On 17/02/2023 16:06, Bob McDonald wrote:
I'm implementing a caching resolver under FreeBSD 13.1 running on a
RaspberryPI. Bind 9.18.11
My named.conf is below. My question is do these look like workable
options? I include logging and a statistics channel in my preliminary
implementations for more detail on what's going on. That will go away
eventually. Any comments are welcome.
Thanks,
Bob
named.conf:
acl rfc1918-nets {
10.0.0.0/8 <http://10.0.0.0/8>;
172.16.0.0/12 <http://172.16.0.0/12>;
192.168.0.0/16 <http://192.168.0.0/16>;
};
include "/usr/local/etc/namedb/rndc.key";
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
inet ::1 port 953 allow { ::1; } keys { rndc-key; };
};
options {
directory "/usr/local/etc/namedb/working";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
secroots-file "/var/cache/bind/secroots.txt";
memstatistics-file "/var/stats/named_mem_stats.txt";
managed-keys-directory "/var/cache/bind";
session-keyfile "/var/cache/bind/session.key";
recursion yes;
masterfile-format text;
minimal-responses no;
empty-zones-enable yes;
empty-server "raspberrypi-00.ddisupport.tech";
empty-contact "robert\.mcdonald.ddiarchitect.tech";
querylog yes;
query-source address 172.27.255.99;
transfer-source 172.27.255.99;
notify-source 172.27.255.99;
request-nsid yes;
server-id hostname;
zone-statistics full;
dnssec-validation auto;
dnssec-accept-expired no;
listen-on { 127.0.0.1; };
listen-on { 172.27.255.99; };
listen-on-v6 { ::1; };
allow-query { ::1; 127.0.0.1; rfc1918-nets; };
allow-query-cache { ::1; 127.0.0.1; rfc1918-nets; };
allow-recursion { ::1; 127.0.0.1; rfc1918-nets; };
};
zone "localhost" { type master; file
"/usr/local/etc/namedb/primary/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file
"/usr/local/etc/namedb/primary/localhost-reverse.db";};
statistics-channels {
inet 172.27.255.99 port 28079 allow { rfc1918-nets; };
};
logging {
channel default_log {
file "/var/log/named/default" versions 3 size 1m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel auth_servers_log {
file "/var/log/named/auth_servers" versions 3 size 1m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel dnssec_log {
file "/var/log/named/dnssec" versions 3 size 1m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel zone_transfers_log {
file "/var/log/named/zone_transfers" versions 3 size 1m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel ddns_log {
file "/var/log/named/ddns" versions 3 size 1m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel client_security_log {
file "/var/log/named/client_security" versions 3 size 1m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel rate_limiting_log {
file "/var/log/named/rate_limiting" versions 3 size 1m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel rpz_log {
file "/var/log/named/rpz" versions 3 size 1m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel dnstap_log {
file "/var/log/named/dnstap" versions 3 size 1m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel queries_log {
file "/var/log/named/queries" versions 600 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel query-errors_log {
file "/var/log/named/query-errors" versions 5 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity dynamic;
};
channel default_syslog {
print-time yes;
print-category yes;
print-severity yes;
syslog daemon;
severity info;
};
channel default_debug {
print-time yes;
print-category yes;
print-severity yes;
file "/var/log/named/named.debug";
severity dynamic;
};
category default { default_syslog; default_debug; default_log; };
category config { default_syslog; default_debug; default_log; };
category dispatch { default_syslog; default_debug; default_log; };
category network { default_syslog; default_debug; default_log; };
category general { default_syslog; default_debug; default_log; };
category resolver { auth_servers_log; default_debug; };
category cname { auth_servers_log; default_debug; };
category delegation-only { auth_servers_log; default_debug; };
category lame-servers { auth_servers_log; default_debug; };
category edns-disabled { auth_servers_log; default_debug; };
category dnssec { dnssec_log; default_debug; };
category notify { zone_transfers_log; default_debug; };
category xfer-in { zone_transfers_log; default_debug; };
category xfer-out { zone_transfers_log; default_debug; };
category update{ ddns_log; default_debug; };
category update-security { ddns_log; default_debug; };
category unmatched{ client_security_log; default_debug; };
category client{ client_security_log; default_debug; };
category security { client_security_log; default_debug; };
category rate-limit { rate_limiting_log; default_debug; };
category spill { rate_limiting_log; default_debug; };
category database { rate_limiting_log; default_debug; };
category rpz { rpz_log; default_debug; };
category queries { queries_log; };
category query-errors {query-errors_log; };
//
// Log messages relating to the "dnstap" DNS traffic capture system (if you
// are not using dnstap, then you may want to comment out this category and
// associated channel).
//
category dnstap { dnstap_log; default_debug; };
};
Perhaps also inject a file-based RPZ in there too.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
