broken trust chain with my DNS setup
Peter
legacyone at virginmedia.com
Tue Mar 9 16:50:17 UTC 2021
https://bridgemode.bounceme.net/DNS%20BIND%20setup2.txt
In %ProgramFiles%\ISC BIND 9\bin, run from CMD: rndc-confgen -a
folder managed-keys in etc
file rndc.conf in etc
// rndc.conf: settings for the rndc control client. The key itself lives in
// rndc.key (written by "rndc-confgen -a") and is pulled in here.
include "C:\Program Files\ISC BIND 9\etc\rndc.key";

options {
    // Control channel rndc talks to when no server/port is given on the
    // command line: named's default control socket on loopback, port 953.
    default-server 127.0.0.1;
    default-port 953;
    // Key used to sign control messages; it must be the one defined in the
    // included rndc.key. NOTE(review): neither named.conf below has a
    // "controls" statement, so named is presumably using its built-in
    // default channel keyed from the same rndc.key — confirm it is found.
    default-key "rndc-key";
};
file named.root in etc (root hints, from ftp.internic.net)
file localhost in etc
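$TTL 86400
; Forward zone for "localhost". Every record carries an explicit owner ("@"
; = the zone origin): a record line that starts in column 0 without an owner
; is read with its first token as the owner name (e.g. "IN NS @" would become
; a record for IN.localhost), so the owner is never left to whitespace rules.
@    IN SOA   @ root (
                0     ; Serial
                8H    ; Refresh
                15M   ; Retry
                1W    ; Expire
                1D )  ; Minimum TTL (negative-caching TTL)
@    IN NS    @
@    IN A     127.0.0.1
@    IN AAAA  ::1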
file 127.0.0.zone in etc
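$TTL 3D
; Reverse zone for 127.0.0.0/24 (0.0.127.in-addr.arpa). Owners are written
; explicitly: a record line starting in column 0 without an owner is read
; with its first token as the owner name, which would silently produce
; wrong names instead of inheriting "@".
@    IN SOA   localhost. root.localhost. (
                1     ; serial
                8H    ; refresh
                2H    ; retry
                4W    ; expiry
                1D )  ; minimum (negative-caching TTL)
@    IN NS    localhost.
1    IN PTR   localhost.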
Main PC file named.conf in etc
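// Client ACLs: each view below is selected by exactly one of these.
acl private { 192.168.255.54; };
// NOTE(review): listen-on-v6 binds ::1, but no view matches ::1 clients; add
// ::1 here if IPv6 loopback queries are meant to be answered.
acl loopbackPC { 127.0.0.1; };
acl PClooplookup { 192.168.255.53; };

// Sources dropped by "blackhole". Address match lists are first-match, so the
// negated LAN hosts must stay ahead of 192.168.0.0/16 or they are blackholed
// with the rest of that range.
acl bogusnets {
    0.0.0.0/8;
    10.0.0.0/8;
    172.16.0.0/12;
    ! 192.168.255.56;
    ! 192.168.255.55;
    ! 192.168.255.54;
    ! 192.168.255.53;
    192.168.0.0/16;
    169.254.0.0/16;
};

// Answer addresses rejected by "deny-answer-addresses" (DNS rebinding guard).
// Fix: an IPv4-mapped IPv6 prefix is 96 + the IPv4 prefix length, so the
// earlier /120, /116 and /120 only covered 192.168.0.0/24, 172.16.0.0/20 and
// 10.0.0.0/24; they now mirror the plain IPv4 entries (/16, /12, /8).
acl Rebinding {
    ::ffff:127.0.0.1/128;
    ::ffff:192.168.0.0/112;
    ::ffff:172.16.0.0/108;
    ::ffff:10.0.0.0/104;
    ::1/128;
    // NOTE(review): loopback is 127.0.0.0/8; /24 leaves 127.1.x.x etc.
    // unfiltered — confirm whether /8 was intended.
    127.0.0.0/24;
    0.0.0.0/8;
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    169.254.0.0/16;
};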
options {
    // Hide software identity from CHAOS-class fingerprinting queries
    // (version.bind, hostname.bind, id.server).
    version none;
    hostname none;
    server-id none;

    // Base directory for relative file names (zone files, managed keys).
    directory "C:\Program Files\ISC BIND 9\etc";
    managed-keys-directory "managed-keys";

    // Listeners: loopback plus this host's two LAN addresses. There is no
    // allow-query/allow-recursion here; access is decided by the views'
    // match-clients, and a client matching no view is refused.
    // NOTE(review): nothing in this file matches ::1 clients, so the v6
    // loopback listener answers nothing as written.
    listen-on-v6 { ::1; };
    listen-on port 53 { 127.0.0.1; 192.168.255.56;192.168.255.55; };

    // Outgoing query source ports: randomised over the whole port space
    // (the documented default range starts at 1024), with ports used by
    // other Windows/LAN services excluded so named never collides with them.
    avoid-v4-udp-ports { 53;67;68;69;533;445;500;135;137;138;139;546;547;1900;3702;4500;5000;5004;5005; };
    use-v4-udp-ports { range 1 65535; };
    avoid-v6-udp-ports { 53;67;68;69;533;445;500;135;137;138;139;546;547;1900;3702;4500;5000;5004;5005; };
    use-v6-udp-ports { range 1 65535; };

    // Ignore queries from, and never send queries to, the bogusnets ranges.
    blackhole { bogusnets; };

    // Reject upstream answers whose A/AAAA data points into the Rebinding
    // ranges. NOTE(review): "except-from" takes a list of DOMAIN NAMES, not
    // ACLs — these entries are read as the domains private., loopbackPC. and
    // PClooplookup. and exempt nothing useful. To let answers carrying a
    // specific address through, negate that address at the top of the
    // Rebinding acl instead (the HTPC file does this with
    // "! 192.168.255.253;").
    deny-answer-addresses { "Rebinding";} except-from { "private";"loopbackPC";"PClooplookup"; };

    // dnssec-enable yes;
    // NOTE(review): dnssec-enable is deprecated in recent 9.x and does not
    // control validation; "dnssec-validation" is not set here, so the build's
    // default applies. A "broken trust chain" is a validation failure: check
    // that managed-keys is writable and populated and that every forwarding
    // hop returns DNSSEC data, or set dnssec-validation explicitly.

    // Resolver limits. lame-ttl 0 disables the lame-server cache.
    // max-recursion-depth/queries are far above the defaults (on the order
    // of 7 and 75-100 depending on version); those limits bound the work a
    // single client query can trigger, so consider restoring the defaults.
    // resolver-query-timeout is in milliseconds in current versions; 30 s is
    // the upper bound.
    lame-ttl 0;
    max-recursion-depth 1000;
    max-recursion-queries 1000;
    resolver-query-timeout 30000;

    // Log every query (useful while debugging the trust-chain failure;
    // verbose and records client activity, so turn off afterwards).
    querylog yes;
};
// View for queries arriving from 192.168.255.54 (the HTPC's second listen
// address per its named.conf): full iterative resolution from the root hints.
view private {
    match-clients { private; };

    // root hints for iterative resolution
    zone "." in {
        type hint;
        file "named.root";
    };

    // loopback forward zone, served locally
    zone "localhost" {
        type master;
        file "localhost";
    };

    // loopback reverse zone, served locally
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "127.0.0.zone";
    };
};
// View for this host's own resolver (client 127.0.0.1). Everything not served
// locally is forwarded to the HTPC at 192.168.255.53, sent from
// 192.168.255.56 with a randomised source port ("port *" — keep it random,
// a fixed port weakens cache-poisoning resistance). With "forward only"
// there is no fallback to iterative resolution, so the hint zone below is
// effectively unused in this view. Per the HTPC file, queries from
// 192.168.255.56 are forwarded back to 192.168.255.55 on this host, where
// view PClooplookup resolves them from the roots.
view loopbackPC {
    match-clients { loopbackPC; };
    forward only;
    forwarders { 192.168.255.53; };
    query-source address 192.168.255.56 port *;

    // root hints (not consulted while "forward only" is in effect)
    zone "." in {
        type hint;
        file "named.root";
    };

    // loopback forward zone, served locally
    zone "localhost" {
        type master;
        file "localhost";
    };

    // loopback reverse zone, served locally
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "127.0.0.zone";
    };
};
// View for queries arriving from 192.168.255.53 (the HTPC forwarding back to
// this host): resolved iteratively from the root hints, no forwarders.
view PClooplookup {
    match-clients { PClooplookup; };

    // root hints for iterative resolution
    zone "." in {
        type hint;
        file "named.root";
    };

    // loopback forward zone, served locally
    zone "localhost" {
        type master;
        file "localhost";
    };

    // loopback reverse zone, served locally
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "127.0.0.zone";
    };
};
HTPC file named.conf in etc
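// Client ACLs: each view below is selected by exactly one of these.
// NOTE(review): this host listens on 127.0.0.1 and ::1 but no ACL/view here
// matches loopback clients, so its own resolver queries are refused as
// written — add a loopback view if the HTPC is meant to query itself.
acl lookup2backtoPC { 192.168.255.55; };
acl lookupbacktoPC { 192.168.255.56; };

// Sources dropped by "blackhole". Address match lists are first-match, so the
// negated LAN hosts must stay ahead of 192.168.0.0/16 or they are blackholed
// with the rest of that range.
acl bogusnets {
    0.0.0.0/8;
    10.0.0.0/8;
    172.16.0.0/12;
    ! 192.168.255.56;
    ! 192.168.255.55;
    ! 192.168.255.54;
    ! 192.168.255.53;
    192.168.0.0/16;
    169.254.0.0/16;
};

// Answer addresses rejected by "deny-answer-addresses" (DNS rebinding guard).
// The negated host comes first so answers pointing at it pass the filter
// (presumably a LAN host whose address may legitimately appear in answers —
// confirm). Fix: an IPv4-mapped IPv6 prefix is 96 + the IPv4 prefix length,
// so the earlier /120, /116 and /120 only covered 192.168.0.0/24,
// 172.16.0.0/20 and 10.0.0.0/24; they now mirror the plain IPv4 entries.
acl Rebinding {
    ! 192.168.255.253;
    ::ffff:127.0.0.1/128;
    ::ffff:192.168.0.0/112;
    ::ffff:172.16.0.0/108;
    ::ffff:10.0.0.0/104;
    ::1/128;
    // NOTE(review): loopback is 127.0.0.0/8; /24 leaves 127.1.x.x etc.
    // unfiltered — confirm whether /8 was intended.
    127.0.0.0/24;
    0.0.0.0/8;
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    169.254.0.0/16;
};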
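options {
    // Hide software identity from CHAOS-class fingerprinting queries
    // (version.bind, hostname.bind, id.server).
    version none;
    hostname none;
    server-id none;

    // Base directory for relative file names (zone files, managed keys).
    directory "C:\Program Files\ISC BIND 9\etc";
    managed-keys-directory "managed-keys";

    // Listeners: loopback plus this host's two LAN addresses. There is no
    // allow-query/allow-recursion here; access is decided by the views'
    // match-clients, and a client matching no view is refused.
    // NOTE(review): no view in this file matches 127.0.0.1 or ::1, so the
    // loopback listeners answer nothing as written — confirm intent.
    listen-on-v6 { ::1; };
    listen-on port 53 { 127.0.0.1; 192.168.255.54;192.168.255.53; };

    // Outgoing query source ports: randomised over the whole port space
    // (the documented default range starts at 1024), with ports used by
    // other Windows/LAN services excluded so named never collides with them.
    // Fix: "53" was listed twice and 139 (NetBIOS session) was missing
    // compared with the Main PC configuration; both lists now match it.
    avoid-v4-udp-ports { 53;67;68;69;533;445;500;135;137;138;139;546;547;1900;3702;4500;5000;5004;5005; };
    use-v4-udp-ports { range 1 65535; };
    avoid-v6-udp-ports { 53;67;68;69;533;445;500;135;137;138;139;546;547;1900;3702;4500;5000;5004;5005; };
    use-v6-udp-ports { range 1 65535; };

    // Ignore queries from, and never send queries to, the bogusnets ranges.
    blackhole { bogusnets; };

    // Reject upstream answers whose A/AAAA data points into the Rebinding
    // ranges. NOTE(review): "except-from" takes a list of DOMAIN NAMES, not
    // ACLs — lookupbacktoPC and lookup2backtoPC are read as domain names and
    // exempt nothing useful. Per-address exemptions belong in the Rebinding
    // acl as negated entries (as already done for 192.168.255.253).
    deny-answer-addresses { "Rebinding";} except-from { lookupbacktoPC; lookup2backtoPC; };

    // dnssec-enable yes;
    // NOTE(review): dnssec-enable is deprecated in recent 9.x and does not
    // control validation; "dnssec-validation" is not set here, so the build's
    // default applies. A "broken trust chain" is a validation failure: check
    // that managed-keys is writable and populated and that every forwarding
    // hop returns DNSSEC data, or set dnssec-validation explicitly.

    // Resolver limits. lame-ttl 0 disables the lame-server cache.
    // max-recursion-depth/queries are far above the defaults (on the order
    // of 7 and 75-100 depending on version); those limits bound the work a
    // single client query can trigger, so consider restoring the defaults.
    // resolver-query-timeout is in milliseconds in current versions; 30 s is
    // the upper bound.
    lame-ttl 0;
    max-recursion-depth 1000;
    max-recursion-queries 1000;
    resolver-query-timeout 30000;

    // Log every query (useful while debugging the trust-chain failure;
    // verbose and records client activity, so turn off afterwards).
    querylog yes;
};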
// View for queries arriving from 192.168.255.56 (the Main PC's loopbackPC
// view forwarding here). They are forwarded straight back to the Main PC at
// 192.168.255.55, sent from 192.168.255.53 with a randomised source port
// ("port *" — keep it random). With "forward only" there is no fallback to
// iterative resolution, so the hint zone below is effectively unused here.
view "lookupbacktoPC" {
    match-clients { lookupbacktoPC;};
    forward only;
    forwarders { 192.168.255.55; };
    query-source address 192.168.255.53 port *;

    // root hints (not consulted while "forward only" is in effect)
    zone "." in {
        type hint;
        file "named.root";
    };

    // loopback forward zone, served locally
    zone "localhost" {
        type master;
        file "localhost";
    };

    // loopback reverse zone, served locally
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "127.0.0.zone";
    };
};
// View for queries arriving from 192.168.255.55. They are forwarded to the
// Main PC at 192.168.255.56, sent from 192.168.255.54 with a randomised
// source port ("port *" — keep it random). With "forward only" there is no
// fallback to iterative resolution, so the hint zone below is effectively
// unused here. NOTE(review): nothing in either file shown sends queries from
// 192.168.255.55 to this host, so this view may be unreachable — confirm.
view "lookup2backtoPC" {
    match-clients { lookup2backtoPC; };
    forward only;
    forwarders { 192.168.255.56; };
    query-source address 192.168.255.54 port *;

    // root hints (not consulted while "forward only" is in effect)
    zone "." in {
        type hint;
        file "named.root";
    };

    // loopback forward zone, served locally
    zone "localhost" {
        type master;
        file "localhost";
    };

    // loopback reverse zone, served locally
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "127.0.0.zone";
    };
};