DNS Configuration

From SixXS Wiki
Jump to: navigation, search

Contents

DNS Configuration

This is meant as a few hints on how to make your DNS configuration pass the ZoneCheck tests without any warnings

Default IPv4 zones

RFC1912 recommends adding a few default zones to prevent unnecessary requests going to the root servers:

zone "0.in-addr.arpa" IN {
       type master;
       file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" IN {
       type master;
       file "/etc/bind/db.255";
};
zone "localhost" IN {
       type master;
       file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" IN {
       type master;
       file "/etc/bind/db.127";
};


The zone files may look something like this. Note that the serial number and timer values don't really matter much since every DNS server is supposed to be configured as a master, and there will of course never be any slaves for these zones:


db.0

$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                             1         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
    NS      localhost.


db.255

$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                             1         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
    NS      localhost.


db.local

$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                             1         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
        NS      localhost.
        A       127.0.0.1

db.127

$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                             1         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
       NS      localhost.
1.0.0  PTR     localhost.


A note on bind 9.4.1 and newer

Recent versions of bind have added a few built-in empty zones, which makes the above explicit configuration less necessary. The defaults will prevent these bind versions from querying the root servers for the most common queries. Note that any locally defined zone will override the built-ins, but not if the built-in is more explicit!

See http://www.isc.org/sw/bind/arm94/Bv9ARM.ch06.html#empty for the current list of empty zones, but be aware that this list may change with bind versions.

Default IPv6 zones

For IPv6 you need to add a reverse zone for the loopback address ::1 and also update the forward "localhost." zone with an AAAA record pointing to ::1.

Some versions of bind have added 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa as an empty built-in zone. This means that you must defined exactly this zone if you want ::1 to point to the name "loopback". Any less specific zone definition will not work with these bind versions.

This adds the IPv6 reverse loopback zone:

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
       type master;
       file "/etc/bind/db.ipv6-rev-loopback";
};


db.local

$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                             1         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
        NS      localhost.
        A       127.0.0.1
        AAAA    ::1

db.ipv6-rev-loopback

$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                             1         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
        NS      localhost.
        PTR     localhost.


Empty zones

Note that bind 9.4.x also adds a few other empty IPv6 reverse zones to avoid unnecessary queries going all the way to the root servers. bind 9.4.x or newer is therefore recommended when using IPv6. Users of other servers or bind versions could add these empty zones manually. The current list of built-in zones in bind 9.4.x can be found at http://www.isc.org/sw/bind/arm94/Bv9ARM.ch06.html#empty

Example zone definitions for earlier bind versions:

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
       type master;
       file "/etc/bind/db.empty";
};
zone "D.F.IP6.ARPA" {
       type master;
       file "/etc/bind/db.empty";
};
zone "8.E.F.IP6.ARPA" {
       type master;
       file "/etc/bind/db.empty";
};
zone "9.E.F.IP6.ARPA" {
       type master;
       file "/etc/bind/db.empty";
};
zone "A.E.F.IP6.ARPA" {
       type master;
       file "/etc/bind/db.empty";
};
zone "B.E.F.IP6.ARPA" {
       type master;
       file "/etc/bind/db.empty";
};

db.empty

$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                             1         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
        NS      localhost.

Adding your own IPv6 data

First: Read the SixXS staffs thoughs on DNS Pollution: http://www.sixxs.net/faq/sixxs/?faq=dnsspam

This is really as simple as following the hints from the default zones above. Let's say you've got the subnet 2001:0db8:beef::/48 and want reverse DNS to resolve. You'll then need to add the zone

zone "f.e.e.b.8.b.d.0.1.0.0.2.ip6.arpa" {
       type master;
       file "master/2001:0db8:beef";
};

Note that some older documents may refer to ip6.int. This is now deprecated.

The zone files look a lot like their IPv4 counterparts: Mostly PTR records. The main difference is the number of labels, one for every nibble (4bit) in the address - a total of 34(!) labels when including the "ip6.arpa" postfix. You can save yourself a lot of work and confusion by using $ORIGIN smart, and also by including a few comments referring to the actual prefix the $ORIGIN is supposed to be mapped from.

An example master/2001:0db8:beef

;; 2001:0db8:beef::/48
$TTL 6H
@ IN    SOA     ns1.example.com. hostmaster.example.com. (
               2008012400      ; Serial
               10H             ; refresh
               3H              ; retry
               1W              ; expire
               1D )            ; minimum
       NS      ns1.example.com.
       NS      ns2.example.com.

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.5.0.0 PTR  ns1.example.com.  ;; 2001:0db8:beef:53::1

;; 2001:0db8:beef::/64 
$ORIGIN 0.0.0.0.f.e.e.b.8.b.d.0.1.0.0.2.ip6.arpa.
d.a.b.0.d.a.b.0.d.a.b.0.d.a.b.0 PTR     reallybad.example.com.
d.a.e.d.0.0.0.0.0.0.0.0.0.0.0.0 PTR     somewhatdead.example.com.

;; 2001:0db8:beef:2::/120
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.f.e.e.b.8.b.d.0.1.0.0.2.ip6.arpa.
1.0 PTR foo.example.com.  ;; 2001:0db8:beef:2::1 
2.0 PTR bar.example.com.  ;; 2001:0db8:beef:2::2

Corresponding forward zone

;; $ORIGIN example.com.
$TTL 6H
@ IN    SOA     ns1        hostmaster (
               2008012400      ; Serial
               10H             ; refresh
               3H              ; retry
               1W              ; expire
               1D )            ; minimum
       NS      ns1
       NS      ns2

ns1   A     192.168.3.1
      AAAA  2001:0db8:beef:53::1
ns2   A     10.1.2.3
      AAAA  2001:0db8:f00f::3

foo   AAAA  2001:0db8:beef:2::1 
bar   AAAA  2001:0db8:beef:2::2

reallybad    AAAA 2001:0db8:beef::bad:bad:bad:bad
somewhatdead AAAA 2001:0db8:beef::dead

Pointers

Personal tools