example of using bind

but switching to unbound shortly since it supports dns over tls/https

diff --git a/bind/db.0.2.10.in-addr.arpa b/bind/db.0.2.10.in-addr.arpa
new file mode 100644 (file)
index 0000000..522be5a
--- /dev/null
+++ b/bind/db.0.2.10.in-addr.arpa
@@ -0,0 +1,23 @@
+; -*- zone -*-
+$TTL 30
+@ IN SOA cmc.b8.nz. postmaster.iankelling.org. (
+       2021030716 ; serial
+        1d 1d 4w 1M ; refresh retry expire minimum
+       )
+@      NS      cmc.b8.nz.
+;; systemd overrides 1 with _gateway, when its the gateway. laaame.
+1      PTR     cmc.b8.nz.
+2      PTR     kd.b8.nz.
+3      PTR     sy.b8.nz.
+4      PTR     wrt2.b8.nz.
+5      PTR     x2.b8.nz.
+6      PTR     x2w.b8.nz.
+7      PTR     syw.b8.nz.
+8      PTR     amy.b8.nz.
+9      PTR     bb8.b8.nz.
+12     PTR     demohost.b8.nz.
+14     PTR     wrt3.b8.nz.
+19     PTR     brother.b8.nz.
+23     PTR     amyw.b8.nz.
+25     PTR     hp.b8.nz.
+;; todo: add transmission

diff --git a/bind/named.conf b/bind/named.conf
new file mode 100644 (file)
index 0000000..91f58fd
--- /dev/null
+++ b/bind/named.conf
@@ -0,0 +1,114 @@
+// This is the primary configuration file for the BIND DNS server named.
+
+// deploy with:
+// named-checkconf named.conf && named-checkzone 0.2.10.in-addr db.0.2.10.in-addr.arpa && scp named.conf db.0.2.10.in-addr.arpa 10.2.0.1:/etc/bind; ssh 10.2.0.1 /etc/init.d/named restart
+
+
+options {
+
+  listen-on { localnets; localhost; };
+  listen-on-v6 { localnets; localhost; };
+       directory "/tmp";
+
+       // If your ISP provided one or more IP addresses for stable
+       // nameservers, you probably want to use them as forwarders.
+       // Uncomment the following block, and insert the addresses replacing
+       // the all-0's placeholder.
+
+
+       auth-nxdomain no;    # conform to RFC1035
+};
+
+#acl trusted { 10.2.0.7; 10.2.0.3; 10.2.0.2; };
+acl "trusted" { 10.2.0.7; };
+view "trusted" {
+  match-clients { "trusted"; };
+  forwarders {
+    1.1.1.1 ;
+    1.0.0.1 ;
+    2606:4700:4700::1111 ;
+    2606:4700:4700::1001 ;
+  };
+  forward only ;
+
+  // prime the server with knowledge of the root servers
+  zone "." {
+          type hint;
+          file "/etc/bind/db.root";
+  };
+
+  // be authoritative for the localhost forward and reverse zones, and for
+  // broadcast zones as per RFC 1912
+
+  zone "localhost" {
+          type master;
+          file "/etc/bind/db.local";
+  };
+
+  zone "127.in-addr.arpa" {
+          type master;
+          file "/etc/bind/db.127";
+  };
+
+  zone "0.in-addr.arpa" {
+          type master;
+          file "/etc/bind/db.0";
+  };
+
+  zone "255.in-addr.arpa" {
+          type master;
+          file "/etc/bind/db.255";
+  };
+
+  zone "0.2.10.in-addr.arpa" {
+    type master;
+    file "/etc/bind/db.0.2.10.in-addr.arpa";
+  };
+};
+
+
+acl "guest" { localnets;  localhost; };
+view "guest" {
+  match-clients { "guest"; };
+
+  forwarders {
+    1.1.1.3 ;
+    1.0.0.3 ;
+    2606:4700:4700::1113 ;
+    2606:4700:4700::1003 ;
+  };
+  forward only ;
+  // prime the server with knowledge of the root servers
+  zone "." {
+          type hint;
+          file "/etc/bind/db.root";
+  };
+
+  // be authoritative for the localhost forward and reverse zones, and for
+  // broadcast zones as per RFC 1912
+
+  zone "localhost" {
+          type master;
+          file "/etc/bind/db.local";
+  };
+
+  zone "127.in-addr.arpa" {
+          type master;
+          file "/etc/bind/db.127";
+  };
+
+  zone "0.in-addr.arpa" {
+          type master;
+          file "/etc/bind/db.0";
+  };
+
+  zone "255.in-addr.arpa" {
+          type master;
+          file "/etc/bind/db.255";
+  };
+
+  zone "0.2.10.in-addr.arpa" {
+    type master;
+    file "/etc/bind/db.0.2.10.in-addr.arpa";
+  };
+};

diff --git a/bind/named.conf.upstream b/bind/named.conf.upstream
new file mode 100644 (file)
index 0000000..ca52cb8
--- /dev/null
+++ b/bind/named.conf.upstream
@@ -0,0 +1,45 @@
+// This is the primary configuration file for the BIND DNS server named.
+
+options {
+       directory "/tmp";
+
+       // If your ISP provided one or more IP addresses for stable
+       // nameservers, you probably want to use them as forwarders.
+       // Uncomment the following block, and insert the addresses replacing
+       // the all-0's placeholder.
+
+       // forwarders {
+       //      0.0.0.0;
+       // };
+
+       auth-nxdomain no;    # conform to RFC1035
+};
+
+// prime the server with knowledge of the root servers
+zone "." {
+       type hint;
+       file "/etc/bind/db.root";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+       type master;
+       file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+       type master;
+       file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+       type master;
+       file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+       type master;
+       file "/etc/bind/db.255";
+};

diff --git a/wrt-setup-local b/wrt-setup-local
index 4dbdc0456085a099a7f2cbcce38520c356811a05..1f0a2d547cf90223d71b5646a688ed6e329809e3 100755 (executable)
--- a/wrt-setup-local
+++ b/wrt-setup-local
@@ -748,7 +748,13 @@ uset dhcp.@dnsmasq[0].local
 # if you delete it, it goes back to the default. this seems
 # to be a decent workaround.
 # todo: setup /etc/resolv.conf to point to 127.0.0.1
 # if you delete it, it goes back to the default. this seems
 # to be a decent workaround.
 # todo: setup /etc/resolv.conf to point to 127.0.0.1

-uset dhcp.@dnsmasq[0].resolvfile=/dev/null
+uset dhcp.@dnsmasq[0].resolvfile /dev/null
+
+# by default it will send out ipv6 dns, like this
+# NetworkManager[953]: <info>  [1614982580.5192] dhcp6 (wlan0): option dhcp6_name_servers   => 'fd58:5801:8e02::1'
+# but i dont want ipv6 dns, just keep it simple to ipv4.
+uset dhcp.@odhcpd[0].dns 10.2.0.1
+

 
 # disabled for now. i want to selectively enable it
 # for specific hosts.
 
 # disabled for now. i want to selectively enable it
 # for specific hosts.


@@ -770,22 +776,10 @@ EOF
 # to start.
 mkdir -p /mnt/usb/tftpboot
 v cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
 # to start.
 mkdir -p /mnt/usb/tftpboot
 v cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true

+# no dns
+port=0

 server=/b8.nz/#
 ptr-record=1.0.2.10.in-addr.arpa.,cmc.b8.nz
 server=/b8.nz/#
 ptr-record=1.0.2.10.in-addr.arpa.,cmc.b8.nz

-ptr-record=2.0.2.10.in-addr.arpa.,kd.b8.nz
-ptr-record=3.0.2.10.in-addr.arpa.,sy.b8.nz
-ptr-record=4.0.2.10.in-addr.arpa.,wrt2.b8.nz
-ptr-record=5.0.2.10.in-addr.arpa.,x2.b8.nz
-ptr-record=6.0.2.10.in-addr.arpa.,xw2.b8.nz
-ptr-record=7.0.2.10.in-addr.arpa.,syw.b8.nz
-ptr-record=8.0.2.10.in-addr.arpa.,amy.b8.nz
-ptr-record=9.0.2.10.in-addr.arpa.,bb8.b8.nz
-ptr-record=12.0.2.10.in-addr.arpa.,demohost.b8.nz
-ptr-record=14.0.2.10.in-addr.arpa.,wrt3.b8.nz
-ptr-record=19.0.2.10.in-addr.arpa.,brother.b8.nz
-ptr-record=23.0.2.10.in-addr.arpa.,amyw.b8.nz
-ptr-record=25.0.2.10.in-addr.arpa.,hp.b8.nz
-ptr-record=.0.2.10.in-addr.arpa.,transmission.b8.nz

 
 # https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
 stop-dns-rebind
 
 # https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
 stop-dns-rebind