/*
 * Default named.conf for BIND 9 on Trustix Secure Linux.
 *
 * Several settings below are deliberately restrictive to harden the
 * resolver; some domain layouts will need you to relax them.  Heavily
 * inspired by Rob Thomas' "Securing BIND Template" (robt at cymru dot
 * com).  Any mistakes are most likely ours, so ask on tsl-discuss at
 * tslng dot org rather than bothering Rob -- but do thank him for the
 * excellent original work.
 *
 * Erlend Midttun <erlendbm at tslng dot org>
 */

/* ---------------------------------------------------------------------
 * Access control lists
 * ------------------------------------------------------------------- */

/*
 * Hosts/networks permitted to pull zone transfers (your secondaries).
 * Address-based control is a coarse check; if your BIND supports it,
 * TSIG-signed transfers with key-based ACL entries are the stronger
 * option.  Example entry only:
 */
acl secondaries {
	localhost;
};

/*
 * Clients allowed to use this server for ordinary (including recursive)
 * lookups.  Note that "localnets" is derived from the netmasks of the
 * interfaces named listens on, so review it whenever interfaces change.
 */
acl trusted {
	localnets;
};

/*
 * Source addresses we refuse to talk to at all.  Candidates are the
 * RFC 1918 ranges and IANA's test/multicast/experimental blocks, but any
 * such list needs periodic review.  NOTE: 224.0.0.0/24 below is only the
 * local-network-control multicast block; no legitimate query ever
 * arrives from a multicast source, so 224.0.0.0/4 is the usual wider
 * entry if you want to cover all of multicast.
 */
acl drop {
	224.0.0.0/24;
};

/* ---------------------------------------------------------------------
 * Logging -- everything goes to syslog, which sorts it out
 * ------------------------------------------------------------------- */
logging {
	/*
	 * Facility local2 rather than the default "daemon" keeps BIND's
	 * messages separate from the other daemons.  "debug" is verbose;
	 * drop it to "info" if the volume is a problem.
	 */
	channel my_syslog {
		syslog local2;
		severity debug;
	};

	/* Default channel for every category not listed explicitly. */
	category default { my_syslog; };

	/*
	 * Logging is good, but the Internet is full of broken delegations
	 * you can do nothing about, so the most common noise is discarded.
	 */
	category lame-servers { null; };
};

/* ---------------------------------------------------------------------
 * General options
 * ------------------------------------------------------------------- */
options {
	// Working directory for zone files and friends
	directory "/var/named";

	// PID file
	pid-file "/var/run/named/named.pid";

	// Statistics dump file
	statistics-file "/var/run/named/named.stats";

	/*
	 * Force old-style queries from source port 53.  This may get you
	 * through some firewalls, but the default (a random unprivileged
	 * port) is the safer choice: a fixed source port removes one of
	 * the defences against cache poisoning.  Leave this commented out
	 * unless a firewall genuinely requires it.
	 */
	// query-source address * port 53;

	/*
	 * More efficient zone transfers: several RRs per DNS message
	 * instead of one per message.
	 */
	transfer-format many-answers;

	/*
	 * Cap inbound zone transfers at something sensible: a transfer
	 * still running after 60 minutes is unlikely to ever finish.
	 * WARNING: raise this if you have very large zones.
	 */
	max-transfer-time-in 60;

	/*
	 * No dynamic interfaces here, so named need not poll for
	 * interface up/down changes.
	 */
	interface-interval 0;

	/* Only the "secondaries" ACL may pull zone transfers. */
	allow-transfer { secondaries; };

	/*
	 * Queries, and in particular recursion, are limited to the local
	 * networks to prevent abuse (open resolvers are a favourite
	 * reflection/amplification tool).  For zones you are authoritative
	 * for, either set allow-query { any; }; per zone or place them in
	 * the "external-in" view below.
	 * Tip posted on Bugtraq, Tue Sep 9 2003, by Chris Brenton.
	 */
	allow-query { trusted; };
	allow-recursion { trusted; };

	/* ...or list specific networks instead, if you need to: */
	// allow-query { localnets; 192.168.1.0/24; };
	// allow-recursion { localnets; 192.168.1.0/24; };

	/*
	 * Ignore anything from the "drop" ACL entirely.  Note that
	 * blackhole also stops named from *sending* queries to those
	 * addresses while resolving.
	 */
	blackhole { drop; };
};

/* Note: the 'logging' and 'options' statements may each appear only once. */

/* ---------------------------------------------------------------------
 * Zones -- adjust to match your own domain layout.
 * Views are matched in the order written, so keep "internal-in" first.
 * ------------------------------------------------------------------- */

/*
 * Internal (trusted) view.  Internal networks get full access: we
 * recurse on their behalf and answer from the cache.
 * NOTE(review): additional-from-auth/additional-from-cache were removed
 * in later BIND 9 releases; drop them if your version rejects them.
 */
view "internal-in" in {
	match-clients { trusted; };
	recursion yes;
	additional-from-auth yes;
	additional-from-cache yes;

	// Root server hints
	zone "." in {
		type hint;
		file "root.cache";
	};

	/*
	 * Reverse zone for 127/8.  Anyone may query it, nobody may
	 * transfer it.  Every server, primary or secondary, is a master
	 * for this zone.
	 */
	zone "127.in-addr.arpa" in {
		type master;
		file "master/127.in-addr.arpa";
		allow-query { any; };
		allow-transfer { none; };
	};

	// ...and the matching forward zone
	zone "localhost" in {
		type master;
		allow-query { any; };
		file "master/localhost";
	};

	// Broadcast address zones
	zone "0.in-addr.arpa" {
		type master;
		allow-query { any; };
		file "master/0.in-addr.arpa";
	};

	zone "255.in-addr.arpa" {
		type master;
		allow-query { any; };
		file "master/255.in-addr.arpa";
	};

	/*
	 * Verisign at one point answered any unknown name under these
	 * TLDs with its own web site (the 2003 "SiteFinder" wildcard), so
	 * only NS records are honoured for them.  That wildcard has since
	 * been withdrawn, and delegation-only is deprecated in newer BIND
	 * releases -- check whether your version still accepts it.
	 */
	zone "com." {
		type delegation-only;
	};

	zone "net." {
		type delegation-only;
	};

	/* Internal forward (A RR) zones -- there may be several of these. */
	/*
	zone "internal.ournetwork.com" in {
		type master;
		file "master/internal.ournetwork.com";
	};
	*/

	/* Internal reverse (PTR RR) zones -- again, possibly several. */
	/*
	zone "7.7.7.in-addr.arpa" in {
		type master;
		file "master/7.7.7.in-addr.arpa";
	};
	*/
};

/*
 * External (untrusted) view.  Any client may reach parts of this view,
 * but we neither recurse nor hand out cached data to them -- only the
 * zones listed here are answered.
 */
view "external-in" in {
	match-clients { any; };
	recursion no;
	additional-from-auth no;
	additional-from-cache no;
	allow-query { any; };

	// Root server hints
	zone "." in {
		type hint;
		file "root.cache";
	};

	/* Public forward zone(s) */
	/*
	zone "ournetwork.net" in {
		type master;
		file "master/ournetwork.net";
	};
	*/

	/* Public reverse zone(s) */
	/*
	zone "8.8.8.in-addr.arpa" in {
		type master;
		file "master/8.8.8.in-addr.arpa";
	};
	*/
};

/*
 * CHAOS class view.  The CHAOS class is used, among other things, to ask
 * BIND for its version string (version.bind).  This release lets you set
 * an arbitrary string instead, but we prefer to refuse the query (which
 * also gets it logged).  Doing so needs a dedicated chaos view that
 * every client matches.
 */
view tighten-chaos chaos {
	match-clients { any; };
	recursion no;

	zone "." chaos {
		type hint;
		file "/dev/null";
	};

	zone "bind" chaos {
		type master;
		file "master/bind.chaos";
		allow-query { none; };
		allow-transfer { none; };
	};
};