
#top Konfiguracja


#top SINGLE CONFIG WITHOUT VIEWS


#top create /etc/named/named.conf


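# Top-level named.conf. Everything else is pulled in through include
# statements so that options, logging, the control key and the zone lists
# can be edited (and reviewed) separately.
# The delimiter is quoted so the body is written literally: no shell
# expansion of $, backticks or backslashes inside the config text.
cat > /etc/named/named.conf << 'EOF'
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//

include "/etc/named/named.options.conf";
include "/etc/named/named.logging.conf";
// rndc.key carries the shared secret for the rndc control channel;
// keep it readable by root and the named user only.
include "/etc/named/rndc.key";

// these are zones that contain definitions for all the localhost
// names and addresses, as recommended in RFC1912 - these names should
// ONLY be served to localhost clients:
include "/etc/named/named.rfc1912.zones";

// all views must contain the root hints zone:
include "/etc/named/named.zoneroot";

// local zones (the authoritative zones defined further down this page)
include "/etc/named/named.local.conf";

EOF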



#top create /etc/named/named.zoneroot


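# Root hints zone; every view that recurses must include this file.
# Quoted delimiter: the comment lines below contain "$" and must be
# written verbatim.
cat > /etc/named/named.zoneroot << 'EOF'
//
//   The 'named.root' root cache hints zone for the bind DNS 'named' nameserver.
//
//   named's cache must be primed with the addresses of the root zone '.' nameservers.
//   The root zone file can be obtained by querying the root 'A' nameserver:
//     $ dig . ns @198.41.0.4 > named.root
//   Or by download via FTP / HTTP:
//     $ wget ftp://ftp.rs.internic.net/domain/named.root
//   Plain FTP/HTTP gives no integrity guarantee; InterNIC also publishes the
//   file over HTTPS with a detached signature, so fetch it that way where
//   possible and refresh it periodically (the named.ca shown later on this
//   page dates from 2008).
//
//   Every view that is to provide recursive service must include this zone.
//
zone "." {
	type hint;
	file "/etc/named/named.ca";
};

EOF
# Restores tabs in case the snippet was pasted with tabs expanded to eight
# spaces; harmless when the tabs survived.
sed 's,        ,\t,g' -i /etc/named/named.zoneroot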



#top create /etc/named/named.options.conf


#top named.options.conf (CentOS 5.*)


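# named.options.conf for CentOS 5 (older BIND; the DNSSEC options used in the
# CentOS 6 variant below are absent).
# The original snippet had no closing EOF, so the heredoc ran on into the
# CentOS 6 section and the next "cat" line ended up inside the file.
cat > /etc/named/named.options.conf << 'EOF'
//
// named.options.conf
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//

options {
	directory "/var/named"; // the default
	// Put pid file in working dir
	pid-file "/var/run/named/named.pid";
	//listen-on { any; };
	listen-on port 53 { any; };
	listen-on-v6 port 53 { any; };
	
	dump-file   "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	
	// The server listens on every interface but answers recursive queries
	// for the loopback client only; widening allow-recursion to "any" would
	// make it an open resolver.
	recursion yes;
	allow-recursion { 127.0.0.1; };
};

EOF
sed 's,        ,\t,g' -i /etc/named/named.options.conf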


#top named.options.conf (CentOS 6.*)


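# named.options.conf for CentOS 6: the CentOS 5 variant plus DNSSEC settings.
cat > /etc/named/named.options.conf << 'EOF'
//
// named.options.conf
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//

options {
	directory "/var/named"; // the default
	// Put pid file in working dir
	pid-file "/var/run/named/named.pid";
	//listen-on { any; };
	listen-on port 53 { any; };
	listen-on-v6 port 53 { any; };
	
	dump-file   "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	
	// Recursion is offered to the loopback client only; anything wider turns
	// a server that listens on "any" into an open resolver.
	recursion yes;
	allow-recursion { 127.0.0.1; };
	
	// "yes" validates only against trust anchors configured explicitly
	// (trusted-keys / managed-keys). Unless such anchors are configured
	// elsewhere, nothing is actually validated here. "auto" (listed in the
	// options grammar further down this page) uses the built-in root key;
	// confirm the installed BIND supports it before switching.
	dnssec-enable yes;
	dnssec-validation yes;
	//dnssec-lookaside auto; // trouble with recursion
	
	/* Path to ISC DLV key. ISC has since retired the DLV service; this file
	   only matters while dnssec-lookaside is enabled. */
	bindkeys-file "/etc/named/named.iscdlv.key";
};

EOF
sed 's,        ,\t,g' -i /etc/named/named.options.conf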



#top create /etc/named/named.logging.conf


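# Log channels. named opens the files itself, so the directory has to exist
# and be writable by the named user; if it is missing the channel just stays
# silent apart from an error at startup (confirm on the target system).
mkdir -p /var/log/named
chown named:named /var/log/named
cat > /etc/named/named.logging.conf << 'EOF'
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
// named.logging.conf
//

logging {
	channel named_file   { file "/var/log/named/named.log";   severity dynamic; print-time yes; };
	channel queries_file { file "/var/log/named/queries.log"; severity dynamic; print-time yes; };
	
	category default { named_file;   };
	// queries.log records every client query (client address and name asked
	// for): it grows quickly and is sensitive, so rotate it and restrict access.
	category queries { queries_file; };
};

EOF
sed 's,        ,\t,g' -i /etc/named/named.logging.conf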



#top create /etc/named/named.local.conf


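# Authoritative zones served by this host. Every sibling section on this page
# writes its file with a heredoc; this one was missing the wrapper, so the
# zone statements were not runnable as pasted.
# Each zone refuses dynamic updates and zone transfers (an empty
# allow-transfer list matches no client), so the data can only change by
# editing the zone files and reloading.
# When switching to the view-based config further down, drop
# cen05.xen.wbcd.pl from this file: the internal/external views define that
# zone again and named rejects a duplicate zone within one view.
cat > /etc/named/named.local.conf << 'EOF'
zone "xen.wbcd.pl"                { type master; file "/etc/named/zones/xen.wbcd.pl";                 notify no; allow-query { any; }; allow-update { none; }; allow-transfer { }; };
zone "41.10.in-addr.arpa"         { type master; file "/etc/named/zones/41.10.in-addr.arpa";          notify no; allow-query { any; }; allow-update { none; }; allow-transfer { }; };
zone "cen05.xen.wbcd.pl"          { type master; file "/etc/named/zones/cen05.xen.wbcd.pl";           notify no; allow-query { any; }; allow-update { none; }; allow-transfer { }; };
EOF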



#top create zone files


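# Forward zone xen.wbcd.pl. The delimiter must be quoted: with a bare EOF the
# shell expands $ORIGIN and $TTL to empty strings and the zone fails to load.
# The zones directory is not created anywhere else on this page.
mkdir -p /etc/named/zones
cat > /etc/named/zones/xen.wbcd.pl << 'EOF'
;
; zone xen.wbcd.pl
;
$ORIGIN xen.wbcd.pl.
$TTL    604800
@		IN	SOA	xen.wbcd.pl. root.xen.wbcd.pl. (
	2010070526		; Serial: date of the last change plus a change counter (YYYYMMDDnn); bump it on every edit
			8H		; Refresh: how often secondaries check for a new serial
			2H		; Retry: interval between failed refresh attempts
			1W		; Expire: secondaries stop answering after this long without contact
			1D		; Minimum / negative-caching TTL
)

@		IN	NS	xen.wbcd.pl.
@		IN	A	10.5.5.5
@		IN	MX	10 xen.wbcd.pl.

;
; hosts in xen.wbcd.pl
;
gw			A	10.41.0.250
netboot			A	10.41.0.33
cen05			A	10.41.0.50
EOF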

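# Reverse zone for 10.41.0.0/16. Quoted delimiter so $TTL is written
# literally instead of being expanded (to nothing) by the shell.
cat > /etc/named/zones/41.10.in-addr.arpa << 'EOF'
;
; zone 41.10.in-addr.arpa (reverse of 10.41.0.0/16 for xen.wbcd.pl)
;
$TTL 43200
@		IN	SOA	xen.wbcd.pl. root.xen.wbcd.pl. (
	2010070526		; Serial (YYYYMMDDnn); bump it on every edit
			2H		; Refresh
			1H		; Retry
			1W		; Expire
			1D		; Minimum / negative-caching TTL
)
		IN	NS	xen.wbcd.pl.

;
; PTR records: owner "D.C" is host 10.41.C.D, e.g. 250.0 -> 10.41.0.250.
; cen05 (10.41.0.50 in the forward zone) has no PTR here yet; add
; "50.0 IN PTR cen05.xen.wbcd.pl." if reverse lookups for it are wanted.
;
250.0		IN	PTR	gw.xen.wbcd.pl.
33.0		IN	PTR	netboot.xen.wbcd.pl.
EOF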

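# Zone cen05.xen.wbcd.pl. Quoted delimiter so $TTL survives the shell.
cat > /etc/named/zones/cen05.xen.wbcd.pl << 'EOF'
;
; zone cen05.xen.wbcd.pl
;
$TTL    604800
@		IN	SOA	cen05.xen.wbcd.pl. root.cen05.xen.wbcd.pl. (
	2010080101		; Serial: date of the last change plus a change counter (YYYYMMDDnn); bump it on every edit
			8H		; Refresh: how often secondaries check for a new serial
			2H		; Retry: interval between failed refresh attempts
			1W		; Expire: secondaries stop answering after this long without contact
			1D		; Minimum / negative-caching TTL
)

@		IN	NS	cen05.xen.wbcd.pl.
@		IN	A	10.41.0.50
@		IN	MX	10 cen05.xen.wbcd.pl.
; cen05-a / cen05-b are relative names (no trailing dot) and resolve to
; cen05-a.cen05.xen.wbcd.pl. etc.; both point at the same address as the apex.
cen05-a		IN	A	10.41.0.50
cen05-b		IN	A	10.41.0.50
cen05-a		IN	MX	10 cen05-a
cen05-b		IN	MX	10 cen05-b
EOF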



#top start named server


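# Validate the configuration and every zone it references before starting;
# a syntax error otherwise only shows up as a failed start in named.log.
named-checkconf -z /etc/named/named.conf
/etc/init.d/named start

# Follow the two channels defined in named.logging.conf (each tail -f blocks,
# so run them in separate terminals).
tail -f /var/log/named/named.log
tail -f /var/log/named/queries.log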



#top ADVANCED CONFIG WITH VIEWS


#top create /etc/named/named.conf (adv view)


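# View-based named.conf. Views are tried in the order written and the first
# match-clients/match-destinations hit wins, so the catch-all "external" view
# has to stay last. Quoted delimiter: config text is written verbatim.
cat > /etc/named/named.conf << 'EOF'
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
// Views are matched in order; keep the "any" view last.
//

include "/etc/named/named.options.conf";
include "/etc/named/named.logging.conf";
include "/etc/named/rndc.key";

view "localhost_resolver"
{
	/*
	 * This view sets up named to be a localhost resolver ( caching only nameserver ).
	 * If all you want is a caching-only nameserver, then you need only define this view:
	 */
	match-clients           { localhost; };
	match-destinations      { localhost; };
	recursion yes;
	
	// all views must contain the root hints zone:
	include "/etc/named/named.zoneroot";
	
	/*
	 * these are zones that contain definitions for all the localhost
	 * names and addresses, as recommended in RFC1912 - these names should
	 * ONLY be served to localhost clients:
	 */
	include "/etc/named/named.rfc1912.zones";
	
	// local zones
	include "/etc/named/named.local.conf";
};
view "internal"
{
	/*
	 * This view will contain zones you want to serve only to "internal" clients
	 * that connect via your directly attached LAN interfaces - "localnets" .
	 */
	match-clients           { localnets; };
	match-destinations      { localnets; };
	// recursion for LAN clients; allow-recursion is inherited from options
	// (127.0.0.1 there would refuse these clients - check the options file).
	recursion yes;
	
	// all views must contain the root hints zone:
	include "/etc/named/named.zoneroot";
	
	// include "named.rfc1912.zones";
	// you should not serve your rfc1912 names to non-localhost clients.
	
	// These are your "authoritative" internal zones, and would probably
	// also be included in the "localhost_resolver" view above :
	
	// local zones
	include "/etc/named/named.local.conf";
	
	// named.local.conf must NOT also define cen05.xen.wbcd.pl (the
	// single-config version of that file does): a duplicate zone in one
	// view is a fatal configuration error.
	zone "cen05.xen.wbcd.pl"          { type master; file "/etc/named/zones-int/cen05.xen.wbcd.pl";     notify no; allow-query { any; }; allow-update { none; }; allow-transfer { }; };
};
view    "external"
{
	/*
	 * This view will contain zones you want to serve only to "external" clients
	 * that have addresses that are not on your directly attached LAN interface subnets:
	 */
	match-clients           { any; };
	match-destinations      { any; };
	
	// you'd probably want to deny recursion to external clients, so you don't
	// end up providing free DNS service to all takers
	// (authoritative answers only: this keeps the host from being usable as
	// an open resolver from outside)
	recursion no;
	
	// all views must contain the root hints zone:
	include "/etc/named/named.zoneroot";
	
	// include "named.rfc1912.zones";
	// you should not serve your rfc1912 names to non-localhost clients.
	
	// These are your "authoritative" external zones, and would probably
	// contain entries for just your web and mail servers:
	
	// local zones
	include "/etc/named/named.local.conf";
	
	// same duplicate-zone caveat as in the "internal" view
	zone "cen05.xen.wbcd.pl"          { type master; file "/etc/named/zones-ext/cen05.xen.wbcd.pl";     notify no; allow-query { any; }; allow-update { none; }; allow-transfer { }; };
};
EOF
sed 's,        ,\t,g' -i /etc/named/named.conf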



#top create zone files (adv view)


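# Per-view copies of cen05.xen.wbcd.pl. The view definitions above read
# /etc/named/zones-int/... and /etc/named/zones-ext/..., so the files are
# written there. The original wrote them to zones-myself / zones-others,
# directories no zone statement references, so named never saw them.
# NOTE(review): "myself" is taken to be the internal copy (distinct hosts
# .51/.52) and "others" the external one (everything at .50) - confirm.
# Quoted delimiters keep $TTL literal.
mkdir -p /etc/named/zones-int /etc/named/zones-ext

cat > /etc/named/zones-int/cen05.xen.wbcd.pl << 'EOF'
;
; zone cen05.xen.wbcd.pl (internal view)
;
$TTL    604800
@		IN	SOA	cen05.xen.wbcd.pl. root.cen05.xen.wbcd.pl. (
	2010080101		; Serial: date of the last change plus a change counter (YYYYMMDDnn); bump it on every edit
			8H		; Refresh: how often secondaries check for a new serial
			2H		; Retry: interval between failed refresh attempts
			1W		; Expire: secondaries stop answering after this long without contact
			1D		; Minimum / negative-caching TTL
)

@		IN	NS	cen05.xen.wbcd.pl.
@		IN	A	10.41.0.50
@		IN	MX	10 cen05.xen.wbcd.pl.
cen06-1		IN	A	10.41.0.51
cen06-2		IN	A	10.41.0.52
cen06-1		IN	MX	10 cen06-1
cen06-2		IN	MX	10 cen06-2
EOF


cat > /etc/named/zones-ext/cen05.xen.wbcd.pl << 'EOF'
;
; zone cen05.xen.wbcd.pl (external view: every name maps to the shared address)
;
$TTL    604800
@		IN	SOA	cen05.xen.wbcd.pl. root.cen05.xen.wbcd.pl. (
	2010080101		; Serial: date of the last change plus a change counter (YYYYMMDDnn); bump it on every edit
			8H		; Refresh: how often secondaries check for a new serial
			2H		; Retry: interval between failed refresh attempts
			1W		; Expire: secondaries stop answering after this long without contact
			1D		; Minimum / negative-caching TTL
)

@		IN	NS	cen05.xen.wbcd.pl.
@		IN	A	10.41.0.50
@		IN	MX	10 cen05.xen.wbcd.pl.
cen06-1		IN	A	10.41.0.50
cen06-2		IN	A	10.41.0.50
cen06-1		IN	MX	10 cen06-1
cen06-2		IN	MX	10 cen06-2
EOF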



#top create /etc/named/named.zoneroot (adv view)


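# Root hints zone for the view-based setup; every recursing view includes it.
# Quoted delimiter: the "$ dig" / "$ wget" comment lines are written verbatim.
cat > /etc/named/named.zoneroot << 'EOF'
//
//   The 'named.root' root cache hints zone for the bind DNS 'named' nameserver.
//
//   named's cache must be primed with the addresses of the root zone '.' nameservers.
//   The root zone file can be obtained by querying the root 'A' nameserver:
//     $ dig . ns @198.41.0.4 > named.root
//   Or by download via FTP / HTTP:
//     $ wget ftp://ftp.rs.internic.net/domain/named.root
//   Plain FTP/HTTP gives no integrity guarantee; InterNIC also publishes the
//   file over HTTPS with a detached signature, so fetch it that way where
//   possible and refresh it periodically (the named.ca shown later on this
//   page dates from 2008).
//
//   Every view that is to provide recursive service must include this zone.
//
zone "." {
	type hint;
	file "/etc/named/named.ca";
};
EOF
# Restores tabs in case the snippet was pasted with tabs expanded to eight spaces.
sed 's,        ,\t,g' -i /etc/named/named.zoneroot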



#top create /etc/named/named.options.conf (adv view)


#top named.options.conf (adv view) (CentOS 5.*)


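# named.options.conf for CentOS 5 with views.
cat > /etc/named/named.options.conf << 'EOF'
//
// named.options.conf
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//

options {
	directory "/var/named"; // the default
	// Put pid file in working dir
	pid-file "/var/run/named/named.pid";
	//listen-on { any; };
	listen-on port 53 { any; };
	listen-on-v6 port 53 { any; };
	
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	
	// NOTE(review): each view sets "recursion" itself, but allow-recursion
	// left active here is inherited by every view, so LAN clients of the
	// "internal" view would be refused recursion. The CentOS 6 variant
	// comments both lines out - confirm which behaviour is intended.
	recursion yes; // in VIEWS
	allow-recursion { 127.0.0.1; }; // in VIEWS
};

EOF
sed 's,        ,\t,g' -i /etc/named/named.options.conf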


#top named.options.conf (adv view) (CentOS 6.*)


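# named.options.conf for CentOS 6 with views; recursion is decided per view.
cat > /etc/named/named.options.conf << 'EOF'
//
// named.options.conf
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//

options {
	directory "/var/named"; // the default
	// Put pid file in working dir
	pid-file "/var/run/named/named.pid";
	//listen-on { any; };
	listen-on port 53 { any; };
	listen-on-v6 port 53 { any; };
	
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	
	// Left to the views. With allow-recursion unset, BIND's default
	// (localnets; localhost) applies to each view that recurses.
	//recursion yes; // in VIEWS
	//allow-recursion { 127.0.0.1; }; // in VIEWS
	
	// "yes" validates only against explicitly configured trust anchors
	// (trusted-keys / managed-keys); unless some are configured elsewhere,
	// nothing is actually validated. "auto" (see the options grammar further
	// down this page) uses the built-in root key; confirm the installed BIND
	// supports it before switching.
	dnssec-enable yes;
	dnssec-validation yes;
	//dnssec-lookaside auto; // trouble with recursion
	
	/* Path to ISC DLV key. ISC has since retired the DLV service; this file
	   only matters while dnssec-lookaside is enabled. */
	bindkeys-file "/etc/named/named.iscdlv.key";
};

EOF
sed 's,        ,\t,g' -i /etc/named/named.options.conf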



#top create /etc/named/named.logging.conf (adv view)


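# Log channels for the view-based setup. named opens the files itself, so the
# directory must exist and be writable by the named user (confirm on the
# target system; nothing else on this page creates it).
mkdir -p /var/log/named
chown named:named /var/log/named
cat > /etc/named/named.logging.conf << 'EOF'
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
// named.logging.conf
//

logging {
	channel named_file   { file "/var/log/named/named.log";   severity dynamic; print-time yes; };
	channel queries_file { file "/var/log/named/queries.log"; severity dynamic; print-time yes; };
	
	category default { named_file;   };
	// queries.log records every client query (client address and name asked
	// for): it grows quickly and is sensitive, so rotate it and restrict access.
	category queries { queries_file; };
};

EOF
sed 's,        ,\t,g' -i /etc/named/named.logging.conf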



#top start named server (adv view)


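# Check config and zones first; a duplicate zone across named.local.conf and
# the per-view zone statements, for instance, is reported here rather than
# as a failed start.
named-checkconf -z /etc/named/named.conf
/etc/init.d/named start

# Each tail -f blocks; use separate terminals.
tail -f /var/log/named/named.log
tail -f /var/log/named/queries.log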



#top MASTER/SLAVE DOMAIN SERVER


WARNING: /etc/named/named.local.conf:21: option 'allow-update' is not allowed in 'slave' zone 'cen06-2.xen.wbcd.pl'
WARNING: /etc/named/named.local.conf:21: option 'allow-update' is not allowed in 'slave' zone 'cen06-1.xen.wbcd.pl'



#top master cen06-1 / slave cen06-2


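# This host is primary for cen06-1.xen.wbcd.pl and secondary for
# cen06-2.xen.wbcd.pl. Appending is not idempotent (a second run leaves
# duplicate zone statements and named refuses to start), hence the grep guard.
grep -q 'zone "cen06-1.xen.wbcd.pl"' /etc/named/named.local.conf || cat >> /etc/named/named.local.conf << 'EOF'
zone "cen06-1.xen.wbcd.pl" {
	type master;
	//type slave;
	file "/etc/named/zones/cen06-1.xen.wbcd.pl";
	allow-query    { any; };
	notify yes;
	also-notify    { 10.41.0.52; };
	// Transfers are gated by source address only, which is a weak control on
	// a shared network; authenticating AXFR with a TSIG key (a "key" statement
	// plus "key name;" in allow-transfer) is the stronger option.
	allow-transfer { 10.41.0.51; 10.41.0.52; };
};
zone "cen06-2.xen.wbcd.pl" {
	//type master;
	type slave;
	file "/var/named/slaves/cen06-2.xen.wbcd.pl";
	allow-query    { any; };
	masters        { 10.41.0.52; };
	allow-notify   { 10.41.0.52; };
	// no allow-update here: it is not accepted in a slave zone (see the
	// warnings quoted above)
	allow-transfer { 10.41.0.51; 10.41.0.52; };
};
EOF


# Primary zone file. Quoted delimiter, so $TTL no longer needs the backslash.
cat > /etc/named/zones/cen06-1.xen.wbcd.pl << 'EOF'
;
; zone cen06-1.xen.wbcd.pl
;
$TTL    604800
@		IN	SOA	cen06-1.xen.wbcd.pl. root.cen06-1.xen.wbcd.pl. (
	2010080102		; Serial: date of the last change plus a change counter (YYYYMMDDnn); bump it on every edit
			8H		; Refresh: how often secondaries check for a new serial
			2H		; Retry: interval between failed refresh attempts
			1W		; Expire: secondaries stop answering after this long without contact
			1D		; Minimum / negative-caching TTL
)

@		IN	NS	cen06-1.xen.wbcd.pl.
@		IN	A	10.41.0.51
@		IN	MX	10 cen06-1.xen.wbcd.pl.
EOF

# Pre-create the secondary's zone file with the right owner so named can
# write the first transfer into it.
touch /var/named/slaves/cen06-2.xen.wbcd.pl
chown named:named /var/named/slaves/cen06-2.xen.wbcd.pl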



#top master cen06-2 / slave cen06-1


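# Mirror image of the previous section: this host is primary for
# cen06-2.xen.wbcd.pl and secondary for cen06-1.xen.wbcd.pl. The grep guard
# keeps a re-run from appending duplicate zone statements.
grep -q 'zone "cen06-2.xen.wbcd.pl"' /etc/named/named.local.conf || cat >> /etc/named/named.local.conf << 'EOF'
zone "cen06-2.xen.wbcd.pl" {
	type master;
	//type slave;
	file "/etc/named/zones/cen06-2.xen.wbcd.pl";
	allow-query    { any; };
	notify yes;
	also-notify    { 10.41.0.51; };
	// Transfers are gated by source address only; authenticating AXFR with a
	// TSIG key ("key" statement plus "key name;" in allow-transfer) is the
	// stronger option.
	allow-transfer { 10.41.0.51; 10.41.0.52; };
};
zone "cen06-1.xen.wbcd.pl" {
	//type master;
	type slave;
	file "/var/named/slaves/cen06-1.xen.wbcd.pl";
	allow-query    { any; };
	masters        { 10.41.0.51; };
	allow-notify   { 10.41.0.51; };
	// no allow-update here: it is not accepted in a slave zone (see the
	// warnings quoted above)
	allow-transfer { 10.41.0.51; 10.41.0.52; };
};
EOF


# Primary zone file. Quoted delimiter, so $TTL no longer needs the backslash.
cat > /etc/named/zones/cen06-2.xen.wbcd.pl << 'EOF'
;
; zone cen06-2.xen.wbcd.pl
;
$TTL    604800
@		IN	SOA	cen06-2.xen.wbcd.pl. root.cen06-2.xen.wbcd.pl. (
	2010080102		; Serial: date of the last change plus a change counter (YYYYMMDDnn); bump it on every edit
			8H		; Refresh: how often secondaries check for a new serial
			2H		; Retry: interval between failed refresh attempts
			1W		; Expire: secondaries stop answering after this long without contact
			1D		; Minimum / negative-caching TTL
)

@		IN	NS	cen06-2.xen.wbcd.pl.
@		IN	A	10.41.0.52
@		IN	MX	10 cen06-2.xen.wbcd.pl.
EOF

# Pre-create the secondary's zone file with the right owner so named can
# write the first transfer into it.
touch /var/named/slaves/cen06-1.xen.wbcd.pl
chown named:named /var/named/slaves/cen06-1.xen.wbcd.pl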



#top start named server (master/slave)


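# Validate config and zones (including the appended primary/secondary
# statements) before starting.
named-checkconf -z /etc/named/named.conf
/etc/init.d/named start

# Each tail -f blocks; use separate terminals.
tail -f /var/log/named/named.log
tail -f /var/log/named/queries.log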



#top testing configuration (master/slave)


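# Give both primary zones a fresh serial (today's date + 01). The pattern
# rewrites every 10-digit number in the file; in these zone files only the
# serial is that long, so nothing else is touched. $(...) replaces the
# backticks of the original; same command, easier to quote.
today=$(date +'%Y%m%d')
sed -r "s,[0-9]{10},${today}01,g" -i /etc/named/zones/cen06-1.xen.wbcd.pl
sed -r "s,[0-9]{10},${today}02,g" -i /etc/named/zones/cen06-2.xen.wbcd.pl

# Add a record to each primary zone and bump the serial again (…02): the
# secondaries only re-transfer when the serial increases.
cat >> /etc/named/zones/cen06-1.xen.wbcd.pl << 'EOF'
ola		IN	A	10.41.0.51
EOF
sed -r "s,[0-9]{10},${today}02,g" -i /etc/named/zones/cen06-1.xen.wbcd.pl

cat >> /etc/named/zones/cen06-2.xen.wbcd.pl << 'EOF'
ola		IN	A	10.41.0.51
EOF
sed -r "s,[0-9]{10},${today}02,g" -i /etc/named/zones/cen06-2.xen.wbcd.pl

# Syntax-check the edited zones before asking named to reload them.
named-checkzone cen06-1.xen.wbcd.pl /etc/named/zones/cen06-1.xen.wbcd.pl
named-checkzone cen06-2.xen.wbcd.pl /etc/named/zones/cen06-2.xen.wbcd.pl
/etc/init.d/named reload
tail -f /var/log/named/named.log


# Compare each primary file with the copy transferred to the other host.
cat /etc/named/zones/cen06-1.xen.wbcd.pl
cat /var/named/slaves/cen06-2.xen.wbcd.pl

cat /etc/named/zones/cen06-2.xen.wbcd.pl
cat /var/named/slaves/cen06-1.xen.wbcd.pl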



#top named.conf


Dokumentacja named:
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html (wersja 9.9)
http://addons.wbcd.pl/docs/bind9/9.8.2/Bv9ARM.ch06.html (wersja 9.8.2)

Dokumentacja named: include Statement Grammar (v9.9) | include Statement Grammar (v9.8.2)
Dokumentacja named: include Statement Definition and Usage (v9.9) | include Statement Definition and Usage (v9.8.2)

/etc/named/named.conf
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//

include "/etc/named/named.options.conf";
include "/etc/named/named.logging.conf";
include "/etc/named/rndc.key";

// these are zones that contain definitions for all the localhost
// names and addresses, as recommended in RFC1912 - these names should
// ONLY be served to localhost clients:
include "/etc/named/named.rfc1912.zones";

// all views must contain the root hints zone:
include "/etc/named/named.zoneroot";

// local zones
include "/etc/named/named.local.conf";

/etc/named/named.zoneroot
// root.hint
zone "." {
	type hint; file "/etc/named/named.ca";
};

/etc/named/named.ca
; <<>> DiG 9.5.0b2 <<>> +bufsize=1200 +norec NS . @a.root-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7033
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 20

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
.                       518400  IN      NS      E.ROOT-SERVERS.NET.
.                       518400  IN      NS      F.ROOT-SERVERS.NET.
.                       518400  IN      NS      G.ROOT-SERVERS.NET.
.                       518400  IN      NS      H.ROOT-SERVERS.NET.
.                       518400  IN      NS      I.ROOT-SERVERS.NET.
.                       518400  IN      NS      J.ROOT-SERVERS.NET.
.                       518400  IN      NS      K.ROOT-SERVERS.NET.
.                       518400  IN      NS      L.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
.                       518400  IN      NS      C.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.     3600000 IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     3600000 IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     3600000 IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     3600000 IN      A       192.5.5.241
F.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2f::f
G.ROOT-SERVERS.NET.     3600000 IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     3600000 IN      A       128.63.2.53
H.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:1::803f:235
I.ROOT-SERVERS.NET.     3600000 IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     3600000 IN      A       192.58.128.30
J.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:c27::2:30
K.ROOT-SERVERS.NET.     3600000 IN      A       193.0.14.129
K.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7fd::1
L.ROOT-SERVERS.NET.     3600000 IN      A       199.7.83.42
M.ROOT-SERVERS.NET.     3600000 IN      A       202.12.27.33
M.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:dc3::35

;; Query time: 110 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Feb 26 15:05:57 2008
;; MSG SIZE  rcvd: 615



#top keys


Dokumentacja named: key Statement Grammar (v9.9) | key Statement Grammar (v9.8.2)
Dokumentacja named: key Statement Definition and Usage (v9.9) | key Statement Definition and Usage (v9.8.2)

Składnia:
key key_id {
    algorithm string;
    secret string;
};

/etc/named/rndc.key
# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
        algorithm hmac-md5;
        secret "************************";
};
[...]
# End of named.conf

Dokumentacja named: trusted-keys Statement Grammar (v9.9) | trusted-keys Statement Grammar (v9.8.2)
Dokumentacja named: trusted-keys Statement Definition and Usage (v9.9) | trusted-keys Statement Definition and Usage (v9.8.2)

/etc/named/named.options.conf
// trusted-keys

Dokumentacja named: managed-keys Statement Grammar (v9.9) | managed-keys Statement Grammar (v9.8.2)
Dokumentacja named: managed-keys Statement Definition and Usage (v9.9) | managed-keys Statement Definition and Usage (v9.8.2)

/etc/named/named.iscdlv.key
managed-keys {
	# NOTE: This key is current as of October 2009.
	# If it fails to initialize correctly, it may have expired;
	# see https://www.isc.org/solutions/dlv for a replacement.
	dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
};



#top controls


Dokumentacja named: controls Statement Grammar (v9.9) | controls Statement Grammar (v9.8.2)
Dokumentacja named: controls Statement Definition and Usage (v9.9) | controls Statement Definition and Usage (v9.8.2)

Składnia:
controls {
   [ inet ( ip_addr | * ) [ port ip_port ]
                allow {  address_match_list  }
                keys { key_list }; ]
   [ inet ...; ]
   [ unix path perm number owner number group number
     keys { key_list }; ]
   [ unix ...; ]
};

/etc/named/rndc.key
# Use with the following in named.conf, adjusting the allow list as needed:
[...]
controls {
	inet 127.0.0.1 port 953
	allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf



#top options


Dokumentacja named: options Statement Grammar (v9.9) | options Statement Grammar (v9.8.2)
Dokumentacja named: options Statement Definition and Usage (v9.9) | options Statement Definition and Usage (v9.8.2)

Składnia:
options {
    [ attach-cache cache_name; ]
    [ version version_string; ]
    [ hostname hostname_string; ]
    [ server-id server_id_string; ]
    [ directory path_name; ]
    [ key-directory path_name; ]
    [ managed-keys-directory path_name; ]
    [ named-xfer path_name; ]
    [ tkey-gssapi-keytab path_name; ]
    [ tkey-gssapi-credential principal; ]
    [ tkey-domain domainname; ]
    [ tkey-dhkey key_name key_tag; ]
    [ cache-file path_name; ]
    [ dump-file path_name; ]
    [ bindkeys-file path_name; ]
    [ secroots-file path_name; ]
    [ session-keyfile path_name; ]
    [ session-keyname key_name; ]
    [ session-keyalg algorithm_id; ]
    [ memstatistics yes_or_no; ]
    [ memstatistics-file path_name; ]
    [ pid-file path_name; ]
    [ recursing-file path_name; ]
    [ statistics-file path_name; ]
    [ zone-statistics yes_or_no; ]
    [ auth-nxdomain yes_or_no; ]
    [ deallocate-on-exit yes_or_no; ]
    [ dialup dialup_option; ]
    [ fake-iquery yes_or_no; ]
    [ fetch-glue yes_or_no; ]
    [ flush-zones-on-shutdown yes_or_no; ]
    [ has-old-clients yes_or_no; ]
    [ host-statistics yes_or_no; ]
    [ host-statistics-max number; ]
    [ minimal-responses yes_or_no; ]
    [ multiple-cnames yes_or_no; ]
    [ notify yes_or_no | explicit | master-only; ]
    [ recursion yes_or_no; ]
    [ rfc2308-type1 yes_or_no; ]
    [ use-id-pool yes_or_no; ]
    [ maintain-ixfr-base yes_or_no; ]
    [ ixfr-from-differences (yes_or_no | master | slave); ]
    [ dnssec-enable yes_or_no; ]
    [ dnssec-validation (yes_or_no | auto); ]
    [ dnssec-lookaside ( auto |
                        no |
                        domain trust-anchor domain ); ]
    [ dnssec-must-be-secure domain yes_or_no; ]
    [ dnssec-accept-expired yes_or_no; ]
    [ forward ( only | first ); ]
    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
    [ dual-stack-servers [port ip_port] {
        ( domain_name [port ip_port] |
          ip_addr [port ip_port] ) ; 
        ... }; ]
    [ check-names ( master | slave | response )
        ( warn | fail | ignore ); ]
    [ check-dup-records ( warn | fail | ignore ); ]
    [ check-mx ( warn | fail | ignore ); ]
    [ check-wildcard yes_or_no; ]
    [ check-integrity yes_or_no; ]
    [ check-mx-cname ( warn | fail | ignore ); ]
    [ check-srv-cname ( warn | fail | ignore ); ]
    [ check-sibling yes_or_no; ]
    [ allow-new-zones { yes_or_no }; ]
    [ allow-notify { address_match_list }; ]
    [ allow-query { address_match_list }; ]
    [ allow-query-on { address_match_list }; ]
    [ allow-query-cache { address_match_list }; ]
    [ allow-query-cache-on { address_match_list }; ]
    [ allow-transfer { address_match_list }; ]
    [ allow-recursion { address_match_list }; ]
    [ allow-recursion-on { address_match_list }; ]
    [ allow-update { address_match_list }; ]
    [ allow-update-forwarding { address_match_list }; ]
    [ update-check-ksk yes_or_no; ]
    [ dnssec-dnskey-kskonly yes_or_no; ]
    [ dnssec-secure-to-insecure yes_or_no ;]
    [ try-tcp-refresh yes_or_no; ]
    [ allow-v6-synthesis { address_match_list }; ]
    [ blackhole { address_match_list }; ]
    [ use-v4-udp-ports { port_list }; ]
    [ avoid-v4-udp-ports { port_list }; ]
    [ use-v6-udp-ports { port_list }; ]
    [ avoid-v6-udp-ports { port_list }; ]
    [ listen-on [ port ip_port ] { address_match_list }; ]
    [ listen-on-v6 [ port ip_port ] { address_match_list }; ]
    [ query-source ( ( ip4_addr | * )
        [ port ( ip_port | * ) ] |
        [ address ( ip4_addr | * ) ]
        [ port ( ip_port | * ) ] ) ; ]
    [ query-source-v6 ( ( ip6_addr | * )
        [ port ( ip_port | * ) ] | 
        [ address ( ip6_addr | * ) ] 
        [ port ( ip_port | * ) ] ) ; ]
    [ use-queryport-pool yes_or_no; ]
    [ queryport-pool-ports number; ]
    [ queryport-pool-updateinterval number; ]
    [ max-transfer-time-in number; ]
    [ max-transfer-time-out number; ]
    [ max-transfer-idle-in number; ]
    [ max-transfer-idle-out number; ]
    [ tcp-clients number; ]
    [ reserved-sockets number; ]
    [ recursive-clients number; ]
    [ serial-query-rate number; ]
    [ serial-queries number; ]
    [ tcp-listen-queue number; ]
    [ transfer-format ( one-answer | many-answers ); ]
    [ transfers-in  number; ]
    [ transfers-out number; ]
    [ transfers-per-ns number; ]
    [ transfer-source (ip4_addr | *) [port ip_port] ; ]
    [ transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
    [ alt-transfer-source (ip4_addr | *) [port ip_port] ; ]
    [ alt-transfer-source-v6 (ip6_addr | *)
                             [port ip_port] ; ]
    [ use-alt-transfer-source yes_or_no; ]
    [ notify-delay seconds ; ]
    [ notify-source (ip4_addr | *) [port ip_port] ; ]
    [ notify-source-v6 (ip6_addr | *) [port ip_port] ; ]
    [ notify-to-soa yes_or_no ; ]
    [ also-notify { ip_addr [port ip_port] ;
                  [ ip_addr [port ip_port] ; ... ] }; ]
    [ max-ixfr-log-size number; ]
    [ max-journal-size size_spec; ]
    [ coresize size_spec ; ]
    [ datasize size_spec ; ]
    [ files size_spec ; ]
    [ stacksize size_spec ; ]
    [ cleaning-interval number; ]
    [ heartbeat-interval number; ]
    [ interface-interval number; ]
    [ statistics-interval number; ]
    [ topology { address_match_list }];
    [ sortlist { address_match_list }];
    [ rrset-order { order_spec ; [ order_spec ; ... ] ] };
    [ lame-ttl number; ]
    [ max-ncache-ttl number; ]
    [ max-cache-ttl number; ]
    [ sig-validity-interval number [number] ; ]
    [ sig-signing-nodes number ; ]
    [ sig-signing-signatures number ; ]
    [ sig-signing-type number ; ]
    [ min-roots number; ]
    [ use-ixfr yes_or_no ; ]
    [ provide-ixfr yes_or_no; ]
    [ request-ixfr yes_or_no; ]
    [ treat-cr-as-space yes_or_no ; ]
    [ min-refresh-time number ; ]
    [ max-refresh-time number ; ]
    [ min-retry-time number ; ]
    [ max-retry-time number ; ]
    [ port ip_port; ]
    [ additional-from-auth yes_or_no ; ]
    [ additional-from-cache yes_or_no ; ]
    [ random-device path_name ; ]
    [ max-cache-size size_spec ; ]
    [ match-mapped-addresses yes_or_no; ]
    [ filter-aaaa-on-v4 ( yes_or_no | break-dnssec ); ]
    [ filter-aaaa { address_match_list }; ]
    [ dns64 IPv6-prefix {
        [ clients { address_match_list }; ]
        [ mapped { address_match_list }; ]
        [ exclude { address_match_list }; ]
        [ suffix IPv6-address; ]
        [ recursive-only yes_or_no; ]
        [ break-dnssec yes_or_no; ]
    }; ];
    [ dns64-server name ]
    [ dns64-contact name ]
    [ preferred-glue ( A | AAAA | NONE ); ]
    [ edns-udp-size number; ]
    [ max-udp-size number; ]
    [ root-delegation-only [ exclude { namelist } ] ; ]
    [ querylog yes_or_no ; ]
    [ disable-algorithms domain { algorithm;
                                [ algorithm; ] }; ]
    [ acache-enable yes_or_no ; ]
    [ acache-cleaning-interval number; ]
    [ max-acache-size size_spec ; ]
    [ clients-per-query number ; ]
    [ max-clients-per-query number ; ]
    [ masterfile-format (text|raw) ; ]
    [ empty-server name ; ]
    [ empty-contact name ; ]
    [ empty-zones-enable yes_or_no ; ]
    [ disable-empty-zone zone_name ; ]
    [ zero-no-soa-ttl yes_or_no ; ]
    [ zero-no-soa-ttl-cache yes_or_no ; ]
    [ resolver-query-timeout number ; ]
    [ deny-answer-addresses { address_match_list } [ except-from { namelist } ];]
    [ deny-answer-aliases { namelist } [ except-from { namelist } ];]
    [ response-policy { zone_name [ policy given | disabled | passthru | nxdomain | nodata | cname domain ] ; } ; ]
};

/etc/named/named.options.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

//
// named.options.conf
//

options {
	directory "/var/named";
	// Put files that named is allowed to write in the data/ directory:
	pid-file "/var/run/named/named.pid";
	//listen-on { any; };
	// Listen on every IPv4 and IPv6 interface on port 53; who may recurse is not
	// decided here but by allow-recursion (per view, or the documented default).
	listen-on port 53 { any; };
	listen-on-v6 port 53 { any; };
	//use-v6-udp-ports { range 32768 32769; };
	//avoid-v6-udp-ports { range 0 65535; };

	dump-file       "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";

	//recursion yes;
	// allow-recursion set in view
	//allow-recursion { clientsinternal; };
	// With allow-recursion unset at this level, named falls back to
	// allow-query-cache, then allow-query, then the default
	// (localnets; localhost;) - see the allow-recursion description below.

	// DNSSEC support is on, but validation is switched off: answers received
	// from upstream servers are not cryptographically checked. 'auto' would
	// validate against the built-in root trust anchor (see dnssec-validation
	// below); 'yes' additionally requires a manually configured trust anchor.
	dnssec-enable yes;
	dnssec-validation no;
	//dnssec-lookaside auto; // trouble with recursion

	/* Path to ISC DLV key */
	// Loaded at startup only when dnssec-lookaside is 'auto' (see below); with
	// lookaside commented out above this file is presumably not consulted - confirm.
	bindkeys-file "/etc/named/named.iscdlv.key";

	/* The following defaults apply: min-retry-time 500 seconds, and max-retry-time 1209600 seconds (2 weeks). */
	// Clamps the SOA retry interval of slave/stub zones to 5..15 s, far below
	// the 500 s default, so failed transfers are retried aggressively.
	// History of the value:
	// 2014-XX-XX
	//min-retry-time 5;
	//max-retry-time 10;
	// 2015-03-17
	//min-retry-time 3;
	//max-retry-time 9;
	// 2015-08-09
	min-retry-time 5;
	max-retry-time 15;
	/* resolver-query-timeout: The amount of time the resolver will spend attempting to resolve a recursive query before failing. */
	/* The default and minimum is 10 and the maximum is 30. Setting it to 0 will result in the default being used. */
	// unknown option 'resolver-query-timeout:'
	// resolver-query-timeout: 5;
	// The line above was rejected because of the trailing colon: the grammar is
	// 'resolver-query-timeout number;'. Note that the documented minimum is 10,
	// so 5 is below the accepted range anyway.
	// Fixed source address for outbound IPv4 queries; the source port stays
	// random within the configured UDP port range (see query-source below).
	query-source 10.5.5.5;
	// NOTE(review): ::1 is the IPv6 loopback address; outbound IPv6 queries
	// sourced from it cannot reach remote servers - confirm this is intended
	// (e.g. no IPv6 upstream resolution wanted).
	query-source-v6 ::1;
};

directory path_name;
The working directory of the server. Any non-absolute pathnames in the configuration file will be taken as relative to this directory. The default location for most server output files (e.g. named.run) is this directory. If a directory is not specified, the working directory defaults to '.', the directory from which the server was started. The directory specified should be an absolute path.

pid-file path_name;
The pathname of the file the server writes its process ID in. If not specified, the default is /var/run/named/named.pid. The PID file is used by programs that want to send signals to the running name server. Specifying pid-file none disables the use of a PID file - no file will be written and any existing one will be removed. Note that none is a keyword, not a filename, and therefore is not enclosed in double quotes.

listen-on [ port ip_port ] { address_match_list };
The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes an optional port and an address_match_list. The server will listen on all interfaces allowed by the address match list. If a port is not specified, port 53 will be used.

listen-on-v6 [ port ip_port ] { address_match_list };
The listen-on-v6 option is used to specify the interfaces and the ports on which the server will listen for incoming queries sent using IPv6.

use-v4-udp-ports { port_list };
If use-v4-udp-ports or use-v6-udp-ports is unspecified, named will check if the operating system provides a programming interface to retrieve the system's default range for ephemeral ports. If such an interface is available, named will use the corresponding system default range; otherwise, it will use its own defaults (range 1024 65535 for both IPv4 and IPv6).

avoid-v4-udp-ports { port_list };
If port is * or is omitted, a random port number from a pre-configured range is picked up and will be used for each query. The port range(s) is that specified in the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) options, excluding the ranges specified in the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively.

use-v6-udp-ports { port_list };
If use-v4-udp-ports or use-v6-udp-ports is unspecified, named will check if the operating system provides a programming interface to retrieve the system's default range for ephemeral ports. If such an interface is available, named will use the corresponding system default range; otherwise, it will use its own defaults (range 1024 65535 for both IPv4 and IPv6).

avoid-v6-udp-ports { port_list };
If port is * or is omitted, a random port number from a pre-configured range is picked up and will be used for each query. The port range(s) is that specified in the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) options, excluding the ranges specified in the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively.


dump-file path_name;
The pathname of the file the server dumps the database to when instructed to do so with rndc dumpdb. If not specified, the default is named_dump.db.

statistics-file path_name;
The pathname of the file the server appends statistics to when instructed to do so using rndc stats. If not specified, the default is named.stats in the server's current directory. The format of the file is described in the section called "The Statistics File".

memstatistics yes|no;
Write memory statistics to the file specified by memstatistics-file at exit. The default is no unless '-m record' is specified on the command line in which case it is yes.

memstatistics-file path_name;
The pathname of the file the server writes memory usage statistics to on exit. If not specified, the default is named.memstats.


recursion yes|no;
If yes, and a DNS query requests recursion, then the server will attempt to do all the work required to answer the query. If recursion is off and the server does not already know the answer, it will return a referral response. The default is yes. Note that setting recursion no does not prevent clients from getting data from the server's cache; it only prevents new data from being cached as an effect of client queries. Caching may still occur as an effect of the server's internal operation, such as NOTIFY address lookups. See also fetch-glue above.

allow-recursion { address_match_list };
Specifies which hosts are allowed to make recursive queries through this server. If allow-recursion is not set then allow-query-cache is used if set, otherwise allow-query is used if set, otherwise the default (localnets; localhost;) is used.


dnssec-enable yes|no;
Enable DNSSEC support in named. Unless set to yes, named behaves as if it does not support DNSSEC. The default is yes.

dnssec-validation yes|no|auto;
Enable DNSSEC validation in named. Note dnssec-enable also needs to be set to yes to be effective. If set to no, DNSSEC validation is disabled. If set to auto, DNSSEC validation is enabled, and a default trust-anchor for the DNS root zone is used. If set to yes, DNSSEC validation is enabled, but a trust anchor must be manually configured using a trusted-keys or managed-keys statement. The default is yes.

dnssec-lookaside auto|no|domain trust-anchor domain;
When set, dnssec-lookaside provides the validator with an alternate method to validate DNSKEY records at the top of a zone. When a DNSKEY is at or below a domain specified by the deepest dnssec-lookaside, and the normal DNSSEC validation has left the key untrusted, the trust-anchor will be appended to the key name and a DLV record will be looked up to see if it can validate the key. If the DLV record validates a DNSKEY (similarly to the way a DS record does) the DNSKEY RRset is deemed to be trusted.

If dnssec-lookaside is set to auto, then built-in default values for the DLV domain and trust anchor will be used, along with a built-in key for validation.

If dnssec-lookaside is set to no, then dnssec-lookaside is not used.

The default DLV key is stored in the file bind.keys; named will load that key at startup if dnssec-lookaside is set to auto. A copy of the file is installed along with BIND 9, and is current as of the release date. If the DLV key expires, a new copy of bind.keys can be downloaded from https://www.isc.org/solutions/dlv.

(To prevent problems if bind.keys is not found, the current key is also compiled in to named. Relying on this is not recommended, however, as it requires named to be recompiled with a new key when the DLV key expires.)

NOTE: named only loads certain specific keys from bind.keys: those for the DLV zone and for the DNS root zone. The file cannot be used to store keys for other zones.


bindkeys-file path_name;
The pathname of a file holding trust anchors that override the keys built into named; it is read when dnssec-lookaside or dnssec-validation is set to auto. If not specified, the default is /etc/bind.keys. (The description "the file the server dumps security roots to when instructed to do so with rndc secroots, default named.secroots" belongs to the secroots-file option, not to bindkeys-file.)


min-retry-time number;, max-retry-time number;,
These options control the server's behavior on refreshing a zone (querying for SOA changes) or retrying failed transfers. Usually the SOA values for the zone are used, but these values are set by the master, giving slave server administrators little control over their contents.

These options allow the administrator to set a minimum and maximum refresh and retry time either per-zone, per-view, or globally. These options are valid for slave and stub zones, and clamp the SOA refresh and retry times to the specified values.

The following defaults apply. min-refresh-time 300 seconds, max-refresh-time 2419200 seconds (4 weeks), min-retry-time 500 seconds, and max-retry-time 1209600 seconds (2 weeks).


query-source [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ];, query-source-v6 [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ];,
If the server doesn't know the answer to a question, it will query other name servers. query-source specifies the address and port used for such queries. For queries sent over IPv6, there is a separate query-source-v6 option. If address is * (asterisk) or is omitted, a wildcard IP address (INADDR_ANY) will be used.

If port is * or is omitted, a random port number from a pre-configured range is picked up and will be used for each query. The port range(s) is that specified in the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) options, excluding the ranges specified in the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively.



#top logging


Dokumentacja named: logging Statement Grammar (v9.9) | logging Statement Grammar (v9.8.2)
Dokumentacja named: logging Statement Definition and Usage (v9.9) | logging Statement Definition and Usage (v9.8.2)
Dokumentacja named: The category Phrase | The category Phrase
Dokumentacja named: The query-errors Category | The query-errors Category
Dokumentacja named: Response Policy Zone (RPZ) Rewriting | Response Policy Zone (RPZ) Rewriting

Składnia:
logging {
   [ channel channel_name {
     ( file path_name
         [ versions ( number | unlimited ) ]
         [ size size spec ]
       | syslog syslog_facility
       | stderr
       | null );
     [ severity (critical | error | warning | notice |
                 info | debug [ level ] | dynamic ); ]
     [ print-category yes or no; ]
     [ print-severity yes or no; ]
     [ print-time yes or no; ]
   }; ]
   [ category category_name {
     channel_name ; [ channel_name ; ... ]
   }; ]
   ...
};

Minimalna niezbędna / wystarczająca konfiguracja logowania:
/etc/named/named.logging.conf
logging {
	// Minimal setup: messages of every category without their own entry go to
	// named.log, the query log goes to queries.log. Defining 'category queries'
	// is what turns query logging on at startup (see the category list below).
	// 'severity dynamic' presumably follows the server's global debug level
	// (-d flag / rndc trace, see "The channel Phrase" below) - confirm in the ARM.
	// Neither channel has a 'versions' or 'size' clause, so named never rotates
	// or caps these files; growth must be handled outside named.
	channel named_file   { file "/var/log/named/named.log";   severity dynamic; print-time yes; print-category yes; print-severity yes; };
	channel queries_file { file "/var/log/named/queries.log"; severity dynamic; print-time yes; print-category yes; print-severity yes; };

	category default { named_file;   };
	category queries { queries_file; };
};


/etc/named/named.logging.conf
logging {
	// One file channel per category (same options everywhere). No channel has a
	// 'versions' or 'size' clause, so named never rotates or caps these files
	// (see "The channel Phrase" below); growth must be handled outside named.
	channel named_file   { file "/var/log/named/named.log";   severity dynamic; print-time yes; print-category yes; print-severity yes; };
	channel queries_file { file "/var/log/named/queries.log"; severity dynamic; print-time yes; print-category yes; print-severity yes; };
// 'severity debug 4': debug messages are only produced while the server's global
// debug level is above zero (-d / rndc trace), but once it is, a level-4 channel
// per category fills these files quickly.
channel general_file         { file "/var/log/named/general.log";         severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel database_file        { file "/var/log/named/database.log";        severity debug 4; print-time yes; print-category yes; print-severity yes; };
// security: approval and denial of requests - worth keeping separate for review.
channel security_file        { file "/var/log/named/security.log";        severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel config_file          { file "/var/log/named/config.log";          severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel resolver_file        { file "/var/log/named/resolver.log";        severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel xfer_in_file         { file "/var/log/named/xfer-in.log";         severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel xfer_out_file        { file "/var/log/named/xfer-out.log";        severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel notify_file          { file "/var/log/named/notify.log";          severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel client_file          { file "/var/log/named/client.log";          severity debug 4; print-time yes; print-category yes; print-severity yes; };
// unmatched: by default these messages go to the null channel; a file is chosen here.
channel unmatched_file       { file "/var/log/named/unmatched.log";       severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel network_file         { file "/var/log/named/network.log";         severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel update_file          { file "/var/log/named/update.log";          severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel update_security_file { file "/var/log/named/update-security.log"; severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel query_errors_file    { file "/var/log/named/query-errors.log";    severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel dispatch_file        { file "/var/log/named/dispatch.log";        severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel dnssec_file          { file "/var/log/named/dnssec.log";          severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel lame_servers_file    { file "/var/log/named/lame-servers.log";    severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel delegation_only_file { file "/var/log/named/delegation-only.log"; severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel edns_disabled_file   { file "/var/log/named/edns-disabled.log";   severity debug 4; print-time yes; print-category yes; print-severity yes; };
channel rpz_file             { file "/var/log/named/rpz.log";             severity debug 4; print-time yes; print-category yes; print-severity yes; };
// available 9.9
// channel rate_limit_file      { file "/var/log/named/rate-limit.log";      severity dynamic; print-time yes; print-category yes; print-severity yes;};
// channel cname_file           { file "/var/log/named/cname.log";           severity dynamic; print-time yes; print-category yes; print-severity yes;};

	// Defining 'category queries' also enables query logging at startup.
	category default { named_file;   };
	category queries { queries_file; };
category general          { general_file;         };
category database         { database_file;        };
category security         { security_file;        };
category config           { config_file;          };
category resolver         { resolver_file;        };
category xfer-in          { xfer_in_file;         };
category xfer-out         { xfer_out_file;        };
category notify           { notify_file;          };
category client           { client_file;          };
category unmatched        { unmatched_file;       };
category network          { network_file;         };
category update           { update_file;          };
category update-security  { update_security_file; };
category query-errors     { query_errors_file;    };
category dispatch         { dispatch_file;        };
category dnssec           { dnssec_file;          };
category lame-servers     { lame_servers_file;    };
category delegation-only  { delegation_only_file; };
category edns-disabled    { edns_disabled_file;   };
category rpz              { rpz_file;             };
// available 9.9
// category rate-limit      { rate_limit_file;      };
// category cname           { cname_file;           };
};

Following are the available categories and brief descriptions of the types of log information they contain.
More categories may be added in future BIND releases.
default The default category defines the logging options for those categories where no specific configuration has been defined.
general The catch-all. Many things still aren't classified into categories, and they all end up here.
database Messages relating to the databases used internally by the name server to store zone and cache data.
security Approval and denial of requests.
config Configuration file parsing and processing.
resolver DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server.
xfer-in Zone transfers the server is receiving.
xfer-out Zone transfers the server is sending.
notify The NOTIFY protocol.
client Processing of client requests.
unmatched Messages that named was unable to determine the class of, or for which there was no matching view. A one-line summary is also logged to the client category. This category is best sent to a file or stderr; by default it is sent to the null channel.
network Network operations.
update Dynamic updates.
update-security Approval and denial of update requests.
queries Specify where queries should be logged to.
At startup, specifying the category queries will also enable query logging unless querylog option has been specified.
The query log entry reports the client's IP address and port number, and the query name, class and type. Next it reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use (E), if TCP was used (T), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C). After this the destination address the query was sent to is reported.
client 127.0.0.1#62536: query: www.example.com IN AAAA +SE
client ::1#62537: query: www.example.net IN AAAA -SE
query-errors Information about queries that resulted in some failure.
dispatch Dispatching of incoming packets to the server modules where they are to be processed.
dnssec DNSSEC and TSIG protocol processing.
lame-servers Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution.
delegation-only Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a delegation-only in a hint or stub zone declaration.
edns-disabled Log queries that have been forced to use plain DNS due to timeouts. This is often due to the remote servers not being RFC 1034 compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don't understand.
Note: the log message can also be due to packet loss. Before reporting servers for non-RFC 1034 compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports.
Note: eventually named will have to stop treating such timeouts as due to RFC 1034 non compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to RFC 1034 non compliance impacts on DNSSEC validation which requires EDNS for the DNSSEC records to be returned.
RPZ Information about errors in response policy zone files, rewritten responses, and at the highest debug levels, mere rewriting attempts.

The channel Phrase
All log output goes to one or more channels; you can make as many of them as you want.

Every channel definition must include a destination clause that says whether messages selected for the channel go to a file, to a particular syslog facility, to the standard error stream, or are discarded. It can optionally also limit the message severity level that will be accepted by the channel (the default is info), and whether to include a named-generated time stamp, the category name and/or severity level (the default is not to include any).

The null destination clause causes all messages sent to the channel to be discarded; in that case, other options for the channel are meaningless.

The file destination clause directs the channel to a disk file. It can include limitations both on how large the file is allowed to become, and how many versions of the file will be saved each time the file is opened.

If you use the versions log file option, then named will retain that many backup versions of the file by renaming them when opening. For example, if you choose to keep three old versions of the file lamers.log, then just before it is opened lamers.log.1 is renamed to lamers.log.2, lamers.log.0 is renamed to lamers.log.1, and lamers.log is renamed to lamers.log.0. You can say versions unlimited to not limit the number of versions. If a size option is associated with the log file, then renaming is only done when the file being opened exceeds the indicated size. No backup versions are kept by default; any existing log file is simply appended.

The size option for files is used to limit log growth. If the file ever exceeds the size, then named will stop writing to the file unless it has a versions option associated with it. If backup versions are kept, the files are rolled as described above and a new one begun. If there is no versions option, no more data will be written to the log until some out-of-band mechanism removes or truncates the log to less than the maximum size. The default behavior is not to limit the size of the file.



The syslog destination clause directs the channel to the system log. Its argument is a syslog facility as described in the syslog man page. Known facilities are kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1, local2, local3, local4, local5, local6 and local7, however not all facilities are supported on all operating systems. How syslog will handle messages sent to this facility is described in the syslog.conf man page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog() function, then this clause is silently ignored.

The severity clause works like syslog's "priorities", except that they can also be used if you are writing straight to a file rather than using syslog. Messages which are not at least of the severity level given will not be selected for the channel; messages of higher severity levels will be accepted.

If you are using syslog, then the syslog.conf priorities will also determine what eventually passes through. For example, defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would print all messages it received from the channel.

The stderr destination clause directs the channel to the server's standard error stream. This is intended for use when the server is running as a foreground process, for example when debugging a configuration.

The server can supply extensive debugging information when it is in debugging mode. If the server's global debug level is greater than zero, then debugging mode will be active. The global debug level is set either by starting the named server with the -d flag followed by a positive integer, or by running rndc trace. The global debug level can be set to zero, and debugging mode turned off, by running rndc notrace. All debugging messages in the server have a debug level, and higher debug levels give more detailed output.


Konfiguracja przeznaczenia logowania zdarzeń informacji:
logging {
# logowanie do pliku path_name
channel channel_name { file path_name [ versions ( number | unlimited ) ] [ size size spec ]; [...] };
# logowanie do syslog z priorytetem syslog_facility (facility + level)
channel channel_name { syslog syslog_facility; [...] };
# logowanie do wyjścia błędów (standard error)
channel channel_name { stderr; [...] };
# wyłączenie logowania (logowanie do null)
channel channel_name { null; [...] };
[...]
};


Konfiguracja poziomu szczegółów logowanych informacji:
# włączenie logowania tylko komunikatów krytycznych
channel channel_name { [...] severity critical; [...] };
# włączenie logowania tylko komunikatów o błędach
channel channel_name { [...] severity error; [...] };
# włączenie logowania tylko komunikatów ostrzeżeń
channel channel_name { [...] severity warning; [...] };
# włączenie logowania tylko komunikatów powiadomień
channel channel_name { [...] severity notice; [...] };
# włączenie logowania tylko komunikatów informacyjnych
channel channel_name { [...] severity info; [...] };
# włączenie logowania tylko komunikatów debug o poziomie 1
channel channel_name { [...] severity debug 1; [...] };
# włączenie logowania tylko komunikatów debug o poziomie 3
channel channel_name { [...] severity debug 3; [...] };
# włączenie logowania tylko komunikatów debug o poziomie 5
channel channel_name { [...] severity debug 5; [...] };
# logowanie komunikatów debug do poziomu ustawionego globalnie dla serwera (opcja -d lub rndc trace)
channel channel_name { [...] severity dynamic; [...] };


Konfiguracja włączania / wyłączania logowania czasu wraz z logowanymi informacjami:
channel channel_name { [...] print-time yes; [...] };
channel channel_name { [...] print-time no; [...] };

If print-time has been turned on, then the date and time will be logged. print-time may be specified for a syslog channel, but is usually pointless since syslog also logs the date and time.


Konfiguracja włączania / wyłączania kategorii logowanych informacji wraz z logowanymi informacjami:
channel channel_name { [...] print-category yes; [...] };
channel channel_name { [...] print-category no; [...] };

If print-category is requested, then the category of the message will be logged as well.


Konfiguracja włączania / wyłączania logowania poziomu szczegółów wraz z logowanymi informacjami:
channel channel_name { [...] print-severity yes; [...] };
channel channel_name { [...] print-severity no; [...] };

Finally, if print-severity is on, then the severity level of the message will be logged. The print- options may be used in any combination, and will always be printed in the following order: time, category, severity.



#top statistics-channels


Dokumentacja named: statistics-channels Statement Grammar (v9.9) | statistics-channels Statement Grammar (v9.8.2)
Dokumentacja named: statistics-channels Statement Definition and Usage (v9.9) | statistics-channels Statement Definition and Usage (v9.8.2)
Dokumentacja named: statistics (v9.9) | statistics (v9.8.2)
Dokumentacja named: Statistics Counters (v9.9) | Statistics Counters (v9.8.2)

Składnia:
statistics-channels {
   [ inet ( ip_addr | * ) [ port ip_port ]
   [ allow {  address_match_list  } ]; ]
   [ inet ...; ]
};

/etc/named/named.options.conf
statistics-channels {
	// HTTP statistics listener on every address, port 8053. The allow list is
	// the only access control shown for this channel, so keep it to trusted
	// hosts; '*' exposes the port on all interfaces.
	inet * port 8053 allow { 127.0.0.1; 10.5.5.5; 10.0.0.3; };
};

Statistics are available via the loopback address http://localhost:8053/ or via the network address http://10.5.5.5:8053/. Only sources listed in the allow clause are served; that address list is the only access control on the statistics channel, so restrict it to trusted hosts.



#top view


Dokumentacja named: view Statement Grammar (v9.9) | view Statement Grammar (v9.8.2)
Dokumentacja named: view Statement Definition and Usage (v9.9) | view Statement Definition and Usage (v9.8.2)

Składnia:
view view_name
      [class] {
      match-clients { address_match_list };
      match-destinations { address_match_list };
      match-recursive-only yes_or_no ;
      [ view_option; ...]
      [ zone_statement; ...]
};

/etc/named/named.conf
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//

include "/etc/named/named.options.conf";
include "/etc/named/named.logging.conf";
include "/etc/named/rndc.key";

// Views are matched in order: a request is served by the first view whose
// match-clients list fits it, so "internal" is tried before "external".
view "internal" {
	//query-source 192.168.2.2;
	// hosts_wbcdnat / hosts_wbcdxen / hosts_wbcdvpn are acl names defined
	// outside this file (presumably in an included file) - confirm.
	match-clients { localhost; hosts_wbcdnat; hosts_wbcdxen; hosts_wbcdvpn; };
	// Recursion is offered to exactly the same sources that match this view.
	recursion yes;
	allow-recursion { localhost; hosts_wbcdnat; hosts_wbcdxen; hosts_wbcdvpn; };
	// need for remove warning:
	// Warning: view internal: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
	// WARNING: empty-zones-enable yes; causes resolve redDNS for host forwarded does not work: Host *.*.*.10.in-addr.arpa. not found: 3(NXDOMAIN)
	empty-zones-enable no;

	// these are zones that contain definitions for all the localhost
	// names and addresses, as recommended in RFC1912 - these names should
	// ONLY be served to localhost clients:
	include "/etc/named/named.rfc1912.zones";
	// all views must contain the root hints zone:
	include "/etc/named/named.zoneroot";

	// local zones
	include "/etc/named/named.local-int.conf";
};

view "external" {
	//query-source 192.168.2.2;
	// hosts_external is an acl name defined outside this file - confirm.
	match-clients { hosts_external; };
	// Authoritative-only service for external sources: with recursion off,
	// names the server is not authoritative for get a referral (see recursion
	// below), and the RFC1912 localhost zones are deliberately not loaded here.
	recursion no;

	// these are zones that contain definitions for all the localhost
	// names and addresses, as recommended in RFC1912 - these names should
	// ONLY be served to localhost clients:
	//include "/etc/named/named.rfc1912.zones";
	// all views must contain the root hints zone:
	include "/etc/named/named.zoneroot";

	// local zones
	include "/etc/named/named.local-ext.conf";
};

match-clients { address_match_list };
Each view statement defines a view of the DNS namespace that will be seen by a subset of clients. A client matches a view if its source IP address matches the address_match_list of the view's match-clients clause and its destination IP address matches the address_match_list of the view's match-destinations clause. If not specified, both match-clients and match-destinations default to matching all addresses. In addition to checking IP addresses, match-clients and match-destinations can also take keys, which provide a mechanism for the client to select the view. A view can also be specified as match-recursive-only, which means that only recursive requests from matching clients will match that view. The order of the view statements is significant - a client request will be resolved in the context of the first view that it matches.

Zones defined within a view statement will only be accessible to clients that match the view. By defining a zone of the same name in multiple views, different zone data can be given to different clients, for example, "internal" and "external" clients in a split DNS setup.

Many of the options given in the options statement can also be used within a view statement, and then apply only when resolving queries with that view. When no view-specific value is given, the value in the options statement is used as a default. Also, zone options can have default values specified in the view statement; these view-specific defaults take precedence over those in the options statement.

Views are class specific. If no class is given, class IN is assumed. Note that all non-IN views must contain a hint zone, since only the IN class has compiled-in default hints.

If there are no view statements in the config file, a default view that matches any client is automatically created in class IN. Any zone statements specified on the top level of the configuration file are considered to be part of this default view, and the options statement will apply to the default view. If any explicit view statements are present, all zone statements must occur inside view statements.

recursion yes|no;
If yes, and a DNS query requests recursion, then the server will attempt to do all the work required to answer the query. If recursion is off and the server does not already know the answer, it will return a referral response. The default is yes. Note that setting recursion no does not prevent clients from getting data from the server's cache; it only prevents new data from being cached as an effect of client queries. Caching may still occur as an effect of the server's internal operation, such as NOTIFY address lookups. See also fetch-glue above.

allow-recursion { address_match_list };
Specifies which hosts are allowed to make recursive queries through this server. If allow-recursion is not set then allow-query-cache is used if set, otherwise allow-query is used if set, otherwise the default (localnets; localhost;) is used.

empty-zones-enable yes|no;
Enable or disable all empty zones. By default, they are enabled.

disable-empty-zone zone_name;
Disable individual empty zones. By default, none are disabled. This option can be specified multiple times.

Built-in Empty Zones

Named has some built-in empty zones (SOA and NS records only). These are for zones that should normally be answered locally and which queries should not be sent to the Internet's root servers. The official servers which cover these namespaces return NXDOMAIN responses to these queries. In particular, these cover the reverse namespaces for addresses from RFC 1918, RFC 4193, and RFC 5737. They also include the reverse namespace for IPv6 local address (locally assigned), IPv6 link local addresses, the IPv6 loopback address and the IPv6 unknown address.

Named will attempt to determine if a built-in zone already exists or is active (covered by a forward-only forwarding declaration) and will not create an empty zone in that case.



#top zone


Dokumentacja named: zone Statement Grammar (v9.9) | zone Statement Grammar (v9.8.2)
Dokumentacja named: zone Statement Definition and Usage (v9.9) | zone Statement Definition and Usage (v9.8.2)
Dokumentacja named: Zone Class (v9.9) | Zone Class (v9.8.2)
Dokumentacja named: Zone Options (v9.9) | Zone Options (v9.8.2)

Składnia:
zone zone_name [class] {
    type master;
    [ allow-query { address_match_list }; ]
    [ allow-query-on { address_match_list }; ]
    [ allow-transfer { address_match_list }; ]
    [ allow-update { address_match_list }; ]
    [ update-policy local | { update_policy_rule [...] }; ]
    [ also-notify { ip_addr [port ip_port] ;
                  [ ip_addr [port ip_port] ; ... ] }; ]
    [ check-names (warn|fail|ignore) ; ]
    [ check-mx (warn|fail|ignore) ; ]
    [ check-wildcard yes_or_no; ]
    [ check-integrity yes_or_no ; ]
    [ dialup dialup_option ; ]
    [ file string ; ]
    [ masterfile-format (text|raw) ; ]
    [ journal string ; ]
    [ max-journal-size size_spec; ]
    [ forward (only|first) ; ]
    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
    [ ixfr-base string ; ]
    [ ixfr-from-differences yes_or_no; ]
    [ ixfr-tmp-file string ; ]
    [ maintain-ixfr-base yes_or_no ; ]
    [ max-ixfr-log-size number ; ]
    [ max-transfer-idle-out number ; ]
    [ max-transfer-time-out number ; ]
    [ notify yes_or_no | explicit | master-only ; ]
    [ notify-delay seconds ; ]
    [ notify-to-soa yes_or_no; ]
    [ pubkey number number number string ; ]
    [ notify-source (ip4_addr | *) [port ip_port] ; ]
    [ notify-source-v6 (ip6_addr | *) [port ip_port] ; ]
    [ zone-statistics yes_or_no ; ]
    [ sig-validity-interval number [number] ; ]
    [ sig-signing-nodes number ; ]
    [ sig-signing-signatures number ; ]
    [ sig-signing-type number ; ]
    [ database string ; ]
    [ min-refresh-time number ; ]
    [ max-refresh-time number ; ]
    [ min-retry-time number ; ]
    [ max-retry-time number ; ]
    [ key-directory path_name; ]
    [ auto-dnssec allow|maintain|off; ]
    [ zero-no-soa-ttl yes_or_no ; ]
};

zone zone_name [class] {
    type slave;
    [ allow-notify { address_match_list }; ]
    [ allow-query { address_match_list }; ]
    [ allow-query-on { address_match_list }; ]
    [ allow-transfer { address_match_list }; ]
    [ allow-update-forwarding { address_match_list }; ]
    [ update-check-ksk yes_or_no; ]
    [ dnssec-update-mode ( maintain | no-resign ); ]
    [ dnssec-dnskey-kskonly yes_or_no; ]
    [ dnssec-secure-to-insecure yes_or_no ; ]
    [ try-tcp-refresh yes_or_no; ]
    [ also-notify { ip_addr [port ip_port] ;
                  [ ip_addr [port ip_port] ; ... ] }; ]
    [ check-names (warn|fail|ignore) ; ]
    [ dialup dialup_option ; ]
    [ file string ; ]
    [ masterfile-format (text|raw) ; ]
    [ journal string ; ]
    [ max-journal-size size_spec; ]
    [ forward (only|first) ; ]
    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
    [ ixfr-base string ; ]
    [ ixfr-from-differences yes_or_no; ]
    [ ixfr-tmp-file string ; ]
    [ maintain-ixfr-base yes_or_no ; ]
    [ masters [port ip_port] { ( masters_list | ip_addr
                              [port ip_port]
                              [key key] ) ; [...] }; ]
    [ max-ixfr-log-size number ; ]
    [ max-transfer-idle-in number ; ]
    [ max-transfer-idle-out number ; ]
    [ max-transfer-time-in number ; ]
    [ max-transfer-time-out number ; ]
    [ notify yes_or_no | explicit | master-only ; ]
    [ notify-delay seconds ; ]
    [ notify-to-soa yes_or_no; ]
    [ pubkey number number number string ; ]
    [ transfer-source (ip4_addr | *) [port ip_port] ; ]
    [ transfer-source-v6 (ip6_addr | *) [port ip_port] ; ]
    [ alt-transfer-source (ip4_addr | *) [port ip_port] ; ]
    [ alt-transfer-source-v6 (ip6_addr | *)
                             [port ip_port] ; ]
    [ use-alt-transfer-source yes_or_no; ]
    [ notify-source (ip4_addr | *) [port ip_port] ; ]
    [ notify-source-v6 (ip6_addr | *) [port ip_port] ; ]
    [ zone-statistics yes_or_no ; ]
    [ database string ; ]
    [ min-refresh-time number ; ]
    [ max-refresh-time number ; ]
    [ min-retry-time number ; ]
    [ max-retry-time number ; ]
    [ multi-master yes_or_no ; ]
    [ zero-no-soa-ttl yes_or_no ; ]
};

zone zone_name [class] {
    type hint;
    file string ;
    [ delegation-only yes_or_no ; ]
    [ check-names (warn|fail|ignore) ; ] // Not Implemented.
};

zone zone_name [class] {
    type stub;
    [ allow-query { address_match_list }; ]
    [ allow-query-on { address_match_list }; ]
    [ check-names (warn|fail|ignore) ; ]
    [ dialup dialup_option ; ]
    [ delegation-only yes_or_no ; ]
    [ file string ; ]
    [ masterfile-format (text|raw) ; ]
    [ forward (only|first) ; ]
    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
    [ masters [port ip_port] { ( masters_list | ip_addr
                              [port ip_port]
                              [key key] ) ; [...] }; ]
    [ max-transfer-idle-in number ; ]
    [ max-transfer-time-in number ; ]
    [ pubkey number number number string ; ]
    [ transfer-source (ip4_addr | *) [port ip_port] ; ]
    [ transfer-source-v6 (ip6_addr | *)
                         [port ip_port] ; ]
    [ alt-transfer-source (ip4_addr | *) [port ip_port] ; ]
    [ alt-transfer-source-v6 (ip6_addr | *)
                            [port ip_port] ; ]
    [ use-alt-transfer-source yes_or_no; ]
    [ zone-statistics yes_or_no ; ]
    [ database string ; ]
    [ min-refresh-time number ; ]
    [ max-refresh-time number ; ]
    [ min-retry-time number ; ]
    [ max-retry-time number ; ]
    [ multi-master yes_or_no ; ]
};

zone zone_name [class] {
    type static-stub;
    [ allow-query { address_match_list }; ]
    [ server-addresses { [ ip_addr ; ... ] }; ]
    [ server-names { [ namelist ] }; ]  
    [ zone-statistics yes_or_no ; ]
};

zone zone_name [class] {
    type forward;
    [ forward (only|first) ; ]
    [ forwarders { [ ip_addr [port ip_port] ; ... ] }; ]
    [ delegation-only yes_or_no ; ]
};

zone zone_name [class] {
    type delegation-only;
};

/etc/named/named.local-int.conf
// my zones
//
// Internal (zones-int) set of the wbcd.pl zones, all served as master copies.
// Every zone below uses the same access policy:
//   allow-query { any; }        - any client that reaches this server may query it;
//   allow-update { none; }      - dynamic DNS updates are refused;
//   allow-transfer { <acl>; }   - AXFR/IXFR only for the named ACL, or none at all;
//   notify no; also-notify { }; - no NOTIFY messages are sent for the zone.
// NOTE(review): plwbcd_trans and plwbcdnat_trans are referenced here but are
// not defined on this page; they must be declared (as acl or key) before this
// file is included, otherwise the configuration will not load.
zone "wbcd.pl"                    { type master; file "/etc/named/zones-int/wbcd.pl";                     notify no; allow-query { any;                }; allow-update { none; }; allow-transfer { plwbcd_trans;       }; also-notify { }; };
zone "nat.wbcd.pl"                { type master; file "/etc/named/zones-int/nat.wbcd.pl";                 notify no; allow-query { any;                }; allow-update { none; }; allow-transfer { plwbcdnat_trans;    }; also-notify { }; };
// Reverse zones for 10.0.0.0/16 and 10.5.5.0/24 (RFC 1918 address space).
zone "0.10.in-addr.arpa"          { type master; file "/etc/named/zones-int/0.10.in-addr.arpa";           notify no; allow-query { any;                }; allow-update { none; }; allow-transfer { plwbcdnat_trans;    }; also-notify { }; };
// Transfers of this reverse zone are disabled entirely (allow-transfer { none; }).
zone "5.5.10.in-addr.arpa"        { type master; file "/etc/named/zones-int/5.5.10.in-addr.arpa";         notify no; allow-query { any;                }; allow-update { none; }; allow-transfer { none;               }; also-notify { }; };
zone "app.wbcd.pl"                { type master; file "/etc/named/zones-int/app.wbcd.pl";                 notify no; allow-query { any;                }; allow-update { none; }; allow-transfer { plwbcdnat_trans;    }; also-notify { }; };
zone "dev.wbcd.pl"                { type master; file "/etc/named/zones-int/dev.wbcd.pl";                 notify no; allow-query { any;                }; allow-update { none; }; allow-transfer { plwbcdnat_trans;    }; also-notify { }; };

/etc/named/named.local-ext.conf
// External (zones-ext) set of the same zone names, backed by separate zone
// files that carry the public addresses. Same access policy as the internal
// set: queries from any client, no dynamic updates, transfers only to the
// named ACL, and no NOTIFY messages. plwbcd_trans / plwbcdnat_trans must be
// declared before this file is included (their definitions are not on this page).
zone "wbcd.pl"                    { type master; file "/etc/named/zones-ext/wbcd.pl";                     notify no; allow-query { any;                }; allow-update { none; }; allow-transfer { plwbcd_trans;       }; also-notify { }; };
zone "nat.wbcd.pl"                { type master; file "/etc/named/zones-ext/nat.wbcd.pl";                 notify no; allow-query { any;                }; allow-update { none; }; allow-transfer { plwbcdnat_trans;    }; also-notify { }; };
// The RFC 1918 reverse zones are kept out of the external set (left below only
// as commented-out lines), presumably so that private address space is not
// published to outside clients.
//zone "0.10.in-addr.arpa"          { type master; file "/etc/named/zones-ext/0.10.in-addr.arpa";           notify no; allow-query { any;                }; allow-update { none; }; allow-transfer { plwbcdnat_trans;    }; also-notify { }; };
//zone "5.5.10.in-addr.arpa"        { type master; file "/etc/named/zones-ext/5.5.10.in-addr.arpa";         notify no; allow-query { any;                }; allow-update { none; }; allow-transfer { none;               }; also-notify { }; };
zone "app.wbcd.pl"                { type master; file "/etc/named/zones-ext/app.wbcd.pl";                 notify no; allow-query { any;                }; allow-update { none; }; allow-transfer { plwbcdnat_trans;    }; also-notify { }; };
zone "dev.wbcd.pl"                { type master; file "/etc/named/zones-ext/dev.wbcd.pl";                 notify no; allow-query { any;                }; allow-update { none; }; allow-transfer { plwbcdnat_trans;    }; also-notify { }; };


Zone Types

master The server has a master copy of the data for the zone and will be able to provide authoritative answers for it.
slave A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses of master servers that the slave contacts to update its copy of the zone. Masters list elements can also be names of other masters lists. By default, transfers are made from port 53 on the servers; this can be changed for all servers by specifying a port number before the list of IP addresses, or on a per-server basis after the IP address. Authentication to the master can also be done with per-server TSIG keys. If a file is specified, then the replica will be written to this file whenever the zone is changed, and reloaded from this file on a server restart. Use of a file is recommended, since it often speeds server startup and eliminates a needless waste of bandwidth. Note that for large numbers (in the tens or hundreds of thousands) of zones per server, it is best to use a two-level naming scheme for zone filenames. For example, a slave server for the zone example.com might place the zone contents into a file called ex/example.com where ex/ is just the first two letters of the zone name. (Most operating systems behave very slowly if you put 100000 files into a single directory.)
stub A stub zone is similar to a slave zone, except that it replicates only the NS records of a master zone instead of the entire zone. Stub zones are not a standard part of the DNS; they are a feature specific to the BIND implementation.
Stub zones can be used to eliminate the need for glue NS record in a parent zone at the expense of maintaining a stub zone entry and a set of name server addresses in named.conf. This usage is not recommended for new configurations, and BIND 9 supports it only in a limited way. In BIND 4/8, zone transfers of a parent zone included the NS records from stub children of that zone. This meant that, in some cases, users could get away with configuring child stubs only in the master server for the parent zone. BIND 9 never mixes together zone data from different zones in this way. Therefore, if a BIND 9 master serving a parent zone has child stub zones configured, all the slave servers for the parent zone also need to have the same child stub zones configured.
Stub zones can also be used as a way of forcing the resolution of a given domain to use a particular set of authoritative servers. For example, the caching name servers on a private network using RFC1918 addressing may be configured with stub zones for 10.in-addr.arpa to use a set of internal name servers as the authoritative servers for that domain.
static-stub A static-stub zone is similar to a stub zone with the following exceptions: the zone data is statically configured, rather than transferred from a master server; when recursion is necessary for a query that matches a static-stub zone, the locally configured data (nameserver names and glue addresses) is always used even if different authoritative information is cached.
Zone data is configured via the server-addresses and server-names zone options.
The zone data is maintained in the form of NS and (if necessary) glue A or AAAA RRs internally, which can be seen by dumping zone databases with rndc dumpdb -all. The configured RRs are considered local configuration parameters rather than public data. Non-recursive queries (i.e., those with the RD bit off) to a static-stub zone are therefore prohibited and will be answered with REFUSED.
Since the data is statically configured, no zone maintenance action takes place for a static-stub zone. For example, there is no periodic refresh attempt, and an incoming notify message will be rejected with an rcode of NOTAUTH.
Each static-stub zone is configured with internally generated NS and (if necessary) glue A or AAAA RRs
forward A "forward zone" is a way to configure forwarding on a per-domain basis. A zone statement of type forward can contain a forward and/or forwarders statement, which will apply to queries within the domain given by the zone name. If no forwarders statement is present or an empty list for forwarders is given, then no forwarding will be done for the domain, canceling the effects of any forwarders in the options statement. Thus if you want to use this type of zone to change the behavior of the global forward option (that is, "forward first" to, then "forward only", or vice versa, but want to use the same servers as set globally) you need to re-specify the global forwarders.
hint The initial set of root name servers is specified using a "hint zone". When the server starts up, it uses the root hints to find a root name server and get the most recent list of root name servers. If no hint zone is specified for class IN, the server uses a compiled-in default set of root server hints. Classes other than IN have no built-in default hints.
delegation-only This is used to enforce the delegation-only status of infrastructure zones (e.g. COM, NET, ORG). Any answer that is received without an explicit or implicit delegation in the authority section will be treated as NXDOMAIN. This does not apply to the zone apex. This should not be applied to leaf zones.

delegation-only has no effect on answers received from forwarders.
See caveats in root-delegation-only.

# deklaracja zony master
zone zone_name { type master; file string; [...] };
# deklaracja zony slave
zone zone_name { type slave; file string; [...] };
# deklaracja zony typu stub
zone zone_name { type stub; [...] };
# deklaracja zony typu static-stub
zone zone_name { type static-stub; [...] };
# deklaracja zony oddelegowanej na wskazany serwer
zone zone_name { type forward; forward (only|first); forwarders { [ip_addr [port ip_port]; ...] }; [...] };
# deklaracja zony dla root domain zones
zone "." IN    { type hint; file "/etc/named/named.ca"; [...] };
# deklaracja zony typu delegation-only
zone zone_name { type delegation-only; [...] };

notify yes|no|explicit|master-only;
If yes (the default), DNS NOTIFY messages are sent when a zone the server is authoritative for changes, see the section called "Notify". The messages are sent to the servers listed in the zone's NS records (except the master server identified in the SOA MNAME field), and to any servers listed in the also-notify option.

If master-only, notifies are only sent for master zones. If explicit, notifies are sent only to servers explicitly listed using also-notify. If no, no notifies are sent.

The notify option may also be specified in the zone statement, in which case it overrides the options notify statement. It would only be necessary to turn off this option if it caused slaves to crash.

also-notify {ip_addr [port ip_port]; [ip_addr [port ip_port]; ... ] };
Defines a global list of IP addresses of name servers that are also sent NOTIFY messages whenever a fresh copy of the zone is loaded, in addition to the servers listed in the zone's NS records. This helps to ensure that copies of the zones will quickly converge on stealth servers. Optionally, a port may be specified with each also-notify address to send the notify messages to a port other than the default of 53. If an also-notify list is given in a zone statement, it will override the options also-notify statement. When a zone notify statement is set to no, the IP addresses in the global also-notify list will not be sent NOTIFY messages for that zone. The default is the empty list (no global notification list).

allow-notify { address_match_list };
Specifies which hosts are allowed to notify this server, a slave, of zone changes in addition to the zone masters. allow-notify may also be specified in the zone statement, in which case it overrides the options allow-notify statement. It is only meaningful for a slave zone. If not specified, the default is to process notify messages only from a zone's master.

allow-update { address_match_list };
Specifies which hosts are allowed to submit Dynamic DNS updates for master zones. The default is to deny updates from all hosts. Note that allowing updates based on the requestor's IP address is insecure; see the section called "Dynamic Update Security" for details.

allow-transfer { address_match_list };
Specifies which hosts are allowed to receive zone transfers from the server. allow-transfer may also be specified in the zone statement, in which case it overrides the options allow-transfer statement. If not specified, the default is to allow transfers to all hosts.

allow-query { address_match_list };
Specifies which hosts are allowed to ask ordinary DNS questions. allow-query may also be specified in the zone statement, in which case it overrides the options allow-query statement. If not specified, the default is to allow queries from all hosts.



Zone File
Dokumentacja named: Zone File (v9.9) | Zone File (v9.8.2)

/etc/named/zones-int/wbcd.pl
;
; zone wbcd.pl
;
; Internal copy of the wbcd.pl zone: every address below is the RFC 1918
; address 10.5.5.5, so this file is meant for clients served from the
; zones-int set only. Host records shared with the external copy come from
; the $INCLUDE at the end.
;
$TTL    604800
@				IN      SOA     wbcd.pl. root.wbcd.pl. (
		2014040102              ; Serial = YYYYMMDDNN (today's date + change number); must increase on every edit, otherwise secondaries will not pick up the change
				8H              ; Refresh = how often secondaries check for a new serial (in sec)
				2H              ; Retry = interval between retries after a failed refresh (in sec)
				1D              ; Expire = secondaries stop serving the zone after this long without a successful refresh (in sec). NOTE(review): 1 day is short; confirm it is intended
				1D              ; Minimum TTL = in BIND 9 this field is the negative-caching (NXDOMAIN) TTL, RFC 2308 (in sec)
)

; Three NS names are published, but all of them resolve to the same host
; (10.5.5.5), so they provide no real server redundancy.
@			IN	NS		ns1.wbcd.pl.
@			IN	NS		ns2.wbcd.pl.
@			IN	NS		ns3.wbcd.pl.
ns1			IN	A		10.5.5.5
ns2			IN	A		10.5.5.5
ns3			IN	A		10.5.5.5

@			IN	A		10.5.5.5

; Mail: the apex is its own MX. SPF "-all" hard-fails anything not sent from
; 10.5.5.5; DMARC p=none only reports (to the rua/ruf mailboxes) and does not
; ask receivers to reject or quarantine failures.
@			IN	MX		10 wbcd.pl.
@			IN	TXT		"v=spf1 ip4:10.5.5.5 -all"
_dmarc			IN	TXT		"v=DMARC1; p=none; rua=mailto:dmarc-feedback@wbcd.pl; ruf=mailto:auth-reports@wbcd.pl"

; Host records common to the internal and external copies of the zone.
$INCLUDE "/etc/named/zones-comm/wbcd.pl-hosts"

/etc/named/zones-ext/wbcd.pl
;
; zone wbcd.pl
;
; External copy of the wbcd.pl zone: same record set as the internal copy,
; but every address is the public 89.231.96.70. This is the file served to
; outside clients via the zones-ext set. Shared host records come from the
; $INCLUDE at the end.
;
$TTL    604800
@				IN      SOA     wbcd.pl. root.wbcd.pl. (
		2014040102              ; Serial = YYYYMMDDNN (today's date + change number); must increase on every edit, otherwise secondaries will not pick up the change
				8H              ; Refresh = how often secondaries check for a new serial (in sec)
				2H              ; Retry = interval between retries after a failed refresh (in sec)
				1D              ; Expire = secondaries stop serving the zone after this long without a successful refresh (in sec). NOTE(review): 1 day is short; confirm it is intended
				1D              ; Minimum TTL = in BIND 9 this field is the negative-caching (NXDOMAIN) TTL, RFC 2308 (in sec)
)

; Three NS names are published, but all of them resolve to the same host
; (89.231.96.70), so they provide no real server redundancy.
@			IN	NS		ns1.wbcd.pl.
@			IN	NS		ns2.wbcd.pl.
@			IN	NS		ns3.wbcd.pl.
ns1			IN	A		89.231.96.70
ns2			IN	A		89.231.96.70
ns3			IN	A		89.231.96.70

@			IN	A		89.231.96.70

; Mail: the apex is its own MX. SPF "-all" hard-fails anything not sent from
; 89.231.96.70; DMARC p=none only reports (to the rua/ruf mailboxes) and does
; not ask receivers to reject or quarantine failures.
@			IN	MX		10 wbcd.pl.
@			IN	TXT		"v=spf1 ip4:89.231.96.70 -all"
_dmarc			IN	TXT		"v=DMARC1; p=none; rua=mailto:dmarc-feedback@wbcd.pl; ruf=mailto:auth-reports@wbcd.pl"

; Host records common to the internal and external copies of the zone.
$INCLUDE "/etc/named/zones-comm/wbcd.pl-hosts"



#top acl


Dokumentacja named: acl Statement Grammar (v9.9) | acl Statement Grammar (v9.8.2)
Dokumentacja named: acl Statement Definition and Usage (v9.9) | acl Statement Definition and Usage (v9.8.2)

Składnia:
acl acl-name {
    address_match_list
};

/etc/named/named.options.conf
//
// acl match: address
//
// Named address lists for use in allow-* and match-clients statements
// elsewhere in the configuration. An acl must be declared before the first
// statement that references it. Every list below except hosts_external is
// private (RFC 1918) address space.
//
// 10.5.5.0/28 contains the internal name server address 10.5.5.5 (see the
// zones-int files); 10.0.0.0/16 and 192.168.210.0/24 are presumably the
// NAT-side networks the name suggests.
acl hosts_wbcdnat {
	10.5.5.0/28;
	10.0.0.0/16;
	192.168.210.0/24;
};

// 10.41-10.45/16; presumably the Xen guest networks.
acl hosts_wbcdxen {
	10.41.0.0/16;
	10.42.0.0/16;
	10.43.0.0/16;
	10.44.0.0/16;
	10.45.0.0/16;
};

// 10.21-10.25/16; presumably the VM networks.
acl hosts_wbcdvmnet {
	10.21.0.0/16;
	10.22.0.0/16;
	10.23.0.0/16;
	10.24.0.0/16;
	10.25.0.0/16;
};

// Presumably the VPN client networks.
acl hosts_wbcdvpn {
	10.50.0.0/16;
	10.55.0.0/16;
};

// Matches every address. Wherever this acl is used it grants the permission
// to all clients, so it belongs only in allow-query / match-clients for public
// zone data and never in allow-transfer, allow-update or allow-recursion.
acl hosts_external {
	any;
};





