Install named server on a home network

c00kie · #1 April 25th, 2012, 17:32

Hi
I'm trying to set up a name server on a home network. My setup:

http://drupal876.co.uk/img/net.jpg

I've done a post
# sysinstall

http://drupal876.co.uk/img/sysinstall.jpg

In file:
/etc/hosts

Code:

::1  localhost localhost.org
127.0.0.1  localhost localhost.org
192.168.0.5  manor8 manor8.mydomain.org

File:
/etc/resolv.conf

Code:

domain mydomain.org
nameserver 192.168.0.5			# manor8
nameserver 194.168.4.100		# ISPs nameservers
nameserver 194.168.8.100

/etc/rc.conf

Code:

hostname="manor8.mydomain.org"
ifconfig_re0="inet 192.168.0.5 netmask 255.255.255.0"
default_router="192.168.0.1"
named_enable="YES"

/etc/namedb/db.mydomain.org

Code:

$TTL 1d
mydomain.org. IN SOA manor8.mydomain.org. admin.mydomain.org. (
						2012042301 ; Serial (date, 2 digits version of day)
						1d ; refresh
						2h ; retry
						100d ; expire
						1h ) ; negative cache expiry

;name servers
	IN NS ns

;MXrecords
	IN MX 50 manor8.mydomain.org.
	
ns      IN A		192.168.0.5

;Hosts
localhost 	IN A		127.0.0.1
manor8	 	IN A		192.168.0.5
paula		IN A		192.168.0.2
andy		IN A		192.168.0.3
jess            IN A		192.168.0.4

;nicknames
www IN CNAME manor8
ftp IN CNAME manor8

In the file:
/etc/namedb/mydomain-reverse

Code:

$TTL 1d
@		IN SOA 			manor8.mydomain.org. admin.mydomain.org. (
								2012042301 ; Serial (date, 2 digits version of day)
								1d ; refresh
								2h ; retry
								100d ; expire
								2h ) ; negative cache
		IN NS 			ns.mydomain.org.

5		IN PTR                  manor8.mydomain.org.
2		IN PTR                  paula.mydomain.org.
3		IN PTR                  andy.mydomain.org.
4		IN PTR                  jess.mydomain.org.

In file:
/etc/namedb/localhost.rev

Code:

$TTL 1d
@		IN SOA 			manor8.mydomain.org. root.mydomain.org. (
									2012042501 ; Serial
									1h ; Refresh
									5m ; Retry
									100d ; Expire
									1h ) ; Negative cache
		IN NS 			manor8.mydomain.org.
1		IN PTR 			localhost.mydomain.org.

In file:
/etc/namedb/named.conf

With the comments removed, it looks like:

Code:

// $FreeBSD$

options {
	// All file and path names are relative to the chroot directory,
	// if any, and should be fully qualified.
	directory	"/etc/namedb";
	pid-file	"/var/run/named/pid";
	dump-file	"/var/dump/named_dump.db";
	statistics-file	"/var/stats/named.stats";

	forwarders {
		194.168.4.100; 194.168.8.100;
	};
};

...
[details omitted here]
...

zone "mydomain.org" {
	type master;
	file "db.mydomain.org";
};

zone "0.168.192.in-addr.arpa" {
	type master;
	file "mydomain-reverse";
};

zone "0.0.127.in-addr.arpa" {
	type master;
	file "localhost.rev";
};

File:
/var/log/messages

For a successful configuration I'm expecting output similar to:

Code:

Mar 18 15:01:57 freebie named[69751]: starting (/etc/namedb/named.conf). named 8.3.
4-REL Wed Dec 18 13:38:28 CST 2002 grog@freebie.example.org:/usr/obj/src/FreeBSD/5-S
TABLE-FREEBIE/src/usr.sbin/named
Mar 18 15:01:57 freebie named[69751]: hint zone "" (IN) loaded (serial 0)
Mar 18 15:01:57 freebie named[69751]: master zone "example.org" (IN) loaded (serial
2003031801)
Mar 18 15:01:57 freebie named[69751]: Zone "0.0.127.in-addr.arpa" (file localhost.re
verse): No default TTL ($TTL <value>) set, using SOA minimum instead
Mar 18 15:01:57 freebie named[69751]: master zone "0.0.127.in-addr.arpa" (IN) loaded
(serial 97091501)
Mar 18 15:01:57 freebie named[69751]: listening on [223.147.37.1].53 (rl0)
Mar 18 15:01:57 freebie named[69751]: listening on [127.0.0.1].53 (lo0)
Mar 18 15:01:57 freebie named[69752]: Ready to answer queries.

Mine's rather different however:

Code:

Apr 25 13:01:57 manor8 named[1727]: starting BIND 9.8.1-P1 -t /var/named -u bind
Apr 25 13:01:57 manor8 named[1727]: built with '--prefix=/usr' '--infodir=/usr/share/info' '--mandir=/usr/share/man'
'--enable-threads' '--enable-getifaddrs' '--disable-linux-caps' '--with-openssl=/usr'
Apr 25 13:01:57 manor8 named[1727]: command channel listening on 127.0.0.1#953
Apr 25 13:01:57 manor8 named[1727]: command channel listening on ::1#953
Apr 25 13:01:57 manor8 named[1727]: the working directory is not writable
Apr 25 13:01:57 manor8 named[1727]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Apr 25 13:01:57 manor8 named[1727]: running

Back at my domain registrar, Ive updated server settings. Removing their DNS server names to my ISP's name servers.

Code:

cache1.service.virginmedia.net
cache2.service.virginmedia.net

If I call:
# rndc reload
It reports:

Code:

Apr 25 13:52:17 manor8 named[1727]: the working directory is not writable
server reload successful

I'm not sure if the directory /etc/namedb/working is relevant to named?
The directory is empty by default and in my /etc/namedb/named.conf file I edited the directory option to:

Code:

options {
	// All file and path names are relative to the chroot directory,
	// if any, and should be fully qualified.
	// directory "/etc/namedb/working";
	directory	"/etc/namedb";

help..

**SirDice** · #2 April 26th, 2012, 07:55

It all looks good, what's not working?

You can test your DNS with the dig(1) command like so:
dig @192.168.0.5 manor8.mydomain.org

Or, doing a reverse lookup:
dig @192.168.0.5 -x 192.168.0.5

c00kie · #3 April 26th, 2012, 10:48

Quote:

Originally Posted by SirDice

It all looks good, what's not working?

Thanks. That's reasurring. dig(1) is useful. It reports:

Code:

; <<>> DiG 9.8.1-P1 <<>> @192.168.0.5 manor8.mydomain.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-- opcode: QUERY, status: NOERROR, id: 10322
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
; manor8.mydomain.org.		IN		A

;; ANSWER SECTION:
manor8.mydomain.org.	        86400	IN		A		192.168.0.5

;; AUTHORITY SECTION:
mydomain.org.			86400	IN		NS		ns.mydomain.org.

;; ADDITIONAL SECTION:
ns.mydomain.org.		86400	IN		A		192.168.0.5

;; Query time: 29 msec
;; SERVER: 192.168.0.5#53(192.168.0.5)
;; WHEN: Thu Apr 26 08:11:53 2012
;; MSG SIZE rcvd: 86

So it would appear that everything is correct. This gives me hope. But alas browse to http://www.mydomain.org and receive

Code:

Could not find remote server

Just wondering, in the file /etc/namedb/named.conf

I commented out this line:

Code:

// listen-on 	{ 127.0.0.1; };

Would this have any significance?

Another strange thing is if I

# cd /etc/namedb

then # pwd I'm expecting to see

/etc/namedb

But it reveals:

/var/named/etc/namedb

Is this normal?

**SirDice** · #4 April 26th, 2012, 10:58

Quote:

Originally Posted by c00kie

So it would appear that everything is correct.

Yes, your BIND is correctly configured.

Quote:

But alas browse to http://www.mydomain.org and recieve "Could not find remote server"

You need to change your domain information for that. It needs to point to your DNS server. You also need to make sure your DNS server is accessible from the internet. Since you're using RFC-1918 addresses this means you have to open up your router and/or firewall and forward TCP and UDP port 53 to your DNS server.

Quote:

Just wondering, in the file /etc/namedb/named.conf

I commented out this line:

Code:

// listen-on 	{ 127.0.0.1; };

Would this have any significance?

Yes, that will bind it to localhost making it unaccessable from any other machine.

Quote:

Another strange thing is if I

# cd /etc/namedb

then # pwd I'm expecting to see

/etc/namedb

But it reveals:

/var/named/etc/namedb

Is this normal?

Yes, that's normal. They're symlinked

c00kie · #5 April 26th, 2012, 11:20

Quote:

You need to change your domain information for that. It needs to point to your DNS server.

Thanks.

Hmm... Firstly, I'm using http://mydomain.org purely as a reference. All instances of it are replaced with my 'real' domain of course. Or are you getting at something else here?

**SirDice** · #6 April 26th, 2012, 11:26

Quote:

Originally Posted by c00kie

All instances of it are replaced with my 'real' domain of course.

Yes, that was clear. What wasn't clear is where you expected this to work, it should at least work on your local network. Provided the client you use is configured to use your DNS server.

c00kie · #7 April 26th, 2012, 11:58

Quote:

Originally Posted by SirDice

Yes, that was clear. What wasn't clear is where you expected this to work, it should at least work on your local network. Provided the client you use is configured to use your DNS server.

OK. It would be good if it works on my home network and externally via the internet. I think I'm getting a little closer. I fixed the port forwarding on my router:

http://drupal876.co.uk/img/port_forwarding.jpg

I have a firewall in place; you may recognise this

pfctl -sr reveals:

Code:

anchor "ftp-proxy/*" all
block drop all
pass in on re0 proto tcp from any to any port = ftp flags S/SA keep state
pass in on re0 proto tcp from any to any port > 49151 flags S/SA keep state
pass in proto tcp from any to any port = ssh flags S/SA keep state
pass in proto tcp from any to any port = http flags S/SA keep state
pass out all flags S/SA keep state

It's changed a little.

I'm now sat at machine 192.168.0.2. At the browser enter http://mydomain.org and the page doesn't load...

Do I need a new rule(s) in /etc/pf.conf?

Purely a guess..

Code:

pass in on re0 proto tcp from any to any port = 53 flags S/SA keep state

suntzu · #8 April 26th, 2012, 12:09

How about

Code:

pass in on re0 proto { tcp, udp } from any to any port 53 keep state

cat /etc/services | grep ^domain

**SirDice** · #9 April 26th, 2012, 12:30

Yes, you need to allow both TCP and UDP to port 53 for DNS to work.

c00kie · #10 April 26th, 2012, 12:33

Quote:

Originally Posted by suntzu

how about

Code:

pass in on re0 proto { tcp, udp } from any to any port 53 keep state

cat /etc/services | grep ^domain

Thanks.

With these rules added to /etc/pf.conf, and

cat /etc/services | grep ^domain

The system reports:

Code:

domain       53/tcp    #Domain Name Server
domain       53/tcp    #Domain Name Server

All looks good. But, the server won't serve pages with the domain. It works with an IP address.

aa · #11 April 26th, 2012, 14:27

Quote:

Originally Posted by c00kie

OK. It would be good if it works on my home network and externally via the internet.

Good for local exercise, but it will never go public.

c00kie · #12 April 26th, 2012, 14:36

Quote:

Originally Posted by aa

Good for local exercise, but it will never go public.

You're saying it's not possible?

c00kie · #13 April 26th, 2012, 14:49

Quote:

Originally Posted by SirDice

What wasn't clear is where you expected this to work, it should at least work on your local network. Provided the client you use is configured to use your DNS server.

Thanks. I've defined my zone files with the local clients IP addresses inclusive. It should work then within the LAN? I've taken your comments on board. And am beginning to think a basic VPS package would be more suitable. I can then have multiple zones all for a flat fee, it's a long way away (and better) from shared hosting.

aa · #14 April 27th, 2012, 12:55

Quote:

Originally Posted by c00kie

You're saying it's not possible?

Unfortunately, it won't. Your ISP (nameservers) is the one that has the authority of your domain name.

You may ask the registrar (if you paid more for the service) to point your domain nameserver to your IPs (at least 2), but then you don't have authorization to manage the full network to modify PTR records do you?

Even with part subnet classless delegation, I think at least you need 4 IP addresses to be functional, 2 dedicated to DNS server (with warning, because both reside in the same network).

Also, you can not publish local IP (RFC-1918). Bear in mind that the only thing DNS do (primarily) is to convert name to address. If somebody somewhere tries to reach a name from your nameservers (which then give them local IP), they're stuck on a host in their local network as well.

shitson · #15 April 28th, 2012, 04:23

c00kie what are you trying to access on these machines form the outside world?

c00kie · #16 April 28th, 2012, 11:08

Quote:

Originally Posted by aa

Unfortunately, it won't. Your ISP (nameservers) is the one that has the authority of your domain name.

Thanks for the insight. Clearly it was a little naive of me thinking that this would work outside of my network. Non routable addresses are just not suitable for the internet. What I have learn't from this exercise, is that a VPS is more realistic option.

c00kie · #17 April 28th, 2012, 11:10

Quote:

Originally Posted by shitson

c00kie what are you trying to access on these machines form the outside world?

Websites..

rtwingfield · #18 April 29th, 2012, 02:53

I'm not clear on what you are referring to as a VPS that would allow you to have "multiple zones for a flat $fee". Are you wanting to host several web hosts, e.g., x.com, y.com z.com? If so, then take a look at virtual hosting with Apache. All you would need is one static IP address.

c00kie · #19 April 29th, 2012, 10:54

Quote:

Originally Posted by rtwingfield

I'm not clear on what you are referring to as a VPS that would allow you to have "multiple zones for a flat $fee".

Quote:

Are you wanting to host several web hosts, e.g., x.com, y.com z.com?

Yes.

Quote:

If so, then take a look at virtual hosting with Apache.

I'm aware (not expert) of virtual hosting. This is what I'm trying to get to the bottom of. Even with one static IP address, and with virtual hosting. I'd still need to define individual zone files for each domain?

I'm a little inexperienced in name servers, so this is all new to me.

Quote:

All you would need is one static IP address.

And a VPS would give me this, moreover, a public, static, routable IP address. Along with master and slave DNS servers.

rtwingfield · #20 April 29th, 2012, 18:11

Here is a URL to an example of the Apache v2.2.11 httpd-vhost.conf file (i.e., the model that I use to host multiple domains):

http://archaxis.net/htdocs/white_papers/vhost.conf.pdf

As I mentioned in the brief, there is much more to configuring Apache than my simple example, but I hope it will get you started. Essentially, Apache becomes your VPS.

Also, at first, I'd suggest that you focus more on understanding the Apache configuration, than DNS. As long as you've successfully set up DNS (assuming with BIND), and the authoritive name servers are working, then you can always come back and fine-tune later.

I have plans to add to the document. Any questions, certainly ask. Criticism invited, too.

c00kie · #21 April 30th, 2012, 09:29

Quote:

Originally Posted by rtwingfield

Here is a URL to an example of the Apache v2.2.11 httpd-vhost.conf

Thanks. Plug in the values, nice.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Squid + squidguard alternative for small home network	ilemur	Web & Network Services	0	February 21st, 2012 19:25
[Solved] Home server on FreeBSD	pkubaj	System Hardware	12	February 15th, 2012 09:58
Home Network Specs	Simba7	Off-Topic	6	November 20th, 2011 19:55
Setting up home network	Frozen001	Installing & Upgrading	5	June 1st, 2011 13:42
Home server advice	greg_d128	System Hardware	1	December 18th, 2010 09:46

The Following User Says Thank You to SirDice For This Useful Post:
c00kie (April 26th, 2012)

The Following User Says Thank You to aa For This Useful Post:
c00kie (April 28th, 2012)