1 files changed, 48 insertions, 34 deletions
diff --git a/bind/conf/named.conf b/bind/conf/named.conf
index dcf0cf3..b7d563d 100644
--- a/bind/conf/named.conf
+++ b/bind/conf/named.conf
@@ -2,41 +2,47 @@
 include "/etc/bind/rndc.key";
-options {
+//========================================================================
-        directory "/etc/bind/local/cache";
+// If BIND logs error messages about the root key being expired,
-        bindkeys-file "/etc/bind/bind.keys";
+// you will need to update your keys.  See https://www.isc.org/bind-keys
+//========================================================================
-        //========================================================================
-        // If BIND logs error messages about the root key being expired,
-        // you will need to update your keys.  See https://www.isc.org/bind-keys
-        //========================================================================
-        // mcrute: disable dnssec because the AWS resolvers return invalid zone
+options {
-        // signatures
+        directory "/etc/bind/local/zones";
-        dnssec-validation no;
+        managed-keys-directory "/etc/bind/local/managed-keys";
+        bindkeys-file "/etc/bind/bind.keys"; // Default is /etc/bind.keys :-(
-        zone-statistics full;
-        auth-nxdomain no;    # conform to RFC1035
+        dnssec-validation no; // AWS resolvers return invalid zone signatures
-        notify master-only;  # don't send NOTIFY from secondaries
+        zone-statistics full; // Track full stats for prometheus export
+        masterfile-format text; // Write zonefiles in text even for secondary zones
+        auth-nxdomain no; // conform to RFC1035
+        notify master-only; // don't send NOTIFY from secondaries
        version none;
        hostname none;
-        listen-on {
+        // Force TCP if response would be larger than IPv6 fragment size
-                any;
+        // see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/
-        };
+        max-udp-size 1220;
+        edns-udp-size 1220;
-        listen-on-v6 {
+        // Allow more transfers at once to improve secondary convergence
-                any;
+        transfers-in 50;
-        };
+        transfers-out 50;
+        listen-on { any; };
+        listen-on-v6 { any; };
+        allow-update-forwarding { any; };
-        allow-update-forwarding {
+        // Typically this ACL is empty but exists so that it can be populated
-                any;
+        // during an attack to block bad clients.
+        blackhole {
+                blackhole-clients;
        };
        allow-notify {
-                all-dns-servers;
+                internal-keys;
+                external-keys;
        };
        allow-recursion {
@@ -48,15 +54,6 @@ options {
                internal-nets;
                localhost;
        };
-        // Force TCP if response would be larger than IPv6 fragment size
-        // see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/
-        max-udp-size 1220;
-        edns-udp-size 1220;
-        // Allow more transfers at once to improve secondary convergence
-        transfers-in 50;
-        transfers-out 50;
 };
 statistics-channels {
@@ -69,4 +66,21 @@ controls {
        inet ::1 allow { localhost; } keys { "rndc-key"; };
 };
-include "/etc/bind/named_local.conf";
+acl internal-nets {
+        // Internal RFC1918
+        172.16.0.0/12;
+        // Unknown? Maybe Docker bridge?
+        192.168.255.0/24;
+        // Pomona ARIN
+        23.149.16.0/24;
+        2602:0803:4000::/40;
+        // AWS
+        2600:1f14:f39:e000::/56;
+        2600:1f16:33:500::/56;
+        2a05:d01c:7ba:b800::/56;
+};
+include "/etc/bind/local/named.conf";

diff --git a/bind/conf/named.conf b/bind/conf/named.conf index dcf0cf3..b7d563d 100644 --- a/bind/conf/named.conf +++ b/bind/conf/named.conf
@@ -2,41 +2,47 @@
2		2
3	include "/etc/bind/rndc.key";	3	include "/etc/bind/rndc.key";
4		4
5	options {	5	//========================================================================
6	directory "/etc/bind/local/cache";	6	// If BIND logs error messages about the root key being expired,
7	bindkeys-file "/etc/bind/bind.keys";	7	// you will need to update your keys. See https://www.isc.org/bind-keys
8		8	//========================================================================
9	//========================================================================
10	// If BIND logs error messages about the root key being expired,
11	// you will need to update your keys. See https://www.isc.org/bind-keys
12	//========================================================================
13		9
14	// mcrute: disable dnssec because the AWS resolvers return invalid zone	10	options {
15	// signatures	11	directory "/etc/bind/local/zones";
16	dnssec-validation no;	12	managed-keys-directory "/etc/bind/local/managed-keys";
17		13	bindkeys-file "/etc/bind/bind.keys"; // Default is /etc/bind.keys :-(
18	zone-statistics full;
19		14
20	auth-nxdomain no; # conform to RFC1035	15	dnssec-validation no; // AWS resolvers return invalid zone signatures
21	notify master-only; # don't send NOTIFY from secondaries	16	zone-statistics full; // Track full stats for prometheus export
		17	masterfile-format text; // Write zonefiles in text even for secondary zones
		18	auth-nxdomain no; // conform to RFC1035
		19	notify master-only; // don't send NOTIFY from secondaries
22		20
23	version none;	21	version none;
24	hostname none;	22	hostname none;
25		23
26	listen-on {	24	// Force TCP if response would be larger than IPv6 fragment size
27	any;	25	// see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/
28	};	26	max-udp-size 1220;
		27	edns-udp-size 1220;
29		28
30	listen-on-v6 {	29	// Allow more transfers at once to improve secondary convergence
31	any;	30	transfers-in 50;
32	};	31	transfers-out 50;
		32
		33	listen-on { any; };
		34	listen-on-v6 { any; };
		35	allow-update-forwarding { any; };
33		36
34	allow-update-forwarding {	37	// Typically this ACL is empty but exists so that it can be populated
35	any;	38	// during an attack to block bad clients.
		39	blackhole {
		40	blackhole-clients;
36	};	41	};
37		42
38	allow-notify {	43	allow-notify {
39	all-dns-servers;	44	internal-keys;
		45	external-keys;
40	};	46	};
41		47
42	allow-recursion {	48	allow-recursion {
@@ -48,15 +54,6 @@ options {
48	internal-nets;	54	internal-nets;
49	localhost;	55	localhost;
50	};	56	};
51
52	// Force TCP if response would be larger than IPv6 fragment size
53	// see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/
54	max-udp-size 1220;
55	edns-udp-size 1220;
56
57	// Allow more transfers at once to improve secondary convergence
58	transfers-in 50;
59	transfers-out 50;
60	};	57	};
61		58
62	statistics-channels {	59	statistics-channels {
@@ -69,4 +66,21 @@ controls {
69	inet ::1 allow { localhost; } keys { "rndc-key"; };	66	inet ::1 allow { localhost; } keys { "rndc-key"; };
70	};	67	};
71		68
72	include "/etc/bind/named_local.conf";	69	acl internal-nets {
		70	// Internal RFC1918
		71	172.16.0.0/12;
		72
		73	// Unknown? Maybe Docker bridge?
		74	192.168.255.0/24;
		75
		76	// Pomona ARIN
		77	23.149.16.0/24;
		78	2602:0803:4000::/40;
		79
		80	// AWS
		81	2600:1f14:f39:e000::/56;
		82	2600:1f16:33:500::/56;
		83	2a05:d01c:7ba:b800::/56;
		84	};
		85
		86	include "/etc/bind/local/named.conf";