From: "Andrew P." <infofarmer@mail.ru>
Date: Fri, 14 Jan 2005 22:55:43 +0300
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Subject: Re: DNS: querying route DNS

Matthew Seaman wrote:
> Sure. Assuming you're using 5.3-RELEASE, 5.3-STABLE or better, then
> setting up a recursive-only nameserver is really very simple.
>
> The system comes with BIND-9.3.0 as standard, and it has all of the
> chroot-ing functionality available just by default.
> All you need do is add the following to /etc/rc.conf:
>
> named_enable="YES"
>
> There are several other variables you can use to tweak the named startup
> via /etc/rc.conf, but basically the default values are good for what I
> want to do here:
>
> named_program="/usr/sbin/named"    # path to named, if you want a different one.
> named_flags="-u bind"              # Flags for named
> named_pidfile="/var/run/named/pid" # Must set this in named.conf as well
> named_chrootdir="/var/named"       # Chroot directory (or "" not to auto-chroot it)
> named_chroot_autoupdate="YES"      # Automatically install/update chrooted
>                                    # components of named. See /etc/rc.d/named.
> named_symlink_enable="YES"         # Symlink the chrooted pid file
>
> You need to do three more things to configure named. The first is to
> generate the keys that allow rndc(8) to communicate with and control the
> name server:
>
> # rndc-confgen > /etc/named/rndc.conf
>
> The file consists of two parts: the stuff rndc needs to read, followed
> by the equivalent stuff, but commented out, to go into named.conf:
>
> # Start of rndc.conf
> key "rndc-key" {
>     algorithm hmac-md5;
>     secret "XXXXXXXXXXXXXXXXXXXXXX==";
> };
>
> options {
>     default-key "rndc-key";
>     default-server 127.0.0.1;
>     default-port 953;
> };
> # End of rndc.conf
>
> # Use with the following in named.conf, adjusting the allow list as needed:
> # key "rndc-key" {
> #     algorithm hmac-md5;
> #     secret "XXXXXXXXXXXXXXXXXXXXXX==";
> # };
> #
> # controls {
> #     inet 127.0.0.1 port 953
> #         allow { 127.0.0.1; } keys { "rndc-key"; };
> # };
> # End of named.conf
>
> All of those X's will be replaced by a random password hash.
>
> The second thing is to generate the zone files for the localhost and the
> IPv6 and IPv4 loopback addresses, which you do by running the provided
> script:
>
> # cd /etc/namedb
> # ./make-localhost
>
> This will write two files into /etc/namedb/master: localhost.rev, and
> localhost-v6.rev which let you resolve the IP numbers 127.0.0.1 and ::1
> respectively as mapping to the hostname 'localhost.' Once you've
> generated those once, you never need to touch them again. Nb. Although
> we're setting up a recursive nameserver, it will hold these localhost
> domains authoritatively; a slight exception to the usual rule of not
> mixing recursive and authoritative functions in the same nameserver
> instance. Pretty much every nameserver in operation provides the
> localhost reverse domain.
>
> The third and final step is to generate a named.conf -- details of the
> configuration file syntax are available in
>
> file:///usr/share/doc/bind9/arm/Bv9ARM.html
>
> but something based on the attached example is what you need. This will
> provide a recursive nameservice including both IPv4 and IPv6. Use
> named-confcheck to syntax check the file:
>
> % named-checkconf named.conf && echo "Configuration OK"
>
> BIND v9 is in general very picky about the syntax of the configuration
> file, and if it finds an error (usually a missing semi-colon) it will
> silently (except for messages to the system log) refuse to start up.
>
> At last you're ready to fire up named for the first time:
>
> # /etc/rc.d/named start
>
> This will result in the contents of /etc/namedb being copied into
> /var/named/etc/namedb and a sym-link being created in /etc. Various
> other necessary bits will be created under /var/named and as a security
> measure, the named daemon will be chroot'ed there when it starts up.
>
> Any time you work on named's config or zone files, always check the
> system log to confirm that named is still happy:
>
> Jan 14 09:08:40 gravitas named[371]: starting BIND 9.3.0 -u bind -t /var/named
> Jan 14 09:08:41 gravitas named[371]: command channel listening on 127.0.0.1#953
> Jan 14 09:08:41 gravitas named[371]: command channel listening on ::1#953
>
> Use rndc(8) to control named during normal use -- it's interesting to
> dump the cache after a day or so's operation to see what weird and
> wonderful places your system has been looking up.

Thanks much! I actually thought that BIND configuration was a lot more
difficult, but it appears to be a matter of 20 minutes. I also need to
serve some local zones, but I'll figure that out on my own. Will try to
switch to BIND this weekend.

Best wishes,
Andrew P.
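One way to carry out the named.conf and syntax-check steps from the message above in a single script (an added example, not code from the thread or from FreeBSD itself). It assumes root hints in /etc/namedb/named.root, the master/localhost.rev file written by make-localhost, loopback-only listen addresses, a LAN-only allow-recursion list, and a placeholder rndc secret; the key algorithm must match whatever rndc-confgen put in rndc.conf.

```shell
#!/bin/sh
# Added example (not code from the thread): write a minimal recursive-only
# named.conf that fits the rc.conf and rndc settings quoted above, and
# syntax-check it before starting named. Assumed: /etc/namedb/named.root,
# master/localhost.rev from make-localhost, and a placeholder rndc secret.

# gen_named_conf DIR SECRET -> writes DIR/named.conf and prints its path
gen_named_conf() {
    cat > "$1/named.conf" <<EOF
options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";        # must match named_pidfile in rc.conf
    listen-on { 127.0.0.1; };             # assumption: serve this host only
    listen-on-v6 { ::1; };
    recursion yes;
    allow-recursion { localhost; localnets; };   # not an open resolver
    allow-transfer { none; };
};
key "rndc-key" { algorithm hmac-md5; secret "$2"; };   # same algorithm as rndc.conf
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
zone "." { type hint; file "named.root"; };
zone "0.0.127.in-addr.arpa" { type master; file "master/localhost.rev"; };
EOF
    printf '%s\n' "$1/named.conf"
}

# check_named_conf FILE -> 0 if OK. Uses named-checkconf when BIND is installed;
# otherwise a brace-balance check that also requires the ';' after every
# top-level closing brace, the classic cause of named refusing to start.
check_named_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"; return $?
    fi
    awk '{ sub(/#.*/, ""); n = length($0)
           for (i = 1; i <= n; i++) {
             c = substr($0, i, 1)
             if (c == " " || c == "\t") continue
             if (want_semi) { if (c != ";") bad = 1; want_semi = 0; continue }
             if (c == "{") depth++
             else if (c == "}") { depth--; if (depth < 0) bad = 1
                                  if (depth == 0) want_semi = 1 } } }
         END { exit ((bad || depth != 0 || want_semi) ? 1 : 0) }' "$1"
}

# stand-alone run: build the config in a scratch directory and check it
tmp=$(mktemp -d)
conf=$(gen_named_conf "$tmp" "UExBQ0VIT0xERVJTRUNSRVQ=")   # placeholder, not a real key
check_named_conf "$conf" && echo "Configuration OK: $conf"
```

Copy the generated file into /etc/namedb only after the check passes; the fallback checker only catches brace and top-level semicolon mistakes, so run the real named-checkconf wherever BIND is installed.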