130 lines
2.7 KiB
Django/Jinja
130 lines
2.7 KiB
Django/Jinja
//
|
|
// named.conf
|
|
//
|
|
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
|
|
// server as a caching only nameserver (as a localhost DNS resolver only).
|
|
//
|
|
// See /usr/share/doc/bind*/sample/ for example named configuration files.
|
|
//
|
|
|
|
options {
|
|
listen-on port 53 {
|
|
{% for ip in bind9_listen_on_ipv4 %}
|
|
{{ ip }};
|
|
{% endfor %}
|
|
127.0.0.1;
|
|
};
|
|
|
|
listen-on-v6 port 53 {
|
|
{% for ip in bind9_listen_on_ipv6 %}
|
|
{{ ip }};
|
|
{% endfor %}
|
|
::1;
|
|
};
|
|
|
|
directory "/var/named";
|
|
dump-file "/var/named/data/cache_dump.db";
|
|
statistics-file "/var/named/data/named_stats.txt";
|
|
memstatistics-file "/var/named/data/named_mem_stats.txt";
|
|
secroots-file "/var/named/data/named.secroots";
|
|
recursing-file "/var/named/data/named.recursing";
|
|
|
|
allow-query {
|
|
{% for ip in bind9_global_allow_query %}
|
|
{{ ip }};
|
|
{% endfor %}
|
|
localhost;
|
|
};
|
|
|
|
/*
|
|
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
|
|
- If you are building a RECURSIVE (caching) DNS server, you need to enable
|
|
recursion.
|
|
- If your recursive DNS server has a public IP address, you MUST enable access
|
|
control to limit queries to your legitimate users. Failing to do so will
|
|
cause your server to become part of large scale DNS amplification
|
|
attacks. Implementing BCP38 within your network would greatly
|
|
reduce such attack surface
|
|
*/
|
|
recursion yes;
|
|
|
|
dnssec-validation yes;
|
|
|
|
managed-keys-directory "/var/named/dynamic";
|
|
geoip-directory "/usr/share/GeoIP";
|
|
|
|
pid-file "/run/named/named.pid";
|
|
session-keyfile "/run/named/session.key";
|
|
|
|
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
|
|
include "/etc/crypto-policies/back-ends/bind.config";
|
|
};
|
|
|
|
logging {
|
|
channel default_debug {
|
|
file "data/named.run";
|
|
severity dynamic;
|
|
};
|
|
};
|
|
|
|
zone "." IN {
|
|
type hint;
|
|
file "named.ca";
|
|
};
|
|
|
|
{% for zone in bind9_forward_zones %}
|
|
zone "{{ zone.origin }}" {
|
|
|
|
allow-query {
|
|
{% for entry in zone.allow_query %}
|
|
{{ entry }};
|
|
{% endfor %}
|
|
};
|
|
|
|
allow-update {
|
|
{% for entry in zone.allow_update %}
|
|
key {{ entry }};
|
|
{% endfor %}
|
|
};
|
|
|
|
file "/etc/named/{{ zone.origin }}db";
|
|
|
|
type {{ zone.type }};
|
|
|
|
};
|
|
{% endfor %}
|
|
|
|
|
|
|
|
{% for zone in bind9_reverse_zones %}
|
|
zone "{{ zone.origin }}" {
|
|
|
|
allow-query {
|
|
{% for entry in zone.allow_query %}
|
|
{{ entry }};
|
|
{% endfor %}
|
|
};
|
|
|
|
allow-update {
|
|
{% for entry in zone.allow_update %}
|
|
key {{ entry }};
|
|
{% endfor %}
|
|
};
|
|
|
|
file "/etc/named/{{ zone.origin }}db";
|
|
|
|
type {{ zone.type }};
|
|
|
|
};
|
|
{% endfor %}
|
|
|
|
{% for key in bind9_keys %}
|
|
key "{{ key.name }}" {
|
|
algorithm {{ key.algorithm }};
|
|
secret "{{ key.secret }}";
|
|
};
|
|
{% endfor %}
|
|
|
|
include "/etc/named.rfc1912.zones";
|
|
include "/etc/named.root.key";
|