diff options
Diffstat (limited to 'roles/space_server/files')
-rw-r--r-- | roles/space_server/files/named.conf | 103 |
1 files changed, 103 insertions, 0 deletions
diff --git a/roles/space_server/files/named.conf b/roles/space_server/files/named.conf new file mode 100644 index 0000000..81c4969 --- /dev/null +++ b/roles/space_server/files/named.conf @@ -0,0 +1,103 @@ +// +// named.conf +// +// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS +// server as a caching only nameserver (as a localhost DNS resolver only). +// +// See /usr/share/doc/bind*/sample/ for example named configuration files. +// + +options { + listen-on port 53 { + 127.0.0.1; + 185.38.175.0; + }; + listen-on-v6 port 53 { + ::1; + 2a01:4262:1ab::; + }; + allow-query { + 127.0.0.1; + 185.38.175.0/24; + 10.42.0.0/16; + ::1; + 2a01:4262:1ab::/48; + }; + dns64 2a01:4262:1ab:0:0:f::/96 { + clients { 2a01:4262:1ab:f::/64; }; + exclude { + 2a01:4262:1ab:0:0:f::/96; + ::ffff:0:0/96; + }; + }; + directory "/var/named"; + dump-file "/var/named/data/cache_dump.db"; + statistics-file "/var/named/data/named_stats.txt"; + memstatistics-file "/var/named/data/named_mem_stats.txt"; + secroots-file "/var/named/data/named.secroots"; + recursing-file "/var/named/data/named.recursing"; + + /* + - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. + - If you are building a RECURSIVE (caching) DNS server, you need to enable + recursion. + - If your recursive DNS server has a public IP address, you MUST enable access + control to limit queries to your legitimate users. Failing to do so will + cause your server to become part of large scale DNS amplification + attacks. Implementing BCP38 within your network would greatly + reduce such attack surface + */ + recursion yes; + + dnssec-enable yes; + dnssec-validation yes; + + managed-keys-directory "/var/named/dynamic"; + + pid-file "/run/named/named.pid"; + session-keyfile "/run/named/session.key"; + + /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ + include "/etc/crypto-policies/back-ends/bind.config"; +}; + +logging { + channel default_debug { + syslog daemon; + severity dynamic; + }; + channel default { + syslog daemon; + severity info; + }; + category default { + default; + }; +}; + +zone "." IN { + type hint; + file "named.ca"; +}; + +zone "s" IN { + type master; + file "/etc/named/s.zone"; + allow-query { + 127.0.0.1; + 10.42.0.0/24; # infrastructure + 10.42.1.0/24; # member wired + 10.42.2.0/24; # member wireless + ::1; + 2a01:4262:1ab:a::/64; # infrastructure + 2a01:4262:1ab:b::/64; # member wired + 2a01:4262:1ab:c::/64; # member wireless + 2a01:4262:1ab:f::/64; # member nat64 + }; + allow-transfer { + none; + }; +}; + +include "/etc/named.rfc1912.zones"; +include "/etc/named.root.key"; |