forked from calculate/calculate-overlay
parent
9531695b17
commit
0a0c16c169
@ -1,216 +0,0 @@
|
||||
/*
|
||||
* Refer to the named.conf(5) and named(8) man pages, and the documentation
|
||||
* in /usr/share/doc/bind-9 for more details.
|
||||
* Online versions of the documentation can be found here:
|
||||
* http://www.isc.org/software/bind/documentation
|
||||
*
|
||||
* If you are going to set up an authoritative server, make sure you
|
||||
* understand the hairy details of how DNS works. Even with simple mistakes,
|
||||
* you can break connectivity for affected parties, or cause huge amounts of
|
||||
* useless Internet traffic.
|
||||
*/
|
||||
|
||||
acl "xfer" {
|
||||
/* Allow no transfers. If we have other name servers, place them here. */
|
||||
//127.0.0.1/32;
|
||||
//::1/128;
|
||||
"none";
|
||||
};
|
||||
|
||||
/*
|
||||
* You might put in here some ips which are allowed to use the cache or
|
||||
* recursive queries
|
||||
*/
|
||||
acl "trusted" {
|
||||
127.0.0.0/8;
|
||||
::1/128;
|
||||
};
|
||||
|
||||
options {
|
||||
directory "/var/bind";
|
||||
pid-file "/var/run/named/named.pid";
|
||||
|
||||
/* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
|
||||
// bindkeys-file "/etc/bind/bind.keys";
|
||||
|
||||
listen-on-v6 { ::1; };
|
||||
listen-on { 127.0.0.1; };
|
||||
|
||||
allow-query {
|
||||
/*
|
||||
* Accept queries from our "trusted" ACL. We will
|
||||
* allow anyone to query our master zones below.
|
||||
* This prevents us from becoming a free DNS server
|
||||
* to the masses.
|
||||
*/
|
||||
trusted;
|
||||
};
|
||||
|
||||
allow-query-cache {
|
||||
/* Use the cache for the "trusted" ACL. */
|
||||
trusted;
|
||||
};
|
||||
|
||||
allow-transfer {
|
||||
/*
|
||||
* Zone tranfers limited to members of the
|
||||
* "xfer" ACL (e.g. secondary nameserver).
|
||||
*/
|
||||
xfer;
|
||||
};
|
||||
|
||||
/*
|
||||
* If you've got a DNS server around at your upstream provider, enter its
|
||||
* IP address here, and enable the line below. This will make you benefit
|
||||
* from its cache, thus reduce overall DNS traffic in the Internet.
|
||||
*
|
||||
* Uncomment the following lines to turn on DNS forwarding, and change
|
||||
* and/or update the forwarding ip address(es):
|
||||
*/
|
||||
/*
|
||||
forward first;
|
||||
forwarders {
|
||||
// 123.123.123.123; // Your ISP NS
|
||||
// 124.124.124.124; // Your ISP NS
|
||||
4.2.2.1; // Level3 Public DNS
|
||||
4.2.2.2; // Level3 Public DNS
|
||||
8.8.8.8; // Google Open DNS
|
||||
8.8.4.4; // Google Open DNS
|
||||
};
|
||||
|
||||
*/
|
||||
|
||||
// dnssec-enable yes;
|
||||
// dnssec-validation yes;
|
||||
|
||||
/* if you have problems and are behind a firewall: */
|
||||
//query-source address * port 53;
|
||||
};
|
||||
|
||||
logging {
|
||||
channel default_log {
|
||||
file "/var/log/named/named.log" versions 5 size 50M;
|
||||
print-time yes;
|
||||
print-severity yes;
|
||||
print-category yes;
|
||||
};
|
||||
|
||||
category default { default_log; };
|
||||
category general { default_log; };
|
||||
};
|
||||
|
||||
include "/etc/bind/rndc.key";
|
||||
controls {
|
||||
inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
|
||||
};
|
||||
|
||||
|
||||
view "internal" in {
|
||||
/*
|
||||
* Our internal (trusted) view. We permit the internal networks
|
||||
* to freely access this view. We perform recursion for our
|
||||
* internal hosts, and retrieve data from the cache for them.
|
||||
*/
|
||||
|
||||
match-clients { trusted; };
|
||||
recursion yes;
|
||||
additional-from-auth yes;
|
||||
additional-from-cache yes;
|
||||
|
||||
zone "." in {
|
||||
type hint;
|
||||
file "/var/bind/root.cache";
|
||||
};
|
||||
|
||||
zone "localhost" IN {
|
||||
type master;
|
||||
file "pri/localhost.zone";
|
||||
allow-update { none; };
|
||||
notify no;
|
||||
allow-query { any; };
|
||||
allow-transfer { none; };
|
||||
};
|
||||
|
||||
zone "127.in-addr.arpa" IN {
|
||||
type master;
|
||||
file "pri/127.zone";
|
||||
allow-update { none; };
|
||||
notify no;
|
||||
allow-query { any; };
|
||||
allow-transfer { none; };
|
||||
};
|
||||
|
||||
/*
|
||||
* NOTE: All zone blocks for "public" view should be listed here in "internal"
|
||||
* too! Otherwise you'll have trouble to resolv the public zones properly.
|
||||
* That affects all hosts from the "trusted" ACL.
|
||||
* A separate config, which contains all zone blocks, might be better in
|
||||
* this case. Then you can simply add:
|
||||
* include "/etc/bind/zones.cfg";
|
||||
* for "internal" and "public" view.
|
||||
*/
|
||||
|
||||
/*
|
||||
* Briefly, a zone which has been declared delegation-only will be effectively
|
||||
* limited to containing NS RRs for subdomains, but no actual data beyond its
|
||||
* own apex (for example, its SOA RR and apex NS RRset). This can be used to
|
||||
* filter out "wildcard" or "synthesized" data from NAT boxes or from
|
||||
* authoritative name servers whose undelegated (in-zone) data is of no
|
||||
* interest.
|
||||
* See http://www.isc.org/software/bind/delegation-only for more info
|
||||
*/
|
||||
|
||||
//zone "COM" { type delegation-only; };
|
||||
//zone "NET" { type delegation-only; };
|
||||
};
|
||||
|
||||
view "public" in {
|
||||
/*
|
||||
* Our external (untrusted) view. We permit any client to access
|
||||
* portions of this view. We do not perform recursion or cache
|
||||
* access for hosts using this view.
|
||||
*/
|
||||
|
||||
match-clients { any; };
|
||||
recursion no;
|
||||
additional-from-auth no;
|
||||
additional-from-cache no;
|
||||
|
||||
zone "." in {
|
||||
type hint;
|
||||
file "/var/bind/root.cache";
|
||||
};
|
||||
|
||||
//zone "YOUR-DOMAIN.TLD" {
|
||||
// type master;
|
||||
// file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
|
||||
// allow-query { any; };
|
||||
// allow-transfer { xfer; };
|
||||
//};
|
||||
|
||||
//zone "YOUR-SLAVE.TLD" {
|
||||
// type slave;
|
||||
// file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
|
||||
// masters { <MASTER>; };
|
||||
|
||||
// /* Anybody is allowed to query but transfer should be controlled by the master. */
|
||||
// allow-query { any; };
|
||||
// allow-transfer { none; };
|
||||
|
||||
// /* The master should be the only one who notifies the slaves, shouldn't it? */
|
||||
// allow-notify { <MASTER>; };
|
||||
// notify no;
|
||||
//};
|
||||
};
|
||||
|
||||
/* Hide the bind version */
|
||||
/*
|
||||
view "chaos" chaos {
|
||||
match-clients { any; };
|
||||
allow-query { none; };
|
||||
zone "." {
|
||||
type hint;
|
||||
file "/dev/null"; // or any empty file
|
||||
};
|
||||
};
|
||||
*/
|
@ -0,0 +1,165 @@
|
||||
/*
|
||||
* Refer to the named.conf(5) and named(8) man pages, and the documentation
|
||||
* in /usr/share/doc/bind-9 for more details.
|
||||
* Online versions of the documentation can be found here:
|
||||
* http://www.isc.org/software/bind/documentation
|
||||
*
|
||||
* If you are going to set up an authoritative server, make sure you
|
||||
* understand the hairy details of how DNS works. Even with simple mistakes,
|
||||
* you can break connectivity for affected parties, or cause huge amounts of
|
||||
* useless Internet traffic.
|
||||
*/
|
||||
|
||||
acl "xfer" {
|
||||
/* Deny transfers by default except for the listed hosts.
|
||||
* If we have other name servers, place them here.
|
||||
*/
|
||||
none;
|
||||
};
|
||||
|
||||
/*
|
||||
* You might put in here some ips which are allowed to use the cache or
|
||||
* recursive queries
|
||||
*/
|
||||
acl "trusted" {
|
||||
127.0.0.0/8;
|
||||
::1/128;
|
||||
};
|
||||
|
||||
options {
|
||||
directory "/var/bind";
|
||||
pid-file "/var/run/named/named.pid";
|
||||
|
||||
/* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
|
||||
//bindkeys-file "/etc/bind/bind.keys";
|
||||
|
||||
listen-on-v6 { ::1; };
|
||||
listen-on { 127.0.0.1; };
|
||||
|
||||
allow-query {
|
||||
/*
|
||||
* Accept queries from our "trusted" ACL. We will
|
||||
* allow anyone to query our master zones below.
|
||||
* This prevents us from becoming a free DNS server
|
||||
* to the masses.
|
||||
*/
|
||||
trusted;
|
||||
};
|
||||
|
||||
allow-query-cache {
|
||||
/* Use the cache for the "trusted" ACL. */
|
||||
trusted;
|
||||
};
|
||||
|
||||
allow-recursion {
|
||||
/* Only trusted addresses are allowed to use recursion. */
|
||||
trusted;
|
||||
};
|
||||
|
||||
allow-transfer {
|
||||
/* Zone tranfers are denied by default. */
|
||||
none;
|
||||
};
|
||||
|
||||
allow-update {
|
||||
/* Don't allow updates, e.g. via nsupdate. */
|
||||
none;
|
||||
};
|
||||
|
||||
/*
|
||||
* If you've got a DNS server around at your upstream provider, enter its
|
||||
* IP address here, and enable the line below. This will make you benefit
|
||||
* from its cache, thus reduce overall DNS traffic in the Internet.
|
||||
*
|
||||
* Uncomment the following lines to turn on DNS forwarding, and change
|
||||
* and/or update the forwarding ip address(es):
|
||||
*/
|
||||
/*
|
||||
forward first;
|
||||
forwarders {
|
||||
// 123.123.123.123; // Your ISP NS
|
||||
// 124.124.124.124; // Your ISP NS
|
||||
// 4.2.2.1; // Level3 Public DNS
|
||||
// 4.2.2.2; // Level3 Public DNS
|
||||
8.8.8.8; // Google Open DNS
|
||||
8.8.4.4; // Google Open DNS
|
||||
};
|
||||
|
||||
*/
|
||||
|
||||
//dnssec-enable yes;
|
||||
//dnssec-validation yes;
|
||||
|
||||
/* if you have problems and are behind a firewall: */
|
||||
//query-source address * port 53;
|
||||
};
|
||||
|
||||
/*
|
||||
logging {
|
||||
channel default_log {
|
||||
file "/var/log/named/named.log" versions 5 size 50M;
|
||||
print-time yes;
|
||||
print-severity yes;
|
||||
print-category yes;
|
||||
};
|
||||
|
||||
category default { default_log; };
|
||||
category general { default_log; };
|
||||
};
|
||||
*/
|
||||
|
||||
include "/etc/bind/rndc.key";
|
||||
controls {
|
||||
inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
|
||||
};
|
||||
|
||||
zone "." in {
|
||||
type hint;
|
||||
file "/var/bind/root.cache";
|
||||
};
|
||||
|
||||
zone "localhost" IN {
|
||||
type master;
|
||||
file "pri/localhost.zone";
|
||||
notify no;
|
||||
};
|
||||
|
||||
zone "127.in-addr.arpa" IN {
|
||||
type master;
|
||||
file "pri/127.zone";
|
||||
notify no;
|
||||
};
|
||||
|
||||
/*
|
||||
* Briefly, a zone which has been declared delegation-only will be effectively
|
||||
* limited to containing NS RRs for subdomains, but no actual data beyond its
|
||||
* own apex (for example, its SOA RR and apex NS RRset). This can be used to
|
||||
* filter out "wildcard" or "synthesized" data from NAT boxes or from
|
||||
* authoritative name servers whose undelegated (in-zone) data is of no
|
||||
* interest.
|
||||
* See http://www.isc.org/software/bind/delegation-only for more info
|
||||
*/
|
||||
|
||||
//zone "COM" { type delegation-only; };
|
||||
//zone "NET" { type delegation-only; };
|
||||
|
||||
//zone "YOUR-DOMAIN.TLD" {
|
||||
// type master;
|
||||
// file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
|
||||
// allow-query { any; };
|
||||
// allow-transfer { xfer; };
|
||||
//};
|
||||
|
||||
//zone "YOUR-SLAVE.TLD" {
|
||||
// type slave;
|
||||
// file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
|
||||
// masters { <MASTER>; };
|
||||
|
||||
/* Anybody is allowed to query but transfer should be controlled by the master. */
|
||||
// allow-query { any; };
|
||||
// allow-transfer { none; };
|
||||
|
||||
/* The master should be the only one who notifies the slaves, shouldn't it? */
|
||||
// allow-notify { <MASTER>; };
|
||||
// notify no;
|
||||
//};
|
Loading…
Reference in new issue