Setting up BIND on the ALIX firewall

Setting up BIND is probably the part that took more thought than any other part of building the firewall. This is not because of any particular technical challenge; rather, BIND is managed by a consortium and its documentation is… voluminous.

In the end, I went with the default /var/named/etc/named.conf on the assumption that it would do the right thing. According to its comment, it does both “recursive and authoritative queries using one cache,” which is what I want.

There are four files that need to change:

  1. /etc/rc.conf
  2. /var/named/etc/named.conf
  3. /var/named/master/mydomain.net
  4. /var/named/master/mydomain.net.rev

The last two can be named anything, but I stuck with conventions as I saw them.

Warning
Unlike everything up to now, the BIND files live on /var/. In flashrd, /var gets unpacked at boot time into a RAM disk. So you need to save any changes you make somewhere else. Do not reboot until you’ve saved your changes! Ultimately, we’ll put these changes in /flash/var.tar so they get re-created when the device reboots.

/etc/rc.conf
To enable named, change the named_flags line to:

named_flags=""

/var/named/etc/named.conf
I used the default named.conf, which is really just a copy of named-simple.conf.

I made one addition in the options section:

       forwarders { 8.8.8.8; };

This tells named to forward any query it can’t answer from its own zones or cache to the Google DNS server. (Actually, I put in a few DNS servers that were specific to my ISP, but the Google server will work too.)

I also made a few changes near the end:

// Master zones
//
zone "mydomain.net" {
        type master;
        file "master/mydomain.net";
};

// Reverse mappings for mydomain.net domain
zone "150.168.192.in-addr.arpa" in {
        type master;
        file "master/mydomain.net.rev";
};

This tells named to look in /var/named/master/mydomain.net for mappings of mydomain.net, and to look in /var/named/master/mydomain.net.rev for mappings of 192.168.150.*.

/var/named/master/mydomain.net
Here’s my mydomain.net:

mydomain.net. IN SOA firewall.mydomain.net. myemail.yahoo.com. (
     1          ; Serial
     10800      ; Refresh after 3 hours
     3600       ; Retry after 1 hour
     604800     ; Expire after 1 week
     86400 )    ; Minimum TTL of 1 day

;
; Name Servers
;
mydomain.net.  IN NS   firewall.mydomain.net.

;
; Host addresses
;
localhost.mydomain.net.        IN A    127.0.0.1
firewall.mydomain.net.         IN A    192.168.150.1
firesign.mydomain.net.         IN A    192.168.150.170
frantics.mydomain.net.         IN A    192.168.150.171
bundolo.mydomain.net.          IN A    192.168.150.172

The first bit says my domain is called mydomain.net. I’ve published my email as myemail@yahoo.com (but note the dot instead of the at sign there).

The next bit is the serial number followed by the refresh, retry, expire and minimum-TTL timers. You’re supposed to bump up the serial number every time you edit, since that is what a secondary server compares to decide whether it needs a fresh copy of the zone, but with the firewall as the only nameserver I usually just kill and restart named, which reloads the file regardless.

After that, I say that the firewall will be the nameserver for the domain.

Next is the interesting bit: the mapping of host names to host addresses. The names here are all fully qualified, so every one of them must end in a trailing . because BIND requires it: a name without one is treated as relative to the zone and gets mydomain.net appended, so firewall.mydomain.net silently becomes firewall.mydomain.net.mydomain.net. It’s very easy to miss a . in your config file and be confused about why things aren’t working.

/var/named/master/mydomain.net.rev
Besides mapping names to addresses, DNS usually also maps addresses back to names. This is what you get when you do nslookup 192.168.150.1, for instance. The reverse zone file holds those mappings:

150.168.192.in-addr.arpa. IN SOA firewall.mydomain.net. myemail.yahoo.com. (
     1          ; Serial
     10800      ; Refresh after 3 hours
     3600       ; Retry after 1 hour
     604800     ; Expire after 1 week
     86400 )    ; Minimum TTL of 1 day

;
; Name Servers
;
150.168.192.in-addr.arpa.       IN NS   firewall.mydomain.net.

;
; Addresses point to canonical name
;
1.150.168.192.in-addr.arpa.     IN PTR  firewall.mydomain.net.
170.150.168.192.in-addr.arpa.   IN PTR  firesign.mydomain.net.
171.150.168.192.in-addr.arpa.   IN PTR  frantics.mydomain.net.
172.150.168.192.in-addr.arpa.   IN PTR  bundolo.mydomain.net.

Once again, watch for . characters at the end of .arpa. and .net.
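The two mistakes described above, a forgotten trailing dot and forward and reverse files that no longer agree with each other, are cheap to check for before killing and restarting named. The script below is an added example, not part of the original post or of BIND’s own tools: it reads zone files written the way these are, flags any dotted name that lacks a trailing dot, and cross-checks every A record in the 192.168.150.* network against the PTR records (127.0.0.1 for localhost is deliberately left alone). The function names (zone_records, lint_trailing_dots, check_forward_reverse, write_sample_zones, run_checks) are mine, and the sample zones it writes are constructed from the post’s records with deliberate errors added so there is something to find; point it at /var/named/master/mydomain.net and /var/named/master/mydomain.net.rev to check the real files.

```shell
#!/bin/sh
# Added example (not from the post or from BIND): lint BIND zone files for
# dotted names missing their trailing dot, and cross-check a forward zone
# against its reverse zone. Functions take file paths; the sample zones are
# constructed from the post's records with deliberate ERROR lines.

# Print one "owner type rdata" line per record, skipping comments, $ directives,
# blank lines and the continuation lines of a multi-line SOA.
zone_records() {
    awk '
        { sub(/;.*/, "") }                                 # drop comments
        /^[ \t]*$/ || /^\$/ { next }                        # blank lines, $TTL, $ORIGIN
        inparen { if ($0 ~ /\)/) inparen = 0; next }       # rest of a multi-line SOA
        {
            if ($0 ~ /^[ \t]/) { owner = prev; i = 1 } else { owner = $1; prev = owner; i = 2 }
            if ($i ~ /^[0-9]+$/) i++                       # optional TTL
            if ($i == "IN") i++                            # optional class
            type = $i; rdata = ""
            for (j = i + 1; j <= NF; j++) rdata = rdata (j > i + 1 ? " " : "") $j
            print owner, type, rdata
            if ($0 ~ /\(/ && $0 !~ /\)/) inparen = 1
        }' "$1"
}

# A name that contains a dot but does not end in one is almost always a forgotten
# dot in a file written with fully qualified names; BIND would append the origin.
lint_trailing_dots() {
    zone_records "$1" | awk -v file="$1" '
        BEGIN { bad = 0 }
        function check(n) {
            if (n != "@" && n ~ /\./ && n !~ /\.$/) {
                printf "%s: missing trailing dot: %s\n", file, n; bad = 1
            }
        }
        { check($1) }
        $2 == "NS" || $2 == "PTR" || $2 == "CNAME" { check($3) }
        $2 == "MX"  { check($4) }
        $2 == "SOA" { check($3); check($4) }
        END { exit bad }'
}

# Every A record inside the reverse zone's network needs a PTR pointing back at
# the same name, and every PTR needs a matching A record. Returns 1 on mismatch.
check_forward_reverse() {
    { zone_records "$1" | sed 's/^/F /'; zone_records "$2" | sed 's/^/R /'; } | awk '
        BEGIN { bad = 0 }
        # 150.168.192.in-addr.arpa. -> prefix 192.168.150. ; only that network needs PTRs
        $1 == "R" && $3 == "SOA" { split($2, o, "."); prefix = o[3] "." o[2] "." o[1] "." }
        $1 == "F" && $3 == "A"   { a[$2] = $4 }
        $1 == "R" && $3 == "PTR" { split($2, o, "."); ptr[o[4] "." o[3] "." o[2] "." o[1]] = $4 }
        END {
            for (n in a) {
                if (index(a[n], prefix) != 1) continue
                if (!(a[n] in ptr)) { printf "A without PTR: %s %s\n", n, a[n]; bad = 1 }
                else if (ptr[a[n]] != n) { printf "PTR for %s is %s, A record is %s\n", a[n], ptr[a[n]], n; bad = 1 }
            }
            for (ip in ptr) if (!(ptr[ip] in a)) { printf "PTR without A: %s %s\n", ip, ptr[ip]; bad = 1 }
            exit bad
        }'
}

# Constructed sample zones: the post's records plus deliberate mistakes (ERROR),
# written to DIR/mydomain.net and DIR/mydomain.net.rev.
write_sample_zones() {
    cat > "$1/mydomain.net" <<'EOF'
$TTL 86400
mydomain.net. IN SOA firewall.mydomain.net. myemail.yahoo.com. ( 2 ; serial
     10800 3600 604800 86400 )
mydomain.net.            IN NS   firewall.mydomain.net.
localhost.mydomain.net.  IN A    127.0.0.1
firewall.mydomain.net.   IN A    192.168.150.1
frantics.mydomain.net    IN A    192.168.150.171   ; ERROR: trailing dot missing
bundolo.mydomain.net.    IN A    192.168.150.172
newbox.mydomain.net.     IN A    192.168.150.174   ; ERROR: no PTR in the reverse zone
EOF
    cat > "$1/mydomain.net.rev" <<'EOF'
$TTL 86400
150.168.192.in-addr.arpa. IN SOA firewall.mydomain.net. myemail.yahoo.com. ( 2 10800 3600 604800 86400 )
150.168.192.in-addr.arpa.       IN NS   firewall.mydomain.net.
1.150.168.192.in-addr.arpa.     IN PTR  firewall.mydomain.net.
171.150.168.192.in-addr.arpa.   IN PTR  frantics.mydomain.net.
172.150.168.192.in-addr.arpa.   IN PTR  bundolo.mydomain.net.
173.150.168.192.in-addr.arpa.   IN PTR  oldbox.mydomain.net.   ; ERROR: no A record for this host
EOF
}

# Exit 0 only when both lints and the cross-check pass.
run_checks() {
    lint_trailing_dots "$1"; r1=$?; lint_trailing_dots "$2"; r2=$?
    check_forward_reverse "$1" "$2"; r3=$?
    [ "$r1$r2$r3" = 000 ]
}

if [ "${1:-}" = --demo ]; then                       # sh zonecheck.sh --demo
    d=$(mktemp -d); write_sample_zones "$d"
    run_checks "$d/mydomain.net" "$d/mydomain.net.rev" && echo "zones look consistent"
    rm -rf "$d"
elif [ $# -eq 2 ]; then                              # sh zonecheck.sh FORWARD-ZONE REVERSE-ZONE
    run_checks "$1" "$2" && echo "zones look consistent"
fi
```

Run with --demo to see the four findings on the sample zones (the missing dot on frantics shows up twice, once as a name mismatch and once as a PTR with no A record, because the forward owner is really frantics.mydomain.net.mydomain.net. once BIND appends the origin). This is worth running alongside BIND’s own named-checkzone: that tool checks syntax, and a name that merely lacks its dot is still syntactically valid, so it loads without complaint.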

At this point, you can kill and restart named, then:

nslookup
server localhost
frantics

You should see something like:

Server:         localhost
Address:        127.0.0.1#53

Name:   frantics.mydomain.net
Address: 192.168.150.171

/etc/resolv.conf.tail
The DHCP client overwrites /etc/resolv.conf, but then appends whatever’s in /etc/resolv.conf.tail to it. So put the following in /etc/resolv.conf.tail to point the firewall’s own resolver at the running nameserver:

nameserver 192.168.150.1
domain mydomain.net
search mydomain.net
lookup bind file

This points the resolver at the firewall as its nameserver, states what my domain is, says to try foo.mydomain.net when looking for foo, and says to ask bind (DNS) first and /etc/hosts second.

/etc/dhcpd.conf
Now is a good time to change dhcpd.conf so that it hands out your nameserver instead of someone else’s:

option domain-name-servers 192.168.150.1;

Save those changes
To save the changes that are in /var, use the following command:

tar cf /flash/var.tar -C /var .

Might as well save a copy somewhere else too:

tar cf /root/named.tar /var/named

Things are saved away as well as they’re going to be; time to reboot and hope you didn’t miss anything!
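A way to take the hoping out of that reboot, as an added example that is not part of the original post or of flashrd: before rebooting, confirm that every BIND file is actually inside /flash/var.tar and identical to the live copy under /var. That also catches the easy mistake of saving, editing named.conf once more, and then rebooting on the stale archive. The function name check_var_tar is my own; it assumes the archive was written exactly as above (tar cf /flash/var.tar -C /var .), so that members are stored as ./named/etc/named.conf and so on, and it only runs its real check when /flash/var.tar exists.

```shell
#!/bin/sh
# Added example (not from the post or flashrd): verify that /flash/var.tar holds
# a current copy of the BIND files before rebooting a box whose /var is a RAM disk.
# Assumes the archive was written with "tar cf /flash/var.tar -C /var ." so that
# members are named ./named/etc/named.conf etc.

# usage: check_var_tar TARBALL VARDIR RELPATH...
# Returns 0 when every RELPATH is in TARBALL and matches VARDIR/RELPATH byte for
# byte; prints MISSING or STALE for each file that is not, and returns 1.
check_var_tar() {
    tarball=$1; vardir=$2; shift 2
    tmp=$(mktemp -d) || return 2
    rc=0
    listing=$(tar tf "$tarball")
    for rel in "$@"; do
        if ! printf '%s\n' "$listing" | grep -qxF "./$rel"; then
            echo "MISSING from $tarball: $rel"; rc=1; continue
        fi
        # extract just this member and compare it with the live file
        tar xf "$tarball" -C "$tmp" "./$rel"
        if ! cmp -s "$tmp/$rel" "$vardir/$rel"; then
            echo "STALE in $tarball: $rel differs from $vardir/$rel"; rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# The files this post changes; run with no arguments on the firewall itself.
if [ $# -eq 0 ] && [ -f /flash/var.tar ]; then
    check_var_tar /flash/var.tar /var \
        named/etc/named.conf named/master/mydomain.net named/master/mydomain.net.rev \
        && echo "/flash/var.tar is up to date; safe to reboot"
fi
```

If it reports STALE, rerun the tar command above and check again; if it reports MISSING, the file was never under /var when the archive was made, which usually means it was written to the wrong path.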

(This post is part of Building an ALIX firewall)
