DNS cache

From securityrouter.org, an OpenBSD-based firewall

In an attempt to encourage administrators to minimize their router/firewall's vulnerability surface, the security router does not currently provide a DNS server. However, it is possible to enable Unbound or BIND by following these steps. This requires root access and uses skeleton files, and it is not officially supported. The examples below provide both a recursive (caching) DNS and one split-horizon zone.

Unbound

Start by enabling root access and log in using SSH.

Create or edit /cfg/skel/rc.local (using for example vi) with the following contents:

# remount the root filesystem read-write only long enough to install the config
mount -uw /
cp /cfg/unbound.conf /var/unbound/etc/
mount -ur /
# writable memory filesystem for the trust anchor (root.key) that unbound-anchor maintains
mount_mfs -o nodev,nosuid -s 1024 swap /var/unbound/db
# fetch or refresh the DNSSEC root trust anchor before starting the daemon
unbound-anchor -v
unbound

and then create /cfg/unbound.conf with whatever Unbound configuration you want; for example:

server:
    interface: 0.0.0.0
    interface: ::0
    # allows recursion from any source; combined with the wildcard interfaces above this
    # is an open resolver reachable from the WAN. Restrict it to your LAN prefixes instead,
    # e.g. "access-control: 10.2.1.0/24 allow" (anything not listed is refused by default)
    access-control: 0.0.0.0/0 allow
    # root trust anchor kept up to date by unbound-anchor; enables DNSSEC validation
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    # split-horizon zone: example.com is answered only from the local-data below
    local-zone: "example.com." static
    local-data: "www.example.com. IN A 1.2.3.4"
    # matching reverse zone for 10.2.1.0/24
    local-zone: "1.2.10.in-addr.arpa." static
    local-data-ptr: "10.2.1.101 reverse.example.com."
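As an added check (not code from this page or from the Unbound project), the following Python script audits the server: clause above for the open-resolver combination of wildcard interfaces plus a world-wide allow, confirms that a DNSSEC trust anchor is configured, and verifies that every local-data and local-data-ptr owner lies inside a declared local-zone. The embedded sample is the configuration above; the LAN prefix 10.2.1.0/24 used in the hardened variant is an assumption taken from the PTR example.

```python
import ipaddress

# Constructed sample: the unbound.conf shown on this page.
PAGE_CONF = """server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 0.0.0.0/0 allow
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    local-zone: "example.com." static
    local-data: "www.example.com. IN A 1.2.3.4"
    local-zone: "1.2.10.in-addr.arpa." static
    local-data-ptr: "10.2.1.101 reverse.example.com."
"""
WILDCARD_IFACES = {"0.0.0.0", "::0", "::"}

def parse_options(text):
    """Flatten 'key: value' lines into (key, value) pairs; comments and quotes dropped."""
    opts = []
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].partition(":")
        if value.strip():  # skips blank lines and clause headers such as 'server:'
            opts.append((key.strip(), value.strip().replace('"', "")))
    return opts

def in_declared_zone(name, zones):
    """True if the owner name is at or below one of the declared local-zone names."""
    return any(name == z or name.endswith("." + z) for z in zones)

def audit(text):
    """Return findings for the server: clause of an unbound.conf; [] means nothing flagged."""
    opts = parse_options(text)
    findings = []
    wildcard = any(k == "interface" and v in WILDCARD_IFACES for k, v in opts)
    zones = [v.split()[0].lower() for k, v in opts if k == "local-zone"]
    for key, value in opts:
        if key == "access-control":
            net, action = value.split()[:2]
            # 'allow' on a zero-length prefix while bound to every interface = open resolver
            if action == "allow" and wildcard and ipaddress.ip_network(net, strict=False).prefixlen == 0:
                findings.append(f"open resolver: {net} allowed while listening on a wildcard interface")
        elif key in ("local-data", "local-data-ptr"):
            first = value.split()[0]
            # local-data names its owner directly; local-data-ptr names an address to reverse-map
            owner = first.lower() if key == "local-data" else ipaddress.ip_address(first).reverse_pointer + "."
            if not in_declared_zone(owner, zones):
                findings.append(f"{key} {owner} is outside every local-zone")
    if not any(k in ("auto-trust-anchor-file", "trust-anchor-file") for k, _ in opts):
        findings.append("no DNSSEC trust anchor: answers will not be validated")
    return findings
```

Run audit() over /cfg/unbound.conf before rebooting; unbound-checkconf validates syntax, not policy choices like these.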

Unbound on earlier versions

In security router releases other than 3.4 (OpenBSD 5.6), Unbound is not part of the software and has to be installed manually. However, Mikael Löfstrand has kindly created a package. The example below provides a recursive (caching) DNS.

Start by making sure you have enabled root access, then log in with SSH and install Perl.

Then run (as root); the script is fetched over the network and will be executed as root at every boot, so review its contents before marking it executable:

# ftp -o /cfg/unbound-install.sh https://raw.githubusercontent.com/mld/halon-unbound/master/3.1-fox/unbound-install.sh
# chmod +x /cfg/unbound-install.sh

(The raw file URL is used here; the GitHub "blob" page URL returns HTML rather than the script.)

Optionally put a customized unbound.conf in /cfg/skel (replace <router-address> with the router's management address):

# scp unbound.conf root@<router-address>:/cfg/skel/unbound.conf

Add a startup command to /cfg/skel/rc.local by running

# echo "/cfg/unbound-install.sh &" >> /cfg/skel/rc.local

Now we are ready to reboot. Unbound should then start automatically and listen on port 53 (both TCP and UDP) on all available interfaces. As long as there is a working internet connection at boot time, unbound-anchor also downloads and configures the root (.) DNSSEC key, and a named.cache is downloaded so that Unbound knows where to find the root servers.