Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Users Search
Help Dashboard Sign In Sign Up
Q&A Meta
Q&A
Posts Tags Edits
Ask Question

Post History

75%
+4 −0
Q&A How do I set up my own DNS on my LAN, with delegation of public domains?

What you describe is a typical mixed authoritative/recursive resolver setup. Such a DNS server setup will respond from its own data about zones for which it has explicit configuration, and will per...

posted 10mo ago by Canina‭  ·  edited 10mo ago by Canina‭

Answer
#3: Post edited by user avatar Canina‭ · 2023-07-22T10:47:04Z (10 months ago)
  • **What you describe is a typical mixed authoritative/recursive resolver setup.**
  • Exactly how to set it up depends on the DNS server software you're running; for example, `BIND` is going to be different from `dnsmasq` is going to be different from `Unbound`. The general approach, however, is the same. (It's also worth noting that no proper DNS server will see host names listed in `/etc/hosts`.)
  • First, set up your choice of DNS server software in a "recursive resolver" configuration. [For example, with BIND](https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-allow-recursion), you'll likely want to add something like `allow-recursion { 192.168.1.0/24; };` to the `options {}` block of your `named.conf`. Take care to not enable recursion for hosts that should not be allowed to use your DNS resolver for recursive queries.
  • Second, choose a zone in which to group your local hosts, and add that. If you don't know what zone name to choose, I strongly recommend `home.arpa` ([RFC 8375](https://tools.ietf.org/html/rfc8375)). Again, with BIND as an example, add to `named.conf` *outside* of the `options {}` block a [`zone`](https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-zone) block:
  • zone "home.arpa" {
  • type master;
  • allow-transfer { none; };
  • file "home.arpa.db";
  • };
  • Then create a `home.arpa.db` file which lists the hosts in question. The simplest incarnation of this can be something similar to:
  • @ SOA ns . 1 300 300 2592000 30
  • @ NS ns
  • ns A 192.168.1.123 ; the IP address of your DNS server machine
  • phone A 192.168.1.99
  • desktop A 192.168.1.33
  • printer A 192.168.1.44
  • laptop A 192.168.1.55
  • ; ... and so on ...
  • If you are only running a single DNS server for the zone, the only number in the `SOA` record that really matters is the last one, which is the negative response time-to-live (expressed in seconds); it controls how long "no such host" responses are cached by caching downstream resolvers. The first number in the `SOA` record (the `1`) is the zone serial number; increment it when you make changes to the zone data.
  • Once you have the DNS zone set up, perform whatever magic is required to make your DNS server software (re)load it. Again BIND as an example, this might be `rndc reload`. Check your system logs to ensure that no errors are reported.
  • You can then experiment a little with `dig` to check that things are working properly (`+norec` means "no recursion"; `+short` causes printing only of the relevant portion of the response, in this case an IPv4 address since we ask for `A` records):
  • $ dig @192.168.1.123 phone.home.arpa a +short +norec
  • 192.168.1.99
  • $ dig @192.168.1.123 linux.codidact.com a +short
  • ...
  • $
  • This can be expanded upon to allow for example dynamic updates, but if you are contemplating using `/etc/hosts`, the above will get you much the same results.
  • **What you describe is a typical mixed authoritative/recursive resolver setup.** Such a DNS server setup will respond from its own data about zones for which it has explicit configuration, and will perform recursive resolution for any other names on behalf of clients.
  • Exactly how to set it up depends on the DNS server software you're running; for example, `BIND` is going to be different from `dnsmasq` is going to be different from `Unbound`. The general approach, however, is the same. (It's also worth noting that no proper DNS server will see host names listed in `/etc/hosts`.)
  • First, set up your choice of DNS server software in a "recursive resolver" configuration. [For example, with BIND](https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-allow-recursion), you'll likely want to add something like `allow-recursion { 192.168.1.0/24; };` to the `options {}` block of your `named.conf`. Take care to not enable recursion for hosts that should not be allowed to use your DNS resolver for recursive queries.
  • Second, choose a zone in which to group your local hosts, and add that. If you don't know what zone name to choose, I strongly recommend `home.arpa` ([RFC 8375](https://tools.ietf.org/html/rfc8375)). Again, with BIND as an example, add to `named.conf` *outside* of the `options {}` block a [`zone`](https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-zone) block:
  • zone "home.arpa" {
  • type master;
  • allow-transfer { none; };
  • file "home.arpa.db";
  • };
  • Then create a `home.arpa.db` file which lists the hosts in question. The simplest incarnation of this can be something similar to:
  • @ SOA ns . 1 300 300 2592000 30
  • @ NS ns
  • ns A 192.168.1.123 ; the IP address of your DNS server machine
  • phone A 192.168.1.99
  • desktop A 192.168.1.33
  • printer A 192.168.1.44
  • laptop A 192.168.1.55
  • ; ... and so on ...
  • If you are only running a single DNS server for the zone, the only number in the `SOA` record that really matters is the last one, which is the negative response time-to-live (expressed in seconds); it controls how long "no such host" responses are cached by caching downstream resolvers. The first number in the `SOA` record (the `1`) is the zone serial number; increment it when you make changes to the zone data.
  • Once you have the DNS zone set up, perform whatever magic is required to make your DNS server software (re)load it. Again BIND as an example, this might be `rndc reload`. Check your system logs to ensure that no errors are reported.
  • You can then experiment a little with `dig` to check that things are working properly (`+norec` means "no recursion"; `+short` causes printing only of the relevant portion of the response, in this case an IPv4 address since we ask for `A` records):
  • $ dig @192.168.1.123 phone.home.arpa a +short +norec
  • 192.168.1.99
  • $ dig @192.168.1.123 linux.codidact.com a +short
  • ...
  • $
  • This can be expanded upon to allow for example dynamic updates, but if you are contemplating using `/etc/hosts`, the above will get you much the same results.
#2: Post edited by user avatar Canina‭ · 2023-07-22T10:45:30Z (10 months ago)
Can't believe I forgot the SOA and NS RRs
  • **What you describe is a typical mixed authoritative/recursive resolver setup.**
  • Exactly how to set it up depends on the DNS server software you're running; for example, `BIND` is going to be different from `dnsmasq` is going to be different from `Unbound`. The general approach, however, is the same. (It's also worth noting that no proper DNS server will see host names listed in `/etc/hosts`.)
  • First, set up your choice of DNS server software in a "recursive resolver" configuration. [For example, with BIND](https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-allow-recursion), you'll likely want to add something like `allow-recursion { 192.168.1.0/24; };` to the `options {}` block of your `named.conf`. Take care to not enable recursion for hosts that should not be allowed to use your DNS resolver for recursive queries.
  • Second, choose a zone in which to group your local hosts, and add that. If you don't know what zone name to choose, I strongly recommend `home.arpa` ([RFC 8375](https://tools.ietf.org/html/rfc8375)). Again, with BIND as an example, add to `named.conf` *outside* of the `options {}` block a [`zone`](https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-zone) block:
  • zone "home.arpa" {
  • type master;
  • allow-transfer { none; };
  • file "home.arpa.db";
  • }
  • Then create a `home.arpa.db` file which lists the hosts in question. The simplest incarnation of this can be something similar to:
  • phone A 192.168.1.99
  • desktop A 192.168.1.33
  • printer A 192.168.1.44
  • laptop A 192.168.1.55
  • ; ... and so on ...
  • Once you have the DNS zone set up, perform whatever magic is required to make your DNS server software (re)load it. Again BIND as an example, this might be `rndc reload`. Check your system logs to ensure that no errors are reported.
  • You can then experiment a little with `dig` to check that things are working properly (`+norec` means "no recursion"; `+short` causes printing only of the relevant portion of the response, in this case an IPv4 address since we ask for `A` records):
  • $ dig @192.168.1.123 phone.home.arpa a +short +norec
  • 192.168.1.99
  • $ dig @192.168.1.123 linux.codidact.com a +short
  • ...
  • $
  • This can be expanded upon to allow for example dynamic updates, but if you are contemplating using `/etc/hosts`, the above will get you much the same results.
  • **What you describe is a typical mixed authoritative/recursive resolver setup.**
  • Exactly how to set it up depends on the DNS server software you're running; for example, `BIND` is going to be different from `dnsmasq` is going to be different from `Unbound`. The general approach, however, is the same. (It's also worth noting that no proper DNS server will see host names listed in `/etc/hosts`.)
  • First, set up your choice of DNS server software in a "recursive resolver" configuration. [For example, with BIND](https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-allow-recursion), you'll likely want to add something like `allow-recursion { 192.168.1.0/24; };` to the `options {}` block of your `named.conf`. Take care to not enable recursion for hosts that should not be allowed to use your DNS resolver for recursive queries.
  • Second, choose a zone in which to group your local hosts, and add that. If you don't know what zone name to choose, I strongly recommend `home.arpa` ([RFC 8375](https://tools.ietf.org/html/rfc8375)). Again, with BIND as an example, add to `named.conf` *outside* of the `options {}` block a [`zone`](https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-zone) block:
  • zone "home.arpa" {
  • type master;
  • allow-transfer { none; };
  • file "home.arpa.db";
  • };
  • Then create a `home.arpa.db` file which lists the hosts in question. The simplest incarnation of this can be something similar to:
  • @ SOA ns . 1 300 300 2592000 30
  • @ NS ns
  • ns A 192.168.1.123 ; the IP address of your DNS server machine
  • phone A 192.168.1.99
  • desktop A 192.168.1.33
  • printer A 192.168.1.44
  • laptop A 192.168.1.55
  • ; ... and so on ...
  • If you are only running a single DNS server for the zone, the only number in the `SOA` record that really matters is the last one, which is the negative response time-to-live (expressed in seconds); it controls how long "no such host" responses are cached by caching downstream resolvers. The first number in the `SOA` record (the `1`) is the zone serial number; increment it when you make changes to the zone data.
  • Once you have the DNS zone set up, perform whatever magic is required to make your DNS server software (re)load it. Again BIND as an example, this might be `rndc reload`. Check your system logs to ensure that no errors are reported.
  • You can then experiment a little with `dig` to check that things are working properly (`+norec` means "no recursion"; `+short` causes printing only of the relevant portion of the response, in this case an IPv4 address since we ask for `A` records):
  • $ dig @192.168.1.123 phone.home.arpa a +short +norec
  • 192.168.1.99
  • $ dig @192.168.1.123 linux.codidact.com a +short
  • ...
  • $
  • This can be expanded upon to allow for example dynamic updates, but if you are contemplating using `/etc/hosts`, the above will get you much the same results.
#1: Initial revision by user avatar Canina‭ · 2023-07-21T18:36:31Z (10 months ago) 
**What you describe is a typical mixed authoritative/recursive resolver setup.**

Exactly how to set it up depends on the DNS server software you're running; for example, `BIND` is going to be different from `dnsmasq` is going to be different from `Unbound`. The general approach, however, is the same. (It's also worth noting that no proper DNS server will see host names listed in `/etc/hosts`.)

First, set up your choice of DNS server software in a "recursive resolver" configuration. [For example, with BIND](https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-allow-recursion), you'll likely want to add something like `allow-recursion { 192.168.1.0/24; };` to the `options {}` block of your `named.conf`. Take care to not enable recursion for hosts that should not be allowed to use your DNS resolver for recursive queries.

Second, choose a zone in which to group your local hosts, and add that. If you don't know what zone name to choose, I strongly recommend `home.arpa` ([RFC 8375](https://tools.ietf.org/html/rfc8375)). Again, with BIND as an example, add to `named.conf` *outside* of the `options {}` block a [`zone`](https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-zone) block:

    zone "home.arpa" {
      type master;
      allow-transfer { none; };
      file "home.arpa.db";
    }

Then create a `home.arpa.db` file which lists the hosts in question. The simplest incarnation of this can be something similar to:

    phone A 192.168.1.99
    desktop A 192.168.1.33
    printer A 192.168.1.44
    laptop A 192.168.1.55
    ; ... and so on ...

Once you have the DNS zone set up, perform whatever magic is required to make your DNS server software (re)load it. Again BIND as an example, this might be `rndc reload`. Check your system logs to ensure that no errors are reported.

You can then experiment a little with `dig` to check that things are working properly (`+norec` means "no recursion"; `+short` causes printing only of the relevant portion of the response, in this case an IPv4 address since we ask for `A` records):

    $ dig @192.168.1.123 phone.home.arpa a +short +norec
    192.168.1.99
    $ dig @192.168.1.123 linux.codidact.com a +short
    ...
    $

This can be expanded upon to allow for example dynamic updates, but if you are contemplating using `/etc/hosts`, the above will get you much the same results.