Date:      Tue, 28 Jan 2003 12:58:49 +1100
From:      Greg Lane <gregory.lane@anu.edu.au>
To:        freebsd-questions@FreeBSD.ORG
Cc:        leblanc+freebsd@keyslapper.org
Subject:   Re: Caching nameserver question - I need a spot here . . .
Message-ID:  <20030128015849.GA76718@nucl03.anu.edu.au>
In-Reply-To: <20030127221529.GB36301@keyslapper.org>
References:  <20030127221529.GB36301@keyslapper.org>

On Mon, Jan 27, 2003 at 05:15:29PM -0500, Louis LeBlanc <leblanc+freebsd@keyslapper.org> wrote:
> Hey all.  I'm finally getting around to setting up a caching dns
> server.  Pretty confusing from my angle.
> 
> Here's what I have so far:
> named enabled in /etc/rc.conf
> cd to /etc/namedb and run sh make-localhost
> 
> and the following in /etc/namedb/named.conf:
> 
> options {
> 	directory "/etc/namedb";
> 	forward first;
> 	forwarders {
> 		151.203.0.84;
> 		151.202.0.84;
> 	};
> 	listen-on { 10.8.20.5; };
> 	version "surely you must be joking";
> 	query-source address * port 53;
> };
> 
> 
> zone "." {
> type hint;
> file "named.root";
> };
> 
> zone "0.0.127.IN-ADDR.ARPA" {
> type master;
> file "localhost.rev";
> };
> 

G'day Louis,

The only differences I can see between this and my working 
configuration at home are

1/. I have "forward only" rather than "forward first". 
    So far my DNS providers haven't failed me!

2/. I run named as a non-privileged user. I haven't configured 
    a complete sandbox (see http://www.au.freebsd.org/doc/en_US.ISO8859-1/books/handbook/dns.html#NAMED-SANDBOX for that), 
    but just did the following:

      mkdir /etc/namedb/s
      chown bind:bind /etc/namedb/s
      chmod 750 /etc/namedb/s

   Add the following to the options in named.conf

      dump-file "s/named_dump.db";

   and named_flags="-u bind -g bind" to /etc/rc.conf.

3/. I don't have the version and query-source lines. I 
    don't believe they'll break anything for you.

4/. I have set up an authoritative "lane.family" 
    domain for my home network

5/. You may want to add 127.0.0.1 to your listen-on option.

I can't see anything in your setup as is that will wreak havoc on the 
internet, but I am not an expert. I would at least run it as bind:bind
rather than root as it is trivial to set up. A complete sandbox is better, 
and of course a jail would be even better, but they are both more work.

Greg

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
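A small lint script for the points raised in this thread, added here as an example and not part of the original exchange: it tokenises the options block of a named.conf and flags `forward first`, a `listen-on` without 127.0.0.1, a `version` statement that lacks its terminating `;` (and so swallows the next line), and an rc.conf with no `named_flags="-u ..."`. The configuration text is a constructed copy of the posted options block, with the version statement left without its `;`.

```python
import re

# Constructed copies of the posted named.conf (with its missing ';' after the
# version string) and of an rc.conf that enables named but sets no named_flags.
NAMED_CONF = """options {
    directory "/etc/namedb";
    forward first;
    forwarders { 151.203.0.84; 151.202.0.84; };
    listen-on { 10.8.20.5; };
    version "surely you must be joking"
    query-source address * port 53;
};
"""
RC_CONF = 'named_enable="YES"\n'

# Tokens: quoted strings, the punctuation { } ; and bare words (line comments only).
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')

def options_statements(conf):
    """Split the body of options { ... } into statements, each a token list."""
    toks = TOKEN.findall(re.sub(r"//.*|#.*", "", conf))
    start = toks.index("options") + 1          # index of the opening '{'
    depth, stmt, stmts = 1, [], []
    for tok in toks[start + 1:]:
        depth += (tok == "{") - (tok == "}")   # brace nesting inside options
        if depth == 0:                         # closing '}' of the options block
            break
        if tok == ";" and depth == 1:          # top-level statement terminator
            stmts.append(stmt)
            stmt = []
        else:
            stmt.append(tok)
    return stmts

def audit(named_conf, rc_conf):
    """Return findings for the points raised in the thread; [] means all addressed."""
    findings = []
    for stmt in options_statements(named_conf):
        if not stmt:
            continue
        if stmt[0] == "forward" and stmt[1:] == ["first"]:
            findings.append("forward first: falls back to root hints; consider forward only")
        if stmt[0] == "listen-on" and "127.0.0.1" not in stmt:
            findings.append("listen-on omits 127.0.0.1: local lookups cannot reach named")
        if stmt[0] == "version" and len(stmt) > 2:
            findings.append("version lacks ';' and swallows: " + " ".join(stmt[2:]))
    flags = re.search(r'^named_flags="([^"]*)"', rc_conf, re.M)
    if not flags or "-u" not in flags.group(1).split():
        findings.append('no named_flags="-u bind ..." in rc.conf: named runs as root')
    return findings
```

Running `audit(NAMED_CONF, RC_CONF)` reports all four points; applying Greg's changes (forward only, 127.0.0.1 in listen-on, the missing `;`, and `named_flags="-u bind -g bind"`) brings it to an empty list.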