init commit

README.md

@@ -0,0 +1,16 @@
+# Bind9 config
+
+My current bind9 configuration for local datacenter.
+
+## Setup
+
+Generating tsig & rndc key for dynamic DNS updates.
+
+```bash
+tsig-keygen -a hmac-sha512 >> /etc/bind/keys.conf
+tsig-keygen -a hmac-sha512 rndc-key >> /etc/bind/keys.conf
+```
+
+## Using as a template
+
+The main files to edit are the `named.conf.local` and `zones/*` files. These are currently referencing `schleppe` as a TLD. First rename or crate a new `zones/db.[YOUR_DOMAIN_HERE]` file, then update `named.conf.local` import to reflect name change. 

db.0

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

db.127

@@ -0,0 +1,13 @@
+;
+; BIND reverse data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+1.0.0	IN	PTR	localhost.

db.255

@@ -0,0 +1,12 @@
+;
+; BIND reverse data file for broadcast zone
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

db.empty

@@ -0,0 +1,14 @@
+; BIND reverse data file for empty rfc1918 zone
+;
+; DO NOT EDIT THIS FILE - it is used for multiple zones.
+; Instead, copy it, edit named.conf, and use that copy.
+;
+$TTL	86400
+@	IN	SOA	localhost. root.localhost. (
+			      1		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			  86400 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.

db.local

@@ -0,0 +1,14 @@
+;
+; BIND data file for local loopback interface
+;
+$TTL	604800
+@	IN	SOA	localhost. root.localhost. (
+			      2		; Serial
+			 604800		; Refresh
+			  86400		; Retry
+			2419200		; Expire
+			 604800 )	; Negative Cache TTL
+;
+@	IN	NS	localhost.
+@	IN	A	127.0.0.1
+@	IN	AAAA	::1

named.conf

@@ -0,0 +1,13 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
+// structure of BIND configuration files in Debian, *BEFORE* you customize 
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+include "/etc/bind/named.conf.default-zones";
+include "/etc/bind/named.conf.log";
+include "/etc/bind/keys.conf";

named.conf.default-zones

@@ -0,0 +1,30 @@
+// prime the server with knowledge of the root servers
+zone "." {
+	type hint;
+	file "/usr/share/dns/root.hints";
+};
+
+// be authoritative for the localhost forward and reverse zones, and for
+// broadcast zones as per RFC 1912
+
+zone "localhost" {
+	type master;
+	file "/etc/bind/db.local";
+};
+
+zone "127.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.127";
+};
+
+zone "0.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.0";
+};
+
+zone "255.in-addr.arpa" {
+	type master;
+	file "/etc/bind/db.255";
+};
+
+

named.conf.local

@@ -0,0 +1,22 @@
+controls {
+	inet 127.0.0.1 port 953
+	allow { 127.0.0.1; } keys { "rndc-key"; };
+};
+
+zone "schleppe" {
+	type master;
+	file "/etc/bind/zones/db.schleppe";
+
+	update-policy { grant tsig-key zonesub any; };
+};
+
+zone "rosendal" {
+	type master;
+	file "/etc/bind/zones/db.rosendal";
+};
+
+zone "kazan" {
+	type master;
+	file "/etc/bind/zones/db.kazan";
+};
+

named.conf.log

@@ -0,0 +1,16 @@
+logging {
+  channel bind_log {
+    file "/var/log/named/named.log" versions 3 size 5m;
+    severity debug;
+    print-category yes;
+    print-severity yes;
+    print-time yes;
+  };
+
+  category default { bind_log; };
+  category update { bind_log; };
+  category update-security { bind_log; };
+  category security { bind_log; };
+  category queries { bind_log; };
+  category lame-servers { null; };
+};

named.conf.options

@@ -0,0 +1,32 @@
+acl trustedclients {
+  10.0.0.0/24;
+  10.0.10.0/24;
+  localhost;
+  localnets;
+};
+
+options {
+  directory "/var/cache/bind";
+  forwarders {
+    1.1.1.1;
+    1.1.0.0;
+  };
+
+//  recursion no;			// disabled recursion on authoritative DNS server
+  allow-recursion { trustedclients; };
+//  allow-transfer { trustedclients; }; 	// disallow zone transfer
+  allow-query { trustedclients; };
+  allow-update { none; };
+ 
+  // dnssec-validation auto;
+  // dnssec-enable yes;
+  // dnssec-validation yes;
+  // dnssec-lookaside auto;
+
+  auth-nxdomain no;    # conform to RFC1035
+  listen-on-v6 { any; };
+
+  // hide version number.
+  version none;
+};
+

rndc.conf

@@ -0,0 +1,7 @@
+include "/etc/bind/keys.conf";
+
+options {
+	default-key "rndc-key";
+	default-server 127.0.0.1;
+	default-port 953;
+};

zones.rfc1918

@@ -0,0 +1,20 @@
+zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
+ 
+zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
+
+zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

zones/db.kazan

@@ -0,0 +1,23 @@
+$TTL 900
+@	IN	SOA	ns1	root (
+	        9		 ;<serial-number>
+	        900		 ;<time-to-refresh>
+	        900		 ;<time-to-retry>
+		604800		 ;<time-to-expire>
+	        900		 ;<minimum-TTL>
+ 
+	)		 
+
+;List Nameservers
+@	IN	NS	ns1.kazan.
+@	IN	NS	ns3.kazan.
+
+; Kubernetes cluster
+ctrlr-1		IN	A	10.0.0.170
+worker-1	IN	A	10.0.0.171
+worker-2	IN	A	10.0.0.172
+
+;Address to NS name mapping
+ns1.kazan.	IN	A	10.0.0.72
+ns3.kazan.	IN	A	10.0.0.72
+

zones/db.rosendal

@@ -0,0 +1,24 @@
+$TTL 900
+@	IN	SOA	ns1	root (
+	        9		 ;<serial-number>
+	        900		 ;<time-to-refresh>
+	        900		 ;<time-to-retry>
+		604800		 ;<time-to-expire>
+	        900		 ;<minimum-TTL>
+ 
+	)		 
+
+;List Nameservers
+@	IN	NS	ns1.schleppe.
+@	IN	NS	ns3.schleppe.
+
+;Address to name mapping
+hera.rosendal.		IN	A	10.0.0.210
+clio.rosendal.		IN	A	10.0.0.211
+shotwell.rosendal.	IN	A	10.0.0.200
+photos.rosendal.	IN	A	10.0.0.200
+
+;Address to NS name mapping
+ns1.schleppe.	IN	A	10.0.0.72
+ns3.schleppe.	IN	A	10.0.0.72
+

zones/db.schleppe

@@ -0,0 +1,98 @@
+$ORIGIN .
+$TTL 900	; 15 minutes
+schleppe		IN SOA	ns1.schleppe. root.schleppe. (
+				28         ; serial
+				900        ; refresh (15 minutes)
+				900        ; retry (15 minutes)
+				604800     ; expire (1 week)
+				900        ; minimum (15 minutes)
+				)
+			NS	ns1.schleppe.
+			NS	ns2.schleppe.
+$ORIGIN schleppe.
+ns1			A	10.0.0.72
+ns2			A	10.0.0.98
+adam			A	10.0.0.78
+adtech			A	10.0.0.122
+allerlottis		A	10.0.0.31
+ambrosia		A	10.0.0.50
+anna			A	10.0.0.40
+ansible			A	10.0.0.56
+apc			A	10.0.0.8
+apocalypse		A	10.0.0.97
+apollo			A	10.0.0.60
+argus			A	10.0.0.136
+bestprojectever		A	10.0.0.129
+bifrost			A	10.0.0.53
+bitwarden		A	10.0.0.138
+blog			A	10.0.0.59
+bragi			A	10.0.0.76
+brewpi			A	10.0.0.102
+castdeck		A	10.0.0.57
+cerberus		A	10.0.0.80
+chip			A	10.0.0.101
+clio			A	10.0.0.77
+deichman		A	10.0.0.120
+drone			A	10.0.0.62
+duplicati		A	10.0.0.139
+elastic			A	10.0.0.55
+elastic-2		A	10.0.0.187
+elastic-3		A	10.0.0.188
+fjordmap		A	10.0.0.83
+fleet-agent-01		A	10.0.0.64
+fleet-server		A	10.0.0.63
+gambit			A	10.0.0.127
+git			A	10.0.0.37
+gjallarbru		A	10.0.0.79
+grafana			A	10.0.0.86
+headscale		A	10.0.0.143
+heimdall		A	10.0.0.30
+hitler			A	10.0.0.66
+homeassistant		A	10.0.0.82
+imgproxy		A	10.0.0.36
+immich			A	10.0.0.123
+influx			A	10.0.0.86
+irpie			A	10.0.0.100
+jelly			A	10.0.0.49
+jensmc			A	10.0.0.33
+k8s-ambrosia		A	10.0.0.151
+k8s-anna		A	10.0.0.153
+k8s-apollo		A	10.0.0.152
+k8s-cerberus		A	10.0.0.154
+k8s-lb			A	10.0.0.150
+k8s-storage		A	10.0.0.155
+kazan			A	10.0.0.150
+$ORIGIN kazan.schleppe.
+*			A	10.0.0.150
+$ORIGIN schleppe.
+kosekroken		A	10.0.0.95
+mainframe		A	10.0.0.61
+memestream		A	10.0.0.71
+mikrotik		A	10.0.0.160
+mikrotik-CRS305		A	10.0.0.160
+mikrotik-CSS326		A	10.0.0.4
+mikrotik-CSS610		A	10.0.0.5
+minecraft		A	10.0.0.65
+mondrian		A	10.0.0.32
+mosaic			A	10.0.0.38
+motd-larry		A	10.0.0.121
+planetposen		A	10.0.0.84
+plex			A	10.0.0.85
+prome			A	10.0.0.88
+router			A	10.0.0.1
+seasoned		A	10.0.0.54
+skyblock		A	10.0.0.96
+splunk			A	10.0.0.89
+tesla			A	10.0.0.35
+tibbervibber		A	10.0.0.34
+uap			A	10.0.0.3
+usw			A	10.0.0.2
+valg			A	10.0.0.87
+varnish			A	10.0.0.11
+vault			A	10.0.0.165
+vinlottis		A	10.0.0.90
+vinlottis-beta		A	10.0.0.91
+wagovipps		A	10.0.0.58
+wf-video		A	10.0.0.166
+wireguard		A	10.0.0.75
+xwiki			A	10.0.0.171