DaemonForums  

#1
Old 5th March 2010
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,148
Thanked 182 Times in 149 Posts
BIND 9: Caching and forward-only named.conf

A simple named.conf which forwards all DNS queries to another nameserver, and caches the answers for possible reuse.
Tested under OpenBSD 4.7 BETA with
Code:
$ named -v
BIND 9.4.2-P2
This type of configuration is useful to minimize the repeating nameserver queries issued when surfing the web.
Not only for your notebook or laptop using wireless connections, but also for a department that wishes to make use of a LAN/WAN link efficiently.
  • The Access Control List (acl) limits usage of this forward-only nameserver to my local 192.168.222.0/24 subnet.
  • The queries are forwarded to a dnscache nameserver running on my OpenBSD firewall at 192.168.222.10.
  • The cache size is limited to two MB, which probably is too much for a notebook or laptop. The comments show how to calculate this amount in bytes using bc(1), the unlimited precision calculator.

Code:
// Caching and forward only configuration

// Access Control List

acl  clients    {
    192.168.222.0/24  ;
};

options {
    forward only ;
    forwarders { 192.168.222.10 ; } ; 
    allow-query { clients ; } ;
    // max-cache-size is in bytes : echo '2 * 1024^2' | bc
    max-cache-size 2097152 ; 
    empty-zones-enable yes;
} ;

# After editing this file please use 'named-checkconf' to validate!
To enable this under OpenBSD, assuming the above configuration has been saved as /var/named/etc/caching-forward-only.conf, you have to add the following to /etc/rc.conf.local:

Code:
named_flags='-4 -c /etc/caching-forward-only.conf'
Note that applications use /etc/resolv.conf to find out which name server they should use. So for a departmental nameserver, all clients should have the IP address of that name server in /etc/resolv.conf.

For my small department in the garage, the clients have the following in /etc/resolv.conf

Code:
nameserver 192.168.222.25
A test query shows that dig indeed selects the 192.168.222.25 nameserver:

Code:
dig www.kpn.com

; <<>> DiG 9.4.2-P2 <<>> www.kpn.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34979
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kpn.com.                   IN      A

;; ANSWER SECTION:
www.kpn.com.            3600    IN      A       145.7.192.133

;; Query time: 96 msec
;; SERVER: 192.168.222.25#53(192.168.222.25)
;; WHEN: Fri Mar  5 04:11:47 2010
;; MSG SIZE  rcvd: 45
The nameserver received this answer after 96 msec, and will cache this data for 3600 seconds. A repeat query shows a 1 msec query time and a decreased TTL (time to live) of 3219.

Code:
dig www.kpn.com 

; <<>> DiG 9.4.2-P2 <<>> www.kpn.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24059
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kpn.com.                   IN      A

;; ANSWER SECTION:
www.kpn.com.            3219    IN      A       145.7.192.133

;; Query time: 1 msec
;; SERVER: 192.168.222.25#53(192.168.222.25)
;; WHEN: Fri Mar  5 04:18:08 2010
;; MSG SIZE  rcvd: 45
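The two dig runs above are the evidence that the cache works: the same record, a lower TTL and a much shorter query time. The following script is an added example, not part of the original post, that makes that comparison mechanically. It parses two successive dig outputs (the ones embedded below are constructed copies shaped like the thread's runs) and reports whether the second answer came out of the resolver's cache.

```shell
#!/bin/sh
# Added example, not from the original post: compare two successive `dig`
# outputs and decide whether the second answer was served from the cache.
# FIRST_RUN and SECOND_RUN are constructed samples shaped like the thread's runs.

FIRST_RUN='; <<>> DiG 9.4.2-P2 <<>> www.kpn.com
;; Got answer:
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.kpn.com.            3600    IN      A       145.7.192.133

;; Query time: 96 msec
;; SERVER: 192.168.222.25#53(192.168.222.25)'

SECOND_RUN='; <<>> DiG 9.4.2-P2 <<>> www.kpn.com
;; Got answer:
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.kpn.com.            3219    IN      A       145.7.192.133

;; Query time: 1 msec
;; SERVER: 192.168.222.25#53(192.168.222.25)'

# TTL of the first A record in the ANSWER SECTION
answer_ttl() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { inans = 1; next }
        inans && $3 == "IN" && $4 == "A" { print $2; exit }'
}

# Address of the first A record in the ANSWER SECTION
answer_rdata() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { inans = 1; next }
        inans && $3 == "IN" && $4 == "A" { print $5; exit }'
}

# Round-trip time reported by dig, in milliseconds
query_time_ms() {
    printf '%s\n' "$1" | awk '/^;; Query time:/ { print $4; exit }'
}

# Exit status 0 when the second run looks like a cache hit: the same record
# came back with a smaller TTL, because the cache counts the TTL down from
# the value the upstream server handed out.
is_cache_hit() {
    [ "$(answer_rdata "$1")" = "$(answer_rdata "$2")" ] &&
    [ "$(answer_ttl "$2")" -lt "$(answer_ttl "$1")" ]
}

if is_cache_hit "$FIRST_RUN" "$SECOND_RUN"; then
    echo "cache hit: TTL $(answer_ttl "$FIRST_RUN") -> $(answer_ttl "$SECOND_RUN")," \
         "query time $(query_time_ms "$FIRST_RUN") ms -> $(query_time_ms "$SECOND_RUN") ms"
else
    echo "no cache hit"
fi
```

To use it against a live resolver, capture `dig www.kpn.com` twice into two variables (or files) and feed them to is_cache_hit; a TTL that does not go down between runs means the answer is not being cached, which is the first thing to check if the forward-only server is not saving you the upstream round trips.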
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#2
Old 5th March 2010
J65nko
Administrator
Installation scripts

Because I run my garage department nameserver on a regularly reinstalled OpenBSD snapshot, I use the following two scripts to automate the install and configuration.

The named configuration script
Code:
#----------------------------------------
FILE=/var/named/etc/caching-forward-only.conf
#FILE=$( basename ${FILE} )

echo Creating ${FILE} 

cat <<END >${FILE}
// Caching and forward only configuration

// Access Control List

acl  clients    {
    192.168.222.0/24  ;
};

options {
    forward only ;
    forwarders { 192.168.222.10 ; } ; 
    allow-query { clients ; } ;
    // max-cache-size is in bytes : echo '2 * 1024^2' | bc
    max-cache-size 2097152 ; 
    empty-zones-enable yes;
} ;

# After editing this file please use 'named-checkconf' to validate!

END
The /etc/rc.conf.local configuration is done with
Code:
# ----------------------------------------
FILE=./etc/rc.conf.local
#FILE=$( basename ${FILE} )
echo Enabling 'named' as forward-only resolver in ${FILE}

cat <<END >> $FILE

#  note that the 'named' configuration file is in '/var/named/etc'
#  because of the chroot in "/var/named" , it has to be specified 
#  without the "/var/named" part.
named_flags='-4 -c /etc/caching-forward-only.conf'

END
You can check with netstat whether named is running; it will use port 53 on both TCP and UDP.
Code:
$ netstat -an -f inet
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.168.222.25.22      192.168.222.244.35967  ESTABLISHED
tcp          0      0  127.0.0.1.587          *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.515                  *.*                    LISTEN
tcp          0      0  192.168.222.25.22      *.*                    LISTEN
tcp          0      0  127.0.0.1.953          *.*                    LISTEN
tcp          0      0  192.168.222.25.53      *.*                    LISTEN
tcp          0      0  127.0.0.1.53           *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  192.168.222.25.27727   85.17.207.62.123      
udp          0      0  192.168.222.25.34152   213.206.97.167.123    
udp          0      0  192.168.222.25.34002   194.109.64.200.123    
udp          0      0  *.19590                *.*                   
udp          0      0  192.168.222.25.53      *.*                   
udp          0      0  127.0.0.1.53           *.*                   
udp          0      0  *.514                  *.*
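Reading port 53 out of a full netstat listing by eye gets tedious on a busier host. The script below is an added example, not part of the original post: it runs over a constructed copy of the listing above and pulls out the sockets waiting for DNS clients, confirms named is reachable on both TCP and UDP, and lists the non-loopback addresses that accept queries. On a departmental resolver that last list should contain only the LAN address, with the acl in named.conf still deciding which clients may query it.

```shell
#!/bin/sh
# Added example, not from the original post: find the port 53 listeners in
# `netstat -an -f inet` output. NETSTAT_OUT is a constructed sample taken
# from the shape of the listing in the thread.

NETSTAT_OUT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.168.222.25.22      192.168.222.244.35967  ESTABLISHED
tcp          0      0  127.0.0.1.953          *.*                    LISTEN
tcp          0      0  192.168.222.25.53      *.*                    LISTEN
tcp          0      0  127.0.0.1.53           *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  192.168.222.25.27727   85.17.207.62.123
udp          0      0  192.168.222.25.53      *.*
udp          0      0  127.0.0.1.53           *.*
udp          0      0  *.514                  *.*'

# Print "proto address" for every socket bound to port $1 that is waiting
# for clients: state LISTEN for tcp, an unconnected (*.*) peer for udp.
# The local address column is "addr.port", so the port is the last
# dot-separated field and the address is whatever precedes it.
listeners_on_port() {
    printf '%s\n' "$NETSTAT_OUT" | awk -v port="$1" '
        $1 != "tcp" && $1 != "udp" { next }
        {
            n = split($4, f, ".")
            if (f[n] != port) next
            addr = substr($4, 1, length($4) - length(f[n]) - 1)
        }
        $1 == "tcp" && $6 == "LISTEN" { print $1, addr }
        $1 == "udp" && $5 == "*.*"    { print $1, addr }'
}

# Exit 0 when named is reachable on both transports: UDP carries normal
# queries, TCP is needed for answers too large for UDP.
named_listening() {
    listeners_on_port 53 | grep -q '^tcp ' &&
    listeners_on_port 53 | grep -q '^udp '
}

# Addresses other than loopback that accept DNS queries.
external_dns_addresses() {
    listeners_on_port 53 | awk '$2 != "127.0.0.1" { print $2 }' | sort -u
}

if named_listening; then
    echo "named is listening on tcp and udp port 53"
    echo "reachable from the network on: $(external_dns_addresses | tr '\n' ' ')"
else
    echo "named is NOT listening on both tcp and udp port 53"
fi
```

On a live system replace the constructed NETSTAT_OUT with `NETSTAT_OUT=$(netstat -an -f inet)`; an address of `*` in the output of external_dns_addresses means named is bound to every interface, which is worth a second look on a machine that also has an external interface.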
#3
Old 5th March 2010
J65nko
Administrator

Note that on OpenBSD the key for rndc(8), the 'remote name daemon control' utility is automatically generated. From the rc messages:

Code:
setting tty flags
pf enabled
starting network
starting system logger
rndc-confgen: generating new shared secret... done.
starting named
openssl: generating new isakmpd RSA key... done.
starting initial daemons: ntpd.
savecore: no core dump
#4
Old 17th February 2013
asemisldkfj
Fdisk Soldier
Join Date: Aug 2008
Posts: 50
Thanked 1 Time in 1 Post

How does such a helpful thread as this have no replies? I've been around since the BSDforums days, and only drop in on Daemon Forums about twice a year, and J65nko has always been one of the most knowledgeable and helpful posters. Point is, thanks for this thread! I've become a bit tired of hosts files and nmbd for local name resolution.
__________________
chat.taucher.net #bsd
Tags
bind, named, named.conf, nameserver forward-only