options {
        directory "/etc/namedb";
        allow-transfer { 192.168.1.0/24; };
        allow-query { 192.168.1.0/24; };
        listen-on port 53 { 192.168.1.1; };
};

zone "localhost" {
        type master;
        notify no;
        file "localhost";
};

zone "127.IN-ADDR.ARPA" {
        type master;
        notify no;
        file "127";
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int" {
        type master;
        file "loopback.v6";
};

zone "diverge.org" {
        type master;
        notify no;
        file "diverge.org";
};

zone "1.168.192.in-addr.arpa" {
        type master;
        notify no;
        file "1.168.192";
};

zone "." in {
        type hint;
        file "root.cache";
};
Note that in my named.conf the root (".") section is last. This is because there is another domain called diverge.org on the internet (I happen to own it), so I want the resolver to look out on the internet last. This is not normally the case on most systems.
Another very important thing to remember here is that if you have an internal setup, in other words no live internet connection and/or no need to do root server lookups, comment out the root (".") zone. Leaving it in may cause lookup problems if a particular client decides it wants to reference a domain on the internet, which our server cannot resolve itself.
This looks like a pretty big mess, but on closer examination many of the lines in each section turn out to be repeated, so they only need to be explained a few times.
Let's go through the sections of named.conf:
25.2.1.1. options
This section defines some global parameters, most notably the location of the DNS tables; on this particular system they will be put in /etc/namedb, as indicated by the "directory" option.
The remaining parameters are:
allow-transfer
[INDENT]This option lists which remote DNS servers acting as secondaries are allowed to do zone transfers, i.e. are allowed to read all DNS data at once. For privacy reasons, this should be restricted to secondary DNS servers only. [/INDENT]
allow-query
[INDENT]This option defines which hosts, from which network, may query this name server at all. Restricting queries to the local network (192.168.1.0/24) prevents queries arriving on the DNS server's external interface and avoids possible privacy issues.[/INDENT]
listen-on port
[INDENT]This option defines the port and the associated IP addresses on which this server will run named(8). Again, named does not listen on the "external" interface here, to prevent queries being received from "outside".[/INDENT]
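As an added check that is not part of the guide, the following Python script parses an options block in the named.conf format shown above and flags allow-transfer, allow-query or listen-on entries that reach beyond the internal network; the config fragment is constructed and the internal range 192.168.1.0/24 is assumed from the page.

```python
import ipaddress
import re

# Constructed named.conf fragment shaped like the page's options block, with
# "allow-transfer { any; }" deliberately weakened so the audit reports something.
SAMPLE_NAMED_CONF = """\
options {
        allow-transfer { any; };
        allow-query { 192.168.1.0/24; };
        listen-on port 53 { 192.168.1.1; };
};
"""
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed: the page's internal network

def extract_block(text, header):
    """Return the body of the top-level `header { ... };` block, honouring nested braces."""
    if (m := re.search(r"\b" + re.escape(header) + r"\s*\{", text)) is None:
        return None
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    raise ValueError("unbalanced braces in named.conf")

def parse_acl(block, name):
    """Address-match list of `name` (e.g. allow-transfer) as a list of strings, or None if unset."""
    m = re.search(r"\b" + re.escape(name) + r"(?![\w-])[^{;]*\{([^}]*)\}", block)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def is_internal(entry, internal_nets):
    """True for BIND's local built-in ACLs or an address/prefix inside an internal net."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:  # 'any', 'none' or a named ACL: only the local built-ins are trusted
        return entry in ("localhost", "localnets")
    return any(net.version == n.version and net.subnet_of(n) for n in internal_nets)

def audit_options(conf, internal_nets=INTERNAL_NETS):
    """Report the options the page calls out when they expose named beyond the internal net."""
    opts = extract_block(conf, "options") or ""  # no options block: every setting is unset
    findings = []
    for name in ("allow-transfer", "allow-query", "listen-on"):
        acl = parse_acl(opts, name)
        if acl is None:
            findings.append(f"{name} not set: BIND's built-in default applies")
        elif exposed := [e for e in acl if not is_internal(e, internal_nets)]:
            findings.append(f"{name} allows non-internal entries: {exposed}")
    return findings
```

Running audit_options(SAMPLE_NAMED_CONF) reports only the wide-open allow-transfer; replacing "any" with 192.168.1.0/24 clears it.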
The rest of the named.conf file consists of "zone"s. A zone is an area that can have items to resolve attached to it; e.g. a domain can have hostnames attached that resolve into IP addresses, and a reverse zone can have IP addresses attached that get resolved back into hostnames. Each zone has a file associated with it, and a table within that file for resolving that particular zone. As is readily apparent, their format in named.conf is strikingly similar, so I will highlight just one of them:
25.2.1.2. zone “diverge.org”
type
[INDENT]The type of a zone is usually "master" in all cases except for the root zone “.” and for zones for which a secondary (backup) service is provided; in the latter case the type is obviously "secondary".[/INDENT]
notify
[INDENT]Do you want to send out notifications to secondaries when your zone changes? Obviously not in this setup, so this is set to "no".[/INDENT]
file
[INDENT]This option sets the filename in our /etc/namedb directory where records about this particular zone may be found. For the "diverge.org" zone, the file /etc/namedb/diverge.org is used.[/INDENT]