named.conf file

The “named.conf” file

When it comes to DNS and BIND, one of the most important files is the one called “named.conf“, that is located at the following path:

/etc/named.conf

Default settings

Out of the box, I mean immediately after the installation of BIND you’ll see the following content inside the file “named.conf”, see below.

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
	listen-on port 53 { 127.0.0.1; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	allow-query     { localhost; };

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.root.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Changes to be made on “named.conf”

For our LAB is going to be enough to just modify a few lines, in line number 13th we’re going to add the IP Address of our CentOS 7 machine, that represents the actual server itself.

DNS – BIND – named.conf file server_IP_address

On line 21rst we’re going to add the network where our server will provide DNS services, in our LAB that is going to be 192.168.0.0/24

DNS – BIND – named.conf file – Network

On line 58th we’re going to add both the Forward and the Reverse zones settings, feel free to copy the text from below and adapt it to your own LAB.

zone "tdtlab.com" IN {
        type master;
        file "dns.fwd.zone.tdtlab.com";
        allow-update {none;};
};
zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "dns.rev.zone.tdtlab.com";
        allow-update {none;};
};

Basically we’re defining the “Domain Name” (tdtlab.com)of our LAB and both the Forward and Reverse configuration files, where we have to add each an every new device to be served by the DNS.

DNS – BIND – named.conf file – Forward and Reverse zones

Syntax errors validation

It is always a good idea and also a best practice to validate the syntax of the “named.conf” file before trying to start the service, for that purpose you can use the following CLI command.

named-checkconf /etc/named.conf
Checking for sintax errors

Be aware this tool only checks the syntax, but not the semantics of a named configuration file i.e. it can check for syntax errors or typographical errors but cannot check for wrong MX/A address assigned by you. Nevertheless, this is an excellent tool for troubleshooting DNS server related problems.

Where to go next?