named.conf revision 171865
// $FreeBSD: head/etc/namedb/named.conf 171865 2007-08-17 04:37:02Z dougb $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

options {
	// Relative to the chroot directory, if any
	directory "/etc/namedb";
	pid-file "/var/run/named/pid";
	dump-file "/var/dump/named_dump.db";
	statistics-file "/var/stats/named.stats";

// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
//
// Security note: this loopback binding is the only thing in this file that
// keeps the resolver private.  If you open it to the network, also decide
// explicitly which clients may query and recurse (see allow-query and
// allow-recursion in named.conf(5)); a resolver that recurses for arbitrary
// clients can be abused by third parties.
	listen-on { 127.0.0.1; };

// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver.  To give access to the network, specify
// an IPv6 address, or the keyword "any".  The same access-control
// consideration as for listen-on applies when "any" is used.
//	listen-on-v6 { ::1; };

// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
//	forward only;

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
//
// The 127.0.0.1 below is a placeholder, not a usable forwarder: replace it
// with the upstream server's address.  Answers are then only as trustworthy
// as that forwarder and the network path to it.
/*
	forwarders {
		127.0.0.1;
	};
*/
	/*
	 * If there is a firewall between you and nameservers you want
	 * to talk to, you might need to uncomment the query-source
	 * directive below.  Previous versions of BIND always asked
	 * questions using port 53, but BIND versions 8 and later
	 * use a pseudo-random unprivileged UDP port by default.
	 *
	 * Security note: pinning the source port to 53 gives up that
	 * randomized port, which is part of what makes forged replies
	 * (cache poisoning) hard to get accepted.  Prefer a firewall rule
	 * that permits the replies, and leave this commented out unless
	 * there is no alternative.
	 */
	// query-source address * port 53;
};

// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

// The traditional root hints mechanism. Use this, OR the slave zones below.
zone "." { type hint; file "named.root"; };

/*	Slaving the following zones from the root name servers has some
	significant advantages:
	1. Faster local resolution for your users
	2. No spurious traffic will be sent from your network to the roots
	3. Greater resilience to any potential root server failure/DDoS

	On the other hand, this method requires more monitoring than the
	hints file to be sure that an unexpected failure mode has not
	incapacitated your server.  Name servers that are serving a lot
	of clients will benefit more from this approach than individual
	hosts.  Use with caution.

	To use this mechanism, uncomment the entries below, and comment
	the hint zone above.

	NOTE(review): the masters lists below name a single address and no
	key, so the transfer is not authenticated by anything in this file;
	confirm the address is still correct and still permits transfers
	before relying on it.
*/
/*
zone "." {
	type slave;
	file "slave/root.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET.
	};
	notify no;
};
zone "arpa" {
	type slave;
	file "slave/arpa.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET.
	};
	notify no;
};
zone "in-addr.arpa" {
	type slave;
	file "slave/in-addr.arpa.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET.
	};
	notify no;
};
*/

/*	Serving the following zones locally will prevent any queries
	for these zones leaving your network and going to the root
	name servers.  This has two significant advantages:
	1. Faster local resolution for your users
	2. No spurious traffic will be sent from your network to the roots

	It also means reverse lookups for these reserved and private ranges
	are answered here instead of being sent to servers on the Internet.
*/
// RFC 1912
zone "localhost" { type master; file "master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "master/empty.db"; };

// RFC 1912-style zone for IPv6 localhost address
zone "0.ip6.arpa" { type master; file "master/localhost-reverse.db"; };

// "This" Network (RFCs 1912 and 3330)
zone "0.in-addr.arpa" { type master; file "master/empty.db"; };

// IANA Reserved - Unlikely to ever be assigned
// NOTE(review): reserved-range assignments change over time; check this
// list against the current IANA registry before reusing it.
zone "1.in-addr.arpa" { type master; file "master/empty.db"; };
zone "2.in-addr.arpa" { type master; file "master/empty.db"; };
zone "223.in-addr.arpa" { type master; file "master/empty.db"; };

// Public Data Networks (RFC 3330)
zone "14.in-addr.arpa" { type master; file "master/empty.db"; };

// Private Use Networks (RFC 1918)
zone "10.in-addr.arpa" { type master; file "master/empty.db"; };
zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "17.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "18.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "19.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "20.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "21.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "22.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "23.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "24.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "25.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "26.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "27.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "28.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "29.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "30.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "31.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "168.192.in-addr.arpa" { type master; file "master/empty.db"; };

// Link-local/APIPA (RFCs 3330 and 3927)
zone "254.169.in-addr.arpa" { type master; file "master/empty.db"; };

// TEST-NET for Documentation (RFC 3330)
zone "2.0.192.in-addr.arpa" { type master; file "master/empty.db"; };

// Router Benchmark Testing (RFC 3330)
zone "18.198.in-addr.arpa" { type master; file "master/empty.db"; };
zone "19.198.in-addr.arpa" { type master; file "master/empty.db"; };

// IANA Reserved - Old Class E Space
zone "240.in-addr.arpa" { type master; file "master/empty.db"; };
zone "241.in-addr.arpa" { type master; file "master/empty.db"; };
zone "242.in-addr.arpa" { type master; file "master/empty.db"; };
zone "243.in-addr.arpa" { type master; file "master/empty.db"; };
zone "244.in-addr.arpa" { type master; file "master/empty.db"; };
zone "245.in-addr.arpa" { type master; file "master/empty.db"; };
zone "246.in-addr.arpa" { type master; file "master/empty.db"; };
zone "247.in-addr.arpa" { type master; file "master/empty.db"; };
zone "248.in-addr.arpa" { type master; file "master/empty.db"; };
zone "249.in-addr.arpa" { type master; file "master/empty.db"; };
zone "250.in-addr.arpa" { type master; file "master/empty.db"; };
zone "251.in-addr.arpa" { type master; file "master/empty.db"; };
zone "252.in-addr.arpa" { type master; file "master/empty.db"; };
zone "253.in-addr.arpa" { type master; file "master/empty.db"; };
zone "254.in-addr.arpa" { type master; file "master/empty.db"; };

// IPv6 Unassigned Addresses (RFC 4291)
zone "1.ip6.arpa" { type master; file "master/empty.db"; };
zone "3.ip6.arpa" { type master; file "master/empty.db"; };
zone "4.ip6.arpa" { type master; file "master/empty.db"; };
zone "5.ip6.arpa" { type master; file "master/empty.db"; };
zone "6.ip6.arpa" { type master; file "master/empty.db"; };
zone "7.ip6.arpa" { type master; file "master/empty.db"; };
zone "8.ip6.arpa" { type master; file "master/empty.db"; };
zone "9.ip6.arpa" { type master; file "master/empty.db"; };
zone "a.ip6.arpa" { type master; file "master/empty.db"; };
zone "b.ip6.arpa" { type master; file "master/empty.db"; };
zone "c.ip6.arpa" { type master; file "master/empty.db"; };
zone "d.ip6.arpa" { type master; file "master/empty.db"; };
zone "e.ip6.arpa" { type master; file "master/empty.db"; };
zone "0.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "1.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "2.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "3.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "4.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "5.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "6.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "7.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "8.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "9.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "a.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "b.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "0.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "1.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "2.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "3.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "4.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "5.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "6.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "7.e.f.ip6.arpa" { type master; file "master/empty.db"; };

// IPv6 ULA (RFC 4193)
zone "c.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "d.f.ip6.arpa" { type master; file "master/empty.db"; };

// IPv6 Link Local (RFC 4291)
zone "8.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "9.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "a.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "b.e.f.ip6.arpa" { type master; file "master/empty.db"; };

// IPv6 Deprecated Site-Local Addresses (RFC 3879)
zone "c.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "d.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "e.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "f.e.f.ip6.arpa" { type master; file "master/empty.db"; };

// IP6.INT is Deprecated (RFC 4159)
zone "ip6.int" { type master; file "master/empty.db"; };

// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example slave zone config entries.  It can be convenient to become
// a slave at least for the zone your own domain is in.  Ask
// your network administrator for the IP address of the responsible
// master name server.
//
// Do not forget to include the reverse lookup zone!
// This is named after the first bytes of the IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
//
// Before starting to set up a master zone, make sure you fully
// understand how DNS and BIND work.  There are sometimes
// non-obvious pitfalls.  Setting up a slave zone is usually simpler.
//
// NB: Don't blindly enable the examples below. :-)  Use actual names
// and addresses instead.

// Security notes for the dynamic zone example:
//  - The secret shown is a published sample.  Generate your own key with
//    the key-generation tool shipped with your BIND release; anyone who
//    knows the secret can update the zone.
//  - hmac-md5 is what this example uses; where your BIND release offers an
//    HMAC-SHA algorithm (for example hmac-sha256), prefer it.
//  - Keep the key statement in a separate file that only the named user
//    can read and pull it in with "include", so the secret is not exposed
//    by a readable named.conf.
//  - allow-update is restricted to the key here; keep it that way instead of
//    granting updates by IP address.
/* An example dynamic zone
key "exampleorgkey" {
	algorithm hmac-md5;
	secret "sf87HJqjkqh8ac87a02lla==";
};
zone "example.org" {
	type master;
	allow-update {
		key "exampleorgkey";
	};
	file "dynamic/example.org";
};
*/

/* Example of a slave reverse zone
zone "1.168.192.in-addr.arpa" {
	type slave;
	file "slave/1.168.192.in-addr.arpa";
	masters {
		192.168.1.1;
	};
};
*/
