# Running bind9 on Turris

The kresd DNS server on Turris is quite capable, but when you need to do some custom DNS magic for your internal network, it falls short. So let's replace it with a full-blown DNS server: BIND 9, aka named.

BIND 9 is a very popular and mature DNS server. Another option would be the modern Knot DNS, but I have some prior experience with BIND, so let's stick with it. The server has a package in the opkg repos on Turris, so it's easily installed:

```sh
opkg update
opkg install bind-server
```

## Configuration

Let's assume the internal network for which we want to provide DNS service is 192.168.1.0/24 and the router lives on 192.168.1.1. We'll keep our DNS records under the custom domain foo.bar and forward queries for all other domains to public DNS servers; we also want DNSSEC validation for external domains. To configure this, edit /etc/bind/named.conf:

```
options {
    directory "/tmp";

    // Enable DNSSEC validation
    // (dnssec-enable is deprecated in newer BIND releases and rejected from 9.18 on;
    // dnssec-validation auto is what actually turns validation on)
    dnssec-enable yes;
    dnssec-validation auto;
    // Keep DNSSEC keys in the /etc/bind directory
    managed-keys-directory "/etc/bind";

    // Forward DNS queries to these servers
    forwarders {
        // CZ.NIC public resolvers plus Google's 8.8.8.8
        193.17.47.1;
        185.43.135.1;
        8.8.8.8;
        2001:148f:fffe::1;
        2001:148f:ffff::1;
    };

    auth-nxdomain no;    # conform to RFC1035

    // Listen only on the LAN address and loopback, so the recursive
    // resolver is not reachable (and abusable) from the WAN side
    listen-on port 53 {
        192.168.1.1;
        localhost;
    };
    listen-on-v6 port 53 {
        localhost;
    };

    recursion yes;
};

zone "foo.bar" IN {
    type master;
    file "/etc/bind/foo.bar";
};

// Reverse zone for 192.168.1.0/24
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "/etc/bind/192.168.1";
};
```

...

Now we need to create the forward and reverse DNS zones for our network that the zone statements above refer to; we'll keep our hosts under the foo.bar domain. First we create the zone file /etc/bind/foo.bar:

```
;
; BIND data file for foo.bar
;
$TTL    600
@       IN      SOA     localhost. root.localhost. (
                        2021051800      ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        1209600         ; Expire
                        3600 )          ; Negative Cache TTL
;
@           IN      NS      localhost.

somehost    IN      A       192.168.1.10
otherhost   IN      A       192.168.1.11
```

We also want reverse DNS records; these are defined in /etc/bind/192.168.1:

```
;
; BIND reverse data file for 192.168.1.0/24
;
$TTL    600
@       IN      SOA     localhost. root.localhost. (
                        2021051800      ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        1209600         ; Expire
                        3600 )          ; Negative Cache TTL
;

@       IN      NS      localhost.

10      PTR     somehost.foo.bar.
11      PTR     otherhost.foo.bar.
```
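A mismatch between the forward and reverse zones (an A record without its PTR, or a stale PTR pointing at a renamed host) is easy to introduce by hand and only shows up later in `dig -x`. The small checker below is an added example, not part of the original post; it parses constructed copies of the two zone files above and reports every A/PTR pair that does not match. The helper names and the assumption that the reverse zone covers exactly one /24 are mine.

```python
"""Cross-check a BIND forward zone against its /24 in-addr.arpa reverse zone."""
import re

# Constructed copies of the zone files shown above (not read from /etc/bind).
FORWARD_ZONE = """\
$TTL 600
@ IN SOA localhost. root.localhost. (
    2021051800 ; Serial
    86400 ; Refresh
    7200 ; Retry
    1209600 ; Expire
    3600 ) ; Negative Cache TTL
@ IN NS localhost.
somehost IN A 192.168.1.10
otherhost IN A 192.168.1.11
"""
REVERSE_ZONE = """\
$TTL 600
@ IN SOA localhost. root.localhost. ( 2021051800 86400 7200 1209600 3600 )
@ IN NS localhost.
10 PTR somehost.foo.bar.
11 PTR otherhost.foo.bar.
"""

def strip_comments(text):
    """Drop ';' comments and surrounding whitespace from each zone line."""
    return [re.sub(r";.*", "", line).strip() for line in text.splitlines()]

def a_records(zone_text, origin):
    """Return {fqdn: ip} for every A record; relative names get the origin appended."""
    out = {}
    for line in strip_comments(zone_text):
        m = re.match(r"^(\S+)\s+(?:IN\s+)?A\s+(\d+\.\d+\.\d+\.\d+)$", line)
        if m:
            name = m.group(1) if m.group(1).endswith(".") else f"{m.group(1)}.{origin}."
            out[name] = m.group(2)
    return out

def ptr_records(zone_text, network):
    """Return {ip: fqdn} for every PTR in a /24 reverse zone (network like '192.168.1')."""
    out = {}
    for line in strip_comments(zone_text):
        m = re.match(r"^(\d+)\s+(?:IN\s+)?PTR\s+(\S+\.)$", line)
        if m:
            out[f"{network}.{m.group(1)}"] = m.group(2)
    return out

def check_consistency(fwd, rev):
    """List A records lacking a matching PTR and PTRs lacking a matching A."""
    problems = [f"{n} -> {ip} has no matching PTR" for n, ip in fwd.items() if rev.get(ip) != n]
    problems += [f"{ip} -> {n} has no matching A" for ip, n in rev.items() if fwd.get(n) != ip]
    return problems
```

Run `check_consistency(a_records(FORWARD_ZONE, "foo.bar"), ptr_records(REVERSE_ZONE, "192.168.1"))`; an empty list means the two files agree.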

Finally, since we pointed the managed-keys directory at the same directory as the configuration, let's make sure the bind user can create new files in there:

```sh
chown bind:bind /etc/bind
```

Now we can disable the original kresd resolver and replace it with the new server:

```sh
/etc/init.d/kresd stop
/etc/init.d/resolver stop
/etc/init.d/kresd disable
/etc/init.d/resolver disable

/etc/init.d/named start
/etc/init.d/named enable
```

One last step: remove the dynamic domains script from the hotplug directory. The script was written to work with the kresd resolver, and when the kresd daemon is not running it spams the syslog with error messages.

```sh
rm /etc/hotplug.d/dhcp/40-dynamic-domains
```

## Testing the new server

First, test on the Turris itself that the DNS server forwards our requests to the other DNS servers correctly; we should get a valid Google server IP address after running:

```sh
dig @127.0.0.1 google.com
```

Now check that the foo.bar hosts are resolved correctly from the local configuration; we should get an authoritative answer with the 192.168.1.10 IP:

```sh
dig @127.0.0.1 somehost.foo.bar
```

Finally, let's verify the reverse records (this should return somehost.foo.bar):

```sh
dig @127.0.0.1 -x 192.168.1.10
```

If all the above steps succeeded, congratulations, you have your very own DNS server working. At least it works on the Turris itself; give it a try with nslookup on Windows or dig on a Linux machine connected to the router to see whether it also resolves correctly from the LAN.