Running bind9 on Turris

Linux Networking

The kresd DNS server on Turris is quite capable, but when you need to do some custom DNS magic for your internal network, it is not flexible enough. So let's replace it with a full-blown DNS server, Bind9, also known as named.

Bind9 is a very popular and mature DNS server; another option would be the modern Knot DNS, but I have some prior experience with Bind, so let's stick with it. The server is packaged in the opkg repos on Turris, so it's easily installed:

opkg update
opkg install bind-server

Configuration

Let's assume the internal network for which we want to provide the DNS service is 192.168.1.0/24 and the router lives on 192.168.1.1. We'll keep our DNS records under the custom domain foo.bar and forward queries for all other domains to public DNS servers; we also want DNSSEC validation for external domains. To configure this, edit /etc/bind/named.conf:

options {
        directory "/tmp";

        // Enable the DNSSEC validation
        dnssec-enable yes;
        dnssec-validation auto;
        // Keep DNSSEC keys in the /etc/bind directory
        managed-keys-directory "/etc/bind";

        // Forward DNS queries to these servers
        forwarders {
                // CZ.NIC ODVR, IPv4
                193.17.47.1;
                185.43.135.1;
                // Google
                8.8.8.8;
                // CZ.NIC ODVR, IPv6
                2001:148f:fffe::1;
                2001:148f:ffff::1;
        };

        auth-nxdomain no;    # conform to RFC1035

        listen-on port 53 {
                192.168.1.1;
                localhost;
        };
        listen-on-v6 port 53 {
                localhost;
        };

        recursion yes;
};

zone "foo.bar" IN {
        type master;
        file "/etc/bind/foo.bar";
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/192.168.1";
};

...

Now we need to create the forward and reverse DNS zones for our network. As declared in the zone statements above, we'll keep our hosts under the foo.bar domain. First, create the zone file /etc/bind/foo.bar:

;
; BIND data file for foo.bar
;
$TTL    600
@       IN      SOA     localhost. root.localhost. (
                        2021051800      ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        1209600         ; Expire
                        3600 )          ; Negative Cache TTL
;
@       IN      NS      localhost.

somehost        IN      A       192.168.1.10
otherhost       IN      A       192.168.1.11

We also want reverse DNS records; these will be defined in /etc/bind/192.168.1:

;
; BIND reverse data file for 192.168.1.0/24
;
$TTL    600
@       IN      SOA     localhost. root.localhost. (
                        2021051800      ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        1209600         ; Expire
                        3600 )          ; Negative Cache TTL
;

@       IN      NS      localhost.

10      PTR     somehost.foo.bar.
11      PTR     otherhost.foo.bar.
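Whenever either zone file is edited later, the SOA serial should be increased so that the change is visible as a new zone version, and the file should be validated before named picks it up, because a typo in a zone file takes that zone offline. The script below is an added example, not part of the original post: it bumps the serial in the YYYYMMDDnn form used above, runs named-checkzone and only then restarts named. It assumes the zone files live in /etc/bind as in the post and that named-checkzone is installed (on Turris I assume this is the bind-check package); its demo runs on a constructed copy of the foo.bar SOA.

```shell
#!/bin/sh
# Added example, not from the original post: bump the SOA serial of a zone
# file (YYYYMMDDnn form, as in the post), validate the zone with
# named-checkzone and only then restart named. Assumes the zone files live in
# /etc/bind as in the post and that named-checkzone is installed (on Turris
# the bind-check package, an assumption). The demo uses a constructed zone.

# next_serial OLD TODAY -> print the next serial. TODAY is YYYYMMDD.
# Use TODAY00 unless OLD is already at or past it; then just add one, so the
# serial stays strictly increasing even after several edits on one day.
next_serial() {
    old=$1
    candidate="${2}00"
    if [ "$old" -ge "$candidate" ]; then
        echo $((old + 1))
    else
        echo "$candidate"
    fi
}

# current_serial FILE -> print the number on the line marked "; Serial"
current_serial() {
    awk '/;[ \t]*Serial/ { print $1; exit }' "$1"
}

# bump_zone_serial FILE TODAY -> rewrite the serial in place, print the new one
bump_zone_serial() {
    file=$1
    old=$(current_serial "$file")
    [ -n "$old" ] || { echo "no '; Serial' line in $file" >&2; return 1; }
    new=$(next_serial "$old" "$2")
    awk -v old="$old" -v new="$new" '
        !done && /;[ \t]*Serial/ { sub(old, new); done = 1 }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$new"
}

# check_and_restart ZONE FILE -> named-checkzone must pass before named is
# restarted, so a broken zone file is never handed to the running server.
check_and_restart() {
    named-checkzone "$1" "$2" || return 1
    /etc/init.d/named restart
}

# Constructed sample zone with the same SOA as the post's foo.bar file.
SAMPLE_ZONE='$TTL    600
@       IN      SOA     localhost. root.localhost. (
                        2021051800      ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        1209600         ; Expire
                        3600 )          ; Negative Cache TTL
@       IN      NS      localhost.
somehost        IN      A       192.168.1.10'

# demo TODAY -> bump the sample zone in a temp file and print the new serial
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_ZONE" > "$tmp"
    bump_zone_serial "$tmp" "$1"
    rm -f "$tmp"
}

# Real use on the router, e.g. after editing /etc/bind/foo.bar:
#   bump_zone_serial /etc/bind/foo.bar "$(date +%Y%m%d)" \
#       && check_and_restart foo.bar /etc/bind/foo.bar
```

The serial rule is deliberately simple: today's date with a two-digit counter, falling back to plain increment when the stored serial is already at or past today's value, so the serial never goes backwards even if a file was edited with a future date by mistake.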

Finally, we defined the directory for managed keys to be the same as the configuration directory, so let's make sure the bind user can create new files there:

chown bind:bind /etc/bind

Now we can disable the original kresd resolver and replace it with the new server:

/etc/init.d/kresd stop
/etc/init.d/resolver stop
/etc/init.d/kresd disable
/etc/init.d/resolver disable

/etc/init.d/named start
/etc/init.d/named enable

One last step: we need to remove the dynamic domains script from the hotplug directory. The script was written to work with the kresd resolver, and when the kresd daemon is not running it will spam the syslog with error messages.

rm /etc/hotplug.d/dhcp/40-dynamic-domains

Testing the new server

First, test on the Turris that the DNS server forwards our requests to the other DNS servers correctly; we should get a valid Google server IP address after running:

dig @127.0.0.1 google.com

Now check that the foo.bar hosts are resolved correctly from the local configuration; we should get an authoritative answer with the 192.168.1.10 IP:

dig @127.0.0.1 somehost.foo.bar

Finally, let's verify the reverse records (this should return somehost.foo.bar):

dig @127.0.0.1 -x 192.168.1.10

If all the above steps succeeded, congratulations, you have your very own DNS server working. At least it works on the Turris itself; give it a try with nslookup on Windows or dig on a Linux machine connected to the router to see whether it also resolves correctly from the LAN.
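The three dig checks above can be scripted so that the answers are checked rather than read by eye. The script below is an added example, not part of the original post: it parses dig's header (the aa flag proves the answer came from the local authoritative zone, the ad flag proves the resolver validated DNSSEC) and the answer section. Because google.com is not DNSSEC-signed, the ad check is run against a signed name instead; nic.cz is the assumed default and can be overridden with SIGNED_NAME. The offline demo works on constructed dig output; live_checks runs the real queries and assumes dig is installed (the bind-dig package on Turris, another assumption).

```shell
#!/bin/sh
# Added example, not from the original post: check the answers the post's
# three dig commands should return, instead of reading them by eye.
# Assumes dig is installed (bind-dig package on Turris) and the foo.bar
# zone from the post. The demo below works offline on constructed output.

# --- constructed sample dig outputs (shaped like real ones) ----------------
# Authoritative answer from the local foo.bar zone: note the "aa" flag.
SAMPLE_LOCAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; ANSWER SECTION:
somehost.foo.bar.       600     IN      A       192.168.1.10'

# Forwarded and DNSSEC-validated answer: "ad" set, "aa" not set.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
signed.example.         3600    IN      A       192.0.2.1'

# Reverse lookup answered from the local 1.168.192.in-addr.arpa zone.
SAMPLE_REVERSE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34567
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; ANSWER SECTION:
10.1.168.192.in-addr.arpa. 600  IN      PTR     somehost.foo.bar.'

# --- parsers ---------------------------------------------------------------
# has_flag OUTPUT FLAG -> success if FLAG (aa, ad, ra, ...) is in the header
has_flag() {
    printf '%s\n' "$1" | grep -q "^;; flags:.* $2[ ;]"
}

# rcode OUTPUT -> print the status (NOERROR, NXDOMAIN, SERVFAIL, ...)
rcode() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# answer_rdata OUTPUT TYPE -> print the rdata of TYPE records in the ANSWER section
answer_rdata() {
    printf '%s\n' "$1" | awk -v t="$2" '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;;/ || /^$/         { in_ans = 0 }
        in_ans && $4 == t     { print $5 }'
}

# --- checks mirroring the post --------------------------------------------
# Local zone: must be authoritative (aa) and carry the expected address.
check_local_answer() {
    [ "$(rcode "$1")" = NOERROR ] && has_flag "$1" aa \
        && [ "$(answer_rdata "$1" A)" = "${2:-192.168.1.10}" ]
}

# Forwarded + DNSSEC: validated (ad), not authoritative, with an A record.
check_validated_answer() {
    [ "$(rcode "$1")" = NOERROR ] && has_flag "$1" ad \
        && ! has_flag "$1" aa && [ -n "$(answer_rdata "$1" A)" ]
}

# Reverse zone: PTR rdata must be the expected host name.
check_reverse_answer() {
    [ "$(rcode "$1")" = NOERROR ] \
        && [ "$(answer_rdata "$1" PTR)" = "${2:-somehost.foo.bar.}" ]
}

# live_checks [SERVER] -> run the real queries (127.0.0.1 on the router,
# 192.168.1.1 from a LAN host). google.com is not DNSSEC-signed, so the
# "ad" check uses SIGNED_NAME (assumed default nic.cz, which is signed).
live_checks() {
    srv=${1:-127.0.0.1}
    out=$(dig "@$srv" google.com A)
    [ "$(rcode "$out")" = NOERROR ] && has_flag "$out" ra && ! has_flag "$out" aa \
        && echo "forwarding: ok" || echo "forwarding: FAIL"
    out=$(dig "@$srv" "${SIGNED_NAME:-nic.cz}" A)
    check_validated_answer "$out" && echo "dnssec validation: ok" || echo "dnssec validation: FAIL"
    out=$(dig "@$srv" somehost.foo.bar A)
    check_local_answer "$out" && echo "forward zone: ok" || echo "forward zone: FAIL"
    out=$(dig "@$srv" -x 192.168.1.10)
    check_reverse_answer "$out" && echo "reverse zone: ok" || echo "reverse zone: FAIL"
}
```

Run live_checks on the router first, then live_checks 192.168.1.1 from a LAN machine; a forwarding FAIL with a missing ra flag or a SERVFAIL on the signed name points at the forwarders or DNSSEC setup rather than at the zone files.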
