BIND DNS configuration

[thefrisianclause]

I am trying to get BIND to work on my new OPNsense installation, but for some reason it will not work.
Next to that the Plugin or atleast the UI for it is pretty 'minimal' but also very chaotic as I do not know where to start. I am coming from a bare VM with BIND9 installed, so I know a bit about BIND, but the BIND UI within OPNsense makes me confused.

I looked up some manuals but those were pretty out of date (see : https://docs.opnsense.org/manual/how-tos/bind.html).
This manual is minimal, as it only has the 'basic' configuration of BIND. There are no examples or any further explaination of any function within this plugin.

So my question is, does someone have a 'demo' or some kind of example of how they configured BIND within OPNsense?
I also see people going back to plain 'freebsd' so they don't user the BIND plugin, but install the package next to OPNsense on the machine itself.

If someone could help me with an example or demo, I could eventually update the manual of this page: https://docs.opnsense.org/manual/how-tos/bind.html so other people don't stumble upon the samen issue.

[Patrick M. Hausen]

Doesn't it run when you enable it? The most important point that is different in OPNsense is that I at least would recommend to run BIND alongside Unbound. There are many intricate dependencies in the system settings, DHCP and Unbound, so I finally came to the conclusion that it is best to leave Unbound running as the local resolver.

That means that for your local domain you need to go to Unbound --> Overrides for static DNS entries. No point in creating that zone in BIND because Unbound considers it "its own". The upside to this is that e.g. static DHCP entries will make it into the zone automatically.

If you want to go that route, simply enable BIND and leave the default settings as they are. Specifically listen addresses and port. We need to permit Unbound to use BIND as a recursive server so we need to create an ACL. I named mine "unbound".

See the two screenshots I added, please.

If that is all up and BIND is running and listening on port 53530, we need to tell Unbound to forward all requests outside of its local domain to BIND. Create a file in /var/unbound/etc, I named mine X-forward-bind.conf.

Code: [Select]

server:
do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@53530

Restart Unbound - done.


Happy BINDing ...

[thefrisianclause]

Doesn't it run when you enable it? The most important point that is different in OPNsense is that I at least would recommend to run BIND alongside Unbound. There are many intricate dependencies in the system settings, DHCP and Unbound, so I finally came to the conclusion that it is best to leave Unbound running as the local resolver.

That means that for your local domain you need to go to Unbound --> Overrides for static DNS entries. No point in creating that zone in BIND because Unbound considers it "its own". The upside to this is that e.g. static DHCP entries will make it into the zone automatically.

If you want to go that route, simply enable BIND and leave the default settings as they are. Specifically listen addresses and port. We need to permit Unbound to use BIND as a recursive server so we need to create an ACL. I named mine "unbound".

See the two screenshots I added, please.

If that is all up and BIND is running and listening on port 53530, we need to tell Unbound to forward all requests outside of its local domain to BIND. Create a file in /var/unbound/etc, I named mine X-forward-bind.conf.

Code: [Select]

server:
do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@53530

Restart Unbound - done.



Happy BINDing ...

Thanks for your reply, in the meantime I had been busy with installing BIND9 itself next to OPNsense but just via the FreeBSD console. Would this be a good idea to do? If not I can simply remove the package.

EDIT: Yes BIND runs when I install the plugin, but everything from 'zones' to defining the records is pretty unclear. There is no documentation on that....

[Patrick M. Hausen]

I would not install anything outside of the official firmware/plugin channels. But that's just me.

As for the zones - if you know BIND, go ahead and create them. I did not find the interface that counter-intuitive. You need to create the NS records in a primary zone manually. The SOA will be created by the system.

If you have problems with some particular task - I'd be willing to help, cannot guarantee fast response at all times, though. 

[thefrisianclause]

Yeah and the UI makes me a bit confused about the configuration applied in BIND. I know BIND, but for some reason when I look at the UI and I apply some 'records' I am getting confused on what a 'forward zone' is and what a 'reverse lookup zone' is as they are just put together in one table instead of separating them...

[Patrick M. Hausen]

A forward zone is one of the kind "domain.com". A reverse lookup zone is one of the kind "0.168.192.in-addr.arpa". They go into named.conf with standard bind all the same.

[thefrisianclause]

Yeah I know that proces, but for some reason it looks very confusing. (maybe because I am used to defining the files for zones myself and fill them in myself )

But will try and work my magic on it, and if I have questions I will ask them here if that is okay?
And maybe if I got a working solution I would edit the manual page on this BIND Plugin (see: https://docs.opnsense.org/manual/how-tos/bind.html )\

EDIT:

I got it working . I have OPNsense as a seperate firewall behind my ISP modem to serve as a DNS server for my 'homelab' Though when I have setup the ISP modem IP, I cannot resolve the domain within the homelab (Which is configured on OPNsense BIND). What I also tried was using the ISP modem as primary DNS and the OPNsense BIND as secondary DNS, but still couldn't resolve the domain within the OPNsense environment.

What I have done now, may not be best practice, but is to set my primary DNS IP as the OPNsense BIND server and the secondary DNS IP as the modem ISP. Now I can resolve the Domain what is configured within OPNsense BIND.. Pretty strange, do you by any chance know how to fix it? So I can reach the domain within my OPNsense BIND with the IP of the ISP modem?

I hope my edit isnt too 'cryptical'