BIND 9 : Caching and forward-only named.conf

[J65nko]

A simple named.conf which forwards all DNS queries to another nameserver, and caches the answers for possible reuse.
Tested under OpenBSD 4.7 BETA with

Code:

$ named -v
BIND 9.4.2-P2

This type of configuration is useful to minimize the repeating nameserver queries issued when surfing the web.
Not only for your notebook or laptop using wireless connections, but also for a department that wishes to make use of a LAN/WAN link efficiently.

• The Access Control List (acl) limits useage of this forward-only nameserver to my local 192.168.222.0/24 subnet.
  
• The queries are forwarded to a dnscache namerver running on my OpenBSD firewall at 192.168.222.10.
  
• The cache size is limited to two MB, which probably is too much for a notebook or laptop. The comments show how to calculate this amount in bytes using bc(1), the unlimited precision calculator.
  

Code:

// Caching and forward only configuration

// Access Control List

acl  clients    {
    192.168.222.0/24  ;
};

options {
    forward only ;
    forwarders { 192.168.222.10 ; } ; 
    allow-query { clients ; } ;
    // max-cache-size is in bytes : echo '2 * 1024^2' | bc
    max-cache-size 2097152 ; 
    empty-zones-enable yes;
} ;

# After editing this file please use 'named-checkconf' to validate!

To enable this under OpenBSD, assuming the above configuration has been saved as /var/naned/etc/caching-forward-only.conf, you have to add the following to /etc/rc.conf.local:

Code:

named_flags='-4 -c /etc/caching-forward-only.conf'

Note that applications use the /etc/resolv.conf to find out which name server they should use. So for a departmental nameserver, all clients should have the iP address of that name server in /etc/resolv.conf

For my small department in the garage, the clients have the following in /etc/resolv.conf

Code:

nameserver 192.168.222.25

A test query shows that dig indeed selects the 192.168.222.25 nameserver:

Code:

dig www.kpn.com

; <<>> DiG 9.4.2-P2 <<>> www.kpn.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34979
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kpn.com.                   IN      A

;; ANSWER SECTION:
www.kpn.com.            3600    IN      A       145.7.192.133

;; Query time: 96 msec
;; SERVER: 192.168.222.25#53(192.168.222.25)
;; WHEN: Fri Mar  5 04:11:47 2010
;; MSG SIZE  rcvd: 45

The nameserver received this answer after 96 msec, and will cache this data for 3600 seconds, A repeat query showing a 1 msec query time and a decreased TTL (Ttime to live) of 3219.

Code:

dig www.kpn.com 

; <<>> DiG 9.4.2-P2 <<>> www.kpn.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24059
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kpn.com.                   IN      A

;; ANSWER SECTION:
www.kpn.com.            3219    IN      A       145.7.192.133

;; Query time: 1 msec
;; SERVER: 192.168.222.25#53(192.168.222.25)
;; WHEN: Fri Mar  5 04:18:08 2010
;; MSG SIZE  rcvd: 45

[J65nko]

Because I run my garage department nameserver on a regular reinstalled OpenBSD snapshot I use the following two scripts to automate the install and configuration.

The named configuration script

Code:

#----------------------------------------
FILE=/var/named/etc/caching-forward-only.conf
#FILE=$( basename ${FILE} )

echo Creating ${FILE} 

cat <<END >${FILE}
// Caching and forward only configuration

// Access Control List

acl  clients    {
    192.168.222.0/24  ;
};

options {
    forward only ;
    forwarders { 192.168.222.10 ; } ; 
    allow-query { clients ; } ;
    // max-cache-size is in bytes : echo '2 * 1024^2' | bc
    max-cache-size 2097152 ; 
    empty-zones-enable yes;
} ;

# After editing this file please use 'named-checkconf' to validate!

END

The /etc/rc.conf.local configuration is done with

Code:

# ----------------------------------------
FILE=./etc/rc.conf.local
#FILE=$( basename ${FILE} )
echo Enabling 'named' as forward-only resolver in ${FILE}

cat <<END >> $FILE

#  note that the 'named' configuration file is in '/var/naned/etc'
#  because of the chroot in "/var/named" , it has to be specified 
#  without the "/var/named" part.
named_flags='-4 -c /etc/caching-forward-only.conf'

END

You can check with netstat, whether named is running, it will use port 53 on both TCP and UDP

Code:

$ netstat -an -f inet
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.168.222.25.22      192.168.222.244.35967  ESTABLISHED
tcp          0      0  127.0.0.1.587          *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.515                  *.*                    LISTEN
tcp          0      0  192.168.222.25.22      *.*                    LISTEN
tcp          0      0  127.0.0.1.953          *.*                    LISTEN
tcp          0      0  192.168.222.25.53      *.*                    LISTEN
tcp          0      0  127.0.0.1.53           *.*                    LISTEN
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  192.168.222.25.27727   85.17.207.62.123      
udp          0      0  192.168.222.25.34152   213.206.97.167.123    
udp          0      0  192.168.222.25.34002   194.109.64.200.123    
udp          0      0  *.19590                *.*                   
udp          0      0  192.168.222.25.53      *.*                   
udp          0      0  127.0.0.1.53           *.*                   
udp          0      0  *.514                  *.*

[J65nko]

Note that on OpenBSD the key for rndc(8), the 'remote name daemon control' utility is automatically generated. From the rc messages:

Code:

setting tty flags
pf enabled
starting network
starting system logger
rndc-confgen: generating new shared secret... done.
starting named
openssl: generating new isakmpd RSA key... done.
starting initial daemons: ntpd.
savecore: no core dump

[asemisldkfj]

How does such a helpful thread as this have no replies? I've been around since the BSDforums days, and only drop in on Daemon Forums about twice a year, and J65nko has always been one of the most knowledgeable and helpful posters. Point is, thanks for this thread! I've become a bit tired of hosts files and nmbd for local name resolution.