An authoritative DNS server (the one named in the SOA, start of authority, record) declares that it is authoritative for certain domain names.
This makes it easy to define lots of sub-domains without having to change anything at the registrar.
I chose to use nsd, but I could have used knot.
It is preferable to install the domain name server in a virtual machine rather than on the hypervisor, which makes backups easier.
nsd
install the nsd package available in Debian:
aptitude install nsd
We have to edit a few files, then add one additional file for each DNS zone.
nsd.conf
/etc/nsd/nsd.conf:
# NSD configuration file for Debian.
#
# See the nsd.conf(5) man page.
#
# See /usr/share/doc/nsd/examples/nsd.conf for a commented
# reference config file.

server:
    # log only to syslog.
    log-only-syslog: yes

    ip-address: 2a02:8428:753:5002:97dc:9048:0:53
    ip-address: 192.168.1.7

    # use this number of cpu cores
    server-count: 1

    # We recommend leaving this empty, otherwise use "/var/db/nsd/nsd.db"
    database: ""

    # the default file used for the nsd-control addzone and delzone commands
    # zonelistfile: "/var/db/nsd/zone.list"

    # The unprivileged user that will run NSD, can also be set to "" if
    # user privilege protection is not needed
    username: nsd

    # Default file where all the log messages go
    #logfile: "/var/log/nsd.log"

    # Use this pid file instead of the platform specific default
    pidfile: "/var/run/nsd.pid"

    # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
    hide-version: yes
    hide-identity: yes

    # Enable if privilege "jail" is needed for unprivileged user. Note
    # that other file paths may break when using chroot
    # chroot: "/etc/nsd/"

    # The default zone transfer file
    # xfrdfile: "/var/db/nsd/xfrd.state"

    # The default working directory before accessing zone files
    # zonesdir: "/etc/nsd"

# The following line includes additional configuration files from the
# /etc/nsd/nsd.conf.d directory.
include: "/etc/nsd/nsd.conf.d/*.conf"
We then add one zone file per zone; in my case I have a zone for err404.numericore.com (with sub-domains such as visio.err404.numericore.com) and another zone for ikce.numericore.com.
zones.conf
/etc/nsd/nsd.conf.d/zones.conf:
zone:
    name: ikce.numericore.com
    zonefile: /etc/nsd/nsd.conf.d/ikce.numericore.com.zone

zone:
    name: err404.numericore.com
    zonefile: /etc/nsd/nsd.conf.d/err404.numericore.com.zone
err404.numericore.com.zone
Beware, there is a trap that kept me stuck for quite a long time: in the line
@ IN SOA ns.err404.numericore.com. err404.numericore.com.
the second field, err404.numericore.com., is not a host name but an e-mail address (the first dot stands for the @, so it means err404@numericore.com).
Also be careful not to forget the trailing period after fully qualified domain names; without it the name is treated as relative and $ORIGIN is appended to it.
I use public IPs:
- for IPv4, I use the box's public IP and redirect port 53 to the machine hosting my DNS service
- for IPv6, I directly give the public IPv6 address of the machine hosting my DNS service
The line containing Serial is simply a serial number that must be strictly increasing each time the file is updated, so the usual convention is the current date followed by a counter, as in 2021042514 below.
/etc/nsd/nsd.conf.d/err404.numericore.com.zone:
$ORIGIN err404.numericore.com.
$TTL 7200
@ IN SOA ns.err404.numericore.com. err404.numericore.com. (
        2021042514 ; Serial
        7200       ; Refresh
        1800       ; Retry
        1209600    ; Expire
        86400 )    ; Minimum

; NAMESERVERS
@     IN NS   ns.err404.numericore.com.
ns    IN A    77.129.238.159
ns    IN AAAA 2a02:8428:753:5002:97dc:9048:0:53

; A RECORDS
@     A    77.129.238.159
@     AAAA 2a02:8428:753:5002:fcb3:ff:fe8a:3b80
visio A    77.129.238.159
visio AAAA 2a02:8428:753:5002:fcb3:ff:fe8a:3b80
$ORIGIN err404.numericore.com. acts as a variable for the rest of the file: @ is replaced by the value of $ORIGIN, and relative names such as visio are completed with it, so the records above define the IPs of err404.numericore.com and visio.err404.numericore.com.
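As an added example (my own code, not from the original page or the nsd project), a small Python checker for the three pitfalls described above: the SOA RNAME being a mailbox rather than a host name, the trailing dot on names in SOA/NS records, and a Serial that must strictly increase. The zone text is a constructed sample based on the file above, with one NS target deliberately missing its dot.

```python
import re
from datetime import date
# Constructed sample (not the page's file): the SOA above plus an NS target missing its dot.
ZONE = """\
$ORIGIN err404.numericore.com.
@ IN SOA ns.err404.numericore.com. err404.numericore.com. (
        2021042514 ; Serial
        7200       ; Refresh
        1800       ; Retry
        1209600    ; Expire
        86400 )    ; Minimum
@     IN NS   ns.err404.numericore.com
"""

def parse_soa(text):
    """Return (MNAME, RNAME, serial); ';' comments are dropped and lines joined first."""
    flat = " ".join(re.sub(r";.*", "", line) for line in text.splitlines())
    m = re.search(r"\bSOA\s+(\S+)\s+(\S+)\s*\(\s*(\d+)", flat)
    if not m:
        raise ValueError("no SOA record found")
    return m.group(1), m.group(2), int(m.group(3))

def rname_to_email(rname):
    """RNAME is a mailbox: the first dot stands for '@', the trailing dot is dropped."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"

def unqualified_targets(text):
    """SOA/NS target names without a trailing dot; nsd would append $ORIGIN to them."""
    bad = []
    for line in text.splitlines():
        fields = re.sub(r";.*", "", line).split()
        for i, f in enumerate(fields):
            if f in ("SOA", "NS"):
                names = fields[i + 1:i + 3] if f == "SOA" else fields[i + 1:i + 2]
                bad += [n for n in names if not n.endswith(".")]
    return bad

def next_serial(previous, today=None):
    """Date-based serial YYYYMMDDnn, guaranteed strictly greater than the previous one."""
    today = today or date.today()
    return max(int(today.strftime("%Y%m%d")) * 100, previous + 1)

def check_zone(text, previous_serial):
    """Problems the text warns about: unqualified names and a serial that did not grow."""
    _, rname, serial = parse_soa(text)
    problems = [f"missing trailing dot: {n}" for n in unqualified_targets(text)]
    if serial <= previous_serial:
        problems.append(f"serial {serial} must exceed {previous_serial}")
    return rname_to_email(rname), serial, problems
```

Run check_zone on the real file with the serial currently served before reloading nsd; an empty problem list means the two traps above were avoided.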
the box
And finally, on the box (the ISP router), redirect port 53 (UDP and TCP) to the IP of the machine hosting the authoritative DNS server.