DHCP DNS for a router with 2 ethernet interfaces and 1 wifi interface

What is the point?

I need help to configure my /etc/named.conf, not a mailing list of bind-related subjects…

I assume the address 191.168.x.y is a typo as 191 is not private address space.

Essentially you are telling your nameserver it must only allow queries for itself.

You already set up recursion - now you are limiting recursion to the nameserver itself.

That is kicking yourself in the butt - it should be something upstream.

OK, thanks. I didn't see that it is a class A address. I'll rename the network like this:

[orange PPPOE router] 192.168.1.0/24=redzone [nuc i7 manjaro router] 192.168.2.0/24=greenzone [green computers]

I think that's what I want … I want DNS to answer 192.168.2.0/24 requests … or tell me what's wrong?

OK, so how to do it for all 192.168.2.0/24 computers?

I don't understand. I want 192.168.1.254 to be the DNS server used for the redzone… What should I do?

I want:

[greenzone computers] => DNS REQUEST => 192.168.2.254/eth1[nuc i7 router]eth0\192.168.1.0/24 => DNS REQUEST => 192.168.1.254/lan[orange PPPOE router]

Actually my /etc/named.conf looks like:

options {

	directory "/var/named";
	pid-file "/run/named/named.pid";

	listen-on-v6 { none; };

	listen-on port 53 { 192.168.1.254; };

	recursion yes;
	allow-query { 192.168.2.254; };
	allow-recursion { 192.168.2.254; };
	forwarders { 192.168.1.254; };
	dnssec-validation auto;
	allow-transfer { none; };
	allow-update { none; };

	version none;
	hostname none;
	server-id none;
};

I know it’s wrong (as you said) but I don’t know what to do yet…

As you tell me there are "errors", I tried that:

options {

	directory "/var/named";
	pid-file "/run/named/named.pid";

	listen-on-v6 { none; };

	listen-on port 53 { 192.168.1.254; };

	recursion yes;
#	allow-query { 192.168.2.254; };
#	allow-recursion { 192.168.2.254; };
#	forwarders { 192.168.1.254; };
	dnssec-validation auto;
	allow-transfer { none; };
	allow-update { none; };

	version none;
	hostname none;
	server-id none;
};

without any success…
:face_with_diagonal_mouth:

There are so many things which need to be in place.

You need some kind of forwarder address(es)

Most commonly your ISP's nameservers are used, or Google's NS, or …

# examples
forwarders {
    8.8.8.8;
    8.8.1.1;
};

The problem with your issue is - there is no one-size-fits-all - which is why the community is - I am - reluctant to be specific …

bind is second to none - one of the best nameserver implementations - but it is hard to configure - there are so many places it can go wrong - especially if you don't understand the concept - and you have repeatedly told us - you don't …

Yes, in my case my ISP (Orange) from its box (Orange PPPOE) at the fixed address 192.168.1.254.

My problem is that I don't create a website or web server or any other web service… I just create a bridge to isolate a network from a compromised network.

I don't want to add any "zone" name to internet DNS servers… I just want to relay DNS requests such as
"google.com"
through the bridge to my ISP router, nothing more…

All examples I've seen want to add servers somewhere in the network. There is no example of a simple bridge DNS request repeater…

That’s why I need help…

I just told you …

There are simpler methods - such as - pi-hole

But it's not "192.168.1.254"; I don't want to bypass my ISP router parameters.
In fact my ISP DNS servers are:

  • 80.10.246.134
  • 81.253.149.5

But actually I want to use my ISP's DNS services… I don't really want to bypass it using Google's:

  • 8.8.8.8
  • 8.8.4.4

Why use an unknown private company's (lumen.com) DNS (8.8.1.1)?

As I stated - examples

You don't see a problem installing a distro with a DE as a headless system? :joy:

What does that even mean? Should he go to the gym? I’m glad manjaro is using some special kernel that can overcome DDoS. Such a simple solution, no idea why businesses are paying for DDoS protection when all they could do is install Manjaro on a NUC.

Goes where? To the basement? Again, I’m glad that you think Manjaro uses some special kernel that can overcome DDoS.

Anyway, you’re saying your TV is attacking you? I think you shouldn’t say that too loudly or someone will call someone…

Not sure what you are saying here, but I’m sure top secret military systems are secured with iptables rules in filter table.

Sure it does… :smiley: Dropping packets in filter table (where every packet is already connection-tracked) requires 0 CPU power. It’s magic.

I tried:

options {
	directory "/var/named";
	pid-file "/run/named/named.pid";

	listen-on-v6 { none; };

	listen-on port 53 { 192.168.1.254; };

	recursion yes;
	forwarders { 192.168.1.254; };
	dnssec-validation auto;
	allow-transfer { none; };
	allow-update { none; };

	version none;
	hostname none;
	server-id none;
};

and

options {
	directory "/var/named";
	pid-file "/run/named/named.pid";

	listen-on-v6 { none; };

	listen-on port 53 { 192.168.1.254; };

	recursion yes;
	forwarders { 8.8.8.8; 8.8.4.4; };
	dnssec-validation auto;
	allow-transfer { none; };
	allow-update { none; };

	version none;
	hostname none;
	server-id none;
};

with a stop and start of the named service:
systemctl stop named
systemctl start named
systemctl status named
Doesn't work… :face_with_diagonal_mouth:
Once again, I can access 192.168.1.254 from the greenzone:
✅ DHCP protocol
✅ TCP/IP protocol
✅ HTTP(S) protocol
✅ Firewall forward, as far as I can see
❌ DNS resolution

If I have to show you my “conf” files, please ask …
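An added example, not posted by anyone in this thread: a forward-only `options` block for the NUC, generated by a small shell script so it can be written to a scratch directory and syntax-checked before it replaces /etc/named.conf. It is built from facts the thread already gives: 192.168.1.254 is the Orange box, so `listen-on { 192.168.1.254; }` in the configs above names an address the NUC does not own; the NUC's own inside addresses are 192.168.2.254 (eth1, greenzone) and 192.168.3.254 (wifi, the 192.168.3.0/24 subnet that appears in the dhcpd.conf later in the thread); and, as the earlier reply says, `allow-query` must cover the client subnets rather than the server itself. The interface addresses, the `/var/named` and pid-file paths, and the `dnssec-validation` caveat are assumptions to check against the real machine.

```shell
#!/bin/sh
# Added example (not from the thread): generate a forward-only BIND options block for the
# NUC router and check it where the BIND tools are installed.
# Assumptions: the NUC owns 192.168.2.254 (eth1, greenzone) and 192.168.3.254 (wifi, bluezone),
# 192.168.1.254 is the Orange box, and the paths below match the thread's Manjaro layout.
set -u

# Per-topology parameters (assumed from the thread; adjust to the real interfaces).
INSIDE_ADDRS="192.168.2.254; 192.168.3.254;"
INSIDE_NETS="192.168.2.0/24; 192.168.3.0/24;"
UPSTREAM="192.168.1.254"

# write_named_conf DIR: writes DIR/named.conf and prints its path.
write_named_conf() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/named.conf" <<EOF
options {
	directory "/var/named";
	pid-file "/run/named/named.pid";

	listen-on-v6 { none; };
	// Listen on the router's own inside addresses, never on the upstream box's address.
	listen-on port 53 { 127.0.0.1; $INSIDE_ADDRS };

	// Answer (and recurse for) the whole client subnets, not just the router itself.
	recursion yes;
	allow-query { localhost; $INSIDE_NETS };
	allow-recursion { localhost; $INSIDE_NETS };

	// Pure relay: send everything to the ISP box and never fall back to the root servers.
	forwarders { $UPSTREAM; };
	forward only;

	// If the upstream box strips DNSSEC records, validation fails with SERVFAIL;
	// then set this to "no" (and lose validation) or forward to a validating resolver.
	dnssec-validation auto;

	allow-transfer { none; };
	allow-update { none; };
	version none;
	hostname none;
	server-id none;
};
EOF
    printf '%s\n' "$dir/named.conf"
}

# check_named_conf FILE: runs named-checkconf when installed; otherwise says so and
# returns 0, so the script is still usable on a machine without BIND (e.g. for review).
check_named_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not installed, syntax check skipped" >&2
        return 0
    fi
}

# listens_on FILE ADDR: 0 when ADDR appears in the listen-on statement of FILE
# (the listen-on-v6 line is excluded by requiring whitespace after "listen-on").
listens_on() {
    grep -E '^[[:space:]]*listen-on[[:space:]]' "$1" | grep -Fqw "$2"
}

# Usage: sh this.sh /tmp/bindtest   (writes and checks; copy to /etc/named.conf when happy)
if [ $# -ge 1 ]; then
    f=$(write_named_conf "$1") && check_named_conf "$f" && echo "wrote $f"
fi
```

After installing the file and restarting named, the checks a practitioner wants are: `ss -ulnp | grep ':53'` on the NUC to confirm named is bound to 192.168.2.254 and 192.168.3.254 (the checklist above only proves forwarding works, not that anything listens on the inside addresses); that the firewall accepts UDP and TCP port 53 inbound on eth1 and the wifi interface; `dig @192.168.2.254 google.com` from a greenzone host; and that dhcpd hands out 192.168.2.254 and 192.168.3.254 as `domain-name-servers`, as the first dhcpd.conf later in the thread does. If `dig` returns SERVFAIL while `dig @192.168.1.254 google.com` from the NUC works, the Orange box is most likely not passing DNSSEC records and the `dnssec-validation` caveat in the file applies.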

Why hostname and server-id none?
I heard version "must" be 4, isn't it?

This is my running config - you cannot use it for anything …

I am constantly experimenting - so I advise you not to copy-paste anything …

$ cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/zones.rfc1918";
$ cat /etc/bind/named.conf.options 
options {
        directory "/etc/bind";

        // For AdBlock
        response-policy {
                zone "rpz.net.nix.dk";
#               zone "urlhaus.zone";
        };

#       allow-query {
#               trusted-network;
#       };

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.

#       forwarders {
#               91.239.100.100;
#               89.233.43.71;
#               81.136.89.6;
#               83.136.89.4;
#       };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation no;
        //auth-nxdomain yes;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

#acl "trusted-network" {
#       172.30.30.0/24;
#       ::1;
#       127.0.0.0/8;
#};
cat /etc/bind/named.conf.local
## AdBlock
zone "rpz.net.nix.dk" {
        type master;
        file "/etc/bind/db.rpz.net.nix.dk";
        masterfile-format text;
        allow-query { none; };
};

#zone "urlhaus.zone" {
#       type master;
#       file "urlhaus.rpz";
#       allow-query { any; };
#       allow-update { none; };
#       allow-transfer { none; };
#};

### net.nix.dk zone
zone "net.nix.dk" {
        type master;
        file "/etc/bind/db.net.nix.dk";
#       allow-update { 172.30.30.0/24; };
};

### uex.dk zone
#zone "uex.dk" {
#       type master;
#       file "/etc/bind/db.uex.dk";
#};

### ptr
zone "30.30.172.in-addr.arpa" {
        type master;
        file "/etc/bind/db.172.30.30";
        allow-update { 172.30.30.0/24; };
};
cat /etc/bind/named.conf.default-zones 
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};
$ cat /etc/bind/zones.rfc1918 
zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
#zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

There is documentation for this kind of question.

https://bind9.readthedocs.io/en/v9.18.19/reference.html#namedconf-statement-version


This is Chinese to me…

As I said, I don't create a "zone"; I don't have my own web server/web service to expose… I don't have a DMZ configuration…

Look at my "/etc/dhcp.conf":

# red masternet
subnet 192.168.1.0 netmask 255.255.255.0 {
	option domain-name-servers 192.168.1.254;
	option domain-name "helheim";
	option routers 192.168.1.254;
}
# green subnet
subnet 192.168.2.0 netmask 255.255.255.0 {
	range 192.168.2.1 192.168.2.253;
	option domain-name-servers 192.168.2.254;
	option domain-name "asgard";
	option routers 192.168.2.254;
	option broadcast-address 192.168.2.255;
	default-lease-time 600;
	max-lease-time 7200;
}
# blue subnet
subnet 192.168.3.0 netmask 255.255.255.0 {
	range 192.168.3.1 192.168.3.253;
	option domain-name-servers 192.168.3.254;
	option domain-name "vanaheim";
	option routers 192.168.3.254;
	option broadcast-address 192.168.3.255;
	default-lease-time 600;
	max-lease-time 7200;
}
# static ip attribution for eth1
host heimdall
{
	hardware ethernet XX:XX:XX:XX:XX:XX; # eth1 (greenzone) mac address of the nuc i7
	server-name "heimdall";
	fixed-address 192.168.2.254;
}
# static ip attribution for wlp0
host heimdallwifi
{
	hardware ethernet YY:YY:YY:YY:YY:YY; # wifi mac address of the nuc i7
	server-name "heimdall";
	fixed-address 192.168.3.254;
}

It's simple: only 2 subnetworks (green and blue) and one master network (red), nothing complex…

Then don't bother …

If you don't understand it, then don't try to implement it …

thank you !!!

That makes sense…

I told you I have no personally owned domain to include in the DNS system…

I just forward DNS requests from browsers… (Chrome, Firefox, Thunderbird, games, etc…)

Then use the DNS servers of your ISP. Find out these IP addresses (there are at least two), use them in your DHCP config and send these to your clients.

Nice idea…
What I did is in /etc/dhcpd.conf:

option domain-name "helheim";
option domain-name-servers 192.168.1.254;
option routers 192.168.1.254;
option broadcast-address 192.168.1.255;
option subnet-mask 255.255.255.0;
authoritative;
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.1.0 netmask 255.255.255.0 {
	option domain-name-servers 192.168.1.254;
	option domain-name "helheim";
	option routers 192.168.1.254;
}
subnet 192.168.2.0 netmask 255.255.255.0 {
	range 192.168.2.1 192.168.2.253;
	option domain-name-servers 192.168.1.254; # <- what to do
	option domain-name "asgard";
	option routers 192.168.2.254;
	option broadcast-address 192.168.2.255;
	default-lease-time 600;
	max-lease-time 7200;
}
subnet 192.168.3.0 netmask 255.255.255.0 {
	range 192.168.3.1 192.168.3.253;
	option domain-name-servers 192.168.1.254; # <- what to do
	option domain-name "vanaheim";
	option routers 192.168.3.254;
	option broadcast-address 192.168.3.255;
	default-lease-time 600;
	max-lease-time 7200;
}
host heimdall
{
	hardware ethernet XX:XX:XX:XX:XX:XX;
	server-name "heimdall";
	fixed-address 192.168.2.254;
}
host heimdallwifi
{
	hardware ethernet YY:YY:YY:YY:YY:YY;
	server-name "heimdall";
	fixed-address 192.168.3.254;
}
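An added example, not posted by anyone in this thread, for the question marked `# <- what to do` above: a shell check that cross-reads dhcpd.conf and named.conf and reports the two mismatches this thread keeps running into. For every subnet dhcpd actually leases (one with a `range`; a range-less declaration such as the red one only attaches dhcpd to an interface), the `domain-name-servers` it advertises must be addresses named is told to `listen-on`, and the subnet must lie inside `allow-query`. The embedded samples are trimmed copies of the thread's green subnet and of the first named.conf `options` block; the `FIXED` variant is an assumed correction, and the parser only understands the one-statement-per-line style used in the posted files, not arbitrary BIND or dhcpd syntax.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check what dhcpd advertises against what named
# accepts. Constructed samples: the thread's green subnet and named.conf options (trimmed),
# plus an assumed FIXED named.conf. Only one-statement-per-line configs are handled.
set -u

DHCPD_SAMPLE='
subnet 192.168.2.0 netmask 255.255.255.0 {
	range 192.168.2.1 192.168.2.253;
	option domain-name-servers 192.168.2.254;
	option routers 192.168.2.254;
}
'
NAMED_BROKEN='
options {
	listen-on-v6 { none; };
	listen-on port 53 { 192.168.1.254; };
	allow-query { 192.168.2.254; };
};
'
NAMED_FIXED='
options {
	listen-on-v6 { none; };
	listen-on port 53 { 127.0.0.1; 192.168.2.254; };
	allow-query { localhost; 192.168.2.0/24; };
};
'

# named_items STMT CONF: items of the one-line statement "STMT ... { a; b; };", one per line.
# Matching on the first word keeps "listen-on-v6" from being read as "listen-on".
named_items() {
    printf '%s\n' "$2" | awk -v s="$1" '
        $1 == s { sub(/^[^{]*\{/, ""); sub(/\}.*$/, "")
                  n = split($0, a, ";")
                  for (i = 1; i <= n; i++) { gsub(/[[:space:]]/, "", a[i]); if (a[i] != "") print a[i] } }'
}

# dhcp_leased_subnets CONF: prints "net mask dns..." for each subnet that has a range;
# a global domain-name-servers option is inherited by subnets that do not set their own.
dhcp_leased_subnets() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }
        $1 == "subnet" { net = $2; mask = $4; rng = 0; dns = gdns }
        $1 == "range"  { rng = 1 }
        $1 == "option" && $2 == "domain-name-servers" {
            v = $0; sub(/.*domain-name-servers[[:space:]]*/, "", v); gsub(/[;,]/, " ", v)
            if (net == "") gdns = v; else dns = v }
        $1 == "}" && net != "" { if (rng) print net, mask, dns; net = "" }'
}

# cidr_contains ENTRY NET MASK: 0 when the NET/MASK subnet lies inside ENTRY (IP, CIDR or any).
# The built-in ACLs localhost/localnets are treated conservatively as not covering a client subnet.
cidr_contains() {
    awk -v e="$1" -v n="$2" -v m="$3" '
        function ip2n(s,  o) { split(s, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
        BEGIN {
            if (e == "any") exit 0
            if (e == "none" || e == "localhost" || e == "localnets") exit 1
            p = 32; if (index(e, "/")) { split(e, t, "/"); e = t[1]; p = t[2] + 0 }
            blk = 2 ^ (32 - p)                   # addresses covered by the entry
            if (ip2n(m) < 2 ^ 32 - blk) exit 1    # client subnet is larger than the entry
            if (int(ip2n(e) / blk) == int(ip2n(n) / blk)) exit 0
            exit 1
        }'
}

# check_consistency DHCPD_CONF NAMED_CONF: prints each mismatch, returns 1 if there was any.
check_consistency() {
    dconf=$1; nconf=$2; bad=0
    listen=" $(named_items listen-on "$nconf" | tr '\n' ' ') "
    allow=$(named_items allow-query "$nconf")
    subnets=$(dhcp_leased_subnets "$dconf")
    oldifs=$IFS; IFS='
'
    for line in $subnets; do
        IFS=$oldifs
        set -- $line
        net=$1; mask=$2; shift 2
        for d in "$@"; do
            case "$listen" in
                *" $d "*|*" any "*) ;;
                *) echo "$net/$mask: dhcpd advertises DNS $d but named does not listen on it"; bad=1 ;;
            esac
        done
        covered=0
        for e in $allow; do
            if cidr_contains "$e" "$net" "$mask"; then covered=1; fi
        done
        if [ "$covered" -eq 0 ]; then
            echo "$net/$mask: not covered by allow-query { $(printf '%s; ' $allow)}"; bad=1
        fi
    done
    IFS=$oldifs
    return "$bad"
}

# Stand-alone run: the thread's pairing should fail, the corrected one should pass.
if check_consistency "$DHCPD_SAMPLE" "$NAMED_BROKEN"; then echo "thread config: consistent"; else echo "thread config: mismatches above"; fi
if check_consistency "$DHCPD_SAMPLE" "$NAMED_FIXED"; then echo "fixed config: consistent"; else echo "fixed config: mismatches above"; fi
```

On the router itself the same function runs against the live files with `check_consistency "$(cat /etc/dhcpd.conf)" "$(cat /etc/named.conf)"`. Against the thread's own pair it reports that the green subnet is told to use 192.168.2.254 while named only listens on 192.168.1.254, and that 192.168.2.0/24 is not inside `allow-query { 192.168.2.254; }`; both are the points the earlier reply made in words. The check is deliberately offline and does not know which addresses the NUC really owns, so `ss -ulnp | grep ':53'` after a restart remains the final confirmation that named is bound where dhcpd sends clients.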

As Linus Torvalds said… 🖕 F*CK YOU bind !!! 🖕
