# BIND as a caching DNS server

## gareth

Any BIND gurus out there ?

I have a local network of three machines, one of which is a Gentoo machine I use as a Samba/DNS/mail etc server for fun, and to learn; and two Windows machines.  The three machines are on a hub, and also plugged in is an ADSL router (one of the simple Conexant chip ones).

I've created a zone file for static IP machines - currently the server and the router (I'll look at configuring Dynamic DNS for the two windows machines later), and it seems to work OK.

But being the inquisitive type, I ran the Ethereal packet sniffer on one of the Windows machines, and noticed that BIND wasn't caching my queries.  I used ping on the Windows machine to ping web sites.

My setup is to use the 'forward' directive within the named.conf file to point my server at the router's built-in DNS server if the server can't find anything in its cache.  My thinking is that BIND should ask the router the first time it is queried for a 'new' site, and subsequently cache this for future use.  When I run a ping for the first time, Ethereal shows this:-

```
No.  Time        Source                      Destination                 Protocol Info
28   2.493896    10.0.0.145                  server.garethwilliams.me.uk DNS      Standard query A www.gentoo.org
29   2.495491    server.garethwilliams.me.uk router.garethwilliams.me.uk DNS      Standard query A www.gentoo.org
31   2.520749    router.garethwilliams.me.uk server.garethwilliams.me.uk DNS      Standard query response A 65.19.163.231 A 66.45.74.45 A 199.246.73.203
32   2.522168    server.garethwilliams.me.uk 10.0.0.145                  DNS      Standard query response A 199.246.73.203 A 65.19.163.231 A 66.45.74.45
35   2.534230    10.0.0.145                  www.gentoo.org              ICMP     Echo (ping) request
36   2.748464    www.gentoo.org              10.0.0.145                  ICMP     Echo (ping) reply
47   3.535625    10.0.0.145                  www.gentoo.org              ICMP     Echo (ping) request
48   3.657501    www.gentoo.org              10.0.0.145                  ICMP     Echo (ping) reply
59   4.537117    10.0.0.145                  www.gentoo.org              ICMP     Echo (ping) request
60   4.662440    www.gentoo.org              10.0.0.145                  ICMP     Echo (ping) reply
71   5.543504    10.0.0.145                  www.gentoo.org              ICMP     Echo (ping) request
72   5.689423    www.gentoo.org              10.0.0.145                  ICMP     Echo (ping) reply
```

(I've filtered on DNS or ICMP packets so that it doesn't display the multitude of SMB/NetBios junk that Windows kicks out - hence the non-contiguous line numbers).

If I leave it for long enough for Windows to forget the cached entries and ask DNS when it pings, I get the same result: In lines 29 & 30, the server (running BIND) queries the router (running its own DNS) for info on www.gentoo.org.  Surely, if it's a caching name server, then it should have these details in its cache!

I've looked through example setups on the Internet, and can't see any pointers to how long BIND caches DNS entries, and all the zone files I've created are for the localhost and my local network (garethwilliams.me.uk).

Anyone any ideas?

Thanks in advance,

Gareth

----------

## steveb

could you post your bind configuration?

cheers

SteveB

----------

## gareth

Here is my named.conf:-

```
logging {
   channel to_file {
      file "/var/log/bind.log";
   };
   category default {to_file;};
};

controls {
   inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

key "rndc_key" {
   algorithm hmac-md5;
   secret "oxGqmCbuKxJjWWVwEk8FzQ==";
};

options {
   directory "/var/bind";

   # Ask router's DNS for non-local queries.
   forwarders {10.0.0.2;};

   # Let router's DNS find out the answer, don't do it ourselves.
   forward only;

   # Only queries from local net.
   allow-query {"localnets";};

   # Don't do zone-transfers to anyone!
   allow-transfer{"none";};
};

# Not using this, as the router's DNS will find the answers for us
# using the 'forward' options above.
#zone "." IN {
#   type hint;
#   file "named.ca";
#};

# zone info for localhost
zone "localhost" IN {
   type master;
   file "pri/localhost.zone";
};

# reverse lookup zone info for localhost
zone "0.0.127.in-addr.arpa" IN {
   type master;
   file "pri/127.zone";
};

# zone info for local machines
zone "garethwilliams.me.uk" IN {
   type master;
   file "pri/garethwilliams.me.uk.zone";
};

# reverse lookup zone info for local machines
zone "0.0.10.in-addr.arpa" IN {
   type master;
   file "pri/0.0.10.in-addr.arpa.zone";
};
```

Please ignore the first few lines.  I've not even got round to looking at them yet!!!!

Thanks,

Gareth

----------

## steveb

you miss several points in your configuration. if you want, i could post a configuration i would use in your situation. but before i continue, let me ask you several things:

- do you use dhcp in your setup?
- what is the ip of the router?
- what is the ip of the server?
- what is your internal network range (10.0.0.0/24)?

cheers

SteveB

----------

## gareth

I use the DHCP server on the router.  Unfortunately, it doesn't update the DNS server on the router, which is the real reason I started to play with BIND (and also to get DNS for my local machines).

At first, I had DHCP and DNS running on the server (can't remember which package), but with that setup, I trashed the server while playing around, and couldn't get onto the Internet to search/ask for help!

The Conexant router is set to the factory default of 10.0.0.2.

I've put my server at 10.0.0.3.

I use 10.0.0.0/24 for the network.

Thanks for your help with this.  I could give up and use a simpler DNS server, but that's a defeatist attitude isn't it   :Very Happy: 

Thanks,

Gareth

----------

## steveb

 *gareth wrote:*   

> I use the DHCP server on the router.  Unfortunately, it doesn't update the DNS server on the router, which is the real reason I started to play with BIND (and also to get DNS for my local machines).
> 
> At first, I had DHCP and DNS running on the server (can't remember which package), but with that setup, I trashed the server while playing around, and couldn't get onto the Internet to ask search/ask for help!
> 
> The Conexant router is set to the factory default of 10.0.0.2.
> ...

 

okay. then allow me to be the bad guy and show you how to configure dhcp and bind to allow you to manage local clients and allow dhcpd to update your bind server automatically.

first create a key for the dhcp updater:

```
cd /etc/dhcp
dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
sed -n "s/^Key: \(.*\)$/\1/gIp" *.private
```

the above command will print your key to the console. now use this key and change in your /etc/bind/named.conf the line with secret "xxxxx" under the section key "dhcp_updater" and replace the xxx in the quotes with the key you just generated.

replace your current /etc/bind/named.conf configuration with the following one (please backup your old one first):

```
# /etc/bind/named.conf

// Set up our ACLs
acl "xfer" {
   // Allow no transfers.  If we have other
   // name servers, place them here.
   none;
};

acl "bogon" {
   // Filter out the bogon networks.  These are networks
   // listed by IANA as test, RFC1918, Multicast, experimental,
   // etc.  If you see DNS queries or updates with a source
   // address within these networks, this is likely of
   // malicious origin.  (1.0.0.0/8 and 2.0.0.0/8 were unallocated
   // when this list was written; both have since been allocated
   // and should be dropped from it.)
   0.0.0.0/8;
   1.0.0.0/8;
   2.0.0.0/8;
   169.254.0.0/16;
   192.0.2.0/24;
//   10.0.0.0/8;        // our own LAN lives in 10/8, so it must not be blackholed
   172.16.0.0/12;
   192.168.0.0/16;
   224.0.0.0/3;
   240.0.0.0/4;
};

acl "trusted" {
   10.0.0.0/24;       // garethwilliams.me.uk ip range: 10.0.0.0/255.255.255.0
   127.0.0.1;         // localhost
};

key "dhcp_updater" {
   // TSIG key shared with dhcpd: secret = key generated by
   // dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
   // Only the zones below that name this key may be updated with it.
   algorithm hmac-md5;
   secret "xxxxxxxxxxxxxxxxxx";
};

key "rndc-key" {
   algorithm hmac-md5;
   secret "oxGqmCbuKxJjWWVwEk8FzQ==";
};

controls {
   inet 127.0.0.1 port 953
      allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
   directory "/var/bind";

   // DNS forwarding is turned on here; change the forwarder
   // ip address(es) to suit:
   forward first;
   forwarders {
      10.0.0.2;      // router.garethwilliams.me.uk
   };

   listen-on-v6 { none; };
   // listen-on port 53;
   listen-on port 53 {
      10.0.0.3;      // server.garethwilliams.me.uk
      127.0.0.1;     // localhost
   };

   // to allow only specific hosts to use the DNS server:
   allow-query {
      trusted;       // trusted clients
   };
   allow-transfer {
      // Zone transfers limited to members of the
      // "xfer" ACL
      xfer;
   };
   allow-recursion {
      trusted;       // trusted clients
   };
   blackhole {
      // Deny anything from the bogon networks as
      // detailed in the "bogon" ACL.
      bogon;
   };

   // if you have problems and are behind a firewall:
   //query-source address * port 53;

   pid-file "/var/run/named/named.pid";

   // misc stuff
   version "Hay hacker, why you want to know my version? Get away from me.";
   auth-nxdomain yes;
};

// Recently verisign added a wildcard A record to the .COM and .NET TLD
// zones making all .com and .net domains appear to be registered
// This causes many problems such as breaking important anti-spam checks
// which verify source domains exist. ISC released a patch for BIND which
// adds 'delegation-only' zones to allow admins to return the .com and .net
// domain resolution to their normal function.
// zone com IN { type delegation-only; };
// zone net IN { type delegation-only; };

// Link in our zones
zone "." IN {
   type hint;
   file "named.ca";
};

// Allow queries for the localhost network, but not zone transfers.
// Every name server, both slave and master, will be a master
// for this zone.
zone "localhost" IN {
   type master;
   file "pri/localhost.zone";
   allow-update {
      none;
   };
   notify no;
};

// Allow queries for the 127/8 network, but not zone transfers.
// Every name server, both slave and master, will be a master
// for this zone.
zone "127.in-addr.arpa" IN {
   type master;
   file "pri/127.zone";
   allow-update {
      none;
   };
   notify no;
};

// Allow queries for the 10.0.0.0/24 network, but allow only
// updates signed with key dhcp_updater.
zone "0.0.10.in-addr.arpa" IN {
   type master;
   file "pri/0.0.10.in-addr.arpa.zone";
   allow-update {
      key "dhcp_updater";
   };
   notify no;
// For secondary DNS server
//   notify yes;
//   also-notify {
//      10.0.0.x;
//   };
};

// Allow queries for the garethwilliams.me.uk network, but allow
// only updates signed with key dhcp_updater.
zone "garethwilliams.me.uk" IN {
   type master;
   file "pri/garethwilliams.me.uk.zone";
   allow-update {
      key "dhcp_updater";
   };
   notify no;
// For secondary DNS server
//   notify yes;
//   also-notify {
//      10.0.0.x;
//   };
};

logging {
   channel query_logging {
      file "/var/log/bind/query.log" versions 3 size 10M;
      print-time yes;
   };

   channel to_file {
      file "/var/log/bind/bind.log" versions 3 size 10M;
      print-time yes;
   };

   category queries {
      query_logging;
   };

   category default {
      to_file;
   };

   category lame-servers { null; };
};
```

if you do not have the directory /var/log/bind then please make it first:

```
mkdir -p /var/log/bind
chown -R bind:bind /var/log/bind
```

for dhcp change your /etc/dhcp/dhcpd.conf to be something like this (you need as well to replace the secret key for the dhcp_updater):

```
# /etc/dhcp/dhcpd.conf

# option definitions common to all supported networks...
option domain-name "garethwilliams.me.uk";
# Hand out only the server's address here: a hostname such as "localhost"
# is resolved by dhcpd at startup, and 127.0.0.1 would be pushed to clients.
option domain-name-servers 10.0.0.3;

default-lease-time 14400;
max-lease-time 28800;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# Dynamic DNS update
ddns-update-style interim;                 # 'ad-hoc' is deprecated; the key/zone
                                           # statements below belong to 'interim'
ddns-domainname "garethwilliams.me.uk";    # name of the domain
ddns-rev-domainname "0.0.10.in-addr.arpa"; # reverse domain name
update-static-leases true;                 # update static addresses in DNS as well

#######################################################
# Set the KEY, secret = key generated by dnssec-keygen
# (the same secret as key "dhcp_updater" in named.conf)
# secret key created with: dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
# key and zone declarations are global in dhcpd.conf, so they
# sit outside the subnet block.
key dhcp_updater {
   algorithm hmac-md5;
   secret "xxxxxxxxxxxxxxxxxxx";
}
#######################################################
# which zones should be updated in DNS, and with which key
zone garethwilliams.me.uk. {
   primary 10.0.0.3;
   key "dhcp_updater";
}
#######################################################
zone 0.0.10.in-addr.arpa. {
   primary 10.0.0.3;
   key "dhcp_updater";
}
#######################################################

# garethwilliams.me.uk network (10.0.0.1 - 10.0.0.254)
subnet 10.0.0.0 netmask 255.255.255.0 {
   range 10.0.0.50 10.0.0.100;                   # Internal DHCP range
   range dynamic-bootp 10.0.0.101 10.0.0.105;    # BOOTP range
   option ntp-servers 10.0.0.3;                  # NTP server
   option domain-name-servers 10.0.0.3,10.0.0.3; # DNS servers
   option netbios-node-type 8;                   # WINS hybrid type (WINS - broadcast)
   option netbios-name-servers 10.0.0.3,10.0.0.3; # WINS name servers
   option domain-name "garethwilliams.me.uk";    # Domain name
   option routers 10.0.0.3,10.0.0.3;             # Default gateway handed to clients: the server
                                                 # (the ADSL router itself sits at 10.0.0.2)
   option subnet-mask 255.255.255.0;
   option broadcast-address 10.0.0.255;
   default-lease-time 300;
   max-lease-time 360;

   #######################################################
   # I N T E R N A L  C L I E N T S
   #######################################################
   #
   #######################################################
   # gareth's workstation
   host gareth {
      hardware ethernet 00:00:00:00:00:00;
      fixed-address 10.0.0.xxx;
   }
   #######################################################
   # END
   #######################################################

   #######################################################
   # R E S E R V E D  F O R  S E R V E R S / S E R V I C E
   #######################################################
   # Use IP addresses, allowing them to use BOOTP and
   # other services.
   # Probably they will NOT use DHCP to get the address,
   # but we list them here anyway.
   #######################################################
   #
   #######################################################
   # ADSL Router
   host router {
      hardware ethernet 00:00:00:00:00:00;
      fixed-address 10.0.0.2;
   }
   #######################################################
   # Server
   host server {
      hardware ethernet 00:00:00:00:00:00;
      fixed-address 10.0.0.3;
   }
   #######################################################
   # END
   #######################################################
}

#######################################################
# ADSL modem range
subnet abc.abc.abc.abc netmask xyz.xyz.xyz.xyz {
   not authoritative;
}
#######################################################
```

the above configuration only reserves addresses from 10.0.0.50 to 10.0.0.100 for local clients (i hope you do not have more?).

if you want to use dhcp to always give the same address to certain hosts, then look at the bottom of the dhcp configuration. you only need to add there the host name (the one you use in the bind configuration for that specific system) and you need to add the mac address and a fixed ip address.

please add/change the mac address for the server and the router in the dhcpd configuration (now i have set them up as 00:00:00:00:00:00).

another thing i would suggest is to add a subnet for your adsl modem and flag that subnet as not authoritative.

let me know if this is okay for you and if you need more help.

cheers

SteveB

----------

## ARC2300

Simple way to make it caching and not forwarding:

Remove the forwarder statements and uncomment your "named.ca" section.  By default, if BIND can't resolve the name with your DNS files, it'll hit the root servers for the info.

[edit]BTW, I just noticed in the ACL of that BIND config given that 169.254.x.x is blackholed.  Bad idea.  Those are APIPA addresses, and if your Winders machines ever assign themselves APIPA addresses, you won't have crap for name resolution.

But, that's just my opinion.  If my dhcp goes down, I still like to be able to get into my server to restart DHCP or whatever (and yes, DHCP did crash a while back because of a problem with the ebuild).
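To make the APIPA point concrete, here is an added example (not from the thread, and not BIND's own code): it reads the acl and option blocks from a constructed excerpt of the named.conf posted above and reports what named would do with a query from a given source address, checking blackhole first, then allow-query, then allow-recursion. A client that has fallen back to a 169.254.x.x address is dropped before allow-query is even consulted.

```python
import ipaddress
import re

# Constructed excerpt mirroring the ACLs and options in the named.conf above.
NAMED_CONF = """
acl "bogon" {
   0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 169.254.0.0/16; 192.0.2.0/24;
//   10.0.0.0/8;
   172.16.0.0/12; 192.168.0.0/16; 224.0.0.0/3; 240.0.0.0/4;
};
acl "trusted" {
   10.0.0.0/24;   // garethwilliams.me.uk ip range
   127.0.0.1;     // localhost
};
options {
   allow-query { trusted; };
   allow-recursion { trusted; };
   blackhole { bogon; };
};
"""


def _strip_comments(text):
    """Drop /* */, // and # comments so commented-out entries are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def parse_acls(conf):
    """Return {acl name: [ip_network, ...]} for every acl block."""
    acls = {}
    pattern = r'acl\s+"?([\w-]+)"?\s*\{(.*?)\};'
    for name, body in re.findall(pattern, _strip_comments(conf), re.S):
        entries = [e.strip() for e in body.split(";") if e.strip()]
        acls[name] = [ipaddress.ip_network(e, strict=False) for e in entries]
    return acls


def parse_options(conf):
    """Return the address-list names used by the three options we care about."""
    pattern = r"(allow-query|allow-recursion|blackhole)\s*\{(.*?)\};"
    return {key: [e.strip() for e in body.split(";") if e.strip()]
            for key, body in re.findall(pattern, _strip_comments(conf), re.S)}


def query_decision(conf, source_ip):
    """Approximate named's handling of a query from source_ip.
    Only user-defined ACLs plus the builtins 'any' and 'none' are understood."""
    acls, opts = parse_acls(conf), parse_options(conf)
    addr = ipaddress.ip_address(source_ip)

    def matches(names):
        for name in names:
            if name == "any":
                return True
            if name != "none" and any(addr in net for net in acls.get(name, [])):
                return True
        return False

    if matches(opts.get("blackhole", [])):
        return "blackholed: named silently drops the query"
    if not matches(opts.get("allow-query", ["any"])):
        return "REFUSED: source is not in allow-query"
    if not matches(opts.get("allow-recursion", ["any"])):
        return "answered from authoritative data only, recursion denied"
    return "answered, recursion allowed"
```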

----------

## steveb

i hope he does not just route everything from internal to the external adsl router. according to the definition for APIPA, windows will look every 5 minutes for the dhcp server and try to get the address again.

i personally like to know when something goes wrong. and what benefit does one have if every windows system can get to the internet, but every other system can not?

better is to get the system to be secure and reliable than tweaking around to work around problems of windows.

i have only 2 systems running with windows (one old 98se and a winnt4 system) and everything else (more than 30 CPUs) run linux (even my workstation. i have no windows at all and i do my job with my workstation and my laptop. and all my clients (i am a consultant and developer) have only windows and some of them have mac on the client.)

definition of APIPA:

```
Short for Automatic Private IP Addressing, a feature of later Windows operating systems. With APIPA, DHCP clients can automatically self-configure an IP address and subnet mask when a DHCP server isn't available. When a DHCP client boots up, it first looks for a DHCP server in order to obtain an IP address and subnet mask. If the client is unable to find the information, it uses APIPA to automatically configure itself with an IP address from a range that has been reserved especially for Microsoft. The IP address range is 169.254.0.1 through 169.254.255.254. The client also configures itself with a default class B subnet mask of 255.255.0.0. A client uses the self-configured IP address until a DHCP server becomes available. 

The APIPA service also checks regularly for the presence of a DHCP server (every five minutes, according to Microsoft). If it detects a DHCP server on the network, APIPA stops, and the DHCP server replaces the APIPA networking addresses with dynamically assigned addresses. 

APIPA is meant for nonrouted small business environments, usually less than 25 clients.
```

btw: if you use newer versions of windows, then you can assign an alternative configuration to your NIC. there you could use another ip address and not allow windows to use APIPA addresses.

cheers

SteveB

----------

## gareth

Thanks very very very very.......  much.  Unfortunately, my DHCP clients are Windows, and my DHCP server is on the router.

Although I could disable it there, and run one on the server, it would mean that if (or should I say when) my server dies, I can't use any of the machines.  Also, I have a friend plugged into my router, and if I go away for a reasonable length of time, I switch the server off and leave the router on for him.  Therefore the router must be the DHCP server and have a DNS server running on it so that he can surf while I'm away.

Any ideas on getting BIND to update from windows clients if at all possible?

Thanks again,

Gareth

----------

## steveb

 *gareth wrote:*   

> Thanks very very very very.......  much.  Unfortunately, my DHCP clients are Windows, and my DHCP server is on the router.
> 
> Although I could disable it there, and run one on the server, it would mean that if (or should I say when) my server dies, I can't use any of the machines.  Also, I have a friend plugged into my router, and if I go away for a reasonable length of time, I switch the server off and leave the router on for him.  Therefore the router must be the DHCP server and have a DNS server running on it so that he can surf while I'm away.
> 
> Any ideas on getting BIND to update from windows clients if at all possible?
> ...

 

hmmm.. and if the router dies, then you can go to the internet as well.

anyway... i would do the following:

- leave the router at 10.0.0.2
- switch YOUR network to 10.0.1.0/24
- install bind and dhcp on the server
- install a firewall on the server (maybe something like shorewall)
- use 2 NICs in the server
- connect one NIC to the adsl modem and use the dhcp server built into the adsl modem to get the ip address.
- use shorewall to mask your 10.0.1.0/24 network and route every other traffic to 10.0.0.2.
- configure bind and dhcp to serve the 10.0.1.0/24 network.

with that setup your friend could still use the router directly and you can turn off the server when you are away, without breaking the routing for your friend. and your network is protected from your friend (don't know if you want that?) and it is as well protected from any possible security trouble/problem with the router.

cheers

SteveB

----------

## gareth

Excellent idea - that's why you are a consultant, and I merely play with these things!  I actually trust my friend, but it would be worth doing that just for the learning experience.  I'll look into getting another network card.

In the mean time, my system is doing exactly as it was in the first post, even after installing your named.conf:-

If I ping 'www.sky.com' and monitor the network using Ethereal, BIND asks the router's DNS for the IP address, gets it, and returns it to the machine.  If I ping 'www.sky.com' again, it does the same.  Shouldn't it cache the first query instead though, and not have to ask the router the second time?

Thanks again,

Gareth

----------

## steveb

did you restart bind? maybe it would be better to stop it first and then kill all running bind processes and then start bind again.

cheers

SteveB

----------

## steveb

btw: to which dns server does your win client point to? 10.0.0.2 or 10.0.0.3?

cheers

steve

----------

## gareth

As I'm 'messing about' with BIND at the moment, I'm running it on the command line as  'named -t /chroot/dns  -g -u named'.  I then get to see some debug messages, and if all the zone files are OK etc.  I always stop and start the server after any changes.  Once it's running OK, I'll start it as a daemon.

I've set the Windows clients to look at 10.0.0.3 first, then 10.0.0.2

Thanks again,

Gareth

----------

## steveb

 *gareth wrote:*   

> I've set the Windows clients to look at 10.0.0.3 first, then 10.0.0.2

 

okay... then no one can guarantee you that windows will NOT use 10.0.0.2 for lookups.

if you want to force the caching, then use only 10.0.0.3.

cheers

SteveB

----------

## gareth

When I ping someone, it always goes like this:-

- Client asks BIND
- BIND asks router
- router returns information to BIND
- BIND informs client

The client never asks the router directly.  On the other hand, I've just run the 'dig' program on the server, and the reply time is amazing.  The first time (no cache) it takes between 30ms and 600ms to query the real world, and the second and subsequent times it takes approx 3ms to query BIND.  So it seems to work there!!!!  Very strange.

Regards,

Gareth
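A small probe for exactly this symptom, added here as an example (not code from the thread): it sends the same A query twice to a resolver two seconds apart and compares the TTL and round-trip time of the two answers. The verdict is a heuristic: a forwarded answer's TTL also counts down when the router's own DNS is caching it, so the latency drop (the 3 ms dig answers above versus 30 to 600 ms) is the stronger signal, and a TTL of 0 from upstream means BIND has nothing it is allowed to cache. Resolver address and name are command-line arguments; the packet parsing assumes a plain UDP response without EDNS options.

```python
import socket
import struct
import sys
import time

def build_query(name, qid=0x1234):
    """Minimal DNS query for an A record with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_answers(msg):
    """Return [(ip, ttl), ...] for the A records in the answer section."""
    _qid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((socket.inet_ntoa(rdata), ttl))
    return answers

def probe(resolver, name, timeout=3.0):
    """Send one query to resolver:53 and return (answers, round-trip ms)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(4096)
        return parse_a_answers(data), (time.monotonic() - start) * 1000

def cache_verdict(first, second):
    """Heuristic verdict from two probes of the same name taken ~2 s apart."""
    (a1, ms1), (a2, ms2) = first, second
    if not a1 or not a2:
        return "no A answer"
    if any(ttl == 0 for _, ttl in a1):
        return "upstream sends TTL 0: BIND has nothing it is allowed to cache"
    same_ips = sorted(ip for ip, _ in a1) == sorted(ip for ip, _ in a2)
    counting_down = max(ttl for _, ttl in a2) < max(ttl for _, ttl in a1)
    if same_ips and counting_down and ms2 < ms1 / 3:
        return "cached: TTL counting down and answered locally"
    return "probably not cached: answer looks freshly fetched upstream"

if __name__ == "__main__":
    resolver, name = sys.argv[1], sys.argv[2]      # e.g. 10.0.0.3 www.gentoo.org
    first = probe(resolver, name)
    time.sleep(2)                                   # let a cached TTL tick down
    second = probe(resolver, name)
    for label, (answers, ms) in (("1st", first), ("2nd", second)):
        print(f"{label}: {ms:7.1f} ms  {answers}")
    print(cache_verdict(first, second))
```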

----------

## ARC2300

 *steveb wrote:*   

> i hope he does not just route everything from internal to the external adsl router. according to the definition for APIPA, windows will look every 5 minutes for the dhcp server and try to get the address again.
> 
> i personaly like to know when something goes wrong. and what benefit does one have if every windows system can get to the internet, but every other system can not?
> 
> better is to get the system to be secure and reliable then tweaking around to work around problems of windows.
> ...

 

Thank you for the definition of something I already know.  It's really appreciated.  Guess I shouldn't assume anymore that someone asking about BIND and DHCP doesn't know how to change his APIPA address on his/her Windows machines.  How stupid of me.

----------

## steveb

 *ARC2300 wrote:*   

> Thank you for the definition of something I already know.  It's really appreciated.  Guess I shouldn't assume anymore that someone asking about BIND and DHCP doesn't know how to change his APIPA address on his/her Windows machines.  How stupid of me.

 

Cool! You are great! When I grow up, I want just to be like you!

cheers

SteveB

----------

