Run in a chroot
Address/interface to listen on.
Use 0.0.0.0 to listen on all interfaces (then rely on access-control below, and a host firewall, to keep it from being an open resolver).
interface: 127.0.0.1
# interface: 192.168.1.1
We also have the option of specifying the outgoing interface (outgoing-interface).
This is applicable if you have multiple links to the internet
and wish to restrict the resolver's upstream queries to a particular one, e.g. a VPN link.
Protocols to use
do-ip6: no
do-ip4: yes
do-udp: yes
do-tcp: yes
Specify the CIDR blocks to allow or deny queries from.
The most specific matching netblock wins, and an address that matches no entry is refused.
("refuse" answers with REFUSED; "deny" drops the query silently.)
On an internet-reachable host, filter with iptables too rather than relying on this list alone.
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 192.168.0.0/16 allow
access-control: 172.16.0.0/12 allow
access-control: 0.0.0.0/0 refuse
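To make the matching rule concrete, here is an added example (not part of the original page or of unbound itself) that models how unbound evaluates the access-control list: longest matching prefix wins, unlisted clients fall through to refuse. The ACL mirrors the lines above; the probe addresses are constructed from the documentation ranges and are only there to check that no public address is allowed.

```python
import ipaddress

# Constructed ACL mirroring the access-control lines above (order is irrelevant:
# unbound picks the most specific netblock that contains the client address).
ACCESS_CONTROL = [
    ("127.0.0.0/8", "allow"),
    ("10.0.0.0/8", "allow"),
    ("192.168.0.0/16", "allow"),
    ("172.16.0.0/12", "allow"),
    ("0.0.0.0/0", "refuse"),
]

# Public addresses from the documentation ranges, used only to probe the ACL.
PROBE_PUBLIC = ["203.0.113.7", "198.51.100.9", "192.0.2.1"]


def parse_acl(entries):
    """Turn ("netblock", "action") pairs into (ip_network, action) pairs."""
    return [(ipaddress.ip_network(net, strict=False), action) for net, action in entries]


def acl_action(client_ip, acl, default="refuse"):
    """Action unbound applies to a client: the longest matching prefix wins.

    A client matching no entry gets `default`; unbound's own default for
    unlisted addresses is refuse, so an ACL without a 0.0.0.0/0 line is not open.
    """
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in acl:
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    return default if best is None else best[1]


def publicly_allowed(acl, probes=PROBE_PUBLIC):
    """Probe addresses the ACL would answer. A non-empty result means the
    resolver is open to the internet (reflection/amplification risk)."""
    return [ip for ip in probes if acl_action(ip, acl) == "allow"]


if __name__ == "__main__":
    acl = parse_acl(ACCESS_CONTROL)
    for ip in ["192.168.5.5", "10.1.2.3", "203.0.113.7", "2001:db8::1"]:
        print(f"{ip:>16} -> {acl_action(ip, acl)}")
    print("open to internet:", publicly_allowed(acl))
```

Two things worth noticing: an IPv6 client is refused by this v4-only list simply because nothing matches, and a narrower refuse line (say 192.168.100.0/24 refuse) overrides the broad 192.168.0.0/16 allow regardless of where it appears in the file.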
Next, we manually download the root hints and point unbound at the file with root-hints: (if the directive is absent, unbound uses its built-in hints; refresh the file now and then, since the root server set changes occasionally):
wget -qO root.hints https://www.internic.net/domain/named.cache
File containing trust anchors (auto-trust-anchor-file:). A trust anchor specifies the key used to sign the DNS root zone and forms the foundation for DNSSEC chains of trust. With auto-trust-anchor-file unbound follows root key rollovers itself (RFC 5011), so the file must be writable by the unbound user; unbound-anchor(8) can fetch the initial anchor.
Do not reveal the server's identity or version to id.server / version.server (CH class) queries:
hide-identity: yes
hide-version: yes
harden-glue: trust glue records only if they are within the authority (bailiwick) of the server that supplied them.
Suppose I want to set ns.etherarp.net as the NS for etherarp.net;
then I need to provide the A record for 'ns' as a glue record. That glue is in-bailiwick and accepted, while glue for names outside the responding server's zone is discarded, which closes a classic cache-poisoning vector.
When sending a query to an authoritative NS, use a random mix of uppercase and lowercase in the query name (use-caps-for-id, "0x20" encoding) so that a spoofed answer must also match the case.
Best to leave this set to "no" (the default): some authoritative servers do not preserve case in their replies, which causes unreliability.
Performance and computational options.
If you don't have a multicore/hyperthreaded machine (e.g. running on an embedded router), set num-threads to 1 (disable multithreading).
The *-slabs values split each cache into independently locked parts to reduce lock contention between threads. They must be a power of 2, and the unbound documentation suggests a value close to num-threads; with 4 threads, 4 slabs is the closest fit, though the 2 used below also works.
num-threads: 4
msg-cache-slabs: 2
rrset-cache-slabs: 2
key-cache-slabs: 2
infra-cache-slabs: 2
The RRset cache (rrset-cache-size) holds record data like A and NS RRsets.
These values are appropriate for a desktop or server.
On a small embedded device like a router, use values like 2m.
Message cache size (msg-cache-size).
The msg cache contains query/answer metadata, things like the AD bit etc.
This should be about 1/2 the size of the rrset-cache.
Prefetch the message cache (the prefetch option):
when popular entries are about to expire, we re-fetch them before they do, so they never drop out of the cache.
Override records with a short TTL (cache-min-ttl):
records are kept for at least this long, i.e. we do --not-- re-query for a record until this much time has passed, even if the zone owner set a shorter TTL.
Don't make it longer than ~300s, or you may serve stale records (failover and DNS-based load balancing rely on short TTLs being honoured).
Override records with a long TTL (cache-max-ttl):
don't keep cached records for longer than 3h (10800 seconds).
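The TTL clamping and prefetch behaviour described above, as an added example (not code from the page or from unbound): it computes the TTL unbound actually caches a record for, how long a clamped record may be served past the zone owner's TTL, and when prefetch kicks in. The record list is constructed; the 10% prefetch threshold follows unbound's PREFETCH_TTL_CALC macro (ttl - ttl/10).

```python
def effective_ttl(zone_ttl, cache_min_ttl, cache_max_ttl):
    """TTL unbound keeps a record for after applying cache-min-ttl and cache-max-ttl."""
    return max(cache_min_ttl, min(zone_ttl, cache_max_ttl))


def staleness_window(zone_ttl, cache_min_ttl, cache_max_ttl):
    """Seconds the resolver may keep answering with a record after the zone
    owner wanted it gone; non-zero only when cache-min-ttl raised the TTL."""
    return max(0, effective_ttl(zone_ttl, cache_min_ttl, cache_max_ttl) - zone_ttl)


def stale_records(records, cache_min_ttl, cache_max_ttl):
    """Names whose clamped TTL exceeds what the zone published, with the window."""
    return [
        (name, staleness_window(ttl, cache_min_ttl, cache_max_ttl))
        for name, ttl in records
        if staleness_window(ttl, cache_min_ttl, cache_max_ttl) > 0
    ]


def prefetch_due(remaining_ttl, cached_ttl):
    """With prefetch enabled, unbound refreshes a cached entry (when a client asks
    for it) once its remaining TTL is at or below 10% of the TTL it was cached
    with, using integer arithmetic as unbound does."""
    return remaining_ttl <= cached_ttl // 10


# Constructed sample: a failover name with a deliberately short TTL, a normal
# host, and a long-lived record.
SAMPLE_RECORDS = [
    ("api-failover.example.", 60),
    ("www.example.", 3600),
    ("static.example.", 86400),
]

if __name__ == "__main__":
    MIN_TTL, MAX_TTL = 300, 10800
    for name, ttl in SAMPLE_RECORDS:
        print(f"{name:<24} zone ttl {ttl:>6}  cached {effective_ttl(ttl, MIN_TTL, MAX_TTL):>6}")
    print("may be served stale:", stale_records(SAMPLE_RECORDS, MIN_TTL, MAX_TTL))
    print("prefetch at 30s of 300s left:", prefetch_due(30, 300))
```

The point for the failover record is the one the text makes: with cache-min-ttl at 300, a name published with a 60-second TTL can keep pointing clients at a dead address for four extra minutes, so raise cache-min-ttl only as far as your tolerance for that.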
Suppose you have a special DNS provider for accessing US Netflix.
You can set a forward zone here so that queries for netflix.com (and names under it) are selectively forwarded to that server.
forward-zone:
    name: "netflix.com"
    forward-addr: 198.51.100.1   # forward-addr takes a single address (optionally addr@port), not a CIDR block; this one is a documentation-range placeholder
There is also a type of zone known as a stub zone.
In contrast to a forward zone, a stub zone does not ask the target server to recurse: unbound sends it non-recursive queries and follows the referrals itself,
and so the stub server must be authoritative for the zone.
stub-zone:
    name: "2.4.10.in-addr.arpa."
    stub-addr: "10.4.0.53"
Note that unbound ships default local zones that block RFC 1918 reverse space such as 10.in-addr.arpa.; if reverse lookups for this range still come back NXDOMAIN, add local-zone: "10.in-addr.arpa." nodefault so the stub is consulted.
local-data: "gateway IN A 192.168.1.1"
local-data: "foo-pc IN A 192.168.1.2"
local-data: "bar-pc IN A 192.168.1.3"
local-data-ptr: "192.168.1.1 gateway"   # PTR syntax is "<ip> <name>", the reverse of the A record
We can split our config into multiple files with the include: directive.
Let's add a file containing local records to block ad domains.
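Both the local-data/local-data-ptr pairs above and the ad-blocking include file are easy to get wrong by hand (the PTR syntax is reversed, and a block list pulled from the internet goes straight into your config as quoted strings), so here is an added example, not from the page or from unbound, that generates the include file from a host table and a domain list. The HOSTS and AD_DOMAINS values are constructed; the validation in fqdn() is the part to keep, since a domain containing a quote or newline would otherwise break out of the string and inject arbitrary directives into unbound.conf.

```python
import ipaddress
import re

# Constructed inputs (not the page's network): a host table and an ad-domain
# list of the kind one would pull from a public block list.
HOSTS = {
    "gateway": "192.168.1.1",
    "foo-pc": "192.168.1.2",
    "bar-pc": "192.168.1.3",
}
AD_DOMAINS = ["tracker.example", "ads.example", "ads.example"]

_LABEL = re.compile(r"^[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?$")


def fqdn(name):
    """Validate a DNS name and return it as an absolute name (trailing dot).

    Anything that is not hostname syntax is rejected: a quote, space or
    newline in a block-list entry would end the quoted string and let the
    entry inject its own directives into the generated config.
    """
    name = name.rstrip(".")
    labels = name.split(".")
    if not name or len(name) > 253 or not all(len(label) <= 63 and _LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid DNS name: {name!r}")
    return name + "."


def local_records(hosts):
    """local-data plus the matching local-data-ptr for each host.
    local-data-ptr takes "<ip> <name>", the reverse of the A record layout."""
    lines = []
    for name, ip in hosts.items():
        addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        rtype = "A" if addr.version == 4 else "AAAA"
        lines.append(f'local-data: "{fqdn(name)} IN {rtype} {addr}"')
        lines.append(f'local-data-ptr: "{addr} {fqdn(name)}"')
    return lines


def block_zones(domains):
    """A static local-zone with no local-data answers NXDOMAIN for the domain
    and everything under it, which is what we want for ad hosts."""
    return [f'local-zone: "{fqdn(d)}" static' for d in sorted(set(domains))]


def render_include(hosts, domains):
    """Body of a file loaded with include: from the top level of unbound.conf,
    so it carries its own server: clause."""
    directives = local_records(hosts) + block_zones(domains)
    return "\n".join(["server:"] + ["    " + line for line in directives]) + "\n"


if __name__ == "__main__":
    print(render_include(HOSTS, AD_DOMAINS), end="")
```

Write the output to a file such as /etc/unbound/local.d/adblock.conf (path assumed), reference it with include: "/etc/unbound/local.d/adblock.conf" in unbound.conf, and run unbound-checkconf before reloading; the generator refuses malformed names, but checkconf is the final word on what unbound will accept.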
Forward to an external resolver for everything else
forward-zone:
    name: "."
    forward-addr: 220.127.116.11
    forward-addr: 18.104.22.168