Manifest of dnshost scripts and files.

File: dnshost_usrlocaletc_namedb.tgz

Description: Contains the configuration for the BIND 9 DNS services that run on this machine. As configured in named.conf below, this is an authoritative-only server ("recursion no") for example.com, its reverse zones, and a private root zone.

Installation: Install the bind9 package first, then untar this collection as follows:

  # cd /usr/local/etc
  # tar xvzf dnshost_usrlocaletc_namedb.tgz

Before starting named, regenerate namedb/rndc.key on the target host (for example with rndc-confgen -a): the secret shipped in the tarball is reproduced verbatim further down this page and must be treated as public. Untar as root so that the bind:bind ownership and the 0600 mode on rndc.key shown in the listing are restored. Note that managed-keys.bind appears twice (namedb/working/ and namedb/primary/); it is runtime state that named rewrites itself, not configuration.

Contents:

$ tar tvzf dnshost_usrlocaletc_namedb.tgz
drwxr-xr-x  0 root  wheel      0 Nov 19 12:00 namedb/
-rw-r--r--  0 bind  bind    2403 Nov 19 11:59 namedb/bind.keys
drwxr-xr-x  0 bind  bind       0 Nov 19 11:59 namedb/dynamic/
-rw-r--r--  0 bind  bind    2618 Dec  2 12:34 namedb/named.conf
-rw-r--r--  0 bind  bind   21992 Nov 19 11:59 namedb/named.conf.sample
-rw-r--r--  0 bind  bind     927 Nov 19 11:59 namedb/named.root
-rw-r--r--  0 bind  bind    3317 Nov 19 11:59 namedb/named.root.SAVE
drwxr-xr-x  0 bind  bind       0 Dec  2 15:35 namedb/primary/
-rw-------  0 bind  bind     100 Nov 19 11:59 namedb/rndc.key
drwxr-xr-x  0 bind  bind       0 Nov 19 11:59 namedb/secondary/
drwxr-xr-x  0 bind  bind       0 Nov 19 11:59 namedb/working/
-rw-r--r--  0 bind  bind     297 Nov 19 11:59 namedb/working/managed-keys.bind
-rw-r--r--  0 bind  bind     355 Nov 19 11:59 namedb/primary/ptr_198.51
-rw-r--r--  0 bind  bind     465 Nov 19 11:59 namedb/primary/ptr_203.0
-rw-r--r--  0 bind  bind     693 Dec  1 19:29 namedb/primary/example.com
-rw-r--r--  0 bind  bind     148 Nov 19 11:59 namedb/primary/empty
-rw-r--r--  0 bind  bind     407 Nov 19 14:12 namedb/primary/ptr_ipv6
-rw-r--r--  0 bind  bind     287 Dec  2 15:35 namedb/primary/managed-keys.bind
-rw-r--r--  0 bind  bind     226 Nov 19 11:59 namedb/primary/localhost-reverse
-rw-r--r--  0 bind  bind     158 Nov 19 11:59 namedb/primary/localhost-forward
-rw-r--r--  0 bind  bind     351 Dec  1 19:30 namedb/primary/ptr_192.168
$

=====================================================================================
bind.keys
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.
# If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# The bind.keys file is used to override the built-in DNSSEC trust anchors
# which are included as part of BIND 9. The only trust anchors it contains
# are for the DNS root zone ("."). Trust anchors for any other zones MUST
# be configured elsewhere; if they are configured here, they will not be
# recognized or used by named.
#
# To use the built-in root key, set "dnssec-validation auto;" in the
# named.conf options, or else leave "dnssec-validation" unset. If
# "dnssec-validation" is set to "yes", then the keys in this file are
# ignored; keys will need to be explicitly configured in named.conf for
# validation to work. "auto" is the default setting, unless named is
# built with "configure --disable-auto-validation", in which case the
# default is "yes".
#
# This file is NOT expected to be user-configured.
#
# Servers being set up for the first time can use the contents of this file
# as initializing keys; thereafter, the keys in the managed key database
# will be trusted and maintained automatically.
#
# These keys are current as of Mar 2019. If any key fails to initialize
# correctly, it may have expired. In that event you should replace this
# file with a current version. The latest version of bind.keys can always
# be obtained from ISC at https://www.isc.org/bind-keys.
#
# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
# anchor information for the root zone.

# NOTE(review): named.conf in this manifest sets "recursion no" and does not
# set dnssec-validation, so this anchor only matters if recursion/validation
# is ever enabled on this host.  named still initialises its managed-key
# database from it at startup (the manifest shows a managed-keys.bind written
# into the configured directory), so keep the file current per the ISC note
# above rather than treating it as dead weight.

trust-anchors {
        # This key (20326) was published in the root zone in 2017.
        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
                R1AkUTV74bU=";
};

=====================================================================================
named.conf
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/local/share/doc/bind for more details.

// Hosts allowed to pull full zone transfers (AXFR) of every zone in this
// file, including the private root zone.  Despite its name this ACL is only
// referenced from allow-transfer; there is no allow-query statement, so
// ordinary queries are answered for everyone (expected for an authoritative
// server).  "localhost" is BIND's built-in ACL, not a hostname.
// NOTE(review): 203.0.113.0/24 and 2001:db8:12::/64 allow *every* host on
// those networks to dump the zones, not just a secondary server.  Unless the
// whole prefix is trusted, narrow this to the secondary's addresses and/or
// require a TSIG key for transfers.
acl trusted-queriers {
        203.0.113.0/24;
        2001:db8:12::/64;
        127.0.0.1;
        ::1;
        localhost;
};

// Defined but not referenced anywhere in this file (presumably for the
// DNS64 block below, or the "v6only" host in example.com).
acl v6only-networks {
        2001:db8:12::/64;
};

options {
        // named's working directory.  It is also the primary zone-file
        // directory, so named needs write access here -- and the manifest
        // shows it already writes there (primary/managed-keys.bind).  The
        // tarball also ships an empty namedb/working/; pointing directory at
        // that instead would let the zone files stay read-only to the bind
        // user (all zone "file" paths below are already absolute, so nothing
        // else would need to change).
        directory "/usr/local/etc/namedb/primary";
        pid-file "/var/run/named/pid";
        dump-file "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

        // Answer on every v4 and v6 address of the host.
        listen-on { any; };
        listen-on-v6 { any; };

        // Authoritative-only: no recursion for any client, so this box is not
        // an open resolver and has no cache to poison.  It is still reachable
        // from anywhere, so it can be used for reflection/amplification;
        // response rate limiting (rate-limit { responses-per-second N; };)
        // is the usual mitigation and is not configured here.
        recursion no;

        // Global default; the localhost/empty zones below, which set no
        // allow-transfer of their own, inherit it.
        allow-transfer { trusted-queriers; };

        // NOTE: Remove comments when using DNS64
        // NOTE(review): DNS64 synthesis depends on the server resolving the
        // A record itself; with "recursion no" above it is unlikely to have
        // any effect -- verify before enabling.
        // dns64 64:FF9B::/96 {
        //        clients { any; };
        //        exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
        //        suffix ::;
        // };
};

// forward zone
zone "example.com" {
        type primary;
        file "/usr/local/etc/namedb/primary/example.com";
        allow-transfer {trusted-queriers;};     // same as the global default
};

// reverse zones for 203.0.0.0/16, 198.51.0.0/16, 192.168.0.0/16 and
// 2001:db8:12::/48
zone "0.203.in-addr.arpa" {
        type primary;
        file "/usr/local/etc/namedb/primary/ptr_203.0";
        allow-transfer {trusted-queriers;};
};
zone "51.198.in-addr.arpa"{
        type primary;
        file "/usr/local/etc/namedb/primary/ptr_198.51";
        allow-transfer {trusted-queriers;};
};
zone "2.1.0.0.8.b.d.0.1.0.0.2.ip6.arpa" {
        type primary;
        file "/usr/local/etc/namedb/primary/ptr_ipv6";
        allow-transfer {trusted-queriers; };
};
zone "168.192.in-addr.arpa" {
        type primary;
        file "/usr/local/etc/namedb/primary/ptr_192.168";
        allow-transfer {trusted-queriers;};
};

// Block below added by BIND9
// RFCs 1912, 5735 and 6303 (and BCP 32 for localhost)
zone "localhost" {
        type primary;
        file "/usr/local/etc/namedb/primary/localhost-forward";
};
zone "127.in-addr.arpa" {
        type primary;
        file "/usr/local/etc/namedb/primary/localhost-reverse";
};
zone "255.in-addr.arpa" {
        type primary;
        file "/usr/local/etc/namedb/primary/empty";
};

// RFC 1912-style zone for IPv6 localhost address (RFC 6303)
zone "0.ip6.arpa" {
        type primary;
        file "/usr/local/etc/namedb/primary/localhost-reverse";
};

// "This" Network (RFCs 1912, 5735 and 6303)
zone "0.in-addr.arpa" {
        type primary;
        file "/usr/local/etc/namedb/primary/empty";
};

// Our own root zone file so we don't leak out to the Internet
// NOTE(review): "master" is the older spelling of the "primary" used by every
// other zone here; both are accepted.  Being authoritative for "." means any
// name this server does not host gets an authoritative NXDOMAIN instead of
// REFUSED -- intended, but a client mistakenly pointed at this box as its
// resolver will see every outside name as non-existent.
zone "." {
        type master;
        file "/usr/local/etc/namedb/named.root";
        allow-transfer {trusted-queriers; };
};

=====================================================================================
named.root
; NOTE(review): despite the InterNIC header kept below, this is NOT the
; standard root-hints file (the 3317-byte named.root.SAVE in the manifest is
; presumably that).  It is a tiny private root zone, loaded by named.conf as
; zone "." type master, naming dnshost.example.com. as the only root server.
; Bump the SOA serial whenever it is edited.
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache  .  <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: November 16, 2017
; related version of root zone: 2017111601
;
; FORMERLY NS.INTERNIC.NET
;
$TTL 3600
. 3600 IN SOA dnshost.example.com. jpb.dnshost.example.com (
                100     ; serial
                14400   ; refresh
                7200    ; retry
                28800   ; expire
                64000 ) ; min neg cache expire
. 3600 NS dnshost.example.com.
dnshost.example.com. 3600 A 203.0.113.53
dnshost.example.com. 3600 AAAA 2001:db8:12::53

=====================================================================================
rndc.key
# Shared secret for the rndc control channel.  named.conf has no "controls"
# statement, so named uses its documented default: listen on 127.0.0.1 and
# ::1 port 953, authenticated with this key.
# NOTE(review): this secret is printed in the manifest and must be treated
# as compromised -- whoever holds it and can reach the control channel can
# stop, reload or reconfigure named.  Generate a fresh key on every host
# before starting named (rndc-confgen -a rewrites this file) and keep the
# file at mode 0600 bind:bind as the tar listing shows.
key "rndc-key" {
        algorithm hmac-sha256;
        secret "wesiGsTgu7OwV44aA6C2P8XmZdW4z/YdPJ4D/vRNPTM=";
};

=====================================================================================
empty
; Minimal "nothing here" zone, shared by 0.in-addr.arpa and 255.in-addr.arpa
; in named.conf.
$TTL 3h
@ SOA @ nobody.localhost. 42 1d 12h 1w 3h
        ; Serial, Refresh, Retry, Expire, Neg. cache TTL

@ NS @

; Silence a BIND warning
@ A 127.0.0.1

=====================================================================================
example.com
; Public forward zone.  dnshost (203.0.113.53 / 2001:db8:12::53) is the only
; name server.
; NOTE(review): SOA MNAME is "example.com.", which has no address record and
; is not the NS; conventionally it names the primary (dnshost.example.com.).
; Only matters for NOTIFY/dynamic-update targeting, not for plain serving.
$TTL 3600
@ IN SOA example.com. jpb.example.com. (
                5    ; Serial
                3h   ; Refresh
                1h   ; Retry
                1w   ; Expire
                1h ) ; Negative Cache TTL
;
; name servers - NS records
@ IN NS dnshost.example.com.

; name servers - A records
dnshost IN A 203.0.113.53
; NOTE(review): external1 currently points at an RFC 1918 address
; (192.168.1.2) in a zone served to the whole Internet, while ptr_203.0 still
; maps 203.0.113.10 back to external1 -- forward and reverse disagree.  Either
; restore the 203.0.113.10 line or fix ptr_203.0 (and bump both serials).
; The "internal" and firewall-em1 records likewise expose what the ptr_198.51
; zone suggests is an inside network; if those names are only needed
; internally, serve them from a separate internal zone or view.
;external1 IN A 203.0.113.10
external1 IN A 192.168.1.2
external2 IN A 203.0.113.20
external3 IN A 203.0.113.30
firewall IN A 203.0.113.50
firewall-em0 IN A 203.0.113.50
firewall-em1 IN A 198.51.100.50
firewall-em1 IN AAAA 2001:db8:12::50
internal IN A 198.51.100.200

; name servers - AAAA records
dnshost IN AAAA 2001:db8:12::53
v6only IN AAAA 2001:db8:12::6

=====================================================================================
localhost-forward
$TTL 3h
localhost. SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
        ; Serial, Refresh, Retry, Expire, Neg. cache TTL

        ; leading whitespace: owner name carried over from the SOA (localhost.)
        NS localhost.
        A 127.0.0.1
        AAAA ::1

=====================================================================================
localhost-reverse
; Shared by 127.in-addr.arpa and 0.ip6.arpa in named.conf: "1.0.0" is the
; PTR for 127.0.0.1, the long all-zero name is the PTR for ::1 relative to
; 0.ip6.arpa.  Each record is only meaningful in one of the two zones.
$TTL 3h
@ SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
        ; Serial, Refresh, Retry, Expire, Neg. cache TTL

        NS localhost.
1.0.0 PTR localhost.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR localhost.

=====================================================================================
managed-keys.bind
; Runtime state written by named (its RFC 5011 managed-key database), not
; configuration.  The all-zero KEYDATA with 1970 timestamps is the placeholder
; named writes before any key is learned.  The 2024-12-02 timestamp appears to
; match primary/managed-keys.bind (Dec 2 15:35) in the tar listing; the file
; can be left out of the tarball, named recreates it.
$TTL 0 ; 0 seconds
. IN SOA . . (
                100 ; serial
                0   ; refresh (0 seconds)
                0   ; retry (0 seconds)
                0   ; expire (0 seconds)
                0   ; minimum (0 seconds)
                )
        KEYDATA 20241202213508 19700101000000 19700101000000 0 0 0 ; placeholder

=====================================================================================
ptr_192.168
; Reverse zone for 192.168.0.0/16 (168.192.in-addr.arpa).  Owner labels are
; the last two octets reversed: "53.1" is 192.168.1.53.
$TTL 3600
@ IN SOA example.com. jpb.example.com. (
                3    ; Serial
                3h   ; Refresh
                1h   ; Retry
                1w   ; Expire
                1h ) ; Negative Cache TTL
;
; name servers - NS records
        IN NS dnshost.example.com.

; PTR Records
; NOTE(review): 192.168.1.53 -> dnshost has no matching A record in the
; example.com zone (dnshost is 203.0.113.53 there); 192.168.1.2 -> external1
; does match the forward zone.
53.1 IN PTR dnshost.example.com.
2.1 IN PTR external1.example.com.

=====================================================================================
ptr_198.51
; Reverse zone for 198.51.0.0/16 (51.198.in-addr.arpa); "50.100" is
; 198.51.100.50.  Both PTRs match the example.com forward zone.
$TTL 3600
@ IN SOA example.com. jpb.example.com. (
                3    ; Serial
                3h   ; Refresh
                1h   ; Retry
                1w   ; Expire
                1h ) ; Negative Cache TTL
;
; name servers - NS records
        IN NS dnshost.example.com.

; PTR Records
50.100 IN PTR firewall-em1.example.com.
200.100 IN PTR internal.example.com.

=====================================================================================
ptr_203.0
; Reverse zone for 203.0.0.0/16 (0.203.in-addr.arpa); "53.113" is
; 203.0.113.53.
$TTL 3600
@ IN SOA example.com. jpb.example.com. (
                3    ; Serial
                3h   ; Refresh
                1h   ; Retry
                1w   ; Expire
                1h ) ; Negative Cache TTL
;
; name servers - NS records
        IN NS dnshost.example.com.

; PTR Records
53.113 IN PTR dnshost.example.com.
; NOTE(review): the forward zone currently has external1 at 192.168.1.2 (its
; 203.0.113.10 record is commented out), so this PTR no longer round-trips.
10.113 IN PTR external1.example.com.
20.113 IN PTR external2.example.com.
30.113 IN PTR external3.example.com.
; 203.0.113.50 has two forward names (firewall, firewall-em0); the PTR
; answers with firewall-em0.
50.113 IN PTR firewall-em0.example.com.

=====================================================================================
ptr_ipv6
; Reverse zone for 2001:db8:12::/48 (2.1.0.0.8.b.d.0.1.0.0.2.ip6.arpa).
$TTL 3600
@ IN SOA example.com. jpb.example.com. (
                3    ; Serial
                3h   ; Refresh
                1h   ; Retry
                1w   ; Expire
                1h ) ; Negative Cache TTL
;
@ IN NS dnshost.example.com.
; $ORIGIN narrows to the 2001:db8:12:0::/64 subnet so each host is written
; as its 16 reversed interface-id nibbles.
$ORIGIN 0.0.0.0.2.1.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR dnshost.example.com.   ; 2001:db8:12::53
6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR v6only.example.com.    ; 2001:db8:12::6
; NOTE(review): firewall-em1 has AAAA 2001:db8:12::50 in the forward zone but
; no PTR here.

=====================================================================================
managed-keys.bind
; Second copy of the managed-key database (see the note on the first copy);
; the 2022-05-02 timestamp appears to match working/managed-keys.bind in the
; tar listing.  Runtime state, safe to omit from the tarball.
$ORIGIN .
$TTL 0 ; 0 seconds
@ IN SOA . . (
                100 ; serial
                0   ; refresh (0 seconds)
                0   ; retry (0 seconds)
                0   ; expire (0 seconds)
                0   ; minimum (0 seconds)
                )
        KEYDATA 20220502020339 19700101000000 19700101000000 0 0 0 ; placeholder
=====================================================================================
Appendix E. DNS Server Configuration
DNS configuration for the IPFW Primer book.