servercode/bind9.txt

# Bind 9 DNS CHEAT SHEET IS BASED ON DEBIAN - REDHAT / FEDORA use completely different folder structure than DEBIAN for bind:
https://www.isc.org/bind/

# DEBIAN # /etc/bind # /var/lib/bind
https://wpcademy.com/how-to-install-bind9-dns-server-on-ubuntu-step-by-step/
https://www.linuxtechi.com/install-configure-bind-9-dns-server-ubuntu-debian/
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-debian-9

# FEDORA # /etc/named.conf # /etc/named #/var/named # /usr/share/ipa
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-bind

# DMZ STEALTH SERVER, SPLIT-HORIZON, SPLIT-BRAIN DNS
https://www.cyberciti.biz/faq/linux-unix-bind9-named-configure-views/
https://www.zytrax.com/books/dns/ch4/#split

# Misc re-used commands
named -v
dig -t txt -c chaos VERSION.BIND @192.168.1.140
rndc flush
sudo systemctl status named
sudo systemctl restart bind9
sudo systemctl status bind9
suso systemctl restart bind9.service
sudo service bind9 restart
sudo named-checkconf
sudo named-checkzone intensewebs.com /var/lib/bind/db.intensewebs.com
sudo tail -f /var/log/syslog

sudo apt update && sudo apt upgrade -y
sudo apt install -y bind9 bind9utils bind9-doc dnsutils
cd /etc/bind

# Copy/Backup your files
sudo cp /etc/bind/named.conf.options /etc/bind/named.conf.options.backup
sudo vi /etc/bind/named.conf.options
 
acl trustedclients {
        localhost;
        localnets;
	192.168.1.140   #ns1.intensewebs.com
	192.168.1.141   #ns2.intensewebs.com
	192.168.1.142   #ns3.intensewebs.com
	192.168.1.143   #ns4.intensewebs.com
        192.168.1.0/24;
        192.168.2.0/24;
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query { trustedclients; };
        allow-query-cache { trustedclients; };
        allow-recursion { trustedclients; };

        forwarders {
                9.9.9.9;
                149.112.112.112;
        };

        dnssec-validation no;

        listen-on-v6 { any; };
};

# NOTE: DNSSec disabled as it was found to cause issues for Ubuntu 20.04

# 4) Define zone files backup the existing file named.conf.local e.g.

sudo cp -f /etc/bind/named.conf.local /etc/bind/bak.named.conf.local.bak
 sudo vi named.conf.local
 so it looks something like this
  
zone "intensewebs.com" {
        type master;
        file "/var/lib/bind/db.intensewebs.com";
        allow-transfer { 192.168.1.141; };
        also-notify { 192.168.1.141; };
};

zone "nukvm.org" {
        type master;
        file "/var/lib/bind/db.nukvm.org";
        allow-transfer { 192.168.1.141; };
        also-notify { 192.168.1.141; };
};

zone "iweb.city" {
        type master;
        file "/var/lib/bind/db.iweb.city";
        allow-transfer { 192.168.1.141; };
        also-notify { 192.168.1.141; };
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/var/lib/bind/db.1.168.192";
        allow-transfer { 192.168.1.141; };
        also-notify { 192.168.1.141; };
};
 check the file for errors
 sudo named-checkconf
 
# 5) Create a forward lookup zone in /var/lib/bind. Copy an existing file to one with the name used before e.g.
# sudo cp /etc/bind/db.local /var/lib/bind/db.intensewebs.com
# sudo vi db.intensewebs.com

$ORIGIN intensewebs.com.
$TTL    604800
;
@       IN      SOA     ns1.intensewebs.com. dns.intensewebs.com. (
                             60         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
                IN      NS      ns1.intensewebs.com.
                IN      NS      ns2.intensewebs.com.
;
                IN      MX      10      mail.intensewebs.com.
;
alma1   IN      A       192.168.1.121
git     IN      A       192.168.1.123
pg      IN      A       192.168.1.126
;
ns1     IN      A       192.168.1.140
ns2     IN      A       192.168.1.141
tdebian IN      A       192.168.1.200
tfedora IN      A       192.168.1.202
tdebian2        IN      A       192.168.1.203
tfedora2        IN      A       192.168.1.204
sd      IN      A       192.168.1.222
superdog        IN      A       192.168.1.223
;
ftp     IN      A       74.63.233.135
mail    IN      A       74.63.233.135
webmail IN      A       74.63.233.135
www     IN      A       74.63.233.135
;
t       IN      A       129.146.170.34
lab     IN      A       129.146.170.34
;
u       IN      A       129.153.118.150
;
$ORIGIN corp.intensewebs.com.
;
@       IN      NS     ipa1.corp.intensewebs.com.
;
        IN      NS     ipa1.corp.intensewebs.com.
        IN      NS     ipa2.corp.intensewebs.com.
;
ipa1    IN      A      192.168.1.124
ipa2    IN      A      192.168.1.125
_____________________________________________________________________ex
# check the file syntax
sudo named-checkzone intensewebs.com db.intensewebs.com
 
6) Create a reverse lookup zone
using same name specified in named-  edit the file e.g.
sudo vi db.1.168.192

$TTL    604800
@       IN      SOA     ns1.intensewebs.com. dns.intensewebs.com. (
                             58         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
        IN      NS      ns1.intensewebs.com.
        IN      NS      ns2.intensewebs.com.

ns1.intensewebs.com.    IN      A       192.168.1.140
ns2.intensewebs.com.    IN      A       192.168.1.141
3       IN      PTR     giti.iweb.city
4       IN      PTR     ng1.iweb.city
66      IN      PTR     gitea.nukvm.org
121     IN      PTR     alma1.intensewebs.com
123     IN      PTR     git.intensewebs.com
124     IN      PTR     ipa1.intensewebs.com
125     IN      PTR     ipa2.intensewebs.com
126     IN      PTR     pg.intensewebs.com
140     IN      PTR     ns1.intensewebs.com
141     IN      PTR     ns2.intensewebs.com
200     IN      PTR     tdebian.intensewebs.com
201     IN      PTR     tnginx.iweb.city
222     IN      PTR     sd.intensewebs.com
223     IN      PTR     superdog.intensewebs.com

sudo named-checkzone 1.168.192.in-addr.arpa db.1.168.192
 
7) Edit the server's DNS entry to use it's own DNS server

vi /etc/resolv.conf
domain intensewebs.com
search intensewebs.com
nameserver 192.168.1.140
nameserver 192.168.1.141


8) Start and test DNS
sudo systemctl start named
sudo systemctl enable named

sudo systemctl start bind9

 sudo systemctl status bind9
 sudo systemctl status named
 
 test DNS is working e.g.
 host git.intensewebs.com
 host 192.168.1.122
 ping www.amazon.com

---------------------------------------

SECONDARY
sudo vi /etc/bind/named.conf.local

zone "intensewebs.com" {
        type slave;
        file "/var/lib/bind/db.intensewebs.com";
	masters { 192.168.1.140; };
};

zone "nukvm.org" {
        type slave;
        file "/var/lib/bind/db.nukvm.org";
        masters { 192.168.1.140; };
};

zone "iweb.city" {
        type slave;
        file "/var/lib/bind/db.iweb.city";
        masters { 192.168.1.140; };
};

zone "1.168.192.in-addr.arpa" {
        type slave;
        file "/var/lib/bind/db.1.168.192";
	masters { 192.168.1.140; };
};

sudo systemctl restart bind9
sudo systemctl status bind9

sudo vi /etc/bind/named.conf.options
 
acl trustedclients {
        localhost;
        localnets;
	192.168.1.140   #ns1.intensewebs.com
	192.168.1.141   #ns2.intensewebs.com
	192.168.1.142   #ns3.intensewebs.com
	192.168.1.143   #ns4.intensewebs.com
        192.168.1.0/24;
        192.168.2.0/24;
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query { trustedclients; };
        allow-query-cache { trustedclients; };
        allow-recursion { trustedclients; };

        forwarders {
                9.9.9.9;
                149.112.112.112;
        };

        dnssec-validation no;

        listen-on-v6 { any; };
};