Bind package for pfsense 2.1
-
Is there a setup tutorial for this that I can follow?
Just follow package tabs from left to right.
All you need is there :)
-
Might not be a bad idea - seems you have to have a view setup, and ACLs - and you have to highlight them in the zone or it doesn't like to work.
These are all bind requirementes but I've included more info on acl options to get it clear.
I just broke mine again with trying to enable the dnssec, had to delete the zone files and then go back in into the zones so they were recreated, etc.
what erros? I'm testing it massively and getting no errors.
Might be nice to allow checkconf from the gui to see its output.. But there is clearly some stuff with the chroot that I don't quite get.. still looks like /etc/namedb/named.conf - but this is really in /cf/named/etc/namedb but there there is also something to do with /usr/pbi/bind-i386/etc/named.conf ???
Some info on how this chroot stuff works for this package would be just fantastic!!!
Just take a look on named process:
ps ax | grep -i named
83446 ?? Is 0:00.02 /usr/pbi/bind-amd64/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/Join chroot dir and conf dir to understand how it works.
-
I get SERVFAIL - thought I posted up a screenie before, anyway can repeat the error.
So as you can see working fine - did a query for pfsense.local.lan get an answer all is good.
Then I go into the zone, click "Enable inline DNSSEC Signing for this zones. " hit save in the zone, then on the overall zone tab hit save again. Do my query again and get SERVFAIL
Going back into the zone and unchecking it and resaving does not correct the problem.. Have to delete all the files for that zone in the zone file area - for me its /cf/named/etc/namedb/master/everyone and then resave then it its back to working. Because I call my view everyone.
My point about having to highlight, I understand those are requirements for the configuration. But it doesn't auto use if there is only 1.. You still have to actually click on it so its highlighted on the gui page, or its not used in the config. Was like what the hell. It says its using my all acl allow.. No not really have to highlight them for it to work - see second pic
So notes about having to highlight might be good thing to add to documentation on the section, etc.
-
Then I go into the zone, click "Enable inline DNSSEC Signing for this zones. " hit save in the zone, then on the overall zone tab hit save again. Do my query again and get SERVFAIL
I'm not a DNSSEC specialist but if IRC, you need a parent zone to validate your dnssec zone(DS record on parent/root domain).
take a look on this whitepaper.
page 3
The Chain of trust
"…Surely the
public key isn’t just signed by the zone’s private key, which would mean that the public key would validate itself...""...No, the public key’s validity is established by the zone’s parent. For example, if our signed zone is called infoblox.
com, it’s the com zone that vouches for the infoblox.com zone’s public key...""...after the infoblox.com zone has been signed, the administrator sends a copy of his public key to the administrator of the com zone..."
Going back into the zone and unchecking it and resaving does not correct the problem
I'll test it here.
Other point. I've updated field info for zone acl. Transfer and updated acl should be restricted, not allowed to everyone. If you do not select any acl on it, means no access. That's why the package does not select automatically when only one acl is defined.
-
This goes back to the request for documentation/guide on using the package, etc.
From what I can tell so far you have put created one hell of a package!!! Freaking should be part of pfsense base install for bind support.. Dude this package just ROCKS!!! Ability for user to run full bind with a simple gui interface is fantastic!!! I can not say that enough.
But it needs a bit of documentation on its use is all - bind is a very complicated product, so to let users use it with a simple gui interface is going to put pfsense way above all other sim distro's for sure!!! So its going to draw in more and more users than just don't even understand the basics. Which is why it needs to be documented very well.
Let me know how I can help is what I am saying.. I am on the road but when I get some free time will dive into testing this package more - love the fact that you show the actual config file, etc..
I have never gotten into details of the jail stuff, so some basics on how that works would really help in the documentation.. Because looking at the logs saying conf is in loaded from /etc/namedb when that is not really the case is confusing.
And then details of how to get dnssec to work will help - what I can tell you from limited play time with the package so far is if I click on that setting is it breaks bind.. If there is something need to do – that needs to be documented, etc..
please let me know how I can help - this package is just pure gold and want to see it become part of the base install options, etc.. What I see so far is gold.. just needs some documentation and a few tweaks and it will be ready for prime time!!
thank you for all the work you have put into this!!
-
The bind documentation is really rich on internet. Most part of this packages was written based on it. chroot and dnssec are a good example of that.
I do not have that free time to spend on documentation guide. I do my best on field descriptions and a left to right configuration style package.
IMHO you need to know something about the package you are configuring on your network to prevent serious security problems.
Thank's for testing this package. This week I'll put in production and based on result change it to release or stable version.
-
I hear ya – I will be more than happy to put up some docs in the wiki, etc.. With pictures for the basic users on bring up a zone for example -- what you have to highlight, and how to work through the tabs left to right, etc.
And your field descriptions are very good to be honest!! Just needs a overall how to doc is all for the users that don't know the basics. I am very limited in my understanding of dnssec and jails myself - but I am more than happy to get more familiar with both for my own benefit and helping in documentation on using your great package!!
And I am with you - you allowing for enabling dnssec in bind via a gui, does not mean you have the time to write a how to for dnsses. And I would prefer actually that you spend your time enabling great features in your interface..
This looks to me to be one of the all time great packages for pfsense.. But as of now it seems to me there is something that the user needs to do other than click that check box to get dnssec to work.. Maybe a note about understanding dnssec and its requirements in the field would work for now ;) I checked it just playing around and it broke bind for my my local zone. That is not on you -- that is just lack of understanding on my part as well - same with chroot and jails, that is on me to understand.
Was just a note that it can be confusing for us that don't understand jails and such while the log says its loading one path, when that path is not really the actual path.
-
I just wanted to chime in and say this package is brilliant. Everything works beautifully, and while polish would be some Wiki Docs as others have mentioned, the core of it works great and any BIND veteran will be very pleased with this.
I cannot say how frustrated I've been that the tinydns package crashes all the time when attempting to set up a multi-vlan response (not to mention how difficult it is to set one up with it to begin with…NAT to localhost et al).
People should note that BIND of course has been the subject of MANY flaws over the years and if you plan on using it on your FIREWALL you should probably not allow BIND access to external networks or even untrusted (guest) internal ones if you are very paranoid. Even with chroot there is the potential for issues. Having said all that, the ability to use this for multi-view internal VLANs is priceless and head and shoulders above anything else.
-Q
-
So far so good. Working flawless on my network. ;D
I'll test sync code today.
-
I've updated the package with some fixes and improvements. :)
What's new on bind 0.3 RC package?
-
Backup/restore dnssec keys to xml option
-
A lot of logging options
-
Moved bind logs do Resolver tab on system logs(may require a reboot or restart on syslogd)
-
Add forward zone type
-
Enable/disable zone option
-
Fixed sync code. Backup servers receive zones configured on master server as slave
-
-
Anybody else testing it? I'm planning to change status to release as it's running fine here.
-
I updated this morning with no issues.. I have my local.lan forward running and 2 ptr's setup working great. Have not had time to play with dnssec or zone transfers.
I liked how you linked to info for dnssec and give the actual configs in the gui, etc. This is a rocking package!!
-
I've included an extra field(custom zone records) on zone configuration tab with no package version bump.
This way you can do a intermediate/faster server migration.
Also tested backup DNSSEC keys on master and restore on slave. All working fine! ;D
-
enable dnssec validation?
I have played with adding custom options to enable dnssec validation - but not working..
So if I query my ubuntu box that has bind installed as just a resolver I can get the AD flag showing zone was validated via dnssec
; <<>> DiG 9.9.4 <<>> @192.168.1.7 pir.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60520
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 9;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org. IN A;; ANSWER SECTION:
pir.org. 300 IN A 50.63.189.22
pir.org. 300 IN RRSIG A 5 2 300 20131109085000 20131026085000 51527 pir.org. tZk+v1mE8zRnwxGZZ21F6vCOSLMMPoJu3LTJVn4gWp5ZZMWZgQ7aPHAr NMr4xffHPtfHcWGImIr2Tc0eMGbbCBLbz2IVCAtq0bfGW8RDJpEOhFyh nTByNna4ggQaMfn0anAg4Q+yIaptfINI0Dtl3tSziWk8RNY02mNaY8gz Aqw=But if I query pfsense no AD flag?
; <<>> DiG 9.9.4 <<>> @192.168.1.253 pir.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9091
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 8;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org. IN A;; ANSWER SECTION:
pir.org. 300 IN A 50.63.189.22
pir.org. 300 IN RRSIG A 5 2 300 20131109085000 20131026085000 51527 pir.org. tZk+v1mE8zRnwxGZZ21F6vCOSLMMPoJu3LTJVn4gWp5ZZMWZgQ7aPHAr NMr4xffHPtfHcWGImIr2Tc0eMGbbCBLbz2IVCAtq0bfGW8RDJpEOhFyh nTByNna4ggQaMfn0anAg4Q+yIaptfINI0Dtl3tSziWk8RNY02mNaY8gz Aqw=So how do enabled dnssec validation so that say if go to site like this - shows protected? http://dnssectest.sidn.nl
-
Does this package integrate well with the pfsense DHCP? I have the Dynamic DNS enabled on the DHCP settings but I'm unable to get my DNS zone to update. Mods, please move my post to a different thread if it doesn't belong in here.
In my DNS zone, the updates are allowed from an IP range (192.168.1/24)
acl "192.168" { 192.168/16; }; acl "192.168.1" { 192.168.1/24; }; view "myzone.lan" { recursion yes; match-clients { any;}; allow-recursion { any;}; zone "internal.myzone.lan" { type master; file "/etc/namedb/master/myzone.lan/internal.myzone.lan.DB"; allow-update { 192.168;}; allow-query { any;}; allow-transfer { none;}; # look for dnssec keys here: key-directory "/etc/namedb/keys"; # publish and activate dnssec keys: auto-dnssec maintain; # use inline signing: inline-signing yes; }; zone "192.168.1.in-addr.arpa" { type master; file "/etc/namedb/master/myzone.lan/192.168.1.DB"; allow-update { 192.168.1;}; allow-query { any;}; allow-transfer { none;}; };Thanks!
-
I have an Internet connection via the satellite. Therefore I feel need in increase in ttl.
Marcelloc, can you add the option "min-cache-ttl" in your package? Description in russian here http://alex-at.ru/linux/bind-9-6-0-p1-ttl. And patch is:diff -Nabdur bind-9.6.0-P1.orig/bin/named/config.c bind-9.6.0-P1/bin/named/config.c --- bind-9.6.0-P1.orig/bin/named/config.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/bin/named/config.c 2009-05-22 12:31:35.000000000 +0400 @@ -129,6 +129,8 @@ min-roots 2;\n\ lame-ttl 600;\n\ max-ncache-ttl 10800; /* 3 hours */\n\ + override-cache-ttl 0; /* do not override */\n\ + min-cache-ttl 0; /* no minimal, zero is allowed */\n\ max-cache-ttl 604800; /* 1 week */\n\ transfer-format many-answers;\n\ max-cache-size 0;\n\ diff -Nabdur bind-9.6.0-P1.orig/bin/named/server.c bind-9.6.0-P1/bin/named/server.c --- bind-9.6.0-P1.orig/bin/named/server.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/bin/named/server.c 2009-05-22 12:32:18.000000000 +0400 @@ -1727,6 +1727,16 @@ CHECK(mustbesecure(obj, view->resolver)); obj = NULL; + result = ns_config_get(maps, "override-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->overridecachettl = cfg_obj_asuint32(obj); + + obj = NULL; + result = ns_config_get(maps, "min-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->mincachettl = cfg_obj_asuint32(obj); + + obj = NULL; result = ns_config_get(maps, "max-cache-ttl", &obj); INSIST(result == ISC_R_SUCCESS); view->maxcachettl = cfg_obj_asuint32(obj); diff -Nabdur bind-9.6.0-P1.orig/lib/dns/include/dns/view.h bind-9.6.0-P1/lib/dns/include/dns/view.h --- bind-9.6.0-P1.orig/lib/dns/include/dns/view.h 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/lib/dns/include/dns/view.h 2009-05-22 12:29:03.000000000 +0400 @@ -131,6 +131,8 @@ isc_boolean_t provideixfr; isc_boolean_t requestnsid; dns_ttl_t maxcachettl; + dns_ttl_t mincachettl; + dns_ttl_t overridecachettl; dns_ttl_t maxncachettl; in_port_t dstport; dns_aclenv_t aclenv; diff -Nabdur bind-9.6.0-P1.orig/lib/dns/resolver.c bind-9.6.0-P1/lib/dns/resolver.c --- bind-9.6.0-P1.orig/lib/dns/resolver.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/lib/dns/resolver.c 2009-05-22 12:30:41.000000000 +0400 @@ -4054,6 +4054,18 @@ } /* + * Enforce the configure cache TTL override. + */ + if (res->view->overridecachettl) + rdataset->ttl = res->view->overridecachettl; + + /* + * Enforce the configure minimum cache TTL. + */ + if (rdataset->ttl < res->view->mincachettl) + rdataset->ttl = res->view->mincachettl; + + /* * Enforce the configure maximum cache TTL. */ if (rdataset->ttl > res->view->maxcachettl) diff -Nabdur bind-9.6.0-P1.orig/lib/isccfg/namedconf.c bind-9.6.0-P1/lib/isccfg/namedconf.c --- bind-9.6.0-P1.orig/lib/isccfg/namedconf.c 2009-05-22 12:24:49.000000000 +0400 +++ bind-9.6.0-P1/lib/isccfg/namedconf.c 2009-05-22 12:31:21.000000000 +0400 @@ -821,6 +821,8 @@ { "lame-ttl", &cfg_type_uint32, 0 }, { "max-acache-size", &cfg_type_sizenodefault, 0 }, { "max-cache-size", &cfg_type_sizenodefault, 0 }, + { "override-cache-ttl", &cfg_type_uint32, 0 }, + { "min-cache-ttl", &cfg_type_uint32, 0 }, { "max-cache-ttl", &cfg_type_uint32, 0 }, { "max-clients-per-query", &cfg_type_uint32, 0 }, { "max-ncache-ttl", &cfg_type_uint32, 0 }, -
Marcelloc, can you add the option "min-cache-ttl" in your package?
I can't compile binaries to official repo. :(
It will need a freebsd ports patch on bind before we can include it on pfsense compile options.
-
So how do enabled dnssec validation so that say if go to site like this - shows protected? http://dnssectest.sidn.nl
I have no idea. What tests are these?
-
But if I query pfsense no AD flag?
Maybe it's related to this?
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/242956 -
It is a test that dns your using is validating dnssec info.
As you saw my ubuntu box running default bind install as recursive server reflects that dnssec was validated with the AD flag when used +dnssec.
google dns for example as enabled dnssec validation even if client does not request.. So you can see below that simple query to googledns without +dnssec still returns the AD flag for a domain that passes validation.. While a domain that does not have it does not
; <<>> DiG 9.9.2-P1 <<>> @8.8.8.8 pir.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38390
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1; <<>> DiG 9.9.2-P1 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63693
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1If I set my client to use google dns the above test site states that my dns is validating
What I would like is bind to do dnssec validation even when not specifically requested via +dnssec - but I can not seem to get it to the validation even with +dnssec flag..
Ok got it to work with below options, seems setting to yes for validation requires to add keys, while auto loads the keys included with bind.
dnssec-enable yes;
dnssec-validation auto;now what is odd is that test site is saying permissive.. but I doubt that is the case to be honest.. since if I try query a zone that broken dnssec get servfail like it should
; <<>> DiG 9.9.2-P1 <<>> www.rhybar.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52165
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1If I query the site via a resolver that does not do validation I get an answer
; <<>> DiG 9.9.2-P1 <<>> @4.2.2.2 www.rhybar.cz
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.rhybar.cz. IN A
;; ANSWER SECTION:
www.rhybar.cz. 600 IN A 217.31.205.51So it seems to be working correctly - but what is odd is that that test shows google is not permissive? But bind on pfsense is? Odd maybe I will email them about that aspect of their test.
