Hyperlocal recursive servers questions
Greg Choules
gregchoules+bindusers at googlemail.com
Fri Dec 27 22:28:59 UTC 2024
Hi Roberto.
Instead of defining "." as type "static-stub" you should define it as type
"mirror". This shows you how:
https://bind9.readthedocs.io/en/v9.18.32/reference.html#namedconf-statement-type%20mirror
Cheers, Greg
On Fri, 27 Dec 2024 at 21:41, Roberto Braga <robertocarlosbragarp at gmail.com>
wrote:
> Hello, if you could help me review this situation, I would appreciate it.
>
> It is necessary to configure a server that all clients in the blocks below
> must use as a recursive DNS.
>
> For this, I must use 2 servers:
>
> The first, the recursive DNS itself, is what clients will use as their
> configured DNS server.
>
> The second, a copy of the root, must be consulted by the first when it does
> not have the answer in cache.
>
> This forms a hyperlocal recursive DNS composed of one machine with the
> address that clients will use as DNS and one machine with the root copy
> (a slave of the root servers).
>
> The blocks are:
> 201.31.238.0/28 (passed on to customers using CGNAT);
> 2804:a8:c4ad::/56 (passed to clients directly, 1 /64 block for each
> client);
>
> The client must use as DNS server: 201.31.238.9 and 2804:a8:c4ad:d1::9
>
> The scheme below is working, but I would like someone more experienced who
> can review and identify if I'm doing it correctly, if there are flaws or
> how I can improve this structure... Thank you.
>
> *First server configuration (Recursive DNS):*
>
> *file /etc/bind/named.conf.options:*
> options {
> directory "/var/cache/bind";
> dnssec-validation auto;
> auth-nxdomain no;
> qname-minimization disabled;
> listen-on { 201.31.238.9; 127.0.0.1; };
> listen-on-v6 { 2804:a8:c4ad:d1::9; ::1; fe80::a00:27ff:fe7a:d1a7; };
> recursion yes;
>
> allow-query {
> 127.0.0.0/8;
> 201.31.238.0/28;
> ::1;
> 2804:a8:c4ad::/56;
> };
>
> allow-recursion {
> 127.0.0.0/8;
> 201.31.238.0/28;
> ::1;
> 2804:a8:c4ad::/56;
> };
> };
>
> *file /etc/bind/named.conf.default-zones:*
> // prime the server with knowledge of the root servers
> //zone "." {
> // type hint;
> // file "/usr/share/dns/root.hints";
> //};
>
> zone "." {
> type static-stub;
> server-addresses { 201.31.238.7; 2804:a8:c4ad:d1::7; };
> };
>
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
>
> *Configuration of the second server (DNS acting as a copy of the root):*
>
>
> *file /etc/bind/named.conf.options:*
> options {
> allow-query {
> 127.0.0.0/8;
> 201.31.238.0/28;
> ::1;
> 2804:a8:c4ad::/56;
> };
>
> allow-recursion {
> 127.0.0.0/8;
> 201.31.238.0/28;
> ::1;
> 2804:a8:c4ad::/56;
> };
> };
>
>
> *file /etc/bind/named.conf.default-zones:*
>
> // prime the server with knowledge of the root servers
>
> //zone "." {
> // type hint;
> // file "/usr/share/dns/root.hints";
> //};
>
>
> zone "." {
> type slave;
> file "rootzone.db";
> notify no;
> masters {
> 199.9.14.201; # b.root-servers.net
> 192.33.4.12; # c.root-servers.net
> 199.7.91.13; # d.root-servers.net
> 192.5.5.241; # f.root-servers.net
> 192.112.36.4; # g.root-servers.net
> 193.0.14.129; # k.root-servers.net
> 192.0.47.132; # xfr.cjr.dns.icann.org
> 192.0.32.132; # xfr.lax.dns.icann.org
> 2001:500:200::b; # b.root-servers.net
> 2001:500:2::c; # c.root-servers.net
> 2001:500:2d::d; # d.root-servers.net
> 2001:500:2f::f; # f.root-servers.net
> 2001:500:12::d0d; # g.root-servers.net
> 2001:7fd::1; # k.root-servers.net
> 2620:0:2830:202::132; # xfr.cjr.dns.icann.org
> 2620:0:2d0:202::132; # xfr.lax.dns.icann.org
> };
> };
>
>
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
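Added example (not from Greg's reply or Roberto's post): the two zone "." definitions as they would look after Greg's suggestion, using the addresses from the thread. The static-stub definition only replaces the root hints with a fixed server list, so every root lookup is still a network query to the second box; a mirror zone is transferred as a whole, DNSSEC-validated against the resolver's trust anchors, and then used locally, which is what a hyperlocal root (RFC 8806) is meant to be. The `allow-transfer` ACL is an assumption added here so the resolver is permitted to pull the zone from the copy; `secondary`/`primaries` are the current spellings of `slave`/`masters`, which still parse in 9.18.

```conf
// ---- Second server (root copy, 201.31.238.7 / 2804:a8:c4ad:d1::7) ----
// Roberto's zone "." with current keywords plus an explicit transfer ACL.
zone "." {
    type secondary;                 // "slave" is the deprecated spelling
    file "rootzone.db";
    notify no;
    primaries {                     // "masters" is the deprecated spelling
        199.9.14.201;               // b.root-servers.net
        192.33.4.12;                // c.root-servers.net
        199.7.91.13;                // d.root-servers.net
        192.5.5.241;                // f.root-servers.net
        192.112.36.4;               // g.root-servers.net
        193.0.14.129;               // k.root-servers.net
        192.0.47.132;               // xfr.cjr.dns.icann.org
        192.0.32.132;               // xfr.lax.dns.icann.org
        2001:500:200::b;            // b.root-servers.net
        2001:500:2::c;              // c.root-servers.net
        2001:500:2d::d;             // d.root-servers.net
        2001:500:2f::f;             // f.root-servers.net
        2001:500:12::d0d;           // g.root-servers.net
        2001:7fd::1;                // k.root-servers.net
        2620:0:2830:202::132;       // xfr.cjr.dns.icann.org
        2620:0:2d0:202::132;        // xfr.lax.dns.icann.org
    };
    // Assumption (added here): the resolver must be allowed to AXFR the copy.
    // Keep the ACL to the resolver's own addresses, not the client blocks.
    allow-transfer { 201.31.238.9; 2804:a8:c4ad:d1::9; };
};

// ---- First server (recursive resolver, 201.31.238.9 / 2804:a8:c4ad:d1::9) ----
// Before: static-stub. named treats the listed addresses as the servers for
// "." and still sends a query to them for every root lookup it needs.
// zone "." {
//     type static-stub;
//     server-addresses { 201.31.238.7; 2804:a8:c4ad:d1::7; };
// };

// After: mirror. The whole root zone is transferred from the copy and is only
// used after it validates against the resolver's trust anchors, so
// "dnssec-validation auto;" in options must stay enabled for this to work.
zone "." {
    type mirror;
    primaries { 201.31.238.7; 2804:a8:c4ad:d1::7; };
};
```

After `named-checkconf` and a reload, `rndc zonestatus .` on the resolver shows the zone type and serial; until the first transfer has completed and validated, the mirror zone is not used and resolution proceeds as before.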