This tutorial shows how to set up a FreeBSD-based server that offers DNS services (BIND). It was written for the 64-bit version of FreeBSD 7, but should apply to the 32-bit version as well.
I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal, but this is the way I take. I do not issue any guarantee that this will work for you!
1 Requirements
To install such a system you will need:
- a FreeBSD boot-only CD
- a fast Internet connection
2 Preliminary Note
In this tutorial I use the hostname dnsfreebsd.tm.local with the IP address 192.168.0.100 and the gateway 192.168.0.2. Your settings will probably differ, so replace them where appropriate. This article assumes that you have a new server, or a server that you are able to format.
3 The Base System
Insert your FreeBSD install CD into your system and boot from it. Wait for it to boot on its own, or press [ENTER]. Select your country, highlight the [OK] button and press [ENTER].
Select the Keyboard type, highlight the [OK] button and then press [ENTER].
For simplicity choose Standard, highlight the [OK] button and then press [ENTER].
For Automatic configuration, press A and then Q.
Choose Standard MBR.
Highlight the [OK] button and then press [ENTER] to go ahead for the partitioning step.
Again press A and then Q; you can do your own partitioning if you want.
Scroll down to the User distribution set and press [SPACEBAR] to select it.
For the ports collection, choose [YES] so it is installed now rather than by hand later: highlight the [Yes] button and press [ENTER].
You will go back to the distribution screen; press [TAB] to highlight the [OK] button and press [ENTER].
As we have an Internet connection, choose FTP as the installation media, then highlight the [OK] button and press [ENTER].
The best choice here is the mirror nearest to you, as it will be the fastest; after you make your choice, highlight the [OK] button and press [ENTER].
Because we chose FTP we now have to configure the network: choose the network card connected to the Internet, then highlight the [OK] button and press [ENTER].
For IPv6 I chose [NO], as my network environment does not support IPv6.
If you have DHCP you can choose [YES] here and change to a static IP later (see section 4); if you already have a static IP you can configure it now.
On the network configuration screen, if you do not have DHCP on your network you have to fill in the fields manually; when finished, [TAB] to [OK] and press [ENTER]. If you want to use DHCP and set a static IP later, see section 4 below. I am going with a static IP here:
Last Chance? highlight the [Yes] button and then press [ENTER].
After the installation you will get the below message, highlight the [OK] button and then press [ENTER].
You will then be asked if you want the server to be a network gateway, so we will go and choose [NO].
Also we will choose [NO] for the inetd.
Choose [YES] for the SSH login.
Choose [NO] for the anonymous FTP login:
Choose [NO] for the NFS server.
Choose [NO] again for the NFS client.
You will then be asked about system console customization; choose [NO].
Choose [YES] to set the time zone.
Choose [NO] unless your machine's hardware clock is set to UTC (most are not).
Time Zone, choose your region, highlight [OK] and press [ENTER].
Choose your country, highlight [OK] and press [ENTER].
CEST was ok for me, so depending on your region go ahead with the following selection.
It is a text-based installation and we will not use a mouse here, so I chose [NO].
Choose [NO] for application browsing.
Choose [YES] for creating a new user.
Scroll down to User, highlight [OK] and press [ENTER].
Type the username, [TAB] to the password field, then the full name, and type wheel in the Member groups box. Membership of wheel is what lets this user switch to root with su after logging in over SSH (FreeBSD's sshd does not allow root to log in directly by default). When finished, highlight [OK] and press [ENTER]:
You will then go back to the previous screen choose X Exit then highlight [OK] and press [ENTER].
Now we configure the root password, so press [OK].
Type the new password and press [ENTER], then retype it and press [ENTER] again.
Choose [NO] for visiting the configuration menu.
You will then go back to the sysinstall main menu, you can then highlight X Exit Install and press [ENTER].
Remove the CD, highlight [YES] and press [ENTER].
After the reboot you can log in as root on the console to do administrative tasks; over SSH you have to log in as the user you created and then switch to root with the su command.
Before installing third-party applications we change the default search path so that commands installed from ports (under /usr/local) are found before the base-system versions of the same command. Note that this means a binary installed from ports with the same name as a base-system command is the one root runs, which is exactly what we want later for the ports version of BIND. Open root's .cshrc:
cd /root
ee .cshrc
Comment out (disable) the default path line by adding a "#" at the beginning, and add the new path line below it, so that it looks like this:
#set path = (/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin /usr/X11R6/bin)
set path = (/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin $HOME/bin)
Now log out ([CTRL+D]) and log in again. To display the current search path, use:
echo $path
It is also a good idea to limit SSH access to specific users. To do that, open sshd_config with the easy editor:
ee /etc/ssh/sshd_config
Add the following line, replacing the names with the users you want to allow; in the example below user1 and user2 may log in via SSH and every other account is refused:
AllowUsers user1 user2
Then restart sshd:
/etc/rc.d/sshd restart
Keep your current session open and confirm from a second connection that you can still log in before closing it, since a typo in AllowUsers locks everyone out.
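As an added example (not from the original tutorial), here is a small POSIX sh audit script that checks an sshd_config for the two things this section sets up: an AllowUsers whitelist, and no direct root login (the tutorial's model is to log in as a wheel user and then su). The function names and the sample configs it builds are mine; the samples are constructed for the demonstration, not copied from a real server.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the access controls this section
# relies on. A file passes when it carries an AllowUsers whitelist and does
# not explicitly permit root to log in directly.
# The sample configs below are constructed for the demonstration.

# effective_directives FILE: the config with comments and blank lines removed,
# one directive per line, so a commented-out "#AllowUsers" does not count.
effective_directives() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# sshd_allowed_users FILE: print the names listed on the AllowUsers line(s),
# one per line (empty output means no whitelist is in effect).
sshd_allowed_users() {
    effective_directives "$1" |
        awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }'
}

# sshd_access_check FILE: return 0 when AllowUsers is set and root login is
# not explicitly enabled; otherwise print the problems and return 1.
sshd_access_check() {
    file=$1
    rc=0
    if [ -z "$(sshd_allowed_users "$file")" ]; then
        echo "$file: no AllowUsers line, every account with a shell may log in"
        rc=1
    fi
    if effective_directives "$file" |
        awk 'tolower($1) == "permitrootlogin" && tolower($2) == "yes" { found = 1 }
             END { exit found ? 0 : 1 }'; then
        echo "$file: PermitRootLogin yes, root can be attacked directly"
        rc=1
    fi
    return $rc
}

# Demonstration on two constructed files: a hardened config like the one in
# this section, and a permissive one.
demo() {
    good=$(mktemp) && bad=$(mktemp)
    printf '%s\n' '# constructed sample' 'Port 22' 'AllowUsers user1 user2' \
        '#PermitRootLogin no' > "$good"
    printf '%s\n' 'Port 22' '#AllowUsers user1' 'PermitRootLogin yes' > "$bad"
    sshd_access_check "$good" && echo "$good: ok"
    sshd_access_check "$bad" || echo "$bad: needs fixing"
    rm -f "$good" "$bad"
}
demo
```

Run it as sh sshd_check.sh; to audit the real file, call sshd_access_check /etc/ssh/sshd_config before restarting sshd.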
4 Configuring Static IP
If you chose DHCP during the installation, follow these steps to configure a static IP; remember to exclude the server's IP from the DHCP pool so that it will not conflict with another network device. We edit rc.conf with:
ee /etc/rc.conf
You should then see something like this (xl0 is the name of my network interface; yours may differ, see the output of ifconfig):
hostname="dnsfreebsd.tm.local"
ifconfig_xl0="DHCP"
Modify it to look like this:
hostname="dnsfreebsd.tm.local"
ifconfig_xl0="inet 192.168.0.100 netmask 255.255.255.0"
defaultrouter="192.168.0.2"
Now save and exit.
5 Checking the Hosts and DNS IPs configuration
We also need to make sure that the hosts file and resolv.conf are configured correctly, starting with the hosts file:
ee /etc/hosts
It should look like this; modify the domain name (e.g. tm.local) and the hostname (e.g. dnsfreebsd) to match your configuration:
::1             localhost localhost.tm.local
127.0.0.1       localhost localhost.tm.local
192.168.0.100   dnsfreebsd dnsfreebsd.tm.local
Now check resolv.conf:
ee /etc/resolv.conf
It should look like this (change it to match your configuration): the domain name at the top, then each DNS server you have (your ISP's, etc.) on its own nameserver line:
domain tm.local
nameserver 192.168.0.2
nameserver 192.168.0.100
6 Updating the system
To make sure you are connected to the Internet, ping any website (e.g. www.google.com). If all is good, update and reboot the system with:
freebsd-update fetch
freebsd-update install
reboot
After rebooting, display the release level with:
uname -r
7 Configuring FreeBSD Ports Collection
The Ports Collection provides a centralized and simple way to install software; it is designed to be automated and relatively easy to use. The following steps are also done as the superuser. First copy ports-supfile to /root so it is easy to find later:
cp /usr/share/examples/cvsup/ports-supfile /root
Now choose the update server nearest to your location from the list at:
http://www.freebsd.org/doc/en/books/handbook/cvsup.html
Then open ports-supfile and enter that server name:
ee /root/ports-supfile
Around line 49 you will see the default server parameters; mine is below, change it to whichever server is near you:
*default host=cvsup.de.FreeBSD.org
Use the following command to update the ports tree:
csup -g -L 2 /root/ports-supfile
It may take some time. If it has not connected within the first two minutes, make sure your firewall allows outbound TCP port 5999 from this server to the update server; you can check the connection with telnet:
telnet cvsup.de.freebsd.org 5999
If telnet succeeds you should see something like:
OK 17 0 SNAP_16_1h CVSup server ready
To build the ports index file we first need Perl:
cd /usr/ports/lang/perl5.8
make install clean
rehash
Then build the ports INDEX and README files; this can take a really long time (maybe 40 minutes):
cd /usr/ports
make readmes && make index
(If you do not need the README files, make fetchindex downloads a prebuilt INDEX instead of building it.)
8 Installing Portmaster and Portaudit (Optional but Recommended)
Portmaster makes life easy when upgrading ports, even when other ports depend on them. For example, if you have the Apache server installed and want to upgrade expat, you would have to uninstall expat and install the new version, which breaks the Apache installation; Portmaster does the upgrade safely without breaking the dependent ports. To install Portmaster:
cd /usr/ports/ports-mgmt/portmaster
make install clean
rehash
Portaudit checks the vulnerability database when building ports to ensure there are no known security issues with what you are installing; if there is a known issue the build will not continue and it refers you to the advisory. To install it:
cd /usr/ports/ports-mgmt/portaudit
make install clean
rehash
Once installed, run portaudit -Fda to fetch the current database and audit everything already installed.
If you really need to install a program despite a known vulnerability, you can override the check with:
make -D DISABLE_VULNERABILITIES install clean
Do this only after reading the advisory and accepting the risk; the vulnerability is still there after the install.
9 Installing and Configuring DNS
BIND 9.4.2 is part of the FreeBSD 7.0 base system. Check the version in the ports collection: if it is also 9.4.2, skip to the Configuration section; if the ports version is newer than 9.4.2, install it from ports as described in the Installation section. You can check the ports version with:
grep PORTVERSION /usr/ports/dns/bind94/Makefile
Installation
cd /usr/ports/dns/bind94
make config
make install clean
A menu will appear displaying the options for BIND: press [SPACEBAR] to select REPLACE_BASE (the others can be left at their defaults), then [TAB] to highlight [OK] and press [ENTER]. make install clean then builds the port and, because of REPLACE_BASE, installs it over the base-system BIND.
Configuration
First we add NO_BIND=YES to /etc/make.conf, so that if you later rebuild FreeBSD from source the base-system BIND is not built and installed over the ports version. Back the file up first:
cp /etc/make.conf /etc/make.conf.old
echo "NO_BIND = YES" >> /etc/make.conf
Now let's edit named.conf to configure the forwarders, zones, etc.:
ee /var/named/etc/namedb/named.conf
Scroll down to the listen-on line inside the options block (about line 21) and comment it out by adding // at the beginning of the line; without it BIND listens on all interfaces and answers both internal and external queries. It should then look like this:
// listen-on { 127.0.0.1; };
Be aware that, combined with the forwarders below, this makes named recurse for anyone who can reach port 53 on this machine. If the server is reachable from outside your LAN, also add allow-recursion { 192.168.0.0/24; localhost; }; to the options block so that it does not become an open resolver.
In the same options block add the forwarders, the DNS servers to which queries for domains we are not authoritative for are passed on (here the gateway and a second server; use your ISP's servers if you prefer):
forwarders { 192.168.0.2; 192.168.0.3; };
Then, at the end of the file, add the forward lookup zone for tm.local:
zone "tm.local" {
        type master;
        file "master/tm.local";
        allow-transfer { localhost; };
        allow-update { key rndc-key; };
};
The allow-update statement with the rndc key is the hook for a BIND feature called dynamic DNS updates, which lets a DHCP server update the client records in the zone; I will cover that in detail in my FreeBSD DHCP tutorial. allow-transfer { localhost; } makes sure nobody else can pull a copy of the whole zone.
Now add the reverse lookup zone, again at the end of the file:
zone "0.168.192.in-addr.arpa" {
        type master;
        file "master/tm.local.rev";
        allow-transfer { localhost; };
        allow-update { key rndc-key; };
};
Save and exit the file.
Now we create rndc.key and append its contents to the bottom of named.conf. rndc.key holds the shared secret (a TSIG key named rndc-key) that the rndc utility uses to authenticate to named; it is the same key the allow-update statements above refer to, and it is also what the DHCP server uses for dynamic DNS updates. Run the following commands:
rndc-confgen -a
cd /var/named/etc/namedb
cp named.conf named.conf.old
cat rndc.key >> named.conf
The key file should not be world-readable: anyone who can read it can push updates into the zones.
named.conf is now finished; next we create the zone files that contain the records.
Creating the Master forward lookup zone file
Remember to replace tm.local with your domain name; it must match the zone name used in named.conf. Create the file tm.local:
cd /var/named/etc/namedb/master
ee tm.local
Then add the following (the A record for dnsfreebsd must be the server's own address from section 2, 192.168.0.100, and must match the PTR in the reverse zone below):
$TTL 3600
tm.local.               IN      SOA     dnsfreebsd.tm.local. root.tm.local. (
                                1               ; Serial
                                10800           ; Refresh
                                3600            ; Retry
                                604800          ; Expire
                                86400 )         ; Minimum TTL
; DNS Servers
tm.local.               IN      NS      dnsfreebsd.tm.local.
; Computer names and records
dnsfreebsd.tm.local.    IN      A       192.168.0.100
; Aliases
www                     IN      CNAME   dnsfreebsd.tm.local.
; Mail MX Records
tm.local.               IN      MX 10   dnsfreebsd.tm.local.
root.tm.local. is the e-mail address of the person responsible for the zone (root@tm.local); in a zone file the "@" is written as a ".". Increase the Serial every time you change the zone, otherwise secondary servers will not notice the change.
Creating the Master reverse lookup zone file
Now we create the reverse lookup zone file that matches the forward one above:
cd /var/named/etc/namedb/master
ee tm.local.rev
Then add the data below, again modified for your configuration (the owner name is the last octet of the address, so 100 stands for 192.168.0.100):
$TTL 3600
0.168.192.in-addr.arpa. IN      SOA     dnsfreebsd.tm.local. root.tm.local. (
                                1               ; Serial
                                10800           ; Refresh
                                3600            ; Retry
                                604800          ; Expire
                                86400 )         ; Minimum TTL
; DNS Servers
0.168.192.in-addr.arpa. IN      NS      dnsfreebsd.tm.local.
; Computer IPs
100                     IN      PTR     dnsfreebsd.tm.local.
100                     IN      PTR     www.tm.local.
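As an added example (not from the original tutorial), the following POSIX sh script builds the forward and reverse zone files from a single host table, so that every A record gets a matching PTR and both files carry the same serial, and then cross-checks a pair of zone files for A records with no PTR, the kind of mismatch that is easy to make when the two files are typed by hand. The host table (including the mail host) and the function names are constructed for the demonstration; the zone names and the 192.168.0.0/24 network are the ones used in this tutorial, and the reverse-zone logic assumes a /24 as here.

```shell
#!/bin/sh
# Added example: generate forward and reverse zone files from one host table
# and lint a pair of zone files for A records without a matching PTR.
# Zone names follow the tutorial; the host table is constructed.

# Host table: "shortname ip" per line (constructed sample).
HOSTS='dnsfreebsd 192.168.0.100
mail 192.168.0.50'

# soa_header OWNER NSHOST ORIGIN SERIAL: the $TTL, SOA and NS lines that the
# forward and reverse zones share (same timers as the tutorial's files).
soa_header() {
    printf '$TTL 3600\n'
    printf '%s.\tIN\tSOA\t%s.%s. root.%s. (\n' "$1" "$2" "$3" "$3"
    printf '\t\t%s\t; Serial\n\t\t10800\t; Refresh\n\t\t3600\t; Retry\n' "$4"
    printf '\t\t604800\t; Expire\n\t\t86400 )\t; Minimum TTL\n'
    printf '%s.\tIN\tNS\t%s.%s.\n' "$1" "$2" "$3"
}

# gen_forward ORIGIN NSHOST SERIAL < hosts: forward zone on stdout.
gen_forward() {
    soa_header "$1" "$2" "$1" "$3"
    awk -v origin="$1" 'NF == 2 { printf "%s.%s.\tIN\tA\t%s\n", $1, origin, $2 }'
}

# gen_reverse REVORIGIN ORIGIN NSHOST SERIAL < hosts: /24 reverse zone on
# stdout; the PTR owner is the last octet of each address.
gen_reverse() {
    soa_header "$1" "$3" "$2" "$4"
    awk -v origin="$2" 'NF == 2 {
        n = split($2, o, ".")
        printf "%s\tIN\tPTR\t%s.%s.\n", o[n], $1, origin
    }'
}

# a_without_ptr FORWARD REVERSE: print every A record in FORWARD whose last
# octet has no PTR back to the same name in REVERSE. Returns 0 when nothing
# is missing, 1 otherwise. Several PTRs per octet are allowed.
a_without_ptr() {
    awk '
    FNR == NR { if ($3 == "PTR") ptr[$1] = ptr[$1] " " $4 " "; next }  # reverse zone
    $3 == "A" {                                                        # forward zone
        n = split($4, o, ".")
        if (index(ptr[o[n]], " " $1 " ") == 0) { print "no PTR for " $1 " at " $4; bad++ }
    }
    END { exit bad ? 1 : 0 }' "$2" "$1"
}

# Demonstration: build both zones with serial 1 and check them against each other.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$HOSTS" | gen_forward tm.local dnsfreebsd 1 > "$dir/tm.local"
    printf '%s\n' "$HOSTS" | gen_reverse 0.168.192.in-addr.arpa tm.local dnsfreebsd 1 > "$dir/tm.local.rev"
    cat "$dir/tm.local" "$dir/tm.local.rev"
    a_without_ptr "$dir/tm.local" "$dir/tm.local.rev" && echo "forward/reverse consistent"
    rm -rf "$dir"
}
demo
```

Run it as sh genzones.sh. To use it for real, redirect gen_forward and gen_reverse into master/tm.local and master/tm.local.rev, pass a higher serial on every change, and run a_without_ptr on the two files before restarting named.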
Testing your DNS Server
Configuration is finished; now we start the service and test it. First make sure the server uses its own IP as the primary DNS server in resolv.conf.
Open the file:
ee /etc/resolv.conf
and put your DNS server's IP first. My server's IP is 192.168.0.100, so my resolv.conf looks like this:
domain tm.local
nameserver 192.168.0.100
nameserver 192.168.0.2
Configure named to start automatically at boot time.
Open /etc/rc.conf:
ee /etc/rc.conf
and add the following line to it:
named_enable="YES"
Start the named service:
/etc/rc.d/named start
If it fails to start, the configuration error it hit is logged in /var/log/messages. Try a dig for google.com to make sure forwarding works:
dig google.com
If near the end of the output (about the third line from the bottom) you see something like:
;; SERVER: 192.168.0.100#53(192.168.0.100)
then your DNS server (192.168.0.100) is the one that answered the query.
Then check your own zones: dig dnsfreebsd.tm.local and dig -x 192.168.0.100 should return the A and PTR records you entered, and pinging your A records should give the expected replies. If they do, your DNS server is working fine.
10 Sources and References
- Official FreeBSD Handbook
- Using the ports collection (FreeBSD Handbook)
- Search FreeBSD Ports Collection
- PortMaster
- BIND 9 Administrator Reference Manual
- RFC 1034 - Domain Names: Concepts and Facilities
- RFC 1035 - Domain Names: Implementation and Specification
- The FreeBSD DNS Handbook
- Building a Server with FREEBSD 7