named.conf revision 224125
// $FreeBSD: head/etc/namedb/named.conf 224125 2011-07-17 06:20:47Z dougb $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

options {
	// All file and path names are relative to the chroot directory,
	// if any, and should be fully qualified.
	directory	"/etc/namedb/working";
	pid-file	"/var/run/named/pid";
	dump-file	"/var/dump/named_dump.db";
	statistics-file	"/var/stats/named.stats";

// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
	listen-on	{ 127.0.0.1; };

// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver.  To give access to the network, specify
// an IPv6 address, or the keyword "any".
//	listen-on-v6	{ ::1; };

// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
	forwarders {
		127.0.0.1;
	};
*/

// If the 'forwarders' clause is not empty the default is to 'forward first'
// which will fall back to sending a query from your local server if the name
// servers in 'forwarders' do not have the answer.  Alternatively you can
// force your name server to never initiate queries of its own by enabling the
// following line:
//	forward only;

// If you wish to have forwarding configured automatically based on
// the entries in /etc/resolv.conf, uncomment the following line and
// set named_auto_forward=yes in /etc/rc.conf.  You can also enable
// named_auto_forward_only (the effect of which is described above).
//	include "/etc/namedb/auto_forward.conf";

	/*
	   Modern versions of BIND use a random UDP port for each outgoing
	   query by default in order to dramatically reduce the possibility
	   of cache poisoning.  All users are strongly encouraged to utilize
	   this feature, and to configure their firewalls to accommodate it.

	   AS A LAST RESORT in order to get around a restrictive firewall
	   policy you can try enabling the option below.  Use of this option
	   will significantly reduce your ability to withstand cache poisoning
	   attacks, and should be avoided if at all possible.

	   Replace NNNNN in the example with a number between 49160 and 65530.
	*/
	// query-source address * port NNNNN;
};

// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

// The traditional root hints mechanism.  Use this, OR the slave zones below.
zone "." { type hint; file "/etc/namedb/named.root"; };

/*	Slaving the following zones from the root name servers has some
	significant advantages:
	1. Faster local resolution for your users
	2. No spurious traffic will be sent from your network to the roots
	3. Greater resilience to any potential root server failure/DDoS

	On the other hand, this method requires more monitoring than the
	hints file to be sure that an unexpected failure mode has not
	incapacitated your server.  Name servers that are serving a lot
	of clients will benefit more from this approach than individual
	hosts.  Use with caution.

	To use this mechanism, uncomment the entries below, and comment
	the hint zone above.

	As documented at http://dns.icann.org/services/axfr/ these zones:
	"." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
	are available for AXFR from these servers on IPv4 and IPv6:
	xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
*/
/*
zone "." {
	type slave;
	file "/etc/namedb/slave/root.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET.
	};
	notify no;
};
zone "arpa" {
	type slave;
	file "/etc/namedb/slave/arpa.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET.
	};
	notify no;
};
*/

/*	Serving the following zones locally will prevent any queries
	for these zones leaving your network and going to the root
	name servers.  This has two significant advantages:
	1. Faster local resolution for your users
	2. No spurious traffic will be sent from your network to the roots
*/
// RFCs 1912, 5735 and 6303 (and BCP 32 for localhost)
zone "localhost"		{ type master; file "/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa"		{ type master; file "/etc/namedb/master/localhost-reverse.db"; };
zone "255.in-addr.arpa"		{ type master; file "/etc/namedb/master/empty.db"; };

// RFC 1912-style zone for IPv6 localhost address (RFC 6303)
zone "0.ip6.arpa"		{ type master; file "/etc/namedb/master/localhost-reverse.db"; };

// "This" Network (RFCs 1912, 5735 and 6303)
zone "0.in-addr.arpa"		{ type master; file "/etc/namedb/master/empty.db"; };

// Private Use Networks (RFCs 1918, 5735 and 6303)
zone "10.in-addr.arpa"		{ type master; file "/etc/namedb/master/empty.db"; };
zone "16.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "17.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "18.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "19.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "20.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "21.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "22.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "23.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "24.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "25.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "26.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "27.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "28.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "29.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "30.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "31.172.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "168.192.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// Link-local/APIPA (RFCs 3927, 5735 and 6303)
zone "254.169.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// IETF protocol assignments (RFCs 5735 and 5736)
zone "0.0.192.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// TEST-NET-[1-3] for Documentation (RFCs 5735, 5737 and 6303)
zone "2.0.192.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "100.51.198.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "113.0.203.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// IPv6 Example Range for Documentation (RFCs 3849 and 6303)
zone "8.b.d.0.1.0.0.2.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// Domain Names for Documentation and Testing (BCP 32)
zone "test"		{ type master; file "/etc/namedb/master/empty.db"; };
zone "example"		{ type master; file "/etc/namedb/master/empty.db"; };
zone "invalid"		{ type master; file "/etc/namedb/master/empty.db"; };
zone "example.com"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "example.net"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "example.org"	{ type master; file "/etc/namedb/master/empty.db"; };

// Router Benchmark Testing (RFCs 2544 and 5735)
zone "18.198.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "19.198.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// IANA Reserved - Old Class E Space (RFC 5735)
zone "240.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "241.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "242.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "243.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "244.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "245.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "246.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "247.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "248.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "249.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "250.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "251.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "252.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "253.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "254.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// IPv6 Unassigned Addresses (RFC 4291)
zone "1.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "3.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "4.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "5.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "6.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "7.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "8.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "9.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "a.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "b.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "c.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "d.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "e.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "0.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "1.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "2.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "3.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "4.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "5.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "6.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "7.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "8.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "9.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "a.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "b.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "0.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "1.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "2.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "3.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "4.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "5.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "6.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "7.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// IPv6 ULA (RFCs 4193 and 6303)
zone "c.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "d.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// IPv6 Link Local (RFCs 4291 and 6303)
zone "8.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "9.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "a.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "b.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// IPv6 Deprecated Site-Local Addresses (RFCs 3879 and 6303)
zone "c.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "d.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "e.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "f.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// IP6.INT is Deprecated (RFC 4159)
zone "ip6.int"		{ type master; file "/etc/namedb/master/empty.db"; };

// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example slave zone config entries.  It can be convenient to become
// a slave at least for the zone your own domain is in.  Ask
// your network administrator for the IP address of the responsible
// master name server.
//
// Do not forget to include the reverse lookup zone!
// This is named after the first bytes of the IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
//
// Before starting to set up a master zone, make sure you fully
// understand how DNS and BIND work.  There are sometimes
// non-obvious pitfalls.  Setting up a slave zone is usually simpler.
//
// NB: Don't blindly enable the examples below. :-)  Use actual names
// and addresses instead.

/* An example dynamic zone
key "exampleorgkey" {
	algorithm hmac-md5;
	secret "sf87HJqjkqh8ac87a02lla==";
};
zone "example.org" {
	type master;
	allow-update {
		key "exampleorgkey";
	};
	file "/etc/namedb/dynamic/example.org";
};
*/

/* Example of a slave reverse zone
zone "1.168.192.in-addr.arpa" {
	type slave;
	file "/etc/namedb/slave/1.168.192.in-addr.arpa";
	masters {
		192.168.1.1;
	};
};
*/
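The two resolver-hardening points the options block above makes (keep `listen-on` on 127.0.0.1 unless network access is intended, and leave `query-source ... port NNNNN` disabled so BIND keeps randomising its UDP source port) are easy to lose in a later edit. The following added checker, which is not part of the FreeBSD file or of BIND, strips comments, isolates the top-level `options` block and reports those two weakenings; the two config fragments it tests are constructed for the example.

```python
import re

# Constructed sample fragments (not the FreeBSD file itself): the shipped
# resolver defaults beside a weakened variant a firewall-driven edit can produce.
SAFE_DEFAULT = """
options {
    directory "/etc/namedb/working";
    listen-on { 127.0.0.1; };
    // query-source address * port NNNNN;   // left disabled, as shipped
};
"""
WEAKENED = """
options {
    directory "/etc/namedb/working";
    listen-on { any; };
    query-source address * port 53000;   /* pinned to satisfy a firewall */
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments so commented-out options are not matched."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_block(text):
    """Return the body of the top-level options { ... } block ('' if absent)."""
    clean = strip_comments(text)
    m = re.search(r"\boptions\s*\{", clean)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(clean)):
        depth += {"{": 1, "}": -1}.get(clean[i], 0)
        if depth == 0:          # matching close brace of the options block
            return clean[start:i]
    return clean[start:]

def audit(text):
    """List resolver-hardening findings for one named.conf text."""
    opts, findings = options_block(text), []
    port = re.search(r"\bquery-source\b[^;]*\bport\s+(\S+?)\s*;", opts)
    if port and port.group(1) != "*":   # '*' keeps per-query port randomisation
        p = port.group(1)
        msg = "fixed query-source port %s disables UDP source-port randomisation" % p
        if not (p.isdigit() and 49160 <= int(p) <= 65530):
            msg += " and is outside the 49160-65530 range the file suggests"
        findings.append(msg)
    listen = re.search(r"\blisten-on(?!-)[^{]*\{([^}]*)\}", opts)  # not listen-on-v6
    if listen is None:
        findings.append("no listen-on: named answers on every interface")
    else:
        addrs = [a.strip() for a in listen.group(1).split(";") if a.strip()]
        exposed = [a for a in addrs if a not in ("127.0.0.1", "::1")]
        if exposed:
            findings.append("listen-on exposes named to the network: %s" % ", ".join(exposed))
    return findings
```

Run it against a real file with `audit(open("/etc/namedb/named.conf").read())`; an empty list means both shipped defaults are still in place.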