<div dir="ltr">I'm implementing a caching resolver under FreeBSD 13.1 running on a RaspberryPI. Bind 9.18.11<div><br></div><div>My named.conf is below. My question is do these look like workable options? I include logging and a statistics channel in my preliminary implementations for more detail on what's going on. That will go away eventually. Any comments are welcome.</div><div><br></div><div>Thanks,</div><div><br></div><div>Bob</div><div><br></div><div>named.conf:</div><div><br></div><div>// Private address ranges (RFC 1918) that are allowed to query and recurse; referenced by the allow-* statements and the statistics channel below.<br>acl rfc1918-nets {<br>        <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a>;<br>        <a href="http://172.16.0.0/12" target="_blank">172.16.0.0/12</a>;<br>        <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a>;<br>};<br><br>include "/usr/local/etc/namedb/rndc.key";<br><br>// The rndc control sockets are bound to loopback only and require the shared rndc-key from the include above.<br>controls {<br>        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };<br>        inet ::1 port 953 allow { ::1; } keys { rndc-key; };<br>};<br><br>options {<br>        directory       "/usr/local/etc/namedb/working";<br>        pid-file        "/var/run/named/pid";<br>        dump-file       "/var/dump/named_dump.db";<br>        statistics-file "/var/stats/named.stats";<br>        secroots-file "/var/cache/bind/secroots.txt";<br>        memstatistics-file "/var/stats/named_mem_stats.txt";<br>        managed-keys-directory "/var/cache/bind";<br>        session-keyfile "/var/cache/bind/session.key";<br>        recursion yes;<br>        masterfile-format text;<br>        minimal-responses no;<br>        // NOTE(review): "no" returns full authority/additional sections on every answer; a caching resolver usually runs with minimal-responses yes, which keeps responses smaller.<br>        empty-zones-enable yes;<br>        empty-server "raspberrypi-00.ddisupport.tech";<br>        empty-contact "robert\.mcdonald.ddiarchitect.tech";<br>        // The escaped dot keeps "robert.mcdonald" as the mailbox label of the SOA RNAME used in the built-in empty zones.<br>        querylog yes;<br>        query-source address 172.27.255.99;<br>        // Only the address is pinned here; leaving the port unspecified preserves source-port randomisation for outbound queries, so do not add a fixed port.<br>        transfer-source 172.27.255.99;<br>        notify-source 172.27.255.99;<br>        request-nsid yes;<br>        server-id hostname;<br>        zone-statistics full;<br>        dnssec-validation auto;<br>        dnssec-accept-expired 
no;<br><br>        listen-on       { 127.0.0.1; };<br>        listen-on       { 172.27.255.99; };<br>        listen-on-v6    { ::1; };<br><br>        allow-query { ::1; 127.0.0.1; rfc1918-nets; };<br>        allow-query-cache { ::1; 127.0.0.1; rfc1918-nets; };<br>        allow-recursion { ::1; 127.0.0.1; rfc1918-nets; };<br>        // Queries, cache access and recursion are limited to loopback plus rfc1918-nets; 172.27.255.99 falls inside 172.16.0.0/12, so clients on that network are covered and anything outside those ranges is refused.<br>};<br><br></div><div>zone "localhost"        { type master; file "/usr/local/etc/namedb/primary/localhost-forward.db"; };<br>zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/primary/localhost-reverse.db";};<br><br></div><div>statistics-channels {<br>        // NOTE(review): the statistics channel has no authentication; allow { rfc1918-nets; } exposes server and zone statistics to every host on those networks. Restrict it to the monitoring host's address or to 127.0.0.1 for as long as it is enabled.<br>        inet 172.27.255.99 port 28079 allow { rfc1918-nets; };<br>};<br><br>logging {<br>        channel default_log {<br>                file "/var/log/named/default" versions 3 size 1m;<br>                print-time yes;<br>                print-category yes;<br>                print-severity yes;<br>                severity info;<br>        };<br>        channel auth_servers_log {<br>                file "/var/log/named/auth_servers" versions 3 size 1m;<br>                print-time yes;<br>                print-category yes;<br>                print-severity yes;<br>                severity info;<br>        };<br>        channel dnssec_log {<br>                file "/var/log/named/dnssec" versions 3 size 1m;<br>                print-time yes;<br>                print-category yes;<br>                print-severity yes;<br>                severity info;<br>        };<br>        channel zone_transfers_log {<br>                file "/var/log/named/zone_transfers" versions 3 size 1m;<br>                print-time yes;<br>                print-category yes;<br>                print-severity yes;<br>                severity info;<br>        };<br>        channel ddns_log {<br>                file "/var/log/named/ddns" versions 3 size 1m;<br>                print-time yes;<br>                print-category yes;<br>                print-severity yes;<br>                severity 
info;<br>        };<br>        channel client_security_log {<br>                file "/var/log/named/client_security" versions 3 size 1m;<br>                print-time yes;<br>                print-category yes;<br>                print-severity yes;<br>                severity info;<br>        };<br>        channel rate_limiting_log {<br>                file "/var/log/named/rate_limiting" versions 3 size 1m;<br>                print-time yes;<br>                print-category yes;<br>                print-severity yes;<br>                severity info;<br>        };<br>        channel rpz_log {<br>                file "/var/log/named/rpz" versions 3 size 1m;<br>                print-time yes;<br>                print-category yes;<br>                print-severity yes;<br>                severity info;<br>        };<br>        channel dnstap_log {<br>                file "/var/log/named/dnstap" versions 3 size 1m;<br>                print-time yes;<br>                print-category yes;<br>                print-severity yes;<br>                severity info;<br>        };<br>        channel queries_log {<br>                file "/var/log/named/queries" versions 600 size 20m;<br>                // NOTE(review): 600 files of 20 MB allows up to 12 GB of query logs on an SD-card-backed Pi; with querylog on, every client query is written here, so a shorter retention is advisable before this goes into service.<br>                print-time yes;<br>                print-category yes;<br>                print-severity yes;<br>                severity info;<br>        };<br>        channel query-errors_log {<br>                file "/var/log/named/query-errors" versions 5 size 20m;<br>                print-time yes;<br>                print-category yes;<br>                print-severity yes;<br>                severity dynamic;<br>        };<br>        channel default_syslog {<br>                print-time yes;<br>                print-category yes;<br>                print-severity yes;<br>                syslog daemon;<br>                severity info;<br>        };<br>        channel default_debug {<br>                print-time yes;<br>                print-category yes;<br>                
print-severity yes;<br>                file "/var/log/named/named.debug";<br>                severity dynamic;<br>                // With severity dynamic this file follows the server's current debug level, so it stays quiet until tracing is raised with rndc.<br>        };<br><br>        category default { default_syslog; default_debug; default_log; };<br>        category config { default_syslog; default_debug; default_log; };<br>        category dispatch { default_syslog; default_debug; default_log; };<br>        category network { default_syslog; default_debug; default_log; };<br>        category general { default_syslog; default_debug; default_log; };<br><br>        category resolver { auth_servers_log; default_debug; };<br>        category cname { auth_servers_log; default_debug; };<br>        category delegation-only { auth_servers_log; default_debug; };<br>        category lame-servers { auth_servers_log; default_debug; };<br>        category edns-disabled { auth_servers_log; default_debug; };<br><br>        category dnssec { dnssec_log; default_debug; };<br><br>        category notify { zone_transfers_log; default_debug; };<br>        category xfer-in { zone_transfers_log; default_debug; };<br>        category xfer-out { zone_transfers_log; default_debug; };<br><br>        category update{ ddns_log; default_debug; };<br>        category update-security { ddns_log; default_debug; };<br><br>        category unmatched{ client_security_log; default_debug; };<br>        category client{ client_security_log; default_debug; };<br>        category security { client_security_log; default_debug; };<br><br>        category rate-limit { rate_limiting_log; default_debug; };<br>        category spill { rate_limiting_log; default_debug; };<br>        // NOTE(review): database covers the server's internal zone/cache database messages, not rate limiting; it probably belongs with default_log rather than rate_limiting_log.<br>        category database { rate_limiting_log; default_debug; };<br><br>        category rpz { rpz_log; default_debug; };<br><br><br>        category queries { queries_log; };<br><br>        category query-errors {query-errors_log; };<br>//<br>// Log messages relating to the "dnstap" DNS traffic capture system  (if you<br>// are not using dnstap, then you may want to comment out 
this category and<br>// associated channel).<br>//<br>        category dnstap { dnstap_log; default_debug; };<br>};</div></div>