From 2fad38490e36bd2f0328b82c38448d9675e662e8 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Sun, 7 Mar 2021 23:11:31 -0500
Subject: [PATCH] example of using bind but switching to unbound shortly since it supports dns over tls/https

---
 bind/db.0.2.10.in-addr.arpa |  23 ++++++++
 bind/named.conf             | 114 ++++++++++++++++++++++++++++++++++++
 bind/named.conf.upstream    |  45 ++++++++++++++
 wrt-setup-local             |  24 +++-----
 4 files changed, 191 insertions(+), 15 deletions(-)
 create mode 100644 bind/db.0.2.10.in-addr.arpa
 create mode 100644 bind/named.conf
 create mode 100644 bind/named.conf.upstream

diff --git a/bind/db.0.2.10.in-addr.arpa b/bind/db.0.2.10.in-addr.arpa
new file mode 100644
index 0000000..522be5a
--- /dev/null
+++ b/bind/db.0.2.10.in-addr.arpa
@@ -0,0 +1,23 @@
+; -*- zone -*-
+$TTL 30
+@ IN SOA cmc.b8.nz. postmaster.iankelling.org. (
+    2021030716 ; serial
+    1d 1d 4w 1M ; refresh retry expire minimum
+    )
+@ NS cmc.b8.nz.
+;; systemd overrides 1 with _gateway, when its the gateway. laaame.
+1 PTR cmc.b8.nz.
+2 PTR kd.b8.nz.
+3 PTR sy.b8.nz.
+4 PTR wrt2.b8.nz.
+5 PTR x2.b8.nz.
+6 PTR x2w.b8.nz.
+7 PTR syw.b8.nz.
+8 PTR amy.b8.nz.
+9 PTR bb8.b8.nz.
+12 PTR demohost.b8.nz.
+14 PTR wrt3.b8.nz.
+19 PTR brother.b8.nz.
+23 PTR amyw.b8.nz.
+25 PTR hp.b8.nz.
+;; todo: add transmission
diff --git a/bind/named.conf b/bind/named.conf
new file mode 100644
index 0000000..91f58fd
--- /dev/null
+++ b/bind/named.conf
@@ -0,0 +1,114 @@
+// This is the primary configuration file for the BIND DNS server named.
+
+// deploy with:
+// named-checkconf named.conf && named-checkzone 0.2.10.in-addr db.0.2.10.in-addr.arpa && scp named.conf db.0.2.10.in-addr.arpa 10.2.0.1:/etc/bind; ssh 10.2.0.1 /etc/init.d/named restart
+
+
+options {
+
+  listen-on { localnets; localhost; };
+  listen-on-v6 { localnets; localhost; };
+  directory "/tmp";
+
+  // If your ISP provided one or more IP addresses for stable
+  // nameservers, you probably want to use them as forwarders.
+  // Uncomment the following block, and insert the addresses replacing
+  // the all-0's placeholder.
+
+
+  auth-nxdomain no; # conform to RFC1035
+};
+
+#acl trusted { 10.2.0.7; 10.2.0.3; 10.2.0.2; };
+acl "trusted" { 10.2.0.7; };
+view "trusted" {
+  match-clients { "trusted"; };
+  forwarders {
+    1.1.1.1 ;
+    1.0.0.1 ;
+    2606:4700:4700::1111 ;
+    2606:4700:4700::1001 ;
+  };
+  forward only ;
+
+  // prime the server with knowledge of the root servers
+  zone "." {
+    type hint;
+    file "/etc/bind/db.root";
+  };
+
+  // be authoritative for the localhost forward and reverse zones, and for
+  // broadcast zones as per RFC 1912
+
+  zone "localhost" {
+    type master;
+    file "/etc/bind/db.local";
+  };
+
+  zone "127.in-addr.arpa" {
+    type master;
+    file "/etc/bind/db.127";
+  };
+
+  zone "0.in-addr.arpa" {
+    type master;
+    file "/etc/bind/db.0";
+  };
+
+  zone "255.in-addr.arpa" {
+    type master;
+    file "/etc/bind/db.255";
+  };
+
+  zone "0.2.10.in-addr.arpa" {
+    type master;
+    file "/etc/bind/db.0.2.10.in-addr.arpa";
+  };
+};
+
+
+acl "guest" { localnets; localhost; };
+view "guest" {
+  match-clients { "guest"; };
+
+  forwarders {
+    1.1.1.3 ;
+    1.0.0.3 ;
+    2606:4700:4700::1113 ;
+    2606:4700:4700::1003 ;
+  };
+  forward only ;
+  // prime the server with knowledge of the root servers
+  zone "." {
+    type hint;
+    file "/etc/bind/db.root";
+  };
+
+  // be authoritative for the localhost forward and reverse zones, and for
+  // broadcast zones as per RFC 1912
+
+  zone "localhost" {
+    type master;
+    file "/etc/bind/db.local";
+  };
+
+  zone "127.in-addr.arpa" {
+    type master;
+    file "/etc/bind/db.127";
+  };
+
+  zone "0.in-addr.arpa" {
+    type master;
+    file "/etc/bind/db.0";
+  };
+
+  zone "255.in-addr.arpa" {
+    type master;
+    file "/etc/bind/db.255";
+  };
+
+  zone "0.2.10.in-addr.arpa" {
+    type master;
+    file "/etc/bind/db.0.2.10.in-addr.arpa";
+  };
+};
diff --git a/bind/named.conf.upstream b/bind/named.conf.upstream
new file mode 100644
index 0000000..ca52cb8
--- /dev/null
+++ b/bind/named.conf.upstream
@@ -0,0 +1,45 @@
+// This is the primary configuration file for the BIND DNS server named.
+
+options {
+  directory "/tmp";
+
+  // If your ISP provided one or more IP addresses for stable
+  // nameservers, you probably want to use them as forwarders.
+  // Uncomment the following block, and insert the addresses replacing
+  // the all-0's placeholder.
+
+  // forwarders {
+  //   0.0.0.0;
+  // };
+
+  auth-nxdomain no; # conform to RFC1035
+};
+
+// prime the server with knowledge of the root servers
+zone "." {
+  type hint;
+  file "/etc/bind/db.root";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+  type master;
+  file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+  type master;
+  file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+  type master;
+  file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+  type master;
+  file "/etc/bind/db.255";
+};
diff --git a/wrt-setup-local b/wrt-setup-local
index 4dbdc04..1f0a2d5 100755
--- a/wrt-setup-local
+++ b/wrt-setup-local
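Review bot: The deploy comment at the top of named.conf validates the zone under the wrong origin — `named-checkzone 0.2.10.in-addr db.0.2.10.in-addr.arpa` should name the zone exactly as the two `zone "0.2.10.in-addr.arpa"` blocks do, i.e. `named-checkzone 0.2.10.in-addr.arpa db.0.2.10.in-addr.arpa`, and the `;` before `ssh` restarts named even when the scp failed, where `&&` would stop the deploy. Separately, `directory "/tmp";` in options (apparently carried over from named.conf.upstream) makes a world-writable directory the base for anything named writes relative to it, such as dump and statistics files, so a dedicated directory owned by the named user is the safer choice if the platform permits one. Neither view sets `allow-transfer` on the primary `0.2.10.in-addr.arpa` zone, and depending on the BIND version the default allows AXFR to any client that reaches the listener; `allow-transfer { none; };` in options would state that zone transfers are not intended. As a point of style, the guest view repeats every zone of the trusted view verbatim; BIND 9.10 and later can reference them with `zone "localhost" { in-view "trusted"; };` so the two views cannot drift apart.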
@@ -748,7 +748,13 @@ uset dhcp.@dnsmasq[0].local # if you delete it, it goes back to the default. this seems # to be a decent workaround. # todo: setup /etc/resolv.conf to point to 127.0.0.1 -uset dhcp.@dnsmasq[0].resolvfile=/dev/null +uset dhcp.@dnsmasq[0].resolvfile /dev/null + +# by default it will send out ipv6 dns, like this +# NetworkManager[953]: [1614982580.5192] dhcp6 (wlan0): option dhcp6_name_servers => 'fd58:5801:8e02::1' +# but i dont want ipv6 dns, just keep it simple to ipv4. +uset dhcp.@odhcpd[0].dns 10.2.0.1 + # disabled for now. i want to selectively enable it # for specific hosts. @@ -770,22 +776,10 @@ EOF # to start. mkdir -p /mnt/usb/tftpboot v cedit /etc/dnsmasq.conf <
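Review bot: The added `uset dhcp.@odhcpd[0].dns 10.2.0.1` hands an IPv4 address to odhcpd, which announces name servers over DHCPv6 and router advertisements, but the comment above it only explains what is being avoided, not what this value is expected to produce; whether odhcpd encodes an IPv4 address in the DHCPv6 name-server option or silently drops it is not visible in this hunk and is worth confirming and recording, e.g. `# odhcpd dns: give v6 clients only the v4 resolver (verify odhcpd accepts a v4 address here)`. The `resolvfile` fix on the line above changes `=` to a space, which is presumably the argument form `uset` expects, but the helper is defined outside this hunk. The todo about pointing /etc/resolv.conf at 127.0.0.1 remains open after this change.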