OPNsense Forum

English Forums => Documentation and Translation => Topic started by: stesin on February 13, 2016, 04:37:37 pm

Title: Use OPNsense as primary DNS with bind 9.10 - HOWTO needed
Post by: stesin on February 13, 2016, 04:37:37 pm
Dear colleagues,

OPNsense is a great and exciting product, millions of thanks for this great work! Being a nonprofit, we appreciate the availability of the free product with this kind of functionality, comparable to industry leaders.

However, we have a simple (maybe basic) question. What we need is to get our firewall to become a primary DNS server for some 2-3 domains for our projects. Yes, we have the bind910 package installed. But what is the correct approach to achieve the goal?

Now we have the DNS Forwarder in operation. Is it really dnsmasq, as I guess?

What exactly is used as the DNS Resolver - is it BIND itself, or something else?

Which is a correct way to achieve the following setup:

1) a completely independent DNS server (BIND) running as a service on the WAN interface and serving as primary for our zones,

2) external (via WAN) queries for x.mydomain.org are resolved into visible official A records,

3) internal (via LAN) queries for x.mydomain.com are resolved into RFC 1918 A records with IPs from a "grey", corporate range like 10.whatever

If anyone from the team gives some suggestions about "what is the OPNsense policy for this", I'd write a brief HOWTO on this for the community.

Thanks in advance!
WBR, Andrii
Title: Re: Use OPNsense as primary DNS with bind 9.10 - HOWTO needed
Post by: franco on February 15, 2016, 08:14:39 am
Hi Andrii,

DNS Forwarder is dnsmasq, DNS Resolver is unbound. Bind is installed too, but is only used in the GUI for RFC 2136 Dynamic DNS.

You can configure Bind manually like you would in a normal FreeBSD installation. https://forums.freebsd.org/threads/guide-bind-9-10-install-on-freebsd-10.45716/

You should see if unbound can do what you want (which it probably can) and go from there. It's likely that we can provide docs for unbound/dnsmasq, but not for bind.


Cheers,
Franco
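The split-horizon setup Andrii describes in the first post (public A records for WAN clients, RFC 1918 A records for LAN clients, one authoritative named on the firewall) is what BIND views are for. The following is an added example, not configuration from this thread or from the OPNsense project; it assumes the bind910 port's default paths under /usr/local/etc/namedb, a placeholder zone mydomain.org, and placeholder addresses (203.0.113.0/24 for the public side, 10.0.0.0/8 for the LAN).

```conf
// File 1: /usr/local/etc/namedb/named.conf (path assumed from the bind910 port)

// Clients that are allowed to see the internal view and to recurse.
acl "lan" { 10.0.0.0/8; 127.0.0.0/8; };

options {
    directory "/usr/local/etc/namedb/working";
    // Bind only to the firewall's own WAN and LAN addresses (placeholders),
    // so named does not fight the DNS Resolver/Forwarder for other sockets.
    listen-on { 203.0.113.1; 10.0.0.1; };
    listen-on-v6 { none; };
    allow-transfer { none; };   // no AXFR/IXFR to anyone unless a secondary is added here
    version "none";             // do not advertise the BIND version in CHAOS queries
};

// LAN clients: private addresses, recursion allowed.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    allow-recursion { "lan"; };
    zone "mydomain.org" {
        type master;
        file "/usr/local/etc/namedb/master/mydomain.org.internal";
    };
};

// Everyone else (WAN): public addresses only, authoritative answers only.
view "external" {
    match-clients { any; };
    recursion no;
    zone "mydomain.org" {
        type master;
        file "/usr/local/etc/namedb/master/mydomain.org.external";
    };
};

; File 2: /usr/local/etc/namedb/master/mydomain.org.external
$TTL 3600
@       IN  SOA  ns1.mydomain.org. hostmaster.mydomain.org. (
                 2016021301 ; serial (YYYYMMDDnn, bump on every change)
                 3600       ; refresh
                 900        ; retry
                 1209600    ; expire
                 300 )      ; negative-cache TTL
        IN  NS   ns1.mydomain.org.
ns1     IN  A    203.0.113.1
x       IN  A    203.0.113.10      ; public address seen from the WAN

; File 3: /usr/local/etc/namedb/master/mydomain.org.internal
$TTL 3600
@       IN  SOA  ns1.mydomain.org. hostmaster.mydomain.org. (
                 2016021301 3600 900 1209600 300 )
        IN  NS   ns1.mydomain.org.
ns1     IN  A    10.0.0.1
x       IN  A    10.0.0.10         ; RFC 1918 address seen from the LAN
```

Enable the service with named_enable="YES" in /etc/rc.conf, validate before starting with named-checkconf and named-checkzone mydomain.org <zone file> (both ship with BIND), and add a firewall rule on WAN allowing TCP and UDP port 53 to the WAN address only. Two caveats worth checking on a firewall: the external view deliberately refuses recursion and transfers so the WAN-facing listener cannot be used as an open resolver or enumerated by zone transfer, and if the GUI's DNS Resolver or Forwarder is also bound to port 53 on the LAN address, named must listen on a different address (or the resolver needs a domain override pointing at named) to avoid a port conflict.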
Title: Re: Use OPNsense as primary DNS with bind 9.10 - HOWTO needed
Post by: stesin on February 15, 2016, 12:58:30 pm
Dear Franco,

thank you for the hint. Just one more question: in case I (maybe, who knows?) someday enable DynDNS in the GUI, will it clobber my DNS configuration, or not?

I took a brief look at unbound docs, it seems to me that I'll be more comfortable with good old named (which I'm familiar with since 1993) and rc.conf :) That's just my personal bias, of course.

WBR,
Andrii
Title: Re: Use OPNsense as primary DNS with bind 9.10 - HOWTO needed
Post by: franco on February 16, 2016, 05:14:15 am
Hi Andrii,

Good question. It looks like each RFC 2136 entry has its own config so it should not clobber your own unless you start to add your own entries manually. named.conf and named are unaffected. :)

Although unbound was the replacement for bind in FreeBSD, this was largely due to many security advisories being registered for bind, so it was decided to replace it. In OPNsense we have bind in the ports tree, so you get the latest security updates anyway, and it's unlikely to be removed. It may also be a plugin some day, too.

You should be ok with your choice of named and rc.conf. If not let me know. :)


Cheers,
Franco
Title: Re: Use OPNsense as primary DNS with bind 9.10 - HOWTO needed
Post by: skatopn on February 21, 2024, 01:40:58 am
Hi @franco and the OPNsense Team,

I know this is an old thread, but it is the most relevant one to my search, as I have the very same questions as the OP.

I would like to strongly suggest that BIND remain an integral part of the OPNsense distribution on the simple grounds that it appears to be the only DNS package that can be used to perform authoritative name resolution.

It was very interesting to see @franco coalesce from separate help topics that:
...DNS Forwarder is dnsmasq, DNS Resolver is unbound...

I would like to see some kind of help text in the GUI for each of these tools that makes these DNS roles unambiguous - there is currently no such mention as far as I can see for any of them.

Thanks.