
8/17/2016    /etc/named.conf

Red Hat Enterprise Linux 3: Reference Guide
Chapter 12. Berkeley Internet Name Domain (BIND)

12.2. /etc/named.conf
The named.conf file is a collection of statements using nested options surrounded by opening and closing curly brace characters, { }. Administrators must be careful when editing named.conf to avoid syntactical errors, as many seemingly minor errors will prevent the named service from starting.

Warning

Do not manually edit the /etc/named.conf file or any files in the /var/named/ directory if you are using the Domain Name Service Configuration Tool. Any manual changes to those files will be overwritten the next time the Domain Name Service Configuration Tool is used.

A typical named.conf file is organized similar to the following example:

    <statement-1> ["<statement-1-name>"] [<statement-1-class>] {
        <option-1>;
        <option-2>;
        <option-N>;
    };
    <statement-2> ["<statement-2-name>"] [<statement-2-class>] {
        <option-1>;
        <option-2>;
        <option-N>;
    };
    <statement-N> ["<statement-N-name>"] [<statement-N-class>] {
        <option-1>;
        <option-2>;
        <option-N>;
    };

12.2.1. Common Statement Types

The following types of statements are commonly used in /etc/named.conf:

12.2.1.1. acl Statement

The acl statement (or access control statement) defines groups of hosts which can then be permitted or denied access to the nameserver.

An acl statement takes the following form:

    acl <acl-name> {
        <match-element>;
        [<match-element>; ...]
    };
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-bind-namedconf.html
In this statement, replace <acl-name> with the name of the access control list and replace <match-element> with a semicolon-separated list of IP addresses. Most of the time, an individual IP address or IP network notation (such as 10.0.1.0/24) is used to identify the IP addresses within the acl statement.

The following access control lists are already defined as keywords to simplify configuration:

any
    Matches every IP address.
localhost
    Matches any IP address in use by the local system.
localnets
    Matches any IP address on any network to which the local system is connected.
none
    Matches no IP addresses.

When used in conjunction with other statements (such as the options statement), acl statements can be very useful in preventing the misuse of a BIND nameserver.

The following example defines two access control lists and uses an options statement to define how they are treated by the nameserver:

    acl black-hats {
        10.0.2.0/24;
        192.168.0.0/24;
    };
    acl red-hats {
        10.0.1.0/24;
    };
    options {
        blackhole { black-hats; };
        allow-query { red-hats; };
        allow-recursion { red-hats; };
    };

This example contains two access control lists, black-hats and red-hats. Hosts in the black-hats list are denied access to the nameserver, while hosts in the red-hats list are given normal access.
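What that acl/options example does to an individual client, as an added Python example (not code from the guide): it evaluates the keywords any, localhost, localnets and none, expands named acls, and falls back to BIND's defaults when an option is absent. The server's own addresses (LOCAL_ADDRS, LOCAL_NETS) are assumed values.

```python
import ipaddress

# Constructed to mirror the acl/options example above (added here, not the guide's code).
ACLS = {"black-hats": ["10.0.2.0/24", "192.168.0.0/24"], "red-hats": ["10.0.1.0/24"]}
OPTIONS = {"blackhole": ["black-hats"], "allow-query": ["red-hats"],
           "allow-recursion": ["red-hats"]}
# BIND's behaviour when an option is absent: nothing blackholed, everyone may query and recurse.
DEFAULTS = {"blackhole": ["none"], "allow-query": ["any"], "allow-recursion": ["any"]}
# Assumed addresses of the server itself, backing the localhost/localnets keywords.
LOCAL_ADDRS = ["127.0.0.1", "10.0.1.1"]
LOCAL_NETS = ["127.0.0.0/8", "10.0.1.0/24"]


def matches(element, ip, acls=ACLS):
    """True if one match element (keyword, acl name, address or network) covers ip."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element == "localhost":
        return str(ip) in LOCAL_ADDRS
    if element == "localnets":
        return any(ip in ipaddress.ip_network(n) for n in LOCAL_NETS)
    if element in acls:  # a named acl: expand it recursively
        return any(matches(e, ip, acls) for e in acls[element])
    return ip in ipaddress.ip_network(element, strict=False)


def decide(client, options=OPTIONS, acls=ACLS):
    """Classify what the server does with a query from client:
    'dropped' (blackholed, no answer at all), 'refused' (not in allow-query),
    'authoritative-only' (may query, no recursion) or 'recursive'."""
    ip = ipaddress.ip_address(client)

    def allowed(option):
        return any(matches(e, ip, acls) for e in options.get(option, DEFAULTS[option]))

    if allowed("blackhole"):
        return "dropped"
    if not allowed("allow-query"):
        return "refused"
    return "recursive" if allowed("allow-recursion") else "authoritative-only"
```

Calling decide with options={} shows the open-by-default behaviour the option descriptions below mention: with no allow-query or allow-recursion configured, any client gets recursive service.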

12.2.1.2. include Statement

The include statement allows files to be included in a named.conf file. This way sensitive configuration data (such as keys) can be placed in a separate file with restrictive permissions.

An include statement takes the following form:

    include "<file-name>";

In this statement, <file-name> is replaced with an absolute path to a file.

12.2.1.3. options Statement
The options statement defines global server configuration options and sets defaults for other statements. It can be used to specify the location of the named working directory, the types of queries allowed, and much more.

The options statement takes the following form:

    options {
        <option>;
        [<option>; ...]
    };

In this statement, the <option> directives are replaced with a valid option.

The following are commonly used options:

allow-query
    Specifies which hosts are allowed to query this nameserver. By default, all hosts are allowed to query. An access control list, or collection of IP addresses or networks, may be used here to only allow particular hosts to query the nameserver.
allow-recursion
    Similar to allow-query, this option applies to recursive queries. By default, all hosts are allowed to perform recursive queries on the nameserver.
blackhole
    Specifies which hosts are not allowed to query the server.
directory
    Specifies the named working directory if different from the default value, /var/named/.
forward
    Specifies the forwarding behavior of a forwarders directive. The following options are accepted:
    first
        Specifies that the nameservers listed in the forwarders directive be queried before named attempts to resolve the name itself.
    only
        Specifies that named not attempt name resolution itself in the event queries to nameservers specified in the forwarders directive fail.
forwarders
    Specifies a list of valid IP addresses for nameservers where requests should be forwarded for resolution.
listen-on
    Specifies the network interface on which named listens for queries. By default, all interfaces are used.
    Using this directive on a DNS server which also acts as a gateway, BIND can be configured to only answer queries that originate from one of the networks.
    A listen-on directive looks like the following example:

        options {
            listen-on { 10.0.1.1; };
        };

    In this example, only requests that arrive from the network interface serving the private network (10.0.1.1) will be accepted.
notify
    Controls whether named notifies the slave servers when a zone is updated. It accepts the following options:
    yes
        Notifies slave servers.
    no
        Does not notify slave servers.
    explicit
        Only notifies slave servers specified in an also-notify list within a zone statement.
pid-file
    Specifies the location of the process ID file created by named.
statistics-file
    Specifies an alternate location for statistics files. By default, named statistics are saved to the /var/named/named.stats file.

Dozens of other options are also available, many of which rely upon one another to work properly. Refer to the BIND 9 Administrator Reference Manual referenced in Section 12.7.1 Installed Documentation and the bind.conf man page for more details.

12.2.1.4. zone Statement

A zone statement defines the characteristics of a zone such as the location of its configuration file and zone-specific options. This statement can be used to override the global options statements.

A zone statement takes the following form:

    zone <zone-name> <zone-class> {
        <zone-options>;
        [<zone-options>; ...]
    };

In this statement, <zone-name> is the name of the zone, <zone-class> is the optional class of the zone, and <zone-options> is a list of options characterizing the zone.

The <zone-name> attribute for the zone statement is particularly important, as it is the default value assigned for the $ORIGIN directive used within the corresponding zone file located in the /var/named/ directory. The named daemon appends the name of the zone to any non-fully qualified domain name listed in the zone file.

For example, if a zone statement defines the namespace for example.com, use example.com as the <zone-name> so it is placed at the end of hostnames within the example.com zone file.

For more information about zone files, see Section 12.3 Zone Files.

The most common zone statement options include the following:

allow-query
    Specifies the clients that are allowed to request information about this zone. The default is to allow all query requests.
allow-transfer
    Specifies the slave servers that are allowed to request a transfer of the zone's information. The default is to allow all transfer requests.
allow-update
    Specifies the hosts that are allowed to dynamically update information in their zone. The default is to deny all dynamic update requests.
    Be careful when allowing hosts to update information about their zone. Do not enable this option unless the host specified is completely trusted. In general, it is better to have an administrator manually update the records for a zone and reload the named service.
file
    Specifies the name of the file in the named working directory that contains the zone's configuration data.
masters
    Specifies the IP addresses from which to request authoritative zone information and is used only if the zone is defined as type slave.
notify
    Specifies whether or not named notifies the slave servers when a zone is updated. This directive accepts the following options:
    yes
        Notifies slave servers.
    no
        Does not notify slave servers.
    explicit
        Only notifies slave servers specified in an also-notify list within a zone statement.
type
    Defines the type of zone. Below is a list of valid options:
    forward
        Forwards all requests for information about this zone to other nameservers.
    hint
        A special type of zone used to point to the root nameservers which resolve queries when a zone is not otherwise known. No configuration beyond the default is necessary with a hint zone.
    master
        Designates the nameserver as authoritative for this zone. A zone should be set as the master if the zone's configuration files reside on the system.
    slave
        Designates the nameserver as a slave server for this zone. Also specifies the IP address of the master nameserver for the zone.
zone-statistics
    Configures named to keep statistics concerning this zone, writing them to either the default location (/var/named/named.stats) or the file listed in the statistics-file option in the server statement. See Section 12.2.2 Other Statement Types for more information about the server statement.

12.2.1.5. Sample zone Statements

Most changes to the /etc/named.conf file of a master or slave nameserver involve adding, modifying, or deleting zone statements. While these zone statements can contain many options, most nameservers require only a small subset to function efficiently. The following zone statements are very basic examples illustrating a master-slave nameserver relationship.

The following is an example of a zone statement for the primary nameserver hosting example.com (192.168.0.1):

    zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
    };

In the statement, the zone is identified as example.com, the type is set to master, and the named service is instructed to read the /var/named/example.com.zone file. It also tells named not to allow any other hosts to update.
A slave server's zone statement for example.com is slightly different from the previous example. For a slave server, the type is set to slave and in place of the allow-update line is a directive telling named the IP address of the master server.

The following is an example slave server zone statement for the example.com zone:

    zone "example.com" {
        type slave;
        file "example.com.zone";
        masters { 192.168.0.1; };
    };

This zone statement configures named on the slave server to query the master server at the 192.168.0.1 IP address for information about the example.com zone. The information the slave server receives from the master server is saved to the /var/named/example.com.zone file.

12.2.2. Other Statement Types

The following is a list of lesser-used statement types available within named.conf:

controls
    Configures various security requirements necessary to use the rndc command to administer the named service.
    Refer to Section 12.4.1 Configuring /etc/named.conf to learn more about how the controls statement is structured and about the options which are available.
key "<key-name>"
    Defines a particular key by name. Keys are used to authenticate various actions, such as secure updates or the use of the rndc command. Two options are used with key:
    algorithm <algorithm-name>
        The type of algorithm used, such as dsa or hmac-md5.
    secret "<key-value>"
        The encrypted key.
    Refer to Section 12.4.2 Configuring /etc/rndc.conf for instruction on how to write a key statement.
logging
    Allows for the use of multiple types of logs, called channels. By using the channel option within the logging statement, a customized type of log, with its own file name (file), size limit (size), versioning (version), and level of importance (severity), can be constructed. Once a customized channel has been defined, a category option is used to categorize the channel and begin logging when named is restarted.
    By default, named logs standard messages to the syslog daemon, which places them in /var/log/messages. This occurs because several standard channels are built into BIND with various severity levels, such as one that handles informational logging messages (default_syslog) and another that specifically handles debugging messages (default_debug). A default category, called default, uses the built-in channels to do normal logging without any special configuration.
    Customizing the logging process can be a very detailed process and is beyond the scope of this chapter. For information on creating custom BIND logs, see the BIND 9 Administrator Reference Manual referenced in Section 12.7.1 Installed Documentation.
server
    Specifies options that affect how named should respond to remote nameservers, especially in regards to notifications and zone transfers.
    The transfer-format option controls whether one resource record is sent with each message (one-answer) or multiple resource records are sent with each message (many-answers). While many-answers is more efficient, only newer BIND nameservers understand it.
trusted-keys
    Contains assorted public keys used for secure DNS (DNSSEC). See Section 12.5.3 Security for more information concerning BIND security.
view "<view-name>"
    Creates special views depending upon which network the host querying the nameserver is on. This allows some hosts to receive one answer regarding a zone while other hosts receive totally different information. Alternatively, certain zones may only be made available to particular trusted hosts while non-trusted hosts can only make queries for other zones.
    Multiple views may be used, but their names must be unique. The match-clients option specifies the IP addresses that apply to a particular view. Any options statements may also be used within a view, overriding the global options already configured for named. Most view statements contain multiple zone statements that apply to the match-clients list. The order in which view statements are listed is important, as the first view statement that matches a particular client's IP address is used.
    See Section 12.5.2 Multiple Views for more information about the view statement.
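The order-sensitive view selection described above, as an added Python example (not the guide's code): the two views, their match-clients lists, the zone names and the client addresses are all constructed.

```python
import ipaddress

# Constructed example (not from the guide): two views in the order named evaluates them.
# 10.0.1.0/24 stands for the internal network; all addresses are assumed.
VIEWS = [
    {"name": "internal", "match-clients": ["10.0.1.0/24", "127.0.0.1"],
     "zones": ["example.com", "corp.example.com"]},
    {"name": "external", "match-clients": ["any"], "zones": ["example.com"]},
]


def _covers(element, ip):
    """True if a match-clients element ('any', 'none', address or network) covers ip."""
    if element in ("any", "none"):
        return element == "any"
    return ip in ipaddress.ip_network(element, strict=False)


def select_view(client, views=VIEWS):
    """Name of the first view whose match-clients list covers client, or None when
    no view matches (named then has no view to answer from)."""
    ip = ipaddress.ip_address(client)
    for view in views:  # first match wins, so the listing order decides
        if any(_covers(e, ip) for e in view["match-clients"]):
            return view["name"]
    return None


def visible_zones(client, views=VIEWS):
    """Zones the client can ask about: those of the view it lands in."""
    name = select_view(client, views)
    return next((v["zones"] for v in views if v["name"] == name), [])
```

Reversing the list puts the catch-all "any" view first, so every client, internal ones included, lands in the external view and the internal-only zone is never served.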

12.2.3. Comment Tags

The following is a list of valid comment tags used within named.conf:

//
    When placed at the beginning of a line, that line is ignored by named.
#
    When placed at the beginning of a line, that line is ignored by named.
/* and */
    When text is enclosed in these tags, the block of text is ignored by named.
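A minimal parser for the nested statement structure shown at the start of 12.2 that also strips the three comment styles listed here, added as an example (not code from the guide). It rejects the missing semicolon or unbalanced brace that the warning in 12.2 says will stop named from starting; the sample configuration is constructed from the acl/options example in 12.2.1.1.

```python
import re
# Constructed sample (not from the guide): the 12.2.1.1 acl/options example plus all three 12.2.3 comment styles.
SAMPLE = """
// hosts that are dropped outright
acl black-hats { 10.0.2.0/24; 192.168.0.0/24; };
acl red-hats { 10.0.1.0/24; };   # hosts that get normal service
options {
    blackhole { black-hats; };
    allow-query { red-hats; };   /* trusted
        network only */
};
"""
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')  # quoted string, delimiter or word

def strip_comments(text):
    """Drop /* ... */ blocks, then // and # line comments (the 12.2.3 comment tags)."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def parse(text):
    """Return [(words, body), ...]: words is the keyword plus its labels (quotes removed); body is the nested list of a { } block or None for a bare element."""
    tokens = _TOKEN.findall(strip_comments(text))
    items, pos = _block(tokens, 0)
    if pos != len(tokens):
        raise SyntaxError("unexpected '}' at top level")
    return items

def _block(tokens, pos):  # parse statements until '}' or end of input; raise where named would
    items = []
    while pos < len(tokens) and tokens[pos] != "}":
        words, body = [], None
        while pos < len(tokens) and tokens[pos] not in ("{", ";", "}"):
            words.append(tokens[pos].strip('"'))
            pos += 1
        if pos < len(tokens) and tokens[pos] == "{":
            body, pos = _block(tokens, pos + 1)       # recurse into the nested block
            if pos >= len(tokens) or tokens[pos] != "}":
                raise SyntaxError("unclosed '{' after " + " ".join(words))
            pos += 1
        if pos >= len(tokens) or tokens[pos] != ";":  # every statement and element ends in ';'
            raise SyntaxError("missing ';' after " + " ".join(words))
        items.append((words, body))
        pos += 1
    return items, pos

def check(text):  # None if text parses cleanly, otherwise the message it was rejected with
    try:
        parse(text)
    except SyntaxError as exc:
        return str(exc)
```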