author | Mike Crute <mike@crute.us> | 2023-10-27 19:01:48 -0700 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2023-10-27 19:01:48 -0700 |
commit | 0fd8fd6b0b78d0e2fc8cfdd029dad9cbb83c7437 (patch) | |
tree | 31bde55e6b27dd6b756b0d5cf64385009f88e88e /bind/conf/named.conf | |
parent | 2ec55d13b91e63a237f4523c17fe50c81709bb2b (diff) | |
download | dockerfiles-0fd8fd6b0b78d0e2fc8cfdd029dad9cbb83c7437.tar.bz2 dockerfiles-0fd8fd6b0b78d0e2fc8cfdd029dad9cbb83c7437.tar.xz dockerfiles-0fd8fd6b0b78d0e2fc8cfdd029dad9cbb83c7437.zip |
bind: simplify shipped config
Diffstat (limited to 'bind/conf/named.conf')
-rw-r--r-- | bind/conf/named.conf | 97 |
1 files changed, 0 insertions, 97 deletions
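--- a/bind/conf/named.conf
+++ /dev/null
@@ -1,97 +0,0 @@
-// vi:ft=named noexpandtab
-
-include "/etc/bind/rndc.key";
-
-//========================================================================
-// If BIND logs error messages about the root key being expired,
-// you will need to update your keys. See https://www.isc.org/bind-keys
-//========================================================================
-
-options {
-	directory "/etc/bind/local/zones";
-	managed-keys-directory "/etc/bind/local/managed-keys";
-	bindkeys-file "/etc/bind/bind.keys"; // Default is /etc/bind.keys :-(
-
-	dnssec-validation no; // AWS resolvers return invalid zone signatures
-	zone-statistics full; // Track full stats for prometheus export
-	masterfile-format text; // Write zonefiles in text even for secondary zones
-	auth-nxdomain no; // conform to RFC1035
-	notify master-only; // don't send NOTIFY from secondaries
-
-	version none;
-	hostname none;
-
-	// Force TCP if response would be larger than IPv6 fragment size
-	// see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/
-	max-udp-size 1220;
-	edns-udp-size 1220;
-
-	// Allow more transfers at once to improve secondary convergence
-	transfers-in 50;
-	transfers-out 50;
-
-	listen-on { any; };
-	listen-on-v6 { any; };
-	allow-update-forwarding { any; };
-
-	// Typically this ACL is empty but exists so that it can be populated
-	// during an attack to block bad clients.
-	blackhole {
-		blackhole-clients;
-	};
-
-	allow-notify {
-		internal-keys;
-		external-keys;
-	};
-
-	allow-recursion {
-		internal-nets;
-		localhost;
-	};
-
-	allow-transfer {
-		internal-nets;
-		localhost;
-	};
-};
-
-logging {
-	category default { default_stderr; default_debug; };
-};
-
-statistics-channels {
-	// inet 127.0.0.1 port 8053 allow { monitoring-hosts; };
-	// inet ::1 port 8053 allow { monitoring-hosts; };
-
-	inet 0.0.0.0 port 8053 allow { monitoring-hosts; };
-	inet :: port 8053 allow { monitoring-hosts; };
-};
-
-controls {
-	inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
-	inet ::1 allow { localhost; } keys { "rndc-key"; };
-};
-
-acl internal-nets {
-	// Internal RFC1918
-	172.16.0.0/12;
-
-	// Unknown? Maybe Docker bridge?
-	192.168.255.0/24;
-
-	// Pomona ARIN
-	23.149.16.0/24;
-	104.250.232.0/22;
-	2602:0803:4000::/40;
-};
-
-acl monitoring-hosts {
-	localhost;
-
-	// monitoring-1.sea1.crute.me
-	172.16.0.64/32;
-	2602:803:4070:0:5054:9fff:fe55:2cb3/128;
-};
-
-include "/etc/bind/local/named.conf";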