Well, after more trying and reading (and thanks to Angel Jauregui's recommendations) and testing with the tool http://www.dnsstuff.com/tools to check the domain's DNS, I managed to configure it correctly, or at least I think so. I'll leave this configuration here in case it helps someone else, and if there are suggestions to improve it and make it more secure, even better:

*1.- VPS IPs:*
- 1.1.1.1 (server.vps.com), 1.1.1.2 (ns1.midominio.com.ve), 1.1.1.3 (ns2.midominio.com.ve).

*2.- Hostname:*
- server.vps.com

*3.- /etc/hosts:*
# Auto-generated hostname. Please do not remove this comment.
127.0.0.1   localhost.localdomain localhost localhost4.localdomain4 localhost4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
1.1.1.1     server.vps.com
*4.- /etc/resolv.conf:*

search midominio.com.ve
# local named (127.0.0.1)
nameserver 127.0.0.1
# VPS provider's DNS
nameserver 4.2.2.2
# Google DNS
nameserver 8.8.8.8
*5.- /etc/named.conf:*

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl "trusted" {
    /*
     * You might put in here some ips which are allowed to use the cache or
     * recursive queries
     */
    127.0.0.0/8;
    ::1/128;
};

acl "xfer" {
    /*
     * Deny transfers by default except for the listed hosts.
     * If we have other name servers, place them here.
     */
    // Authorized IPs - your name servers.
    1.1.1.2;
    1.1.1.3;
};

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    allow-query {
        /*
         * Accept queries from our "trusted" ACL. We will
         * allow anyone to query our master zones below.
         * This prevents us from becoming a free DNS server
         * to the masses.
         */
        trusted;
    };
    allow-query-cache {
        /* Use the cache for the "trusted" ACL. */
        trusted;
    };
    allow-recursion {
        /* Only trusted addresses are allowed to use recursion. */
        trusted;
    };
    allow-transfer {
        /* Zone transfers are denied by default. */
        xfer;
    };
    allow-update {
        /* Don't allow updates, e.g. via nsupdate. */
        none;
    };

    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.zones";
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
*6.- /etc/named.zones:*

zone "midominio.com.ve" {
    type master;
    file "/var/named/midominio.com.ve.hosts";
    /* Anybody is allowed to query but transfer should be controlled by the master. */
    allow-query { any; };
    allow-transfer { xfer; };
};

zone "1.1.1.1.in-addr.arpa" {
    type master;
    file "/var/named/1.1.1.1.in-addr.arpa";
    /* Anybody is allowed to query but transfer should be controlled by the master. */
    allow-query { any; };
    allow-transfer { xfer; };
};
*7.- /var/named/midominio.com.ve.hosts:*

$TTL 38400
midominio.com.ve.   IN SOA ns1.midominio.com.ve. administrator.midominio.com.ve. (
        2015113003  ; serial: must use the YYYYMMDDnn format recommended by RFC 1912
        10800       ; refresh
        3600        ; retry
        1209600     ; expire
        38400 )     ; minimum (negative-cache TTL)
                    IN NS    ns1.midominio.com.ve.
                    IN NS    ns2.midominio.com.ve.
@                   IN A     1.1.1.1
ns1                 IN A     1.1.1.2
ns2                 IN A     1.1.1.3
www                 IN CNAME midominio.com.ve.
; reverse mapping normally lives in the in-addr.arpa zone, not here
1.1.1.1.midominio.com.ve.  IN PTR midominio.com.ve.
*8.- /var/named/1.1.1.1.in-addr.arpa:*

$TTL 38400
@       IN SOA ns1.midominio.com.ve. administrator.midominio.com.ve. (
        2015113001  ; serial: must use the YYYYMMDDnn format recommended by RFC 1912
        10800       ; refresh
        3600        ; retry
        1209600     ; expire
        38400 )     ; minimum (negative-cache TTL)
        IN NS  ns1.midominio.com.ve.
        IN NS  ns2.midominio.com.ve.
; A records are not used in a reverse zone; only the PTR records below matter here
@       IN A   1.1.1.1
ns1     IN A   1.1.1.2
ns2     IN A   1.1.1.3
90      IN PTR ns1.midominio.com.ve.
91      IN PTR ns2.midominio.com.ve.
This is how far I've got so far; I'm going to look into how to create a slave zone for the DNS server, and how to fix these items that DNSSTUFF reports:
1.- No stealth nameservers to test. This is simply a note to indicate that you do not have any stealth nameservers to test, which is what is normally expected of domains.
2.- Domain has a WWW hostname provided through one or more CNAME lookups, which will slow down clients attempting to resolve this host.
    www.midominio.com.ve. | midominio.com.ve. | 38400
    midominio.com.ve.     | 1.1.1.1           | 38400
3.- No DNSSEC records created for this zone. Many major institutions and government agencies are planning to move to DNSSEC. You may want to consider an implementation plan for the zone specified. If you implemented DNSSEC for your zone we would be able to run further tests.
4.- This domain does not have an SPF record, nor an SPF formatted TXT record. SPF stands for Sender Policy Framework and is intended as an anti-forgery email solution (See RFC4408 http://www.dnsstuff.com/tools#rfcLookup|type=rfc&&value=4408). Many spammers have adopted this mechanism and SPF records alone may not be sufficient to stop spam.
As I fix things and get it perfect I'll keep updating this. If anyone else wants to collaborate to turn this post into a guide that people without prior knowledge can follow more easily on how to configure a BIND DNS server, that would be welcome.

Regards,
Wilmer.
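The security-relevant part of the named.conf above is the split between what the public may ask (the two master zones) and what only localhost may do (recursion and cache use), plus zone transfers restricted to the "xfer" ACL. The script below is an added example, not part of Wilmer's post or of BIND: it encodes those ACLs and allow-* statements with the post's placeholder addresses and answers "may this client do X?" the way BIND resolves it, with a zone's own allow-* clause taking precedence over the options block. The outside client 203.0.113.5 is a constructed address from the RFC 5737 documentation range; the allow-query-cache/allow-recursion default interplay is deliberately left out of the model.

```python
"""Offline model of the access-control decisions in the posted named.conf.

Added example (not part of the original post or of BIND). A zone's own allow-*
statement wins; otherwise the value from options {} applies.
"""
import ipaddress

# ACLs as written in /etc/named.conf (placeholder IPs from the post)
ACLS = {
    "trusted": ["127.0.0.0/8", "::1/128"],   # localhost only: recursion/cache users
    "xfer":    ["1.1.1.2", "1.1.1.3"],       # the two name servers allowed to AXFR
    "any":     ["0.0.0.0/0", "::/0"],        # built-in ACL
    "none":    [],                           # built-in ACL
}

# options {} block
OPTIONS = {
    "allow-query":     ["trusted"],
    "allow-recursion": ["trusted"],
    "allow-transfer":  ["xfer"],
    "allow-update":    ["none"],
}

# per-zone statements from /etc/named.zones (these override OPTIONS)
ZONES = {
    "midominio.com.ve":     {"allow-query": ["any"], "allow-transfer": ["xfer"]},
    "1.1.1.1.in-addr.arpa": {"allow-query": ["any"], "allow-transfer": ["xfer"]},
}


def matches(client, acl_names):
    """True if the client address matches any element of the named ACLs."""
    addr = ipaddress.ip_address(client)
    for name in acl_names:
        for entry in ACLS[name]:
            net = ipaddress.ip_network(entry, strict=False)
            if addr.version == net.version and addr in net:
                return True
    return False


def allowed(client, kind, zone=None):
    """Evaluate allow-<kind> (kind: query, recursion, transfer, update).

    zone=None means the name asked for is not in one of our master zones,
    so only the global options apply (e.g. someone using us as a resolver).
    """
    key = "allow-" + kind
    policy = ZONES.get(zone, {}).get(key, OPTIONS[key])
    return matches(client, policy)


def recursive_lookup(client):
    """Resolving a foreign name needs both allow-query and allow-recursion."""
    return allowed(client, "query") and allowed(client, "recursion")


def posture(client):
    """Summarise what a given client can do against this server."""
    return {
        "query our zone":     allowed(client, "query", "midominio.com.ve"),
        "transfer our zone":  allowed(client, "transfer", "midominio.com.ve"),
        "dynamic update":     allowed(client, "update", "midominio.com.ve"),
        "use us as resolver": recursive_lookup(client),
    }


if __name__ == "__main__":
    # 203.0.113.5 is a constructed Internet client (RFC 5737 documentation range)
    for who in ("127.0.0.1", "1.1.1.3", "203.0.113.5"):
        print(who, posture(who))
```

Running it shows the intended split: the Internet client can query the zone but cannot transfer it, update it or recurse through the server, the listed secondary can additionally transfer, and only localhost gets recursion. Changing `"trusted"` under `allow-recursion` to `"any"` is the misconfiguration the comment block in named.conf warns about, and the model flags it immediately.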
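The zone files in sections 7 and 8 depend on a few conventions that are easy to get wrong by hand: the YYYYMMDDnn serial the comments mention, two distinct NS records at the apex, an A record (glue) for every in-zone name server, and the www CNAME that DNSStuff flags. The following linter is an added example, not part of Wilmer's post or of BIND: it parses the small master-file subset used in the post (a $TTL directive, ';' comments, a parenthesised SOA, owner inheritance from the previous record, optional TTL/class fields) and reports those problems. FORWARD_ZONE is a constructed copy of the post's forward zone with the post's placeholder addresses.

```python
"""Linter for the zone-file conventions the post relies on.

Added example (not part of the original post or of BIND). Parses a subset of
the master file format and checks serial format, NS count, glue and www CNAME.
"""
import re
from datetime import date

# Constructed copy of the post's forward zone (placeholder addresses).
FORWARD_ZONE = """\
$TTL 38400
midominio.com.ve.   IN SOA ns1.midominio.com.ve. administrator.midominio.com.ve. (
        2015113003  ; serial, YYYYMMDDnn
        10800       ; refresh
        3600        ; retry
        1209600     ; expire
        38400 )     ; minimum
                    IN NS    ns1.midominio.com.ve.
                    IN NS    ns2.midominio.com.ve.
@                   IN A     1.1.1.1
ns1                 IN A     1.1.1.2
ns2                 IN A     1.1.1.3
www                 IN CNAME midominio.com.ve.
"""


def logical_lines(text):
    """Strip ';' comments and join lines inside ( ) into one logical record."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not buf and not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf)       # buf[0] keeps its leading whitespace
            buf = []


def qualify(name, origin):
    """Turn a relative owner name into an absolute one."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, rtype, [rdata tokens])] for every record in the file."""
    origin = origin.rstrip(".") + "."
    records, owner = [], "@"
    for line in logical_lines(text):
        if line.startswith("$"):
            continue                  # $TTL/$ORIGIN directives are not records
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():     # an owner is present; otherwise inherit
            owner = tokens.pop(0)
        while tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)             # skip optional TTL and class
        records.append((qualify(owner, origin), tokens[0].upper(), tokens[1:]))
    return records


def check_serial(serial):
    """RFC 1912 convention: YYYYMMDDnn, with a real calendar date in front."""
    m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})\d{2}", serial)
    if not m:
        return [f"SOA serial {serial} is not in YYYYMMDDnn form"]
    try:
        date(int(m[1]), int(m[2]), int(m[3]))
    except ValueError:
        return [f"SOA serial {serial} does not begin with a valid date"]
    return []


def lint(records, origin):
    """Return a list of human-readable problems found in the parsed records."""
    origin = origin.rstrip(".") + "."
    problems = []
    soa = [r for r in records if r[0] == origin and r[1] == "SOA"]
    if len(soa) != 1:
        problems.append("zone needs exactly one SOA record at the apex")
    else:
        problems += check_serial(soa[0][2][2])   # rdata: mname rname serial ...
    ns = [r[2][0] for r in records if r[0] == origin and r[1] == "NS"]
    if len(set(ns)) < 2:
        problems.append("fewer than two distinct NS records at the apex")
    if len(ns) != len(set(ns)):
        problems.append("duplicate NS record at the apex")
    glue = {r[0] for r in records if r[1] in ("A", "AAAA")}
    for name in sorted(set(ns)):
        if name.endswith("." + origin) and name not in glue:
            problems.append(f"in-zone name server {name} has no A/AAAA glue record")
    if any(r[0] == "www." + origin and r[1] == "CNAME" for r in records):
        problems.append("www is a CNAME; an A record avoids the extra lookup")
    return problems


def lint_text(text, origin):
    return lint(parse_zone(text, origin), origin)


if __name__ == "__main__":
    for p in lint_text(FORWARD_ZONE, "midominio.com.ve"):
        print("warning:", p)
```

On the constructed forward zone the only finding is the www CNAME, which matches DNSStuff's second item. Pointing `lint_text(open(path).read(), origin)` at the reverse zone as originally written would also report the duplicated NS record. This is a complement to, not a replacement for, `named-checkzone` from the BIND package, which performs the authoritative syntax check.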