
dhcp-doc-4.1.0-5.4mdv2009.1.x86_64.rpm

/* 
  This is the default named.conf for bind9 on Trustix Secure Linux.
  Some of these settings are made to enhance your system security,
  but certain domain configurations may force you to make certain changes. 
  It is heavily inspired by Securing BIND Template by 
  Rob Thomas robt at cymru dot com.
  If there are any errors, they are probably mine, so you are far better
  off asking on tsl-discuss at tslng dot org than bugging Rob.  You may
  want to thank him for his excellent work though.
  Erlend Midttun <erlendbm at tslng dot org>
*/

/*
  Setting up some Access Control Lists
*/
/*
  List of secondary nameservers or other servers/networks you want to
  permit zone transfers.
  Example:
*/
acl secondaries {
	// Hosts allowed to pull zone transfers (AXFR/IXFR) through the
	// global allow-transfer in "options" below.  Only the local host is
	// listed; add real secondary servers here by address rather than
	// widening allow-transfer itself.
	localhost;
};

/*
  These are the clients that are allowed to use this name server for
  normal DNS queries.
*/
acl trusted {
	// "localnets" is BIND's built-in ACL for every network directly
	// attached to this host's interfaces.  This acl gates allow-query,
	// allow-recursion and the "internal-in" view below, so every host on
	// those networks receives recursive service.
	localnets;
};

/*
  These are addresses you do not wish to answer DNS queries from at all.
  You may wish to add the list of RFC1918 networks here as well as the
  IANA list of test, multicast or experimental networks.
  You may want to review such a list every now and then though if you
  choose to use it.
*/
acl drop {
  // Used by the "blackhole" option in "options": queries from these
  // sources are not answered at all.  NOTE(review): 224.0.0.0/24 is only
  // the multicast local-network control block; the whole multicast range
  // is 224.0.0.0/4.  Review anything added here carefully — a mistaken
  // entry cuts clients off without a REFUSED answer to hint at the cause.
  224.0.0.0/24;
};

/*
  Logging.  We send it to syslog and let it sort out the rest.
*/
logging {
/*
  Send everything to syslog facility local2 instead of the default
  "daemon" facility, so named's messages can be filed separately from
  the other daemons that use "daemon".  "severity debug" passes every
  level through to syslog, which then decides what to keep.
*/
	channel my_syslog {
		syslog local2;
		severity debug;
	};
/*
  Route every category to my_syslog unless it is overridden below.
*/
	category default { my_syslog; };
/*
  Logging is good, but there are just too many broken configurations out
  there.  Lame-server reports are the most common error and nothing can
  be done about them locally, so they are discarded.  Anything sent to
  the "null" channel is lost for good, so keep this list short.
*/
	category lame-servers { null; };
};

/*
  Now this is the place for general options.
*/
options {
	// Working directory; relative "file" paths in the zones below are
	// resolved against it.
	directory "/var/named";

	// The pid file
	pid-file "/var/run/named/named.pid";

	// The statistics file
	statistics-file "/var/run/named/named.stats";

	/* 
	  Force old style query port.  May help you through some firewalls,
	  but pinning outbound queries to port 53 removes source-port
	  randomization, which is the main defence against cache-poisoning
	  of a recursive server.  Keep this disabled unless a firewall
	  genuinely leaves no choice, and then at least keep recursion
	  limited to "trusted" as below.
	  Default is to use an unprivileged port.
	*/
	// query-source address * port 53;

	/*
	  Generate more efficient zone transfers.  This will place
	  multiple DNS records in a DNS message, instead of one per
	  DNS message.
	*/
	transfer-format many-answers;

	/*
	  Set the maximum zone transfer time to something more
	  reasonable.  In this case, we state that any zone transfer
	  that takes longer than 60 minutes is unlikely to ever
	  complete.  WARNING:  If you have very large zone files,
	  adjust this to fit your requirements.
	*/
	max-transfer-time-in 60;

	/*
	  We have no dynamic interfaces, so BIND shouldn't need to
	  poll for interface state {UP|DOWN}.
	*/
	interface-interval 0;

	/*
	  Restrict zone transfers to the servers specified as secondary
	  name servers.  A transfer hands out the whole zone, so this is
	  the default for every zone; individual zones may override it
	  (see the "none" setting on 127.in-addr.arpa below).
	*/
	allow-transfer { 
		secondaries;
	};

	/*
	  Only allow queries and recursive queries from local networks
	  to prevent abuse: an openly recursive server is a ready-made
	  reflector for amplification attacks against third parties.
	  For domains you are authoritative for, enable it with
	      allow-query { any; };
	  on a per domain basis or place them in the "external-in"
	  view.
	  Tips posted on Bugtraq Tue Sep 9 2003 by Chris Brenton
	*/
	allow-query {
		trusted;
	};
	allow-recursion {
		trusted;
	};
	/* Or you can allow specific networks like this if you need to */
	// allow-query { localnets; 192.168.1.0/24; };
	// allow-recursion { localnets; 192.168.1.0/24; };

	/*
	  Deny anything from the networks listed in the "drop" acl.
	  Unlike a plain allow-query miss, blackholed sources get no
	  answer at all, so entries here are invisible to the client.
	*/
	blackhole {
		drop;
	};
};

/*
  Note that neither the 'logging' nor the 'options' statement may appear more than once.
*/

/*
  Zone settings; You probably want to make changes here according to your
  domain configuration.
*/


view "internal-in" in {
/*
	Our internal (trusted) view. We permit the internal networks
	to freely access this view. We perform recursion for our
	internal hosts, and retrieve data from the cache for them.
	Views are matched in order, so this view must stay above
	"external-in": a trusted client that fell through would land in
	the non-recursive external view.
*/
	match-clients { trusted; };
	recursion yes;
	additional-from-auth yes;
	additional-from-cache yes;

	zone "." in {
	   // Link in the root server hint file.
	   type hint;
	   file "root.cache";
	};
        zone "127.in-addr.arpa" in {
/*
	Allow queries for the 127/8 network, but not zone transfers.
	Every name server, both slave and master, will be a master
	for this zone.  allow-transfer { none; } overrides the global
	"secondaries" default from "options".
*/
	  type master;
	  file "master/127.in-addr.arpa";
	  allow-query {
	      any;
	  };
	  allow-transfer {
	      none;
	  };
        };
	// And of course the localhost
	zone "localhost" in {
	  type master;
	  allow-query { any; };
	  file "master/localhost";
	};
	// Broadcast zones.  These and "localhost" set allow-query but not
	// allow-transfer, so the global "secondaries" acl still applies.
	zone "0.in-addr.arpa" {
	  type master;
	  allow-query { any; };
	  file "master/0.in-addr.arpa";
	};
	zone "255.in-addr.arpa" {
	  type master;
	  allow-query { any; };
	  file "master/255.in-addr.arpa";
	};
	/*
	  Seems Verisign answers to any query for these zones pointing
	  them to their own website.  We therefore only care for NS
	  records for these domains: with delegation-only, anything the
	  TLD servers return other than a referral is treated as
	  non-existent.  Only recursive clients see this, which is why
	  it lives in this view and not in "external-in".
	*/
	zone "com." {
		type delegation-only;
	};
	zone "net." {
		type delegation-only;
	};
/*
        zone "internal.ournetwork.com" in {
	   // Our internal A RR zone. There may be several of these.
	   type master;
	   file "master/internal.ournetwork.com";
        };
*/
/*
        zone "7.7.7.in-addr.arpa" in {
	   // Our internal PTR RR zone. Again, there may be several of these.
	   type master;
	   file "master/7.7.7.in-addr.arpa";
        };
*/
   };

// Create a view for external DNS clients.
view "external-in" in {
	// Our external (untrusted) view. We permit any client to access
	// portions of this view. We do not perform recursion or cache
	// access for hosts using this view.
	// allow-transfer is not set here, so the global "secondaries"
	// acl (localhost only) still governs transfers of zones declared
	// in this view.
	match-clients { any; };
	recursion no;
	additional-from-auth no;
	additional-from-cache no;
	allow-query { any; };


	// Link in our zones
	// NOTE(review): with "recursion no", external clients are only
	// answered for zones declared in this view; the root hint does
	// not let them resolve arbitrary names through this server.
	zone "." in {
	   type hint;
	   file "root.cache";
	};
/*
       zone "ournetwork.net" in {
	   type master;
	   file "master/ournetwork.net";
       };
*/
/*
       zone "8.8.8.in-addr.arpa" in {
	   type master;
	   file "master/8.8.8.in-addr.arpa";
       };
*/
};

view tighten-chaos chaos {
	/*
	 The "chaos" type is used among others, to request the version 
	 information from bind (version.bind and similar names under the
	 "bind" CH zone).  This release of bind allows for you to 
	 set what it should report as version, but I prefer just to deny 
	 (and therefore log) it. In order to do this we need our own 
	 chaos view, which is matched by everyone.  Hiding the version
	 does not remove any vulnerability; it only denies the attacker a
	 cheap fingerprint, so keep patching regardless.
	*/

	match-clients { any; };
	recursion no;

	// Empty root hints for the CH class: nothing outside the "bind"
	// zone below can be resolved here.  NOTE(review): named may warn
	// about a hint file with no root servers — confirm in the logs.
	zone "." chaos { 
		type hint; 
		file "/dev/null";
	};

	// Owning the "bind" CH zone ourselves means the built-in
	// version/hostname answers are never consulted; allow-query none
	// refuses every query for it instead.
	zone "bind" chaos {
		type master;
		file "master/bind.chaos";
		allow-query { none; };
		allow-transfer { none; };
	};
};