
FreeBSD DNS Servers Part 1


The original Japanese version is available here.

My cell phone is an iPhone. I started with the iPhone 3G, and after the iPhone 4, 5, 6, 7 and 8 this iPhone XS is my seventh. It has plenty of storage, is not slow and runs reasonably well, but it is a model that does not support 5G. While I was wondering what to do with it, I looked through some old photos and found many nostalgic ones. They mean nothing to anyone but me, but I would like to use a few of them, with a brief explanation, to motivate myself. The eye-catching photo above is a road sign I took in Prague when I visited an MPLS network provider's office in the Czech Republic.


Now, the DNS we are going to set up this time is a server that answers queries from DNS clients in my home only. As I mentioned in a previous article, we bought the domain name jf3vqb.net, and the provider that manages our rental server runs the DNS servers for this domain.

There must be at least two of them, for redundancy.

Inside the home we could either use the same domain name or a subdomain such as home.jf3vqb.net. Since there is no need to expose the internal DNS to the Internet, I will go with home.jf3vqb.net.
Of course, since we don't need to publish it, we don't need to create an NS record for the home subdomain in jf3vqb.net. The first thing to do is give the DNS server a static IP address. I don't think the DNS server will get a different IP address when it is restarted, but there is no guarantee that there will not be a power failure or similar, so we set a static IP address.

Specify the static IP address and subnet mask. We also need to specify the gateway address, since this used to be provided by DHCP. Let's leave IPv6 as it is for now.

If you reboot in this state, it comes up with the new address. nmbd is now up and running, so Windows can use the host name as before. Since Windows is basically a broadcast-oriented OS, broadcasts are used very often. Name resolution also uses broadcasts to resolve names such as pokemon and package by querying the master browser on the same network.

IP addresses may change and I can't remember them, but machine names never change.
No warning messages from SSH.

The next step is to install the DNS software, and I would like to use ISC BIND9, which has the largest market share. The available version is bind918. First, let's look at the options.

Check what options we have.

We use the default options except for the DOCS option.

You can change the TERM variable to xterm for better visibility.

I removed this option and the X11-related options when I installed the VMware tools, so let's just compile it without the DOCS option as well. The pokemon server should have an empty /usr/ports directory, so use "portsnap fetch extract" to populate it there and compile there as well. Don't forget to keep the ports tree on the package server up to date with "portsnap fetch update" too.

We still have options when we recompile open-vm-tools.

During compilation, I was told that py38-setuptools-57.0.0.0 was already installed. Run "pkg delete py38-setuptools-57.0.0" to remove it, then run "make install clean" again. Don't forget to run "make install clean" in /usr/ports/net/samba413 as well, because samba413 is also removed by the pkg delete operation. This can happen when you mix packages and ports.

Lots of software modules are compiled.

We don't see a "file system full" message either.

We had enough disk storage.

Then compile samba413 again, which was removed as a dependency, and restart samba.

Restart it, just to be sure.

Now it is time to configure DNS. Edit /usr/local/etc/namedb/named.conf. Here pokemon will be the primary server and package the secondary server. For now, modify /etc/rc.conf and start DNS.

The DNS service needs to come up automatically.

In /usr/local/etc/namedb/named.conf, the server is configured to listen only on 127.0.0.1. Therefore, if you query 127.0.0.1, the address should be returned.

Oh, it seems to be working 🙂

Using the root DNS servers, we now have the whitehouse and google IP addresses. From here we start customizing DNS. The default configuration is to query the root servers for anything the server doesn't know.

The root servers may change occasionally; we need to check them periodically.

First, let's change this behaviour. Instead of the root servers, we will use DNS cache servers that probably already hold the information we lack. Here is the setting.

It takes more time to go through the root servers than through cache servers near us, because they may already know the results.

All forwarders are commented out. Uncomment them so that the server queries Google DNS. When forwarders are configured, DNS always tries the forwarders first. If the forwarders are not available, or if no response is received within the specified time due to high load, etc., the server falls back to the root DNS servers. To prevent this, the forward only option is also set.

Let’s try the famous ones.

Try the DNS lookup again.

Almost the same.

You see a slightly different address than the previous one. Which one is closer?

Many DNS servers nowadays use GeoIP.

The minimum response times are almost the same, but on average Google DNS gave us a slightly better IP address. Finally, I compared the results with the Google addresses I get when I use the DNS provided by my home ISP.

My ISP is doing its job properly!

The response time is 500us better when we use the ISP's DNS. I would like to test one more frequently used site. Let's check M$'s datacenter. Google DNS seems to have returned the address of a datacenter in Tokyo.

Google DNS uses anycast; the closest server answers.

On the other hand, when I used the DNS provided by my ISP, it returned the address of a data center in Osaka. Since my home is in Osaka, I got an almost 10ms better result.

This seems to be the best.

So in my case I will specify the ISP-provided DNS as the forwarders. What I need to do next is create the data for the home domain and describe it in named.conf. First, prepare the template file for forward lookup.

Convert the hostname to an IP address.

Having copied the file for the loopback address, we start with the IPv4 A records.

There are IPv4 and IPv6 addresses.

It looks like this.

Add the database file to the DNS configuration file and load the new settings.

Does it work properly?

Now let’s test it.

It seems to be working!

Looks good. Now, let’s set up the secondary server. It looks like this.

Oops? The files can't be created. A permission problem? We add statements that allow zone transfers between the secondary and the primary. In addition, we bind the server to an interface with a real IP address so that it can transfer the file. Both the primary and the secondary need to be modified. The primary looks like this.

Add the NIC's real IP address to listen on.
Accept transfer requests from the secondary.

When I did "rndc reload" on the secondary again, I got an error on the console: creating IPv4 interface vmx0 failed. This was also a permissions issue. For security reasons, named runs as the "bind" user, and that user cannot bind to the interface. So it must bind to the interface before the setuid() system call is executed.

Rebooting!

So we restart the process so that it can bind to the interface as root, which can do anything. I restarted the process on both the primary and the secondary. The file is now firmly in place.
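To tie together the forwarders setting, the listen-on and allow-transfer changes, and the primary/secondary zone declarations described above, here is an added named.conf sketch for the primary (pokemon). It is not the author's file: the LAN 192.168.1.0/24, pokemon at 192.168.1.10, package at 192.168.1.11, the ISP resolver addresses and the file paths are all constructed placeholders.

```conf
// Added example, not the author's named.conf. Constructed addresses:
// pokemon (primary) 192.168.1.10, package (secondary) 192.168.1.11, LAN 192.168.1.0/24.
acl "home"      { 127.0.0.0/8; 192.168.1.0/24; };
acl "secondary" { 192.168.1.11; };

options {
    directory "/usr/local/etc/namedb/working";        // assumed path
    // Listen on loopback AND the real NIC address, not only 127.0.0.1 (the FreeBSD default).
    listen-on { 127.0.0.1; 192.168.1.10; };
    // Answer and recurse only for home clients; this server is never exposed to the Internet.
    allow-query     { "home"; };
    allow-recursion { "home"; };
    // Hand unknown names to the ISP resolvers; "forward only" means never fall back to the roots.
    forwarders { 192.0.2.53; 192.0.2.54; };           // placeholders for the ISP's resolvers
    forward only;
    // Only the secondary may pull a full copy of our zones (this fixes the transfer failure).
    allow-transfer { "secondary"; };
};

// Primary copy of the home forward zone.
zone "home.jf3vqb.net" {
    type primary;
    file "/usr/local/etc/namedb/primary/home.jf3vqb.net.db";     // assumed path
};

// Primary copy of the reverse zone for 192.168.1.0/24.
zone "1.168.192.in-addr.arpa" {
    type primary;
    file "/usr/local/etc/namedb/primary/1.168.192.in-addr.arpa.db";
};

// On package (the secondary) the same zones are declared like this instead:
// zone "home.jf3vqb.net" {
//     type secondary;
//     primaries { 192.168.1.10; };
//     file "/usr/local/etc/namedb/working/home.jf3vqb.net.db";  // must be writable by user bind
// };
```

After editing, "named-checkconf" on each host and "rndc reload" (as the author does) apply the change; a new listen-on address still needs the full restart described above.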

I will test the secondary as well.

Looks good. Now let's set up the resolver. Each machine uses its own server as the main one and the other server as backup. It looks like this.

We will do the final test.

Oops, I made a mistake with the IP address of the server "package". I will correct it. Open the database file on the primary.

Then modify the IP address of "package". Fixing the wrong IP address is important, of course, but the serial number in the SOA record must also be made larger than it is now. That is how the secondary server learns that the primary's data has been updated; no zone transfer occurs until that condition is met.

Now, let’s reload the data.

Looks good. Now let’s see if we can resolve external names as well.

Everything seems to be OK. Finally, change the domain name from jf3vqb.net to home.jf3vqb.net and restart the server.

Sounds good!

Finally, reverse lookups are also important on the Internet, although I can't think of a situation where they would be needed in a home network. For example, when a hostname is used to allow mail relay in sendmail, the hostname is looked up in reverse from the IP address, the resulting hostname is then looked up forward to an IP address, and only when this address matches the original address and the hostname still matches the specified one is relaying allowed. This is not of great significance at home, but it can be configured anyway. Here is such an example.

I want to see them with host names.

Copy the template file for the reverse lookup. Of course, this is done on the primary.

Edit it and add the data.

Two localhost entries.

Rewrite the NS records as for the forward lookup and add PTR records for the reverse lookup. The period at the end of each name is important; without it, the name is treated as relative to the zone origin.
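An added pair of zone files, not the author's data, illustrating the two points above (the SOA serial that must grow on every edit, and the trailing period on NS and PTR targets). The addresses, the IPv6 prefix, the contact mailbox and the file paths are constructed.

```conf
; Added example zone data, not the author's files. Constructed addresses:
; pokemon 192.168.1.10, package 192.168.1.11; 2001:db8::/32 is the documentation prefix.
;
; ---- /usr/local/etc/namedb/primary/home.jf3vqb.net.db (forward zone) ----
$TTL 3600
$ORIGIN home.jf3vqb.net.
; SOA: primary name server, then the contact mailbox with "@" written as ".",
; so hostmaster.home.jf3vqb.net. means hostmaster@home.jf3vqb.net.
@   IN SOA pokemon.home.jf3vqb.net. hostmaster.home.jf3vqb.net. (
        2022062402  ; serial (YYYYMMDDnn): raise it on every edit or the secondary never refetches
        3600        ; refresh: how often the secondary compares serials
        900         ; retry
        604800      ; expire
        300 )       ; negative-cache TTL
    IN NS   pokemon.home.jf3vqb.net.
    IN NS   package.home.jf3vqb.net.
pokemon IN A    192.168.1.10
package IN A    192.168.1.11
pokemon IN AAAA 2001:db8::10
package IN AAAA 2001:db8::11

; ---- /usr/local/etc/namedb/primary/1.168.192.in-addr.arpa.db (reverse zone) ----
$TTL 3600
$ORIGIN 1.168.192.in-addr.arpa.
@   IN SOA pokemon.home.jf3vqb.net. hostmaster.home.jf3vqb.net. (
        2022062401 3600 900 604800 300 )
    IN NS   pokemon.home.jf3vqb.net.
    IN NS   package.home.jf3vqb.net.
; PTR targets must end in "."; written as "pokemon.home.jf3vqb.net" (no dot) the
; name would be read as pokemon.home.jf3vqb.net.1.168.192.in-addr.arpa.
10  IN PTR  pokemon.home.jf3vqb.net.
11  IN PTR  package.home.jf3vqb.net.
```

"named-checkzone home.jf3vqb.net <file>" and "named-checkzone 1.168.192.in-addr.arpa <file>" catch a missing trailing period or a malformed SOA before "rndc reload" does.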

Add the reverse zone, with its name servers and PTR records, to the configuration file.

As with the forward lookup, specify the file names and set the transfer permissions properly.

The secondary is set up in the same way as for the forward lookup.

Load the settings on the primary first, then load the secondary configuration. The files for the secondary are then copied from the primary.

The machine name is now firmly displayed.

I'll check it in a moment.

nobody.localhost? Who is that?

The e-mail address in the reverse lookup's SOA record is wrong, so I will fix it.

Good!

In the case of my ISP, better IP addresses (servers geographically closer to my network) are returned when I use the ISP's DNS, but there are many reports that public DNS such as Google DNS can be better. The best choice differs between my home and yours, so find the forwarder that works best for your environment.

So, did your DNS work as expected? This time the DHCP service in the ISP router doesn't work properly, so I could only test DNS by editing the resolver settings directly. Once I can introduce DHCP, I will be able to do this a bit more smartly on a Windows PC. A while ago I was using a Cisco ISR router as my broadband router, but I gave it up when I changed the line speed from 100M to 1G. A router with specifications good enough to make full use of the line was too expensive for personal use 🙂 It was good and could do anything....


Horse-drawn carriages were common in the old town of Prague. It would not seem strange if a knight in armor came around the corner there 🙂

We had a dinner meeting with the MPLS provider at an old restaurant just across the Charles Bridge from the old town. At night some lamps were lit and we could see a fantastic night view.

This picture was taken from the window of the plane taking off from Prague the day after the dinner meeting. I took a cab from the hotel to the airport and asked the driver whether I could pay by credit card. He said "no worries, I will take care of it!". When I got off at the airport, however, he found out that the card reader had no batteries! I am not sure what he did, but after rummaging around in the trunk of the car and elsewhere while grumbling about it, he managed to find a power supply and I was released about 20 minutes after arriving. I wonder what would have happened if he couldn't read the card 🙂

From the Czech Republic, over Poland, and about to cross the Baltic Sea. The flight was comfortable with few clouds. Our destination is Helsinki Airport.

As usual, I wait with a cup of Starbucks coffee in hand for my connection to the direct flight from Helsinki to Kansai International Airport. (There are currently no direct flights to/from KIX, because of the decrease in passenger volume caused by Covid and because detouring around the Russian no-fly zone takes too much time and fuel; as of June 2022 the only direct flights from Helsinki are to/from Narita...)

JAL Airbus A330-300, economy seat of course 🙂 This aircraft is bound for Kansai International Airport, but right next to this gate there was a direct flight to Narita airport which took off 10 or 20 minutes after this one. I hope that the Covid-related travel restrictions will be greatly eased and passenger numbers will recover. And the end of the war, of course.
