Date:      Fri, 14 Jan 2005 16:39:15 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        infofarmer@mail.ru
Cc:        FreeBSD-Questions Questions <freebsd-questions@freebsd.org>
Subject:   Re: DNS: querying route DNS
Message-ID:  <41E7F5B3.7050408@infracaninophile.co.uk>
In-Reply-To: <41E7D5A0.2090004@mail.ru>
References:  <20050114131018.68217.qmail@web15703.mail.cnb.yahoo.com> <41E7CBFB.1090603@infracaninophile.co.uk> <41E7D5A0.2090004@mail.ru>

Andrew P. wrote:
> Matthew Seaman wrote:
> 
>> If your ISPs nameservers are unreliable or overloaded, and not giving 
>> you a good service, then one course of action you might consider is 
>> just configuring the named(8) built into your FreeBSD system to do 
>> recursive DNS lookups for you. (And caching -- but that's a given for 
>> any sort of DNS server).  If you (or anyone) is interested I'll be 
>> happy to post a HowTo to the list.

> I'm sure it won't be difficult for anyone to find a named(8) how-to,
> but I'd be very glad to see your post, please. I currently use djbdns,
> but I'm not very happy with it and I'd like to try something else.

Sure.  Assuming you're using 5.3-RELEASE, 5.3-STABLE or better, then 
setting up a recursive-only nameserver is really very simple.

The system comes with BIND-9.3.0 as standard, and it has all of the 
chroot-ing functionality available just by default. All you need do is 
add the following to /etc/rc.conf:

     named_enable="YES"

There are several other variables you can use to tweak the named startup 
  via /etc/rc.conf, but basically the default values are good for what I 
want to do here:

named_program="/usr/sbin/named"    # path to named, if you want a different one.
named_flags="-u bind"              # Flags for named
named_pidfile="/var/run/named/pid" # Must set this in named.conf as well
named_chrootdir="/var/named"       # Chroot directory (or "" not to auto-chroot it)
named_chroot_autoupdate="YES"      # Automatically install/update chrooted
                                   # components of named. See /etc/rc.d/named.
named_symlink_enable="YES"         # Symlink the chrooted pid file

You need to do three more things to configure named.  The first is to 
generate the keys that allow rndc(8) to communicate with and control the 
name server:

     # rndc-confgen > /etc/named/rndc.conf

The file consists of two parts: the stuff rndc needs to read, followed 
by the equivalent stuff, but commented out, to go into named.conf:

# Start of rndc.conf
key "rndc-key" {
         algorithm hmac-md5;
         secret "XXXXXXXXXXXXXXXXXXXXXX==";
};

options {
         default-key "rndc-key";
         default-server 127.0.0.1;
         default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "XXXXXXXXXXXXXXXXXXXXXX==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

All of those X's will be replaced by a random password hash.

The second thing is to generate the zone files for the localhost and the 
  IPv6 and IPv4 loopback addresses, which you do by running the provided 
script:

     # cd /etc/namedb
     # ./make-localhost

This will write two files into /etc/namedb/master: localhost.rev, and 
localhost-v6.rev which let you resolve the IP numbers 127.0.0.1 and ::1 
respectively as mapping to the hostname 'localhost.'  Once you've 
generated those once, you never need to touch them again.  Nb. Although 
we're setting up a recursive nameserver, it will hold these localhost 
domains authoritatively; a slight exception to the usual rule of not 
mixing recursive and authoritative functions in the same nameserver 
instance.  Pretty much every nameserver in operation provides the 
localhost reverse domain.

The third and final step is to generate a named.conf -- details of the 
configuration file syntax are available in

     file:///usr/share/doc/bind9/arm/Bv9ARM.html

but something based on the attached example is what you need. This will 
provide a recursive nameservice including both IPv4 and IPv6.  Use 
named-checkconf to syntax check the file:

     % named-checkconf named.conf && echo "Configuration OK"

BIND v9 is in general very picky about the syntax of the configuration 
file, and if it finds an error (usually a missing semi-colon) it will 
silently (except for messages to the system log) refuse to start up.

At last you're ready to fire up named for the first time:

     # /etc/rc.d/named start

This will result in the contents of /etc/namedb being copied into 
/var/named/etc/namedb and a sym-link being created in /etc.  Various 
other necessary bits will be created under /var/named and as a security 
measure, the named daemon will be chroot'ed there when it starts up.

Any time you work on named's config or zone files, always check the 
system log to confirm that named is still happy:

Jan 14 09:08:40 gravitas named[371]: starting BIND 9.3.0 -u bind -t /var/named
Jan 14 09:08:41 gravitas named[371]: command channel listening on 127.0.0.1#953
Jan 14 09:08:41 gravitas named[371]: command channel listening on ::1#953

Use rndc(8) to control named during normal use -- it's interesting to 
dump the cache after a day or so's operation to see what weird and 
wonderful places your system has been looking up.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       8 Dane Court Manor
                                                       School Rd
PGP: http://www.infracaninophile.co.uk/pgpkey         Tilmanstone
Tel: +44 1304 617253                                  Kent, CT14 0JL UK

Attachment: named.conf

#
# Recursive resolver, for general purpose use.
#

# Networks/IP numbers from where people are allowed to do recursive
# lookups via this server.  For security reasons, you should limit
# this to just your own networks.  Edit to suit your local setup.

acl allowedusers {
        192.168.0.0/24;
        123.45.67.89;
};

# The 'key' and 'controls' blocks should be copied out of
# /etc/namedb/rndc.conf -- I've added an obvious extension so you can
# connect via IPv6 as well.

key "rndc-key" {
        algorithm hmac-md5;
        secret "XXXXXXXXXXXXXXXXXXXXXX==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
        inet ::1 port 953
                allow { ::1; } keys { "rndc-key"; };
};

# This logging statement turns on query logging to syslog /by
# default/.  Enable /var/log/all.log by following the instructions in
# /etc/syslog.conf if you want to see the output.  Nb. you will
# probably want to turn off query logging if there are a lot of people
# using the resolver, as it generates quite a bit of output.  You can
# toggle query logging at runtime by using rndc(8).

logging {
        category default {
                default_syslog;
                default_debug;
        };
        category queries {
                default_syslog;
        };
        category unmatched {
                null;
        };
};


options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

        # See http://www.onlamp.com/pub/a/onlamp/2003/09/22/vixie.html
        root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };

        listen-on       { any; };
        listen-on-v6    { any; };

        allow-recursion { allowedusers; localhost; };
        allow-transfer  { none; };
};

zone "." {
        type hint;
        file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "master/localhost.rev";
        notify no;
        allow-update { none; };
};

// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
        type master;
        file "master/localhost-v6.rev";
        notify no;
        allow-update { none; };
};

// RFC 1886 -- deprecated
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
        type master;
        file "master/localhost-v6.rev";
        notify no;
        allow-update { none; };
};

#
# That's All Folks!
#
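The attached named.conf restricts recursion to the `allowedusers` ACL plus localhost and disables zone transfers, and the post recommends running named-checkconf before every restart. The following script is an added example, not part of Matthew's post or of BIND itself: it flattens a named.conf (naively stripping `#` and `//` comments), pulls out the `allow-recursion` and `allow-transfer` statements, and reports whether the resolver is open to the world. It assumes only POSIX sh, sed and awk; named-checkconf is invoked for a syntax check if it happens to be on PATH. The three sample configs it writes (`good.conf`, `open.conf`, `none.conf`) are constructed for the demonstration.

```shell
#!/bin/sh
# audit_named_conf.sh -- check the recursion policy of a BIND named.conf.
# Added illustrative script (not from the original post). Assumes POSIX sh,
# sed and awk. Comment stripping is deliberately simple: it does not handle
# /* ... */ blocks or "//" inside quoted strings.

# Print the body of "<statement> { ... };" with comments removed and
# whitespace collapsed, e.g. "allowedusers; localhost;". Prints nothing
# if the statement is absent.  $1 = config file, $2 = statement name.
named_stmt_body() {
    sed -e 's|//.*||' -e 's|#.*||' "$1" | tr '\n\t' '  ' |
    awk -v s="$2" '
        match($0, s "[ ]*[{][^}]*[}]") {
            body = substr($0, RSTART, RLENGTH)
            sub(/^[^{]*[{]/, "", body); sub(/[}]$/, "", body)
            gsub(/[ ]+/, " ", body)
            sub(/^ +/, "", body); sub(/ +$/, "", body)
            print body
        }'
}

# 0 = recursion restricted, 1 = "any" listed (open resolver),
# 2 = no allow-recursion statement at all (BIND 9.3 then recurses for anyone).
check_recursion_policy() {
    body=$(named_stmt_body "$1" allow-recursion)
    if [ -z "$body" ]; then return 2; fi
    case " $body " in
        *" any; "*) return 1 ;;
    esac
    return 0
}

# 0 only if zone transfers are switched off with "allow-transfer { none; };".
check_transfer_policy() {
    [ "$(named_stmt_body "$1" allow-transfer)" = "none;" ]
}

# Run all checks on one file, print findings, return 0 only if all pass.
audit_named_conf() {
    f=$1; status=0
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$f" || { echo "SYNTAX: named-checkconf rejected $f"; return 1; }
    fi
    rc=0; check_recursion_policy "$f" || rc=$?
    case $rc in
        0) echo "OK:   recursion limited to { $(named_stmt_body "$f" allow-recursion) }" ;;
        1) echo "FAIL: allow-recursion { any; } makes this an open resolver"; status=1 ;;
        2) echo "FAIL: no allow-recursion statement; BIND 9.3 then recurses for anyone"; status=1 ;;
    esac
    if check_transfer_policy "$f"; then echo "OK:   zone transfers disabled"
    else echo "WARN: allow-transfer is not { none; }"; status=1; fi
    return $status
}

# Write three constructed sample configs into directory $1 for demonstration.
make_sample_configs() {
    cat > "$1/good.conf" <<'EOF'
acl allowedusers { 192.168.0.0/24; };
options {
        directory "/etc/namedb";
        allow-recursion { allowedusers; localhost; };  // as in the post
        allow-transfer { none; };
};
EOF
    cat > "$1/open.conf" <<'EOF'
options { allow-recursion { any; }; allow-transfer { any; }; };
EOF
    cat > "$1/none.conf" <<'EOF'
options { directory "/etc/namedb"; allow-transfer { none; }; };
EOF
}

# Usage: sh audit_named_conf.sh /etc/namedb/named.conf
if [ "$#" -gt 0 ]; then audit_named_conf "$1"; fi
```

Run it against the real file after every edit, alongside the named-checkconf step from the post; the "none" case matters because the options block in the attachment is the only thing standing between a recursive BIND 9.3 and an open resolver.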
