    BIND Package (or similar functioning authoritative DNS server)

    pfSense Packages
    52 Posts 19 Posters 18.2k Views
      rhyskoedijk

      Hi Sven,

      First of all, thanks for putting this package together, great work!
      I'm having a bit of an issue getting BIND to start after following your instructions, just wondering if you have any ideas as to what might be wrong?

      I have set up the BIND server in the pfSense UI, clicked save, the changes seem to stick in the UI just fine (if I reload the page), but the service fails to start.
      The log file shows…

      
      Jun 1 18:54:26	named	42941	exiting (due to fatal error)
      Jun 1 18:54:26	named	42941	loading configuration: failure
      Jun 1 18:54:26	named	42941	/etc/namedb/named.conf:27: missing ';' before '}'
      Jun 1 18:54:26	named	42941	loading configuration from '/etc/namedb/named.conf'
      Jun 1 18:54:26	named	42941	using up to 4096 sockets
      Jun 1 18:54:26	named	42941	using 8 UDP listeners per interface
      Jun 1 18:54:26	named	42941	found 16 CPUs, using 16 worker threads
      Jun 1 18:54:26	named	42941	----------------------------------------------------
      Jun 1 18:54:26	named	42941	available at https://www.isc.org/support
      Jun 1 18:54:26	named	42941	corporation. Support and training for BIND 9 are
      Jun 1 18:54:26	named	42941	Inc. (ISC), a non-profit 501(c)(3) public-benefit
      Jun 1 18:54:26	named	42941	BIND 9 is maintained by Internet Systems Consortium,
      Jun 1 18:54:26	named	42941	----------------------------------------------------
      Jun 1 18:54:26	named	42941	built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-ledit' '--sysconfdir=/usr/local/etc/namedb' '--disable-fetchlimit' '--disable-filter-aaaa' '--disable-fixed-rrset' '--without-geoip' '--with-idn=/usr/local' '--enable-ipv6' '--disable-largefile' '--disable-newstats' '--without-python' '--disable-querytrace' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--enable-rrl' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--without-gssapi' '--with-openssl=/usr' '--disable-native-pkcs11' '--without-gost' '--enable-threads' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.3' 'build_alias=amd64-portbld-freebsd10.3' 'CC=cc' 'CFLAGS=-O2 -pipe -isystem /usr/local/include -DLIBICONV_PLUG -fstack-protector -fno-strict-aliasing' 'LDFLAGS= -L/usr/local/lib -fstack-protector' 'LIBS=' 'CPPFLAGS=-isystem /usr/local/include -DLIBICONV_PLUG' 'CPP=cpp'
      Jun 1 18:54:26	named	42941	starting BIND 9.10.3-P4 <id:ebd72b3> -c /etc/namedb/named.conf -u bind -t /cf/named/
      

      The config file in /usr/local/etc/namedb/named.conf doesn't appear to reflect the settings from the UI either.
      By my count, line 27 of the config file is a comment line?! Is this the correct file? Are the UI settings being saved somewhere else?

      
      // $FreeBSD$
      //
      // Refer to the named.conf(5) and named(8) man pages, and the documentation
      // in /usr/local/share/doc/bind for more details.
      //
      // If you are going to set up an authoritative server, make sure you
      // understand the hairy details of how DNS works.  Even with
      // simple mistakes, you can break connectivity for affected parties,
      // or cause huge amounts of useless Internet traffic.
      
      options {
              // All file and path names are relative to the chroot directory,
              // if any, and should be fully qualified.
              directory       "/usr/local/etc/namedb/working";
              pid-file        "/var/run/named/pid";
              dump-file       "/var/dump/named_dump.db";
              statistics-file "/var/stats/named.stats";
      
      // If named is being used only as a local resolver, this is a safe default.
      // For named to be accessible to the network, comment this option, specify
      // the proper IP address, or delete this option.
              listen-on       { 127.0.0.1; };
      
      // If you have IPv6 enabled on this system, uncomment this option for
      // use as a local resolver.  To give access to the network, specify
      // an IPv6 address, or the keyword "any".
      //      listen-on-v6    { ::1; };
      
      // These zones are already covered by the empty zones listed below.
      // If you remove the related empty zones below, comment these lines out.
              disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
              disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
              disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
      
      // If you've got a DNS server around at your upstream provider, enter
      // its IP address here, and enable the line below.  This will make you
      // benefit from its cache, thus reduce overall DNS traffic in the Internet.
      /*
              forwarders {
                      127.0.0.1;
              };
      */
      
      

      Any leads on where to go with this? Was there anything else required beyond just disabling the other DNS services and installing the packages in the specified order?
      Thanks in advance

      ===========
      EDIT

      I've attached a copy of the HTTP response I get from pfSense when saving the configuration in the UI. The response is "302 Moved", is this normal?

      ![Screen Shot 2016-06-01 at 7.21.09 PM.png](/public/imported_attachments/1/Screen Shot 2016-06-01 at 7.21.09 PM.png)

        Scissorfish

        @rhyskoedijk:

        /etc/namedb/named.conf:27: missing ';' before '}'
        check your config

        Installed bind yesterday on 2.3.3_1 and it is working flawlessly so far

          voleatech

          Hi,

          the configs are actually saved in a chrooted dir, /cf/named/.

          Can you check the file in there? It should be /cf/named/etc/namedb/named.conf and let me know what it looks like on line 27?

          The 302 is not an issue.

          Best
          Sven

          Voleatech
          pfSense Select Partner

            voleatech

            Hi,

            the package is merged and should be available soon.

            Please let me know of any problems.

            Best
            Sven

            Voleatech
            pfSense Select Partner

              rhyskoedijk

              Hi,

              I checked the /cf/namedb/etc/namedb directory and found that it was because of this…

              
                      forwarders { 8.8.8.8;8.8.4.4 };

              When it needed to be…

                      forwarders { 8.8.8.8;8.8.4.4; };

              In the UI it states you need to separate IPs with a semi-colon, but I didn't realise you also need to end the string with a semi-colon too.
              Maybe the hint message could be a bit more clear about this, or the server-side could just ensure it terminates the string with a semi-colon when writing out to the configuration file?

              All working now though, thanks.

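A server-side check for that field, as an added example that is not part of the pfSense BIND package or its maintainer's code: a POSIX shell function that takes the forwarders string exactly as typed into the GUI, accepts it with or without the trailing semicolon, rejects anything that is not an IPv4 or IPv6 literal, and emits a syntactically complete `forwarders { ...; };` statement. The input format (addresses separated by semicolons) is the one described in the post above; the function names, the sample inputs and the optional named-checkconf call against the /cf/named chroot are this example's own assumptions. Validating the entries matters beyond the missing semicolon: the post shows the field being copied into named.conf as typed, so anything BIND's parser accepts in that position ends up in the running configuration.

```shell
#!/bin/sh
# Added example, not code from the pfSense BIND package: normalise the GUI
# "forwarders" field into a valid named.conf statement.  Assumed input
# format (from the thread): IP addresses separated by ';', trailing ';'
# optional, e.g. "8.8.8.8;8.8.4.4" or "8.8.8.8;8.8.4.4;".

# is_ip ADDR: returns 0 for an IPv4 dotted quad (four octets, each 0-255)
# or an IPv6 literal (hex digits and colons only), 1 for anything else.
is_ip() {
    case "$1" in
        *:*)
            # IPv6: reject as soon as a non-hex, non-colon character appears.
            case "$1" in *[!0-9a-fA-F:]*) return 1 ;; esac
            return 0 ;;
        *.*.*.*)
            # Split on '.', with globbing off so user input cannot expand.
            _oldifs=$IFS; IFS=.; set -f
            set -- $1
            set +f; IFS=$_oldifs
            [ $# -eq 4 ] || return 1
            for _o in "$@"; do
                case "$_o" in ''|*[!0-9]*) return 1 ;; esac
                [ "$_o" -le 255 ] || return 1
            done
            return 0 ;;
    esac
    return 1
}

# bind_forwarders FIELD: prints "forwarders { a; b; };" and returns 0, or
# prints an error on stderr and returns 1 if the field is empty or holds an
# entry that is not an IP address.  Blanks around entries and empty entries
# (a doubled or trailing ';') are tolerated, so the user's trailing ';' is
# no longer a syntax error.
bind_forwarders() {
    _out=""
    _oldifs=$IFS; IFS=';'; set -f
    set -- $1
    set +f; IFS=$_oldifs
    for _entry in "$@"; do
        _entry=$(printf '%s' "$_entry" | tr -d ' \t')
        [ -n "$_entry" ] || continue
        if ! is_ip "$_entry"; then
            echo "bind_forwarders: '$_entry' is not an IP address" >&2
            return 1
        fi
        _out="$_out $_entry;"
    done
    [ -n "$_out" ] || { echo "bind_forwarders: no forwarders given" >&2; return 1; }
    printf 'forwarders {%s };\n' "$_out"
}

# check_named_conf FILE: run BIND's own parser over FILE inside the
# /cf/named chroot (the package starts named with "-t /cf/named/", so FILE
# is a chroot-relative path such as /etc/namedb/named.conf).  Skipped when
# the tool is absent, e.g. on a machine that is not the firewall.
check_named_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t /cf/named "$1"
    else
        echo "named-checkconf not found; skipping syntax check" >&2
        return 0
    fi
}

# Demonstration on the two strings from the thread plus one bad entry
# (constructed inputs, not taken from a real firewall):
bind_forwarders '8.8.8.8;8.8.4.4'    # prints: forwarders { 8.8.8.8; 8.8.4.4; };
bind_forwarders '8.8.8.8;8.8.4.4;'   # same output: the trailing ';' no longer matters
bind_forwarders '8.8.8.8;dns.example' || echo "rejected, nothing written"
```

On the firewall, `check_named_conf /etc/namedb/named.conf` reports the line number of whatever is still wrong after the field has been normalised, which is the quickest way to turn a "missing ';' before '}'" message like the one in the first post into a fix before named is restarted.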
                voleatech

                Hi,

                thanks for the feedback.

                We will change the text for that field to make it clear that a semi-colon has to be added at the end as well.
                It will be in the next update of the package.

                Best
                Sven

                Voleatech
                pfSense Select Partner

                  opty

                  Just upgraded from pfSense 2.2 with BIND to pfSense 2.3.1 without any problem; the new BIND is working perfectly.

                  Thanks for your work

                    Cybertoy

                    Hi,

                    Thanks for the hard work that was put into this. I just upgraded from 2.2.6 to 2.3.1 and it worked nearly flawlessly. After the upgrade I had to log in though and set the nameserver to 8.8.8.8 manually so that it was able to download all packages. After that everything installed itself, including BIND.

                    ciao,
                    Cybertoy

                      asterix

                      Would you know how to get the below google safesearch info in pfSense BIND DNS?

                      server: include: /var/unbound/forecegoogle.conf

                        asterix

                        @Asterix:

                        Would you know how to get the below google safesearch info in pfSense BIND DNS?

                        server: include: /var/unbound/forecegoogle.conf

                        Anyone?

                          voleatech

                          Hi,

                          From looking at it briefly, the file does not have a format that BIND will understand.
                          You have to take the entries and create a new zone with them in bind.

                          Best
                          Sven

                            MROX

                            HI,

                            I have been using bind already for years, but pfsense since a couple of months, where I bought a SG-4860. With the upgrade to 2.3.2, I was thinking of installing bind as a slave server on the pfsense. In principle, I have bind working fine, as long as I specify the config via /cf/named/etc/namedb/named.conf manually.

                            I did the following that goes wrong:
                            a - In the View custom options, in a Windows browser, I entered multiple options with a carriage return and new line.
                            b - in the named.conf of the pfsense, I can see the ^M from the windows browser.

                            To be sure, I stopped the named service, edited the named.conf by removing the ^M and started this again, to make sure it was working fine, which it does. With the ^M, I had bind behavior which I did not expect.

                            Now the problem and questions:
                            1 - When I edit the same view again by changing another option, the view custom options is back to the old situation with ^M
                            2 - I noticed that the backup of the config file using pfsense Web UI is not storing any of the manual changes to named.conf.

                            So clearly, the Web UI settings are stored somewhere else and used for the backup.
                            I am perfectly fine to backup the named.conf manually, but prefer this automatically if at all possible with pfsense backup and restore functionality.

                            So
                            i. is there any way to fix the ^M behavior?
                            ii. Where are the Web UI settings stored? Can I enter my BIND settings there on the command line to work around this Windows browser issue, so that with any backup and restore my named changes are stored automatically? (Unfortunately, I have no Linux browser to work around this; also I noticed in the XML backup file that the custom options are encrypted, not plain text, otherwise I would have changed it in the XML file.)

                            Thanks,

                              CaptainElmo

                              Upgraded from 2.2.6 to 2.3.2 and the named service won't start. It gives no error and produces no system logs. No other service is using port 53 and the bind configs were all working under the previous version.

                              Ideas on where to start troubleshooting?

                                voleatech

                                @MROX:

                                Now the problem and questions:
                                1 - When I edit the same view again by changing another option, the view custom options is back to the old situation with ^M
                                2 - I noticed that the backup of the config file using pfsense Web UI is not storing any of the manual changes to named.conf.

                                So clearly, the Web UI settings are stored somewhere else and used for the backup.
                                I am perfectly fine to backup the named.conf manually, but prefer this automatically if at all possible with pfsense backup and restore functionality.

                                So
                                i. is there any way to fix the ^M behavior?
                                ii. Where are the Web UI settings stored? Can I enter my BIND settings there on the command line to work around this Windows browser issue, so that with any backup and restore my named changes are stored automatically? (Unfortunately, I have no Linux browser to work around this; also I noticed in the XML backup file that the custom options are encrypted, not plain text, otherwise I would have changed it in the XML file.)

                                Thanks,

                                Hi Mrox,

                                configs are always saved in the config.xml of pfSense.
                                Since you are using a browser to set the configs there should not be a ^M, since that is a newline in Windows-encoded text files.
                                Maybe you are copying from a text file?
                                You can try using Notepad++ or another editor: create a UTF-8 file, type your config, and then copy and paste that into the custom field.

                                Best
                                Sven

                                Voleatech
                                pfSense Select Partner

                                  voleatech

                                  @CaptainElmo:

                                  Upgraded from 2.2.6 to 2.3.2 and the named service won't start. It gives no error and produces no system logs. No other service is using port 53 and the bind configs were all working under the previous version.

                                  Ideas on where to start troubleshooting?

                                  Hi,

                                  that is odd.
                                  You can start by looking in /var/log/system.log for error messages or /var/log/resolver.log .
                                  Can you see any error when you start the daemon?

                                  Best
                                  Sven

                                  Voleatech
                                  pfSense Select Partner

                                    CaptainElmo

                                    Hello Sven. Thank you for doing this - I'm super excited to get this working.

                                    When I click the start arrow on the named service from the dashboard page it spins for about 10 seconds like it is starting up but then stops spinning without starting. There are no error messages. The resolver.log only contains entries from filterdns about some failures in resolving aliases saved under Firewall->Aliases. The system.log has nothing pertaining to the BIND package or the named service.

                                    I'm at a complete loss as to how to troubleshoot this. Of course the first thing I tried was to uninstall the BIND package and re-install but that didn't fix it. Then I tried removing all of the zones in case there was a damaged zone causing trouble, but that didn't fix it either.

                                      sgoldtho

                                      Currently running pfSense:
                                        2.3.2-RELEASE (i386)
                                        built on Tue Jul 19 13:09:39 CDT 2016
                                        FreeBSD 10.3-RELEASE-p5

                                      With BIND:
                                        9.10_9 GUI
                                        9.10.4P2 bind package

                                      The named service doesn't start and there are no entries in either the system or resolver logs.

                                      Can BIND be started from the command prompt? It may give an indication as to what is "not" happening.

                                      Thanks,
                                      Steve

                                        wxop

                                        Hi there

                                        I've got the exact same problem as @sgoldtho and @CaptainElmo, either with a fresh 2.3.1-RELEASE (nanoBSD) or when upgraded to 2.3.2.

                                        Symptom:
                                        BIND cannot be launched from the GUI, while it can be started from the command line using:

                                        /usr/local/etc/rc.d/named onestart

                                        or

                                        /usr/local/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/

                                        BTW, when BIND is launched (from the CLI first) it can be stopped from the GUI.
                                        And there is nothing showing in the log file...

                                        After fighting for a few hours I finally found the fix 8) :

                                        In the rc file /usr/local/etc/rc.d/named.sh

                                        change this line:

                                        		if [ -z "`/bin/ps auxw | /usr/bin/grep "[n]amed" | /usr/bin/awk '{print $2}'`" ]; then

                                        to

                                        		if [ -z "`/bin/ps auxw | /usr/bin/grep "[n]amed " | /usr/bin/awk '{print $2}'`" ]; then

                                        ---> Notice the vicious SPACE after [n]amed!

                                        I hope the maintainer checks this easy fix and includes it in the BIND pkg so that the next pkg upgrade works flawlessly.

                                        HTH

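An added example, not the package's or wxop's code, that makes the difference between the two grep patterns visible on a constructed process listing. Which process actually matched on the affected systems is not recorded in the thread; the listing simply contains command lines that carry the string "named" without being the daemon, including the rc script path given above and a named-checkconf run against the /cf/named chroot, both assumptions of this example. It also shows the check a practitioner would rather have in the rc script: compare the executable field instead of grepping the whole command line, because a pattern with a trailing space still matches any command line that has "named " anywhere in its arguments.

```shell
#!/bin/sh
# Added example, not code from the pfSense BIND package: why the rc script's
# "is named already running?" test can match the wrong process, shown on a
# constructed process listing rather than live ps(1) output.

# Constructed listing in "ps -axo user,pid,command" layout (PID in column 2,
# executable in column 3): the daemon as the package starts it, plus two
# command lines that also contain the string "named" but are not the daemon.
SAMPLE_PS='bind 1234 /usr/local/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/
root 2345 /bin/sh /usr/local/etc/rc.d/named.sh start
root 3456 named-checkconf -t /cf/named /etc/namedb/named.conf'

# pids_substring LISTING PATTERN: the rc script's test, which greps the whole
# command line and prints the PID column.  "[n]amed" (original) and
# "[n]amed " (wxop's fix) are the two patterns from the thread.
pids_substring() {
    printf '%s\n' "$1" | grep "$2" | awk '{print $2}'
}

# pids_exact LISTING: match the executable field itself instead of a
# substring, so arguments such as "-t /cf/named /etc/..." cannot match.
pids_exact() {
    printf '%s\n' "$1" | awk '$3 == "/usr/local/sbin/named" || $3 == "named" { print $2 }'
}

# named_running LISTING: the decision the rc script has to make; returns 0
# when a named daemon is present in LISTING and 1 otherwise.
named_running() {
    [ -n "$(pids_exact "$1")" ]
}

# Demonstration (expected values in the comments):
echo "[n]amed  matches: $(echo $(pids_substring "$SAMPLE_PS" '[n]amed'))"   # 1234 2345 3456
echo "[n]amed  matches: $(echo $(pids_substring "$SAMPLE_PS" '[n]amed '))"  # 1234 3456
echo "exact    matches: $(pids_exact "$SAMPLE_PS")"                         # 1234

# On the firewall itself, feed real output instead of the sample:
#   named_running "$(ps -axo user,pid,command)" && echo "named is up"
```

The original pattern flags all three constructed lines as a running named, so the rc script would decline to start the daemon; the fixed pattern drops the rc script's own line but still picks up the named-checkconf line because of the "/cf/named " argument. Matching the executable field, or `pgrep -x named` on FreeBSD, only ever reports the daemon.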
                                          voleatech

                                          Hi,

                                          sorry for the restart bug.
                                          That line of code changed because it was not working on IPv4- and IPv6-enabled BIND systems.
                                          @wxop thank you for finding the fix.
                                          A new version was just submitted.

                                          Best
                                          Sven

                                          Voleatech
                                          pfSense Select Partner

                                            helge000

                                            @wxop cheers!

                                            Was fighting over the same issue. I can reconfirm the extra space does the trick.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.