Dieses Wiki ist ein Archiv bis 2023. Das aktuelle Wiki findet sich unter https://wiki.hamburg.ccc.de/
Difference between revisions of "ChaosVPN:DNS"
m (→Bind 9.8+ using static-stub (preferred method, Debian Wheezy or newer)) |
m (→bind9: added note to disable DNSSEC on the latest debian bind9.8 bits, at least) |
||
| Line 57: | Line 57: | ||
in /etc/bind/named.conf (or for Debian in /etc/bind/named.conf.local): | in /etc/bind/named.conf (or for Debian in /etc/bind/named.conf.local): | ||
| + | |||
| + | '''NOTE:''' bind9 in debian now attempts to use DNSSEC, which you need to disable in /etc/bind/named.conf.options. Change 'dnssec-validation auto;' to 'dnssec-validation no;' and the static-stub defs should work. | ||
=== Bind 9.8+ using static-stub (preferred method, Debian Wheezy or newer) === | === Bind 9.8+ using static-stub (preferred method, Debian Wheezy or newer) === | ||
Revision as of 21:43, 4 October 2012
We have a DNS running.
Contents
configs
The main zonefile atm is edited with vim on cvpn-dns.
This server is available at 172.31.0.5 or 212.12.52.216.
You can either be secondary and transfer the zonefile or query this server.
If you are a secondary you need to add your server here so it can be included in the zonefile.
secondarys
- ns.sliepen.hack (172.31.116.1)
- ns1.syn2cat.hack (195.24.78.86 and 2a01:608:ccc::ccc)
- ns1.crest.dn42 (172.22.228.6) with 1Mbit/s upstream, ns2.crest.dn42 (172.22.228.85) and ns3.crest.dn42 (172.22.228.84) with 100Mbit/s upstream
- ns.yojimbo.hack (10.103.252.85)
HowTo
NSD + unbound
unbound and NSD were developed by NLnet Labs with focus on small footprints and reliability. While NSD is a complete name server software for authoritative zones only, they also provide unbound as caching and recursive resolver.
nsd
In /etc/nsd/nsd3.conf add at bottom:
zone:
name: "hack"
zonefile: "hack.zone"
allow-notify: 127.0.0.1 NOKEY
allow-notify: 172.31.0.5 NOKEY
request-xfr: 172.31.0.5 NOKEY
unbound
In /etc/unbound/unbound.conf add at bottom:
forward-zone: name: "hack" forward-addr: 172.31.0.5 forward-addr: 172.31.116.1 forward-zone: name: "dn42" forward-addr: 172.22.228.85 forward-addr: 172.22.222.6
bind9
Should-Do´s:
in /etc/bind/named.conf (or for Debian in /etc/bind/named.conf.local):
NOTE: bind9 in debian now attempts to use DNSSEC, which you need to disable in /etc/bind/named.conf.options. Change 'dnssec-validation auto;' to 'dnssec-validation no;' and the static-stub defs should work.
Bind 9.8+ using static-stub (preferred method, Debian Wheezy or newer)
zone "hack" {
type static-stub;
server-addresses { 172.31.0.5; 172.31.2.51; };
};
zone "dn42" {
type static-stub;
server-addresses { 172.22.228.2; 172.22.136.243; 172.22.131.88; 172.22.53.51; };
};
zone "31.172.in-addr.arpa" {
type static-stub;
server-addresses { 172.31.0.5; 172.31.2.51; };
};
zone "100.10.in-addr.arpa" {
type static-stub;
server-addresses { 172.31.0.5; 172.31.2.51; };
};
zone "101.10.in-addr.arpa" {
type static-stub;
server-addresses { 172.31.0.5; 172.31.2.51; };
};
zone "102.10.in-addr.arpa" {
type static-stub;
server-addresses { 172.31.0.5; 172.31.2.51; };
};
zone "103.10.in-addr.arpa" {
type static-stub;
server-addresses { 172.31.0.5; 172.31.2.51; };
};
Bind as secondary
zone "hack" {
type slave;
file "slave/slave.hack";
masters { 172.31.0.5; };
};
Old Bind as Forwarder
zone "hack" {
type forward;
forwarders { 172.31.0.5; };
};
maradns
maradns as secondary
getzone mycoolnode.hack 212.12.52.216 > /etc/maradns/db.domain.hack
Where mycoolnode.hack is the domain name, 212.12.52.216 is the primary name server and db.domain.hack is the filename of the zonefile.
dnsmasq
Add to /etc/dnsmasq.conf:
server=/hack/172.31.0.5 server=/31.172.in-addr.arpa/172.31.0.5 server=/100.10.in-addr.arpa/172.31.0.5 server=/101.10.in-addr.arpa/172.31.0.5 server=/102.10.in-addr.arpa/172.31.0.5 server=/103.10.in-addr.arpa/172.31.0.5
