Setting up a FreeBSD DNS Configuration
edited by: Tom Anderson
Introduction
In this document we give an example of how to set up a DNS server on FreeBSD. Much of this information was gleaned from the "FreeBSD Handbook".
The default FreeBSD DNS daemon is called 'named'; it is the BIND 8 name server (also available from the ports tree as /usr/ports/net/bind8). The directory '/etc/namedb' is where named looks for its configuration file and its zone files.
The following files are of interest to us and we will create/edit them along the way:
named.conf
db.example.org
example.org-reverse
localhost.rev
In this document we show how to create/edit these files to configure a DNS server which serves a local network and asks two outside DNS servers whenever it doesn't know the answer itself.
The basic network layout used throughout: the name server ns.example.org has the address 192.168.1.1 and is authoritative for the domain example.org and for the 192.168.1.0/24 network it sits on; everything it cannot answer from its own zones is forwarded to two DNS servers outside the local network (typically your provider's).
named.conf
This file already exists in /etc/namedb by default, so we only have to edit it. Here is an example of how it should look:
---
options {
    directory "/etc/namedb";            // where the zone files named below are found
    forwarders {
        [dns-server 1]; [dns-server 2]; // replace with the addresses of your outside DNS servers
    };
    // Send our own queries from port 53 so a firewall can let them through.
    // A fixed, well-known source port makes forged answers easier to inject
    // (only the 16-bit query ID is left to guess); use "port *" when your
    // firewall allows it.
    query-source address * port 53;
};
zone "." {
    type hint;
    file "named.root";                  // list of the root name servers
};
zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "localhost.rev";
};
zone "example.org" {
    type master;
    file "db.example.org";
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "example.org-reverse";
};
---
What does all this mean?
forwarders
A list of DNS servers, each entry terminated by a semicolon (don't forget the last one). If your DNS server doesn't know the answer it asks these servers first. Without an additional "forward only;" statement it falls back to resolving the name itself, starting from the root servers, when the forwarders don't answer.
query-source address
With this option you can force the DNS server to send its own queries from a fixed address and port, which is handy when those queries have to pass a firewall. Be aware of the price: an attacker who wants to slip a forged answer into your cache has to hit the right destination port and the right 16-bit query ID, and a fixed port 53 removes the first of those two unknowns. If your firewall can be taught to let the replies back in anyway, prefer "port *" so the source port is at least not a publicly known value.
zone "."
This is the hint zone: the file 'named.root' lists the root name servers, which is where a lookup starts when nothing else is known. That list changes rarely, so the file seldom needs editing, but check for an updated copy now and then.
zone "0.0.127.IN-ADDR.ARPA"
The reverse zone for the loopback network, so that 127.0.0.1 resolves back to localhost without asking anybody else.
zone "example.org"
This specifies the file in which the DNS server can find the information about the domain 'example.org'.
zone "1.168.192.in-addr.arpa"
This zone is used for reverse lookups (address to name). As you might notice, the octets of the address appear backwards and the last one is missing. The reason is that DNS delegates from the right: the most general part of a name (org, then example) comes last, whereas the most general part of an IP address (the 192.168.1 network) comes first. Writing the network octets in reverse order under in-addr.arpa puts the network at the end, where the delegation happens, and the host octet that is left over becomes the name of the PTR record inside the zone: 192.168.1.100 is looked up as 100.1.168.192.in-addr.arpa.
db.example.org
This is the zone file for your domain. Here is an example:
---
$TTL 86400
example.org. IN SOA ns.example.org. admin.example.org. (
    2001022201 ; Serial (YYYYMMDD plus 2 digit revision)
    86400      ; refresh (1 day)
    7200       ; retry (2 hours)
    8640000    ; expire (100 days)
    86400 )    ; minimum (1 day)
           IN NS    ns.example.org.
           IN MX 10 mail.example.org.
ns         IN A     192.168.1.1
mail       IN A     192.168.1.1   ; the MX target needs an address record; here it is the same host as ns
sun        IN A     192.168.1.100
moon       IN A     192.168.1.101
maan       IN CNAME moon
---
NOTE: Comments in these files are marked with semicolons, not with hashes as in most other configuration files.
Every fully qualified name (example.org., ns.example.org., mail.example.org.) ends in a dot. That dot HAS to be there: without it named treats the name as relative to the zone and appends the origin, so 'ns.example.org' silently becomes 'ns.example.org.example.org.'. Forgetting it is the most common mistake in zone files. Short names without a dot (ns, sun, moon) are relative on purpose.
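The following shell function is an added example, not code from the original page or from the FreeBSD Handbook, that scans a zone file for exactly this mistake. The function name and the heuristic (a record target that contains a dot but does not end in one is almost certainly a forgotten trailing dot) are my own; the sample zone used in the usage comment is the db.example.org from above.

```shell
#!/bin/sh
# check_fqdn_dots < zonefile
# Added example: flags NS, MX, CNAME, PTR and SOA targets that contain a dot
# but do not end in one.  Such a name is almost always meant to be fully
# qualified, yet named will append the origin to it (ns.example.org becomes
# ns.example.org.example.org.).  Plain relative names such as "moon" are fine.
# Prints one line per suspicious record and returns 1 if any were found.
check_fqdn_dots() {
    awk '
    { sub(/;.*/, "") }                  # drop comments
    /^[ \t]*$/ { next }                 # skip blank lines
    {
        type = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "NS" || $i == "CNAME" || $i == "PTR") { type = $i; target = $(i + 1); break }
            if ($i == "MX")  { type = $i; target = $(i + 2); break }                 # skip the preference
            if ($i == "SOA") { type = $i; target = $(i + 1) " " $(i + 2); break }   # mname and rname
        }
        if (type == "") next
        n = split(target, names, " ")
        for (j = 1; j <= n; j++) {
            name = names[j]
            if (index(name, ".") > 0 && substr(name, length(name)) != ".") {
                printf "line %d: %s target \"%s\" has dots but no trailing dot\n", NR, type, name
                bad = 1
            }
        }
    }
    END { exit bad ? 1 : 0 }'
}

# Usage: check_fqdn_dots < /etc/namedb/db.example.org
if [ $# -eq 1 ]; then
    check_fqdn_dots < "$1"
fi
```

Run it over every zone file before starting named; a non-zero exit status tells you which line to look at. A and PTR owner names are deliberately not checked, since a relative owner such as '100' or 'sun' is the normal case.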
$TTL
The default time to live for every record in the file that has no TTL of its own: how long, in seconds, other name servers may cache an answer. It has to be at the top of the file.
SOA
Short for Start Of Authority. It is followed by the name of the primary name server for the zone and the e-mail address of the administrator of the DNS server. As you might notice, there is no at sign in the e-mail address: '@' has a different meaning in a zone file (it stands for the zone's own name, the origin, and is used that way as the first field of the reverse zone files below), so the at sign in admin@example.org is written as a dot: admin.example.org. The five numbers in parentheses are the serial (next paragraph) and the timers a secondary server uses: how often to check for a new serial (refresh), how soon to try again after a failed check (retry), how long to keep serving the zone without reaching the master (expire), and how long a "no such name" answer may be cached (minimum).
Serial
This is the serial number of the zone. It must be increased every time the file changes, because secondary servers only fetch a new copy when they see a bigger number. A good structure is YYYYMMDD plus two digits: the year in four digits, the month, the day and a revision number for when you edit the zone more than once a day (2001022201 is the first edit of 22 February 2001). Keep the month before the day: a date written as YYYYDDMM does not sort in time order (31 January becomes 20013101, but 1 February only 20010102), so the serial would go backwards and the secondaries would ignore your update.
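As an added example (not from the original page) that makes the "never go backwards" rule concrete, here is a small shell function that computes the next serial from the one currently in the SOA record and today's date. The function name and its three rules are my own: same day means bump the revision, a later day means today's date with revision 01, and a serial that is already ahead of today (a clock that was wrong, or somebody who typed a bigger number) is simply incremented rather than lowered.

```shell
#!/bin/sh
# next_serial OLD TODAY
#   OLD   : the serial currently in the SOA record (10 digits, YYYYMMDDnn)
#   TODAY : today's date as YYYYMMDD, e.g. $(date +%Y%m%d)
# Prints the serial to put in the edited zone.  Added example; the rules are:
#   - same day as OLD        -> increment the two-digit revision
#   - a later day than OLD   -> TODAY followed by 01
#   - OLD already ahead      -> OLD + 1, because the serial must never decrease
next_serial() {
    old=$1
    today=$2
    case "$old" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "next_serial: '$old' is not a YYYYMMDDnn serial" >&2; return 1 ;;
    esac
    case "$today" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "next_serial: '$today' is not a YYYYMMDD date" >&2; return 1 ;;
    esac
    old_date=${old%??}          # first 8 digits: the date part
    old_rev=${old#????????}     # last 2 digits: the revision
    if [ "$old_date" = "$today" ]; then
        if [ "$old_rev" = "99" ]; then
            echo "next_serial: 99 revisions already used today" >&2
            return 1
        fi
        # strip a leading zero so "08" is not read as an octal number
        printf '%s%02d\n' "$today" $((${old_rev#0} + 1))
    elif [ "$old_date" -lt "$today" ]; then
        printf '%s01\n' "$today"
    else
        printf '%d\n' $((old + 1))
    fi
}

# Usage: next_serial 2001022201 "$(date +%Y%m%d)"
if [ $# -eq 2 ]; then
    next_serial "$1" "$2"
fi
```

Edit the zone file, then replace the serial with what this prints; if it refuses the old value, the zone does not use the date form and you should just add one to whatever is there.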
IN NS ns.example.org.
This tells the DNS server, and everybody who asks it, that 'ns.example.org' is the authoritative name server for this zone. A record without a name in the first column belongs to the name of the previous record, so these NS and MX records attach to example.org. itself.
In this case the authoritative name server is in the same domain (example.org) as the zone it serves. Here is a more realistic example: a zone for a second domain that is served by the same name server:
---
$TTL 86400
mydomain.org. IN SOA ns.example.org. admin.example.org. (
    2001022201 ; Serial (YYYYMMDD plus 2 digit revision)
    86400      ; refresh (1 day)
    7200       ; retry (2 hours)
    8640000    ; expire (100 days)
    86400 )    ; minimum (1 day)
              IN NS    ns.example.org.
              IN MX 10 mail.example.org.
mydomain.org. IN A     211.211.211.211
www           IN A     212.212.212.212
db            IN A     213.213.213.213
---
As you can see, an A record for the bare domain name has been added (so that 'mydomain.org' itself resolves, not only www.mydomain.org), and the MX record sends mail for this domain to mail.example.org. The example.org names are still in here because ns.example.org is the authoritative name server for mydomain.org as well. To actually serve this zone, named.conf needs a matching stanza (zone "mydomain.org" { type master; file "db.mydomain.org"; };).
example.org-reverse
This file is used for reverse lookups. The '@' stands for the zone name given in named.conf, 1.168.192.in-addr.arpa, and the name of each record is the last octet of the address it describes.
---
$TTL 86400
@   IN SOA ns.example.org. admin.example.org. (
    2001022200 ; Serial (YYYYMMDD plus 2 digit revision)
    86400      ; refresh (1 day)
    7200       ; retry (2 hours)
    8640000    ; expire (100 days)
    86400 )    ; minimum (1 day)
    IN NS  ns.example.org.
1   IN PTR ns.example.org.
100 IN PTR sun.example.org.
101 IN PTR moon.example.org.
---
PTR
PTR stands for Pointer: the record maps an address back to a name. Every A record in db.example.org should have a matching PTR here, one per address, with the name written out in full and the trailing dot included. Forward and reverse entries that disagree are a classic source of trouble: many mail servers and log analysers treat such hosts with suspicion.
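The two points made above, that the zone name is the network's octets in reverse order and that the PTR records must mirror the A records, are easy to get wrong by hand. Here is an added example, not from the original page, of two shell functions that derive both from the forward data: reverse_zone turns a network such as 192.168.1.0/24 into 1.168.192.in-addr.arpa, and gen_ptr reads a forward zone file and prints the PTR lines for the addresses in that network, keeping only the first A record per address (a reverse zone should carry one PTR per address). Function names, the /24-only restriction and the sample zone in the test are my own; the addresses are the ones used on this page.

```shell
#!/bin/sh
# Added example: derive the reverse zone name for a network and generate the
# PTR records from a forward zone file, so the reverse file cannot drift away
# from db.example.org.

# reverse_zone NETWORK/PREFIXLEN -> in-addr.arpa zone name
#   192.168.1.0/24 -> 1.168.192.in-addr.arpa ; 10.0.0.0/8 -> 10.in-addr.arpa
# Only /8, /16 and /24 correspond to exactly one in-addr.arpa zone; anything
# else needs a classless delegation and is refused here.
reverse_zone() {
    net=${1%/*}
    len=${1#*/}
    case "$len" in
        8|16|24) ;;
        *) echo "reverse_zone: /$len is not an octet boundary" >&2; return 1 ;;
    esac
    echo "$net" | awk -F. -v keep=$((len / 8)) '{
        name = "in-addr.arpa"
        for (i = 1; i <= keep; i++) name = $i "." name   # reversed; host octets dropped
        print name
    }'
}

# gen_ptr ORIGIN NETWORK/24 < forward_zone_file
#   Reads the A records of the forward zone and prints "HOST IN PTR name."
#   for every address inside NETWORK.  Relative owner names are made absolute
#   with ORIGIN; "@" means ORIGIN itself.  Only the first A record for an
#   address gets a PTR; further ones are reported on stderr and skipped.
gen_ptr() {
    origin=$1
    case "$origin" in *.) ;; *) origin="$origin." ;; esac
    case "${2#*/}" in
        24) ;;
        *) echo "gen_ptr: only /24 networks are handled" >&2; return 1 ;;
    esac
    net=${2%/*}
    prefix=${net%.*}              # 192.168.1.0 -> 192.168.1
    awk -v origin="$origin" -v prefix="$prefix" '
        { sub(/;.*/, "") }                        # drop comments
        NF >= 3 && $(NF - 1) == "A" {             # "OWNER [IN] A ADDRESS"
            owner = $1; addr = $NF
            if (owner == "@") { owner = origin }
            else if (substr(owner, length(owner)) != ".") { owner = owner "." origin }
            if (index(addr, prefix ".") != 1) next       # address outside our network
            host = substr(addr, length(prefix) + 2)      # the last octet
            if (host in seen) {
                printf "gen_ptr: %s already points to %s, skipping %s\n", addr, seen[host], owner > "/dev/stderr"
                next
            }
            seen[host] = owner
            printf "%-4s IN PTR %s\n", host, owner
        }'
}

# Usage: gen_ptr example.org 192.168.1.0/24 < /etc/namedb/db.example.org
if [ $# -eq 2 ]; then
    gen_ptr "$1" "$2"
fi
```

Paste the output below the SOA and NS records of example.org-reverse. CNAME records such as 'maan' produce nothing, which is correct: a reverse lookup should return the canonical host name, never an alias.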
localhost.rev
This file just maps 127.0.0.1 back to localhost; here '@' stands for 0.0.127.IN-ADDR.ARPA.
---
$TTL 3600
@   IN SOA ns.example.org. admin.example.org. (
    2001022200 ; Serial
    3600       ; Refresh
    900        ; Retry
    3600000    ; Expire
    3600 )     ; Minimum
    IN NS  ns.example.org.
1   IN PTR localhost.example.org.
---
Starting the DNS server
Now that you have created/edited all the necessary config files you want to start your server. You can do this by hand by typing (as root) '/usr/sbin/named'. Then check /var/log/messages for errors: named logs a line for every zone it loaded, with the serial, and complains about any zone file it could not parse. If your server runs without errors, change '/etc/resolv.conf' to match the following:
---
domain example.org
nameserver 192.168.1.1
---
Now start nslookup and query your server for one of the hosts in your zone file, for a reverse lookup (192.168.1.100 should come back as sun.example.org) and for a name outside your domain, to check that forwarding works too.
If all this works you'll probably want to start the DNS server automatically when your machine boots. Put the following lines in '/etc/rc.conf':
---
named_enable="YES"
named_program="/usr/sbin/named"
named_flags="-u bind -g bind"
---
Lastly, make sure the user and group 'bind' exist (look in /etc/passwd and /etc/group, and create them with pw if they are missing). If you don't start named with this user and group it runs as root:wheel, and then any bug in named that can be triggered with a crafted packet, which is exactly what a DNS server is exposed to all day, hands the attacker root on your machine. With -u and -g, named gives up root right after binding port 53, so a compromise is confined to what the bind user can reach. Because of this, the zone files in /etc/namedb must be readable by the bind user, while nothing in that directory needs to be writable by it for a master-only setup like this one.