39 lines
1.9 KiB
Django/Jinja
39 lines
1.9 KiB
Django/Jinja
options {
|
|
directory "/var/cache/bind";
|
|
allow-query { localhost; 192.168.0.0/16; 10.0.0.0/8; };
|
|
|
|
// If there is a firewall between you and nameservers you want
|
|
// to talk to, you may need to fix the firewall to allow multiple
|
|
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
|
|
|
|
// If your ISP provided one or more IP addresses for stable
|
|
// nameservers, you probably want to use them as forwarders.
|
|
// Uncomment the following block, and insert the addresses replacing
|
|
// the all-0's placeholder.
|
|
|
|
// forwarders {
|
|
// 0.0.0.0;
|
|
// };
|
|
//forwarders { 208.67.222.222; 208.67.220.220; }; // OpenDNS : useful for geoloc and CDNs even if IP is changing (tunnel). Caveat : Content filtering can be enabled by anybody sharing the same IP.
|
|
forwarders { 80.67.169.12; 80.67.169.40; }; // FDN.
|
|
/*
|
|
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
|
|
- If you are building a RECURSIVE (caching) DNS server, you need to enable
|
|
recursion.
|
|
- If your recursive DNS server has a public IP address, you MUST enable access
|
|
control to limit queries to your legitimate users. Failing to do so will
|
|
cause your server to become part of large scale DNS amplification
|
|
attacks. Implementing BCP38 within your network would greatly
|
|
reduce such attack surface
|
|
*/
|
|
recursion yes;
|
|
//========================================================================
|
|
// If BIND logs error messages about the root key being expired,
|
|
// you will need to update your keys. See https://www.isc.org/bind-keys
|
|
//========================================================================
|
|
dnssec-validation auto;
|
|
|
|
auth-nxdomain no; # conform to RFC1035
|
|
listen-on-v6 { any; };
|
|
};
|