
Domain Name Server (207)

7.1 Basic DNS server configuration (20)

7.1.4 The named.conf file

The file named.conf is the main configuration file of BIND. It is the first configuration file read by named, the DNS name daemon.

Note

BIND 8 configuration files should work with BIND 9, although some modifications might be necessary: some options do not work with BIND 9, and BIND 9 offers new areas of configuration. Consult the BIND documentation and manpages when upgrading from BIND 8 to BIND 9.

Note

BIND 4 configuration files can be converted to BIND 9 format using a script called named-bootconf.sh.

7.1.4.1 Location of named.conf

According to LPI, the file named.conf is located in the /etc directory. However, the location varies across distributions. In the Debian Linux distribution, for example, named.conf is located in the /etc/bind directory.

7.1.4.2 A caching-only name server

A caching-only name server resolves names and stores the answers in a cache, so that they can be returned faster when the name server is asked to resolve the same names again. Every name server does this, of course. The difference is that resolving and caching is the only task a caching-only name server performs: it does not serve out zones, except for a few internal ones.

This is an example of a caching-only named.conf file. The version below is taken from the Debian bind package (some comments removed).

    options {
            directory "/var/named";
            // query-source address * port 53;
            // forwarders {
            //      0.0.0.0;
            // };
    };

    // reduce log verbosity on issues outside our control
    logging {
            category lame-servers { null; };
            category cname { null; };
    };

    // prime the server with knowledge of the root servers
    zone "." {
            type hint;
            file "/etc/bind/db.root";
    };

    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912

    zone "localhost" {
            type master;
            file "/etc/bind/db.local";
    };

    zone "127.in-addr.arpa" {
            type master;
            file "/etc/bind/db.127";
    };

    zone "0.in-addr.arpa" {
            type master;
            file "/etc/bind/db.0";
    };

    zone "255.in-addr.arpa" {
            type master;
            file "/etc/bind/db.255";
    };

    // add entries for other zones below here

The Debian bind package that contains this file provides a fully functional caching-only name server. BIND packages from other distributions and vendors provide the same functionality.

7.1.4.3 Syntax

The named.conf file contains statements that start with a keyword plus an opening curly brace “{” and end with a closing curly brace “}”. A statement may contain other statements; the forwarders statement is an example of this. A statement may also contain simple entries such as IP addresses, or the word file followed by a filename. These simple statements must be terminated by a semicolon (;).

All kinds of comments are allowed, e.g., // and # as end of line comments. See the named.conf(5) manual page for details.

Note

The “;” is NOT valid as a comment sign in named.conf. However, it is a comment sign in BIND zone files, like the file /etc/bind/db.local from the named.conf example above. An example BIND zone file can be found in Section 7.2.3.1.

7.1.4.4 The options statement

Of the many possible entries (see named.conf(5)) inside an options statement, only directory, forwarders, forward, version and dialup will be discussed below.

Note

There can be only one options statement in a named.conf file.

Notable keywords in named.conf

directory Specifies the working directory for the name daemon. A common value is /var/named. Zone files specified without a directory part are looked up in this directory.

Recent distributions separate the configuration directory from the working directory. In a recent Debian Linux distribution, for example, the working directory is specified as /var/cache/bind, but all the configuration files can be found in /etc/bind. All zone files can also be found in the latter directory and must be specified with their directory part, as can be seen in the named.conf example above.

forwarders The forwarders statement contains one or more IP addresses of name servers to query. How these IP addresses are used is specified by the forward statement described below.

The default is no forwarders. Resolving is done through the worldwide (or company local) DNS system.

Usually the specified name servers are those of the Service Provider.

forward The forward statement works only when forwarders are specified.

Two values can be specified: forward first; (the default) and forward only;. With forward first, the query is sent first to the specified name-server IP addresses and, if that fails, the server performs lookups elsewhere. With forward only, queries are limited to the specified name-server IP addresses.

An example with both forwarders and forward:

    options {
            // ...
            forwarders {
                    123.12.134.2;
                    123.12.134.3;
            };
            forward only;
            // ...
    };

In this example BIND is told to query only the name servers 123.12.134.2 and 123.12.134.3.

version It is possible to query the version from a running name server:

    $ dig @ns12.zoneedit.com version.bind chaos txt

    ; <<>> DiG 9.8.3-P1 <<>> @ns12.zoneedit.com version.bind chaos txt
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59790
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;version.bind.                  CH      TXT

    ;; ANSWER SECTION:
    VERSION.BIND.           0       CH      TXT     "8.4.X"

    ;; Query time: 169 msec
    ;; SERVER: 209.62.64.46#53(209.62.64.46)
    ;; WHEN: Tue Jun 25 11:38:48 2013
    ;; MSG SIZE  rcvd: 60

Note that the BIND version is shown in the output. Because some BIND versions have publicly known vulnerabilities, the BIND version is often kept hidden. The version specification

    version "not revealed";

or

    version none;

inside the options statement stops the real version from being revealed in responses to version queries.

dialup When a name server sits behind a firewall that connects to the outside world through a dialup connection, some maintenance normally done by name servers might be unwanted. Examples of unwanted actions are sending heartbeat packets and zone transfers with a name server on the other side of the firewall.

The following example, also inside the options part, stops external zone maintenance:

    heartbeat-interval 0;
    dialup yes; // NOTE: This actually *stops* dialups!

Many more options can be placed inside the options block. Refer to the manual pages for details.

Depending on the distribution used, a separate named.conf.options file might hold all the options for the BIND configuration. The main configuration file named.conf then has to include this separate file, which can be accomplished by adding the following line to named.conf:

    include "/etc/bind/named.conf.options";

Other separate configuration files like named.conf.log or named.conf.default-zones may be nested this way as well.

7.1.4.5 The logging statement

The BIND (version 8 and 9) logging system is too elaborate to discuss in detail here. An important difference between the two versions has to do with parsing the log configuration. BIND 8 used to parse the logging statement and start the logging configuration right away. BIND 9 only establishes the logging configuration after the entire configuration file has been parsed. While starting up, the server sends all logging messages regarding syntax errors in the configuration file to the default channels. These errors may be redirected to standard error output if the -g option has been given during startup.

The distinction between categories and channels is an important part of logging.

A channel is an output specification. The null channel, for example, dismisses any output sent to the channel.

A category is a type of data. The category security is one of many categories. To log messages of type (category) security, for example, to the default_syslog channel, use the following:

    logging {
            category security { default_syslog; };
            // ...
    };

To turn off logging for certain types of data, send it to the null channel, as is done in the example named.conf shown earlier:

    logging {
            category lame-servers { null; };
            category cname { null; };
    };

This means that messages of types lame-servers and cname are being discarded.

There are reasonable defaults for logging, so a named.conf without a logging statement is possible.

Note

A maximum of one logging statement is allowed in a named.conf file.
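The parser below is an added example, not code from this guide or from BIND: it applies the named.conf syntax rules of Section 7.1.4.3 (brace-delimited statements, mandatory semicolons, // and # comments, ';' is not a comment) and then audits the options and logging statements discussed in Sections 7.1.4.4 and 7.1.4.5. The sample configuration and the finding texts are constructed for this example.

```python
import re

# Constructed sample (not from any real server): version is commented out.
SAMPLE_CONF = """\
options {
    // version "not revealed";
    forwarders { 123.12.134.2; 123.12.134.3; };
    forward only;
};
logging { category security { null; }; };   # security messages discarded
"""

def parse(text):
    """Return (words, body) statements; body is a '{ }' sub-list or None."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # strip block comments
    text = re.sub(r"(//|#).*", "", text)                 # ';' is NOT a comment
    stack, stmts, words, body = [], [], [], None
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text):
        if tok == "{":
            stack.append((stmts, words)); stmts, words, body = [], [], None
        elif tok == "}":
            if not stack or words or body is not None:
                raise SyntaxError("unbalanced '}' or missing ';' before it")
            body = stmts; stmts, words = stack.pop()
        elif tok == ";":
            stmts.append((tuple(words), body)); words, body = [], None
        elif body is not None:
            raise SyntaxError("missing ';' after '}'")
        else:
            words.append(tok)
    if stack or words or body is not None:
        raise SyntaxError("unbalanced '{' or missing final ';'")
    return stmts

def audit(text):
    """Flag named.conf settings a defender would want to review."""
    blocks = {w[0]: b for w, b in parse(text) if len(w) == 1 and b is not None}
    opts = {w[0]: w[1:] for w, _ in blocks.get("options", [])}
    findings = []
    if "version" not in opts:
        findings.append("version not set: real BIND version is disclosed")
    if "forward" in opts and "forwarders" not in opts:
        findings.append("forward has no effect without forwarders")
    for w, b in blocks.get("logging", []):
        if w[:2] == ("category", "security") and (("null",), None) in (b or []):
            findings.append("security category is sent to the null channel")
    return findings
```

Running audit(SAMPLE_CONF) reports the disclosed version and the discarded security category; a forwarders block whose closing brace lacks its semicolon makes parse() raise SyntaxError.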

7.1.4.6 Predefined zone statements

A zone defined in named.conf can be referred to using the “@” symbol inside the corresponding zone file. The “@” is called the current origin. For example,

    zone "127.in-addr.arpa" {
            type master;
            file "/etc/bind/db.127";
    };

will result in a current origin of 127.in-addr.arpa that is available as “@” in file /etc/bind/db.127.

Details about zone files, as well as how to create your own zone files and statements, will be covered in Section 7.2.