Bind - Setup pfSense as slave DNS server

mateusscheper

Hey guys, I need a tutorial on how to setup my pfSense as an external slave DNS server. I couln'd find anything so I came here for help.
I've downloaded Bind package but I'm not sure how to configure each tab.

Thank you already.

Grimson

pfSense is a firewall not a (public) domain name server, use a dedicated box/VM for that.

johnpoz

I would concur with Grimson here.. While sure you can use bind on pfsense - your public dns should really be on a box dedicated to that.. There are multiple services that will host it for you for pennies really. Some even free options - HE will be your secondary NS for free for like 50 domains or something.

Where is your primary NS? Your secondary should be on different netblock, and different geographic location even. The services that host your dns for you do that for their bread and butter and reside on large global anycast networks so they dont go down, can handle attacks, etc. etc..

I have been doing dns for 20 some years - and for major players with 1000s of domains.. You don't host your own public dns in this day an age - there is zero benefit in doing it.. If your really really want to - then just get a vps somewhere and host it there. Not your firewall.

mateusscheper

@johnpoz said in Bind - Setup pfSense as slave DNS server:

I would concur with Grimson here.. While sure you can use bind on pfsense - your public dns should really be on a box dedicated to that.. There are multiple services that will host it for you for pennies really. Some even free options - HE will be your secondary NS for free for like 50 domains or something.

Where is your primary NS? Your secondary should be on different netblock, and different geographic location even. The services that host your dns for you do that for their bread and butter and reside on large global anycast networks so they dont go down, can handle attacks, etc. etc..

I have been doing dns for 20 some years - and for major players with 1000s of domains.. You don't host your own public dns in this day an age - there is zero benefit in doing it.. If your really really want to - then just get a vps somewhere and host it there. Not your firewall.

Hmmm I see. My primary DNS is in another country, so I thought maybe it would me good to setup my secondary DNS here.
Thanks you for your help, Sir.

johnpoz

You only have 1 NS currently? Shoot many registrars will not even allow you to setup only 1 NS.. You should always have 2.. What/Where are you hosting your NS on currently.

mateusscheper

@johnpoz said in Bind - Setup pfSense as slave DNS server:

You only have 1 NS currently? Shoot many registrars will not even allow you to setup only 1 NS.. You should always have 2.. What/Where are you hosting your NS on currently.

I had two, but my second one is off for now, so I want to setup a new one.

mateusscheper

@grimson said in Bind - Setup pfSense as slave DNS server:

pfSense is a firewall not a (public) domain name server, use a dedicated box/VM for that.

What are the cons of setting up a DNS slave server in my pfSense?

leungda

@johnpoz

I have a few domain names using my personal Windows server 2019 DNS server (at the data center location, MASTER) to resolve IP for the public. Now, I want to set up secondary DNS (at the office location, SLAVE) using pfsense to replicate the Windows Server 2019 DNS server. Do you know how?

johnpoz

So so you jumped on a thread from 2 years ago ;) Where the user was told not to host their own dns ;)

Dude.. Your hosting dns off a windows server to the public?

Your in the same setup where your registrar for this domain let you register 1 NS only?? What registrar is this... PM me this domain please so I can see what is listed for it public.. Or you can just post the name here if you don't care - but just PM if you do.. So I can look to see how many NS actually listed..

edit: As I thought - not 1 NS, 6 NS - from his registrar, 1 being his and the 5 other the registrar with conflicting info..

So again going to suggest the same thing as 2 years ago.. Pick a service to host your dns.. Be it your registrar - shoot cloudflare is FREE for quite a bit, I host some domains there. They pretty much support anything you can think of, and if your tld supports dnssec which yours does you can enable that with a click..

Unless your domain it local use only - there is zero reason to host it on your own servers.. Just none..

Gertjan

@leungda : Another free Slave DNS server : https://freedns.afraid.org/

leungda

@gertjan The reason is I want to have Let's Encrypt DNS-01 verify. Most of the DNS providers it for fee (not free) or not even support it. That's why I build my own DNS server. I already have ns1 running and works fine. Now, I want to build another one at my office location for a SLAVE DNS. Yes, I can build another VM for it. I know that but I want to use the pfsense BIND. I don't want to pay extra MS license or build another VM into the ESXi. not enough space and memory on the ESXi server.

leungda

@johnpoz Yes, that's the reason I want to remove another 5 NS and use the pfsense BIND to do the job. At least, it can SYNC with ns1 (I guess). The main reason is the Let's encrypt DNS-01 verify. Many of the DNS providers do not support DNS-01 verify or you will have to pay for premium service.

johnpoz

@leungda said in Bind - Setup pfSense as slave DNS server:

Let's Encrypt DNS-01 verify. Most of the DNS providers it for fee (not free) or not even support it.

Not sure where you got that idea.. I use cloudflare dns with my acme cert.. There is a huge list of supported dns providers you can use.. Many of them FREE..

Gertjan

@leungda said in Bind - Setup pfSense as slave DNS server:

I already have ns1 running and works fine.

That 'master' is the one that gets used by acme and the DNS-01 protocol. Ones the records are set in the master DNS , it will NOTIFY the slave DNS's. And when they are ready, they will ask for a zone transfer.
acme and other do not communicate with slave domain servers.

The domain master to slave setup itself is another story. Ones you know how to set up bind using it's a straight forward config, the same thing would work using the GUI of pfSense, although using a clumsy way as bind (and nginx, and apache2, and postfix etc) really can't be set up using a GUI. It's just to .... complicated to do it that way.

edit : I just installed bind.
I kept unbound bound to the LAN type and localhost, and bind was bound to the WAN .
The GUI does not seem (but I won't be categoric here) to offer all the needed options to configure a slave domain name server.

johnpoz

@gertjan said in Bind - Setup pfSense as slave DNS server:

The GUI does not seem (but I won't be categoric here) to offer all the needed options to configure a slave domain name server.

And why do you say that?

Gertjan

@johnpoz : Saw the "Slave" option.
Setup start there.
Good luck for those maintaining it like this ;)

GUI, or not, one has to know how to set up bind before actually using it.
Using 'vi' or some GUI : it's just a choice.

Setting up a slave DNS using some free service, like the one mentioned above, is waaaaaaaaaay simpler.

johnpoz

@gertjan said in Bind - Setup pfSense as slave DNS server:

one has to know how to set up bind before actually using it.

Could not agree more! This is requirement for sure...

Is that what you meant.. I took your post that something was missing from the gui to be able to setup a slave?

Other than local dns, or just as a learning experience I can not think of one reason why anyone would want to host their own dns.. It makes no sense to do so.. When you can leverage huge deployments of NS across the globe using anycast and allow you to setup dns in a robust and stable way without having to know the ins and outs of bind configuration, etc.

Learning is great, but I sure wouldn't do it on any sort of production domain. Ie something you want anyone to be able to get to.. Fire up some play domain you want to learn with.. Its not like you can not get a domain to play with for like $1.. They always specific tlds on sale all the time where you can get them for a year for shoot like 88 cents sometimes..

But if this is some domain you actually want to people to be able to use to get to your stuff - then no I would not suggest you host it yourself.

edit: Here you go
https://www.namecheap.com/promos/99-cent-domain-names/

Bunch of tlds you can use to create a play/learning domain..

leungda

@johnpoz

Thanks all, I switched to Cloudflare and it works with Let'encrypt. Anyway, I really want to know how to set up the pfsense BIND as a SLAVE DNS. It might be useful

johnpoz

If I get a chance later this week I will throw up a simple walk through.. It really should be as simple as picking slave and putting in the IP of the master, and then allowing the firewall rules to let the master talk to bind on pfsense.

edit: Take it your talking about some other domain then the one you sent me via PM. Because that domain still shows what it shows before. It has not been moved anywhere.

Gertjan

@leungda said in Bind - Setup pfSense as slave DNS server:

I really want to know how to set up the pfsense BIND as a SLAVE DNS. It might be useful

bind, apache2, nginx and postfix are the 4 most documented programs on the Internet.
One might say these ARE the Internet.
It's old science, most of their functionality has become 'RFC'.

If you already have a bind master domain name server, you've prepared 85 % of the work (== learning bind and what DNS really is).

It all start with a phrase like this : bind how to create a slave dns server ?

Then the fun part start :
My advice : never ever do this @home. DNS servers should be reachable 99,99999 % of the time. That exclude our ISP connections right away.
Take a 1 € / month VPS - do not go for any Microsoft solution, do what everybody does : a recent Debian, no GUI. just you, the keyboard, the chair (these 3 help centralize 99 % of issues). No GUI, just you and a command line.

When you've installed 'bind' on the VPS 'to become a DNS slave) you change the zone info of your domain master DNS servers.
Like ns1 = the IP of you master zone DNS
ns2 = the IP of your salve DNS server.

Now, do what all admins do : goto /var/log/ and look for the 'bind' logs.
Read (tail -f) them. Always. Do not stop until every line means something to you. Learn to be allergic for warnings. Accept none, make them go away. Learn to panic when you see 'error' or worse.

Connect to the domain registrar where you got your domain name from.
Go to the page where you have to enter your DNS servers, your ns1, ns2, etc.
(Your master domain name server IPv4 should be there already.)

Make it look like :

Like

Note : I have a bind DNS master, and 2 bind slave name servers, running on my dedicated servers (two bare bone and one VPS).
This needs to be done, because the tld ".fr." needs to know where the domain name servers of my test-domaine.fr (my domain) 'lives'. And now you know what happens when you don't pay the annual rent of your domain name : the name server entries in the tld are wiped by your registrar, as they have access to the tld, not you.

Use tools like https://www.zonemaster.net/domain_check - and use them often.
Make something clean, like https://www.zonemaster.net/result/abd0e923f67b5728

When you think you've got it, remember that you only reached level 1. Grat's.
Check if you have a drugs store close by, and their opening hours. Check our health insurance (chapter psychological issues) and go for DNSSEC. Not the one your registrar offers you, make it happen on your own DNS name servers. You will need your registrar to hand them over your DS key. you'll reach master level if you pull this one of using scripts (the registrar has to an API access). implementing and following DNSSEC takes days, weeks.
You wind up having this mess : https://dnsviz.net/d/test-domaine.fr/dnssec/ Again : NO red or yellow stuff here, otherwise, people that use Resolvers and DNSSEC checking, like pfSense does by default, will NOT resolve your domain any more.

last, but not least : your DNS zone has to be fully IPv6 and IPv4. Your name servers have to use both of them, can be contacted using both protocols.
Your reverse PTR should be set correctly,
Etc.

If your still here ....
A last one : go for the ultimate : throw in TLS to DNS, security, authentication DANE.