Recently, the admin of the current server that has been hosting my blog gave me the option to upgrade my current server configuration, but I needed to spend some cash, and get my own domain name (done). I decided to go the godaddy.com route to purchase a domain name.
Well, with purchasing my domain, and getting my virtual Linux server, comes setting up DNS. I have no prior experience setting up DNS using BIND so (insert thread). The admin of the virtual server, who also admins the equipment on which the virtual server resides, recommended setting up BIND on the virtual server to use his DNS servers, and keeping the version of BIND running on my virtual server protected by having BIND run in "stealth mode".
In the order of simplicity I am going to establish the following values in the spirit of KISS:
Distribution: Red Hat (Scientific Linux 6.0 Carbon)
Domain name: mysite.com
Static WAN IP: 1.2.3.4
Static WAN IP (netmask): 255.255.255.255 or /32
Question 1
How would I configure the named.conf file to be set up in "stealth mode" so that I am using the local copy of BIND on the virtual server to point to a master DNS server?

Question 1.1
What would a sample named.conf look like for using BIND in stealth?

Question 1.2
What would a sample mysite.zone file look like for a stealth setup?

Question 2
What would a sample named.conf file look like for an authoritative server?

Question 2.1
What would a sample mysite.zone file look like for an authoritative server?
Here are snippets for my current named.conf and mysite.zone:
named.conf
Code:
##########################################################################
# File: /etc/named.conf
##########################################################################
# BIND configuration file
##########################################################################
# maintained by: me
##########################################################################
# Examples: /usr/share/doc/bind*/sample/ for example configuration files
##########################################################################
# CHANGELOG:
# 1. change1
##########################################################################

// Only one "options" statement is allowed in this configuration file.
options
{
    directory "/var/named"; // default directory

    // SECURITY - version statement - inhibited
    // avoids hacking any known weaknesses
    version "not currently available";

    // Additions added from Red Hat config - named.conf
    // listen-on-v6 port 53 { ::1; };
    listen-on port 53 { 127.0.0.1; };
    listen-on port 53 { any; };

    // specify dump file
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    // Additions added from Red Hat config - named.conf
    // NOTE: this is inherited by every view below unless the view sets its own allow-query
    allow-query { localhost; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    // Path to ISC DLV key
    bindkeys-file "/etc/named.iscdlv.key";
};

// Logging for DNS and BIND
logging
{
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

// INTERNAL - provide recursive queries and caching for goodguys
view "goodguys" {
    match-clients { 127.0.0.1; }; // local network
    recursion yes;

    // ZONE - allows the name server
    // ZONE - to talk to the 13 authoritative name servers
    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";

    // ZONE - mysite.com
    zone "mysite.com" {
        type master;
        // private zone file including local hosts
        file "zones/internal/master.mysite.com.internal";
    };

    // ZONE - required local host domain - commented out to get working - already exists
    //zone "localhost" in {
    //    type master;
    //    file "zones/internal/master.localhost";
    //    allow-update { none; };
    //};

    // ZONE - required reverse map
    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "zones/internal/localhost.rev";
        allow-update { none; };
    };
}; // INTERNAL - endview

// EXTERNAL - provides view for badguys
view "external" { // What the Internet will see
    // This view will contain zones you want to serve only to "external"
    // clients that have addresses that are not on your directly attached
    // LAN interface subnets:
    match-clients { any; };
    match-destinations { any; };

    // the global options only allow queries from localhost; without this
    // override the Internet gets REFUSED for the zones below
    allow-query { any; };

    // you'd probably want to deny recursion to external clients, so you don't
    // end up providing free DNS service to all takers
    recursion no;

    // These are your "authoritative" external zones, and would probably
    // contain entries for just your web and mail servers:
    // the class "in" stands for Internet
    zone "3.2.1.in-addr.arpa" {
        type master;
        file "zones/external/3.2.1.in-addr.arpa.zone";
    };

    zone "mysite.com" {
        type master;
        file "zones/external/mysite.com.zone";
        allow-update { none; };
    };
// EXTERNAL - endview
};
mysite.zone
Code:
; File: /var/named/zones/external/mysite.com.zone
;
; Zone file for mysite.com
;
; The full Forward zone file
;
$TTL 86400
@       IN  SOA ns1.mysite.com. admin.mysite.com. (
                200110507   ; serial#
                3600        ; refresh, seconds
                3600        ; retry, seconds
                3600        ; expire, seconds (very short: secondaries stop serving the zone
                            ;   once this elapses without a successful refresh)
                3600        ; minimum, seconds
                )
; NS targets must end with a dot; without it BIND appends the origin and
; the record becomes ns1.mysite.com.mysite.com.
        IN  NS  ns1.mysite.com.
        IN  NS  ns2.mysite.com.
; ns1 and ns2 sit inside this zone, so they also need A (glue) records here (not yet added)
www     IN  A   1.2.3.4
Any and all suggestions and examples are greatly appreciated.
cheers
-C
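An added sample of the hidden-master ("stealth") arrangement the admin described, covering Question 1 (the master on the virtual server) and Question 2 (the public authoritative servers). This is not configuration from the post or from the admin's servers; it assumes the admin's public servers ns1.mysite.com and ns2.mysite.com sit at the placeholder addresses 198.51.100.10 and 198.51.100.11, reuses the zone file path from the post, and targets the BIND 9.7-era syntax shipped with Scientific Linux 6. The two banners mark two separate /etc/named.conf files; they are shown together only for comparison.

```conf
// ===== /etc/named.conf on the hidden ("stealth") master, the virtual server at 1.2.3.4 =====
// Added example; 198.51.100.10/.11 are placeholder addresses for ns1/ns2.

acl "secondaries" { 198.51.100.10; 198.51.100.11; };

options {
    directory "/var/named";
    version "not currently available";
    listen-on port 53 { 127.0.0.1; 1.2.3.4; };

    // Only this host and the two secondaries may query at all, and only this
    // host gets recursion. The master is never named in an NS record, so the
    // Internet has no reason to find it and no permission to ask it anything.
    allow-query     { localhost; secondaries; };
    allow-recursion { localhost; };
    recursion yes;                    // still a resolver for local processes
    allow-transfer  { none; };        // re-opened per zone below

    // Push zone changes to the secondaries only; "explicit" means BIND
    // notifies exactly the also-notify list instead of every NS in the zone.
    notify explicit;
    also-notify { 198.51.100.10; 198.51.100.11; };
};

zone "." IN {
    type hint;
    file "named.ca";                  // needed because recursion is on for localhost
};

zone "mysite.com" IN {
    type master;
    file "zones/external/mysite.com.zone";
    allow-transfer { secondaries; };  // zone data leaves this box only via AXFR/IXFR to ns1/ns2
    allow-update   { none; };
};

// ===== /etc/named.conf on each public secondary (ns1 and ns2, run by the admin) =====
// This is the authoritative server the world talks to: it pulls the zone from
// the hidden master, answers everyone, recurses for no one, and hands out no copies.

options {
    directory "/var/named";
    version "not currently available";
    listen-on port 53 { any; };
    recursion no;
    allow-query    { any; };
    allow-transfer { none; };
};

zone "mysite.com" IN {
    type slave;
    file "slaves/mysite.com.zone";    // BIND writes the transferred copy here
    masters { 1.2.3.4; };
    allow-notify   { 1.2.3.4; };      // accept NOTIFY only from the hidden master
    allow-transfer { none; };
};
```

With this split, the zone file on the master lists only ns1.mysite.com. and ns2.mysite.com. as NS records and uses ns1 as the SOA MNAME, so nothing in the published data points at 1.2.3.4's name server; the master's address appears only in the secondaries' private `masters` list and in the firewall rule that lets those two addresses reach port 53. After editing, `named-checkconf /etc/named.conf` and `named-checkzone mysite.com /var/named/zones/external/mysite.com.zone` catch syntax slips before a reload, and a transfer can be confirmed from a secondary with `dig @1.2.3.4 mysite.com AXFR` (which should be REFUSED from any other address).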