named.conf

This a good VPN source

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//

options {
	directory "/etc/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you might need to uncomment the query-source
	// directive below.  Previous versions of BIND always asked
	// questions using port 53, but BIND 8.1 and later use an unprivileged
	// port by default.

	// query-source address * port 53;

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	auth-nxdomain no;    # conform to RFC1035

};

// define a key - you should really change the secret since
// all Debian boxes everywhere will have the same secret 
key "key" {
        algorithm       hmac-md5;
        secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};

// fortunately, using this control statement, we restrict access
// to the control port 953/tcp to only the localhost and we
// configure named to listen to 953 only on the lo interface
controls {
        inet 127.0.0.1 allow { 127.0.0.1; } keys { "key"; };

};

// prime the server with knowledge of the root servers
zone "." {
	type hint;
 	file "/etc/bind/db.hint";
};

trusted-keys {
        . 256 3 1 "AQOr2tzOGZzBbIbdEsp1ENtMtNniryEiobGUFjBDQoim9jBy1q7VUan2hJ+60eIrM1oCF6jyF2fFrnOgYRnZ0zpj"; // key id = 54074
};


zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "root-servers.net" {
	type master;
	file "/etc/bind/db.root-servers.net..signed";
};

// These lines generated with the gen-secondaries.sh script
zone "arpa." { type slave;  masters { 192.1.2.129;}; file "/etc/bind/sec/db.arpa..signed.bak"; };
zone "in-addr.arpa." { type slave;  masters { 192.1.2.130;}; file "/etc/bind/sec/db.in-addr.arpa..signed.bak"; };
zone "192.in-addr.arpa." { type slave;  masters { 192.1.2.129;}; file "/etc/bind/sec/db.192.in-addr.arpa..signed.bak"; };
zone "0.192.in-addr.arpa." { type slave;  masters { 192.1.2.130;}; file "/etc/bind/sec/db.0.192.in-addr.arpa..signed.bak"; };
zone "1.192.in-addr.arpa." { type slave;  masters { 192.1.2.130;}; file "/etc/bind/sec/db.1.192.in-addr.arpa..signed.bak"; };
zone "1.0.192.in-addr.arpa." { type slave;  masters { 192.1.2.129;}; file "/etc/bind/sec/db.1.0.192.in-addr.arpa..signed.bak"; };
zone "2.0.192.in-addr.arpa." { type slave;  masters { 192.1.2.129;}; file "/etc/bind/sec/db.2.0.192.in-addr.arpa..signed.bak"; };
zone "3.0.192.in-addr.arpa." { type slave;  masters { 192.1.2.129;}; file "/etc/bind/sec/db.3.0.192.in-addr.arpa..signed.bak"; };
zone "4.0.192.in-addr.arpa." { type slave;  masters { 192.1.2.129;}; file "/etc/bind/sec/db.4.0.192.in-addr.arpa..signed.bak"; };
zone "4.1.192.in-addr.arpa." { type slave;  masters { 192.1.2.129;}; file "/etc/bind/sec/db.4.1.192.in-addr.arpa..signed.bak"; };
zone "org." { type slave;  masters { 192.1.2.130;}; file "/etc/bind/sec/db.org..signed.bak"; };
zone "freeswan.org." { type slave;  masters { 192.1.2.129;}; file "/etc/bind/sec/db.freeswan.org..signed.bak"; };
zone "uml.freeswan.org." { type slave;  masters { 192.1.2.130;}; file "/etc/bind/sec/db.uml.freeswan.org..signed.bak"; };