Forwarding Nameserver with BIND 9

I know all of the djbdns fans will attack me, but I set up a forwarding nameserver with the built-in BIND 9.3.1 version packaged with FreeBSD 5.4. I did give djbdns the old college try using the ports tree, but I had trouble getting daemontools and scvscan working in the time I allotted for the project. I was able to get BIND working strictly as a forwarding server using the following steps.

First I created a rndc.key file using rndc-confgen.

janney:/etc/namedb# rndc-confgen -a
wrote key file "/etc/namedb/rndc.key"

I created a /etc/named/rndc.conf file and copied the contents of /etc/namedb/rndc.key into rndc.conf, along with the entries shown below:

options {
        default-server  localhost;
        default-key     "rndc-key";
};

server localhost {
        key     "rndc-key";
};

key "rndc-key" {
        algorithm hmac-md5;
        secret "OBSCURED";
};

I then modified /etc/namedb/named.conf in the following ways.

        listen-on       { 127.0.0.1; 192.168.3.7;};

        forward only;

        forwarders {
                192.168.2.1;
        };

The first line tells BIND where to listen. The second tells BIND to only forward DNS requests. The third line tells BIND where to forward requests.

So what's the purpose of this setup? I am running BIND on a central system to which various remote sensors connect. All of them will be configured to ask DNS requests of this central system through an IPSec tunnel. None will make DNS requests on the client networks. This reduces the traffic caused by the sensor on the client network.

I had trouble setting up BIND using the configuration I outlined before. Specifically, BIND did not recognize the controls directive:

janney:/etc/namedb# named -g
28-Jun-2005 17:07:57.969 starting BIND 9.3.1 -g
28-Jun-2005 17:07:57.970 found 2 CPUs, using 2 worker threads
28-Jun-2005 17:07:57.986 loading configuration from '/etc/namedb/named.conf'
28-Jun-2005 17:07:57.987 /etc/namedb/named.conf:27: unknown option 'controls'
28-Jun-2005 17:07:57.991 loading configuration: failure
28-Jun-2005 17:07:57.991 exiting (due to fatal error)

I have no idea why this happened. Once I removed the controls section, everything worked. This is what I used for controls:

controls {
  inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

Comments on why this failed are appreciated.

Comments

Anonymous said…
All I can think why it failed would be because you had controls before defining the key. Mine looks the same as your except my controls statement also has a port configure.
6:24 PM
Anonymous said…
Mine looks the same also. Perhaps the order is essential.

By the way, I too had problems with djbdns and had to use BIND. It's an internal box on my home network, so I'm not too worried.
7:22 PM
Anonymous said…
now when u're talking bad about djbdns publicly, then u're just asking for it... ;P

nah, just kidding. But to all of the folks that have problems, why not just consider compiling it manually? I know I did. And it worked with my FreeBSD system. I don't believe there's any stuff in there (the ports tree) to warrant having to use the ports system to compile djbdns, or any of its dependencies...

Besides, it's not as if the code is not stable! right? The code's been like not moving for quite a while now (just like qmail-1.03)

So good luck, and have some fun/experimentation with djbdns!
7:48 AM
Anonymous said…
If you think using ports is about compiling then you're missing the plot.

Package management, version control, integrity checking, auditing, compliance to the way the OS builders intended the system to be used etc, all of these things gets accomplished by using the ports - and other package management system - for all your software needs. You gain a lot more than just having a simple compile done.

Want to upgrade package A, ask the package system what depends on A so you know what to rebuild. Really simple example where having a big network with maybe more than one admin installing from source would completely fall flat.
2:45 PM
Anonymous said…
yes, i know. My point was just that djbdns doesn't really depend on a load of stuff (or others, on it, that requires some trickiness that requires ports. Want a dns server/cache? Sure! no big deal. Just put it in /etc/resolv.conf) - so imo, it is perfectly fine to compile it by hand if you want to. Just know that the source hasnt moved for some time already, and probably wont move ever (djb reserves the last word on that, of course).
6:40 AM
mechanix said…
'controls' statement has to be before (not in) 'options'
6:12 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more