
Ubuntu - Bind - Configure Bind9 - My Configuration

This is my current configuration.

named.conf

/etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
 
// Order of inclusion: logging channels, global options, then the local
// ACLs, views and zones.
include "/etc/bind/named.conf.logging";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
// Intentionally NOT included at top level: this server uses views, and named
// refuses to start when a zone is declared outside a view ("all zones must be
// in views"). The default zones are included inside each view in
// named.conf.local instead.
// include "/etc/bind/named.conf.default-zones";

NOTE: The last line is commented out because I am using views, so the default zones are instead included inside the views in the /etc/bind/named.conf.local file.

Without this change, the following errors are seen when trying to start bind:

named[2211]: /etc/bind/named.conf.default-zones:2: when using 'view' statements, all zones must be in views
named[2211]: loading configuration: failure
named[2211]: exiting (due to fatal error)

named.conf.logging

/etc/bind/named.conf.logging
//logging {
//  channel querylog{
//    file "/var/log/named/querylog";
//    severity debug 3;
//    print-category yes;
//    print-time yes;
//    print-severity yes;
//  };
//  category queries { querylog;};
//};
 
 
 
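// One log file per category under /var/log/named. Every channel rotates at
// 5 MB and keeps 3 old copies, so each category is capped at roughly 20 MB
// on disk. "severity dynamic" follows the server's current debug level, so
// raising it with "rndc trace" makes these files verbose without a reload.
// The directory must exist and be writable by the user named runs as, or the
// channels cannot be opened at startup.
logging {
  // Everything not routed to a more specific category below.
  channel default_file {
    file "/var/log/named/default.log" versions 3 size 5m;
    severity dynamic;
//    severity debug 3;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  channel general_file {
    file "/var/log/named/general.log" versions 3 size 5m;
    severity dynamic;
//    severity debug 3;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  channel database_file {
    file "/var/log/named/database.log" versions 3 size 5m;
    severity dynamic;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  // Approval and denial of requests (refused queries/transfers/updates);
  // the first file to read when something is being rejected.
  channel security_file {
    file "/var/log/named/security.log" versions 3 size 5m;
    severity dynamic;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  channel config_file {
    file "/var/log/named/config.log" versions 3 size 5m;
    severity dynamic;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  // Recursive-lookup events. Now carries the same prefix fields as every
  // other channel; previously it omitted category and severity.
  channel resolver_file {
    file "/var/log/named/resolver.log" versions 3 size 5m;
    severity dynamic;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  // Inbound and outbound zone transfers. With the "slaves" ACL currently
  // empty in named.conf.local, xfer-out should only ever show refusals.
  channel xfer-in_file {
    file "/var/log/named/xfer-in.log" versions 3 size 5m;
    severity dynamic;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  channel xfer-out_file {
    file "/var/log/named/xfer-out.log" versions 3 size 5m;
    severity dynamic;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  channel notify_file {
    file "/var/log/named/notify.log" versions 3 size 5m;
    severity dynamic;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  channel client_file {
    file "/var/log/named/client.log" versions 3 size 5m;
    severity dynamic;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  // Requests that could not be matched to any view or class.
  channel unmatched_file {
    file "/var/log/named/unmatched.log" versions 3 size 5m;
    severity dynamic;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  // Query log: one line per client query, with the client address and the
  // name asked for. Configuring the "queries" category turns query logging
  // on at startup. This is the most privacy-sensitive file here and the one
  // most worth a retention policy.
  channel queries_file {
    file "/var/log/named/queries.log" versions 3 size 5m;
//    severity debug 3;
    severity dynamic;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  channel network_file {
    file "/var/log/named/network.log" versions 3 size 5m;
    severity dynamic;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  // Dynamic updates. Every zone in named.conf.local sets allow-update
  // { none; }, so anything beyond refusals here deserves a look.
  channel update_file {
    file "/var/log/named/update.log" versions 3 size 5m;
    severity dynamic;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  channel dispatch_file {
    file "/var/log/named/dispatch.log" versions 3 size 5m;
    severity dynamic;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  channel dnssec_file {
    file "/var/log/named/dnssec.log" versions 3 size 5m;
    severity dynamic;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
  // Lame delegations found during recursion; tends to be noisy and is the
  // first candidate to drop if disk churn becomes a problem.
  channel lame-servers_file {
    file "/var/log/named/lame-servers.log" versions 3 size 5m;
    severity dynamic;
    print-category yes;
    print-time yes;
    print-severity yes;
  };
 
  category default { default_file; };
  category general { general_file; };
  category database { database_file; };
  category security { security_file; };
  category config { config_file; };
  category resolver { resolver_file; };
  category xfer-in { xfer-in_file; };
  category xfer-out { xfer-out_file; };
  category notify { notify_file; };
  category client { client_file; };
  category unmatched { unmatched_file; };
  category queries { queries_file; };
  category network { network_file; };
  category update { update_file; };
  category dispatch { dispatch_file; };
  category dnssec { dnssec_file; };
  category lame-servers { lame-servers_file; };
};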

NOTE: Logging is far more extensive than the default.


named.conf.options

/etc/bind/named.conf.options
// Networks trusted for zone transfers; referenced by "allow-transfer" in the
// options block below. The four numeric entries are RFC 1918 private ranges;
// "localhost" and "localnets" are BIND's built-in ACLs for the server itself
// and the networks it is directly attached to.
// Any host on these LANs can pull a full copy of any zone that does not
// override the default - narrow this to the actual secondaries if the LAN
// is not fully trusted.
acl "trusted" {
     192.168.1.0/24;
     192.168.50.0/24;
     192.168.70.0/24;
     172.16.0.0/16;
     localhost;
     localnets;
};
 
 
options {
  // Working directory for relative file names and named's own files.
  directory "/var/cache/bind";
 
  // version statement - inhibited for security
  // (avoids hacking any known weaknesses)
  // Replaces the real version in "version.bind" CHAOS answers. This hides
  // the fingerprint only - the binary still has to be kept patched.
  version "ShareWiz DNS";
 
  // If there is a firewall between you and nameservers you want
  // to talk to, you may need to fix the firewall to allow multiple
  // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
 
  // If your ISP provided one or more IP addresses for stable
  // nameservers, you probably want to use them as forwarders.
  // Uncomment the following block, and insert the addresses replacing
  // the all-0's placeholder.
 
  // forwarders {
  //   0.0.0.0;
  // };
 
  // Global forwarders: every view with "recursion yes" that does not set its
  // own forwarders list sends recursive lookups here.
  forwarders {
    // Sure Public DNS
    //83.137.248.244;
    //93.187.151.197;
 
    // Google Public DNS
    //8.8.8.8;
    //8.8.4.4;
 
    // OpenDNS
    //208.67.222.222;
    //208.67.220.220;
 
    // PI-Hole.
    // Two Pi-hole hosts on the LAN; presumably they do the upstream ad
    // filtering for every client that recurses through this server.
    192.168.1.26;
    192.168.1.25;
  };
 
 
  //========================================================================
  // If named logs error messages about the root key being expired,
  // you will need to update your keys.  See https://www.isc.org/named-keys
  //========================================================================
  // NOTE(review): DNSSEC validation is switched off, so answers relayed from
  // the forwarders are accepted without signature checking. "auto" (the
  // commented line) validates against the built-in root trust anchor; if it
  // was disabled because the Pi-hole forwarders break validation, that is
  // worth confirming rather than assuming. "dnssec-enable" is obsolete in
  // recent BIND 9 releases - check that the installed version still accepts it.
  #dnssec-validation auto;
  dnssec-enable no;
  dnssec-validation no;
 
  auth-nxdomain no;    # conform to RFC1035
  // Also accept queries on every IPv6 address.
  listen-on-v6 { any; };
 
  // Anyone may ask; whether they may RECURSE is decided per view in
  // named.conf.local - the catch-all "external" view sets "recursion no",
  // which is what stops this being an open resolver. allow-recursion is left
  // unset here; uncommenting the "trusted" line below would add a second,
  // ACL-based guard should a view ever forget to disable recursion.
  allow-query { any; };
  // Default transfer ACL; the zones in named.conf.local override it with
  // their own "slaves" ACL.
  allow-transfer { trusted; };
  #allow-recursion { trusted; };
};

named.conf.local

/etc/bind/named.conf.local
//
// Do any local configuration here.
//
 
 
// Hosts permitted to pull zone transfers (AXFR/IXFR) of the zones below.
// Every entry is currently commented out, so the ACL matches no client and
// "allow-transfer { slaves; }" on each zone effectively refuses transfers
// to everyone. Add a secondary's address here (not a whole network) to let
// it replicate.
acl slaves {
//    195.234.42.0/24;    // XName
//    193.218.105.144/28; // XName
//    193.24.212.232/29;  // XName
//    212.227.123.29;  // 1&1  slv2.1and1.co.uk
//  192.168.1.26;
//  192.168.1.25;
};
 
// Any IPs added here will not have ads blocked.
// For Virginia.
// Hosts that must NOT have ads blocked. They are matched by the "allow_ads"
// view (first in match order) and are meant to be carved out of "internals"
// below via "!allow_ads". Single addresses, not networks - each host is
// listed explicitly.
acl allow_ads {
//    192.168.1.64;
    192.168.1.70;
    192.168.1.75;
    192.168.1.90;
    192.168.1.96;
};
 
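// Clients that get the "internal" view (recursion plus the private zone
// copies and the ad-blocking zones). Address match lists are evaluated in
// order, first match wins, so the negated allow_ads entry must come BEFORE
// 192.168.1.0/24 - otherwise the allow_ads hosts, which live in that /24,
// match the network entry first and the exclusion never applies.
acl internals {
    !allow_ads;
    192.168.1.0/24;
    192.168.50.0/24;
    192.168.70.0/24;
    172.16.0.0/16;
    127.0.0.0/8;
};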
 
// View for the hosts in the allow_ads ACL: they recurse through the
// forwarders set in named.conf.options and do NOT get the ad-blacklist
// zones that the "internal" view includes. Views are matched in order,
// so this one must stay above "internal", whose ACL also covers the
// 192.168.1.0/24 these hosts sit in.
// NOTE(review): the inherited forwarders are the Pi-hole hosts, which may
// still filter ads upstream; the commented-out forwarders block below looks
// like an attempt to bypass that - confirm it actually behaves as intended.
view "allow_ads" {
    match-clients { allow_ads; };
    recursion yes;
 
//    type forward;
//    forwarders {
//        8.8.8.8;
//    };
 
    // Debian's stock default zones (root hints, localhost and friends);
    // every view must carry them since nothing can live outside a view.
    include "/etc/bind/named.conf.default-zones";
};
 
// Split-horizon view for the LAN: full recursion plus the "internals" copies
// of the zones (private 192.168.1.x addresses) and the ad-blocking zones.
view "internal" {
    match-clients { internals; };
    recursion yes;
 
    // Each zone here is a primary; the public-facing twin with the same name
    // lives in the "external" view below, backed by a different file.
    zone "sharewiz.net" {
        type master;
        file "/etc/bind/internals/db.sharewiz.net";
        // "slaves" is an empty ACL at the moment, so nobody can transfer
        // this zone; dynamic updates are disabled outright.
        allow-transfer { slaves; };
        allow-update { none; };
    };
 
    zone "drdizzy.com" {
        type master;
        file "/etc/bind/internals/db.drdizzy.com";
        allow-transfer { slaves; };        
        allow-update { none; };
    };
 
    zone "magicalentertainmentandsound.com" {
        type master;
        file "/etc/bind/internals/db.magicalentertainmentandsound.com";
        allow-transfer { slaves; };        
        allow-update { none; };
    };
 
    # Set zone for reverse
    // 192.168.1.0/24 reverse lookups - answered for LAN clients only.
    zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/internals/1.168.192.db";
        allow-transfer { slaves; };        
        allow-update { none; };
    };
 
    // Roughly 2,600 ad/tracker domains, each served from the shared null
    // zone (answers 127.0.0.1). Only this view includes them.
    include "/etc/bind/ad-blacklist";
    // Debian's stock default zones (root hints, localhost and friends).
    include "/etc/bind/named.conf.default-zones";
};
 
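// Catch-all view for everyone who matched neither allow_ads nor internals,
// i.e. the public Internet. Authoritative only: "recursion no" means outside
// clients cannot use this host as an open resolver, and they only ever see
// the "externals" copies of the zones, which carry the public address.
// (A stray trailing whitespace marker after allow-query was removed.)
view "external" {
    match-clients { any; };
    // Redundant with the global allow-query { any; } in named.conf.options,
    // but harmless and makes the intent explicit.
    allow-query { any; };
    recursion no;
 
    zone "sharewiz.net" {
        type master;
        file "/etc/bind/externals/db.sharewiz.net";
        // "slaves" is an empty ACL at the moment, so transfers are refused;
        // dynamic updates are disabled outright.
        allow-transfer { slaves; };
        allow-update { none; };
    };
 
    zone "drdizzy.com" {
        type master;
        file "/etc/bind/externals/db.drdizzy.com";
        allow-transfer { slaves; };
        allow-update { none; };
    };
 
    zone "magicalentertainmentandsound.com" {
        type master;
        file "/etc/bind/externals/db.magicalentertainmentandsound.com";
        allow-transfer { slaves; };
        allow-update { none; };
    };
 
    // Reverse zone for the single public address 5.42.134.35.
    zone "35.134.42.5.in-addr.arpa" {
        type master;
        file "/etc/bind/externals/35.134.42.5.db";
        allow-transfer { slaves; };
        allow-update { none; };
    };
};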

ad-blacklist

ad-blacklist
// For more information about this list, see: https://pgl.yoyo.org/adservers/
// ----
// last updated:    Tue, 27 Feb 2018 18:17:25 GMT
// entries:         2595
// format:          bindconfig
// credits:         Peter Lowe - pgl@yoyo.org - https://pgl.yoyo.org/
// this URL:        http://pgl.yoyo.org/adservers/serverlist.php?hostformat=bindconfig&showintro=0&mimetype=plaintext
// other formats:   https://pgl.yoyo.org/adservers/formats.php
 
// Each blocked domain is served locally as an authoritative zone backed by
// the shared null zone, so the domain and everything under it (the zone's
// "*" wildcard) answers 127.0.0.1. "notify no" stops named sending a NOTIFY
// for each of the ~2,600 zones when the list loads. Included only from the
// "internal" view in named.conf.local, so allow_ads hosts and external
// clients are unaffected.
// NOTE(review): the "this URL" in the header above is plain http; the site
// also serves https (see "other formats"). Fetch refreshes over https so the
// list cannot be altered in transit - it is config this server will execute.
zone "101com.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "101order.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "123found.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "123freeavatars.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "180hits.de" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "180searchassistant.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "207.net" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "20a840a14a0ef7d6.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "247media.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "24log.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "24log.de" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "24pm-affiliation.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "2mdn.net" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "2o7.net" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "360yield.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "3lift.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "4affiliate.net" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "4d5.net" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "50websads.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "518ad.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "51yes.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "600z.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "777partner.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "77tracking.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "7bpeople.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
zone "7f1au20glg.com" { type master; notify no; file "/etc/bind/internals/ad-null.zone"; };
...

NOTE: See Ad List for the full list.

If a refreshed file is downloaded, the zone file it points to may be “null.zone.file”.

To change this to point to /etc/bind/internals/ad-null.zone instead, run the following substitution in vi:

:%s#null.zone.file#/etc/bind/internals/ad-null.zone#g

Internals - ad-null.zone

/etc/bind/internals/ad-null.zone
; Ads get redirected to 127.0.0.1
; Null zone shared by every entry in /etc/bind/ad-blacklist: the blocked
; domain itself (@) and every name under it (the * wildcard) resolve to
; 127.0.0.1. No AAAA is defined, so IPv6 lookups get an empty answer.
; NOTE(review): 127.0.0.1 points the client at whatever is listening on its
; own loopback; 0.0.0.0 is a common alternative for sinkholing - consider.
 
$TTL      86400
@         IN      SOA     ads.sharewiz.net. root.sharewiz.net. (
                       2017030601 ; Serial
                            86400 ; Refresh
                              300 ; Retry
                           604800 ; Expire
                             3600 ; Negative Cache TTL
);
 
; define the name server
; NOTE(review): SOA MNAME above is ads.sharewiz.net. while the only NS is
; ns1.sharewiz.net. - harmless for a null zone, but confirm which is meant.
          IN      NS      ns1.sharewiz.net.
; define the hostnames
@         IN      A       127.0.0.1
*         IN      A       127.0.0.1

Internals - 1.168.192.db

/etc/bind/internals/1.168.192.db
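; sharewiz.net - reverse zone for 192.168.1.0/24 (1.168.192.in-addr.arpa).
; Served only from the "internal" view, so these names never leave the LAN.
; Bump the serial whenever a record changes.
$TTL    86400
@       IN      SOA     ns1.sharewiz.net. root.sharewiz.net. (
                     2020031901 ; Serial
                           3600 ; Refresh
                           1800 ; Retry
                        2419200 ; Expire
                          86400 ; Negative Cache TTL
);
 
; define the name server
        IN      NS      ns1.sharewiz.net.
; NOTE(review): a blank owner inherits the previous record's owner, so this
; line defines ns1.1.168.192.in-addr.arpa - not ns1.sharewiz.net - and it
; silently changed the owner of the records that used to follow it. The
; internal forward zone gives ns1 192.168.1.2; this is the public address.
ns1     IN      A       5.42.134.35
 
; define the range of this domain
; Explicit @ owner: without it these two records hang off "ns1" above.
@       IN      PTR     sharewiz.net.
; A netmask stored in an A record is an old convention; resolvers ignore it.
        IN      A       255.255.255.0
 
; define the hostnames
; Several addresses carry more than one PTR; a reverse lookup returns all of
; them, and tools that expect a single name may pick any one.
1       IN      PTR     gateway.sharewiz.net.
1       IN      PTR     router.sharewiz.net.
2       IN      PTR     server1.sharewiz.net.
2       IN      PTR     mail.sharewiz.net.
2       IN      PTR     ftp.sharewiz.net.
2       IN      PTR     webmail.sharewiz.net.
2       IN      PTR     wiki.sharewiz.net.
2       IN      PTR     www.sharewiz.net.
10      IN      PTR     unifi.sharewiz.net.
15      IN      PTR     ap1.sharewiz.net.
69      IN      PTR     peter.sharewiz.net.
70      IN      PTR     virginia.sharewiz.net.
80      IN      PTR     felix.sharewiz.net.
90      IN      PTR     felix2.sharewiz.net.
99      IN      PTR     extender.sharewiz.net.
100     IN      PTR     printer.sharewiz.net.
; NOTE(review): the forward zone maps extender to 192.168.1.250, not .99 -
; one side is stale. nas (.5), switch (.20) and shield (.64) have no PTR,
; while unifi (.10) and ap1 (.15) have no forward A record.
 
; define drdizzy.com
; NOTE(review): these four PTRs have a blank owner, so they inherit "100"
; and become extra names for the printer (192.168.1.100). Give them an
; explicit owner (the host that actually serves these sites internally -
; confirm against db.drdizzy.com) or drop them from this zone.
        IN      PTR     drdizzy.com.
        IN      PTR     www.drdizzy.com.
 
; define magicalentertainmentandsound.com
        IN      PTR     magicalentertainmentandsound.com.
        IN      PTR     www.magicalentertainmentandsound.com.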

Internals - db.sharewiz.net

/etc/bind/internals/db.sharewiz.net
; sharewiz.net - internal (LAN) copy of the zone, served from the "internal"
; view only. Every host maps to a private 192.168.1.x address; the public
; twin in /etc/bind/externals/db.sharewiz.net must be kept in step by hand.
; Bump the serial whenever a record changes.
$TTL      86400
@         IN      SOA     ns1.sharewiz.net. root.sharewiz.net. (
                       2020031901 ; Serial
                             3600 ; Refresh
                             1800 ; Retry
                          2419200 ; Expire
                            86400 ; Negative Cache TTL
);
 
; define the name server
          IN      NS      ns1.sharewiz.net.
 
; define the name server IP address
; Blank owner = the previous record's owner, i.e. the zone apex.
          IN      A       192.168.1.2
 
; define the mail exchanger
          IN      MX      10 mail.sharewiz.net.
mail      IN      A       192.168.1.2
 
; define the hostnames
gateway   IN      A       192.168.1.1
router    IN      A       192.168.1.1
ns1       IN      A       192.168.1.2
ftp       IN      A       192.168.1.2
server1   IN      A       192.168.1.2
webmail   IN      A       192.168.1.2
wiki      IN      A       192.168.1.2
www       IN      A       192.168.1.2
; Left commented because a CNAME cannot coexist with the www A record above.
;www       CNAME   @
; Wildcard: any name not listed here resolves to server1, so typos never
; return NXDOMAIN on the LAN. NOTE(review): confirm that is intended.
*         IN      A       192.168.1.2
@         IN      A       192.168.1.2
nas       IN      A       192.168.1.5
switch    IN      A       192.168.1.20
shield    IN      A       192.168.1.64
peter     IN      A       192.168.1.69
virginia  IN      A       192.168.1.70
felix     IN      A       192.168.1.80
felix2    IN      A       192.168.1.90
printer   IN      A       192.168.1.100
; NOTE(review): the reverse zone (1.168.192.db) lists extender at .99, not
; .250; nas, switch and shield have no PTR there at all.
extender  IN      A       192.168.1.250
 
; define the SPF
; Same text as the public copy; only matters to LAN clients that look it up.
sharewiz.net.        IN      TXT     "v=spf1 a ip4:5.42.134.35 -all"
;sharewiz.net.        IN      SPF     "v=spf1 a ip4:5.42.134.35 -all"
 
; define the DMARC
;_dmarc  IN      TXT     "v=DMARC1;p=none;rua=mailto:peter@sharewiz.net;ruf=mailto:peter@sharewiz.net"
_dmarc.sharewiz.net. IN TXT "v=DMARC1; p=none; sp=none; rua=mailto:peter@sharewiz.net; ruf=mailto:peter@sharewiz.net; rf=afrf; pct=100; ri=86400"

Externals - 35.134.42.5.db

/etc/bind/externals/35.134.42.5.db
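; sharewiz.net - reverse zone for the single public address 5.42.134.35
; (35.134.42.5.in-addr.arpa), served from the "external" view. The ISP has
; to delegate this name (directly or RFC 2317-style) for anyone outside to
; see these answers. Bump the serial whenever a record changes.
$TTL    86400
@       IN      SOA     ns1.sharewiz.net. root.sharewiz.net. (
                     2016101801 ; Serial
                           3600 ; Refresh
                           1800 ; Retry
                        2419200 ; Expire
                          86400 ; Negative Cache TTL
 
);
 
; define the name server
;        IN      NS      ns1.server1.net.
        IN      NS      ns1.sharewiz.net.
; NOTE(review): a blank owner inherits the previous record's owner. Before
; the explicit "@" owners were added below, every PTR in this file inherited
; "ns1" from this line, which left the zone apex - the address itself - with
; no PTR at all. This record is ns1.35.134.42.5.in-addr.arpa, not glue for
; ns1.sharewiz.net, and can be removed.
ns1     IN      A       5.42.134.35
;        IN      NS      ns1.drdizzy.com.
 
; define the range of this domain
@       IN      PTR     sharewiz.net.
;        IN      A       255.255.255.248
 
; define the hostnames
; Every PTR below belongs to the apex, i.e. to 5.42.134.35 itself. Twelve
; names for one address is legal, but many mail receivers doing
; forward-confirmed reverse DNS expect a single PTR whose name resolves back
; to the address - consider keeping just one (e.g. mail.sharewiz.net.) if
; deliverability matters.
@       IN      PTR     ns1.sharewiz.net.
        IN      PTR     router.sharewiz.net.
        IN      PTR     server1.sharewiz.net.
        IN      PTR     mail.sharewiz.net.
        IN      PTR     ftp.sharewiz.net.
        IN      PTR     web.sharewiz.net.
        IN      PTR     webmail.sharewiz.net.
        IN      PTR     www.sharewiz.net.
 
; define drdizzy.com
@       IN      PTR     drdizzy.com.
        IN      PTR     www.drdizzy.com.
 
; define magicalentertainmentandsound.com
@       IN      PTR     magicalentertainmentandsound.com.
        IN      PTR     www.magicalentertainmentandsound.com.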

Externals - db.sharewiz.net

/etc/bind/externals/db.sharewiz.net
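; sharewiz.net - public (external view) copy of the zone. Everything here is
; visible to the Internet; the LAN copy lives in /etc/bind/internals/.
; Tab-mangled whitespace in several records was normalised to spaces.
; Bump the serial whenever a record changes.
$TTL    86400
@       IN      SOA     ns1.sharewiz.net. root.sharewiz.net. (
                     2016101605 ; Serial
                           3600 ; Refresh
                           1800 ; Retry
                        2419200 ; Expire
                          86400 ; Negative Cache TTL
);
 
; define the name server
; NOTE(review): a single NS record is a single point of failure for the
; whole domain; RFC 2182 recommends at least two on separate networks. The
; commented 1&1 secondary below looks like the former second NS.
        IN      NS      ns1.sharewiz.net.
;       IN      NS      slv2.1and1.co.uk.
 
; define the name server IP address
; Blank owner = the previous record's owner, i.e. the zone apex.
        IN      A       5.42.134.35
 
; define the mail exchanger
        IN      MX      10 mail.sharewiz.net.
mail    IN      A       5.42.134.35
 
; define the hostnames
ns1     IN      A       5.42.134.35
ftp     IN      A       5.42.134.35
router  IN      A       5.42.134.35
server1 IN      A       5.42.134.35
webmail IN      A       5.42.134.35
www     IN      A       5.42.134.35
; Left commented because a CNAME cannot coexist with the www A record above.
;www     CNAME   @
; Wildcard: every otherwise-undefined name under sharewiz.net answers with
; the public address, so there is never an NXDOMAIN for typos or probes.
; NOTE(review): keep it only if that is wanted for a public zone.
*       IN      A       5.42.134.35
 
; define the SPF
; Only the listed address (and the apex A, which is the same one) may send
; mail as sharewiz.net; "-all" hard-fails everything else.
sharewiz.net.   IN      TXT     "v=spf1 a ip4:5.42.134.35 -all"
;sharewiz.net.  IN      SPF     "v=spf1 a ip4:5.42.134.35 -all"
 
; define the SenderID
;sharewiz.net. IN  TXT "spf2.0/pra a include:mail.sharewiz.net -all"
 
; define the DMARC
; p=none / sp=none means receivers only report, never quarantine or reject;
; tighten the policy once the aggregate (rua) reports look clean.
;_dmarc  IN      TXT     "v=DMARC1;p=none;rua=mailto:peter@sharewiz.net;ruf=mailto:peter@sharewiz.net"
_dmarc.sharewiz.net. IN TXT "v=DMARC1; p=none; sp=none; rua=mailto:peter@sharewiz.net; ruf=mailto:peter@sharewiz.net; rf=afrf; pct=100; ri=86400"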