Has BIND been replaced by TinyDNS?
-
Greetings!
A couple of months ago I was fighting with BIND on my pfSense box to try to replace an old authoritative DNS server for my zones. Never did get it to work and ended up port-forwarding through to a backdoor on my remaining authoritative DNS server. I know… one physical machine hosting all my DNS jewels. The horror! But it's a home network and I've got an "in" with the boss, so no danger of being fired.
Wanting to get this working, I was poking at it today. I've never run BIND before; how hard can it be? At one point I looked at the available packages and noticed BIND is gone. Maybe it's gone because you have a smart page that doesn't show stuff that's already installed. Or maybe it's gone because BIND is a complicated POS and you've replaced it with TinyDNS.
So is TinyDNS now the recommended go-to for authoritatively serving my wonderful zones to the public? How well is TinyDNS integrated into pfSense's GUI? Is there a way to capture all the zone data I've laboriously typed into your GUI and easily input that into TinyDNS? I have a text editor and am not afraid to use it. So maybe I could grab the BIND zone files, fix 'em, and turn them into TinyDNS zone files. Or maybe I could diddle the pfSense XML backup file.
On a secondary note: I turned off Unbound as it seemed to be interfering with BIND on the WAN interface. My LAN server (Win 2008 Server) is doing DNS resolution for now. I want to replace that OS soon, so I'll be looking at a new solution. My thought is the pfSense box can run TinyDNS (or BIND) only on WAN, and Unbound only on LAN and DMZ. I guess it's possible to put a few static host A records (or the equivalent) on Unbound, correct?
Thanks!
-
As for subject - absolutely NOT! And no, it's not gone at all. Bind is still available in packages as always.
https://github.com/pfsense/pfsense-packages/tree/master/config/bind
(P.S. I'd rather not comment on DJBware :P)
-
Hey, man, thanks.
I noticed a few weeks ago that you were involved in maintaining some of these packages. That's pretty darn cool. So thanks for that too.
The Good News
I set up DNS forwarder on 2 of my private networks: LAN and DMZ. Tested it thoroughly on LAN and it's working well. I picked forwarder rather than resolver because I figured I'd let my ISP's resolver do the heavy lifting and I'd just cache the results. Set up some local host resolution as well, and set the options so I can use the bare hostname locally. E.g. "ssh root@philo" is equivalent to "ssh root@philo.mydomain.com". I need to do some more testing, specifically from the DMZ.
I'm not sure DNS forwarder uses Unbound. The interface for forwarder is very different from the interface for resolver (a much more complex operation). For chuckles and grins I tried restricting forwarder to LAN and then setting up resolver on DMZ, and got a red-box complaint about two DNS services on the same interface.
The Bad News
Never have gotten BIND to work on WAN, or on any interface. And that was when I had forwarder and resolver disabled. I suspect my problem is ACLs. I can't puzzle out how they work based on the pfSense GUI, and there are no entries for BIND in the wiki. Tried reading the online manual at ISC… :o
Do ACLs for BIND work similarly to ACLs in DNS resolver? If so I could kill DNS forwarder, make resolver work (since it has wiki entries), and then use that knowledge to get BIND going. Just a thought.
The DigitalOcean website had some nice articles on DNS and BIND (that hosting company that advertises on BSD-Now). A much easier read than ISC's docs.
DNS Criticism
You got me thinking, so I did a bit of Googling. The harshest criticism of TinyDNS (actually of the whole djbdns suite, not just TinyDNS) was from Sam Trenholme, creator of MaraDNS. His points (made in 2007) were: closed source, only Dr. Bernstein ever sees or works on the code; no updates since 2002, so the project appears to be abandoned and patches are needed; it doesn't play well with the Linux file system and creates directories in all the "wrong" places; Dr. Bernstein is arrogant; and djbdns is hard to set up and use. His criticisms created a firestorm of response, probably because he posted his essay to the djbdns mailing list.
In a 2013(?) article on using TinyDNS with Linux (admin-magazine.com) the author says it's easy to set up, but has a "weird" (if you're used to BIND) zone file format, and there is no file checking: it either works and starts up, or it doesn't. I think he mentioned that it'd be nice if there were a stand-alone file linter, or maybe that was a different article.
BIND is easy to criticize. It's quite old and seems to have been originally coded by drunken monkeys. It's also massive and complex, and probably still hosts a fair number of bugs. Dr. Bernstein (TinyDNS) thinks DNSSEC is a joke, but better than no joke at all (he suggests his methods are worlds better).
Finally
I'd like to get something working. And thanks for your response.
-
Are you really sure you want to run a public DNS server on your WAN? Yuck…
DNS forwarder == dnsmasq. DNS resolver == unbound. Dunno what specific trouble are you having with the Bind GUI.
-
Why I want to run BIND on WAN. Because if someone doesn't do it, then no one will be able to visit my domains.
Why I want to do my own hosting. For exactly the same reason I want to own my own transportation rather than always take the bus or call a cab.
In other news: IT WORKS!
Thought I'd grab BIND's config files and see what's really happening. All those Google results talk about config files, not the pfSense graphical interface. So I did a bit of Googling to see where the files might be hiding. Found a 10-page thread on this forum from 2013. Pretty darn helpful. Never having used BIND before I wasn't sure what to expect; MS's DNS does a bit more hand holding and checks everything as you type it in. Plus MS's DNS server isn't as versatile, so the interface is simpler.
Didn't know ACLs or Views (I did look at them), so I did Settings then jumped to Zones. In Zones the View selector was empty, so it must not be important, right? Down at the bottom the text box labeled "Resulting Zone Config File" was always empty. But wasn't that the place where BIND wizards typed in their magical incantations? The interface is full of those, so I thought this was just one more. When I tried to look up BIND in your wiki there was nothing.
While poking around a few days ago I set up what I thought might be a useful View for a WAN, but nothing happened. Then today, because of the mention in that old forum thread about selecting a View in a Zone, I tried it and magic happened. That text box filled itself in. Then I discovered no more refused connections. After several hours of experimentation I got all my zones working (18). And was finally able to switch my other DNS server (Win 2008 Server) to secondary, and sync everything up. I even double checked to see that only my secondary could pull a zone from BIND.
HUZZAH!
DNSSEC is next. I have Lucas' little book. Think I might read it.
Dude, thanks a million for your help.
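The working setup described in the post above (a View that the Zones are attached to, an ACL, zone transfers allowed only to the Win 2008 secondary, and the queries no longer refused) corresponds to a handful of lines in native named.conf. The fragment below is an added example, not the file the pfSense BIND package generates; the ACL name, zone name, file path and the secondary's address 198.51.100.53 are placeholders.

```conf
// Added example, not pfSense's generated named.conf.
// One ACL naming the only host allowed to pull zones (the secondary).
acl "secondary" { 198.51.100.53; };

// The view every public zone is attached to. A zone that is not in a view
// is not served by BIND when views are in use, which matches the symptom
// in the post (empty "Resulting Zone Config File", refused queries).
view "wan" {
    match-clients   { any; };        // answer the whole Internet for these zones
    recursion       no;              // authoritative only: never recurse for strangers
    allow-query     { any; };
    allow-transfer  { secondary; };  // AXFR/IXFR only to the secondary
    also-notify     { 198.51.100.53; };
    notify          explicit;

    zone "example.com" {
        type master;
        file "/etc/namedb/master/example.com.db";
    };
};
```

Two checks worth running after any change: `named-checkconf` on the generated config and `named-checkzone example.com <zonefile>` on each zone (the file-level linting the TinyDNS article above says djbdns lacks). Then, from a host that is not the secondary, `dig @<WAN address> example.com AXFR` should come back with "Transfer failed." while `dig @<WAN address> example.com SOA +norecurse` returns an authoritative answer; if the AXFR succeeds from an arbitrary host, the allow-transfer ACL is not in effect and the whole zone is readable by anyone who asks.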