Category Archives: DNS

Running dns/bind910 within a chroot after r382109

dns/bind910 gained native chroot support in r382109. Those of us who used to store the BIND files in /var/named/etc/namedb and ran BIND with /var/named as the chroot environment must do five things:

  1. Rename the /var/named directory to something else, like /var/Named. This is to avoid upsetting make -C /usr/src delete-old and still retain the meaning of the directory’s name.
  2. Rename the /var/Named/etc/namedb directory to /var/Named/usr/local/etc/namedb.
  3. Edit /var/Named/usr/local/etc/namedb/named.conf to reflect that the BIND files now reside in /usr/local/etc/namedb, as seen from within the chroot environment.
  4. Change the appropriate line in /etc/rc.conf to read named_chrootdir="/var/Named".
  5. Restart BIND using /usr/local/etc/rc.d/named restart, or start BIND using /usr/local/etc/rc.d/named start if the former fails.
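
The five steps as one script, added here as an example and not part of the post. It assumes exactly the layout described above (/var/named/etc/namedb moving to /var/Named/usr/local/etc/namedb) and takes an optional root prefix so the migration can be rehearsed on a scratch copy of the tree before touching the real system; the named-checkconf run before the restart is an addition, so a broken named.conf is caught before the service goes down.

```shell
#!/bin/sh
# Added example: performs the five migration steps from the post on a FreeBSD
# host.  ROOT is an optional prefix (constructed for dry runs); pass --live to
# operate on / itself.
set -eu

# migrate_named_chroot ROOT
#   ROOT is "" on the real system, or a scratch directory for a rehearsal.
migrate_named_chroot() {
    root=${1:-}
    old="$root/var/named"
    new="$root/var/Named"
    rcconf="$root/etc/rc.conf"

    # Step 1: rename the chroot directory so "make delete-old" leaves it alone.
    if [ ! -d "$old" ]; then
        echo "migrate_named_chroot: $old does not exist" >&2
        return 1
    fi
    mv "$old" "$new"

    # Step 2: move the BIND files to where the port looks for them inside the chroot.
    mkdir -p "$new/usr/local/etc"
    mv "$new/etc/namedb" "$new/usr/local/etc/namedb"

    # Step 3: rewrite absolute /etc/namedb paths in named.conf (directory, file and
    # include statements).  Paths already under /usr/local/etc/namedb are left
    # alone because the pattern anchors on the opening quote.  A .orig copy is kept.
    conf="$new/usr/local/etc/namedb/named.conf"
    sed -i.orig 's|"/etc/namedb|"/usr/local/etc/namedb|g' "$conf"

    # Step 4: point named_chrootdir at the renamed directory, replacing an
    # existing line or appending one if rc.conf has none.
    if grep -q '^named_chrootdir=' "$rcconf"; then
        sed -i.orig 's|^named_chrootdir=.*|named_chrootdir="/var/Named"|' "$rcconf"
    else
        printf 'named_chrootdir="/var/Named"\n' >> "$rcconf"
    fi

    # Step 5 (real system only): validate the configuration as named will see it
    # from inside the chroot, then restart, falling back to start.
    if [ -z "$root" ]; then
        named-checkconf -t "$new" /usr/local/etc/namedb/named.conf
        /usr/local/etc/rc.d/named restart || /usr/local/etc/rc.d/named start
    fi
}

# Only touch the real filesystem when explicitly asked to.
if [ "${1:-}" = "--live" ]; then
    migrate_named_chroot ""
fi
```

Run it once against a copy of the tree (for example `cp -a /var/named /tmp/rehearsal/var/named` plus a copy of /etc/rc.conf, then `migrate_named_chroot /tmp/rehearsal`), diff the resulting named.conf against the .orig copy, and only then run it with --live.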

Missing chroot for dns/bind9{9,10}?

The removal of BIND from base in stable/10 left us with the option of running BIND from ports either in a jail, or as an ordinary service. The old BIND in base was able to run in a chroot environment, isolated from the rest of the system.

Some of us believe a chroot is a good compromise between running BIND as an unisolated service or in a jail. I personally believe the removal of /etc/namedb and /var/named as part of make delete-old is premature, as most of us would like to continue keeping all BIND related files in /var/named/etc/namedb.

Harald Schmalzbauer has been kind enough to recreate a chroot environment for dns/bind910. I guess the same patches can be used for dns/bind99 with some minor tweaking.

Take a look at Harald’s contribution if you feel a jail is too much work for a simple service like DNS.

FreeBSD’s local_unbound in mobile environments

FreeBSD’s local_unbound DNS resolver was introduced in head in September 2013, and later in stable/10 when that branch became available. Its configuration out of the box, particularly its treatment of the /etc/resolvconf.conf, assumes the local_unbound resolver is the sole resolver to be used.

The reason for this blog entry is that I appreciate being able to resolve DNS domain names even when the local resolver is unavailable for whatever reason. The use of single user mode with the network interfaces enabled and without any services running is one example I can think of. I’m certain this also applies to some of you.

Having trouble starting named from dns/bind99 automatically? Here’s how I solved it!

I tried to convince named from dns/bind99, as of r333563, to start automatically at (re)boot on stable/10 and head.

My /etc/rc.conf file contains lines like these:

named_enable="YES"
named_program="/usr/local/sbin/named"
named_wait="YES"
named_wait_host="localhost"
named_auto_forward="YES"
named_auto_forward_only="YES"

Eventually, I resolved the matter using the following patch:

--- named.orig  2013-11-18 15:51:27.339844000 +0100
+++ named       2013-11-18 15:53:35.587723548 +0100
@@ -19,15 +19,15 @@
 reload_cmd="named_reload"
 stop_cmd="named_stop"

-named_enable="NO"              # Run named, the DNS server (or NO).
-named_program="/usr/local/sbin/named"  # Path to named, if you want a different one.
-named_conf="/usr/local/etc/namedb/named.conf"  # Path to the configuration file
+named_enable=${named_enable-"NO"}              # Run named, the DNS server (or NO).
+named_program=${named_program-"/usr/local/sbin/named"} # Path to named, if you want a different one.
+named_conf=${named_conf-"/usr/local/etc/namedb/named.conf"}    # Path to the configuration file
 #named_flags=""                        # Use this for flags OTHER than -u and -c
-named_uid="bind"               # User to run named as
-named_wait="NO"                        # Wait for working name service before exiting
-named_wait_host="localhost"    # Hostname to check if named_wait is enabled
-named_auto_forward="NO"                # Set up forwarders from /etc/resolv.conf
-named_auto_forward_only="NO"   # Do "forward only" instead of "forward first"
+named_uid=${named_uid-"bind"}          # User to run named as
+named_wait=${named_wait-"NO"}                  # Wait for working name service before exiting
+named_wait_host=${named_wait_host-"localhost"} # Hostname to check if named_wait is enabled
+named_auto_forward=${named_auto_forward-"NO"}          # Set up forwarders from /etc/resolv.conf
+named_auto_forward_only=${named_auto_forward_only-"NO"}        # Do "forward only" instead of "forward first"

 named_poststart() {
        if checkyesno named_wait; then
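
Review bot: the `${var-default}` form used throughout this hunk (for example `named_wait_host=${named_wait_host-"localhost"}`) only substitutes the default when the variable is unset, so a value that /etc/rc.conf sets to the empty string (`named_wait_host=""`) stays empty instead of falling back to `localhost`; the usual rc.d idiom `: ${named_wait_host:="localhost"}` covers the empty case as well and would be the safer replacement for the six `+` assignments. The `+` lines also swap the tab alignment of the trailing comments for runs of spaces, which is why the patch no longer applies cleanly; regenerating it from a copy that keeps the original tabs would avoid the hand application mentioned below.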

The tabs are missing, so you had better apply this patch by hand. It’s not that difficult.

I have emailed the patch to the maintainer of dns/bind99, and I hope the patch hits the Subversion repos within a day or two.
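
Why the rc.conf settings were being ignored, shown as an added example (not from the post and not the port’s rc.d script): the original script assigned its defaults unconditionally after the rc.conf values had been loaded, so they overwrote whatever rc.conf said. The script below sources a constructed rc.conf fragment the way load_rc_config does and runs three ways of setting defaults over it: the original unconditional assignment, the patch’s `${var-default}` form, and the conventional `: ${var:=default}` idiom, which differs from the patch in how it treats a variable that rc.conf sets to the empty string.

```shell
#!/bin/sh
# Added example: compares three ways an rc.d script can set defaults after the
# rc.conf values have been loaded.  The rc.conf contents are constructed.
set -eu

# Writes a constructed rc.conf fragment to the given path.  named_wait_host is
# deliberately set to the empty string to show the edge case.
write_sample_rcconf() {
    printf 'named_enable="YES"\nnamed_wait="YES"\nnamed_wait_host=""\n' > "$1"
}

# Stands in for load_rc_config: sourcing the file turns its assignments into
# shell variables of the running script.
load_sample_rcconf() {
    . "$1"
}

# Variant A: the lines the patch removes.  Unconditional assignment after the
# load discards everything rc.conf set.
defaults_unconditional() {
    named_enable="NO"
    named_wait="NO"
    named_wait_host="localhost"
    echo "enable=$named_enable wait=$named_wait host=$named_wait_host"
}

# Variant B: the lines the patch adds.  ${var-default} substitutes only when the
# variable is unset, so an empty value from rc.conf is kept as empty.
defaults_dash() {
    named_enable=${named_enable-"NO"}
    named_wait=${named_wait-"NO"}
    named_wait_host=${named_wait_host-"localhost"}
    echo "enable=$named_enable wait=$named_wait host=$named_wait_host"
}

# Variant C: the usual rc.d idiom.  ":" is a no-op command, and the := form
# assigns the default when the variable is unset or empty.
defaults_colon() {
    : ${named_enable:="NO"}
    : ${named_wait:="NO"}
    : ${named_wait_host:="localhost"}
    echo "enable=$named_enable wait=$named_wait host=$named_wait_host"
}

# run_variant RCCONF FUNCTION
#   Runs one variant in a subshell so each starts from a clean environment and
#   prints the values the rc.d script would end up using.
run_variant() {
    (
        unset named_enable named_wait named_wait_host
        load_sample_rcconf "$1"
        "$2"
    )
}

# Demonstration when run directly: write the fragment and show all three results.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_sample_rcconf "$f"
    for v in defaults_unconditional defaults_dash defaults_colon; do
        printf '%-22s ' "$v:"
        run_variant "$f" "$v"
    done
    rm -f "$f"
fi
```

Variant A reproduces the symptom from the post (named_enable comes out as NO no matter what rc.conf says); variant B is the patch and honours rc.conf; variant C additionally turns an explicitly empty named_wait_host back into localhost, which is the behaviour other rc.d scripts have.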