docker-bind/container/configs/named.conf.options

options {
    directory "/var/cache/bind";
    
    // Remove (hide) our bind version - no reason to disclose it
    version "";
    
    // Configure the IPs to listen on here.
    listen-on    { any; };
    listen-on-v6 { none; };

    // QUERY SOURCE - Useful for caching servers behind a firewall
    // Default: address * port *
    // Values : The IP address and port to use as the source of queries to other servers
    // If you have problems and are behind a firewall, uncomment:
    //query-source address * port *;
    
    pid-file "/var/run/named/named.pid";
    
    // statistics-file "/var/cache/bind/named.stats"; 
    // zone-statistics yes; 
    
    // If you want to allow only specific hosts to use the DNS server:
    allow-query { 127.0.0.1; };
    
    // Specify a list of IPs/masks to allow zone transfers to here.
    //
    // You can override this on a per-zone basis by specifying this inside a zone
    // block.
    //
    // Warning: Removing this block will cause BIND to revert to its default
    //          behaviour of allowing zone transfers to any host (!).
    allow-transfer { none; };
    
    
    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
    
    // RECURSION - Required for caching servers
    // Default: yes
    // Values : yes, no
    //
    // yes: Attempt to resolve requests we are not authoritative for
    // no : Do not resolve requests we are not authoritative for
    //
    // NOTE: Commented out because specified in each zone/view
    recursion yes;
    //recursion no;
    
    
    // ALLOW-RECURSION - Who may use our caching server?
    // Default: any;
    // Values : any, none, (addresslist)
    //
    // any    : anybody may use the caching server
    // none   : noone may use the caching server
    // address: List of IP addresses that may use the caching server.
    // allow-recursion { localhost; localnets; };
    //
    // NOTE: Commented out because specified in each zone/view
    // allow-recursion { clients; servers; lan; };
    //allow-recursion { none; };
    allow-recursion { 127.0.0.1; };
    
    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.
    
    forwarders {
        8.8.8.8;
    	8.8.4.4;
    };
    
    // FORWARD - Recommended for caching servers
    // Default: first
    // Values : first, only
    //
    // first: Query "forwarders" first, then resolve request ourself
    // only : Only query the "forwarders" to resolve requests
    //
    forward first;
    
    
    // NOTIFY - Relevant to authoritative servers
    // Default: yes
    // Values : yes, explicit, no
    //
    // yes     : Send DNS NOTIFY messages to slave servers in zone NS records when zone changes
    // explicit: Only send DNS NOTIFY messages to "also-notify" hosts
    // no      : Never automatically send DNS NOTIFY messages
    //
    notify yes;
    
    // Need this for SRV records
    check-names master ignore;
    
    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;
    
    auth-nxdomain no;    # conform to RFC1035
};
Major Upgrade - added very detailed configs for many scenarios, with lots of examples. The server is now fully functional for an authoritative master and a recursive/forwarding cacher. You can still mount over the /etc/bind and /var/bind directories and override everything yourself. This should help many users who did not know where to start with bind. 2018-02-12 23:35:24 -05:00			`options {`
Cleanup of directory for zones back to /var/cache/bind. Also stable release tag 2018-02-28 10:50:35 -05:00			`directory "/var/cache/bind";`
Major Upgrade - added very detailed configs for many scenarios, with lots of examples. The server is now fully functional for an authoritative master and a recursive/forwarding cacher. You can still mount over the /etc/bind and /var/bind directories and override everything yourself. This should help many users who did not know where to start with bind. 2018-02-12 23:35:24 -05:00
			`// Remove (hide) our bind version - no reason to disclose it`
			`version "";`

			`// Configure the IPs to listen on here.`
			`listen-on { any; };`
			`listen-on-v6 { none; };`

			`// QUERY SOURCE - Useful for caching servers behind a firewall`
			`// Default: address * port *`
			`// Values : The IP address and port to use as the source of queries to other servers`
			`// If you have problems and are behind a firewall, uncomment:`
			`//query-source address * port *;`

			`pid-file "/var/run/named/named.pid";`

			`// statistics-file "/var/cache/bind/named.stats";`
			`// zone-statistics yes;`

			`// If you want to allow only specific hosts to use the DNS server:`
			`allow-query { 127.0.0.1; };`

			`// Specify a list of IPs/masks to allow zone transfers to here.`
			`//`
			`// You can override this on a per-zone basis by specifying this inside a zone`
			`// block.`
			`//`
			`// Warning: Removing this block will cause BIND to revert to its default`
			`// behaviour of allowing zone transfers to any host (!).`
			`allow-transfer { none; };`


			`// If there is a firewall between you and nameservers you want`
			`// to talk to, you may need to fix the firewall to allow multiple`
			`// ports to talk. See http://www.kb.cert.org/vuls/id/800113`

			`// RECURSION - Required for caching servers`
			`// Default: yes`
			`// Values : yes, no`
			`//`
			`// yes: Attempt to resolve requests we are not authoritative for`
			`// no : Do not resolve requests we are not authoritative for`
			`//`
			`// NOTE: Commented out because specified in each zone/view`
			`recursion yes;`
			`//recursion no;`


			`// ALLOW-RECURSION - Who may use our caching server?`
			`// Default: any;`
			`// Values : any, none, (addresslist)`
			`//`
			`// any : anybody may use the caching server`
			`// none : noone may use the caching server`
			`// address: List of IP addresses that may use the caching server.`
			`// allow-recursion { localhost; localnets; };`
			`//`
			`// NOTE: Commented out because specified in each zone/view`
			`// allow-recursion { clients; servers; lan; };`
			`//allow-recursion { none; };`
			`allow-recursion { 127.0.0.1; };`

			`// If your ISP provided one or more IP addresses for stable`
			`// nameservers, you probably want to use them as forwarders.`
			`// Uncomment the following block, and insert the addresses replacing`
			`// the all-0's placeholder.`

			`forwarders {`
			`8.8.8.8;`
			`8.8.4.4;`
			`};`

			`// FORWARD - Recommended for caching servers`
			`// Default: first`
			`// Values : first, only`
			`//`
			`// first: Query "forwarders" first, then resolve request ourself`
			`// only : Only query the "forwarders" to resolve requests`
			`//`
			`forward first;`


			`// NOTIFY - Relevant to authoritative servers`
			`// Default: yes`
			`// Values : yes, explicit, no`
			`//`
			`// yes : Send DNS NOTIFY messages to slave servers in zone NS records when zone changes`
			`// explicit: Only send DNS NOTIFY messages to "also-notify" hosts`
			`// no : Never automatically send DNS NOTIFY messages`
			`//`
			`notify yes;`

			`// Need this for SRV records`
			`check-names master ignore;`

			`//========================================================================`
			`// If BIND logs error messages about the root key being expired,`
			`// you will need to update your keys. See https://www.isc.org/bind-keys`
			`//========================================================================`
			`dnssec-validation auto;`

			`auth-nxdomain no; # conform to RFC1035`
			`};`