Setting up BIND is probably the part that took more thought than any other when building the firewall. This is not because of any particular technical challenges; rather, BIND is managed by a consortium and its doc is… voluminous.
In the end, I went with the default /var/named/etc/named.conf on the assumption that it would do the right thing. According to its comment, it does both “recursive and authoritative queries using one cache,” which is what I want.
There are four files that need to change:
- /etc/rc.conf
- /var/named/etc/named.conf
- /var/named/master/mydomain.net
- /var/named/master/mydomain.net.rev
The last two can be named anything, but I stuck with conventions as I saw them.
Warning: unlike everything up to now, the BIND files live under /var. In flashrd, /var is unpacked at boot from /flash/var.tar into a RAM disk, so anything you change there is gone after a reboot. Save your changes somewhere else, and do not reboot until you have! Ultimately, we'll put these changes into /flash/var.tar so they get re-created when the device reboots.
/etc/rc.conf
To enable named, change the line named_flags=NO to named_flags="" (an empty flags string means "start it, with no extra arguments").
/var/named/etc/named.conf
I used the default named.conf, which is really just a copy of named-simple.conf.
I made one addition in the options section:
forwarders { 8.8.8.8; };
This tells named that, for any name it is not authoritative for and does not already have cached, it should send the query to Google's resolver instead of walking the root servers itself. BIND's default is forward first, so if the forwarder does not answer, named falls back to resolving on its own. (Actually, I put a few DNS servers that were specific to my ISP, but the Google server will work too.) Whichever you pick, remember that every name your LAN looks up goes to that operator in cleartext, and that its answers are trusted as-is; and make sure recursion is only offered to your own LAN, because a resolver that answers recursive queries from the internet is an open resolver that others will abuse for reflection attacks.
I also made a few changes near the end:
// Master zones
//
zone "mydomain.net" {
type master;
file "master/mydomain.net";
};
// Reverse mappings for mydomain.net domain
zone "150.168.192.in-addr.arpa" in {
type master;
file "master/mydomain.net.rev";
};
This tells named to look in /var/named/master/mydomain.net for mappings of mydomain.net, and in /var/named/master/mydomain.net.rev for the reverse mappings of 192.168.150.*. The file paths are relative to named's working directory; on OpenBSD, named runs chrooted in /var/named, which is why the config lives under /var/named/etc and "master/mydomain.net" resolves to /var/named/master/mydomain.net.
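As an added example (not from the original post), here is an options block that keeps the forwarders line but also closes the holes a plain forwarders addition leaves open: recursion and queries are limited to the LAN, named listens only on loopback and the inside address rather than the WAN side, zone transfers are switched off because there are no secondaries, and the version string is hidden. The acl name "lan", the 192.168.150.0/24 network and the 192.168.150.1 listen address are assumptions; named-simple.conf may already set some of these options, and named rejects a redefined option, so merge this with what is there rather than pasting it in wholesale.

```conf
// Added example: hardened options for /var/named/etc/named.conf.
// 192.168.150.0/24 and 192.168.150.1 are assumed to be the LAN and the
// firewall's inside address; adjust both to match your network.
acl "lan" { 127.0.0.1; 192.168.150.0/24; };

options {
	// Answer only on loopback and the inside interface, never on the WAN side.
	listen-on { 127.0.0.1; 192.168.150.1; };
	listen-on-v6 { none; };

	// The zones here describe private 192.168.150.* hosts, so only the LAN
	// needs them, and only the LAN may use this box as a recursive resolver.
	allow-query { "lan"; };
	allow-recursion { "lan"; };

	// No secondaries, so nobody needs to AXFR the zones.
	allow-transfer { none; };

	// Weak on its own: forwarders with recursion open to anyone is an open
	// resolver. Forwarding is fine; the allow-recursion line above is what
	// keeps it private.
	forwarders { 8.8.8.8; };
	forward first;   // the default: ask the forwarder, recurse ourselves if it fails

	// Don't tell "version.bind" queries which BIND this is.
	version "not disclosed";
};
```

After editing, named-checkconf -t /var/named /etc/named.conf parses the file inside the chroot and reports any option that is duplicated or misspelled before you restart named.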
/var/named/master/mydomain.net Here’s my mydomain.net:
mydomain.net. IN SOA firewall.mydomain.net. myemail.yahoo.com. (
1 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
;
; Name Servers
;
mydomain.net. IN NS firewall.mydomain.net.
;
; Host addresses
;
localhost.mydomain.net. IN A 127.0.0.1
firewall.mydomain.net. IN A 192.168.150.1
firesign.mydomain.net. IN A 192.168.150.170
frantics.mydomain.net. IN A 192.168.150.171
bundolo.mydomain.net. IN A 192.168.150.172
The first bit, the SOA record, says the zone is mydomain.net., that firewall.mydomain.net. is its primary nameserver, and that the responsible mailbox is myemail@yahoo.com (note the dot instead of the at sign there; that is how DNS writes it).
The numbers in parentheses are the serial and the timers. You're supposed to bump up the serial number every time you edit, but I usually just kill and restart named. The serial only matters to secondary servers, which compare it against their copy to decide whether to transfer the zone again; with a single server that gets restarted after each edit, a stale serial does no harm. Two details the comments gloss over: in BIND 9 the last value is the negative-caching TTL (how long a "no such name" answer may be cached), not a minimum TTL, and BIND 9 expects a $TTL directive at the top of the file, falling back to this SOA value with a warning when it is missing.
After that, the NS record says that the firewall will be the nameserver for the domain.
Next is the interesting bit: the mapping of host names to host addresses. Every name here ends in a dot because the names are written out in full. BIND does not require the dot; it means "this name is absolute". A name without it is relative to the zone origin, so firewall.mydomain.net (no dot) silently becomes firewall.mydomain.net.mydomain.net., which is why a missed dot is so confusing: the file loads without complaint and the lookups just fail. (If you prefer, write the short form, firewall, and let BIND append the origin.)
/var/named/master/mydomain.net.rev
In addition to looking up names, DNS usually also does lookups of IP addresses. This is what you get when you do nslookup 192.168.150.1, for instance. The reverse zone file holds those PTR records:
150.168.192.in-addr.arpa. IN SOA firewall.mydomain.net. myemail.yahoo.com. (
1 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
;
; Name Servers
;
150.168.192.in-addr.arpa. IN NS firewall.mydomain.net.
;
; Addresses point to canonical name
;
1.150.168.192.in-addr.arpa. IN PTR firewall.mydomain.net.
170.150.168.192.in-addr.arpa. IN PTR firesign.mydomain.net.
171.150.168.192.in-addr.arpa. IN PTR frantics.mydomain.net.
172.150.168.192.in-addr.arpa. IN PTR bundolo.mydomain.net.
Once again, watch for . characters at the end of .arpa. and .net.
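The two mistakes the post warns about, a missed trailing dot in either zone file and a forward entry with no matching reverse entry (or vice versa), are easy to check for before restarting named. The following is an added example, not code from the original post: it applies BIND's own rule for names (a name without a trailing dot is relative to the zone origin and gets the origin appended), flags every such name, and then cross-checks the forward zone's A records against the reverse zone's PTR records. FORWARD_ZONE and REVERSE_ZONE are the post's two files; BROKEN_FORWARD is a constructed copy with one dot dropped and one host deleted, to show what the check reports.

```python
"""Sanity-check the forward and reverse zone files before restarting named.
Added example, not code from the original post.  It applies BIND's rule that a
name without a trailing dot is relative to the zone origin, flags every such
name, and cross-checks A records against PTR records.  FORWARD_ZONE and
REVERSE_ZONE are the post's files; BROKEN_FORWARD is a constructed bad copy."""
import ipaddress
import re

FORWARD_ZONE = """\
mydomain.net. IN SOA firewall.mydomain.net. myemail.yahoo.com. (
    1 10800 3600 604800 86400 ) ; serial, refresh, retry, expire, negative TTL
mydomain.net. IN NS firewall.mydomain.net.
localhost.mydomain.net. IN A 127.0.0.1
firewall.mydomain.net. IN A 192.168.150.1
firesign.mydomain.net. IN A 192.168.150.170
frantics.mydomain.net. IN A 192.168.150.171
bundolo.mydomain.net. IN A 192.168.150.172
"""
REVERSE_ZONE = """\
150.168.192.in-addr.arpa. IN SOA firewall.mydomain.net. myemail.yahoo.com. (
    1 10800 3600 604800 86400 )
150.168.192.in-addr.arpa. IN NS firewall.mydomain.net.
1.150.168.192.in-addr.arpa. IN PTR firewall.mydomain.net.
170.150.168.192.in-addr.arpa. IN PTR firesign.mydomain.net.
171.150.168.192.in-addr.arpa. IN PTR frantics.mydomain.net.
172.150.168.192.in-addr.arpa. IN PTR bundolo.mydomain.net.
"""
# Constructed: frantics loses its trailing dot, bundolo is missing altogether.
BROKEN_FORWARD = FORWARD_ZONE.replace(
    "frantics.mydomain.net. IN A", "frantics.mydomain.net IN A").replace(
    "bundolo.mydomain.net. IN A 192.168.150.172\n", "")
NAME_RDATA = {"NS", "PTR", "CNAME"}   # types whose rdata is a single domain name

def _absolute(name, origin, warnings):
    """'@' means the origin; a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    warnings.append(f"{name}: no trailing dot, BIND will read it as {name}.{origin}")
    return f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (records, warnings): records are (owner, type, rdata_fields) with every
    name made absolute; warnings name each field that lacked its trailing dot."""
    records, warnings = [], []
    body = re.sub(r";[^\n]*", "", text)                                # strip comments
    body = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), body)
    for line in body.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        owner, fields = _absolute(tokens[0], origin, warnings), tokens[1:]
        if fields and fields[0].isdigit():                             # optional TTL
            fields = fields[1:]
        if fields and fields[0].upper() == "IN":                       # optional class
            fields = fields[1:]
        if len(fields) < 2:
            continue
        rrtype, rdata = fields[0].upper(), fields[1:]
        if rrtype in NAME_RDATA:
            rdata = [_absolute(rdata[0], origin, warnings)]
        elif rrtype == "SOA":                                          # mname, rname, timers
            rdata = [_absolute(f, origin, warnings) for f in rdata[:2]] + rdata[2:]
        records.append((owner, rrtype, rdata))
    return records, warnings

def check_zones(forward_text, forward_origin, reverse_text, reverse_origin):
    """Cross-check A against PTR records. Returns a sorted list of problems (dot
    warnings included); an empty list means the two files agree."""
    fwd, problems = parse_zone(forward_text, forward_origin)
    rev, rev_warnings = parse_zone(reverse_text, reverse_origin)
    problems += rev_warnings
    suffix = "." + reverse_origin
    a_by_ip = {}
    for owner, rrtype, rdata in fwd:
        if rrtype == "A":
            a_by_ip.setdefault(rdata[0], set()).add(owner)
    ptr_by_owner = {o: r[0] for o, t, r in rev if t == "PTR"}
    for ip, names in a_by_ip.items():
        rev_name = ipaddress.ip_address(ip).reverse_pointer + "."
        if not rev_name.endswith(suffix):
            continue          # e.g. 127.0.0.1: its PTR belongs to another reverse zone
        target = ptr_by_owner.get(rev_name)
        if target is None:
            problems.append(f"{ip}: A record for {sorted(names)} but no PTR")
        elif target not in names:
            problems.append(f"{ip}: PTR says {target} but the A records say {sorted(names)}")
    # "150.168.192.in-addr.arpa." -> "192.168.150", the network the PTR owners sit in
    net = ".".join(reversed(reverse_origin.rstrip(".").split(".")[:-2]))
    for rev_name, target in ptr_by_owner.items():
        ip = net + "." + ".".join(reversed(rev_name[:-len(suffix)].split(".")))
        if ip not in a_by_ip:
            problems.append(f"{rev_name}: PTR -> {target} but no A record for {ip}")
    return sorted(problems)

if __name__ == "__main__":
    for label, zone in (("post's zone", FORWARD_ZONE), ("broken copy", BROKEN_FORWARD)):
        print(label, check_zones(zone, "mydomain.net.", REVERSE_ZONE,
                                 "150.168.192.in-addr.arpa.") or "OK")
```

Run it on the real files by reading them in place of the constants. The post's own zones come back clean; the broken copy reports the relative name (as frantics.mydomain.net.mydomain.net., exactly what BIND would load), the resulting PTR mismatch for 192.168.150.171, and the PTR for 192.168.150.172 that no longer has an A record. This complements, rather than replaces, named-checkzone, which checks syntax but is perfectly happy with a relative name.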
At this point, check the files before touching the daemon: named-checkconf -t /var/named /etc/named.conf parses the config inside the chroot, and named-checkzone mydomain.net /var/named/master/mydomain.net (likewise for the reverse zone with its 150.168.192.in-addr.arpa name) loads each zone file the way named would. Both ship with BIND 9. Then kill and restart named and query it. In nslookup's interactive mode that is:
nslookup
> server localhost
> frantics
You should see something like:
Server: localhost
Address: 127.0.0.1#53
Name: frantics.mydomain.net
Address: 192.168.150.171
/etc/resolv.conf.tail
The DHCP client overwrites /etc/resolv.conf, but then appends whatever's in /etc/resolv.conf.tail to it. So put the following in /etc/resolv.conf.tail so that the firewall's own resolver points at the running nameserver:
nameserver 192.168.150.1
domain mydomain.net
search mydomain.net
lookup bind file
This sets up the firewall as the nameserver to look for, tells what my domain is, says to search foo.mydomain.net when looking for foo, and to look up via bind first and then /etc/hosts. One caveat: dhclient writes the nameserver from the ISP's lease before it appends the tail, and the resolver tries nameservers in the order listed, so the ISP's server still gets asked first unless you override it with supersede domain-name-servers 192.168.150.1; in /etc/dhclient.conf.
/etc/dhcpd.conf
Now is a good time to change dhcpd.conf to hand out your nameserver instead of someone else's (and, so that clients search your domain for short names, option domain-name "mydomain.net"; alongside it):
option domain-name-servers 192.168.150.1;
Save those changes
To save the changes that are in /var, use the following command: tar cf /flash/var.tar -C /var .
That archives the whole of /var as it stands in the RAM disk, which is what flashrd unpacks at the next boot, so check it holds what you expect before rebooting: tar tf /flash/var.tar | grep named/
Might as well save a copy somewhere else too: tar cf /root/named.tar /var/named
Things are saved away as well as they’re going to be; time to reboot and hope you didn’t miss anything!
(This post is part of Building an ALIX firewall)