Introduction
This page describes how Alexis Huxley installed and configured his DNS server and no-ip dynamic DNS updater.
Procedure
- If needed, set up an authoritative DNS server as follows:
- Set some environment variables used by this procedure:
AUTH_ZONES="<zone#1> <zone#2> ..." # E.g. AUTH_ZONES="pasta.net 1.168.192 3.168.192 10.168.192"
- Install the packages required for the DNS server by running:
apt-get install bind9
- Initialise the local configuration by running:
> /etc/bind/named.conf.local
# Stop lots of IPv6 error log entries by disabling IPv6 support
echo "OPTIONS=\"-u bind -4\"" >> /etc/default/bind9
perl -pi -e 's@(listen-on-v6)@// $1@' /etc/bind/named.conf.options
- Generate /etc/bind/named.conf.local for the zones by running:
{
    for AUTH_ZONE in $AUTH_ZONES; do
        # Zones whose name starts with a digit are reverse zones
        [[ $AUTH_ZONE =~ ^[0-9] ]] && ZONE_SUFFIX=.in-addr.arpa || ZONE_SUFFIX=
        echo "zone \"$AUTH_ZONE$ZONE_SUFFIX\" {"
        echo "    type master;"
        echo "    file \"/etc/bind/db.$AUTH_ZONE\";"
        echo "};"
        echo
    done
} >> /etc/bind/named.conf.local
- Create the corresponding zone files, as in these examples:
ditalini# head /etc/bind/db.pasta.net
$ORIGIN pasta.net.
$TTL 1h
pasta.net.    IN SOA   ns.pasta.net. root.pasta.net. ( 1487674547 1d 2h 4w 1h )
pasta.net.    IN NS    ditalini          ; cannot be 'ns' since CNAME illegal
pasta.net.    IN MX    10 fusilli        ; cannot be 'mail' since CNAME illegal
filer         IN CNAME fettuce-on-storage-net
gateway       IN CNAME fregula
i2p           IN CNAME gigli
imap          IN CNAME fusilli
ditalini# head /etc/bind/db.1.168.192
$ORIGIN 1.168.192.in-addr.arpa.
$TTL 1h
1.168.192.in-addr.arpa.    IN SOA   ns.pasta.net. root.pasta.net. ( 1487674547 1d 2h 4w 1h )
1.168.192.in-addr.arpa.    IN NS    ditalini.pasta.net.
1    IN PTR   fregula.pasta.net.
2    IN PTR   corzetti.pasta.net.
3    IN PTR   ditalini.pasta.net.
6    IN PTR   fiori.pasta.net.
7    IN PTR   torchio.pasta.net.
ditalini#
- In /etc/resolv.conf, make sure the nameserver is set to 127.0.0.1.
- Run:
service bind9 restart
- If you wish to access your systems’ “public” hostnames from inside the home network and you just set up an authoritative DNS server then:
- Edit /etc/bind/named.conf.options and set:
options {
    ...
    response-policy { zone "rpz"; };
};
- Edit /etc/bind/named.conf.local and add the stanza:
zone "rpz" {
    type master;
    file "/etc/bind/db.rpz";
};
- Create /etc/bind/db.rpz containing something like:
$TTL 1h
@    IN SOA   ns.pasta.net. root.pasta.net. ( 1487674547 1d 2h 4w 1h )
@    IN NS    localhost.    ; cannot be 'ns' since CNAME illegal
; redirect externally-valid names to internal IPs
www.pasta.freemyip.com     IN CNAME www.pasta.net.
jira.pasta.freemyip.com    IN CNAME www.pasta.net.
svn.pasta.freemyip.com     IN CNAME www.pasta.net.
repo.pasta.freemyip.com    IN CNAME www.pasta.net.
...
; blacklist
google-analytics.com       IN CNAME .
*.google-analytics.com     IN CNAME .
rdata.io                   IN CNAME .
*.rdata.io                 IN CNAME .
udp.dog                    IN CNAME .
*.udp.dog                  IN CNAME .
- Run:
service bind9 restart
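The following script is an added example (not part of the original page or of bind9 itself) that generalises the zone-stanza loop and the zone-file layout shown above, and the RPZ zone used for the redirect/blacklist step: it emits the named.conf.local stanzas for a list of zones, builds a reverse zone from "last-octet hostname" pairs, builds an RPZ zone from "external-name internal-name" pairs plus a list of domains to answer NXDOMAIN, and validates a zone file with named-checkzone when the bind9 utilities are installed. Hostnames, the nameserver name and the blocked domains are assumptions; the serial defaults to the current epoch time, which is the convention visible in the page's own examples.

```shell
#!/bin/sh
# Added example, not from the original page: generate named.conf.local stanzas,
# a reverse zone file and an RPZ zone file in the page's layout, then validate
# a zone file with named-checkzone when bind9 utilities are present.
# Hostnames, zone names and the blocked domains below are assumptions.

# One "zone" stanza per zone; numeric zones get the in-addr.arpa suffix,
# as the page's loop does. POSIX sh, so a case pattern replaces bash's =~.
gen_zone_stanzas() {
    for AUTH_ZONE in "$@"; do
        case "$AUTH_ZONE" in
            [0-9]*) ZONE_SUFFIX=.in-addr.arpa ;;
            *)      ZONE_SUFFIX= ;;
        esac
        printf 'zone "%s%s" {\n    type master;\n    file "/etc/bind/db.%s";\n};\n' \
            "$AUTH_ZONE" "$ZONE_SUFFIX" "$AUTH_ZONE"
    done
}

# Reverse zone for REV_ZONE (e.g. 1.168.192) from "last-octet hostname" pairs
# on stdin. The serial defaults to the current epoch time, so every
# regeneration yields a larger serial and secondaries notice the change.
gen_reverse_zone() {
    REV_ZONE=$1; NS=$2; DOMAIN=$3; SERIAL=${4:-$(date +%s)}
    printf '$ORIGIN %s.in-addr.arpa.\n$TTL 1h\n' "$REV_ZONE"
    printf '@ IN SOA %s. root.%s. ( %s 1d 2h 4w 1h )\n' "$NS" "$DOMAIN" "$SERIAL"
    printf '@ IN NS %s.\n' "$NS"
    while read -r OCTET HOST; do
        [ -n "$OCTET" ] || continue
        printf '%s IN PTR %s.%s.\n' "$OCTET" "$HOST" "$DOMAIN"
    done
}

# RPZ zone: "external-name internal-name" pairs on stdin become CNAME
# redirects; each domain given as an argument, and all its subdomains, is
# answered NXDOMAIN (in RPZ, a CNAME to the root "." means NXDOMAIN).
gen_rpz_zone() {
    SERIAL=$(date +%s)
    printf '$TTL 1h\n@ IN SOA localhost. root.localhost. ( %s 1d 2h 4w 1h )\n' "$SERIAL"
    printf '@ IN NS localhost.\n; redirect externally-valid names to internal IPs\n'
    while read -r EXT INT; do
        [ -n "$EXT" ] || continue
        printf '%s IN CNAME %s.\n' "$EXT" "$INT"
    done
    printf '; blacklist\n'
    for DOM in "$@"; do
        printf '%s IN CNAME .\n*.%s IN CNAME .\n' "$DOM" "$DOM"
    done
}

# Validate a zone file before restarting bind9. Uses named-checkzone when it
# is installed; otherwise falls back to a minimal sanity check (exactly one
# SOA record) so the script still runs on a host without bind9 tools.
check_zone_file() {
    ZONE=$1; FILE=$2
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$ZONE" "$FILE"
    else
        [ "$(grep -c ' IN SOA ' "$FILE")" -eq 1 ]
    fi
}

# Usage (assumed hosts; pass $AUTH_ZONES unquoted so it splits into words):
#   gen_zone_stanzas $AUTH_ZONES >> /etc/bind/named.conf.local
#   printf '1 fregula\n3 ditalini\n' | gen_reverse_zone 1.168.192 ns.pasta.net pasta.net > /etc/bind/db.1.168.192
#   check_zone_file 1.168.192.in-addr.arpa /etc/bind/db.1.168.192 && service bind9 restart
```

Running `check_zone_file` on every generated file before `service bind9 restart` catches a malformed record while the previous, working configuration is still loaded; a bad zone file otherwise only shows up as a load error in syslog after the restart.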
- If needed, set up a dynamic DNS updater as follows:
- Run:
apt-get install inadyn
- Edit /etc/default/inadyn and set:
RUN_DAEMON="yes"
- Edit /etc/inadyn.conf and modify or add the following settings (username, password, aliases, etc.). Be sure to add the last entry as well:
#logfile /var/log/inadyn/inadyn.log
syslog
system default@no-ip.com
username <your-no-ip.com-login>
password <your-no-ip.com-password>
alias <your-1st-no-ip-hostname>
alias <your-2nd-no-ip-hostname>
...
forced-update 86400
(The last entry should prevent the regular mails from no-ip.com telling you that hostnames are expiring.)
- Run:
systemctl restart inadyn
See also
- Computing
- Alexis Huxley
- https://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/
- https://www.bortzmeyer.org/rpz-faire-mentir-resolveur-dns.html
- http://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch06.html (search the page for ‘rpz’)