OpenBSD As DNS Server

#1, 5th February 2014, 3v1l (New User)

Hi Guys!

Please help me to solve these questions:
1- Which of FreeBSD or OpenBSD is better (security + stable) for a DNS server?
2- Is it important to turn on and configure the server firewall or not?
I want to install and configure a BIND DNS server.

in the first step : install bind .
in the second step i want to manage these domain and sub domains :

main domain : test.com ( Not Real just Test Reason )
sub domains : armenia.test.com - america.test.com - mma.test.com
and all of these sub domains have sub domains ( two level domains ) like :

de.armenia.test.com
en.armenia.test.com
sp.armenia.test.com
.
.

The problem is here: I cannot configure these two level sub domains!!
If there is any sample of configuring + sub domains + (two or three level of sub domains), please help me.

If there is a text file that somebody made before, please upload it here and let me use it.


Best Wishes
3v1l

#2, 5th February 2014, J65nko (Administrator)

At this moment I am not able to test, but the following modification of the example of Authoritative only BIND nameserver for local domain should define two sub-domains of de.filo:
  • frankfurt.de.filo
  • freiburg.de.filo

Zone file:

Code:
; Zone file for de.filo
$TTL 86400
@               IN      SOA     ns1.de.filo. j65.de.filo. (
                2009120802      ; serial, todays date+todays  
                86400           ; refresh, seconds
                7200            ; retry, seconds
                3600000         ; expire, seconds
                86400 )         ; minimum, seconds


                IN NS ns1.de.filo.
                IN NS ns2.de.filo.

                IN MX 0 mail.de.filo.

localhost       IN A 127.0.0.1

ns1             IN A 192.168.222.245
ns2             IN A 192.168.222.200

mail            IN A 192.168.222.20
www             IN A 192.168.222.20
ftp             IN A 192.168.222.20

; sub-domains

frankfurt       IN NS ns1.de.filo.
                IN NS ns2.de.filo.
freiburg        IN NS ns1.de.filo.
                IN NS ns2.de.filo.
Of course you will need to create additional zone files for the frankfurt.de.filo and freiburg.de.filo sub-domains.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 5th February 2014 at 07:53 PM. Reason: Forgot to add the ".' at the end of the sub-domain nameservers

#3, 5th February 2014, 3v1l (New User)

OK, thanks, I will test and come back here.

#4, 5th February 2014, J65nko (Administrator)

Small but essential correction. With the original zone file I posted this is the result of a query for the nameservers for the sub-domain:
Code:
$ dig +norecurse -t ns frankfurt.de.filo @192.168.222.20

; <<>> DiG 9.4.2-P2 <<>> +norecurse -t ns frankfurt.de.filo @192.168.222.20
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19990
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;frankfurt.de.filo.             IN      NS

;; AUTHORITY SECTION:
frankfurt.de.filo.      86400   IN      NS      ns1.de.filo.de.filo.
frankfurt.de.filo.      86400   IN      NS      ns2.de.filo.de.filo.

;; Query time: 17 msec
;; SERVER: 192.168.222.20#53(192.168.222.20)
;; WHEN: Wed Feb  5 20:51:34 2014
;; MSG SIZE  rcvd: 79
Do you notice the double de.filo.de.filo.? I forgot to add a '.' to the names of the sub-domain nameservers. After this modification and updating the serial number in the SOA record, it works better.
The corrected version:
Code:
; sub-domains

frankfurt       IN NS ns1.de.filo.
                IN NS ns2.de.filo.
freiburg        IN NS ns1.de.filo.
                IN NS ns2.de.filo.
Now the query works as intended:
Code:
$  dig +norecurse -t ns frankfurt.de.filo @192.168.222.20 

; <<>> DiG 9.4.2-P2 <<>> +norecurse -t ns frankfurt.de.filo @192.168.222.20
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63242
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;frankfurt.de.filo.             IN      NS

;; AUTHORITY SECTION:
frankfurt.de.filo.      86400   IN      NS      ns1.de.filo.
frankfurt.de.filo.      86400   IN      NS      ns2.de.filo.

;; ADDITIONAL SECTION:
ns1.de.filo.            86400   IN      A       192.168.222.245
ns2.de.filo.            86400   IN      A       192.168.222.200

;; Query time: 1 msec
;; SERVER: 192.168.222.20#53(192.168.222.20)
;; WHEN: Wed Feb  5 20:56:56 2014
;; MSG SIZE  rcvd: 103
We all love BIND and its forgiving syntax, don't we?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
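
A lint for the mistake shown in this post, as an added example that is not part of the original thread: it flags NS, MX, CNAME and PTR targets written without a trailing dot that already end in the zone origin, which is what produced ns1.de.filo.de.filo. above. The function names and the sample zone are constructed for illustration, and the parser assumes the simple one-record-per-line layout used in this thread.

```python
# Added example: the sample zone is constructed from the names used in this thread.
NAME_RDATA = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1}  # position of the host name in rdata

SAMPLE_ZONE = """\
$TTL 86400
@           IN SOA ns1.de.filo. j65.de.filo. (
                2014020501 86400 7200 3600000 86400 )
            IN NS ns1.de.filo.
ns1         IN A  192.168.222.245
frankfurt   IN NS ns1.de.filo
            IN NS ns2.de.filo
freiburg    IN NS ns1.de.filo.
"""

def expand(name, origin):
    """Qualify a zone-file name: '@' is the origin, no trailing dot means relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def find_doubled_origin(zone_text, origin):
    """Return (line, owner, type, expanded target) for relative targets that
    already end in the origin, i.e. a forgotten trailing dot."""
    base = origin.rstrip(".").lower()
    owner, findings = origin, []
    for number, raw in enumerate(zone_text.splitlines(), 1):
        fields = raw.split(";", 1)[0].split()      # strip comments
        if not fields or fields[0].startswith("$"):
            continue                               # blank line or directive
        if not raw[0].isspace():                   # owner name in column one
            owner = expand(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                          # optional TTL and class
        if not fields or fields[0].upper() not in NAME_RDATA:
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        index = NAME_RDATA[rtype]
        if len(rdata) <= index:
            continue
        target = rdata[index].lower()
        if not target.endswith(".") and (target == base or target.endswith("." + base)):
            findings.append((number, owner, rtype, expand(rdata[index], origin)))
    return findings

if __name__ == "__main__":
    for line, owner, rtype, full in find_doubled_origin(SAMPLE_ZONE, "de.filo."):
        print(f"line {line}: {owner} {rtype} expands to {full}")
```

Run against a zone file before reloading the nameserver; an empty result means no target expands to a doubled origin.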

#5, 5th February 2014, ocicat (Administrator)

Quote:
Originally Posted by 3v1l View Post
which of FreeBSD or OpenBSD is better ( security+stable ) for DNS Server ?
In the hands of an experienced administrator, or anyone who has done thorough research, either. In the hands of anyone who has not learned the protocols involved, neither.
Quote:
i want to install and configure BIND DNS Server .
nsd(8) is part of a base installation. No third-party application needs to be installed.

Last edited by ocicat; 5th February 2014 at 10:31 PM. Reason: Correct spelling error. Oopsie...

#6, 5th February 2014, jggimi (More noise than signal)

To clarify ocicat's comments:
  • NSD and BIND are both included in the OpenBSD base system, as of 5.4-release. Here is the link to the named(8) man page for BIND on OpenBSD.
  • I understand that the OpenBSD project plans to eventually remove BIND from the OpenBSD base.
  • BIND has been removed from the base FreeBSD system as of 10.0-release.
  • I understand that both NSD and BIND have ports available for FreeBSD.

#7, 6th February 2014, Oko (Fsck Surgeon)

Quote:
Originally Posted by 3v1l View Post
Hi Guys!

Please Help me to solve these questions :
1- which of FreeBSD or OpenBSD is better ( security+stable ) for DNS Server ?
The one which is configured by a more knowledgeable person! Out of the box OpenBSD is more secure, but at the same time it uses BIND, while the FreeBSD default DNS is Unbound and NSD. In my lab we use managed authoritative DNS, but we use Unbound as a validating, recursive, and caching DNS. Even though Unbound is not included in the base of OpenBSD, IIRC it is developed on OpenBSD. The OpenBSD port of Unbound is up to date and the default configuration is very secure, but it can be tied up even more if you read and understand the man pages. Since we do not run authoritative DNS we do not use NSD.


Quote:
Originally Posted by 3v1l View Post
2- is important turn on and configure server firewall or no ?
i want to install and configure BIND DNS Server .
DNS server should be behind PF. My DNS servers also
have their own PFs.

Quote:
Originally Posted by 3v1l View Post
in the first step : install bind .
in the second step i want to manage these domain and sub domains :
The moment you said that you are considering installing BIND on
OpenBSD I concluded that you have no business running DNS.


Quote:
Originally Posted by 3v1l View Post
main domain : test.com ( Not Real just Test Reason )
sub domains : armenia.test.com - america.test.com - mma.test.com
and all off these sub domains has sub domain ( two level domains ) like :

de.armenia.test.com
en.armenia.test.com
sp.armenia.test.com
.
.

The problem is here: I cannot configure these two level sub domains!!
If there is any sample of configuring + sub domains + (two or three level of sub domains), please help me.

If there is a text file that somebody made before, please upload it here and let me use it.


Best Wishes
3v1l

#8, 6th February 2014, Oko (Fsck Surgeon)

Quote:
Originally Posted by J65nko View Post
At this moment I am not able to test , but the following modification of the example of Authoritative only BIND nameserver for local domain should define two sub-domains of de.filo:
  • frankfurt.de.filo
  • freiburg.de.filo

Zone file:

Code:
; Zone file for de.filo
$TTL 86400
@               IN      SOA     ns1.de.filo. j65.de.filo. (
                2009120802      ; serial, todays date+todays  
                86400           ; refresh, seconds
                7200            ; retry, seconds
                3600000         ; expire, seconds
                86400 )         ; minimum, seconds


                IN NS ns1.de.filo.
                IN NS ns2.de.filo.

                IN MX 0 mail.de.filo.

localhost       IN A 127.0.0.1

ns1             IN A 192.168.222.245
ns2             IN A 192.168.222.200

mail            IN A 192.168.222.20
www             IN A 192.168.222.20
ftp             IN A 192.168.222.20

; sub-domains

frankfurt       IN NS ns1.de.filo.
                IN NS ns2.de.filo.
freiburg        IN NS ns1.de.filo.
                IN NS ns2.de.filo.
Of course you will need to create additional zone files for the frankfurt.de.filo and freiburg.de.filo sub-domains.
I do not run authoritative DNS in my lab, but IIRC the last time I looked, with NSD one can literally use the same BIND zone files.

#9, 6th February 2014, J65nko (Administrator)

Oko, yes that is correct. NSD can use the BIND zone format.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump