Internal DNS with BIND on FreeBSD
Local DNS resolution (outbound)
This could be done with unbound, but that would have to be undone as I want to use BIND to serve my local domain anyway, so I elected not to configure unbound during installation and instead install BIND 9.12:
# pkg install bind912
Edit /usr/local/etc/namedb/named.conf, adding the LAN IP of the device to the listen-on list, and uncomment the forwarders block, replacing 127.0.0.1 with your upstream DNS servers (currently using OpenDNS). Configure BIND to start at boot time:
# echo 'named_enable="YES"' >> /etc/rc.conf
# service named start
Hosts on the LAN should now be able to resolve outside names through this server. But what about internal names? WINS is awful in my experience, and not all my devices speak it.
Configure a TSIG key
We need an appropriate key for the DHCP server (still coming) to authenticate to DNS when it updates the local zones. The first command generates the key; the second strips away the metadata and leaves only the secret that you’ll use in the configuration files:
# dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpupdate
# cat K*.key | awk '{print $7}'
Now, immediately after the options {}; block in named.conf, paste the key definition (with the key output from above in place of SUPER_SECRET_KEY==) and two zone definitions:
key dhcpupdate {
algorithm hmac-md5;
secret "SUPER_SECRET_KEY==";
};
zone "home.fwaggle.org" {
type master;
file "home.fwaggle.org.zone";
allow-update { key dhcpupdate; };
};
zone "10.in-addr.arpa" {
type master;
file "home.fwaggle.org.rev";
allow-update { key dhcpupdate; };
};
10.in-addr.arpa is already defined further down in the stock named.conf, so comment out that existing definition. Now we need a couple of empty zone files; this should get you started:
# cat > working/home.fwaggle.org.rev
$ORIGIN .
$TTL 10 ; 10 seconds
10.in-addr.arpa IN SOA ns.home.fwaggle.org. fwaggle.fwaggle.org. (
34 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
10 ; minimum (10 seconds)
)
$TTL 3600 ; 1 hour
NS ns.home.fwaggle.org.
$ORIGIN 0.0.10.in-addr.arpa.
1 PTR router.home.fwaggle.org.
^d
# cat >> namedb/working/home.fwaggle.org.zone
$ORIGIN .
$TTL 10 ; 10 seconds
home.fwaggle.org IN SOA ns.home.fwaggle.org. fwaggle.fwaggle.org. (
47 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
10 ; minimum (10 seconds)
)
$TTL 3600 ; 1 hour
NS ns.fwaggle.org.
ns A 10.0.0.1
router A 10.0.0.1
^d
Pretty sure the TTLs and so on are wrong, but I can fix those later and will update the documentation at that point.
If you restart BIND with service named restart, you should be ready for Dynamic DNS updates once you’ve configured DHCP.