named.conf

// This is an example named.conf
// you really should do some reading of your own

acl "ns1" {
		192.18.1.2;
        fd12:3456:789a:1::53;
	};

acl "ns2" {
        192.18.6.2;
        fd12:6543:a987:1::53;
    };


options {
		directory "/var/named";
		notify no;

        // explicity list which interfaces to listen
        // ipv6
        // https://deepthought.isc.org/article/AA-00821/0/Is-it-possible-to-configure-BIND-to-use-both-IPv6-and-IPv4-on-the-same-server.html
        listen-on-v6 { any; };

        // ipv4
        // https://www.cyberciti.biz/faq/unix-linux-bsd-bind-dns-listenon-configuration/
        listen-on { any; };

		// enable dnssec
		// ref: https://www.howtoforge.com/configuring-dnssec-on-bind9-9.7.3-on-debian-squeeze-ubuntu-11.10-p3#-enabling-dnssec-on-the-resolving-dns-server
		dnssec-enable yes;
		dnssec-validation yes;
		dnssec-lookaside auto;


		forward first;
		forwarders {
			9.9.9.9;				// quad 9
			216.146.35.35;			// dyn
      74.82.42.42;			// hurricane electric
			64.6.65.6;				// verisign
			209.244.0.4;			// level 3
			1.1.1.1;				// cloudflare

			2620:fe::fe;			// quad 9
      2001:470:20::2;         // hurricane electric
			2001:67c:28a4::;        // https://blog.uncensoreddns.org/dns-servers/
			2620:74:1c::2:2;		// verisign
			2001:4860:4860::8888;	// google
      2001:470:1f04:ebf::2;   // http://servers.opennicproject.org/

			};

		allow-transfer { none; };
		interface-interval 0;
		max-transfer-time-in 5;
		// Hide the BIND version
		version "[91285]";


		dump-file 	"/var/named/data/cache_dump.db";
		statistics-file "/var/named/data/named_stats.txt";
		memstatistics-file "/var/named/data/named_mem_stats.txt";
		pid-file "/run/named/named.pid";
		session-keyfile "/var/run/named/session.key";

		/* Path to ISC DLV key */
		bindkeys-file "/etc/named.iscdlv.key";
		managed-keys-directory "/var/named/dynamic";

		// allow recursion
		recursion yes;
		allow-recursion { any; };
		allow-recursion-on { ns1; ns2; };
		allow-query-cache-on { ns1; ns2; };

        // random record return order
        // http://www.zytrax.com/books/dns/ch7/queries.html#recursion
        rrset-order {order random;};


		// rate limiting
		// ref -> http://www.redbarn.org/dns/ratelimits
		//ref -> http://www.zytrax.com/books/dns/ch7/hkpng.html#rate-limit
		//ref -> http://lists.redbarn.org/pipermail/ratelimits/2013-February/000234.html
        // ref -> https://deepthought.isc.org/article/AA-00994/0/Using-the-Response-Rate-Limiting-Feature-in-BIND-9.10.html
		rate-limit {
				responses-per-second 45; // covers non-empty identical queries
				referrals-per-second 25;
				nxdomains-per-second 17;
				nodata-per-second 15;
				errors-per-second 15;  // need high error-per-second because the farm seems to generate a lot
				all-per-second 70;  // covers all queries from client
				exempt-clients {
                       ns1; // avoid blocking ns1
                        ns2; // avoid blocking ns2
			    	};
				slip 0;	// just silently drop all limited requests
				window 600;
			};

};

logging {
	channel named_log {
		file "/var/log/named.log" versions 7 size 7m;
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
		};

    channel rate_limit_log {
        file "/var/log/rate-limit.log" versions 5 size 1m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
        };

	channel system_log {
		syslog local3;
		severity info;
		print-category yes;
		};

    channel system_log_error {
        syslog local3;
        severity error;
        print-category yes;
        };

    channel system_log_warning {
        syslog local3;
        severity warning;
        print-category yes;
        };

	channel null { null; };

	channel update_debug {
		file "/var/log/update-debug.log" versions 5 size 1m;
		severity debug 3;
		print-category yes;
		print-severity yes;
		print-time yes;
		};

	channel security_info {
		file "/var/log/named-auth.log" versions 5 size 2m;
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
		};

	channel security_warning {
		file "/var/log/named-auth.log" versions 5 size 2m;
		severity warning;
		print-category yes;
		print-severity yes;
		print-time yes;
		};

	category "update" { "update_debug"; };
	// if you want more verbose security logging/output
	// change the channgel to security_info
	category "security" { "security_warning"; "system_log"; };
	category "default" { "named_log"; "system_log"; };
	category "lame-servers" { "null"; };
	category "rate-limit" { "system_log"; rate_limit_log; };
	category "xfer-in" { "system_log"; };
	category "xfer-out" { "system_log"; };
	category "query-errors" { "system_log"; };

    // see if we can get more info about query-errors
    category "queries" { "system_log_warning"; };
};

zone "." {
		type hint;
		file "named.root";
	};

zone "0.0.127.IN-ADDR.ARPA" {
		type master;
		file "localhost.rev";
		allow-query { any; };
		allow-transfer { none; };
	};


// stats found at http://www.linuxquestions.org/questions/linux-server-73/bind-memory-usage-keeps-increasing-886348/
statistics-channels {
inet 127.0.0.1 port 9999 allow { 127.0.0.1; };
};

// defeat dns ANY queries via iptables magic
// -A INPUT -p udp -m udp --dport 53 -m string --hex-string "|00ff0001|" --algo bm --to 65535 -m recent --set --name dnsanyquery --rsource
// -A INPUT -p udp -m udp --dport 53 -m string --hex-string "|00ff0001|" --algo bm --to 65535 -m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery --rsource -j DROP

// same thing but with firewall-cmd
// firewall-cmd --permanent --zone public --direct --add-rule ipv4 filter INPUT 0 -p udp -m udp --dport 53 -m string --hex-string "|00ff0001|" --algo bm --to 65535 -m recent --set --name dnsanyquery --rsource
// firewall-cmd --permanent --zone public --direct --add-rule ipv4 filter INPUT 1 -p udp -m udp --dport 53 -m string --hex-string "|00ff0001|" --algo bm --to 65535 -m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery --rsource -j DROP

// this bit here includes the malware & adserver zone generated by grab_blocklists.sh
// Include AD Server blocklist
include "/var/named/masters/ad_block.txt";

// Include Malware blocklist
include "/var/named/masters/malware_block.txt";

// Include doh canary doain
include "/var/named/masters/use-application-dns.net.zone";