Diffstat (limited to 'bind/conf/named.conf')
-rw-r--r-- | bind/conf/named.conf | 82 |
1 files changed, 48 insertions, 34 deletions
diff --git a/bind/conf/named.conf b/bind/conf/named.conf index dcf0cf3..b7d563d 100644 --- a/bind/conf/named.conf +++ b/bind/conf/named.conf | |||
@@ -2,41 +2,47 @@ | |||
2 | 2 | ||
3 | include "/etc/bind/rndc.key"; | 3 | include "/etc/bind/rndc.key"; |
4 | 4 | ||
5 | options { | 5 | //======================================================================== |
6 | directory "/etc/bind/local/cache"; | 6 | // If BIND logs error messages about the root key being expired, |
7 | bindkeys-file "/etc/bind/bind.keys"; | 7 | // you will need to update your keys. See https://www.isc.org/bind-keys |
8 | 8 | //======================================================================== | |
9 | //======================================================================== | ||
10 | // If BIND logs error messages about the root key being expired, | ||
11 | // you will need to update your keys. See https://www.isc.org/bind-keys | ||
12 | //======================================================================== | ||
13 | 9 | ||
14 | // mcrute: disable dnssec because the AWS resolvers return invalid zone | 10 | options { |
15 | // signatures | 11 | directory "/etc/bind/local/zones"; |
16 | dnssec-validation no; | 12 | managed-keys-directory "/etc/bind/local/managed-keys"; |
17 | 13 | bindkeys-file "/etc/bind/bind.keys"; // Default is /etc/bind.keys :-( | |
18 | zone-statistics full; | ||
19 | 14 | ||
20 | auth-nxdomain no; # conform to RFC1035 | 15 | dnssec-validation no; // AWS resolvers return invalid zone signatures |
21 | notify master-only; # don't send NOTIFY from secondaries | 16 | zone-statistics full; // Track full stats for prometheus export |
17 | masterfile-format text; // Write zonefiles in text even for secondary zones | ||
18 | auth-nxdomain no; // conform to RFC1035 | ||
19 | notify master-only; // don't send NOTIFY from secondaries | ||
22 | 20 | ||
23 | version none; | 21 | version none; |
24 | hostname none; | 22 | hostname none; |
25 | 23 | ||
26 | listen-on { | 24 | // Force TCP if response would be larger than IPv6 fragment size |
27 | any; | 25 | // see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/ |
28 | }; | 26 | max-udp-size 1220; |
27 | edns-udp-size 1220; | ||
29 | 28 | ||
30 | listen-on-v6 { | 29 | // Allow more transfers at once to improve secondary convergence |
31 | any; | 30 | transfers-in 50; |
32 | }; | 31 | transfers-out 50; |
32 | |||
33 | listen-on { any; }; | ||
34 | listen-on-v6 { any; }; | ||
35 | allow-update-forwarding { any; }; | ||
33 | 36 | ||
34 | allow-update-forwarding { | 37 | // Typically this ACL is empty but exists so that it can be populated |
35 | any; | 38 | // during an attack to block bad clients. |
39 | blackhole { | ||
40 | blackhole-clients; | ||
36 | }; | 41 | }; |
37 | 42 | ||
38 | allow-notify { | 43 | allow-notify { |
39 | all-dns-servers; | 44 | internal-keys; |
45 | external-keys; | ||
40 | }; | 46 | }; |
41 | 47 | ||
42 | allow-recursion { | 48 | allow-recursion { |
@@ -48,15 +54,6 @@ options { | |||
48 | internal-nets; | 54 | internal-nets; |
49 | localhost; | 55 | localhost; |
50 | }; | 56 | }; |
51 | |||
52 | // Force TCP if response would be larger than IPv6 fragment size | ||
53 | // see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/ | ||
54 | max-udp-size 1220; | ||
55 | edns-udp-size 1220; | ||
56 | |||
57 | // Allow more transfers at once to improve secondary convergence | ||
58 | transfers-in 50; | ||
59 | transfers-out 50; | ||
60 | }; | 57 | }; |
61 | 58 | ||
62 | statistics-channels { | 59 | statistics-channels { |
@@ -69,4 +66,21 @@ controls { | |||
69 | inet ::1 allow { localhost; } keys { "rndc-key"; }; | 66 | inet ::1 allow { localhost; } keys { "rndc-key"; }; |
70 | }; | 67 | }; |
71 | 68 | ||
72 | include "/etc/bind/named_local.conf"; | 69 | acl internal-nets { |
70 | // Internal RFC1918 | ||
71 | 172.16.0.0/12; | ||
72 | |||
73 | // Unknown? Maybe Docker bridge? | ||
74 | 192.168.255.0/24; | ||
75 | |||
76 | // Pomona ARIN | ||
77 | 23.149.16.0/24; | ||
78 | 2602:0803:4000::/40; | ||
79 | |||
80 | // AWS | ||
81 | 2600:1f14:f39:e000::/56; | ||
82 | 2600:1f16:33:500::/56; | ||
83 | 2a05:d01c:7ba:b800::/56; | ||
84 | }; | ||
85 | |||
86 | include "/etc/bind/local/named.conf"; | ||
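Review bot: The new `acl internal-nets` (new lines 69-84) grants recursion, via the `allow-recursion { internal-nets; localhost; }` block above it, to `192.168.255.0/24` while the comment on that entry reads `// Unknown? Maybe Docker bridge?`; an address range nobody can attribute has no place in a recursion ACL, so either identify and document its owner or take it out until then, e.g. `// 192.168.255.0/24;  // disabled until the owner of this range is confirmed`. Separately, this acl is defined after the `options` block that references it, and `blackhole-clients`, `internal-keys` and `external-keys` are not defined anywhere in this file (presumably they live in the trailing `include "/etc/bind/local/named.conf"`); the BIND ARM says an ACL name must be defined before it is used, so it is worth confirming with `named-checkconf` that these references resolve in this order, or simply moving the acl definitions above `options` to remove the doubt. The `dnssec-validation no;` and `allow-update-forwarding { any; };` settings are carried over unchanged, so they are not this commit's doing, but since `allow-notify` now keys on TSIG names, a follow-up that restricts update forwarding to those same keys instead of `any` would close the one remaining unauthenticated write path in this file.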