Difference between revisions of "DNS cache"

From securityrouter.org, an OpenBSD-based firewall

Revision as of 21:02, 29 April 2013

In an attempt to encourage administrators to minimize their router/firewall's vulnerability surface, the SR series does not currently provide a DNS server. However, it is possible to enable BIND's named (see the OpenBSD named.conf manual page, http://www.openbsd.org/cgi-bin/man.cgi?query=named.conf) if you find it absolutely necessary, by following these steps. It requires root access and uses skeleton files. This is not officially supported, and might not be possible in future software versions. The example below provides both a recursive (caching) DNS forwarder and one split-horizon zone.

Start by enabling root access and log in using SSH.

Create /cfg/skel/rc.local (using, for example, vi) with the following contents:

mount -uw /                      # remount the root filesystem read-write
cp /cfg/named.* /var/named/etc/  # copy the config and zone file into named's chroot
named                            # start the name server
mount -ur /                      # back to read-only

Then create /cfg/named.conf with the following contents:

options { forwarders { 8.8.8.8; }; forward only; };
zone "split-example.org" { type master; file "/etc/named.host1"; };

Finally create /cfg/named.host1 with the following contents. named runs chrooted in /var/named, so the zone path /etc/named.host1 given in named.conf refers to /var/named/etc/named.host1, which is where the rc.local above copies it:

$TTL 1h
@ IN SOA localhost. root.localhost. ( 2003052800 86400 300 604800 3600 )
@ IN NS localhost.
@ IN A 192.168.1.100
* IN A 192.168.1.100

Forwarding queries over VPN

If you are using a DNS server on the other side of an IPsec tunnel as the forwarder (such as an internal Windows server), you might need to specify named's source address so that the queries match the tunnel's policy. In that case, modify named.conf as follows:

options { forwarders { 192.168.2.100; }; forward only; query-source address 192.168.1.1; };

where 192.168.1.1 is this router's internal IP address, and 192.168.2.100 is the DNS server on the other side of the IPsec tunnel.
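The named.conf fragments above say where queries are forwarded but leave who may query, and which interfaces named listens on, to named's defaults and to the firewall's rules. The following script is an added example (not from the securityrouter.org page or the SR software): it renders the same forward-only configuration, for both the plain and the over-IPsec case, with an explicit listen address and a recursion ACL so the resolver only serves the internal network, then runs basic checks on the result. The forwarders 8.8.8.8 and 192.168.2.100, the zone split-example.org and the zone file contents are the page's own; the internal network 192.168.1.0/24 is an assumption derived from the page's 192.168.1.1 address, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the securityrouter.org page: render the page's forward-only
# named.conf with an explicit listen address and recursion ACL, then sanity-check it.
# Assumed: internal address 192.168.1.1 on network 192.168.1.0/24 (the page only
# gives the address). Forwarders, zone name and zone file are taken from the page.

# render_named_conf FORWARDER LISTEN_ADDR INTERNAL_NET [QUERY_SOURCE]
# Prints a named.conf to stdout. QUERY_SOURCE is optional and covers the
# over-IPsec case, where named must send its queries from the internal address.
render_named_conf() {
    fwd=$1; listen=$2; net=$3; qsrc=$4
    printf 'acl internal { %s; 127.0.0.1; };\n' "$net"
    printf 'options {\n'
    printf '    listen-on { %s; 127.0.0.1; };\n' "$listen"   # internal side only
    printf '    forwarders { %s; };\n' "$fwd"
    printf '    forward only;\n'
    if [ -n "$qsrc" ]; then
        printf '    query-source address %s;\n' "$qsrc"
    fi
    printf '    allow-query { internal; };\n'                 # who may ask at all
    printf '    allow-recursion { internal; };\n'             # who may use the cache
    printf '};\n'
    printf 'zone "split-example.org" { type master; file "/etc/named.host1"; };\n'
}

# check_named_conf FILE
# Fails if the restricting clauses are missing; runs named-checkconf (part of BIND)
# when it is installed, which is not the case on every host.
check_named_conf() {
    grep -q 'allow-recursion' "$1" || { echo "$1: no allow-recursion clause" >&2; return 1; }
    grep -q 'listen-on' "$1"       || { echo "$1: no listen-on clause" >&2; return 1; }
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1" || return 1
    fi
    return 0
}

# check_zone_file ZONE FILE
# A zone file needs exactly one SOA and at least one NS record; named-checkzone
# does the full check when BIND's tools are available.
check_zone_file() {
    soa=$(grep -c ' SOA ' "$2" || true)
    [ "$soa" -eq 1 ] || { echo "$2: expected one SOA record, found $soa" >&2; return 1; }
    grep -q ' NS ' "$2" || { echo "$2: no NS record" >&2; return 1; }
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2" || return 1
    fi
    return 0
}

main() {
    # Writes to a scratch directory for review; on the SR the files belong in /cfg/.
    dir=$(mktemp -d)
    render_named_conf 8.8.8.8 192.168.1.1 192.168.1.0/24 > "$dir/named.conf"
    render_named_conf 192.168.2.100 192.168.1.1 192.168.1.0/24 192.168.1.1 > "$dir/named.conf.vpn"
    # The page's zone file, embedded here so the zone check has something to run on.
    cat > "$dir/named.host1" <<'EOF'
$TTL 1h
@ IN SOA localhost. root.localhost. ( 2003052800 86400 300 604800 3600 )
@ IN NS localhost.
@ IN A 192.168.1.100
* IN A 192.168.1.100
EOF
    check_named_conf "$dir/named.conf" && check_named_conf "$dir/named.conf.vpn" \
        && check_zone_file split-example.org "$dir/named.host1" \
        && echo "configs rendered and checked in $dir"
}

main
```

The listen-on and allow-recursion clauses are what keep the caching resolver from being reachable from the external interface even if a firewall rule is later loosened; they are defense in depth on top of pf, not a replacement for it. Remember to bump the SOA serial (2003052800 above) whenever the zone file changes, or secondaries and caches will keep the old data.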