I haven’t found a PAKFire package for bind9, so I’m guessing this isn’t supported but…
My old gateway/firewall machine died after a (far too close!) lightning strike. I thought I’d use an IPFire distro to get a new one up and running fast – and it worked great!
Except for one thing: My old, hand-built firewall system was also a backup nameserver for my company’s domain. I’d really like to add that one functionality to the IPFire system rather than start from scratch, building a new firewall for myself starting with a Ubuntu server (like last time). I expect that EVERYTHING has changed – after all, more than a month has passed – so what I knew about setting one up last time is likely obsolete and incorrect now.
So, is it possible to add a bind9 (named) server to my IPFire system? If so, can anyone offer any tips, hints, pitfalls, etc.? Thanks!
They are not part of the bind server but they are part of the bind source package and if you want them you have to install them from the bind source tar ball or you don’t have them.
IPFire just doesn’t install the named part of bind. It individually installs the specified tools by having a make install step for each of the tools.
The original poster wanted to have the bind named service and that is not provided in IPFire, as it uses unbound.
The only way to get the full bind installed would be to build a customised version of IPFire as per
but then you would also need to understand how to configure bind so that it could work with unbound also present so that DNS forward loops don’t occur.
Also every time IPFire had a new Core Update the customised build would need to be rerun and installed to keep up to date.
For a backup of another nameserver I would suggest installing it on another pc server that does not already have a DNS server on it.
Another thing is that this breaks IPFire’s philosophy. Nearly everything should be configurable with the WUI. There are no facilities implemented.
Further, most (all?) users/devs are familiar with the unbound system, but not BIND. So there is almost no support for this piece of software and its usage in an IPFire system.
Because communication in the internet relies heavily on DNS, I would not recommend such a massive change.
Using an alternative DNS server in the local network may be an opportunity.
Not bind specific.
Unbound in IPFire. Uses the name in the dynamic lease section of the DHCP page?
And for fixed leases it uses the edit host page info?
No, for fixed leases the ‘comment’ field is used as a host name (if syntactically correct). You have to transfer it if you make a dynamic lease fixed.
I really don’t understand why they used unbound in the first place.
But there are other things I question in the usage of the unbound.conf file.
I’ll just list them out here:
The “allowed access from everywhere” is the first thing I see that is incorrect compared to the standard way of using unbound (0.0.0.0/0 allow), as normally you just allow recursive queries from the network, the local host and the local loopback on the machine in the config file. So the file should be like:
access-control: 127.0.0.1/32 allow_snoop
access-control: 127.0.0.0/8 allow
access-control: (green network ip network expressed like 192.168.5.0/24) allow
I wonder how susceptible it is to a DNS flood attack allowing all IP addresses?
I notice that the “private-address” is not listed and must be in an external file that is loaded. But I guess that is how you set up this so you can define these local network(s).
But on this topic of adding DNS clients, normally you would declare them in the unbound.conf file. So I wonder what external file you are using/interface to generate the file. Here is an example of a unbound.conf entry for the domain “home.lan” :
# local zone
local-zone: "home.lan." static
local-data: "firewall.home.lan. IN A 10.0.0.1"
local-data: "vault.home.lan. IN A 10.0.0.2"
local-data: "media.home.lan. IN A 10.0.0.3"
local-data: "docs.home.lan. IN A 10.0.0.4"
local-data: "wiki.home.lan. IN A 10.0.0.5"
local-data-ptr: "10.0.0.1 firewall.home.lan"
local-data-ptr: "10.0.0.2 vault.home.lan"
local-data-ptr: "10.0.0.3 media.home.lan"
local-data-ptr: "10.0.0.4 docs.home.lan"
local-data-ptr: "10.0.0.5 wiki.home.lan"
So what file are you including that is externally generating this? Or the real question: what menu is used to add these entries, unless editing unbound.conf is the only way?
But unbound is just recursive, so those entries would only work on the router machine itself as far as I understand it.
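As an added example (not code from the thread or from IPFire), this script does two things the post above asks for: it flags access-control rules that allow recursion from any address (the 0.0.0.0/0 allow case), and it generates the local-zone / local-data / local-data-ptr lines for a list of static hosts in the same format shown above. The config fragment and host list are constructed samples.

```python
import ipaddress
import re

# Constructed sample of an unbound.conf fragment with the open rule discussed above.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    access-control: 127.0.0.0/8 allow
    access-control: 127.0.0.1/32 allow_snoop
"""

ACL_RE = re.compile(r"^\s*access-control:\s+(\S+)\s+(\S+)")


def open_recursion_rules(conf_text):
    """Return access-control lines that allow recursion from any address (prefix length 0)."""
    findings = []
    for line in conf_text.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        net, action = m.groups()
        try:
            prefixlen = ipaddress.ip_network(net, strict=False).prefixlen
        except ValueError:
            continue  # not a network literal; unbound would reject it anyway
        # allow, allow_snoop and allow_setrd all permit recursive queries
        if action.startswith("allow") and prefixlen == 0:
            findings.append(line.strip())
    return findings


def local_zone_block(zone, hosts):
    """Emit a static local-zone plus A and PTR data for (name, ip) pairs of static hosts."""
    zone = zone.rstrip(".") + "."
    lines = [f'local-zone: "{zone}" static']
    for name, ip in hosts:
        ipaddress.ip_address(ip)  # reject malformed addresses before they reach unbound
        fqdn = f"{name}.{zone}"
        lines.append(f'local-data: "{fqdn} IN A {ip}"')
        lines.append(f'local-data-ptr: "{ip} {fqdn[:-1]}"')
    return "\n".join(lines)


if __name__ == "__main__":
    print(open_recursion_rules(SAMPLE_CONF))
    print(local_zone_block("home.lan", [("firewall", "10.0.0.1"), ("vault", "10.0.0.2")]))
```

Run it against your own unbound.conf by reading the file into open_recursion_rules(); a non-empty result means the server answers recursive queries for any source address the interface can reach.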
Is there a way to install bind9 since the bind-utils package is installed?
bind9 could be easily used. The only additional thing you have to declare is a network or else it would be prone to DNS attacks.
You declare them, as any client you set a name for must be a static IP address. Just like the TLD DNS servers on the internet.
This is the first time I tried IPFire, just to try something new. Otherwise, I would load a stripped down Ubuntu Server and run Unbound with bind9 and UFW.
Adding and implementing Bind9 wouldn’t be hard. You just have to take the use case into account. But even when assigning names in unbound they are supposed to be a static IP and not DHCP. DHCP is supposed to be for client devices instead of servers (or embedded servers like printers, NVRs, etc.).
The easy way to add Bind9 to this stack would be adding another static IP (which would be the DNS IP) so Bind9 can use that IP. Then of course you add the bind9 IP into IPFire as a secondary DNS server for the green interface/network.
Btw I like the graphic front end IPFire has refined the unbound program.
But no one has made a decent graphic front end to bind9 that would be as easy for the local network end user (yet).
One thing I would like to mention is that the WINS server is dead networking architecture and even its creator suggests building a local DNS server for names.
I would also like to mention that the CPU graph doesn’t work. It says "/var/log/rrd/collectd/localhost/cpu-1/cpu-wait.rrd " no such file or directory. Is this designed to be run on multi-core machines?