BIND Setup - Serve internal LAN, query outside results
Setting up an internal private server for some testing on our corp LAN. I want it to be authoritative for an internal domain and hosts, but be able to resolve stuff on the internet (google, yahoo etc.)
I can get the internal part working just fine, but when I try to resolve something public, it fails. I am probably missing one simple flag in my /etc/named.conf (BTW, RHEL 7.3 is my OS).
I can paste the contents of my configuration, but thought I would start here.
I started very simple, just to get it working and then plan to add more as I go along. I just need to fix the external resolving issue I am currently having.
Thanks!
IllusionMan
EDIT: Never mind. Think I figured it out. I had to set up 'forwarders' in the options section and turn on recursion. Right now, it is working the way I want.
linux dns
asked Jun 24 '17 at 17:46 by theillusionman
edited Dec 20 '18 at 7:09 by Rui F Ribeiro
It is a bad idea to have the same server being both authoritative and recursive. You should split these 2 functions into 2 separate servers.
– Patrick Mevzek
Jun 25 '17 at 10:53
1 Answer
Here's the contents of my /etc/bind on Debian with a config working the way you say you want: authoritative for a fake domain/TLD (called fake.tld) on the local LAN using non-routable addresses (10.99.99.0/24 in my case) with reverse DNS for LAN addresses, and other lookups for "real" DNS sent out to the world (in this case, forwarded to Google's 8.8.8.8). The only files not represented here are /etc/bind/rndc.key and /etc/bind/bind.keys. File names are in bold; the end-of-file indicator is commented in the appropriate style for that file (i.e., `;` in a zone file).
**named.conf:**

```conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
//end named.conf
```
**named.conf.default-zones:**

```conf
// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
//end named.conf.default-zones
```
**named.conf.local:**

```conf
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "fake.tld" {
    type master;
    notify no;
    file "/etc/bind/db.fake.tld";
};
zone "99.99.10.in-addr.arpa" {
    type master;
    notify no;
    file "/etc/bind/db.10.99.99";
};
//end named.conf.local
```
**named.conf.options:**

```conf
options {
    directory "/var/cache/bind";
    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    forwarders {
        8.8.8.8;
    };
    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
//end named.conf.options
```
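The options file above does what the question asked for (forward everything that is not ours to 8.8.8.8), but it also recurses for any client that can reach the server, which is what Patrick Mevzek's comment is warning about: a resolver that answers recursive queries for arbitrary sources is usable for reflection/amplification and is a larger cache-poisoning target than one that only serves its own LAN. As an added example that is not part of the answer's /etc/bind, here is the same file with the recursive service fenced off by an ACL. The 10.99.99.0/24 network and the 8.8.8.8 forwarder are taken from the answer; the ACL name `trusted` and the 10.99.99.2 listen address are assumptions.

```conf
// Added example, not the answer's own file: hardened named.conf.options for
// the same single-box setup (authoritative for fake.tld, forwarding the rest).
// Assumptions: the LAN is 10.99.99.0/24 and the server listens on 10.99.99.2;
// "trusted" is a constructed ACL name, not a BIND built-in.

acl "trusted" {
    127.0.0.0/8;        // the server itself
    ::1;
    10.99.99.0/24;      // the only network that may use the recursive service
};

options {
    directory "/var/cache/bind";

    // Answer only on loopback and the LAN-facing address, not on every
    // interface the box happens to have.
    listen-on    { 127.0.0.1; 10.99.99.2; };
    listen-on-v6 { ::1; };

    // Recursion is BIND's default, so say so explicitly and restrict it.
    // allow-query also covers the authoritative zones; for an internal-only
    // domain like fake.tld that is what you want.
    recursion yes;
    allow-query       { trusted; };
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };

    // No zone transfers; list your secondaries here if you have any.
    allow-transfer { none; };

    // Send everything that is not ours to the forwarder. "forward only"
    // stops named from iterating from the root hints itself when 8.8.8.8
    // is unreachable, which keeps the egress path predictable for the firewall.
    forwarders { 8.8.8.8; };
    forward only;

    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035

    // Replace the version string returned for CH TXT version.bind queries.
    version "not disclosed";
};
```

Run `named-checkconf` on the main file before reloading (`/etc/bind/named.conf` on Debian; on the question's RHEL 7.3 it is `/etc/named.conf`, and the stock `directory` there is `/var/named`). After `rndc reload`, `dig @10.99.99.2 google.com` from a LAN host still returns an answer, while the same query from an address outside the ACL gets `REFUSED`, which is the check that the recursive side is no longer open. The ACL contains the exposure but does not remove it; the fuller remedy is the one in the comment, separate authoritative and recursive servers.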
**db.0:**

```conf
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
        1         ; Serial
        604800    ; Refresh
        86400     ; Retry
        2419200   ; Expire
        604800 )  ; Negative Cache TTL
;
@ IN NS localhost.
;end db.0
```
**db.10.99.99:**

```conf
$TTL 3D ; default ttl for records without a specified lifetime
$ORIGIN 99.99.10.in-addr.arpa.
@ IN SOA ns.fake.tld. root.fake.tld. (
        2017012811 ; serial number
        1638       ; ns refresh
        204        ; ns retry
        10485      ; authority expiry
        256 )      ; min (RFC2308 §4)
; we don't use a hostname when we tell about our nameserver(s):
; a record that starts with whitespace inherits the previous owner, here @ (the zone apex)
        IN NS ns.fake.tld.
; hostname in this case is the last quad of the IP address
1  IN PTR gw.fake.tld.
2  IN PTR ns.fake.tld.
3  IN PTR dhcp.fake.tld.
10 IN PTR fileserver.fake.tld.
;end db.10.99.99
```
**db.127:**

```conf
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
        1         ; Serial
        604800    ; Refresh
        86400     ; Retry
        2419200   ; Expire
        604800 )  ; Negative Cache TTL
;
@     IN NS  localhost.
1.0.0 IN PTR localhost.
;end db.127
```
**db.255:**

```conf
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
        1         ; Serial
        604800    ; Refresh
        86400     ; Retry
        2419200   ; Expire
        604800 )  ; Negative Cache TTL
;
@ IN NS localhost.
;end db.255
```
**db.empty:**

```conf
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400
@ IN SOA localhost. root.localhost. (
        1         ; Serial
        604800    ; Refresh
        86400     ; Retry
        2419200   ; Expire
        86400 )   ; Negative Cache TTL
;
@ IN NS localhost.
;end db.empty
```
**db.fake.tld:**

```conf
$TTL 604800
@ IN SOA ns.fake.tld. root.fake.tld. (
        2017062019 ; Serial
                   ; YYYYMMDDVV
        604800     ; Refresh
        86400      ; Retry
        2419200    ; Expire
        604800 )   ; Negative Cache TTL
;
@          IN NS ns.fake.tld.
@          IN A  10.99.99.2
gw         IN A  10.99.99.1
ns         IN A  10.99.99.2
dhcp       IN A  10.99.99.3
fileserver IN A  10.99.99.10
gitlab     IN A  10.99.99.7
;end db.fake.tld
```
**db.local:**

```conf
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
        2         ; Serial
        604800    ; Refresh
        86400     ; Retry
        2419200   ; Expire
        604800 )  ; Negative Cache TTL
;
@ IN NS   localhost.
@ IN A    127.0.0.1
@ IN AAAA ::1
;end db.local
```
**db.root:**

```conf
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Jan 3, 2013
; related version of root zone: 2013010300
;
; formerly NS.INTERNIC.NET
;
.                    3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000    A  198.41.0.4
A.ROOT-SERVERS.NET.  3600000    AAAA 2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                    3600000    NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.  3600000    A  192.228.79.201
;
; FORMERLY C.PSI.NET
;
.                    3600000    NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.  3600000    A  192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
.                    3600000    NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.  3600000    A  199.7.91.13
D.ROOT-SERVERS.NET.  3600000    AAAA 2001:500:2D::D
;
; FORMERLY NS.NASA.GOV
;
.                    3600000    NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.  3600000    A  192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
.                    3600000    NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.  3600000    A  192.5.5.241
F.ROOT-SERVERS.NET.  3600000    AAAA 2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
.                    3600000    NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.  3600000    A  192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                    3600000    NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.  3600000    A  128.63.2.53
H.ROOT-SERVERS.NET.  3600000    AAAA 2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
.                    3600000    NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.  3600000    A  192.36.148.17
I.ROOT-SERVERS.NET.  3600000    AAAA 2001:7FE::53
;
; OPERATED BY VERISIGN, INC.
;
.                    3600000    NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.  3600000    A  192.58.128.30
J.ROOT-SERVERS.NET.  3600000    AAAA 2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
.                    3600000    NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.  3600000    A  193.0.14.129
K.ROOT-SERVERS.NET.  3600000    AAAA 2001:7FD::1
;
; OPERATED BY ICANN
;
.                    3600000    NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.  3600000    A  199.7.83.42
L.ROOT-SERVERS.NET.  3600000    AAAA 2001:500:3::42
;
; OPERATED BY WIDE
;
.                    3600000    NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.  3600000    A  202.12.27.33
M.ROOT-SERVERS.NET.  3600000    AAAA 2001:DC3::35
; End of File
;end db.root
```
**zones.rfc1918:**

```conf
zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
// end zones.rfc1918
```
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f373157%2fbind-setup-serve-internal-lan-query-outside-results%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Here's the contents of my /etc/bind
on Debian with a config working the way you say you want - authoritative for a fake domain/tld (called fake.tld) on the local LAN using non-routable addresses (10.99.99.0/24 in my case) with reverse DNS for LAN addresses, and other lookups for "real" DNS sent out to the world (in this case, forwarded to google's 8.8.8.8). The only files not represented here are the /etc/bind/rndc.key
and /etc/bind/bind.keys
. File names are in bold, end of file indicator commented in the appropriate style for that file (ie, ; in a zone file)
named.conf:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
//end named.conf
named.conf.default-zones:
// prime the server with knowledge of the root servers
zone "."
type hint;
file "/etc/bind/db.root";
;
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost"
type master;
file "/etc/bind/db.local";
;
zone "127.in-addr.arpa"
type master;
file "/etc/bind/db.127";
;
zone "0.in-addr.arpa"
type master;
file "/etc/bind/db.0";
;
zone "255.in-addr.arpa"
type master;
file "/etc/bind/db.255";
;
//end named.conf.default-zones
named.conf.local:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "fake.tld"
type master;
notify no;
file "/etc/bind/db.fake.tld";
;
zone "99.99.10.in-addr.arpa"
type master;
notify no;
file "/etc/bind/db.10.99.99";
;
//end named.conf.local
named.conf.options:
options
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders
8.8.8.8;
;
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 any; ;
;
//end named.conf.options
db.0:
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
;end db.0
db.10.99.99:
$TTL 3D ; default ttl for records without a specified lifetime
$ORIGIN 99.99.10.in-addr.arpa.
@ IN SOA ns.fake.tld. root.fake.tld. (
2017012811 ; serial number
1638 ; ns refresh
204 ; ns retry
10485 ; authority expiry
256 ); min (RFC2308 §4)
; we dont use a hostname when we tell about our nameserver(s)
IN NS ns.fake.tld.
; hostname in this case is the last quad of the IP address
1 IN PTR gw.fake.tld.
2 IN PTR ns.fake.tld.
3 IN PTR dhcp.fake.tld.
10 IN PTR fileserver.fake.tld.
;end db.10.99.99
db.127:
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
1.0.0 IN PTR localhost.
;end db.127
db.255:
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
;end db.255
db.empty:
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
;end db.empty
db.fake.tld:
$TTL 604800
@ IN SOA ns.fake.tld. root.fake.tld. (
2017062019 ; Serial
; YYYYMMDDVV
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.fake.tld.
@ IN A 10.99.99.2
gw IN A 10.99.99.1
ns IN A 10.99.99.2
dhcp IN A 10.99.99.3
fileserver IN A 10.99.99.10
gitlab IN A 10.99.99.7
;end db.fake.tld
db.local:
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1
;end db.local
db.root:
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Jan 3, 2013
; related version of root zone: 2013010300
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
; End of File
;end db.root
zones.rfc1918:
zone "10.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "16.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "17.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "18.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "19.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "20.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "21.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "22.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "23.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "24.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "25.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "26.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "27.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "28.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "29.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "30.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "31.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "168.192.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
// end zones.rfc1918
add a comment |
Here's the contents of my /etc/bind
on Debian with a config working the way you say you want - authoritative for a fake domain/tld (called fake.tld) on the local LAN using non-routable addresses (10.99.99.0/24 in my case) with reverse DNS for LAN addresses, and other lookups for "real" DNS sent out to the world (in this case, forwarded to google's 8.8.8.8). The only files not represented here are the /etc/bind/rndc.key
and /etc/bind/bind.keys
. File names are in bold, end of file indicator commented in the appropriate style for that file (ie, ; in a zone file)
named.conf:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
//end named.conf
named.conf.default-zones:
// prime the server with knowledge of the root servers
zone "."
type hint;
file "/etc/bind/db.root";
;
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost"
type master;
file "/etc/bind/db.local";
;
zone "127.in-addr.arpa"
type master;
file "/etc/bind/db.127";
;
zone "0.in-addr.arpa"
type master;
file "/etc/bind/db.0";
;
zone "255.in-addr.arpa"
type master;
file "/etc/bind/db.255";
;
//end named.conf.default-zones
named.conf.local:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "fake.tld"
type master;
notify no;
file "/etc/bind/db.fake.tld";
;
zone "99.99.10.in-addr.arpa"
type master;
notify no;
file "/etc/bind/db.10.99.99";
;
//end named.conf.local
named.conf.options:
options
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders
8.8.8.8;
;
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 any; ;
;
//end named.conf.options
db.0:
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
;end db.0
db.10.99.99:
$TTL 3D ; default ttl for records without a specified lifetime
$ORIGIN 99.99.10.in-addr.arpa.
@ IN SOA ns.fake.tld. root.fake.tld. (
2017012811 ; serial number
1638 ; ns refresh
204 ; ns retry
10485 ; authority expiry
256 ); min (RFC2308 §4)
; we dont use a hostname when we tell about our nameserver(s)
IN NS ns.fake.tld.
; hostname in this case is the last quad of the IP address
1 IN PTR gw.fake.tld.
2 IN PTR ns.fake.tld.
3 IN PTR dhcp.fake.tld.
10 IN PTR fileserver.fake.tld.
;end db.10.99.99
db.127:
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
1.0.0 IN PTR localhost.
;end db.127
db.255:
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
;end db.255
db.empty:
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS localhost.
;end db.empty
db.fake.tld:
$TTL 604800
@ IN SOA ns.fake.tld. root.fake.tld. (
2017062019 ; Serial
; YYYYMMDDVV
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.fake.tld.
@ IN A 10.99.99.2
gw IN A 10.99.99.1
ns IN A 10.99.99.2
dhcp IN A 10.99.99.3
fileserver IN A 10.99.99.10
gitlab IN A 10.99.99.7
;end db.fake.tld
db.local:
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1
;end db.local
db.root:
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Jan 3, 2013
; related version of root zone: 2013010300
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; FORMERLY C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D
;
; FORMERLY NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53
;
; OPERATED BY VERISIGN, INC.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
;
; OPERATED BY ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
;
; OPERATED BY WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
; End of File
;end db.root
zones.rfc1918:
zone "10.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "16.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "17.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "18.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "19.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "20.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "21.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "22.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "23.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "24.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "25.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "26.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "27.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "28.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "29.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "30.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "31.172.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
zone "168.192.in-addr.arpa" type master; file "/etc/bind/db.empty"; ;
// end zones.rfc1918
answered Jun 24 '17 at 18:26
ivanivan
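One check worth running against a setup like the one in ivanivan's answer is forward/reverse consistency: in the posted zones, gitlab has an A record (10.99.99.7) in db.fake.tld but no PTR in db.10.99.99, which is the kind of drift that shows up later as unexplained hostnames in logs or failed reverse lookups from services that validate them. The script below is an added example, not code from the answer or from BIND: it parses a forward zone and its in-addr.arpa reverse zone with awk and reports A records with no PTR and PTRs whose target has no matching A record. The zone texts are constructed copies of the answer's db.fake.tld and db.10.99.99; the "oldbox" PTR is a constructed extra added to show a stale reverse entry.

```shell
#!/bin/sh
# Added example (not from the original answer): cross-check a BIND forward zone
# against its reverse zone. Every A record should have a PTR for its address,
# and every PTR should point at a name that really has that address.
# Sample zone data is a constructed copy of the answer's db.fake.tld and
# db.10.99.99; the "oldbox" PTR is a constructed stale entry with no A record.

FORWARD_ORIGIN="fake.tld."
FORWARD_ZONE='$TTL 604800
@ IN SOA ns.fake.tld. root.fake.tld. (
    2017062019 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    604800 ) ; Negative Cache TTL
@ IN NS ns.fake.tld.
@ IN A 10.99.99.2
gw IN A 10.99.99.1
ns IN A 10.99.99.2
dhcp IN A 10.99.99.3
fileserver IN A 10.99.99.10
gitlab IN A 10.99.99.7'

REVERSE_ORIGIN="99.99.10.in-addr.arpa."
REVERSE_ZONE='$TTL 3D
$ORIGIN 99.99.10.in-addr.arpa.
@ IN SOA ns.fake.tld. root.fake.tld. (
    2017012811 ; serial number
    1638 ; ns refresh
    204 ; ns retry
    10485 ; authority expiry
    256 ) ; min
 IN NS ns.fake.tld.
1 IN PTR gw.fake.tld.
2 IN PTR ns.fake.tld.
3 IN PTR dhcp.fake.tld.
10 IN PTR fileserver.fake.tld.
9 IN PTR oldbox.fake.tld. ; constructed stale entry, no A record'

# a_records ZONE ORIGIN: print "fqdn address" for each "owner IN A address" line,
# expanding "@" and relative owner names against ORIGIN.
a_records() {
  printf '%s\n' "$1" | awk -v origin="$2" '
    /^[ \t]*(;|$)/ { next }                    # skip comments and blank lines
    $2 == "IN" && $3 == "A" {
      name = $1
      if (name == "@") name = origin
      else if (name !~ /\.$/) name = name "." origin
      print name, $4
    }'
}

# ptr_records ZONE ORIGIN: print "target address" for each PTR, rebuilding the
# dotted-quad address from the reversed in-addr.arpa owner name.
ptr_records() {
  printf '%s\n' "$1" | awk -v origin="$2" '
    function rev_to_ip(name,    n, p, i, ip) {
      sub(/\.in-addr\.arpa\.$/, "", name)     # "1.99.99.10" from "1.99.99.10.in-addr.arpa."
      n = split(name, p, ".")
      ip = p[n]
      for (i = n - 1; i >= 1; i--) ip = ip "." p[i]
      return ip
    }
    /^[ \t]*(;|$)/ { next }
    $2 == "IN" && $3 == "PTR" {
      name = $1
      if (name == "@") name = origin
      else if (name !~ /\.$/) name = name "." origin
      print $4, rev_to_ip(name)
    }'
}

# missing_ptrs: A records whose address has no PTR at all in the reverse zone.
missing_ptrs() {
  ptrs=$(ptr_records "$REVERSE_ZONE" "$REVERSE_ORIGIN")
  a_records "$FORWARD_ZONE" "$FORWARD_ORIGIN" | while read -r name ip; do
    printf '%s\n' "$ptrs" | awk -v ip="$ip" '$2 == ip { found = 1 } END { exit found ? 0 : 1 }' \
      || printf '%s %s\n' "$name" "$ip"
  done
}

# dangling_ptrs: PTR records whose target name does not carry that address
# in the forward zone (stale or mistyped reverse entries).
dangling_ptrs() {
  fwd=$(a_records "$FORWARD_ZONE" "$FORWARD_ORIGIN")
  ptr_records "$REVERSE_ZONE" "$REVERSE_ORIGIN" | while read -r target ip; do
    printf '%s\n' "$fwd" | awk -v n="$target" -v ip="$ip" '$1 == n && $2 == ip { ok = 1 } END { exit ok ? 0 : 1 }' \
      || printf '%s %s\n' "$target" "$ip"
  done
}

report() {
  echo "A records without a PTR:"; missing_ptrs
  echo "PTR records without a matching A record:"; dangling_ptrs
}

report
```

Run it against real files by replacing the two zone variables with `$(cat /etc/bind/db.fake.tld)` and `$(cat /etc/bind/db.10.99.99)`; on the answer's data it reports gitlab (10.99.99.7) as lacking a PTR. Pair it with BIND's own syntax checks, `named-checkconf /etc/bind/named.conf` and `named-checkzone fake.tld /etc/bind/db.fake.tld`, before every reload. Two further points for a server that is both authoritative and recursive, as the answer's is: the posted `options` block never states `allow-recursion`, so it relies on BIND's default of `localnets; localhost;`; on a corporate LAN it is better to write the permitted client prefix out explicitly (for example `allow-recursion { 10.99.99.0/24; localhost; };`) so the server cannot become an open resolver if it is ever reachable from another network, and the `notify no;` on the two local zones should be joined by `allow-transfer { none; };` unless a secondary really needs zone transfers.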