I'm implementing a caching resolver with BIND 9.18.11 under FreeBSD 13.1, running on a Raspberry Pi.
My named.conf is below. My question is do these look like workable options? I include logging and a statistics channel in my preliminary implementations for more detail on what's going on. That will go away eventually. Any comments are welcome. Thanks, Bob named.conf:

// Private address space (RFC 1918); reused below for every client-facing
// allow list and for the statistics channel.
acl rfc1918-nets { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

// Shared secret for rndc. This file should be readable by the named user
// only; anyone who can read it can issue rndc commands on the loopback.
include "/usr/local/etc/namedb/rndc.key";

// rndc is reachable on loopback only (v4 and v6), and only with rndc-key.
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
    inet ::1 port 953 allow { ::1; } keys { rndc-key; };
};

options {
    directory "/usr/local/etc/namedb/working";
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    secroots-file "/var/cache/bind/secroots.txt";
    memstatistics-file "/var/stats/named_mem_stats.txt";
    // NOTE(review): with dnssec-validation auto, named writes the managed
    // trust-anchor state into this directory, so it must exist and be
    // writable by the named user (the path is a Debian-style one, not the
    // FreeBSD package default) -- confirm ownership before first start.
    managed-keys-directory "/var/cache/bind";
    // Only used by update-policy local; harmless but unused on a pure recursor.
    session-keyfile "/var/cache/bind/session.key";
    recursion yes;
    masterfile-format text;
    // NOTE(review): this pads additional/authority sections on every answer;
    // in 9.18 the default for a recursor is no-auth-recursive -- confirm
    // the larger responses are wanted.
    minimal-responses no;
    // Built-in empty zones (RFC 1918 reverse, etc.) get an SOA using the
    // two names below. The `\.` in empty-contact escapes the dot in the
    // mailbox local part so it is not read as a label separator.
    empty-zones-enable yes;
    empty-server "raspberrypi-00.ddisupport.tech";
    empty-contact "robert\.mcdonald.ddiarchitect.tech";
    // Every query is logged to the queries channel below; see the size note
    // there before leaving this on.
    querylog yes;
    // Outbound queries are pinned to the LAN address. No `port` is given,
    // so source-port randomization (spoofing resistance) is preserved.
    query-source address 172.27.255.99;
    transfer-source 172.27.255.99;
    notify-source 172.27.255.99;
    request-nsid yes;
    server-id hostname;
    zone-statistics full;
    // Validation against the built-in root trust anchor; expired RRSIGs are
    // rejected (the default).
    dnssec-validation auto;
    dnssec-accept-expired no;
    // Two listen-on statements are cumulative: loopback plus the LAN address.
    listen-on { 127.0.0.1; };
    listen-on { 172.27.255.99; };
    listen-on-v6 { ::1; };
    // These three lists are what keep this from being an open resolver:
    // queries, cache reads and recursion are limited to loopback and
    // RFC 1918 space. 172.27.255.99 lies inside 172.16.0.0/12, so LAN
    // clients on that network match rfc1918-nets.
    allow-query { ::1; 127.0.0.1; rfc1918-nets; };
    allow-query-cache { ::1; 127.0.0.1; rfc1918-nets; };
    allow-recursion { ::1; 127.0.0.1; rfc1918-nets; };
};

// Local forward and reverse zones for localhost.
zone "localhost" { type master; file "/usr/local/etc/namedb/primary/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/primary/localhost-reverse.db";};

// Statistics over HTTP. The channel has no authentication of its own; the
// allow list is the only access control, and here it admits every RFC 1918
// address. Narrowing it to the management host is cheaper than leaving it
// open once the troubleshooting phase ends.
statistics-channels { inet 172.27.255.99 port 28079 allow { rfc1918-nets; }; };

logging {
    // One file channel per area of interest, 3 x 1m each.
    channel default_log { file "/var/log/named/default" versions 3 size 1m; print-time yes; print-category yes; print-severity yes; severity info; };
    channel auth_servers_log { file "/var/log/named/auth_servers" versions 3 size 1m; print-time yes; print-category yes; print-severity yes; severity info; };
    channel dnssec_log { file "/var/log/named/dnssec" versions 3 size 1m; print-time yes; print-category yes; print-severity yes; severity info; };
    channel zone_transfers_log { file "/var/log/named/zone_transfers" versions 3 size 1m; print-time yes; print-category yes; print-severity yes; severity info; };
    channel ddns_log { file "/var/log/named/ddns" versions 3 size 1m; print-time yes; print-category yes; print-severity yes; severity info; };
    channel client_security_log { file "/var/log/named/client_security" versions 3 size 1m; print-time yes; print-category yes; print-severity yes; severity info; };
    // The options block above has no rate-limit clause, so nothing reaches
    // the rate-limit category until one is configured.
    channel rate_limiting_log { file "/var/log/named/rate_limiting" versions 3 size 1m; print-time yes; print-category yes; print-severity yes; severity info; };
    // No response-policy is configured, so the rpz category stays empty.
    channel rpz_log { file "/var/log/named/rpz" versions 3 size 1m; print-time yes; print-category yes; print-severity yes; severity info; };
    channel dnstap_log { file "/var/log/named/dnstap" versions 3 size 1m; print-time yes; print-category yes; print-severity yes; severity info; };
    // NOTE(review): 600 versions x 20m allows roughly 12 GB of query logs.
    // On a Raspberry Pi's storage a full filesystem also stops named from
    // writing its other files; consider a much smaller cap while querylog
    // is on.
    channel queries_log { file "/var/log/named/queries" versions 600 size 20m; print-time yes; print-category yes; print-severity yes; severity info; };
    channel query-errors_log { file "/var/log/named/query-errors" versions 5 size 20m; print-time yes; print-category yes; print-severity yes; severity dynamic; };
    // NOTE(review): default_syslog and default_debug are the names of
    // BIND's built-in channels -- run named-checkconf to confirm this
    // build accepts redefining them rather than failing at load.
    channel default_syslog { print-time yes; print-category yes; print-severity yes; syslog daemon; severity info; };
    // severity dynamic: only emits when named's debug level is raised.
    channel default_debug { print-time yes; print-category yes; print-severity yes; file "/var/log/named/named.debug"; severity dynamic; };

    // Core daemon categories go to syslog, the debug file and default_log.
    category default { default_syslog; default_debug; default_log; };
    category config { default_syslog; default_debug; default_log; };
    category dispatch { default_syslog; default_debug; default_log; };
    category network { default_syslog; default_debug; default_log; };
    category general { default_syslog; default_debug; default_log; };
    // Upstream/authoritative-server behaviour.
    category resolver { auth_servers_log; default_debug; };
    category cname { auth_servers_log; default_debug; };
    category delegation-only { auth_servers_log; default_debug; };
    category lame-servers { auth_servers_log; default_debug; };
    category edns-disabled { auth_servers_log; default_debug; };
    category dnssec { dnssec_log; default_debug; };
    // Zone transfer and notify traffic (only the two local zones exist here).
    category notify { zone_transfers_log; default_debug; };
    category xfer-in { zone_transfers_log; default_debug; };
    category xfer-out { zone_transfers_log; default_debug; };
    category update{ ddns_log; default_debug; };
    category update-security { ddns_log; default_debug; };
    // Client-side events, including rejected/unmatched queries and
    // security (ACL) decisions -- the most useful file for spotting abuse.
    category unmatched{ client_security_log; default_debug; };
    category client{ client_security_log; default_debug; };
    category security { client_security_log; default_debug; };
    category rate-limit { rate_limiting_log; default_debug; };
    category spill { rate_limiting_log; default_debug; };
    // NOTE(review): database messages are unrelated to rate limiting;
    // presumably meant for default_log -- verify intent.
    category database { rate_limiting_log; default_debug; };
    category rpz { rpz_log; default_debug; };
    // Full query log (queries_log has no default_debug, so it is never
    // duplicated into named.debug).
    category queries { queries_log; };
    category query-errors {query-errors_log; };
    //
    // Log messages relating to the "dnstap" DNS traffic capture system (if you
    // are not using dnstap, then you may want to comment out this category and
    // associated channel).
    //
    category dnstap { dnstap_log; default_debug; };
};