bind9 DNS setup
TLDR: you can set up bind9 to handle the DNS records of your clearnet domain for all clearnet presence purposes, even on anonymously rented VPSes.

In this tutorial we're going to take a look at how to set up DNS servers using bind9.
Disclaimer: If you want this service to remain anonymous, make sure you at least keep Tor between you and the service, from the VPS acquisition to actual service usage.

Initial Setup
We'll assume a standard Debian-based server.
First install the requirements:
root@Temple:~# apt update -y ; apt upgrade -y ; apt install bind9 -y
root@Temple:~# systemctl disable --now ufw
Next we edit the /etc/bind/named.conf.options file to define which IP addresses the DNS server listens on:
root@Temple:~# vim /etc/bind/named.conf.options
listen-on {
10.10.10.0/24;
10.1.0.0/16;
...
};
#OR
listen-on { any; };
listen-on-v6 { any; };
#OR, if systemd-resolved is running
listen-on { !127.0.0.53; !127.0.0.54; any; };
listen-on-v6 { any; };
Next, we allow queries to come from any source (not just local):
allow-query { any; };
Then, we prevent people from asking the version and hostname of this server.
// hide version number from clients for security reasons.
version none;
hostname none;
Finally, we disable recursion, to prevent our server from being used in DDoS attacks:
// disable recursion on authoritative DNS server.
recursion no;
Here's the result. Save it with :wq
options {
directory "/var/cache/bind";
dnssec-validation auto;
listen-on-v6 { any; };
listen-on { any; };
allow-query { any; };
// hide version number from clients for security reasons.
version none;
hostname none;
// disable recursion on authoritative DNS server.
recursion no;
};
Then restart bind9:
root@Temple:~# systemctl restart named
root@Temple:~# systemctl status named
● named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-11-02 20:37:26 UTC; 4s ago
Docs: man:named(8)
Main PID: 2863095 (named)
Tasks: 8 (limit: 4584)
Memory: 30.0M
CGroup: /system.slice/named.service
└─2863095 /usr/sbin/named -f -u bind
Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:500:2d::d#53
Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
Nov 02 20:37:26 Temple named[2863095]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Nov 02 20:37:26 Temple named[2863095]: resolver priming query complete
Nov 02 20:37:30 Temple named[2863095]: listening on IPv4 interface tun0, 10.8.0.1#53
Nov 02 20:37:30 Temple named[2863095]: listening on IPv6 interface tun0, fe80::5822:e1cd:a277:e3e3%124941#53
Nov 02 20:37:30 Temple named[2863095]: no longer listening on 10.8.0.1#53
Nov 02 20:37:30 Temple named[2863095]: no longer listening on fe80::5822:e1cd:a277:e3e3%124941#53
Now let's set up an A record on our DNS server, for itself. To do that we need to specify the zones we're going to manage:
root@Temple:/etc/bind# vim named.conf.local
root@Temple:/etc/bind# cat named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
zone "yourdoma.in" {
type master;
file "db.yourdoma.in";
allow-update { none; };
};
Here we want to set up a subdomain of yourdoma.in, so let's do it in the /var/cache/bind/db.yourdoma.in file:
$TTL 604800
@ IN SOA ns1.yourdoma.in. yourdoma.in. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; name servers - NS records
@ 3600 IN NS ns1.yourdoma.in.
@ 3600 IN NS ns2.yourdoma.in.
; name servers - A records
ns1.yourdoma.in. IN A 78.141.239.68
ns2.yourdoma.in. IN A 45.76.133.0
; other hosts - A records
host1.yourdoma.in. IN A 1.1.1.1
host2.yourdoma.in. IN A 1.0.0.1
And now we restart the bind9 service, and test if we can resolve the host1.yourdoma.in domain:
root@Temple:/etc/bind# systemctl restart named
root@Temple:/etc/bind# systemctl status named
● bind9.service - BIND Domain Name Server
Loaded: loaded (/etc/systemd/system/bind9.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-11-14 10:28:16 UTC; 51s ago
Docs: man:named(8)
Main PID: 3710 (named)
Tasks: 8 (limit: 4582)
Memory: 29.7M
CGroup: /system.slice/bind9.service
└─3710 /usr/sbin/named -f -u bind
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:1::53#53
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:dc3::35#53
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
Nov 14 10:28:16 Temple named[3710]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Nov 14 10:28:16 Temple named[3710]: resolver priming query complete
To do that we use nslookup:
root@Temple:/etc/bind# nslookup host1.yourdoma.in localhost
Server: localhost
Address: 127.0.0.1#53
Name: host1.yourdoma.in
Address: 1.1.1.1
Now we fill in the db file for the rest of the hosts we need. I'll post my complete config just for reference:
root@Temple:/var/cache/bind# vim db.yourdoma.in
root@Temple:/var/cache/bind# cat db.yourdoma.in
$TTL 604800
@ IN SOA ns1.yourdoma.in. yourdoma.in. (
7 ; Serial INCREMENT THIS EVERYTIME YOU EDIT THE FILE !!!!!!!!
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; name servers - NS records
@ 3600 IN NS ns1.yourdoma.in.
@ 3600 IN NS ns2.yourdoma.in.
; name servers - A records
ns1.yourdoma.in. IN A 78.141.239.68
ns2.yourdoma.in. IN A 45.76.133.0
; A records, public IPs
temple 3600 IN A 78.141.239.68
mail 3600 IN A 45.76.133.0
mail 3600 IN AAAA 2001:19f0:7402:2c6:5400:3ff:fea7:22a3
;yourdoma.in
@ 3600 IN MX 10 mail.yourdoma.in.
@ 3600 IN TXT "v=spf1 mx a:mail.yourdoma.in -all"
_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdoma.in; fo=1"
autoconfig 3600 IN CNAME yourdoma.in.
autodiscover 3600 IN CNAME yourdoma.in.
asciinema 3600 IN CNAME yourdoma.in.
blog 3600 IN CNAME yourdoma.in.
chat 3600 IN CNAME yourdoma.in.
cloud 3600 IN CNAME yourdoma.in.
codimd 3600 IN CNAME yourdoma.in.
cryptpad 3600 IN CNAME yourdoma.in.
cyberchef 3600 IN CNAME yourdoma.in.
ghostblog 3600 IN CNAME yourdoma.in.
git 3600 IN CNAME yourdoma.in.
gomez 3600 IN CNAME yourdoma.in.
haste 3600 IN CNAME yourdoma.in.
img 3600 IN CNAME yourdoma.in.
irc 3600 IN CNAME yourdoma.in.
jitsi 3600 IN CNAME yourdoma.in.
kb 3600 IN CNAME yourdoma.in.
kutt 3600 IN CNAME yourdoma.in.
lady 3600 IN CNAME yourdoma.in.
lain 3600 IN CNAME yourdoma.in.
latex 3600 IN CNAME yourdoma.in.
mind 3600 IN CNAME yourdoma.in.
notes 3600 IN CNAME yourdoma.in.
openproject 3600 IN CNAME yourdoma.in.
pad 3600 IN CNAME yourdoma.in.
privatebin 3600 IN CNAME yourdoma.in.
pve 3600 IN CNAME yourdoma.in.
routeur 3600 IN CNAME yourdoma.in.
safe 3600 IN CNAME yourdoma.in.
shells 3600 IN CNAME yourdoma.in.
status 3600 IN CNAME yourdoma.in.
sx 3600 IN CNAME yourdoma.in.
test 3600 IN CNAME yourdoma.in.
tube 3600 IN CNAME yourdoma.in.
u 3600 IN CNAME yourdoma.in.
www 3600 IN CNAME yourdoma.in.
zabbix 3600 IN CNAME yourdoma.in.
root@Temple:/var/cache/bind# systemctl restart named
root@Temple:/var/cache/bind# systemctl status named
● bind9.service - BIND Domain Name Server
Loaded: loaded (/etc/systemd/system/bind9.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-11-14 11:37:30 UTC; 2s ago
Docs: man:named(8)
Main PID: 18839 (named)
Tasks: 8 (limit: 4582)
Memory: 29.3M
CGroup: /system.slice/bind9.service
└─18839 /usr/sbin/named -f -u bind
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:1::53#53
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:200::b#53
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Nov 14 11:37:30 Temple named[18839]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Nov 14 11:37:30 Temple named[18839]: resolver priming query complete
Now, let's set up our secondary DNS server. First, update the bind9 settings to be the same as the first server:
root@mail:~# apt install bind9 -y
root@mail:~# vim /etc/bind/named.conf.options
root@mail:~# cat /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
dnssec-validation auto;
listen-on-v6 { any; };
listen-on { any; };
allow-query { any; };
// hide version number from clients for security reasons.
version none;
hostname none;
// disable recursion on authoritative DNS server.
recursion no;
};
Next, let's update the primary DNS server's named.conf.local file as follows:
root@Temple:/etc/bind# vim /etc/bind/named.conf.local
root@Temple:/etc/bind# cat /etc/bind/named.conf.local
zone "yourdoma.in" IN {
type master;
file "db.yourdoma.in";
allow-update { none; };
allow-transfer { 45.76.133.0; };
also-notify { 45.76.133.0; };
};
root@Temple:/etc/bind# systemctl restart named
In the allow-transfer and also-notify parameters we put the public IP of our second DNS server. After restarting bind9 on the primary, we set up bind9 on the second server as a slave to our first server:
root@mail:~# vim /etc/bind/named.conf.local
root@mail:~# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
zone "yourdoma.in" {
type slave;
file "db.yourdoma.in";
masters {78.141.239.68;};
};
root@mail:/etc/bind# systemctl restart named
root@mail:/etc/bind# systemctl status named
● named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-11-14 14:39:17 UTC; 1s ago
Docs: man:named(8)
Main PID: 94210 (named)
Tasks: 4 (limit: 2340)
Memory: 14.1M
CPU: 29ms
CGroup: /system.slice/named.service
└─94210 /usr/sbin/named -f -u bind
Nov 14 14:39:17 mail named[94210]: running
Nov 14 14:39:17 mail named[94210]: zone yourdoma.in/IN: Transfer started.
Nov 14 14:39:17 mail named[94210]: transfer of 'yourdoma.in/IN' from 78.141.239.68#53: connected using 45.76.133.0#51509
Nov 14 14:39:17 mail named[94210]: zone yourdoma.in/IN: transferred serial 9
Nov 14 14:39:17 mail named[94210]: transfer of 'yourdoma.in/IN' from 78.141.239.68#53: Transfer status: success
Nov 14 14:39:17 mail named[94210]: transfer of 'yourdoma.in/IN' from 78.141.239.68#53: Transfer completed: 1 messages, 49 records, 1118 bytes, 0.004 secs (279500 bytes/sec) (serial 9)
Nov 14 14:39:17 mail named[94210]: zone yourdoma.in/IN: sending notifies (serial 9)
Nov 14 14:39:17 mail named[94210]: dumping master file: /etc/bind/tmp-PF5Ud0HF2G: open: permission denied
Nov 14 14:39:17 mail named[94210]: resolver priming query complete
Nov 14 14:39:17 mail named[94210]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
And from there let's check if the domain name resolution works:
root@Temple:/etc/bind# nslookup ns1.yourdoma.in localhost
Server: localhost
Address: 127.0.0.1#53
Name: ns1.yourdoma.in
Address: 78.141.239.68
root@Temple:/etc/bind# nslookup ns2.yourdoma.in localhost
Server: localhost
Address: 127.0.0.1#53
Name: ns2.yourdoma.in
Address: 45.76.133.0
root@mail:/etc/bind# nslookup ns2.yourdoma.in localhost
Server: localhost
Address: 127.0.0.1#53
Name: ns2.yourdoma.in
Address: 45.76.133.0
root@mail:/etc/bind# nslookup ns1.yourdoma.in localhost
Server: localhost
Address: 127.0.0.1#53
Name: ns1.yourdoma.in
Address: 78.141.239.68
Everything looks good, we can resolve domain names on both the master and slave DNS servers.
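The first named.conf.local in this tutorial has no allow-transfer on the master zone; it only appears once the secondary exists. As an added check (not part of the original page), this script lists primary zones without an explicit allow-transfer, so the transfer policy never rests on the installed version's default. The function names and the sample zones other than yourdoma.in are constructed.

```sh
#!/bin/sh
# Added example: list primary zones that lack an explicit allow-transfer.
# Reads a named.conf fragment on stdin; brace depth tracks nested blocks.
# Limitation: only whole-line comments (// or #) are skipped.
zones_without_transfer_acl() {
    awk '
        /^[ \t]*(\/\/|#)/ { next }
        !in_zone && /^[ \t]*zone[ \t]+"/ {
            split($0, part, "\"")
            name = part[2]; in_zone = 1
            primary = acl = depth = opened = 0
        }
        in_zone {
            if ($0 ~ /type[ \t]+(master|primary)[ \t]*;/) primary = 1
            if ($0 ~ /allow-transfer[ \t]*[{]/) acl = 1
            line = $0
            n_open = gsub(/[{]/, "", line)
            n_close = gsub(/[}]/, "", line)
            if (n_open) opened = 1
            depth += n_open - n_close
            if (opened && depth == 0) {       # closing brace of the zone block
                if (primary && !acl) print name
                in_zone = 0
            }
        }
    '
}

# Constructed sample: the first zone mirrors the tutorial's initial config.
sample_conf() {
cat <<'EOF'
// Do any local configuration here
zone "yourdoma.in" {
    type master;
    file "db.yourdoma.in";
    allow-update { none; };
};
zone "example.test" {
    type master;
    file "db.example.test";
    allow-transfer { 45.76.133.0; };
    update-policy {
        grant ddns-key.example.test name example.test A;
    };
};
zone "secondary.test" {
    type slave;
    file "db.secondary.test";
    masters { 78.141.239.68; };
};
EOF
}

# Usage: ./check-transfer.sh /etc/bind/named.conf.local   (no argument: run on the sample)
if [ -n "${1:-}" ]; then
    zones_without_transfer_acl <"$1"
else
    sample_conf | zones_without_transfer_acl
fi
```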
You can go to the registrar (where you bought the domain) and update the nameservers to be your own (ns1.yourdoma.in and ns2.yourdoma.in).
You should also set the glue records to the IP of the servers. Those allow resolvers to find your nameservers, even if they don't know of your domain.
Dynamic bind9 DNS setup
Now for my current setup, I need my yourdoma.in domain name to resolve a public IP that often changes, therefore I need a dynamic bind9 DNS setup for the A record of my yourdoma.in domain. It is possible to set it up with bind9, so let's do it:
root@Temple:/etc/bind# apt install bind9utils
root@Temple:/etc/bind# which ddns-confgen
/usr/sbin/ddns-confgen
root@Temple:/etc/bind# ddns-confgen -s yourdoma.in
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "ddns-key.yourdoma.in" {
algorithm hmac-sha256;
secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
};
# Then, in the "zone" statement for the zone containing the
# name "yourdoma.in", place an "update-policy" statement
# like this one, adjusted as needed for your preferred permissions:
update-policy {
grant ddns-key.yourdoma.in name yourdoma.in ANY;
};
# After the keyfile has been placed, the following command will
# execute nsupdate using this key:
nsupdate -k <keyfile>
Now that's done, we follow the instructions that the command just output for us:
root@Temple:/etc/bind# vim /etc/bind/named.conf.local
root@Temple:/etc/bind# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
key "ddns-key.yourdoma.in" {
algorithm hmac-sha256;
secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
};
zone "yourdoma.in" {
type master;
file "db.yourdoma.in";
allow-transfer { 45.76.133.0; };
also-notify { 45.76.133.0; };
update-policy {
grant ddns-key.yourdoma.in name yourdoma.in ANY;
};
};
root@Temple:/etc/bind# systemctl restart named
Now that's done, we're going to set up the dynamic DNS script on our client, whose public IP changes often:
root@home:~# which nsupdate
/usr/bin/nsupdate
root@home:~# vim /etc/ddnsupdate.key
root@home:~# cat /etc/ddnsupdate.key
key "ddns-key.yourdoma.in" {
algorithm hmac-sha256;
secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
};
root@home:~# cd /var/www/yourdoma.in/
root@home:/var/www/yourdoma.in# vim dyndns.sh
root@home:/var/www/yourdoma.in# cat dyndns.sh
#!/bin/bash
#MYIP=$(dig +short myip.opendns.com @resolver1.opendns.com)
MYIP=$(curl ifconfig.me)
KEY=/etc/ddnsupdate.key
NS=ns1.yourdoma.in
DOMAIN=yourdoma.in.
ZONE=yourdoma.in.
nsupdate -k "$KEY" -v <<EOF
server $NS
zone $ZONE
update delete $DOMAIN A
update add $DOMAIN 30 A $MYIP
send
EOF
Now let's test it:
root@home:/var/www/yourdoma.in# ./dyndns.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 14 100 14 0 0 72 0 --:--:-- --:--:-- --:--:-- 72
root@home:/var/www/yourdoma.in#
No error messages, so let's check if our script updated the zone file as intended:
root@Temple:/etc/bind# cat /var/cache/bind/db.yourdoma.in
$ORIGIN .
$TTL 604800 ; 1 week
yourdoma.in IN SOA ns1.yourdoma.in. yourdoma.in. (
10 ; serial
604800 ; refresh (1 week)
86400 ; retry (1 day)
2419200 ; expire (4 weeks)
604800 ; minimum (1 week)
)
$TTL 3600 ; 1 hour
NS ns1.yourdoma.in.
NS ns2.yourdoma.in.
$TTL 30 ; 30 seconds
A 92.148.147.119
$ORIGIN yourdoma.in.
$TTL 3600 ; 1 hour
_dmarc TXT "v=DMARC1; p=reject; rua=mailto:dmarc@yourdoma.in; fo=1"
asciinema CNAME yourdoma.in.
[...]
And it did! Now let's make sure our dynamic dns script runs every minute:
root@home:/var/www/yourdoma.in# crontab -e
* * * * * "/var/www/yourdoma.in/dyndns.sh"
root@home:/var/www/yourdoma.in# cronitor select
✔ "/var/www/yourdoma.in/dyndns.sh"
----► Running command: "/var/www/yourdoma.in/dyndns.sh"
[+] updating ns1.yourdoma.in:
----► ✔ Command successful Elapsed time 0.353s
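The dyndns.sh above hands whatever curl returns straight to nsupdate and rewrites the record every minute. The following variant is an added example, not the author's script: it validates the address and skips the update when nothing changed. The function names and the `run` argument are assumptions.

```sh
#!/bin/sh
# Added example: dyndns.sh with input validation. Function names are illustrative.
# Server side, the update-policy grant for this key only needs type A for this script.
KEY=/etc/ddnsupdate.key
NS=ns1.yourdoma.in
DOMAIN=yourdoma.in.
ZONE=yourdoma.in.
TTL=30

# Succeeds only for a dotted-quad IPv4 address whose octets are all 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray characters, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split on dots into $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Prints the nsupdate batch, or nothing when the published address is current.
# $1 = address reported by the lookup service, $2 = address currently in DNS.
build_update() {
    if ! is_ipv4 "$1"; then
        echo "refusing to publish invalid address" >&2
        return 2
    fi
    [ "$1" = "$2" ] && return 0
    cat <<EOF
server $NS
zone $ZONE
update delete $DOMAIN A
update add $DOMAIN $TTL A $1
send
EOF
}

main() {
    new=$(curl -4 -fsS --max-time 10 https://ifconfig.me) || return 1
    current=$(dig +short A "$DOMAIN" "@$NS" | head -n 1)
    batch=$(build_update "$new" "$current") || return $?
    [ -z "$batch" ] || printf '%s\n' "$batch" | nsupdate -k "$KEY" -v
}

# Cron entry becomes: * * * * * /var/www/yourdoma.in/dyndns.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

An error page or a multi-line response from the lookup service is rejected before any nsupdate command is built from it.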
And that's it! We managed to set up 2 DNS servers using bind9 with a master-slave configuration along with dynamic DNS.
Note that once dynamic DNS is enabled, you should not edit the zone file (/var/cache/bind/db.yourdoma.in) by hand while the server is running. To make manual changes, use the following sequence:
root@Temple:~# rndc sync
root@Temple:~# rndc freeze
root@Temple:~# vim /var/cache/bind/db.yourdoma.in
root@Temple:~# rndc thaw
Don't forget to increase the serial number, otherwise the slaves won't know that you edited the zone.
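The serial is easy to forget, so the sequence above can be wrapped in a script that bumps it and checks the zone before thawing. This is an added example, not the author's tooling; the function names and the `edit` argument are assumptions, and it relies on the "; Serial" comment that both the tutorial's zone file and named's rewritten file carry.

```sh
#!/bin/sh
# Added example: freeze, edit a copy, bump the serial, check, install, thaw.
ZONE=yourdoma.in
ZONEFILE=/var/cache/bind/db.yourdoma.in

# Prints the zone file in $1 with the SOA serial incremented by one.
bump_serial() {
    awk '
        !done && tolower($0) ~ /^[ \t]*[0-9]+[ \t]*;[ \t]*serial/ {
            match($0, /[0-9]+/)
            serial = substr($0, RSTART, RLENGTH)
            $0 = substr($0, 1, RSTART - 1) sprintf("%.0f", serial + 1) substr($0, RSTART + RLENGTH)
            done = 1
        }
        { print }
        END { if (!done) exit 3 }   # no serial line found: fail instead of guessing
    ' "$1"
}

edit_zone() {
    work=$(mktemp) || return 1
    if rndc sync "$ZONE" && rndc freeze "$ZONE"; then
        # Edit a copy; the live file is replaced only if named-checkzone accepts it.
        cp "$ZONEFILE" "$work" &&
            "${EDITOR:-vi}" "$work" &&
            bump_serial "$work" >"$work.new" &&
            named-checkzone "$ZONE" "$work.new" &&
            cat "$work.new" >"$ZONEFILE"
        status=$?
        rndc thaw "$ZONE"           # always thaw, even when the edit was rejected
    else
        status=1
    fi
    rm -f "$work" "$work.new"
    return "$status"
}

# Usage: ./zone-edit.sh edit
if [ "${1:-}" = "edit" ]; then edit_zone; fi
```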
Now if you want your DNS servers to propagate, you will have to wait.

You can check the status of the DNS propagation online (wait 24 hours for it to propagate fully), then check again after 24 hours.

At first, none of the major DNS servers around the world are aware of my ns1.yourdoma.in record, therefore I need to wait for my DNS record to propagate (by setting the DNS server as the DNS servers for a particular domain, on a registrar).
DNSSEC Setup
Once your DNS records have propagated, we can set up DNSSEC:
root@mail-gw:~# vim /etc/bind/named.conf.options
root@mail-gw:~# cat /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
//dnssec-validation yes;
//dnssec-enable yes;
//dnssec-lookaside auto; //since debian 12 these are no longer needed
listen-on-v6 { any; };
listen-on { any; };
allow-query { any; };
// […]
};
Then edit the zone configuration in named.conf.local to enable DNSSEC signing on the zone:
root@Temple:~# vim /etc/bind/named.conf.local
root@Temple:~# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
key "ddns-key.yourdoma.in" {
algorithm hmac-sha256;
secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
};
zone "yourdoma.in" {
type master;
file "db.yourdoma.in";
allow-transfer { 45.76.133.0; };
also-notify { 45.76.133.0; };
update-policy {
grant ddns-key.yourdoma.in name yourdoma.in ANY;
};
dnssec-policy default;
inline-signing yes;
};
root@Temple:/etc/bind# systemctl restart named
The keys are automatically created, and the zone is automatically signed.
root@Temple:~# ls /var/cache/bind
Kyourdoma.in.+013+39732.key db.yourdoma.in db.yourdoma.in.signed.jnl
Kyourdoma.in.+013+39732.private db.yourdoma.in.jbk managed-keys.bind
Kyourdoma.in.+013+39732.state db.yourdoma.in.signed managed-keys.bind.jnl
root@Temple:~# dig @localhost +dnssec +nocrypto A ns1.yourdoma.in
; <<>> DiG 9.20.15 <<>> @localhost +dnssec +nocrypto A ns1.yourdoma.in
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57178
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 5d4fe384492de84b010000006978dd18d70f17674fa6c49e (good)
;; QUESTION SECTION:
;ns1.yourdoma.in. IN A
;; ANSWER SECTION:
ns1.yourdoma.in. 60 IN A 78.141.239.68
ns1.yourdoma.in. 60 IN RRSIG A 13 3 60 20260210114802 20260127143644 39732 yourdoma.in. [omitted]
;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(localhost) (UDP)
;; WHEN: Tue Jan 27 16:43:20 CET 2026
;; MSG SIZE rcvd: 195
Upload the DS records to your registrar. To get the DS records, use the command dnssec-dsfromkey /var/cache/bind/Kyourdoma.in.+013+39732.key.
To edit the zone, use the same procedure as when dynamic DNS is enabled; the zone should automatically be re-signed if you update the serial.
AlbertLarsan68 2024-05-28