/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.

 See the BIND Administrator's Reference Manual (ARM) for details, in:
   file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
 Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
 its manual.
*/
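options
{
	// Put files that named is allowed to write in the data/ directory:
	directory		"/var/named";		// "Working" directory
	dump-file		"data/cache_dump.db";
	statistics-file		"data/named_stats.txt";
	memstatistics-file	"data/named_mem_stats.txt";
	secroots-file		"data/named.secroots";
	recursing-file		"data/named.recursing";

	/*
	  Specify listening interfaces. You can use a list of addresses (';' is
	  the delimiter) or the keywords "any"/"none".
	*/
	//listen-on port 53	{ any; };
	listen-on port 53	{ 127.0.0.1; };

	//listen-on-v6 port 53	{ any; };
	listen-on-v6 port 53	{ ::1; };

	/*
	  Access restrictions

	  There are two important options:
	    allow-query { argument; };
	      - allow queries for authoritative data

	    allow-query-cache { argument; };
	      - allow queries for non-authoritative data (mostly cached data)

	  You can use an address, a network address or the keywords
	  "any"/"localhost"/"none" as argument. The prefix length must match the
	  address you write: 192.168.1.0/24 is the 192.168.1.x LAN, whereas
	  192.168.1.0/8 would admit all of 192.0.0.0/8.
	  Examples:
	    allow-query { localhost; 10.0.0.1; 192.168.1.0/24; };
	    allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };

	  The values set here are inherited by every view and zone below that does
	  not set its own. A view that matches a wider set of clients than
	  "localhost" must override them, otherwise those clients are REFUSED.
	*/
	allow-query		{ localhost; };
	allow-query-cache	{ localhost; };
	// allow-recursion is not set; named derives its default from
	// allow-query-cache, so recursive service is limited the same way.

	/* Enable/disable recursion - recursion yes/no;

	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	 */
	recursion yes;

	/* DNSSEC related options. See information about keys ("Trusted keys", below) */

	/* Enable serving of DNSSEC related data - enable on both authoritative
	   and recursive DNSSEC-aware servers.
	   NOTE: newer BIND releases treat dnssec-enable as obsolete (DNSSEC data is
	   always served); check the ARM for your version before relying on it. */
	dnssec-enable yes;

	/* Enable DNSSEC validation on recursive servers.
	   "auto" uses named's built-in root trust anchor, maintained in
	   managed-keys-directory below. "yes" validates only against trust anchors
	   configured explicitly (trusted-keys/managed-keys), and this file ships
	   none - the "Trusted keys" block at the end is commented out - so "yes"
	   would leave validation without any anchor. */
	dnssec-validation auto;

	/* In Fedora we use /run/named instead of default /var/run/named
	   so we have to configure paths properly. */
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	managed-keys-directory "/var/named/dynamic";

	/* In Fedora we use system-wide Crypto Policy */
	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
	include "/etc/crypto-policies/back-ends/bind.config";
};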
logging
{
	// Debugging (e.g. via 'rndc trace') makes named write 'named.run' into
	// $directory (/var/named). SELinux policy does not let named modify
	// /var/named itself, so the default debug channel is pointed at the
	// writable data/ directory instead.
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
/*
 Views let a name server answer a DNS query differently depending on who is asking.

 By default, if named.conf contains no "view" clauses, all zones are in the
 "default" view, which matches all clients.

 Views are processed sequentially. The first match is used, so the last view should
 match "any" - it is the fallback and the most restricted view.

 If named.conf contains any "view" clause, then all zones MUST be in a view.
*/
view "localhost_resolver"
{
	// Caching-only resolver for the local machine. If a localhost resolver is
	// all you need, this is the only view you have to define.
	match-clients		{ localhost; };
	recursion yes;

	// Root hints - every view is expected to carry this zone so named knows
	// where resolution starts.
	zone "." IN {
		type hint;
		file "/var/named/named.ca";
	};

	// Localhost forward/reverse zones (RFC 1912), served locally so these
	// names never leak to other nameservers.
	include "/etc/named.rfc1912.zones";
};
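view "internal"
{
	/* This view will contain zones you want to serve only to "internal" clients
	   that connect via your directly attached LAN interfaces - "localnets".
	 */
	match-clients		{ localnets; };
	recursion yes;

	/* The options block restricts allow-query and allow-query-cache to
	   localhost, and a view inherits those values unless it sets its own.
	   Without the two lines below, the LAN clients this view matches would be
	   REFUSED. Keep them aligned with match-clients; allow-recursion follows
	   allow-query-cache by default, so recursion stays limited to the LAN. */
	allow-query		{ localnets; };
	allow-query-cache	{ localnets; };

	zone "." IN {
		type hint;
		file "/var/named/named.ca";
	};

	/* these are zones that contain definitions for all the localhost
	 * names and addresses, as recommended in RFC1912 - these names should
	 * not leak to the other nameservers:
	 */
	include "/etc/named.rfc1912.zones";

	// These are your "authoritative" internal zones, and would probably
	// also be included in the "localhost_resolver" view above :

	/*
	  NOTE for dynamic DNS zones and secondary zones:

	  DO NOT USE SAME FILES IN MULTIPLE VIEWS!

	  If you are using views and DDNS/secondary zones it is strongly
	  recommended to read the FAQ on the ISC site (www.isc.org), section
	  "Configuration and Setup Questions", questions
	  "How do I share a dynamic zone between multiple views?" and
	  "How can I make a server a slave for both an internal and an external
	   view at the same time?"
	*/

	zone "my.internal.zone" {
		type master;
		file "my.internal.zone.db";
	};
	zone "my.slave.internal.zone" {
		type slave;
		file "slaves/my.slave.internal.zone.db";
		masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
		// put slave zones in the slaves/ directory so named can update them
	};
	zone "my.ddns.internal.zone" {
		type master;
		// Updates are accepted only when signed with ddns_key (TSIG), never
		// on the basis of the sender's address alone.
		allow-update { key ddns_key; };
		file "dynamic/my.ddns.internal.zone.db";
		// put dynamically updateable zones in the dynamic/ directory so named
		// can update them (the zone file and its journal are written there)
	};
};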
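key ddns_key
{
	// hmac-md5 (the historical default) is deprecated for TSIG; use a SHA-2
	// algorithm for new keys. The secret must be the base64 string emitted by
	// the key generator - the placeholder below is not valid base64 and named
	// cannot decode it, so replace it before relying on this key. Current BIND
	// also ships `tsig-keygen`, which prints a complete key statement to paste.
	algorithm hmac-sha256;
	secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
};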
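view "external"
{
	/* This view will contain zones you want to serve only to "external" clients
	 * whose addresses do not match any of the views above:
	 */
	match-clients		{ any; };

	/* The options block restricts allow-query to localhost and views inherit
	   that value, so without this override the authoritative zones in this
	   view would be REFUSED to the very clients it exists for. The inherited
	   allow-query-cache { localhost; } is left alone on purpose: together with
	   "recursion no" it keeps cached data away from the Internet. */
	allow-query		{ any; };

	/* Unless restricted, BIND's default allow-transfer permits AXFR from any
	   address. Lock it down here and list your secondaries (by address or,
	   better, by TSIG key) when you have some. */
	allow-transfer		{ none; };

	zone "." IN {
		type hint;
		file "/var/named/named.ca";
	};

	// Deny recursion to external clients, so you don't end up providing
	// free DNS service to all takers (and an amplification vector).
	recursion no;

	// These are your "authoritative" external zones, and would probably
	// contain entries for just your web and mail servers:

	zone "my.external.zone" {
		type master;
		file "my.external.zone.db";
	};
};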
/* Trusted keys

  This statement contains DNSSEC keys. If you want a DNSSEC-aware resolver you
  have to configure at least one trusted key.

  Note that none of the keys written below is valid, especially the root key,
  because the root zone is not signed yet.
*/
/*
trusted-keys {
// Root Key
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
             E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
             zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
             MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
             /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
             iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
             Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";

// Key for forward zone
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
                      OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
                      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
                      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
                      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
                      SCThlHf3xiYleDbt/o1OTQ09A0=";

// Key for reverse zone.
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
                                tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
                                yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
                                4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
                                zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
                                7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
                                52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
};
*/