DHCP DNS for a router with 2 ethernet interfaces and 1 wifi interface

Yes, in my case my ISP (Orange) from its box (Orange PPPoE) at the fixed address 192.168.1.254.

My problem is that I don't create a website or webserver or any other web service… I just create a bridge to isolate a network from a compromised network.

I don't want to add any "zone" name to internet DNS servers… I just want to relay DNS requests such as
"google. com"
through the bridge to my ISP router, nothing more…

All the examples I have seen want to add servers somewhere in the network. There is no example of a simple bridge DNS request repeater…

That’s why I need help…

I just told you …

There are simpler methods - such as - pi-hole

but it's not "192.168.1.254". I don't want to bypass my ISP router's parameters.
In fact my ISP DNS servers are:

  • 80.10.246.134
  • 81.253.149.5

but factually I want to use my ISP DNS services… I don't really want to bypass them using the Google ones:

  • 8.8.8.8
  • 8.8.4.4

why use an unknown private company's (lumen. com) DNS (8.8.1.1)?

As I stated - examples

You don't see a problem installing a distro with a DE as a headless system? 😂

What does that even mean? Should he go to the gym? I’m glad manjaro is using some special kernel that can overcome DDoS. Such a simple solution, no idea why businesses are paying for DDoS protection when all they could do is install Manjaro on a NUC.

Goes where? To the basement? Again, I’m glad that you think Manjaro uses some special kernel that can overcome DDoS.

Anyway, you’re saying your TV is attacking you? I think you shouldn’t say that too loudly or someone will call someone…

Not sure what you are saying here, but I'm sure top secret military systems are secured with iptables rules in the filter table.

Sure it does… 😃 Dropping packets in the filter table (where every packet is already connection-tracked) requires 0 CPU power. It's magic.

I tried:

options {
	directory "/var/named";
	pid-file "/run/named/named.pid";

	listen-on-v6 { none; };

	listen-on port 53 { 192.168.1.254; };

	recursion yes;
	forwarders { 192.168.1.254; };
	dnssec-validation auto;
	allow-transfer { none; };
	allow-update { none; };

	version none;
	hostname none;
	server-id none;
};

and

options {
	directory "/var/named";
	pid-file "/run/named/named.pid";

	listen-on-v6 { none; };

	listen-on port 53 { 192.168.1.254; };

	recursion yes;
	forwarders { 8.8.8.8; 8.8.4.4; };
	dnssec-validation auto;
	allow-transfer { none; };
	allow-update { none; };

	version none;
	hostname none;
	server-id none;
};

with a stop and start of the named service
systemctl stop named
systemctl start named
systemctl status named
Doesn't work…
once again, I can access 192.168.1.254 from the green zone
✅ DHCP protocol
✅ TCP/IP protocol
✅ HTTP(S) protocol
✅ Firewall forward, as far as I can see
❌ DNS resolution

If I have to show you my “conf” files, please ask …
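Editor's added example, not a post from the thread and not the original poster's config: the options block as posted next to a corrected one, plus a small lint that flags the two things wrong with the posted block (the listen-on address is the ISP box's, which is not local to the NUC and is also the forwarder; recursion is on with no allow-query). The addresses 192.168.2.254 and 192.168.3.254 for the NUC's green and blue interfaces are assumed from the dhcpd.conf later in the thread, not stated by the poster.

```shell
#!/bin/sh
# Editor's added example (not code from the thread). Assumptions not stated in
# the thread: the NUC holds 192.168.2.254 on the green interface and
# 192.168.3.254 on the wifi (blue) interface; the ISP box is 192.168.1.254.

# The options block as posted. Two problems: listen-on names the ISP box's
# address, which is not local to the NUC, so named cannot bind to it, and that
# same address is the forwarder; and recursion is enabled with no allow-query,
# so if it ever did start it would be an open resolver.
POSTED_OPTIONS='
options {
	listen-on-v6 { none; };
	listen-on port 53 { 192.168.1.254; };
	recursion yes;
	forwarders { 192.168.1.254; };
	dnssec-validation auto;
};'

# Corrected: listen on the NUC's own green/blue addresses plus loopback, answer
# only clients on those two subnets, and forward everything to the ISP box with
# no fallback to the root servers ("forward only"). Caveat: dnssec-validation
# auto only works if the box passes DNSSEC records through (check with
# dig +dnssec); if it does not, every lookup returns SERVFAIL.
FIXED_OPTIONS='
options {
	directory "/var/named";
	pid-file "/run/named/named.pid";
	listen-on-v6 { none; };
	listen-on port 53 { 127.0.0.1; 192.168.2.254; 192.168.3.254; };
	recursion yes;
	allow-query { 127.0.0.1; 192.168.2.0/24; 192.168.3.0/24; };
	allow-recursion { 127.0.0.1; 192.168.2.0/24; 192.168.3.0/24; };
	forward only;
	forwarders { 192.168.1.254; };
	dnssec-validation auto;
	allow-transfer { none; };
	allow-update { none; };
	version none;
	hostname none;
	server-id none;
};'

# Print the address list of one statement ("listen-on", "forwarders",
# "allow-query", ...) from config text on stdin, one entry per line.
addrs_of() {
	awk -v s="$1" '
		$1 == s {
			i = index($0, "{"); j = index($0, "}")
			if (i == 0 || j <= i) next
			n = split(substr($0, i + 1, j - i - 1), a, ";")
			for (k = 1; k <= n; k++) {
				gsub(/^[ \t]+|[ \t]+$/, "", a[k])
				if (a[k] != "") print a[k]
			}
		}'
}

# Lint an options block: return 0 if clean, 1 otherwise, findings on stdout.
check_options() {
	cfg=$1; rc=0
	listen=$(printf '%s\n' "$cfg" | addrs_of listen-on | tr '\n' ' ')
	fwd=$(printf '%s\n' "$cfg" | addrs_of forwarders)
	aq=$(printf '%s\n' "$cfg" | addrs_of allow-query)
	# 1. A forwarder must never be one of our own listen addresses.
	for a in $fwd; do
		case " $listen " in
			*" $a "*) echo "FAIL: $a is both a listen-on and a forwarders address"; rc=1 ;;
		esac
	done
	# 2. Recursion without an allow-query restriction is an open resolver.
	if printf '%s\n' "$cfg" | grep -q 'recursion[[:space:]]*yes'; then
		case "$aq" in
			"")    echo "FAIL: recursion yes with no allow-query (open resolver)"; rc=1 ;;
			*any*) echo "FAIL: recursion yes with allow-query any (open resolver)"; rc=1 ;;
		esac
	fi
	return $rc
}

echo "== options as posted =="; check_options "$POSTED_OPTIONS" || true
echo "== corrected options =="; check_options "$FIXED_OPTIONS" && printf '%s\n' "$FIXED_OPTIONS"
```

After dropping the corrected block into named.conf on the NUC, `named-checkconf` catches syntax errors, and `dig @192.168.2.254 example.com` from a green client shows whether queries are answered and forwarded; `systemctl status named` alone says nothing about why a bind to a non-local address failed. The firewall must also accept UDP and TCP 53 on the green and blue addresses, which the thread's forward rules do not cover.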

Why hostname and server-id none?
I heard version "must" be 4, isn't it?

This is my running config - you cannot use it for anything …

I am constantly experimenting - so I advise you not to copy-paste anything …

$ cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/zones.rfc1918";
$ cat /etc/bind/named.conf.options 
options {
        directory "/etc/bind";

        // For AdBlock
        response-policy {
                zone "rpz.net.nix.dk";
#               zone "urlhaus.zone";
        };

#       allow-query {
#               trusted-network;
#       };

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.

#       forwarders {
#               91.239.100.100;
#               89.233.43.71;
#               81.136.89.6;
#               83.136.89.4;
#       };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation no;
        //auth-nxdomain yes;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

#acl "trusted-network" {
#       172.30.30.0/24;
#       ::1;
#       127.0.0.0/8;
#};
$ cat /etc/bind/named.conf.local
## AdBlock
zone "rpz.net.nix.dk" {
        type master;
        file "/etc/bind/db.rpz.net.nix.dk";
        masterfile-format text;
        allow-query { none; };
};

#zone "urlhaus.zone" {
#       type master;
#       file "urlhaus.rpz";
#       allow-query { any; };
#       allow-update { none; };
#       allow-transfer { none; };
#};

### net.nix.dk zone
zone "net.nix.dk" {
        type master;
        file "/etc/bind/db.net.nix.dk";
#       allow-update { 172.30.30.0/24; };
};

### uex.dk zone
#zone "uex.dk" {
#       type master;
#       file "/etc/bind/db.uex.dk";
#};

### ptr
zone "30.30.172.in-addr.arpa" {
        type master;
        file "/etc/bind/db.172.30.30";
        allow-update { 172.30.30.0/24; };
};
$ cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};
$ cat /etc/bind/zones.rfc1918 
zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
#zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

There is documentation for this kind of question.

https://bind9.readthedocs.io/en/v9.18.19/reference.html#namedconf-statement-version


this is Chinese to me…

as I said, I don't create a "zone". I don't have my own webserver/webservice to expose… I don't have a DMZ configuration…

look at my "/etc/dhcp.conf":

# red masternet
subnet 192.168.1.0 netmask 255.255.255.0 {
	option domain-name-servers 192.168.1.254;
	option domain-name "helheim";
	option routers 192.168.1.254;
}
# green subnet
subnet 192.168.2.0 netmask 255.255.255.0 {
	range 192.168.2.1 192.168.2.253;
	option domain-name-servers 192.168.2.254;
	option domain-name "asgard";
	option routers 192.168.2.254;
	option broadcast-address 192.168.2.255;
	default-lease-time 600;
	max-lease-time 7200;
}
# blue subnet
subnet 192.168.3.0 netmask 255.255.255.0 {
	range 192.168.3.1 192.168.3.253;
	option domain-name-servers 192.168.3.254;
	option domain-name "vanaheim";
	option routers 192.168.3.254;
	option broadcast-address 192.168.3.255;
	default-lease-time 600;
	max-lease-time 7200;
}
# static ip attribution for eth1
host heimdall
{
	hardware ethernet XX:XX:XX:XX:XX:XX; # eth1 (greenzone) mac address of the nuc i7
	server-name "heimdall";
	fixed-address 192.168.2.254;
}
# static ip attribution for wlp0
host heimdallwifi
{
	hardware ethernet YY:YY:YY:YY:YY:YY; # wifi mac address of the nuc i7
	server-name "heimdall";
	fixed-address 192.168.3.254;
}

it's simple: only 2 subnetworks (green and blue) and one master network (red), nothing complex…

Then don't bother …

If you don't understand it, then don't try to implement it …

thank you !!!

that makes sense…

I told you I have no personally owned domain to include in the DNS system…

I just forward DNS requests from browsers… (Chrome, Firefox, Thunderbird, games, etc.)

Then use the DNS servers of your ISP. Find out their IP addresses (there are at least two), use them in your DHCP config and send them to your clients.

nice idea…
what I did is in /etc/dhcpd.conf:

option domain-name "helheim";
option domain-name-servers 192.168.1.254;
option routers 192.168.1.254;
option broadcast-address 192.168.1.255;
option subnet-mask 255.255.255.0;
authoritative;
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.1.0 netmask 255.255.255.0 {
	option domain-name-servers 192.168.1.254;
	option domain-name "helheim";
	option routers 192.168.1.254;
}
subnet 192.168.2.0 netmask 255.255.255.0 {
	range 192.168.2.1 192.168.2.253;
	option domain-name-servers 192.168.1.254; # <- what to do
	option domain-name "asgard";
	option routers 192.168.2.254;
	option broadcast-address 192.168.2.255;
	default-lease-time 600;
	max-lease-time 7200;
}
subnet 192.168.3.0 netmask 255.255.255.0 {
	range 192.168.3.1 192.168.3.253;
	option domain-name-servers 192.168.1.254; # <- what to do
	option domain-name "vanaheim";
	option routers 192.168.3.254;
	option broadcast-address 192.168.3.255;
	default-lease-time 600;
	max-lease-time 7200;
}
host heimdall
{
	hardware ethernet XX:XX:XX:XX:XX:XX;
	server-name "heimdall";
	fixed-address 192.168.2.254;
}
host heimdallwifi
{
	hardware ethernet YY:YY:YY:YY:YY:YY;
	server-name "heimdall";
	fixed-address 192.168.3.254;
}
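Editor's added example, not a post from the thread and not the poster's file: it follows up both the advice above to hand the ISP's resolvers to clients through DHCP and the dhcpd.conf just posted, where green and blue clients are given 192.168.1.254 (the ISP box on the red side) as their resolver. The block shows the posted green/blue stanzas next to two workable variants and a small awk check that classifies each handed-out resolver. It assumes (not stated in the thread) that a forwarding resolver listens on the NUC's own gateway addresses 192.168.2.254 and 192.168.3.254, and that the NUC masquerades green/blue traffic towards the red side; the ISP resolver addresses are the ones listed earlier in the thread.

```shell
#!/bin/sh
# Editor's added example (not code from the thread). Assumptions not stated in
# the thread: a forwarding resolver listens on the NUC's own gateway addresses
# 192.168.2.254 and 192.168.3.254, and the NUC masquerades green/blue traffic
# towards the red side.

# Green/blue stanzas as posted: clients on 192.168.2.0/24 and 192.168.3.0/24
# are told to use 192.168.1.254, the ISP box on the red side. They only reach
# it if the NUC forwards the packets, and the box only answers if it accepts
# queries from addresses outside its own subnet.
POSTED='
subnet 192.168.2.0 netmask 255.255.255.0 {
	range 192.168.2.1 192.168.2.253;
	option domain-name-servers 192.168.1.254;
	option routers 192.168.2.254;
}
subnet 192.168.3.0 netmask 255.255.255.0 {
	range 192.168.3.1 192.168.3.253;
	option domain-name-servers 192.168.1.254;
	option routers 192.168.3.254;
}'

# Corrected: the green zone is handed the resolver on its own gateway, which
# is the one forwarding to the ISP box. The blue zone shows the other
# workable choice: skip the local resolver and hand out the ISP's resolvers
# listed in the thread, which works as long as the NUC masquerades outbound.
FIXED='
subnet 192.168.2.0 netmask 255.255.255.0 {
	range 192.168.2.1 192.168.2.253;
	option domain-name-servers 192.168.2.254;
	option routers 192.168.2.254;
}
subnet 192.168.3.0 netmask 255.255.255.0 {
	range 192.168.3.1 192.168.3.253;
	option domain-name-servers 80.10.246.134, 81.253.149.5;
	option routers 192.168.3.254;
}'

# Classify every domain-name-servers address in each subnet stanza:
#   OK   on-link (same subnet as the clients) or a public resolver
#   WARN private address on another network (only reachable through the
#        router, and the target may refuse off-subnet queries)
# Returns 1 if any WARN was raised. Assumes contiguous netmasks.
check_dhcp() {
	printf '%s\n' "$1" | awk '
	function ip2n(s,   o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
	function in_net(n, net, mask,   b) { b = 4294967296 - mask; return (n - n % b) == net }
	function is_private(n) {
		return in_net(n, ip2n("10.0.0.0"), ip2n("255.0.0.0")) ||
		       in_net(n, ip2n("172.16.0.0"), ip2n("255.240.0.0")) ||
		       in_net(n, ip2n("192.168.0.0"), ip2n("255.255.0.0"))
	}
	$1 == "subnet" { net = ip2n($2); mask = ip2n($4); name = $2 "/" $4 }
	name != "" && $1 == "option" && $2 == "domain-name-servers" {
		s = $0; sub(/^.*domain-name-servers[ \t]+/, "", s); sub(/;.*$/, "", s)
		n = split(s, d, "[ ,\t]+")
		for (i = 1; i <= n; i++) {
			if (d[i] == "") continue
			a = ip2n(d[i])
			if (in_net(a, net, mask))   print "OK   " name " -> " d[i] " (on-link)"
			else if (is_private(a))   { print "WARN " name " -> " d[i] " (private, off-link)"; bad++ }
			else                        print "OK   " name " -> " d[i] " (public resolver, needs NAT)"
		}
	}
	END { exit (bad ? 1 : 0) }'
}

echo "== as posted ==";  check_dhcp "$POSTED" || true
echo "== corrected ==";  check_dhcp "$FIXED"
```

Either variant removes the dependency on the ISP box answering queries from a subnet it does not know; the on-link one keeps all client DNS traffic on the NUC, where it can be logged and filtered, and `dhcpd -t -cf /etc/dhcpd.conf` checks the file before restarting the service.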

As Linus Torvalds said… 🖕 F*CK YOU bind !!! 🖕
