A planned third option, external, will disable all automatic signing and allow DNSSEC data to be submitted into a zone via dynamic update; this is not yet implemented.

The nta-lifetime option specifies the default lifetime, in seconds, for negative trust anchors added via rndc nta. A negative trust anchor (NTA) selectively disables DNSSEC validation for zones that are known to be failing because of misconfiguration rather than an attack. When data to be validated is at or below an active NTA (and above any other configured trust anchors), named aborts the DNSSEC validation process and treats the data as insecure rather than bogus. NTAs persist across named restarts. The option also accepts ISO 8601 duration formats. It cannot be longer than a week.

The nta-recheck option specifies how often to check whether negative trust anchors added via rndc nta are still necessary. A negative trust anchor is normally used when a domain has stopped validating due to operator error; it temporarily disables DNSSEC validation for that domain. To ensure that DNSSEC validation is turned back on as soon as possible, named periodically sends a query to the domain, ignoring negative trust anchors, to find out whether it can now be validated. If so, the negative trust anchor is allowed to expire early. Validity checks can be disabled for an individual NTA by using rndc nta -f, or for all NTAs by setting nta-recheck to zero. For convenience, TTL-style time unit suffixes can be used to specify the recheck interval in seconds, minutes, or hours. The default is five minutes. It cannot be longer than nta-lifetime, which in turn cannot be longer than a week.

The max-zone-ttl option specifies a maximum permissible TTL value in seconds. For convenience, TTL-style time unit suffixes may be used to specify the maximum value. When loading a zone file using a masterfile-format of text or raw, any record encountered with a TTL higher than max-zone-ttl causes the zone to be rejected, so the option guarantees that the largest TTL in the zone is no higher than the set value. NOTE: Because map-format files load directly into memory, this option cannot be used with them. The default value is unlimited. A max-zone-ttl of zero is treated as unlimited.

The stale-answer-ttl option specifies the TTL to be returned on stale answers. The default is 1 second; the minimum allowed is also 1 second, and a value of 0 is silently updated to 1 second. For stale answers to be returned, they must be enabled, either in the configuration file using stale-answer-enable or at runtime via rndc serve-stale on.
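As an added example (not from the BIND documentation), here is a resolver configuration that uses the options above together with dnssec-validation, which they depend on; the acl prefixes, the directory, the zone name and the chosen values are assumptions:

```conf
// Added example, not from the BIND ARM.  The "internal" prefixes, the
// directory, the zone name and the chosen values are assumptions.
acl "internal" { 127.0.0.0/8; 10.0.0.0/8; };

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };

    // An NTA only switches validation OFF for one subtree, so it is
    // meaningless unless validation is on in the first place.
    dnssec-validation auto;

    // Upper bound for "rndc nta": an NTA is a temporary exception for a
    // misconfigured domain, not a permanent bypass, so keep it short.
    nta-lifetime 1h;        // hard maximum is 1w; ISO 8601 durations are also accepted
    nta-recheck 5m;         // probe the domain this often; expire the NTA early once it validates

    // Serve expired cache entries while upstream is unreachable, but only
    // with a short TTL so clients re-ask soon after recovery.
    stale-answer-enable yes;
    stale-answer-ttl 30;    // seconds; 0 is silently raised to the minimum of 1
};

// A text/raw zone is rejected at load time if any record's TTL exceeds
// max-zone-ttl, which bounds how long a bad record can survive in caches.
// (Not usable with masterfile-format map.)
zone "example.net" {
    type primary;
    file "db.example.net";
    masterfile-format text;
    max-zone-ttl 1d;        // default unlimited; 0 also means unlimited
};
```

Day-to-day use: `rndc nta -lifetime 30m broken.example` adds an NTA whose lifetime is capped by nta-lifetime, `rndc nta -force broken.example` adds one that is not rechecked, `rndc nta -remove broken.example` drops it early, and `rndc nta -dump` lists the active ones. `rndc serve-stale on` and `rndc serve-stale off` override stale-answer-enable at runtime, and an `off` set this way is not undone by a reload, only by `rndc serve-stale on` or a restart.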
The serial-update-method option: Zones configured for dynamic DNS may use this option to set the update method used for the zone serial number in the SOA record. With the default setting of serial-update-method increment;, the SOA serial number is incremented by one each time the zone is updated. When set to serial-update-method unixtime;, the SOA serial number is set to the number of seconds since the Unix epoch, unless the serial number is already greater than or equal to that value, in which case it is simply incremented by one.

The zone-statistics option: If full, the server collects statistical data on all zones, unless specifically turned off on a per-zone basis by specifying zone-statistics terse or zone-statistics none in the zone statement. The default is terse, providing minimal statistics on zones (including name and current serial number, but not query type counters). These statistics may be accessed via the statistics-channel or using rndc stats, which dumps them to the file listed in the statistics-file option. See also The Statistics File. For backward compatibility with earlier versions of BIND 9, the zone-statistics option can also accept yes or no; yes has the same meaning as full. As of BIND 9.

The automatic-interface-scan option: If yes and supported by the operating system, this automatically rescans network interfaces when interface addresses are added or removed. The default is yes.
This option does not affect the time-based interface-interval option; it is recommended to set interface-interval to 0 once the operator has confirmed that automatic interface scanning is supported by the operating system. The automatic-interface-scan implementation uses routing sockets for network interface discovery, so the operating system must support routing sockets for this feature to work.

The allow-new-zones option: If yes, zones can be added at runtime via rndc addzone. The configuration information is saved in a file called viewname. Configurations for zones added at runtime are stored either in a new-zone file (NZF) or a new-zone database (NZD), depending on whether named was linked with liblmdb at compile time. See rndc - name server control utility for further details about rndc addzone.

The dialup option: If yes, the server treats all zones as if they are doing zone transfers across a dial-on-demand dialup link, which can be brought up by traffic originating from this server. Although this setting has different effects according to zone type, it concentrates the zone maintenance so that everything happens quickly, once every heartbeat-interval, ideally during a single call. It also suppresses some normal zone maintenance traffic. If specified in the view and zone statements, the dialup option overrides the global dialup option. This should trigger the zone serial number check in the secondary (provided it supports NOTIFY), allowing the secondary to verify the zone while the connection is active. Finer control can be achieved by using notify, which only sends NOTIFY messages; notify-passive, which sends NOTIFY messages and suppresses the normal refresh queries; refresh, which suppresses normal refresh processing and sends refresh queries when the heartbeat-interval expires; and passive, which just disables normal refresh processing.
The minimal-responses option controls the addition of records to the authority and additional sections of responses. Such records may be included in responses to be helpful to clients; for example, NS or MX records may have associated address records included in the additional section, obviating the need for a separate address lookup. However, adding these records to responses is not mandatory and requires additional database lookups, causing extra latency when marshalling responses. The default is no-auth-recursive.

The glue-cache option: When set to yes, a cache is used to improve query performance when adding address-type (A and AAAA) glue records to the additional section of DNS response messages that delegate to a child zone. The glue cache uses memory proportional to the number of delegations in the zone. The default setting is yes, which improves performance at the cost of increased memory usage for the zone.
To avoid this memory cost, set glue-cache to no.

The notify option: If yes (the default), NOTIFY messages are sent when a zone the server is authoritative for changes. If master-only, notifies are only sent for primary zones. If explicit, notifies are sent only to servers explicitly listed using also-notify. If no, no notifies are sent. The notify option may also be specified in the zone statement, in which case it overrides the options notify statement. It would only be necessary to turn off this option if it caused secondary zones to crash.

The require-server-cookie option: If yes, require a valid server cookie before sending a full response to a UDP request from a cookie-aware client. Setting this to yes results in a reduced amplification effect in a reflection attack, as the BADCOOKIE response is smaller than a full response, while also requiring a legitimate client to follow up with a second query carrying the new, valid cookie.

The answer-cookie option, which controls whether COOKIE EDNS options are returned in replies, can only be set at the global options level, not per-view. A mismatch between servers on the same address is not expected to cause operational problems, but the option to disable COOKIE responses so that all servers have the same behavior is provided out of an abundance of caution. The cookie is used by the server to determine whether the resolver has talked to it before. Resolvers which do not send a correct COOKIE option may be limited to receiving smaller responses via the nocookie-udp-size option.

The stale-answer-enable option: The default is not to return stale answers. Stale answers can also be enabled or disabled at runtime via rndc serve-stale on or rndc serve-stale off; these override the configured setting. Note that if stale answers have been disabled by rndc, they cannot be re-enabled by reloading or reconfiguring named; they must be re-enabled with rndc serve-stale on, or the server must be restarted. Information about stale answers is logged under the serve-stale log category.

The cookie-secret option: If not set, the system generates a random secret at startup. If there are multiple secrets specified, the first one listed in named. The others are only used to verify returned cookies.

The response-padding option: The EDNS Padding option is intended to improve confidentiality when DNS queries are sent over an encrypted channel by reducing the variability in packet sizes. If a query:. If these conditions are not met, the response is not padded. If block-size is 0 or the ACL is none;, this feature is disabled and no padding occurs; this is the default. If block-size is greater than the maximum, a warning is logged and the value is truncated to that maximum. Block sizes are ordinarily expected to be powers of two, but this is not mandatory.

The trust-anchor-telemetry option causes named to send specially formed queries once per day to domains for which trust anchors have been configured via, e. The key IDs for each domain are sorted smallest to largest prior to encoding. The query type is NULL. By monitoring these queries, zone operators are able to see which resolvers have been updated to trust a new key; this may help them decide when it is safe to remove an old one.

The match-mapped-addresses option: If yes, then an IPv4-mapped IPv6 address matches any address match list entries that match the corresponding IPv4 address.
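As an added example (not from the BIND documentation), the cookie, padding and telemetry settings described above in one options block; the acl for clients on an encrypted transport, the block size and the commented-out secrets are assumptions:

```conf
// Added example, not from the BIND ARM.  The "enc-clients" prefixes, the
// block size and the placeholder secrets are assumptions.
acl "enc-clients" { 192.0.2.0/24; 2001:db8::/32; };   // clients reached over DoT/DoH (assumed)

options {
    // Cookies in both roles: send one when we query upstream, return one
    // when we answer.  answer-cookie is global-only, not per view.
    send-cookie yes;
    answer-cookie yes;

    // Anti-amplification: a cookie-aware client that has not yet presented a
    // valid server cookie gets a small BADCOOKIE reply, not a full answer,
    // and must re-query with the cookie we just handed it.
    require-server-cookie yes;
    // Clients sending no (or a bad) COOKIE option only ever get UDP replies
    // up to this size; larger answers are truncated and retried over TCP.
    nocookie-udp-size 512;

    // Only needed when several servers share an anycast address and must
    // accept each other's cookies; otherwise let named pick a random secret
    // at startup.  The first secret generates, later ones only verify, which
    // is how a secret is rotated without invalidating outstanding cookies.
    // cookie-secret "0123456789abcdef0123456789abcdef";   // 128-bit hex, placeholder
    // cookie-secret "fedcba9876543210fedcba9876543210";   // previous secret, verify only

    // Pad responses only to clients on an encrypted channel: padding plain
    // UDP answers just burns bytes.  Only queries that themselves carried a
    // padding option and match the ACL are padded.  468 is the responder
    // block size recommended by RFC 8467; the maximum accepted is 512.
    response-padding { enc-clients; } block-size 468;

    // Opt out of the daily _ta-<keyids> NULL queries if upstream zone
    // operators should not be able to observe this resolver's trust anchors.
    trust-anchor-telemetry no;
};
```

A quick functional check is `dig +cookie @<server> example.com` twice: the first reply carries a server cookie (and, with require-server-cookie, BADCOOKIE for an unknown client cookie), the second is answered in full.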
This option was introduced to work around a kernel quirk in some operating systems that causes IPv4 TCP connections, such as zone transfers, to be accepted on an IPv6 socket using mapped addresses. This caused address match lists designed for IPv4 to fail to match. However, named now solves this problem internally. The use of this option is discouraged.

The ixfr-from-differences option: When yes and the server loads a new version of a primary zone from its zone file or receives a new version of a secondary zone via zone transfer, it compares the new version to the previous one and calculates a set of differences. By allowing incremental zone transfers to be used for non-dynamic zones, this option saves bandwidth at the expense of increased CPU and memory consumption at the primary server. In particular, if the new version of a zone is completely different from the previous one, the set of differences is of a size comparable to the combined size of the old and new zone versions, and the server needs to temporarily allocate memory to hold this complete difference set. It is off for all zones by default. Note: if inline signing is enabled for a zone, the user-provided ixfr-from-differences setting is ignored for that zone.

The auto-dnssec option: There are three possible settings:. The command rndc sign zonename causes named to load keys from the key repository and sign the zone with all keys that are active.
Note: once keys have been loaded for a zone the first time, the repository is searched for changes periodically, regardless of whether rndc loadkeys is used. The recheck interval is defined by dnssec-loadkeys-interval. The default setting is auto-dnssec off.

The dnssec-validation option: If set to yes, DNSSEC validation is enabled, but a trust anchor must be manually configured using a trust-anchors statement (or the managed-keys or trusted-keys statements, both deprecated). If there is no configured trust anchor, validation does not take place. If set to auto, validation is enabled and the built-in trust anchor for the root zone is used. The default is auto, unless BIND is built with configure --disable-auto-validation, in which case the default is yes. The default root trust anchor is stored in the file bind. A copy of the file is installed along with BIND 9 and is current as of the release date. If the root key expires, a new copy of bind. To prevent problems if bind. Relying on this is not recommended, however, as it requires named to be recompiled with a new key when the root key expires. The file cannot be used to store keys for other zones. The root key in bind.

The querylog option: Query logging provides a complete log of all incoming queries and all query errors. The querylog option specifies whether query logging should be active when named first starts. If querylog is not specified, query logging is determined by the presence of the logging category queries. Query logging can also be activated at runtime using the command rndc querylog on, or deactivated with rndc querylog off.
The check-names option: The default varies according to usage area. For primary zones the default is fail. For secondary zones the default is warn. For answers received from the network (response), the default is ignore.

The check-integrity option performs post-load zone integrity checks on primary zones. For MX and SRV records, only in-zone hostnames are checked (for out-of-zone hostnames use named-checkzone). For NS records, only names below top-of-zone are checked (for out-of-zone names and glue consistency checks use named-checkzone).

The check-spf option: Warnings are emitted if the TXT record does not exist; they can be suppressed with check-spf.

The update-check-ksk option: This is similar to the dnssec-signzone -z command line option. If there is any algorithm for which this requirement is not met, this option is ignored for that algorithm.

The dnssec-dnskey-kskonly option: This is similar to the dnssec-signzone -x command line option. If update-check-ksk is set to no, this option is ignored.

The dnssec-secure-to-insecure option allows a dynamic zone to transition from secure to insecure i. It is expected that this requirement will be eliminated in a future release. Note that if a zone has been configured with auto-dnssec maintain and the private keys remain accessible in the key repository, the zone will be automatically signed again the next time named is started.
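As an added example (not from the BIND documentation), a primary zone that combines the maintenance options covered above: serial-update-method, notify and also-notify, ixfr-from-differences, auto-dnssec with its key-loading interval, the check-* integrity options, querylog, and the secure-to-insecure guard. The zone name, addresses, key names, paths and the placeholder TSIG secrets are assumptions:

```conf
// Added example, not from the BIND ARM.  Zone name, addresses, key names,
// paths and the placeholder secrets are assumptions.
key "update-key" {              // generate real keys with: tsig-keygen update-key
    algorithm hmac-sha256;
    secret "dXBkYXRlLWtleS1wbGFjZWhvbGRlcg==";   // placeholder, replace
};
key "notify-key" {
    algorithm hmac-sha256;
    secret "bm90aWZ5LWtleS1wbGFjZWhvbGRlcg==";   // placeholder, replace
};

options {
    directory "/var/cache/bind";

    // Post-load integrity checks for primary zones; named-checkzone covers
    // the out-of-zone cases these deliberately skip.
    check-integrity yes;
    check-names primary fail;   // older releases spell this "master"
    check-names secondary warn;
    check-names response ignore;
    check-mx fail;              // MX target must be a hostname, never an address literal
    check-srv-cname fail;       // SRV target must not be a CNAME
    check-spf warn;             // SPF record present without the matching TXT record

    // NOTIFY only for zones we are primary for, and only to also-notify targets.
    notify master-only;
    // Produce IXFR deltas when a primary zone file is reloaded instead of
    // forcing secondaries into a full AXFR (ignored for inline-signed zones).
    ixfr-from-differences primary;   // older releases spell this "master"

    minimal-responses no-auth-recursive;
    glue-cache yes;
    querylog yes;               // switch off later with "rndc querylog off"

    // A signed dynamic zone must not silently go insecure because its keys
    // disappeared or an update stripped the DNSKEY RRset.
    dnssec-secure-to-insecure no;
    synth-from-dnssec no;       // the current default, made explicit
};

zone "example.com" {
    type primary;
    file "db.example.com";
    max-zone-ttl 1d;            // reject a zone containing any TTL above one day

    // TSIG-authenticated dynamic updates; the serial becomes the Unix time of
    // each update, or old serial + 1 if that would not increase it.
    allow-update { key "update-key"; };
    serial-update-method unixtime;

    // Automatic signing from key-directory; key changes are picked up every
    // dnssec-loadkeys-interval minutes without an "rndc loadkeys".
    auto-dnssec maintain;
    inline-signing yes;
    key-directory "/etc/bind/keys";
    dnssec-loadkeys-interval 60;
    update-check-ksk yes;       // honour the KSK flag (dnssec-signzone -z semantics)
    dnssec-dnskey-kskonly yes;  // only KSKs sign the DNSKEY RRset (dnssec-signzone -x)

    notify explicit;
    also-notify {
        192.0.2.2 port 5353 key "notify-key";   // stealth secondary on a non-standard port
        2001:db8::2 key "notify-key";
    };
    zone-statistics full;       // per-zone query-type counters via "rndc stats"
};
```

Validate with `named-checkconf -z` before reloading; with querylog on, every client query lands in the queries category, so pair it with a log channel that rotates.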
The default is no, but it will become yes again in future releases. This will also be controlled by synth-from-dnssec.

Forwarding: The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external name servers. It can also be used to allow queries by servers that do not have direct access to the Internet but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache. Forwarding can also be configured on a per-domain basis, allowing the global forwarding options to be overridden in a variety of ways.

The dual-stack-servers option: Dual-stack servers are used as servers of last resort, to work around problems in reachability due to the lack of support for either IPv4 or IPv6 on the host machine.
Access Control: Access to the server can be restricted based on the IP address of the requesting system.

The allow-notify option is only applicable for secondary zones i. If this option is set in view or options, it is globally applied to all secondary zones. If set in the zone statement, the global value is overridden.

The allow-query option specifies which hosts are allowed to ask ordinary DNS questions. If not specified, the default is to allow queries from all hosts.

The allow-query-on option specifies which local addresses can accept ordinary DNS questions. Note that allow-query-on is only checked for queries that are permitted by allow-query; a query must be allowed by both ACLs, or it is refused.

The allow-update option: When set in the zone statement for a primary zone, this specifies which hosts are allowed to submit Dynamic DNS updates to that zone. The default is to deny updates from all hosts. In general this option should only be set at the zone level; while a default value can be set at the options or view level and inherited by zones, this could lead to some zones unintentionally allowing updates.

The allow-update-forwarding option: When set in the zone statement for a secondary zone, this specifies which hosts are allowed to submit Dynamic DNS updates and have them forwarded to the primary. Note that enabling update forwarding on a secondary server may expose primary servers to attacks if they rely on insecure IP-address-based access control; see Dynamic Update Security for more details. While a default value can be set at the options or view level and inherited by zones, this can lead to some zones unintentionally forwarding updates.
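As an added example (not from the BIND documentation), the allow-query / allow-query-on pairing and the allow-update / allow-update-forwarding chain across a primary and a secondary, with the inherited-global pitfall shown commented out. The prefixes, addresses, zone name, key names and placeholder secrets are assumptions:

```conf
// Added example, not from the BIND ARM.  Prefixes, addresses, zone name,
// key names and the placeholder secrets are assumptions.
// An acl must be defined before its first use; forward references fail.
acl "internal"    { 10.0.0.0/8; localhost; };

key "xfer-key"   { algorithm hmac-sha256; secret "eGZlci1rZXktcGxhY2Vob2xkZXI="; };   // placeholder
key "update-key" { algorithm hmac-sha256; secret "dXBkYXRlLWtleS1wbGFjZWhvbGRlcg=="; }; // placeholder

// ---- ns1, the primary (/etc/named.conf on that host) ----------------------
options {
    recursion no;                          // authoritative only

    // WEAK: a global allow-update is inherited by every zone in every view,
    // including zones that were never meant to be dynamic.  Keep it at none
    // and grant updates per zone.
    // allow-update { internal; };
    allow-update { none; };
    allow-update-forwarding { none; };

    allow-query { any; };                  // authoritative data is public ...
    allow-query-on { 192.0.2.1; 2001:db8::1; };  // ... but only via the service addresses;
                                           // a query must pass allow-query AND allow-query-on
    allow-transfer { none; };              // granted per zone below
};

zone "example.com" {
    type primary;
    file "db.example.com";
    allow-transfer { key "xfer-key"; };
    // TSIG, not addresses: UDP sources are spoofable, and updates relayed by
    // ns2 arrive from ns2's address, so an address-based list here would let
    // anyone who can reach ns2 modify the zone.
    allow-update { key "update-key"; };
};

// ---- ns2, the secondary (a separate named.conf on that host) -----------------
zone "example.com" {
    type secondary;
    primaries { 192.0.2.1 key "xfer-key"; };   // older releases: masters { ... };
    file "sec/db.example.com";
    // Accept updates from internal clients and relay them to ns1 unchanged.
    // Safe only because ns1 checks the TSIG on the forwarded message, so the
    // client must still sign with update-key; ns2's own address buys nothing.
    allow-update-forwarding { internal; };
};
```

Check the chain with `nsupdate -k update-key.key` pointed at ns2: an unsigned update is forwarded and refused by ns1, a signed one is applied and flows back via NOTIFY and IXFR.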
The no-case-compress option specifies a list of addresses which require responses to use case-sensitive compression. This ACL can be used when named needs to work with clients that do not comply with the requirement in RFC to use case-insensitive name comparisons when checking for matching domain names. If left undefined, the ACL defaults to none: case-insensitive compression is used for all clients. If the ACL is defined and matches a client, then names are only compressed against an earlier occurrence whose case matches exactly, in the responses sent to that client. This also ensures that the case of the query name exactly matches the case of the owner names of returned records, rather than matching the case of the records entered in the zone file, which is required by some clients due to incorrect use of case-sensitive comparisons. There are circumstances in which named does not preserve the case of owner names of records: if a zone file defines records of different types with the same name, but the capitalization of the name is different e. This limitation may be addressed in a future release. However, domain names specified in the rdata of resource records i.

The resolver-query-timeout option is the amount of time in milliseconds that the resolver spends attempting to resolve a recursive query before failing. The default and minimum is and the maximum is Setting it to 0 results in the default being used. This value was originally specified in seconds. Values less than or equal to are treated as seconds and converted to milliseconds before applying the above limits.
Interfaces: The interfaces and ports that the server answers queries from may be specified using the listen-on option. IPv6 addresses in a listen-on list are ignored, with a logged warning. The server listens on all interfaces allowed by the address match list. If a port is not specified, port 53 is used. Multiple listen-on statements are allowed. For example,. If no listen-on is specified, the server listens on port 53 on all IPv4 interfaces.

The listen-on-v6 option is used to specify the interfaces and the ports on which the server listens for incoming queries sent using IPv6. If not specified, the server listens on port 53 on all IPv6 interfaces. Multiple listen-on-v6 options can be used.

Query Address: If the server does not know the answer to a question, it queries other name servers. The query-source option specifies the address and port used for such queries. For queries sent over IPv6, there is a separate query-source-v6 option. The port range(s) are specified in the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) options, excluding the ranges specified in the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively. The defaults of the query-source and query-source-v6 options are:. If such an interface is available, named uses the corresponding system default range; otherwise, it uses its own defaults:. Make sure the ranges are sufficiently large for security. A desirable size depends on various parameters, but we generally recommend it contain at least ports (14 bits of entropy). Explicit configuration of use-v4-udp-ports and use-v6-udp-ports is encouraged, so that the ranges are sufficiently large and reasonably independent from the ranges used by other applications.

The operational environment where named runs may prohibit the use of some ports. For example, Unix systems do not allow named, if run without root privilege, to use ports less than If such ports are included in the specified or detected set of query ports, the corresponding query attempts will fail, resulting in resolution failures or delay. It is therefore important to configure the set of ports that can be safely used in the expected operational environment. The defaults of the avoid-v4-udp-ports and avoid-v6-udp-ports options are:. BIND 9.

For the same reason, it is strongly discouraged to specify a particular port for the query-source or query-source-v6 options; doing so implicitly disables the use of randomized port numbers, and port randomization is what makes an off-path attacker's guess of the source port expensive. TCP queries always use a random unprivileged port.
Solaris 2. See also transfer-source and notify-source.

Zone Transfers: BIND has mechanisms in place to facilitate zone transfers and set limits on the amount of load that transfers place on the system. The following options apply to zone transfers.

The also-notify option defines a global list of IP addresses of name servers that are also sent NOTIFY messages whenever a fresh copy of the zone is loaded, in addition to the servers listed in the zone NS records. This helps to ensure that copies of the zones quickly converge on stealth servers. Optionally, a port may be specified with each also-notify address to send the notify messages to a port other than the default of 53. An optional TSIG key can also be specified with each address to cause the notify messages to be signed; this can be useful when sending notifies to multiple views. In place of explicit addresses, one or more named masters lists can be used. If an also-notify list is given in a zone statement, it overrides the options also-notify statement. The default is the empty list (no global notification list).

The transfer-message-size option is an upper bound on the uncompressed size of DNS messages used in zone transfers over TCP. If a message grows larger than this size, additional messages are used to complete the zone transfer. Note, however, that this is a hint, not a hard limit; if a message contains a single resource record whose RDATA does not fit within the size limit, a larger message is permitted so the record can be transferred. Valid values are between and octets; any values outside that range are adjusted to the nearest value within it. The default is , which was selected to improve message compression; most DNS messages of this size will compress to less than bytes. Larger messages cannot be compressed as effectively, because is the largest permissible compression offset pointer in a DNS message. This option is mainly intended for server testing; there is rarely any benefit in setting a value other than the default.

The transfer-source option determines which local address is bound to IPv4 TCP connections used to fetch zones transferred inbound by the server. It also determines the source IPv4 address, and optionally the UDP port, used for the refresh queries and forwarded dynamic updates. This statement sets the transfer-source for all zones, but can be overridden on a per-view or per-zone basis by including a transfer-source statement within the view or zone block in the configuration file.

The alt-transfer-source option indicates an alternate transfer source if the one listed in transfer-source fails and use-alt-transfer-source is set. To avoid using the alternate transfer source, set use-alt-transfer-source appropriately and do not depend upon getting an answer back to the first refresh query.

The notify-source option determines which local source address, and optionally UDP port, is used to send NOTIFY messages. This statement sets the notify-source for all zones, but can be overridden on a per-zone or per-view basis by including a notify-source statement within the zone or view block in the configuration file.

UDP Port Lists: use-v4-udp-ports, avoid-v4-udp-ports, use-v6-udp-ports, and avoid-v6-udp-ports specify lists of IPv4 and IPv6 UDP ports that are or are not used as source ports for UDP messages. See Query Address for how the available ports are determined. For example, with the following configuration:. UDP ports of IPv6 messages sent from named are in one of the following ranges: to , to , and to . Note: the desired range can also be represented only with use-v4-udp-ports and use-v6-udp-ports, and the avoid- options are redundant in that sense; they are provided for backward compatibility and to possibly simplify the port specification.
Operating System Resource Limits: Scaled values are allowed when specifying resource limits. For example, 1G can be used to specify a limit of one gigabyte instead of spelling out the byte count. The following options set operating system resource limits for the name server process. Some operating systems do not support some or any of the limits; on such systems, a warning is issued if an unsupported limit is used.

The max-journal-size option sets a maximum size for each journal file. When the journal file approaches the specified size, some of the oldest transactions in the journal are automatically removed. The largest permitted value is 2 gigabytes. Very small values are rounded up to bytes. It is possible to specify unlimited, which also means 2 gigabytes. If the limit is set to default or left unset, the journal is allowed to grow up to twice as large as the zone. There is little benefit in storing larger journals.

The recursive-clients option sets the maximum number ("hard quota") of simultaneous recursive lookups the server performs on behalf of clients. The default is Because each recursing client uses a fair bit of memory (on the order of 20 kilobytes), the value of the recursive-clients option may have to be decreased on hosts with limited memory. A "soft quota" is also set; when this lower quota is exceeded, incoming requests are accepted, but for each one, a pending request is dropped.

The clients-per-query and max-clients-per-query options set the initial (minimum) and maximum number of simultaneous recursive clients for any given query that the server accepts before dropping additional clients. The default for clients-per-query is 10. This value should reflect how many queries come in for a given name in the time it takes to resolve that name. If the number of queries exceeds this value, named assumes that it is dealing with a non-responsive zone and drops additional queries. If it gets a response after dropping queries, it raises the estimate. The estimate is then lowered in 20 minutes if it has remained unchanged. If clients-per-query is set to zero, there is no limit on the number of clients per query and no queries are dropped. If max-clients-per-query is set to zero, there is no upper bound other than that imposed by recursive-clients.

The fetches-per-zone option sets the maximum number of simultaneous iterative queries to any one domain that the server permits before blocking new queries for data in or beneath that zone.
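As an added example (not from the BIND documentation), an options block covering the listener, query-source, transfer/notify source, UDP port list and resource-limit options described above, with the fixed-source-port mistake shown commented out. The addresses are assumptions and the port ranges and limits are illustrative:

```conf
// Added example, not from the BIND ARM.  Addresses are assumptions; the
// port ranges and limit values are illustrative, not recommended defaults.
options {
    listen-on port 53 { 192.0.2.1; 127.0.0.1; };
    listen-on-v6 { 2001:db8::1; };
    automatic-interface-scan yes;
    interface-interval 0;               // routing-socket scanning makes the timer redundant

    // WEAK: a fixed source port turns off port randomization, so an off-path
    // attacker only has to guess the 16-bit transaction ID.
    // query-source address 192.0.2.1 port 53;
    query-source address 192.0.2.1;     // address only; the port comes from the ranges below
    query-source-v6 address 2001:db8::1;
    // An unprivileged named cannot bind ports below 1024, so start there:
    // 64512 ports, well above the 14-bit minimum the text recommends.
    use-v4-udp-ports   { range 1024 65535; };
    use-v6-udp-ports   { range 1024 65535; };
    // Carve out ports other local services bind (constructed values).
    avoid-v4-udp-ports { range 4000 4100; 8080; };
    avoid-v6-udp-ports { range 4000 4100; };

    // Pin zone-maintenance traffic to one address per family so secondaries'
    // ACLs and firewall rules can match it; no silent fallback address.
    transfer-source 192.0.2.1;
    transfer-source-v6 2001:db8::1;
    notify-source 192.0.2.1;
    notify-source-v6 2001:db8::1;
    use-alt-transfer-source no;

    // Load limits.  Each pending recursive client costs ~20 KB, so size
    // recursive-clients to memory; the per-name limits stop a flood of
    // queries for one unresponsive name from eating the whole quota.
    max-journal-size 2M;                // bounded journal per dynamic zone
    recursive-clients 1000;
    clients-per-query 10;               // start dropping duplicates for a name here ...
    max-clients-per-query 100;          // ... and never queue more than this many
    fetches-per-zone 200;               // concurrent iterative queries into any one zone
    fetches-per-server 500;             // and to any one authoritative server
    tcp-clients 150;
};
```

After a reload, `rndc status` reports the recursive-client usage against the quota, and `ss -lunp` (or `netstat -an`) confirms that the outbound UDP sockets sit inside the configured ranges rather than on a single port.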
ADDR Examples: db.

Logging specifications. Selectively applied options for a set of zones, rather than to all zones.

acl: The address match list designates one or more IP addresses (dotted-decimal notation) or IP prefixes (dotted-decimal notation followed with a slash and the number of bits in the netmask). The named IP address match list must be defined by an acl statement before it can be used elsewhere; no forward references are allowed.

include: Use include to break up the configuration into more easily managed chunks.

server: See the server statement. Selectively applies options on a per-server basis, rather than to all servers.

zone: Selectively applies options on a per-zone basis, rather than to all zones.

Note - In Solaris 7, the named.

The hosts File: The hosts file contains all the data about the machines in the local zone.

This file establishes the names of root servers and lists their addresses.

Generic: db.

An important part of managing server configuration and infrastructure includes maintaining an easy way to look up network interfaces and IP addresses by name, by setting up a proper Domain Name System (DNS).
Using fully qualified domain names (FQDNs) instead of IP addresses to specify network addresses eases the configuration of services and applications and increases the maintainability of configuration files. Setting up your own DNS for your private network is a great way to improve the management of your servers. It provides a central way to manage your internal hostnames and private IP addresses, which is indispensable once your environment expands beyond a few hosts.

The CentOS version of this tutorial can be found here. Refer to the following table for the relevant details:

Note: Your existing setup will be different, but the example names and IP addresses are used to demonstrate how to configure a DNS server that provides a functioning internal DNS. You should be able to adapt this setup to your own environment by replacing the host names and private IP addresses with your own. If you use multiple datacenters, you can set up an internal DNS within each datacenter.

By the end of this tutorial, we will have a primary DNS server, ns1, and optionally a secondary DNS server, ns2, which will serve as a backup.

Note: Text that is highlighted in red is important! It will often be used to denote something that needs to be replaced with your own settings, or that should be modified or added to a configuration file. For example, if you see something like host1.

On both servers, edit the bind9 service parameters file:

We will start by configuring the options file. This is where we will define the list of clients that we will allow recursive DNS queries from i. Using our example private IP addresses, we will add ns1, ns2, host1, and host2 to our list of trusted clients:

Now that we have our list of trusted DNS clients, we will edit the options block. Currently, the start of the block looks like the following:

Below the directory directive, add the highlighted configuration lines and substitute in the proper ns1 IP address so it looks something like this:

Now save and exit named. Aside from a few comments, the file should be empty. Here, we will specify our forward and reverse zones. Assuming that our private subnet is

It also specifies the zones over which the server has authority and which data files it should read to get its initial data.
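As an added example (not the tutorial's own files), the two configuration files the steps above produce on ns1, plus the matching secondary declarations for ns2. The hostnames follow the tutorial; the 10.128.0.0/16 subnet, the four host addresses, the zone name nyc3.example.com and the upstream forwarder addresses are constructed placeholders:

```conf
// Added example, not from the tutorial.  Subnet, host addresses, zone name
// and forwarder addresses are constructed placeholders; replace them.

// ---- /etc/bind/named.conf.options on ns1 ----------------------------------
acl "trusted" {
    10.128.10.11;    // ns1
    10.128.10.12;    // ns2
    10.128.100.101;  // host1
    10.128.200.102;  // host2
};

options {
    directory "/var/cache/bind";

    recursion yes;                  // ns1 is the caching resolver for the private network
    allow-query { trusted; };       // everyone else is REFUSED, which also bounds recursion
    listen-on { 10.128.10.11; };    // private interface only, never the public one
    listen-on-v6 { none; };
    allow-transfer { none; };       // granted per zone to ns2 below

    forwarders {                    // upstream resolvers for everything we are not authoritative for
        192.0.2.53;                 // placeholder
        198.51.100.53;              // placeholder
    };
    dnssec-validation auto;
};

// ---- /etc/bind/named.conf.local on ns1 -------------------------------------
zone "nyc3.example.com" {                      // forward zone
    type primary;
    file "/etc/bind/zones/db.nyc3.example.com";
    allow-transfer { 10.128.10.12; };          // ns2 only
    also-notify { 10.128.10.12; };
};

zone "128.10.in-addr.arpa" {                   // reverse zone for 10.128.0.0/16
    type primary;
    file "/etc/bind/zones/db.10.128";
    allow-transfer { 10.128.10.12; };
    also-notify { 10.128.10.12; };
};

// ---- /etc/bind/named.conf.local on ns2 (secondary) ---------------------------
// ns2 reuses the same named.conf.options (with listen-on { 10.128.10.12; })
// and pulls both zones from ns1:
// zone "nyc3.example.com"    { type secondary; file "db.nyc3.example.com"; primaries { 10.128.10.11; }; };
// zone "128.10.in-addr.arpa" { type secondary; file "db.10.128";           primaries { 10.128.10.11; }; };
```

Run `named-checkconf -z` on each server after the zone files exist, then from host1 try `dig @10.128.10.11 host2.nyc3.example.com` and `dig @10.128.10.11 -x 10.128.200.102`; a query from an address outside the trusted acl should come back REFUSED.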
The configuration file is read by in. The configuration file directs in. The named. Statements end with a semicolon.