authorgennyble <gen@nyble.dev>2026-03-27 21:58:14 -0500
committergennyble <gen@nyble.dev>2026-03-27 21:58:14 -0500
commitaa78fb48a1a66932a73dba26fb7049372bfa5887 (patch)
treea30ba29bbcc2b2be243dad5bba3c9752f5a19c75
parent76cd514a475bb0a1b02315dbed4a4ff54d275a02 (diff)
add lain dns configuration lain
-rw-r--r--dns/README.md35
-rw-r--r--dns/etc/named-private.conf33
-rw-r--r--dns/etc/named-public.conf28
-rw-r--r--dns/etc/systemd/system/named-private.service10
-rw-r--r--dns/etc/systemd/system/named-public.service10
-rw-r--r--dns/var/named/my.dreamy.place.zone15
-rw-r--r--dns/var/named/private/my.dreamy.place.local-zone15
7 files changed, 146 insertions, 0 deletions
diff --git a/dns/README.md b/dns/README.md
new file mode 100644
index 0000000..87f0056
--- /dev/null
+++ b/dns/README.md
@@ -0,0 +1,35 @@
+Details of the DNS configuration for lain *(my homeserver)*.
+
+The files in this directory will allow you to spin up two instances of
+the BIND9 nameserver *(binary is "named")*
+
+These are configured for my IP addresses and domain names, but should
+act as a good template.
+
+If you have questions, feel free to reach out to me via contact info
+you have for me, or through [gen@nyble.dev](mailto:gen@nyble.dev).
+
+**configuration**  
+The server has two IP addresses provisioned to it. In this case, those
+are `192.168.88.27` as the "primary" address, and `192.168.88.53` as the
+"secondary" address that I only use for the local DNS server.
+
+***primary IP address***  
+For my configuration, this is `192.168.88.27`. This is the primary IP
+of the server and what I have my router port forwarded to pass tcp
+80/443 *(http/https)* and udp 53 *(dns)* to.
+
+This address is also what the public instance of BIND listens on. The
+associated files are `etc/named-public.conf`, the files in `var/named/`
+excluding the `private` subdirectory, and
+`etc/systemd/system/named-public.service`.
+
+***secondary IP address***  
+This IP is only used for local DNS resolution. It will do recursive
+resolution on my local network, `192.168.88.0/24`, and answer queries
+for the `my.dreamy.place` subdomain *(responding with the primary IP*
+*for `A` records, and the secondary IP for `NS` records)*
+
+Associated files are `etc/named-private.conf`, the files in
+`var/named/private/`, and the `etc/systemd/system/named-private.service`
+systemd service file.
diff --git a/dns/etc/named-private.conf b/dns/etc/named-private.conf
new file mode 100644
index 0000000..df0e9a0
--- /dev/null
+++ b/dns/etc/named-private.conf
@@ -0,0 +1,33 @@
+options {
+    # where will zonefiles be located for authoritative queries?
+    directory "/var/named/private";
+    pid-file "/run/named/named-private.pid";
+
+    # these are where recursive DNS queries are forwarded. The first
+    # entry here is my router's DNS, the next three are well-known,
+    # popular, open resolvers. (clouflare, quad9, and google)
+    forwarders {
+        192.168.88.1;
+        1.1.1.1;
+        9.9.9.10;
+        8.8.8.8;
+    };
+
+    # this is the "alternate" IP address that I only use for local-dns
+    listen-on { 192.168.88.53; };
+
+    # only allow recursive lookup from my local network.
+    allow-recursion { 192.168.88.0/24; };
+    allow-transfer { none; };
+    allow-update { none; };
+
+    version none;
+    hostname none;
+    server-id none;
+};
+
+# specifying the zonefile for the domain i am using
+zone "my.dreamy.place" IN {
+	type master;
+	file "my.dreamy.place.local-zone";
+};
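Review bot: Neither `options` block in this commit sets `listen-on-v6`, and in current BIND releases the ARM gives the default as all IPv6 interfaces (older releases defaulted to none, so confirm against the installed version), which means this instance would accept queries on every IPv6 address rather than only 192.168.88.53, and the second instance to start would contend with the first for [::]:53; add `listen-on-v6 { none; };` beside `listen-on` here and in named-public.conf. This private instance also leaves `allow-query` at its default of any, so anything that can reach 192.168.88.53 may query the local zone and the cache even though recursion itself is limited to 192.168.88.0/24; `allow-query { 192.168.88.0/24; };` would match the intent stated in the comment above `allow-recursion`. The comment on the forwarders describes all four as well-known open resolvers, but 9.9.9.10 is Quad9's unsecured endpoint that does not apply its blocklist or DNSSEC validation (9.9.9.9 does), which is worth stating there so the choice reads as deliberate. Without `forward only;` named falls back to its own full recursion when the forwarders do not answer, which is fine if intended but belongs in that comment too.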
diff --git a/dns/etc/named-public.conf b/dns/etc/named-public.conf
new file mode 100644
index 0000000..ce4ef04
--- /dev/null
+++ b/dns/etc/named-public.conf
@@ -0,0 +1,28 @@
+options {
+    # the default directory for zonefiles, this is okay
+    directory "/var/named";
+    pid-file "/run/named/named-public.pid";
+
+    # this is the "primary" local address of my server; this is the
+    # address I use primarily
+    listen-on { 192.168.88.27; };
+
+    # do not allow recursive resolution. If you only wanted to host an
+    # authoritative zone and did not care about resolving to a local-ip
+    # when on local, you could turn this on but only for your local
+    # network. There are security considerations with running an open
+    # dns resolver.
+    allow-recursion { none; };
+    allow-transfer { none; };
+    allow-update { none; };
+
+    version none;
+    hostname none;
+    server-id none;
+};
+
+# tell named what domain it is authority for and what the zonefile is named
+zone "my.dreamy.place" IN {
+	type master;
+	file "my.dreamy.place.zone";
+};
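Review bot: The public instance relies on `allow-recursion { none; }` while leaving `recursion` at its default of yes, so it is still a recursive server that refuses every client rather than an authoritative-only one; `recursion no;` next to it states that intent directly and is the usual setting for a zone-serving instance reached through a port forward. Because this listener is Internet-reachable according to the README, a response rate limit such as `rate-limit { responses-per-second 10; };` (value to tune) bounds how much traffic a spoofed-source query flood can draw out of the zone. The README in this commit also says the router forwards only UDP 53, yet an authoritative server must answer over TCP 53 as well, since truncated responses and larger answers fall back to TCP; the port forward and this config should agree on that.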
diff --git a/dns/etc/systemd/system/named-private.service b/dns/etc/systemd/system/named-private.service
new file mode 100644
index 0000000..fec5cf7
--- /dev/null
+++ b/dns/etc/systemd/system/named-private.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Private Internet domain name server
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/named -c /etc/named-private.conf -f -u named
+ExecReload=/usr/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
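Review bot: The unit binds named to one specific address but orders only after `network.target`, which does not guarantee that 192.168.88.53 has been configured yet; `Wants=network-online.target` with `After=network-online.target` is the documented way to wait for addresses, and `Restart=on-failure` covers a bind that still fails at boot. The service also applies no systemd sandboxing, so named runs as root until `-u named` takes effect and afterwards is confined only by file permissions; the directives below keep the filesystem read-only apart from the zone directory and the pid directory it must write. named-public.service in this commit has the same shape and should get the same changes. `pid-file` in both configs points under /run/named, a tmpfs path that something must create at boot, presumably the package's tmpfiles entry; verify that before relying on it.
```ini
[Unit]
Description=Private Internet domain name server
Wants=network-online.target
After=network-online.target

[Service]
# … unchanged: ExecStart / ExecReload …
Restart=on-failure
# keep the filesystem read-only for named apart from what it must write:
# the zone directory (managed-keys, journal files) and the pid directory
ProtectSystem=strict
ReadWritePaths=/var/named /run/named
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes

# … unchanged: [Install] …
```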
diff --git a/dns/etc/systemd/system/named-public.service b/dns/etc/systemd/system/named-public.service
new file mode 100644
index 0000000..d4f3ebc
--- /dev/null
+++ b/dns/etc/systemd/system/named-public.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Public Internet domain name server
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/named -c /etc/named-public.conf -f -u named
+ExecReload=/usr/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
diff --git a/dns/var/named/my.dreamy.place.zone b/dns/var/named/my.dreamy.place.zone
new file mode 100644
index 0000000..e768a6a
--- /dev/null
+++ b/dns/var/named/my.dreamy.place.zone
@@ -0,0 +1,15 @@
+$ORIGIN my.dreamy.place.
+$TTL 15m
+
+@ IN SOA ns1.my.dreamy.place hostmaster.dreamy.place (
+	1	; serial
+	1h	; refresh
+	15m	; retry
+	7d	; expire
+	1h	; minimum ttl
+)
+
+	NS	ns1
+	A	160.32.249.182
+
+ns1	A	160.32.249.182
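Review bot: The SOA MNAME and RNAME on the `@ IN SOA` line lack trailing dots, so under `$ORIGIN my.dreamy.place.` they expand to `ns1.my.dreamy.place.my.dreamy.place.` and `hostmaster.dreamy.place.my.dreamy.place.`; the MNAME then disagrees with the `NS ns1` record below it and the hostmaster mailbox names a host that does not exist. Write them fully qualified, `@ IN SOA ns1.my.dreamy.place. hostmaster.dreamy.place. (`, or shorten the MNAME to the relative `ns1`. The same line appears in dns/var/named/private/my.dreamy.place.local-zone in this commit. The last SOA field labelled `; minimum ttl` is the negative-caching TTL (RFC 2308) rather than a minimum for the zone's records; `; negative cache ttl` would avoid the common misreading.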
diff --git a/dns/var/named/private/my.dreamy.place.local-zone b/dns/var/named/private/my.dreamy.place.local-zone
new file mode 100644
index 0000000..4d6dae0
--- /dev/null
+++ b/dns/var/named/private/my.dreamy.place.local-zone
@@ -0,0 +1,15 @@
+$ORIGIN my.dreamy.place.
+$TTL 15m
+
+@ IN SOA ns1.my.dreamy.place hostmaster.dreamy.place (
+	2	; serial
+	1h	; refresh
+	15m	; retry
+	7d	; expire
+	1h	; minimum ttl
+)
+
+	NS	ns1
+	A	192.168.88.27
+
+ns1	A	192.168.88.53