13th September 2009
Oko

Caching-only DNS server on OpenBSD

I was wondering if I could get some help and advice with a caching-only DNS server for my OpenBSD laptop.

Namely, I am trying to improve the network performance of my laptop by running a caching-only DNS server (although I do not fully understand the security ramifications of my decision).

I edited /var/named/etc/named.conf:

Code:
acl clients {
        localnets;
        ::1;
};

options {
        allow-query { 127.0.0.1; };
        allow-recursion { 127.0.0.1; };
        forward first;
        forwarders { 208.67.222.222; 208.67.220.220; };
        query-source address 127.0.0.1 port 53;
        listen-on    { 127.0.0.1; };
        listen-on-v6 { none; };

        empty-zones-enable yes;

        allow-recursion { clients; };
};

logging {
        category lame-servers { null; };
};

// Standard zones
//
zone "." {
        type hint;
        file "etc/root.hint";
};

zone "localhost" {
        type master;
        file "standard/localhost";
        allow-transfer { localhost; };
};

zone "127.in-addr.arpa" {
        type master;
        file "standard/loopback";
        allow-transfer { localhost; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
        type master;
        file "standard/loopback6.arpa";
        allow-transfer { localhost; };
};

As you can see, it is almost the same as the default file that comes with the OpenBSD installation, apart from the fact that I edited the options section with the addresses of my forwarder servers at OpenDNS.

I have not edited the standard/localhost and standard/loopback files.

I did, however, edit my dhclient.conf file as follows:

Code:
backoff-cutoff 2;
initial-interval 1;
link-timeout 10;
reboot 0;
retry 10;
select-timeout 0;
timeout 30;


supersede host-name "oko";
supersede domain-name "bagdala.net";
prepend domain-name-servers 127.0.0.1;
initial-interval 1;
send host-name "oko";
request subnet-mask,
        broadcast-address, 
        routers,
        domain-name,
        domain-name-servers, 
        host-name;
require routers,
        subnet-mask,
        domain-name-servers;

My pf.conf file, with ALTQ disabled for now, looks as follows. Note that I still run 4.5-stable, so the rules would be slightly different on 4.6.

Code:
NoRouteIPs = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                10.0.0.0/8,  169.254.0.0/16, 192.0.2.0/24,  \
                0.0.0.0/8,   240.0.0.0/4, 255.255.255.255/32}"

ext_if="rl0"
tcp_services = "{ssh, sftp, imap, imaps, pop3s, smtp, 587,\
                              rtsp, domain, ntp, www, https}"
udp_services= "{domain, ntp, rtsp}"

set require-order yes
set block-policy return
set optimization normal
set skip on lo
set loginterface $ext_if

scrub in all random-id fragment reassemble 
scrub out all random-id fragment reassemble

block log all
antispoof quick for { lo $int_if $ext_if }

block in  quick on $ext_if from $NoRouteIPs to any
block out quick on $ext_if from any to $NoRouteIPs

block drop in quick from no-route to any
block drop in quick from urpf-failed to any
block out log quick on $ext_if from ! 192.168.1.101 to any
block drop in quick on $ext_if from any to 255.255.255.255
block in on ! lo0 proto tcp to port 6000:6010

pass out on $ext_if inet proto icmp all icmp-type 8 code 0
pass out on $ext_if inet proto udp to any port $udp_services
pass out on $ext_if inet proto tcp to any port $tcp_services flags S/SA

After I start named and connect to the internet, my resolv.conf looks as follows:
Code:
search bagdala.net
nameserver 127.0.0.1
nameserver 209.55.5.10
nameserver 209.55.5.11
Here 209.55.5.10 and 209.55.5.11 are the DNS servers of my ISP.

Everything looks fine to me now. For instance:

Code:
$ nslookup
> www.FreeBSD.org
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
Name:   www.FreeBSD.org
Address: 69.147.83.33

But when I dig google.com, the query times seem random rather than being zero after the first dig.

Code:
$ dig google.com 

; <<>> DiG 9.4.2-P2 <<>> google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52042
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             48      IN      A       74.125.45.100
google.com.             48      IN      A       74.125.67.100
google.com.             48      IN      A       74.125.127.100

;; Query time: 39 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Sep 13 14:45:55 2009
;; MSG SIZE  rcvd: 76

$ dig google.com 

; <<>> DiG 9.4.2-P2 <<>> google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20659
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             45      IN      A       74.125.45.100
google.com.             45      IN      A       74.125.67.100
google.com.             45      IN      A       74.125.127.100

;; Query time: 56 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Sep 13 14:45:58 2009
;; MSG SIZE  rcvd: 76

Could somebody shed some light on what I am doing wrong? Also, I know that pf.conf is not enough to protect from DNS poisoning. Could you give me some references for securing a DNS server?


Most Kind Regards,
OKO
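An added example, not part of Oko's post and not OpenBSD's or BIND's own tooling: a small Python checker for the two things worth verifying in a setup like the one above. First it parses the options block from the posted named.conf (embedded verbatim so the script runs offline) and flags settings that either stop named from loading or weaken a caching forwarder against cache poisoning. Second it compares two consecutive dig runs and decides whether the second answer actually came from the local cache. The dig transcripts are rebuilt by a helper from the values shown in the post (answering server, TTL, query time); the 127.0.0.1 transcripts are constructed to show what a working cache looks like, not observations from the laptop in question.

```python
import re
from collections import Counter

# The options block from the post above, embedded so the checker runs offline.
NAMED_OPTIONS = """
options {
        allow-query { 127.0.0.1; };
        allow-recursion { 127.0.0.1; };
        forward first;
        forwarders { 208.67.222.222; 208.67.220.220; };
        query-source address 127.0.0.1 port 53;
        listen-on    { 127.0.0.1; };
        listen-on-v6 { none; };

        empty-zones-enable yes;

        allow-recursion { clients; };
};
"""


def options_statements(conf):
    """Return (name, value) pairs inside 'options { ... }'.  Statements are split
    on ';' only at brace depth 1, so 'forwarders { a; b; }' stays one statement,
    and duplicates are kept so redefinitions stay visible."""
    conf = re.sub(r"//[^\n]*", "", conf)          # drop // comments first
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return []
    depth, buf, stmts = 1, "", []
    for ch in conf[m.end():]:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:                         # closing brace of options
                break
        if ch == ";" and depth == 1:
            parts = buf.split(None, 1)
            if parts:
                value = " ".join(parts[1].split()) if len(parts) > 1 else ""
                stmts.append((parts[0], value))
            buf = ""
        else:
            buf += ch
    return stmts


def lint_options(stmts):
    """Flag options that break a caching-only forwarder or weaken it against
    cache poisoning.  Returns a list of human-readable findings."""
    findings = []
    for name, n in Counter(name for name, _ in stmts).items():
        if n > 1:
            findings.append(f"{name} is set {n} times: named-checkconf reports it "
                            "as redefined and named will not load the file")
    values = dict(stmts)
    qs = values.get("query-source", "")
    port = re.search(r"\bport\s+(\d+)", qs)
    if port:
        findings.append(f"query-source pins the outbound port to {port.group(1)}: "
                        "every upstream query leaves from one port, which disables "
                        "source port randomization")
    addr = re.search(r"\baddress\s+(\S+)", qs)
    if addr and addr.group(1).startswith("127.") and "forwarders" in values:
        findings.append("query-source address is loopback but the forwarders are "
                        "external: forwarded queries cannot reach them")
    return findings


def dig_output(server, ttl, msec, addrs=("74.125.45.100", "74.125.67.100", "74.125.127.100")):
    """Build a minimal dig(1)-style transcript (constructed; only the lines the
    checker reads, the real tool prints more)."""
    answers = "\n".join(f"google.com.\t\t{ttl}\tIN\tA\t{a}" for a in addrs)
    return (";; QUESTION SECTION:\n;google.com.\t\t\tIN\tA\n\n"
            f";; ANSWER SECTION:\n{answers}\n\n"
            f";; Query time: {msec} msec\n"
            f";; SERVER: {server}#53({server})\n")


def parse_dig(text):
    """Pull the answering server, query time, lowest answer TTL and the A records."""
    server = re.search(r"^;; SERVER: (\S+?)#", text, re.M).group(1)
    msec = int(re.search(r"^;; Query time: (\d+) msec", text, re.M).group(1))
    rrs = re.findall(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)\s*$", text, re.M)
    return {"server": server, "msec": msec,
            "ttl": min(int(ttl) for _, ttl, _ in rrs),
            "addrs": [a for _, _, a in rrs]}


def cache_verdict(first, second):
    """Compare two consecutive lookups.  A hit on the local cache means both
    were answered by 127.0.0.1 and the TTL counted down between them."""
    a, b = parse_dig(first), parse_dig(second)
    out = {"server": b["server"], "ttl": (a["ttl"], b["ttl"]),
           "msec": (a["msec"], b["msec"])}
    if not (a["server"] == b["server"] == "127.0.0.1"):
        out["status"] = "bypassed"      # the stub resolver never used the local named
    elif b["addrs"] == a["addrs"] and b["ttl"] < a["ttl"]:
        out["status"] = "cached"
    else:
        out["status"] = "uncached"      # local named answered but fetched fresh data
    return out


if __name__ == "__main__":
    for f in lint_options(options_statements(NAMED_OPTIONS)):
        print("named.conf:", f)
    # Values from the two dig runs in the post: forwarder answered, TTL 48 -> 45.
    print(cache_verdict(dig_output("208.67.222.222", 48, 39),
                        dig_output("208.67.222.222", 45, 56)))
    # Constructed: a working local cache (TTL counting down, near-zero query time).
    print(cache_verdict(dig_output("127.0.0.1", 300, 120),
                        dig_output("127.0.0.1", 297, 0)))
```

Two points the checker makes about the posted evidence: both dig runs say `SERVER: 208.67.222.222`, so the stub resolver was talking to the forwarder directly and named on 127.0.0.1 never answered; the TTL dropping from 48 to 45 over three seconds is the forwarder's cache counting down, which is why the query times look random. On the configuration side, `allow-recursion` appears twice in the options block, and a fixed `query-source ... port 53` gives up the per-query source port randomization that a resolver relies on against poisoning; `named-checkconf` on the real file is the authoritative check. Separately, the posted pf.conf references `$int_if` in the antispoof line without defining it, which pfctl refuses to load.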