BIND (DNS)

Manual record update

nsupdate
    > server hst03.company.ru
    > zone airpbx.ru
    > update add 90.16.127.98.in-addr.arpa 600 IN PTR testr.company.ru.
    > send
    > update add testr.company.ru. 600 IN A 98.127.16.90
    > send
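An added example (not part of the original notes) that generates the nsupdate input for a host's A record and its matching PTR record. It makes explicit a rule the session above depends on: every `send` is one dynamic-update transaction, and a transaction may only modify a single zone, so the forward record and the reverse record are sent separately, each under its own `zone` statement (if `zone` is omitted, nsupdate finds the zone itself via SOA lookups). The server, host and zone names are constructed placeholders.

```python
"""Build nsupdate input for a host's A record and its PTR record.

Added example, not from the original notes. Server, host and zone names
are constructed placeholders.
"""
import ipaddress


def reverse_zone_for(address, prefix_len=24):
    """Return the in-addr.arpa zone that contains the PTR for an IPv4 address.

    IPv4 reverse zones are delegated on octet boundaries, so the zone is the
    reversed network octets: a /24 gives z.y.x.in-addr.arpa, a /16 gives
    y.x.in-addr.arpa.
    """
    if prefix_len not in (8, 16, 24):
        raise ValueError("IPv4 reverse zones are delegated on octet boundaries")
    network = ipaddress.ip_network(f"{address}/{prefix_len}", strict=False)
    octets = str(network.network_address).split(".")[: prefix_len // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def nsupdate_script(server, fqdn, address, forward_zone, ttl=600, prefix_len=24):
    """Return the text to feed to `nsupdate` on stdin.

    Each `send` submits one dynamic update transaction, and a transaction may
    only touch a single zone, so the A record (forward zone) and the PTR
    record (reverse zone) are sent as two transactions with their own `zone`
    statements. The `update delete` lines make the script safe to re-run.
    """
    fqdn = fqdn.rstrip(".") + "."
    addr = ipaddress.ip_address(address)
    ptr_name = addr.reverse_pointer + "."      # e.g. 90.100.51.198.in-addr.arpa.
    lines = [
        f"server {server}",
        f"zone {forward_zone.rstrip('.')}",
        f"update delete {fqdn} A",
        f"update add {fqdn} {ttl} IN A {addr}",
        "send",
        f"zone {reverse_zone_for(address, prefix_len)}",
        f"update delete {ptr_name} PTR",
        f"update add {ptr_name} {ttl} IN PTR {fqdn}",
        "send",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Pipe the output into `nsupdate -k <tsig-key-file>` to apply it.
    print(nsupdate_script("ns1.example.net", "host1.example.net",
                          "198.51.100.90", "example.net"), end="")
```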

Checking the BIND configuration

named-checkconf /var/named/etc/named.conf

Reloading the BIND configuration

rndc reload

BIND DNSSEC

Enable DNSSEC for a zone (options in the zone statement in named.conf)

inline-signing yes;
dnssec-policy "default";

Check BIND config

named-checkconf /etc/bind/named.conf
named-checkzone domain.com /var/lib/bind/masters/domain.com
rndc reconfig

BIND zone status (zone domain.com, class IN, view public)

rndc zonestatus domain.com IN public

BIND DNSSEC status

rndc dnssec -status domain.com IN public

dig queries with DNSSEC records

dig @127.0.0.1 domain.com +dnssec +multiline
dig @127.0.0.1 domain.com DNSKEY +multiline

dig query: generate the DS record to publish in the parent zone

(d=domain.com; dig +norecurse "$d". DNSKEY | dnssec-dsfromkey -f - "$d")
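To see what `dnssec-dsfromkey` computes in the pipeline above, here is an added Python example (not part of the original notes) that derives a DS record from a one-line DNSKEY record: the RFC 4034 key tag over the DNSKEY RDATA, and a digest over the canonical (lowercase) wire-format owner name followed by the RDATA. The DNSKEY used as input is constructed sample data with dummy key bytes, not a real key; the derivation itself is the standard one and can be checked against `dnssec-dsfromkey` on a real key.

```python
"""Derive a DS record from a DNSKEY record, the way dnssec-dsfromkey does.

Added example, not from the original notes. SAMPLE_DNSKEY is constructed
data with dummy key bytes; only the derivation (RFC 4034) is real.
"""
import base64
import hashlib

# DS digest type -> hash function (RFC 4034 / RFC 4509 / RFC 6605)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample: KSK flags (257), protocol 3, algorithm 13
# (ECDSAP256SHA256) and 64 dummy key bytes. Not a real public key.
SAMPLE_DNSKEY = ("example.com. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes(range(1, 65))).decode())


def owner_to_wire(owner):
    """Canonical wire form of an owner name: lowercase labels, each prefixed
    by its length byte, terminated by the root label (a zero byte)."""
    stripped = owner.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def parse_dnskey(line):
    """Parse a one-line presentation-format DNSKEY record
    ('owner [ttl] [IN] DNSKEY flags protocol algorithm base64...') into
    (owner, algorithm, rdata_wire). Join dig +multiline output first."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    public_key = base64.b64decode("".join(tokens[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    return tokens[0], algorithm, rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms
    except the obsolete RSA/MD5 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(line, digest_type=2):
    """Return the DS record for a DNSKEY: digest over owner-wire || RDATA."""
    owner, algorithm, rdata = parse_dnskey(line)
    digest = DIGEST_TYPES[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    name = owner.rstrip(".").lower() + "."
    return f"{name} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_DNSKEY))
```

The owner name is lowercased before hashing because DS digests are defined over the canonical form; that is why `EXAMPLE.COM.` and `example.com.` yield the same DS.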

DNSSEC web check

https://dnsviz.net/d/pluto.prosp.domain.com/dnssec/

BIND: changing $ORIGIN inside a zone file

Zone file:

$ORIGIN domain.com.
time                    CNAME   ntp.in
$TTL 43200      ; 12 hours
alias1                 A       1.2.3.4
$TTL 3600       ; 1 hour
alias2                  A       11.22.33.44
$ORIGIN alias2.domain.com.
$TTL 600        ; 10 minutes
*                       CNAME   alias2.domain.com.
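An added example (not code from the original notes) that walks a zone-file fragment the way named's master-file parser does: it tracks `$ORIGIN` and `$TTL` and expands every relative owner name and name-valued RDATA (CNAME, NS, PTR) to its fully qualified form. Run on the fragment above, which is embedded as sample input with an assumed default origin of domain.com, it shows what each line really defines: `time` becomes time.domain.com., the wildcard becomes *.alias2.domain.com. with TTL 600, and a target without a trailing dot such as `ntp.in` is relative to the current origin and becomes ntp.in.domain.com. The first record has no `$TTL` in effect yet (shown as None), so named takes the TTL from the SOA minimum field.

```python
"""Expand $ORIGIN/$TTL-relative lines of a BIND zone file to FQDNs.

Added example, not from the original notes. ZONE_FRAGMENT is the fragment
discussed on this page; the default origin is assumed to be domain.com.
"""

ZONE_FRAGMENT = """\
$ORIGIN domain.com.
time                    CNAME   ntp.in
$TTL 43200      ; 12 hours
alias1                 A       1.2.3.4
$TTL 3600       ; 1 hour
alias2                  A       11.22.33.44
$ORIGIN alias2.domain.com.
$TTL 600        ; 10 minutes
*                       CNAME   alias2.domain.com.
"""

TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
NAME_RDATA_TYPES = {"CNAME", "NS", "PTR", "DNAME"}  # RDATA is one domain name
CLASSES = {"IN", "CH", "HS"}


def qualify(name, origin):
    """Make a name absolute: '@' is the origin, a trailing dot is already
    absolute, anything else gets the current origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_ttl(text):
    """Parse a TTL such as 600, 10m or 12h into seconds."""
    text = text.lower()
    if text[-1] in TTL_UNITS:
        return int(text[:-1]) * TTL_UNITS[text[-1]]
    return int(text)


def expand_zone(text, default_origin):
    """Return a list of (owner, ttl, type, rdata) with absolute names.

    ttl is None when neither a $TTL directive nor an explicit record TTL is
    in effect; named then falls back to the SOA minimum.
    """
    origin = default_origin.rstrip(".") + "."
    default_ttl = None
    last_owner = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = qualify(tokens[1], origin)      # a relative $ORIGIN is itself relative
            continue
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        # A line starting with whitespace re-uses the previous owner name.
        owner = last_owner if raw[0].isspace() else qualify(tokens.pop(0), origin)
        last_owner = owner
        ttl = default_ttl
        if tokens and tokens[0][0].isdigit():        # optional explicit TTL
            ttl = parse_ttl(tokens.pop(0))
        if tokens and tokens[0].upper() in CLASSES:  # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        if rtype in NAME_RDATA_TYPES:
            rdata = qualify(rdata, origin)
        records.append((owner, ttl, rtype, rdata))
    return records


if __name__ == "__main__":
    for record in expand_zone(ZONE_FRAGMENT, "domain.com"):
        print(record)
```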

DNS length limit

A single character string in a DNS record is limited to 255 characters. If a record value is longer, split it into several quoted strings. The typical case is a long TXT record such as an SPF policy:

"v=spf1 ip4:1.1.1.0/24 include:spf.protection.outlook.com " "include:amazonses.com"

Note that the strings are concatenated directly, with no separator inserted, so the space between the two parts has to be written into the first string yourself.
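An added example (not code from the original notes) that does the splitting and the reverse: it cuts a long TXT value into strings of at most 255 bytes, renders them as quoted zone-file RDATA, parses such RDATA back into its strings, and joins them the way an SPF or DKIM consumer does. The SPF record from the note above is embedded as sample input; running the parser on it with and without the trailing space shows why the space matters (without it the result contains `outlook.cominclude:`). The long SPF policy used in the test is constructed data.

```python
"""Split a long TXT value into 255-byte strings and parse it back.

Added example, not from the original notes. SPF_RECORD is the record quoted
in the note above; any longer SPF policy used with it is constructed data.
"""

MAX_STRING = 255  # RFC 1035 <character-string>: one length byte, so at most 255 bytes


def split_txt(value, limit=MAX_STRING):
    """Cut `value` into pieces of at most `limit` bytes.

    Consumers (SPF, DKIM, ...) concatenate the pieces with nothing in
    between, so the cut may fall anywhere, even mid-token. Only ASCII is
    handled because the limit is in bytes, not characters.
    """
    if not value.isascii():
        raise ValueError("this helper handles ASCII TXT values only")
    return [value[i:i + limit] for i in range(0, len(value), limit)] or [""]


def quote_string(s):
    """Quote one character string for a zone file, escaping backslash and
    double quote."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_zone_rdata(value, limit=MAX_STRING):
    """Render `value` as TXT RDATA: one or more quoted strings."""
    return " ".join(quote_string(p) for p in split_txt(value, limit))


def parse_zone_rdata(rdata):
    """Parse the quoted strings of a TXT RDATA field into a list.

    Handles backslash-escaped quotes and backslashes; decimal escapes of the
    form backslash-DDD and unquoted tokens (both legal in master files) are
    not supported here.
    """
    strings, i, n = [], 0, len(rdata)
    while i < n:
        if rdata[i].isspace():
            i += 1
            continue
        if rdata[i] != '"':
            raise ValueError(f"expected opening quote at offset {i}")
        i += 1
        buf = []
        while i < n and rdata[i] != '"':
            if rdata[i] == "\\" and i + 1 < n:
                i += 1                    # take the escaped character literally
            buf.append(rdata[i])
            i += 1
        if i >= n:
            raise ValueError("unterminated string")
        i += 1                            # closing quote
        s = "".join(buf)
        if len(s.encode()) > MAX_STRING:
            raise ValueError(f"string of {len(s.encode())} bytes exceeds {MAX_STRING}")
        strings.append(s)
    return strings


def join_txt(strings):
    """What a consumer sees: the strings concatenated with no separator."""
    return "".join(strings)


# The record from the note above. The trailing space inside the first string
# is what keeps "outlook.com" and "include:" apart once the strings are joined.
SPF_RECORD = ('"v=spf1 ip4:1.1.1.0/24 include:spf.protection.outlook.com " '
              '"include:amazonses.com"')


if __name__ == "__main__":
    print(join_txt(parse_zone_rdata(SPF_RECORD)))
    print(to_zone_rdata("v=spf1 " + " ".join(f"ip4:10.0.{i}.0/24" for i in range(40)) + " -all"))
```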

BIND NXDOMAIN response for specified domains

To make BIND return NXDOMAIN for specific names using a Response Policy Zone (RPZ), add those names to the RPZ zone file. Here is how to implement the DNS change Apple recommends for blocking iCloud Private Relay on a network: mask.icloud.com and mask-h2.icloud.com must resolve to NXDOMAIN.

  1. Open the RPZ zone file. The example below assumes it is called rpz.local and lives in /etc/bind/; adjust the path for your setup.

    sudo nano /etc/bind/rpz.local
    
  2. Add the RPZ rules. In an RPZ, an owner name without a trailing dot is relative to the zone apex, and a CNAME pointing at the root name "." means NXDOMAIN:

    ; RPZ records for blocking Apple Private Relay
    $TTL 60
    @ IN SOA localhost. root.localhost. (
          2023101501   ; serial number (increase it on every change)
          1h           ; refresh
          15m          ; retry
          30d          ; expiry
          2h           ; minimum
    )
    ; Define the zone's nameserver (the "@" owner is required for an apex record)
    @ IN NS localhost.
    
    ; Block domains by returning NXDOMAIN
    mask.icloud.com      CNAME   .   ; Returns NXDOMAIN for mask.icloud.com
    mask-h2.icloud.com   CNAME   .   ; Returns NXDOMAIN for mask-h2.icloud.com
    
  3. Check the zone and reload BIND. named-checkzone catches syntax errors before they take the zone out of service; rndc reload then applies the change:

    named-checkzone rpz.local /etc/bind/rpz.local
    sudo rndc reload
    
  4. Test the configuration. Use dig to check that the server answers NXDOMAIN for the configured names:

    dig @your_dns_server mask.icloud.com
    dig @your_dns_server mask-h2.icloud.com

The status in both responses should be NXDOMAIN.
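An added example (not code from the original notes) that generates an RPZ zone like the one above from a list of names and keeps its serial moving forward. It normalises each name into a trigger (lowercase, no trailing dot, since an absolute name would define a rule for a different name and never match), emits the `CNAME .` rule that produces NXDOMAIN, optionally adds a wildcard rule for subdomains, and computes the next YYYYMMDDnn serial without ever going backwards. The two Apple names are from the note above; the SOA contact and the serial are constructed sample values.

```python
"""Generate an RPZ zone that returns NXDOMAIN for a list of names.

Added example, not from the original notes. The two Apple names are from
the note above; the SOA contact and serial are constructed sample values.
"""
import datetime


def next_serial(current, today_yyyymmdd=None):
    """Return the next date-based serial (YYYYMMDDnn).

    A new day starts at nn=01; on the same day, or if the current serial is
    already ahead of today's date, just add one so the serial never goes
    backwards (secondaries ignore a zone whose serial did not increase).
    """
    if today_yyyymmdd is None:
        today_yyyymmdd = int(datetime.date.today().strftime("%Y%m%d"))
    candidate = today_yyyymmdd * 100 + 1
    return candidate if candidate > current else current + 1


def rpz_trigger(name):
    """Normalise a domain into an RPZ trigger owner name.

    Triggers are relative to the RPZ apex, so the name must not end in a
    dot: an absolute name would define a rule for a different name and
    never match.
    """
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if not name or any(not label for label in labels):
        raise ValueError(f"invalid domain: {name!r}")
    return name


def build_rpz_zone(domains, serial, ttl=60, include_subdomains=False):
    """Return zone-file text mapping each domain to NXDOMAIN (CNAME .).

    With include_subdomains=True a wildcard trigger is added as well so
    that names below the domain are caught too.
    """
    lines = [
        f"$TTL {ttl}",
        "@   IN SOA localhost. root.localhost. (",
        f"        {serial}  ; serial",
        "        1h  ; refresh",
        "        15m ; retry",
        "        30d ; expire",
        "        2h  ; minimum",
        "        )",
        "@   IN NS  localhost.",
        "",
        "; Triggers: CNAME to the root name (.) means NXDOMAIN",
    ]
    for domain in domains:
        trigger = rpz_trigger(domain)
        lines.append(f"{trigger:<40} CNAME .")
        if include_subdomains:
            lines.append(f"{'*.' + trigger:<40} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    serial = next_serial(2023101501)
    print(build_rpz_zone(["mask.icloud.com", "mask-h2.icloud.com"], serial), end="")
```

The zone file alone does nothing: named.conf must load it with a `zone "rpz.local"` statement and list it in a `response-policy { zone "rpz.local"; };` statement in the options (or view) block. Run `named-checkzone rpz.local /etc/bind/rpz.local` on the generated file before `rndc reload`.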