Hyperlocal recursive servers questions
Roberto Braga
robertocarlosbragarp at gmail.com
Fri Dec 27 21:40:41 UTC 2024
Hello, if you could help me review this situation, I would appreciate it.
It is necessary to configure a server that all clients in the blocks below
must use as a recursive DNS.
For this, I must use 2 servers:
The first, acting as the recursive DNS itself, is the one clients will
configure as their DNS.
The second, a copy of the root, must be consulted by the first if it does
not have the answer in cache.
Together they form a hyperlocal recursive DNS composed of 1 computer with the
address that clients will use as DNS and 1 computer with the root copy (a
slave of the root servers).
The blocks are:
201.31.238.0/28 (passed on to customers using CGNAT);
2804:a8:c4ad::/56 (passed to clients directly, 1 /64 block for each client);
The client must use as DNS server: 201.31.238.9 and 2804:a8:c4ad:d1::9.
The scheme below is working, but I would like someone more experienced to
review it and identify whether I'm doing it correctly, whether there are flaws,
or how I can improve this structure. Thank you.
*First server configuration (Recursive DNS):*
*file /etc/bind/named.conf.options:*
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    auth-nxdomain no;
    qname-minimization disabled;
    listen-on { 201.31.238.9; 127.0.0.1; };
    listen-on-v6 { 2804:a8:c4ad:d1::9; ::1; fe80::a00:27ff:fe7a:d1a7; };
    recursion yes;
    allow-query {
        127.0.0.0/8;
        201.31.238.0/28;
        ::1;
        2804:a8:c4ad::/56;
    };
    allow-recursion {
        127.0.0.0/8;
        201.31.238.0/28;
        ::1;
        2804:a8:c4ad::/56;
    };
};
*file /etc/bind/named.conf.default-zones:*
// prime the server with knowledge of the root servers
//zone "." {
//    type hint;
//    file "/usr/share/dns/root.hints";
//};
zone "." {
    type static-stub;
    server-addresses { 201.31.238.7; 2804:a8:c4ad:d1::7; };
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
*Configuration of the second server (DNS acting as a copy of the root):*
*file /etc/bind/named.conf.options:*
options {
    allow-query {
        127.0.0.0/8;
        201.31.238.0/28;
        ::1;
        2804:a8:c4ad::/56;
    };
    allow-recursion {
        127.0.0.0/8;
        201.31.238.0/28;
        ::1;
        2804:a8:c4ad::/56;
    };
};
*file /etc/bind/named.conf.default-zones:*
// prime the server with knowledge of the root servers
//zone "." {
//    type hint;
//    file "/usr/share/dns/root.hints";
//};
zone "." {
    type slave;
    file "rootzone.db";
    notify no;
    masters {
        199.9.14.201;          # b.root-servers.net
        192.33.4.12;           # c.root-servers.net
        199.7.91.13;           # d.root-servers.net
        192.5.5.241;           # f.root-servers.net
        192.112.36.4;          # g.root-servers.net
        193.0.14.129;          # k.root-servers.net
        192.0.47.132;          # xfr.cjr.dns.icann.org
        192.0.32.132;          # xfr.lax.dns.icann.org
        2001:500:200::b;       # b.root-servers.net
        2001:500:2::c;         # c.root-servers.net
        2001:500:2d::d;        # d.root-servers.net
        2001:500:2f::f;        # f.root-servers.net
        2001:500:12::d0d;      # g.root-servers.net
        2001:7fd::1;           # k.root-servers.net
        2620:0:2830:202::132;  # xfr.cjr.dns.icann.org
        2620:0:2d0:202::132;   # xfr.lax.dns.icann.org
    };
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
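As an added example (not from the post and not part of BIND), a small Python checker for the two `options { }` fragments above: it parses the flat `key { a; b; };` and `key value;` statements, flags any ACL element that is `any` or lies outside the stated client blocks, and reports statements left unset. The condensed fragments embedded in it are reconstructed from the post; the client block list is an assumption taken from the message.

```python
"""Audit the ACLs of a BIND options { } fragment against the intended client blocks.
Added example, not the poster's code nor part of BIND; parses only the flat statements used above."""
import ipaddress
import re

# Blocks from the post plus loopback (the resolver queries itself): the assumed allow-list.
CLIENT_BLOCKS = ("127.0.0.0/8", "::1/128", "201.31.238.0/28", "2804:a8:c4ad::/56")
OPEN_ELEMENTS = {"any", "0.0.0.0/0", "::/0"}
STMT_RE = re.compile(r"([\w-]+)\s*(?:\{([^}]*)\}|([^;{]+?))\s*;")  # key { a; b; };  or  key value;

def parse_options(text):
    """Return {statement: [elements]} for the statements directly inside options { ... }."""
    text = re.sub(r"(//|#).*", "", text)                 # drop line comments
    body = re.search(r"options\s*\{(.*)\}", text, re.S)  # greedy, so nested braces stay inside
    stmts = {}
    for key, acl, scalar in STMT_RE.findall(body.group(1) if body else ""):
        stmts[key] = [e.strip() for e in (acl or scalar).split(";") if e.strip()]
    return stmts

def audit_options(text, client_blocks=CLIENT_BLOCKS):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts, findings = parse_options(text), []
    nets = [ipaddress.ip_network(b) for b in client_blocks]
    for stmt in ("allow-query", "allow-recursion"):
        if stmt not in opts:
            findings.append(f"{stmt} not set")
            continue
        for el in opts[stmt]:
            if el in OPEN_ELEMENTS:
                findings.append(f"{stmt} is open to everyone ({el})")
                continue
            try:
                net = ipaddress.ip_network(el, strict=False)
            except ValueError:  # named ACL, TSIG key or negation: not checked by this script
                findings.append(f"{stmt}: element {el!r} not verified")
                continue
            if not any(n.version == net.version and net.subnet_of(n) for n in nets):
                findings.append(f"{stmt} admits {el}, outside the client blocks")
    if "recursion" not in opts:
        findings.append("recursion not set explicitly (named defaults to yes)")
    if "listen-on" not in opts:
        findings.append("listen-on not set (named listens on all IPv4 interfaces by default)")
    return findings

# The two fragments from the post, condensed onto fewer lines (constructed sample input).
RESOLVER_OPTIONS = """options { directory "/var/cache/bind"; dnssec-validation auto; recursion yes;
  listen-on { 201.31.238.9; 127.0.0.1; };
  allow-query { 127.0.0.0/8; 201.31.238.0/28; ::1; 2804:a8:c4ad::/56; };
  allow-recursion { 127.0.0.0/8; 201.31.238.0/28; ::1; 2804:a8:c4ad::/56; }; };"""
ROOT_COPY_OPTIONS = """options {
  allow-query { 127.0.0.0/8; 201.31.238.0/28; ::1; 2804:a8:c4ad::/56; };
  allow-recursion { 127.0.0.0/8; 201.31.238.0/28; ::1; 2804:a8:c4ad::/56; }; };"""
```

Run `audit_options(RESOLVER_OPTIONS)` and `audit_options(ROOT_COPY_OPTIONS)`: the first returns no findings, the second reports that `recursion` and `listen-on` are not set on the root-copy server.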