8/17/2016

/etc/named.conf

Red Hat Enterprise Linux 3: Reference Guide
Chapter 12. Berkeley Internet Name Domain (BIND)

12.2. /etc/named.conf

The named.conf file is a collection of statements using nested options surrounded by opening and closing brace characters, { }. Administrators must be careful when editing named.conf to avoid syntactical errors, as many seemingly minor errors will prevent the named service from starting.

Warning

Do not manually edit the /etc/named.conf file or any files in the /var/named/ directory if you are using the Domain Name Service Configuration Tool. Any manual changes to those files will be overwritten the next time the Domain Name Service Configuration Tool is used.

A typical named.conf file is organized similar to the following example:

    <statement-1> ["<statement-1-name>"] [<statement-1-class>] {
        <option-1>;
        <option-2>;
        <option-N>;
    };
    <statement-2> ["<statement-2-name>"] [<statement-2-class>] {
        <option-1>;
        <option-2>;
        <option-N>;
    };
    <statement-N> ["<statement-N-name>"] [<statement-N-class>] {
        <option-1>;
        <option-2>;
        <option-N>;
    };

12.2.1. Common Statement Types

The following types of statements are commonly used in /etc/named.conf:

12.2.1.1. acl Statement

The acl statement (or access control statement) defines groups of hosts which can then be permitted or denied access to the name server.

An acl statement takes the following form:

    acl <acl-name> {
        <match-element>;
        [<match-element>; ...]
    };

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-bind-namedconf.html

In this statement, replace <acl-name> with the name of the access control list and replace <match-element> with a semicolon-separated list of IP addresses. Most of the time, an individual IP address or IP network notation (such as 10.0.1.0/24) is used to identify the IP addresses within the acl statement.

The following access control lists are already defined as keywords to simplify configuration:

any
    Matches every IP address.
localhost
    Matches any IP address in use by the local system.
localnets
    Matches any IP address on any network to which the local system is connected.
none
    Matches no IP addresses.

When used in conjunction with other statements (such as the options statement), acl statements can be very useful in preventing the misuse of a BIND name server.

The following example defines two access control lists and uses an options statement to define how they are treated by the name server:

    acl black-hats {
        10.0.2.0/24;
        192.168.0.0/24;
    };

    acl red-hats {
        10.0.1.0/24;
    };

    options {
        blackhole { black-hats; };
        allow-query { red-hats; };
        allow-recursion { red-hats; };
    };

This example contains two access control lists, black-hats and red-hats. Hosts in the black-hats list are denied access to the name server, while hosts in the red-hats list are given normal access.

12.2.1.2. include Statement

The include statement allows files to be included in a named.conf file. This way sensitive configuration data (such as keys) can be placed in a separate file with restrictive permissions.

An include statement takes the following form:

    include "<file-name>";

In this statement, <file-name> is replaced with an absolute path to a file.

12.2.1.3. options Statement

The options statement defines global server configuration options and sets defaults for other statements. It can be used to specify the location of the named working directory, the types of queries allowed, and much more.

The options statement takes the following form:

    options {
        <option>;
        [<option>; ...]
    };

In this statement, the <option> directives are replaced with a valid option.

The following are commonly used options:

allow-query
    Specifies which hosts are allowed to query this name server. By default, all hosts are allowed to query. An access control list, or collection of IP addresses or networks, may be used here to only allow particular hosts to query the name server.
allow-recursion
    Similar to allow-query, this option applies to recursive queries. By default, all hosts are allowed to perform recursive queries on the name server.
blackhole
    Specifies which hosts are not allowed to query the server.
directory
    Specifies the named working directory if different from the default value, /var/named/.
forward
    Specifies the forwarding behavior of a forwarders directive. The following options are accepted:
    first
        Specifies that the name servers listed in the forwarders directive be queried before named attempts to resolve the name itself.
    only
        Specifies that named not attempt name resolution itself in the event queries to name servers specified in the forwarders directive fail.
forwarders
    Specifies a list of valid IP addresses for name servers where requests should be forwarded for resolution.
listen-on
    Specifies the network interface on which named listens for queries. By default, all interfaces are used.
    Using this directive on a DNS server which also acts as a gateway, BIND can be configured to only answer queries that originate from one of the networks.
    A listen-on directive looks like the following example:

        options {
            listen-on { 10.0.1.1; };
        };

    In this example, only requests that arrive from the network interface serving the private network (10.0.1.1) will be accepted.
notify
    Controls whether named notifies the slave servers when a zone is updated. It accepts the following options:

    yes
        Notifies slave servers.
    no
        Does not notify slave servers.
    explicit
        Only notifies slave servers specified in an also-notify list within a zone statement.
pid-file
    Specifies the location of the process ID file created by named.
statistics-file
    Specifies an alternate location for statistics files. By default, named statistics are saved to the /var/named/named.stats file.

Dozens of other options are also available, many of which rely upon one another to work properly. Refer to the BIND 9 Administrator Reference Manual referenced in Section 12.7.1 Installed Documentation and the bind.conf man page for more details.

12.2.1.4. zone Statement

A zone statement defines the characteristics of a zone, such as the location of its configuration file and zone-specific options. This statement can be used to override the global options statements.

A zone statement takes the following form:

    zone <zone-name> <zone-class> {
        <zone-options>;
        [<zone-options>; ...]
    };

In this statement, <zone-name> is the name of the zone, <zone-class> is the optional class of the zone, and <zone-options> is a list of options characterizing the zone.

The <zone-name> attribute for the zone statement is particularly important, as it is the default value assigned for the $ORIGIN directive used within the corresponding zone file located in the /var/named/ directory. The named daemon appends the name of the zone to any non-fully qualified domain name listed in the zone file.

For example, if a zone statement defines the namespace for example.com, use example.com as the <zone-name> so it is placed at the end of hostnames within the example.com zone file.

For more information about zone files, see Section 12.3 Zone Files.

The most common zone statement options include the following:

allow-query
    Specifies the clients that are allowed to request information about this zone. The default is to allow all query requests.
allow-transfer
    Specifies the slave servers that are allowed to request a transfer of the zone's information. The default is to allow all transfer requests.
allow-update
    Specifies the hosts that are allowed to dynamically update information in their zone. The default is to deny all dynamic update requests.
    Be careful when allowing hosts to update information about their zone. Do not enable this option unless the host specified is completely trusted. In general, it is better to have an administrator manually update the records for a zone and reload the named service.

file
    Specifies the name of the file in the named working directory that contains the zone's configuration data.
masters
    Specifies the IP addresses from which to request authoritative zone information and is used only if the zone is defined as type slave.
notify
    Specifies whether or not named notifies the slave servers when a zone is updated. This directive accepts the following options:
    yes
        Notifies slave servers.
    no
        Does not notify slave servers.
    explicit
        Only notifies slave servers specified in an also-notify list within a zone statement.
type
    Defines the type of zone. Below is a list of valid options:
    forward
        Forwards all requests for information about this zone to other name servers.
    hint
        A special type of zone used to point to the root name servers which resolve queries when a zone is not otherwise known. No configuration beyond the default is necessary with a hint zone.
    master
        Designates the name server as authoritative for this zone. A zone should be set as the master if the zone's configuration files reside on the system.
    slave
        Designates the name server as a slave server for this zone. Also specifies the IP address of the master name server for the zone.
zone-statistics
    Configures named to keep statistics concerning this zone, writing them to either the default location (/var/named/named.stats) or the file listed in the statistics-file option in the server statement. See Section 12.2.2 Other Statement Types for more information about the server statement.

12.2.1.5. Sample zone Statements

Most changes to the /etc/named.conf file of a master or slave name server involve adding, modifying, or deleting zone statements. While these zone statements can contain many options, most name servers require only a small subset to function efficiently. The following zone statements are very basic examples illustrating a master-slave name server relationship.

The following is an example of a zone statement for the primary name server hosting example.com (192.168.0.1):

    zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
    };

In the statement, the zone is identified as example.com, the type is set to master, and the named service is instructed to read the /var/named/example.com.zone file. It also tells named not to allow any other hosts to update.

A slave server's zone statement for example.com is slightly different from the previous example. For a slave server, the type is set to slave and in place of the allow-update line is a directive telling named the IP address of the master server.

The following is an example slave server zone statement for the example.com zone:

    zone "example.com" {
        type slave;
        file "example.com.zone";
        masters { 192.168.0.1; };
    };

This zone statement configures named on the slave server to query the master server at the 192.168.0.1 IP address for information about the example.com zone. The information the slave server receives from the master server is saved to the /var/named/example.com.zone file.

12.2.2. Other Statement Types

The following is a list of lesser-used statement types available within named.conf:

controls
    Configures various security requirements necessary to use the rndc command to administer the named service.
    Refer to Section 12.4.1 Configuring /etc/named.conf to learn more about how the controls statement is structured and about the options which are available.
key "<key-name>"
    Defines a particular key by name. Keys are used to authenticate various actions, such as secure updates or the use of the rndc command. Two options are used with key:
    algorithm <algorithm-name>
        The type of algorithm used, such as dsa or hmac-md5.
    secret "<key-value>"
        The encrypted key.
    Refer to Section 12.4.2 Configuring /etc/rndc.conf for instructions on how to write a key statement.
logging
    Allows for the use of multiple types of logs, called channels. By using the channel option within the logging statement, a customized type of log, with its own file name (file), size limit (size), versioning (version), and level of importance (severity), can be constructed. Once a customized channel has been defined, a category option is used to categorize the channel and begin logging when named is restarted.
    By default, named logs standard messages to the syslog daemon, which places them in /var/log/messages. This occurs because several standard channels are built into BIND with various severity levels, such as one that handles informational logging messages (default_syslog) and another that specifically handles debugging messages (default_debug). A default category, called default, uses the built-in channels to do normal logging without any special configuration.
    Customizing the logging process can be a very detailed process and is beyond the scope of this chapter. For information on creating custom BIND logs, see the BIND 9 Administrator Reference Manual referenced in Section 12.7.1 Installed Documentation.

server
    Specifies options that affect how named should respond to remote name servers, especially in regard to notifications and zone transfers.
    The transfer-format option controls whether one resource record is sent with each message (one-answer) or multiple resource records are sent with each message (many-answers). While many-answers is more efficient, only newer BIND name servers understand it.
trusted-keys
    Contains assorted public keys used for secure DNS (DNSSEC). See Section 12.5.3 Security for more information concerning BIND security.
view "<view-name>"
    Creates special views depending upon which network the host querying the name server is on. This allows some hosts to receive one answer regarding a zone while other hosts receive totally different information. Alternatively, certain zones may only be made available to particular trusted hosts while non-trusted hosts can only make queries for other zones.
    Multiple views may be used, but their names must be unique. The match-clients option specifies the IP addresses that apply to a particular view. Any options statements may also be used within a view, overriding the global options already configured for named. Most view statements contain multiple zone statements that apply to the match-clients list. The order in which view statements are listed is important, as the first view statement that matches a particular client's IP address is used.
    See Section 12.5.2 Multiple Views for more information about the view statement.

12.2.3. Comment Tags

The following is a list of valid comment tags used within named.conf:

//
    When placed at the beginning of a line, that line is ignored by named.
#
    When placed at the beginning of a line, that line is ignored by named.
/* and */
    When text is enclosed in these tags, the block of text is ignored by named.
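The statement grammar this section describes (brace blocks terminated by semicolons, the three comment forms of Section 12.2.3) and the permissive defaults it notes for allow-recursion, allow-transfer and allow-update can be checked mechanically. The following Python script is an added example written for this page, not Red Hat's or BIND's code; the configuration it checks is constructed for the example, and the parser covers only the subset of named.conf syntax shown on this page.

```python
import re
# Constructed sample (not from the guide): its acl/options example plus a master zone,
# with allow-recursion and allow-transfer deliberately left at their open defaults.
SAMPLE_CONF = """// global access lists
acl black-hats { 10.0.2.0/24; 192.168.0.0/24; };
acl red-hats { 10.0.1.0/24; };
options { blackhole { black-hats; }; allow-query { red-hats; }; };  # recursion not limited
/* master zone: updates are locked down, transfers are not */
zone "example.com" IN { type master; file "example.com.zone"; allow-update { none; }; };
"""
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')  # quoted string, punctuation, or word

def parse(text):
    """Return [(words, children)]: words precede a brace block; children are its statements or None."""
    text = re.sub(r"/\*.*?\*/|(//|#)[^\n]*", " ", text, flags=re.S)  # drop /* */, // and # comments
    tokens, pos = TOKEN_RE.findall(text), 0
    def block():
        nonlocal pos
        stmts, words, children = [], [], None
        while pos < len(tokens):
            tok, pos = tokens[pos], pos + 1
            if tok == "}":
                break
            if tok == "{":
                children = block()
            elif tok == ";":                  # ';' ends a statement, also the one after '}'
                if words:
                    stmts.append((words, children))
                words, children = [], None
            else:
                words.append(tok.strip('"'))
        return stmts
    return block()

def elements(children, name):
    """Match list of option `name` inside a block, or None when the option is unset."""
    return next(([w[0] for w, _ in sub] for w, sub in children if w[0] == name and sub is not None), None)

def audit(conf):
    """Flag the defaults the guide warns about: open recursion, transfers and updates."""
    findings = []
    for words, children in conf:
        if words[0] == "options":
            if (rec := elements(children, "allow-recursion")) is None or "any" in rec:
                findings.append("options: recursion open to any host (allow-recursion unset or any)")
        elif words[0] == "zone":
            if ["type", "master"] in [w for w, _ in children] and elements(children, "allow-transfer") is None:
                findings.append(f"zone {words[1]}: allow-transfer unset, any host may pull the zone")
            if (upd := elements(children, "allow-update")) and upd != ["none"]:
                findings.append(f"zone {words[1]}: dynamic updates allowed from {' '.join(upd)}")
    return findings
```

Running audit(parse(SAMPLE_CONF)) reports the open recursion and the open zone transfer; adding allow-recursion and allow-transfer lists restricted to the red-hats acl and the slave's address clears both findings.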