DNS

Depending on which DHCP assignment group a client falls into, clients in the house get one of three DNS configurations:

  • Normal clients use Surfrock66 Bind DNS; its upstream requests go to Surfrock66 PiHole, which in turn forwards to Google DNS
  • Kids clients use Surfrock66 Bind DNS, whose upstream for them is OpenDNS FamilyShield
  • Some guest clients get DNS directly from Google

Surfrock66 Bind DNS

This is a bind server running on sr66-hda at 10.2.2.10 on port 53. It should be the primary DNS responder for the house. It has three categories of DNS zones:

  • Zones that define internal addresses for sites whose hostname is the same inside and outside the house (split-horizon DNS), for example “nextcloud.surfrock66.com”. These are defined in /etc/bind/named.conf and the zonefiles are in /etc/bind/zones/ under canonical names.
  • A single zone for all home clients on the domain hda.surfrock66.com. This is defined in /etc/bind/named.conf and the zone is /etc/bind/zones/hda.surfrock66.com.zone. This file groups clients into logical partitions based on subnet and “subNot” logical partition.
  • Reverse lookup zones (PTR records) to resolve IPs back to host names. These are defined in /etc/bind/named.conf and the zonefiles are in /etc/bind/zones/ under names in reverse octet order (so for IP subnet 10.4.3.0/24, the zonefile would be 3.4.10.in-addr-arpa-zone).

Bind responds based on “ACLs” or Access Control Lists, which are just lists of subnets/IP blocks. Three are defined but only two are actively used:

  • internal-all-acl - This is every defined subnet/“subnot” in the house, but it is unused
  • internal-default-acl - This is every defined subnet/“subnot” in the house EXCEPT the kids devices. It is tied to a view that will forward unknown requests to pihole on 127.0.0.1:5354.
  • internal-kids-acl - This is the kids devices. It is tied to a view that will forward unknown requests to OpenDNS FamilyShield.
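The following named.conf skeleton is an added example of the ACL and view layout described above; it is not the page's own configuration. The subnets in the ACLs, the membership of the kids ACL and the nextcloud zonefile name are assumed placeholders; the only addresses taken from the page are the Bind listener on 10.2.2.10 and the pihole forwarder on 127.0.0.1:5354. The OpenDNS FamilyShield addresses are the ones OpenDNS publishes.

```conf
// Added example (not the page's own named.conf): ACLs plus two views, each
// with its own forwarder, mirroring the layout described above.

// ACLs are plain address lists. Subnets here are assumed placeholders.
acl "internal-default-acl" {
    10.2.2.0/24;        // assumed: main house subnet
    10.4.3.0/24;        // assumed: a second house subnet ("subnot")
};
acl "internal-kids-acl" {
    10.9.9.0/24;        // assumed: kids' devices
};
acl "internal-all-acl" {
    internal-default-acl;
    internal-kids-acl;
};

options {
    directory "/var/cache/bind";
    listen-on { 10.2.2.10; 127.0.0.1; };   // address from the page
    // Refuse queries and recursion from anything that is not a house subnet,
    // so the server cannot act as an open resolver if it is ever reachable
    // from outside.
    allow-query     { internal-all-acl; localhost; };
    allow-recursion { internal-all-acl; localhost; };
    recursion yes;
};

// Views are matched in order; the kids view is first so that a kids address
// can never fall through to the default view if the ACLs ever overlap.
// Once any view exists, every zone must be declared inside a view, so zones
// both views should answer for are listed in each (same file, same data).
view "kids" {
    match-clients { internal-kids-acl; };
    forward only;
    // OpenDNS FamilyShield resolvers, as published by OpenDNS.
    forwarders { 208.67.222.123; 208.67.220.123; };

    zone "hda.surfrock66.com" {
        type master;
        file "/etc/bind/zones/hda.surfrock66.com.zone";
    };
    zone "3.4.10.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/3.4.10.in-addr-arpa-zone";
    };
};

view "default" {
    match-clients { internal-default-acl; localhost; };
    forward only;
    // pihole on the same host; pihole forwards on to Google DNS.
    forwarders { 127.0.0.1 port 5354; };

    zone "hda.surfrock66.com" {
        type master;
        file "/etc/bind/zones/hda.surfrock66.com.zone";
    };
    zone "nextcloud.surfrock66.com" {
        type master;
        file "/etc/bind/zones/nextcloud.surfrock66.com.zone";  // assumed file name
    };
    zone "3.4.10.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/3.4.10.in-addr-arpa-zone";
    };
};
```

Two things worth checking after editing a layout like this: run `named-checkconf` (and `named-checkzone` on each zonefile) before reloading, since a syntax error leaves the whole house without DNS; and query the server from a client in each subnet to confirm it lands in the intended view, because with `forward only` the default view stops resolving external names entirely if pihole on 127.0.0.1:5354 is down, which is the intended behaviour of the chain described above rather than a fault.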

Surfrock66 PiHole

PiHole is running as an ad and tracking blocking service on sr66-hda on port 5354. Once pihole was set up, it was not intuitive to move it to listen on another port (it cannot use the normal DNS port because Bind is already listening there). PiHole uses dnsmasq under the hood, so to change the port add “port=5354” to “/etc/dnsmasq.d/02-changeport.conf” and restart the service.
