Sanity Check
Ed Daniel
esdaniel at esdaniel.com
Fri Feb 17 17:48:26 UTC 2023
On 17/02/2023 16:06, Bob McDonald wrote:
> I'm implementing a caching resolver (BIND 9.18.11) under FreeBSD 13.1,
> running on a Raspberry Pi.
>
> My named.conf is below. My question is: do these look like workable
> options? For this preliminary implementation I have added logging and a
> statistics channel so I can see in detail what is going on; those will go
> away eventually. Any comments are welcome.
>
> Thanks,
>
> Bob
>
> named.conf:
>
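> // Clients allowed to use this resolver: the RFC 1918 private ranges.
> // This ACL is the only thing standing between "caching resolver for the
> // LAN" and "open resolver", so keep it as tight as the network allows.
> acl rfc1918-nets {
>     10.0.0.0/8;
>     172.16.0.0/12;
>     192.168.0.0/16;
> };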
>
> // Shared secret for rndc. The key name defined in this file must match the
> // "keys { rndc-key; }" references below, and the file should be readable
> // only by the user named runs as: it is the credential for every control
> // command (reload, flush, trace, ...).
> include "/usr/local/etc/namedb/rndc.key";
>
> // Control channel: loopback only, on both address families, and the key is
> // required in addition to the source-address check.
> controls {
> inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
> inet ::1 port 953 allow { ::1; } keys { rndc-key; };
> };
>
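> options {
>     // Working directory; relative file names resolve against it.
>     directory "/usr/local/etc/namedb/working";
>     pid-file "/var/run/named/pid";
>     dump-file "/var/dump/named_dump.db";
>     statistics-file "/var/stats/named.stats";
>     secroots-file "/var/cache/bind/secroots.txt";
>     memstatistics-file "/var/stats/named_mem_stats.txt";
>     // RFC 5011 trust-anchor state is kept here and must be writable by the
>     // named user, otherwise "dnssec-validation auto" cannot track key
>     // rollovers. /var/cache/bind is a Debian-style path; on this FreeBSD
>     // box make sure it (and /var/dump, /var/stats) actually exists with the
>     // right ownership.
>     managed-keys-directory "/var/cache/bind";
>     session-keyfile "/var/cache/bind/session.key";
>
>     // Recursive resolver for the private networks listed in rfc1918-nets.
>     recursion yes;
>     masterfile-format text;
>     // Full answers (authority/additional sections included) while
>     // debugging. Recent BIND defaults to no-auth-recursive, which keeps
>     // recursive answers smaller; consider dropping this line later.
>     minimal-responses no;
>     // Built-in empty zones answer RFC 1918 reverse lookups etc. locally
>     // instead of leaking them to the root servers. The escaped dot keeps
>     // "robert.mcdonald" as the mailbox local part in the SOA RNAME.
>     empty-zones-enable yes;
>     empty-server "raspberrypi-00.ddisupport.tech";
>     empty-contact "robert\.mcdonald.ddiarchitect.tech";
>     // Per-query logging (see the "queries" category). Temporary: every
>     // line records a client address and the name it asked for, so treat
>     // the log files as sensitive.
>     querylog yes;
>     // Pin the source ADDRESS only. Do not add a "port" here: a fixed
>     // source port discards the port randomisation that protects the cache
>     // against spoofed-answer poisoning.
>     query-source address 172.27.255.99;
>     transfer-source 172.27.255.99;
>     notify-source 172.27.255.99;
>     // Ask upstream servers for their NSID, and answer NSID / server-id
>     // queries with this host's name. Fine on a private network, but it
>     // does identify the box to anyone who can reach it.
>     request-nsid yes;
>     server-id hostname;
>     zone-statistics full;
>     // Validate against the built-in root trust anchor; never accept
>     // expired signatures (already the default, stated for clarity).
>     dnssec-validation auto;
>     dnssec-accept-expired no;
>
>     // Listen on loopback and the LAN address only (both on port 53).
>     listen-on { 127.0.0.1; 172.27.255.99; };
>     listen-on-v6 { ::1; };
>
>     // Same client set for plain queries, cache lookups and recursion.
>     // Anything else is REFUSED, so even if the LAN address became
>     // reachable from outside this would not turn into an open resolver.
>     allow-query { ::1; 127.0.0.1; rfc1918-nets; };
>     allow-query-cache { ::1; 127.0.0.1; rfc1918-nets; };
>     allow-recursion { ::1; 127.0.0.1; rfc1918-nets; };
>     // The localhost zones are primaries and the default allow-transfer is
>     // open; nothing needs AXFR from a resolver, so close it explicitly.
>     allow-transfer { none; };
> };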
>
> // Local authoritative data: forward and reverse zones for localhost, so
> // those lookups are answered here and never sent upstream.
> zone "localhost" {
>     type master;
>     file "/usr/local/etc/namedb/primary/localhost-forward.db";
> };
> zone "127.in-addr.arpa" {
>     type master;
>     file "/usr/local/etc/namedb/primary/localhost-reverse.db";
> };
>
> // Statistics over plain HTTP. There is no authentication on this channel;
> // the allow list is the only access control, and as written it admits
> // every RFC 1918 address, not just this host's LAN. Narrow it to the
> // monitoring host(s) -- or drop it -- if it outlives the testing phase.
> statistics-channels {
> inet 172.27.255.99 port 28079 allow { rfc1918-nets; };
> };
>
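> logging {
>     // Every file channel is rotated ("versions N size S") so a busy day
>     // cannot fill the SD card. The debug channel used to be the one
>     // uncapped file; it is now bounded as well.
>     channel default_log {
>         file "/var/log/named/default" versions 3 size 1m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity info;
>     };
>     channel auth_servers_log {
>         file "/var/log/named/auth_servers" versions 3 size 1m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity info;
>     };
>     channel dnssec_log {
>         file "/var/log/named/dnssec" versions 3 size 1m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity info;
>     };
>     channel zone_transfers_log {
>         file "/var/log/named/zone_transfers" versions 3 size 1m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity info;
>     };
>     channel ddns_log {
>         file "/var/log/named/ddns" versions 3 size 1m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity info;
>     };
>     channel client_security_log {
>         file "/var/log/named/client_security" versions 3 size 1m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity info;
>     };
>     channel rate_limiting_log {
>         file "/var/log/named/rate_limiting" versions 3 size 1m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity info;
>     };
>     channel rpz_log {
>         file "/var/log/named/rpz" versions 3 size 1m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity info;
>     };
>     channel dnstap_log {
>         file "/var/log/named/dnstap" versions 3 size 1m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity info;
>     };
>     channel queries_log {
>         // Up to 600 x 20m = 12 GB of query history. Each line carries a
>         // client address and the name it asked for: keep the directory
>         // private, and shrink the retention once debugging is done.
>         file "/var/log/named/queries" versions 600 size 20m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         severity info;
>     };
>     channel query-errors_log {
>         file "/var/log/named/query-errors" versions 5 size 20m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         // "dynamic": verbosity follows the server debug level (rndc trace).
>         severity dynamic;
>     };
>     channel default_syslog {
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         syslog daemon;
>         severity info;
>     };
>     channel default_debug {
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>         // Previously uncapped. This channel is attached to almost every
>         // category and follows the debug level, so one "rndc trace" could
>         // have grown it without bound; rotate it like the others.
>         file "/var/log/named/named.debug" versions 3 size 10m;
>         severity dynamic;
>     };
>
>     // Server-wide housekeeping: syslog plus the default file.
>     category default { default_syslog; default_debug; default_log; };
>     category config { default_syslog; default_debug; default_log; };
>     category dispatch { default_syslog; default_debug; default_log; };
>     category network { default_syslog; default_debug; default_log; };
>     category general { default_syslog; default_debug; default_log; };
>     // Internal zone/cache database messages are housekeeping, not rate
>     // limiting; they were previously routed to rate_limiting_log.
>     category database { default_syslog; default_debug; default_log; };
>
>     // What the resolver sees from upstream authoritative servers.
>     category resolver { auth_servers_log; default_debug; };
>     category cname { auth_servers_log; default_debug; };
>     category delegation-only { auth_servers_log; default_debug; };
>     category lame-servers { auth_servers_log; default_debug; };
>     category edns-disabled { auth_servers_log; default_debug; };
>
>     // Validation results. Check here first when "dnssec-validation auto"
>     // starts returning SERVFAIL for a domain.
>     category dnssec { dnssec_log; default_debug; };
>
>     // A resolver should see little or no transfer/notify traffic, so
>     // anything that turns up in this log is worth a look.
>     category notify { zone_transfers_log; default_debug; };
>     category xfer-in { zone_transfers_log; default_debug; };
>     category xfer-out { zone_transfers_log; default_debug; };
>
>     // Dynamic updates, including the ones that were refused.
>     category update { ddns_log; default_debug; };
>     category update-security { ddns_log; default_debug; };
>
>     // Client-side security events: approved/denied requests (security),
>     // per-client processing errors (client) and packets that matched no
>     // view or class (unmatched).
>     category unmatched { client_security_log; default_debug; };
>     category client { client_security_log; default_debug; };
>     category security { client_security_log; default_debug; };
>
>     // Response rate limiting and fetch-limit spills. No rate-limit {}
>     // block is configured yet, so rate-limit stays empty until one is.
>     category rate-limit { rate_limiting_log; default_debug; };
>     category spill { rate_limiting_log; default_debug; };
>
>     // Response policy zones. Logged here, but no response-policy
>     // statement is defined in this configuration yet.
>     category rpz { rpz_log; default_debug; };
>
>     // Query log (enabled by "querylog yes" in options). File channel only;
>     // deliberately not duplicated into the debug channel.
>     category queries { queries_log; };
>
>     category query-errors { query-errors_log; };
>     //
>     // Log messages relating to the "dnstap" DNS traffic capture system (if you
>     // are not using dnstap, then you may want to comment out this category and
>     // associated channel).
>     //
>     category dnstap { dnstap_log; default_debug; };
> };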
>
Perhaps also add a file-based RPZ (response policy zone): the config already routes the rpz logging category to its own channel, but no response-policy statement is defined yet.