wiki/services/dns/Configuration.md

# Forwarder setup

Configuration of common resolver softwares, to forward DNS queries for `.dn42` (and reverse DNS) to `fd42:d42:d42:54::1` (or `172.23.0.53`).

## BIND

If you already run a local DNS server, you can tell it to query the dn42 anycast servers for the relevant domains
by adding the following to /etc/bind/named.conf.local

```
zone "dn42" {
  type forward;
  forwarders { 172.23.0.53; };
};
zone "20.172.in-addr.arpa" {
  type forward;
  forwarders { 172.23.0.53; };
};
zone "22.172.in-addr.arpa" {
  type forward;
  forwarders { 172.23.0.53; };
};
zone "23.172.in-addr.arpa" {
  type forward;
  forwarders { 172.23.0.53; };
};
```

**Note**: With DNSSEC enabled, bind might refuse to accept query results from the dn42 zone: `validating dn42/SOA: got insecure response; parent indicates it should be secure`.

## dnsmasq

If you are running dnsmasq under openwrt, you just have to add 

```
config dnsmasq
        option boguspriv '0'
        option rebind_protection '1'
        list rebind_domain 'dn42'
        list server '/dn42/172.23.0.53'
        list server '/20.172.in-addr.arpa/172.23.0.53'
        list server '/22.172.in-addr.arpa/172.23.0.53'
        list server '/23.172.in-addr.arpa/172.23.0.53'
```

to `/etc/config/dhcp` and run `/etc/init.d/dnsmasq restart`. After that you are able to resolve `.dn42` 
with the anycast DNS-Server, while your normal requests go to your standard DNS-resolver.

Attention: If you go with the default config you'll have to disable "boguspriv" in the first dnsmasq config section.

For normal dnsmasq use

```
server=/dn42/172.23.0.53
server=/20.172.in-addr.arpa/172.23.0.53
server=/22.172.in-addr.arpa/172.23.0.53
server=/23.172.in-addr.arpa/172.23.0.53
```
in `dnsmasq.conf`.

## PowerDNS recursor
Add this to /etc/powerdns/recursor.conf (at least in Debian and CentOS), the **forward-zone-recurse** is _**one line**_.

```
dont-query=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10
forward-zones-recurse=dn42=172.23.0.53,hack=172.23.0.53,ffhh=172.23.0.53,ffac=172.23.0.53,020=172.23.0.53,adm=172.23.0.53,ffa=172.23.0.53,ffhb=172.23.0.53,ffc=172.23.0.53,ffda=172.23.0.53,ffdh=172.23.0.53,ff3l=172.23.0.53,fffl=172.23.0.53,ffffm=172.23.0.53,fffr=172.23.0.53,fffd=172.23.0.53,ffgl=172.23.0.53,fflln=172.23.0.53,ffbcd=172.23.0.53,ffbgl=172.23.0.53,ffgoe=172.23.0.53,ffgt=172.23.0.53,ffh=172.23.0.53,helgo=172.23.0.53,ffhef=172.23.0.53,ffj=172.23.0.53,ffka=172.23.0.53,ffki=172.23.0.53,ffhl=172.23.0.53,fflux=172.23.0.53,ffms=172.23.0.53,mueritz=172.23.0.53,ffnord=172.23.0.53,ffnw=172.23.0.53,ffoh=172.23.0.53,ffpb=172.23.0.53,ffpi=172.23.0.53,ffrade=172.23.0.53,ffrgb=172.23.0.53,ffrg=172.23.0.53,rzl=172.23.0.53,ffsaar=172.23.0.53,fftr=172.23.0.53,fftdf=172.23.0.53,ffwk=172.23.0.53,ffgro=172.23.0.53,ffwk=172.23.0.53,ffwp=172.23.0.53,ffw=172.23.0.53,20.172.in-addr.arpa=172.23.0.53,22.172.in-addr.arpa=172.23.0.53,23.172.in-addr.arpa=172.23.0.53,31.172.in-addr.arpa=172.23.0.53,c.f.ip6.arpa=172.23.0.53
```

## MaraDNS
Put this in your mararc:

```
ipv4_alias["dn42_root"] = "172.23.0.53"
root_servers["dn42."] = "dn42_root"
root_servers["20.172.in-addr.arpa."] = "dn42_root"
root_servers["22.172.in-addr.arpa."] = "dn42_root"
root_servers["23.172.in-addr.arpa."] = "dn42_root"
```

## Unbound

`unbound.conf` for forwarding requests to `172.23.0.53`.


```
server:
      domain-insecure: "dn42"
      domain-insecure: "20.172.in-addr.arpa"
      domain-insecure: "21.172.in-addr.arpa"
      domain-insecure: "22.172.in-addr.arpa"
      domain-insecure: "23.172.in-addr.arpa"
      domain-insecure: "d.f.ip6.arpa"
      local-zone: "20.172.in-addr.arpa." nodefault
      local-zone: "21.172.in-addr.arpa." nodefault
      local-zone: "22.172.in-addr.arpa." nodefault
      local-zone: "23.172.in-addr.arpa." nodefault
      local-zone: "d.f.ip6.arpa." nodefault

forward-zone: 
      name: "dn42"
      forward-addr: fd42:d42:d42:54::1
      forward-addr: 172.23.0.53

forward-zone: 
      name: "20.172.in-addr.arpa"
      forward-addr: fd42:d42:d42:54::1
      forward-addr: 172.23.0.53

forward-zone: 
      name: "21.172.in-addr.arpa"
      forward-addr: fd42:d42:d42:54::1
      forward-addr: 172.23.0.53

forward-zone: 
      name: "22.172.in-addr.arpa"
      forward-addr: fd42:d42:d42:54::1
      forward-addr: 172.23.0.53

forward-zone: 
      name: "23.172.in-addr.arpa"
      forward-addr: fd42:d42:d42:54::1
      forward-addr: 172.23.0.53

forward-zone:
      name: "d.f.ip6.arpa"
      forward-addr: fd42:d42:d42:54::1
      forward-addr: 172.23.0.53
```

## JunOS (SRX 12.1X46)
Should also work in 12.1X44 and 12.1X45. After making the changes below you may need to run:
```
restart named-service
```
Config (vlan.0 is presumed to be your LAN/Trust interface)
```
system {
   services {
      dns {
         dns-proxy {
            interface {
               vlan.0;
            }
        default-domain dn42 {
           forwarders {
              172.23.0.53;
           }
        }
        default-domain 20.172.in-addr.arpa {
               forwarders {
                  172.23.0.53;
               }
            }
        default-domain 22.172.in-addr.arpa {
               forwarders {
                  172.23.0.53;
               }
            }
            default-domain 23.172.in-addr.arpa {
               forwarders {
                  172.23.0.53;
               }
            }
     }
      }
   }
}
```

## MS DNS
Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa" using 172.23.0.53 as forwarder. Ignore the error message that the server is not authoritative.
Rearrainge stuff 2015-01-01 12:34:15 -07:00			`# Forwarder setup`

old -> new DNS: fd42:d42:d42:{53 -> 54}::1 2020-03-03 20:06:44 +00:00			Configuration of common resolver softwares, to forward DNS queries for `.dn42` (and reverse DNS) to `fd42:d42:d42:54::1` (or `172.23.0.53`).
Rearrainge stuff 2015-01-01 12:34:15 -07:00
			`## BIND`

			`If you already run a local DNS server, you can tell it to query the dn42 anycast servers for the relevant domains`
Updated Configuration (markdown) 2019-06-02 10:13:31 +00:00			`by adding the following to /etc/bind/named.conf.local`
Rearrainge stuff 2015-01-01 12:34:15 -07:00
			```
			`zone "dn42" {`
			`type forward;`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`forwarders { 172.23.0.53; };`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			`};`
Updated Configuration (markdown) 2015-08-22 22:44:42 +02:00			`zone "20.172.in-addr.arpa" {`
			`type forward;`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`forwarders { 172.23.0.53; };`
Updated Configuration (markdown) 2015-08-22 22:44:42 +02:00			`};`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			`zone "22.172.in-addr.arpa" {`
			`type forward;`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`forwarders { 172.23.0.53; };`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			`};`
			`zone "23.172.in-addr.arpa" {`
			`type forward;`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`forwarders { 172.23.0.53; };`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			`};`
			```

Updated Configuration (markdown) 2019-06-02 10:13:31 +00:00			Note: With DNSSEC enabled, bind might refuse to accept query results from the dn42 zone: `validating dn42/SOA: got insecure response; parent indicates it should be secure`.

Rearrainge stuff 2015-01-01 12:34:15 -07:00			`## dnsmasq`

			`If you are running dnsmasq under openwrt, you just have to add`

			```
			`config dnsmasq`
			`option boguspriv '0'`
			`option rebind_protection '1'`
			`list rebind_domain 'dn42'`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`list server '/dn42/172.23.0.53'`
			`list server '/20.172.in-addr.arpa/172.23.0.53'`
			`list server '/22.172.in-addr.arpa/172.23.0.53'`
			`list server '/23.172.in-addr.arpa/172.23.0.53'`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			```

included restart into the `dnsmasq restart` command 2017-08-21 03:39:52 +00:00			to `/etc/config/dhcp` and run `/etc/init.d/dnsmasq restart`. After that you are able to resolve `.dn42`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			`with the anycast DNS-Server, while your normal requests go to your standard DNS-resolver.`

			`Attention: If you go with the default config you'll have to disable "boguspriv" in the first dnsmasq config section.`

			`For normal dnsmasq use`

			```
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`server=/dn42/172.23.0.53`
			`server=/20.172.in-addr.arpa/172.23.0.53`
			`server=/22.172.in-addr.arpa/172.23.0.53`
			`server=/23.172.in-addr.arpa/172.23.0.53`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			```
			in `dnsmasq.conf`.

			`## PowerDNS recursor`
Updated Configuration (markdown) 2015-06-16 19:04:37 +00:00			`Add this to /etc/powerdns/recursor.conf (at least in Debian and CentOS), the forward-zone-recurse is _one line_.`
Rearrainge stuff 2015-01-01 12:34:15 -07:00
			```
			`dont-query=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			forward-zones-recurse=dn42=172.23.0.53,hack=172.23.0.53,ffhh=172.23.0.53,ffac=172.23.0.53,020=172.23.0.53,adm=172.23.0.53,ffa=172.23.0.53,ffhb=172.23.0.53,ffc=172.23.0.53,ffda=172.23.0.53,ffdh=172.23.0.53,ff3l=172.23.0.53,fffl=172.23.0.53,ffffm=172.23.0.53,fffr=172.23.0.53,fffd=172.23.0.53,ffgl=172.23.0.53,fflln=172.23.0.53,ffbcd=172.23.0.53,ffbgl=172.23.0.53,ffgoe=172.23.0.53,ffgt=172.23.0.53,ffh=172.23.0.53,helgo=172.23.0.53,ffhef=172.23.0.53,ffj=172.23.0.53,ffka=172.23.0.53,ffki=172.23.0.53,ffhl=172.23.0.53,fflux=172.23.0.53,ffms=172.23.0.53,mueritz=172.23.0.53,ffnord=172.23.0.53,ffnw=172.23.0.53,ffoh=172.23.0.53,ffpb=172.23.0.53,ffpi=172.23.0.53,ffrade=172.23.0.53,ffrgb=172.23.0.53,ffrg=172.23.0.53,rzl=172.23.0.53,ffsaar=172.23.0.53,fftr=172.23.0.53,fftdf=172.23.0.53,ffwk=172.23.0.53,ffgro=172.23.0.53,ffwk=172.23.0.53,ffwp=172.23.0.53,ffw=172.23.0.53,20.172.in-addr.arpa=172.23.0.53,22.172.in-addr.arpa=172.23.0.53,23.172.in-addr.arpa=172.23.0.53,31.172.in-addr.arpa=172.23.0.53,c.f.ip6.arpa=172.23.0.53
Rearrainge stuff 2015-01-01 12:34:15 -07:00			```

			`## MaraDNS`
			`Put this in your mararc:`

			```
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`ipv4_alias["dn42_root"] = "172.23.0.53"`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			`root_servers["dn42."] = "dn42_root"`
Updated Configuration (markdown) 2015-08-22 22:44:42 +02:00			`root_servers["20.172.in-addr.arpa."] = "dn42_root"`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			`root_servers["22.172.in-addr.arpa."] = "dn42_root"`
			`root_servers["23.172.in-addr.arpa."] = "dn42_root"`
			```

			`## Unbound`

Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`unbound.conf` for forwarding requests to `172.23.0.53`.
Rearrainge stuff 2015-01-01 12:34:15 -07:00

			```
			`server:`
			`domain-insecure: "dn42"`
overhaul unbound configuration 2018-01-01 02:04:51 +00:00			`domain-insecure: "20.172.in-addr.arpa"`
			`domain-insecure: "21.172.in-addr.arpa"`
			`domain-insecure: "22.172.in-addr.arpa"`
			`domain-insecure: "23.172.in-addr.arpa"`
			`domain-insecure: "d.f.ip6.arpa"`
Updated Configuration (markdown) 2015-08-22 22:44:42 +02:00			`local-zone: "20.172.in-addr.arpa." nodefault`
overhaul unbound configuration 2018-01-01 02:04:51 +00:00			`local-zone: "21.172.in-addr.arpa." nodefault`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			`local-zone: "22.172.in-addr.arpa." nodefault`
			`local-zone: "23.172.in-addr.arpa." nodefault`
			`local-zone: "d.f.ip6.arpa." nodefault`

			`forward-zone:`
			`name: "dn42"`
old -> new DNS: fd42:d42:d42:{53 -> 54}::1 2020-03-03 20:06:44 +00:00			`forward-addr: fd42:d42:d42:54::1`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`forward-addr: 172.23.0.53`
Rearrainge stuff 2015-01-01 12:34:15 -07:00
Updated Configuration (markdown) 2015-08-22 22:44:42 +02:00			`forward-zone:`
			`name: "20.172.in-addr.arpa"`
old -> new DNS: fd42:d42:d42:{53 -> 54}::1 2020-03-03 20:06:44 +00:00			`forward-addr: fd42:d42:d42:54::1`
overhaul unbound configuration 2018-01-01 02:04:51 +00:00			`forward-addr: 172.23.0.53`

			`forward-zone:`
			`name: "21.172.in-addr.arpa"`
old -> new DNS: fd42:d42:d42:{53 -> 54}::1 2020-03-03 20:06:44 +00:00			`forward-addr: fd42:d42:d42:54::1`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`forward-addr: 172.23.0.53`
Updated Configuration (markdown) 2015-08-22 22:44:42 +02:00
Rearrainge stuff 2015-01-01 12:34:15 -07:00			`forward-zone:`
			`name: "22.172.in-addr.arpa"`
old -> new DNS: fd42:d42:d42:{53 -> 54}::1 2020-03-03 20:06:44 +00:00			`forward-addr: fd42:d42:d42:54::1`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`forward-addr: 172.23.0.53`
Rearrainge stuff 2015-01-01 12:34:15 -07:00
			`forward-zone:`
			`name: "23.172.in-addr.arpa"`
old -> new DNS: fd42:d42:d42:{53 -> 54}::1 2020-03-03 20:06:44 +00:00			`forward-addr: fd42:d42:d42:54::1`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`forward-addr: 172.23.0.53`
Rearrainge stuff 2015-01-01 12:34:15 -07:00
			`forward-zone:`
			`name: "d.f.ip6.arpa"`
old -> new DNS: fd42:d42:d42:{53 -> 54}::1 2020-03-03 20:06:44 +00:00			`forward-addr: fd42:d42:d42:54::1`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`forward-addr: 172.23.0.53`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			```

			`## JunOS (SRX 12.1X46)`
			`Should also work in 12.1X44 and 12.1X45. After making the changes below you may need to run:`
			```
			`restart named-service`
			```
			`Config (vlan.0 is presumed to be your LAN/Trust interface)`
			```
			`system {`
			`services {`
			`dns {`
			`dns-proxy {`
			`interface {`
			`vlan.0;`
			`}`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`default-domain dn42 {`
			`forwarders {`
			`172.23.0.53;`
			`}`
			`}`
			`default-domain 20.172.in-addr.arpa {`
Updated Configuration (markdown) 2015-08-22 22:44:42 +02:00			`forwarders {`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`172.23.0.53;`
Updated Configuration (markdown) 2015-08-22 22:44:42 +02:00			`}`
			`}`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`default-domain 22.172.in-addr.arpa {`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			`forwarders {`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`172.23.0.53;`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			`}`
Updated Configuration (markdown) 2015-08-22 22:44:42 +02:00			`}`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			`default-domain 23.172.in-addr.arpa {`
			`forwarders {`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`172.23.0.53;`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			`}`
			`}`
Replace old DNS Server with 172.23.0.53 2016-12-29 16:48:31 +00:00			`}`
Rearrainge stuff 2015-01-01 12:34:15 -07:00			`}`
			`}`
			`}`
Updated Configuration (markdown) 2017-07-03 13:25:26 +02:00			```

			`## MS DNS`
			`Add a "Conditional Forward" (de: "Bedingte Weiterleitung") for each of "dn42", "20.172.in-addr.arpa", "22.172.in-addr.arpa", "23.172.in-addr.arpa" using 172.23.0.53 as forwarder. Ignore the error message that the server is not authoritative.`