Working With DNS Configuration Files
Domains are grouped into zones that are configured through zone files. Zone files store information about domains in the DNS database. Each zone file contains directives and resource records. Optional directives apply settings to a zone or instruct a name server to perform certain tasks. Resource records specify zone parameters and define information about the systems or hosts in a zone.
Examples of BIND configuration files can be found in /usr/share/doc/bind/sample/etc.

Configuring the named Daemon
The main configuration file for the named service is /etc/named.conf. The following example comes from the default /etc/named.conf file that's installed with the bind package and which configures a caching-only name server:

options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file   "/var/named/data/named.secroots";
    recursing-file  "/var/named/data/named.recursing";
    allow-query { localnets; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
The options statement defines the global server configuration options and sets defaults for other statements.

- listen-on: The port on which named listens for queries.
- directory: Specifies the default directory for zone files if a relative pathname is specified.
- dump-file: Specifies where named dumps its cache if it crashes.
- statistics-file: Specifies the output file for the rndc stats command.
- memstatistics-file: Specifies the output file for named memory-usage statistics.
- allow-query: Specifies which IP addresses might query the server. localnets specifies all locally attached networks.
- recursion: Specifies whether the name server performs recursive queries.
- dnssec-enable: Specifies whether to use secure DNS (DNSSEC).
- dnssec-validation: Specifies whether the name server would validate replies from DNSSEC-enabled zones.
- dnssec-lookaside: Specifies whether to enable DNSSEC Lookaside Validation (DLV) using the key in /etc/named.iscdlv.key defined by bindkeys-file.
The logging section activates the logging of messages to /var/named/data/named.run. The severity parameter controls the logging level, and the dynamic value means that this level can be controlled by using the rndc trace command.

The zone section specifies the initial set of root servers using a hint zone. This zone specifies that named consult /var/named/named.ca for the IP addresses of authoritative servers for the root domain (.).

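As an added check (example code written for this page, not from the page itself or from BIND), the following script reads the options statement of a named.conf such as the one above and reports which clients are allowed to recurse through the server, so that a recursion yes server is only ever exposed to the networks named in allow-query or allow-recursion. It assumes BIND's documented fallback order (allow-recursion, else allow-query-cache, else allow-query, else the built-in localnets and localhost default) and that recursion defaults to yes when unset.

```python
import re

# Constructed sample: the options block of the caching-only named.conf shown above.
CACHING_ONLY = """\
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    allow-query { localnets; };
    recursion yes;
    dnssec-validation yes;
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};
zone "." IN {
    type hint;
    file "named.ca";
};
"""

def options_body(conf):
    """Return the text inside the top-level options { ... } statement, comments removed."""
    conf = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", conf, flags=re.S)
    m = re.search(r"^options\s*\{(.*?)^\};", conf, re.S | re.M)
    return m.group(1) if m else ""

def address_list(body, option):
    """Return the address-match list of an option (e.g. ['localnets']) or None if unset."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(option), body)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else None

def recursion_clients(conf):
    """Which clients may recurse through this server. Assumes BIND's documented
    fallback: allow-recursion, else allow-query-cache, else allow-query, else the
    built-in default of localnets and localhost; recursion itself defaults to yes."""
    body = options_body(conf)
    m = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    if m and m.group(1) == "no":
        return []
    for option in ("allow-recursion", "allow-query-cache", "allow-query"):
        acl = address_list(body, option)
        if acl is not None:
            return acl
    return ["localnets", "localhost"]

def is_open_resolver(conf):
    """True when any client on the Internet can make this server recurse."""
    return "any" in recursion_clients(conf)
```

Run it over the caching-only configuration and it reports localnets as the only recursion clients; change allow-query to any without adding allow-recursion and the same server becomes an open resolver.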
You can add definitions to the configuration file that are appropriate to the network environment. The following example defines settings for the service and the top-level definitions for zones:
include "/etc/rndc.key";
controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
zone "us.mydom.com" {
    type master;
    file "master-data";
    allow-update { key "rndc-key"; };
    notify yes;
};
zone "mydom.com" IN {
    type slave;
    file "sec/slave-data";
    allow-update { key "rndc-key"; };
    masters {10.1.32.1;};
};
zone "2.168.192.in-addr.arpa" IN {
    type master;
    file "reverse-192.168.2";
    allow-update { key "rndc-key"; };
    notify yes;
};
The include statement enables external files to be referenced so that sensitive data such as key hashes can be placed in a separate file with restricted permissions.

                  
The controls statement defines access information and the security requirements that are necessary to use the rndc command with the named server:

- inet: Specifies which hosts can run rndc to control named. In this example, rndc must be run on the local host (127.0.0.1).
- keys: Specifies the names of the keys that can be used. The example specifies using the key named rndc-key, which is defined in /etc/rndc.key. Keys authenticate various actions by named and are the primary method of controlling remote access and administration.
The zone statements define the role of the server in different zones.

The following zone options are used:
- type: Specifies that this system is the primary name server for the zone us.mydom.com and a backup server for mydom.com. 2.168.192.in-addr.arpa is a reverse zone for resolving IP addresses to host names. See About Resource Records for Reverse-Name Resolution.
- file: Specifies the path to the zone file relative to /var/named. The zone file for us.mydom.com is stored in /var/named/master-data and the transferred zone data for mydom.com is cached in /var/named/sec/slave-data.
- allow-update: Specifies that a shared key must exist on both the primary and backup name servers for a zone transfer to take place from the primary to the backup. The following is an example record for a key in the /etc/rndc.key file:

  key "rndc-key" { algorithm hmac-md5; secret "XQX8NmM41+RfbbSdcqOejg=="; };

  You can use the rndc-confgen -a command to generate a key file.
- notify: Specifies whether to notify the backup name servers when the zone information is updated.
- masters: Specifies the primary name server for a backup name server.
For more information, see the named.conf(5) manual page and the BIND documentation in /usr/share/doc/bind-version/arm.

About Resource Records in Zone Files
A resource record in a zone file contains the following fields, some of which are optional, depending on the record type:
- Name: Domain name or IP address.
- TTL (time to live): The maximum time that a name server caches a record before it checks whether a newer one is available.
- Class: Always IN for the Internet.
- Type: Type of record, for example:
  - A (address): IPv4 address corresponding to a host.
  - AAAA (address): IPv6 address corresponding to a host.
  - CNAME (canonical name): Alias name corresponding to a host name.
  - MX (mail exchange): Destination for email addressed to the domain.
  - NS (name server): Fully qualified domain name of an authoritative name server for a domain.
  - PTR (pointer): Host name that corresponds to an IP address for address-to-name lookups (reverse-name resolution).
  - SOA (start of authority): Authoritative information about a zone, such as the primary name server, the email address of the domain's administrator, and the domain's serial number. All records following an SOA record relate to the zone that it defines up to the next SOA record.
- Data: Information that the record stores, such as an IP address in an A record, or a host name in a CNAME or PTR record.
The following example shows the contents of a typical zone file such as /var/named/master-data:

$TTL 86400        ; 1 day
@ IN SOA dns.us.mydom.com. root.us.mydom.com. (
            57 ; serial
            28800 ; refresh (8 hours)
            7200 ; retry (2 hours)
            2419200 ; expire (4 weeks)
            86400 ; minimum (1 day)
            )
              IN  NS      dns.us.mydom.com.
dns           IN  A       192.168.2.1
us.mydom.com. IN  A       192.168.2.1
svr01         IN  A       192.168.2.2
www           IN  CNAME   svr01
host01        IN  A       192.168.2.101
host02        IN  A       192.168.2.102
host03        IN  A       192.168.2.103
...
A comment on a line is preceded by a semicolon (;).

The $TTL directive defines the default time-to-live value for all resource records in the zone. Each resource record can define its own time-to-live value, which overrides the global setting.

The SOA record is mandatory and includes the following information:

- us.mydom.com: The name of the domain.
- dns.us.mydom.com.: The fully qualified domain name of the name server, including a trailing period (.) for the root domain.
- root.us.mydom.com.: The email address of the domain administrator.
- serial: A counter that, if incremented, tells named to reload the zone file.
- refresh: The time after which a primary name server notifies backup name servers that they should refresh their database.
- retry: If a refresh fails, the time that a backup name server should wait before attempting another refresh.
- expire: The maximum elapsed time that a backup name server has to complete a refresh before its zone records are no longer considered authoritative and it will stop answering queries.
- minimum: The minimum time for which other servers should cache information obtained from this zone.
An NS record declares an authoritative name server for the domain.

Each A record specifies the IP address that corresponds to a host name in the domain.

The CNAME record creates the alias www for svr01.

For more information, see the BIND documentation in /usr/share/doc/bind-version/arm.

About Resource Records for Reverse-Name Resolution
Forward resolution returns an IP address for a specified domain name. Reverse-name resolution returns a domain name for a specified IP address. DNS implements reverse-name resolution by using the special in-addr.arpa and ip6.arpa domains for IPv4 and IPv6.

The characteristics for a zone's in-addr.arpa or ip6.arpa domains are usually defined in /etc/named.conf, for example:

zone "2.168.192.in-addr.arpa" IN {
    type master;
    file "reverse-192.168.2";
    allow-update { key "rndc-key"; };
    notify yes;
};
The zone's name consists of in-addr.arpa, preceded by the network portion of the IP address for the domain, with its dotted quads written in reverse order.

If the network doesn't have a prefix length that's a multiple of 8, see RFC 2317 for the format that you need to use instead.
The PTR records in in-addr.arpa or ip6.arpa domains define host names that correspond to the host part of the IP address. The following example is taken from the /var/named/reverse-192.168.2 zone file:

$TTL 86400        ; 1 day
@ IN SOA dns.us.mydom.com. root.us.mydom.com. (
            57 ; serial
            28800 ; refresh (8 hours)
            7200 ; retry (2 hours)
            2419200 ; expire (4 weeks)
            86400 ; minimum (1 day)
            )
              IN  NS      dns.us.mydom.com.
1             IN  PTR     dns.us.mydom.com.
1             IN  PTR     us.mydom.com.
2             IN  PTR     svr01.us.mydom.com.
101           IN  PTR     host01.us.mydom.com.
102           IN  PTR     host02.us.mydom.com.
103           IN  PTR     host03.us.mydom.com.
...
For more information, see the BIND documentation in /usr/share/doc/bind-version/arm.