    BIND named.conf

    • M
      milew last edited by

      Hello
      I have installed the BIND package on pfSense 2.6 Community.
      In the folder /usr/local/etc/namedb there is a file named.conf.
      I tried to change some options in this file. BIND starts and ignores my changes.
      I renamed and moved this file to another folder. BIND starts normally.
      When does BIND use named.conf in this location?

      • M
        milew last edited by

        I opened the FreeBSD documentation. At the top is:
        When invoked without arguments, named reads the default configuration file /usr/local/etc/namedb/named.conf, reads any initial data, and listens for queries.

        • bmeeks
          bmeeks last edited by bmeeks

          pfSense works very differently with packages than you might be accustomed to in a plain-vanilla FreeBSD or Linux-type installation.

          For starters, pretty much all configuration information for package binaries is stored and maintained by pfSense inside its own config.xml configuration file. Each time a package binary is started, the configuration is read from that internal config.xml file and written out to the *.conf file for the package. That means any manual edits you do on the filesystem are overwritten every time pfSense starts the package binary. You do all of your configuration inside the GUI and never directly edit configuration files.

          Some of the *.conf file locations are also changed. Many wind up in subdirectories under /var.

          • M
            milew @bmeeks last edited by

            @bmeeks Thank you very much. You saved me a lot of time on tests.
            The BIND package saves its configuration in config.xml, then writes it to /var/etc/named/etc/namedb/named.conf, and the named process opens this configuration on start.

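Added example, not part of any post in this thread: a POSIX sh helper that works out which named.conf a given named command line actually loads, so you can tell whether the file you edited is the live one. The sample command lines are constructed, and the chroot layout is an assumption inferred from the path milew reports; `-c` and `-t` are standard named options.

```shell
#!/bin/sh
# Added example, not code from the thread. Given a named command line, print
# the on-disk path of the configuration file that process reads.
# -c (config file) and -t (chroot directory) are standard named(8) options.

# Default path quoted from the FreeBSD documentation in the thread.
DEFAULT_CONF="/usr/local/etc/namedb/named.conf"

effective_named_conf() (
    conf="$DEFAULT_CONF"
    chroot_dir=""
    set -f                              # no globbing while word-splitting
    set -- $1
    if [ "$#" -gt 0 ]; then shift; fi   # drop the program name
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -c) [ "$#" -ge 2 ] || break; conf="$2"; shift ;;
            -t) [ "$#" -ge 2 ] || break; chroot_dir="$2"; shift ;;
            -c?*) conf="${1#-c}" ;;
            -t?*) chroot_dir="${1#-t}" ;;
        esac
        shift
    done
    # named chroots before reading its configuration, so an absolute -c
    # path is resolved inside the chroot directory. A relative path is
    # printed unchanged.
    case "$conf" in
        /*) printf '%s\n' "${chroot_dir%/}$conf" ;;
        *)  printf '%s\n' "$conf" ;;
    esac
)

# Constructed sample command lines (assumptions, not captured from pfSense).
SAMPLE_PLAIN="/usr/local/sbin/named"
SAMPLE_CHROOT="/usr/local/sbin/named -c /etc/namedb/named.conf -u bind -t /var/etc/named/"

# True when the file you edited is the one the process loads.
edited_file_is_live() {   # $1 = file you edited, $2 = named command line
    [ "$1" = "$(effective_named_conf "$2")" ]
}

effective_named_conf "$SAMPLE_PLAIN"
effective_named_conf "$SAMPLE_CHROOT"
```

On a running system, pass it the command line that `ps` shows for the named process instead of the samples.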
            • C
              crichmon @milew last edited by

              @milew Is there a way to convert an existing bind setup (named.conf, zone files, etc.) from a Linux box into this config.xml that pfSense uses? And is all this true if the bind web GUI package isn't installed, just actual bind (named and related tools)?

              • bmeeks
                bmeeks @crichmon last edited by

                @crichmon said in BIND named.conf:

                @milew Is there a way to convert an existing bind setup (named.conf, zone files, etc.) from a Linux box into this config.xml that pfSense uses? And is all this true if the bind web GUI package isn't installed, just actual bind (named and related tools)?

                I'm pretty sure there is no automated tool to accomplish such an import. You could do it by hand, but you would first need to become very familiar with how the bind GUI package uses the various sections of config.xml for storing its configuration information and translate your existing data into the proper locations in config.xml.

                You could perhaps get by with installing only the binary portion of bind on pfSense and then doing everything by hand, including configuring automatic startup of the daemon. But instead of that hassle, why not just install the full package (GUI and binary) and then reproduce your existing configuration? Yeah, it might take some time, but once done it would be there from that point forward and follow you through future pfSense upgrades.

                But unless you really want everything in a single box, you could leave bind on Linux with your existing configuration intact and simply point pfSense to the bind box for DNS operations? You could either configure the Linux box IP as an upstream "forwarder" for the DNS Resolver in pfSense, or even better, let bind be authoritative for your local domain and use a domain override in the pfSense DNS Resolver that tells it to forward all lookups for your local domain to the Linux box running bind. If you do this, don't forget to configure a reverse pointer override as well.

                • C
                  crichmon @bmeeks last edited by

                  @bmeeks Thanks! So I did install the whole enchilada and started working through the porting exercise in the GUI. Most of it makes sense, but there are a few spots where the terminology seems a bit off and out of place, plus, I'm no BIND expert but have been pretending to be for many years (decades). I can find most answers, but applying stuff into pfSense is new to me. I'm a non-GUI sort.
                  Part of the point of this whole exercise is to replace the Linux box onto a tiny appliance using a more modern OS, so I could just leave the Linux box running as-is and point to it. It plays too many roles (DNS w/SEC, DHCP, NTP, VNC, httpd, mqtt, router/firewall, etc.), so usable but not exactly appropriate and fairly out of date. My other constraint is the wifey (SWMBO). I can't break the network for days on end, so this has to be a parallel development. If I have more specific questions, I'll open a new topic if I can't find another relevant thread.
                  Thx, Chris

                  • bmeeks
                    bmeeks @crichmon last edited by

                    @crichmon, another option is to virtualize things. pfSense runs fine as a virtual machine on a number of hypervisors (ESXi is my personal favorite, but Proxmox and Hyper-V work as well). You could then have a pair of VMs: one for pfSense and another to run your bind setup on a recent Linux distro. Unless you have gigabit or better Internet at home, the hypervisor host would not need to be a powerhouse. But even a gigabit connection would not need tons of horsepower unless you really load pfSense down with a lot of add-on packages.

                    The ability to use snapshots for instant "rollbacks" in the event some future update breaks things is a real plus for a virtualized environment.

                    • M
                      milew @crichmon last edited by

                      @crichmon I do not know how to convert. Only GUI interface.
