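// BIND 9 named.conf for a split-horizon setup: one server that is an
// internal recursive resolver for the "trusted" ACL and an authoritative-only
// server for everyone else. Three views are defined below:
//   "internal-in"  - trusted clients, recursion on, internal zone data
//   "external-in"  - any client, recursion off, public zone data only
//   "bind-chaos"   - CH class (version.bind style queries), trusted only
include "/etc/named.root.key";

// Allow no zone transfers. Any secondaries should be added here. This ACL is
// also installed as the global allow-transfer default in "options" below, so
// every view and zone inherits "none" unless it explicitly overrides it.
acl "xfer" {
    none;
};

// This should include any internal and DMZ subnets so intranet and servers
// can query our internal zones. This also prevents outside hosts from using
// our name server as a resolver for other domains.
acl "trusted" {
    10.87.19.0/24;
    2001:abcd:ef::/64;
    fc00::/7;        // IPv6 unique-local space
    fe80::/10;       // IPv6 link-local
    127.0.0.1;
    ::1;
};

// rndc control key. The secret here is a generation-time placeholder; the
// real value should not live in a world-readable named.conf -- keeping it in
// a separately included, root/named-only readable file (e.g. /etc/rndc.key)
// is the usual arrangement.
key "control-key" {
    algorithm hmac-sha256;
    secret "##!!pulled-from-rndc.conf-generation!!##";
};

// rndc is reachable only over loopback and only with the key above.
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "control-key"; };
};

// Both channels run at "debug" severity and the "queries" category is routed
// to audit_syslog, so every client query (client address + name asked for)
// ends up in syslog. Expect high volume on busy resolvers and treat the
// local3 stream as sensitive data.
logging {
    channel default_syslog {
        severity debug;
        syslog local2;
    };
    channel audit_syslog {
        severity debug;
        syslog local3;
    };

    category default      { default_syslog; };
    category client       { audit_syslog; };
    category config       { default_syslog; };
    category dnssec       { audit_syslog; };
    category general      { default_syslog; };
    category lame-servers { audit_syslog; };
    category network      { audit_syslog; };
    category notify       { audit_syslog; };
    category queries      { audit_syslog; };
    category resolver     { audit_syslog; };
    category security     { audit_syslog; default_syslog; };
    category update       { audit_syslog; };
    category xfer-in      { audit_syslog; };
    category xfer-out     { audit_syslog; };
};

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };

    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    zone-statistics yes;

    // Override the version information to reduce enumeration options
    version "It's over 9000";

    // Global zone-transfer default: nobody. A view or zone that omits
    // allow-transfer otherwise falls back to BIND's built-in default, which
    // in many releases permits transfers to any host. The "external-in" view
    // below previously had no allow-transfer of its own, so its public zones
    // could have been AXFR'd by arbitrary Internet hosts.
    allow-transfer { xfer; };

    // More efficient zone transfers
    transfer-format many-answers;

    // Maximum time an INBOUND zone transfer (this server acting as a
    // secondary) may take. Any zone transfer that takes longer than 15
    // minutes is unlikely to ever complete; HUGE zone files may need this
    // raised. No secondary zones are defined in this file, so this only
    // matters if some are added later.
    max-transfer-time-in 15;

    // With no dynamic interfaces, bind doesn't need to poll for interface state
    interface-interval 0;

    dnssec-validation auto;
    managed-keys-directory "/var/named/dynamic";

    // Only accept queries and cached queries from the trusted ACL. Zones that
    // must be publicly visible override allow-query inside "external-in".
    allow-query { trusted; };
    allow-query-cache { trusted; };
};

// Trusted portion of the split-horizon DNS containing internal domains,
// private records, as well as allowing recursive lookups.
view "internal-in" in {
    match-clients { trusted; };
    recursion yes;

    // NOTE(review): additional-from-auth / additional-from-cache are reported
    // as obsolete in newer BIND 9 releases -- confirm they are still honoured
    // by the deployed version or drop them.
    additional-from-auth yes;
    additional-from-cache yes;

    // Zone transfers limited to members of the "xfer" ACL
    allow-transfer { xfer; };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "1057.name" IN {
        type primary;
        file "data/internal/1057.name.zone.db";
        allow-update { none; };
    };

    zone "19.87.10.in-addr.arpa" IN {
        type primary;
        file "data/internal/19.87.10.in-addr.arpa.zone.db";
        allow-update { none; };
    };

    zone "0.0.0.0.f.e.0.0.d.c.b.a.1.0.0.2.ip6.arpa" IN {
        type primary;
        file "data/internal/0.0.0.0.f.e.0.0.d.c.b.a.1.0.0.2.arpa.zone.db";
        allow-update { none; };
    };

    include "/etc/named.rfc1912.zones";
};

// Untrusted/External portion of the split-horizon DNS: serves only the public
// copies of our zones, authoritatively, with no recursion and no cache access
// (allow-query-cache is limited to "trusted" in options).
view "external-in" in {
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;

    // Stated explicitly here as well as globally: no AXFR/IXFR to the public.
    allow-transfer { xfer; };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "1057.name" IN {
        type primary;
        file "data/public/1057.name.zone.db";
        allow-query { any; };
        allow-update { none; };
    };

    zone "0.0.0.0.f.e.0.0.d.c.b.a.1.0.0.2.ip6.arpa" IN {
        type primary;
        file "data/public/0.0.0.0.f.e.0.0.d.c.b.a.1.0.0.2.arpa.zone.db";
        allow-query { any; };
        allow-update { none; };
    };
};

// View for users attempting to query the server using the CHAOS class. Trusted
// users can still use this to query for the server's version number; everyone
// else is refused.
view "bind-chaos" chaos {
    match-clients { any; };
    recursion no;

    zone "bind" {
        type primary;
        file "db.bind";
        allow-query { trusted; };
        allow-transfer { none; };
    };
};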