3 // Refer to the named.conf(5) and named(8) man pages, and the documentation
4 // in /usr/share/doc/bind9 for more details.
6 // If you are going to set up an authoritative server, make sure you
7 // understand the hairy details of how DNS works. Even with
8 // simple mistakes, you can break connectivity for affected parties,
9 // or cause huge amounts of useless Internet traffic.
12 // Relative to the chroot directory, if any
13 directory "/etc/namedb";
14 pid-file "/var/run/named/pid";
15 dump-file "/var/dump/named_dump.db";
16 statistics-file "/var/stats/named.stats";
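18 // If named is being used only as a local resolver, this is a safe default.
19 // For named to be accessible to the network, comment out this option, specify
20 // the proper IP address, or delete this option. If you do expose it,
// restrict who may use recursion (e.g. with allow-recursion) so that the
// server does not become an open resolver.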
21 listen-on { 127.0.0.1; };
23 // If you have IPv6 enabled on this system, uncomment this option for
24 // use as a local resolver. To give access to the network, specify
25 // an IPv6 address, or the keyword "any".
26 // listen-on-v6 { ::1; };
28 // These zones are already covered by the empty zones listed below.
29 // If you remove the related empty zones below, comment these lines out.
30 disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
31 disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
32 disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
34 // If you've got a DNS server around at your upstream provider, enter
35 // its IP address here, and enable the line below. This lets you
36 // benefit from its cache and thus reduces overall DNS traffic on the Internet.
43 // If the 'forwarders' clause is not empty the default is to 'forward first'
44 // which will fall back to sending a query from your local server if the name
45 // servers in 'forwarders' do not have the answer. Alternatively you can
46 // force your name server to never initiate queries of its own by enabling the 'forward only' option.
50 // If you wish to have forwarding configured automatically based on
51 // the entries in /etc/resolv.conf, uncomment the following line and
52 // set named_auto_forward=yes in /etc/rc.conf. You can also enable
53 // named_auto_forward_only (the effect of which is described above).
54 // include "/etc/namedb/auto_forward.conf";
57 Modern versions of BIND use a random UDP port for each outgoing
58 query by default in order to dramatically reduce the possibility
59 of cache poisoning. All users are strongly encouraged to utilize
60 this feature, and to configure their firewalls to accommodate it.
62 AS A LAST RESORT in order to get around a restrictive firewall
63 policy you can try enabling the option below. Use of this option
64 will significantly reduce your ability to withstand cache poisoning
65 attacks, and should be avoided if at all possible: with a fixed source
port, the 16-bit query ID is the only value left for a forged reply to match.
67 Replace NNNNN in the example with a number between 49160 and 65530.
69 // query-source address * port NNNNN;
72 // If you enable a local name server, don't forget to enter 127.0.0.1
73 // first in your /etc/resolv.conf so this server will be queried.
74 // Also, make sure to enable it in /etc/rc.conf.
76 // The traditional root hints mechanism. Use this, OR the slave zones below.
77 zone "." { type hint; file "named.root"; };
79 /* Slaving the following zones from the root name servers has some
80 significant advantages:
81 1. Faster local resolution for your users
82 2. No spurious traffic will be sent from your network to the roots
83 3. Greater resilience to any potential root server failure/DDoS
85 On the other hand, this method requires more monitoring than the
86 hints file to be sure that an unexpected failure mode has not
87 incapacitated your server. Name servers that are serving a lot
88 of clients will benefit more from this approach than individual
89 hosts. Use with caution.
91 To use this mechanism, uncomment the entries below, and comment out the hint zone above.
97 file "slave/root.slave";
99 192.5.5.241; // F.ROOT-SERVERS.NET.
105 file "slave/arpa.slave";
107 192.5.5.241; // F.ROOT-SERVERS.NET.
111 zone "in-addr.arpa" {
113 file "slave/in-addr.arpa.slave";
115 192.5.5.241; // F.ROOT-SERVERS.NET.
121 /* Serving the following zones locally will prevent any queries
122 for these zones leaving your network and going to the root
123 name servers. This has two significant advantages:
124 1. Faster local resolution for your users
125 2. No spurious traffic will be sent from your network to the roots
128 zone "localhost" { type master; file "master/localhost-forward.db"; };
129 zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
130 zone "255.in-addr.arpa" { type master; file "master/empty.db"; };
132 // RFC 1912-style zone for IPv6 localhost address
133 zone "0.ip6.arpa" { type master; file "master/localhost-reverse.db"; };
135 // "This" Network (RFCs 1912 and 3330)
136 zone "0.in-addr.arpa" { type master; file "master/empty.db"; };
138 // Private Use Networks (RFC 1918)
139 zone "10.in-addr.arpa" { type master; file "master/empty.db"; };
140 zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; };
141 zone "17.172.in-addr.arpa" { type master; file "master/empty.db"; };
142 zone "18.172.in-addr.arpa" { type master; file "master/empty.db"; };
143 zone "19.172.in-addr.arpa" { type master; file "master/empty.db"; };
144 zone "20.172.in-addr.arpa" { type master; file "master/empty.db"; };
145 zone "21.172.in-addr.arpa" { type master; file "master/empty.db"; };
146 zone "22.172.in-addr.arpa" { type master; file "master/empty.db"; };
147 zone "23.172.in-addr.arpa" { type master; file "master/empty.db"; };
148 zone "24.172.in-addr.arpa" { type master; file "master/empty.db"; };
149 zone "25.172.in-addr.arpa" { type master; file "master/empty.db"; };
150 zone "26.172.in-addr.arpa" { type master; file "master/empty.db"; };
151 zone "27.172.in-addr.arpa" { type master; file "master/empty.db"; };
152 zone "28.172.in-addr.arpa" { type master; file "master/empty.db"; };
153 zone "29.172.in-addr.arpa" { type master; file "master/empty.db"; };
154 zone "30.172.in-addr.arpa" { type master; file "master/empty.db"; };
155 zone "31.172.in-addr.arpa" { type master; file "master/empty.db"; };
156 zone "168.192.in-addr.arpa" { type master; file "master/empty.db"; };
158 // Link-local/APIPA (RFCs 3330 and 3927)
159 zone "254.169.in-addr.arpa" { type master; file "master/empty.db"; };
161 // TEST-NET for Documentation (RFC 3330)
162 zone "2.0.192.in-addr.arpa" { type master; file "master/empty.db"; };
164 // Router Benchmark Testing (RFC 3330)
165 zone "18.198.in-addr.arpa" { type master; file "master/empty.db"; };
166 zone "19.198.in-addr.arpa" { type master; file "master/empty.db"; };
168 // IANA Reserved - Old Class E Space
169 zone "240.in-addr.arpa" { type master; file "master/empty.db"; };
170 zone "241.in-addr.arpa" { type master; file "master/empty.db"; };
171 zone "242.in-addr.arpa" { type master; file "master/empty.db"; };
172 zone "243.in-addr.arpa" { type master; file "master/empty.db"; };
173 zone "244.in-addr.arpa" { type master; file "master/empty.db"; };
174 zone "245.in-addr.arpa" { type master; file "master/empty.db"; };
175 zone "246.in-addr.arpa" { type master; file "master/empty.db"; };
176 zone "247.in-addr.arpa" { type master; file "master/empty.db"; };
177 zone "248.in-addr.arpa" { type master; file "master/empty.db"; };
178 zone "249.in-addr.arpa" { type master; file "master/empty.db"; };
179 zone "250.in-addr.arpa" { type master; file "master/empty.db"; };
180 zone "251.in-addr.arpa" { type master; file "master/empty.db"; };
181 zone "252.in-addr.arpa" { type master; file "master/empty.db"; };
182 zone "253.in-addr.arpa" { type master; file "master/empty.db"; };
183 zone "254.in-addr.arpa" { type master; file "master/empty.db"; };
185 // IPv6 Unassigned Addresses (RFC 4291)
186 zone "1.ip6.arpa" { type master; file "master/empty.db"; };
187 zone "3.ip6.arpa" { type master; file "master/empty.db"; };
188 zone "4.ip6.arpa" { type master; file "master/empty.db"; };
189 zone "5.ip6.arpa" { type master; file "master/empty.db"; };
190 zone "6.ip6.arpa" { type master; file "master/empty.db"; };
191 zone "7.ip6.arpa" { type master; file "master/empty.db"; };
192 zone "8.ip6.arpa" { type master; file "master/empty.db"; };
193 zone "9.ip6.arpa" { type master; file "master/empty.db"; };
194 zone "a.ip6.arpa" { type master; file "master/empty.db"; };
195 zone "b.ip6.arpa" { type master; file "master/empty.db"; };
196 zone "c.ip6.arpa" { type master; file "master/empty.db"; };
197 zone "d.ip6.arpa" { type master; file "master/empty.db"; };
198 zone "e.ip6.arpa" { type master; file "master/empty.db"; };
199 zone "0.f.ip6.arpa" { type master; file "master/empty.db"; };
200 zone "1.f.ip6.arpa" { type master; file "master/empty.db"; };
201 zone "2.f.ip6.arpa" { type master; file "master/empty.db"; };
202 zone "3.f.ip6.arpa" { type master; file "master/empty.db"; };
203 zone "4.f.ip6.arpa" { type master; file "master/empty.db"; };
204 zone "5.f.ip6.arpa" { type master; file "master/empty.db"; };
205 zone "6.f.ip6.arpa" { type master; file "master/empty.db"; };
206 zone "7.f.ip6.arpa" { type master; file "master/empty.db"; };
207 zone "8.f.ip6.arpa" { type master; file "master/empty.db"; };
208 zone "9.f.ip6.arpa" { type master; file "master/empty.db"; };
209 zone "a.f.ip6.arpa" { type master; file "master/empty.db"; };
210 zone "b.f.ip6.arpa" { type master; file "master/empty.db"; };
211 zone "0.e.f.ip6.arpa" { type master; file "master/empty.db"; };
212 zone "1.e.f.ip6.arpa" { type master; file "master/empty.db"; };
213 zone "2.e.f.ip6.arpa" { type master; file "master/empty.db"; };
214 zone "3.e.f.ip6.arpa" { type master; file "master/empty.db"; };
215 zone "4.e.f.ip6.arpa" { type master; file "master/empty.db"; };
216 zone "5.e.f.ip6.arpa" { type master; file "master/empty.db"; };
217 zone "6.e.f.ip6.arpa" { type master; file "master/empty.db"; };
218 zone "7.e.f.ip6.arpa" { type master; file "master/empty.db"; };
220 // IPv6 ULA (RFC 4193)
221 zone "c.f.ip6.arpa" { type master; file "master/empty.db"; };
222 zone "d.f.ip6.arpa" { type master; file "master/empty.db"; };
224 // IPv6 Link Local (RFC 4291)
225 zone "8.e.f.ip6.arpa" { type master; file "master/empty.db"; };
226 zone "9.e.f.ip6.arpa" { type master; file "master/empty.db"; };
227 zone "a.e.f.ip6.arpa" { type master; file "master/empty.db"; };
228 zone "b.e.f.ip6.arpa" { type master; file "master/empty.db"; };
230 // IPv6 Deprecated Site-Local Addresses (RFC 3879)
231 zone "c.e.f.ip6.arpa" { type master; file "master/empty.db"; };
232 zone "d.e.f.ip6.arpa" { type master; file "master/empty.db"; };
233 zone "e.e.f.ip6.arpa" { type master; file "master/empty.db"; };
234 zone "f.e.f.ip6.arpa" { type master; file "master/empty.db"; };
236 // IP6.INT is Deprecated (RFC 4159)
237 zone "ip6.int" { type master; file "master/empty.db"; };
239 // NB: Do not use the IP addresses below, they are faked, and only
240 // serve demonstration/documentation purposes!
242 // Example slave zone config entries. It can be convenient to become
243 // a slave at least for the zone your own domain is in. Ask
244 // your network administrator for the IP address of the responsible
245 // master name server.
247 // Do not forget to include the reverse lookup zone!
248 // This is named after the first bytes of the IP address, in reverse
249 // order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
251 // Before starting to set up a master zone, make sure you fully
252 // understand how DNS and BIND work. There are sometimes
253 // non-obvious pitfalls. Setting up a slave zone is usually simpler.
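255 // NB: Don't blindly enable the examples below. :-) Use actual names
256 // and addresses instead, and generate your own key secret: the one shown
// in the example is published and must never be used on a real server.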
258 /* An example dynamic zone
259 key "exampleorgkey" {
261 secret "sf87HJqjkqh8ac87a02lla==";
268 file "dynamic/example.org";
272 /* Example of a slave reverse zone
273 zone "1.168.192.in-addr.arpa" {
275 file "slave/1.168.192.in-addr.arpa";