Introduction
This page describes how Alexis Huxley installed and configured his DNS server.
Procedure
- Set some environment variables used by this procedure:
AUTH_ZONES="<zone> ..." # e.g. AUTH_ZONES="pasta.net 1.168.192 3.168.192 10.168.192"
- Install the packages required for the DNS server by running:
apt-get install bind9 dnsutils
- Disable IPv6 support by completing this sub-procedure:
- Edit /etc/default/bind9 and add to OPTIONS:
OPTIONS="... -4 ..."
- Edit /etc/bind/named.conf and comment out:
// listen-on-v6 { any; };
- In the same file, also inside the
options { ... };
stanza, add:
filter-aaaa-on-v4 yes;
- Generate the zone inclusions and empty zone files:
for AUTH_ZONE in $AUTH_ZONES; do
    [[ $AUTH_ZONE =~ ^[0-9] ]] && ZONE_SUFFIX=.in-addr.arpa || ZONE_SUFFIX=
    {
        echo -e "zone \"$AUTH_ZONE$ZONE_SUFFIX\" {"
        echo -e "\\ttype master;"
        echo -e "\\tfile \"/etc/bind/db.$AUTH_ZONE\";"
        echo -e "};"
        echo
    } >> /etc/bind/named.conf.local
    {
        echo -e "\$ORIGIN $AUTH_ZONE$ZONE_SUFFIX."
        echo -e "\$TTL 1h"
        echo -e "$AUTH_ZONE$ZONE_SUFFIX. IN SOA ns.$(dnsdomainname). root.$(dnsdomainname). ( $(date +%s) 1d 2h 4w 1h )"
        echo -e "$AUTH_ZONE$ZONE_SUFFIX. IN NS $(hostname -f)."
    } > /etc/bind/db.$AUTH_ZONE
done
- Populate the zone files.
- Restart the nameserver with:
systemctl restart bind9
- Test with:
host $(hostname -f) localhost
host $(host $(hostname -f) localhost | sed -n 's/.* has address //p') localhost
- If you wish to allow
systemctl reload bind9
to work (which uses rndc to communicate with named) then:
- Run:
rndc-confgen
- Copy the first part of the output into /etc/bind/rndc.conf.
- Copy the second part of the output into /etc/bind/named.conf.options, but put it outside the
options { ... };
stanza.
- Run:
systemctl restart bind9
- Test by running:
systemctl reload bind9
- If you wish to:
- access your systems’ “public” hostnames from inside the home network, or
- blacklist certain external hostnames (e.g. google-analytics.com)
then:
- Edit /etc/bind/named.conf.options and set:
options {
    ...
    response-policy { zone "rpz"; } qname-wait-recurse no;
};
(Without
qname-wait-recurse no
, RPZ will not work if the internet connection goes down. See here for more details.)
- Edit /etc/bind/named.conf.local and add the stanza:
zone "rpz" {
    type master;
    file "/etc/bind/db.rpz";
};
- Create an empty /etc/bind/db.rpz by running:
AUTH_ZONE=rpz
ZONE_SUFFIX=
{
    echo -e "\$TTL 1h"
    echo -e "$AUTH_ZONE$ZONE_SUFFIX. IN SOA ns.$(dnsdomainname). root.$(dnsdomainname). ( $(date +%s) 1d 2h 4w 1h )"
    echo -e "$AUTH_ZONE$ZONE_SUFFIX. IN NS $(hostname -f)."
} > /etc/bind/db.$AUTH_ZONE
- Populate this zone file. E.g.:
...
; redirect externally-valid names to internal IPs
www.pasta.freemyip.com IN CNAME www.pasta.net.
jira.pasta.freemyip.com IN CNAME www.pasta.net.
svn.pasta.freemyip.com IN CNAME www.pasta.net.
repo.pasta.freemyip.com IN CNAME www.pasta.net.
...
; blacklist
google-analytics.com IN CNAME .
*.google-analytics.com IN CNAME .
rdata.io IN CNAME .
*.rdata.io IN CNAME .
udp.dog IN CNAME .
*.udp.dog IN CNAME .
...
- Possibly of interest are DNS blacklists such as this one.
- Run:
service bind9 restart
- Test by running:
host <some-host> localhost
- Also test without an internet connection (or by removing the default route).
- If you have scripts to do this kind of update automatically then deploy them now.
- In /etc/resolv.conf, make sure the nameserver is set to 127.0.0.1.
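The RPZ zone-file steps above (create db.rpz, populate it with redirect and blacklist entries, restart), as an added example that is not code from the original page: a shell script that generates the file from a redirect list and a blocklist, and checks it with named-checkzone (shipped with bind9) before the server is restarted. The zone name, domain and nameserver are assumed values passed as parameters; the pasta.net names in the usage comment are the page's own sample names.

```shell
# Added example, not from the original page: build the RPZ zone file the
# procedure populates by hand, then validate it before "systemctl restart bind9".

# Zone header in the same shape as the page's generator: $1=origin $2=domain
# (used for the SOA MNAME/RNAME) $3=nameserver FQDN (NS record) $4=serial.
rpz_header() {
    printf '$TTL 1h\n'
    printf '%s. IN SOA ns.%s. root.%s. ( %s 1d 2h 4w 1h )\n' "$1" "$2" "$2" "$4"
    printf '%s. IN NS %s.\n' "$1" "$3"
}

# stdin: "<public-name> <internal-name>" pairs; one CNAME per pair so the
# public hostname resolves to the internal host from inside the network.
rpz_redirects() {
    printf '; redirect externally-valid names to internal IPs\n'
    while read -r public internal; do
        if [ -n "$public" ] && [ -n "$internal" ]; then
            printf '%s IN CNAME %s.\n' "$public" "$internal"
        fi
    done
}

# stdin: one domain per line ('#' comments and blank lines ignored); emits the
# apex and a wildcard entry, both answered with NXDOMAIN via "CNAME .".
rpz_blocklist() {
    printf '; blacklist\n'
    while read -r domain; do
        case $domain in
            ''|'#'*) ;;
            *) printf '%s IN CNAME .\n*.%s IN CNAME .\n' "$domain" "$domain" ;;
        esac
    done
}

# $1=origin $2=domain $3=nameserver FQDN $4=redirects file $5=blocklist file
rpz_generate() {
    rpz_header "$1" "$2" "$3" "$(date +%s)"   # epoch serial, as on the page
    rpz_redirects < "$4"
    rpz_blocklist < "$5"
}

# Load the file the way named would; skipped (returns 0) where the tool is absent.
rpz_check() {   # $1=zone name $2=zone file
    command -v named-checkzone >/dev/null 2>&1 || return 0
    named-checkzone -q "$1" "$2"
}
# Usage: rpz_generate rpz pasta.net ns.pasta.net redirects blocklist > /etc/bind/db.rpz
#        rpz_check rpz /etc/bind/db.rpz && systemctl restart bind9
```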