Raspberry Pi Secondary DNS Server


Domain Information

Domain       : chorke.org
Subdomain    : bgd.chorke.org (public)
CNAME of dev : cki00.ddns.net (noip.com)

Network Information

GTW : 10.19.83.1    (Gateway/Router)
DMZ : 10.19.83.5    (bgd.chorke.org  & Name server)
LAN : 10.19.83.0/24 (Private network & range 0~255)

Install

# Become root for the package install and for the edits under /etc/bind below.
sudo su
# Bring the system current before installing named; BIND has a steady stream
# of security advisories, so repeat the upgrade step regularly, not just here.
apt update && apt upgrade
# bind9 provides named; bind9utils provides named-checkconf/named-checkzone;
# dnsutils provides dig/nslookup used in the Debug section.
apt install bind9 bind9utils bind9-doc dnsutils
# Undo: purge also removes the packaged configuration under /etc/bind.
#apt purge  bind9 bind9utils bind9-doc dnsutils
#sudo apt autoremove

# Startup defaults read by the bind9 service.
# NOTE(review): on newer bind9 packages (Debian bullseye and later) this file
# is /etc/default/named - confirm for your release.
nano /etc/default/bind9

# run resolvconf?
# 'yes' would register the local named with resolvconf; presumably left 'no'
# so /etc/resolv.conf keeps being managed by dhcpcd (see the Client section).
RESOLVCONF=no

# startup options for the server
# -u bind : drop root privileges to the 'bind' user after binding port 53,
#           so a compromise of named does not yield root.
# -4      : IPv4 only, matching 'listen-on-v6 { none; }' in named.conf.options.
OPTIONS="-u bind -4"

Primary Options

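nano /etc/bind/named.conf.options

# Hosts that may use this server as a recursive resolver and query it at all
# (see allow-recursion / allow-query below). Loopback is a /8, not a /24.
acl internals {
    127.0.0.0/8;   # loopback
    10.19.83.0/24; # LAN, 0-255
};

# NOTE(review): not referenced anywhere in this configuration. ACLs are
# first-match, so as written it matches only 10.19.83.0-7: the negated /24
# rejects the rest of the LAN and any other address matches nothing.
acl externals {
    10.19.83.0/29;  # 0-7
    !10.19.83.0/24; # 0-255
};

options {
    directory "/var/cache/bind";
    auth-nxdomain no;
    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // Bind only loopback and the DMZ address; any other interface on this
    // host is not exposed on port 53.
    listen-on port 53 {
        127.0.0.1;
        10.19.83.5;
    };

    // Upstream resolvers for everything this server is not authoritative
    // for. named still validates their answers (dnssec-validation below), so
    // a forwarder cannot quietly substitute records in signed zones. Swap in
    // your ISP's or a privacy-respecting resolver if preferred.
    forwarders {
        8.8.8.8;    # Google DNS
        8.8.4.4;    # Google DNS
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    // Recursion is on but restricted to the LAN/loopback by allow-recursion:
    // an open recursive resolver on a reachable address gets abused for
    // DNS amplification.
    recursion yes;
    listen-on-v6 { none; };
    // Transfers are off globally; the zones that need them grant
    // allow-transfer to the secondaries explicitly in named.conf.local.
    allow-transfer { none; };
    // This is also the default for every zone: the "public" subdomain is
    // answered for internal clients only unless a zone statement overrides
    // it with its own allow-query.
    allow-query { internals; };
    allow-recursion { internals; };
};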

Primary Zones

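nano /etc/bind/named.conf.local

# Key that authenticates dynamic (RFC 2136) updates to the zones below.
# Do not reuse /etc/bind/rndc.key for this: rndc-key is the control-channel
# secret (rndc stop/flush/reload), so every host or script allowed to update
# DNS would also be able to control named. Generate a dedicated TSIG key once
# on the primary and hand only that to the updating clients:
#   tsig-keygen -a hmac-sha256 ddns-key > /etc/bind/ddns.key
#   chown root:bind /etc/bind/ddns.key && chmod 640 /etc/bind/ddns.key
# (bind 9.11+; older releases ship ddns-confgen for the same purpose.)
include "/etc/bind/ddns.key";

zone "bgd.chorke.org" {
    type master;
    # With allow-update, named writes a .jnl journal beside this file and
    # periodically rewrites the file itself, so the directory and file must be
    # writable by the bind user; on Debian /etc/bind itself is root-owned and
    # is not (chown -R bind:bind /etc/bind/zones).
    file "/etc/bind/zones/db.bgd.chorke.org";     # zone file path
    allow-update { key ddns-key; };
    # Transfers only to the two secondaries, by source address. NOTIFY goes to
    # the zone's NS records (ns1/ns2 resolve to these addresses) by default,
    # so no also-notify is needed. Address-based ACLs can be spoofed on a
    # shared network; add a TSIG key here and on the secondaries if that
    # matters for your LAN.
    allow-transfer {
        10.19.83.3;
        10.19.83.4;
    };
    # The global allow-query { internals; } still applies here, so the
    # "world wide" dig tests in the Debug section are REFUSED. Adding
    # allow-query { any; }; makes the zone public - and publishes the
    # RFC 1918 address of every LAN host listed in it.
};

zone "83.19.10.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.83.19.10";           # 10.19.83.0/24 subnet
    allow-update { key ddns-key; };
    allow-transfer {
        10.19.83.3;                
        10.19.83.4;             
    };
};

// consider adding the 1918 zones here
// include "/etc/bind/zones.rfc1918";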

Forward Zone

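# Zone files for this server's own zones. named.conf.local enables
# allow-update on them, so named (running as 'bind', see /etc/default/bind9)
# must be able to create the .jnl journal beside each file and to rewrite the
# file itself; give the directory and the file to bind instead of root.
install -d -o bind -g bind -m 750 /etc/bind/zones
# Start from the stock db.local template and edit it to the content below.
install -o bind -g bind -m 640 /etc/bind/db.local /etc/bind/zones/db.bgd.chorke.org
nano /etc/bind/zones/db.bgd.chorke.org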
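;
; BIND forward data file
;
; Once allow-update is active, named owns this file: run
; 'rndc freeze bgd.chorke.org' before editing it by hand and
; 'rndc thaw bgd.chorke.org' afterwards, or the edit is overwritten.
;
$TTL     600    ;  10M
$ORIGIN bgd.chorke.org.

; Serial must increase on every edit or the secondaries will not refetch
; (dynamic updates bump it automatically).
; Expire is how long a secondary keeps serving after it loses contact with
; the primary; the previous value of 1 day defeats the purpose of running a
; secondary. RFC 1912 recommends 2-4 weeks.
@       IN      SOA     ns0.bgd.chorke.org. root.bgd.chorke.org. (
                        201908121           ; Serial       YYYYmmddI
                             3600           ; Refresh            01H
                              600           ; Retry              10M
                          1209600           ; Expire             02W
                              600 )         ; Negative Cache TTL 10M
; NS Records - ns1/ns2 receive NOTIFY on change and must match the
; allow-transfer list in named.conf.local (10.19.83.3 and 10.19.83.4).
@       IN      NS      ns0.bgd.chorke.org.
@       IN      NS      ns1.bgd.chorke.org.
@       IN      NS      ns2.bgd.chorke.org.
@       IN      A       10.19.83.5

; A  Records Name Servers
ns0             A       10.19.83.5
ns1             A       10.19.83.3
ns2             A       10.19.83.4

; A  Records 10.19.83.0/24
; Every LAN host is published here; if the zone is ever opened with
; allow-query { any; }, this map of the private network becomes public.
apn             A       10.19.83.2
av5             A       10.19.83.9
gtw             A       10.19.83.1
mac             A       10.19.83.10
one             A       10.19.83.8
pi3             A       10.19.83.3
pih             A       10.19.83.4
piw             A       10.19.83.5
ras             A       10.19.83.12
sha             A       10.19.83.11
; CNAME
ftp             CNAME   ns0
dmz             CNAME   ns0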

Reverse Zone

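# Start from the stock loopback reverse template. Owned by bind for the same
# reason as the forward zone: this zone also has allow-update, so named must
# write its .jnl journal and rewrite the file.
install -o bind -g bind -m 640 /etc/bind/db.127 /etc/bind/zones/db.83.19.10
nano /etc/bind/zones/db.83.19.10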
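;
; BIND reverse data file
;
; This zone also has allow-update in named.conf.local: freeze/thaw it with
; rndc before editing by hand, otherwise named overwrites the edit.
;
$TTL     600    ; 10M
$ORIGIN 83.19.10.in-addr.arpa.

; Serial must increase on every edit or the secondaries will not refetch.
; Expire raised from 1 day to 2 weeks so the secondaries keep answering
; reverse lookups through a longer primary outage (RFC 1912: 2-4 weeks).
@       IN      SOA     ns0.bgd.chorke.org. root.bgd.chorke.org. (
                        201908121           ; Serial       YYYYmmddI
                             3600           ; Refresh            01H
                              600           ; Retry              10M
                          1209600           ; Expire             02W
                              600 )         ; Negative Cache TTL 10M
; NS  Records
@       IN      NS      ns0.bgd.chorke.org.
@       IN      NS      ns1.bgd.chorke.org.
@       IN      NS      ns2.bgd.chorke.org.
; PTR Records
; Several addresses carry more than one PTR. That is legal, but a reverse
; lookup returns all of them in no guaranteed order, so tools that expect a
; single canonical name (sshd, mail servers) may see any of them.
1       IN      PTR     gtw.bgd.chorke.org.
2       IN      PTR     apn.bgd.chorke.org.
3       IN      PTR     ns1.bgd.chorke.org.
3       IN      PTR     pi3.bgd.chorke.org.
4       IN      PTR     ns2.bgd.chorke.org.
4       IN      PTR     pih.bgd.chorke.org.
5       IN      PTR     dmz.bgd.chorke.org.
5       IN      PTR     ftp.bgd.chorke.org.
5       IN      PTR     ns0.bgd.chorke.org.
5       IN      PTR     piw.bgd.chorke.org.
8       IN      PTR     one.bgd.chorke.org.
9       IN      PTR     av5.bgd.chorke.org.
10      IN      PTR     mac.bgd.chorke.org.
11      IN      PTR     sha.bgd.chorke.org.
12      IN      PTR     ras.bgd.chorke.org.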

Secondary Options

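nano /etc/bind/named.conf.options

# Hosts that may use the secondary as a recursive resolver and query it at
# all. Loopback is a /8, not a /24.
acl internals {
    127.0.0.0/8;   # loopback
    10.19.83.0/24; # LAN, 0-255
};

# NOTE(review): unused here as on the primary; first-match semantics make it
# equivalent to just 10.19.83.0/29.
acl externals {
    10.19.83.0/29;  # 0-7
    !10.19.83.0/24; # 0-255
};

options {
    directory "/var/cache/bind";
    auth-nxdomain no;
    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // 10.19.83.3 is ns1 in the zone and one of the two addresses the
    // primary's allow-transfer accepts; keep the three in sync.
    listen-on port 53 {
        127.0.0.1;
        10.19.83.3;
    };

    // Same forwarders as the primary so the secondary is a full drop-in
    // resolver for LAN clients, not only an authoritative copy.
    forwarders {
        8.8.8.8;    # Google DNS
        8.8.4.4;    # Google DNS
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    // Recursion limited to the LAN/loopback; never expose an open resolver.
    recursion yes;
    listen-on-v6 { none; };
    // Nobody may AXFR the copy held here either; no zone below overrides it.
    allow-transfer { none; };
    allow-query { internals; };
    allow-recursion { internals; };
};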

Secondary Zones

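nano /etc/bind/named.conf.local

# No key statement is needed on the secondary: it accepts no dynamic updates
# (clients that update DNS talk to the primary) and named finds rndc.key for
# its own control channel without an explicit include. Including the control
# key here only spreads a secret that nothing in this file uses.

# Secondary copies are stored relative to the options 'directory'
# (/var/cache/bind), which the bind user can write; /etc/bind cannot be.
zone "bgd.chorke.org" {
    type slave;
    file "db.bgd.chorke.org";     # /var/cache/bind/db.bgd.chorke.org
    # Transfers only from the primary, whose allow-transfer lists this host
    # (10.19.83.3). NOTIFY from a listed master is accepted by default. Add a
    # TSIG key on both sides if address-based authentication of the transfer
    # is not enough for your network.
    masters { 10.19.83.5; };
};

zone "83.19.10.in-addr.arpa" {
    type slave;
    file "db.83.19.10";           # 10.19.83.0/24 subnet
    masters { 10.19.83.5; };
};

// consider adding the 1918 zones here
// include "/etc/bind/zones.rfc1918";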

Server

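# Syntax-check the configuration and load every zone it references.
named-checkconf -z
# Validate the zone files on the primary only: the secondary has no files
# under /etc/bind/zones, its copies arrive by AXFR into /var/cache/bind.
named-checkzone bgd.chorke.org /etc/bind/zones/db.bgd.chorke.org
named-checkzone 83.19.10.in-addr.arpa /etc/bind/zones/db.83.19.10
# Start at boot and apply the configuration (one restart is enough; the
# init.d and service forms of the original were the same action twice).
systemctl enable bind9
systemctl restart bind9
# Confirm port 53 is bound only on 127.0.0.1 and the listen-on address
# (10.19.83.5 primary, 10.19.83.3 secondary) - not 0.0.0.0 or an IPv6 socket.
ss -tulpn | grep named
# Optional: prove the service comes back on its own after a reboot.
reboot
# Cache housekeeping: dumpdb writes the cache to the dump-file under
# /var/cache/bind, flush empties it, reload re-reads config and zone files.
# A zone with allow-update must be frozen ('rndc freeze <zone>') before hand
# editing and thawed afterwards, or named overwrites the edit.
rndc dumpdb -cache
rndc flush
rndc reload
# Secondary only: force a fresh transfer instead of waiting for Refresh.
#rndc retransfer bgd.chorke.org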

Client

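sudo nano /etc/dhcpcd.conf

# Chorke Academia, Inc.
# List the secondary too: a client that only knows 10.19.83.5 gains nothing
# from the secondary on 10.19.83.3. The gateway stays last as a fallback that
# does not know the bgd.chorke.org names. Uncomment to override DHCP-supplied
# servers.
#static domain_name_servers=10.19.83.5 10.19.83.3 10.19.83.1
static domain_search=bgd.chorke.org
#static host_name=pih
# dhcpcd re-reads its configuration on restart. 'systemctl daemon-reload'
# only re-reads unit files and does nothing for this change.
sudo systemctl restart dhcpcd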

Debug

@rem clear windows dns cache
ipconfig /flushdns
ipconfig /displaydns
# clear macos dns cache
sudo killall -HUP mDNSResponder
# clear ubuntu dns cache
# (newer systemd names these 'resolvectl flush-caches' / 'resolvectl statistics')
sudo systemd-resolve --flush-caches
sudo systemd-resolve --statistics
#sudo /etc/init.d/dns-clean start
#from local area network
# Ask the primary directly. chorke.org itself is not local - it is resolved
# recursively through the forwarders; only bgd.chorke.org is served from the
# zone file. 'ddn' is not defined in the zone on this page (only apn, av5,
# gtw, mac, one, pi3, pih, piw, ras, sha plus ns*/ftp/dmz), so that query
# returns NXDOMAIN; from the Domain Information it looks intended as a CNAME
# to cki00.ddns.net - confirm and add the record. Repeat with @10.19.83.3 to
# prove the secondary actually serves the zone.
dig @10.19.83.5 chorke.org
dig @10.19.83.5 bgd.chorke.org
dig @10.19.83.5 apn.bgd.chorke.org
dig @10.19.83.5 ddn.bgd.chorke.org
dig @10.19.83.5 gtw.bgd.chorke.org
#from horizon/world wide 
# NOTE(review): with allow-query { internals; } in named.conf.options these
# are answered REFUSED from outside the LAN; a zone-level allow-query { any; }
# is required for the public case, and it exposes the RFC 1918 addresses.
dig @bgd.chorke.org chorke.org
dig @bgd.chorke.org -x 10.19.83.1
dig @bgd.chorke.org bgd.chorke.org
dig @bgd.chorke.org apn.bgd.chorke.org
dig @bgd.chorke.org ddn.bgd.chorke.org
dig @bgd.chorke.org gtw.bgd.chorke.org
#from lan only
# Through whatever resolver the client got from /etc/dhcpcd.conf or DHCP;
# these do not tell you which of the two servers answered.
nslookup chorke.org
nslookup bgd.chorke.org
nslookup apn.bgd.chorke.org
nslookup ddn.bgd.chorke.org
nslookup gtw.bgd.chorke.org

References