<div dir="ltr">Hi Roberto,<div>Instead of defining "." as type "static-stub", you should define it as type "mirror". This shows you how: <a href="https://bind9.readthedocs.io/en/v9.18.32/reference.html#namedconf-statement-type%20mirror">https://bind9.readthedocs.io/en/v9.18.32/reference.html#namedconf-statement-type%20mirror</a></div><div><br></div><div>Cheers, Greg</div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Fri, 27 Dec 2024 at 21:41, Roberto Braga <<a href="mailto:robertocarlosbragarp@gmail.com">robertocarlosbragarp@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hello, if you could help me review this situation, I would appreciate it.<br><br>I need to configure a server that all clients in the blocks below will use as their recursive DNS.<br><br>For this, I must use 2 servers:<br><br>The first, the recursive DNS server itself, is the one clients will be configured to use as DNS.<br><br>The second, a copy of the root, is to be consulted by the first when the answer is not in its cache.<br><br>This forms a hyperlocal recursive DNS made up of 1 computer with the address that clients will use as DNS and 1 computer holding the root copy (a slave of the root servers).<br><br>The blocks are:<br><a href="http://201.31.238.0/28" target="_blank">201.31.238.0/28</a> (handed out to customers behind CGNAT);<br>2804:a8:c4ad::/56 (handed out to clients directly, one /64 block per client);<br><br>The clients must use 201.31.238.9 and 2804:a8:c4ad:d1::9 as their DNS servers.<br><br>The setup below is working, but I would like someone more experienced to review it and tell me whether I am doing it correctly, whether there are flaws, or how I can improve this structure... 
Thank you.<br><br><b>First server configuration (Recursive DNS):</b><br><br><i>file /etc/bind/named.conf.options:</i><br>options {<br> directory "/var/cache/bind";<br> dnssec-validation auto;<br> auth-nxdomain no;<br> qname-minimization disabled;<br> listen-on { 201.31.238.9; 127.0.0.1; };<br> listen-on-v6 { 2804:a8:c4ad:d1::9; ::1; fe80::a00:27ff:fe7a:d1a7; };<br> recursion yes;<br><br> allow-query {<br> <a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a>;<br> <a href="http://201.31.238.0/28" target="_blank">201.31.238.0/28</a>;<br> ::1;<br> 2804:a8:c4ad::/56;<br> };<br><br> allow-recursion {<br> <a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a>;<br> <a href="http://201.31.238.0/28" target="_blank">201.31.238.0/28</a>;<br> ::1;<br> 2804:a8:c4ad::/56;<br> };<br>};<br><br><i>file /etc/bind/named.conf.default-zones:</i><br>// prime the server with knowledge of the root servers<br>//zone "." {<br>// type hint;<br>// file "/usr/share/dns/root.hints";<br>//};<br><br>zone "." 
{<br> type static-stub;<br> server-addresses { 201.31.238.7; 2804:a8:c4ad:d1::7; };<br>};<br><br><br>// be authoritative for the localhost forward and reverse zones, and for<br>// broadcast zones as per RFC 1912<br><br>zone "localhost" {<br> type master;<br> file "/etc/bind/db.local";<br>};<br><br>zone "127.in-addr.arpa" {<br> type master;<br> file "/etc/bind/db.127";<br>};<br><br>zone "0.in-addr.arpa" {<br> type master;<br> file "/etc/bind/db.0";<br>};<br><br>zone "255.in-addr.arpa" {<br> type master;<br> file "/etc/bind/db.255";<br>};<br><br><br><b>Configuration of the second server (DNS acting as a copy of the root):</b><br><br><br><i>file /etc/bind/named.conf.options:</i><br>options {<br> allow-query {<br> <a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a>;<br> <a href="http://201.31.238.0/28" target="_blank">201.31.238.0/28</a>;<br> ::1;<br> 2804:a8:c4ad::/56;<br> };<br><br> allow-recursion {<br> <a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a>;<br> <a href="http://201.31.238.0/28" target="_blank">201.31.238.0/28</a>;<br> ::1;<br> 2804:a8:c4ad::/56;<br> };<br>};<br><br><br><i>file /etc/bind/named.conf.default-zones:</i><br><br>// prime the server with knowledge of the root servers<br><br>//zone "." {<br>// type hint;<br>// file "/usr/share/dns/root.hints";<br>//};<br><br><br>zone "." 
{<br> type slave;<br> file "rootzone.db"; <br> notify no;<br> masters {<br> 199.9.14.201; # <a href="http://b.root-servers.net" target="_blank">b.root-servers.net</a><br> 192.33.4.12; # <a href="http://c.root-servers.net" target="_blank">c.root-servers.net</a><br> 199.7.91.13; # <a href="http://d.root-servers.net" target="_blank">d.root-servers.net</a><br> 192.5.5.241; # <a href="http://f.root-servers.net" target="_blank">f.root-servers.net</a><br> 192.112.36.4; # <a href="http://g.root-servers.net" target="_blank">g.root-servers.net</a><br> 193.0.14.129; # <a href="http://k.root-servers.net" target="_blank">k.root-servers.net</a><br> 192.0.47.132; # <a href="http://xfr.cjr.dns.icann.org" target="_blank">xfr.cjr.dns.icann.org</a><br> 192.0.32.132; # <a href="http://xfr.lax.dns.icann.org" target="_blank">xfr.lax.dns.icann.org</a><br> 2001:500:200::b; # <a href="http://b.root-servers.net" target="_blank">b.root-servers.net</a><br> 2001:500:2::c; # <a href="http://c.root-servers.net" target="_blank">c.root-servers.net</a><br> 2001:500:2d::d; # <a href="http://d.root-servers.net" target="_blank">d.root-servers.net</a><br> 2001:500:2f::f; # <a href="http://f.root-servers.net" target="_blank">f.root-servers.net</a><br> 2001:500:12::d0d; # <a href="http://g.root-servers.net" target="_blank">g.root-servers.net</a><br> 2001:7fd::1; # <a href="http://k.root-servers.net" target="_blank">k.root-servers.net</a><br> 2620:0:2830:202::132; # <a href="http://xfr.cjr.dns.icann.org" target="_blank">xfr.cjr.dns.icann.org</a><br> 2620:0:2d0:202::132; # <a href="http://xfr.lax.dns.icann.org" target="_blank">xfr.lax.dns.icann.org</a><br> };<br>};<br><br><br><br>// be authoritative for the localhost forward and reverse zones, and for<br>// broadcast zones as per RFC 1912<br><br>zone "localhost" {<br> type master;<br> file "/etc/bind/db.local";<br>};<br><br>zone "127.in-addr.arpa" {<br> type master;<br> file "/etc/bind/db.127";<br>};<br><br>zone "0.in-addr.arpa" {<br> type master;<br> file 
"/etc/bind/db.0";<br>};<br><br>zone "255.in-addr.arpa" {<br> type master;<br> file "/etc/bind/db.255";<br>};</div>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>
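The root zone stanza Greg recommends for the first server, written out as an added example (it is not from either message or from the ISC documentation). It assumes BIND 9.18 syntax, as in Greg's link, and points the primaries at Roberto's second server; the options shown are the ones already present in his named.conf.options that a mirror zone depends on:

```conf
// /etc/bind/named.conf.options on the first server (201.31.238.9).
// A mirror zone is validated with DNSSEC before it is used, so it needs
// validation enabled and a recursive view; both are already set here.
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    recursion yes;
    // listen-on, allow-query and allow-recursion unchanged from the post
};

// /etc/bind/named.conf.default-zones on the first server.
// Replaces the "static-stub" stanza: a local copy of the root zone in
// the style of RFC 8806, but DNSSEC-checked rather than blindly trusted.
zone "." {
    type mirror;
    // Transfer the root zone from the second server, the existing slave
    // of the root servers. "primaries" is the 9.18 spelling of "masters".
    // If this list is left out, named falls back to its built-in list of
    // public root zone transfer sources.
    primaries { 201.31.238.7; 2804:a8:c4ad:d1::7; };
    // What changes compared with static-stub: the transferred copy is
    // validated against the root trust anchor before any answer is built
    // from it. If the transfer fails or the signatures do not validate,
    // named ignores the copy and resolves via the root hints like an
    // ordinary recursive server, so a stale or modified copy on
    // 201.31.238.7 cannot be served to clients.
};
```

Run named-checkconf before reloading; afterwards `rndc zonestatus .` reports the zone type and the serial that was transferred.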