# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	named.conf
#	named-master.conf
#	named-slave.conf
#	named-rfc1918.conf
#	named-rfc1918-slave.conf
#	named.root
#	master/
#	master/0
#	master/0.IP6.INT
#	master/127
#	master/127.0
#	master/127.0.0
#	master/127.255
#	master/127.255.255
#	master/255
#	master/localhost
#	master/rfc1918.template
#
# How it works: every member is stored in a quoted here-document with an
# "X" guard character at the start of each line; sed 's/^X//' strips the
# guard and the redirection writes the member into the current directory.
#
# NOTE(review): unpacking executes this file and each ">file" redirection
# truncates any same-named file already present, so read the archive first
# and unpack it in an empty scratch directory, then copy the reviewed files
# into place.
#
# NOTE(review): named.conf as shipped is permissive; before using it on a
# reachable server check at least the following (all visible in the member
# below):
#   - recursion_acl ends with "any", so allow-recursion admits every
#     client although the file's own comment advises limiting recursion
#     to trusted clients. Removing the "any" entry leaves only
#     localhost/localnets.
#   - xfer_acl is "any", so allow-transfer gives full zone contents to
#     whoever asks; listing only the real secondaries avoids that.
#   - "query-source address 0.0.0.0 port 53" fixes the source port of
#     outgoing queries, which takes away source-port randomness as a
#     defence against forged answers (the forgery analysis the file links
#     to is about exactly that cost).
#   - bogon_acl was last synced on 08 APR 2003 and is applied through
#     "blackhole"; address space assigned after that date would be
#     dropped silently, so refresh the list before enabling it.
#   - deny_address_record_acl is a hand-maintained list of addresses from
#     the same period; verify it is still wanted.
#   - "directory" is /var/named while the zone "file" paths are absolute
#     under /etc/namedb; make sure both trees have the intended ownership
#     and are not writable by unprivileged users.
#
echo x - named.conf
sed 's/^X//' >named.conf << 'END-of-named.conf'
X#ident "@(#)namedb:$Id$"
X# -*- awk -*-
X# $NetBSD: named.conf,v 1.8 2002/02/26 08:48:35 itojun Exp $
X
X#
X# named.conf - BIND-8 main configuration
X#
X# boot/config file for a BIND-8.x based DNS name server (named)
X
X# Set up our ACLs
X#
X# In BIND 8, ACL names with quotes were treated as different from the
X# same name without quotes. In BIND 9, both are treated as the same.
X
X# An ACL listing all the "bogon" networks. These are networks listed
X# by IANA as test, RFC1918, Multicast, experimental, reserved, etc.
X# If you see DNS queries or updates with a source address within these
X# networks, they are likely of malicious origin.
X#
X# Update this list from:
X#
X# http://www.cymru.com/Documents/bogon-bn-agg.txt
X#
X# See also:
X#
X# http://www.cymru.com/Documents/secure-bind-template.html
X#
X# Last updated to match:
X#
X# Bogon Bit Notation List v2.0 08 APR 2003
X# Secure BIND Template Version 4.0 08 APR 2003
X#
X# CAUTION: If you are using RFC1918 netblocks on your network, remove
X# those netblocks from this list of blackhole ACLs! If you're running
X# a DHCP server you might even want to allow the LINK-LOCAL net too.
X#
Xacl bogon_acl {
X	0.0.0.0/7;
X	2.0.0.0/8;
X	5.0.0.0/8;
X	7.0.0.0/8;
X	10.0.0.0/8; # RFC 1918 (IANA RESERVED-10)
X	23.0.0.0/8;
X	27.0.0.0/8;
X	31.0.0.0/8;
X	36.0.0.0/7;
X	39.0.0.0/8;
X	41.0.0.0/8;
X	42.0.0.0/8;
X	49.0.0.0/8;
X	50.0.0.0/8;
X	58.0.0.0/7;
X	70.0.0.0/7;
X	72.0.0.0/5;
X	83.0.0.0/8;
X	84.0.0.0/6;
X	88.0.0.0/5;
X	96.0.0.0/3;
X#	127.0.0.0/8; # LOOPBACK
X	128.0.0.0/16; # IANA RESERVED-3
X	128.66.0.0/16; # IANA NET-TEST-B
X#	169.254.0.0/16; # IANA LINKLOCAL (DHCP client auto-config space)
X	172.16.0.0/12; # RFC 1918 (IANA-BBLK-RESERVED)
X	173.0.0.0/8;
X	174.0.0.0/7;
X	176.0.0.0/5;
X	184.0.0.0/6;
X	189.0.0.0/8;
X	190.0.0.0/8;
X	191.255.0.0/16; # IANA RESERVED (RFC 3330)
X#	192.0.0.0/16; # IANA RESERVED-192 and RESERVED-2A
X	192.0.2.0/24; # IANA RESERVED (RFC 3330)
X	192.168.0.0/16; # RFC 1918 (IANA-CBLK-RESERVED)
X	197.0.0.0/8;
X	198.18.0.0/15;
X	223.0.0.0/8;
X	224.0.0.0/3;
X	240.0.0.0/4; # Class E (RESERVED)
X};
X
X# Allow queries from anywhere by default. The DNS is public.
X#
Xacl query_acl {
X	any;
X};
X
X# Allow zone transfers from anywhere by default. The DNS is public.
X#
Xacl xfer_acl {
X	any;
X};
X
X# Deny A records with these target addresses. This prevents stupid
X# wildcard A RRs in delegation-only zones from having any effect.
X#
X# Keep this list up-to-date from here:
X#
X# http://www.imperialviolet.org/dnsfix.html
X#
Xacl deny_address_record_acl {
X	194.205.62.122; # .AC
X	216.220.34.101; # .BZ
X	206.253.214.102; # .CC (also uses 194.205.62.122 from .AC)
X	64.94.110.11; # the Verisign dickheads: .COM and .NET
X	159.226.7.162; # .CN
X	219.88.106.80; # .CX
X	202.128.12.163; # .MP
X#	195.7.77.20; # .MUSEUM
X	64.55.105.9; 212.181.91.6; # .NU
X	203.119.4.6; # .PH
X	216.98.141.250; 65.125.231.178; # .PW
X	194.205.62.62; # .SH
X	146.101.245.154; # .TD
X	195.20.32.83; 195.20.32.86; # .TK
X	194.205.62.42; # .TM
X	203.73.24.11; # .TW
X	216.35.187.246; # .WS
X};
X
X# Allow recursion from anywhere by default.
X#
X# You should probably limit recursion to just those clients you trust
X# (or at least those you can exert policy controls over).
X#
X# See http://cr.yp.to/djbdns/forgery.html for an analysis of the cost
X# of forging a cache entry.
X#
Xacl recursion_acl {
X	localhost; # any interface on this host
X	localnets; # any host on any subnet for which the system has an interface.
X	127.0.0.1/32; # "localhost" itself, just to be pedantic
X	any;
X};
X
X# an ACL for restricting private zones -- used in named.rfc1918.conf
X#
X# if this machine is multi-homed on one of these nets then you should
X# add entries for the networks your public interfaces reside on too,
X# assuming you want queries from those nets to be able to access your
X# private zones.
X#
X# NOTE: Do not completely comment out this entry, just its contents.
X#
Xacl local_nets_query {
X	localhost; # any interface on this host
X	localnets; # any host on any subnet for which the system has an interface.
X	127.0.0.1/32; # "localhost" itself, just to be pedantic
X#	N.N.N.N ; # other local trusted nets/hosts...
X};
X
X
X# Useful options and other things we like to do....
X#
Xoptions {
X	# The working directory of the server process.
X	#
X	# WARNING: All filename references are relative to this directory.
X	#
X	directory "/var/named";
X
X	# keep named out of world-writable directories....
X	#
X	dump-file "/var/named/named_dump.db";
X	statistics-file "/var/named/named.stats";
X	memstatistics-file "/var/named/named.memstats";
X
X	# use *.53 for recursive queries so as to avoid any possible
X	# problems with firewalls, i.e. to ensure that all DNS packets
X	# are on port 53, including the replies...
X	#
X	# NOTE: this cannot be used on any machine that's also running a
X	# public external nameserver (because that one would get all our
X	# replies from the outside world!)
X	#
X	# Also NOTE: You must use 0.0.0.0 if you listen on more than
X	# one interface (i.e. address)!
X	#
X	query-source address 0.0.0.0 port 53;
X
X	# Use an explicit transfer source address if any NS records
X	# for any zones this nameserver is authoritative for point to
X	# any address on interface which has more than one address.
X	#
X	#transfer-source N.N.N.N;
X
X	# You probably want this for a primary authoritative nameserver,
X	# and you definitely need this for an internal caching server.
X	#
X	# An AUTH-only nameserver should NOT listen on 127.0.0.1,
X	# especially if a caching nameserver also lives on the same
X	# machine and listens on an internal IP! Let the caching
X	# nameserver handle localhost queries.
X	#
X	#listen-on {
X	#	N.N.N.N; /* N.N.N.N is your primary NS IP addr */
X	#};
X
X	# If we have no dynamic interfaces, then BIND shouldn't need
X	# to poll for interface state changes....
X	#
X	interface-interval 0;
X
X	# you need this if you want to see where answers came from....
X	#
X	host-statistics yes;
X
X	# this is useful too (but only for BIND-9)
X	#
X	#zone-statistics yes;
X
X	# keep track of all outstanding queries.... (only 128kb required)
X	#
X	use-id-pool yes;
X
X	# don't allow any fooling around here!
X	#
X	check-names master fail;
X	check-names slave fail;
X	check-names response fail;
X
X	# If this is an internal caching nameserver that can't
X	# directly talk to the outside world, or is supplemental to
X	# some other primary (internal) caching nameserver, then you
X	# need to forward local queries as appropriate:
X	#
X	#forward only;
X	#forwarders { N.N.N.N; };
X
X	# Generate more efficient zone transfers. This will place
X	# multiple DNS records in a DNS message, instead of one per
X	# DNS message.
X	#
X	transfer-format many-answers;
X
X	# If yes, the server will send NS records along with the SOA
X	# record for negative answers. You need to set this to no if
X	# you have an old BIND server using you as a forwarder that
X	# does not understand negative answers which contain both SOA
X	# and NS records or if you have an old version of sendmail.
X	# The correct fix is to upgrade the broken server or sendmail.
X	#
X	rfc2308-type1 yes;
X
X	# If this is an authorititative nameserver ONLY:
X	#
X	# Note we could also enhance this by setting a default
X	# 'allow_query' option to use the built-in ACL "none", and
X	# then in each public zone for which we are authoritative we
X	# would would specify an 'allow_query' option to use the
X	# built-in ACL "any".
X	#
X	# Note also the 'allow-recursion' option which can be used to
X	# specify more selective ACLs.
X	#
X	#recursion no;
X
X	# This is used in conjunction with "recursion no" to prevent
X	# the server's cache from growing or becoming corrupted (at
X	# the minor cost of requiring more work from the client).
X	#
X	#fetch-glue no;
X
X	# Turning off notify will result in slower updates to the
X	# slave servers (e.g. they will await the poll interval before
X	# checking for updates), so turn NOTIFY off only if absolutely
X	# necessary.
X	#
X	# Note though this can be a source of D.o.S. attacks if too
X	# many different sites send us bogus zone transfer
X	# requests....
X	#
X	notify yes;
X
X	# Set the maximum zone transfer time to something more
X	# reasonable. In this case, we state that any zone transfer
X	# that takes longer than 60 minutes is unlikely to ever
X	# complete. The default is 120 minutes (2 hours).
X	#
X	# WARNING: If you have very large zone files, adjust this to
X	# fit your requirements.
X	#
X	max-transfer-time-in 60;
X
X	# Deny anything and everything from the bogon networks as
X	# detailed in the "bogon_acl" ACL.
X	#
X	# This is especially useful if you haven't got host-based
X	# firewall filtering doing the same thing....
X	#
X	blackhole {
X		bogon_acl;
X	};
X
X	# Deny bogus A RRs (turn them into NXDOMAIN responses)
X	#
X	deny_address_record {
X		deny_address_record_acl;
X	};
X
X	# queries limited to members of the
X	# "query_acl" ACL.
X	#
X	allow-query {
X		query_acl;
X	};
X
X	# Zone tranfers limited to members of the
X	# "xfer_acl" ACL.
X	#
X	allow-transfer {
X		xfer_acl;
X	};
X
X	# recursion limited to members of the
X	# "recursion_acl" ACL.
X	#
X	allow-recursion {
X		recursion_acl;
X	};
X};
X
X# allow the members of the "dnsadmin" group to control named....
X#
Xcontrols {
X	unix "/var/run/ndc" perm 0660 owner 0 group 41;
X};
X
X# NOTE: The "severity" setting in a channel definition is a filter. It
X# blocks all messages below the specified severity level.
X#
X# The "default_syslog" channel filters at severity "info".
X#
X# The "default_debug" channel filters at the server's current debug level (-d)
X#
X# The canonical list of categories is in src/bin/named/ns_glob.h
X#
Xlogging {
X	channel my_default_syslog { /* you cannot re-define default_syslog */
X		syslog daemon;
X		severity info;
X#		print-category yes; /* for debugging logging controls */
X#		print-severity yes; /* for debugging logging controls */
X	};
X	channel full_syslog {
X		syslog daemon;
X		severity debug;
X#		print-category yes; /* for debugging logging controls */
X#		print-severity yes; /* for debugging logging controls */
X	};
X	channel notice_syslog {
X		syslog daemon;
X		severity notice;
X#		print-category yes; /* for debugging logging controls */
X#		print-severity yes; /* for debugging logging controls */
X	};
X	channel warning_syslog {
X		syslog daemon;
X		severity warning;
X#		print-category yes; /* for debugging logging controls */
X#		print-severity yes; /* for debugging logging controls */
X	};
X
X	# some noisy check-* messages are in default @ info
X	#
X	category default { notice_syslog; default_debug; };
X	category config { full_syslog; default_debug; };
X	category parser { full_syslog; default_debug; };
X# listing this category turns on querylog by default
X#	category queries { my_default_syslog; default_debug; };
X	category lame-servers { my_default_syslog; default_debug; };
X	category statistics { full_syslog; default_debug; };
X	category panic { my_default_syslog; default_debug; default_stderr; };
X	category update { my_default_syslog; default_debug; };
X	category ncache { my_default_syslog; default_debug; };
X	category xfer-in { my_default_syslog; default_debug; };
X	category xfer-out { my_default_syslog; default_debug; };
X	category db { my_default_syslog; default_debug; };
X	category eventlib { default_debug; };
X	category packet { default_debug; };
X	category notify { my_default_syslog; default_debug; };
X	category cname { my_default_syslog; default_debug; };
X	category security { full_syslog; default_debug; };
X	category os { full_syslog; default_debug; };
X	category insist { full_syslog; default_debug; };
X	category maintenance { my_default_syslog; default_debug; };
X	#
X	# no per-zone load logging messages (they clog /dev/log)
X	#
X	category load { notice_syslog; default_debug; };
X	#
X	# only important check-* messages (they are noise)
X	#
X	category response-checks { notice_syslog; default_debug; };
X};
X
X# where does everyone live?
X#
Xzone "." {
X	type hint;
X	file "/etc/namedb/named.root";
X};
X
X#
X# the ipv4 and ipv6 loopback reverse-lookup zones...
X#
X
X# the primary IPv6 "loopback" network
X#
Xzone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
X	type master;
X	file "/etc/namedb/master/0.IP6.INT";
X};
X
Xzone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
X	type master;
X	file "/etc/namedb/master/0.IP6.INT";
X};
X
X# a "top-level" domain to name the loopback interface(s)...
X#
Xzone "localhost" {
X	type master;
X	file "/etc/namedb/master/localhost";
X};
X
X# Here's a pedantic example of how reverse zones should be delegated
X# so that you can manage each sub-zone from a separate file...
X#
Xzone "127.IN-ADDR.ARPA" {
X	type master;
X	file "/etc/namedb/master/127";
X};
X
Xzone "0.127.IN-ADDR.ARPA" {
X	type master;
X	file "/etc/namedb/master/127.0";
X};
X
Xzone "0.0.127.IN-ADDR.ARPA" {
X	type master;
X	file "/etc/namedb/master/127.0.0";
X};
X
Xzone "255.127.IN-ADDR.ARPA" {
X	type master;
X	file "/etc/namedb/master/127.255";
X};
X
Xzone "255.255.127.IN-ADDR.ARPA" {
X	type master;
X	file "/etc/namedb/master/127.255.255";
X};
X
X# the following two zones are as per RFC 1912...
X#
Xzone "0.IN-ADDR.ARPA" {
X	type master;
X	file "/etc/namedb/master/0";
X};
X
Xzone "255.IN-ADDR.ARPA" {
X	type master;
X	file "/etc/namedb/master/255";
X};
X
X# Note that every caching nameserver should be authoritative for
X# all locally trusted domains.
X
X# If you already have authoritative information for the RFC-1918
X# reverse zones on some other server then you might secondary it here
X# and if so you should switch to including "named-rfc1918-slave.conf"
X# and edit it as appropriate.
X#
X#include "/etc/namedb/named-rfc1918-slave.conf";
Xinclude "/etc/namedb/named-rfc1918.conf";
X
Xinclude "/etc/namedb/named-slave.conf";
X
Xinclude "/etc/namedb/named-master.conf";
END-of-named.conf
# named-master.conf: included by named.conf; contains only commented-out
# example zones, so it adds no primary zones until edited.
echo x - named-master.conf
sed 's/^X//' >named-master.conf << 'END-of-named-master.conf'
X#ident "@(#)namedb:$Id$"
X#
X# named-master.conf - for zones we are primary for
X#
X
X# example primary server config:
X#
X# zone "Berkeley.EDU" {
X#	type master;
X#	file "/etc/named/master/berkeley.edu";
X# };
X
X# zone "32.128.IN-ADDR.ARPA" {
X#	type master;
X#	file "/etc/named/master/128.32";
X# };
END-of-named-master.conf
# named-slave.conf: included by named.conf; likewise only commented-out
# examples. The example "masters" lists name servers by bare IP address and
# the examples show no transfer authentication.
echo x - named-slave.conf
sed 's/^X//' >named-slave.conf << 'END-of-named-slave.conf'
X#ident "@(#)namedb:$Id$"
X#
X# named-slave.conf - for zones we secondary
X#
X# Note that every caching nameserver should be authoritative for
X# all locally trusted domains.
X
X# example secondary server config:
X#
X# zone "Berkeley.EDU" {
X#	type slave;
X#	file "/var/named/slave/berkeley.edu";
X#	masters {
X#		128.32.130.11;
X#		128.32.133.1;
X#	};
X# };
X
X# zone "32.128.IN-ADDR.ARPA" {
X#	type slave;
X#	file "/var/named/slave/128.32";
X#	masters {
X#		128.32.130.11;
X#		128.32.133.1;
X#	};
X# };
END-of-named-slave.conf
# named-rfc1918.conf: locally authoritative stub zones for the RFC 1918,
# link-local and NET-TEST reverse trees. Each zone restricts allow-query to
# local_nets_query (defined in named.conf) plus rfc1918_query (defined
# here). The zone files named below (master/10, master/172.16, ...) are not
# members of this archive; see the note at the very end.
echo x - named-rfc1918.conf
sed 's/^X//' >named-rfc1918.conf << 'END-of-named-rfc1918.conf'
X#ident "@(#)namedb:$Id$"
X#
X# named-rfc1918.conf - for primary of RFC 1918, etc. reverse zones
X#
X
X# These zones are by default just stubs that'll prevent network
X# queries for information that cannot possibly be found to be anywhere
X# else (unless you do happen to use these networks locally, in which
X# case you're either now half-way to configuring reverse lookups for
X# them, or else if you already have authoritative information on some
X# other server then you might secondary it here and you should switch
X# to including "named-rfc1918-slave.conf" in your "named.conf" file.
X
X# an ACL is used to restrict queries to only those private hosts that
X# should know this information.... In BIND-9 split-horizon configs
X# should be used too.
X#
X# NOTE: we assume there's a global local_nets_query acl defined within
X# the file that includes this file that will allow authorised local
X# multi-homed hosts to look at these zones.
X#
X# Note that if you are running your nameserver as a cache you will
X# likely eventually get queries to look up PTRs in these zones, either
X# from your own servers who see connections apparently coming from
X# private networks (assuming you don't filter them out, as you
X# probably should), or from incorrectly configured machines on your
X# own network(s) [eg. if you are an access provider]. You can
X# probably just ignore the log entries these queries will generate if
X# you're sure they originate from remote systems that you do not
X# control.
X#
Xacl rfc1918_query {
X	10.0.0.0/8 ;
X	127.0.0.1 ;
X	172.16.0.0/12 ;
X	192.168.0.0/16 ;
X	192.0.2.0/24 ;
X	169.254.0.0/16 ;
X} ;
X
X// RFC 1918 zones
X//
Xzone "10.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/10" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "16.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.16" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "17.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.17" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "18.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.18" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "19.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.19" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "20.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.20" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "21.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.21" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "22.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.22" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "23.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.23" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "24.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.24" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "25.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.25" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "26.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.26" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "27.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.27" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "28.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.28" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "29.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.29" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "30.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.30" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "31.172.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/172.31" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
X# pedantically there are 255 sub-zones for 192.168.*.0
Xzone "168.192.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/192.168" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
X// other reserved zones
X//
X
X# 169.254.0.0/16 IANA LINKLOCAL (DHCP client auto-config space)
X#
Xzone "254.169.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/169.254" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
X# 192.0.2.0/24 IANA NET-TEST
X#
Xzone "2.0.192.in-addr.arpa" {
X	type master ;
X	file "/etc/namedb/master/192.0.2" ;
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
END-of-named-rfc1918.conf
# named-rfc1918-slave.conf: alternative to named-rfc1918.conf that
# secondaries the same reverse zones from another server. It defines
# rfc1918_query again, so presumably only one of the two files is meant to
# be included (named.conf ships with this one commented out). Every
# "masters" entry is the placeholder N.N.N.N and must be replaced; the zone
# "file" paths are relative ("slave/...") and therefore resolve under the
# "directory" set in named.conf.
echo x - named-rfc1918-slave.conf
sed 's/^X//' >named-rfc1918-slave.conf << 'END-of-named-rfc1918-slave.conf'
X#ident "@(#)namedb:$Id$"
X#
X# named-rfc1918-slave.conf - for RFC 1918, etc. reverse zones
X#
X
X# NOTE: you'll want to do a global substitute of "N.N.N.N" to replace
X# it with the IP# of your local primary nameserver for these zones,
X# and perhaps you'll add another local authoritative server for
X# redundancy too.
X
X# an ACL is used to restrict queries to only those private hosts that
X# should know this information.... In BIND-9 split-horizon configs
X# should be used too.
X#
X# NOTE: we assume there's a global local_nets_query acl defined within
X# the file that includes this file that will allow authorised local
X# multi-homed hosts to look at these zones.
X#
X# Note that if you are running your nameserver as a cache you will
X# likely eventually get queries to look up PTRs in these zones, either
X# from your own servers who see connections apparently coming from
X# private networks (assuming you don't filter them out, as you
X# probably should), or from incorrectly configured machines on your
X# own network(s) [eg. if you are an access provider]. You can
X# probably just ignore the log entries these queries will generate if
X# you're sure they originate from remote systems that you do not
X# control.
X#
Xacl rfc1918_query {
X	10.0.0.0/8 ;
X	127.0.0.1 ;
X	172.16.0.0/12 ;
X	192.168.0.0/16 ;
X	192.0.2.0/24 ;
X	169.254.0.0/16 ;
X} ;
X
X# NOTICE: You might also want to change "slave" to "/var/named/slave" below
X
X// RFC 1918 zones
X//
Xzone "10.in-addr.arpa" {
X	type slave ;
X	file "slave/10" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "16.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.16" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "17.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.17" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "18.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.18" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "19.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.19" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "20.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.20" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "21.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.21" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "22.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.22" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "23.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.23" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "24.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.24" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "25.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.25" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "26.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.26" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "27.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.27" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "28.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.28" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "29.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.29" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "30.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.30" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "31.172.in-addr.arpa" {
X	type slave ;
X	file "slave/172.31" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
Xzone "168.192.in-addr.arpa" {
X	type slave ;
X	file "slave/192.168" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
X// other reserved zones
X//
X
X# 169.254.0.0/16 IANA LINKLOCAL (DHCP client auto-config space)
X#
Xzone "254.169.in-addr.arpa" {
X	type slave ;
X	file "slave/169.254" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
X
X# 192.0.2.0/24 IANA NET-TEST
X#
Xzone "2.0.192.in-addr.arpa" {
X	type slave ;
X	file "slave/192.0.2" ;
X	masters {
X		N.N.N.N;
X	};
X	allow-query {
X		local_nets_query ;
X		rfc1918_query ;
X	} ;
X} ;
END-of-named-rfc1918-slave.conf
# named.root: root hints loaded by the "." hint zone in named.conf.
# NOTE(review): this copy states "last update: Jan 29, 2004"; root server
# addresses do change over time, so replace it with a current copy obtained
# from the publisher over a channel you can verify before relying on it.
echo x - named.root
sed 's/^X//' >named.root << 'END-of-named.root'
X; This file holds the information on root name servers needed to
X; initialize cache of Internet domain name servers
X; (e.g. reference this file in the "cache . "
X; configuration file of BIND domain name servers).
X;
X; This file is made available by InterNIC
X; under anonymous FTP as
X; file /domain/named.root
X; on server FTP.INTERNIC.NET
X; -OR- RS.INTERNIC.NET
X;
X; last update: Jan 29, 2004
X; related version of root zone: 2004012900
X;
X;
X; formerly NS.INTERNIC.NET
X;
X. 3600000 IN NS A.ROOT-SERVERS.NET.
XA.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
X;
X; formerly NS1.ISI.EDU
X;
X. 3600000 NS B.ROOT-SERVERS.NET.
XB.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
X;
X; formerly C.PSI.NET
X;
X. 3600000 NS C.ROOT-SERVERS.NET.
XC.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
X;
X; formerly TERP.UMD.EDU
X;
X. 3600000 NS D.ROOT-SERVERS.NET.
XD.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
X;
X; formerly NS.NASA.GOV
X;
X. 3600000 NS E.ROOT-SERVERS.NET.
XE.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
X;
X; formerly NS.ISC.ORG
X;
X. 3600000 NS F.ROOT-SERVERS.NET.
XF.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
X;
X; formerly NS.NIC.DDN.MIL
X;
X. 3600000 NS G.ROOT-SERVERS.NET.
XG.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
X;
X; formerly AOS.ARL.ARMY.MIL
X;
X. 3600000 NS H.ROOT-SERVERS.NET.
XH.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
X;
X; formerly NIC.NORDU.NET
X;
X. 3600000 NS I.ROOT-SERVERS.NET.
XI.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
X;
X; operated by VeriSign, Inc.
X;
X. 3600000 NS J.ROOT-SERVERS.NET.
XJ.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
X;
X; operated by RIPE NCC
X;
X. 3600000 NS K.ROOT-SERVERS.NET.
XK.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
X;
X; operated by ICANN
X;
X. 3600000 NS L.ROOT-SERVERS.NET.
XL.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
X;
X; operated by WIDE
X;
X. 3600000 NS M.ROOT-SERVERS.NET.
XM.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
X; End of File
END-of-named.root
# Create the directory for the zone files. Output and errors from mkdir are
# discarded, so if the directory cannot be created the failure only shows
# up as errors from the redirections into master/ below.
echo c - master/
mkdir -p master/ > /dev/null 2>&1
# master/0: zone for 0.IN-ADDR.ARPA (loaded by named.conf).
echo x - master/0
sed 's/^X//' >master/0 << 'END-of-master/0'
X;#ident "@(#)namedb/master:$Id$"
X
X$TTL 6w ; the default TTL for all records listed in this file
X
X;$ORIGIN 0.IN-ADDR.ARPA.
X@ IN SOA localhost. hostmaster.localhost. (
X	2001092700 ; Serial number (yyyymmddhh)
X	8h ; Refresh Interval
X	2h ; Refresh Retry Interval
X	24w ; Expire time (24w max for BIND-8.2.3)
X	8h ) ; negative response TTL
X	IN NS localhost.
X	IN TXT "To stop bogus queries for net 0, as per RFC 1912."
X
X; there should be no other records in here.
END-of-master/0
# master/0.IP6.INT: IPv6 loopback reverse zone; named.conf loads this one
# file for both the IP6.INT and the IP6.ARPA zone names.
echo x - master/0.IP6.INT
sed 's/^X//' >master/0.IP6.INT << 'END-of-master/0.IP6.INT'
X; $NetBSD: loopback.v6,v 1.1 2000/03/01 11:06:28 itojun Exp $
X
X$TTL 24w ; the default TTL for all records listed in this file
X
X;$ORIGIN 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int
X;$ORIGIN 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
X@ IN SOA localhost. hostmaster.localhost. (
X	2003073113 ; Serial number (yyyymmddhh)
X	8h ; Refresh Interval
X	2h ; Refresh Retry Interval
X	24w ; Expire time (24w max for BIND-8.2.3)
X	16h ) ; negative response TTL
X	IN NS localhost.
X	IN TXT "The IPv6 loopback net reverse zone."
X	IN PTR localhost.
X
X; there should be no other records in here.
END-of-master/0.IP6.INT
# master/127: parent of the IPv4 loopback reverse tree; delegates the 0 and
# 255 sub-zones to localhost.
echo x - master/127
sed 's/^X//' >master/127 << 'END-of-master/127'
X;#ident "@(#)namedb/master:$Id$"
X
X$TTL 6w ; the default TTL for all records listed in this file
X
X;$ORIGIN 127.IN-ADDR.ARPA.
X@ IN SOA localhost. hostmaster.localhost. (
X	2001092700 ; Serial number (yyyymmddhh)
X	8h ; Refresh Interval
X	2h ; Refresh Retry Interval
X	24w ; Expire time (24w max for BIND-8.2.3)
X	8h ) ; negative response TTL
X	IN NS localhost.
X	IN TXT "The IPv4 LOOPBACK net reverse parent zone."
X
X; delegate sub-zones
X0 IN NS localhost.
X255 IN NS localhost.
END-of-master/127
# master/127.0: intermediate zone 0.127.IN-ADDR.ARPA.
echo x - master/127.0
sed 's/^X//' >master/127.0 << 'END-of-master/127.0'
X;#ident "@(#)namedb/master:$Id$"
X
X$TTL 6w ; the default TTL for all records listed in this file
X
X;$ORIGIN 0.127.IN-ADDR.ARPA.
X@ IN SOA localhost. hostmaster.localhost. (
X	2001092700 ; Serial number (yyyymmddhh)
X	8h ; Refresh Interval
X	2h ; Refresh Retry Interval
X	24w ; Expire time (24w max for BIND-8.2.3)
X	8h ) ; negative response TTL
X	IN NS localhost.
X	IN TXT "The IPv4 LOOPBACK net intermediate reverse zone."
X
X; delegate sub-zone(s)
X0 IN NS localhost.
END-of-master/127.0
# master/127.0.0: the zone that holds the PTR records for 127.0.0.0 and
# 127.0.0.1.
echo x - master/127.0.0
sed 's/^X//' >master/127.0.0 << 'END-of-master/127.0.0'
X;#ident "@(#)namedb/master:$Id$"
X
X$TTL 24w ; the default TTL for all records listed in this file
X
X;$ORIGIN 0.0.127.IN-ADDR.ARPA.
X@ IN SOA localhost. hostmaster.localhost. (
X	2003073113 ; Serial number (yyyymmddhh)
X	8h ; Refresh Interval
X	2h ; Refresh Retry Interval
X	24w ; Expire time (24w max for BIND-8.2.3)
X	16h ) ; negative response TTL
X	IN NS localhost.
X	IN TXT "The IPv4 LOOPBACK net reverse zone."
X
X; reverse lookup for the loopback network interface and its RFC-1101
X; network name, as well as an A RR that gives the netmask:
X;
X0 IN PTR loopback-net.localhost.
X	IN A 255.0.0.0
X	IN TXT "The loopback interface network and its netmask."
X
X; NOTE: do NOT create a "localhost.your.domain" vanity A record -- use a CNAME instead!
X;
X1 IN PTR localhost.
X	IN TXT "The pointer to _the_ canonical localhost."
X
X; there can be no other records in this zone.
END-of-master/127.0.0
# master/127.255: intermediate zone 255.127.IN-ADDR.ARPA.
echo x - master/127.255
sed 's/^X//' >master/127.255 << 'END-of-master/127.255'
X;#ident "@(#)namedb:$Id$"
X
X$TTL 6w ; the default TTL for all records listed in this file
X
X;$ORIGIN 255.127.IN-ADDR.ARPA.
X@ IN SOA localhost. hostmaster.localhost. (
X	2001092700 ; Serial number (yyyymmddhh)
X	8h ; Refresh Interval
X	2h ; Refresh Retry Interval
X	24w ; Expire time (24w max for BIND-8.2.3)
X	8h ) ; negative response TTL
X	IN NS localhost.
X	IN TXT "The IPv4 LOOPBACK net's intermediate broadcast reverse zone."
X
X; delegate sub-zones
X255 IN NS localhost.
END-of-master/127.255
# master/127.255.255: PTR for the loopback broadcast address.
echo x - master/127.255.255
sed 's/^X//' >master/127.255.255 << 'END-of-master/127.255.255'
X;#ident "@(#)namedb/master:$Id$"
X
X$TTL 6w ; the default TTL for all records listed in this file
X
X;$ORIGIN 255.255.127.IN-ADDR.ARPA.
X@ IN SOA localhost. hostmaster.localhost. (
X	2001092700 ; Serial number (yyyymmddhh)
X	8h ; Refresh Interval
X	2h ; Refresh Retry Interval
X	24w ; Expire time (24w max for BIND-8.2.3)
X	8h ) ; negative response TTL
X	IN NS localhost.
X	IN TXT "The IPv4 LOOPBACK net's broadcast reverse zone."
X
X255 PTR loopback-bcast.localhost.
X	IN TXT "The loopback network broadcast (usually unused)."
END-of-master/127.255.255
# master/255: zone for 255.IN-ADDR.ARPA (loaded by named.conf).
echo x - master/255
sed 's/^X//' >master/255 << 'END-of-master/255'
X;#ident "@(#)namedb:$Id$"
X
X$TTL 6w ; the default TTL for all records listed in this file
X
X;$ORIGIN 255.IN-ADDR.ARPA.
X@ IN SOA localhost. hostmaster.localhost. (
X	2001092700 ; Serial number (yyyymmddhh)
X	8h ; Refresh Interval
X	2h ; Refresh Retry Interval
X	24w ; Expire time (24w max for BIND-8.2.3)
X	8h ) ; negative response TTL
X	IN NS localhost.
X	IN TXT "To stop bogus queries for net 255, as per RFC 1912."
X
X; there should be no other records in here.
END-of-master/255
# master/localhost: forward zone for the name "localhost".
echo x - master/localhost
sed 's/^X//' >master/localhost << 'END-of-master/localhost'
X;#ident "@(#)namedb/master:$Id$"
X
X$TTL 24w ; the default TTL for all records listed in this file
X
X;$ORIGIN localhost.
X@ IN SOA localhost. hostmaster.localhost. (
X	2003073113 ; Serial number (yyyymmddhh)
X	8h ; Refresh Interval
X	2h ; Refresh Retry Interval
X	24w ; Expire time (24w max for BIND-8.2.3)
X	16h ) ; negative response TTL
X	IN NS localhost.
X	IN A 127.0.0.1 ; as per RFC 1912
X	IN AAAA ::1
X	IN HINFO VIRTUAL UNKNOWN
X	IN TXT "The default loopback interface"
X
X; these names in the localhost zone are for RFC-1101 network names
X
Xloopback-net IN A 127.0.0.0
X	IN HINFO NETWORK NONE
X	IN TXT "The default IPv4 loopback network"
X
Xloopback-bcast IN A 127.255.255.255
X	IN HINFO NETWORK NONE
X	IN TXT "The default IPv4 loopback broadcast address (unused in most stacks)."
X
X; there can be no other records in here.
END-of-master/localhost
# master/rfc1918.template: one SOA/NS/TXT stub; the ln -s commands at the
# end of this file link it under every zone-file name that
# named-rfc1918.conf refers to.
echo x - master/rfc1918.template
sed 's/^X//' >master/rfc1918.template << 'END-of-master/rfc1918.template'
X;#ident "@(#)namedb:$Id$"
X
X$TTL 4h
X
X; RFC1918, etc. *.in-addr.arpa
X@ IN SOA localhost. hostmaster.localhost. (
X	2001092700 ; Serial number (yyyymmddhh)
X	8h ; Refresh Interval
X	2h ; Refresh Retry Interval
X	1w ; Expire time
X	3h ) ; negative response TTL
X	IN NS localhost.
X	IN TXT "It's mine, all MINE!"
END-of-master/rfc1918.template
exit
# NOTE(review): the shell stops at the "exit" above, so nothing below is
# executed when the archive is unpacked with "sh file". named-rfc1918.conf
# names /etc/namedb/master/10, master/172.16 ... master/192.168 as zone
# files, and the archive itself contains only master/rfc1918.template, so
# these links have to be created by hand (from the directory the archive
# was unpacked in). Whether leaving them after "exit" was deliberate cannot
# be told from the archive -- confirm with its author.
ln -s rfc1918.template master/10
ln -s rfc1918.template master/169.254
ln -s rfc1918.template master/172.16
ln -s rfc1918.template master/172.17
ln -s rfc1918.template master/172.18
ln -s rfc1918.template master/172.19
ln -s rfc1918.template master/172.20
ln -s rfc1918.template master/172.21
ln -s rfc1918.template master/172.22
ln -s rfc1918.template master/172.23
ln -s rfc1918.template master/172.24
ln -s rfc1918.template master/172.25
ln -s rfc1918.template master/172.26
ln -s rfc1918.template master/172.27
ln -s rfc1918.template master/172.28
ln -s rfc1918.template master/172.29
ln -s rfc1918.template master/172.30
ln -s rfc1918.template master/172.31
ln -s rfc1918.template master/192.0.2
ln -s rfc1918.template master/192.168
# NOTE(review): the lone "." below is presumably an end-of-message marker
# left over from how the archive was distributed; it is never reached.
.