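// Boot file for internal slave name server
//
// PLEASE REMEMBER TO TAKE A COPY OF THE OLD CONFIGURATION FILE BEFORE MODIFYING
//   sudo cp /etc/named.conf /var/named/old/named.conf.`date +%Y%m%d%H%M%S`
//
// Run named-checkconf on the edited file before reloading the server.

// Setup keys.
// The "key_rndc" key referenced by the controls statement below is
// expected to be defined in this included file.
include "/var/named/dnskeys.conf";

// Set up our ACLs

acl "xfer" {
    // Hosts allowed to perform zone transfers.
    // Every entry is currently commented out, so this ACL matches
    // nothing and allow-transfer { xfer; } below denies all transfers.
    // If we have other name servers, place them here.
    //
    // localnets;      // Allow localnet transfers.
    //
    // Note that in the Netherlands, for example,
    // the TLD servers 193.176.144.2 and 193.176.144.138
    // are allowed to perform zone transfers
    // from the domains under .nl.
    //
    // 10.17.4.7;      // Chris
};

acl "trusted" {
    // Place our internal and DMZ subnets in here so that
    // intranet and DMZ clients may send DNS queries. This
    // also prevents outside hosts from using our name server
    // as a resolver for other domains.
    localhost;          // All clients can ask
    10.17.0.0/18;       // New Office LAN
};

acl "bogon" {
    // Filter out the bogon networks. These are networks
    // listed by IANA as test, RFC1918, Multicast, experi-
    // mental, etc. If you see DNS queries or updates with
    // a source address within these networks, this is likely
    // of malicious origin. CAUTION: If you are using RFC1918
    // netblocks on your network, remove those netblocks from
    // this list of blackhole ACLs!
    //
    // NOTE(review): this list is a point-in-time snapshot. Many of the
    // /8 blocks below have since been allocated by IANA, and a stale
    // entry silently blackholes legitimate traffic. Re-check it against
    // the current IANA IPv4 address space registry before relying on it.
    0.0.0.0/8;
    1.0.0.0/8;
    2.0.0.0/8;
    // 10.0.0.0/8;     Internal net
    23.0.0.0/8;
    31.0.0.0/8;
    69.0.0.0/8;
    70.0.0.0/8;
    71.0.0.0/8;
    72.0.0.0/8;
    73.0.0.0/8;
    74.0.0.0/8;
    75.0.0.0/8;
    76.0.0.0/8;
    77.0.0.0/8;
    78.0.0.0/8;
    79.0.0.0/8;
    82.0.0.0/8;
    83.0.0.0/8;
    84.0.0.0/8;
    85.0.0.0/8;
    86.0.0.0/8;
    87.0.0.0/8;
    88.0.0.0/8;
    89.0.0.0/8;
    90.0.0.0/8;
    91.0.0.0/8;
    92.0.0.0/8;
    93.0.0.0/8;
    94.0.0.0/8;
    95.0.0.0/8;
    96.0.0.0/8;
    97.0.0.0/8;
    98.0.0.0/8;
    99.0.0.0/8;
    100.0.0.0/8;
    101.0.0.0/8;
    102.0.0.0/8;
    103.0.0.0/8;
    104.0.0.0/8;
    105.0.0.0/8;
    106.0.0.0/8;
    107.0.0.0/8;
    108.0.0.0/8;
    109.0.0.0/8;
    110.0.0.0/8;
    111.0.0.0/8;
    112.0.0.0/8;
    113.0.0.0/8;
    114.0.0.0/8;
    115.0.0.0/8;
    126.0.0.0/8;
    169.254.0.0/16;
    // 172.16.0.0/12;  Removed from the blackhole: the master for
    //                 gsm.example.com (172.25.1.6, see the zone below)
    //                 lives in this RFC1918 block. Blackholed addresses
    //                 are never answered, so at minimum its NOTIFYs were
    //                 being dropped and the slave could not stay in sync.
    191.255.0.0/16;
    192.0.2.0/24;
    192.168.0.0/16;
    198.18.0.0/16;
    201.0.0.0/8;
    223.255.255.0/24;
    224.0.0.0/3;
    240.0.0.0/4;
};

options {
    directory "/var/named";

    // Forward everything we are not authoritative for to the
    // upstream resolvers; never walk the tree from the roots ourselves.
    forward only;
    forwarders {
        // Placeholders: named will not load this file until these are
        // replaced with the real upstream resolver addresses.
        xxx.xxx.xxx.xxx;
        yyy.yyy.yyy.yyy;
    };

    // Pin outbound traffic to our address but leave the source port
    // unspecified. A fixed "port 53" disables source-port randomisation,
    // which makes forged answers to our own queries much easier to
    // inject into the cache.
    query-source address 10.17.4.7;
    transfer-source 10.17.4.7;

    allow-query {
        // Accept queries from our "trusted" ACL. We will not
        // allow anyone else to query our zones below.
        // This prevents us from becoming a free DNS server
        // to the masses.
        trusted;
    };

    allow-recursion {
        // Recursion (i.e. use of the forwarders and the cache) is for the
        // same trusted clients only. Stated explicitly so the behaviour
        // does not depend on the BIND version's default.
        trusted;
    };

    allow-transfer {
        // Zone transfers limited to members of the
        // "xfer" ACL.
        xfer;
    };

    blackhole {
        // Deny anything from the bogon networks as
        // detailed in the "bogon" ACL.
        bogon;
    };
};

logging {
    category lame-servers {
        null;
    };
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "key_rndc"; };
};

###################### LOCAL ZONES #########################

# Forward
zone "localhost" {
    type master;
    file "zone/local/localhost.zone";
};

# Reverse
zone "0.0.127.in-addr.arpa" {
    type master;
    file "zone/local/named.local";
};

###################### SLAVE ZONES ############################

### SLAVE zones start here

# Forward
zone "intra.example.com" {
    type slave;
    file "zone/slave/forward/intra.example.com.db";
    masters {
        10.17.4.8;
    };
};

zone "gsm.example.com" {
    type slave;
    file "zone/slave/forward/gsm.example.com.db";
    masters {
        // This master sits in 172.16.0.0/12; keep that block out of the
        // "bogon" blackhole ACL or transfers from it cannot work.
        172.25.1.6;
    };
};

# Reverse
zone "4.17.10.in-addr.arpa" {
    type slave;
    file "zone/slave/reverse/4.17.10.db";
    masters {
        10.17.4.8;
    };
};

zone "3.17.10.in-addr.arpa" {
    type slave;
    file "zone/slave/reverse/3.17.10.db";
    masters {
        10.17.3.7;
    };
};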