Fixing bind9 config
This commit is contained in:
@@ -1,34 +1,32 @@
|
||||
/*
|
||||
* using views for internal zone requires a view for defaults
|
||||
*/
|
||||
view "defaults" {
|
||||
// prime the server with knowledge of the root servers
|
||||
zone "." {
|
||||
type hint;
|
||||
file "/usr/share/dns/root.hints";
|
||||
};
|
||||
|
||||
|
||||
// be authoritative for the localhost forward and reverse zones, and for
|
||||
// broadcast zones as per RFC 1912
|
||||
|
||||
zone "localhost" {
|
||||
type master;
|
||||
file "/etc/bind/db.local";
|
||||
};
|
||||
|
||||
zone "127.in-addr.arpa" {
|
||||
type master;
|
||||
file "/etc/bind/db.127";
|
||||
};
|
||||
|
||||
zone "0.in-addr.arpa" {
|
||||
type master;
|
||||
file "/etc/bind/db.0";
|
||||
};
|
||||
|
||||
zone "255.in-addr.arpa" {
|
||||
type master;
|
||||
file "/etc/bind/db.255";
|
||||
};
|
||||
// prime the server with knowledge of the root servers
|
||||
zone "." {
|
||||
type hint;
|
||||
file "/usr/share/dns/root.hints";
|
||||
};
|
||||
|
||||
|
||||
// be authoritative for the localhost forward and reverse zones, and for
|
||||
// broadcast zones as per RFC 1912
|
||||
|
||||
zone "localhost" {
|
||||
type master;
|
||||
file "/etc/bind/db.local";
|
||||
};
|
||||
|
||||
zone "127.in-addr.arpa" {
|
||||
type master;
|
||||
file "/etc/bind/db.127";
|
||||
};
|
||||
|
||||
zone "0.in-addr.arpa" {
|
||||
type master;
|
||||
file "/etc/bind/db.0";
|
||||
};
|
||||
|
||||
zone "255.in-addr.arpa" {
|
||||
type master;
|
||||
file "/etc/bind/db.255";
|
||||
};
|
||||
|
||||
@@ -2,70 +2,16 @@
|
||||
#
|
||||
# - local zones and views
|
||||
|
||||
view "internal" {
|
||||
match-clients {
|
||||
any;
|
||||
};
|
||||
recursion yes;
|
||||
|
||||
zone "xai-corp.net." IN {
|
||||
type master;
|
||||
file "/etc/bind/db.xai-corp.net.internal";
|
||||
allow-query { any; };
|
||||
allow-transfer { none; };
|
||||
};
|
||||
|
||||
zone "4.168.192.in-addr.arpa." IN {
|
||||
type master;
|
||||
file "/etc/bind/db.xai-corp.net.reverse";
|
||||
allow-update { none; };
|
||||
};
|
||||
|
||||
zone "xai-corp.net." IN {
|
||||
type master;
|
||||
file "/etc/bind/db.xai-corp.net.internal";
|
||||
allow-query { any; };
|
||||
allow-transfer { none; };
|
||||
};
|
||||
|
||||
//view "external" {
|
||||
// match-clients { none; };
|
||||
// recursion no;
|
||||
zone "4.168.192.in-addr.arpa." IN {
|
||||
type master;
|
||||
file "/etc/bind/db.xai-corp.net.reverse";
|
||||
allow-update { none; };
|
||||
};
|
||||
|
||||
|
||||
// zone "xai-corp.net" {
|
||||
// type master;
|
||||
// file "/etc/bind/db.xai-corp.net.external";
|
||||
// allow-query { none; };
|
||||
// allow-transfer { 127.0.0.1; };
|
||||
// };
|
||||
//};
|
||||
|
||||
/*
|
||||
* Briefly, a zone which has been declared delegation-only will be effectively
|
||||
* limited to containing NS RRs for subdomains, but no actual data beyond its
|
||||
* own apex (for example, its SOA RR and apex NS RRset). This can be used to
|
||||
* filter out "wildcard" or "synthesized" data from NAT boxes or from
|
||||
* authoritative name servers whose undelegated (in-zone) data is of no
|
||||
* interest.
|
||||
* See http://www.isc.org/software/bind/delegation-only for more info
|
||||
*/
|
||||
|
||||
//zone "COM" { type delegation-only; };
|
||||
//zone "NET" { type delegation-only; };
|
||||
|
||||
//zone "YOUR-DOMAIN.TLD" {
|
||||
// type master;
|
||||
// file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
|
||||
// allow-query { any; };
|
||||
// allow-transfer { xfer; };
|
||||
//};
|
||||
|
||||
//zone "YOUR-SLAVE.TLD" {
|
||||
// type slave;
|
||||
// file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
|
||||
// masters { <MASTER>; };
|
||||
|
||||
/* Anybody is allowed to query but transfer should be controlled by the master. */
|
||||
// allow-query { any; };
|
||||
// allow-transfer { none; };
|
||||
|
||||
/* The master should be the only one who notifies the slaves, shouldn't it? */
|
||||
// allow-notify { <MASTER>; };
|
||||
// notify no;
|
||||
//};
|
||||
|
||||
@@ -60,8 +60,8 @@ options {
|
||||
// If BIND logs error messages about the root key being expired,
|
||||
// you will need to update your keys. See https://www.isc.org/bind-keys
|
||||
//========================================================================
|
||||
//dnssec-validation auto; //auto?
|
||||
dnssec-validation no; //auto?
|
||||
dnssec-validation auto; //auto?
|
||||
//dnssec-validation no; //auto?
|
||||
|
||||
//auth-nxdomain no; # conform to RFC1035
|
||||
listen-on-v6 { any; };
|
||||
@@ -70,11 +70,15 @@ options {
|
||||
//listen-on { any; };
|
||||
//query-source address *;
|
||||
//allow-query { trusted; };
|
||||
|
||||
//querylog no;
|
||||
|
||||
};
|
||||
|
||||
|
||||
|
||||
//logging {
|
||||
logging {
|
||||
|
||||
// channel default_log {
|
||||
// file "/var/log/named/named.log" versions 3 size 5M;
|
||||
// severity notice;
|
||||
@@ -85,7 +89,7 @@ options {
|
||||
//
|
||||
// category default { default_log; };
|
||||
// category general { default_log; };
|
||||
//};
|
||||
};
|
||||
|
||||
|
||||
//include "etc/bind/rndc.key";
|
||||
|
||||
Reference in New Issue
Block a user