authorJonas Smedegaard <dr@jones.dk>2025-05-06 13:23:11 +0200
committerJonas Smedegaard <dr@jones.dk>2025-05-06 13:27:21 +0200
commit2cbef62eefd8fda5c105bf2ce6621ebdadc7b971 (patch)
tree734dd8c4bc358abc6c3bdaf3eca19ae31db52bd4
parentc897418b8bc5512f54080489c47c3bc3fc30117d (diff)
modernize bind local snippet
-rw-r--r--bind/named.conf.local48
1 files changed, 44 insertions, 4 deletions
diff --git a/bind/named.conf.local b/bind/named.conf.local
index 4991dd6..037baea 100644
--- a/bind/named.conf.local
+++ b/bind/named.conf.local
@@ -1,22 +1,62 @@
include "/etc/local-JONES.DK/bind/named.conf.acl";
+
+acl jones_internals {
+ localhost;
+ 192.168.0.0/16;
+ 2a12:3d83:7021::/48;
+ fd00::/8;
+ fe80::/10;
+};
+acl not_jones_internals {
+ 10.0.0.0/8;
+ 100.64.0.0/10;
+ 172.16.0.0/12;
+ fc00::/8;
+};
view "internal" {
- match-clients { 127.0.0.0/24; 192.168.222.0/24; };
+ match-clients { jones_internals; };
+ match-destinations { jones_internals; };
+ match-recursive-only yes;
+
+ allow-query { jones_internals; };
+ allow-recursion { jones_internals; };
+ allow-transfer { none; };
+// blackhole { not_jones_internals; };
include "/etc/local-JONES.DK/bind/named.conf.fake-222";
include "/etc/local-REDPILL.DK/bind/named.conf.FSUB.DE";
- include "/etc/bind/named.conf.default-zones";
+ // prime the server with knowledge of the root servers
+ zone "." {
+ type hint;
+ file "/usr/share/dns/root.hints";
+ };
+
+ plugin query "filter-aaaa.so" {
+ filter-aaaa-on-v4 yes;
+ filter-aaaa-on-v6 yes;
+ filter-aaaa { any; };
+ };
};
view "external" {
match-clients { any; };
recursion no;
- include "/etc/bind/zones.rfc1918";
+ // https://rhn.redhat.com/errata/RHSA-2013-0550.html
+ rate-limit {
+ responses-per-second 5;
+ window 5;
+ };
+
+// include "/etc/bind/zones.rfc1918";
include "/etc/local-JONES.DK/bind/named.conf.pri";
include "/etc/local-REDPILL.DK/bind/named.conf.FSUB.DE.internal";
- include "/etc/bind/named.conf.default-zones";
+ // prime the server with knowledge of the root servers
+ zone "." {
+ type hint;
+ file "/usr/share/dns/root.hints";
+ };
};
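Review bot: The external view (the block starting at `view "external" {`) gains `recursion no` and a `rate-limit`, but unlike the internal view it sets no `allow-transfer`, so the public zones pulled in from named.conf.pri and FSUB.DE.internal inherit BIND's default unless those included files set it per zone; on releases where that default is `any`, anyone on the internet can AXFR them. Add `allow-transfer { none; };` (or an ACL naming the secondaries) next to `recursion no;` so the two views are consistent. The `not_jones_internals` ACL is now referenced only from the commented-out `// blackhole { not_jones_internals; };` line, and `blackhole` is an `options`-level statement rather than a view statement in BIND, so either move it to `options` or drop the unused ACL. `filter-aaaa-on-v6 yes;` strips AAAA records even for IPv6 clients in `jones_internals`, which looks unintended given the ACL's IPv6 prefixes; if it is deliberate, a one-line comment stating why would save the next reader a trip to the plugin docs. The `zone "."` hint block in the external view is harmless but unused while `recursion no` is set.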