Haack's Wiki

User Tools

Site Tools

Trace:
computing:bind9dns

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
computing:bind9dns [2025/12/28 04:18] oemb1905computing:bind9dns [2025/12/28 08:43] (current) oemb1905
Line 29: Line 29:
   * Configuring your Registrar's GLUE records, i.e., registering and pointing nameservers   * Configuring your Registrar's GLUE records, i.e., registering and pointing nameservers
  
-This tutorial presumes you already have working and sufficiently hardened VM/VPS with LAMP stack and access to PTR for three different external IPs. If you don't know what some or all of that is, take a step back and start with [[https://wiki.haacksnetworking.org/doku.php?id=computing:apachesurvival|Apache Survival]] before proceeding. If you feel comfortable so far, and you have three different VMs/VPSs setup and ready, well then carry on. +This tutorial presumes you already have three working and sufficiently hardened VMs/VPSs with LAMP stacks and access to PTR for each of the three different external IPs they leverage, six if you include IPv6. If you don't know what some or all of that is, take a step back and start with [[https://wiki.haacksnetworking.org/doku.php?id=computing:apachesurvival|Apache Survival]] before proceeding. If you feel comfortable so far, and you have three different VMs/VPSs setup and ready, well then carry on. 
  
 ------------------------------------------- -------------------------------------------
Line 104: Line 104:
 </code> </code>
  
-As you can see, ns2 and ns3 restrict all access on 80/443 to ns1. This is because there is no need to access these nodes directly, as both bind9 and later webmin will directly instruct these slaves with their configurations. Ns1, on the other hand, should be publicly accessible by design. We will secure it later with a strong password (25 characters or more), a reverse proxy, and fail2ban. One can additionally, if they so choose, add source-IP rules to the master node, but I think this is overkill. In my case, I want the master node to be accessible to me everywhere. The 10000-10010 range is for the webmin clustering features. +As you can see, ns2 and ns3 restrict all access on 80/443 to ns1. This is because there is no need to access these nodes directly, as both bind9 and later webmin will directly instruct these slaves with their configurations. Ns1, on the other hand, should be publicly accessible by design. We will secure it later with a strong password (25 characters or more), a reverse proxy, and fail2ban. One can additionally, if they so choose, add source-IP rules to the master node, but I think this is overkill. In my case, I want the master node to be accessible to me everywhere. The 10000-10010 range is for the webmin clustering features. Of course, none of the above is helpful unless you've registered your intended name servers with your registrar and established your glue records. I use Dynadot, and you first register the name servers, associate the IPs, and then you can leverage those nameservers, just like their nameservers, globally throughout their DNS host panel. Here' what the name registration panel looks like: 
 + 
 +{{ :computing:screenshot_from_2025-12-27_21-47-30.png?direct&800 |}} 
 + 
 +Once the basics of your nodes and your registrar have the prerequisite configurations in place, we can move on to configuring the Bind9 server
  
 === Part 2 - Setting up the Bind9 sever(s) === === Part 2 - Setting up the Bind9 sever(s) ===
Line 182: Line 186:
 </code> </code>
  
-Now that the family and cat website zone is created, we need to establish its DNS records again as well:+Now that the family and cat website zone is re-created, we can now establish its DNS records in the zone record file in ''/var/cache/bind/db.felinefantasy.club'' as follows:
  
 <code bash>$TTL 86400 <code bash>$TTL 86400
Line 236: Line 240:
 At this point, we're still dealing strictly with bind9 and have not setup webmin or the automated clustering features. We will do that soon, but there's still one thing we need to cover how to do on the command line and that's DNSSEC. Below, let's create keys in the proper directory (mind this) and then sign them: At this point, we're still dealing strictly with bind9 and have not setup webmin or the automated clustering features. We will do that soon, but there's still one thing we need to cover how to do on the command line and that's DNSSEC. Below, let's create keys in the proper directory (mind this) and then sign them:
  
 +<code bash>
 cd /var/cache/bind cd /var/cache/bind
 dnssec-keygen -a ED25519 -b 256 -n ZONE haacksnetworking.com dnssec-keygen -a ED25519 -b 256 -n ZONE haacksnetworking.com
Line 241: Line 246:
 SALT=$(openssl rand -hex 8) SALT=$(openssl rand -hex 8)
 dnssec-signzone -S -K /var/cache/bind -A -3 $SALT -N INCREMENT -o haacksnetworking.com -t db.haacksnetworking.com dnssec-signzone -S -K /var/cache/bind -A -3 $SALT -N INCREMENT -o haacksnetworking.com -t db.haacksnetworking.com
 +</code>
  
 You can of course just run the ''openssl'' salt generation command by itself and manually insert the value, but someone had this online and I thought it was cool to share, whereby it creates a variable called SALT and then populates it into the subsequent command. Hilarious, and entirely not needed, but super fun. Once this is done, you've built the keys, you've signed the domain with them, and now you need to change the ''named'' entry to reflect the signed zone instead, and then finally update your registrar with the key and key values that you chose. First, let's update ''nano /etc/bind/named.conf.local'' with the signed record file location, for which I am using the ''felinefantasy.club'' zone record as an example, but this would apply to whatever zone you signed: You can of course just run the ''openssl'' salt generation command by itself and manually insert the value, but someone had this online and I thought it was cool to share, whereby it creates a variable called SALT and then populates it into the subsequent command. Hilarious, and entirely not needed, but super fun. Once this is done, you've built the keys, you've signed the domain with them, and now you need to change the ''named'' entry to reflect the signed zone instead, and then finally update your registrar with the key and key values that you chose. First, let's update ''nano /etc/bind/named.conf.local'' with the signed record file location, for which I am using the ''felinefantasy.club'' zone record as an example, but this would apply to whatever zone you signed:
Line 250: Line 256:
     allow-transfer { 8.28.86.114; 8.28.86.115; 2604:fa40:0:10::12; 2604:fa40:0:10::13; };     allow-transfer { 8.28.86.114; 8.28.86.115; 2604:fa40:0:10::12; 2604:fa40:0:10::13; };
     also-notify { 8.28.86.114; 8.28.86.115; 2604:fa40:0:10::12; 2604:fa40:0:10::13; };     also-notify { 8.28.86.114; 8.28.86.115; 2604:fa40:0:10::12; 2604:fa40:0:10::13; };
 +    };
 </code> </code>
  
Line 265: Line 272:
   A1B2C3D4E5F67890123456789ABCDEF0123456789ABCDEF0123456789ABCDEF   A1B2C3D4E5F67890123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
      
-Enter all of these values, adjusting as needed, into your registrar's DNSSEC section for this particular domain and you should be good to go. With this, we've completed the CLI portion of this tutorial. You can now, create a master bind9 server, two zones, two slaves that assist that master, and DNSSEC for any of those created zones/domains. The only caveat is that bind9 lacks an internal clustering system, so you do have to do the one-time config entry on each slave any time you create a new zone. This instructs the slave that it is an authority for this record and informs it as to who its master is for that zone/record. Our next job is to cover how to setup webmin and how to confgiure webmin to perform the same tasks we just did in the CLI with its bind9 web interface. +Enter all of these values, adjusting as needed, into your registrar's DNSSEC section for this particular domain and you should be good to go. With this, we've completed the CLI portion of this tutorial. You can now, create a master bind9 server, two zones, two slaves that assist that master, and DNSSEC for any of those created zones/domains. The only caveat is that bind9 lacks an internal clustering system, so you do have to do the one-time config entry on each slave any time you create a new zone. This instructs the slave that it is an authority for this record and informs it as to who its master is for that zone/record. Our next job is to cover how to setup webmin and how to confgiure webmin to perform the same tasks we just did in the CLI with its bind9 web interface. Before moving on, make sure to verify your DNSSEC record with dig as follows ''dig felinefantasy.club DNSKEY +dnssec @8.28.86.113''. You should see some output resembling: 
 + 
 +<code bash> 
 +; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> felinefantasy.club DNSKEY +dnssec @8.28.86.113 
 +;; global options: +cmd 
 +;; Got answer: 
 +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28842 
 +;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 
 +;; WARNING: recursion requested but not available 
 + 
 +;; OPT PSEUDOSECTION: 
 +; EDNS: version: 0, flags: do; udp: 1232 
 +; COOKIE: 411d85836fb93c0a010000006950b1756dbe071f8d5e5758 (good) 
 +;; QUESTION SECTION: 
 +;felinefantasy.club. IN DNSKEY 
 + 
 +;; ANSWER SECTION: 
 +felinefantasy.club. 86400 IN DNSKEY 256 3 15 gsJX9BVwpBouYbMo1LcGAazEdI2dLR7jRoUvf0xghlU= 
 +felinefantasy.club. 86400 IN DNSKEY 257 3 15 X89v0cFjUj9aJ7iowuBsWB+kWlU/f1wDKkjlN9fU7bU= 
 +felinefantasy.club. 86400 IN RRSIG DNSKEY 15 2 86400 20260123015214 20251224015214 5092 felinefantasy.club. M5mol/xWAMN3Z3Sq0QQtRlejACeJkI0MaZT2iD70DS8YkGTB1lY0NUil s+Ly1vMOWF9pPxNMRNbaHSJpx888AQ== 
 +felinefantasy.club. 86400 IN RRSIG DNSKEY 15 2 86400 20260123015214 20251224015214 31408 felinefantasy.club. 8AFRfVowlWV9Gi65eZu+zWW6yg0ADCbUE/T6L1lou5Sls9kHE2M33HIM NaD0oMQHMyN+cLyIBfjR+aLR3acuCg== 
 + 
 +;; Query time: 100 msec 
 +;; SERVER: 8.28.86.113#53(8.28.86.113) (UDP) 
 +;; WHEN: Sat Dec 27 21:26:29 MST 2025 
 +;; MSG SIZE  rcvd: 399 
 +</code>
  
 ------------------------------------------- -------------------------------------------
Line 289: Line 322:
   host=ns1.haacksnetworking.com   # ns2/ns3 on other nodes   host=ns1.haacksnetworking.com   # ns2/ns3 on other nodes
      
-Remember, you are configuring this on each node. Recall that we already pre-built all firewall rules in advance, allowing the slaves, in my case .114 and .115, to receive 80/443 and 10000-10010 requests from the master at .113. These are rules not present on the master .113, for example. Make sure to recall and make sense of those rules as we build the cluster. The next step is to create our Let's Encrypt certs for each domain. To do this, build the certs normally on the default ''000-default.conf'' virtual host. Run ''certbot'' to create a certificate and let acme build a second vhost for 443, something like ''000-default-le-ssl.conf'' or something similar. Once this is done, you simply swap the contents of the two blocks with the reverse proxy vhost confs instead. You only need to change ''ServerName nsX.haacksnetworking.com'' and nothing else. This is just a routine step I do to avoid self-signed or cert-only options which are annoying. So, once you built the cert and have both vhosts, swap them out and restart the services. First, let's enable the reverse proxy and TLS modules, reload the service, then create a LE cert with certbot on the default host: +Remember, you are configuring this on each node. Recall that we already pre-built all firewall rules in advance, allowing the slaves, in my case .114 and .115, to receive 80/443 and 10000-10010 requests from the master at .113. These are rules not present on the master .113, for example. Make sure to recall and make sense of those rules as we build the cluster. Before we move on, let's make sure all of our webmin changes are active by restarting the service: 
 + 
 +  /etc/webmin/restart 
 + 
 +The next step is to create our Let's Encrypt certs for each domain. To do this, build the certs normally on the default ''000-default.conf'' virtual host. Run ''certbot'' to create a certificate and let acme build a second vhost for 443, something like ''000-default-le-ssl.conf'' or something similar. Once this is done, you simply swap the contents of the two blocks with the reverse proxy vhost confs instead. You only need to change ''ServerName nsX.haacksnetworking.com'' and nothing else. This is just a routine step I do to avoid self-signed or cert-only options which are annoying. So, once you built the cert and have both vhosts, swap them out and restart the services. First, let's enable the reverse proxy and TLS modules, reload the service, then create a LE cert with certbot on the default host: 
  
   a2enmod proxy proxy_http proxy_wstunnel rewrite ssl headers   a2enmod proxy proxy_http proxy_wstunnel rewrite ssl headers
Line 344: Line 381:
 </code> </code>
  
-Make sure to restart apache2 ''sudo systemctl restart apache2'' after this. You should not have any errors so long as you adapted the locations and domains above to your use-case. If you do, it's likely because you did not perform my trick correctly, i.e., you had failures on cert creation above. Use the apache configuration test tool, double check your steps, and carry on once you got things sorted. We are now going to setup the cluster and then use the cluster to enter another zone, an A record, and the corresponding DNSSEC signature for the zone/domain. The first step is to navigate to ''Webmin Servers Index;; on ns1.haacksnetworking.com's webmin sidebar and select ''Register a new server'' once in that panel. It should look something like this:+Make sure to restart apache2 ''sudo systemctl restart apache2'' after this. You should not have any errors so long as you adapted the locations and domains above to your use-case. If you do, it's likely because you did not perform my trick correctly, i.e., you had failures on cert creation above. Use the apache configuration test tool, double check your steps, and carry on once you got things sorted. We are now going to setup the cluster and then use the cluster to enter another zone, an A record, and the corresponding DNSSEC signature for the zone/domain. The first step is to navigate to "Webmin Servers Indexon ns1.haacksnetworking.com's webmin sidebar and select "Register a new serveronce in that panel. It should look something like this:
  
 {{ :computing:screenshot_from_2025-12-27_20-47-13.png?direct&800 |}} {{ :computing:screenshot_from_2025-12-27_20-47-13.png?direct&800 |}}
Line 365: Line 402:
 {{ :computing:screenshot_from_2025-12-27_21-06-35.png?direct&800 |}} {{ :computing:screenshot_from_2025-12-27_21-06-35.png?direct&800 |}}
  
-Once you do that, we can create zone.+Before we create our first master zone using webmin's bind9 GUI, let's activate rndcTo do that, navigate to Bind9 Server > Setup RNDC. Here's what that looks like below. Just click yes, and you are all set:
  
-image of that+{{ :computing:screenshot_from_2025-12-27_22-35-32.png?direct&800 |}}
  
-Later ononce zone is created, it should be noted that the webmin tooling creates redundant transfer to rule on the slaves. It can be left and is harmless, but here's where it populates in case you are curious(If you know how to disable thisping me on Matrix):+Once you do thatwe can now create a new master zone. Here's what that looks like. For me, all the default values are fine: 
 + 
 +{{ :computing:screenshot_from_2025-12-27_22-06-24.png?direct&800 |}} 
 + 
 +Doing this creates the zone on ns1. It looks a little different structurally than what I created on the CLI, but syntactically, it is equivalent. It used a different naming convention for the name of the zone file, but it is completely arbitrary. Here is ''/etc/bind/named.conf.local'' on ns1 for the newly created zone: 
 + 
 +<code bash> 
 +zone "cloudcommunity.club"
 +        type master; 
 +        file "/var/cache/bind/cloudcommunity.club.hosts.signed"; 
 +        allow-transfer { 
 +                8.28.86.114; 
 +                8.28.86.115; 
 +                2604:fa40:0:10::12; 
 +                2604:fa40:0:10::13; 
 +                }; 
 +        also-notify { 
 +                8.28.86.114; 
 +                8.28.86.115; 
 +                2604:fa40:0:10::12; 
 +                2604:fa40:0:10::13; 
 +                }; 
 +        }; 
 +</code> 
 + 
 +The IPv6 addresses above did not populate despite me having those entered in webmin under Bind9 Server > Zone defaults. You can see them in that area below and you can see that test.club domain lacks them despite being populated there as seen in the screenshot below: 
 + 
 +{{ :computing:screenshot_from_2025-12-27_22-16-32.png?direct&800 |}} 
 + 
 +This glitch is a bit annoying, but it is not strictly required for the zone to function as only IPv4 is sufficient. If, however, you want to add the IPv6 entries, you do so by navigating to Bind9 Server > Zone Name > Edit Zone Options and simply add them: 
 + 
 +{{ :computing:screenshot_from_2025-12-27_22-11-48.png?direct&800 |}} 
 + 
 +It is not required to change anything on the slaves because these are master node entries and the slaves don't require any of these blocksThe slaves, on the other hand, have created corresponding zone entries like follows in ''/etc/bind/named.conf.local'': 
 + 
 +<code bash> 
 +zone "cloudcommunity.club"
 +        type slave; 
 +        masters { 
 +                8.28.86.113; 
 +                2604:fa40:0:10::11; 
 +                }; 
 +        allow-transfer { 
 +                8.28.86.113; 
 +                2604:fa40:0:10::11; 
 +                }; 
 +        file "/var/lib/bind/cloudcommunity.club.hosts"; 
 +        }; 
 +</code> 
 + 
 +Webmin redundantly creates the transfer rule, but that won't hurt or change anything because it is moot due to the ''type slave;'' declaration earlier. Therefore, this can be left along during initial zone and record creation as it is harmless. If you want to remove those redundant entriesyou go to Webmin on ns1 > Webmin Servers Index > Click ns2 or ns3 as needed > Bind9 Server > Zone > Edit Zone Options. In there, you can easily remove the redundant entries:
  
 {{ :computing:screenshot_from_2025-12-27_21-16-25.png?direct&800 |}} {{ :computing:screenshot_from_2025-12-27_21-16-25.png?direct&800 |}}
  
- --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/12/28 03:42//+Of course, you could also shell into the slaves and remove those transfer rules via the CLI, this is just to show that both methods work and are dealing with the exact same bind9 underbelly. Once we do that, we can !!FINALLY!! create A, AAAA, dmarc, spf, and or any other records we need. Here's what the zone's landing page looks like and what the record pages within it look like: 
 + 
 +{{ :computing:screenshot_from_2025-12-27_22-37-52.png?direct&800 |}} 
 +{{ :computing:screenshot_from_2025-12-27_22-38-38.png?direct&800 |}} 
 +{{ :computing:screenshot_from_2025-12-27_22-39-12.png?direct&800 |}} 
 +{{ :computing:screenshot_from_2025-12-27_22-40-16.png?direct&800 |}} 
 + 
 +Now, we do some host testing again. Repeat host commands above 
 + 
 +  host cloudcommunity.club ns1.haacksnetworking.com 
 +  host cloudcommunity.club ns2.haacksnetworking.com 
 +  host cloudcommunity.club ns3.haacksnetworking.com 
 +   
 +Once that's working, let's setup DNSSEC using the webmin gui on master ns1. To do that navigate to Bind9 DNS Server > Zone > Setup DNS Key: 
 + 
 +{{ :computing:screenshot_from_2025-12-27_22-50-57.png?direct&8800 |}} 
 +   
 +Once the DNSSEC key is created and the zone signed, you will, just like above, have to navigate over to your registrar and enter in the algorithm, digest, digest tag, and key tag. To see those values, just select Bind9 DNS Server > Zone > Setup DNS Key and instead of showing you the option to create it anew, it now shows the key you just created: 
 + 
 +{{ :computing:screenshot_from_2025-12-27_22-55-45.png?direct&800 |}} 
 +   
 +As a final step, we can use the dig command to verify the record against all nodes: 
 + 
 +  dig cloudcommunity.club DNSKEY +dnssec @8.28.86.113 
 +  dig cloudcommunity.club DNSKEY +dnssec @8.28.86.114 
 +  dig cloudcommunity.club DNSKEY +dnssec @8.28.86.115 
 +   
 +Each node should report the following: 
 + 
 +<code bash> 
 +; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> cloudcommunity.club DNSKEY +dnssec @8.28.86.113 
 +;; global options: +cmd 
 +;; Got answer: 
 +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21022 
 +;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 
 +;; WARNING: recursion requested but not available 
 + 
 +;; OPT PSEUDOSECTION: 
 +; EDNS: version: 0, flags: do; udp: 1232 
 +; COOKIE: f9d0bef39e0c56da010000006950c6e270c6a99b26e97171 (good) 
 +;; QUESTION SECTION: 
 +;cloudcommunity.club. IN DNSKEY 
 + 
 +;; ANSWER SECTION: 
 +cloudcommunity.club. 3600 IN DNSKEY 256 3 15 yCykkNhKUB0H3F7B+F1ydS6lmTaQAhRkVLgq6Fy6xWo= 
 +cloudcommunity.club. 3600 IN DNSKEY 257 3 15 g61Yq+dJTUxZpQDvQfqqK59CUv3IsDXyO8Sy229YVic= 
 +cloudcommunity.club. 3600 IN RRSIG DNSKEY 15 2 3600 20260123020922 20251224020922 188 cloudcommunity.club. sbVDXR4RZpR0s2eXn3wyyJ4JGO2AZpX/81UiOp/6fv9BWlVhkGXnsr50 JMHTFiKTVRwPtfRFONdrU1VUhrScDQ== 
 +cloudcommunity.club. 3600 IN RRSIG DNSKEY 15 2 3600 20260123020922 20251224020922 30893 cloudcommunity.club. AjoUcCUneoXo/sTDgyfbAJV5wc/TxuJN50Uhs2WY6B8FfBV586ZCcell ztTYercorXsQf1mtHXpSh5bKZBscCg== 
 + 
 +;; Query time: 100 msec 
 +;; SERVER: 8.28.86.113#53(8.28.86.113) (UDP) 
 +;; WHEN: Sat Dec 27 22:57:54 MST 2025 
 +;; MSG SIZE  rcvd: 402 
 +</code> 
 + 
 +=== Part 4 - Optional Unbound Recursive Resolver === 
 + 
 +Now that you can create any record you please and sign your zones/domains with DNSSEC using both the CLI and the webmin Bind9 DNS server GUI, we can optionally secure each node with unbound DNS for added privacy and speed. 
 + 
 +  sudo apt install unbound 
 +   
 +The full unbound tutorial, including lan-side setups, can be found [[https://wiki.haacksnetworking.org/doku.php?id=computing:unbounddns|Unbound]]. For this setup, however, a simple config in ''/etc/unbound/unbound.conf'' such as this should work: 
 + 
 +  server: 
 +    # Bind to localhost only 
 +    interface: 127.0.0.1 
 +    interface: ::1 
 +    port: 5335 
 +    do-ip4: yes 
 +    do-ip6: yes 
 +    prefer-ip6: yes 
 +    access-control: 127.0.0.0/8 allow 
 +    access-control: 0.0.0.0/0 refuse 
 +    access-control: ::0/0 refuse 
 +    # Optimize for 8 cores 
 +    num-threads:
 +    msg-cache-slabs:
 +    rrset-cache-slabs:
 +    infra-cache-slabs:
 +    key-cache-slabs:
 +    # Cache settings for high query volume 
 +    cache-max-ttl: 86400 
 +    cache-min-ttl: 3600 
 +    rrset-cache-size: 128m 
 +    msg-cache-size: 64m 
 +    key-cache-size: 32m 
 +    neg-cache-size: 8m 
 +    # Enable prefetch and expired responses 
 +    prefetch: yes 
 +    prefetch-key: yes 
 +    serve-expired: yes 
 +    serve-expired-ttl: 3600 
 +    # DNSSEC validation for DANE 
 +    #do-dnssec: yes 
 +    harden-dnssec-stripped: yes 
 +    harden-referral-path: yes 
 +    harden-below-nxdomain: yes 
 +    harden-algo-downgrade: no 
 +    # Performance tweaks 
 +    #so-rcvbuf: 4m 
 +    #so-sndbuf: 4m 
 +    edns-buffer-size: 1232 
 +    outgoing-range: 4096 
 +    num-queries-per-thread: 1024 
 +    jostle-timeout: 200 
 +    #low-resolver-mem: no 
 +    # Logging (minimal) 
 +    verbosity: 1 
 +    log-queries: no 
 +    log-replies: no 
 +    use-syslog: yes 
 +    # Security and privacy 
 +    hide-identity: yes 
 +    hide-version: yes 
 +    use-caps-for-id: yes 
 +    qname-minimisation: yes 
 +    harden-large-queries: yes 
 +    harden-glue: yes 
 +    aggressive-nsec: yes 
 +    # Protocol settings 
 +    do-tcp: yes 
 +    do-udp: yes 
 +    # Disable subnetcache 
 +    module-config: "validator iterator" 
 +   
 +It's crucial to bind unbound to 5335 since bind9 is already listening on 53. In order to have local recursive queries use unbound, we need to hijack all outbound resolver queries to ''/etc/resolv.conf'' to use 5335. To be clear, make sure ''/etc/resolv.conf'' has the following entries: 
 + 
 +  nameserver ::1 
 +  nameserver 127.0.0.1 
 + 
 +After that, adjust the ufw rules to hijack all 53 url queries and send them to 5335. Open ''/etc/ufw/before.rules'' and enter the following block at the end: 
 + 
 +<code bash> 
 +# === Added NAT table for local DNS redirection to Unbound on port 5335 === 
 +*nat 
 +:PREROUTING ACCEPT [0:0] 
 +:OUTPUT ACCEPT [0:0] 
 +:POSTROUTING ACCEPT [0:0] 
 + 
 +# Redirect local DNS queries sent to 127.0.0.1:53 → 127.0.0.1:5335 
 +-A OUTPUT -d 127.0.0.1/32 -p udp --dport 53 -j REDIRECT --to-ports 5335 
 +-A OUTPUT -d 127.0.0.1/32 -p tcp --dport 53 -j REDIRECT --to-ports 5335 
 + 
 +COMMIT 
 +# === End of added section === 
 +</code> 
 + 
 +Make sure you can ping a common website on both ipv4 and ipv6 and you should be good to go: 
 + 
 +  ping4 google.com 
 +  ping6 google.com 
 +   
 +If you are interested in setting up one of these authoritative Bind9 DNS clusters that are configured to use either CLI or the convenient webmin interface, just hit me up on Matrix. I'm available here: 
 + 
 +  * [[https://matrix.to/#/@haacksnetworking:gnulinux.club|Haack's Networking on Matrix]] 
 + 
 + --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/12/28 08:26//
computing/bind9dns.1766895498.txt.gz · Last modified: by oemb1905

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
GNU Free Documentation License 1.3 Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki