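////////////////////////////////////////////////////////////////////////////////
//Basic named.conf for a caching, recursive, authoritative BIND 9.11 DNS server.
//Last update: 2019-09-24 - Shaun Cummiskey -
//
//Supplement to the article "Building a BIND 9.11 DNS Server on CentOS 6"
//
//For an exhaustive list of configuration options, see the BIND 9.11
//Administrator Reference Manual, Ch. 6.
//
//Check every edit with `named-checkconf` before reloading; named refuses to
//start on a syntax error.
////////////////////////////////////////////////////////////////////////////////

//Create an access control list named "trusted" which we'll use to restrict
//who can query this server as a full-fledged DNS server. Members of this ACL
//will be able to query this server for any zone (e.g. centos.org, google.com)
//even though we aren't authoritative for them. Other networks will only be
//allowed to resolve zones we're authoritative for.
acl "trusted" {
    //Allow localhost
    localhost;

    //Allow the localnets alias (auto-detected networks on this machine).
    //CAUTION: localnets matches every subnet attached to any interface. On a
    //hosted VM with a public interface that can be the provider's entire
    //shared subnet, i.e. strangers get recursion. If that describes your
    //server, replace this with explicit addresses or prefixes.
    localnets;

    //You can allow individual IPs, like your other servers, home, office, etc.
    // 172.93.52.73;
};

////////////////////////////////////////////////////////////////////////////////
//The options{} clause sets up global server configurations and defaults.
////////////////////////////////////////////////////////////////////////////////
options {
    //By default, BIND will listen on port 53 on all interfaces. If you don't
    //want that behavior, you can define specific listen IPs/ports here.
    // listen-on port 53 { 127.0.0.1; 192.168.1.53; };
    // listen-on-v6 port 53 { ::1; };

    //Who's allowed to send this server a query at all? This applies to every
    //query, cached and authoritative alike; a zone{} clause may widen it for
    //its own zone with its own allow-query statement (see the example at the
    //bottom of this file).
    //You SHOULD restrict this capability to trusted hosts.
    allow-query {
        //Allow members of the "trusted" ACL, defined above
        trusted;
    };

    //Who's allowed to query this server recursively? In other words, who can
    //use this server as a wide-open public DNS server to resolve everything?
    //You MUST restrict this capability to trusted hosts! (allow-query-cache,
    //which governs answers served from the cache, defaults to this list when
    //it is not set explicitly.)
    allow-recursion {
        //Allow members of the "trusted" ACL, defined above
        trusted;
    };

    //Who's allowed to request zone transfers (AXFR, IXFR) from this server?
    //If you have slave servers or a secondary/backup DNS provider, those
    //IPs MUST be allowed here. Otherwise, you SHOULD restrict this capability
    //only to trusted hosts. A transfer hands out the whole zone, so where the
    //secondary supports it, prefer a TSIG key (referenced here by key name)
    //over a bare source IP.
    allow-transfer {
        //Allow members of the "trusted" ACL, defined above
        trusted;

        //dns.he.net free secondary DNS service
        // 216.218.133.2;
    };

    //Set the base working directory; any relative paths will start from here
    directory "/var/named";

    //DNSSEC trust anchors managed by named are stored here. With
    //dnssec-validation auto (below) named writes into this directory, so it
    //must be writable by the user named runs as.
    managed-keys-directory "/var/named/dynamic";

    //If you run `rndc dumpdb`, the output will go here
    dump-file "/var/named/data/cache_dump.db";

    //If you run `rndc stats`, the output will go here
    statistics-file "/var/named/data/named_stats.txt";

    //On exit, named can write memory usage statistics here
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    //Don't return AAAA records to IPv4 clients if an A record is available.
    //NOTE: only a named built with filter-aaaa support accepts this option;
    //if named-checkconf rejects it, drop this line.
    filter-aaaa-on-v4 yes;

    //Set a memory limit for the cache. If you have lots of RAM, bump this up.
    max-cache-size 256m;

    //Cached records will be purged after this many seconds (at most)
    max-cache-ttl 86400;

    //NXDOMAIN responses will be purged after this many seconds (at most)
    max-ncache-ttl 60;

    //Configure UDP packet sizes that will transit most firewalls unfragmented
    edns-udp-size 1432;
    max-udp-size 1432;

    //Establish a rate limit to discourage malicious use of this server. BIND
    //won't send more than 10 (adjust as desired) identical responses to the
    //same client per second. This makes your authoritative server unattractive
    //for use in DNS amplification attacks. Local networks detected on this
    //machine will be exempted from the rate limit.
    rate-limit {
        responses-per-second 10;
        exempt-clients { localnets; };

        //To measure before enforcing, uncomment this: hits are logged to the
        //rate-limit category but the limit is not applied.
        // log-only yes;
    };

    //Enable DNSSEC with automatic validation using built-in root keys
    dnssec-enable yes;
    dnssec-validation auto;
    bindkeys-file "/etc/bind.keys";

    //When zone files are changed, send notification to slave servers
    notify yes;

    //Obfuscate replies to queries for our server version (CH TXT version.bind).
    //"version" alone leaves two sibling queries answering -- hostname.bind
    //(CH TXT) and the ID.SERVER / NSID name -- so silence those as well.
    version "[SECURED]";
    hostname none;
    server-id none;
};

////////////////////////////////////////////////////////////////////////////////
//The logging{} clause defines the logging facilities, file locations, size,
//and verbosity. Here, BIND is configured to log most types of events into
//separate files on disk. DNSSEC errors will be logged to dnssec.log, security
//errors will be logged to security.log, and so on. For further options, see
//the BIND 9.11 Administrator Reference Manual.
//
///var/log/named must exist and be writable by the user named runs as (with
//bind-chroot the path is relative to the chroot); otherwise these channels
//cannot be opened and their events are lost.
////////////////////////////////////////////////////////////////////////////////
logging {
    //Define a logging "channel," or output facility, for most categories of log
    //events. Any category not defined as its own channel will be logged to the
    //default_file channel.

    //This will be the default channel
    channel default_file {
        //The log file location, with optional size and rotation parameters
        file "/var/log/named/default.log" versions 3 size 5m;
        //Logging level; "dynamic" is adjustable on the fly with `rndc trace`
        severity dynamic;
        //Include a timestamp with each log entry
        print-time yes;
        //Include the logging category with each log entry
        print-category yes;
        //Include the severity with each log entry
        print-severity yes;
    };

    //The remaining channels follow the same pattern: one file per category,
    //3 rotated generations, dynamic severity, full line prefixes.
    channel client_file {
        file "/var/log/named/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel config_file {
        file "/var/log/named/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel database_file {
        file "/var/log/named/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel dispatch_file {
        file "/var/log/named/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel dnssec_file {
        file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel edns-disabled_file {
        file "/var/log/named/edns-disabled.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel general_file {
        file "/var/log/named/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel lame-servers_file {
        file "/var/log/named/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel network_file {
        file "/var/log/named/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel notify_file {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    //Larger cap than the others: query logs grow fast when enabled (see the
    //"queries" category below).
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 50m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel query-errors_file {
        file "/var/log/named/query-error.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel rate-limit_file {
        file "/var/log/named/rate-limit.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel rpz_file {
        file "/var/log/named/rpz.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel security_file {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel spill_file {
        file "/var/log/named/spill.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel unmatched_file {
        file "/var/log/named/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    //Fixed at info rather than dynamic, so `rndc trace` does not change it.
    channel update_file {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    channel xfer-out_file {
        file "/var/log/named/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    //Assign each logging category to one of our defined channels
    category client { client_file; };
    category config { config_file; };
    category database { database_file; };
    category default { default_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category edns-disabled { edns-disabled_file; };
    category general { general_file; };
    category lame-servers { lame-servers_file; };
    category network { network_file; };
    category notify { notify_file; };

    //Query logging can be IO intensive on a busy server, so it's disabled here
    //by routing it to the special "null" channel. To enable logging of all
    //incoming queries (useful when investigating abuse, at the cost of disk
    //and privacy), swap out the commented and uncommented directives.
    category queries { null; };
    // category queries { queries_file; };

    category query-errors { query-errors_file; };
    category rate-limit { rate-limit_file; };
    category resolver { resolver_file; };
    category rpz { rpz_file; };
    category security { security_file; };
    category spill { spill_file; };
    category unmatched { unmatched_file; };
    category update { update_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
};

////////////////////////////////////////////////////////////////////////////////
//A zone{} clause tells BIND that it should follow a given set of rules for the
//specified zone (or domain). Here, we define the default root zone and show an
//example of defining our own authoritative zone.
////////////////////////////////////////////////////////////////////////////////

//The default zone; any zone not subsequently defined will use the root hints.
//Don't delete this clause or comment it out. It's required for BIND to work.
zone "." IN {
    type hint;
    file "named.ca";
};

//The following is a sample authoritative zone{} clause. Suppose you own the
//domain "example.org" and you want your DNS server to respond to queries for
//that domain.
//
//zone "example.org" IN {
//    //We are the authoritative master DNS server for this domain
//    type master;
//
//    //The zone file is in /var/named/zones/example.org.zone
//    file "zones/example.org.zone";
//
//    //The whole world should be able to query our server for this zone. This
//    //must be explicitly defined to override the default allow-query statement
//    //in the options{} clause.
//    allow-query { any; };
//
//    //Dynamic updates are off by default; stating it makes the intent
//    //explicit and survives a later change of the global default.
//    allow-update { none; };
//
//    //If you want to sign this domain for DNSSEC, specify where the keys live
//    //and set a value for inline-signing and auto-dnssec. See the BIND 9.11
//    //Administrator Reference Manual.
//
//    //key-directory "/var/named/keys/example.org";
//    //inline-signing yes;
//    //auto-dnssec maintain;
//};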