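// (oe) loosely based on the document below and from production server configurations.
// http://www.cymru.com/Documents/secure-bind-template.html

// secret must be the same as in /etc/rndc.conf
// NOTE(review): the key material lives in the main configuration file. Keep this
// file readable only by the named user (or move the key statement into a separate
// mode-0600 file pulled in with include), and treat a secret that has ever been
// published in a shared template as compromised -- regenerate it on both sides.
// hmac-md5 is kept because it must match /etc/rndc.conf; newer BIND releases
// accept hmac-sha256, which is the better choice when both files are changed together.
key mykey {
    algorithm hmac-md5;
    secret "IriCelUSbPMypSjImBsiTHMauOumRPMkdBjoxVINAx0vxJZNRKGWzFCKibad";
};

// rndc control channel: loopback only, authenticated with mykey.
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { mykey; };
};

// Access lists (ACL's) should be defined here
include "bogon_acl.conf";

options {
    // Empty version string: the server does not reveal its release in version.bind.
    version "";
    directory "/var/named";
    dump-file "/var/tmp/named_dump.db";
    pid-file "/var/run/named/named.pid";
    statistics-file "/var/tmp/named.stats";
    zone-statistics yes;
    coresize 100M;
    // fetch-glue no;
    // recursion no;
    auth-nxdomain yes;
    query-source address * port *;
    listen-on port 53 { any; };

    // Recursion is left enabled (see the commented "recursion no" above), so
    // restrict who may use it. With listen-on { any; } and no allow-recursion,
    // the server would answer recursive queries from the whole Internet -- an
    // open resolver that attracts cache-poisoning attempts and reflection traffic.
    // localhost and localnets are BIND's built-in ACLs; widen the list only if
    // remote clients legitimately resolve through this server.
    allow-recursion { localhost; localnets; };

    cleaning-interval 120;
    transfers-in 20;
    transfers-per-ns 2;
    lame-ttl 0;
    max-ncache-ttl 10800;
    // allow-update { none; };
    // allow-transfer { any; };

    // Prevent DoS attacks by generating bogus zone transfer
    // requests. This will result in slower updates to the
    // slave servers (e.g. they will await the poll interval
    // before checking for updates).
    notify no;

    // Generate more efficient zone transfers. This will place
    // multiple DNS records in a DNS message, instead of one per
    // DNS message.
    transfer-format many-answers;

    // Set the maximum zone transfer time to something more
    // reasonable. In this case, we state that any zone transfer
    // that takes longer than 60 minutes is unlikely to ever
    // complete. WARNING: If you have very large zone files,
    // adjust this to fit your requirements.
    max-transfer-time-in 60;

    // We have no dynamic interfaces, so BIND shouldn't need to
    // poll for interface state {UP|DOWN}.
    interface-interval 0;

    // Uncomment these to enable IPv6 connections support
    // IPv4 will still work
    // listen-on { none; };
    // listen-on-v6 { any; };

    // Deny anything from the bogon networks as
    // detailed in the "bogon" ACL.
    blackhole { bogon; };

    // root-delegation-only exclude { "de"; "lv"; "museum"; };
};

// define logging channels
include "logging.conf";

zone "." {
    type hint;
    file "named.ca";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
};

// workaround stupid stuff... (OE: Wed 17 Sep 2003)
zone "ac" { type delegation-only; };
zone "cc" { type delegation-only; };
zone "com" { type delegation-only; };
zone "cx" { type delegation-only; };
zone "museum" { type delegation-only; };
zone "net" { type delegation-only; };
zone "nu" { type delegation-only; };
zone "ph" { type delegation-only; };
zone "sh" { type delegation-only; };
zone "tm" { type delegation-only; };
zone "ws" { type delegation-only; };

// NOTE(review): dynamic updates below are authorized with the same key that
// controls rndc, so any update client can also reconfigure or stop the server.
// Least privilege would use a dedicated update key; left as-is because changing
// it means re-keying /etc/rndc.conf or every update client.
zone "2.168.192.in-addr.arpa" {
    type master;
    file "mandrakesoft.reversed";
    allow-update { key mykey; };
};

zone "mandrakesoft.com" {
    type master;
    file "mandrakesoft.zone";
    allow-update { key mykey; };
};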