BIND 9 : Caching and forward-only named.conf
A simple named.conf which forwards all DNS queries to another nameserver, and caches the answers for possible reuse.
Tested under OpenBSD 4.7 BETA with
Code:
$ named -v
BIND 9.4.2-P2
Not only for your notebook or laptop using wireless connections, but also for a department that wishes to make use of a LAN/WAN link efficiently.
Code:
// Caching and forward only configuration

// Access Control List
acl clients { 192.168.222.0/24 ; };

options {
    forward only ;
    forwarders { 192.168.222.10 ; } ;
    allow-query { clients ; } ;
    // max-cache-size is in bytes : echo '2 * 1024^2' | bc
    max-cache-size 2097152 ;
    empty-zones-enable yes;
} ;

# After editing this file please use 'named-checkconf' to validate!
Code:
named_flags='-4 -c /etc/caching-forward-only.conf'
For my small department in the garage, the clients have the following in /etc/resolv.conf
Code:
nameserver 192.168.222.25
Code:
dig www.kpn.com

; <<>> DiG 9.4.2-P2 <<>> www.kpn.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34979
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kpn.com.                   IN      A

;; ANSWER SECTION:
www.kpn.com.            3600    IN      A       145.7.192.133

;; Query time: 96 msec
;; SERVER: 192.168.222.25#53(192.168.222.25)
;; WHEN: Fri Mar  5 04:11:47 2010
;; MSG SIZE  rcvd: 45
Code:
dig www.kpn.com

; <<>> DiG 9.4.2-P2 <<>> www.kpn.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24059
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kpn.com.                   IN      A

;; ANSWER SECTION:
www.kpn.com.            3219    IN      A       145.7.192.133

;; Query time: 1 msec
;; SERVER: 192.168.222.25#53(192.168.222.25)
;; WHEN: Fri Mar  5 04:18:08 2010
;; MSG SIZE  rcvd: 45
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
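The security-relevant line in the configuration above is `allow-query { clients ; }`: a caching forwarder recurses on behalf of whoever it answers, so without that ACL it would serve (and amplify for) the whole Internet. The following is an added example, not code from the thread or from BIND: a small Python checker that reads the named.conf shown above (copied here as constructed sample input), strips the comment styles named.conf accepts, walks the `acl` and `options` blocks with nested brace lists, and reports whether queries are actually confined to the listed networks and where they are forwarded. All function names are this example's own, and it models only the statements present in this configuration, not BIND's full grammar.

```python
import re
import ipaddress

# Constructed sample input: the thread's caching forward-only named.conf.
SAMPLE_CONF = """\
// Caching and forward only configuration

// Access Control List
acl clients { 192.168.222.0/24 ; };

options {
    forward only ;
    forwarders { 192.168.222.10 ; } ;
    allow-query { clients ; } ;
    // max-cache-size is in bytes : echo '2 * 1024^2' | bc
    max-cache-size 2097152 ;
    empty-zones-enable yes;
} ;

# After editing this file please use 'named-checkconf' to validate!
"""

# Address-match names BIND predefines; they never appear as acl statements.
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def extract_block(text, start):
    """Body of the first brace block at or after 'start'; nested braces are
    counted so 'forwarders { ... } ;' inside options stays intact."""
    open_idx = text.index("{", start)
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")

def split_statements(body):
    """Split a block body on ';' at brace depth 0 only."""
    stmts, cur, depth = [], [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            if "".join(cur).strip():
                stmts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return stmts

def parse_acls(text):
    """{name: [elements]} for every 'acl name { ... };' statement."""
    acls = {}
    for m in re.finditer(r"\bacl\s+(\S+)\s*\{([^}]*)\}", text):
        acls[m.group(1)] = [e.strip() for e in m.group(2).split(";") if e.strip()]
    return acls

def parse_options(text):
    """{name: value} for the statements in options { }; brace lists become lists."""
    m = re.search(r"\boptions\b", text)
    opts = {}
    for stmt in split_statements(extract_block(text, m.end())):
        parts = stmt.split(None, 1)
        name, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if value.startswith("{"):
            inner = value[1:value.rindex("}")]
            value = [e.strip() for e in inner.split(";") if e.strip()]
        opts[name] = value
    return opts

def expand_acl(elements, acls, seen=None):
    """Replace acl names by their members (recursively) -> flat element list."""
    seen = set() if seen is None else seen
    out = []
    for e in elements:
        if e in acls and e not in seen:
            seen.add(e)
            out.extend(expand_acl(acls[e], acls, seen))
        else:
            out.append(e)
    return out

def check_resolver(conf_text):
    """Summarise who this forwarder answers and where it sends queries."""
    text = strip_comments(conf_text)
    acls = parse_acls(text)
    opts = parse_options(text)
    allowed = opts.get("allow-query")
    # No allow-query statement means BIND's documented default, 'any'.
    networks = expand_acl(allowed, acls) if allowed is not None else ["any"]
    private = []
    for n in networks:
        if n in BUILTIN_ACLS:
            continue
        try:
            private.append(ipaddress.ip_network(n.lstrip("!"), strict=False).is_private)
        except ValueError:  # a key name or other element this example does not model
            private.append(False)
    restricted = "any" not in networks
    return {
        "forward_only": opts.get("forward") == "only",
        "forwarders": opts.get("forwarders", []),
        "allowed_networks": networks,
        "queries_restricted": restricted,
        "only_private_clients": restricted and bool(private) and all(private),
    }

if __name__ == "__main__":
    for key, val in check_resolver(SAMPLE_CONF).items():
        print(f"{key}: {val}")
```

Run against the thread's configuration it reports `queries_restricted: True` with the single RFC 1918 network from the `clients` acl; change the ACL to `{ any ; }` or delete the `allow-query` line and the same check flips to `False`, which is the case `named-checkconf` will happily accept because it only validates syntax.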
Installation scripts
Because I run my garage department nameserver on a regularly reinstalled OpenBSD snapshot, I use the following two scripts to automate the install and configuration.
The named configuration script
Code:
#----------------------------------------
FILE=/var/named/etc/caching-forward-only.conf
#FILE=$( basename ${FILE} )

echo Creating ${FILE}

cat <<END >${FILE}
// Caching and forward only configuration

// Access Control List
acl clients { 192.168.222.0/24 ; };

options {
    forward only ;
    forwarders { 192.168.222.10 ; } ;
    allow-query { clients ; } ;
    // max-cache-size is in bytes : echo '2 * 1024^2' | bc
    max-cache-size 2097152 ;
    empty-zones-enable yes;
} ;

# After editing this file please use 'named-checkconf' to validate!
END
Code:
# ----------------------------------------
FILE=./etc/rc.conf.local
#FILE=$( basename ${FILE} )

echo Enabling 'named' as forward-only resolver in ${FILE}

cat <<END >> $FILE
# note that the 'named' configuration file is in '/var/named/etc'
# because of the chroot in "/var/named" , it has to be specified
# without the "/var/named" part.
named_flags='-4 -c /etc/caching-forward-only.conf'
END
Code:
$ netstat -an -f inet
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.168.222.25.22      192.168.222.244.35967  ESTABLISHED
tcp        0      0  127.0.0.1.587          *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  *.515                  *.*                    LISTEN
tcp        0      0  192.168.222.25.22      *.*                    LISTEN
tcp        0      0  127.0.0.1.953          *.*                    LISTEN
tcp        0      0  192.168.222.25.53      *.*                    LISTEN
tcp        0      0  127.0.0.1.53           *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp        0      0  192.168.222.25.27727   85.17.207.62.123
udp        0      0  192.168.222.25.34152   213.206.97.167.123
udp        0      0  192.168.222.25.34002   194.109.64.200.123
udp        0      0  *.19590                *.*
udp        0      0  192.168.222.25.53      *.*
udp        0      0  127.0.0.1.53           *.*
udp        0      0  *.514                  *.*
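The netstat listing is the runtime check that complements the configuration: it shows on which addresses named (port 53) and its control channel rndc (port 953) can actually be reached. The following is an added example, not part of the thread's scripts: a Python parser for `netstat -an -f inet` output in the BSD format shown above, where the port is glued to the address with a dot (`192.168.222.25.53`, `*.53`), so it must be split on the last dot rather than on a colon. It then classifies each port as loopback-only, bound to specific addresses, or bound to the wildcard (every interface). The sample listing is constructed from the post's output, and all function names are this example's own.

```python
# Constructed sample input: the 'netstat -an -f inet' listing from the post.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.168.222.25.22      192.168.222.244.35967  ESTABLISHED
tcp        0      0  127.0.0.1.587          *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  *.515                  *.*                    LISTEN
tcp        0      0  192.168.222.25.22      *.*                    LISTEN
tcp        0      0  127.0.0.1.953          *.*                    LISTEN
tcp        0      0  192.168.222.25.53      *.*                    LISTEN
tcp        0      0  127.0.0.1.53           *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp        0      0  192.168.222.25.27727   85.17.207.62.123
udp        0      0  192.168.222.25.34152   213.206.97.167.123
udp        0      0  192.168.222.25.34002   194.109.64.200.123
udp        0      0  *.19590                *.*
udp        0      0  192.168.222.25.53      *.*
udp        0      0  127.0.0.1.53           *.*
udp        0      0  *.514                  *.*
"""

def split_addr_port(field):
    """BSD netstat appends the port to the address with a dot, so the port is
    whatever follows the LAST dot: '192.168.222.25.53' -> ('192.168.222.25', 53),
    '*.53' -> ('*', 53), '*.*' -> ('*', None)."""
    host, _, port = field.rpartition(".")
    return host, (None if port == "*" else int(port))

def parse_netstat(text):
    """One dict per socket line; the header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue
        lhost, lport = split_addr_port(parts[3])
        fhost, fport = split_addr_port(parts[4])
        sockets.append({
            "proto": parts[0],
            "local_host": lhost, "local_port": lport,
            "foreign_host": fhost, "foreign_port": fport,
            "state": parts[5] if len(parts) > 5 else "",  # udp lines carry no state
        })
    return sockets

def listeners(sockets, port):
    """(proto, local address) pairs accepting traffic on 'port': tcp sockets
    in LISTEN, and udp sockets not tied to a peer ('*.*' foreign address)."""
    out = []
    for s in sockets:
        if s["local_port"] != port:
            continue
        if s["proto"] == "tcp" and s["state"] != "LISTEN":
            continue
        if s["proto"] == "udp" and s["foreign_host"] != "*":
            continue
        out.append((s["proto"], s["local_host"]))
    return sorted(out)

def exposure(sockets, port):
    """'none', 'loopback' (127.0.0.1 only), 'specific' (named addresses only),
    or 'wildcard' (bound to *, i.e. every interface, present and future)."""
    hosts = {host for _, host in listeners(sockets, port)}
    if not hosts:
        return "none"
    if "*" in hosts:
        return "wildcard"
    return "loopback" if hosts <= {"127.0.0.1"} else "specific"

if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for port, what in ((53, "named"), (953, "rndc"), (515, "tcp/515")):
        print(f"{what} on port {port}: {exposure(socks, port)} {listeners(socks, port)}")
```

On the listing above this reports named as `specific` (tcp and udp on 192.168.222.25 and 127.0.0.1, which is what BIND binds when no `listen-on` is given) and rndc as `loopback`, so the control channel is not reachable from the LAN even though its key is generated automatically. The udp sockets with a peer address on port 123 are correctly not counted as listeners.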
Note that on OpenBSD the key for rndc(8), the 'remote name daemon control' utility is automatically generated. From the rc messages:
Code:
setting tty flags
pf enabled
starting network
starting system logger
rndc-confgen: generating new shared secret... done.
starting named
openssl: generating new isakmpd RSA key... done.
starting initial daemons: ntpd.
savecore: no core dump
How does such a helpful thread as this have no replies? I've been around since the BSDforums days, and only drop in on Daemon Forums about twice a year, and J65nko has always been one of the most knowledgeable and helpful posters. Point is, thanks for this thread! I've become a bit tired of hosts files and nmbd for local name resolution.