aboutsummaryrefslogtreecommitdiffstats
path: root/roles/space_server/files
diff options
context:
space:
mode:
Diffstat (limited to 'roles/space_server/files')
-rw-r--r--roles/space_server/files/named.conf103
1 files changed, 103 insertions, 0 deletions
diff --git a/roles/space_server/files/named.conf b/roles/space_server/files/named.conf
new file mode 100644
index 0000000..81c4969
--- /dev/null
+++ b/roles/space_server/files/named.conf
@@ -0,0 +1,103 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+ listen-on port 53 {
+ 127.0.0.1;
+ 185.38.175.0;
+ };
+ listen-on-v6 port 53 {
+ ::1;
+ 2a01:4262:1ab::;
+ };
+ allow-query {
+ 127.0.0.1;
+ 185.38.175.0/24;
+ 10.42.0.0/16;
+ ::1;
+ 2a01:4262:1ab::/48;
+ };
+ dns64 2a01:4262:1ab:0:0:f::/96 {
+ clients { 2a01:4262:1ab:f::/64; };
+ exclude {
+ 2a01:4262:1ab:0:0:f::/96;
+ ::ffff:0:0/96;
+ };
+ };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ secroots-file "/var/named/data/named.secroots";
+ recursing-file "/var/named/data/named.recursing";
+
+ /*
+ - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+ - If you are building a RECURSIVE (caching) DNS server, you need to enable
+ recursion.
+ - If your recursive DNS server has a public IP address, you MUST enable access
+ control to limit queries to your legitimate users. Failing to do so will
+ cause your server to become part of large scale DNS amplification
+ attacks. Implementing BCP38 within your network would greatly
+ reduce such attack surface
+ */
+ recursion yes;
+
+ dnssec-enable yes;
+ dnssec-validation yes;
+
+ managed-keys-directory "/var/named/dynamic";
+
+ pid-file "/run/named/named.pid";
+ session-keyfile "/run/named/session.key";
+
+ /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+ include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+ channel default_debug {
+ syslog daemon;
+ severity dynamic;
+ };
+ channel default {
+ syslog daemon;
+ severity info;
+ };
+ category default {
+ default;
+ };
+};
+
+zone "." IN {
+ type hint;
+ file "named.ca";
+};
+
+zone "s" IN {
+ type master;
+ file "/etc/named/s.zone";
+ allow-query {
+ 127.0.0.1;
+ 10.42.0.0/24; # infrastructure
+ 10.42.1.0/24; # member wired
+ 10.42.2.0/24; # member wireless
+ ::1;
+ 2a01:4262:1ab:a::/64; # infrastructure
+ 2a01:4262:1ab:b::/64; # member wired
+ 2a01:4262:1ab:c::/64; # member wireless
+ 2a01:4262:1ab:f::/64; # member nat64
+ };
+ allow-transfer {
+ none;
+ };
+};
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";