1/*
2 Sample named.conf BIND DNS server 'named' configuration file
3 for the Red Hat BIND distribution.
4
5 See the BIND Administrator's Reference Manual (ARM) for details about the
6 configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
7*/
8
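options
{
	// Put files that named is allowed to write in the data/ directory:
	directory "/var/named"; // "Working" directory
	dump-file "data/cache_dump.db";
	statistics-file "data/named_stats.txt";
	memstatistics-file "data/named_mem_stats.txt";
	recursing-file "data/named.recursing";
	secroots-file "data/named.secroots";

	/*
	 Specify listening interfaces. You can use a list of addresses (';' is the
	 delimiter) or the keywords "any"/"none".
	 */
	listen-on port 53 { any; };

	// IPv6 is loopback-only. Widen this deliberately if IPv6 clients are
	// expected; "any" here carries the same exposure as the IPv4 line above.
	listen-on-v6 port 53 { ::1; };

	/*
	 Access restrictions

	 There are two important options:
	 allow-query { argument; };
	 - allow queries for authoritative data

	 allow-query-cache { argument; };
	 - allow queries for non-authoritative data (mostly cached data)

	 You can use an address, a network address or the keywords
	 "any"/"localhost"/"localnets"/"none" as argument.
	 Examples:
	 allow-query { any; };
	 allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; 172.29.253.0/24; };
	 */

	// Authoritative data (the zone in the "external" view below) is served to
	// anyone - that is what a public authoritative server needs.
	allow-query { any; };

	// Cached data and recursion are for local clients only.  The views below
	// already confine recursive service through match-clients, but keeping the
	// global ACLs tight means a later view re-ordering or a widened
	// match-clients cannot quietly turn this host into an open resolver
	// (amplification source).  Previously: allow-query-cache { any; }.
	allow-query-cache { localhost; localnets; };
	allow-recursion { localhost; localnets; };

	/* Enable/disable recursion - recursion yes/no;

	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface.
	 Here the global default is "yes" and the "external" view overrides it
	 with "no"; the allow-recursion ACL above is the safety net.
	 */
	recursion yes;

	/* DNSSEC related options. See information about keys ("Trusted keys", below) */

	/* Enable serving of DNSSEC related data - enable on both authoritative
	   and recursive DNSSEC-aware servers.
	   NOTE(review): this option is deprecated from BIND 9.16 on and later
	   removed; it is kept here because the paths below target the RHEL-7
	   BIND (9.11). Drop it when upgrading. */
	dnssec-enable yes;

	/* Enable DNSSEC validation on recursive servers.
	   "auto" uses the root trust anchor built into named and keeps it current
	   (RFC 5011) in managed-keys-directory.  "yes" only validates against
	   trust anchors configured by hand, and the only keys in this file are the
	   commented-out placeholders at the bottom - so with "yes" nothing was in
	   fact being validated (unless an include not visible here supplied one). */
	dnssec-validation auto;

	/* In RHEL-7 we use /run/named instead of default /var/run/named
	   so we have to configure paths properly. */
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	managed-keys-directory "/var/named/dynamic";
};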
78
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * named will try to write the 'named.run' file in the $directory (/var/named).
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 *
 * "severity dynamic" means the channel follows whatever debug level
 * 'rndc trace' sets at run time, so it stays quiet until tracing is turned on.
 *
 * No "category" statements are given, so every other category falls back to
 * BIND's built-in defaults (syslog for most of them).  NOTE(review): for a
 * server exposed to other networks consider a dedicated channel for the
 * "security" category (refused queries/updates/transfers) and, if volume
 * allows, "queries", so access-control violations are actually visible.
 */
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
91
92/*
93 Views let a name server answer a DNS query differently depending on who is asking.
94
95 By default, if named.conf contains no "view" clauses, all zones are in the
96 "default" view, which matches all clients.
97
 Views are processed in order and the first matching view is used, so the last
 view should match "any": it is the fallback and must be the most restricted view.
100
101 If named.conf contains any "view" clause, then all zones MUST be in a view.
102*/
103
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view.
 *
 * Only the loopback client matches here, so "recursion yes" in this view
 * cannot be reached from the network; the exposure of the host is decided by
 * the views below.
 */
	match-clients { localhost; };
	recursion yes;

	# all views must contain the root hints zone (root hints are what primes
	# recursion; a view that only answers authoritatively does not strictly
	# need them):
	zone "." IN {
		type hint;
		file "/var/named/named.ca";
	};

	/* these are zones that contain definitions for all the localhost
	 * names and addresses, as recommended in RFC1912 - these names should
	 * not leak to the other nameservers:
	 */
	include "/etc/named.rfc1912.zones";
};
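view "internal"
{
/* This view holds the zones served only to "internal" clients, i.e. hosts on
   the networks directly attached to this server ("localnets").
 */
	match-clients { localnets; };
	recursion yes;

	// Stated explicitly so this view does not depend on the global ACLs in
	// "options": only directly attached networks get answers, cached data and
	// recursion here.
	allow-query { localnets; };
	allow-query-cache { localnets; };
	allow-recursion { localnets; };

	// Zone transfers were left at the BIND 9.11 default (allow-transfer { any; }),
	// which lets any matching client AXFR the whole zone.  No secondaries are
	// configured anywhere in this file, so refuse transfers outright; list the
	// secondaries' addresses (or a TSIG key) here if you add some.
	allow-transfer { none; };

	zone "." IN {
		type hint;
		file "/var/named/named.ca";
	};

	/* these are zones that contain definitions for all the localhost
	 * names and addresses, as recommended in RFC1912 - these names should
	 * not leak to the other nameservers:
	 */
	include "/etc/named.rfc1912.zones";

	// These are your "authoritative" internal zones, and would probably
	// also be included in the "localhost_resolver" view above :

	/*
	 NOTE for dynamic DNS zones and secondary zones:

	 DO NOT USE SAME FILES IN MULTIPLE VIEWS!

	 If you are using views and DDNS/secondary zones it is strongly
	 recommended to read FAQ on ISC site (www.isc.org), section
	 "Configuration and Setup Questions", questions
	 "How do I share a dynamic zone between multiple views?" and
	 "How can I make a server a slave for both an internal and an external
	 view at the same time?"
	 */

	// NOTE(review): "ddns_key" is declared further down in this file, but no
	// zone here carries allow-update/update-policy, so dynamic updates are not
	// actually enabled for this zone.  If they are meant to be, add
	// `allow-update { key ddns_key; };` to the zone and keep its file in a
	// directory named may write (the file comments above point at data/ and
	// /var/named/dynamic for that) rather than next to the static zone files.
	// The file path is relative to the "directory" option (/var/named).
	zone "local.skiloisir4.test" {
		type master;
		file "local.skiloisir4.test";
	};
};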
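/*
 TSIG key for dynamic updates (nsupdate and friends).

 NOTE(review): the key previously declared here used hmac-md5 and its secret
 was published in clear text together with this file, so it has to be treated
 as compromised.  Generate a replacement with `tsig-keygen ddns_key` (its
 default algorithm is hmac-sha256; hmac-md5 is deprecated in BIND and should
 not be used for new keys), paste the output here - or better, keep it in a
 separate file readable only by root and the named user and `include` it -
 and update every client that used the old secret.  named-checkconf rejects
 the placeholder below on purpose until a real base64 secret is installed.

 Also note that nothing in this file references ddns_key (no allow-update /
 update-policy), so as configured the key grants no update rights.
*/
key ddns_key
{
	algorithm hmac-sha256;
	secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";   // never commit or paste the real value
};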
169
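view "external"
{
/* This view serves the zones meant for "external" clients: anything whose
 * address did not match one of the views above.  It is the fallback view and
 * therefore has to be the most restricted one.
 */
	match-clients { any; };

	// Authoritative-only: no recursion and nothing from the cache for the
	// world.  Stated here explicitly so the view does not depend on the
	// global ACLs in "options" (deny recursion to external clients, so you
	// don't end up providing free DNS service to all takers).
	recursion no;
	allow-query { any; };           // authoritative answers for the zone below
	allow-query-cache { none; };

	// Zone transfers were left at the BIND 9.11 default (allow-transfer { any; }),
	// which lets anyone on the Internet AXFR the full zone contents.  No
	// secondaries are configured in this file; list their addresses (or a
	// TSIG key) here if you add some.
	allow-transfer { none; };

	// Root hints only prime recursion, which is off here; kept because the
	// template states every view carries one, and it is harmless.
	zone "." IN {
		type hint;
		file "/var/named/named.ca";
	};

	// These are your "authoritative" external zones, and would probably
	// contain entries for just your web and mail servers.
	// The file path is relative to the "directory" option (/var/named).
	zone "skiloisir4.test" {
		type master;
		file "skiloisir4.test";
	};
};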
194
195/* Trusted keys
196
197 This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
198 have to configure at least one trusted key.
199
 Note that none of the keys written below is valid - they are placeholders kept
 only as a syntax example.  In particular the root key shown is stale (the root
 zone has been signed since 2010 and its KSK has rolled since), so never
 uncomment it.  A validating resolver should use "dnssec-validation auto", which
 relies on the trust anchor built into named, rather than keys copied here.
202*/
203/*
204trusted-keys {
205// Root Key
206"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
207 E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
208 zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
209 MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
210 /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
211 iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
212 Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
213
214// Key for forward zone
215example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
216 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
217 OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
218 lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
219 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
220 iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
221 SCThlHf3xiYleDbt/o1OTQ09A0=";
222
223// Key for reverse zone.
2242.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
225 VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
226 tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
227 yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
228 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
229 zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
230 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
231 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
232};
233*/
235/*
236 Sample named.conf BIND DNS server 'named' configuration file
237 for the Red Hat BIND distribution.
238
239 See the BIND Administrator's Reference Manual (ARM) for details about the
240 configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
241*/
242
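options
{
	// Put files that named is allowed to write in the data/ directory:
	directory "/var/named"; // "Working" directory
	dump-file "data/cache_dump.db";
	statistics-file "data/named_stats.txt";
	memstatistics-file "data/named_mem_stats.txt";
	recursing-file "data/named.recursing";
	secroots-file "data/named.secroots";

	/*
	 Specify listening interfaces. You can use a list of addresses (';' is the
	 delimiter) or the keywords "any"/"none".
	 */
	listen-on port 53 { any; };

	// IPv6 is loopback-only. Widen this deliberately if IPv6 clients are
	// expected; "any" here carries the same exposure as the IPv4 line above.
	listen-on-v6 port 53 { ::1; };

	/*
	 Access restrictions

	 There are two important options:
	 allow-query { argument; };
	 - allow queries for authoritative data

	 allow-query-cache { argument; };
	 - allow queries for non-authoritative data (mostly cached data)

	 You can use an address, a network address or the keywords
	 "any"/"localhost"/"localnets"/"none" as argument.
	 Examples:
	 allow-query { any; };
	 allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; 172.29.253.0/24; };
	 */

	// Global default for any view that does not set its own allow-query:
	// loopback only.
	// NOTE(review): the "internal" (localnets) and "external" (any) views
	// below do not override allow-query, so as written every non-loopback
	// client - the LAN hosts the internal view is meant for as well as the
	// world the external zone is meant for - is REFUSED.  Give those views
	// their own allow-query, or, if this host really should answer only
	// itself, drop the views.  The global default is kept restrictive here.
	allow-query { localhost; };

	// Cached data and recursion are for local clients only.  Keeping these
	// ACLs tight means a later view re-ordering or a widened match-clients
	// cannot quietly turn this host into an open resolver (amplification
	// source).  localnets is included because the "internal" view relies on it.
	allow-query-cache { localhost; localnets; };
	allow-recursion { localhost; localnets; };

	/* Enable/disable recursion - recursion yes/no;

	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface.
	 Here the global default is "yes" and the "external" view overrides it
	 with "no"; the allow-recursion ACL above is the safety net.
	 */
	recursion yes;

	/* DNSSEC related options. See information about keys ("Trusted keys", below) */

	/* Enable serving of DNSSEC related data - enable on both authoritative
	   and recursive DNSSEC-aware servers.
	   NOTE(review): this option is deprecated from BIND 9.16 on and later
	   removed; it is kept here because the paths below target the RHEL-7
	   BIND (9.11). Drop it when upgrading. */
	dnssec-enable yes;

	/* Enable DNSSEC validation on recursive servers.
	   "auto" uses the root trust anchor built into named and keeps it current
	   (RFC 5011) in managed-keys-directory.  "yes" only validates against
	   trust anchors configured by hand, and the only keys in this file are the
	   commented-out placeholders at the bottom - so with "yes" nothing was in
	   fact being validated (unless an include not visible here supplied one). */
	dnssec-validation auto;

	/* In RHEL-7 we use /run/named instead of default /var/run/named
	   so we have to configure paths properly. */
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	managed-keys-directory "/var/named/dynamic";
};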
312
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * named will try to write the 'named.run' file in the $directory (/var/named).
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 *
 * "severity dynamic" means the channel follows whatever debug level
 * 'rndc trace' sets at run time, so it stays quiet until tracing is turned on.
 *
 * No "category" statements are given, so every other category falls back to
 * BIND's built-in defaults (syslog for most of them).  NOTE(review): for a
 * server exposed to other networks consider a dedicated channel for the
 * "security" category (refused queries/updates/transfers) and, if volume
 * allows, "queries", so access-control violations are actually visible.
 */
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
325
326/*
327 Views let a name server answer a DNS query differently depending on who is asking.
328
329 By default, if named.conf contains no "view" clauses, all zones are in the
330 "default" view, which matches all clients.
331
 Views are processed in order and the first matching view is used, so the last
 view should match "any": it is the fallback and must be the most restricted view.
334
335 If named.conf contains any "view" clause, then all zones MUST be in a view.
336*/
337
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view.
 *
 * Only the loopback client matches here, so "recursion yes" in this view
 * cannot be reached from the network; the exposure of the host is decided by
 * the views below.
 */
	match-clients { localhost; };
	recursion yes;

	# all views must contain the root hints zone (root hints are what primes
	# recursion; a view that only answers authoritatively does not strictly
	# need them):
	zone "." IN {
		type hint;
		file "/var/named/named.ca";
	};

	/* these are zones that contain definitions for all the localhost
	 * names and addresses, as recommended in RFC1912 - these names should
	 * not leak to the other nameservers:
	 */
	include "/etc/named.rfc1912.zones";
};
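view "internal"
{
/* This view holds the zones served only to "internal" clients, i.e. hosts on
   the networks directly attached to this server ("localnets").
 */
	match-clients { localnets; };
	recursion yes;

	// Stated explicitly so this view does not depend on the global ACLs in
	// "options" (which restrict allow-query to localhost and would otherwise
	// refuse the very LAN clients this view matches): only directly attached
	// networks get answers, cached data and recursion here.
	allow-query { localnets; };
	allow-query-cache { localnets; };
	allow-recursion { localnets; };

	// Zone transfers were left at the BIND 9.11 default (allow-transfer { any; }),
	// which lets any matching client AXFR the whole zone.  No secondaries are
	// configured anywhere in this file, so refuse transfers outright; list the
	// secondaries' addresses (or a TSIG key) here if you add some.
	allow-transfer { none; };

	zone "." IN {
		type hint;
		file "/var/named/named.ca";
	};

	/* these are zones that contain definitions for all the localhost
	 * names and addresses, as recommended in RFC1912 - these names should
	 * not leak to the other nameservers:
	 */
	include "/etc/named.rfc1912.zones";

	// These are your "authoritative" internal zones, and would probably
	// also be included in the "localhost_resolver" view above :

	/*
	 NOTE for dynamic DNS zones and secondary zones:

	 DO NOT USE SAME FILES IN MULTIPLE VIEWS!

	 If you are using views and DDNS/secondary zones it is strongly
	 recommended to read FAQ on ISC site (www.isc.org), section
	 "Configuration and Setup Questions", questions
	 "How do I share a dynamic zone between multiple views?" and
	 "How can I make a server a slave for both an internal and an external
	 view at the same time?"
	 */

	// NOTE(review): "ddns_key" is declared further down in this file, but no
	// zone here carries allow-update/update-policy, so dynamic updates are not
	// actually enabled for this zone.  If they are meant to be, add
	// `allow-update { key ddns_key; };` to the zone and keep its file in a
	// directory named may write (the file comments above point at data/ and
	// /var/named/dynamic for that) rather than next to the static zone files.
	// The file path is relative to the "directory" option (/var/named).
	zone "local.skiloisir22.test" {
		type master;
		file "local.skiloisir22.test";
	};
};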
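/*
 TSIG key for dynamic updates (nsupdate and friends).

 NOTE(review): the key previously declared here used hmac-md5 and its secret
 was published in clear text together with this file, so it has to be treated
 as compromised.  Generate a replacement with `tsig-keygen ddns_key` (its
 default algorithm is hmac-sha256; hmac-md5 is deprecated in BIND and should
 not be used for new keys), paste the output here - or better, keep it in a
 separate file readable only by root and the named user and `include` it -
 and update every client that used the old secret.  named-checkconf rejects
 the placeholder below on purpose until a real base64 secret is installed.

 Also note that nothing in this file references ddns_key (no allow-update /
 update-policy), so as configured the key grants no update rights.
*/
key ddns_key
{
	algorithm hmac-sha256;
	secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";   // never commit or paste the real value
};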
403
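view "external"
{
/* This view serves the zones meant for "external" clients: anything whose
 * address did not match one of the views above.  It is the fallback view and
 * therefore has to be the most restricted one.
 */
	match-clients { any; };

	// Authoritative-only: no recursion and nothing from the cache for the
	// world.  Stated here explicitly so the view does not depend on the
	// global ACLs in "options" (whose allow-query is localhost-only and would
	// otherwise refuse every external client this view exists for).  Deny
	// recursion to external clients, so you don't end up providing free DNS
	// service to all takers.
	recursion no;
	allow-query { any; };           // authoritative answers for the zone below
	allow-query-cache { none; };

	// Zone transfers were left at the BIND 9.11 default (allow-transfer { any; }),
	// which lets anyone on the Internet AXFR the full zone contents.  No
	// secondaries are configured in this file; list their addresses (or a
	// TSIG key) here if you add some.
	allow-transfer { none; };

	// Root hints only prime recursion, which is off here; kept because the
	// template states every view carries one, and it is harmless.
	zone "." IN {
		type hint;
		file "/var/named/named.ca";
	};

	// These are your "authoritative" external zones, and would probably
	// contain entries for just your web and mail servers.
	// The file path is relative to the "directory" option (/var/named).
	zone "skiloisir22.test" {
		type master;
		file "skiloisir22.test";
	};
};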
428
429/* Trusted keys
430
431 This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
432 have to configure at least one trusted key.
433
 Note that none of the keys written below is valid - they are placeholders kept
 only as a syntax example.  In particular the root key shown is stale (the root
 zone has been signed since 2010 and its KSK has rolled since), so never
 uncomment it.  A validating resolver should use "dnssec-validation auto", which
 relies on the trust anchor built into named, rather than keys copied here.
436*/
437/*
438trusted-keys {
439// Root Key
440"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
441 E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
442 zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
443 MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
444 /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
445 iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
446 Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
447
448// Key for forward zone
449example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
450 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
451 OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
452 lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
453 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
454 iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
455 SCThlHf3xiYleDbt/o1OTQ09A0=";
456
457// Key for reverse zone.
4582.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
459 VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
460 tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
461 yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
462 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
463 zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
464 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
465 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
466};
467*/
468