Lots of people have a small home network. Usually you have a combo box which acts as a router/firewall/file server. Then you have a couple of other machines hooked up, and you share the Internet using NAT. A private DNS server is helpful in this kind of scenario for two reasons:

  • A caching recursive resolver speeds up repeated lookups for the whole network.
  • A private authoritative zone lets you refer to the machines in your home by name, instead of remembering IP addresses.
The DNS Dichotomy
For many years there has been a dichotomy in the DNS server implementation world, pretty much between ISC's BIND and just about everything else. The essence of this dichotomy is that BIND integrates both the authoritative server and the caching recursive resolver into a single daemon, whereas djbdns has one tool - tinydns - for the authoritative portion while another - dnscache - implements the caching recursive resolver functionality.

Convenience costs you security
The monolithic BIND approach has certain limited benefits - mainly that it is convenient to install and configure a private DNS server which acts both as a cache and as an authority for the private domain. Unfortunately, this design has severe implications for the robustness of the software. It increases the complexity of a single process while ignoring the principle of least privilege: the code that answers queries for your private zone runs with the same privileges, in the same address space, as the code that parses answers from arbitrary Internet hosts. BIND is a horribly complicated beast, with security vulnerabilities being found fairly often, and because of the single-process design even a small flaw in one component exposes the whole server.

Alternative approaches
[Image caption: Unbound: A modern, secure DNS server]
While djbdns might be the better-known BIND alternative, I recently came across Unbound, a BSD-licensed recursive resolver. One of the authors of Unbound is also an OpenBSD developer, which inspires confidence in the security of the software.

Unbound also does simple authoritative resolution
One of the nifty features of Unbound is that you can very simply configure it to answer authoritatively for your private domains from records listed in its own configuration. It is not a general-purpose authoritative server - there are no zone files and no zone transfers - but for a handful of local names that is all you need. Thanks to this feature, you can have a single daemon on your home network router acting as both a cache and a server for your local domain. This is very nice. In fact, I have found the Unbound configuration format to be considerably nicer to deal with than that of BIND.
Setup under OpenBSD
This describes how I set up Unbound on my OpenBSD machine - it should be a pretty similar procedure on most other operating systems. The paths below are where the OpenBSD package puts things (it runs Unbound chrooted under /var/unbound); most other packages use /etc/unbound instead.
# install the package
$ sudo pkg_add -i unbound
Now you have the binaries on disk, you can edit the configuration to set up your private domain. Unbound runs as a recursive resolver out of the box, so this is just about all the configuration you'll need to do.
# edit the config
$ sudo vi /var/unbound/etc/unbound.conf
For a single machine, add the following under 'server', replacing 'inet' with the desired name of your local domain and 'joust' with the name of your machine. The A record takes the machine's IP address as its last field. Note the trailing dots: both names are fully qualified. The 'static' zone type means that any name under the zone which has no local-data entry gets an NXDOMAIN answer rather than being forwarded to the Internet, so typos in local names never leak out of your network:
    local-zone: "inet." static
    local-data: "joust.inet. IN A"
Since you want the DNS server to be accessible from other machines, you probably want it to listen on all available interfaces rather than only on localhost, and to allow queries from your local network. Make sure you have some kind of firewall in place before you do this, though - you don't want to let random Internet hosts query your DNS server. An open recursive resolver is not just a privacy problem: it can be used to amplify traffic against third parties, because a small spoofed query produces a much larger response:
    # Make sure you have a packet filter to block queries from the Internet.
    # Alternatively, set this only for your local network.
    access-control: allow
Check the file for syntax errors with unbound-checkconf (shipped with the package), then start up Unbound:
$ sudo /usr/local/sbin/unbound
And of course you probably want it to come up on boot, so follow these instructions:
$ pkg_info -D unbound
Information for inst:unbound-1.2.1p0

Install notice:
You should add:

    syslogd_flags="${syslogd_flags} -a /var/unbound/dev/log"

to /etc/rc.conf.local to create a syslog socket in the unbound chroot.

You may also want to add the following to /etc/rc.local to start unbound
at boot:

        if [ -x /usr/local/sbin/unbound ]; then
                echo -n ' unbound'; /usr/local/sbin/unbound
        fi
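The configuration steps above, assembled into one complete 'server:' section by a small script. This is an added example, not code from the original post or from the Unbound project. The host names, the 192.168.1.0/24 addressing, the 'inet' zone and the script name gen-unbound.sh are assumptions chosen for illustration. It goes a little beyond the text: it emits a PTR record for every host so reverse lookups work too, spells out deny-by-default access control, and hides the server's identity and version from CHAOS-class queries. Pick a zone name that cannot collide with a real public domain; RFC 8375 reserves home.arpa for exactly this purpose.

```shell
#!/bin/sh
# Added example, not from the original post: build the 'server:' section of
# unbound.conf for a small home LAN from a host table, emitting a forward A
# record and a matching PTR record for every host, and admitting queries only
# from localhost and the LAN. Every address, hostname and zone name below is an
# assumption chosen for illustration; replace them with your own.

# Constructed host table: "hostname address", one host per line.
HOSTS='joust 192.168.1.2
router 192.168.1.1
nas 192.168.1.3'

ZONE='inet.'                        # private forward zone (trailing dot = fully qualified)
LAN_NET='192.168.1.0/24'            # the only network allowed to query
PTR_ZONE='1.168.192.in-addr.arpa.'  # reverse zone for 192.168.1.0/24

# Reverse the octets of a dotted quad for the PTR owner name
# (192.168.1.2 -> 2.1.168.192).
reverse_ip() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# Print the complete 'server:' section on stdout.
gen_unbound_server() {
    cat <<EOF
server:
    # Listen on every interface so the other machines on the LAN can use us.
    interface: 0.0.0.0
    # Deny the world explicitly, then allow localhost and the LAN. Unbound uses
    # the most specific matching netblock, so the /0 refuse never shadows the allows.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: $LAN_NET allow
    # Don't advertise the software name and version to anyone who asks.
    hide-identity: yes
    hide-version: yes
    # 'static': names under the zone that have no local-data get NXDOMAIN
    # instead of being forwarded to the Internet.
    local-zone: "$ZONE" static
    local-zone: "$PTR_ZONE" static
EOF
    printf '%s\n' "$HOSTS" | while read -r name addr; do
        [ -n "$name" ] || continue
        printf '    local-data: "%s.%s IN A %s"\n' "$name" "$ZONE" "$addr"
        printf '    local-data: "%s.in-addr.arpa. IN PTR %s.%s"\n' \
            "$(reverse_ip "$addr")" "$name" "$ZONE"
    done
}

# Usage: sh gen-unbound.sh > server.conf && unbound-checkconf server.conf
gen_unbound_server
```

Write the output to a file, run unbound-checkconf on it, and merge it into /var/unbound/etc/unbound.conf (the OpenBSD package already sets the chroot and unprivileged user there, so only the 'server:' settings need to change). After restarting, a lookup of joust.inet from a LAN host should return its address, a lookup of 192.168.1.2 in reverse should return joust.inet., and a query from an address outside the LAN should be refused.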

Niall O'Higgins is an author and software developer. He wrote the O'Reilly book MongoDB and Python. He also develops Strider Open Source Continuous Deployment and offers full-stack consulting services at FrozenRidge.co.
