Install BIND
2017/06/21
Configure a DNS server that resolves domain names to IP addresses and back. BIND listens on port 53 over both TCP and UDP, so allow both in any firewall in front of the server (TCP is needed for zone transfers and for answers too large for UDP, not only UDP).
[1] Install BIND 9.
|
root@dlp:~# apt -y install bind9 bind9utils dnsutils   # -y skips the confirmation prompt; dnsutils brings dig, handy for testing the server once it is configured
[2] Configure BIND. This example uses the global IP range [172.16.0.80/29], the private network [10.0.0.0/24] and the domain name [srv.world]. Replace these with your own addresses and domain when you write the configuration on your server. (Strictly speaking, 172.16.0.80/29 is itself a private, RFC 1918 range; it only stands in for a public prefix in this example.)
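root@dlp:~# vi /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
# comment out: once any "view" is defined, every zone must live inside a view,
# so the default zones (root hints and the localhost zones on Debian) are
# included from the "internal" view below instead of at top level
# include "/etc/bind/named.conf.default-zones";
# add: split-horizon setup, one file per view (internal = LAN, external = rest)
include "/etc/bind/named.conf.internal-zones";
include "/etc/bind/named.conf.external-zones";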
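root@dlp:~#
vi /etc/bind/named.conf.internal-zones
# create new
# define for internal section: views are matched in file order, so LAN clients
# and localhost land here and never reach the "external" view
view "internal" {
    match-clients {
        localhost;
        10.0.0.0/24;
    };
    # no recursion / allow-transfer / allow-query here, so this view inherits
    # allow-recursion, allow-transfer and allow-query from named.conf.options
    # set zone for internal
    zone "srv.world" {
        type master;
        file "/etc/bind/srv.world.lan";
        # static zone: refuse dynamic updates (RFC 2136); the same line is kept
        # on every zone so nobody can rewrite records over the wire
        allow-update { none; };
    };
    # set reverse zone for internal *note
    zone "0.0.10.in-addr.arpa" {
        type master;
        file "/etc/bind/0.0.10.db";
        allow-update { none; };
    };
    # the view that recurses needs the root hints and localhost zones
    include "/etc/bind/named.conf.default-zones";
};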
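root@dlp:~#
vi /etc/bind/named.conf.external-zones
# create new
# define for external section: everything that did not match "internal"
view "external" {
    match-clients { any; };
    # allow any query: this view is authoritative-only for srv.world, so the
    # global allow-query restriction from named.conf.options is overridden here
    allow-query { any; };
    # prohibit recursion so the server cannot be abused as an open resolver
    recursion no;
    # refuse zone transfers on the Internet side explicitly, independent of
    # whatever allow-transfer named.conf.options grants to the LAN
    allow-transfer { none; };
    # a public authoritative server can still be used for reflection; BIND's
    # rate-limit { } statement is the usual mitigation if that becomes a problem
    # set zone for external
    zone "srv.world" {
        type master;
        file "/etc/bind/srv.world.wan";
        allow-update { none; };
    };
    # set reverse zone for external *note
    zone "80.0.16.172.in-addr.arpa" {
        type master;
        file "/etc/bind/80.0.16.172.db";
        allow-update { none; };
    };
};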
*note: For reverse resolution, write the network address under in-addr.arpa with the octets in reverse order (least-significant octet first):
10.0.0.0/24 → network address 10.0.0.0, range 10.0.0.0 – 10.0.0.255, zone name 0.0.10.in-addr.arpa
172.16.0.80/29 → network address 172.16.0.80, range 172.16.0.80 – 172.16.0.87, zone name 80.0.16.172.in-addr.arpa
Caveat: a prefix smaller than a /24 (such as the /29 above) cannot be delegated as a plain in-addr.arpa zone, because the parent zone is owned by whoever holds the whole /24. Your provider has to delegate it to you by classless delegation (RFC 2317), and the zone name on your server must then match the name the provider chose (for example 80/29.0.16.172.in-addr.arpa or 80-87.0.16.172.in-addr.arpa). Without that delegation the external reverse zone only answers queries sent directly to this server; nothing on the Internet will find it.
[3] Restrict which clients may query this server, pull zone transfers from it, and use it for recursion.
root@dlp:~#
vi /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
# who may query at all (the "external" view overrides this with allow-query { any; })
allow-query { localhost; 10.0.0.0/24; };
# who may pull a full copy of a zone (AXFR): as written every host on the LAN
# can; narrow this to the addresses of your actual secondaries, or { none; }
# if there are none, since a transfer hands out the whole zone at once
allow-transfer { localhost; 10.0.0.0/24; };
# who may use this server as a recursive resolver; keep this to networks you
# control so the server cannot be turned into an open resolver
allow-recursion { localhost; 10.0.0.0/24; };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
# validate DNSSEC-signed answers using the built-in root trust anchor
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
# no IPv6 listener; change to { any; } if this host should answer over IPv6
listen-on-v6 { none; };
};