7.2.1. Common Statement Types
The following types of statements are commonly used in /etc/named.conf:
7.2.1.1. acl Statement
The acl (Access Control List) statement defines groups of hosts which can then be permitted or denied access to the nameserver.
An acl statement takes the following form:
    acl <acl-name> {
        <match-element>;
        [<match-element>; ...]
    };
In this statement, replace <acl-name> with the name of the access control list and replace <match-element> with a semicolon-separated list of IP addresses. Most of the time, an individual IP address or CIDR network notation (such as 10.0.1.0/24) is used to identify the IP addresses within the acl statement.
The following access control lists are already defined as keywords to simplify configuration:
- any — Matches every IP address
- localhost — Matches any IP address in use by the local system
- localnets — Matches any IP address on any network to which the local system is connected
- none — Matches no IP addresses
When used in conjunction with other statements (such as the options statement), acl statements can be very useful in preventing the misuse of a BIND nameserver.
The following example defines two access control lists and uses an options statement to define how they are treated by the nameserver:
    acl black-hats {
        10.0.2.0/24;
        192.168.0.0/24;
        1234:5678::9abc/24;
    };
    acl red-hats {
        10.0.1.0/24;
    };
    options {
        blackhole { black-hats; };
        allow-query { red-hats; };
        allow-query-cache { red-hats; };
    };
This example contains two access control lists, black-hats and red-hats. Hosts in the black-hats list are denied access to the nameserver, while hosts in the red-hats list are given normal access.
7.2.1.2. include Statement
The include statement allows files to be included in a named.conf file. In this way, sensitive configuration data (such as keys) can be placed in a separate file with restrictive permissions.
An include statement takes the following form:
    include "<file-name>";
In this statement, <file-name> is replaced with an absolute path to a file.
7.2.1.3. options Statement
The options statement defines global server configuration options and sets defaults for other statements. It can be used to specify the location of the named working directory, the types of queries allowed, and much more.
The options statement takes the following form:
    options {
        <option>;
        [<option>; ...]
    };
In this statement, the <option> directives are replaced with valid options.
The following are commonly used options:
- allow-query
  Specifies which hosts are allowed to query this nameserver for authoritative RRs. By default, all hosts are allowed to query. An access control list, or a collection of IP addresses or networks, may be used here to allow only particular hosts to query the nameserver.
- allow-query-cache
  Similar to allow-query, this option applies to non-authoritative data, such as recursive queries. By default, only localhost; and localnets; are allowed to obtain non-authoritative data.
- blackhole
  Specifies which hosts are banned from the server. This option should be used when a particular host or network floods the server with requests. Default is none;
- directory
  Specifies the named working directory if different from the default value, /var/named/.
- forwarders
  Specifies a list of valid IP addresses for nameservers to which requests should be forwarded for resolution.
- forward
  Specifies the forwarding behavior of a forwarders directive. The following options are accepted:
  first — Specifies that the nameservers listed in the forwarders directive be queried before named attempts to resolve the name itself.
  only — Specifies that named does not attempt name resolution itself in the event that queries to the nameservers specified in the forwarders directive fail.
- listen-on
  Specifies the IPv4 network interface on which named listens for queries. By default, all IPv4 interfaces are used.
  Using this directive on a DNS server which also acts as a gateway, BIND can be configured to answer only queries that originate from one of the networks.
  The following is an example of a listen-on directive:
      options { listen-on { 10.0.1.1; }; };
  In this example, the server listens only on the 10.0.1.1 address.
- listen-on-v6
  Same as listen-on, except for IPv6 interfaces.
  The following is an example of a listen-on-v6 directive:
      options { listen-on-v6 { 1234:5678::9abc; }; };
  In this example, the server listens only on the 1234:5678::9abc address.
- max-cache-size
  Specifies the maximum amount of memory to use for server caches. When the amount of data in the cache reaches this limit, the server causes records to expire prematurely so that the limit is not exceeded. In a server with multiple views, the limit applies separately to the cache of each view. Default is 32M.
      options { max-cache-size 256M; };
- notify
  Controls whether named notifies the slave servers when a zone is updated. It accepts the following options:
  yes — Notifies slave servers.
  no — Does not notify slave servers.
  master-only — Sends a notify only when the server is the master server for the zone.
  explicit — Notifies only the slave servers specified in an also-notify list within a zone statement.
- pid-file
  Specifies the location of the process ID file created by named.
- recursion
  Specifies whether named acts as a recursive server. The default is yes.
      options { recursion no; };
- statistics-file
  Specifies an alternate location for statistics files. By default, named statistics are saved to the /var/named/named.stats file.
There are many other options also available, many of which rely upon one another to work properly. Refer to the BIND 9 Administrator Reference Manual referenced in Section 7.7.1, “Installed Documentation” and the named.conf man page for more details.
7.2.1.4. zone Statement
A zone statement defines the characteristics of a zone, such as the location of its configuration file and zone-specific options. This statement can be used to override the global options statements.
A zone statement takes the following form:
    zone <zone-name> <zone-class> {
        <zone-options>;
        [<zone-options>; ...]
    };
In this statement, <zone-name> is the name of the zone, <zone-class> is the optional class of the zone, and <zone-options> is a list of options characterizing the zone.
The <zone-name> attribute for the zone statement is particularly important. It is the default value assigned for the $ORIGIN directive used within the corresponding zone file located in the /var/named/ directory. The named daemon appends the name of the zone to any non-fully qualified domain name listed in the zone file.
For example, if a zone statement defines the namespace for example.com, use example.com as the <zone-name> so it is placed at the end of hostnames within the example.com zone file.
The most common zone statement options include the following:
- allow-query
  Specifies the clients that are allowed to request information about this zone. Setting this option overrides the global allow-query option. The default is to allow all query requests.
- allow-transfer
  Specifies the slave servers that are allowed to request a transfer of the zone's information. The default is to allow all transfer requests.
- allow-update
  Specifies the hosts that are allowed to dynamically update information in their zone. The default is to deny all dynamic update requests.
  Be careful when allowing hosts to update information about their zone. Do not set IP addresses in this option unless the server is in the trusted network. Use a TSIG key instead.
- file
  Specifies the name of the file in the named working directory that contains the zone's configuration data.
- masters
  Specifies the IP addresses from which to request authoritative zone information; it is used only if the zone is defined as type slave.
- notify
  Specifies whether or not named notifies the slave servers when a zone is updated. This option takes the same parameters as the global notify option.
- type
  Defines the type of zone. Below is a list of valid options:
  delegation-only — Enforces the delegation status of infrastructure zones such as COM, NET, or ORG. Any answer that is received without an explicit or implicit delegation is treated as NXDOMAIN. This option is only applicable in TLDs or root zone files used in recursive or caching implementations.
  forward — Forwards all requests for information about this zone to other nameservers.
  hint — A special type of zone used to point to the root nameservers which resolve queries when a zone is not otherwise known. No configuration beyond the default is necessary with a hint zone.
  master — Designates the nameserver as authoritative for this zone. A zone should be set as the master if the zone's configuration files reside on the system.
  slave — Designates the nameserver as a slave server for this zone. The master server is specified in the masters directive.
7.2.1.5. Sample zone Statements
Most changes to the /etc/named.conf file of a master or slave nameserver involve adding, modifying, or deleting zone statements. While these zone statements can contain many options, most nameservers require only a small subset to function efficiently. The following zone statements are very basic examples illustrating a master-slave nameserver relationship.
The following is an example of a zone statement for the primary nameserver hosting example.com (192.168.0.1):
    zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-transfer { 192.168.0.2; };
    };
In the statement, the zone is identified as example.com, the type is set to master, and the named service is instructed to read the /var/named/example.com.zone file. It also allows only the slave nameserver (192.168.0.2) to transfer the zone.
A slave server's zone statement for example.com is slightly different from the previous example. For a slave server, the type is set to slave and the masters directive tells named the IP address of the master server.
The following is an example slave server zone statement for the example.com zone:
    zone "example.com" {
        type slave;
        file "slaves/example.com.zone";
        masters { 192.168.0.1; };
    };
This zone statement configures named on the slave server to query the master server at the 192.168.0.1 IP address for information about the example.com zone. The information that the slave server receives from the master server is saved to the /var/named/slaves/example.com.zone file. Make sure you put all slave zones in the /var/named/slaves directory; otherwise named will fail to transfer the zone.
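As an added example (not part of this guide or of BIND itself), the following Python script parses small named.conf fragments and flags the settings that the options list, the zone option list and the master/slave samples above describe as risky: a recursive server whose allow-query-cache is any, a master zone whose allow-transfer is absent or any, and allow-update granted to addresses rather than a TSIG key. Both configurations, the key name update-key and the secret string are constructed placeholders, not values from any real server.

```python
import re
# Constructed named.conf fragments (not from a real server): OPEN_CONF has the
# weaknesses the options and zone sections warn about; SAFE_CONF applies their advice.
OPEN_CONF = """
options { recursion yes; allow-query { any; }; allow-query-cache { any; }; };
zone "example.com" IN { type master; file "example.com.zone";
    allow-transfer { any; }; allow-update { 192.168.0.50; }; };  // any host may pull or change the zone
"""
SAFE_CONF = """
key "update-key" { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64="; };
options { recursion yes; allow-query-cache { localnets; }; };
zone "example.com" IN { type master; file "example.com.zone";
    allow-transfer { 192.168.0.2; }; allow-update { key "update-key"; }; };
"""
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
def parse_block(tokens, pos=0):
    """Recursive descent: a statement is its token list; a { } block becomes a nested list."""
    stmts, cur = [], []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == "{":
            sub, pos = parse_block(tokens, pos)
            cur.append(sub)
        elif tok == "}":
            break
        elif tok == ";":
            stmts.append(cur)
            cur = []
        else:
            cur.append(tok.strip('"'))
    return stmts, pos
def acl(body, name):
    """First token of each entry in an option's { ...; } block, or [] if the option is absent."""
    return [s[0] for s in body.get(name, [[]])[0] if s]
def audit(text):
    """(scope, finding) pairs for the risky settings on this page; named ACLs are not expanded."""
    findings = []
    for stmt in parse_block(TOKEN.findall(re.sub(r"(//|#).*", "", text)))[0]:
        body = {s[0]: s[1:] for s in stmt[-1] if s} if isinstance(stmt[-1], list) else {}
        if stmt[0] == "options":
            if body.get("recursion", ["yes"])[0] == "yes" and "any" in acl(body, "allow-query-cache"):
                findings.append(("options", "open recursive resolver: allow-query-cache { any; } with recursion yes"))
        elif stmt[0] == "zone" and body.get("type") == ["master"]:
            if "any" in (acl(body, "allow-transfer") or ["any"]):  # page: default allows all transfers
                findings.append(("zone " + stmt[1], "zone transfer allowed from any host"))
            by_ip = [t for t in acl(body, "allow-update") if t not in ("key", "none")]
            if by_ip:
                findings.append(("zone " + stmt[1], "allow-update by address, not TSIG key: " + ", ".join(by_ip)))
    return findings
```

Running audit(OPEN_CONF) reports three findings while audit(SAFE_CONF) reports none; the checker reads only literal any entries, so an acl that itself expands to any is not caught.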