/* * Refer to the named.conf(5) and named(8) man pages, and the documentation * in /usr/share/doc/bind-9 for more details. * Online versions of the documentation can be found here: * http://www.isc.org/software/bind/documentation * * If you are going to set up an authoritative server, make sure you * understand the hairy details of how DNS works. Even with simple mistakes, * you can break connectivity for affected parties, or cause huge amounts of * useless Internet traffic. */ acl "xfer" { /* Allow no transfers. If we have other name servers, place them here. */ //127.0.0.1/32; //::1/128; "none"; }; /* * You might put in here some ips which are allowed to use the cache or * recursive queries */ acl "trusted" { 127.0.0.0/8; ::1/128; }; options { directory "/var/bind"; pid-file "/var/run/named/named.pid"; /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */ // bindkeys-file "/etc/bind/bind.keys"; listen-on-v6 { ::1; }; listen-on { 127.0.0.1; }; allow-query { /* * Accept queries from our "trusted" ACL. We will * allow anyone to query our master zones below. * This prevents us from becoming a free DNS server * to the masses. */ trusted; }; allow-query-cache { /* Use the cache for the "trusted" ACL. */ trusted; }; allow-transfer { /* * Zone tranfers limited to members of the * "xfer" ACL (e.g. secondary nameserver). */ xfer; }; /* * If you've got a DNS server around at your upstream provider, enter its * IP address here, and enable the line below. This will make you benefit * from its cache, thus reduce overall DNS traffic in the Internet. * * Uncomment the following lines to turn on DNS forwarding, and change * and/or update the forwarding ip address(es): */ /* forward first; forwarders { // 123.123.123.123; // Your ISP NS // 124.124.124.124; // Your ISP NS 4.2.2.1; // Level3 Public DNS 4.2.2.2; // Level3 Public DNS 8.8.8.8; // Google Open DNS 8.8.4.4; // Google Open DNS }; */ // dnssec-enable yes; // dnssec-validation yes; /* if you have problems and are behind a firewall: */ //query-source address * port 53; }; logging { channel default_log { file "/var/log/named/named.log" versions 5 size 50M; print-time yes; print-severity yes; print-category yes; }; category default { default_log; }; category general { default_log; }; }; include "/etc/bind/rndc.key"; controls { inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; }; }; view "internal" in { /* * Our internal (trusted) view. We permit the internal networks * to freely access this view. We perform recursion for our * internal hosts, and retrieve data from the cache for them. */ match-clients { trusted; }; recursion yes; additional-from-auth yes; additional-from-cache yes; zone "." in { type hint; file "/var/bind/root.cache"; }; zone "localhost" IN { type master; file "pri/localhost.zone"; allow-update { none; }; notify no; allow-query { any; }; allow-transfer { none; }; }; zone "127.in-addr.arpa" IN { type master; file "pri/127.zone"; allow-update { none; }; notify no; allow-query { any; }; allow-transfer { none; }; }; /* * NOTE: All zone blocks for "public" view should be listed here in "internal" * too! Otherwise you'll have trouble to resolv the public zones properly. * That affects all hosts from the "trusted" ACL. * A separate config, which contains all zone blocks, might be better in * this case. Then you can simply add: * include "/etc/bind/zones.cfg"; * for "internal" and "public" view. */ /* * Briefly, a zone which has been declared delegation-only will be effectively * limited to containing NS RRs for subdomains, but no actual data beyond its * own apex (for example, its SOA RR and apex NS RRset). This can be used to * filter out "wildcard" or "synthesized" data from NAT boxes or from * authoritative name servers whose undelegated (in-zone) data is of no * interest. * See http://www.isc.org/software/bind/delegation-only for more info */ //zone "COM" { type delegation-only; }; //zone "NET" { type delegation-only; }; }; view "public" in { /* * Our external (untrusted) view. We permit any client to access * portions of this view. We do not perform recursion or cache * access for hosts using this view. */ match-clients { any; }; recursion no; additional-from-auth no; additional-from-cache no; zone "." in { type hint; file "/var/bind/root.cache"; }; //zone "YOUR-DOMAIN.TLD" { // type master; // file "/var/bind/pri/YOUR-DOMAIN.TLD.zone"; // allow-query { any; }; // allow-transfer { xfer; }; //}; //zone "YOUR-SLAVE.TLD" { // type slave; // file "/var/bind/sec/YOUR-SLAVE.TLD.zone"; // masters { ; }; // /* Anybody is allowed to query but transfer should be controlled by the master. */ // allow-query { any; }; // allow-transfer { none; }; // /* The master should be the only one who notifies the slaves, shouldn't it? */ // allow-notify { ; }; // notify no; //}; }; /* Hide the bind version */ /* view "chaos" chaos { match-clients { any; }; allow-query { none; }; zone "." { type hint; file "/dev/null"; // or any empty file }; }; */