Sunday 6 March 2011

OpenBSD: Unbound Domain Name Server

Local DNS Server Relay

Introduction

A Local DNS Server Relay is useful within a local network when an internet-facing web server is present, and you wish to access it by name from within the local network.

A DNS Server with a local override enables the internet addresses of internal webservers to be overridden with the internal address instead of the external internet address.

This is useful, particularly when the internet modem that performs the network address translation from the internet address (WAN) to the appropriate local area network address (LAN) cannot "loop back" connections that LAN hosts make to its own WAN address (so-called NAT hairpinning): a browser on the LAN resolves the public name to the WAN address, and the connection never reaches the internal server.

The solution is to run a local DNS server, but override the names of the internal webservers. Two programs can do this (dnsmasq and unbound).

Unbound is a recursive, caching resolver: it answers queries by iterating from the root nameservers itself, rather than forwarding them to the ISP's resolver, and it caches the results. dnsmasq is a forwarder: it also caches, but every query it cannot answer from cache or from local entries is handed to an upstream resolver, so you remain dependent on the ISP's servers. This note describes the installation of unbound on OpenBSD.

Installation

Install unbound (the package name below is the version and architecture that were current when this was written; pick the one matching your release and platform):
pkg_add -i ftp://ftp.mirrorservice.org/pub/OpenBSD/snapshots/packages/i386/unbound-1.4.7.tgz
Download the root hints file (the list of root nameservers). It must live inside the chroot, since that is the only part of the filesystem unbound can see once it has chrooted:
mkdir -p /var/unbound/var/hints
cd /var/unbound/var/hints
ftp ftp://FTP.INTERNIC.NET/domain/named.cache
Edit the configuration file /var/unbound/etc/unbound.conf. All of these options belong in the server: clause, and file paths are written relative to the chroot. Only allow queries from the local network: an access-control line of 0.0.0.0/0 allow would turn the machine into an open resolver should it ever become reachable from the internet (192.168.2.0/24 is assumed here as the LAN prefix, from the addresses used below; if the box has more than one address, bind interface to the LAN address instead of 0.0.0.0). A local-data entry is one resource record, and the whole record goes inside a single pair of quotes:
server:
    interface: 0.0.0.0
    access-control: 192.168.2.0/24 allow
    outgoing-range: 64
    chroot: "/var/unbound"
    directory: "etc"
    root-hints: "/var/hints/named.cache"
    local-zone: "local." static
    local-data: "mycomputer.local. IN A 192.168.2.1"
    local-data: "www.mydomainname.co.uk. IN A 192.168.2.2"
Change the default DNS server to be the local machine:
  1. If the DNS server list is passed via DHCP, it should be done on the DHCP server (usually the modem that interfaces to the internet).
  2. If the DNS server list is configured statically, it must be modified on each machine on the internal network (on OpenBSD this is /etc/resolv.conf) - note that DHCP is a better mechanism for allocation, particularly with laptops and other mobile computers.
Create a startup script in /etc/rc.d/unbound and make it executable (chmod +x /etc/rc.d/unbound). rc.subr supplies the start, stop, restart and check actions; with no flags, unbound reads the package's default configuration file, /var/unbound/etc/unbound.conf:
#!/bin/sh
#
# unbound domain name server
#

daemon="/usr/local/sbin/unbound"
daemon_flags=""
. /etc/rc.d/rc.subr
rc_cmd $1
Start the server:
/etc/rc.d/unbound start
Making Things Permanent

Edit /etc/rc.conf.local rather than /etc/rc.conf (rc.conf belongs to the base system and is replaced on upgrade), and ensure that unbound is included in rc_scripts. Note that from OpenBSD 5.0 onwards this variable is called pkg_scripts.
# rc.d(8) daemons scripts
# started in the specified order and stopped in reverse order
rc_scripts="unbound samba"
Integrating into the Admin Webserver

In order to integrate this function into the admin webserver, the local-data entries must be moved out of the unbound.conf file and generated automatically from whatever the webserver stores.

Remove the local-data lines from the unbound.conf file.
Copy the remaining unbound.conf to unbound.src; this is the fixed template that the generated entries are appended to.
Have the admin webserver write the local-data lines (indented under server:, as above) to /var/localadm/etc/unbound.local-data.
Create a script in /var/localadm/bin/reconfiguredns. It must run as root to restart unbound, so the webserver needs a sudo rule limited to this one script:
#!/bin/sh
# Rebuild unbound.conf from the fixed template plus the entries generated by
# the admin webserver, then restart unbound so they take effect.
cat /var/unbound/etc/unbound.src /var/localadm/etc/unbound.local-data > /var/unbound/etc/unbound.conf
/etc/rc.d/unbound restart
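The following is an added example, not the post's own script, of a more careful reconfiguredns. It assumes the admin webserver saves its entries as a hosts-style file, /var/localadm/etc/hosts.override, with one "IPv4-address name" per line (a path and format chosen for this example, not from the original page), generates the local-data lines from it, writes the new unbound.conf beside the old one, and only moves it into place after unbound-checkconf (which ships with unbound) accepts it. A malformed entry from the web form is therefore skipped, and a rejected configuration never replaces the working one.

```shell
#!/bin/sh
# Added example, not the post's own script: regenerate unbound.conf from a
# template plus a hosts-style override list, validate the result, and only
# then restart unbound.  Assumed (not from the original page): the override
# file /var/localadm/etc/hosts.override holds one "<IPv4> <name>" per line,
# '#' comments and blank lines allowed.  Other paths follow the post.

# Emit one "local-data:" record per override line.  Names are made absolute
# with a trailing dot; malformed lines are reported on stderr and skipped, so
# a typo entered through the admin web page cannot stop the resolver.
gen_local_data() {
    awk '
        function valid_ip(s,    o, n, i) {
            n = split(s, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        NF == 2 && valid_ip($1) && $2 ~ /^[A-Za-z0-9.-]+$/ {
            name = $2
            sub(/\.$/, "", name)
            printf "    local-data: \"%s. IN A %s\"\n", name, $1
            next
        }
        { print "skipping malformed line " NR ": " $0 > "/dev/stderr" }
    ' "$1"
}

# rebuild_conf TEMPLATE OVERRIDES CONF [CHECKER]
# Write the new configuration beside the old one, have it checked, and move it
# into place only if the check passes.  CHECKER defaults to unbound-checkconf;
# if it is not installed the check is skipped with a warning.
rebuild_conf() {
    template=$1 overrides=$2 conf=$3 checker=${4:-unbound-checkconf}
    tmp="$conf.new"
    { cat "$template" &&
      echo "    # generated from $overrides by reconfiguredns; do not edit" &&
      gen_local_data "$overrides"; } > "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v "$checker" >/dev/null 2>&1; then
        if ! "$checker" "$tmp"; then
            echo "$tmp rejected, keeping $conf" >&2
            rm -f "$tmp"
            return 1
        fi
    else
        echo "warning: $checker not found, installing unchecked config" >&2
    fi
    mv "$tmp" "$conf"
}

# On the real system: /var/localadm/bin/reconfiguredns --apply
if [ "${1-}" = "--apply" ]; then
    rebuild_conf /var/unbound/etc/unbound.src /var/localadm/etc/hosts.override \
        /var/unbound/etc/unbound.conf && /etc/rc.d/unbound restart
fi
```

The restart only happens when rebuild_conf succeeds, so a rejected file leaves the previous unbound.conf and the running daemon untouched; the rejection reason from unbound-checkconf goes to stderr, where the webserver can show it to the administrator.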

