I can't find where to set DNS forwarding from the GUI for records that are not found within my zones. Can you help me please? :-(
DNS forwarding typically means using an external resolver for zones not hosted on your systems, which is the default in your setup; the DNS resolver is configured under System > Server Config > Server > Nameservers. But this is not about records not found in your zone, so you might be mixing things up here. When you want, e.g., non-declared names like abc.yourdomain.tld to resolve to a specific IP address, that's called a wildcard DNS record, and you create it by creating a DNS A-record with * as the record name.
Until now I have been using my own Technitium-based DNS server to host my public site records, and I had set "Allow Recursion >> yes" and "Forwarders 8.8.8.8 and 8.8.4.4" so that my home PC and my other virtual machines would use the Technitium server to forward the requests for unknown domains to 8.8.8.8. Now I want to use ISPConfig to centralize DNS. I put this in named.conf.options:

```
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    forwarders { 8.8.8.8; 8.8.4.4; };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    version "unknown";
    allow-transfer { none; };
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
```

but my PC doesn't resolve unknown sites.
What happens instead? How are you testing that? If you test from the command line, show cut-and-pasted text. And please start using CODE tags.
With the Technitium server:

```
nslookup www.google.it
Server:  static-84-33-1-183.serverclienti.com
Address:  84.33.1.183

Non-authoritative answer:
Name:    www.google.it
Addresses:  2a00:1450:4001:811::2003
          142.250.185.163
```

With the ISPConfig server:

```
nslookup www.google.it
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  84.33.1.183

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
```
You forgot CODE tags. Are you testing on your Windows workstation? Which name server is it using? It would be useful to test by giving nslookup your name server as a parameter, so you know you are testing your name server. I suggest commenting out the forwarders declaration from your name server; it should work without it.
It works. I needed to add `recursion yes; allow-recursion { any; };`. The final file configuration is:

```
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    forwarders { 8.8.8.8; 8.8.4.4; };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    version "unknown";
    allow-transfer { none; };
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    recursion yes;
    allow-recursion { any; };
};
```
Your server is not reachable from the internet, right? Otherwise, you just created an open resolver, which is a really bad idea as your server will get misused and likely be used to attack other systems soon.
No. Running a public DNS resolver like ISPs do means that you need large server capacities and must monitor traffic for misuse, DoS attacks, and so on. Many ISPs also limit access to their own client IP ranges to be able to sanction misuse if one of their clients is doing it. So unless you run a larger company with your own data center and staff with the necessary knowledge to monitor the DNS resolver 24/7, you should avoid doing that. Your internet access provider might even block you when they detect that you run an open DNS resolver. If you want to run your own DNS resolver for your desktop systems (which does not make sense in most cases, as you can simply use the resolver of your ISP), then you must ensure that only the IP address of your desktop system (or your local network IP range) plus localhost is allowed to use the resolver.
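As an added example (not from anyone in this thread or from the ISPConfig project), here is a small Python check for the two points raised above: the posted configuration with `allow-recursion { any; };` is an open resolver if the server is reachable from the internet, and the fix is to limit recursion to an address match list containing only localhost and the local network. The script embeds the posted options block and a constructed, restricted variant (the `trusted` ACL name and the `192.168.1.0/24` range are assumptions), strips named.conf comments, expands ACL names, and reports whether recursion is open to everyone. It is a simplified audit, not a full named.conf parser.

```python
import re

# Constructed copy of the final configuration posted above: recursion is on
# and allowed for any client, i.e. an open resolver if reachable from outside.
OPEN_CONFIG = """
options {
    directory "/var/cache/bind";
    forwarders { 8.8.8.8; 8.8.4.4; };
    version "unknown";
    allow-transfer { none; };
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    recursion yes;
    allow-recursion { any; };
};
"""

# Constructed restricted variant: recursion only for localhost and the LAN.
# The ACL name "trusted" and the 192.168.1.0/24 range are assumptions.
RESTRICTED_CONFIG = """
acl "trusted" { 127.0.0.1; ::1; 192.168.1.0/24; };
options {
    directory "/var/cache/bind";
    forwarders { 8.8.8.8; 8.8.4.4; };
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
"""

# Entries that make an allow-recursion list world-open.
OPEN_ENTRIES = {"any", "0.0.0.0/0", "::/0"}


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def split_entries(body):
    """Turn the inside of a { ...; ...; } address match list into a list."""
    return [e.strip().strip('"') for e in body.split(";") if e.strip()]


def parse_acls(text):
    """Collect user-defined acl "name" { ... }; statements."""
    acls = {}
    for m in re.finditer(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}', text):
        acls[m.group(1)] = split_entries(m.group(2))
    return acls


def expand(entries, acls, seen=()):
    """Replace references to user-defined ACLs with their members (cycle-safe)."""
    out = []
    for e in entries:
        if e in acls and e not in seen:
            out.extend(expand(acls[e], acls, seen + (e,)))
        else:
            out.append(e)
    return out


def audit_recursion(config):
    """Return recursion status, the effective allow-recursion list, and whether it is open."""
    text = strip_comments(config)
    acls = parse_acls(text)
    m = re.search(r"\brecursion\s+(yes|no)\s*;", text)
    recursion = (m.group(1) == "yes") if m else True  # BIND default: recursion yes
    m = re.search(r"\ballow-recursion\s*\{([^}]*)\}", text)
    # BIND default when allow-recursion is absent: localnets and localhost.
    entries = split_entries(m.group(1)) if m else ["localnets", "localhost"]
    allowed = expand(entries, acls)
    is_open = recursion and any(a in OPEN_ENTRIES for a in allowed)
    return {"recursion": recursion, "allowed": allowed, "open": is_open}


if __name__ == "__main__":
    for label, cfg in (("posted", OPEN_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        r = audit_recursion(cfg)
        print(f"{label}: recursion={r['recursion']} allowed={r['allowed']} open={r['open']}")
```

Run it against a copy of your own `/etc/bind/named.conf.options` by passing the file contents to `audit_recursion`; an `open` result together with a server that answers on a public interface is exactly the situation the replies above warn about, and the `RESTRICTED_CONFIG` block shows the shape of the fix.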