Date: Tue, 28 Jan 2003 12:58:49 +1100
From: Greg Lane <gregory.lane@anu.edu.au>
To: freebsd-questions@FreeBSD.ORG
Cc: leblanc+freebsd@keyslapper.org
Subject: Re: Caching nameserver question - I need a spot here . . .
Message-ID: <20030128015849.GA76718@nucl03.anu.edu.au>
In-Reply-To: <20030127221529.GB36301@keyslapper.org>
References: <20030127221529.GB36301@keyslapper.org>
On Mon, Jan 27, 2003 at 05:15:29PM -0500, Louis LeBlanc <leblanc+freebsd@keyslapper.org> wrote:
> Hey all. I'm finally getting around to setting up a caching dns
> server. Pretty confusing from my angle.
>
> Here's what I have so far:
> named enabled in /etc/rc.conf
> cd to /etc/namedb and run sh make-localhost
>
> and the following in /etc/namedb/named.conf:
>
> options {
>   directory "/etc/namedb";
>   forward first;
>   forwarders {
>     151.203.0.84;
>     151.202.0.84;
>   };
>   listen-on { 10.8.20.5; };
>   version "surely you must be joking";
>   query-source address * port 53;
> };
>
>
> zone "." {
>   type hint;
>   file "named.root";
> };
>
> zone "0.0.127.IN-ADDR.ARPA" {
>   type master;
>   file "localhost.rev";
> };
>

G'day Louis,

The only differences I can see between this and my working configuration at home are:

1/. I have "forward only" rather than "forward first". So far my DNS providers haven't failed me!

2/. I run named as a non-privileged user. I haven't configured a complete sandbox (see http://www.au.freebsd.org/doc/en_US.ISO8859-1/books/handbook/dns.html#NAMED-SANDBOX for that), but just did the following:

mkdir /etc/namedb/s
chown bind:bind /etc/namedb/s
chmod 750 /etc/namedb/s

Add the following to the options in named.conf

dump-file "s/named_dump.db";

and

named_flags="-u bind -g bind"

to /etc/rc.conf.

3/. I don't have the version and query-source lines. I don't believe they'll break anything for you.

4/. I have set up an authoritative "lane.family" domain for my home network.

5/. You may want to add 127.0.0.1 to your listen-on option.

I can't see anything in your setup as is that will wreak havoc on the internet, but I am not an expert. I would at least run it as bind:bind rather than root as it is trivial to set up. A complete sandbox is better, and of course a jail would be even better, but they are both more work.

Greg
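As an added example (not part of the thread), a small Python checker that applies the review points from Greg's reply to a named.conf options block and an rc.conf line. The sample configuration is Louis's options block as posted, with a ';' supplied after the version line so it parses; the finding wording and the function names are my own.

```python
import re

# Constructed sample: Louis's options block from the thread (plus a ';'
# after the version line, which the original post omitted).
SAMPLE_CONF = """options {
    directory "/etc/namedb";
    forward first;
    forwarders { 151.203.0.84; 151.202.0.84; };
    listen-on { 10.8.20.5; };
    version "surely you must be joking";
    query-source address * port 53;
};
zone "." { type hint; file "named.root"; };
"""

def block_body(conf, name):
    """Text inside the first top-level `name { ... }` block, or '' if absent."""
    start = re.search(r"\b%s\s*\{" % re.escape(name), conf)
    if not start:
        return ""
    depth, i = 1, start.end()
    while i < len(conf) and depth:          # walk to the matching '}'
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[start.end():i - 1]

def statements(body):
    """Split a block body into statements ended by ';' at brace depth 0."""
    out, buf, depth = [], "", 0
    for ch in body:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == ";" and depth == 0:
            out.append(buf.strip())
            buf = ""
        else:
            buf += ch
    return [s for s in out if s]

def audit_options(conf):
    """Apply the thread's review points to the options block; return findings."""
    opts = {}
    for st in statements(block_body(conf, "options")):
        key, _, value = st.partition(" ")   # e.g. 'listen-on' -> '{ 10.8.20.5; }'
        opts[key] = value.strip()
    findings = []
    if opts.get("forward") == "first":
        findings.append("forward first: named falls back to root-hint recursion when the forwarders fail; 'forward only' keeps every lookup on them")
    if "127.0.0.1" not in re.findall(r"[\d.]+", opts.get("listen-on", "")):
        findings.append("listen-on: 127.0.0.1 is missing, so local clients cannot query via loopback")
    if not opts.get("dump-file", "").strip('"').startswith("s/"):
        findings.append("dump-file: not under the bind-owned s/ subdirectory, so an unprivileged named cannot write its dump")
    return findings

def named_runs_unprivileged(rc_conf):
    """True if rc.conf starts named with -u bind -g bind, as the reply suggests."""
    m = re.search(r'^named_flags="([^"]*)"', rc_conf, re.M)
    return bool(m) and "-u bind" in m.group(1) and "-g bind" in m.group(1)
```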