DNS Configuration
This page is meant as a few hints on how to make your bind DNS configuration pass the ZoneCheck tests without any warnings.
Default IPv4 zones
RFC1912 recommends adding a few default zones to prevent unnecessary requests going to the root servers:
zone "0.in-addr.arpa" IN {
        type master;
        file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" IN {
        type master;
        file "/etc/bind/db.255";
};
zone "localhost" IN {
        type master;
        file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" IN {
        type master;
        file "/etc/bind/db.127";
};
The zone files may look something like this. Note that the serial number and timer values do not matter much, since every DNS server is supposed to be configured as a master for these zones and there will never be any slaves to transfer them to. (Newer bind versions also accept "type primary" as a synonym for "type master".) Check each file with named-checkzone, e.g. "named-checkzone localhost /etc/bind/db.local", before reloading named.
db.0
$TTL 604800
@       IN      SOA     localhost. root.localhost. (
                        1               ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
        NS      localhost.
db.255
$TTL 604800
@       IN      SOA     localhost. root.localhost. (
                        1               ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
        NS      localhost.
db.local
$TTL 604800
@       IN      SOA     localhost. root.localhost. (
                        1               ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
        NS      localhost.
        A       127.0.0.1
db.127
$TTL 604800
@       IN      SOA     localhost. root.localhost. (
                        1               ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
        NS      localhost.
1.0.0   PTR     localhost.
A note on bind 9.4.1 and newer
Recent versions of bind ship with a few built-in empty zones, which makes the explicit configuration above less necessary: the defaults stop these bind versions from sending the most common of these queries to the root servers. Note that a locally defined zone overrides a built-in zone of the same name, but not a built-in that is more specific (i.e. below your zone in the tree)! At startup named logs every built-in it activates as "automatic empty zone: <name>", which is the easiest way to see what your version provides and whether one of your own zones has replaced a built-in.
See http://www.isc.org/sw/bind/arm94/Bv9ARM.ch06.html#empty for the current list of empty zones, but be aware that this list may change with bind versions.
Default IPv6 zones
For IPv6 you need to add a reverse zone for the loopback address ::1 and also update the forward "localhost." zone with an AAAA record pointing to ::1.
Some versions of bind ship 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa as a built-in empty zone. This means that you must define exactly this zone if you want ::1 to resolve to the name "localhost"; with these bind versions any less specific zone definition will not work. After reloading, "dig -x ::1 @127.0.0.1 +short" should print "localhost."; an empty answer means the built-in empty zone is still being served.
This adds the IPv6 reverse loopback zone:
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
        type master;
        file "/etc/bind/db.ipv6-rev-loopback";
};
db.local
$TTL 604800
@       IN      SOA     localhost. root.localhost. (
                        1               ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
        NS      localhost.
        A       127.0.0.1
        AAAA    ::1
db.ipv6-rev-loopback
$TTL 604800
@       IN      SOA     localhost. root.localhost. (
                        1               ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
        NS      localhost.
        PTR     localhost.
Empty zones
Note that bind 9.4.x also ships a few other built-in empty IPv6 reverse zones, so that queries for address ranges that should never be resolved on the Internet do not travel all the way to the root servers; bind 9.4.x or newer is therefore recommended when using IPv6. Users of other servers or of older bind versions can add these empty zones manually. The current list of built-in zones in bind 9.4.x can be found at http://www.isc.org/sw/bind/arm94/Bv9ARM.ch06.html#empty
Example zone definitions for earlier bind versions:
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
        type master;
        file "/etc/bind/db.empty";
};
zone "D.F.IP6.ARPA" {
        type master;
        file "/etc/bind/db.empty";
};
zone "8.E.F.IP6.ARPA" {
        type master;
        file "/etc/bind/db.empty";
};
zone "9.E.F.IP6.ARPA" {
        type master;
        file "/etc/bind/db.empty";
};
zone "A.E.F.IP6.ARPA" {
        type master;
        file "/etc/bind/db.empty";
};
zone "B.E.F.IP6.ARPA" {
        type master;
        file "/etc/bind/db.empty";
};
db.empty
$TTL 604800
@       IN      SOA     localhost. root.localhost. (
                        1               ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
        NS      localhost.
Adding your own IPv6 data
First: Read the SixXS staff's thoughts on DNS Pollution: http://www.sixxs.net/faq/sixxs/?faq=dnsspam
This is really as simple as following the hints from the default zones above. Let's say you've got the subnet 2001:0db8:beef::/48 and want reverse DNS to resolve. You'll then need to add the zone
zone "f.e.e.b.8.b.d.0.1.0.0.2.ip6.arpa" {
        type master;
        file "master/2001:0db8:beef";
};
Note that some older documents may refer to ip6.int. This is now deprecated.
The zone files look a lot like their IPv4 counterparts: mostly PTR records. The main difference is the number of labels, one for every nibble (4 bits) of the address, a total of 34(!) labels once the "ip6.arpa" suffix is included. You can save yourself a lot of work and confusion by using $ORIGIN wisely, and by adding comments that state which prefix each $ORIGIN is meant to map from.
An example master/2001:0db8:beef
;; 2001:0db8:beef::/48
$TTL 6H
@       IN      SOA     ns1.example.com. hostmaster.example.com. (
                        2008012400      ; Serial
                        10H             ; refresh
                        3H              ; retry
                        1W              ; expire
                        1D )            ; minimum
        NS      ns1.example.com.
        NS      ns2.example.com.

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.5.0.0 PTR     ns1.example.com.        ;; 2001:0db8:beef:53::1

;; 2001:0db8:beef::/64
$ORIGIN 0.0.0.0.f.e.e.b.8.b.d.0.1.0.0.2.ip6.arpa.
d.a.b.0.d.a.b.0.d.a.b.0.d.a.b.0 PTR     reallybad.example.com.
d.a.e.d.0.0.0.0.0.0.0.0.0.0.0.0 PTR     somewhatdead.example.com.

;; 2001:0db8:beef:2::/120
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.f.e.e.b.8.b.d.0.1.0.0.2.ip6.arpa.
1.0     PTR     foo.example.com.        ;; 2001:0db8:beef:2::1
2.0     PTR     bar.example.com.        ;; 2001:0db8:beef:2::2
Corresponding forward zone
;; $ORIGIN example.com.
$TTL 6H
@       IN      SOA     ns1 hostmaster (
                        2008012400      ; Serial
                        10H             ; refresh
                        3H              ; retry
                        1W              ; expire
                        1D )            ; minimum
        NS      ns1
        NS      ns2
ns1             A       192.168.3.1
                AAAA    2001:0db8:beef:53::1
ns2             A       10.1.2.3
                AAAA    2001:0db8:f00f::3
foo             AAAA    2001:0db8:beef:2::1
bar             AAAA    2001:0db8:beef:2::2
reallybad       AAAA    2001:0db8:beef::bad:bad:bad:bad
somewhatdead    AAAA    2001:0db8:beef::dead
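Working out the reversed nibble labels by hand is where most mistakes in these files are made, and a PTR that does not match its AAAA is exactly what ZoneCheck complains about. The following Python is an added example, not code from the original page or from bind: it takes the AAAA records of the forward zone above (copied here as constructed sample data), derives the ip6.arpa names with the standard library's ipaddress module, and emits the reverse records for 2001:0db8:beef::/48 in the same $ORIGIN-per-prefix layout as the master file above. The function names and the list of sub-prefixes that get their own $ORIGIN line are assumptions made for the illustration; the address of ns2 is deliberately outside the /48 to show that such records must be skipped rather than written into the wrong zone.

```python
"""Derive ip6.arpa PTR records from forward AAAA data.

Added example for this page (not code from the original page or from bind):
it reproduces the $ORIGIN-per-prefix layout of the reverse zone shown above
from the AAAA records of the forward zone, so the 32 nibble labels are never
typed by hand.  Only the Python standard library is used.
"""
import ipaddress

# Constructed sample data: the AAAA records of the example.com forward zone.
AAAA_RECORDS = {
    "ns1.example.com.": "2001:0db8:beef:53::1",
    "ns2.example.com.": "2001:0db8:f00f::3",  # outside 2001:0db8:beef::/48
    "foo.example.com.": "2001:0db8:beef:2::1",
    "bar.example.com.": "2001:0db8:beef:2::2",
    "reallybad.example.com.": "2001:0db8:beef::bad:bad:bad:bad",
    "somewhatdead.example.com.": "2001:0db8:beef::dead",
}

# Assumed sub-prefixes that get their own $ORIGIN line, as in the page's file.
SUB_PREFIXES = ["2001:0db8:beef::/64", "2001:0db8:beef:2::/120"]


def nibbles(addr):
    """All 32 hex digits of an IPv6 address, most significant first."""
    return ipaddress.IPv6Address(str(addr)).exploded.replace(":", "")


def ip6_arpa_zone(prefix):
    """Reverse zone name of a nibble-aligned prefix, e.g. 2001:0db8:beef::/48
    becomes 'f.e.e.b.8.b.d.0.1.0.0.2.ip6.arpa.' (a /45 cannot be expressed)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa zones can only be cut on nibble boundaries")
    fixed = nibbles(net.network_address)[: net.prefixlen // 4]
    return ".".join(reversed(fixed)) + ".ip6.arpa."


def relative_owner(addr, prefix):
    """Owner of addr's PTR record relative to the zone for prefix: the
    remaining nibbles, least significant first, without the origin."""
    net = ipaddress.IPv6Network(prefix)
    if ipaddress.IPv6Address(addr) not in net:
        raise ValueError(f"{addr} is not inside {prefix}")
    return ".".join(reversed(nibbles(addr)[net.prefixlen // 4 :]))


def reverse_zone_body(zone_prefix, sub_prefixes, records):
    """Return the PTR lines for every record inside zone_prefix.  Records that
    fall into one of sub_prefixes (most specific wins) are written below a
    $ORIGIN line for that prefix so their owners stay short; anything else is
    written relative to the zone apex.  Addresses outside the zone are skipped,
    since their PTR records belong in another reverse zone."""
    zone = ipaddress.IPv6Network(zone_prefix)
    subs = sorted((ipaddress.IPv6Network(p) for p in sub_prefixes),
                  key=lambda n: n.prefixlen, reverse=True)
    groups = {net: [] for net in [zone] + subs}
    for name, addr in sorted(records.items(),
                             key=lambda kv: ipaddress.IPv6Address(kv[1])):
        ip = ipaddress.IPv6Address(addr)
        if ip not in zone:
            continue
        bucket = next((s for s in subs if ip in s), zone)
        groups[bucket].append((name, addr))
    lines = []
    for net in [zone] + sorted(subs, key=lambda n: n.prefixlen):
        if not groups[net]:
            continue
        if net != zone:
            lines.append(f";; {net}")
            lines.append(f"$ORIGIN {ip6_arpa_zone(str(net))}")
        for name, addr in groups[net]:
            lines.append(f"{relative_owner(addr, str(net))}  PTR {name}  ;; {addr}")
    return lines


if __name__ == "__main__":
    print("\n".join(reverse_zone_body("2001:0db8:beef::/48",
                                      SUB_PREFIXES, AAAA_RECORDS)))
```

Paste the output below the SOA and NS records of the reverse zone, bump the serial, and run named-checkzone on the result; because every owner is computed from the same AAAA data the forward zone serves, the PTR and AAAA records cannot drift apart.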