DaemonForums > OpenBSD > OpenBSD General

#1, 13th September 2009
Oko (Rc.conf Instructor; Join Date: May 2008; Location: Kosovo, Serbia; Posts: 1,102)

Caching-only DNS server on OpenBSD

I was wondering if I could get some help and advice with a caching-only DNS server for my OpenBSD laptop.

Namely, I am trying to improve the network performance of my laptop by running a caching-only DNS server (although I do not fully understand the security ramifications of my decision).

I edited /var/named/etc/named.conf

Code:
acl clients {
        localnets;
        ::1;
};

options {
        allow-query { 127.0.0.1; };
        // allow-recursion may appear only once in options{}: named treats
        // a redefined option as a configuration error, so the second copy
        // ("allow-recursion { clients; };") was dropped.
        allow-recursion { 127.0.0.1; };
        forward first;
        forwarders { 208.67.222.222; 208.67.220.220; };
        // "query-source address 127.0.0.1 port 53;" was removed: queries
        // sent from 127.0.0.1 cannot reach the forwarders, and a fixed
        // source port disables the randomised source ports that make
        // cache poisoning harder. The default (any address, random port)
        // is the right setting here.
        listen-on    { 127.0.0.1; };
        listen-on-v6 { none; };

        empty-zones-enable yes;
};

logging {
        category lame-servers { null; };
};

// Standard zones
//
zone "." {
        type hint;
        file "etc/root.hint";
};

zone "localhost" {
        type master;
        file "standard/localhost";
        allow-transfer { localhost; };
};

zone "127.in-addr.arpa" {
        type master;
        file "standard/loopback";
        allow-transfer { localhost; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
        type master;
        file "standard/loopback6.arpa";
        allow-transfer { localhost; };
};
As you can see, it is almost the same as the default file that comes with the OpenBSD installation, apart from the fact that I edited the options section with the addresses of my forwarder servers, OpenDNS.

I have not edited standard/localhost and standard/loopback files.

I did, however, edit my dhclient.conf file as follows:

Code:
backoff-cutoff 2;
initial-interval 1;
link-timeout 10;
reboot 0;
retry 10;
select-timeout 0;
timeout 30;


supersede host-name "oko";
supersede domain-name "bagdala.net";
# put the local cache ahead of the servers handed out by DHCP
# (a second "initial-interval 1;" that followed here was a duplicate
# of the setting above and has been dropped)
prepend domain-name-servers 127.0.0.1;
send host-name "oko";
request subnet-mask,
        broadcast-address, 
        routers,
        domain-name,
        domain-name-servers, 
        host-name;
require routers,
        subnet-mask,
        domain-name-servers;
My pf.conf file, with ALTQ disabled for now, looks as follows. Note that I still run 4.5-stable, so the rules would be slightly different on 4.6.

Code:
NoRouteIPs = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                10.0.0.0/8,  169.254.0.0/16, 192.0.2.0/24,  \
                0.0.0.0/8,   240.0.0.0/4, 255.255.255.255/32}"

ext_if="rl0"
tcp_services = "{ssh, sftp, imap, imaps, pop3s, smtp, 587,\
                              rtsp, domain, ntp, www, https}"
udp_services= "{domain, ntp, rtsp}"

set require-order yes
set block-policy return
set optimization normal
set skip on lo
set loginterface $ext_if

scrub in all random-id fragment reassemble 
scrub out all random-id fragment reassemble

block log all
# $int_if was used here but never defined; pf refuses to load a ruleset
# that references an undefined macro, so only the interfaces that exist remain
antispoof quick for { lo $ext_if }

block in  quick on $ext_if from $NoRouteIPs to any
block out quick on $ext_if from any to $NoRouteIPs

block drop in quick from no-route to any
block drop in quick from urpf-failed to any
block out log quick on $ext_if from ! 192.168.1.101 to any
block drop in quick on $ext_if from any to 255.255.255.255
block in on ! lo0 proto tcp to port 6000:6010

pass out on $ext_if inet proto icmp all icmp-type 8 code 0
pass out on $ext_if inet proto udp to any port $udp_services
pass out on $ext_if inet proto tcp to any port $tcp_services flags S/SA

After I start named and connect to the internet, my resolv.conf looks as follows:
Code:
search bagdala.net
nameserver 127.0.0.1
nameserver 209.55.5.10
nameserver 209.55.5.11
where nameserver 209.55.5.10 and nameserver 209.55.5.11 are the DNS servers of my ISP.

Everything looks fine to me now. For instance

Code:
$ nslookup
> www.FreeBSD.org
Server:         208.67.222.222
Address:        208.67.222.222#53

Non-authoritative answer:
Name:   www.FreeBSD.org
Address: 69.147.83.33
but when I dig google.com, the query times seem random rather than being zero after the first dig.

Code:
$ dig google.com 

; <<>> DiG 9.4.2-P2 <<>> google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52042
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             48      IN      A       74.125.45.100
google.com.             48      IN      A       74.125.67.100
google.com.             48      IN      A       74.125.127.100

;; Query time: 39 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Sep 13 14:45:55 2009
;; MSG SIZE  rcvd: 76

$ dig google.com 

; <<>> DiG 9.4.2-P2 <<>> google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20659
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             45      IN      A       74.125.45.100
google.com.             45      IN      A       74.125.67.100
google.com.             45      IN      A       74.125.127.100

;; Query time: 56 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Sep 13 14:45:58 2009
;; MSG SIZE  rcvd: 76

Could somebody shed light on what I am doing wrong? Also, I know that pf.conf is not enough to protect against DNS poisoning. Could you give me some references for securing a DNS server?


Most Kind Regards,
OKO
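The ";; SERVER:" lines in the two dig runs quoted above name 208.67.222.222, not 127.0.0.1, which is the first thing to check before looking at query times: whatever the reason, the answers are not coming from the named on the laptop. The script below is an added example, not code from the post or from OpenBSD. It parses dig output (the two runs quoted above, plus one constructed "healthy" sample answered by 127.0.0.1) and reports whether the local resolver was consulted at all and whether the TTLs shrink between runs, which tells a record that is cached somewhere upstream apart from one that is not cached at all. The 0-1 msec threshold for a loopback cache hit and the example.net record are assumptions.

```python
"""Tell from dig(1) output whether a local caching resolver is the one answering.
Added example for this thread, not code from the post or from OpenBSD; it only
parses text, so it runs offline."""
import re
from dataclasses import dataclass
from typing import List

LOCAL_RESOLVER = "127.0.0.1"   # where the post's named.conf listens

# Fixed summary strings so callers can match on them.
NOT_USED = "local resolver not used: every answer came from another server"
HIT_OK = "local cache working: repeat queries answered locally in ~0 ms"
LOCAL_SLOW = "local resolver answers but not from cache: check forwarders/query-source"

_SERVER_RE = re.compile(r"^;; SERVER:\s+([0-9a-fA-F.:]+)#\d+", re.M)
_TIME_RE = re.compile(r"^;; Query time:\s+(\d+) msec", re.M)
_RR_RE = re.compile(r"^\S+\s+(\d+)\s+IN\s+\S+\s+\S+", re.M)
_NEXT_SECTION_RE = re.compile(r"^;; (?:AUTHORITY|ADDITIONAL) SECTION:", re.M)


@dataclass
class DigResult:
    server: str           # address on the ';; SERVER:' line
    query_time_ms: int    # ';; Query time:' value
    ttls: List[int]       # TTLs of the ANSWER SECTION records


def parse_dig(text: str) -> DigResult:
    """Extract the fields the diagnosis needs from one dig run; raises
    ValueError when there is no complete answer (e.g. dig timed out)."""
    m_server, m_time = _SERVER_RE.search(text), _TIME_RE.search(text)
    if not (m_server and m_time):
        raise ValueError("not a complete dig answer")
    # Count only records in the ANSWER SECTION, not AUTHORITY/ADDITIONAL.
    parts = text.split(";; ANSWER SECTION:", 1)
    answer = _NEXT_SECTION_RE.split(parts[1], 1)[0] if len(parts) == 2 else ""
    return DigResult(m_server.group(1), int(m_time.group(1)),
                     [int(t) for t in _RR_RE.findall(answer)])


def classify(r: DigResult, local: str = LOCAL_RESOLVER) -> str:
    """Per-answer verdict.  Heuristic (assumption): an answer served from a
    cache on the loopback interface shows a Query time of 0 or 1 msec."""
    if r.server != local:
        return "bypassed-local-cache"   # libc asked some other nameserver
    return "cache-hit" if r.query_time_ms <= 1 else "cache-miss"


def diagnose(outputs: List[str]) -> dict:
    """Judge a series of dig runs for the same name, in the order they ran."""
    if len(outputs) < 2:
        raise ValueError("need at least two runs: the first is expected to miss")
    results = [parse_dig(o) for o in outputs]
    verdicts = [classify(r) for r in results]
    # A record served from any cache carries a shrinking TTL on repeat queries
    # (a fresh authoritative lookup resets it), so with the post's data this
    # shows the answers are cached, just by 208.67.222.222 rather than by named.
    ttl_decreasing = all(min(a.ttls) > min(b.ttls)
                         for a, b in zip(results, results[1:]) if a.ttls and b.ttls)
    if all(v == "bypassed-local-cache" for v in verdicts):
        summary = NOT_USED
    elif all(v == "cache-hit" for v in verdicts[1:]):
        summary = HIT_OK
    else:
        summary = LOCAL_SLOW
    return {"servers": [r.server for r in results], "verdicts": verdicts,
            "ttl_decreasing": ttl_decreasing, "summary": summary}


# The two dig runs quoted in the post, trimmed to the lines that matter.
POSTED = ["""
;; ANSWER SECTION:
google.com.             48      IN      A       74.125.45.100
google.com.             48      IN      A       74.125.67.100
google.com.             48      IN      A       74.125.127.100

;; Query time: 39 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
""", """
;; ANSWER SECTION:
google.com.             45      IN      A       74.125.45.100
google.com.             45      IN      A       74.125.67.100
google.com.             45      IN      A       74.125.127.100

;; Query time: 56 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
"""]

# Constructed sample (not from the post): a repeat query once named on
# 127.0.0.1 is answering and holds the record in its cache.
HEALTHY_REPEAT = """
;; ANSWER SECTION:
example.net.            280     IN      A       192.0.2.10

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

if __name__ == "__main__":
    print(diagnose(POSTED)["summary"])
    print(classify(parse_dig(HEALTHY_REPEAT)))
```

Run against the posted output it prints the "local resolver not used" summary, with ttl_decreasing true: the records are being cached, but by OpenDNS, not by the laptop. To separate "named is not answering" from "the resolver is not asking it", query the cache directly with dig @127.0.0.1 google.com and feed that output to the same parser.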
#2, 13th September 2009
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,167)

I found that running an external nameserver, a Pentium 120 MHz, on my LAN gives faster DNS responses on my PIII 800 MHz workstation than running a nameserver on the workstation itself.

BTW I use DJB's dnscache nameserver.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump