02 September 2007

Your very own caching DNS server

If you're using FreeBSD you may not realize that you already have the software on your system to run a DNS server. Why should you run a DNS server process?! Really just to tinker. Networks are so much faster and more reliable than they once were that the small amount of network traffic you could save by running your own caching DNS server is probably not worth the trouble.

For you tinkerers who are still with me, the first thing you need to do is find the configuration file. The software is called BIND (Berkeley Internet Name Domain); the actual executable is called "named". (Seems like they might have worked the letters 'dns' into one of those, but no.) The file we need is "named.conf" and it's located in the directory "/var/named/etc/namedb" (which "/etc/namedb" is linked to, by the way). (I'm doing this all in FreeBSD version 6.x incidentally, and am not sure if things differ in other versions.)

Once you've found "named.conf", back it up. I usually make a copy in the same directory suffixed ".ORIG" or something of the like. Now edit "named.conf". The main things you must take care of are to uncomment this line:

   forward only;

(delete the two slashes) and then find your ISP's DNS server address(es) (they should be in "/etc/resolv.conf") and use those to replace "127.0.0.1;" in the "forwarders" block, like this, for example:

   forwarders {
      208.67.222.222; 208.67.220.220;
   };


Be careful to leave commented out all of the various "example" zones at the end of the file.

One more thing that's important is the "listen-on" statement -- for basic security if nothing else. I know you're already running a firewall. :) But we follow the layered, "onion" approach to security, so we set this as well. If you're only going to access this DNS server from the machine that it's on, then the default that's already there is all you need:

   listen-on { 127.0.0.1; };

But, if you've got an internal network that you wish to share the DNS service with, then simply add the IP address of the internal interface. (E.g., "listen-on { 127.0.0.1; 192.168.100.1; };".)

Now enable the server by putting the line 'named_enable="YES"' into "/etc/rc.conf". Then start it by running the command "/etc/rc.d/named start". (It uses a system start script since it ships with the system.) Finally, edit "/etc/resolv.conf" and change whatever IP was in there to "127.0.0.1". And beware: DHCP and PPP may rewrite resolv.conf when they make a new connection. I haven't decided yet if the best solution to that is to make the file unwritable (will DHCP get mad?) or just to make a script that rewrites it back to 127.0.0.1.
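As an added example (not code from the original post, nor from FreeBSD or BIND), the following POSIX shell script pulls the ISP resolvers out of resolv.conf text and renders the complete "options" block the steps above describe: "forward only", the "forwarders" list, and "listen-on" for loopback plus an internal interface. It goes one step beyond the post by also adding an "allow-recursion" line, since "listen-on" by itself still answers any host that can reach the listed interface, and a recursive resolver left open to the world is something others can abuse. The function names, the sample resolv.conf text and the "directory" path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeBSD/BIND.
# Builds the "options" block of a forward-only caching named.conf from the
# "nameserver" lines that an ISP's DHCP client wrote into /etc/resolv.conf.
# Function names and the sample resolv.conf text below are constructed for
# this example; the directory path is assumed to match the stock FreeBSD file.

# Print the nameserver addresses from resolv.conf text read on stdin, space
# separated on one line.  127.0.0.1 is skipped so that a resolv.conf already
# pointed at the local cache does not make named forward to itself.
resolv_nameservers() {
    awk '$1 == "nameserver" && $2 != "127.0.0.1" {
             s = (s == "") ? $2 : s " " $2
         }
         END { print s }'
}

# Render "a; b;" from its arguments: the form BIND uses for address lists.
addr_list() {
    out=""
    for a in "$@"; do out="$out$a; "; done
    printf '%s' "${out% }"
}

# Emit the options block.  $1 = addresses named listens on, $2 = upstream
# resolvers (both space separated).  allow-recursion goes beyond the post:
# listen-on alone answers anyone who can reach the listed interface, and an
# open recursive resolver can be abused by third parties, so recursion is
# limited to the local host and the directly attached networks.
options_block() {
    cat <<EOF
options {
    directory "/etc/namedb";
    forward only;
    forwarders { $(addr_list $2) };
    listen-on { $(addr_list $1) };
    allow-recursion { localhost; localnets; };
};
EOF
}

# Constructed sample of what DHCP might leave in /etc/resolv.conf.
SAMPLE_RESOLV='search example.net
nameserver 208.67.222.222
nameserver 208.67.220.220'

# Stand-alone run: listen on loopback plus an internal interface, forward to
# whatever the sample resolv.conf names.  On a real system replace
# SAMPLE_RESOLV with the contents of /etc/resolv.conf taken before you
# point it at 127.0.0.1.
options_block "127.0.0.1 192.168.100.1" \
    "$(printf '%s\n' "$SAMPLE_RESOLV" | resolv_nameservers)"
```

Paste the printed block over the "options" block in "named.conf" (keeping anything else the stock file has in there), then run "named-checkconf" before restarting, so a stray semicolon does not take the resolver down.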

More fine print

There's also a small question about those two zones in the middle for the loopback addresses. I can tell you the server works fine with them commented out and it works fine with them there. Purists say that you should have those zones and have them properly configured. I'm not sure why, since localhost will get resolved via "/etc/hosts" before it even hits DNS. Anyway, if you prefer to leave them in, just go to "/var/named/etc/namedb/" and run the set-up script for the loopback zones like this: "sh make-localhost".


1 Comments:

At 14/1/12 16:00, Anonymous said...

great little blog......

I am on freebsd 9.0-RELEASE and "/var/named/etc/namedb/" and run the set-up script for the loopback zones like this: "sh make-localhost".

no longer exists..... anyway.

 
