Setting up BIND on the ALIX firewall

Setting up BIND is probably the part that took more thought than any other when building the firewall. This is not because of any particular technical challenge; rather, BIND is managed by a consortium and its documentation is… voluminous.

In the end, I went with the default /var/named/etc/named.conf on the assumption that it would do the right thing. According to its comment, it does both “recursive and authoritative queries using one cache,” which is what I want.

There are four files that need to change:

  1. /etc/rc.conf
  2. /var/named/etc/named.conf
  3. /var/named/master/ (the forward zone file)
  4. /var/named/master/ (the reverse zone file)

The last two can be named anything, but I stuck with conventions as I saw them.

Unlike everything up to now, the BIND files live under /var/. In flashrd, /var is unpacked from /flash/var.tar into a RAM disk at boot time, so anything you change under /var is lost at the next reboot unless you write it back. Do not reboot until you’ve saved your changes! At the end we’ll put these changes into /flash/var.tar so they get re-created when the device reboots.

To enable named, change:


I used the default named.conf, which is really just a copy of named-simple.conf.

I made one addition in the options section:

       forwarders {; };

This tells named to forward any query it can’t answer from its own zones or its cache to the listed server, in this case Google’s public resolver. (Actually, I put a few DNS servers that were specific to my ISP, but the Google server will work too.) Two things worth knowing: a forwarders line on its own means “try these first”; named still falls back to resolving from the root servers itself unless you also say forward only;. And whatever you forward to, keep recursion restricted to the LAN (allow-recursion in the options section, or a listen-on limited to the inside interface). The firewall should be dropping port 53 from the outside anyway, but a named that answers recursive queries for anyone is an open resolver, and open resolvers get used for amplification attacks.

I also made a few changes near the end:

// Master zones
zone "" {
        type master;
        file "master/";
};

// Reverse mappings for domain
zone "" in {
        type master;
        file "master/";
};

This tells named to serve the forward zone for my domain from the first file in /var/named/master/ and the reverse zone for 192.168.150.* from the second. Note that the reverse zone is named by the network’s octets in reverse order under in-addr.arpa, so 192.168.150.* becomes 150.168.192.in-addr.arpa, and both stanzas need their closing };.

Here’s my forward zone file:

     IN SOA (
     1          ; Serial
     10800      ; Refresh after 3 hours
     3600       ; Retry after 1 hour
     604800     ; Expire after 1 week
     86400 )    ; Minimum TTL of 1 day

; Name Servers
     IN NS

; Host addresses
     IN A
     IN A
     IN A
     IN A
     IN A

The first line says what my domain is called, which machine is its primary nameserver, and publishes my email address as the contact (but note the dot instead of the at sign there: @ has its own meaning in a zone file, where it stands for the zone origin).

The next bit is the serial number and the refresh, retry and expire timers, plus the minimum TTL (current BIND reads that last field as the negative-caching TTL and expects a $TTL line for the default record TTL, warning if it is missing). You’re supposed to bump up the serial number every time you edit, but I usually just kill and restart named. That works here because restarting named reloads the files regardless of the serial; the serial only matters when something, such as a secondary nameserver, compares it to decide whether to fetch the zone again.

After that, I say that the firewall will be the nameserver for the domain.

Next is the interesting bit: the mapping of host names to host addresses. The names must all end in a . because a name without one is relative to the zone origin: BIND appends the domain to it, so a forgotten dot quietly gives you names with the domain tacked on twice. It’s very easy to miss a . in your config file and be confused about why things aren’t working.

Besides mapping names to addresses, DNS also maps addresses back to names (reverse lookup, which is what you see when you nslookup an IP address, for instance). The reverse zone file holds those mappings as PTR records:

     IN SOA (
     1          ; Serial
     10800      ; Refresh after 3 hours
     3600       ; Retry after 1 hour
     604800     ; Expire after 1 week
     86400 )    ; Minimum TTL of 1 day

; Name Servers
     IN NS

; Addresses point to canonical name

Once again, watch for . characters at the end of .arpa. and .net.
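The two zone files and the two named.conf stanzas above all have to agree on the same names, the reverse zone name has to be the network octets reversed under in-addr.arpa, every name needs its trailing dot, and the serial has to move forward. The script below generates all of that from one host table and then lints the result for missing dots. It is an added example, not code from the original post: the domain example.net, the nameserver name fw, the hostmaster mailbox and the host table are assumptions; 192.168.150.0/24 and the SOA timers are the ones the post uses.

```python
"""Generate forward and reverse zone files plus the named.conf zone stanzas
for a small LAN, with every name fully qualified and a serial that always
moves forward.  Added example, not the post's own code: the domain,
the nameserver name and the host table are assumptions."""
import datetime
import ipaddress

DOMAIN = "example.net"           # assumed; the post's own domain is not shown
NETWORK = "192.168.150.0/24"     # the LAN the post's reverse zone covers
NS_HOST = "fw"                   # assumed host name of the firewall
HOSTS = {                        # constructed host table (assumed)
    "fw": "192.168.150.1",
    "desktop": "192.168.150.10",
    "laptop": "192.168.150.11",
}
NAME_TYPES = ("NS", "PTR", "CNAME", "MX", "SOA")   # rdata is a domain name


def fqdn(name: str, domain: str = DOMAIN) -> str:
    """Absolute name with the trailing dot.  Without it BIND appends
    $ORIGIN, and "fw" silently becomes fw.example.net.example.net."""
    name, domain = name.strip("."), domain.strip(".")
    return f"{name}.{domain}." if name else f"{domain}."


def reverse_zone_name(network: str) -> str:
    """192.168.150.0/24 -> 150.168.192.in-addr.arpa (octet-aligned prefixes)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 networks map to one zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def next_serial(previous: int, today: str = None) -> int:
    """YYYYMMDDnn serial, always greater than the previous one so that a
    secondary (or anything else comparing SOA serials) sees the change."""
    today = today or datetime.date.today().strftime("%Y%m%d")
    return max(int(today) * 100, previous + 1)


def soa(zone: str, serial: int) -> str:
    """SOA/NS header with the post's timers.  RNAME is the contact mailbox
    with '.' where '@' would be, since '@' means the origin in a zone file."""
    ns, mailbox = fqdn(NS_HOST), fqdn("hostmaster")
    return (
        "$TTL 86400\n"
        f"{zone} IN SOA {ns} {mailbox} (\n"
        f"        {serial} ; Serial\n"
        "        10800      ; Refresh after 3 hours\n"
        "        3600       ; Retry after 1 hour\n"
        "        604800     ; Expire after 1 week\n"
        "        86400 )    ; Minimum (negative-caching) TTL of 1 day\n"
        f"        IN NS {ns}\n"
    )


def forward_zone(serial: int) -> str:
    out = soa(fqdn(""), serial)
    for host, addr in sorted(HOSTS.items()):
        out += f"{fqdn(host)} IN A {addr}\n"
    return out


def reverse_zone(serial: int) -> str:
    net = ipaddress.ip_network(NETWORK)
    out = soa(reverse_zone_name(NETWORK) + ".", serial)
    for host, addr in sorted(HOSTS.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            raise ValueError(f"{host} ({addr}) is not in {NETWORK}")
        out += f"{ip.reverse_pointer}. IN PTR {fqdn(host)}\n"   # PTR back to the name
    return out


def named_conf_zones() -> str:
    """The two master-zone stanzas; file names follow the post's convention."""
    stanza = 'zone "{0}" {{\n        type master;\n        file "master/{0}";\n}};\n'
    return stanza.format(DOMAIN) + "\n" + stanza.format(reverse_zone_name(NETWORK))


def unqualified_names(zone_text: str) -> list:
    """Return (line, name) for every name missing its trailing dot: owner
    names on lines starting in column 0 and name-valued rdata of
    NS/PTR/CNAME/MX/SOA.  '@' is the origin and A rdata is an address, so
    neither is checked.  Heuristic for the one-record-per-line layout."""
    problems = []
    for num, raw in enumerate(zone_text.splitlines(), 1):
        fields = raw.split(";", 1)[0].split()          # drop comments
        if not fields or fields[0].startswith("$"):
            continue
        idx = [i for i, f in enumerate(fields) if f in NAME_TYPES + ("A",)]
        if not idx:
            continue                                   # SOA timer line etc.
        rrtype = fields[idx[0]]
        rdata = [f for f in fields[idx[0] + 1:] if f != "("]
        names = [] if raw[0].isspace() or fields[0] == "@" else [fields[0]]
        if rrtype == "SOA":
            names += rdata[:2]
        elif rrtype == "MX":
            names += rdata[1:2]
        elif rrtype in ("NS", "PTR", "CNAME"):
            names += rdata[:1]
        problems += [(num, n) for n in names if not n.endswith(".")]
    return problems


if __name__ == "__main__":
    serial = next_serial(1)                            # the post's zone starts at 1
    for text in (named_conf_zones(), forward_zone(serial), reverse_zone(serial)):
        print(text)
```

Run it once, paste the output into named.conf and the two files under /var/named/master/, and run unqualified_names() over any zone file you edit by hand; a record like `www IN CNAME fw` is reported twice, once for the owner and once for the target, which is exactly the mistake the trailing-dot warning above is about.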

At this point, you can kill and restart named, then start nslookup and point it at the local server:

server localhost

Look up one of your hosts and you should see something like:

Server:         localhost


The DHCP client overwrites /etc/resolv.conf, but then appends whatever is in /etc/resolv.conf.tail to what it writes. So let’s tell OpenBSD that the firewall itself is the nameserver. Change /etc/resolv.conf (putting the lines in /etc/resolv.conf.tail if dhclient is managing the file) to point to the running nameserver:

lookup bind file

This names the firewall as the nameserver to query, tells the resolver what my domain is, says which domain to search when looking up a bare name like foo, and (lookup bind file) says to ask DNS first and fall back to /etc/hosts.

Now is a good time to change dhcpd.conf so the machines on the LAN get the firewall as their nameserver instead of someone else’s:

option domain-name-servers;

Save those changes
To save the changes that are in /var, use the following command:

tar cf /flash/var.tar -C /var .

Might as well save a copy somewhere else too:

tar cf /root/named.tar /var/named

Things are saved away as well as they’re going to be; time to reboot and hope you didn’t miss anything!

(This post is part of Building an ALIX firewall)
