Date:      Fri, 14 Jan 2005 22:55:43 +0300
From:      "Andrew P." <infofarmer@mail.ru>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        FreeBSD-Questions Questions <freebsd-questions@freebsd.org>
Subject:   Re: DNS: querying route DNS
Message-ID:  <41E823BF.2050305@mail.ru>
In-Reply-To: <41E7F5B3.7050408@infracaninophile.co.uk>
References:  <20050114131018.68217.qmail@web15703.mail.cnb.yahoo.com> <41E7CBFB.1090603@infracaninophile.co.uk> <41E7D5A0.2090004@mail.ru> <41E7F5B3.7050408@infracaninophile.co.uk>

Matthew Seaman wrote:
> Sure.  Assuming you're using 5.3-RELEASE, 5.3-STABLE or better, then 
> setting up a recursive-only nameserver is really very simple.
> 
> The system comes with BIND-9.3.0 as standard, and it has all of the 
> chroot-ing functionality available just by default. All you need do is 
> add the following to /etc/rc.conf:
> 
>     named_enable="YES"
> 
> There are several other variables you can use to tweak the named startup 
> via /etc/rc.conf, but basically the default values are good for what I 
> want to do here:
> 
> named_program="/usr/sbin/named" # path to named, if you want a different one.
> named_flags="-u bind"           # Flags for named
> named_pidfile="/var/run/named/pid" # Must set this in named.conf as well
> named_chrootdir="/var/named"    # Chroot directory (or "" not to auto-chroot it)
> named_chroot_autoupdate="YES"   # Automatically install/update chrooted
>                                 # components of named. See /etc/rc.d/named.
> named_symlink_enable="YES"      # Symlink the chrooted pid file
> 
> You need to do three more things to configure named.  The first is to 
> generate the keys that allow rndc(8) to communicate with and control the 
> name server:
> 
>     # rndc-confgen > /etc/named/rndc.conf
> 
> The file consists of two parts: the stuff rndc needs to read, followed 
> by the equivalent stuff, but commented out, to go into named.conf:
> 
> # Start of rndc.conf
> key "rndc-key" {
>         algorithm hmac-md5;
>         secret "XXXXXXXXXXXXXXXXXXXXXX==";
> };
> 
> options {
>         default-key "rndc-key";
>         default-server 127.0.0.1;
>         default-port 953;
> };
> # End of rndc.conf
> 
> # Use with the following in named.conf, adjusting the allow list as needed:
> # key "rndc-key" {
> #       algorithm hmac-md5;
> #       secret "XXXXXXXXXXXXXXXXXXXXXX==";
> # };
> #
> # controls {
> #       inet 127.0.0.1 port 953
> #               allow { 127.0.0.1; } keys { "rndc-key"; };
> # };
> # End of named.conf
> 
> All of those X's will be replaced by a random password hash.
> 
> The second thing is to generate the zone files for the localhost and the 
> IPv6 and IPv4 loopback addresses, which you do by running the provided 
> script:
> 
>     # cd /etc/namedb
>     # ./make-localhost
> 
> This will write two files into /etc/namedb/master: localhost.rev, and 
> localhost-v6.rev which let you resolve the IP numbers 127.0.0.1 and ::1 
> respectively as mapping to the hostname 'localhost.'  Once you've 
> generated those once, you never need to touch them again.  Nb. Although 
> we're setting up a recursive nameserver, it will hold these localhost 
> domains authoritatively; a slight exception to the usual rule of not 
> mixing recursive and authoritative functions in the same nameserver 
> instance.  Pretty much every nameserver in operation provides the 
> localhost reverse domain.
> 
> The third and final step is to generate a named.conf -- details of the 
> configuration file syntax are available in
> 
>     file:///usr/share/doc/bind9/arm/Bv9ARM.html
> 
> but something based on the attached example is what you need. This will 
> provide a recursive nameservice including both IPv4 and IPv6.  Use 
> named-checkconf to syntax check the file:
> 
>     % named-checkconf named.conf && echo "Configuration OK"
> 
> BIND v9 is in general very picky about the syntax of the configuration 
> file, and if it finds an error (usually a missing semi-colon) it will 
> silently (except for messages to the system log) refuse to start up.
> 
> At last you're ready to fire up named for the first time:
> 
>     # /etc/rc.d/named start
> 
> This will result in the contents of /etc/namedb being copied into 
> /var/named/etc/namedb and a sym-link being created in /etc.  Various 
> other necessary bits will be created under /var/named and as a security 
> measure, the named daemon will be chroot'ed there when it starts up.
> 
> Any time you work on named's config or zone files, always check the 
> system log to confirm that named is still happy:
> 
> Jan 14 09:08:40 gravitas named[371]: starting BIND 9.3.0 -u bind -t /var/named
> Jan 14 09:08:41 gravitas named[371]: command channel listening on 127.0.0.1#953
> Jan 14 09:08:41 gravitas named[371]: command channel listening on ::1#953
> 
> Use rndc(8) to control named during normal use -- it's interesting to 
> dump the cache after a day or so's operation to see what weird and 
> wonderful places your system has been looking up.
> 

Thanks much! I actually thought that BIND configuration was a lot
more difficult, but it appears to be a matter of 20 minutes. I also
need to serve some local zones, but I'll figure that out on my own.
Will try to switch to BIND this weekend.

Best wishes,
Andrew P.
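The rndc.conf / named.conf pairing that Matthew's quoted message walks through, as an added example that is not part of the thread: a small Python helper that parses the rndc.conf half of rndc-confgen's output, flags the missing-semicolon mistake the message says makes BIND refuse to start, and regenerates the matching key and controls stanzas for named.conf. The sample rndc.conf and its secret are constructed; the function names are this example's own.

```python
"""Derive named.conf 'key' and 'controls' stanzas from an rndc.conf (added example)."""
import base64
import re

# Constructed sample in the shape rndc-confgen emits; the secret is a dummy value.
SAMPLE_RNDC_CONF = """\
# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "c2VjcmV0LWtleS1tYXRlcmlhbA==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf
"""

KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*'
                    r'secret\s+"([^"]+)"\s*;\s*\}\s*;')

def lint_statements(text):
    """Return 1-based line numbers of statements lacking the terminating ';'."""
    bad = []
    for n, line in enumerate(text.splitlines(), 1):
        stmt = line.split("#", 1)[0].strip()      # drop comments and blanks
        if stmt and not stmt.endswith(("{", ";")):  # block openers may end in '{'
            bad.append(n)
    return bad

def parse_rndc_conf(text):
    """Extract key name, algorithm, secret and control channel address/port."""
    missing = lint_statements(text)
    if missing:
        raise ValueError("statement(s) missing ';' on line(s) %s" % missing)
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no key stanza found")
    name, algorithm, secret = m.groups()
    base64.b64decode(secret, validate=True)  # malformed secret raises binascii.Error
    srv = re.search(r'default-server\s+([^\s;]+)\s*;', text)
    port = re.search(r'default-port\s+(\d+)\s*;', text)
    return {"name": name, "algorithm": algorithm, "secret": secret,
            "server": srv.group(1) if srv else "127.0.0.1",
            "port": int(port.group(1)) if port else 953}

def named_conf_controls(info):
    """Render the key + controls stanzas for named.conf, bound to the same secret."""
    return ('key "%(name)s" {\n        algorithm %(algorithm)s;\n'
            '        secret "%(secret)s";\n};\n\ncontrols {\n'
            '        inet %(server)s port %(port)d\n'
            '                allow { %(server)s; } keys { "%(name)s"; };\n};\n' % info)
```

Keeping the allow list at the loopback address, as in the quoted message, means only local rndc clients holding the key can reach the control channel.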
