include "/etc/rndc.key"; controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { mykey; }; }; logging { channel "default" { syslog local1; severity info; }; category "default" { "default"; }; }; acl "trusted_networks" { 127.0.0.1; 212.85.158.144/28; }; // Enable statistics at http://127.0.0.1:5380/ statistics-channels { inet 127.0.0.1 port 5380 allow { 127.0.0.1; }; }; options { version ""; directory "/var/named"; dump-file "/var/tmp/named_dump.db"; pid-file "/var/run/named.pid"; statistics-file "/var/tmp/named.stats"; zone-statistics yes; // datasize 256M; coresize 100M; // fetch-glue no; // recursion no; // recursive-clients 10000; auth-nxdomain yes; query-source address * port *; listen-on port 53 { any; }; cleaning-interval 120; transfers-in 20; transfers-per-ns 2; lame-ttl 0; max-ncache-ttl 10800; // forwarders { first_public_nameserver_ip; second_public_nameserver_ip; }; // allow-update { none; }; // allow-transfer { any; }; // Prevent DoS attacks by generating bogus zone transfer // requests. This will result in slower updates to the // slave servers (e.g. they will await the poll interval // before checking for updates). notify no; // notify explicit; // also-notify { secondary_name_server }; // Generate more efficient zone transfers. This will place // multiple DNS records in a DNS message, instead of one per // DNS message. transfer-format many-answers; // Set the maximum zone transfer time to something more // reasonable. In this case, we state that any zone transfer // that takes longer than 60 minutes is unlikely to ever // complete. WARNING: If you have very large zone files, // adjust this to fit your requirements. max-transfer-time-in 60; // We have no dynamic interfaces, so BIND shouldn't need to // poll for interface state {UP|DOWN}. interface-interval 0; // Uncoment these to enable IPv6 connections support // IPv4 will still work // listen-on { none; }; // listen-on-v6 { any; }; // allow-query { trusted_networks; }; allow-transfer {"none";}; allow-recursion { trusted_networks; }; // Deny anything from the bogon networks as // detailed in the "bogon" ACL. // blackhole { bogon; }; }; zone "." IN { type hint; file "named.ca"; }; zone "localdomain" IN { type master; file "master/localdomain.zone"; allow-update { none; }; }; zone "localhost" IN { type master; file "master/localhost.zone"; allow-update { none; }; }; zone "0.0.127.in-addr.arpa" IN { type master; file "reverse/named.local"; allow-update { none; }; }; zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "reverse/named.ip6.local"; allow-update { none; }; }; zone "255.in-addr.arpa" IN { type master; file "reverse/named.broadcast"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "reverse/named.zero"; allow-update { none; }; };