/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.

 See the BIND Administrator's Reference Manual (ARM) for details about the
 configuration, located in /usr/share/doc/bind-{version}/Bv9ARM.html
*/
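options
{
	// Put files that named is allowed to write in the data/ directory:
	directory 		"/var/named";		// "Working" directory
	dump-file 		"data/cache_dump.db";
	statistics-file 	"data/named_stats.txt";
	memstatistics-file 	"data/named_mem_stats.txt";
	recursing-file		"data/named.recursing";
	secroots-file		"data/named.secroots";

	/*
	  Specify listening interfaces. You can use a list of addresses (';' is
	  the delimiter) or the keywords "any"/"none".

	  The defaults below bind to loopback only. The "internal" and "external"
	  views further down can only be reached once named also listens on the
	  interfaces those clients use.
	*/
	//listen-on port 53	{ any; };
	listen-on port 53	{ 127.0.0.1; };

	//listen-on-v6 port 53	{ any; };
	listen-on-v6 port 53	{ ::1; };

	/*
	  Access restrictions

	  There are two important options:
	    allow-query { argument; };
	      - allow queries for authoritative data

	    allow-query-cache { argument; };
	      - allow queries for non-authoritative data (mostly cached data)

	  You can use an address, a network address or the keywords
	  "any"/"localhost"/"none" as argument.
	  Examples:
	    allow-query { localhost; 10.0.0.1; 192.168.1.0/24; };
	    allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };

	  Values set here are the defaults for every view and zone that does not
	  set its own. A view meant for a wider audience than localhost must
	  override them explicitly, otherwise clients that match the view are
	  still refused.
	*/

	allow-query		{ localhost; };
	allow-query-cache	{ localhost; };

	/*
	  Zone transfers (AXFR/IXFR) are allowed to all hosts when allow-transfer
	  is not specified, which hands out the full contents of every
	  authoritative zone. Deny them globally and re-enable per zone, listing
	  only the addresses of your secondary servers.
	*/
	allow-transfer		{ none; };

	/* Enable/disable recursion - recursion yes/no;

	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	 */
	recursion yes;

	/* DNSSEC related options. See information about keys ("Trusted keys", below) */

	/* Enable serving of DNSSEC related data - enable on both authoritative
	   and recursive DNSSEC-aware servers */
	dnssec-enable yes;

	/* Enable DNSSEC validation on recursive servers.
	   NOTE: with "yes", answers are only validated below a configured trust
	   anchor (trusted-keys / managed-keys); the trusted-keys statement at the
	   end of this file is commented out, so confirm a trust anchor is in
	   place before relying on validation. */
	dnssec-validation yes;

	/* In RHEL-7 we use /run/named instead of default /var/run/named
	   so we have to configure paths properly. */
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	managed-keys-directory "/var/named/dynamic";
};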
logging
{
	// Debug output (for example after 'rndc trace') would go to 'named.run'
	// under $directory (/var/named). SELinux policy does not let named write
	// into /var/named itself, so the default debug log lives in data/.
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
/*
 Views let a name server answer a DNS query differently depending on who is asking.

 By default, if named.conf contains no "view" clauses, all zones are in the
 "default" view, which matches all clients.

 Views are processed sequentially. The first match is used, so the last view should
 match "any" - it is the fallback and the most restricted view.

 If named.conf contains any "view" clause, then all zones MUST be in a view.
*/
view "localhost_resolver"
{
	// Caching-only resolver for the local machine. If a caching-only
	// nameserver is all you need, this is the only view you have to define.
	recursion yes;
	match-clients 		{ localhost; };

	// Every view must carry the root hints zone.
	zone "." IN {
	        type hint;
	        file "/var/named/named.ca";
	};

	// Zones holding the localhost names and addresses recommended by
	// RFC 1912; these names must not leak to other nameservers.
	include "/etc/named.rfc1912.zones";
};
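view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
   that connect via your directly attached LAN interfaces - "localnets" .
 */
	match-clients		{ localnets; };
	recursion yes;

	// Matching a view does not by itself permit queries: allow-query and
	// allow-query-cache default to the values in the options statement
	// ({ localhost; } above), which would refuse every LAN client this
	// view is meant for. Grant the same audience the view matches.
	allow-query		{ localnets; };
	allow-query-cache	{ localnets; };

	zone "." IN {
	        type hint;
	        file "/var/named/named.ca";
	};

        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
	 * not leak to the other nameservers:
	 */
	include "/etc/named.rfc1912.zones";

	// These are your "authoritative" internal zones, and would probably
	// also be included in the "localhost_resolver" view above :

	/*
	  NOTE for dynamic DNS zones and secondary zones:

	  DO NOT USE SAME FILES IN MULTIPLE VIEWS!

	  If you are using views and DDNS/secondary zones it is strongly
	  recommended to read FAQ on ISC site (www.isc.org), section
	  "Configuration and Setup Questions", questions
	  "How do I share a dynamic zone between multiple views?" and
	  "How can I make a server a slave for both an internal and an external
	   view at the same time?"
	*/

	zone "my.internal.zone" {
		type master;
		file "my.internal.zone.db";
	};
	zone "my.slave.internal.zone" {
		type slave;
		file "slaves/my.slave.internal.zone.db";
		masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
		// put slave zones in the slaves/ directory so named can update them
	};
	zone "my.ddns.internal.zone" {
		type master;
		// only updates signed with the TSIG key "ddns_key" are accepted;
		// never use { any; } here, it lets anyone rewrite the zone
		allow-update { key ddns_key; };
		file "dynamic/my.ddns.internal.zone.db";
		// put dynamically updateable zones in the dynamic/ directory so named can update them
	};
};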
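key ddns_key
{
	// TSIG key used by allow-update in the "internal" view.
	// HMAC-MD5 is the historical default but is no longer an acceptable
	// MAC for new keys; use a SHA-2 algorithm and generate the key with the
	// same algorithm (dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST <name>,
	// or tsig-keygen on newer releases).
	// Keep the real secret out of this world-readable file: put the key
	// statement in a separate file readable only by named and include it.
	algorithm hmac-sha256;
	secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
};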
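view "external"
{
/* This view will contain zones you want to serve only to "external" clients,
 * i.e. addresses that did not match any view above:
 */
	match-clients		{ any; };

	// The options statement restricts queries to localhost; without these
	// overrides every external client would be refused. External clients
	// get authoritative data only, never the cache.
	allow-query		{ any; };
	allow-query-cache	{ none; };

	// Zone transfers are allowed to all hosts when allow-transfer is not
	// specified; deny them here and list your secondary servers explicitly,
	// e.g. allow-transfer { <SECONDARY-SERVER-IP>; };
	allow-transfer		{ none; };

	zone "." IN {
	        type hint;
	        file "/var/named/named.ca";
	};

	recursion no;
	// you'd probably want to deny recursion to external clients, so you don't
	// end up providing free DNS service to all takers

	// These are your "authoritative" external zones, and would probably
	// contain entries for just your web and mail servers:

	zone "my.external.zone" {
		type master;
		file "my.external.zone.db";
	};
};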
/* Trusted keys

  This statement contains DNSSEC keys. If you want a DNSSEC-aware resolver you
  have to configure at least one trusted key.

  Note that no key written below is valid, especially the root key, because the
  root zone is not signed yet.
*/
/*
trusted-keys {
// Root Key
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
             E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
             zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
             MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
             /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
             iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
             Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";

// Key for forward zone
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
                      OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
                      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
                      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
                      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
                      SCThlHf3xiYleDbt/o1OTQ09A0=";

// Key for reverse zone.
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
                                tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
                                yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
                                4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
                                zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
                                7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
                                52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
};
*/