• local DNS server?

    From Bit Twister@21:1/5 to All on Sun Dec 18 07:41:18 2022
    I have an unregistered domain home.test.

    Anything special I should add/remove to /etc/named.conf so my DNS server
    does not send any of my local records upstream?

/var/named/named.ca has all the a through m root servers.

    Do I need to add forwarders?

    Here are the changes between the original /etc/named.conf and changes
    I have made for
    $ named -v
    BIND 9.18.9 (Stable Release) <id:>


    $ dif /var/local/vorig/etc/named.conf_vinstall /etc/named.conf
    0a1
    // Changed by /local/bin/named_changes Sun Dec 18 07:37:56 AM CST 2022
    12c13
    < listen-on-v6 port 53 { ::1; };
    ---
    // listen-on-v6 port 53 { ::1; };
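Review bot: commenting out `listen-on-v6 port 53 { ::1; };` in this hunk removes the only explicit IPv6 bind, so which v6 sockets named opens is now whatever BIND's default gives rather than loopback only; after the restart, check the actual listeners with `ss -ulnp | grep named`, and make sure an allow-query ACL, not just the bind address, is what keeps outside clients from querying the server.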
    33c34,44
    < dnssec-validation yes;
    ---
    /* Enable serving of DNSSEC related data - enable on both authoritative
    and recursive servers DNSSEC aware servers */

    forwarders {
    208.67.222.222;
    8.8.8.8;
    };

    // dnssec-enable no;
    /* Enable DNSSEC validation on recursive servers */
    dnssec-validation no;
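Review bot: this hunk turns `dnssec-validation yes` into `dnssec-validation no`, so every answer the forwarders (208.67.222.222, 8.8.8.8) return is accepted unverified; the stated goal of keeping local records local does not require validation to be off, and `dnssec-validation auto;` (BIND's built-in root trust anchor, no key file to maintain) is the safer setting. Two smaller points: the forwarders block is optional since named.ca already supplies root hints, and without `forward only;` BIND uses forward-first semantics and still recurses on its own when the forwarders fail; the commented-out `dnssec-enable` line is harmless, as that option is obsolete in this release.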
    58d68
    < include "/etc/named.root.key";
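Review bot: dropping `include "/etc/named.root.key";` is consistent only with validation being off; if validation is turned back on as `dnssec-validation yes`, a trust anchor must be configured explicitly and this include is presumably where the distribution's root key lives, whereas `dnssec-validation auto` uses BIND's compiled-in root key and does not need the file.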


    snipped my zone/arpa directives.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jim Jackson@21:1/5 to Bit Twister on Sun Dec 18 15:15:51 2022
    On 2022-12-18, Bit Twister <BitTwister@mouse-potato.com> wrote:
    I have an unregistered domain home.test.

    Anything special I should add/remove to /etc/named.conf so my DNS server
    does not send any of my local records upstream?

    It would only do that if an "outside" DNS client queried your server
    and asked for it. I run a local domain, and put this in my named.conf

    acl our_nets { 127.0.0.0/8; 192.168.0.0/24; }

    and further down ...

    allow-recursion { our_nets; };

    allow-query { our_nets; };

    allow-transfer { our_nets; };



/var/named/named.ca has all the a through m root servers.

    Do I need to add forwarders?

    Here are the changes between the original /etc/named.conf and changes
    I have made for
    $ named -v
    BIND 9.18.9 (Stable Release) <id:>


    $ dif /var/local/vorig/etc/named.conf_vinstall /etc/named.conf
    0a1
    // Changed by /local/bin/named_changes Sun Dec 18 07:37:56 AM CST 2022
    12c13
    < listen-on-v6 port 53 { ::1; };
    ---
    // listen-on-v6 port 53 { ::1; };
    33c34,44
    < dnssec-validation yes;
    ---
    /* Enable serving of DNSSEC related data - enable on both authoritative
    and recursive servers DNSSEC aware servers */

    forwarders {
    208.67.222.222;
    8.8.8.8;
    };

    // dnssec-enable no;
    /* Enable DNSSEC validation on recursive servers */
    dnssec-validation no;
    58d68
    < include "/etc/named.root.key";


    snipped my zone/arpa directives.


  • From Marco Moock@21:1/5 to All on Sun Dec 18 16:57:29 2022
On 18.12.2022 at 07:41:18 Bit Twister wrote:

    I have an unregistered domain home.test.

    Don't use that. Use mydomain.home.arpa instead because home.arpa. is
    reserved for exactly that purpose and maybe .test will be a gTLD in
    future.

  • From Marco Moock@21:1/5 to All on Sun Dec 18 16:56:26 2022
On 18.12.2022 at 15:15:51 Jim Jackson wrote:

    acl our_nets { 127.0.0.0/8; 192.168.0.0/24; }

    and further down ...

    allow-recursion { our_nets; };

    allow-query { our_nets; };

    allow-transfer { our_nets; };

    You need to add ::1, fe80::/10, fd00::/8 and your GUA address.

    You can only restrict the recursion to your net if you are not
    authoritative for public domains.

  • From Bit Twister@21:1/5 to Jim Jackson on Sun Dec 18 17:03:14 2022
    On Sun, 18 Dec 2022 15:15:51 -0000 (UTC), Jim Jackson wrote:
    On 2022-12-18, Bit Twister <BitTwister@mouse-potato.com> wrote:
    I have an unregistered domain home.test.

    Anything special I should add/remove to /etc/named.conf so my DNS server
    does not send any of my local records upstream?

    It would only do that if an "outside" DNS client queried your server
    and asked for it. I run a local domain, and put this in my named.conf

    acl our_nets { 127.0.0.0/8; 192.168.0.0/24; }

    Should there be a semicolon after that line?

    and further down ...

    allow-recursion { our_nets; };

    allow-query { our_nets; };

    allow-transfer { our_nets; };

    Just not winning:

    After these changes
    /* allow-query { localhost; }; */

    acl test { 127.0.0.0/8; 192.168.0.0/24; };

    allow-recursion { test; };

    allow-query { test; };

    allow-transfer { test; };

    and systemctl restart named I get

    Dec 18 16:57:12 wb.home.test systemd[1]: Starting named.service...
    Dec 18 16:57:12 wb.home.test : /etc/named.conf:22: unknown option 'acl'

    Do I need to add forwarders?



    Here are the changes between the original /etc/named.conf and changes
    I have made for
    $ named -v
    BIND 9.18.9 (Stable Release) <id:>


    $ dif /var/local/vorig/etc/named.conf_vinstall /etc/named.conf
    0a1
    // Changed by /local/bin/named_changes Sun Dec 18 07:37:56 AM CST 2022
    12c13
    < listen-on-v6 port 53 { ::1; };
    ---
    // listen-on-v6 port 53 { ::1; };
    33c34,44
    < dnssec-validation yes;
    ---
    /* Enable serving of DNSSEC related data - enable on both authoritative
    and recursive servers DNSSEC aware servers */

    forwarders {
    208.67.222.222;
    8.8.8.8;
    };

    // dnssec-enable no;
    /* Enable DNSSEC validation on recursive servers */
    dnssec-validation no;
    58d68
    < include "/etc/named.root.key";


    snipped my zone/arpa directives.


  • From David W. Hodgins@21:1/5 to Marco Moock on Sun Dec 18 15:04:24 2022
    On Sun, 18 Dec 2022 10:57:29 -0500, Marco Moock <mo01@posteo.de> wrote:

On 18.12.2022 at 07:41:18 Bit Twister wrote:

    I have an unregistered domain home.test.

    Don't use that. Use mydomain.home.arpa instead because home.arpa. is
    reserved for exactly that purpose and maybe .test will be a gTLD in
    future.

Thanks, I hadn't heard about that one. A quick search leads to https://www.rfc-editor.org/rfc/rfc8375
which confirms its purpose.

    Unlike the rfc2606 reserved tlds including .test, .arpa is not rejected by software such as kerberos.

    Regards, Dave Hodgins

  • From Bit Twister@21:1/5 to Marco Moock on Sun Dec 18 16:35:41 2022
    On Sun, 18 Dec 2022 16:57:29 +0100, Marco Moock wrote:
On 18.12.2022 at 07:41:18 Bit Twister wrote:

    I have an unregistered domain home.test.

    Don't use that.

    Thought that is what TLD test was for.

    search for
    four domain names are reserved
    in https://www.rfc-editor.org/rfc/rfc2606.txt


    Use mydomain.home.arpa instead because home.arpa. is
    reserved for exactly that purpose and maybe .test will be a gTLD in
    future.

  • From Bit Twister@21:1/5 to David W. Hodgins on Sun Dec 18 17:44:54 2022
    On Sun, 18 Dec 2022 15:04:24 -0500, David W. Hodgins wrote:
    On Sun, 18 Dec 2022 10:57:29 -0500, Marco Moock <mo01@posteo.de> wrote:

On 18.12.2022 at 07:41:18 Bit Twister wrote:

    I have an unregistered domain home.test.

    Don't use that. Use mydomain.home.arpa instead because home.arpa. is
    reserved for exactly that purpose and maybe .test will be a gTLD in
    future.

Thanks, I hadn't heard about that one. A quick search leads to https://www.rfc-editor.org/rfc/rfc8375
which confirms its purpose.

    Unlike the rfc2606 reserved tlds including .test, .arpa is not rejected by software such as kerberos.


    Frap, guessing it will be another week of work for me to convert from .test to .arpa. :(

  • From Bit Twister@21:1/5 to Jim Jackson on Sun Dec 18 18:23:57 2022
    On Sun, 18 Dec 2022 15:15:51 -0000 (UTC), Jim Jackson wrote:
    On 2022-12-18, Bit Twister <BitTwister@mouse-potato.com> wrote:
    I have an unregistered domain home.test.

    Anything special I should add/remove to /etc/named.conf so my DNS server
    does not send any of my local records upstream?

    It would only do that if an "outside" DNS client queried your server
    and asked for it. I run a local domain, and put this in my named.conf

    acl our_nets { 127.0.0.0/8; 192.168.0.0/24; }

    and further down ...

    allow-recursion { our_nets; };

    allow-query { our_nets; };

    allow-transfer { our_nets; };

    Frap, no matter what I try, it always fails. Does not help whatever I
    research. Latest changes

    # systemctl restart named
    which fails.

    # systemctl status named
    Dec 18 18:16:46 wb.home.test systemd[1]: Starting named.service...
    Dec 18 18:16:46 wb.home.test : /etc/named.conf:28: unknown option 'acl'
    Dec 18 18:16:46 wb.home.test : /etc/named.conf:33: unknown option 'acl'
    Dec 18 18:16:46 wb.home.test: /etc/named.conf:34: unknown option 'options'

    Snippet from
    cat -n /etc/named.conf
    20 /* allow-query { localhost; }; */
    21 /*
    22 https://bind9.readthedocs.io/en/v9_16_4/security.html
    23 */
    24
    25 // Set up an ACL named "bogusnets" that blocks
    26 // RFC1918 space and some reserved space, which is
    27 // commonly used in spoofing attacks.
    28 acl bogusnets {
    29 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
    30 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
    31 };
    32
    33 acl our-nets { 127.0.0.0/8; 192.168.0.0/24; };
    34 options {
    35 allow-recursion { our-nets; };
    36 allow-query { our-nets; };
    37 allow-transfer { our-nets; };
    38 blackhole { bogusnets; };
    39 };

  • From David W. Hodgins@21:1/5 to Bit Twister on Sun Dec 18 19:29:04 2022
    On Sun, 18 Dec 2022 18:03:14 -0500, Bit Twister <BitTwister@mouse-potato.com> wrote:
    Do I need to add forwarders?

All of the changes from what you had before other than the tld are not needed unless you intend to make the name server accessible to the public.

    Using rfc1918 addresses such as 192.168... in bind means the addresses would
    be useless for access from outside of the lan anyway, so it makes no sense
    to offer access to the public.

    The default bind setup in Mageia is set up to restrict access to localhost.

    Change it to allow access from anywhere, but use the firewall to block all incoming port 53 access from outside of the lan.

    Regards, Dave Hodgins

  • From Marco Moock@21:1/5 to All on Mon Dec 19 13:01:58 2022
On 18.12.2022 "David W. Hodgins" <dwhodgins@nomail.afraid.org> wrote:

    Unlike the rfc2606 reserved tlds including .test, .arpa is not
    rejected by software such as kerberos.

    .arpa is legitimate, see the reverse zones in-addr.arpa and ip6.arpa.

  • From Marco Moock@21:1/5 to All on Mon Dec 19 13:32:48 2022
On 18.12.2022 Bit Twister <BitTwister@mouse-potato.com> wrote:

    On Sun, 18 Dec 2022 16:57:29 +0100, Marco Moock wrote:
On 18.12.2022 at 07:41:18 Bit Twister wrote:

    I have an unregistered domain home.test.

    Don't use that.

    Thought that is what TLD test was for.

    I don't think so:
    | ".test" is recommended for use in testing of current or new DNS
    | related code.

    in https://www.rfc-editor.org/rfc/rfc2606.txt

    I recommend home.arpa, this is what you are looking for:

    https://www.rfc-editor.org/rfc/rfc8375

  • From Jim Jackson@21:1/5 to All on Mon Jan 2 20:27:39 2023
Anything special I should add/remove to /etc/named.conf so my DNS server
does not send any of my local records upstream?

    It would only do that if an "outside" DNS client queried your server
    and asked for it. I run a local domain, and put this in my named.conf

    acl our_nets { 127.0.0.0/8; 192.168.0.0/24; }

    and further down ...

    allow-recursion { our_nets; };

    allow-query { our_nets; };

    allow-transfer { our_nets; };

    Frap, no matter what I try, it always fails. Does not help whatever I research. Latest changes

    # systemctl restart named
    which fails.

    # systemctl status named
    Dec 18 18:16:46 wb.home.test systemd[1]: Starting named.service...
    Dec 18 18:16:46 wb.home.test : /etc/named.conf:28: unknown option 'acl'
    Dec 18 18:16:46 wb.home.test : /etc/named.conf:33: unknown option 'acl'
    Dec 18 18:16:46 wb.home.test: /etc/named.conf:34: unknown option 'options'

    have you run named-checkconf to see if there are errors with your
    configuration file?

    Snippet from
    cat -n /etc/named.conf
    20 /* allow-query { localhost; }; */
    21 /*
    22 https://bind9.readthedocs.io/en/v9_16_4/security.html
    23 */
    24
    25 // Set up an ACL named "bogusnets" that blocks
    26 // RFC1918 space and some reserved space, which is
    27 // commonly used in spoofing attacks.
    28 acl bogusnets {
    29 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
    30 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
    31 };
    32
    33 acl our-nets { 127.0.0.0/8; 192.168.0.0/24; };
    34 options {
    35 allow-recursion { our-nets; };
    36 allow-query { our-nets; };
    37 allow-transfer { our-nets; };
    38 blackhole { bogusnets; };
    39 };

  • From Lew Pitcher@21:1/5 to Bit Twister on Mon Jan 2 21:18:21 2023
    On Sun, 18 Dec 2022 18:23:57 -0600, Bit Twister wrote:

    On Sun, 18 Dec 2022 15:15:51 -0000 (UTC), Jim Jackson wrote:
    On 2022-12-18, Bit Twister <BitTwister@mouse-potato.com> wrote:
    I have an unregistered domain home.test.

Anything special I should add/remove to /etc/named.conf so my DNS server
does not send any of my local records upstream?

    It would only do that if an "outside" DNS client queried your server
    and asked for it. I run a local domain, and put this in my named.conf

    acl our_nets { 127.0.0.0/8; 192.168.0.0/24; }

    and further down ...

    allow-recursion { our_nets; };

    allow-query { our_nets; };

    allow-transfer { our_nets; };

    Frap, no matter what I try, it always fails. Does not help whatever I research. Latest changes

    # systemctl restart named
    which fails.

    # systemctl status named
    Dec 18 18:16:46 wb.home.test systemd[1]: Starting named.service...
    Dec 18 18:16:46 wb.home.test : /etc/named.conf:28: unknown option 'acl'
    Dec 18 18:16:46 wb.home.test : /etc/named.conf:33: unknown option 'acl'
    Dec 18 18:16:46 wb.home.test: /etc/named.conf:34: unknown option 'options'

    Gotta say that it doesn't look like you are running ISC BIND 9's named(8),
    as those are all valid named.conf options for ISC BIND 9 named(8).

    Could your named.service be trying to start /some other/ resolver instead?


    Snippet from
    cat -n /etc/named.conf
    20 /* allow-query { localhost; }; */
    21 /*
    22 https://bind9.readthedocs.io/en/v9_16_4/security.html
    23 */
    24
    25 // Set up an ACL named "bogusnets" that blocks
    26 // RFC1918 space and some reserved space, which is
    27 // commonly used in spoofing attacks.
    28 acl bogusnets {
    29 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
    30 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
    31 };
    32
    33 acl our-nets { 127.0.0.0/8; 192.168.0.0/24; };
    34 options {
    35 allow-recursion { our-nets; };
    36 allow-query { our-nets; };
    37 allow-transfer { our-nets; };
    38 blackhole { bogusnets; };
    39 };




    --
    Lew Pitcher
    "In Skills, We Trust"

  • From Bit Twister@21:1/5 to Lew Pitcher on Mon Jan 2 19:06:47 2023
    On Mon, 2 Jan 2023 21:18:21 -0000 (UTC), Lew Pitcher wrote:
    On Sun, 18 Dec 2022 18:23:57 -0600, Bit Twister wrote:


    and further down ...

    allow-recursion { our_nets; };

    allow-query { our_nets; };

    allow-transfer { our_nets; };

    Frap, no matter what I try, it always fails. Does not help whatever I
    research. Latest changes

    # systemctl restart named
    which fails.

    # systemctl status named
    Dec 18 18:16:46 wb.home.test systemd[1]: Starting named.service...
    Dec 18 18:16:46 wb.home.test : /etc/named.conf:28: unknown option 'acl'
    Dec 18 18:16:46 wb.home.test : /etc/named.conf:33: unknown option 'acl'
    Dec 18 18:16:46 wb.home.test: /etc/named.conf:34: unknown option 'options'

    Gotta say that it doesn't look like you are running ISC BIND 9's named(8),
    as those are all valid named.conf options for ISC BIND 9 named(8).

    Could your named.service be trying to start /some other/ resolver instead?


$ systemctl status named
    ● named.service - Berkeley Internet Name Domain (DNS)
    Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; preset: di>
    Drop-In: /etc/systemd/system/named.service.d
    └─xx__named.conf
    Active: active (running) since Mon 2023-01-02 17:49:12 CST; 1h 14min ago
    Process: 3472 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == >
    Process: 3715 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (>

    $ /usr/sbin/named -v
    BIND 9.18.10 (Stable Release) <id:>

    I believe the options were in the wrong place.
    I finally have it running.

    Many thanks to all who replied.

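The failure above (named rejecting `acl` at lines 28 and 33 and `options` at line 34, which the poster later traced to the options being in the wrong place) is a nesting problem: `acl` and `options` are top-level statements, and the snippet's `allow-query { localhost; }` at line 20 shows an `options {` block was already open. The following is an added example, not code from anyone in this thread: a brace-aware pre-check that reproduces that diagnosis on a constructed copy of the nested config, catches the missing `;` after `}` that Bit Twister asked about in Jim Jackson's `acl our_nets { ... }` line, and reports ACL names used in allow-*/blackhole that were never defined at top level. The three configs are constructed samples (not the poster's files); the fixed one extends the ACL with the IPv6 entries Marco Moock listed (::1, fe80::/10, fd00::/8), leaving the site-specific GUA prefix out.

```python
"""Structural pre-check for a BIND named.conf (added example, not from the thread)."""
import re

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
ACL_USING = {"allow-query", "allow-query-cache", "allow-recursion",
             "allow-transfer", "allow-update", "blackhole"}

# Constructed sample: acl and a second options block nested inside an
# already-open options block, the shape named rejected in the thread.
BROKEN_CONF = """\
options {
    directory "/var/named";
    /* allow-query { localhost; }; */
    acl our-nets { 127.0.0.0/8; 192.168.0.0/24; };
    options {
        allow-recursion { our-nets; };
        allow-query { our-nets; };
        allow-transfer { our-nets; };
    };
};
"""

# Constructed sample: acl block without the ';' that must follow '}'.
MISSING_SEMI_CONF = """\
acl our_nets { 127.0.0.0/8; 192.168.0.0/24; }
options { allow-query { our_nets; }; };
"""

# Constructed sample: acl at top level (IPv4 plus the IPv6 entries from the
# thread; a site's own GUA prefix would be added), options referencing it.
FIXED_CONF = """\
acl our-nets { 127.0.0.0/8; 192.168.0.0/24; ::1; fe80::/10; fd00::/8; };
options {
    directory "/var/named";
    allow-recursion { our-nets; };
    allow-query { our-nets; };
    allow-transfer { our-nets; };
};
"""


def strip_comments(text: str) -> str:
    """Drop the comment forms named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)


def check_named_conf(text: str) -> list[str]:
    """Return the list of structural problems found (empty list means clean)."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};]+', strip_comments(text))
    stack: list[str] = []        # head keyword of each enclosing block
    stmt: list[str] = []         # tokens of the statement being read
    defined: set[str] = set()
    referenced: set[str] = set()
    problems: list[str] = []
    need_semicolon = False       # a '}' was just read; ';' must follow

    for tok in tokens:
        if need_semicolon:
            need_semicolon = False
            if tok == ";":
                continue
            problems.append(f"missing ';' after '}}' before {tok!r}")
        if tok == "{":
            head = stmt[0] if stmt else "?"
            where = "/".join(stack) or "top level"
            if head == "acl":
                name = stmt[1].strip('"') if len(stmt) > 1 else "?"
                if stack:
                    problems.append(f"acl {name!r} nested inside {where}; acl must be top level")
                else:
                    defined.add(name)
            elif head == "options" and stack:
                problems.append(f"options block nested inside {where}")
            stack.append(head)
            stmt = []
        elif tok == "}":
            if stack:
                stack.pop()
            else:
                problems.append("unbalanced '}'")
            stmt = []
            need_semicolon = True
        elif tok == ";":
            # Inside allow-*/blackhole, a bare name (not an address) is an ACL reference.
            if stmt and stack and stack[-1] in ACL_USING and stmt[0] != "key":
                for elem in stmt:
                    name = elem.lstrip("!").strip('"')
                    if re.fullmatch(r"[A-Za-z_][\w-]*", name):
                        referenced.add(name)
            stmt = []
        else:
            stmt.append(tok)

    if stack:
        problems.append("unclosed block(s): " + "/".join(stack))
    for name in sorted(referenced - defined - BUILTIN_ACLS):
        problems.append(f"ACL {name!r} used but never defined at top level")
    return problems


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("missing ';'", MISSING_SEMI_CONF),
                        ("fixed", FIXED_CONF)):
        found = check_named_conf(conf)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

This is only a structural screen for the mistakes discussed in the thread; `named-checkconf /etc/named.conf`, which Jim Jackson suggested, remains the authoritative syntax check and should be run before `systemctl restart named`.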
  • From Bit Twister@21:1/5 to Jim Jackson on Mon Jan 2 19:01:47 2023
    On Mon, 2 Jan 2023 20:27:39 -0000 (UTC), Jim Jackson wrote:


    have you run named-checkconf to see if there are errors with your configuration file?

    Have not tried it since I finally configured the zones correctly.
    All is working.

  • From David W. Hodgins@21:1/5 to Lew Pitcher on Mon Jan 2 18:08:09 2023
    On Mon, 02 Jan 2023 16:18:21 -0500, Lew Pitcher <lew.pitcher@digitalfreehold.ca> wrote:
    Gotta say that it doesn't look like you are running ISC BIND 9's named(8),
    as those are all valid named.conf options for ISC BIND 9 named(8).

    This was all corrected previously ... https://groups.google.com/g/comp.os.linux.networking/c/VbXkJmgyxXg/m/2Yrzj5rTBgAJ

    Regards, Dave Hodgins
