Listing 1 Sample named.conf files
Sample named.conf files:
--------------------------------------------------------------------------
External Authoritative --
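acl bogusnets {
    // Source addresses that should never legitimately reach an
    // Internet-facing authoritative server; the options block below
    // blackholes them.  Bogon lists go stale: 1.0.0.0/8 and 2.0.0.0/8
    // from the original list have since been allocated by the RIRs
    // and are dropped here so that real clients are not refused.
    // Re-check the remaining entries against current IANA/RIR
    // allocations whenever this ACL is edited.
    0.0.0.0/8;          // "this" network
    192.0.2.0/24;       // TEST-NET documentation prefix
    224.0.0.0/3;        // multicast and reserved (224.0.0.0-255.255.255.255)
    // RFC 1918 private space.  NOTE(review): the slave zones in this
    // file name their masters as 192.168.3.1 / 192.168.4.1, which sit
    // inside 192.168.0.0/16.  If their packets reach this host with
    // that source address they will be blackholed, so this only works
    // if the management path is translated or routed differently --
    // confirm before relying on it.
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};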
acl backups {
    // Hosts permitted to pull zone transfers (referenced by
    // allow-transfer below).  24.24.0.0/16 admits the whole external
    // block rather than just the secondaries; since this is an
    // address-only check, pairing it with a TSIG key is the usual
    // hardening.
    199.191.128.0/24;   // external company secondaries
    12.127.16.0/24;     // external company secondaries
    24.24.0.0/16;       // our external block
};
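options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    // Let named choose a fresh random source port for the queries it
    // does send (SOA refresh checks against the masters).  The
    // original pinned "port 53", which makes forged answers far
    // easier to land; a fixed source port should not be used on any
    // named, authoritative or not.
    query-source address * port *;
    // Authoritative only: never recurse for anyone.
    recursion no;
    // Drop traffic to/from the bogon ranges outright.  Make sure your
    // masters are not inside this list (see the note on bogusnets).
    blackhole { bogusnets; };
    // Only the networks on which your secondaries reside (or the
    // individual secondaries) may take zone transfers.  Consider
    // requiring a TSIG key in addition to the address match.
    allow-transfer { backups; };
};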
zone "." {
    // Root hints; with recursion off these are only used if named
    // itself needs to look something up.
    file "db.cache";
    type hint;
};
zone "0.0.127.in-addr.arpa" {
    // Reverse zone for loopback, served locally.
    file "db.127.0.0";
    type master;
};
zone "ikep.org" {
    // Secondary copy pulled from the hidden master on the management
    // workstation (and its optional backup workstation).
    // NOTE(review): both master addresses fall inside the blackholed
    // 192.168.0.0/16 range of the bogusnets ACL -- confirm the
    // transfer path actually works with this configuration.
    file "db.ikep.org";
    type slave;
    masters { 192.168.3.1; 192.168.4.1; };
};
zone "ikep.com" {
    // Secondary copy pulled from the hidden master on the management
    // workstation (and its optional backup workstation).
    // NOTE(review): both master addresses fall inside the blackholed
    // 192.168.0.0/16 range of the bogusnets ACL -- confirm the
    // transfer path actually works with this configuration.
    file "db.ikep.com";
    type slave;
    masters { 192.168.3.1; 192.168.4.1; };
};
zone "24.24.24.in-addr.arpa" {
    // Reverse zone for our first external /24, slaved from the
    // management workstation(s).
    // NOTE(review): master addresses are inside the blackholed
    // 192.168.0.0/16 range -- confirm the transfer path works.
    file "db.24.24.24";
    type slave;
    masters { 192.168.3.1; 192.168.4.1; };
};
zone "25.24.24.in-addr.arpa" {
    // Reverse zone for our second external /24, slaved from the
    // management workstation(s).
    // NOTE(review): master addresses are inside the blackholed
    // 192.168.0.0/16 range -- confirm the transfer path works.
    file "db.24.24.25";
    type slave;
    masters { 192.168.3.1; 192.168.4.1; };
};
controls {
    // rndc access: the local host over loopback, and the management
    // workstations via the public-facing addresses.  The key is what
    // actually authenticates a command; the address list only narrows
    // who can reach the port.
    // NOTE(review): listening on 24.24.24.1 / 24.24.25.1 exposes the
    // control port to the Internet, while the permitted source is a
    // private address -- if management traffic is NATed on the way
    // in, the address match fails.  Prefer an internal interface.
    inet 127.0.0.1 allow { localhost; } keys { localkey; };
    inet 24.24.24.1 allow { 192.168.3.1; } keys { localkey; };
    inet 24.24.25.1 allow { 192.168.4.1; } keys { localkey; };
};
key localkey {
    // Shared secret for rndc.  Use hmac-sha256 (or stronger) rather
    // than the historical hmac-md5; generate the secret with
    // rndc-confgen / tsig-keygen, and do not reuse one secret on every
    // server as this listing does -- a single leaked named.conf would
    // then control all of them.  Keep this file (or an included key
    // file) readable only by the named user.
    secret "PutTheGeneratedKeyHere";
    algorithm "PutTheAlgorithmUsedToCreateYourKeyHere";
};
--------------------------------------------------------------------------
Screened Caching --
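options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    // Random source port per outgoing query.  This is the server that
    // recurses to the Internet, so the original's pinned "port 53"
    // would have left its cache exposed to forged answers.
    query-source address * port *;
    // The original had no query or recursion restriction at all,
    // making this an open resolver on 24.24.24.2 / 24.24.25.2.  Only
    // the trusted caching servers forward here, so limit service to
    // them.  NOTE(review): 192.168.5.1 / 192.168.6.1 are taken from
    // the trusted caching servers' control addresses in this listing;
    // replace them with whatever source address those servers
    // actually present to this host (e.g. after NAT) before deploying.
    allow-recursion { 127.0.0.1; 192.168.5.1; 192.168.6.1; };
    allow-query { 127.0.0.1; 192.168.5.1; 192.168.6.1; };
    // Nothing authoritative lives here besides the loopback zone.
    allow-transfer { none; };
};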
zone "." {
    // Internet root hints: this is the server that actually walks the
    // public DNS tree on behalf of the trusted caching servers.
    file "db.cache";
    type hint;
};
zone "0.0.127.in-addr.arpa" {
    // Loopback reverse zone; nobody else carries it, so do not NOTIFY.
    notify no;
    file "db.127.0.0";
    type master;
};
controls {
    // rndc access: loopback locally, plus the management workstations
    // via the public-facing addresses.  Authentication comes from the
    // key; the address list only limits who can reach the port.
    // NOTE(review): 24.24.24.2 / 24.24.25.2 are Internet-facing and
    // the allowed source is a private address -- if management
    // traffic is NATed on the way in, the match fails.  An internal
    // interface would be the safer listener.
    inet 127.0.0.1 allow { localhost; } keys { localkey; };
    inet 24.24.24.2 allow { 192.168.3.1; } keys { localkey; };
    inet 24.24.25.2 allow { 192.168.4.1; } keys { localkey; };
};
key localkey {
    // rndc shared secret.  Prefer hmac-sha256 over hmac-md5, generate
    // the secret with rndc-confgen / tsig-keygen, use a distinct
    // secret per server, and keep this file readable only by named.
    secret "PutTheGeneratedKeyHere";
    algorithm "PutTheAlgorithmUsedToCreateYourKeyHere";
};
-------------------------------------------------------------------------
Trusted Caching Decision --
acl internals {
    // Everything on the inside network, plus this host's loopback.
    127.0.0.1/32;
    192.168.0.0/16;
};
acl externals {
    // Our public address block (the DMZ side).
    24.24.0.0/16;
};
options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    // No query-source is set, so named picks its own random source
    // port for each outgoing query -- keep it that way.
    // Nothing authoritative lives on this box, so nobody may AXFR.
    allow-transfer { none; };
    // Recursion and queries are restricted to our own address space;
    // these apply to both views below.
    allow-recursion { internals; externals; };
    allow-query { internals; externals; };
};
view "internal" {
    // Internally this is a plain caching resolver whose "root" is our
    // private root (not the Internet's), so only internal names
    // resolve through it.
    match-clients { internals; };
    zone "." {
        type hint;
        file "db.cache";    // hints for the private root
        // NOTE(review): the only master for "." in this listing is the
        // management server's internal view, whose allow-query admits
        // only ns1/ns2 -- make sure these hints point at servers this
        // host is actually allowed to query.
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.127.0.0";
        notify no;
    };
};
view "external" {
    match-clients { externals; };
    // Anything that is not ours goes out via the screened caching
    // servers in the DMZ; forward only, never walk the tree ourselves.
    zone "." {
        type forward;
        forward only;
        forwarders { 24.24.24.2; 24.24.25.2; };
    };
    // Our own domains go to the trusted authoritative servers.  A
    // forward zone also covers subdomains (texas.ikep.org and so on).
    // NOTE(review): in this listing the trusted authoritative servers
    // (192.168.1.1 / 192.168.2.1) only carry ikep.east, ikep.west and
    // 168.192.in-addr.arpa; ikep.org and ikep.com live on the external
    // authoritative servers.  Confirm that these forwarders can really
    // answer for these zones, or point them at the right servers.
    zone "ikep.org" {
        type forward;
        forward only;
        forwarders { 192.168.1.1; 192.168.2.1; };
    };
    zone "ikep.com" {
        type forward;
        forward only;
        forwarders { 192.168.1.1; 192.168.2.1; };
    };
};
controls {
    // rndc access from the local host and from the management
    // workstations, here over internal interfaces only.  The key
    // authenticates; the address list merely limits exposure.
    inet 127.0.0.1 allow { localhost; } keys { localkey; };
    inet 192.168.5.1 allow { 192.168.3.1; } keys { localkey; };
    inet 192.168.6.1 allow { 192.168.4.1; } keys { localkey; };
};
key localkey {
    // rndc shared secret.  Prefer hmac-sha256 over hmac-md5, generate
    // the secret with rndc-confgen / tsig-keygen, use a distinct
    // secret per server, and keep this file readable only by named.
    secret "PutTheGeneratedKeyHere";
    algorithm "PutTheAlgorithmUsedToCreateYourKeyHere";
};
-------------------------------------------------------------------------
Trusted Authoritative --
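options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    // Random source port for the SOA refresh queries this server sends
    // to its masters (the original pinned port 53).
    query-source address * port *;
    // Authoritative only.
    recursion no;
    // The original placed no limit on zone transfers, so any internal
    // host could AXFR 168.192.in-addr.arpa and obtain a complete
    // inventory of the internal network.  No downstream secondaries of
    // this server appear in the listing; list them here if they exist.
    allow-transfer { none; };
};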
zone "." {
    // Root hints.  NOTE(review): the management server publishes a
    // private zone "." for the internal view but this server does not
    // slave it; if the internal resolvers are meant to use ns1/ns2 as
    // their root, a slave zone for "." would be needed here -- confirm.
    file "db.cache";
    type hint;
};
zone "0.0.127.in-addr.arpa" {
    // Loopback reverse zone, served locally.
    file "db.127.0.0";
    type master;
};
zone "ikep.east" {
    // Internal zone slaved from the hidden master on the management
    // workstation (and its optional backup).
    file "db.ikep.east";
    type slave;
    masters { 192.168.3.1; 192.168.4.1; };
};
zone "ikep.west" {
    // Internal zone slaved from the hidden master on the management
    // workstation (and its optional backup).
    file "db.ikep.west";
    type slave;
    masters { 192.168.3.1; 192.168.4.1; };
};
zone "168.192.in-addr.arpa" {
    // Reverse zone for the whole internal 192.168/16, slaved from the
    // management workstation(s).  This is effectively a host inventory
    // of the inside network, so keep allow-transfer tight.
    file "db.192.168";
    type slave;
    masters { 192.168.3.1; 192.168.4.1; };
};
controls {
    // rndc access from the local host and from the management
    // workstations over the internal interfaces.  The key does the
    // authenticating; the address list only limits exposure.
    inet 127.0.0.1 allow { localhost; } keys { localkey; };
    inet 192.168.1.1 allow { 192.168.3.1; } keys { localkey; };
    inet 192.168.2.1 allow { 192.168.4.1; } keys { localkey; };
};
key localkey {
    // rndc shared secret.  Prefer hmac-sha256 over hmac-md5, generate
    // the secret with rndc-confgen / tsig-keygen, use a distinct
    // secret per server, and keep this file readable only by named.
    secret "PutTheGeneratedKeyHere";
    algorithm "PutTheAlgorithmUsedToCreateYourKeyHere";
};
------------------------------------------------------------------------
Management Server --
/* Since each entry below uses a /32, these ACLs name individual hosts, not networks. */
acl internals {
    // The internal authoritative servers (and loopback) -- the only
    // clients allowed to see the internal view.
    127.0.0.1/32;       // loopback
    192.168.1.1/32;     // Internal Authoritative ns1
    192.168.2.1/32;     // Internal Authoritative ns2
};
acl externals {
127.0.0.1/32; // loopback
24.24.24.1/32; // External Authoritative ns1 (it slaves ikep.org/ikep.com from here;
               // the screened caching server on that subnet is 24.24.24.2)
24.24.25.1/32; // External Authoritative ns2 (the screened caching server is 24.24.25.2)
};
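options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    // Random source port for outgoing traffic (the original pinned
    // port 53).
    query-source address * port *;
    // This is a hidden master: it serves zones and sends NOTIFYs but
    // never needs to recurse.  The original left recursion at its
    // default (enabled).
    recursion no;
    // Only the known name servers may transfer zones or query at all.
    // Address matching alone is weak for a hidden master; a TSIG key
    // per secondary is the usual hardening.
    allow-transfer { internals; externals; };
    allow-query { internals; externals; };
};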
/*
This is the view for the internal zones
*/
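view "internal" {
    // Internal zones, visible only to the internal authoritative
    // servers (plus loopback).
    match-clients { internals; };
    zone "." {
        type master;                // our private root
        file "internal/db.root";
        notify yes;
    };
    zone "ikep.east" {
        type master;
        file "internal/db.ikep.east";
        notify yes;
    };
    zone "ikep.west" {
        type master;
        file "internal/db.ikep.west";
        notify yes;
    };
    zone "168.192.in-addr.arpa" {
        type master;
        file "internal/db.192.168";
        notify yes;
    };
};
// The closing brace above was missing in the original listing, which
// left view "external" (and the controls/key statements after it)
// nested inside view "internal"; named does not accept nested views.

view "external" {
    // External zones, visible only to the external authoritative
    // servers (plus loopback).
    match-clients { externals; };
    zone "ikep.org" {
        type master;
        file "external/db.ikep.org";
        notify yes;
    };
    zone "ikep.com" {
        type master;
        file "external/db.ikep.com";
        notify yes;
    };
    // NOTE(review): the two reverse zones keep their data under
    // internal/ while the forward zones in this view use external/.
    // Presumably a slip for external/; the paths are left as they
    // were -- confirm where the files actually live.
    zone "24.24.24.in-addr.arpa" {
        type master;
        file "internal/db.24.24.24";
        notify yes;
    };
    zone "25.24.24.in-addr.arpa" {
        type master;
        file "internal/db.24.24.25";
        notify yes;
    };
};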
controls {
    // Only the local host may control named on the management
    // workstation; no remote control channel is exposed here.
    inet 127.0.0.1 allow { localhost; } keys { localkey; };
};
key localkey {
    // rndc shared secret.  Prefer hmac-sha256 over hmac-md5, generate
    // the secret with rndc-confgen / tsig-keygen, use a distinct
    // secret per server, and keep this file readable only by named.
    secret "PutTheGeneratedKeyHere";
    algorithm "PutTheAlgorithmUsedToCreateYourKeyHere";
};