fuss:bind: revision 2017/02/22 18:30 (external edit, 127.0.0.1) compared with revision 2017/12/27 22:37 ([Updating Dynamic Dns Zone Files], office)

====== Using bind with Tor/i2p and other DarkNet Domains ======

If you look at [[fuss:

<code>
forward-socks4a .onion
</code>

is responsible for forwarding all traffic to ''

In order to do that, bind allows you to configure a forwarder zone (perhaps one of the few cases where it is justified).

From ''/
<code>
zone "
  type forward;
  forwarders { 127.0.0.2; };
  forward only;
};
</code>

This would make any ''

From ''/
<code>
DNSPort 53
DNSListenAddress 127.0.0.2
</code>

The result will be that bind will resolve all ''

The same procedure can be repeated for any DarkNet relays, proxying DNS on loopbacks: ''

====== Turn EDNS Off ======

Described in [[http://

Many public DNS servers do not implement ''

The result is that log-files get jammed with messages such as ((not a joke, ISC, //"the authors of BIND"//
<code>
success resolving '
</code>
and causes bind to [[http://

Security-wise,

To disable ''
<code>
server ::/0 { edns no; };
server 0.0.0.0/0 { edns no; };
</code>

to the ''

====== Updating Dynamic DNS Zone Files ======

Zone files of dynamic zones (zones that receive dynamic updates and therefore have a journal attached) cannot be edited directly while bind is running. Rather than shutting bind down, a better solution is to first pause dynamic updates by issuing the command:
<code bash>
rndc freeze zone.tld
</code>

then making any changes necessary to the zone file (remembering to update the serial), and once the changes are done, unpausing the zone updates by issuing the command:
<code bash>
rndc thaw zone.tld
</code>

When issuing the last command, isc-bind will reload the zone files, check the serial number and flush the journal file (''

====== Updating Records without Restarting Bind ======

''

In order to remove a ''
<code>
12 PTR myhost.home.
</code>

the following invocation of ''
<code bash>
nsupdate -v -k /
> server 192.168.1.1
> zone 1.168.192.in-addr.arpa.
> update delete 12.1.168.192.in-addr.arpa. ptr myhost.home.
> send
> quit
</code>
will:
  - set the server to be updated to ''
  - specify that the zone to be updated will be ''
  - send a request to delete the reverse entry for ''

In order to remove an ''
<code>
myhost.home
</code>
the following invocation of ''
<code bash>
nsupdate -v -k /
> server 192.168.1.1
> zone home
> update delete myhost.home a
> send
> quit
</code>
will:
  - set the server to be updated to ''
  - set the zone to be updated to ''
  - send a request to delete the ''

After updating the zone, the command:
<code bash>
rndc reload
</code>
can be used to make bind reload the zones.
