Request: what is the best configuration for a caching-only DNS server (BIND)?


There is no "one size fits all" preferred configuration for any DNS server, including a caching-only nameserver.

The configuration depends on the version of BIND in use and on whether there are local zones that need to be reached through stub zones or forwarding zones.

As a general rule for a caching DNS server:

  • no authoritative zones except "empty" zones that stop local-only traffic (the exact names and number of these zones depend on the BIND version, as newer versions block the RFC 1918 reverse zones by default, and on any "local" domain space used in your organization, such as ".local" for DNS-SD/Avahi/Bonjour/mDNS)
  • stub zones or forward zones to redirect traffic to local authoritative zones that are not delegated from the Internet root
  • restrict recursion to a list of internal networks
  • configure DNSSEC trust anchors and DLV (DNSSEC Lookaside Validation)
  • disable notify and zone transfers (not needed on a caching nameserver)

Below is an example template named.conf for a caching-only DNS server.

This file must be customized for your environment. The template assumes a recent BIND nameserver.

acl "xfer" {
    none;   // Allow no transfers.  If we have other
            // name servers, place them here.
};

acl "trusted" {
    // Place our internal and DMZ subnets in here so that
    // intranet and DMZ clients may send DNS queries.  This
    // also prevents outside hosts from using our name server
    // as a resolver for other domains.
    localhost;      // built-in ACL; add your internal and DMZ subnets here
};

trusted-keys {
    // Trusted key for the ISC DLV service for DNSSEC validation;
    // this needs to be reviewed for BIND 9.7 and up.
    // Only the beginning of the key is shown here; insert the complete key string.
    dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+ju...";
};

logging {
    channel mmsuite_log { file "/var/named/mmsuite.log" size 200M versions 10; severity notice; print-category yes; print-severity yes; print-time yes; };
    channel mmsuite_syslog { syslog daemon; severity info; print-category yes; print-severity yes; print-time yes; };
    channel dnssec_log { file "/var/named/dnssec.log" size 200M versions 10; severity debug 3; print-category yes; print-severity yes; print-time yes; };
    category dnssec { dnssec_log; };
    category client { mmsuite_log; };
    category config { mmsuite_log; };
    category database { mmsuite_log; };
    category default { mmsuite_log; mmsuite_syslog; };
    category dispatch { null; };
    category general { mmsuite_log; };
    category lame-servers { null; };
    category network { null; };
    category notify { mmsuite_log; };
    category queries { null; };
    category resolver { mmsuite_log; };
    category security { mmsuite_log; };
    category unmatched { null; };
    category update { mmsuite_log; };
    category update-security { mmsuite_log; mmsuite_syslog; };
    category xfer-in { mmsuite_log; };
    category xfer-out { mmsuite_log; };
};

// Set options for security
options {
    directory "/var/named";
    pid-file "/var/named/";
    statistics-file "/var/named/named.stats";
    memstatistics-file "/var/named/named.memstats";
    dump-file "/var/adm/named.dump";
    zone-statistics yes;

    // enable DNSSEC
    dnssec-enable yes;          // all BIND 9 versions
    dnssec-validation auto;     // uses the compiled-in trust anchor;
                                // older versions (BIND 9.4.3-P2 and later) only
                                // accept "dnssec-validation yes;"

    // DNSSEC Lookaside Validation
    dnssec-lookaside . trust-anchor dlv.isc.org.;

    // Prevent DoS attacks by generating bogus zone transfer
    // requests.  This will result in slower updates to the
    // slave servers (e.g. they will await the poll interval
    // before checking for updates).
    notify no;

    // Generate more efficient zone transfers.  This will place
    // multiple DNS records in a DNS message, instead of one per
    // DNS message.
    transfer-format many-answers;

    // Set the maximum zone transfer time to something more
    // reasonable.  In this case, we state that any zone transfer
    // that takes longer than 60 minutes is unlikely to ever
    // complete.  WARNING:  If you have very large zone files,
    // adjust this to fit your requirements.
    max-transfer-time-in 60;

    // We have no dynamic interfaces, so BIND shouldn't need to
    // poll for interface state {UP|DOWN}.
    interface-interval 0;

    allow-transfer {
        // Zone transfers would be limited to members of the "xfer" ACL;
        // a caching-only server needs none at all.
        none;
    };

    recursion yes;

    allow-query {
        // Accept queries from our "trusted" ACL.  We will
        // allow anyone to query our master zones below.
        // This prevents us from becoming a free DNS server
        // to the masses.
        trusted;
    };
    allow-recursion {
        // Only the "trusted" networks may use this server as a recursive resolver.
        trusted;
    };
    allow-query-cache {
        // Accept queries of our cache from our "trusted" ACL.
        trusted;
    };
};

view "internal-in" in {
    // Our internal (trusted) view.  We permit the internal networks
    // to freely access this view.  We perform recursion for our
    // internal hosts, and retrieve data from the cache for them.
    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    zone "0.0.127.in-addr.arpa" in {
        // Allow queries for the 127/8 network, but not zone transfers.
        // Every name server, both slave and master, will be a master
        // for this zone.
        type master;
        file "master/db.127.0.0";
        allow-query { any; };
        allow-transfer { none; };
    };

    zone "internal.example" in {          // placeholder: your internal domain
        // Our internal A RR zone.  There may be several of these.
        // Because this is a caching-only DNS server, we forward to the
        // authoritative DNS servers.
        type forward;
        forward only;
        forwarders { 192.0.2.1; 192.0.2.2; };   // placeholders: your authoritative servers
    };

    zone "1.168.192.in-addr.arpa" in {    // placeholder: your internal reverse zone
        // Our internal PTR RR zone.  Again, there may be several of these.
        // Because this is a caching-only DNS server, we forward to the
        // authoritative DNS servers.
        type forward;
        forward only;
        forwarders { 192.0.2.1; 192.0.2.2; };   // placeholders: your authoritative servers
    };

    zone "local" in {
        // Special "empty" zone to stop traffic that only appears local from
        // being leaked into the Internet.  The exact names and number of these
        // zones need to be evaluated by using DNS monitoring tools, such as the
        // Men & Mice Traffic Monitor, dnstop or tcpdump.
        // ".local" should not be used anymore as it is reserved for multicast DNS
        // (see RFC 6762), but it is still in use in so many companies...
        type master;
        file "hosts/masters/empty-zone.hosts";
    };
};  // end of view

// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
// This is a good idea from a support point of view.
view "external-chaos" chaos {
    match-clients { any; };
    recursion no;

    zone "." {
        type hint;
        file "/dev/null";
    };

    zone "bind" {
        type master;
        file "hosts/masters/db.bind";
        allow-query { trusted; };
        allow-transfer { none; };
    };
};

-------- (empty-zone.hosts) --------------
;; special "empty" zonefile to be used to stop local traffic on caching nameservers
;; from being leaked into the Internet
;; adjust the hostnames and the hostmaster address according to your environment
$TTL 86400
@   IN SOA hostname.of.master.nameserver. hostmaster.hostname.of.master.nameserver. (
        2010011501  ; serial
        30d         ; refresh
        1d          ; retry
        40w         ; expire
        8h )        ; minimum (negative caching TTL)
@   IN NS  hostname.of.master.nameserver.
@   IN NS  hostname.of.secondary.nameserver.

-------- (db.bind) --------------
$TTL 1D
$ORIGIN bind.
@   1D CHAOS SOA localhost. root.localhost. (
        2010012001  ; serial
        3H          ; refresh
        1H          ; retry
        1W          ; expiry
        1D )        ; minimum
    CHAOS NS  localhost.
version.bind.   CHAOS TXT "a DNS Server Version 1"
authors.bind.   CHAOS TXT "are better coders than I. :)"
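As an added check (not part of the page's template or of BIND), the script below applies the checklist from the top of the page to the top-level options block of a named.conf: recursion restricted by allow-recursion, zone transfers off, notify off, DNSSEC validation on. It inspects only the options block (not views) and runs on two constructed sample configurations embedded in the script.

```python
import re
from typing import List, Optional

# Two constructed sample configurations (not the page's template): one weak, one hardened.
WEAK_CONF = """
options {
    recursion yes;            // open to the world: no allow-recursion
    allow-transfer { any; };
    notify yes;
    dnssec-validation no;
};
"""
HARDENED_CONF = """
acl "trusted" { 10.0.0.0/8; };
options {
    recursion yes;
    allow-recursion { trusted; };
    allow-transfer { none; };
    notify no;
    dnssec-validation auto;   // compiled-in trust anchor
};
"""

def options_block(conf: str) -> str:
    """Body of the top-level options { ... } block, found by brace counting."""
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]

def setting(block: str, name: str) -> Optional[str]:
    """Whitespace-stripped value of `name value;` (value may be a { ... } list), or None."""
    block = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", block, flags=re.S)  # drop comments first
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s+(\{[^}]*\}|[^;{]*?)\s*;", block)
    return re.sub(r"\s+", "", m.group(1)) if m else None

def lint_caching_resolver(conf: str) -> List[str]:
    """Apply the caching-only checklist to the options block; one finding per violated rule."""
    opt, findings = options_block(conf), []
    if setting(opt, "recursion") == "yes" and setting(opt, "allow-recursion") in (None, "{any;}"):
        findings.append("recursion is unrestricted: add allow-recursion { <internal networks>; }")
    if setting(opt, "allow-transfer") != "{none;}":
        findings.append("allow-transfer is not { none; }")
    if setting(opt, "notify") != "no":
        findings.append("notify is not disabled")
    if setting(opt, "dnssec-validation") not in ("yes", "auto"):
        findings.append("dnssec-validation is not yes or auto")
    return findings
```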