Custom DNS Zone Configuration

BIND9 DNS zone management with dynamic updates and split-horizon configuration

Overview

The Pimeleon router implements sophisticated DNS zone management using BIND9 with split-horizon DNS configuration, providing different responses for internal and external clients.

Split-Horizon Architecture

Internal View

Serves local network clients with full DNS services including:

  • Recursive queries, forwarded to the DNS filtering service
  • Local zone resolution for internal domains
  • Reverse DNS lookups for local networks
  • Dynamic updates from DHCP server

External View

Provides limited DNS services for external clients:

  • No recursive queries for external clients (security measure)
  • Minimal zone information
  • Not an open resolver, so the router cannot be abused as a DNS amplification reflector

Network Access Control

Internal ACL defines trusted networks:

  • Loopback: 127.0.0.0/8
  • Main LAN: 192.168.76.0/24
  • WiFi Network: 192.168.77.0/24 (optional segregated network)
  • VPN Subnet: 10.8.0.0/24 (if VPN enabled)
  • IPv6 Ranges: fd00::/8 (Unique Local Addresses for internal networks)

Local DNS Zones

Primary Internal Domain

pimeleon.local - Main internal domain for router services and local resources

Example Network Domains

  • home.local - Primary local domain with DHCP integration
  • lan.local - Alternative local domain for network services
  • custom.local - Custom domain for specialized services

Note: You can configure any .local domain or custom TLD for your internal network. The examples above use standard mDNS-compatible .local domains.

Dynamic DNS Integration

DHCP-DNS Synchronization

The RNDC key allows the DHCP server to automatically:

  • Create A/AAAA records for new leases
  • Generate PTR records for reverse lookups
  • Add TXT and DHCID records for lease tracking
  • Remove records when leases expire

Update Policies

Zones support different update types:

  • A/AAAA records: Forward hostname resolution
  • PTR records: Reverse IP-to-hostname mapping
  • TXT records: Metadata and verification
  • DHCID records: DHCP client identification

Reverse DNS Zones

IPv4 Reverse Zones

  • X.168.192.in-addr.arpa - Main LAN reverse lookup (192.168.X.0/24)
  • Y.168.192.in-addr.arpa - WiFi network reverse lookup (192.168.Y.0/24)

IPv6 Reverse Zones

  • IPv6 reverse zones for fd00::/8 Unique Local Address ranges
  • Automatic PTR record generation for IPv6 DHCP assignments
  • Configured based on your specific IPv6 subnet allocation

Integration with Filtering Services

DNS Filtering Integration

The internal view forwards recursive queries to the DNS filter listening on port 5553, which provides:

  • Network-wide ad blocking and malware filtering
  • Custom blocklists and whitelist management
  • Query statistics and monitoring (via Pimeleon web interface)
  • Upstream secure DNS resolution with encryption

Security Features

  • Recursion Control: Only internal clients can perform recursive queries
  • Query Restrictions: External clients limited to authoritative responses
  • Update Security: Dynamic updates require valid RNDC authentication
  • Zone Transfer Control: Prevents unauthorized zone transfers
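The split-horizon views, internal ACL, filter forwarding, DHCP update policy and transfer controls described above, brought together in one named.conf.local. This is an added illustration, not the Pimeleon project's shipped configuration; it assumes the key in /etc/bind/rndc.key is named rndc-key (the Debian default) and that the DNS filter listens on 127.0.0.1 port 5553.

```conf
// /etc/bind/named.conf.local: split-horizon views for the Pimeleon zones (illustration)
// Assumptions: the TSIG key in /etc/bind/rndc.key is named "rndc-key" (Debian default)
// and the DNS filter listens on the router's loopback address, port 5553.
include "/etc/bind/rndc.key";

acl "internal" {
    127.0.0.0/8;        // loopback
    192.168.76.0/24;    // main LAN
    192.168.77.0/24;    // WiFi network (optional segregated network)
    10.8.0.0/24;        // VPN subnet (if VPN enabled)
    fd00::/8;           // IPv6 unique local addresses
};

view "internal" {
    match-clients { "internal"; };
    recursion yes;
    allow-recursion { "internal"; };
    // recursive queries go to the DNS filter, which resolves upstream over encrypted DNS
    forwarders { 127.0.0.1 port 5553; };
    forward only;
    // with views in use every zone must sit inside a view, so Debian's default zones are included here (and removed from named.conf)
    include "/etc/bind/named.conf.default-zones";

    zone "pimeleon.local" {
        type master;
        file "/var/cache/bind/pimeleon.local";
        // DHCP may add or remove A, AAAA, TXT and DHCID records below the zone apex only
        update-policy { grant rndc-key zonesub A AAAA TXT DHCID; };
        allow-transfer { none; };
    };

    zone "76.168.192.in-addr.arpa" {
        type master;
        file "/var/cache/bind/db.192.168.76";
        update-policy { grant rndc-key zonesub PTR; };
        allow-transfer { none; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  // not an open resolver, so no amplification reflector
    allow-recursion { none; };
    allow-transfer { none; };
    allow-update { none; };
    // no zones are published here: external clients receive REFUSED for everything
};
```

Run named-checkconf after editing; the WiFi reverse zone (77.168.192.in-addr.arpa, file db.192.168.77) follows the same pattern as the LAN one.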

Operational Benefits

  1. Split-Horizon Security: Different responses for internal/external clients
  2. Dynamic Management: Automatic DNS updates from DHCP
  3. Local Service Discovery: Internal domains for router services
  4. Network Segmentation: Zone-per-VLAN organization
  5. IPv6 Readiness: Full IPv6 reverse DNS support

Configuration Files

Key configuration file locations:

# BIND9 zone files
/var/cache/bind/pimeleon.local      # Dynamic zone with DHCP updates
/var/cache/bind/db.192.168.76       # IPv4 reverse zone (LAN)
/var/cache/bind/db.192.168.77       # IPv4 reverse zone (WiFi)

# BIND9 configuration
/etc/bind/named.conf.local          # Zone definitions
/etc/bind/named.conf.options        # BIND9 options

# RNDC key for secure updates
/etc/bind/rndc.key                  # Dynamic update authentication

Maintenance Considerations

Zone Management

  • Zone Files: Stored in /etc/bind/zones/ and /var/cache/bind/
  • RNDC Keys: Secure key management for dynamic updates
  • Backups: Regular zone file backups before major changes
  • Monitoring: Watch for DHCP update conflicts or failures

Performance Optimization

  • Cache Size: Adjust based on number of hosts
  • Zone Serial: Automatic increment for dynamic updates
  • Query Logging: Disabled for performance (use Pimeleon web interface for statistics)

Troubleshooting

Common Issues

Dynamic updates failing:

# Check RNDC key permissions
ls -la /etc/bind/rndc.key

# Test RNDC connectivity
rndc status

# Check BIND9 logs for update errors
sudo journalctl -u bind9 -f

Zone not resolving:

# Verify zone is loaded
rndc status | grep zones

# Check zone file syntax
named-checkzone pimeleon.local /var/cache/bind/pimeleon.local

# Reload zones
rndc reload

Reverse DNS not working:

# Test reverse lookup (use an address inside one of your configured reverse zones)
dig -x 192.168.1.1

# Check reverse zone file
named-checkzone X.168.192.in-addr.arpa /var/cache/bind/db.192.168.X
