This time we will look at the installation of a Bind/Named server on FreeBSD. This configuration corresponds to my local setup, which I needed to avoid the problems caused by hairpinning (hairpin NAT): internal devices try to connect to LAN services, but resolve their names to the public IPs, so the traffic has to leave through the router and come back in.
This problem can be solved in several ways:
- Editing the /etc/hosts file on all affected devices. The drawback is that some of these are embedded devices or mobile phones, and the maintenance is completely manual.
- If we have access to the router and it runs Linux, we can configure iptables to handle the hairpin traffic.
- If neither of the previous options is feasible, we can always set up a DNS server in DNS-RPZ mode that answers our own names with their LAN addresses.
The tutorial consists of the following steps:
- Jail and installation of basic tools
- Installation of Bind
- Configuration of Bind
- Enable query_log
- Firewall rules
- Functionality tests
Jail and installation of basic tools:
We create the jail and assign it an IP via Bastille:
bastille create -T RosettaStone 14.3-RELEASE 192.168.69.22/24 nfe0
We install the basic tools using the template system:
bastille template RosettaStone datadyne.alfaexploit.com/bastille-basicconfiguration
Installation of Bind:
We install Bind and some useful diagnostic tools:
pkg install -y bind920 bind-tools
The installer itself warns us that we must generate a key for rndc:
BIND requires configuration of rndc, including a "secret" key. The easiest, and most secure way to configure rndc is
to run 'rndc-confgen -a' to generate the proper conf file, with a new random key, and appropriate file permissions.
We proceed as indicated:
rndc-confgen -a
We enable the service and start it:
service named enable
service named start
Configuration of Bind:
Change the listening socket so that named only listens on the jail's LAN address, enable DNS-RPZ, and configure forwarders for the remaining queries:
vi /usr/local/etc/namedb/named.conf
options {
...
listen-on { 192.168.69.22; };
response-policy { zone "rpz.zone"; };
forwarders {
8.8.8.8;
1.1.1.1;
};
...
};
// DNS RPZ (Response Policy Zone)
zone "rpz.zone" {
type master;
file "/usr/local/etc/namedb/db.rpz.local";
allow-query { any; };
allow-update { none; };
};
We configure the entries for the DNS-RPZ zone. Each A record here is a "Local Data" rule: when a client asks for that name, BIND answers with the LAN address instead of the public one returned by the authoritative servers. Two things to keep in mind: RPZ rewriting only applies to answers the server resolves for its clients, so recursion must remain enabled for the LAN (and only for the LAN; the forwarders make this a recursive resolver, so it should never be reachable from outside), and by default BIND does not rewrite a DNSSEC-signed answer when the client asked for DNSSEC data (DO bit), which the break-dnssec option of response-policy changes if such clients also need the LAN address.
vi /usr/local/etc/namedb/db.rpz.local
$TTL 604800
@ IN SOA localhost.local. hostmaster.local. (
9 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
@ IN NS localhost.local.
poudriere.alfaexploit.com IN A 192.168.69.2
goaccess.alfaexploit.com IN A 192.168.69.2
mightymax.alfaexploit.com IN A 192.168.69.2
paperstreet.alfaexploit.com IN A 192.168.69.4
hellstorm.alfaexploit.com IN A 192.168.69.17
baikal.alfaexploit.com IN A 192.168.69.19
grafana.alfaexploit.com IN A 192.168.69.19
alfaexploit.com IN A 192.168.69.19
www.alfaexploit.com IN A 192.168.69.19
atlas.alfaexploit.com IN A 192.168.69.19
metacortex.alfaexploit.com IN A 192.168.69.20
rosettastone.alfaexploit.com IN A 192.168.69.22
minibeast.alfaexploit.com IN A 192.168.69.205
We check that the configuration is correct. If nothing is output, everything is in order:
named-checkconf
We restart the service:
service named restart
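Maintaining the zone file by hand works for a dozen hosts, but it is easy to forget the serial or mistype an address. The following script is an added example, not part of the original post: it builds db.rpz.local from a simple name/address mapping, derives the serial from the date, rejects malformed addresses, and runs named-checkzone before installing the file when that tool is present. The zone name, SOA names, TTLs and output path are the ones used above; the mapping entries are constructed for the example, and the RPZ_FILE override is an assumption of this script.

```sh
#!/bin/sh
# Added example (not from the original post): generate the RPZ zone file from a
# "name ip" mapping, stamp it with a date-based serial and validate it.
# Assumptions: zone "rpz.zone", SOA names and path as in the tutorial above;
# the mapping below is constructed for the example.

set -eu

RPZ_ZONE="rpz.zone"
RPZ_FILE="${RPZ_FILE:-/usr/local/etc/namedb/db.rpz.local}"

# Constructed mapping: one "fqdn ipv4" pair per line, '#' starts a comment.
RPZ_MAP='
# host                         LAN address
baikal.alfaexploit.com         192.168.69.19
www.alfaexploit.com            192.168.69.19
rosettastone.alfaexploit.com   192.168.69.22
'

# Serial in YYYYMMDDnn form; nn is the revision within the day (default 01).
rpz_serial() {
    printf '%s%02d\n' "$(date -u +%Y%m%d)" "${1:-1}"
}

# Accept only a dotted quad whose four parts are numbers in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Emit the zone to stdout: SOA/NS header, then one Local Data A record per
# mapping line. In an RPZ zone the owner name is the name being rewritten and
# the A record is the answer clients receive instead of the public one.
gen_rpz_zone() {
    serial="$1"
    printf '$TTL 604800\n'
    printf '@ IN SOA localhost.local. hostmaster.local. (\n'
    printf '\t%s\t; Serial\n\t604800\t; Refresh\n\t86400\t; Retry\n' "$serial"
    printf '\t2419200\t; Expire\n\t604800 )\t; Negative Cache TTL\n'
    printf '@ IN NS localhost.local.\n'
    printf '%s\n' "$RPZ_MAP" | while read -r name ip _; do
        case "$name" in ''|'#'*) continue ;; esac
        if ! valid_ipv4 "$ip"; then
            echo "skipping $name: bad address '$ip'" >&2
            continue
        fi
        printf '%s IN A %s\n' "$name" "$ip"
    done
}

# Write the zone to a temporary file, check it with named-checkzone when BIND
# is installed, and only then move it into place.
install_rpz_zone() {
    tmp="$(mktemp)"
    gen_rpz_zone "$(rpz_serial)" > "$tmp"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$RPZ_ZONE" "$tmp" >/dev/null
    fi
    mv "$tmp" "$RPZ_FILE"
}

# Usage: ./rpz-zone.sh print   (show the generated zone)
#        ./rpz-zone.sh install (validate and install, then rndc reload)
case "${1:-}" in
    print)   gen_rpz_zone "$(rpz_serial)" ;;
    install) install_rpz_zone ;;
esac
```

After installing a new version of the file, rndc reload is enough; a full service restart is only needed when named.conf itself changes.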
Enable query_log:
At some point, it may be useful to enable query logging to verify that everything is working correctly. Queries that were actually rewritten by the policy zone are logged under the separate rpz category, which can be sent to the same channel:
vi /usr/local/etc/namedb/named.conf
logging {
channel query_log {
file "/var/log/named/queries.log" versions 3 size 50m;
severity info;
print-time yes;
print-category yes;
print-severity yes;
};
category queries { query_log; };
};
Create the log directory and assign permissions:
mkdir -p /var/log/named
chown bind:bind /var/log/named
chmod 750 /var/log/named
Restart the service:
service named restart
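To get something out of the log once it exists, here is an added example (not from the original post) that parses query log lines of the layout this logging block produces, with print-time, print-category and print-severity on, and answers two questions: which names are queried most, and whether any query reached named from outside 192.168.69.0/24, which should not happen once listen-on and the firewall rules are in place. The log lines embedded in the script are constructed for the example, and the LAN_PREFIX variable is an assumption of this script.

```sh
#!/bin/sh
# Added example (not from the original post): summarize a BIND query log and
# flag clients outside the LAN prefix. The sample lines are constructed.

set -eu

LAN_PREFIX="${LAN_PREFIX:-192.168.69.}"

# Constructed sample of /var/log/named/queries.log. Recent BIND versions print
# a "@0x..." client pointer before the address and older ones omit it, so the
# parser locates fields by their shape rather than by position.
SAMPLE_LOG='01-Jan-2025 10:00:01.101 queries: info: client @0x8c1a2 192.168.69.5#53211 (baikal.alfaexploit.com): query: baikal.alfaexploit.com IN A +E(0)K (192.168.69.22)
01-Jan-2025 10:00:01.250 queries: info: client @0x8c1a2 192.168.69.5#53212 (grafana.alfaexploit.com): query: grafana.alfaexploit.com IN AAAA +E(0)K (192.168.69.22)
01-Jan-2025 10:00:02.007 queries: info: client @0x8c1b0 192.168.69.17#40011 (baikal.alfaexploit.com): query: baikal.alfaexploit.com IN A + (192.168.69.22)
01-Jan-2025 10:00:03.318 queries: info: client 10.0.0.7#61000 (www.alfaexploit.com): query: www.alfaexploit.com IN A + (192.168.69.22)
01-Jan-2025 10:00:04.500 queries: info: client @0x8c1c4 192.168.69.205#51000 (freebsd.org): query: freebsd.org IN A +E(0)K (192.168.69.22)'

# Read log lines on stdin and print "client qname qtype" for each query line.
# The client is the first field of the form addr#port; the name and type are
# the first and third fields after the literal "query:". Unparseable lines
# are dropped.
parse_queries() {
    awk '
    {
        client = ""; qname = ""; qtype = ""
        for (i = 1; i <= NF; i++) {
            if (client == "" && $i ~ /^[0-9a-fA-F.:]+#[0-9]+$/) { split($i, a, "#"); client = a[1] }
            if ($i == "query:" && i + 3 <= NF) { qname = $(i + 1); qtype = $(i + 3) }
        }
        if (client != "" && qname != "") print client, qname, qtype
    }'
}

# Query counts per name, busiest first.
top_qnames() {
    parse_queries | awk '{ n[$2]++ } END { for (q in n) print n[q], q }' | sort -rn
}

# Clients whose address does not start with the LAN prefix. With listen-on
# restricted to the jail address and the firewall passing only LAN traffic
# this should print nothing; any output means a query arrived from elsewhere.
foreign_clients() {
    parse_queries | awk -v p="$LAN_PREFIX" 'index($1, p) != 1 { print $1 }' | sort -u
}

# Usage: ./query-log.sh top      (run against the embedded sample)
#        ./query-log.sh foreign
#        top_qnames < /var/log/named/queries.log  (on the real log)
case "${1:-}" in
    top)     printf '%s\n' "$SAMPLE_LOG" | top_qnames ;;
    foreign) printf '%s\n' "$SAMPLE_LOG" | foreign_clients ;;
esac
```

On the sample above the foreign check reports 10.0.0.7, which is exactly the kind of entry that indicates the listening socket or the firewall rules are wider than intended.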
Firewall rules:
If it were necessary to configure PF, these would be the rules; since the jail shares the host's network stack, they belong in the host's pf.conf. Both UDP and TCP are needed, because answers that do not fit in a UDP datagram are retried over TCP. In my case, I only want to allow traffic from the internal network:
# LAN DNS-RPZ:
pass in proto udp from 192.168.69.0/24 to 192.168.69.22 port 53
pass in proto tcp from 192.168.69.0/24 to 192.168.69.22 port 53
Functionality tests:
We check that it works correctly: the jail's resolver must return the LAN address, while a public resolver still returns the public one for the same name:
dig @192.168.69.22 baikal.alfaexploit.com +short
192.168.69.19
dig @8.8.8.8 baikal.alfaexploit.com +short
alfaexploit.com.
79.112.0.29