When the named service is started, it reads its configuration from the files described in Table 10.1, “The named service configuration files”.
Table 10.1. The named service configuration files

| Path | Description |
|---|---|
| /etc/named.conf | The main configuration file. |
| /etc/named/ | An auxiliary directory for configuration files that are included in the main configuration file. |
The configuration file consists of a collection of statements with nested options surrounded by opening and closing curly brackets ({ and }). Be careful not to introduce a syntax error when editing the file, otherwise the named service will not start (named-checkconf reports such errors before a restart). A typical /etc/named.conf file is organized as follows:

```
statement-1 ["statement-1-name"] [statement-1-class] {
  option-1;
  option-2;
  option-N;
};
statement-2 ["statement-2-name"] [statement-2-class] {
  option-1;
  option-2;
  option-N;
};
statement-N ["statement-N-name"] [statement-N-class] {
  option-1;
  option-2;
  option-N;
};
```
If the named service runs in the /var/named/chroot environment, the initialization script mounts the above configuration files into that environment using the mount --bind command, so that you can manage the configuration outside the chroot.

The following types of statements are commonly used in /etc/named.conf:
The acl (Access Control List) statement allows you to define groups of hosts, so that they can be permitted or denied access to the nameserver. It takes the following form:

```
acl acl-name {
  match-element;
  ...
};
```

The acl-name statement name is the name of the access control list, and the match-element option is usually an individual IP address (such as 10.0.1.1) or a network in CIDR notation (for example, 10.0.1.0/24). An element can also be the name of another access control list, or can be negated with a leading ! to exclude a range from a broader match. For a list of already defined keywords, see Table 10.2, “Predefined access control lists”.
Table 10.2. Predefined access control lists

| Keyword | Description |
|---|---|
| any | Matches every IP address. |
| localhost | Matches any IP address that is in use by the local system. |
| localnets | Matches any IP address on any network to which the local system is connected. |
| none | Does not match any IP address. |
The acl statement is especially useful in conjunction with other statements such as options. Example 10.2, “Using acl in conjunction with options”, defines two access control lists, black-hats and red-hats, blackholes black-hats, and grants red-hats normal access.

Example 10.2. Using acl in conjunction with options

```
acl black-hats {
  10.0.2.0/24;
  192.168.0.0/24;
  1234:5678::9abc/24;
};
acl red-hats {
  10.0.1.0/24;
};
options {
  blackhole { black-hats; };
  allow-query { red-hats; };
  allow-query-cache { red-hats; };
};
```

The include statement allows you to include files in /etc/named.conf, so that potentially sensitive data can be placed in a separate file with restricted permissions. TSIG keys, for example, belong in a file readable only by root and the named user rather than in the world-readable main configuration file. It takes the following form:

```
include "file-name";
```

The file-name statement name is an absolute path to a file. For example, to include /etc/named.rfc1912.zones:

```
include "/etc/named.rfc1912.zones";
```
The options statement allows you to define global server configuration options as well as to set defaults for other statements. It can be used to specify the location of the named working directory, the types of queries allowed, and much more. It takes the following form:

```
options {
  option;
  ...
};
```

For a list of commonly used option directives, see Table 10.3, “Commonly used options” below.
Table 10.3. Commonly used options

| Option | Description |
|---|---|
| allow-query | Specifies which hosts are allowed to query the nameserver for authoritative resource records. It accepts an access control list, a collection of IP addresses, or networks in CIDR notation. All hosts are allowed by default. |
| allow-query-cache | Specifies which hosts are allowed to query the nameserver for non-authoritative data such as recursive queries. Only localhost and localnets are allowed by default. Note that when allow-query-cache is not set, BIND 9 derives it from allow-recursion or, failing that, from allow-query if either is set, so allow-query { any; } on a recursive server effectively opens the cache to everyone unless allow-query-cache is set explicitly. |
| blackhole | Specifies which hosts are not allowed to query the nameserver. This option should be used when a particular host or network floods the server with requests. Packets from blackholed addresses are dropped without a response, and named also does not send queries to them, so do not blackhole a network that contains a forwarder or a master server. The default is none. |
| directory | Specifies a working directory for the named service. The default is /var/named/. |
| dnssec-enable | Specifies whether to return DNSSEC related resource records. The default is yes. |
| dnssec-validation | Specifies whether to prove that resource records are authentic via DNSSEC. The default is yes. |
| forwarders | Specifies a list of valid IP addresses for nameservers to which requests should be forwarded for resolution. |
| forward | Specifies the behavior of the forwarders directive. The accepted values are described in the named.conf manual page. |
| listen-on | Specifies the IPv4 network interface on which to listen for queries. On a DNS server that also acts as a gateway, you can use this option to answer queries originating from a single network only. All IPv4 interfaces are used by default. |
| listen-on-v6 | Specifies the IPv6 network interface on which to listen for queries. On a DNS server that also acts as a gateway, you can use this option to answer queries originating from a single network only. All IPv6 interfaces are used by default. |
| max-cache-size | Specifies the maximum amount of memory to be used for server caches. When the limit is reached, the server causes records to expire prematurely so that the limit is not exceeded. In a server with multiple views, the limit applies separately to the cache of each view. The default is 32M. |
| notify | Specifies whether to notify the secondary nameservers when a zone is updated. The accepted values are described in the named.conf manual page. |
| pid-file | Specifies the location of the process ID file created by the named service. |
| recursion | Specifies whether to act as a recursive server. The default is yes. A server that is only authoritative for public zones should set this to no. |
| statistics-file | Specifies an alternate location for statistics files. The /var/named/named.stats file is used by default. |
Use the allow-query-cache option to restrict recursive DNS service to a particular subset of clients only; an open recursive resolver can be abused as a reflector in distributed denial of service (DDoS) attacks against third parties, and exposes its cache to poisoning attempts from anywhere.

See the named.conf manual page for a complete list of available options.
Using the options statement:

```
options {
  allow-query { localhost; };
  listen-on port 53 { 127.0.0.1; };
  listen-on-v6 port 53 { ::1; };
  max-cache-size 256M;
  directory "/var/named";
  statistics-file "/var/named/data/named_stats.txt";
  recursion yes;
  dnssec-enable yes;
  dnssec-validation yes;
};
```

The zone statement allows you to define the characteristics of a zone, such as the location of its configuration file and zone-specific options, and can be used to override the global options statement. It takes the following form:

```
zone zone-name [zone-class] {
  option;
  ...
};
```

The zone-name attribute is the name of the zone, zone-class is the optional class of the zone, and option is a zone statement option as described in Table 10.4, “Commonly used options”.

The zone-name attribute is particularly important, as it is the default value assigned to the $ORIGIN directive used within the corresponding zone file located in the /var/named/ directory. The named daemon appends the name of the zone to any non-fully qualified domain name listed in the zone file. For example, if a zone statement defines the namespace for example.com, use example.com as the zone-name so that it is placed at the end of hostnames within the example.com zone file.
Table 10.4. Commonly used options

| Option | Description |
|---|---|
| allow-query | Specifies which clients are allowed to request information about this zone. This option overrides the global allow-query option. All query requests are allowed by default. |
| allow-transfer | Specifies which secondary servers are allowed to request a transfer of the zone's information. All transfer requests are allowed by default, which lets anyone enumerate the whole zone with a single AXFR query; restrict it to the addresses of your secondaries or to a TSIG key. |
| allow-update | Specifies which hosts are allowed to dynamically update information in their zone. The default is to deny all dynamic update requests. Be careful when allowing hosts to update information about their zone. Do not set IP addresses in this option unless the server is in a trusted network, since the source address of an update packet can be spoofed. Instead, use a TSIG key as described in Section 10.6.3, “Transaction SIGnatures (TSIG)”. |
| file | Specifies the name of the file in the named working directory that contains the zone's configuration data. |
| masters | Specifies from which IP addresses to request authoritative zone information. This option is used only if the zone is defined as type slave. |
| notify | Specifies whether to notify the secondary nameservers when a zone is updated. The accepted values are described in the named.conf manual page. |
| type | Specifies the zone type. The accepted values are described in the named.conf manual page. |
Most changes to the /etc/named.conf file of a primary or secondary nameserver involve adding, modifying, or deleting zone statements, and only a small subset of zone statement options is usually needed for a nameserver to work efficiently.

In the following zone statement for a primary nameserver, the zone is identified as example.com, the type is set to master, and the named service is instructed to read the /var/named/example.com.zone file. It also allows only a single secondary nameserver (192.168.0.2) to transfer the zone.

A zone statement for a primary nameserver:

```
zone "example.com" IN {
  type master;
  file "example.com.zone";
  allow-transfer { 192.168.0.2; };
};
```

A secondary nameserver's zone statement is slightly different. The type is set to slave, and the masters directive tells named the IP address of the master server.

In the following zone statement for a secondary nameserver, the named service is configured to query the primary server at the 192.168.0.1 IP address for information about the example.com zone. The received information is then saved to the /var/named/slaves/example.com.zone file. Note that you have to put all slave zones into the /var/named/slaves/ directory, which is the directory named is allowed to write to; otherwise the service will fail to transfer the zone.

A zone statement for a secondary nameserver:

```
zone "example.com" {
  type slave;
  file "slaves/example.com.zone";
  masters { 192.168.0.1; };
};
```
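The acl, options and zone settings described above are easiest to review mechanically once a file has grown past a handful of zones. The following is an added example, not code from the Red Hat guide or from BIND itself: a small Python parser for the statement [name] [class] { option; ... }; grammar shown earlier, followed by checks for the weaknesses the text warns about (recursive service reachable from anywhere, zone transfers left at the allow-everyone default, allow-update by IP address instead of a TSIG key, and a slave zone file outside slaves/). The sample configuration, the finding codes and all function names are this example's own constructions; it applies the allow-query-cache fallback rule of BIND 9 (allow-recursion, then allow-query, then localnets/localhost).

```python
"""Audit a named.conf for risky settings.  Added example, not from the Red Hat guide or
BIND; the sample config, finding codes and helper names are this example's own."""
import ipaddress
import re

# Constructed sample configuration, not a real server's.
SAMPLE_CONF = r'''
acl black-hats { 10.0.2.0/24; 192.168.0.0/24; 1234:5678::9abc/24; };
acl red-hats { 10.0.1.0/24; };
options {
    directory "/var/named";
    recursion yes;          /* the default */
    allow-query { any; };   # no allow-query-cache: the cache inherits this
    blackhole { black-hats; };
};
zone "example.com" IN { type master; file "example.com.zone";
                        allow-transfer { any; }; allow-update { 192.168.0.5; }; };
zone "example.org" { type slave; file "slaves/example.org.zone"; masters { 192.168.0.1; }; };
'''

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def tokenize(text):
    """Drop /* */, // and # comments (naively, even inside quotes), then split into tokens."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    text = re.sub(r'(//|#).*', '', text)
    return TOKEN_RE.findall(text)

def parse(tokens):
    """Return [(words, body)]: body is None for 'a b;' and a nested list for 'a { ... };'."""
    stmts, words, i = [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == ';':
            if words:
                stmts.append((words, None))
            words, i = [], i + 1
        elif tok == '{':
            depth, j = 1, i + 1
            while depth:  # locate the matching closing brace
                if j >= len(tokens):
                    raise ValueError('unbalanced { in named.conf')
                depth += {'{': 1, '}': -1}.get(tokens[j], 0)
                j += 1
            stmts.append((words, parse(tokens[i + 1:j - 1])))
            words, i = [], j
        else:
            words.append(tok.strip('"'))
            i += 1
    if words:
        raise ValueError('missing ; after: ' + ' '.join(words))
    return stmts

def elements(body):
    """Flatten an address match list body; 'key "name"' becomes 'key:name'."""
    return ['key:' + w[1] if w[0] == 'key' and len(w) > 1 else w[0] for w, _ in body]

def is_address(elem):
    """True for an IP address or CIDR prefix, optionally negated with '!'."""
    try:
        return ipaddress.ip_network(elem.lstrip('!'), strict=False) is not None
    except ValueError:
        return False

def resolve(elems, acls, seen=()):
    """Expand acl names recursively; keywords and addresses pass through unchanged."""
    out = []
    for e in elems:
        if e in acls and e not in seen:
            out.extend(resolve(acls[e], acls, seen + (e,)))
        else:
            out.append(e)
    return out

def block_to_dict(body):
    """Map 'option args;' to args, and 'option { list };' to its flattened list."""
    return {w[0]: (elements(b) if b is not None else w[1:]) for w, b in body}

def audit(conf_text):
    """Return (code, location, detail) findings for a named.conf text."""
    findings, acls, options, zones = [], {}, {}, []
    for words, body in parse(tokenize(conf_text)):
        if words[0] == 'acl':
            acls[words[1]] = elements(body)
        elif words[0] == 'options':
            options = block_to_dict(body)
        elif words[0] == 'zone':
            zones.append((words[1], block_to_dict(body)))
    # recursion defaults to yes; an unset allow-query-cache falls back to
    # allow-recursion, then allow-query, then localnets/localhost (BIND 9 rule)
    recursive = options.get('recursion', ['yes'])[0] != 'no'
    cache_acl = (options.get('allow-query-cache') or options.get('allow-recursion')
                 or options.get('allow-query') or ['localnets', 'localhost'])
    if recursive and 'any' in resolve(cache_acl, acls):
        findings.append(('OPEN_RESOLVER', 'options', 'recursive service reachable from any'))
    for name, zone in zones:
        xfer = zone.get('allow-transfer', options.get('allow-transfer', ['any']))
        if 'any' in resolve(xfer, acls):
            findings.append(('OPEN_AXFR', name, 'allow-transfer is any (the default)'))
        upd = resolve(zone.get('allow-update', ['none']), acls)
        if any(e == 'any' or is_address(e) for e in upd):
            findings.append(('IP_BASED_UPDATE', name, 'allow-update by address; use a TSIG key'))
        if zone.get('type') == ['slave'] and not zone.get('file', [''])[0].startswith('slaves/'):
            findings.append(('SLAVE_FILE_PATH', name, 'slave zone file must be under slaves/'))
    return findings

if __name__ == '__main__':
    for code, where, detail in audit(SAMPLE_CONF):
        print('%-16s %-12s %s' % (code, where, detail))
```

Run against the sample it reports four findings: the open resolver (allow-query { any; } inherited by the cache), an open transfer on example.com, the address-based allow-update on example.com, and an open transfer on example.org, which never set allow-transfer and so got the default. The parser deliberately ignores views and the ! negation semantics beyond passing them through, and the comment stripper is naive about # inside quoted strings; it complements named-checkconf, which checks syntax but not policy, and does not replace it.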