////////////////////////////////////////////////////////////////////////////////
//Basic named.conf for a caching, recursive, authoritative BIND 9.11 DNS server.
//Last update: 2019-09-24 - Shaun Cummiskey -
//
//Supplement to the article "Building a BIND 9.11 DNS Server on CentOS 6"
//See:
//
//For an exhaustive list of configuration options, see the BIND manual, Ch. 6:
//
////////////////////////////////////////////////////////////////////////////////
//Create an access control list named "trusted" which we'll use to restrict
//who can query this server as a full-fledged DNS server. Members of this ACL
//will be able to query this server for any zone (e.g. centos.org, google.com)
//even though we aren't authoritative for them. Other networks will only be
//allowed to resolve zones we're authoritative for.
acl "trusted" {
    //The local machine itself (127.0.0.1, ::1 and every address it owns)
    localhost;
    //Every network directly attached to an interface on this machine
    localnets;
    //Add specific addresses or prefixes (other servers, office, home, ...)
    //one per line, each terminated by a semicolon, for example:
    // 172.93.52.73;
};
////////////////////////////////////////////////////////////////////////////////
//The options{} clause sets up global server configurations and defaults.
////////////////////////////////////////////////////////////////////////////////
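options {
    //By default, BIND will listen on port 53 on all interfaces. If you don't
    //want that behavior, you can define specific listen IPs/ports here.
    // listen-on port 53 { 127.0.0.1; 192.168.1.53; };
    // listen-on-v6 port 53 { ::1; };

    //Who's allowed to query this server for any record already in the cache?
    //This includes zones that we aren't authoritative for (e.g. centos.org).
    //You SHOULD restrict this capability to trusted hosts. This is the global
    //default: a zone the whole world should be able to resolve must override
    //it with its own allow-query { any; }; (see the sample zone below).
    allow-query {
        //Allow members of the "trusted" ACL, defined above
        trusted;
    };

    //Who's allowed to read answers out of the cache? BIND derives this from
    //allow-recursion when it isn't set, but stating it explicitly keeps the
    //cache closed even if allow-recursion is later edited or removed.
    allow-query-cache {
        trusted;
    };

    //Who's allowed to query this server recursively? In other words, who can
    //use this server as a wide-open public DNS server to resolve everything?
    //You MUST restrict this capability to trusted hosts! An open recursive
    //resolver is a ready-made reflector for DNS amplification attacks.
    allow-recursion {
        //Allow members of the "trusted" ACL, defined above
        trusted;
    };

    //Who's allowed to request zone transfers (AXFR, IXFR) from this server?
    //If you have slave servers or a secondary/backup DNS provider, those
    //IPs MUST be allowed here. Otherwise, you SHOULD restrict this capability
    //only to trusted hosts. This is an address-based check only; when you do
    //allow a remote secondary, prefer authenticating the transfer with a TSIG
    //key as well (see the "key" and "server" clauses in the BIND manual).
    allow-transfer {
        //Allow members of the "trusted" ACL, defined above
        trusted;
        //dns.he.net free secondary DNS service
        // 216.218.133.2;
    };

    //Set the base working directory; any relative paths will start from here
    directory "/var/named";
    //DNSSEC keys will be stored here
    managed-keys-directory "/var/named/dynamic";
    //If you run `rndc dumpdb`, the output will go here
    dump-file "/var/named/data/cache_dump.db";
    //If you run `rndc stats`, the output will go here
    statistics-file "/var/named/data/named_stats.txt";
    //On exit, named can write memory usage statistics here
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    //Don't return AAAA records to IPv4 clients if an A record is available.
    //NOTE: in 9.11 this option is only present when BIND was built with
    //--enable-filter-aaaa, and the manual itself advises against it unless
    //necessary. DNSSEC-signed answers are left intact (the setting
    //"break-dnssec" would strip them too, at the cost of failing validation).
    //Confirm against the manual for your build before relying on it.
    filter-aaaa-on-v4 yes;

    //Set a memory limit for the cache. If you have lots of RAM, bump this up.
    max-cache-size 256m;
    //Cached records will be purged after this many seconds (at most)
    max-cache-ttl 86400;
    //NXDOMAIN responses will be purged after this many seconds (at most)
    max-ncache-ttl 60;

    //Configure UDP packet sizes that will transit most firewalls unfragmented.
    //(DNS Flag Day 2020 later settled on 1232 as the recommended default;
    //1432 is what the article uses and is still a reasonable upper bound.)
    edns-udp-size 1432;
    max-udp-size 1432;

    //Establish a rate limit to discourage malicious use of this server. BIND
    //won't send more than 10 (adjust as desired) identical responses to the
    //same client per second. This makes your authoritative server unattractive
    //for use in DNS amplification attacks. Local networks detected on this
    //machine will be exempted from the rate limit.
    //To observe what WOULD be limited before enforcing it, add `log-only yes;`
    //inside this block and watch the rate-limit log category.
    rate-limit {
        responses-per-second 10;
        exempt-clients { localnets; };
    };

    //Enable DNSSEC with automatic validation using built-in root keys.
    //(dnssec-enable is redundant in later BIND releases; harmless in 9.11.)
    dnssec-enable yes;
    dnssec-validation auto;
    //Initial trust anchor; once loaded it is kept current automatically
    //(RFC 5011) in the managed-keys-directory set above.
    bindkeys-file "/etc/bind.keys";

    //When zone files are changed, send notification to slave servers
    notify yes;

    //Obfuscate replies to queries for our server version (CH TXT version.bind)
    //and refuse the matching hostname.bind query. This hides the banner only;
    //the software can still be fingerprinted from its behavior, so keep BIND
    //patched rather than relying on this.
    version "[SECURED]";
    hostname none;
};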
////////////////////////////////////////////////////////////////////////////////
//The logging{} clause defines the logging facilities, file locations, size,
//and verbosity. Here, BIND is configured to log most types of events into
//separate files on disk. DNSSEC errors will be logged to dnssec.log, security
//errors will be logged to security.log, and so on. For further options, see
//
////////////////////////////////////////////////////////////////////////////////
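logging {
    //A "channel" is an output destination. Each channel below writes to its
    //own file under /var/log/named, keeps 3 rotated copies, and rolls the file
    //over at 5 MB (50 MB for queries); named performs this rotation itself.
    //The directory must exist and be writable by the user named runs as; if
    //you use the bind-chroot package, the path is resolved inside the chroot.
    //
    //Any category not explicitly assigned at the bottom of this clause is
    //logged to the default_file channel.
    channel default_file {
        //The log file location, with optional size and rotation parameters
        file "/var/log/named/default.log" versions 3 size 5m;
        //Logging level; "dynamic" is adjustable on the fly with `rndc trace`
        severity dynamic;
        //Include a timestamp with each log entry
        print-time yes;
        //Include the logging category with each log entry
        print-category yes;
        //Include the severity with each log entry
        print-severity yes;
    };

    //One file channel per category; all use the same settings as default_file
    //except where noted.
    channel client_file {
        file "/var/log/named/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel config_file {
        file "/var/log/named/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel database_file {
        file "/var/log/named/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel dispatch_file {
        file "/var/log/named/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel dnssec_file {
        file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel edns-disabled_file {
        file "/var/log/named/edns-disabled.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel general_file {
        file "/var/log/named/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel lame-servers_file {
        file "/var/log/named/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel network_file {
        file "/var/log/named/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel notify_file {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    //Larger size limit: query logging is by far the highest-volume category
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 50m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel query-errors_file {
        file "/var/log/named/query-error.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel rate-limit_file {
        file "/var/log/named/rate-limit.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel rpz_file {
        file "/var/log/named/rpz.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    //Security-relevant events (refused queries, denied transfers and updates,
    //ACL rejections) are additionally sent to the local syslog daemon, so
    //they survive the small on-disk rotation above and can be forwarded to a
    //central log collector for alerting. syslog adds its own timestamp.
    channel security_syslog {
        syslog daemon;
        severity info;
        print-category yes;
        print-severity yes;
    };
    channel spill_file {
        file "/var/log/named/spill.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel unmatched_file {
        file "/var/log/named/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    //Fixed at "info" rather than "dynamic", so `rndc trace` does not raise
    //the verbosity of dynamic-update logging along with everything else
    channel update_file {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel xfer-out_file {
        file "/var/log/named/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    //Assign each logging category to one or more of the channels above
    category client { client_file; };
    category config { config_file; };
    category database { database_file; };
    category default { default_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category edns-disabled { edns-disabled_file; };
    category general { general_file; };
    category lame-servers { lame-servers_file; };
    category network { network_file; };
    category notify { notify_file; };
    //Query logging can be IO intensive on a busy server, so it's disabled here
    //by routing it to the special "null" channel. To enable logging of all
    //incoming queries, swap out the commented and uncommented directives
    //(or toggle it at runtime with `rndc querylog`).
    category queries { null; };
    // category queries { queries_file; };
    category query-errors { query-errors_file; };
    category rate-limit { rate-limit_file; };
    category resolver { resolver_file; };
    category rpz { rpz_file; };
    //Security events go both to their own file and to syslog
    category security { security_file; security_syslog; };
    category spill { spill_file; };
    category unmatched { unmatched_file; };
    category update { update_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
};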
////////////////////////////////////////////////////////////////////////////////
//A zone{} clause tells BIND that it should follow a given set of rules for the
//specified zone (or domain). Here, we define the default root zone and show an
//example of defining our own authoritative zone.
////////////////////////////////////////////////////////////////////////////////
//The root hints zone; any name not covered by a zone defined below is resolved
//recursively, starting from the root servers listed in the hints file.
//Don't delete this clause or comment it out. It's required for BIND to work.
zone "." IN {
    //"hint" means this zone only seeds recursion with the root server
    //addresses; we are not authoritative for it and never serve it directly.
    type hint;
    //Relative to the "directory" option above, i.e. /var/named/named.ca.
    //Keep this file current; stale root hints are a common cause of slow
    //or failing recursion after root server address changes.
    file "named.ca";
};
//The following is a sample authoritative zone{} clause. Suppose you own the
//domain "example.org" and you want your DNS server to respond to queries for
//that domain.
//
//zone "example.org" IN {
// //We are the authoritative master DNS server for this domain
// type master;
//
// //The zone file is in /var/named/zones/example.org.zone
// file "zones/example.org.zone";
//
// //The whole world should be able to query our server for this zone. This
// //must be explicitly defined to override the default allow-query statement
// //in the options{} clause.
// allow-query { any; };
//
// //If you want to sign this domain for DNSSEC, specify where the keys live
// //and set a value for inline-signing and auto-dnssec. See the BIND manual
// //for the full procedure.
// //key-directory "/var/named/keys/example.org";
// //inline-signing yes;
// //auto-dnssec maintain;
//};