Back to the sea ; the Domain Name Service (DNS), episode III
532 words, 3 minutes
Here’s the directions to configure a dual-view DNS on OpenBSD.
I’ll be using BIND 9.4.2-P2
as shipped with 4.8.
Prerequisites
A running OpenBSD ; I’m doing it on 4.8/amd64.
Have a look at the local “BIND 9 Administrator Reference Manual”:
# lynx /usr/share/doc/html/bind/Bv9ARM.html
Keep a eye on it while configuring the daemon and filling-in the zone files.
Name daemon configuration
I will configure a so called dual-view DNS.
This means that local (internal) users won’t get the same answers as external
(from Internet) ones. That enables only my users to make recursive DNS requests.
That also permits to point to (hidden) local addresses when users are on the
LAN. The users from Internet will only see public addresses for services that I
publish.
Configure the daemon:
# cp -p /var/named/etc/named-dual.conf /var/named/etc/named.conf
# vi /var/named/etc/named.conf
(...)
view "recursive" {
(...)
zone "tumfatig.net" {
type master;
file "master/tumfatig.net";
allow-transfer { clients; };
};
zone "carnat.net" {
type master;
file "master/carnat.net";
allow-transfer { clients; };
};
zone "10.in-addr.arpa" {
type master;
file "master/10.in-addr.arpa";
allow-transfer { clients; };
};
};
(...)
view "authoritative" {
(...)
zone "tumfatig.net" {
type master;
file "master/PUB.tumfatig.net";
};
zone "carnat.net" {
type master;
file "master/PUB.carnat.net";
};
};
Zone file configuration
Copy the default zone files:
# cp -p /var/named/standard/localhost /var/named/master/PUB.tumfatig.net
# cp -p /var/named/standard/localhost /var/named/master/PUB.carnat.net
# cp -p /var/named/standard/localhost /var/named/master/carnat.net
# cp -p /var/named/standard/localhost /var/named/master/tumfatig.net
# cp -p /var/named/standard/loopback /var/named/master/10.in-addr.arpa
Correct the SOA informations.
Complete the zone files according to your need.
Checks
There is a “simple” tool that will point you to any error before you start the daemon:
# named-checkconf -t /var/named -z /etc/named.conf
zone localhost/IN: loaded serial 1
zone 127.in-addr.arpa/IN: loaded serial 1
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1
zone tumfatig.net/IN: loaded serial 1
zone carnat.net/IN: loaded serial 1
zone 10.in-addr.arpa/IN: loaded serial 1
zone tumfatig.net/IN: loaded serial 1
zone carnat.net/IN: loaded serial 1
Last steps
Configure the system to auto-start the DNS daemon on boot:
# vi /etc/rc.conf.local
named_flags=""
Quoting the named
man page:
When invoked without arguments, named will fork into two processes for privilege separation, chroot(2) to /var/named, read the default configuration file /var/named/etc/named.conf, read any initial data, and listen for queries. The privileged process will communicate with the child and bind(2) to privileged ports on its behalf. See CAVEATS section below.
This is what we want, so that’s OK :)
Reboot the system so that it also creates the shared secret to communicate with named.
Check the logs to ensure everything went OK:
# grep named /var/log/daemon
Configure the system to use it’s own BIND instance and try to resolve things:
# vi /etc/resolv.conf
nameserver 127.0.0.1
# dig @localhost www.google.fr
(...)
;; QUESTION SECTION:
;www.google.fr. IN A
;; ANSWER SECTION:
www.google.fr. 345554 IN CNAME www.google.com.
www.google.com. 604754 IN CNAME www.l.google.com.
www.l.google.com. 254 IN A 74.125.230.84
www.l.google.com. 254 IN A 74.125.230.80
www.l.google.com. 254 IN A 74.125.230.83
www.l.google.com. 254 IN A 74.125.230.82
www.l.google.com. 254 IN A 74.125.230.81
(...)
# dig @localhost -t mx carnat.net
(...)
;; QUESTION SECTION:
;carnat.net. IN MX
;; ANSWER SECTION:
carnat.net. 86400 IN MX 10 mail.tumfatig.net.
;; AUTHORITY SECTION:
carnat.net. 86400 IN NS dns.tumfatig.net.
;; ADDITIONAL SECTION:
dns.tumfatig.net. 86400 IN A 10.0.0.50
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
That’s All Folks!