BIND configuration file (/etc/named.conf)

The /etc/named.conf file is the main configuration file for BIND. It should be owned by the named user because the named service is run by this user. The file permissions for named.conf should only allow the owner to read and write to the file (which also allows the root user to modify the file).
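A small ownership and permission check for the state described above (owner named, mode 0600), added here as an example and not part of the original page. The pure evaluate() function is separated from the stat() call so the rule can be tested without a real /etc/named.conf; "named" and 0600 are the page's requirements, the rest is assumed.

```python
import os
import pwd
import stat

# Required state per the page: owned by the named user, owner read/write only (0600).
EXPECTED_OWNER = "named"
MAX_MODE = 0o600

def evaluate(path, owner, mode, expected_owner=EXPECTED_OWNER):
    """Compare an owner name and permission bits against the required state; return findings."""
    findings = []
    if owner != expected_owner:
        findings.append(f"{path}: owned by {owner}, expected {expected_owner}")
    extra = mode & ~MAX_MODE  # any bit beyond rw for the owner: group/other access or exec bits
    if extra:
        findings.append(f"{path}: mode {mode:04o} exposes the file beyond {MAX_MODE:04o} (extra bits {extra:04o})")
    return findings

def audit_named_conf(path="/etc/named.conf", expected_owner=EXPECTED_OWNER):
    """stat() the real file and evaluate it; an empty list means it is compliant."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:  # uid without a passwd entry
        owner = str(st.st_uid)
    return evaluate(path, owner, stat.S_IMODE(st.st_mode), expected_owner)

if __name__ == "__main__":
    for line in audit_named_conf() or ["/etc/named.conf: ownership and permissions OK"]:
        print(line)
```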

The named.conf file is a collection of statements using nested options surrounded by opening and closing curly braces { }.

The following lines show the three comment styles accepted in named.conf:

/* This is a comment.
    This is a comment
   This is a comment
 */

// This is a comment.
# This is a comment.

A sample named.conf file, shipped with Red Hat Enterprise Linux, is copied below. You can view it in the /usr/share/doc/bind-9.3.3/sample/etc directory.

[root@RHEL01 etc]# cat named.conf
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
    /* make named use port 53 for the source of all queries, to allow
     * firewalls to block all ports except 53:
     */
    query-source    port 53;
    query-source-v6 port 53;

    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";

};
logging
{
    /* If you want to enable debugging, eg. using the 'rndc trace' command,
     * named will try to write the 'named.run' file in the $directory (/var/named).
     * By default, SELinux policy does not allow named to modify the /var/named directory,
     * so put the default debug log file in data/ :
     */
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
view "localhost_resolver"
{
    /* This view sets up named to be a localhost resolver ( caching only nameserver ).
     * If all you want is a caching-only nameserver, then you need only define this view:
     */
    match-clients { localhost; };
    match-destinations { localhost; };
    recursion yes;
    # all views must contain the root hints zone:
    include "/etc/named.root.hints";

    /* these are zones that contain definitions for all the localhost
     * names and addresses, as recommended in RFC1912 - these names should
     * ONLY be served to localhost clients:
     */
    include "/etc/named.rfc1912.zones";
};
view "internal"
{
    /* This view will contain zones you want to serve only to "internal" clients
     * that connect via your directly attached LAN interfaces - "localnets" .
     */
    match-clients { localnets; };
    match-destinations { localnets; };
    recursion yes;
    // all views must contain the root hints zone:
    include "/etc/named.root.hints";

    // include "named.rfc1912.zones";
    // you should not serve your rfc1912 names to non-localhost clients.

    // These are your "authoritative" internal zones, and would probably
    // also be included in the "localhost_resolver" view above :

    zone "my.internal.zone" {
        type master;
        file "my.internal.zone.db";
    };
    zone "my.slave.internal.zone" {
        type slave;
        file "slaves/my.slave.internal.zone.db";
        masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
        // put slave zones in the slaves/ directory so named can update them
    };
    zone "my.ddns.internal.zone" {
        type master;
        allow-update { key ddns_key; };
        file "slaves/my.ddns.internal.zone.db";
        // put dynamically updateable zones in the slaves/ directory so named can update them
    };
};
key ddns_key
{
    algorithm hmac-md5;
    secret "use /usr/sbin/dns-keygen to generate TSIG keys";
};
view "external"
{
    /* This view will contain zones you want to serve only to "external" clients
     * that have addresses that are not on your directly attached LAN interface subnets:
     */
    match-clients { !localnets; !localhost; };
    match-destinations { !localnets; !localhost; };

    recursion no;
    // you'd probably want to deny recursion to external clients, so you don't
    // end up providing free DNS service to all takers

    // all views must contain the root hints zone:
    include "/etc/named.root.hints";

    // These are your "authoritative" external zones, and would probably
    // contain entries for just your web and mail servers:

    zone "my.external.zone" {
        type master;
        file "my.external.zone.db";
    };
};

The following are the important statements in named.conf.

• acl: The acl statement (or access control statement) defines groups of hosts which can then be permitted or denied access to the nameserver.

Example:

acl <acl-name> {
<match-element>;
[<match-element>; ...]
};

• include: Include the contents of a separate file, which can have more restrictive permissions to protect sensitive data. The <filename> must include the full path to the file.

Example:

include "<filename>";

• options: The options statement can be used to set global options for the server and defaults for other statements.

Example:

options {
<option>
};

In the above options statement, the <option> directives are replaced with valid options, such as the following.

o allow-query — Specifies which hosts are allowed to query this nameserver. By default, all hosts are allowed to query. An access control list, or collection of IP addresses or networks may be used here to only allow particular hosts to query the nameserver.

o allow-recursion — Similar to allow-query, this option applies to recursive queries. By default, all hosts are allowed to perform recursive queries on the nameserver.

o blackhole — Specifies which hosts are not allowed to query the server.

o directory — Specifies the named working directory if different from the default value, /var/named/.

o forward — Specifies the forwarding behavior of a forwarders directive. The following options are accepted:

a) first — Specifies that the nameservers listed in the forwarders directive be queried before named attempts to resolve the name itself.

b) only — Specifies that named does not attempt name resolution itself in the event queries to nameservers specified in the forwarders directive fail.

o forwarders — Specifies a list of valid IP addresses for nameservers where requests should be forwarded for resolution.

o listen-on — Specifies the network interface on which named listens for queries. By default, all interfaces are used.

o notify — Specifies whether named notifies the slave servers when a zone is updated. It accepts the following options:

a) yes — Notifies slave servers.

b) no — Does not notify slave servers.

c) explicit — Only notifies slave servers specified in an also-notify list within a zone statement.

• logging: Customize logging.

• view: On a BIND server, views can be created to customize the data sent to different requesters based on the source and destination IP addresses.

Example:

view <name> <class> {
match-clients { <ip_list> } ;
match-destinations { <ip_list> } ;
match-recursive-only <value> ;
<options>
<zone-statements>
};

• zone: The zone statement is used to define a zone and its properties. Zone files are written to the /var/named/ directory.

The zone statement has the following syntax:

zone <name> <class> {
type <type>;
<options>
};

o The <name> must be unique and must be the domain name for the zone such as omnisecu.com.

o The <class> is optional. It can be one of the following:

a) IN: Internet zone. The default class if one is not given.

b) HS: Hesiod zone. Hesiod is a service used to distribute system information such as user and group definition and password files and print configuration files.

c) CHAOS: CHAOSnet zone. CHAOSnet is a LAN protocol.

o The <type> must be one of the following:

a) master: Authoritative name server for the zone.

b) slave: Secondary name server for the zone. It retrieves zone data from the master server.

c) stub: Like a slave zone, except that it only retrieves the NS records from the master zone.

The <options> of a zone statement accept the following directives:

o allow-query — Specifies the clients that are allowed to request information about this zone. The default is to allow all query requests.

o allow-transfer — Specifies the slave servers that are allowed to request a transfer of the zone's information. The default is to allow all transfer requests.

o allow-update — Specifies the hosts that are allowed to dynamically update information in their zone. The default is to deny all dynamic update requests.

Be careful when allowing hosts to update information about their zone. Do not enable this option unless the host specified is completely trusted. In general, it is better to have an administrator manually update the records for a zone and reload the named service.

o file — Specifies the name of the file in the named working directory that contains the zone's configuration data. In the above sample named.conf file, the directory is /var/named.

o masters — Specifies the IP addresses from which to request authoritative zone information, and is used only if the zone is defined as type slave.

o notify — Specifies whether or not named notifies the slave servers when a zone is updated. This directive accepts the following options:

a) yes — Notifies slave servers.

b) no — Does not notify slave servers.

c) explicit — Only notifies slave servers specified in an also-notify list within a zone statement.

Examples:

A sample master zone statement is copied below.

zone "mynet.com" IN {
        type master;
        file "mynet.com.zone.db";
        allow-transfer { 192.168.1.105; };
        allow-query { 192.168.1.0/24; };
};

A sample slave zone statement is copied below.

zone "mynet.com" IN {
        type slave;
        file "slaves/mynet.com.zone.db";
        allow-query { 192.168.1.0/24; };
        masters { 192.168.1.104; };
};
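The defaults documented above (allow-recursion and allow-transfer open to all hosts unless restricted, allow-update granting whatever it lists) are easy to leave in place by accident. The following audit script is an added example, not part of the original page or of BIND: it strips the three comment styles, walks the top-level statements of a named.conf and reports zones and options blocks still at those defaults. The sample configuration inside it is constructed for the demonstration; zones nested inside view blocks, as in the Red Hat sample, are not descended into.

```python
import re

# Constructed sample, not a real server's config: a zone left at the page's documented
# permissive defaults, a locked-down zone, and an options block with recursion on.
SAMPLE_CONF = """
options { directory "/var/named"; recursion yes; };  // no allow-recursion
zone "open.example" IN {
    type master; file "open.example.db";   # no allow-transfer: anyone may AXFR
    allow-update { any; };                 /* any host may rewrite the zone */
};
zone "tight.example" IN {
    type master; file "tight.example.db";
    allow-transfer { 192.168.1.105; };
    allow-update { key ddns_key; };
};
"""

def strip_comments(text):
    """Drop all three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#).*", " ", text)  # assumes no // or # inside quoted strings

def top_level_statements(text):
    """Yield (header, body) for each brace statement at nesting depth 0 (views are not descended)."""
    depth = stmt_start = body_start = 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                body_start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield text[stmt_start:body_start].strip(" ;\t\n"), text[body_start + 1:i]
                stmt_start = i + 1

def audit(conf):
    """Return findings for settings left at the permissive defaults the page documents."""
    findings = []
    for header, body in top_level_statements(strip_comments(conf)):
        words, flat = header.split(), " ".join(body.split())
        if words[0] == "options" and "recursion yes" in flat and "allow-recursion" not in flat:
            findings.append("options: recursion yes without allow-recursion (default: all hosts)")
        elif words[0] == "zone":
            name = words[1].strip('"')
            if "allow-transfer" not in flat:
                findings.append(f"zone {name}: no allow-transfer (default allows all transfers)")
            if re.search(r"allow-update\s*\{\s*any\s*;", flat):
                findings.append(f"zone {name}: allow-update permits any host")
    return findings
```

Running audit(open("/etc/named.conf").read()) on a real file reports the same three classes of finding; named-checkconf remains the tool for syntax validation, which this script does not attempt.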
