Bind package for pfsense 2.1
-
I've included an extra field(custom zone records) on zone configuration tab with no package version bump.
This way you can do a intermediate/faster server migration.
Also tested backup DNSSEC keys on master and restore on slave. All working fine! ;D
-
enable dnssec validation?
I have played with adding custom options to enable dnssec validation - but not working..
So if I query my ubuntu box that has bind installed as just a resolver I can get the AD flag showing zone was validated via dnssec
; <<>> DiG 9.9.4 <<>> @192.168.1.7 pir.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60520
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 9;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org. IN A;; ANSWER SECTION:
pir.org. 300 IN A 50.63.189.22
pir.org. 300 IN RRSIG A 5 2 300 20131109085000 20131026085000 51527 pir.org. tZk+v1mE8zRnwxGZZ21F6vCOSLMMPoJu3LTJVn4gWp5ZZMWZgQ7aPHAr NMr4xffHPtfHcWGImIr2Tc0eMGbbCBLbz2IVCAtq0bfGW8RDJpEOhFyh nTByNna4ggQaMfn0anAg4Q+yIaptfINI0Dtl3tSziWk8RNY02mNaY8gz Aqw=But if I query pfsense no AD flag?
; <<>> DiG 9.9.4 <<>> @192.168.1.253 pir.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9091
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 8;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org. IN A;; ANSWER SECTION:
pir.org. 300 IN A 50.63.189.22
pir.org. 300 IN RRSIG A 5 2 300 20131109085000 20131026085000 51527 pir.org. tZk+v1mE8zRnwxGZZ21F6vCOSLMMPoJu3LTJVn4gWp5ZZMWZgQ7aPHAr NMr4xffHPtfHcWGImIr2Tc0eMGbbCBLbz2IVCAtq0bfGW8RDJpEOhFyh nTByNna4ggQaMfn0anAg4Q+yIaptfINI0Dtl3tSziWk8RNY02mNaY8gz Aqw=So how do enabled dnssec validation so that say if go to site like this - shows protected? http://dnssectest.sidn.nl
-
Does this package integrate well with the pfsense DHCP? I have the Dynamic DNS enabled on the DHCP settings but I'm unable to get my DNS zone to update. Mods, please move my post to a different thread if it doesn't belong in here.
In my DNS zone, the updates are allowed from an IP range (192.168.1/24)
acl "192.168" { 192.168/16; }; acl "192.168.1" { 192.168.1/24; }; view "myzone.lan" { recursion yes; match-clients { any;}; allow-recursion { any;}; zone "internal.myzone.lan" { type master; file "/etc/namedb/master/myzone.lan/internal.myzone.lan.DB"; allow-update { 192.168;}; allow-query { any;}; allow-transfer { none;}; # look for dnssec keys here: key-directory "/etc/namedb/keys"; # publish and activate dnssec keys: auto-dnssec maintain; # use inline signing: inline-signing yes; }; zone "192.168.1.in-addr.arpa" { type master; file "/etc/namedb/master/myzone.lan/192.168.1.DB"; allow-update { 192.168.1;}; allow-query { any;}; allow-transfer { none;}; };Thanks!
-
I have an Internet connection via the satellite. Therefore I feel need in increase in ttl.
Marcelloc, can you add the option "min-cache-ttl" in your package? Description in russian here http://alex-at.ru/linux/bind-9-6-0-p1-ttl. And patch is:diff -Nabdur bind-9.6.0-P1.orig/bin/named/config.c bind-9.6.0-P1/bin/named/config.c --- bind-9.6.0-P1.orig/bin/named/config.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/bin/named/config.c 2009-05-22 12:31:35.000000000 +0400 @@ -129,6 +129,8 @@ min-roots 2;\n\ lame-ttl 600;\n\ max-ncache-ttl 10800; /* 3 hours */\n\ + override-cache-ttl 0; /* do not override */\n\ + min-cache-ttl 0; /* no minimal, zero is allowed */\n\ max-cache-ttl 604800; /* 1 week */\n\ transfer-format many-answers;\n\ max-cache-size 0;\n\ diff -Nabdur bind-9.6.0-P1.orig/bin/named/server.c bind-9.6.0-P1/bin/named/server.c --- bind-9.6.0-P1.orig/bin/named/server.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/bin/named/server.c 2009-05-22 12:32:18.000000000 +0400 @@ -1727,6 +1727,16 @@ CHECK(mustbesecure(obj, view->resolver)); obj = NULL; + result = ns_config_get(maps, "override-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->overridecachettl = cfg_obj_asuint32(obj); + + obj = NULL; + result = ns_config_get(maps, "min-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->mincachettl = cfg_obj_asuint32(obj); + + obj = NULL; result = ns_config_get(maps, "max-cache-ttl", &obj); INSIST(result == ISC_R_SUCCESS); view->maxcachettl = cfg_obj_asuint32(obj); diff -Nabdur bind-9.6.0-P1.orig/lib/dns/include/dns/view.h bind-9.6.0-P1/lib/dns/include/dns/view.h --- bind-9.6.0-P1.orig/lib/dns/include/dns/view.h 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/lib/dns/include/dns/view.h 2009-05-22 12:29:03.000000000 +0400 @@ -131,6 +131,8 @@ isc_boolean_t provideixfr; isc_boolean_t requestnsid; dns_ttl_t maxcachettl; + dns_ttl_t mincachettl; + dns_ttl_t overridecachettl; dns_ttl_t maxncachettl; in_port_t dstport; dns_aclenv_t aclenv; diff -Nabdur bind-9.6.0-P1.orig/lib/dns/resolver.c bind-9.6.0-P1/lib/dns/resolver.c --- bind-9.6.0-P1.orig/lib/dns/resolver.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/lib/dns/resolver.c 2009-05-22 12:30:41.000000000 +0400 @@ -4054,6 +4054,18 @@ } /* + * Enforce the configure cache TTL override. + */ + if (res->view->overridecachettl) + rdataset->ttl = res->view->overridecachettl; + + /* + * Enforce the configure minimum cache TTL. + */ + if (rdataset->ttl < res->view->mincachettl) + rdataset->ttl = res->view->mincachettl; + + /* * Enforce the configure maximum cache TTL. */ if (rdataset->ttl > res->view->maxcachettl) diff -Nabdur bind-9.6.0-P1.orig/lib/isccfg/namedconf.c bind-9.6.0-P1/lib/isccfg/namedconf.c --- bind-9.6.0-P1.orig/lib/isccfg/namedconf.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/lib/isccfg/namedconf.c 2009-05-22 12:31:21.000000000 +0400 @@ -821,6 +821,8 @@ { "lame-ttl", &cfg_type_uint32, 0 }, { "max-acache-size", &cfg_type_sizenodefault, 0 }, { "max-cache-size", &cfg_type_sizenodefault, 0 }, + { "override-cache-ttl", &cfg_type_uint32, 0 }, + { "min-cache-ttl", &cfg_type_uint32, 0 }, { "max-cache-ttl", &cfg_type_uint32, 0 }, { "max-clients-per-query", &cfg_type_uint32, 0 }, { "max-ncache-ttl", &cfg_type_uint32, 0 }, -
Marcelloc, can you add the option "min-cache-ttl" in your package?
I can't compile binaries to official repo. :(
It will need a freebsd ports patch on bind before we can include it on pfsense compile options.
-
So how do enabled dnssec validation so that say if go to site like this - shows protected? http://dnssectest.sidn.nl
I have no idea. What tests are these?
-
But if I query pfsense no AD flag?
Maybe it's related to this?
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/242956 -
It is a test that dns your using is validating dnssec info.
As you saw my ubuntu box running default bind install as recursive server reflects that dnssec was validated with the AD flag when used +dnssec.
google dns for example as enabled dnssec validation even if client does not request.. So you can see below that simple query to googledns without +dnssec still returns the AD flag for a domain that passes validation.. While a domain that does not have it does not
; <<>> DiG 9.9.2-P1 <<>> @8.8.8.8 pir.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38390
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1; <<>> DiG 9.9.2-P1 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63693
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1If I set my client to use google dns the above test site states that my dns is validating
What I would like is bind to do dnssec validation even when not specifically requested via +dnssec - but I can not seem to get it to the validation even with +dnssec flag..
Ok got it to work with below options, seems setting to yes for validation requires to add keys, while auto loads the keys included with bind.
dnssec-enable yes;
dnssec-validation auto;now what is odd is that test site is saying permissive.. but I doubt that is the case to be honest.. since if I try query a zone that broken dnssec get servfail like it should
; <<>> DiG 9.9.2-P1 <<>> www.rhybar.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52165
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1If I query the site via a resolver that does not do validation I get an answer
; <<>> DiG 9.9.2-P1 <<>> @4.2.2.2 www.rhybar.cz
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.rhybar.cz. IN A
;; ANSWER SECTION:
www.rhybar.cz. 600 IN A 217.31.205.51So it seems to be working correctly - but what is odd is that that test shows google is not permissive? But bind on pfsense is? Odd maybe I will email them about that aspect of their test.
-
Anybody else testing it? I'm planning to change status to release as it's running fine here.
When you added $ORIGIN, reverse lookup broke, a simple if statement will fix it:
if($zonereverso == "on") $zone_conf .= "\$ORIGIN {$zonename}.in-addr.arpa.\n"; else $zone_conf .= "\$ORIGIN {$zonename}.\n";-Q
-
When you added $ORIGIN, reverse lookup broke, a simple if statement will fix it:
-
Does this package integrate well with the pfsense DHCP?
Are you getting any error on logs?
Can you increase log debugging to see what is wrong.
Are your internal dnssec zone working?
-
marcelloc
Thanks for creating this BIND packge for pfSense. And thanks for fixing it yesterday! I am new to pfSense and was trying to set up my domain with your package and banging my head trying to figure out why the reverse domain kept failing to load. I turned on extra debugging to see what the error was, then manually edited the zone file to add the rest of the proper SOA suffix (in-addr.arpa.) and it worked. Then I noticed this post and checked out the version history on the package and re-installed it. Edited/saved my reverse zone and now I see the GUI puts in the proper SOA syntax.
Thanks again! ;D
-
Are you getting any error on logs?
Here's an example of the server storage1 trying to update it's DNS record. The entry storage1 doesn't exist in bind yet as I want it to be automatically created when a DHCP lease is given. If the entry already exists, it would be simply updated.
named[95868]: client 192.168.1.6#57928: view internal: updating zone 'internal.myzone.lan/IN': update unsuccessful: storage1.internal.myzone.lan/TXT: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
From reading bind documentation, the DHCP server would need a shared key with Bind in order to allow the creation of a new entry (not just updating an entry). In the current pfsense GUI, there's no option to add custom commands or parameters.
Are your internal dnssec zone working?
I was using dnssec but to keep things simple I disabled it. It's not being used anymore
-
In the current pfsense GUI, there's no option to add custom commands or parameters.
It has custom options fields on almost all gui tabs.
What additional configuration do you need?
-
I may be going in the wrong direction, I've been following the steps outlined from here http://www.semicomplete.com/articles/dynamic-dns-with-dhcp/#id2255991/ and therefore I would have liked to use a common key between dhcpd and bind in order to authorize the creation of new entries in bind.
-
This is nice and I might just switch to this from unbound!
But….
If I select listen on all interfaces, you generate:
options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
statistics-file "/var/log/named.stats";
max-cache-size 256M;
listen-on-v6 { Any; };
listen-on { Any; };
version "N/A";};
That's good. However I don't want it to listen on the WAN interface, so if I select individual interfaces other than the WAN interfaces, you generate:
options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
statistics-file "/var/log/named.stats";
max-cache-size 256M;
listen-on-v6 { none; }; <------------- This is bad!!!
listen-on { 192.168.4.1; 192.168.0.1; 24.98.144.135; 127.0.0.1; };
version "N/A";};
What? No IPV6 support???
-
Oh! And another thing. If I disable bind, then reboot… it is restarted anyway!
-
What? No IPV6 support???
Do you have ipv6 address assigned to any interface?
bind found these (192.168.4.1; 192.168.0.1; 24.98.144.135; 127.0.0.1; )
-
Oh! And another thing. If I disable bind, then reboot… it is restarted anyway!
Disable on gui or just stop the service?
-
Of course. All interfaces have IPV6 addresses, but it seems the config generating script didn't find them. And yes to answer your other question, disabled (or rather, not enabled) in the GUI. Great package though. I've switched to it and rely on the firewall to block IPV6 DNS queries from the WAN interface.
I think it may be a timing thing (as in the time when the config file is generated) since it missed one of the IPV4 addresses and IPV6 address allocation is a little slower than IPV4 address allocation since IPV6 must receive IPV6 router advertisements before it can configure its IPV6 subnets.
