DNSmasq Authoritative config
Last update
2021-10-27
Config and instructions
```
# ----------------------------------------------------------------------------
# Authoritative DNS config for yourdomain.tld
# Example for replacing Bind with dnsmasq
# Source: Stefan Onderka, http://www.onderka.com
# Description: https://www.onderka.com/inhalt/autoritativer-dns-server-mit-dnsmasq/
# Revision 2016-02-10
# ----------------------------------------------------------------------------
# https://www.onderka.com/inhalt/eigener-dyndns-mit-dnsmasq-apache-und-php/
# https://www.onderka.com/inhalt/eigener-dyndns-mit-bind-apache-und-php/
# http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
# http://www.thekelleys.org.uk/dnsmasq/doc.html
# http://www.thekelleys.org.uk/dnsmasq/docs/FAQ
# http://comments.gmane.org/gmane.network.dns.dnsmasq.general/7621
# https://wiki.archlinux.org/index.php/dnsmasq
# ----------------------------------------------------------------------------
# Hostname: yourdomain.tld
# IPv4 address: 10.20.30.40
# IPv6 address: ip:v6::ad::dr:ess
# ----------------------------------------------------------------------------

# Basics
# ----------------------------------------------------------------------------
listen-address=127.0.0.1
listen-address=10.20.30.40
listen-address=ip:v6::ad::dr:ess
no-dhcp-interface=eth0
# Port
port=53
bind-interfaces
#bogus-priv
#domain-needed
# User and group
user=dnsmasq
group=root
# PID file
pid-file=/var/run/dnsmasq/dnsmasq.pid
all-servers
dns-forward-max=100
# TTL for auth replies
auth-ttl=600

# Logging
# ----------------------------------------------------------------------------
# Log to file
log-facility=/var/log/dnsmasq.log
# Log all queries
log-queries
# Query cache
cache-size=16384
# Asynchronous logging, up to 50 lines
log-async=50

# Config files and folders (DynDNS files)
# ----------------------------------------------------------------------------
# Do not read /etc/resolv.conf
no-resolv
# Do not poll /etc/resolv.conf
no-poll
# Do not read /etc/hosts
no-hosts
# Read *.conf from this folder
conf-dir=/var/www/ddns.example.com/dnsmasq/,*.conf

# Authoritative DNS on interface eth0
# ----------------------------------------------------------------------------
auth-server=yourdomain.tld,eth0

# My zones and their subnets
# ----------------------------------------------------------------------------
auth-zone=yourdomain.tld,10.20.30.40/32,ip:v6::ad::dr:ess/128
auth-zone=example.com,10.20.30.40/32,ip:v6::ad::dr:ess/128
# DDNS zone without subnet(s), contains "foreign" IPs
auth-zone=ddns.example.com
auth-zone=example.org,10.20.30.40/32,ip:v6::ad::dr:ess/128
auth-zone=example.net,10.20.30.40/32,ip:v6::ad::dr:ess/128
auth-zone=another-domain.de,10.20.30.40/32,ip:v6::ad::dr:ess/128

# Local (not forwarded in any case)
# ----------------------------------------------------------------------------
local=/example.com/10.20.30.40
domain=example.com
local=/ddns.example.com/10.20.30.40
domain=ddns.example.com
local=/example.org/10.20.30.40
domain=example.org
local=/example.net/10.20.30.40
domain=example.net
local=/another-domain.de/10.20.30.40
domain=another-domain.de

# SOA config
# ----------------------------------------------------------------------------
auth-soa=2016021014,hostmaster.example.com,1200,120,604800

# Slave NS: nameserver2.provider.com (50.60.70.80)
# ----------------------------------------------------------------------------
# Secondary NS (slave NS at provider)
auth-sec-servers=nameserver2.provider.com
# Allow zone transfers to secondary NS
auth-peer=50.60.70.80

# A/AAAA records - Only 1st address creates PTR record!
# ----------------------------------------------------------------------------
# MX: A/IPv4 only
host-record=mail.example.com,10.20.30.40
# ipv6.example.com: AAAA/IPv6 only
host-record=ipv6.example.com,ip:v6::ad::dr:ess
# All others: A/IPv4 and AAAA/IPv6
host-record=example.com,10.20.30.40,ip:v6::ad::dr:ess
host-record=ddns.example.com,10.20.30.40,ip:v6::ad::dr:ess
host-record=example.org,10.20.30.40,ip:v6::ad::dr:ess
host-record=example.net,10.20.30.40,ip:v6::ad::dr:ess
host-record=another-domain.de,10.20.30.40,ip:v6::ad::dr:ess
host-record=yourdomain.tld,10.20.30.40,ip:v6::ad::dr:ess
# Provide an A record for secondary NS
host-record=nameserver2.provider.com,50.60.70.80

# PTR & Reverse
# ----------------------------------------------------------------------------
server=/30.20.10.in-addr.arpa/10.20.30.40
ptr-record=40.30.20.10.in-addr.arpa,mail.example.com
ptr-record=40.30.20.10.in-addr.arpa,example.com
ptr-record=40.30.20.10.in-addr.arpa,ddns.example.com
ptr-record=40.30.20.10.in-addr.arpa,example.org
ptr-record=40.30.20.10.in-addr.arpa,example.net
ptr-record=40.30.20.10.in-addr.arpa,another-domain.de

# MX records
# ----------------------------------------------------------------------------
# All domains use MX mail.example.com
mx-host=yourdomain.tld,mail.example.com,10
mx-host=example.com,mail.example.com,10
mx-host=example.org,mail.example.com,10
mx-host=example.net,mail.example.com,10
mx-host=another-domain.de,mail.example.com,10

# TXT records (SPF, DKIM, fun etc.)
# ----------------------------------------------------------------------------
# A note for the MX
txt-record=mail.example.com,"No, this is not a Microsoft Exchange server..."
# SPF and DKIM records
txt-record=yourdomain.tld,"v=spf1 +a +mx -all"
txt-record=example.com,"v=spf1 +a +mx -all"
txt-record=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._domainkey.example.com,"v=DKIM1; k=rsa; p=..."
txt-record=example.org,"v=spf1 +a +mx -all"
txt-record=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._domainkey.example.org,"v=DKIM1; k=rsa; p=..."
txt-record=example.net,"v=spf1 +a +mx -all"
txt-record=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._domainkey.example.net,"v=DKIM1; k=rsa; p=..."
txt-record=another-domain.de,"v=spf1 +a +mx -all"
txt-record=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._domainkey.another-domain.de,"v=DKIM1; k=rsa; p=..."

# CAA record for certificate authority | https://sslmate.com/caa/
# ----------------------------------------------------------------------------
# CAA/257 => 0 issue "letsencrypt.org"
dns-rr=yourdomain.tld,257,000569737375656C657473656E63727970742E6F7267

# CNAME records
# ----------------------------------------------------------------------------
# Subdomains of example.com
cname=subdomain1.example.com,example.com
cname=subdomain2.example.com,example.com
cname=subdomain3.example.com,example.com
# www. and ftp. for all domains
cname=www.example.com,example.com
cname=ftp.example.com,example.com
cname=www.example.org,example.org
cname=ftp.example.org,example.org
cname=www.example.net,example.net
cname=ftp.example.net,example.net
cname=www.another-domain.de,another-domain.de
cname=ftp.another-domain.de,another-domain.de
```
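dnsmasq has no native CAA option, so the config above carries the CAA record as raw RDATA hex in a `dns-rr=` line. The following added example (my own code, not part of the original config or of dnsmasq) builds that hex from a tag/value pair and decodes an existing line back into its fields, so the opaque string can be generated for other CA policies and audited before it goes live; the `iodef` line in the demo uses a placeholder address.

```python
# CAA RDATA (RFC 8659): 1 byte flags, 1 byte tag length, tag, then value to end.
# dnsmasq syntax: dns-rr=<name>,<RR type number>,<hex RDATA>
CAA_TYPE = 257


def caa_rdata(tag: str, value: str, flags: int = 0) -> bytes:
    """Build raw CAA RDATA. flags=128 sets the 'issuer critical' bit."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    tag_b = tag.encode("ascii")
    if not 1 <= len(tag_b) <= 255 or not tag_b.isalnum():
        raise ValueError("tag must be 1-255 alphanumeric ASCII bytes")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("ascii")


def dns_rr_line(name: str, tag: str, value: str, flags: int = 0) -> str:
    """Return the dnsmasq config line for a CAA record on <name>."""
    return f"dns-rr={name},{CAA_TYPE},{caa_rdata(tag, value, flags).hex().upper()}"


def parse_caa_hex(hexdata: str) -> dict:
    """Decode hex RDATA into flags/tag/value; rejects truncated data."""
    raw = bytes.fromhex(hexdata)
    if len(raw) < 2 or len(raw) < 2 + raw[1]:
        raise ValueError("truncated CAA RDATA")
    tag_len = raw[1]
    return {
        "flags": raw[0],
        "critical": bool(raw[0] & 0x80),
        "tag": raw[2:2 + tag_len].decode("ascii"),
        "value": raw[2 + tag_len:].decode("ascii"),
    }


def parse_dns_rr_line(line: str) -> dict:
    """Split a dns-rr= config line and decode it if it is a CAA record."""
    opt, _, rest = line.strip().partition("=")
    if opt != "dns-rr":
        raise ValueError("not a dns-rr option")
    name, rtype, hexdata = rest.split(",", 2)
    if int(rtype) != CAA_TYPE:
        raise ValueError(f"type {rtype} is not CAA")
    return {"name": name, **parse_caa_hex(hexdata)}


if __name__ == "__main__":
    # The line from the config on this page, decoded for inspection
    print(parse_dns_rr_line("dns-rr=yourdomain.tld,257,000569737375656C657473656E63727970742E6F7267"))
    # A second policy line; the mailbox is a placeholder, not a real address
    print(dns_rr_line("yourdomain.tld", "iodef", "mailto:hostmaster@yourdomain.tld"))
```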
Then set these DNS records in your registrar panel:
```
A    yourdomain.tld      10.20.30.40
AAAA yourdomain.tld      ip:v6::ad::dr:ess
NS   ns1.yourdomain.tld  10.20.30.40
NS   ns2.yourdomain.tld  10.20.30.40
```
Please take note that you should have two different DNS servers in case the first goes down.
Since 2021-06 this doesn't work for Let's Encrypt/ZeroSSL.
The CA can't reach our DNS server... try checking the configuration with:
- https://viewdns.info/dnsreport/?domain=acavalin.com
- https://check-your-website.server-daten.de/?q=acavalin.com
- https://community.letsencrypt.org/t/dns-problem-authoritative-nameserver-refused-not-defined-or-timeout/125662/19
- https://serverfault.com/questions/856772/inconsistent-glue-records#856839
- https://community.letsencrypt.org/t/dns-problem-records-exist-but-query-timed-out-looking-up-txt-record/106586/2
- free dns: 1984 and cloudns
- https://dnsspy.io/scan/acavalin.com
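Before reaching for the online checkers, it helps to ask the server directly what a CA validator would ask: an SOA query with recursion off, over both UDP and TCP, checking that the reply carries the AA (authoritative answer) bit and RCODE 0 rather than REFUSED or a timeout. The probe below is an added example written for this post, not part of the original config or of dnsmasq; the server address and zone name are the placeholders used in the config above.

```python
import socket
import struct

QTYPE_SOA = 6
QID = 0x1234  # fixed id is fine for a one-off diagnostic


def build_query(name: str, qtype: int, qid: int = QID) -> bytes:
    """Standard query with RD=0: we want an authoritative reply, not recursion."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_reply(data: bytes, qid: int = QID) -> dict:
    """Decode the 12-byte header; the id must match the query we sent."""
    if len(data) < 12:
        raise ValueError("truncated DNS reply")
    rid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("reply id does not match query id")
    return {"aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": an, "authority": ns}


def probe(server: str, zone: str, tcp: bool = False, timeout: float = 3.0) -> dict:
    """Send the SOA query to <server> and return the parsed header (network call)."""
    q = build_query(zone, QTYPE_SOA)
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)       # TCP DNS is length-prefixed
            (length,) = struct.unpack("!H", s.recv(2))
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    raise ConnectionError("short TCP reply")
                data += chunk
    else:
        fam, _, _, _, addr = socket.getaddrinfo(server, 53, type=socket.SOCK_DGRAM)[0]
        with socket.socket(fam, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, addr)
            data, _ = s.recvfrom(4096)
    return parse_reply(data)


if __name__ == "__main__":
    for tcp in (False, True):
        r = probe("10.20.30.40", "yourdomain.tld", tcp=tcp)
        ok = r["aa"] and r["rcode"] == 0
        print("TCP" if tcp else "UDP", r, "OK" if ok else "NOT AUTHORITATIVE")
```

RCODE 5 is REFUSED (the zone is not in `auth-zone` or the query arrived on an interface not listed in `auth-server`); a timeout on TCP but not UDP usually means port 53/tcp is filtered, which breaks validators that retry over TCP.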
Source: onderka.com, manpage, stackexchange, SOA record, CAA record + tool
See also: Letsencrypt setup with acme.sh post.