// vi:ft=named noexpandtab

// Defines the "rndc-key" TSIG key that the controls block below requires for
// every rndc connection. NOTE(review): anyone who can read this file can drive
// rndc (reload, freeze, flush, stop); it should be readable only by root and
// the user named runs as -- confirm the file mode on the host.
include "/etc/bind/rndc.key";

//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys.  See https://www.isc.org/bind-keys
//========================================================================

options {
	directory "/etc/bind/local/zones";
	managed-keys-directory "/etc/bind/local/managed-keys";
	bindkeys-file "/etc/bind/bind.keys"; // Default is /etc/bind.keys :-(

	// Validation is disabled, so any answer this server resolves on behalf of
	// the allow-recursion clients below is NOT checked against DNSSEC
	// signatures. The stated reason (AWS resolvers returning bad signatures)
	// only applies if recursion is forwarded to them; no forwarders are set in
	// this file. NOTE(review): if recursion is not forwarded, "auto" should
	// work here -- confirm with named-checkconf and dig +dnssec before flipping.
	dnssec-validation no; // AWS resolvers return invalid zone signatures
	zone-statistics full; // Track full stats for prometheus export
	masterfile-format text; // Write zonefiles in text even for secondary zones
	auth-nxdomain no; // conform to RFC1035
	notify master-only; // don't send NOTIFY from secondaries

	// Do not answer the CHAOS-class version.bind / hostname.bind probes at
	// all ("none" disables them rather than returning a decoy string).
	version none;
	hostname none;

	// Cap UDP payloads so oversized (typically DNSSEC) responses are truncated
	// and the client retries over TCP instead of relying on IP fragmentation.
	// 1220 is the RFC 4035 minimum and sits safely under the 1232 the flag-day
	// post recommends (1280 IPv6 minimum MTU minus IPv6 and UDP headers).
	// see: https://blog.apnic.net/2020/09/17/dns-flag-day-2020-what-you-need-to-know/
	max-udp-size 1220;
	edns-udp-size 1220;

	// Allow more transfers at once to improve secondary convergence
	transfers-in 50;
	transfers-out 50;

	// Listen on every interface, v4 and v6. Nothing below is restricted by
	// bind address, so the ACLs are the only gate on recursion and transfers.
	listen-on { any; };
	listen-on-v6 { any; };

	// Any client may submit a DNS UPDATE for one of this server's secondary
	// zones and have it forwarded to that zone's primary. "any" is the form
	// ISC documents (partial lists are discouraged because the forwarder is
	// not meant to be the enforcement point), but it makes the PRIMARY's
	// policy the only control. NOTE(review): the primary's allow-update /
	// update-policy must be TSIG-key based, not an address list that trusts
	// this server's IPs -- otherwise this is an open update relay. Confirm
	// on the primary.
	allow-update-forwarding { any; };

	// Typically this ACL is empty but exists so that it can be populated
	// during an attack to block bad clients. Blackholed addresses get no
	// response at all and are never queried; the ACL itself is defined
	// outside this file.
	blackhole {
		blackhole-clients;
	};

	// NOTIFY is accepted only from sources matching these two ACLs, which are
	// defined outside this file (by their names, presumably TSIG key matches
	// rather than address lists -- verify in the included config).
	allow-notify {
		internal-keys;
		external-keys;
	};

	// Recursive service is limited to the internal-nets ACL below plus the
	// host itself; everyone else gets authoritative answers only. (BIND
	// defaults allow-query-cache to this same list when it is not set.)
	allow-recursion {
		internal-nets;
		localhost;
	};

	// Zone transfers are gated purely by source address via the same ACL.
	// NOTE(review): consider requiring a TSIG key here as well, since
	// internal-nets covers a whole RFC1918 /12 plus an unidentified range.
	allow-transfer {
		internal-nets;
		localhost;
	};
};

// HTTP statistics endpoint (feeds the prometheus export mentioned above).
// It has no authentication of its own: binding to loopback with
// allow { localhost; } is the entire access control, so anything sharing
// this host's network namespace can read zone and query statistics.
statistics-channels {
	inet 127.0.0.1 port 8053 allow { localhost; };
	inet ::1 port 8053 allow { localhost; };
};

// rndc control channel: loopback only, and every connection must be signed
// with "rndc-key" from /etc/bind/rndc.key (included at the top of this file).
// Both the address restriction and the key are required -- do not drop
// either to make remote administration easier.
controls {
	inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
	inet ::1 allow { localhost; } keys { "rndc-key"; };
};

// Sources trusted for BOTH recursion and zone transfers (see allow-recursion
// and allow-transfer in options). Matching is by source address only, so for
// the RFC1918 entries this relies on upstream anti-spoofing; the server
// listens on all interfaces, so a spoofed 172.16.x.x UDP query would
// otherwise be granted recursion.
acl internal-nets {
	// Internal RFC1918 (the entire /12, not just the subnets in use)
	172.16.0.0/12;

	// Unknown? Maybe Docker bridge?
	// NOTE(review): an unidentified range should not hold recursion and
	// AXFR rights; identify the owner of this /24 or remove it.
	192.168.255.0/24;

	// Pomona ARIN (public address space)
	23.149.16.0/24;
	2602:0803:4000::/40;

	// AWS (public IPv6 prefixes, one per region/VPC presumably)
	2600:1f14:f39:e000::/56;
	2600:1f16:33:500::/56;
	2a05:d01c:7ba:b800::/56;
};

// Site-specific configuration (zones, keys, forwarders if any). The ACLs
// referenced above but not defined in this file -- blackhole-clients,
// internal-keys, external-keys -- are presumably defined in here; named
// resolves ACL names across the whole configuration, so the include coming
// last is fine, but a typo in one of those names only surfaces at load time.
include "/etc/bind/local/named.conf";