Back to the sea ; the Domain Name Service (DNS), episode III

Here’s the directions to configure a dual-view DNS on OpenBSD.
I’ll be using BIND 9.4.2-P2 as shipped with 4.8.

Prerequisites

A running OpenBSD ; I’m doing it on 4.8/amd64.

Have a look at the local “BIND 9 Administrator Reference Manual”:

# lynx /usr/share/doc/html/bind/Bv9ARM.html

Keep a eye on it while configuring the daemon and filling-in the zone files.

Name daemon configuration

I will configure a so called dual-view DNS.
This means that local (internal) users won’t get the same answers as external (from Internet) ones.
That enables only my users to make recursive DNS requests.
That also permits to point to (hidden) local addresses when users are on the LAN. The users from Internet will only see public addresses for services that I publish.

Configure the daemon:

# cp -p /var/named/etc/named-dual.conf /var/named/etc/named.conf
# vi /var/named/etc/named.conf
(...)
view "recursive" {
(...)
        zone "tumfatig.net" {
                type master;
                file "master/tumfatig.net";
                allow-transfer { clients; };
        };

        zone "carnat.net" {
                type master;
                file "master/carnat.net";
                allow-transfer { clients; };
        };

        zone "10.in-addr.arpa" {
                type master;
                file "master/10.in-addr.arpa";
                allow-transfer { clients; };
        };
};
(...)
view "authoritative" {
(...)
        zone "tumfatig.net" {
                type master;
                file "master/PUB.tumfatig.net";
        };

        zone "carnat.net" {
                type master;
                file "master/PUB.carnat.net";
        };
};

Zone file configuration

Copy the default zone files:

# cp -p /var/named/standard/localhost /var/named/master/PUB.tumfatig.net
# cp -p /var/named/standard/localhost /var/named/master/PUB.carnat.net
# cp -p /var/named/standard/localhost /var/named/master/carnat.net
# cp -p /var/named/standard/localhost /var/named/master/tumfatig.net
# cp -p /var/named/standard/loopback /var/named/master/10.in-addr.arpa

Correct the SOA informations.
Complete the zone files according to your need.

Checks

There is a “simple” tool that will point you to any error before you start the daemon:

# named-checkconf -t /var/named -z /etc/named.conf
zone localhost/IN: loaded serial 1
zone 127.in-addr.arpa/IN: loaded serial 1
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1
zone tumfatig.net/IN: loaded serial 1
zone carnat.net/IN: loaded serial 1
zone 10.in-addr.arpa/IN: loaded serial 1
zone tumfatig.net/IN: loaded serial 1
zone carnat.net/IN: loaded serial 1

Last steps

Configure the system to auto-start the DNS daemon on boot:

# vi /etc/rc.conf.local
named_flags=””

Quoting the named man page:

When invoked without arguments, named will fork into two processes for
privilege separation, chroot(2) to /var/named, read the default
configuration file /var/named/etc/named.conf, read any initial data,
and listen for queries. The privileged process will communicate with
the child and bind(2) to privileged ports on its behalf. See CAVEATS
section below.

This is what we want, so that’s OK 🙂

Reboot the system so that it also creates the shared secret to communicate with named.

Check the logs to ensure everything went OK:

# grep named /var/log/daemon

Configure the system to use it’s own BIND instance and try to resolve things:

# vi /etc/resolv.conf
nameserver 127.0.0.1
# dig @localhost www.google.fr
(…)
;; QUESTION SECTION:
;www.google.fr. IN A

;; ANSWER SECTION:
www.google.fr. 345554 IN CNAME www.google.com.
www.google.com. 604754 IN CNAME www.l.google.com.
www.l.google.com. 254 IN A 74.125.230.84
www.l.google.com. 254 IN A 74.125.230.80
www.l.google.com. 254 IN A 74.125.230.83
www.l.google.com. 254 IN A 74.125.230.82
www.l.google.com. 254 IN A 74.125.230.81
(…)
# dig @localhost -t mx carnat.net
(…)
;; QUESTION SECTION:
;carnat.net. IN MX

;; ANSWER SECTION:
carnat.net. 86400 IN MX 10 mail.tumfatig.net.

;; AUTHORITY SECTION:
carnat.net. 86400 IN NS dns.tumfatig.net.

;; ADDITIONAL SECTION:
dns.tumfatig.net. 86400 IN A 10.0.0.50

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

That’s All Folks!

1 Comment

  • Back to the sea ; the OpenBSD services, episode I at TuM'Fatig Thu, 28 Jul 2011 14:10:56 +0000 Reply

    […] the Domain Name Service (DNS) […]

Leave a Reply

%d bloggers like this: