Installation guide
232 Chapter 16. Berkeley Internet Name Domain (BIND)
When used with other /etc/named.conf statements and their options, acl statements can be
very useful in ensuring the proper use of your BIND nameserver as in this example:
acl black-hats {
    10.0.2.0/24;
    192.168.0.0/24;
};
acl red-hats {
    10.0.1.0/24;
};
options {
    blackhole { black-hats; };
    allow-query { red-hats; };
    allow-recursion { red-hats; };
};
This named.conf defines two access control lists, black-hats and red-hats: traffic from hosts in black-hats is silently dropped by blackhole, while only hosts in red-hats may query the nameserver or request recursion.
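As an added illustration that is not part of this chapter, the following Python script mimics how BIND applies the example above to a query's source address: blackhole is consulted first, then allow-query, then allow-recursion. The acl and options blocks are embedded as constructed data; the handling of the any/none keywords and the fallback for a missing allow-recursion are assumptions of this script, not something the chapter states.

```python
import ipaddress

# Constructed reproduction of the acl/options example from this chapter.
ACLS = {
    "black-hats": ["10.0.2.0/24", "192.168.0.0/24"],
    "red-hats": ["10.0.1.0/24"],
}
OPTIONS = {
    "blackhole": ["black-hats"],
    "allow-query": ["red-hats"],
    "allow-recursion": ["red-hats"],
}


def matches(addr, entries, acls=ACLS):
    """True if addr matches the address-match list `entries`.

    Elements may be the keywords any/none, a network prefix or a single
    address, or the name of another acl; as in BIND, the first element
    that matches decides."""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        if entry == "any":
            return True
        if entry == "none":
            continue  # matches no address; keep evaluating later elements
        if entry in acls:
            if matches(addr, acls[entry], acls):
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def decide(addr, recursive=False, options=OPTIONS):
    """Outcome of a query from addr under the given options block.

    blackhole is checked first (traffic silently dropped), then allow-query,
    then allow-recursion for recursive queries. A missing blackhole means
    none and a missing allow-query means any (all hosts may query); treating
    a missing allow-recursion as any is an assumption of this script."""
    if matches(addr, options.get("blackhole", ["none"])):
        return "dropped (blackhole)"
    if not matches(addr, options.get("allow-query", ["any"])):
        return "refused (allow-query)"
    if recursive and not matches(addr, options.get("allow-recursion", ["any"])):
        return "refused (allow-recursion)"
    return "answered"
```

Running decide() against addresses from each network shows which clause stops a query, which is a quick way to sanity-check an acl layout before reloading named.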
• controls — Configures various security requirements necessary to use the rndc command to
administer the named service.
Section 16.3.1.1 shows how the controls statement should look, including the options that may
only be used with it.
• include "file-name" — Includes the specified file within the current configuration file,
allowing sensitive configuration data (such as keys) to be placed in a separate file with permissions
that prevent non-privileged users from reading it.
• key "key-name" — Defines a particular key by name. Keys are used to authenticate various
actions, such as secure updates or the use of the rndc command. Two options are used with key:
• algorithm algorithm-name — The type of algorithm used, such as dsa or hmac-md5.
• secret "key-value" — The encrypted key.
See Section 16.3.1.2 for instructions on how to write a key statement.
• logging — Allows for the use of multiple types of logs, called channels. By using the channel
option within the logging statement, a customized type of log, with its own file name (file),
size limit (size), versioning (version), and level of importance (severity), can be constructed.
Once a customized channel has been defined, a category option is used to categorize the channel
and begin logging when named is restarted.
By default, named logs standard messages to the syslog daemon, which places them
in /var/log/messages. This occurs because several standard channels are built
into BIND with various severity levels, such as one that handles informational logging
messages (default_syslog) and another that specifically handles debugging messages
(default_debug). A default category, called default, uses the built-in channels to do normal
logging without any special configuration.
Customizing the logging process can be very involved and is beyond the scope of this chapter.
For information on creating custom BIND logs, see the BIND 9 Administrator Reference Manual.
• options — Assigns values to many assorted options, including the use of forwarders, the location
of the named working directory, the names of the various files, and much more.
The following options are among the most commonly used:
• allow-query — Specifies which hosts are allowed to query this nameserver. By default, all
hosts are allowed to query. An access control list or collection of IP addresses or networks may
be used here to only allow particular hosts to query the nameserver.