// (oe) Loosely based on the document below and from production server configurations. // http://www.cymru.com/Documents/secure-bind-template.html // // $Id: named.conf 80849 2007-09-06 11:56:48Z oden $ // $HeadURL: svn+ssh://svn.mandriva.com/svn/packages/cooker/bind/current/SOURCES/named.conf $ // secret must be the same as in /etc/rndc.conf include "/etc/rndc.key"; controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { mykey; }; }; // Access lists (ACL's) should be defined here include "/etc/bogon_acl.conf"; include "/etc/trusted_networks_acl.conf"; // Define logging channels include "/etc/logging.conf"; options { version ""; directory "/var/named"; dump-file "/var/tmp/named_dump.db"; pid-file "/var/run/named.pid"; statistics-file "/var/tmp/named.stats"; zone-statistics yes; // datasize 256M; coresize 100M; // fetch-glue no; // recursion no; // recursive-clients 10000; auth-nxdomain yes; query-source address * port *; listen-on port 53 { any; }; cleaning-interval 120; transfers-in 20; transfers-per-ns 2; lame-ttl 0; max-ncache-ttl 10800; // forwarders { first_public_nameserver_ip; second_public_nameserver_ip; }; // allow-update { none; }; // allow-transfer { any; }; // Prevent DoS attacks by generating bogus zone transfer // requests. This will result in slower updates to the // slave servers (e.g. they will await the poll interval // before checking for updates). notify no; // notify explicit; // also-notify { secondary_name_server }; // Generate more efficient zone transfers. This will place // multiple DNS records in a DNS message, instead of one per // DNS message. transfer-format many-answers; // Set the maximum zone transfer time to something more // reasonable. In this case, we state that any zone transfer // that takes longer than 60 minutes is unlikely to ever // complete. WARNING: If you have very large zone files, // adjust this to fit your requirements. max-transfer-time-in 60; // We have no dynamic interfaces, so BIND shouldn't need to // poll for interface state {UP|DOWN}. interface-interval 0; // Uncoment these to enable IPv6 connections support // IPv4 will still work // listen-on { none; }; // listen-on-v6 { any; }; // allow-query { trusted_networks; }; allow-recursion { trusted_networks; }; // Deny anything from the bogon networks as // detailed in the "bogon" ACL. blackhole { bogon; }; }; // workaround stupid stuff... (OE: Wed 17 Sep 2003) zone "ac" { type delegation-only; }; zone "cc" { type delegation-only; }; zone "com" { type delegation-only; }; zone "cx" { type delegation-only; }; zone "lv" { type delegation-only; }; zone "museum" { type delegation-only; }; zone "net" { type delegation-only; }; zone "nu" { type delegation-only; }; zone "ph" { type delegation-only; }; zone "sh" { type delegation-only; }; zone "tm" { type delegation-only; }; zone "ws" { type delegation-only; }; zone "." IN { type hint; file "named.ca"; }; zone "localdomain" IN { type master; file "master/localdomain.zone"; allow-update { none; }; }; zone "localhost" IN { type master; file "master/localhost.zone"; allow-update { none; }; }; zone "0.0.127.in-addr.arpa" IN { type master; file "reverse/named.local"; allow-update { none; }; }; zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "reverse/named.ip6.local"; allow-update { none; }; }; zone "255.in-addr.arpa" IN { type master; file "reverse/named.broadcast"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "reverse/named.zero"; allow-update { none; }; };