Linux/BIND

Summary
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server.

Description:

BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.

Quick Installation
Install bind, bind tools, and config files: yum install bind bind-utils caching-nameserver

Start with the sample configuration files:

    cp /usr/share/doc/bind-9*/sample/etc/* /etc/
    cp /usr/share/doc/bind-9*/sample/var/named/* /var/named/

Add the following line under the "options" section of /etc/named.conf: listen-on { 127.0.0.1; 10.1.100.1; };

Comment out the example zones in the "view "internal"" section:

    #       zone "my.internal.zone" {
    #               type master;

Comment out the "key ddns_key" and "view "external"" sections, from their opening "{" through the closing "};":

    # key ddns_key
    #       algorithm hmac-md5;
    #       secret "use /usr/sbin/dns-keygen to generate TSIG keys";
    # view   "external"

Configure /etc/resolv.conf:

    search test.lab
    nameserver 127.0.0.1

Have bind auto start on boot: chkconfig named on

Start bind: service named restart

Test bind: dig www.google.com

Installation
BIND 9 Configuration Reference

"The Linux DNS Server is called bind or named; we need version 9. It should already be installed on your system, which can be verified using rpm -q bind."

    $ yum info bind
    Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server.
    Description: BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly.

    $ yum info caching-nameserver
    Summary: Default BIND configuration files for a caching nameserver
    Description: The caching-nameserver package includes the configuration files which will make the ISC BIND named DNS name server act as a simple caching nameserver. A caching nameserver is a DNS Resolver, as defined in RFC 1035, section 7. ISC BIND named(8) provides a very efficient, flexible and robust resolver as well as a server of authoritative DNS data - many users use this package along with BIND to implement their primary system DNS resolver service. If you would like to set up a caching name server, you'll need to install bind, bind-libs, and bind-utils along with this package.

Installation:

    yum install bind caching-nameserver
    chkconfig named on

The package caching-nameserver is needed for several files found in /var/named.

Optional xserver bind configuration tool: yum install system-config-bind

The following files need to be configured:
 * /etc/named.conf
 * /etc/resolv.conf
 * /etc/sysconfig/named (optional)
 * /var/named/example.com.zone
 * /var/named/192.168.5.zone

A sample named.conf file can be found here: /usr/share/doc/bind-9.3.4/sample/etc/named.conf

    cp /usr/share/doc/bind-9.3.3/sample/etc/named.conf /etc/named.conf
    cp /usr/share/doc/bind-9.3.3/sample/etc/named.root.hints /etc/named.root.hints
    # overwrite...
    cp /usr/share/doc/bind-9.3.3/sample/etc/named.rfc1912.zones /etc/named.rfc1912.zones
    # optional..
    cp /usr/share/doc/bind-9.3.3/sample/etc/rndc.conf /etc/rndc.key
    chown root:named /etc/named*
    # var stuff (copy, not cat: cat with two file arguments only prints both to stdout)
    cp /usr/share/doc/bind-9.3.3/sample/var/named/named.root /var/named/named.root
    chown root:named /var/named/named.root

See Default named.conf

The file /etc/named.caching-nameserver.conf has only local resolver lines. Its "options" section contains a few settings that the sample named.conf does not include, which appear to be restrictive in nature. These can be incorporated into named.conf if need be.

The file /usr/share/doc/bind-9.3.3/sample/etc/named.rfc1912.zones is missing the following, which /etc/named.rfc1912.zones has (named.root.hints also has it):

    zone "." IN {
            type hint;
            file "named.ca";
    };

/etc/resolv.conf:

    search t0e.org
    nameserver 127.0.0.1

To regenerate the rndc key:

    [root@hal ~]# cat /etc/rndc.key
    key "rndckey" {
            algorithm      hmac-md5;
            secret         "wp8YV4CpRykpGe7G8g465Bk0QvVIH8ksd26nst79EZfl8ZaarKD5B0Y4C4zO";
    };
    [root@hal ~]# rndc-confgen -a
    wrote key file "/etc/rndc.key"
    [root@hal ~]# cat /etc/rndc.key
    key "rndckey" {
            algorithm hmac-md5;
            secret "jyUnvqHOZWGfZnm46KvfoA==";
    };

The changes to make to the sample conf file are as follows:

    options {
            ...
            listen-on { 127.0.0.1; 10.10.10.1; };
    };
    view "internal" {
            ...
            zone "t0e.org" IN {
                    type master;
                    file "t0e.org.zone";
                    allow-update { key "rndckey"; };
                    notify yes;
            };
            zone "10.10.10.in-addr.arpa" {
                    type master;
                    file "t0e.org.rev";
                    allow-update { key "rndckey"; };
                    notify yes;
            };
            /* comment out all default zones
            zone "my.internal.zone" {
            ...
            zone "my.slave.internal.zone" {
            ...
                    // DISABLE COMMENTS
                    masters { / * put master nameserver IPs here * / 127.0.0.1; } ;
            ...
            zone "my.ddns.internal.zone" {
            }
            */
    };
    /* comment out "ddns_key" section, and do include
    key ddns_key {
    ...
    };
    */
    include "/etc/rndc.key";
    /* comment out "external" section
    view   "external" {
            // DISABLE COMMENTS
            ...
    };
    */

The OLD /etc/named.conf I use:

    options {
            directory "/var/named";
            dump-file "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            listen-on { 127.0.0.1; 10.10.10.3; 10.10.20.3; };
    };
    controls {
            inet 127.0.0.1 allow { localhost; } keys { rndckey; };
    };
    include "/etc/rndc.key";
    zone "t0e.org" IN {
            type master;
            file "t0e.org.zone";
            allow-update { key "rndckey"; };
            notify yes;
    };
    zone "10.10.10.in-addr.arpa" {
            type master;
            file "t0e.org.rev";
            allow-update { key "rndckey"; };
            notify yes;
    };

The /var/named/t0e.org.zone I use:

    $TTL   300     ; 5 minutes
    t0e.org.        IN SOA  hal.t0e.org. hel.t0e.org. (
                                    20070714        ; serial number
                                    300             ; refresh (5 minutes)
                                    3600            ; retry (1 hour)
                                    604800          ; expire (1 week)
                                    3600            ; minimum TTL (1 hour)
                                    )
                    NS      hal.t0e.org.
    fw              A       10.10.10.1
    hal             A       10.10.10.3

The /var/named/t0e.org.rev I use:

    $TTL   300     ; 5 minutes
    10.10.10.in-addr.arpa.  IN SOA  hal.t0e.org. hal.t0e.org. (
                                    20070714        ; serial number
                                    300             ; refresh (5 minutes)
                                    3600            ; retry (1 hour)
                                    604800          ; expire (1 week)
                                    3600            ; minimum TTL (1 hour)
                                    )
                    NS      hal.t0e.org.
    1               PTR     fw.t0e.org.
    3               PTR     hal.t0e.org.

Records
Zone:

    zone "lab" {
            type master;
            file "/etc/bind/db.lab";
            allow-query { lindonlab; };
    };

Records (TXT data containing spaces must be quoted, otherwise BIND stores each word as a separate string):

    ; Domain 'lab'
    @               IN SOA  ns.keylabs.com. admin.keylabs.com. (
                            2011052800      ; serial DONT FORGET CHANGE
                            10800           ; Refresh after 3 hours
                            3600            ; Retry after 1 hour
                            604800          ; Expire after 1 week
                            86400 )         ; Minimum TTL of 1 day

    ; KeyLabs Name servers
                    IN      NS      ns.keylabs.com.
                    IN      NS      ns2.keylabs.com.

    ; MX Record
                    IN      MX 10   ASPMX.L.GOOGLE.COM.

    ; TXT Record
                    IN      TXT     "v=spf1 include:_spf.google.com ~all"

    ; Address Record
    iso             IN      A       216.119.202.4

    ; Quick Subdomain
    admin.tr        IN      A       216.119.202.4

    ; CNAME
    files           IN      CNAME   iso             ;; cname to local domain
    portal          IN      CNAME   oeey.com.       ;; notice end '.'

    ; PTR
    1               IN      PTR     ws1.oeey.com.

Reverse
    zone "202.119.216.in-addr.arpa" {
            type master;
            file "/etc/bind/rev.202.119.216";
    };

    ; Domain 'lab'
    @               IN SOA  ns.keylabs.com. admin.keylabs.com. (
                            2011052800      ; serial DONT FORGET CHANGE
                            10800           ; Refresh after 3 hours
                            3600            ; Retry after 1 hour
                            604800          ; Expire after 1 week
                            86400 )         ; Minimum TTL of 1 day

    ; KeyLabs Name servers
                    IN      NS      ns.keylabs.com.
                    IN      NS      ns2.keylabs.com.

    ; reverse mapping
    ; KeyLabs ( 216.119.192.0 - 216.119.192.253 )
    1               IN      PTR     ws-192-1.keylabs.com.
    2               IN      PTR     ws-192-2.keylabs.com.

Google Applications
MX Server Settings:

    ; name                  ttl class rr    pref    name
    ; example.com.          IN MX           10      mail.example.com.

    ; GOOGLE APPS
                    IN MX 10        ASPMX.L.GOOGLE.COM.
                    IN MX 20        ALT1.ASPMX.L.GOOGLE.COM.
                    IN MX 20        ALT2.ASPMX.L.GOOGLE.COM.
                    IN MX 30        ASPMX2.GOOGLEMAIL.COM.
                    IN MX 30        ASPMX3.GOOGLEMAIL.COM.
                    IN MX 30        ASPMX4.GOOGLEMAIL.COM.
                    IN MX 30        ASPMX5.GOOGLEMAIL.COM.
                    IN TXT          "v=spf1 include:_spf.google.com ~all"

    ; GOOGLE APPS
    calendar        CNAME           ghs.google.com.
    docs            CNAME           ghs.google.com.
    mail            CNAME           ghs.google.com.

Root Hints
    //
    //  The 'named.root' root cache hints zone for the bind DNS 'named' nameserver.
    //
    //  named's cache must be primed with the addresses of the root zone '.' nameservers.
    //  The root zone file can be obtained by querying the root 'A' nameserver:
    //    $ dig . ns @198.41.0.4 > named.root
    //  Or by download via FTP / HTTP:
    //    $ wget ftp://ftp.rs.internic.net/domain/named.root
    //
    //  Every view that is to provide recursive service must include this zone.
    //
    zone "." IN {
            type hint;
            file "named.root";
    };

Secondary Name Server
Install bind, bind tools, and config files: yum install bind bind-utils

Get the root hints (note the space after dig: the name being queried is "."):

    dig . ns @198.41.0.4 > /etc/named.root.hints

/etc/named.conf:

    // general options
    options {
            // Those options should be used carefully because they disable port
            // randomization
            // query-source   port 53;
            // query-source-v6 port 53;

            // Put files that named is allowed to write in the data/ directory:
            directory "/var/named"; // the default
            dump-file              "data/cache_dump.db";
            statistics-file        "data/named_stats.txt";
            memstatistics-file     "data/named_mem_stats.txt";

            allow-transfer { 216.119.206.253; };
            allow-recursion { 216.119.192.0/20; };
            version "Not disclosed";
    };

    // reduce log verbosity on issues outside our control
    logging {
            category lame-servers { null; };
    };

    // prime the server with knowledge of the root servers
    zone "." {
            type hint;
            file "/etc/named.root.hints";
    };

    //
    // Reverse DNS
    //
    zone "206.119.216.in-addr.arpa" {
            type slave;
            file "slaves/rev.206.119.216.cache";
            masters { 216.119.206.253; };
    };

    //
    // Oeey domains below here
    //
    zone "oeey.com" {
            type slave;
            file "slaves/db.oeey.cache";
            masters { 216.119.206.253; };
    };

DNS Security
Secure dynamic DNS howto

Secure BIND Template v7.1 14 May 2009 TEAM CYMRU noc@cymru.com

Hide Version
Check Version (any of the following):

    dig @[NS_SERVER] -c CH -t txt version.bind
    nslookup -q=txt -class=CHAOS version.bind. 0
    dig @nameserver version.bind txt chaos
    nslookup -type=txt -class=chaos version.bind nameserver

    options {
            ...
            version "not disclosed";
    };

Or:

    version "surely you must be joking";

References:
 * How To Hide BIND DNS Sever Version - http://www.cyberciti.biz/faq/hide-bind9-dns-sever-version/
 * Determining/hiding BIND version number - http://www.brandonhutchinson.com/Determining_hiding_BIND_version_number.html
 * The FreeBSD Diary -- What version of bind are you running? - http://www.freebsddiary.org/bind-version.php

Log Queries
    logging {
            /* ..... */
            channel query_log {
                    //file "data/query.log";
                    syslog kern;
                    severity debug;
            };
            category queries { query_log; };
    };

References:
 * DNS BIND logging Clause - http://www.zytrax.com/books/dns/ch7/logging.html
 * Troubleshooting - https://help.ubuntu.com/8.04/serverguide/C/dns-troubleshooting.html
 * Bind 9 query logging - https://lists.isc.org/pipermail/bind-users/2009-January/074967.html

Firewall
DNS uses UDP port 53:

    iptables -A INPUT -p udp -i eth0 --destination-port 53 -j ACCEPT

BUT:

"Remember that queries can be TCP-based as well as UDP-based, so you must allow traffic from queriers to TCP port 53 as well as UDP port 53, and from your name server to TCP port 53." 

"By default host uses UDP when making queries. The -T option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests." 

"Please note that here I'm not allowing TCP protocol as I don't have secondary DNS server to do zone transfer. Please note if you have secondary server, add following rules to above rules so that secondary server can do zone transfer from primary DNS server..." http://www.cyberciti.biz/tips/linux-iptables-12-how-to-block-or-open-dnsbind-service-port-53.html

IPv4 Only
Add "-4" to the bind9 config

/etc/default/bind9:

    # run resolvconf?
    RESOLVCONF=yes

    # startup options for the server
    OPTIONS="-4 -u bind"

Source: Configure BIND 9 For IPv4 (or IPv6) Only | Ubuntu Tutorials

Dynamic DNS
Dynamic DNS (DDNS)

See also dhcpd

/var/named/chroot/etc/named.conf:

    zone "dnsknowledge.com" IN {
            type master;
            file "dnsknowledge.com.zone";
            allow-update { key rndckey; };
    };

    # reverse zone
    zone "1.168.192.in-addr.arpa" IN {
            type master;
            file "1.168.192.in-addr.arpa.zone";
            allow-update { key rndckey; };
    };

References:
 * CentOS Linux Setup Dynamic DNS (DDNS) - http://www.dnsknowledge.com/tutorials/centos-tutorials/bind-9/howto-setup-dynamic-dns-ddns/

DNS Cache Poisoning Bug
Make sure the fixed source port is commented out in the "options" section, so that named randomizes its query source port:

    // query-source   port 53;

How do I find out if my DNS server is open to such an attack?

    $ dig +short @{name-server-ip} porttest.dns-oarc.net txt
    $ dig +short @ns1.example.com porttest.dns-oarc.net txt
    $ dig +short @208.67.222.222 porttest.dns-oarc.net txt

Good:

    z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. "208.67.222.222 is GOOD: 26 queries in 0.1 seconds from 26 ports with std dev 17746.18"

Bad:

    z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net. "125.22.47.139 is POOR: 42 queries in 8.4 seconds from 1 ports with std dev 0.00"

With nslookup:

    nslookup -type=txt -timeout=30 porttest.dns-oarc.net
    nslookup -type=txt -timeout=30 porttest.dns-oarc.net ns1.your-isp.com
    nslookup -type=txt -timeout=30 porttest.dns-oarc.net NS-SERVER-IP
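The porttest query above only tells you whether the running server randomizes its source port; the settings that decide that (and the other hardening points from the Hide Version, Firewall and Secondary Name Server sections: version string, allow-recursion, allow-transfer, keyed allow-update) can also be checked in named.conf itself. The following Python audit is an added example, not part of this page or of BIND; it assumes a view-less named.conf such as the Secondary Name Server one, and the two configurations embedded in it are constructed for the demonstration.

```python
"""Audit a view-less named.conf for the hardening points on this page: source-port
randomization, version hiding, recursion and transfer ACLs, and keyed updates."""
import re


def strip_comments(conf: str) -> str:
    """Drop /* */, // and # comments so commented-out directives are not counted as active."""
    conf = re.sub(r"/\*.*?\*/", " ", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def audit_named_conf(conf: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    active = strip_comments(conf)
    findings = []
    # A pinned query-source port defeats source-port randomization (cache-poisoning defence).
    if re.search(r"query-source(-v6)?\b[^;]*\bport\s+\d+", active):
        findings.append("query-source port is pinned; comment it out so named randomizes source ports")
    # Without an override, a CH TXT query for version.bind reveals the exact build.
    if not re.search(r'\bversion\s+"[^"]*"\s*;', active):
        findings.append('no version "..." override in options; BIND version is disclosed')
    # Recursion must be limited to internal clients, or the server is an open resolver.
    if re.search(r"allow-recursion\s*\{\s*any\s*;", active) or (
        "allow-recursion" not in active and not re.search(r"\brecursion\s+no\s*;", active)
    ):
        findings.append("recursion is not restricted to internal clients (open resolver)")
    # Zone transfers should be limited to the secondary's address.
    if "allow-transfer" not in active or re.search(r"allow-transfer\s*\{\s*any\s*;", active):
        findings.append("allow-transfer is unrestricted; limit AXFR to the secondary name server")
    # Updates authorized by source address alone are spoofable; require a TSIG key.
    for m in re.finditer(r"allow-update\s*\{([^}]*)\}", active):
        if not re.search(r"\bkey\b", m.group(1)):
            findings.append("allow-update without a TSIG key: " + " ".join(m.group(0).split()))
    return findings


# The Secondary Name Server configuration from this page, reduced to the options checked.
SECONDARY_CONF = """
options {
        // query-source   port 53;
        // query-source-v6 port 53;
        directory "/var/named";
        allow-transfer { 216.119.206.253; };
        allow-recursion { 216.119.192.0/20; };
        version "Not disclosed";
};
zone "oeey.com" { type slave; file "slaves/db.oeey.cache"; masters { 216.119.206.253; }; };
"""

# A constructed weak configuration that trips every check.
WEAK_CONF = """
options {
        query-source   port 53;
        directory "/var/named";
        allow-recursion { any; };
        allow-transfer { any; };
};
zone "example.test" { type master; file "example.test.zone"; allow-update { 10.0.0.5; }; };
"""

if __name__ == "__main__":
    for name, conf in (("secondary", SECONDARY_CONF), ("weak", WEAK_CONF)):
        print(name, audit_named_conf(conf) or ["ok"])
```

Run it against /etc/named.conf by reading the file into `audit_named_conf`; a configuration that uses views needs the recursion check applied per view instead.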

Tools:
 * DoxPara - DNS Checker

Information and Alerts:
 * The DNS Bug: Why You Should Care | Linux Journal
 * Understanding Kaminsky's DNS Bug | Linux Journal
 * US-CERT Technical Cyber Security Alert TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning

References:
 * Find Out If My DNS Server Free From DNS Cache Poisoning Bug Or Not
 * Verify DNS Cache Poisoning Bug Using Windows XP / Vista / 2003 / 2008 System Command Prompt
 * Security Alert: FreeBSD-SA-08:06.bind DNS cache Poisoning

How do I share a dynamic zone between multiple views
Frequently Asked Questions about BIND 9: Q: How do I share a dynamic zone between multiple views? A: You choose one view to be master and the second a slave and transfer the zone between views.

Journal file creation failed
When trying to add a new client record...

    Jun 16 10:23:09 hal named[29054]: client 127.0.0.1#32925: updating zone 't0e.org/IN': adding an RR at 'KENDAWG.t0e.org' A
    Jun 16 10:23:09 hal named[29054]: client 127.0.0.1#32925: updating zone 't0e.org/IN': adding an RR at 'KENDAWG.t0e.org' TXT
    Jun 16 10:23:09 hal named[29054]: journal file t0e.org.zone.jnl does not exist, creating it
    Jun 16 10:23:09 hal named[29054]: t0e.org.zone.jnl: create: permission denied
    Jun 16 10:23:09 hal named[29054]: client 127.0.0.1#32925: updating zone 't0e.org/IN': error: journal open failed: unexpected error
    Jun 16 10:23:09 hal dhcpd: Unable to add forward map from KENDAWG.t0e.org to 10.10.10.229: timed out


This did not work...

    cd /var/named
    touch t0e.org.zone.jnl
    chown root:named t0e.org.zone.jnl
    service named restart

This did work...

    cd /var/
    chown -R named:named named
    service named restart

Unexpected RCODE (SERVFAIL)
I get several RCODE error messages in the /var/log/messages log file. These are caused by bad external name servers, not our DNS server.


 * How to Stop the "unexpected RCODE (SERVFAIL)" Messages?
 * Log messages for BIND 8 named, named-xfer, ndc and some for BIND 9

Updating Zone Info
This article may indicate a way to generate the .jnl files: nsupdate

Important note: Editing the Zone files while dynamic updates are active...

When dynamic update is enabled for a zone, the zone can no longer be manually edited as normal.

The DNS server keeps a journal (.jnl) file of incoming updates. The file is not automatically synchronized with the zone file, but synchronization can be forced with the "rndc stop" command. Extreme care has to be exercised when manually updating a zone subject to dynamic updates.

When using BIND 9.3 the following can be used, which does not require that named be stopped:

1. rndc freeze example.com
2. edit the zone
3. rndc unfreeze example.com

Remember to increment the serial number in the zone file as you make changes.

Freeze failed not found
    [root@fw ~]# rndc freeze
    rndc: 'freeze' failed: unexpected end of input
    [root@fw ~]# rndc freeze t0e.org
    rndc: 'freeze' failed: not found
    [root@fw ~]# rndc freeze t0e.org internal
    rndc: 'freeze' failed: unknown class/type

This is caused by the "view" configuration.

Unable to freeze zone - Bind DNS - problem with views?

Unable to freeze zone - Bind DNS - problem with views? Reply (http://www.plug.org/pipermail/plug/2007-November/028417.html): when zones live in views, the class and view name must be given as well:

    rndc freeze t0e.org in internal

client query (cache) denied
Error: ns named[13434]: client 65.46.140.82#36817: query (cache) 'txfrwll/AAAA/IN' denied

Cause:
 * This means a recursive request came from the client and was denied. This is good if the client is not an internal system.

Solution:
 * If the client is an internal system that should allow for recursion, add it to the allow-recursion.

For example: allow-recursion { 10.0.0.0/8; };

client update denied
Error: ns named[13434]: client 71.195.222.228#54866: update 'keylabs.com/IN' denied

Cause:
 * Some client attempted to update your DNS records. Bastards.

"Someone is trying to update your DNS data using the RFC2136 Dynamic Update protocol." 

"This is a "feature" of some (newer) windows versions, that try to register their name in the nameserver that they got configured (e.g. via dhcp). I think there is a registry key to disable this behaviour, this should help you to fix the problem." 

Solution:
 * If the client is a DHCP server that you want to allow to update DNS, add it to the allow-update of the zone (allow-transfer only controls zone transfers, not RFC 2136 updates):

Example:

    allow-update { 216.119.202.2; };

lame server resolving
Error: Sep 16 04:16:37 ns named[13434]: lame server resolving 'networking.itags.org' (in 'itags.org'?): 74.86.171.244#53

Cause:
 * "A lame server is one that's not responding to a name request it is expected to handle. "
 * "lame-servers - Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution."

Solution:
 * If you don't want to be notified of these, you can turn off the logging of this event:

    logging {
            // Do not log zones that aren't registered in this server (lame servers)
            category lame-servers { null; };
    };

unexpected RCODE resolving
Error:

    Sep 16 04:33:55 ns named[13691]: unexpected RCODE (SERVFAIL) resolving 'ns3.fs.net/A/IN': 216.165.108.10#53
    Sep 16 04:33:55 ns named[13691]: unexpected RCODE (SERVFAIL) resolving 'ns1.fs.net/A/IN': 216.165.108.10#53
    Sep 16 04:33:55 ns named[13691]: unexpected RCODE (SERVFAIL) resolving 'www.scs.stanford.edu/A/IN': 216.165.108.10#53

    Sep 16 06:57:43 ns named[13691]: unexpected RCODE (REFUSED) resolving 'gapingvoid.com/A/IN': 87.117.237.205#53
    Sep 16 06:57:43 ns named[13691]: unexpected RCODE (REFUSED) resolving 'gapingvoid.com/A/IN': 87.117.237.66#53

Cause:
 * Problems with external Name Servers

Solution:
 * Nothing you can do. You can hide "lame-servers" which should hide this error.

References:
 * Unexpected rcode (SERVFAIL) - KhoLiX Wiki
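The "client query (cache) denied", "client update denied", "lame server resolving" and "unexpected RCODE resolving" sections above, together with the "Journal file creation failed" section, each show a named log line and a cause. The following Python classifier is an added example (not part of this page or of BIND) that parses those message formats, separates events you must act on locally from noise caused by remote servers, and counts them per source address; the sample lines are the ones quoted in those sections.

```python
"""Classify BIND 'named' syslog lines into the event types discussed on this page and
tell apart local problems from noise caused by remote servers."""
import re
from collections import Counter

# One regex per message format shown in the sections above.
PATTERNS = [
    ("query_denied", re.compile(r"client (?P<ip>[\d.]+)#\d+: query \(cache\) '(?P<name>[^']+)' denied")),
    ("update_denied", re.compile(r"client (?P<ip>[\d.]+)#\d+: update '(?P<name>[^']+)' denied")),
    ("lame_server", re.compile(r"lame server resolving '(?P<name>[^']+)'.*: (?P<ip>[\d.]+)#\d+")),
    ("unexpected_rcode", re.compile(r"unexpected RCODE \((?P<rcode>\w+)\) resolving '(?P<name>[^']+)': (?P<ip>[\d.]+)#\d+")),
    ("journal_error", re.compile(r"(?P<name>\S+\.jnl): create: permission denied")),
]

# What each event means for the operator of this server.
ACTIONS = {
    "query_denied": "recursion refused; add the client to allow-recursion only if it is internal",
    "update_denied": "RFC 2136 update refused; expected unless the client is your own DHCP server",
    "lame_server": "remote mis-configuration; silence with 'category lame-servers { null; };'",
    "unexpected_rcode": "remote server fault; nothing to fix locally",
    "journal_error": "named cannot create the .jnl file; fix ownership of the zone directory",
}
LOCAL_KINDS = {"query_denied", "update_denied", "journal_error"}


def classify(line: str):
    """Return a dict describing the event, or None for lines this classifier does not know."""
    for kind, pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            return {"kind": kind, "action": ACTIONS[kind], "local": kind in LOCAL_KINDS, **m.groupdict()}
    return None


def summarize(lines):
    """Count events per kind and per (kind, remote ip); unknown lines count as 'other'."""
    by_kind, by_source = Counter(), Counter()
    for line in lines:
        event = classify(line)
        if event is None:
            by_kind["other"] += 1
            continue
        by_kind[event["kind"]] += 1
        if "ip" in event:
            by_source[(event["kind"], event["ip"])] += 1
    return by_kind, by_source


# Log lines quoted in the sections above (the last two from "Journal file creation failed").
SAMPLE_LOG = [
    "ns named[13434]: client 65.46.140.82#36817: query (cache) 'txfrwll/AAAA/IN' denied",
    "ns named[13434]: client 71.195.222.228#54866: update 'keylabs.com/IN' denied",
    "Sep 16 04:16:37 ns named[13434]: lame server resolving 'networking.itags.org' (in 'itags.org'?): 74.86.171.244#53",
    "Sep 16 04:33:55 ns named[13691]: unexpected RCODE (SERVFAIL) resolving 'ns3.fs.net/A/IN': 216.165.108.10#53",
    "Sep 16 04:33:55 ns named[13691]: unexpected RCODE (SERVFAIL) resolving 'ns1.fs.net/A/IN': 216.165.108.10#53",
    "Sep 16 06:57:43 ns named[13691]: unexpected RCODE (REFUSED) resolving 'gapingvoid.com/A/IN': 87.117.237.205#53",
    "Jun 16 10:23:09 hal named[29054]: journal file t0e.org.zone.jnl does not exist, creating it",
    "Jun 16 10:23:09 hal named[29054]: t0e.org.zone.jnl: create: permission denied",
]

if __name__ == "__main__":
    kinds, sources = summarize(SAMPLE_LOG)
    for line in SAMPLE_LOG:
        event = classify(line)
        print("local" if event and event["local"] else "noise", event["kind"] if event else "other")
    print(kinds, sources.most_common(1))
```

Feed it /var/log/messages line by line to see at a glance whether a burst of "denied" messages comes from one internal host (an ACL to fix) or from many external addresses (nothing to change).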

underscore - bad owner name
Record:

    a_b    A  10.1.1.1

Error:

    fio.onpar.net.zone:37: a_b.fio.onpar.net: bad owner name (check-names)
    zone fio.onpar.net/IN: loading master file fio.onpar.net.zone: bad owner name (check-names)
    _default/fio.onpar.net/IN: bad owner name (check-names)

Cause:
 * Bind doesn't like underscores in owner names, but you can get around this by using the full domain name:

    a_b.fio.onpar.net    A  10.1.1.1
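To see which owner names BIND's check-names rejects and how the forward zones in the Records sections map onto their reverse zones, the following Python example (added here; not code from this page or from BIND) parses the page's t0e.org.zone, flags hostname-type owners that contain an underscore the way named does, and derives the PTR records of the matching in-addr.arpa zone. The two records marked "constructed" are not from the page.

```python
"""Parse the master-file layout used in the Records sections above, apply BIND's
default check-names rule (the 'bad owner name' error), and derive the PTR records
for the matching in-addr.arpa zone."""
import re

# RFC 952/1123 hostname label: letters, digits and hyphen only, so '_' is rejected.
HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
# check-names applies to the owner names of A, AAAA and MX records; TXT/SRV owners such
# as _spf or _sip._tcp are exempt. ('check-names ignore;' in the zone turns it off.)
CHECKED_OWNER_TYPES = {"A", "AAAA", "MX"}

def fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, rdata_tokens) tuples. Handles ';' comments, a parenthesised
    multi-line SOA, and a blank owner column that repeats the previous owner."""
    records, prev_owner, buf = [], origin, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        buf = buf + " " + line if buf else line
        if buf.count("(") > buf.count(")"):
            continue                          # still inside the SOA parentheses
        line, buf = buf, ""
        if line.startswith("$"):
            continue                          # $TTL / $ORIGIN are directives, not records
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner = prev_owner if line[0].isspace() else fqdn(tokens.pop(0), origin)
        if tokens[0] == "IN":
            tokens.pop(0)
        records.append((owner, tokens[0], tokens[1:]))
        prev_owner = owner
    return records

def check_names(records):
    """Report owners that named rejects with 'bad owner name (check-names)'."""
    errors = []
    for owner, rtype, _ in records:
        labels = owner.rstrip(".").split(".")
        if rtype in CHECKED_OWNER_TYPES and not all(HOST_LABEL.match(l) for l in labels):
            errors.append(f"{owner.rstrip('.')}: bad owner name (check-names)")
    return errors

def reverse_records(records, rev_origin):
    """Derive PTR records for the A records inside rev_origin, e.g. '10.10.10.in-addr.arpa.'."""
    net = rev_origin.rstrip(".")
    assert net.endswith(".in-addr.arpa"), "rev_origin must be an in-addr.arpa zone"
    prefix = net[: -len(".in-addr.arpa")].split(".")[::-1]   # '10.10.10' -> ['10', '10', '10']
    ptrs = []
    for owner, rtype, rdata in records:
        octets = rdata[0].split(".") if rtype == "A" else []
        if len(octets) == 4 and octets[: len(prefix)] == prefix:
            ptrs.append((".".join(octets[len(prefix):][::-1]), "PTR", [owner]))
    return ptrs

# The t0e.org.zone from this page, plus two constructed records that exercise check-names.
T0E_ZONE = """\
$TTL   300     ; 5 minutes
t0e.org.        IN SOA  hal.t0e.org. hel.t0e.org. (
                                20070714        ; serial number
                                300             ; refresh (5 minutes)
                                3600            ; retry (1 hour)
                                604800          ; expire (1 week)
                                3600            ; minimum TTL (1 hour)
                                )
                NS      hal.t0e.org.
fw              A       10.10.10.1
hal             A       10.10.10.3
a_b             A       10.10.10.9      ; constructed: underscore in an A owner is rejected
_spf            TXT     "v=spf1 -all"   ; constructed: underscore in a TXT owner is allowed
"""
```

`reverse_records(parse_zone(T0E_ZONE, "t0e.org."), "10.10.10.in-addr.arpa.")` yields the PTR entries 1 and 3 of the t0e.org.rev file shown earlier (plus 9 for the constructed record), which is a quick way to check that forward and reverse zones agree.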

Default named.conf
    //
    // Sample named.conf BIND DNS server 'named' configuration file
    // for the Red Hat BIND distribution.
    //
    // See the BIND Administrator's Reference Manual (ARM) for details, in:
    //   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
    // Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
    // its manual.
    //
    options
    {
            /* make named use port 53 for the source of all queries, to allow
             * firewalls to block all ports except 53:
             */
            query-source   port 53;
            query-source-v6 port 53;

            // Put files that named is allowed to write in the data/ directory:
            directory "/var/named"; // the default
            dump-file               "data/cache_dump.db";
            statistics-file         "data/named_stats.txt";
            memstatistics-file      "data/named_mem_stats.txt";

    };
    logging
    {
            /*      If you want to enable debugging, eg. using the 'rndc trace' command,
             *      named will try to write the 'named.run' file in the $directory (/var/named).
             *      By default, SELinux policy does not allow named to modify the /var/named directory,
             *      so put the default debug log file in data/ :
             */
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    //
    // All BIND 9 zones are in a "view", which allow different zones to be served
    // to different types of client addresses, and for options to be set for groups
    // of zones.
    //
    // By default, if named.conf contains no "view" clauses, all zones are in the
    // "default" view, which matches all clients.
    //
    // If named.conf contains any "view" clause, then all zones MUST be in a view;
    // so it is recommended to start off using views to avoid having to restructure
    // your configuration files in the future.
    //
    view "localhost_resolver"
    {
    /* This view sets up named to be a localhost resolver ( caching only nameserver ).
     * If all you want is a caching-only nameserver, then you need only define this view:
     */
            match-clients           { localhost; };
            match-destinations      { localhost; };
            recursion yes;
            # all views must contain the root hints zone:
            include "/etc/named.root.hints";

            /* these are zones that contain definitions for all the localhost
             * names and addresses, as recommended in RFC1912 - these names should
             * ONLY be served to localhost clients:
             */
            include "/etc/named.rfc1912.zones";
    };
    view "internal"
    {
    /* This view will contain zones you want to serve only to "internal" clients
       that connect via your directly attached LAN interfaces - "localnets" .
     */
            match-clients           { localnets; };
            match-destinations      { localnets; };
            recursion yes;
            // all views must contain the root hints zone:
            include "/etc/named.root.hints";

            // include "named.rfc1912.zones";
            // you should not serve your rfc1912 names to non-localhost clients.

            // These are your "authoritative" internal zones, and would probably
            // also be included in the "localhost_resolver" view above :

            zone "my.internal.zone" {
                    type master;
                    file "my.internal.zone.db";
            };
            zone "my.slave.internal.zone" {
                    type slave;
                    file "slaves/my.slave.internal.zone.db";
                    masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
                    // put slave zones in the slaves/ directory so named can update them
            };
            zone "my.ddns.internal.zone" {
                    type master;
                    allow-update { key ddns_key; };
                    file "slaves/my.ddns.internal.zone.db";
                    // put dynamically updateable zones in the slaves/ directory so named can update them
            };
    };
    key ddns_key
    {
            algorithm hmac-md5;
            secret "use /usr/sbin/dns-keygen to generate TSIG keys";
    };
    view    "external"
    {
    /* This view will contain zones you want to serve only to "external" clients
     * that have addresses that are not on your directly attached LAN interface subnets:
     */
            match-clients           { !localnets; !localhost; };
            match-destinations      { !localnets; !localhost; };

            recursion no;
            // you'd probably want to deny recursion to external clients, so you don't
            // end up providing free DNS service to all takers

            // all views must contain the root hints zone:
            include "/etc/named.root.hints";

            // These are your "authoritative" external zones, and would probably
            // contain entries for just your web and mail servers:

            zone "my.external.zone" {
                    type master;
                    file "my.external.zone.db";
            };
    };