BIND 0.4.3 - 2.2.6-RELEASE (i386)
-
After installing the bind package, disabling resolution and forwarding and creating both a master zone and a forward zone, the package does not seem to be including any zone details in named.conf. If I toggle enable logging I see the includes in named.conf, but that's it. Am I missing something? I'm not seeing any standard bind options relative to the options set in the UI like recursion or allow_queries….
The two folders I found are:
/usr/pbi/bind-i386/local/etc/namedb/named.conf
/cf/named/etc/namedb/named.conf
No errors in the logs, it just looks like I'm missing enable on something somewhere.....
less /cf/named/etc/namedb/named.conf
#Bind pfsense configuration
#Do not edit this file!!!
key "rndc-key" {
    algorithm hmac-md5;
    secret "tgCExWc7GEslJ05taOLRiA==";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    statistics-file "/var/log/named.stats";
    max-cache-size 256M;
    listen-on-v6 { 2001:------:37::1; 2001:-------::1; ::1; };
    listen-on { 192.168.37.1; 192.168.40.1; 127.0.0.1; };
};
logging { category default { null; }; };
Thanks
-
Greetings:
It took me a bit, being a BIND newbie and a pfSense newbie, but I got BIND working a few months back. Googling BIND got me pages that talked of .conf files, but I didn't know how those related to pfSense's GUI, and there are no BIND pages in the wiki. My goal was BIND as an authoritative server on the WAN, and then something lightweight for the LAN and DMZ. I finally got that working and it's clean.
My problem was that from the main BIND page I first did the Settings tab, looked at the ACLs and Views tabs but skipped them (because I had no clue and thought I could come back later), and then tried filling in the Zones tab. I too got some .conf files, but my zone files were never generated. Finally, when I Googled for pfSense BIND GUI (or something like that), I found a 10-page thread here in these forums that gave me enough hints I was able to figure things out. The thread. Also, since I was setting up an authoritative name server on WAN I needed a way to test it. I used Network Tools.
But heck with that. Let's jump right to what worked for me.
#1. The ACLs (access control lists) tab had some weird looking configs.
The first four were the existing ACLs, the fifth is a custom ACL I made. If I remember correctly the built-in ACLs were all configured the same, none of which made any sense. "IP or network range block" was two blank entries for every ACL. Maybe there's some magic happening and the config is only necessary when you want to do something different, but with zero documentation I had to "try and test". This is what I eventually came up with, which works.
An illegal address is as good as "none". ;)
Not sure why I ended up with this, and the CIDR notation may not be legal for classes D & E, but it works.
Self explanatory.
My interpretation of "localnets" is RFC 1918 addresses. Note that since I only allow BIND to run on my WAN interface, I'll never use this ACL. But I like it.
My custom ACL contains only the IP address of my secondary DNS server. I don't feel like letting just anyone grab my entire zone.
#2 All that's nice, but the really critical thing was the Views. When I first looked at it, it was empty.
I had to create one, which I called WAN1 (someday I'll add a second WAN).
These are my settings. Note, I'm setting up BIND to be an authoritative name server to the world, so I need to let the world in, and I need to kill recursion.
#3 Once I had my custom View, I was able to use it in the Zones tab. This was critical.
I'm not bothering to show the main Zones page. The interesting bit is the contents of (any) one page. The individual zone pages are quite long, so I've hacked it up to only show the most interesting bits.
First, the View selector thingie was empty until I created a custom view. Nothing happened until I selected a view. BIND was dead in the water and did not respond to that Network Tools web page. Or maybe my ACLs were messed up and BIND was dead because of that. Either way View has to exist or you get nothing.
Second, note the use of ACLs in the Master Zone Configuration section.
Third, the Resulting Zone Config File was blank, until I got View working. pfSense fills in the blank for you, so it's a good test to see if all is setup right.
#4 Settings needs to be on the correct interface for this all to work.
Here "WAN1" is from my interface list. This is not the same "WAN1" as in View. Perhaps I should have named that custom View "wan1" (so it's instantly apparent they are not the same thing).
Success!
Everything works. And I'm able to transfer zone data between BIND and my secondary DNS (which is a Windows Server box on the DMZ). I did a bit of testing and the ACLs seem to work as well. That is, by dicking around with ACL settings I can enable/disable access to BIND.
#5 Recursive DNS for LAN and DMZ.
At this point I went back to pfSense Services and after a bit of Googling decided DNS Forwarder (caching DNS) was what I wanted. I have a Windows Server set up as a LAN server, and that's doing dynamic DNS for the LAN, and DNS resolution as well. Then I point that to the DNS Forwarder on pfSense. Then I point pfSense to my ISP's resolving DNS servers. My DMZ doesn't have access to my LAN server, so hosts there go straight to pfSense for resolution.
I was able to create hosts entries for the DNS Forwarder via pfSense's GUI, to pick up host names in my DMZ. Hosts on my DMZ can see them, and hosts on my LAN can see them, but no one on the WAN can see these names.
Done!
So that's it. BIND on WAN, DNS Forwarder on DMZ and LAN.
Good luck with your setup.
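Editor's note, added example: the named.conf below is hand-written here to show what the setup described in this post (ACLs, one view, authoritative zone on WAN, recursion off, transfers limited to the secondary) amounts to in plain BIND terms. It is neither the poster's configuration nor the file the pfSense BIND package generates, and the zone name, the WAN address, the secondary's address and the ACL name are assumptions. Two BIND facts bear on both posts in this thread: BIND's built-in ACLs `any`, `none`, `localhost` and `localnets` need no `acl {}` definition at all, and once any `view` is defined, BIND requires every `zone` statement to sit inside a view, so a zone with no view selected has nowhere valid to land.

```conf
// Added example, not the pfSense package's generated output.
// example.com, 203.0.113.1 (WAN) and 198.51.100.53 (secondary) are placeholders.

// any / none / localhost / localnets are built in; only custom lists need an acl block.
// Hosts permitted to pull the whole zone (AXFR/IXFR): the secondary only.
acl "xfer-secondary" { 198.51.100.53; };

options {
    directory "/etc/namedb";
    listen-on { 203.0.113.1; };        // WAN address only; nothing on LAN/DMZ
    listen-on-v6 { none; };
    version "not disclosed";           // don't advertise the BIND version string
    allow-transfer { none; };          // safe global default; the zone below overrides it
};

// With a view defined, every zone must live inside a view.
view "WAN1" {
    match-clients { any; };            // authoritative for the whole Internet
    recursion no;                      // never resolve other people's names for WAN clients
    allow-query { any; };              // anyone may ask about our own zones
    allow-query-cache { none; };       // and nobody gets answers from the cache
    allow-transfer { xfer-secondary; };
    notify yes;

    zone "example.com" {
        type master;
        file "/etc/namedb/master/example.com.db";
        allow-transfer { xfer-secondary; };
        also-notify { 198.51.100.53; };
    };
};
```

To check a configuration like this, run `named-checkconf /etc/namedb/named.conf` and `named-checkzone example.com /etc/namedb/master/example.com.db` on the box, then test from outside: `dig @203.0.113.1 example.com SOA` should answer with the `aa` (authoritative) flag set, `dig @203.0.113.1 www.example.net` (any name you are not authoritative for) should come back REFUSED because recursion is off, and `dig @203.0.113.1 example.com AXFR` from any host other than the secondary should end in "Transfer failed."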
-
Hey! Thanks for taking the time to respond with such detail. It was the missing view that did it for me. You the man :)
Chris
-
You're welcome.
I'm not sure if my ACLs are setup "the right way" but I do know they work. It'd be great if some BIND/ACL expert could comment on what I've done.