Local caching name server

As an intellectual exercise, to ease finding computers on my network and to bring all the civic goodness associated with setting up a local caching name server, I recently configured BIND on my FreeBSD machine.

$ uname -a
Code:
FreeBSD kry.local 9.1-RELEASE-p4 #0: Mon Jun 17 11:38:17 UTC 2013     
root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

The attached docs are the cobblings of some heroic googling. I added the local DNS to my router as the primary DNS and everything seems to work.

Questions:
1. Did I actually set up a caching local name server? :)
2. Anything jump out here as out of whack? Any tips to standardize or remove extraneous settings?
3. What does all this mean? I know this is a BIG question, so I put a bold ? next to specific mysteries.

Some of the questions, I'm not even sure how to phrase. What I am afraid of is spurious DNS traffic instead of lightening the load.

Thanks,
Steve

resolv.conf
Code:
domain havoc.local
nameserver 127.0.0.1
# Earthlink DNSs with the obnoxious NXDOMAIN hijack. The opt-out DNSs were flaky.
nameserver 207.69.188.186 
nameserver 207.69.188.187

rc.conf
Code:
hostname="kry.local"
ifconfig_fxp0=" inet 10.0.1.102 netmask 255.255.255.0"
defaultrouter="10.0.1.1"

# Named section
named_enable="YES"
named_auto_forward="YES"  # ? what is auto forwarding doing?

named.conf
Code:
options {
  directory "/etc/namedb/working"; 
  version   "get lost";
  pid-file  "/var/run/named/pid"; 
  dump-file "/var/dump/named_dump.db"; 
  statistics-file "/var/stats/named.stats";
  listen-on  port 53  { 127.0.0.1; 10.0.1.102; }; // ? why both the machine IP and the localhost?
  listen-on-v6        {none; };

include "/etc/namedb/auto_forward.conf"; 
};

zone "." IN {
  type hint;
  file "/etc/namedb/named.root";
};

zone "localhost" { type master; file "/etc/namedb/master/localhost-forward.db"; }; 
zone "127.in-addr.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; }; 
zone "255.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

zone "havoc.local" IN {
	type master;
	file "/etc/namedb/zone.havoc.local";
};

zone "1.0.10.in-addr.arpa" IN {
	type master;
	notify no;
	file "/etc/namedb/zone.havoc.local.rev";
};

zone.havoc.local
Code:
$TTL    86400
@       IN      SOA     ns.havoc.local. root.havoc.local. (  ; ? modified from an on-line example. Why both? Could I get away with just kry.havoc.local?
                       2013081003   ; Serial (YYYYMMDDnn)
                       10800        ; Refresh
                       7200         ; Retry
                       36000000     ; Expire
                       86400 )      ; Negative Cache TTL
;
@       IN      NS      ns.havoc.local.
@       IN      A       10.0.1.102
ns      IN      A       10.0.1.102
; Hostname entries
kry           IN A            10.0.1.102
laptop        IN A            10.0.1.8

zone.havoc.local.rev
Code:
;
; BIND reverse data file for havoc.local
;
$TTL    86400
@       IN      SOA     ns.havoc.local. root.havoc.local. (
                2013081003      ;serial (YYYYMMDDNN where N = 01,02,03,...)
                10800           ;refresh (3 hours)
                7200            ;retry (2 hours)
                36000000        ;expire (10,000 hours = 416 2/3 days)
                86400)          ;default minimum ttl
;
@         IN      NS      ns.havoc.local.   ; the NS target must be a name that has an A record; a bare "ns." is not one
102       IN      PTR     ns.havoc.local.
 
; Hostname RNL pointers
8                IN PTR  laptop.havoc.local.
102              IN PTR  kry.havoc.local.

bash-3.2# dig kry.havoc.local

Code:
; <<>> DiG 9.8.3-P1 <<>> kry.havoc.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14626
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;kry.havoc.local.		IN	A

;; ANSWER SECTION:
kry.havoc.local.	86400	IN	A	10.0.1.102

;; AUTHORITY SECTION:
havoc.local.		86400	IN	NS	ns.havoc.local.

;; ADDITIONAL SECTION:
ns.havoc.local.	        86400	IN	A	10.0.1.102

;; Query time: 5 msec
;; SERVER: 10.0.1.102#53(10.0.1.102)
;; WHEN: Fri Aug 16 19:58:43 2013
;; MSG SIZE  rcvd: 89
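As an added example (not part of the post, and not a BIND tool), the check below cross-references the forward zone against the in-addr.arpa zone: every PTR target must have an A record with the same address, every address should have a PTR, and every NS target must be a name the forward zone actually defines. FORWARD_ZONE and REVERSE_ZONE are constructed copies of the two files posted above with the inline questions removed; the reverse copy keeps the bare `ns.` NS target the posted file originally had, so the check has something to report. The origin (`havoc.local`) and the /24 prefix (`10.0.1`) are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check a forward zone against its
# in-addr.arpa zone. The two zone texts are constructed copies of the posted files.

FORWARD_ZONE='$TTL    86400
@       IN      SOA     ns.havoc.local. root.havoc.local. (
                       2013081003   ; Serial (YYYYMMDDnn)
                       10800        ; Refresh
                       7200         ; Retry
                       36000000     ; Expire
                       86400 )      ; Negative Cache TTL
@       IN      NS      ns.havoc.local.
@       IN      A       10.0.1.102
ns      IN      A       10.0.1.102
; Hostname entries
kry           IN A            10.0.1.102
laptop        IN A            10.0.1.8'

REVERSE_ZONE='$TTL    86400
@       IN      SOA     ns.havoc.local. root.havoc.local. (
                2013081003      ;serial
                10800           ;refresh
                7200            ;retry
                36000000        ;expire
                86400)          ;default minimum ttl
@         IN      NS      ns.
102       IN      PTR     ns.havoc.local.
; Hostname RNL pointers
8                IN PTR  laptop.havoc.local.
102              IN PTR  kry.havoc.local.'

# Print "fqdn ip" for every A record; "@" and relative names are qualified with the origin.
forward_a_records() { # args: zone-text origin
  printf '%s\n' "$1" | awk -v origin="$2" '
    NF == 0 || $1 ~ /^;/ { next }                 # skip blank lines and comments
    $2 == "IN" && $3 == "A" {
      n = $1
      if (n == "@") n = origin "."
      else if (n !~ /\.$/) n = n "." origin "."
      print n, $4
    }'
}

# Print "ip fqdn" for every PTR record in a /24 reverse zone; prefix is the network (10.0.1).
reverse_ptr_records() { # args: zone-text prefix
  printf '%s\n' "$1" | awk -v prefix="$2" '
    NF == 0 || $1 ~ /^;/ { next }
    $2 == "IN" && $3 == "PTR" { print prefix "." $1, $4 }'
}

# Targets of NS records; each one needs an A record the resolver can find.
ns_targets() { # args: zone-text
  printf '%s\n' "$1" | awk '$2 == "IN" && $3 == "NS" { print $4 }'
}

# One line per finding; prints nothing when the zones agree.
check_zones() { # args: forward-text origin reverse-text prefix
  fwd=$(forward_a_records "$1" "$2")
  rev=$(reverse_ptr_records "$3" "$4")
  ns=$(ns_targets "$1"; ns_targets "$3")
  awk -v fwd="$fwd" -v rev="$rev" -v ns="$ns" 'BEGIN {
    n = split(fwd, line, "\n")
    for (i = 1; i <= n; i++) { split(line[i], f, " "); a[f[1]] = f[2] }
    n = split(rev, line, "\n")
    for (i = 1; i <= n; i++) {
      split(line[i], f, " "); ip = f[1]; name = f[2]
      ptrs[ip]++
      if (!(name in a))       print "PTR " ip " -> " name ": no A record for that name"
      else if (a[name] != ip) print "PTR " ip " -> " name ": but its A record is " a[name]
    }
    for (name in a) if (!(a[name] in ptrs)) print "A " name " -> " a[name] ": no PTR record"
    for (ip in ptrs) if (ptrs[ip] > 1) print "IP " ip " has " ptrs[ip] " PTR records; reverse lookups may return either name"
    n = split(ns, line, "\n")
    for (i = 1; i <= n; i++) if (line[i] != "" && !(line[i] in a)) print "NS " line[i] ": no A record in the forward zone (dangling name server)"
  }'
}

# Number of findings, for scripting.
finding_count() { check_zones "$@" | grep -c . ; }

# Usage: the two zones above, origin havoc.local, network 10.0.1
check_zones "$FORWARD_ZONE" havoc.local "$REVERSE_ZONE" 10.0.1
```

On the posted data this reports two things: 10.0.1.102 carries two PTR records (ns and kry), and the reverse zone's NS target `ns.` has no A record anywhere in the forward zone. `named-checkzone havoc.local zone.havoc.local` catches syntax errors but not this kind of cross-zone disagreement, which is why a separate consistency check is worth keeping next to the zone files.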
 
Is the machine a gateway and a DNS forwarder for a LAN network? If not, then you don't have to listen on any external address, just the localhost address 127.0.0.1. I would remove the named_auto_forward stuff and state the forwarders explicitly in named.conf (in my example the forwarder addresses are the Google DNS forwarders):


Code:
options {
  directory "/etc/namedb/working"; 
  ...
  forwarders { 8.8.8.8; 8.8.4.4; };
};

Then leave just this in /etc/resolv.conf:

Code:
domain havoc.local
nameserver 127.0.0.1

The second part, root.havoc.local., in the SOA record is actually the email address root@havoc.local.; for some reason it has to be written like that.


You could do all this a bit easier using dns/unbound. You wouldn't lose much functionality (you usually need BIND only to have a real authoritative server for a domain with secondary servers) but the configuration is much easier.
 
Is the machine a gateway and a DNS forwarder for a LAN network?
Definitely a DNS forwarder for a LAN network...

As to the gateway, I presumed the gateway would still be my wireless router (10.0.1.1).
$ netstat -r
Code:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.0.1.1           UGS         0    26240   fxp0
10.0.1.0           link#5             U           0    19588   fxp0
ns.havoc.local     link#5             UHS         0     3215    lo0
localhost          link#7             UH          0      213    lo0
Then leave just this in /etc/resolv.conf:
Code:
domain havoc.local
nameserver 127.0.0.1
That broke the setup. DNS queries were no longer being done locally - I couldn't ping any of my local machines.

I had to keep the following:
$ cat /etc/resolv.conf
Code:
domain havoc.local
nameserver 127.0.0.1
nameserver 10.0.1.102
nameserver 207.69.188.186
nameserver 207.69.188.187
You could do all this a bit easier using dns/unbound. You wouldn't lose much functionality (you usually need BIND only to have a real authoritative server for a domain with secondary servers) but the configuration is much easier.
I'm sure the configuration couldn't be any more complicated than BIND was, but, I've got BIND working (I think... :\) and I hate to bail out now.
 
Did you remove the second address from listen-on port 53 { 127.0.0.1; 10.0.1.102;}; in the earlier example? That's needed to accept DNS requests from the local network.
 
That is exactly why I asked if the machine is a DNS forwarder for a LAN. You have to listen-on the external address at least; listening on localhost is recommended. Leave the listen-on option like you had it there.

Always check with dig(1) that your server can resolve queries. For example:

dig @127.0.0.1 www.google.com
dig @10.0.1.102 www.freebsd.org

I doubt that leaving out the extra nameservers in resolv.conf actually broke your setup; it must have been something else. The nameservers are tried in order. You would see a long delay if the server listening on 127.0.0.1 wasn't responding before the resolver switches to the next server.
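The dig checks above answer the original question 1 if you know what to look for in the output, so here is an added example (not from the thread) that reads captured dig output and classifies it. The three captures are constructed: LOCAL mirrors the kry.havoc.local answer posted earlier, FIRST and SECOND model two successive lookups of an outside name through 127.0.0.1 (192.0.2.10 is a documentation address). The `aa` flag means named answered from its own havoc.local zone, so those answers never come from the cache; for a forwarded name you expect `qr rd ra` without `aa`, and the second lookup should come back in about 0 ms with a TTL that has counted down. That countdown is the cache working.

```shell
#!/bin/sh
# Added example, not from the thread: classify dig(1) answers and spot cache hits.
# All three captures below are constructed sample data.

LOCAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14626
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; ANSWER SECTION:
kry.havoc.local.    86400   IN  A   10.0.1.102

;; Query time: 5 msec
;; SERVER: 10.0.1.102#53(10.0.1.102)'

FIRST=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.com.    86400   IN  A   192.0.2.10

;; Query time: 48 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

SECOND=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31003
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.com.    86391   IN  A   192.0.2.10

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# The flag list ("qr aa rd ra") from the header line.
dig_flags() { printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'; }

# True when a given flag (aa, ra, ...) is present.
has_flag() { # args: dig-output flag
  case " $(dig_flags "$1") " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# TTL of the first record in the ANSWER SECTION.
answer_ttl() {
  printf '%s\n' "$1" | awk '/^;; ANSWER SECTION:/ { grab = 1; next } grab && NF >= 4 { print $2; exit }'
}

# Round-trip time reported by dig, in milliseconds.
query_time_ms() { printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'; }

# authoritative: aa set, the server owns the zone (not a cached answer)
# recursive:     ra set, the server fetched or cached it on the client's behalf
# no-recursion:  the server will not recurse for this client
classify_answer() {
  if has_flag "$1" aa; then echo authoritative
  elif has_flag "$1" ra; then echo recursive
  else echo no-recursion
  fi
}

# A repeat lookup served from cache shows a TTL lower than the first answer
# (the cache counts it down) and a near-zero query time.
is_cache_hit() { # args: first-dig-output second-dig-output
  t1=$(answer_ttl "$1"); t2=$(answer_ttl "$2"); q2=$(query_time_ms "$2")
  [ "$t2" -lt "$t1" ] && [ "$q2" -le 1 ]
}

echo "kry.havoc.local: $(classify_answer "$LOCAL") answer (aa set: served from the havoc.local zone, not the cache)"
echo "www.example.com, first lookup: $(classify_answer "$FIRST"), ttl $(answer_ttl "$FIRST"), $(query_time_ms "$FIRST") ms"
if is_cache_hit "$FIRST" "$SECOND"; then
  echo "www.example.com, second lookup: answered from cache (ttl $(answer_ttl "$SECOND"), $(query_time_ms "$SECOND") ms)"
fi
```

To use it on a live server, run `dig @127.0.0.1 www.freebsd.org` twice a few seconds apart and feed the two outputs to `is_cache_hit`; if the second answer still takes tens of milliseconds and shows the full TTL, the queries are not being cached locally and are going upstream every time, which is the "spurious DNS traffic" the original post worried about.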
 
kpa said:
That is exactly why I asked if the machine is a DNS forwarder for a LAN. You have to listen-on the external address at least; listening on localhost is recommended. Leave the listen-on option like you had it there.

Always check with dig(1) that your server can resolve queries. For example:

dig @127.0.0.1 www.google.com
dig @10.0.1.102 www.freebsd.org

I doubt that leaving out the extra nameservers in resolv.conf actually broke your setup; it must have been something else. The nameservers are tried in order. You would see a long delay if the server listening on 127.0.0.1 wasn't responding before the resolver switches to the next server.

I want to start out by stating I appreciate your taking an interest in helping me. Between this exercise and this MS article on DNS, I'm learning quite a bit here.

Here's where I'm at:

"named_auto_forward" is gone from rc.conf

resolv.conf
Code:
domain havoc.local
nameserver 127.0.0.1

named.conf
Code:
options {
  directory "/etc/namedb/working"; 
 ...
  listen-on  port 53  { 127.0.0.1; 10.0.1.102;};
  listen-on-v6        {none; };
  forwarders {207.69.188.186; 207.69.188.187; };
  include "/etc/namedb/auto_forward.conf";
};

Everything seems in order.
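As an added example (not from the thread, and not a BIND tool), a small awk lint over the options block, assuming one statement per line as in the posts. WEAK is a constructed copy of the final named.conf above; HARDENED is the same forwarder with `forward only` and explicit allow-query / allow-recursion ACLs for the LAN (constructed). The two things the lint looks for are both visible in the config above: `forwarders` is stated explicitly while `auto_forward.conf` (the file FreeBSD's rc script generates from resolv.conf when named_auto_forward is enabled) is still included, and there is no `forward only`, so with the default `forward first` named will recurse on its own from the root hints whenever the forwarders fail to answer.

```shell
#!/bin/sh
# Added example, not from the thread: lint the options block of a caching
# forwarder's named.conf. WEAK copies the posted config; HARDENED is a
# constructed variant with the access controls written out.

WEAK='options {
  directory "/etc/namedb/working";
  listen-on  port 53  { 127.0.0.1; 10.0.1.102; };
  listen-on-v6        { none; };
  forwarders { 207.69.188.186; 207.69.188.187; };
  include "/etc/namedb/auto_forward.conf";
};'

HARDENED='options {
  directory "/etc/namedb/working";
  listen-on  port 53  { 127.0.0.1; 10.0.1.102; };
  listen-on-v6        { none; };
  forwarders { 207.69.188.186; 207.69.188.187; };
  forward only;                                   // never recurse from the root hints ourselves
  allow-query     { 127.0.0.1; 10.0.1.0/24; };   // who may ask at all
  allow-recursion { 127.0.0.1; 10.0.1.0/24; };   // who may use the cache/forwarding
};'

# One finding per line. WARN = likely to break or surprise; NOTE = make the intent explicit.
lint_options() { # args: named.conf text, one statement per line
  printf '%s\n' "$1" | awk '
    { sub(/\/\/.*/, ""); sub(/#.*/, ""); if (NF == 0) next }   # strip comments, skip blanks
    $1 == "listen-on" {
      # any non-loopback address means the service is reachable from the network
      for (i = 2; i <= NF; i++)
        if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+;?$/ && $i !~ /^127\./) lan = 1
    }
    $1 == "allow-recursion" { recursion_acl = 1 }
    $1 == "allow-query"     { query_acl = 1 }
    $1 == "forwarders"      { forwarders = 1 }
    $1 == "forward" && $2 ~ /^only/ { forward_only = 1 }
    $1 == "include" && $2 ~ /auto_forward\.conf/ { auto_fwd = 1 }
    END {
      if (forwarders && auto_fwd)
        print "WARN: explicit forwarders plus include of auto_forward.conf; if that file also sets forwarders the option is defined twice and named rejects the config"
      if (forwarders && !forward_only)
        print "NOTE: forwarders without \"forward only\" means \"forward first\": when the forwarders do not answer, named recurses from the root hints itself"
      if (lan && !(recursion_acl && query_acl))
        print "NOTE: listen-on includes a LAN address but allow-recursion/allow-query are not stated; BIND 9 defaults recursion to localnets and localhost and queries to any, so write the ACLs out"
    }'
}

warning_count() { lint_options "$1" | grep -c '^WARN'; }

echo "== posted config =="
lint_options "$WEAK"
echo "== hardened config =="
lint_options "$HARDENED"
```

Run `named-checkconf /etc/namedb/named.conf` after any edit as well; it is the authoritative syntax check, and it is the tool that will report a redefined `forwarders` option if auto_forward.conf still defines one.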
 