I have an unregistered domain home.test.
Anything special I should add/remove to /etc/named.conf so my DNS server
does not send any of my local records upstream?
/var/named/named.ca has all the a through m root servers.
Do I need to add forwarders?
Here are the changes between the original /etc/named.conf and changes
I have made for
$ named -v
BIND 9.18.9 (Stable Release) <id:>
$ dif /var/local/vorig/etc/named.conf_vinstall /etc/named.conf
0a1
// Changed by /local/bin/named_changes Sun Dec 18 07:37:56 AM CST 202212c13
< listen-on-v6 port 53 { ::1; };
---
// listen-on-v6 port 53 { ::1; };33c34,44
< dnssec-validation yes;
---
/* Enable serving of DNSSEC related data - enable on both authoritative58d68
and recursive servers DNSSEC aware servers */
forwarders {
208.67.222.222;
8.8.8.8;
};
// dnssec-enable no;
/* Enable DNSSEC validation on recursive servers */
dnssec-validation no;
< include "/etc/named.root.key";
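Review bot: The `33c34,44` hunk turns `dnssec-validation yes;` into `dnssec-validation no;` and the `58d68` hunk drops `include "/etc/named.root.key";`, which together switch off DNSSEC validation for every answer this resolver hands out, and neither change is needed to keep a private zone private (local records only leave the server if a client is allowed to query it). BIND 9.18 carries its own root trust anchor, so `dnssec-validation auto;` validates without the removed include. The new `forwarders { 208.67.222.222; 8.8.8.8; };` block also has no `forward only;`, so the default `forward first` behaviour still falls back to the root hints in named.ca whenever a forwarder fails to answer.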
snipped my zone/arpa directives.
On 2022-12-18, Bit Twister <BitTwister@mouse-potato.com> wrote:
I have an unregistered domain home.test.
Anything special I should add/remove to /etc/named.conf so my DNS server
does not send any of my local records upstream?
It would only do that if an "outside" DNS client queried your server
and asked for it. I run a local domain, and put this in my named.conf
acl our_nets { 127.0.0.0/8; 192.168.0.0/24; }
and further down ...
allow-recursion { our_nets; };
allow-query { our_nets; };
allow-transfer { our_nets; };
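To see what the `our_nets` ACL in the reply above actually does to a query from outside the LAN, the following Python models BIND's address-match-list evaluation (first matching element decides, a leading `!` negates, a negated match inside a nested ACL counts as no match). It is an added example for this thread, not code from BIND or from any poster; the named.conf fragment, the client addresses and the helper names are constructed for illustration, and `localhost` is approximated as the loopback range.

```python
"""Model of BIND address-match-list evaluation (acl / allow-query / allow-recursion).

Added example, not code from BIND or from any poster: it shows why a client
outside `our_nets` is refused before it can ask for local records.
"""
import ipaddress
import re

# Constructed named.conf fragment modelled on the ACLs quoted in the thread.
NAMED_CONF = """
acl our_nets { 127.0.0.0/8; 192.168.0.0/24; };
// RFC 1918 and other space that should never arrive from the Internet
acl bogusnets {
    0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
    10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
"""

ACL_RE = re.compile(r'acl\s+"?([\w.-]+)"?\s*\{([^}]*)\}\s*;')


def strip_comments(text):
    """Drop /* */, // and # comments so they cannot end up inside an ACL body."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)


def parse_acls(text):
    """Return {acl name: [elements]} for every acl statement in the text.
    Elements keep their optional leading '!' (negation)."""
    acls = {}
    for m in ACL_RE.finditer(strip_comments(text)):
        name, body = m.group(1), m.group(2)
        acls[name] = [e.strip() for e in body.split(';') if e.strip()]
    return acls


def match(addr, elements, acls, depth=0):
    """Evaluate an address match list the way named does: elements are tried
    in order and the first one that matches decides.  Returns True for a
    positive match, False for a negated ('!') match, None when nothing matched.
    A negated match inside a nested ACL counts as no match for the outer list."""
    if depth > 16:
        raise ValueError("acl nesting too deep (reference loop?)")
    ip = ipaddress.ip_address(addr)
    for elem in elements:
        negate = elem.startswith('!')
        target = elem.lstrip('!').strip()
        if target == 'any':
            hit = True
        elif target == 'none':
            hit = False
        elif target == 'localhost':          # approximation: real named uses all local interface addresses
            hit = ip.is_loopback
        elif target in acls:
            hit = match(addr, acls[target], acls, depth + 1) is True
        else:
            # A v6 address never matches a v4 prefix and vice versa.
            hit = ip in ipaddress.ip_network(target, strict=False)
        if hit:
            return not negate
    return None


def allowed(addr, match_list, acls):
    """Access-control reading of the result: only a positive match grants
    access; a negated match or no match at all is refused."""
    return match(addr, match_list, acls) is True


if __name__ == "__main__":
    acls = parse_acls(NAMED_CONF)
    # 203.0.113.5 is documentation space standing in for an Internet client.
    for client in ("127.0.0.1", "192.168.0.10", "203.0.113.5", "10.1.2.3"):
        print(f"{client:>12}: allow-query {{ our_nets; }} -> "
              f"{'allowed' if allowed(client, ['our_nets'], acls) else 'REFUSED'}; "
              f"blackhole {{ bogusnets; }} -> "
              f"{'dropped' if match(client, ['bogusnets'], acls) else 'passes'}")
```

Because `allow-query { our_nets; }` yields no match for an Internet address, named answers REFUSED, so the private records never reach the outside client; the `!bogusnets; any;` ordering used in the test shows why a deny element must precede the broader `any`.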
Am 18.12.2022 um 07:41:18 Uhr schrieb Bit Twister:
I have an unregistered domain home.test.
Don't use that. Use mydomain.home.arpa instead because home.arpa. is
reserved for exactly that purpose and maybe .test will be a gTLD in
future.
On Sun, 18 Dec 2022 10:57:29 -0500, Marco Moock <mo01@posteo.de> wrote:
Am 18.12.2022 um 07:41:18 Uhr schrieb Bit Twister:
I have an unregistered domain home.test.
Don't use that. Use mydomain.home.arpa instead because home.arpa. is
reserved for exactly that purpose and maybe .test will be a gTLD in
future.
Thanks, I hadn't heard about that one. A quick search leads to https://www.rfc-editor.org/rfc/rfc8375
which confirms its purpose.
Unlike the RFC 2606 reserved TLDs including .test, .arpa is not rejected by software such as Kerberos.
On Sun, 18 Dec 2022 16:57:29 +0100, Marco Moock wrote:
Am 18.12.2022 um 07:41:18 Uhr schrieb Bit Twister:
I have an unregistered domain home.test.
Don't use that.
Thought that is what TLD test was for.
in https://www.rfc-editor.org/rfc/rfc2606.txt
On Sun, 18 Dec 2022 15:15:51 -0000 (UTC), Jim Jackson wrote:
On 2022-12-18, Bit Twister <BitTwister@mouse-potato.com> wrote:
I have an unregistered domain home.test.
Anything special I should add/remove to /etc/named.conf so my DNS server
does not send any of my local records upstream?
It would only do that if an "outside" DNS client queried your server
and asked for it. I run a local domain, and put this in my named.conf
acl our_nets { 127.0.0.0/8; 192.168.0.0/24; }
and further down ...
allow-recursion { our_nets; };
allow-query { our_nets; };
allow-transfer { our_nets; };
Frap, no matter what I try, it always fails. Does not help whatever I research. Latest changes
# systemctl restart named
which fails.
# systemctl status named
Dec 18 18:16:46 wb.home.test systemd[1]: Starting named.service...
Dec 18 18:16:46 wb.home.test : /etc/named.conf:28: unknown option 'acl'
Dec 18 18:16:46 wb.home.test : /etc/named.conf:33: unknown option 'acl'
Dec 18 18:16:46 wb.home.test: /etc/named.conf:34: unknown option 'options'
Snippet from
cat -n /etc/named.conf
20 /* allow-query { localhost; }; */
21 /*
22 https://bind9.readthedocs.io/en/v9_16_4/security.html
23 */
24
25 // Set up an ACL named "bogusnets" that blocks
26 // RFC1918 space and some reserved space, which is
27 // commonly used in spoofing attacks.
28 acl bogusnets {
29 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
30 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
31 };
32
33 acl our-nets { 127.0.0.0/8; 192.168.0.0/24; };
34 options {
35 allow-recursion { our-nets; };
36 allow-query { our-nets; };
37 allow-transfer { our-nets; };
38 blackhole { bogusnets; };
39 };
On Sun, 18 Dec 2022 18:23:57 -0600, Bit Twister wrote:
and further down ...
allow-recursion { our_nets; };
allow-query { our_nets; };
allow-transfer { our_nets; };
Frap, no matter what I try, it always fails. Does not help whatever I
research. Latest changes
# systemctl restart named
which fails.
# systemctl status named
Dec 18 18:16:46 wb.home.test systemd[1]: Starting named.service...
Dec 18 18:16:46 wb.home.test : /etc/named.conf:28: unknown option 'acl'
Dec 18 18:16:46 wb.home.test : /etc/named.conf:33: unknown option 'acl'
Dec 18 18:16:46 wb.home.test: /etc/named.conf:34: unknown option 'options'
Gotta say that it doesn't look like you are running ISC BIND 9's named(8),
as those are all valid named.conf options for ISC BIND 9 named(8).
Could your named.service be trying to start /some other/ resolver instead?
Have you run named-checkconf to see if there are errors with your configuration file?
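named prints `unknown option 'X'` when a statement that is only valid at the top level of named.conf, such as `acl` or a second `options`, appears as a direct child of the `options { }` block. The numbered snippet in the failing post is consistent with that: line 20 (`allow-query { localhost; };`) is an options-level directive from the stock file, so the `acl` statements at lines 28 and 33 and the `options` at line 34 sit inside the block opened earlier in the file. As an added example (not code from BIND or from any poster; named-checkconf remains the authoritative check), the Python below reproduces that diagnosis as a structural lint and shows the layout that passes; both config texts, the `broken.conf` name and the function names are constructed for illustration.

```python
"""Structural lint for named.conf: flag top-level statements that ended up
inside the options { } block, which is what makes named print
"unknown option 'acl'" / "unknown option 'options'".

Added example, not code from BIND or from any poster.  named-checkconf(8) is
the real tool; this script only explains one class of its complaints.
"""

# Subset of the statements named accepts only at the top level (or in a view),
# none of which is a valid option inside options { }.
TOP_LEVEL_ONLY = {
    "acl", "options", "zone", "view", "key", "logging", "controls", "server",
    "trust-anchors", "managed-keys", "trusted-keys", "statistics-channels",
    "primaries", "masters",
}

TOKEN_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  "0123456789-_./:*")

# Constructed file mirroring the failing layout: ACLs pasted into the
# options block that the stock named.conf opens near the top.
BROKEN_CONF = """\
options {
        listen-on port 53 { 127.0.0.1; };
        directory "/var/named";
        /* allow-query { localhost; }; */
        acl bogusnets { 0.0.0.0/8; 10.0.0.0/8; };
        acl our-nets { 127.0.0.0/8; 192.168.0.0/24; };
        options {
                allow-query { our-nets; };
                blackhole { bogusnets; };
        };
        recursion yes;
};
"""

# Constructed corrected layout: ACLs before options, one options block, zone after.
FIXED_CONF = """\
acl bogusnets { 0.0.0.0/8; 10.0.0.0/8; };
acl our-nets { 127.0.0.0/8; 192.168.0.0/24; };
options {
        listen-on port 53 { 127.0.0.1; };
        directory "/var/named";
        allow-query { our-nets; };
        allow-recursion { our-nets; };
        allow-transfer { our-nets; };
        blackhole { bogusnets; };
        recursion yes;
};
zone "home.arpa" IN {
        type primary;
        file "home.arpa.zone";  // constructed zone file name
};
"""


def lint(text, path="named.conf"):
    """Walk the file tracking brace depth and the keyword that opened each
    block.  Returns a list of 'path:line: message' strings in named's style."""
    problems = []
    stack = []               # (keyword, line) of every block still open
    keyword = None           # first token of the statement being read
    at_start = True          # next token begins a new statement
    line, i, n = 1, 0, len(text)
    while i < n:
        ch = text[i]
        if ch == "\n":
            line += 1
            i += 1
        elif text.startswith("/*", i):                 # block comment
            end = text.find("*/", i + 2)
            end = n if end < 0 else end + 2
            line += text.count("\n", i, end)
            i = end
        elif ch == "#" or text.startswith("//", i):     # line comment
            end = text.find("\n", i)
            i = n if end < 0 else end
        elif ch == '"':                                 # quoted string, e.g. a file name
            end = text.find('"', i + 1)
            end = n if end < 0 else end + 1
            line += text.count("\n", i, end)
            i = end
        elif ch == "{":
            stack.append((keyword, line))
            at_start = True
            i += 1
        elif ch == "}":
            if stack:
                stack.pop()
            else:
                problems.append(f"{path}:{line}: unexpected '}}'")
            at_start = True
            i += 1
        elif ch == ";":
            at_start = True
            i += 1
        elif ch in TOKEN_CHARS:
            j = i
            while j < n and text[j] in TOKEN_CHARS:
                j += 1
            tok = text[i:j]
            if at_start:
                keyword, at_start = tok, False
                if stack and stack[-1][0] == "options" and tok in TOP_LEVEL_ONLY:
                    problems.append(
                        f"{path}:{line}: unknown option '{tok}' (top-level statement "
                        f"inside the options block opened at line {stack[-1][1]})")
            i = j
        else:                                           # whitespace, '!', etc.
            i += 1
    for kw, ln in reversed(stack):
        problems.append(f"{path}:{line}: missing '}}' for '{kw}' block opened at line {ln}")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # e.g. python3 lint_named_conf.py /etc/named.conf
        with open(sys.argv[1]) as fh:
            problems = lint(fh.read(), sys.argv[1])
    else:
        problems = lint(BROKEN_CONF, "broken.conf")
    print("\n".join(problems) or "no structural problems found")
```

Run without arguments it reports the three lines named complained about (5, 6 and 7 in the constructed file, corresponding to 28, 33 and 34 in the real one) and says which `options {` they are nested in; the check only understands braces, strings and comments, so a clean result still has to be confirmed with `named-checkconf /etc/named.conf` before restarting named.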