Not many people run their own internal DNS any more. For people who
do, here's how I do it.
Of course in the old days everyone used BIND, but there's better
now. The basic approach is twofold: nsd serves the local zones
authoritatively, and unbound does recursive resolution for the hosts
on the network, handing queries for the local zones over to nsd.
Both of these are configured by default to use all interfaces. So a
bit of careful setup is needed. I'm using Debian/stable (v12,
bookworm, at the time of writing).
I assume your local zone is LOCALZONE (in my case
homenet.firedrake.org).
nsd
Bind it to localhost: /etc/nsd/nsd.conf.d/server.conf

    server:
        ip-address: 127.0.0.1
        ip-address: ::1
        username: nsd
        xfrdfile: "/var/lib/nsd/xfrd.state"
Set up local zone(s): /etc/nsd/nsd.conf.d/main.zones.conf

    zone:
        name: "LOCALZONE"
        zonefile: "db.LOCALZONE"
        provide-xfr: 10.0.0.0/8 NOKEY
        provide-xfr: 127.0.0.1 NOKEY
        provide-xfr: ::1/128 NOKEY
(In theory this should only need localhost addresses, but it didn't
work for me until I put in the local net too.) Do the same for
10.in-addr.arpa.
Stick the zonefiles in /etc/nsd/. These are standard BIND-type
zonefiles.
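As an added worked example (not from the original post), here is a small POSIX shell script that produces a matching pair of BIND-style zonefiles for nsd: the forward zone and the 10.in-addr.arpa reverse zone that the text says to set up "similarly". The zone name, nameserver host, SOA timers and the three hosts are constructed placeholders standing in for LOCALZONE and your own hosts; generating both files from one host list keeps A and PTR records from drifting apart, which is the usual failure mode when reverse zones are edited by hand.

```shell
#!/bin/sh
# Added example: generate forward and reverse zonefiles for nsd from one
# host list. Zone name, NS host and the host list are constructed
# placeholders, not values taken from the original post.
set -eu

ZONE="homenet.example"     # stands in for LOCALZONE
NS_HOST="ns1"              # the host that runs nsd
SERIAL="2024010101"        # YYYYMMDDnn; bump it on every change

# Constructed sample host list: "<hostname> <IPv4 address>", all inside 10/8.
HOSTS='ns1 10.0.0.100
router 10.0.0.1
nas 10.0.1.20'

# Common $ORIGIN / SOA / NS header; $1 is the zone origin (no trailing dot).
zone_header() {
    printf '$ORIGIN %s.\n$TTL 3600\n' "$1"
    printf '@ IN SOA %s.%s. hostmaster.%s. (%s 3600 900 1209600 300)\n' \
        "$NS_HOST" "$ZONE" "$ZONE" "$SERIAL"
    printf '@ IN NS %s.%s.\n' "$NS_HOST" "$ZONE"
}

# Forward zone: one A record per host, owner names relative to $ORIGIN.
forward_zone() {
    zone_header "$ZONE"
    printf '%s\n' "$HOSTS" | awk '{ printf "%s IN A %s\n", $1, $2 }'
}

# Reverse zone for 10.in-addr.arpa: the PTR owner is the last three octets
# reversed, relative to the 10.in-addr.arpa origin; the target is the FQDN.
reverse_zone() {
    zone_header "10.in-addr.arpa"
    printf '%s\n' "$HOSTS" | awk -v zone="$ZONE" '{
        split($2, o, ".")
        printf "%s.%s.%s IN PTR %s.%s.\n", o[4], o[3], o[2], $1, zone
    }'
}

# Full PTR owner name for one IPv4 address, handy for checking the result
# against what a resolver actually asks for.
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Stand-alone run: print both zones. In production redirect them to
# /etc/nsd/db.$ZONE and /etc/nsd/db.10.in-addr.arpa instead.
forward_zone
printf '\n'
reverse_zone
```

Check the output with nsd-checkzone (e.g. `nsd-checkzone 10.in-addr.arpa db.10.in-addr.arpa`) before pointing nsd at it; the script deliberately writes the single-line SOA form so a later serial bump is a one-field edit.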
unbound
Set up access addresses: /etc/unbound/unbound.conf.d/something.conf

    server:
        interface: 10.0.0.100
        interface: 2001:[my public IPv6 address]
        access-control: 10.0.0.0/8 allow
        access-control: 172.16.0.0/12 allow
        [and IPv6 too]
        do-not-query-localhost: no
        domain-insecure: LOCALZONE
        local-zone: "10.in-addr.arpa." nodefault
Then enable the zones served by nsd as stub zones in the same file.

    stub-zone:
        name: "LOCALZONE"
        stub-addr: 127.0.0.1
        stub-no-cache: yes
If you have an external server you want to use as a forwarder:

    forward-zone:
        name: "."
        forward-addr: FORWARDER-ADDRESS
Then point all other hosts to this one as the resolver. If you want to
be able to resolve from outside (e.g. over a VPN) you'll need glue
records, but no need if this is for purely internal use.
When you update the local zone, run

    nsd-control reload LOCALZONE

and then

    unbound-control flush_zone LOCALZONE