Commit 1479200a authored by Evan Hunt's avatar Evan Hunt

[master] DDoS mitigation features

3938.	[func]		Added quotas to be used in recursive resolvers
			that are under high query load for names in zones
			whose authoritative servers are nonresponsive or
			are experiencing a denial of service attack.

			- "fetches-per-server" limits the number of
			  simultaneous queries that can be sent to any
			  single authoritative server.  The configured
			  value is a starting point; it is automatically
			  adjusted downward if the server is partially or
			  completely non-responsive. The algorithm used to
			  adjust the quota can be configured via the
			  "fetch-quota-params" option.
			- "fetches-per-zone" limits the number of
			  simultaneous queries that can be sent for names
			  within a single domain.  (Note: Unlike
			  "fetches-per-server", this value is not
			  self-tuning.)
			- New stats counters have been added to count
			  queries spilled due to these quotas.

			See the ARM for details of these options. [RT #37125]
parent e8f98ec8
......@@ -767,7 +767,28 @@
3939. [func] Improve UPDATE forwarding performance by allowing TCP
connections to be shared. [RT #37039]
3938. [placeholder]
3938. [func] Added quotas to be used in recursive resolvers
that are under high query load for names in zones
whose authoritative servers are nonresponsive or
are experiencing a denial of service attack.
- "fetches-per-server" limits the number of
simultaneous queries that can be sent to any
single authoritative server. The configured
value is a starting point; it is automatically
adjusted downward if the server is partially or
completely non-responsive. The algorithm used to
adjust the quota can be configured via the
"fetch-quota-params" option.
- "fetches-per-zone" limits the number of
simultaneous queries that can be sent for names
within a single domain. (Note: Unlike
"fetches-per-server", this value is not
self-tuning.)
- New stats counters have been added to count
queries spilled due to these quotas.
See the ARM for details of these options. [RT #37125]
3937. [func] Added some debug logging to better indicate the
conditions causing SERVFAILs when resolving.
......
......@@ -2216,6 +2216,11 @@ client_request(isc_task_t *task, isc_event_t *event) {
if (result == DNS_R_OPTERR)
(void)ns_client_addopt(client, client->message,
&client->opt);
ns_client_log(client, NS_LOGCATEGORY_CLIENT,
NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
"message parsing failed: %s",
isc_result_totext(result));
ns_client_error(client, result);
goto cleanup;
}
......
......@@ -173,6 +173,8 @@ options {\n\
dnssec-enable yes;\n\
dnssec-validation yes; \n\
dnssec-accept-expired no;\n\
fetches-per-zone 0;\n\
fetch-quota-params 100 0.1 0.3 0.7;\n\
clients-per-query 10;\n\
max-clients-per-query 100;\n\
max-recursion-depth 7;\n\
......@@ -180,6 +182,7 @@ options {\n\
zero-no-soa-ttl-cache no;\n\
nsec3-test-zone no;\n\
allow-new-zones no;\n\
fetches-per-server 0;\n\
"
#ifdef HAVE_GEOIP
"\
......
......@@ -15,8 +15,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.h,v 1.118 2012/01/31 23:47:31 tbox Exp $ */
#ifndef NAMED_SERVER_H
#define NAMED_SERVER_H 1
......@@ -51,6 +49,7 @@ struct ns_server {
isc_quota_t xfroutquota;
isc_quota_t tcpquota;
isc_quota_t recursionquota;
dns_acl_t *blackholeacl;
dns_acl_t *keepresporder;
char * statsfile; /*%< Statistics file name */
......
......@@ -217,6 +217,9 @@ struct dumpcontext {
isc_mem_t *mctx;
isc_boolean_t dumpcache;
isc_boolean_t dumpzones;
isc_boolean_t dumpadb;
isc_boolean_t dumpbad;
isc_boolean_t dumpfail;
FILE *fp;
ISC_LIST(struct viewlistentry) viewlist;
struct viewlistentry *view;
......@@ -2385,7 +2388,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
unsigned int dlzargc;
char **dlzargv;
const cfg_obj_t *disabled;
const cfg_obj_t *obj;
const cfg_obj_t *obj, *obj2;
const cfg_listelt_t *element;
in_port_t port;
dns_cache_t *cache = NULL;
......@@ -3044,6 +3047,53 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
}
dns_adb_setadbsize(view->adb, max_adb_size);
/*
* Set up ADB quotas
*/
{
isc_uint32_t fps, freq;
double low, high, discount;
obj = NULL;
result = ns_config_get(maps, "fetches-per-server", &obj);
INSIST(result == ISC_R_SUCCESS);
obj2 = cfg_tuple_get(obj, "fetches");
fps = cfg_obj_asuint32(obj2);
obj2 = cfg_tuple_get(obj, "response");
if (!cfg_obj_isvoid(obj2)) {
const char *resp = cfg_obj_asstring(obj2);
isc_result_t r;
if (strcasecmp(resp, "drop") == 0)
r = DNS_R_DROP;
else if (strcasecmp(resp, "fail") == 0)
r = DNS_R_SERVFAIL;
else
INSIST(0);
dns_resolver_setquotaresponse(view->resolver,
dns_quotatype_server, r);
}
obj = NULL;
result = ns_config_get(maps, "fetch-quota-params", &obj);
INSIST(result == ISC_R_SUCCESS);
obj2 = cfg_tuple_get(obj, "frequency");
freq = cfg_obj_asuint32(obj2);
obj2 = cfg_tuple_get(obj, "low");
low = (double) cfg_obj_asfixedpoint(obj2) / 100.0;
obj2 = cfg_tuple_get(obj, "high");
high = (double) cfg_obj_asfixedpoint(obj2) / 100.0;
obj2 = cfg_tuple_get(obj, "discount");
discount = (double) cfg_obj_asfixedpoint(obj2) / 100.0;
dns_adb_setquota(view->adb, fps, freq, low, high, discount);
}
/*
* Set resolver's lame-ttl.
*/
......@@ -3503,6 +3553,27 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
INSIST(result == ISC_R_SUCCESS);
dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "fetches-per-zone", &obj);
INSIST(result == ISC_R_SUCCESS);
obj2 = cfg_tuple_get(obj, "fetches");
dns_resolver_setfetchesperzone(view->resolver, cfg_obj_asuint32(obj2));
obj2 = cfg_tuple_get(obj, "response");
if (!cfg_obj_isvoid(obj2)) {
const char *resp = cfg_obj_asstring(obj2);
isc_result_t r;
if (strcasecmp(resp, "drop") == 0)
r = DNS_R_DROP;
else if (strcasecmp(resp, "fail") == 0)
r = DNS_R_SERVFAIL;
else
INSIST(0);
dns_resolver_setquotaresponse(view->resolver,
dns_quotatype_zone, r);
}
#ifdef ALLOW_FILTER_AAAA
obj = NULL;
result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
......@@ -5507,6 +5578,7 @@ load_configuration(const char *filename, ns_server_t *server,
ns_cachelist_t cachelist, tmpcachelist;
ns_cfgctx_t *nzctx;
unsigned int maxsocks;
isc_uint32_t softquota = 0;
ISC_LIST_INIT(viewlist);
ISC_LIST_INIT(builtin_viewlist);
......@@ -5701,11 +5773,22 @@ load_configuration(const char *filename, ns_server_t *server,
configure_server_quota(maps, "tcp-clients", &server->tcpquota);
configure_server_quota(maps, "recursive-clients",
&server->recursionquota);
if (server->recursionquota.max > 1000)
isc_quota_soft(&server->recursionquota,
server->recursionquota.max - 100);
else
isc_quota_soft(&server->recursionquota, 0);
if (server->recursionquota.max > 1000) {
int margin = ISC_MAX(100, ns_g_cpus + 1);
if (margin > server->recursionquota.max - 100) {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"'recursive-clients %d' too low when "
"running with %d worker threads",
server->recursionquota.max, ns_g_cpus);
CHECK(ISC_R_RANGE);
}
softquota = server->recursionquota.max - margin;
} else
softquota = (server->recursionquota.max * 90) / 100;
isc_quota_soft(&server->recursionquota, softquota);
CHECK(configure_view_acl(NULL, config, "blackhole", NULL,
ns_g_aclconfctx, ns_g_mctx,
......@@ -6854,7 +6937,6 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
result = isc_quota_init(&server->recursionquota, 100);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
result = dns_aclenv_init(mctx, &server->aclenv);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
......@@ -7865,12 +7947,20 @@ dumpdone(void *arg, isc_result_t result) {
goto cleanup;
}
}
if ((dctx->dumpadb || dctx->dumpbad || dctx->dumpfail) &&
dctx->cache == NULL && dctx->view->view->cachedb != NULL)
dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
if (dctx->cache != NULL) {
dns_adb_dump(dctx->view->view->adb, dctx->fp);
dns_resolver_printbadcache(dctx->view->view->resolver,
dctx->fp);
dns_badcache_print(dctx->view->view->failcache,
"SERVFAIL cache", dctx->fp);
if (dctx->dumpadb)
dns_adb_dump(dctx->view->view->adb, dctx->fp);
if (dctx->dumpbad)
dns_resolver_printbadcache(dctx->view->view->resolver,
dctx->fp);
if (dctx->dumpfail)
dns_badcache_print(dctx->view->view->failcache,
"SERVFAIL cache", dctx->fp);
dns_db_detach(&dctx->cache);
}
if (dctx->dumpzones) {
......@@ -7954,6 +8044,9 @@ ns_server_dumpdb(ns_server_t *server, char *args) {
dctx->mctx = server->mctx;
dctx->dumpcache = ISC_TRUE;
dctx->dumpadb = ISC_TRUE;
dctx->dumpbad = ISC_TRUE;
dctx->dumpfail = ISC_TRUE;
dctx->dumpzones = ISC_FALSE;
dctx->fp = NULL;
ISC_LIST_INIT(dctx->viewlist);
......@@ -7977,15 +8070,36 @@ ns_server_dumpdb(ns_server_t *server, char *args) {
ptr = next_token(&args, " \t");
if (ptr != NULL && strcmp(ptr, "-all") == 0) {
/* also dump zones */
dctx->dumpzones = ISC_TRUE;
dctx->dumpcache = ISC_TRUE;
ptr = next_token(&args, " \t");
} else if (ptr != NULL && strcmp(ptr, "-cache") == 0) {
dctx->dumpzones = ISC_FALSE;
dctx->dumpcache = ISC_TRUE;
/* this is the default */
ptr = next_token(&args, " \t");
} else if (ptr != NULL && strcmp(ptr, "-zones") == 0) {
/* only dump zones, suppress caches */
dctx->dumpadb = ISC_FALSE;
dctx->dumpbad = ISC_FALSE;
dctx->dumpcache = ISC_FALSE;
dctx->dumpfail = ISC_FALSE;
dctx->dumpzones = ISC_TRUE;
ptr = next_token(&args, " \t");
} else if (ptr != NULL && strcmp(ptr, "-adb") == 0) {
/* only dump adb, suppress other caches */
dctx->dumpbad = ISC_FALSE;
dctx->dumpcache = ISC_FALSE;
dctx->dumpfail = ISC_FALSE;
ptr = next_token(&args, " \t");
} else if (ptr != NULL && strcmp(ptr, "-bad") == 0) {
/* only dump badcache, suppress other caches */
dctx->dumpadb = ISC_FALSE;
dctx->dumpcache = ISC_FALSE;
dctx->dumpfail = ISC_FALSE;
ptr = next_token(&args, " \t");
} else if (ptr != NULL && strcmp(ptr, "-fail") == 0) {
/* only dump servfail cache, suppress other caches */
dctx->dumpadb = ISC_FALSE;
dctx->dumpbad = ISC_FALSE;
dctx->dumpcache = ISC_FALSE;
ptr = next_token(&args, " \t");
}
......@@ -8114,12 +8228,24 @@ ns_server_dumpsecroots(ns_server_t *server, char *args, isc_buffer_t **text) {
isc_result_t
ns_server_dumprecursing(ns_server_t *server) {
FILE *fp = NULL;
dns_view_t *view;
isc_result_t result;
CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
"could not open dump file", server->recfile);
fprintf(fp,";\n; Recursing Queries\n;\n");
fprintf(fp, ";\n; Recursing Queries\n;\n");
ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
for (view = ISC_LIST_HEAD(server->viewlist);
view != NULL;
view = ISC_LIST_NEXT(view, link))
{
fprintf(fp, ";\n; Active fetch domains [view: %s]\n;\n",
view->name);
dns_resolver_dumpfetches(view->resolver,
isc_statsformat_file, fp);
}
fprintf(fp, "; Dump complete\n");
cleanup:
......
......@@ -338,6 +338,9 @@ init_desc(void) {
SET_RESSTATDESC(cookieok, "COOKIE client ok", "CookieClientOk");
SET_RESSTATDESC(badvers, "bad EDNS version", "BadEDNSVersion");
SET_RESSTATDESC(badcookie, "bad cookie rcode", "BadCookieRcode");
SET_RESSTATDESC(zonequota, "spilled due to zone quota", "ZoneQuota");
SET_RESSTATDESC(serverquota, "spilled due to server quota",
"ServerQuota");
INSIST(i == dns_resstatscounter_max);
......
......@@ -107,7 +107,7 @@ command is one of the following:\n\
Add zone to given view. Requires new-zone-file option.\n\
delzone [-clean] zone [class [view]]\n\
Removes zone from given view. Requires new-zone-file option.\n\
dumpdb [-all|-cache|-zones] [view ...]\n\
dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]\n\
Dump cache(s) to the dump file (named_dump.db).\n\
flush Flushes all of the server's caches.\n\
flush [view] Flushes the server's cache for a view.\n\
......
......@@ -312,7 +312,7 @@
</varlistentry>
<varlistentry>
<term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
<term><userinput>dumpdb <optional>-all|-cache|-zone|-adb|-bad|-fail</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
<listitem>
<para>
Dump the server's caches (default) and/or zones to
......@@ -601,13 +601,17 @@
</varlistentry>
<varlistentry>
<term><userinput>recursing</userinput></term>
<listitem>
<para>
Dump the list of queries <command>named</command> is currently recursing
on.
</para>
</listitem>
<term><userinput>recursing</userinput></term>
<listitem>
<para>
Dump the list of queries <command>named</command> is currently
recursing on, and the list of domains to which iterative
queries are currently being sent. (The second list includes
the number of fetches currently active for the given domain,
and how many have been passed or dropped because of the
<option>fetches-per-zone</option> option.)
</para>
</listitem>
</varlistentry>
<varlistentry>
......
......@@ -68,7 +68,7 @@ SUBDIRS="acl additional allow_query addzone autosign builtin
cacheclean case checkconf @CHECKDS@ checknames checkzone
cookie @COVERAGE@ database digdelv dlv dlvauto dlz dlzexternal
dname dns64 dnssec dsdigest dscp ecdsa ednscompliance
emptyzones filter-aaaa formerr forward geoip glue gost
emptyzones fetchlimit filter-aaaa formerr forward geoip glue gost
ixfr inline legacy limits logfileconfig lwresd masterfile
masterformat metadata mkeys notify nslookup nsupdate pending
pipelined @PKCS11_TEST@ reclimit redirect resolver rndc
......
#!/usr/bin/perl
#
# Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# This is a tool for sending queries via UDP to specified address and
# port, then exiting without waiting for a response.
#
# Usage: ditch.pl [-s <address>] [-p <port>] [filename]
#
# Input (in filename, if specified, otherwise stdin) is a series of one
# or more DNS names and types to send as queries, e.g.:
#
# www.example.com A
# www.example.org MX
#
# If not specified, address defaults to 127.0.0.1, port to 53.
require 5.006.001;
use strict;
use Getopt::Std;
use Net::DNS;
use Net::DNS::Packet;
use IO::File;
use IO::Socket;
sub usage {
print ("Usage: ditch.pl [-s address] [-p port] [file]\n");
exit 1;
}
my %options={};
getopts("s:p:t:", \%options);
my $addr = "127.0.0.1";
$addr = $options{s} if defined $options{s};
my $port = 53;
$port = $options{p} if defined $options{p};
my $file = "STDIN";
if (@ARGV >= 1) {
my $filename = shift @ARGV;
open FH, "<$filename" or die "$filename: $!";
$file = "FH";
}
my $input = "";
while (defined(my $line = <$file>) ) {
chomp $line;
next if ($line =~ m/^ *#/);
my @tokens = split (' ', $line);
my $packet;
if ($Net::DNS::VERSION > 0.68) {
$packet = new Net::DNS::Packet();
$@ and die $@;
} else {
my $err;
($packet, $err) = new Net::DNS::Packet();
$err and die $err;
}
my $q = new Net::DNS::Question($tokens[0], $tokens[1], "IN");
$packet->header->rd(1);
$packet->push(question => $q);
my $sock = IO::Socket::INET->new(PeerAddr => $addr, PeerPort => $port,
Proto => "udp",) or die "$!";
my $bytes = $sock->send($packet->data);
#print ("sent $bytes bytes to $addr:$port:\n");
#print (" ", unpack("H* ", $packet->data), "\n");
$sock->close;
}
close $file;
#!/usr/bin/perl -w
#
# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
#
# Don't respond if the "norespond" file exists; otherwise respond to
# any A or AAAA query.
#
use IO::File;
use IO::Socket;
use Net::DNS;
use Net::DNS::Packet;
my $sock = IO::Socket::INET->new(LocalAddr => "10.53.0.4",
LocalPort => 5300, Proto => "udp") or die "$!";
my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
print $pidf "$$\n" or die "cannot write pid file: $!";
$pidf->close or die "cannot close pid file: $!";
sub rmpid { unlink "ans.pid"; exit 1; };
$SIG{INT} = \&rmpid;
$SIG{TERM} = \&rmpid;
for (;;) {
$sock->recv($buf, 512);
print "**** request from " , $sock->peerhost, " port ", $sock->peerport, "\n";
my $packet;
if ($Net::DNS::VERSION > 0.68) {
$packet = new Net::DNS::Packet(\$buf, 0);
$@ and die $@;
} else {
my $err;
($packet, $err) = new Net::DNS::Packet(\$buf, 0);
$err and die $err;
}
print "REQUEST:\n";
$packet->print;
$packet->header->qr(1);
my @questions = $packet->question;
my $qname = $questions[0]->qname;
my $qtype = $questions[0]->qtype;
my $donotrespond = 0;
if (-e 'norespond') {
$donotrespond = 1;
} else {
$packet->header->aa(1);
if ($qtype eq "A") {
$packet->push("answer",
new Net::DNS::RR($qname .
" 300 A 192.0.2.1"));
} elsif ($qtype eq "AAAA") {
$packet->push("answer",
new Net::DNS::RR($qname .
" 300 AAAA 2001:db8:beef::1"));
}
}
if ($donotrespond == 0) {
$sock->send($packet->data);
print "RESPONSE:\n";
$packet->print;
print "\n";
}
}
#!/bin/sh
#
# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
rm -f */named.memstats */ans.run */named.recursing
rm -f dig.out*
rm -f ans4/norespond
rm -f ns3/named.conf ns3/named.stats ns3/named_dump.db
rm -f burst.input.*
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
controls { /* empty */ };
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
zone "." {
type master;
file "root.db";
};
zone "example.info." {
type master;
file "example-info.db";
};
; Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id$
$TTL 300
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
. NS a.root-servers.nil.
a.roo