Tinydns and dnscache for external DNS?
-
Hello,
I have recently registered in this forum, because I am having problems I have not been able to solve by searching the forums and reading documentation. I will try to be as detailed as possible without revealing my actual network addresses, so please excuse me if this post turns out a bit long.
I have the following scenario:
A box with pfSense 2.0.3 i386, with interfaces WAN, LAN and OPT
A box with Zentyal and two interfaces, one connected to OPT and another to the LAN
The internal box must provide a blog, mail and webmail services, both to the LAN and to WAN, but it has DNS entries that should only be available to the LAN, and not only does Zentyal not provide a GUI for managing BIND views, but any modification done by hand is lost in upgrades. So I thought about installing the dns-server package in pfSense, and creating there only the records that should be served to the public.
The problem is that my ISP gives me a block of IPv4 addresses with netmask 29, using a classless delegation.
Let's suppose my network has the fictitious address a.b.c.d/29, the router is taking a.b.c.e, the WAN of pfSense is taking a.b.c.f, and the internal box (the mailserver) is taking a.b.c.g (via NAT 1:1 to the OPT interface address)
My ISP is doing something like this:
g.c.b.a.in-addr.arpa CNAME g.d/29.c.b.a.in-addr.arpa
As hard as I have tried to make the DNS resolve external queries for the PTR to my mailserver, it just won't work, which means there are many servers that will not accept my email.
In the pfSense GUI, I have made records for the types SOA, NS, MX, A (enabling the checkmark for reverse lookup), but however I edit the entries, the PTR of the mailserver simply does not resolve. Besides, I am having problems with dnscache, no matter what interface or IP (or none) I declare to it, it does not seem to work (even when obviously enabled, and I made sure by uninstalling the dns-server packages, removing all tinydns/dnscache entries from /var/etc and reinstalling the package)
I have even edited the file /var/etc/tinydns/data by hand, and entered things like these:
^g.d/29.c.b.a.in-addr.arpa:mail.mydomain.tld
^g.d\05729.c.b.a.in-addr.arpa:mail.mydomain.tld
I made that file immutable so changes would not be lost because of other changes and ran tinydns-data afterwards, but still the only way I managed for the PTR to resolve was disabling dnscache and binding tinydns to the external IP, but then again when querying via dig -x a.b.c.g, it only worked when using the +norecurse parameter (and the external IP address as nameserver, obviously).
I tried leaving it this way for a few days to see if changes would replicate to my ISP's nameservers (to which I have given permission to do zone transfers both in the DNS server options and enabling incoming from them to the port TCP/53 of the WAN)
To my surprise not only the changes never replicated, but in those days the DNS service went down once or twice a day at random times for no apparent reason (since I made no other modification).
I tried binding tinydns to 127.0.0.1, disabling dnscache and using dnsmasq instead of dnscache, but apparently pfSense does not permit both installing dns-server and enabling the DNS Forwarder (dnsmasq). So I tried writing a configuration file by hand in /usr/local/etc/dnsmasq.conf with the options no-host, no-resolve, listen-address=a.b.c.f and server=127.0.0.1 but it was useless.
Now to put the ice on the cake the DNS is not working at all even when I reverted all changes made by hand, blanked and reset the options in the GUI, and rebooted several times.
My only easy option left is to save the configuration and restore it, but I have my doubts that when I save, the problem is saved too.
My last option would be to reset pfSense to default and do the configuration again from the ground, but I would certainly prefer to avoid doing that again. And besides, I would still find the problem of the required PTR to my mailserver.
So what I actually need is quite simply the procedure to make tinydns bind to 127.0.0.1, and dnscache query only that specific nameserver and bind itself to the WAN and answer the queries from any external address whatsoever.
I hope the information I have provided is enough. Please, help.
Regards, Hugo
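Added example (not from the post or from pfSense/tinydns): it builds the names involved in the classless (RFC 2317) reverse delegation the post describes, in the same layout the ISP uses (g.d/29.c.b.a.in-addr.arpa), and emits both sides as tinydns-data lines, escaping the slash as octal \057 the way the post's second attempt does. The addresses and hostname are constructed from the 198.51.100.0/24 documentation range.

```python
# Added example (not from the original post): RFC 2317 classless in-addr.arpa
# delegation for a sub-/24 block, expressed as tinydns-data records.
# Sample values are constructed (198.51.100.0/24 documentation range).
import ipaddress


def reverse_name(ip: str) -> str:
    """Standard PTR owner name, e.g. 11.100.51.198.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def classless_zone(network: str) -> str:
    """RFC 2317 zone name: <first-host-octet>/<prefix>.c.b.a.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=True)
    if not (25 <= net.prefixlen <= 32):
        raise ValueError("classless delegation applies to blocks smaller than /24")
    a, b, c, d = str(net.network_address).split(".")
    return f"{d}/{net.prefixlen}.{c}.{b}.{a}.in-addr.arpa"


def classless_ptr_name(ip: str, network: str) -> str:
    """Owner name of the PTR inside the classless zone: <host-octet>.<zone>."""
    net = ipaddress.ip_network(network, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {network}")
    return f"{str(addr).split('.')[-1]}.{classless_zone(network)}"


def tinydns_escape(name: str) -> str:
    """tinydns-data accepts \\ooo octal escapes; '/' is 0o57, hence \\057."""
    return "".join(
        ch if ch.isalnum() or ch in ".-" else f"\\{ord(ch):03o}" for ch in name
    )


def delegation_records(ip: str, network: str, hostname: str) -> dict:
    """Both halves of the delegation as tinydns-data lines (C = CNAME, ^ = PTR)."""
    target = tinydns_escape(classless_ptr_name(ip, network))
    return {
        # Published by the parent (the ISP) for every address in the block.
        "isp_cname": f"C{reverse_name(ip)}:{target}",
        # Published by the delegatee: the CNAME target must resolve to a PTR.
        "our_ptr": f"^{target}:{hostname}",
    }


if __name__ == "__main__":
    recs = delegation_records("198.51.100.11", "198.51.100.8/29", "mail.example.net")
    print("\n".join(recs.values()))
```

The `our_ptr` line is the one that has to live in the delegatee's data file; without the matching `isp_cname` entry at the parent, a `dig -x` from outside never reaches it.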
-
Never mind, I solved the problems saving and restoring the configuration, uninstalling the dns-server package and installing nsd from the FreeBSD ports instead. Configuring it was easy and it does work with classless delegation (apparently even some root servers are now using it instead of BIND).
One doubt though:
I tried using /etc/rc.conf.local for starting the service, but this did not work as expected. So I added the line to launch the service to the end of /etc/rc (before the exit instruction), but this seems a little hackish.
Is there a more proper place to call custom scripts or commands at system startup?