named will try to write the 'named.run' file in the $directory (/var/named).
bc5dde |
* By default, SELinux policy does not allow named to modify the /var/named directory,
bc5dde |
* so put the default debug log file in data/ :
bc5dde |
bc5dde |
channel default_debug {
bc5dde |
file "data/named.run";
bc5dde |
severity dynamic;
3ce7d3 |
bc5dde |
bc5dde |
bc5dde |
bc5dde |
Views let a name server answer a DNS query differently depending on who is asking.
bc5dde |
bc5dde |
By default, if named.conf contains no "view" clauses, all zones are in the
bc5dde |
"default" view, which matches all clients.
bc5dde |
bc5dde |
Views are processed sequentially. The first match is used so the last view should
bc5dde |
match "any" - it's fallback and the most restricted view.
bc5dde |
bc5dde |
If named.conf contains any "view" clause, then all zones MUST be in a view.
bc5dde |
bc5dde |
bc5dde |
view "localhost_resolver"
bc5dde |
bc5dde |
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
bc5dde |
* If all you want is a caching-only nameserver, then you need only define this view:
bc5dde |
bc5dde |
match-clients { localhost; };
bc5dde |
recursion yes;
bc5dde |
bc5dde |
# all views must contain the root hints zone:
bc5dde |
zone "." IN {
bc5dde |
type hint;
bc5dde |
file "/var/named/named.ca";
bc5dde |
bc5dde |
bc5dde |
/* these are zones that contain definitions for all the localhost
bc5dde |
* names and addresses, as recommended in RFC1912 - these names should
bc5dde |
* not leak to the other nameservers:
bc5dde |
bc5dde |
include "/etc/named.rfc1912.zones";
bc5dde |
bc5dde |
view "internal"
bc5dde |
bc5dde |
/* This view will contain zones you want to serve only to "internal" clients
bc5dde |
that connect via your directly attached LAN interfaces - "localnets" .
bc5dde |
bc5dde |
match-clients { localnets; };
bc5dde |
recursion yes;
bc5dde |
bc5dde |
zone "." IN {
bc5dde |
type hint;
bc5dde |
file "/var/named/named.ca";
bc5dde |
bc5dde |
bc5dde |
/* these are zones that contain definitions for all the localhost
bc5dde |
* names and addresses, as recommended in RFC1912 - these names should
bc5dde |
* not leak to the other nameservers:
bc5dde |
bc5dde |
include "/etc/named.rfc1912.zones";
bc5dde |
bc5dde |
// These are your "authoritative" internal zones, and would probably
bc5dde |
// also be included in the "localhost_resolver" view above :
bc5dde |
bc5dde |
bc5dde |
NOTE for dynamic DNS zones and secondary zones:
bc5dde |
bc5dde |
bc5dde |
bc5dde |
If you are using views and DDNS/secondary zones it is strongly
bc5dde |
recommended to read FAQ on ISC site (www.isc.org), section
bc5dde |
"Configuration and Setup Questions", questions
bc5dde |
"How do I share a dynamic zone between multiple views?" and
bc5dde |
"How can I make a server a slave for both an internal and an external
bc5dde |
view at the same time?"
bc5dde |
bc5dde |
bc5dde |
zone "my.internal.zone" {
bc5dde |
type master;
bc5dde |
file "my.internal.zone.db";
bc5dde |
bc5dde |
zone "my.slave.internal.zone" {
bc5dde |
type slave;
bc5dde |
file "slaves/my.slave.internal.zone.db";
bc5dde |
masters { /* put master nameserver IPs here */; } ;
bc5dde |
// put slave zones in the slaves/ directory so named can update them
bc5dde |
bc5dde |
zone "my.ddns.internal.zone" {
bc5dde |
type master;
bc5dde |
allow-update { key ddns_key; };
bc5dde |
file "dynamic/my.ddns.internal.zone.db";
bc5dde |
// put dynamically updateable zones in the slaves/ directory so named can update them
3ce7d3 |
bc5dde |
bc5dde |
bc5dde |
key ddns_key
bc5dde |
bc5dde |
algorithm hmac-md5;
bc5dde |
secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
bc5dde |
bc5dde |
bc5dde |
view "external"
bc5dde |
bc5dde |
/* This view will contain zones you want to serve only to "external" clients
bc5dde |
* that have addresses that are not match any above view:
bc5dde |
bc5dde |
match-clients { any; };
bc5dde |
bc5dde |
zone "." IN {
bc5dde |
type hint;
bc5dde |
file "/var/named/named.ca";
bc5dde |
bc5dde |
bc5dde |
recursion no;
bc5dde |
// you'd probably want to deny recursion to external clients, so you don't
bc5dde |
// end up providing free DNS service to all takers
bc5dde |
bc5dde |
// These are your "authoritative" external zones, and would probably
bc5dde |
// contain entries for just your web and mail servers:
bc5dde |
bc5dde |
zone "my.external.zone" {
bc5dde |
type master;
bc5dde |
file "my.external.zone.db";
bc5dde |
bc5dde |
bc5dde |
bc5dde |
/* Trusted keys
bc5dde |
bc5dde |
This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
bc5dde |
have to configure at least one trusted key.
bc5dde |
bc5dde |
Note that no key written below is valid. Especially root key because root zone
bc5dde |
is not signed yet.
bc5dde |
bc5dde |
bc5dde |
trusted-keys {
bc5dde |
// Root Key
bc5dde |
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
bc5dde |
bc5dde |
bc5dde |
bc5dde |
bc5dde |
bc5dde |
bc5dde |
bc5dde |
// Key for forward zone
bc5dde |
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
bc5dde |
bc5dde |
OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
bc5dde |
bc5dde |
bc5dde |
iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
bc5dde |
bc5dde |
bc5dde |
// Key for reverse zone.
bc5dde |
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
bc5dde |
bc5dde |
tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
bc5dde |
bc5dde |
4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
bc5dde |
bc5dde |
bc5dde |
bc5dde |
bc5dde |