//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
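// Global server options for a caching-only resolver that serves this host only.
// The blame-gutter tokens that were interleaved between the statements are not
// valid named.conf syntax and have been removed so the block parses again.
options {
	// Bind the DNS service to the loopback addresses only. As configured the
	// resolver is not reachable from other hosts; if these listeners are ever
	// widened, review allow-query (and allow-recursion / allow-query-cache)
	// in the same change.
	listen-on port 53 { 127.0.0.1; };
	listen-on-v6 port 53 { ::1; };

	// Working directory; relative file names elsewhere in this configuration
	// are resolved against it.
	directory 	"/var/named";

	// Diagnostic output files. They can expose cache contents and query
	// activity, so /var/named/data should not be readable by unprivileged users.
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	secroots-file	"/var/named/data/named.secroots";
	recursing-file	"/var/named/data/named.recursing";

	// Accept queries only from this host's own addresses (built-in
	// "localhost" ACL). This is the access control that keeps the recursive
	// service below from being usable by outside clients.
	allow-query     { localhost; };

	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	// Recursion is enabled because this instance is a caching resolver; it is
	// acceptable here only in combination with the loopback listeners and the
	// localhost-only allow-query above.
	recursion yes;

	// Validate DNSSEC signatures. With "yes" (as opposed to "auto") a trust
	// anchor has to be configured explicitly; this file includes
	// /etc/named.root.key at the end, presumably for that purpose. Verify that
	// the included file is present and current, otherwise validation cannot
	// build a chain of trust.
	dnssec-validation yes;

	// Directory where named keeps state for the trust anchors it tracks.
	// It must be writable by the named user and by nobody else.
	managed-keys-directory "/var/named/dynamic";
	geoip-directory "/usr/share/GeoIP";

	pid-file "/run/named/named.pid";
	// Key material generated by named at startup; keep the file readable by
	// the named user only.
	session-keyfile "/run/named/session.key";

	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
	// System-wide crypto policy fragment. Its contents are not shown here;
	// it is parsed as part of this options block, so it must be root-owned
	// and not writable by other users.
	include "/etc/crypto-policies/back-ends/bind.config";
};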
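// Logging: a single debug channel. The blame-gutter tokens that were
// interleaved between the statements have been removed so the block parses.
// Only the default debug output is configured here; no channel is defined
// for the "security" or "queries" categories, so denied requests and query
// activity need their own channel/category statements if they are to be
// retained for detection or incident response.
logging {
        channel default_debug {
                // Relative path: resolved against the "directory" option.
                file "data/named.run";
                // Verbosity follows the server's current debug level.
                severity dynamic;
        };
};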
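// Root hints zone: tells the resolver where to find the root servers when it
// starts. The blame-gutter tokens that were interleaved between the statements
// have been removed so the block parses. The hints file is not itself a
// DNSSEC trust source; authenticity of answers depends on the configured
// trust anchor and dnssec-validation, not on this file.
zone "." IN {
	type hint;
	// Relative path: resolved against the "directory" option.
	file "named.ca";
};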
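// Additional configuration fragments. Both files are parsed as configuration,
// so they should be root-owned and not writable by other users. The stray
// blame-gutter token between the two statements has been removed.
// Contents are not shown here: by its name the first file holds the RFC 1912
// zones and the second the root trust anchor used by dnssec-validation; verify.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";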