I was wondering if I could get some help and advice with a caching-only DNS server for my OpenBSD laptop.
Namely, I am trying to improve the network performance of my laptop by running a caching-only DNS server (although I do not fully understand the security ramifications of my decision).
I edited /var/named/etc/named.conf:
Code:
acl clients {
localnets;
::1;
};
options {
allow-query { 127.0.0.1; };
allow-recursion { 127.0.0.1; };
forward first;
forwarders { 208.67.222.222; 208.67.220.220; };
query-source address 127.0.0.1 port 53;
listen-on { 127.0.0.1; };
listen-on-v6 { none; };
empty-zones-enable yes;
allow-recursion { clients; };
};
logging {
category lame-servers { null; };
};
// Standard zones
//
zone "." {
type hint;
file "etc/root.hint";
};
zone "localhost" {
type master;
file "standard/localhost";
allow-transfer { localhost; };
};
zone "127.in-addr.arpa" {
type master;
file "standard/loopback";
allow-transfer { localhost; };
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
type master;
file "standard/loopback6.arpa";
allow-transfer { localhost; };
};
As you can see it is almost the same as the default file that comes with the OpenBSD installation, apart from the fact that I edited the options section with the addresses of my forwarder servers (OpenDNS).
I have not edited the standard/localhost and standard/loopback files.
I did, however, edit my dhclient.conf file as follows:
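For comparison, here is an added example of a caching-only named.conf written for the same setup; it is not the poster's file and not OpenBSD's default. It assumes the /var/named chroot layout and the two OpenDNS forwarders from the post. The two changes that matter are that allow-recursion appears only once (a second allow-recursion statement in the same options block is a configuration error) and that there is no query-source statement: pinning the source address to 127.0.0.1 and the source port to 53 sends every outgoing query from a loopback address the forwarders cannot reply to, and a fixed source port also gives up the randomised source ports that BIND 9.4.2-P2 uses to make blind cache poisoning much harder.

```conf
// Added example: caching-only resolver for a single laptop.
// Assumes OpenBSD's /var/named chroot and the OpenDNS forwarders from the post.
acl clients {
        127.0.0.1;
        ::1;
};

options {
        // Answer only the local host; nothing on the LAN can use this cache.
        listen-on { 127.0.0.1; };
        listen-on-v6 { none; };
        allow-query { clients; };
        allow-recursion { clients; };   // stated exactly once
        allow-transfer { none; };

        // Deliberately no "query-source" statement: named then uses a
        // routable source address and a fresh random source port for each
        // outgoing query instead of a fixed 127.0.0.1:53.
        forward first;                  // same policy as the post
        forwarders { 208.67.222.222; 208.67.220.220; };

        empty-zones-enable yes;
};

logging {
        category lame-servers { null; };
};

// Standard zones, unchanged from the stock file.
zone "." {
        type hint;
        file "etc/root.hint";
};
zone "localhost" {
        type master;
        file "standard/localhost";
        allow-transfer { localhost; };
};
zone "127.in-addr.arpa" {
        type master;
        file "standard/loopback";
        allow-transfer { localhost; };
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
        type master;
        file "standard/loopback6.arpa";
        allow-transfer { localhost; };
};
```

Run named-checkconf against the file before restarting named; with the original configuration it is the duplicate allow-recursion that it will complain about first. The pf.conf shown further down already allows outbound UDP to port 53 from any source port, so nothing in the firewall needs to change for randomised source ports to work.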
Code:
backoff-cutoff 2;
initial-interval 1;
link-timeout 10;
reboot 0;
retry 10;
select-timeout 0;
timeout 30;
supersede host-name "oko";
supersede domain-name "bagdala.net";
prepend domain-name-servers 127.0.0.1;
initial-interval 1;
send host-name "oko";
request subnet-mask,
broadcast-address,
routers,
domain-name,
domain-name-servers,
host-name;
require routers,
subnet-mask,
domain-name-servers;
My pf.conf file, with ALTQ disabled for now, looks as follows. Note that I still run 4.5-stable, so the rules would be slightly different on 4.6.
Code:
NoRouteIPs = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32}"
ext_if="rl0"
tcp_services = "{ssh, sftp, imap, imaps, pop3s, smtp, 587,\
rtsp, domain, ntp, www, https}"
udp_services= "{domain, ntp, rtsp}"
set require-order yes
set block-policy return
set optimization normal
set skip on lo
set loginterface $ext_if
scrub in all random-id fragment reassemble
scrub out all random-id fragment reassemble
block log all
antispoof quick for { lo $int_if $ext_if }
block in quick on $ext_if from $NoRouteIPs to any
block out quick on $ext_if from any to $NoRouteIPs
block drop in quick from no-route to any
block drop in quick from urpf-failed to any
block out log quick on $ext_if from ! 192.168.1.101 to any
block drop in quick on $ext_if from any to 255.255.255.255
block in on ! lo0 proto tcp to port 6000:6010
pass out on $ext_if inet proto icmp all icmp-type 8 code 0
pass out on $ext_if inet proto udp to any port $udp_services
pass out on $ext_if inet proto tcp to any port $tcp_services flags S/SA
After I start named and connect to the internet, my resolv.conf looks as follows:
Code:
search bagdala.net
nameserver 127.0.0.1
nameserver 209.55.5.10
nameserver 209.55.5.11
Here nameserver 209.55.5.10 and nameserver 209.55.5.11 are the DNS servers of my ISP.
Everything looks fine to me now. For instance:
Code:
$ nslookup
> www.FreeBSD.org
Server: 208.67.222.222
Address: 208.67.222.222#53
Non-authoritative answer:
Name: www.FreeBSD.org
Address: 69.147.83.33
but when I dig google.com, the query times seem random rather than being zero after the first dig.
Code:
$ dig google.com
; <<>> DiG 9.4.2-P2 <<>> google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52042
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 48 IN A 74.125.45.100
google.com. 48 IN A 74.125.67.100
google.com. 48 IN A 74.125.127.100
;; Query time: 39 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Sep 13 14:45:55 2009
;; MSG SIZE rcvd: 76
$ dig google.com
; <<>> DiG 9.4.2-P2 <<>> google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20659
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 45 IN A 74.125.45.100
google.com. 45 IN A 74.125.67.100
google.com. 45 IN A 74.125.127.100
;; Query time: 56 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Sep 13 14:45:58 2009
;; MSG SIZE rcvd: 76
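The two dig runs above carry the diagnosis in their own output: the SERVER line says 208.67.222.222, so the stub resolver went straight to the forwarder and the local named was never asked; the 39 and 56 msec are round trips to OpenDNS, which naturally vary; and the TTL dropping from 48 to 45 in three seconds shows that some cache answered, just not the one on the laptop. A lookup served by the local cache would report SERVER 127.0.0.1#53 and a query time of 0 or 1 msec on the second run. The following added script (my example, not part of the post or of BIND) parses dig output and applies exactly that check; the two "forwarder" samples are copied from the post, the two "local" samples are constructed to show what a working cache looks like.

```python
import re

# Dig output copied from the post above (forwarder answered, not the local cache).
DIG_FORWARDER_RUN1 = """\
;; ANSWER SECTION:
google.com. 48 IN A 74.125.45.100
google.com. 48 IN A 74.125.67.100
google.com. 48 IN A 74.125.127.100

;; Query time: 39 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Sep 13 14:45:55 2009
"""
DIG_FORWARDER_RUN2 = """\
;; ANSWER SECTION:
google.com. 45 IN A 74.125.45.100
google.com. 45 IN A 74.125.67.100
google.com. 45 IN A 74.125.127.100

;; Query time: 56 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Sep 13 14:45:58 2009
"""

# Constructed samples: what two consecutive lookups look like when the
# resolver on 127.0.0.1 answers and its cache serves the second one.
DIG_LOCAL_RUN1 = """\
;; ANSWER SECTION:
example.com. 300 IN A 192.0.2.10

;; Query time: 41 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
DIG_LOCAL_RUN2 = """\
;; ANSWER SECTION:
example.com. 297 IN A 192.0.2.10

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

LOCAL_SERVERS = {"127.0.0.1", "::1"}


def parse_dig(text):
    """Extract server, query time and answer TTLs from dig's text output."""
    server = re.search(r"^;; SERVER: (\S+?)#(\d+)", text, re.M)
    qtime = re.search(r"^;; Query time: (\d+) msec", text, re.M)
    ttls = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                in_answer = False      # blank line or next section ends the answers
                continue
            ttls.append(int(line.split()[1]))   # name ttl class type rdata
    return {
        "server": server.group(1) if server else None,
        "query_time_ms": int(qtime.group(1)) if qtime else None,
        "ttls": ttls,
    }


def served_by_local_cache(first, second):
    """True when 127.0.0.1 answered and the repeat lookup came back from its cache."""
    return (first["server"] in LOCAL_SERVERS
            and second["server"] in LOCAL_SERVERS
            and second["query_time_ms"] is not None
            and second["query_time_ms"] <= 1)


def diagnose(first, second):
    """Explain two consecutive lookups of the same name as a list of findings."""
    findings = []
    if first["server"] not in LOCAL_SERVERS:
        findings.append("answered by %s, not 127.0.0.1: the stub resolver is "
                        "bypassing the local named" % first["server"])
    if first["ttls"] and second["ttls"] and max(second["ttls"]) < max(first["ttls"]):
        findings.append("TTL fell from %d to %d: some cache is serving the answer"
                        % (max(first["ttls"]), max(second["ttls"])))
    if served_by_local_cache(first, second):
        findings.append("repeat lookup took %d msec: local cache hit"
                        % second["query_time_ms"])
    elif first["server"] in LOCAL_SERVERS:
        findings.append("local named answered but the repeat lookup took %d msec: "
                        "it forwarded the query again" % second["query_time_ms"])
    return findings


if __name__ == "__main__":
    for label, a, b in (("post", DIG_FORWARDER_RUN1, DIG_FORWARDER_RUN2),
                        ("constructed", DIG_LOCAL_RUN1, DIG_LOCAL_RUN2)):
        for finding in diagnose(parse_dig(a), parse_dig(b)):
            print("%s: %s" % (label, finding))
```

To use it on a live system, capture two consecutive `dig` runs into strings and feed them to `diagnose`; if the first finding is "answered by ... not 127.0.0.1", check which nameserver line resolv.conf actually held at the time of the query and whether named was listening on 127.0.0.1 at all.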
Could somebody shed some light on what I am doing wrong? Also, I know that pf.conf is not enough to protect from DNS poisoning. Could you give me some references for securing a DNS server?
Most Kind Regards,
OKO