Netgate Discussion Forum
    Getting djbdns/dnscache (dns-server package) running correctly under pfsense 2.0

    DHCP and DNS
    7 Posts 5 Posters 7.8k Views
    lfitt

      I've been on this forum a few times, and normally it is lots of help. Unfortunately, nobody seems to know how djbdns works, so here is how I wrangled it into working. It works for me; it may not be entirely suitable for you, see notes at the end.

      djbdns will be a name server, caching resolver, and answer any kind of query you want it to: A, TXT, SRV, and so on (see http://lifewithdjbdns.org for some info). pfSense's package seems to be geared towards using it purely as an authoritative name server, and appears to be actively breaking the DNS forwarding side of things.

      In my situation I have external DNS hosting from a reliable DNS host, but internally I have my domain mirrored, with "extras" (i.e. workstations, test servers, etc.). These things do not need to be in the public DNS, so I use djbdns to override my domain internally.

      Install the dns-server package and set up your domain/hosts however you see fit. Start the service, and you'll notice it's probably not doing anything like you thought it would (i.e. working).

      Time to fix it!

      SSH into your pfSense box and edit /usr/local/pkg/tinydns.inc.

      Around line 270 there is a line that reads:

      exec("/usr/bin/touch {$g['varetc_path']}/dnscache{$dnsidx}/root/ip/{$dnsuserip}");

      Change it to read (or add another line that reads):

      exec("/usr/bin/touch {$g['varetc_path']}/dnscache{$dnsidx}/root/ip/192.168.1");

      Where "192.168.1" is the start of your internal network. This line tells dnscache that it should take requests from any IPs starting with 192.168.1; if you have several subnets, add several lines. If you only want 192.168.1.10 to be able to use dnscache, just put that.

      Next stop is lines 455-457, which read:

          $forwardingservers = tinydns_register_root_servers();
          if($forwardingservers)
                  fwrite($fd, $forwardingservers);

      Delete them all; they're telling tinydns - the name server - how to look up non-local domains, and it's Just Not Right. That's where dnscache comes in: it will look them up, AND cache the results.

      You will need to populate /var/etc/dnscache*/root/servers/@, which is where dnscache will look up anything that you're not serving locally. Luckily the contents of this file are generated from /var/etc/nameserver_*.

      Make a new file: /var/etc/nameserver_root and put the following in it:

      198.41.0.4
      192.228.79.201
      192.33.4.12
      128.8.10.90
      192.203.230.10
      192.5.5.241
      192.112.36.4
      128.63.2.53
      192.36.148.17
      192.58.128.30
      193.0.14.129
      199.7.83.42
      202.12.27.33

      This is a list of the DNS root servers; you can generate a current list and get some more information here:
      http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/dns-updating-resolving-proxy-root-list.html#djbdns

      Back to the interface: press save on the tinydns tab, and BAM! You've got a DNS server and a DNS proxy, and it works!

      Note, however, that if you're wanting to host external DNS on your pfSense machine, this setup will not be suited to you. I'm running tinydns on 127.0.0.1 and have dnscache running only on my internal interfaces, so any resolvable name thrown at my system will be resolved; you don't really want your internal network showing up from the outside of your network via DNS.

      See http://www.fefe.de/djbdns/#splithorizon for information on how to set up a split horizon DNS if you want to host your own DNS server for internal and external use. (Not related to pfSense; if you're feeling lucky you can hack the dns-server package, but it's likely to be a much more involved process.)

      marcelloc
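      The two files the post edits by hand are dnscache's client ACL (root/ip/) and its upstream list (root/servers/@). The script below is an added example, not code from the post or from the pfSense dns-server package: it builds that layout in a scratch directory and then applies dnscache's own matching rule (look for root/ip/<client ip>, then drop trailing octets one at a time) so you can check, before exposing the service, exactly which client addresses the resolver will answer. The directory and address lists are constructed inputs; only the prefix-match rule and the file layout are dnscache's.

```shell
#!/bin/sh
# Added example (not from the original post or the pfSense package).
# Reproduces the dnscache root/ip and root/servers/@ layout from the post in a
# scratch directory and mimics dnscache's ACL lookup so the allowed client set
# can be checked offline.

set -eu

# Build root/ip/<prefix> and root/servers/@ under $1 for the space separated
# prefixes in $2 and the space separated upstream addresses in $3.
build_dnscache_root() {
    root=$1
    mkdir -p "$root/ip" "$root/servers"
    for p in $2; do
        : > "$root/ip/$p"              # same effect as the touch in tinydns.inc
    done
    : > "$root/servers/@"
    for s in $3; do
        printf '%s\n' "$s" >> "$root/servers/@"   # one upstream per line
    done
}

# dnscache checks root/ip/<ip> and then strips trailing octets one at a time:
# 192.168.1.10 -> 192.168.1 -> 192.168 -> 192. Return 0 if any file exists.
# A bare "192" entry would therefore admit every 192.x.x.x client, which is
# why the prefix must be as long as the subnet you actually mean.
dnscache_allowed() {
    root=$1
    prefix=$2
    while [ -n "$prefix" ]; do
        if [ -f "$root/ip/$prefix" ]; then
            return 0
        fi
        case $prefix in
            *.*) prefix=${prefix%.*} ;;
            *)   prefix= ;;
        esac
    done
    return 1
}

# Number of upstream servers dnscache would forward to for non-local names.
count_upstreams() {
    wc -l < "$1/servers/@" | tr -d ' '
}

# Stand-alone demonstration with constructed values (a /24, one single host,
# and two of the root-server addresses from the post).
demo() {
    tmp=$(mktemp -d)
    build_dnscache_root "$tmp" "192.168.1 10.0.0.5" "198.41.0.4 192.33.4.12"
    for ip in 192.168.1.10 192.168.2.10 10.0.0.5 10.0.0.6; do
        if dnscache_allowed "$tmp" "$ip"; then
            echo "$ip: answered"
        else
            echo "$ip: refused"
        fi
    done
    echo "upstreams: $(count_upstreams "$tmp")"
    rm -rf "$tmp"
}
```

      Run it with `demo` added as the last line. The point of the check is the one the post makes at the end: an entry in root/ip/ is the only thing keeping dnscache from being an open resolver, so a prefix that is too short (or one for an address range reachable from the WAN) widens who can use it.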

        if you're feeling lucky you can hack the dns-server package, but it's likely to be a much more involved process)

        If you're feeling lucky, you can improve this package and submit changes. ;)

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

        Epinette

          Just the solution I need. Works like a charm.

          Thanks a lot!!!

          stevemitchell

            @lfitt:

            I've been on this forum a few times, and normally it is lots of help. Unfortunately, nobody seems to know how djbdns works, so here is how I wrangled it into working. It works for me; it may not be entirely suitable for you, see notes at the end.

            Thanks for posting this. I have just about everything working except lookups to domains that I don't have configured directly in tinydns. It was working for a few minutes and then stopped, and I haven't been able to get it working again. Is this still working for others?

            My backup plan is using the DNS Forwarder and adding a bunch of static entries, but I have two firewalls at two different sites and had hoped to use tinydns to keep them in sync instead of having to add host overrides at both places.

            lfitt

              Good news everyone! I updated to 2.0.1 over night, and hosed my tinydns setup!

              marcelloc must be feeling lucky indeed; I've actually gone ahead and updated the package so it correctly works, patches below. (If someone knows the correct method of submitting a patch to the maintainers, I'm all ears.)

              I've added an extra config entry, "Respond to IP", which relates to the second change above (what IPs dnscache will respond to).

              Instead of looking up the root DNS servers for queries tinydns does not know, it will look them up against your WAN DNS servers, which is probably preferable anyway.

              tinydns.xml.diff.txt
              tinydns.inc.diff.txt

              marcelloc

                Follow these instructions  :)

                http://forum.pfsense.org/index.php/topic,45379.msg236820.html#msg236820

                JoshW

                  I added another dns-server patch to the bug reported here: http://redmine.pfsense.org/issues/1768

                  This fixes a problem with local domains not being set up correctly for dnscache.

                  Dynamic DHCP leases still do not get registered with DNS though.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.