{{tag>linux router dns dhcp bind ip ipv6 radvd host dig nslookup}}

======DHCP / DNS Setup======

=====Outdated=====

I have moved my DNS and DHCP servers to Docker, see [[https://wiki.kptree.net/doku.php?id=docker_notes:docker-dns#docker_-_dns_server|Docker-DNS Server]]. I am still using ISC Bind9, but am now using ISC Kea for DHCP as ISC DHCP is no longer supported as of 2022.

++++tl;dr;|
Further to this I am now looking at backups for both these services on my local area network. Whilst these services worked reliably, whenever I shut down the router hosting the DNS/DHCP servers my LAN would stop working. Hence the need for a backup DNS. Many of my home server applications are now set up to operate over HTTPS via Traefik, and this also relies upon correct local DNS resolution, so DNS is even more critical. The DHCP server is less critical; however, all the IT equipment that relies upon DHCP will not function without this service. Most of my critical services have static IP addresses.

These notes still have some utility. I will presumably archive (tl;dr; roll-up) them eventually. Actually the router I was running these services on was totally lost when upgrading from Debian 11 to Debian 12, circa June 2023, so I had to rebuild from scratch using these various notes. This went reasonably well as the notes seemed suitable for the purpose.

This setup was primarily written in 2017 and is based upon ISC Bind9 and ISC DHCP, which are the main internet backbone software used for DNS and DHCP. I no longer use ISC DHCP as this has been formally replaced by ISC Kea (2022). ISC has a newer DHCP software called Kea that is designed to replace ISC DHCP. Kea was primarily developed around 2014-2020. They are also currently developing a monitor for Kea and Bind9 called Stork. A future plan would be to review and replace ISC DHCP with Kea and also implement Stork.
++++

===Main references used (2017)===

An interesting older resource is the BigDinosaur Blog [[https://blog.bigdinosaur.org/running-bind9-and-isc-dhcp/|Running BIND9 and ISC-DHCP]].

++Unfortunately no longer readily available, Kill-9 Ubuntu 16.04 based Router, Part 2 - DHCP| does not seem to be saved on the [[https://web.archive.org/|Wayback Machine Internet Archive]], but [[https://web.archive.org/web/20190410000003/https://killtacknine.com/building-an-ubuntu-16-04-router-part-5-dns/|Part 5 - DNS]] is. (As are [[https://web.archive.org/web/20190410005152/https://killtacknine.com/building-an-ubuntu-16-04-router-part-6-remote-access/|Building an Ubuntu 16.04 Router Part 6: Remote Access]], [[https://web.archive.org/web/20190410001839/https://killtacknine.com/building-an-ubuntu-16-04-router-part-7-proxies-and-caching//|Building an Ubuntu 16.04 Router Part 7: Proxies and Caching]] & [[https://web.archive.org/web/20190410000841/https://killtacknine.com/building-an-ubuntu-16-04-router-part-8-monitoring/|Building an Ubuntu 16.04 Router Part 8: Monitoring]]. It looks like only parts 2 and 3 are missing.)++

Another reference is Lani's Weblog - Make your [[https://lani78.com/2012/07/23/make-your-dhcp-server-dynamically-update-your-dns-records-on-ubuntu-12-04-precise-pangolin/|DHCP server dynamically update your DNS records]] on Ubuntu 12.04 (Precise Pangolin).
Also dragon.org.uk [[https://blogging.dragon.org.uk/dns-bind9-dhcp-ubuntu-16-04-2/|DNS with bind9 and DHCP on Ubuntu 16.04]].

  * [[https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-debian-9|How To Configure BIND as a Private Network DNS Server on Debian 9]]
  * [[https://computingforgeeks.com/configure-slave-bind-dns-server-on-debian/|Configure BIND Slave DNS Server on Debian 11 | Debian 10]]
  * [[https://www.lisenet.com/2018/configure-dhcp-failover-with-dynamic-dns-on-centos-7/|Configure DHCP Failover with Dynamic DNS on CentOS 7]]
  * [[https://mindref.blogspot.com/2010/12/debian-dhcp-failover.html|Debian DHCP server failover]]
  * [[https://www.zytrax.com/books/dns/|DNS for Rocket Scientists]] - <fc #9400d3>This is a good general description</fc>

=====DNS Setup=====

First install, or ensure already installed, the DNS server software: ''sudo apt install bind9''

Next check the named.conf configuration file, ''less /etc/bind/named.conf''. This can remain as default, as shown below. However, the configuration files it includes will need to be set up. We first copy the existing files so the defaults are kept:
  * ''sudo cp /etc/bind/named.conf.options /etc/bind/default.named.conf.options''
  * ''sudo cp /etc/bind/named.conf.local /etc/bind/default.named.conf.local''
  * ''sudo cp /etc/bind/named.conf.default-zones /etc/bind/default.named.conf.default-zones''

====Bind9 Control Nomenclature====

There are a number of "names" used with bind9 DNS:
  * "bind9" is the DNS software, known as isc-bind9; systemctl in some Linux distributions refers to the service as bind9.service.
  * "named" is the normal name of the isc-bind9 binary that is called to start the application.
  * "rndc" is an application used to control a running bind9 instance, e.g. ''rndc reload'' to reload the configuration.

====Setting Bind9 to IPv4 Mode====

''sudo vim /etc/default/bind9'' or ''sudo vim /etc/default/named'', and set the following parameter: ''OPTIONS="-u bind -4"''

====named.conf====

The ''/etc/bind/named.conf'' is not changed, and should look as below.

++++named.conf|
<code>
// Default contents of /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
</code>
++++

Next modify the named.conf.options configuration file, ''sudo vim /etc/bind/named.conf.options'', as noted below.

++++named.conf.options|
<code>
options {
    directory "/var/cache/bind";
    auth-nxdomain no;    # conform to RFC1035
    forwarders {
        9.9.9.9;
        1.1.1.1;
        1.0.0.1;
        //208.67.222.222;
        //208.67.220.220;
    };
    allow-query { 192.168.1/24; 127.0.0.1; };
    allow-transfer { 192.168.1/24; 127.0.0.1; };
    // listen-on-v6 { any; };
};
</code>
++++

The forwarders section contains the DNS servers to be queried if this DNS server does not have the record. I had been using OpenDNS, IP 208.67.222.222 and 208.67.220.220, for some free security screening; I have stopped using these. Quad9, IP 9.9.9.9, provides some protection against bad web sites, as do 1.1.1.1 and 1.0.0.1. Another common option is to use Google DNS at 8.8.8.8 and 8.8.4.4. I avoid using Google products as there is something unclean about free services that extract value by tracking you.

====rndc-key====

Next create a cryptographic key file using ''sudo /usr/sbin/rndc-confgen -a''; note that this command can take quite some time to complete, a number of minutes. The command produces the key file ''/etc/bind/rndc.key''.
++++rndc.key|
<code>
key "rndc-key" {
    algorithm hmac-md5;
    secret "LBLC2Dg8v6hYNE/ecnd6Ag==";
};
</code>
++++

Configure the DNS zones, ''sudo vim /etc/bind/named.conf.local'':

++++named.conf.local|
<code>
key "rndc-key" {
    algorithm hmac-md5;
    secret "LBLC2Dg8v6hYNE/ecnd6Ag==";
};

zone "kptree.net" {
    type master;
    file "/var/lib/bind/db.kptree.net";
    allow-update { key rndc-key; };
};

zone "168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.168.192";
    allow-update { key rndc-key; };
};
</code>
++++

====lookup zone definition file====

Modify the forward lookup zone definition file, ''sudo vim /var/lib/bind/db.kptree.net'':

++++db.kptree.net|
<code>
; This line indicates that the object we're configuring below (in this case,
; kptree.net) has its origin at the "." domain. "." is the root domain
; from which all the TLDs branch.
; Note the comment character is ; not the usual #
$ORIGIN .
; Next line defines the DNS time-to-live setting
$TTL 907200     ; 1 week 3 days 12 hours
; The next set of lines are the "Start of Authority" record and define
; important info about the domain. In my case, we're defining kptree.net,
; saying that router.kptree.net is its source host and that root@kptree.net
; is the domain maintainer. For the e-mail address, we use a dot instead of an @.
; The lines after that define the zone serial number, which is used to
; keep track of when the zone file was modified, and then some intervals
; which you can leave as default.
kptree.net      IN SOA  router.kptree.net. root.kptree.net. (
                        2019072101 ; serial
                        10800      ; refresh (3 hours)
                        3600       ; retry (1 hour)
                        604800     ; expire (1 week)
                        38400      ; minimum (10 hours 40 minutes)
                        )
; Next, we define the hosts necessary to make the domain function. First,
; we add an "NS Record" to define the domain's name server...
                NS      router.kptree.net.
; ...then an "A Record" for the domain server's IP address...
                A       192.168.1.12    ; This is the LAN address of the html server
                                        ; that is hairpin NATed
; ...and finally "MX Records" so that e-mail for the domain's e-mail
; addresses goes to the right place.
                MX      00 mail.kptree.net.
;
; NOTE THE TRAILING PERIODS. THEY ARE EXTREMELY IMPORTANT.
;
;
; Now we're ready to begin adding hosts, but first we need another origin
; statement to indicate that the hosts added below originate not from ".",
; like the domain itself; rather, they originate from "kptree.net".
;
$ORIGIN kptree.net.
;
; Again, NOTE THE TRAILING PERIOD.
; Now we add A records for the non-DHCP hosts in the domain:
router          A       192.168.1.1
;switch         A       192.168.1.3     ; This managed switch was bricked a while ago.
kptreeserver    A       192.168.1.5
mediaserver     A       192.168.1.7
wiki            A       192.168.1.9
kpts            A       192.168.1.10
cloud           A       192.168.1.11
www             A       192.168.1.12    ; www is directed to the html server
wwwserver       A       192.168.1.12
;photo          A       192.168.1.16    ; photo is directed to the html server
;photoserver    A       192.168.1.17
mail            A       192.168.1.12    ; mail is directed to the html server
mailserver      A       192.168.1.18
; There seems to be no white space allowed before the name.
</code>
++++

**Note:** //To allow all LAN traffic to flow correctly to the html server, and be reverse-proxied on to the sub-domain servers, the DNS origin and all sub-domains must point to the main html server.//

====define reverse zone====

Define the reverse zone, ''sudo vim /var/lib/bind/db.168.192'':

++++db.168.192|
<code>
; Again, we have an origin record and a TTL entry...
$ORIGIN .
$TTL 907200     ; 1 week 3 days 12 hours
; Note the name of the reverse domain, "168.192.in-addr.arpa" (the network
; octets reversed under in-addr.arpa). This is a special name format used
; only by reverse lookup domains.
168.192.in-addr.arpa    IN SOA  router.kptree.net. admin.kptree.net. (
                        2017072101 ; serial
                        10800      ; refresh (3 hours)
                        3600       ; retry (1 hour)
                        604800     ; expire (1 week)
                        38400      ; minimum (10 hours 40 minutes)
                        )
                NS      router.kptree.net.
;
; Just like above, we now set our origin away from "." to the actual domain
; name, which is "1.168.192.in-addr.arpa", and then we add records. However,
; this time, we're adding "PTR records", or pointer records.
$ORIGIN 1.168.192.in-addr.arpa.
$TTL 259200     ; 3 days
1       PTR     router.kptree.net.
; 3     PTR     switch.kptree.net.      ; This managed switch is bricked.
5       PTR     kptreeserver.kptree.net.
10      PTR     kpts.kptree.net.
12      PTR     wwwserver.kptree.net.
12      PTR     www.kptree.net.
12      PTR     kptree.net.
; 17    PTR     photoserver.kptree.net. ; not used at the moment
; 12    PTR     photo.kptree.net.
18      PTR     mailserver.kptree.net.
12      PTR     mail.kptree.net.
</code>
++++

If any of the above files are changed, the serial number should be incremented before restarting the DNS service, ''sudo systemctl restart bind9''. A common technique is to use the date followed by a small single- or double-digit number, e.g. 2017072101.

The configuration file can be tested with:
  * ''sudo named-checkconf /etc/bind/named.conf''

The zone files are checked with:
  * ''sudo named-checkzone 168.192.in-addr.arpa /var/lib/bind/db.168.192'' for the reverse zone file.
    * It is important that the first parameter, ''168.192.in-addr.arpa'', matches the reverse zone name used in the SOA record. The subsequent origin statements can be for lower address ranges, e.g. ''$ORIGIN 1.168.192.in-addr.arpa.''.
    * Again note the trailing full stop after the origin address.
  * ''sudo named-checkzone kptree.net /var/lib/bind/db.kptree.net'' for the forward zone file.

If not using IPv6, bind may still look for IPv6, unnecessarily filling up the log files. To prevent this, perform the following:
  * ''sudo vim /etc/default/bind9''
  * add ''-4'' to the line: ''OPTIONS="-u bind -4"''
  * Also ensure "listen-on-v6 { any; };" is commented out in ''/etc/bind/named.conf.options''

====Fixing BIND's journal out of sync with zone error====

Almost always caused by manually editing the zone file, which makes it fall out of sync with the automatic DHCP updates.
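The serial bump, the zone checks and the freeze-before-edit precaution above are easy to get wrong by hand when DHCP is writing to the zone at the same time. The script below is an added example (not code from this page or from ISC): it bumps a YYYYMMDDnn serial, runs ''named-checkzone'' when installed, wraps a manual edit in ''rndc freeze'' / ''rndc thaw'' when ''rndc'' is installed, and reports every A record in the forward zone that has no matching PTR in the reverse zone. The function names, the example.test domain and the sample zone pair written by write_demo_zones are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: helpers for maintaining the forward and
# reverse zone files set up above. Function names, the example.test domain and the
# sample zones in write_demo_zones are constructed here; named-checkzone and rndc are
# the real BIND tools and are only invoked when they are installed.

# next_serial CURRENT TODAY: next YYYYMMDDnn serial, always greater than CURRENT.
next_serial() {
    cur=$1; today=$2
    case "$cur" in
        "$today"??) nn=${cur#"$today"}; nn=${nn#0}; nn=$((nn + 1)) ;;  # same day: bump nn
        *)          nn=1 ;;                                           # new day: start at 01
    esac
    if [ "$nn" -le 99 ]; then new=$(printf '%s%02d' "$today" "$nn"); else new=$((cur + 1)); fi
    [ "$new" -gt "$cur" ] || new=$((cur + 1))   # clock went backwards: must still increase
    echo "$new"
}

# bump_serial FILE TODAY: rewrite the first "; serial" line of FILE, print the new serial.
# The file is overwritten with cat so ownership and mode (bind:bind) are preserved.
bump_serial() {
    file=$1; today=$2
    cur=$(awk '/; *serial/ { print $1; exit }' "$file")
    [ -n "$cur" ] || { echo "no serial line in $file" >&2; return 1; }
    new=$(next_serial "$cur" "$today")
    tmp=$(mktemp) || return 1
    awk -v new="$new" '!done && /; *serial/ { sub(/[0-9]+/, new); done = 1 } { print }' \
        "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
    echo "$new"
}

# missing_ptr FWD REV: print "owner ip" for each A record in FWD with no PTR in REV.
# Follows $ORIGIN in both files; "@" marks the apex record, whose owner field is empty.
missing_ptr() {
    awk '
        /^\$ORIGIN/ { origin = $2; next }
        { sub(/;.*/, "") }                               # drop comments, refresh NF
        NF == 0 { next }
        NR == FNR {                                      # first file: the reverse zone
            for (i = 1; i <= NF && $i != "PTR"; i++) { }
            if (i < NF) {
                o = origin; sub(/\.in-addr\.arpa\.$/, "", o)
                n = split(o, oct, "."); ip = ""
                for (j = n; j >= 1; j--) ip = ip oct[j] "."  # 1.168.192 -> 192.168.1.
                has[ip $1] = 1
            }
            next
        }
        {                                                # second file: the forward zone
            for (i = 1; i <= NF && $i != "A"; i++) { }
            if (i < NF && !($(i + 1) in has)) { owner = (i == 1) ? "@" : $1; print owner, $(i + 1) }
        }' "$2" "$1"
}

# check_zone NAME FILE: BIND's own syntax check, when installed.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then named-checkzone "$1" "$2"
    else echo "named-checkzone not installed; skipped check of $2"; fi
}

# safe_edit ZONE FILE TODAY [EDIT_CMD]: freeze the dynamic zone so DHCP updates cannot
# land in the journal while you edit, run the editor, bump the serial, check, then thaw.
safe_edit() {
    zone=$1; file=$2; today=$3; editor=${4:-${EDITOR:-vi}}
    have_rndc=0; command -v rndc >/dev/null 2>&1 && have_rndc=1
    [ "$have_rndc" = 1 ] && rndc freeze "$zone"
    $editor "$file"
    bump_serial "$file" "$today" >/dev/null || return 1
    if check_zone "$zone" "$file"; then status=0; else status=1; fi
    [ "$have_rndc" = 1 ] && rndc thaw "$zone"
    return $status
}

# write_demo_zones DIR: constructed sample zone pair (not the page's data); the host
# "mediaserver" deliberately has no PTR so missing_ptr has something to report.
write_demo_zones() {
    cat > "$1/db.example.test" <<'EOF'
$ORIGIN .
$TTL 907200
example.test    IN SOA  router.example.test. root.example.test. (
                        2019072101 ; serial
                        10800 ; refresh
                        3600 ; retry
                        604800 ; expire
                        38400 ; minimum
                        )
                NS      router.example.test.
                A       192.168.1.12
$ORIGIN example.test.
router          A       192.168.1.1
mediaserver     A       192.168.1.7
www             A       192.168.1.12
EOF
    cat > "$1/db.168.192" <<'EOF'
$ORIGIN .
$TTL 907200
168.192.in-addr.arpa    IN SOA router.example.test. admin.example.test. (
                        2019072101 ; serial
                        10800 ; refresh
                        3600 ; retry
                        604800 ; expire
                        38400 ; minimum
                        )
                NS      router.example.test.
$ORIGIN 1.168.192.in-addr.arpa.
1       PTR     router.example.test.
12      PTR     www.example.test.
EOF
}

# Stand-alone demo on the constructed zones: sh zonetool.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_demo_zones "$d"
    echo "A records without a PTR:"; missing_ptr "$d/db.example.test" "$d/db.168.192"
    echo "new serial: $(bump_serial "$d/db.example.test" "$(date +%Y%m%d)")"
fi
```

On the router the same functions apply to ''/var/lib/bind/db.kptree.net'' and ''/var/lib/bind/db.168.192''; run ''safe_edit kptree.net /var/lib/bind/db.kptree.net "$(date +%Y%m%d)"'' as root and the zone is frozen for exactly the duration of the edit, which is what keeps the journal and the zone file in step.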
The solution is to:
  * Stop bind9 (''sudo systemctl stop bind9'')
  * Delete the problem zone's journal file ending in .jnl. It can be found in the same directory as the zone files (/var/lib/bind/)
  * Then start bind9 (''sudo systemctl start bind9'')

Before performing a manual update on a zone file, use ''rndc freeze'' before editing and ''rndc thaw'' after. See ''man rndc'' for information on this command.

====Split Horizon DNS====

Split horizon DNS, or split DNS, allows a DNS query to be treated differently depending upon the source of the query. It is usually used for internal services that cannot be reached off the LAN. I am not sure how split DNS addresses the use of SSL-certificated domain names, based upon the external web address, on local-address hosts without some form of hairpin NAT or similar occurring. Think about it: the IP address of the local server does not match the domain certificate's IP address. [[linux_router:nftables#hairpin_nat]] is used to allow services provided by hosts on the internal network, which are reached externally via NAT, also to be reached by internal clients behind the NAT. Split DNS is not a direct replacement for this functionality.

Some external resources:
  * Wikipedia: [[https://en.wikipedia.org/wiki/Split-horizon_DNS|Split-horizon DNS]], [[https://en.wikipedia.org/wiki/Split_horizon_route_advertisement|Split horizon route advertisement]]
  * [[https://www.slashroot.in/how-to-configure-split-horizon-dns-in-bind|How To Configure Split Horizon DNS in BIND]]
  * [[https://www.cyberciti.biz/faq/linux-unix-bind9-named-configure-views/|BIND 9 Configure Views To Partition External and Internal DNS Information]]
  * [[https://serverfault.com/questions/381635/dynamic-dns-with-split-horizon-dns-or-hairpin-nat|Dynamic DNS with split horizon DNS or hairpin NAT]]
  * [[https://serverfault.com/questions/508605/why-dont-more-organizations-use-inside-to-inside-nat-or-similar-solutions-to-al|Why don't more organizations use inside-to-inside NAT or similar solutions to allow NAT hairpins?]]
  * [[https://www.rfc-editor.org/rfc/rfc1918|RFC 1918 - Address Allocation for Private Internets]]

====Other Bind9 Stuff====

To update the root hints data file for the BIND named server, download the latest root file to /etc/bind/db.root:
  * ''sudo wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /etc/bind/db.root''
Then reload with rndc: ''sudo rndc reload''

  * zytrax: [[http://www.zytrax.com/books/dns/|DNS for Rocket Scientists]]
  * ISC Org:
    * [[https://kb.isc.org/docs/aa-01534|Trust levels for RRsets in BIND cache]]
    * [[https://kb.isc.org/docs/aa-01309|Root hints - a collection of operational and configuration FAQs]]
    * [[https://kb.isc.org/docs/aa-01537|Why is BIND re-priming the roots from hints more often than it should?]]
    * [[https://ftp.isc.org/isc/bind9/cur/9.15/doc/arm/Bv9ARM.html|BIND 9 Administrator Reference Manual]]
    * [[https://kb.isc.org/docs/aa-00269|What has changed in the behavior of "allow-recursion" and "allow-query-cache"]]
  * [[https://askubuntu.com/questions/851434/how-could-one-disable-bind9s-recursion-and-do-forwarding-only-for-dns-queries|How could one disable bind9's recursion and do forwarding only for DNS queries?]]
  * [[https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04|How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04]]

=====DHCP Setup=====

This section is outdated: ISC DHCP was replaced by ISC Kea, and ISC DHCP is no longer formally supported as of 2022.

++++Outdated tl;dr;|
First install, or ensure already installed, the ISC DHCP server software: ''sudo apt install isc-dhcp-server''

Next edit the DHCP configuration file: ''sudo vim /etc/dhcp/dhcpd.conf''
++++

++++dhcpd.conf|
<code>
ddns-updates on;
ddns-update-style interim;
update-static-leases on;
authoritative;

key rndc-key {
    algorithm hmac-md5;
    secret LBLC2Dg8v6hYNE/ecnd6Ag==;
}

allow unknown-clients;
use-host-decl-names on;
default-lease-time 1814400;   # 21 days
max-lease-time 1814400;       # 21 days
log-facility local7;

# kptree DNS zones
zone kptree.net. {
    primary localhost;  # This server is the primary DNS server for the zone
    key rndc-key;       # Use the key we defined earlier for dynamic updates
}

# The zone name must match the zone declared in named.conf.local
# (168.192.in-addr.arpa); a narrower name such as 1.168.192.in-addr.arpa.
# is not a zone BIND is authoritative for, so the reverse updates would be refused.
zone 168.192.in-addr.arpa. {
    primary localhost;  # This server is the primary DNS server for the zone
    key rndc-key;       # Use the key we defined earlier for dynamic updates
}

# kptree LAN scope
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option subnet-mask 255.255.255.0;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
    option domain-name "kptree.net";
    ddns-domainname "kptree.net.";
    ddns-rev-domainname "in-addr.arpa.";
}

# kptree.net groups
group {
    # Printer #1 Epson WF7725
    host printer1.kptree.net {
        hardware ethernet 9C:AE:D3:F0:C3:E7;
        fixed-address 192.168.1.4;
        ddns-hostname "printer1";
    }
    # Windows 10 Virtual Machine
    host vwin.kptree.net {
        hardware ethernet 52:54:00:27:34:F4;
        fixed-address 192.168.1.30;
        ddns-hostname "vwin";
    }
    # Karl's iPhoneXS
    host karlPhone.kptree.net {
        hardware ethernet F0:99:B6:45:6C:F4;
        fixed-address 192.168.1.31;
        ddns-hostname "karl-phone";
    }
    # Karl's iPadMini4
    host karliPad.kptree.net {
        hardware ethernet 04:52:F3:1C:31:27;
        fixed-address 192.168.1.32;
        ddns-hostname "karl-ipad";
    }
    # Eka's iPhone12
    host Eka-iPhone12.kptree.net {
        hardware ethernet 44:90:BB:62:D2:2A;
        fixed-address 192.168.1.33;
        ddns-hostname "Eka-iPhone12";
    }
    # Karl's iPad air
    host karliPadair.kptree.net {
        hardware ethernet 34:31:8F:5F:16:A6;
        fixed-address 192.168.1.34;
        ddns-hostname "karl-ipadair";
    }
    # Karl's work
    host karl-ugl.kptree.net {
        hardware ethernet 5C:80:B6:A8:AE:1C;
        fixed-address 192.168.1.35;
        ddns-hostname "karl-ugl";
    }
    # Henry's iphone
    host henry.iphone.kptree.net {
        hardware ethernet 6c:4d:73:12:99:f1;
        fixed-address 192.168.1.36;
        ddns-hostname "henry-iphone";
    }
    # Willem's iphone
    host willem.iphone.kptree.net {
        hardware ethernet 64:c7:53:7b:01:2f;
        fixed-address 192.168.1.37;
        ddns-hostname "willem-iphone";
    }
    # KPTreeServer1 IPMI
    host kpts1-ipmi.kptree.net {
        hardware ethernet 00:25:90:8B:D9:DB;
        fixed-address 192.168.1.40;
        ddns-hostname "kpts1-impi";
    }
    # Kptreeserver2 IPMI
    host kpts2-ipmi.kptree.net {
        hardware ethernet 0C:C4:7A:F5:0E:F7;
        fixed-address 192.168.1.41;
        ddns-hostname "kpts2-impi";
    }
    # KPTreeRouter IPMI
    host kptr-ipmi.kptree.net {
        hardware ethernet 00:C4:7A:9F:34:41;
        fixed-address 192.168.1.42;
        ddns-hostname "kptr-ipmi";
    }
    # APS Solar Energy Management Unit
    host aps-ema.kptree.net {
        hardware ethernet 80:97:1B:00:36:BA;
        fixed-address 192.168.1.50;
        ddns-hostname "aps-ema";
    }
    # OpenSprinkler
    host sprinkler.kptree.net {
        hardware ethernet 00:69:69:2D:31:00;
        fixed-address 192.168.1.51;
        ddns-hostname "sprinkler";
    }
    # Study Desktop - dt1
    host dt1.kptree.net {
        hardware ethernet 00:d8:61:34:dc:0e;
        fixed-address 192.168.1.71;
        ddns-hostname "dt1";
    }
    # Study Desktop - dt1-wifi
    host dt-wifi-1.kptree.net {
        hardware ethernet F4:D1:08:A6:96:72;
        fixed-address 192.168.1.72;
        ddns-hostname "dt-wifi-1";
    }
    # Erich Desktop - sdt25
    host edt25.kptree.net {
        hardware ethernet 00:8e:25:79:05:cc;
        fixed-address 192.168.1.73;
        ddns-hostname "sdt25";
    }
    # Henry's work
    host henry-desk.kptree.net {
        hardware ethernet 30:5A:3A:82:9D:35;
        fixed-address 192.168.1.74;
        ddns-hostname "henry-desk";
    }
    # Study Desktop - sdt1-wifi
    host sdt-wifi-1.kptree.net {
        hardware ethernet 8C:1D:96:94:AD:13;
        fixed-address 192.168.1.76;
        ddns-hostname "sdt-wifi-1";
    }
    # Study Desktop - sdt25
    host sdt25.kptree.net {
        hardware ethernet 1C:69:7A:D2:FD:91;
        fixed-address 192.168.1.77;
        ddns-hostname "sdt25";
    }
    # RPi 1
    host RPi1.kptree.net {
        hardware ethernet E4:5F:01:3B:55:6F;
        fixed-address 192.168.1.75;
        ddns-hostname "RPi1";
    }
    # WiFi Access Point #1
    host wifi-ap1.kptree.net {
        hardware ethernet 80:37:73:EC:D3:1E;
        fixed-address 192.168.1.90;
        ddns-hostname "wifi-ap1";
    }
    # WiFi Access Point #2
    host wifi-ap2.kptree.net {
        hardware ethernet C0:FF:D4:8B:24:FE;
        fixed-address 192.168.1.91;
        ddns-hostname "wifi-ap2";
    }
}
</code>
++++

The configuration file can be tested with: ''sudo dhcpd -t''

Restart the DHCP and DNS servers to pick up the latest configuration changes.
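''dhcpd -t'' only checks syntax. Two things it does not catch in a configuration of the shape above are a ''fixed-address'' that falls inside the dynamic ''range'' and a MAC or address declared twice, and with ''allow unknown-clients'' on there is nothing that tells you which active leases belong to devices you never declared. The script below is an added example, not code from this page or from ISC: it extracts the host declarations with awk, reports those two mistakes, and lists active entries in ''dhcpd.leases'' whose MAC has no host declaration. The function names, the example.test names and the sample dhcpd.conf and dhcpd.leases written by write_samples are constructed here; only the file syntax is ISC DHCP's own.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for a dhcpd.conf of the
# shape shown above and a check of dhcpd.leases against the declared hosts. The
# function names and the sample files in write_samples are constructed; only the
# dhcpd.conf / dhcpd.leases syntax is ISC DHCP's own.

# host_table CONF: one "name mac ip" line per host declaration (MAC lowercased).
host_table() {
    awk '
        tolower($1) == "host"     { name = $2; mac = ""; ip = "" }
        tolower($1) == "hardware" { mac = tolower($3); sub(/;$/, "", mac) }
        $1 == "fixed-address"     { ip = $2; sub(/;$/, "", ip) }
        $1 == "}" && name != ""   { print name, mac, ip; name = "" }
    ' "$1"
}

# check_static CONF: report fixed addresses inside the dynamic range, duplicate MACs
# and duplicate fixed addresses; returns 1 if anything was reported.
check_static() {
    conf=$1
    lo=$(awk '$1 == "range" { print $2; exit }' "$conf")
    hi=$(awk '$1 == "range" { sub(/;$/, "", $3); print $3; exit }' "$conf")
    host_table "$conf" | awk -v lo="$lo" -v hi="$hi" '
        function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        BEGIN { nlo = ip2n(lo); nhi = ip2n(hi) }
        {
            n = ip2n($3)
            if (n >= nlo && n <= nhi) { print "in dynamic range:", $1, $3; bad = 1 }
            if ($2 in bymac) { print "duplicate MAC:", $2, bymac[$2], $1; bad = 1 }
            if ($3 in byip)  { print "duplicate IP:", $3, byip[$3], $1; bad = 1 }
            bymac[$2] = $1; byip[$3] = $1
        }
        END { exit bad ? 1 : 0 }'
}

# unknown_active CONF LEASES: active leases whose MAC has no host declaration.
# dhcpd.leases is append-only, so the last record for an address is the one that counts.
unknown_active() {
    host_table "$1" | awk '
        NR == FNR { known[$2] = $1; next }
        $1 == "lease"                    { ip = $2; mac = ""; host = "-"; state = "" }
        $1 == "binding" && $2 == "state" { state = $3; sub(/;$/, "", state) }
        $1 == "hardware"                 { mac = tolower($3); sub(/;$/, "", mac) }
        $1 == "client-hostname"          { host = $2; gsub(/[";]/, "", host) }
        $1 == "}" && ip != ""            { st[ip] = state; mc[ip] = mac; hn[ip] = host; ip = "" }
        END { for (ip in st) if (st[ip] == "active" && !(mc[ip] in known)) print ip, mc[ip], hn[ip] }
    ' - "$2" | sort
}

# write_samples DIR: constructed dhcpd.conf (with two deliberate mistakes) and
# dhcpd.leases; the 02:00:... MACs are locally administered placeholders.
write_samples() {
    cat > "$1/dhcpd.conf" <<'EOF'
authoritative;
allow unknown-clients;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
}
group {
    host printer1.example.test {
        hardware ethernet 02:00:00:00:00:04;
        fixed-address 192.168.1.4;
    }
    host nas.example.test {
        hardware Ethernet 02:00:00:00:00:05;
        fixed-address 192.168.1.5;
    }
    # mistakes: a static address inside the dynamic pool, and a MAC reused
    host tv.example.test {
        hardware ethernet 02:00:00:00:00:06;
        fixed-address 192.168.1.150;
    }
    host tv-copy.example.test {
        hardware ethernet 02:00:00:00:00:06;
        fixed-address 192.168.1.7;
    }
}
EOF
    cat > "$1/dhcpd.leases" <<'EOF'
lease 192.168.1.101 {
  starts 4 2023/06/15 10:00:00;
  binding state active;
  hardware ethernet 02:00:00:00:00:04;
  client-hostname "printer1";
}
lease 192.168.1.102 {
  binding state active;
  hardware ethernet 02:00:00:00:00:99;
  client-hostname "unknown-laptop";
}
lease 192.168.1.102 {
  binding state free;
  hardware ethernet 02:00:00:00:00:99;
}
lease 192.168.1.103 {
  binding state active;
  hardware ethernet 02:00:00:00:00:aa;
}
EOF
}

# Stand-alone demo on the constructed files: sh dhcpcheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    check_static "$d/dhcpd.conf" || echo "(problems found above)"
    echo "active leases with no host declaration:"
    unknown_active "$d/dhcpd.conf" "$d/dhcpd.leases"
fi
```

On the router the real inputs are ''/etc/dhcp/dhcpd.conf'' and ''/var/lib/dhcp/dhcpd.leases''; ''unknown_active'' run against those is a cheap way to notice a device that joined the LAN without ever being added to the ''group'' block.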
DNS: ''sudo systemctl restart bind9'' and DHCP: ''sudo systemctl restart isc-dhcp-server''.

To see the active leases use the command ''sudo dhcp-lease-list''.

ISC has stopped supporting the ISC-DHCP client and relay as of 2022 and has indicated that they plan to eventually stop support of the server as well. They seem to recommend migration to ISC-Kea, the ISC-DHCP replacement.

====isc-dhcp-server defaults file====

The isc-dhcp-server defaults file is ''/etc/default/isc-dhcp-server'' (''sudo vim /etc/default/isc-dhcp-server''). Ensure the interface(s) on which the DHCP server is to serve requests are indicated, for example:
  * INTERFACESv4="br0"
  * INTERFACESv6="br0"

====isc-dhcp-server log file comments====

Unfortunately the log / journal for isc-dhcp-server contains the following message for each system interface that is not assigned in ''/etc/default/isc-dhcp-server''. **//This is a warning, not an error!//** As such it can generally be ignored.

++++Example isc-dhcp-server warning|
<code>
No subnet declaration for eno4 (no IPv4 addresses).
** Ignoring requests on eth1.  If this is not what
   you want, please write a subnet declaration
   in your dhcpd.conf file for the network segment
   to which interface eno4 is attached. **
</code>
++++

======ipv6======

=====radvd=====

IPv6 requires router advertisement to be functional in order to operate correctly. In Linux the radvd program performs this function and can be set up independently or together with DHCP. The radvd daemon provides basic advertisement functionality; dhcp6 can give additional functionality.
  * ''sudo apt install radvd''
  * ''sudo vim /etc/radvd.conf''
  * ++radvd.conf|<code>
interface br0 {
    AdvSendAdvert on;
    AdvLinkMTU 1440;
    MinRtrAdvInterval 60;
    MaxRtrAdvInterval 180;
    prefix 2001:470:1f2d:178::/64 {
        AdvOnLink on;
        AdvRouterAddr on;
        AdvPreferredLifetime 600;
        AdvValidLifetime 3600;
    };
    # route ::/0 {
    # };
    route 2001:470:1f2d:178::3/0 {
    };
};
</code>++
  * ''sudo systemctl status radvd.service''
  * ++/lib/systemd/system/radvd.service|<code>
# It's not recommended to modify this file in-place, because it
# will be overwritten during upgrades. If you want to customize,
# the best way is to use the "systemctl edit" command.

[Unit]
Description=Router advertisement daemon for IPv6
Documentation=man:radvd(8)
After=network.target
ConditionPathExists=/etc/radvd.conf

[Service]
Type=forking
ExecStartPre=/usr/sbin/radvd --logmethod stderr_clean --configtest
ExecStart=/usr/sbin/radvd --logmethod stderr_clean
ExecReload=/usr/sbin/radvd --logmethod stderr_clean --configtest
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/radvd.pid

# Set the CPU scheduling policy to idle which is for running very low priority background jobs
CPUSchedulingPolicy=idle

# Allow for binding to low ports and doing raw network access
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW

# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
# so this service cannot access the global directories and other processes cannot
# access this service's directories.
PrivateTmp=yes

# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
# but no physical devices such as /dev/sda.
PrivateDevices=yes

# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
ProtectSystem=full

# The directories /home, /root and /run/user are made inaccessible and empty for processes
# invoked by this unit.
ProtectHome=yes

# Ensures that the service process and all its children can never gain new privileges
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
</code>++

=====DNS Check Commands=====

====local dns nameserver====

The local name resolver configuration can be seen in ''/etc/resolv.conf''. Usually this cannot be effectively edited directly, as it is controlled by other parts of the system that will write over it.

====dig====

  * ''dig bing.com'', this will provide the name resolution information for this site.
  * ''dig @1.1.1.1 wiki.kptree.net'' will check name resolution at the specified resolver. This can help determine name propagation.
  * ''dig mail.kptree.net'' will return the mail server information.
  * ''dig @9.9.9.9 mail.kptree.net'' will return the mail server information from the specified resolver.

====host====

  * ''host mail.kptree.net''
  * ''host kptree.net''

====nslookup====

  * ''nslookup wiki.kptree.net''
  * ''nslookup -type=mx mail.kptree.net'' for mail server information
  * ''nslookup -type=mx -debug mail.kptree.net'' for more verbose output

====secure DNS====

  * ''echo | openssl s_client -connect '9.9.9.9:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64'' to query the current SPKI pin for Quad9
  * This also seems to work for other DNS resolvers: 1.1.1.1 (Cloudflare), 8.8.8.8 (Google)
  * Stackexchange.com:
    * [[https://unix.stackexchange.com/questions/735368/how-to-use-dns-over-tls-with-bind9-forwarders|how-to-use-dns-over-tls-with-bind9-forwarders]]
    * [[https://unix.stackexchange.com/questions/755905/how-to-test-if-dns-over-tls-dot-with-bind9-forwarders-is-actually-working|how-to-test-if-dns-over-tls-dot-with-bind9-forwarders-is-actually-working]]
    * [[https://unix.stackexchange.com/questions/756994/enable-tls-on-bind9|Enable TLS on BIND9]]
  * [[https://engineering.fb.com/2018/12/21/security/dns-over-tls/|DNS over TLS: Encrypting DNS end-to-end]]
  * [[https://www.b1c1l1.com/blog/2018/04/23/encrypted-recursive-dns-with-dns-over-tls-unbound-and-cloudflare/|Encrypted Recursive DNS with DNS over TLS, Unbound, and Cloudflare]]
  * [[https://medium.com/nlnetlabs/privacy-using-dns-over-tls-with-the-new-quad9-dns-service-1ff2d2b687c5|Privacy: Using DNS-over-TLS with the Quad9 DNS Service]]
  * [[https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en|ICANN - DNSSEC: What Is It and Why Is It Important?]]
  * [[https://quad9.net/support/faq/|QUAD9 FAQ]]
  * [[https://www.linuxbabe.com/ubuntu/dns-over-tls-resolver-nginx|How to Easily Set Up a DNS over TLS Resolver with Nginx on Ubuntu]]
  * [[https://www.talkdns.com/articles/a-beginners-guide-to-dnssec-with-bind-9/|A Beginner's Guide to DNSSEC with BIND 9]]
  * Some online DNSSEC analysers:
    * [[https://dnssec-analyzer.verisignlabs.com/|VERISIGN DNSSEC Analyzer]]
    * [[https://dnsviz.net/|dnsviz.net]]
  * Bind9 read the docs:
    * [[https://bind9.readthedocs.io/en/latest/chapter5.html|DNSSEC]]
    * [[https://bind9.readthedocs.io/en/latest/dnssec-guide.html|dnssec-guide]]
  * [[https://dnsprivacy.org/dns_privacy_clients/|DNS Privacy Project - DNS Privacy Clients]] says Bind9 does not natively support TLS.

=====ipv6 links=====

  * [[https://jochen.kirstaetter.name/enabling-dns-for-ipv6-infrastructure/|Enabling DNS for IPv6 infrastructure]]
  * [[https://simpledns.plus/private-ipv6|Simple DNS Plus]]
  * [[https://tldp.org/HOWTO/html_single/Linux+IPv6-HOWTO/#HINTS-DAEMONS-ISC-DHCP|Linux IPv6 HOWTO (en)]]