Bind package for pfsense 2.1
-
The bind documentation is really rich on internet. Most part of this packages was written based on it. chroot and dnssec are a good example of that.
I do not have that free time to spend on documentation guide. I do my best on field descriptions and a left to right configuration style package.
IMHO you need to know something about the package you are configuring on your network to prevent serious security problems.
Thank's for testing this package. This week I'll put in production and based on result change it to release or stable version.
-
I hear ya – I will be more than happy to put up some docs in the wiki, etc.. With pictures for the basic users on bring up a zone for example -- what you have to highlight, and how to work through the tabs left to right, etc.
And your field descriptions are very good to be honest!! Just needs a overall how to doc is all for the users that don't know the basics. I am very limited in my understanding of dnssec and jails myself - but I am more than happy to get more familiar with both for my own benefit and helping in documentation on using your great package!!
And I am with you - you allowing for enabling dnssec in bind via a gui, does not mean you have the time to write a how to for dnsses. And I would prefer actually that you spend your time enabling great features in your interface..
This looks to me to be one of the all time great packages for pfsense.. But as of now it seems to me there is something that the user needs to do other than click that check box to get dnssec to work.. Maybe a note about understanding dnssec and its requirements in the field would work for now ;) I checked it just playing around and it broke bind for my my local zone. That is not on you -- that is just lack of understanding on my part as well - same with chroot and jails, that is on me to understand.
Was just a note that it can be confusing for us that don't understand jails and such while the log says its loading one path, when that path is not really the actual path.
-
I just wanted to chime in and say this package is brilliant. Everything works beautifully, and while polish would be some Wiki Docs as others have mentioned, the core of it works great and any BIND veteran will be very pleased with this.
I cannot say how frustrated I've been that the tinydns package crashes all the time when attempting to set up a multi-vlan response (not to mention how difficult it is to set one up with it to begin with…NAT to localhost et al).
People should note that BIND of course has been the subject of MANY flaws over the years and if you plan on using it on your FIREWALL you should probably not allow BIND access to external networks or even untrusted (guest) internal ones if you are very paranoid. Even with chroot there is the potential for issues. Having said all that, the ability to use this for multi-view internal VLANs is priceless and head and shoulders above anything else.
-Q
-
So far so good. Working flawless on my network. ;D
I'll test sync code today.
-
I've updated the package with some fixes and improvements. :)
What's new on bind 0.3 RC package?
-
Backup/restore dnssec keys to xml option
-
A lot of logging options
-
Moved bind logs do Resolver tab on system logs(may require a reboot or restart on syslogd)
-
Add forward zone type
-
Enable/disable zone option
-
Fixed sync code. Backup servers receive zones configured on master server as slave
-
-
Anybody else testing it? I'm planning to change status to release as it's running fine here.
-
I updated this morning with no issues.. I have my local.lan forward running and 2 ptr's setup working great. Have not had time to play with dnssec or zone transfers.
I liked how you linked to info for dnssec and give the actual configs in the gui, etc. This is a rocking package!!
-
I've included an extra field(custom zone records) on zone configuration tab with no package version bump.
This way you can do a intermediate/faster server migration.
Also tested backup DNSSEC keys on master and restore on slave. All working fine! ;D
-
enable dnssec validation?
I have played with adding custom options to enable dnssec validation - but not working..
So if I query my ubuntu box that has bind installed as just a resolver I can get the AD flag showing zone was validated via dnssec
; <<>> DiG 9.9.4 <<>> @192.168.1.7 pir.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60520
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 9;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org. IN A;; ANSWER SECTION:
pir.org. 300 IN A 50.63.189.22
pir.org. 300 IN RRSIG A 5 2 300 20131109085000 20131026085000 51527 pir.org. tZk+v1mE8zRnwxGZZ21F6vCOSLMMPoJu3LTJVn4gWp5ZZMWZgQ7aPHAr NMr4xffHPtfHcWGImIr2Tc0eMGbbCBLbz2IVCAtq0bfGW8RDJpEOhFyh nTByNna4ggQaMfn0anAg4Q+yIaptfINI0Dtl3tSziWk8RNY02mNaY8gz Aqw=But if I query pfsense no AD flag?
; <<>> DiG 9.9.4 <<>> @192.168.1.253 pir.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9091
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 8;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org. IN A;; ANSWER SECTION:
pir.org. 300 IN A 50.63.189.22
pir.org. 300 IN RRSIG A 5 2 300 20131109085000 20131026085000 51527 pir.org. tZk+v1mE8zRnwxGZZ21F6vCOSLMMPoJu3LTJVn4gWp5ZZMWZgQ7aPHAr NMr4xffHPtfHcWGImIr2Tc0eMGbbCBLbz2IVCAtq0bfGW8RDJpEOhFyh nTByNna4ggQaMfn0anAg4Q+yIaptfINI0Dtl3tSziWk8RNY02mNaY8gz Aqw=So how do enabled dnssec validation so that say if go to site like this - shows protected? http://dnssectest.sidn.nl
-
Does this package integrate well with the pfsense DHCP? I have the Dynamic DNS enabled on the DHCP settings but I'm unable to get my DNS zone to update. Mods, please move my post to a different thread if it doesn't belong in here.
In my DNS zone, the updates are allowed from an IP range (192.168.1/24)
acl "192.168" { 192.168/16; }; acl "192.168.1" { 192.168.1/24; }; view "myzone.lan" { recursion yes; match-clients { any;}; allow-recursion { any;}; zone "internal.myzone.lan" { type master; file "/etc/namedb/master/myzone.lan/internal.myzone.lan.DB"; allow-update { 192.168;}; allow-query { any;}; allow-transfer { none;}; # look for dnssec keys here: key-directory "/etc/namedb/keys"; # publish and activate dnssec keys: auto-dnssec maintain; # use inline signing: inline-signing yes; }; zone "192.168.1.in-addr.arpa" { type master; file "/etc/namedb/master/myzone.lan/192.168.1.DB"; allow-update { 192.168.1;}; allow-query { any;}; allow-transfer { none;}; };Thanks!
-
I have an Internet connection via the satellite. Therefore I feel need in increase in ttl.
Marcelloc, can you add the option "min-cache-ttl" in your package? Description in russian here http://alex-at.ru/linux/bind-9-6-0-p1-ttl. And patch is:diff -Nabdur bind-9.6.0-P1.orig/bin/named/config.c bind-9.6.0-P1/bin/named/config.c --- bind-9.6.0-P1.orig/bin/named/config.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/bin/named/config.c 2009-05-22 12:31:35.000000000 +0400 @@ -129,6 +129,8 @@ min-roots 2;\n\ lame-ttl 600;\n\ max-ncache-ttl 10800; /* 3 hours */\n\ + override-cache-ttl 0; /* do not override */\n\ + min-cache-ttl 0; /* no minimal, zero is allowed */\n\ max-cache-ttl 604800; /* 1 week */\n\ transfer-format many-answers;\n\ max-cache-size 0;\n\ diff -Nabdur bind-9.6.0-P1.orig/bin/named/server.c bind-9.6.0-P1/bin/named/server.c --- bind-9.6.0-P1.orig/bin/named/server.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/bin/named/server.c 2009-05-22 12:32:18.000000000 +0400 @@ -1727,6 +1727,16 @@ CHECK(mustbesecure(obj, view->resolver)); obj = NULL; + result = ns_config_get(maps, "override-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->overridecachettl = cfg_obj_asuint32(obj); + + obj = NULL; + result = ns_config_get(maps, "min-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->mincachettl = cfg_obj_asuint32(obj); + + obj = NULL; result = ns_config_get(maps, "max-cache-ttl", &obj); INSIST(result == ISC_R_SUCCESS); view->maxcachettl = cfg_obj_asuint32(obj); diff -Nabdur bind-9.6.0-P1.orig/lib/dns/include/dns/view.h bind-9.6.0-P1/lib/dns/include/dns/view.h --- bind-9.6.0-P1.orig/lib/dns/include/dns/view.h 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/lib/dns/include/dns/view.h 2009-05-22 12:29:03.000000000 +0400 @@ -131,6 +131,8 @@ isc_boolean_t provideixfr; isc_boolean_t requestnsid; dns_ttl_t maxcachettl; + dns_ttl_t mincachettl; + dns_ttl_t overridecachettl; dns_ttl_t maxncachettl; in_port_t dstport; dns_aclenv_t aclenv; diff -Nabdur bind-9.6.0-P1.orig/lib/dns/resolver.c bind-9.6.0-P1/lib/dns/resolver.c --- bind-9.6.0-P1.orig/lib/dns/resolver.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/lib/dns/resolver.c 2009-05-22 12:30:41.000000000 +0400 @@ -4054,6 +4054,18 @@ } /* + * Enforce the configure cache TTL override. + */ + if (res->view->overridecachettl) + rdataset->ttl = res->view->overridecachettl; + + /* + * Enforce the configure minimum cache TTL. + */ + if (rdataset->ttl < res->view->mincachettl) + rdataset->ttl = res->view->mincachettl; + + /* * Enforce the configure maximum cache TTL. */ if (rdataset->ttl > res->view->maxcachettl) diff -Nabdur bind-9.6.0-P1.orig/lib/isccfg/namedconf.c bind-9.6.0-P1/lib/isccfg/namedconf.c --- bind-9.6.0-P1.orig/lib/isccfg/namedconf.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/lib/isccfg/namedconf.c 2009-05-22 12:31:21.000000000 +0400 @@ -821,6 +821,8 @@ { "lame-ttl", &cfg_type_uint32, 0 }, { "max-acache-size", &cfg_type_sizenodefault, 0 }, { "max-cache-size", &cfg_type_sizenodefault, 0 }, + { "override-cache-ttl", &cfg_type_uint32, 0 }, + { "min-cache-ttl", &cfg_type_uint32, 0 }, { "max-cache-ttl", &cfg_type_uint32, 0 }, { "max-clients-per-query", &cfg_type_uint32, 0 }, { "max-ncache-ttl", &cfg_type_uint32, 0 }, -
Marcelloc, can you add the option "min-cache-ttl" in your package?
I can't compile binaries to official repo. :(
It will need a freebsd ports patch on bind before we can include it on pfsense compile options.
-
So how do enabled dnssec validation so that say if go to site like this - shows protected? http://dnssectest.sidn.nl
I have no idea. What tests are these?
-
But if I query pfsense no AD flag?
Maybe it's related to this?
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/242956 -
It is a test that dns your using is validating dnssec info.
As you saw my ubuntu box running default bind install as recursive server reflects that dnssec was validated with the AD flag when used +dnssec.
google dns for example as enabled dnssec validation even if client does not request.. So you can see below that simple query to googledns without +dnssec still returns the AD flag for a domain that passes validation.. While a domain that does not have it does not
; <<>> DiG 9.9.2-P1 <<>> @8.8.8.8 pir.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38390
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1; <<>> DiG 9.9.2-P1 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63693
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1If I set my client to use google dns the above test site states that my dns is validating
What I would like is bind to do dnssec validation even when not specifically requested via +dnssec - but I can not seem to get it to the validation even with +dnssec flag..
Ok got it to work with below options, seems setting to yes for validation requires to add keys, while auto loads the keys included with bind.
dnssec-enable yes;
dnssec-validation auto;now what is odd is that test site is saying permissive.. but I doubt that is the case to be honest.. since if I try query a zone that broken dnssec get servfail like it should
; <<>> DiG 9.9.2-P1 <<>> www.rhybar.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52165
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1If I query the site via a resolver that does not do validation I get an answer
; <<>> DiG 9.9.2-P1 <<>> @4.2.2.2 www.rhybar.cz
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.rhybar.cz. IN A
;; ANSWER SECTION:
www.rhybar.cz. 600 IN A 217.31.205.51So it seems to be working correctly - but what is odd is that that test shows google is not permissive? But bind on pfsense is? Odd maybe I will email them about that aspect of their test.
-
Anybody else testing it? I'm planning to change status to release as it's running fine here.
When you added $ORIGIN, reverse lookup broke, a simple if statement will fix it:
if($zonereverso == "on") $zone_conf .= "\$ORIGIN {$zonename}.in-addr.arpa.\n"; else $zone_conf .= "\$ORIGIN {$zonename}.\n";-Q
-
When you added $ORIGIN, reverse lookup broke, a simple if statement will fix it:
-
Does this package integrate well with the pfsense DHCP?
Are you getting any error on logs?
Can you increase log debugging to see what is wrong.
Are your internal dnssec zone working?
-
marcelloc
Thanks for creating this BIND packge for pfSense. And thanks for fixing it yesterday! I am new to pfSense and was trying to set up my domain with your package and banging my head trying to figure out why the reverse domain kept failing to load. I turned on extra debugging to see what the error was, then manually edited the zone file to add the rest of the proper SOA suffix (in-addr.arpa.) and it worked. Then I noticed this post and checked out the version history on the package and re-installed it. Edited/saved my reverse zone and now I see the GUI puts in the proper SOA syntax.
Thanks again! ;D
-
Are you getting any error on logs?
Here's an example of the server storage1 trying to update it's DNS record. The entry storage1 doesn't exist in bind yet as I want it to be automatically created when a DHCP lease is given. If the entry already exists, it would be simply updated.
named[95868]: client 192.168.1.6#57928: view internal: updating zone 'internal.myzone.lan/IN': update unsuccessful: storage1.internal.myzone.lan/TXT: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
From reading bind documentation, the DHCP server would need a shared key with Bind in order to allow the creation of a new entry (not just updating an entry). In the current pfsense GUI, there's no option to add custom commands or parameters.
Are your internal dnssec zone working?
I was using dnssec but to keep things simple I disabled it. It's not being used anymore
