FastHandle - Automation Examples

FastHandle is fast operation tools for infrastructure configurations and tests.

User Tools

Site Tools


Top     SiteMap

Sidebar


Top     SiteMap

Manager Server

Target Server













.

middleware:bind:conf002.html



BIND (bind.py)

bind-9.9.4 sample Configuration

Introduction

  • CentOS7
  • /usr/share/doc/bind-9.9.4/sample/


/etc/named.conf

/usr/share/doc/bind-9.9.4/sample/etc/named.conf

/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.

 See the BIND Administrator's Reference Manual (ARM) for details about the
 configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
*/

options
{
        // Put files that named is allowed to write in the data/ directory:
        directory               "/var/named";           // "Working" directory
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";


        /*
          Specify listenning interfaces. You can use list of addresses (';' is
          delimiter) or keywords "any"/"none"
        */
        //listen-on port 53     { any; };
        listen-on port 53       { 127.0.0.1; };

        //listen-on-v6 port 53  { any; };
        listen-on-v6 port 53    { ::1; };

        /*
          Access restrictions

          There are two important options:
            allow-query { argument; };
              - allow queries for authoritative data

            allow-query-cache { argument; };
              - allow queries for non-authoritative data (mostly cached data)

          You can use address, network address or keywords "any"/"localhost"/"none" as argument
          Examples:
            allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
            allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
        */

        allow-query             { localhost; };
        allow-query-cache       { localhost; };

        /* Enable/disable recursion - recursion yes/no;

         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
         */
        recursion yes;

        /* DNSSEC related options. See information about keys ("Trusted keys", bellow) */

        /* Enable serving of DNSSEC related data - enable on both authoritative
           and recursive servers DNSSEC aware servers */
        dnssec-enable yes;

        /* Enable DNSSEC validation on recursive servers */
        dnssec-validation yes;

        /* In RHEL-7 we use /run/named instead of default /var/run/named
           so we have to configure paths properly. */
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        managed-keys-directory "/var/named/dynamic";
};

logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

/*
 Views let a name server answer a DNS query differently depending on who is asking.

 By default, if named.conf contains no "view" clauses, all zones are in the
 "default" view, which matches all clients.

 Views are processed sequentially. The first match is used so the last view should
 match "any" - it's fallback and the most restricted view.

 If named.conf contains any "view" clause, then all zones MUST be in a view.
*/

view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
        match-clients           { localhost; };
        recursion yes;

        # all views must contain the root hints zone:
        zone "." IN {
                type hint;
                file "/var/named/named.ca";
        };

        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * not leak to the other nameservers:
         */
        include "/etc/named.rfc1912.zones";
};
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
   that connect via your directly attached LAN interfaces - "localnets" .
 */
        match-clients           { localnets; };
        recursion yes;

        zone "." IN {
                type hint;
                file "/var/named/named.ca";
        };

        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
         * not leak to the other nameservers:
         */
        include "/etc/named.rfc1912.zones";

        // These are your "authoritative" internal zones, and would probably
        // also be included in the "localhost_resolver" view above :

        /*
          NOTE for dynamic DNS zones and secondary zones:

          DO NOT USE SAME FILES IN MULTIPLE VIEWS!

          If you are using views and DDNS/secondary zones it is strongly
          recommended to read FAQ on ISC site (www.isc.org), section
          "Configuration and Setup Questions", questions
          "How do I share a dynamic zone between multiple views?" and
          "How can I make a server a slave for both an internal and an external
           view at the same time?"
        */

        zone "my.internal.zone" {
                type master;
                file "my.internal.zone.db";
        };
        zone "my.slave.internal.zone" {
                type slave;
                file "slaves/my.slave.internal.zone.db";
                masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
                // put slave zones in the slaves/ directory so named can update them
        };
        zone "my.ddns.internal.zone" {
                type master;
                allow-update { key ddns_key; };
                file "dynamic/my.ddns.internal.zone.db";
                // put dynamically updateable zones in the slaves/ directory so named can update them
        };
};

key ddns_key
{
        algorithm hmac-md5;
        secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
};

view "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not match any above view:
 */
        match-clients           { any; };

        zone "." IN {
                type hint;
                file "/var/named/named.ca";
        };

        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers

        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:

        zone "my.external.zone" {
                type master;
                file "my.external.zone.db";
        };
};

/* Trusted keys

  This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
  have to configure at least one trusted key.

  Note that no key written below is valid. Especially root key because root zone
  is not signed yet.
*/
/*
trusted-keys {
// Root Key
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
             E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
             zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
             MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
             /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
             iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
             Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";

// Key for forward zone
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
                      OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
                      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
                      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
                      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
                      SCThlHf3xiYleDbt/o1OTQ09A0=";

// Key for reverse zone.
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
                                tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
                                yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
                                4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
                                zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
                                7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
                                52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
};
*/


named.rfc1912.zones

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};


named.localhost

$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1


named.loopback

$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
        PTR     localhost.




/var/named/my.external.zone.db

/usr/share/doc/bind-9.9.4/sample/var/named/my.external.zone.db

@ in soa localhost. root 1 3H 15M 1W 1D
  ns localhost.


/var/named/my.internal.zone.db



middleware/bind/conf002.html.txt ยท Last modified: 2018/02/13 00:36 by kurihara