Debian: DNS Server


Important Configuration

To create a new RNDC key:

# Prints an rndc.conf snippet plus the matching named.conf "key" clause to the
# terminal (the next step pastes that output into a file by hand). The secret it
# contains grants full rndc control of named, so keep the file it ends up in
# readable only by root and the bind user.
rndc-confgen -k random-rndc-key -c random-rndc.key

Copy the rndc key block that is printed on the screen into a file.

named.conf.options

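options {
 // Returned for version.bind queries; an arbitrary string so the real BIND
 // release is not advertised to anyone fingerprinting the server.
 version "10.100.100";
 // Zone "file" paths elsewhere in the configuration are relative to this.
 directory "/var/cache/bind";

 // Upstream resolvers that recursive queries are handed to.
 forwarders {
  1.2.3.4;
  5.6.7.8;
 };

 // Forwarding only makes sense with recursion enabled, and the original
 // block never limited who may recurse (BIND releases before 9.4 default
 // allow-recursion to "any"), which leaves this an open resolver. Restrict
 // recursion to the host itself and its directly attached networks.
 allow-recursion {
  localhost;
  localnets;
 };

 auth-nxdomain no;

 // Only the secondary may pull full zone copies (AXFR/IXFR); zone-level
 // allow-transfer statements replace this list for their zone.
 allow-transfer {
  10.11.12.13;    # Secondary DNS
 };
};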

named.conf.local

// Pulls in the "key" clause written from rndc-confgen output; the same key is
// reused below as a zone-transfer key.
include "/etc/bind/random-rndc.key";
zone "fqdn.com.au" IN {
 type master;
 file "master/db.fqdn.com.au";   // relative to the options "directory"
};
zone "3.2.1.in-addr.arpa" {
 type master;
 file "master/db.1.2.3.rev";
 // A zone-level allow-transfer replaces the options-level list for this zone
 // only: transfers must be TSIG-signed with this key, and an unsigned request
 // from the secondary's IP address is refused here even though it is accepted
 // for the forward zone above.
 // NOTE(review): this is the rndc control key. Any peer given it for AXFR can
 // also drive rndc if the control channel is reachable from there; a second
 // key generated solely for transfers would keep the two roles apart.
 allow-transfer {
  key "random-rndc-key";
 };
 // Extra NOTIFY target in addition to the hosts named in the zone's NS records.
 also-notify {
  10.11.12.14;
 };
};

zone "otherfqdn.com.au" IN {
 type slave;
 file "slave/db.otherfqdn.com.au";   // written by named after each transfer
 masters {
  10.11.12.13;
 };
};

Sample Zone File

 $TTL 604800
; NOTE(review): $TTL is normally written at column 0 (compare the reverse
; zone file below); the leading space on the line above looks like a wiki
; preformatting artifact and should be dropped when the file is copied.
;
; db.fqdn.com.au -- forward zone for fqdn.com.au
;
; SOA: primary name server, then the hostmaster mailbox written with a dot in
; place of "@" (dnsmaster@hosting.com.au). The serial follows the YYYYMMDDnn
; convention and has to increase on every edit or secondaries keep the old copy.
@ IN SOA ns1.hosting.com.au. dnsmaster.hosting.com.au. (
             2006080101 ; serial
                  10800 ; refresh  (3 hours)
                   1800 ; retry    (30 minutes)
                 604800 ; expire   (1 week)
                  86400 ; minimum  (1 day; negative-caching TTL)
)

; Authoritative name servers for the zone
@      86400 IN NS    ns1.hosting.com.au.
@      86400 IN NS    ns2.hosting.com.au.

; Mail exchangers; the lowest preference value is tried first
@      86400 IN MX 10 mail.fqdn.com.au.
@      86400 IN MX 20 smtp.fqdn.com.au.

; Address records (the apex and www share one address)
@      86400 IN A     1.2.3.10
www    86400 IN A     1.2.3.10
mail   86400 IN A     1.2.3.20
smtp   86400 IN A     1.2.3.30

; Aliases; "www" is relative, so it expands to www.fqdn.com.au.
fred   86400 IN CNAME www

Sample Zone File - Reverse DNS

$TTL 604800
;
; db.1.2.3.rev -- reverse zone 3.2.1.in-addr.arpa (PTR records for 1.2.3.0/24)
;
; SOA values mirror the forward zone; the serial (YYYYMMDDnn) must be bumped
; on every edit so secondaries notice the change.
@ IN SOA ns1.hosting.com.au. dnsmaster.hosting.com.au. (
             2006080101 ; serial
                  10800 ; refresh  (3 hours)
                   1800 ; retry    (30 minutes)
                 604800 ; expire   (1 week)
                  86400 ; minimum  (1 day; negative-caching TTL)
)

; Name servers; no per-record TTL, so the $TTL default of 604800 applies
@    IN NS  ns1.hosting.com.au.
@    IN NS  ns2.hosting.com.au.

; Last octet of the address -> canonical host name. Targets are fully
; qualified (trailing dot) so they are not expanded under in-addr.arpa.
10   IN PTR www.fqdn.com.au.
20   IN PTR mail.fqdn.com.au.
30   IN PTR smtp.fqdn.com.au.

Split DNS Views

It is possible for your DNS server to hand out different information, and to behave differently, depending on who is asking.

named.conf.options

options {
  // Zone "file" paths elsewhere in the configuration are relative to this.
  directory "/var/cache/bind";

  // Debian boilerplate kept for reference, both parts disabled. BIND 8.1 and
  // later pick an unprivileged source port for outgoing queries; pin port 53
  // only if a firewall between this host and upstream servers insists on it.
  // query-source address * port 53;
  //
  // ISP-provided resolvers could be listed here, replacing the 0.0.0.0
  // placeholder, to forward recursive queries instead of walking the roots.
  // forwarders {
  //      0.0.0.0;
  // };

  version "0";              // hide the real release from version.bind lookups
  recursion no;             // authoritative by default; the "internal" view turns it back on
  allow-query { any; };
  listen-on-v6 { any; };
  auth-nxdomain no;         // conform to RFC1035
};

named.conf.acl

// Hosts allowed to pull zone transfers from the "external" view.
acl "dns_slaves" { 202.12.13.14; };

// Clients served by the "internal" view: the server itself plus both LAN subnets.
acl "lan_hosts" { 127.0.0.1; 192.168.1.0/24; 192.168.2.0/24; };

named.conf

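include "/etc/bind/named.conf.acl";
include "/etc/bind/named.conf.options";

// Views are tried in the order written; the first match-clients hit wins, so
// "internal" has to stay above "external".
view "internal" {
  match-clients { lan_hosts; };
  allow-transfer { lan_hosts; };
  recursion yes;            // overrides "recursion no" from named.conf.options
  // "explicit" sends NOTIFY only to the also-notify targets listed in the
  // zones below. The original "notify no" suppresses every NOTIFY, also-notify
  // included, so 192.168.2.10 never heard about updates to these zones.
  notify explicit;

  // prime the server with knowledge of the root servers
  zone "." {
    type hint;
    file "/etc/bind/db.root";
  };

  // be authoritative for the localhost forward and reverse zones, and for
  // broadcast zones as per RFC 1912

  zone "localhost" {
    type master;
    file "/etc/bind/db.local";
  };

  zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
  };

  zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
  };

  zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
  };

  // Internal copy of the public zone; the "external" view serves a different
  // file for the same name. Relative paths are under the options "directory".
  zone "domain.com.au" {
    type master;
    file "internal/db.domain.com.au";
    also-notify { 192.168.2.10; };
  };

  zone "domain.local" {
    type master;
    file "internal/db.domain.local";
    also-notify { 192.168.2.10; };
  };

  zone "1.168.192.in-addr.arpa" {
    type master;
    file "internal/db.1.168.192.in-addr.arpa";
    also-notify { 192.168.2.10; };
  };

  // 192.168.2.0/24 reverse zone is mastered on 192.168.2.10 and pulled from there.
  zone "2.168.192.in-addr.arpa" {
    type slave;
    file "internal/db.2.168.192.in-addr.arpa";
    masters { 192.168.2.10; };
  };
};

view "external" {
  // NOTE(review): everything "internal" did not catch lands here, except
  // clients in localnets (the networks on this host's own interfaces). A
  // client that is in localnets but not in lan_hosts matches neither view
  // and is refused; "!lan_hosts; any;" would state the intent more
  // precisely -- confirm which behaviour is wanted.
  match-clients { !localnets; any; };
  recursion no;
  allow-transfer { dns_slaves; };   // public secondaries only, see named.conf.acl

  zone "domain.com.au" {
    type master;
    file "external/db.domain.com.au";   // public data, kept apart from the internal copy
    also-notify { 202.1.2.3; };
  };
};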