I have completed setting up DNS for IPv4 and IPv6.   Part of it was configuring HSTS for my web sites.   I configured logging for bind. 

7.1.2020 : Setting up better logging for DNS

I finally am ready to show how I did BIND9 DNS for IPv4 and IPv6

### Named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.log";
sudo cat named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //======================================================================                    ==
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //======================================================================                    ==
        dnssec-validation auto;
        recursion yes;
        listen-on-v6 { any; };
};
 sudo cat named.conf.local
// allow-transfer { 192.168.1.xxx; 172.16.1.xxx; };
//        also-notify { 192.168.1.xxx; 172.16.1.xxx; };

// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "db.scsiraidguru.lan" {
        type master;
        file "/etc/bind/zones/db.scsiraidguru.lan";
        allow-transfer { 192.168.1.xxx; 172.16.1.xxx; };
        also-notify { 192.168.1.xxx; 172.16.1.xxx; };
 };

zone "db.scsiraidguru.com" {
        type master;
        file "/etc/bind/zones/db.scsiraidguru.com";
        allow-transfer { 192.168.1.xxx; 172.16.1.xxx; };
        also-notify { 192.168.1.xxx; 172.16.1.xxx; };
 };

zone "scsiraidguru.com" {
        type master;
        file "/etc/bind/zones/scsiraidguru.com";
        allow-transfer { 192.168.1.xxx; 172.16.1.xxx; };
        also-notify { 192.168.1.xxx; 172.16.1.xxx; };
 };

###
Other zones I don't want to show
###

zone "scsiraidguru.lan" {
        type master;
        file "/etc/bind/zones/scsiraidguru.lan";
        allow-transfer { 192.168.1.xxx; 172.16.1.xxx; };
        also-notify { 192.168.1.xxx; 172.16.1.xxx; };
 };

zone "168.192.in.addr.arpa" {
        type master;
        file "/etc/bind/zones/db.192.168";
        allow-transfer { 192.168.1.xxx; 172.16.1.xxx; };
        also-notify { 192.168.1.xxx; 172.16.1.xxx; };
};

### 
I have 2 WAN and 8 Layer 3 LAN ports on the 60E.  I will show you a few of them. 

zone "2.9.1.e.f.e.5.2.0.8.9.0.2.0.7.1.0.0.6.2.ip6.arpa" {
        type master;
        file "/etc/bind/zones/db.2600.1702.980.25ef.e192";
        allow-transfer { 2600:1702:980:25ef:2172:16:1:xxx; 2600:1702:980:25ef:E192:168:1:xxx; };
        also-notify { 2600:1702:980:25ef:2172:16:1:xxx; 2600:1702:980:25ef:E192:168:1:xxx; };
};

I removed the last digits of the address for privacy reasons in named.conf.options.  You will notice allow-transfer and also-notify for IPv4 is an IPv4 address.   IPv6 is an IPv6 address.   On the secondary DNS server in /var/cache/bind/slaves, a copy of the /etc/bind/zones is copied. I follow naming protocols for the zones.   Internal servers are scsiraidguru.lan and websites are scsiraidguru.com

 sudo cat named.conf.log
 logging {
  channel bind_log {
    file "/var/log/bind/bind.log" versions 3 size 5m;
    severity info;
    print-category yes;
    print-severity yes;
    print-time yes;
  };
  category default { bind_log; };
  category update { bind_log; };
  category update-security { bind_log; };
  category security { bind_log; };
  category queries { bind_log; };
  category lame-servers { null; };
};

For completeness, I created a separate named.conf.log for the logging.   I like my logs in a folder under /var/log. 

Below is the old stuff from this page I need to edit and delete.

sudo apt update
sudo apt install resolvconf
sudo systemctl start resolvconf.service
sudo systemctl enable resolvconf.service sudo systemctl status resolvconf.service
sudo dpkg-reconfigure resolvconf # answer Yes and ok

sudo vim /etc/resolvconf/resolv.conf.d/head
# your nameservers, domain, options that would go in /etc/resolv.conf in here

search nyc3.example.com # your private domain
nameserver 10.128.10.11 # ns1 private IP address
nameserver 10.128.20.12 # ns2 private IP address


Restart the server

Turn these off in named.conf.options or you get errors

 dnssec-enable no;
 dnssec-validation no;

Sudo systemctl -l status bind9 gets check hint errors

These commands help test your DNS

sudo named-checkconf -z /etc/bind/named.conf
sudo named-checkconf -z /etc/bind/named.conf.local

sudo named-checkconf -z /etc/bind/named.conf
zone scsiraidguru.com/IN: loaded serial 2011071006
zone 2.9.1.e.f.e.5.2.0.8.9.0.2.0.7.1.0.0.6.2.ip6.arpa/IN: loaded serial 2011071005
zone 127.in-addr.arpa/IN: loaded serial 1
zone 0.in-addr.arpa/IN: loaded serial 1
zone 255.in-addr.arpa/IN: loaded serial 1
zone 168.192.in-addr.arpa/IN: loaded serial 2011071005
zone 16.172.in-addr.arpa/IN: loaded serial 2011071005
sudo named-checkconf -z /etc/bind/named.conf.local
zone scsiraidguru.com/IN: loaded serial 2011071006
zone 2.9.1.e.f.e.5.2.0.8.9.0.2.0.7.1.0.0.6.2.ip6.arpa/IN: loaded serial 2011071005
zone 127.in-addr.arpa/IN: loaded serial 1
zone 0.in-addr.arpa/IN: loaded serial 1
zone 255.in-addr.arpa/IN: loaded serial 1
zone 168.192.in-addr.arpa/IN: loaded serial 2011071005
zone 16.172.in-addr.arpa/IN: loaded serial 2011071005

sudo named-checkzone forward /etc/bind/zones/scsiraidguru.com
zone forward/IN: loaded serial 2011071006
OK

sudo named-checkzone reverse /etc/bind/zones/scsiraidguru.com

zone reverse/IN: loaded serial 2011071006
OK
nslookup wp.scsiraidguru.com
Server:  xxxxxxx
Address:  2600:1702:980:25ef:e192:xxxx:xxxx:xxxx

Name:    wp.scsiraidguru.com
Addresses:  2600:1702:980:25ef:e192:xxxx:xxxx:xxxx
          192.168.1.xxxx