TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

rfc1035 in-addr.arpa.. more than a /24 tricks/suggestions? #856

Closed bcookatpcsd closed 3 months ago

bcookatpcsd commented 4 months ago

The 'age old problem'.. I'm responsible for more than a /24 and want to have proper reverse answers..

This is the simplest explanation..

https://serverfault.com/questions/837680/how-to-make-a-22-reverse-zone-in-bind-255-255-252-0

I have multiple physical locations each with multiple /20

BLDG0 10.20.0/20 10.120.0/20 10.121.0/20 172.16.0/20

BLDG16 10.20.16/20 10.120.16/20 10.121.16/20 172.16.16/20

(etc) this gives me 64 in-addr.arpa entries per Building..

As a human, sometimes I make typos.. (I'm sure I'm the only one.. )

I don't have a way to automate the creation of these zone files.. (most of them point to an on premise dnsmasq instance which populates the entries and then is referenced via a Technitium FWD)

Do you have any suggestion for an 'auto zone generation' or 'better way to reference the in-addr.arpa /24

Or is just copying and editing the zone file literally the only way..

I found this.. but could not figure out how to actually use it..

Advanced Forwarding
Version 2.0
Provides advanced, bulk conditional forwarding options. Supports creating groups based on client's IP address or subnet to enable different conditional forwarding configuration for each group. Supports AdGuard Upstreams config files.

Note: This app works independent of the DNS server's built-in Conditional Forwarder Zones feature.

I looked into AdGuard(Home?) and it looks like it would support a syntax of:

(etc)

I did install it, but then spent a lot of time trying to figure out how it works.. when I could have probably been finished if I just did it by hand.. (then I wasn't even sure if that was the module's intended use..) etc..

Note: This app works independent of the DNS server's built-in Conditional Forwarder Zones feature. <- I could not figure out what this meant.. or find where it was referenced.. making a zone and using the APP didn't show anything either..

If this is the correct purpose of this.. I could not figure out what needed to be removed or changed in this file:

Edit the dnsApp.config config file below as required by the DNS application. <- also not sure what/why to change in here.. I'm sure this is relevant.. but could not make what I thought/wanted to happen..

I did find the adguard-upstreams.txt within the Advanced Forwarding (docker) directory.. but spent more time than I would like to admit trying to figure it out..

presently I have a few in-addr.arpa domains defined within the text file.. but they do not work as defined

fwiw, I am trying to use this as an authoritative server for these domains.. again; possibly this is not the right 'App' for this..

Thank you in advance either way..

bcookatpcsd commented 4 months ago
{
  "enableForwarding": true,
  "networkGroupMap": {
    "0.0.0.0/0": "everyone",
    "[::]/0": "everyone"
  },
  "groups": [
    {
      "name": "everyone",
      "enableForwarding": true,
      "adguardUpstreams": [
        {
          "proxy": null,
          "dnssecValidation": false,
          "configFile": "adguard-upstreams.txt"
        }
      ]
    }
  ]
}

Do I need to go into Apps, (this app) Config, and Save every time I make changes to the adguard-upstreams.txt file?

ShreyasZare commented 4 months ago

Thanks for the post. Are you looking to create primary zone or conditional forwarder zone in the DNS server?

If you wish to have conditional forwarder zones, then just create one for the subnet with /16 boundary and forward it to the other DNS server managing the reverse zone. This will basically catch your /20 requests and the others and just put the burden of answering them on the forwarder. You can use the Advanced Forwarding app too but it would be complex to set up and maintain.

If you wish to have primary zones to manage these reverse zones, I would suggest that you write a bash script and use curl with the DNS server's HTTP API to create the zone and add any records needed in it. This will be the fastest and most accurate way to create the zones and have them populated.

Do I need to go into Apps, (this app) Config, and Save every time I make changes to the adguard-upstreams.txt file?

The app would check for file's date modified every minute and will reload it automatically.

bcookatpcsd commented 4 months ago

Thank you for the response..

I'm not sure why I thought the txt file would populate the gui Zones tab (it doesn't) .. and I had an extra colon..

ex.

the extra colon seems to have been the issue; I didn't see anywhere an error from parsing the file(s).. does that exist somewhere?

In this issue: https://github.com/TechnitiumSoftware/DnsServer/issues/669#issuecomment-1605305344

would the multiple txt files be caught in the backup? The backup seems to grab the whole dir..

would the syntax for the /20 be:

0/20.64.20.10.in-addr.arpa

?

I don't see any errors (but I didn't before), but this does not seem to work:

[/0/20.64.120.10.in-addr.arpa/]172.16.64.247.531

OR

If when I go into the gui and try and create zone 10.20.64.0/20 it creates

64.20.10.in-addr.arpa (for the /24)

and if I try and add 0/20.64.20.10.in-addr.arpa I get this error

Error! Could not find a part of the path '/etc/dns/zones/0/20.64.20.10.in-addr.arpa.zone'.

(which was the original issue that I thought the Advanced Forward app would do/help with..)

(hopefully this makes sense..)

Thank you (as always) in advance..

ShreyasZare commented 4 months ago

would the multiple txt files be caught in the backup? The backup seems to grab the whole dir..

Yes. The backup process does not understand how the apps operate. It will back up the whole app folder.

Error! Could not find a part of the path '/etc/dns/zones/0/20.64.20.10.in-addr.arpa.zone'.

The name of the zone is used as part of the file name on disk, which is why it's causing this error. Instead of using the / char, you can use something like -, since it's just a convention and not a hard requirement to name the zone that way. So, you can create a zone with a name like 0-20.64.20.10.in-addr.arpa and it will work.

Thank you (as always) in advance..

You're welcome.

bcookatpcsd commented 4 months ago

The name of the zone is used as part of the file name on disk, which is why it's causing this error. Instead of using the / char, you can use something like -, since it's just a convention and not a hard requirement to name the zone that way. So, you can create a zone with a name like 0-20.64.20.10.in-addr.arpa and it will work.

that will work for:

0.64.20.10.in-addr.arpa 1.64.20.10.in-addr.arpa 2.64.20.10.in-addr.arpa .. 79.64.20.10.in-addr.arpa

?

I was hoping to represent that /20 without having to break out each /24


:)

(when I try to delete it.. ) Error! Could not find a part of the path '/etc/dns/zones/0/20.64.20.10.in-addr.arpa.zone'.

when I deleted the 0-20 entry (which didn't seem to work..) it removed the other 0/20

ShreyasZare commented 4 months ago

I replied earlier without understanding your scenario clearly which is why there is some confusion.

Just wanted to say that the DNS server does not understand classless reverse zones. There is no such standard which requires a DNS server to know it. When the server receives a reverse lookup request, it does not know what network prefix that address is using. So there is no way that the DNS server is going to help with regard to this issue.

Since you are using a private IP range, I would suggest that you do not create the reverse zone per physical location. Instead, create one /16 zone (i.e. 20.10.in-addr.arpa) and then get entries added in there as per your needs or forward it to the authoritative server. If you wish to just have forwarder zones then it's even better to forward the entire /8 private range to the authoritative server and let it handle the response.

I would suggest that you give RFC 2317 a read, which explains how to do delegation for classless subnets using CNAME records. But that applies only to the delegation part. Since you are using a private range and not doing any delegation, there is no need to follow it. Just having a reverse zone for /16 or /8 should work.

You will find that RFC 2317 uses / in zone names. It works only since the parent zone has CNAME entries with domain names that use zone names with /. The actual zones with / in the names won't be answering reverse zone requests otherwise without those CNAME entries. Which is why I said earlier that the / is used just as a convention and that you can use the - char too in its place, such that the CNAME at the parent zone uses the same - character.

I hope this clears any confusion.
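As an added example (not code from this thread or from Technitium), the Python helper below works out the two things the thread describes: how many classful reverse zones a /20 or /16 needs (the "64 entries per building" count from the opening post), and the RFC 2317 CNAME glue for a prefix longer than /24, using - instead of / in the child zone name as suggested above. The sample prefixes are the thread's own 10.20.x ranges; the function names are my own.

```python
"""Plan classful reverse zones and RFC 2317 CNAME glue for a prefix.

Added example; not Technitium code. Child zone names use '-' instead of
'/' so the name is also safe as a file name on disk.
"""
import ipaddress


def reverse_zone_name(net):
    """in-addr.arpa name for a network whose prefix sits on an octet boundary."""
    kept = net.prefixlen // 8
    octets = str(net.network_address).split(".")[:kept]
    return ".".join([*reversed(octets), "in-addr.arpa"])


def reverse_zones(cidr):
    """Zones needed to serve PTR records for a prefix of /24 or shorter.

    Reverse zones only exist on octet boundaries, so a /20 is served by
    sixteen /24 zones, while a /16 (which also covers them) is one zone.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > 24:
        raise ValueError("longer than /24: use rfc2317_delegation() instead")
    zone_prefix = -(-net.prefixlen // 8) * 8  # round up to 8, 16 or 24
    return [reverse_zone_name(s) for s in net.subnets(new_prefix=zone_prefix)]


def rfc2317_delegation(cidr, sep="-"):
    """Child zone name and parent-zone CNAMEs for a prefix longer than /24.

    Returns (child_zone, [(parent_name, cname_target), ...]). A PTR query
    for an address in the block hits the CNAME in the enclosing /24 zone,
    which points into the child zone that actually holds the PTR record.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen <= 24:
        raise ValueError("RFC 2317 applies only to prefixes longer than /24")
    parent_zone = reverse_zone_name(net.supernet(new_prefix=24))
    first = int(net.network_address) & 0xFF
    child_zone = f"{first}{sep}{net.prefixlen}.{parent_zone}"
    cnames = [
        (f"{first + i}.{parent_zone}", f"{first + i}.{child_zone}")
        for i in range(net.num_addresses)
    ]
    return child_zone, cnames


if __name__ == "__main__":
    # constructed sample prefixes, taken from the thread
    for cidr in ("10.20.64.0/20", "10.20.0.0/16"):
        print(cidr, "->", len(reverse_zones(cidr)), "zone(s)")
    child, glue = rfc2317_delegation("10.20.64.0/26")
    print(child, glue[0])
```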