
Jail: djbdns (dns cache server)

Install the djbdns package and configure as a dns cache server.

Preface

This guide has been assembled from multiple web sites. It is assumed you've already installed FreeBSD and created a jail (e.g. with ezjail).

Installation

Installation simply involves building the djbdns port with the default configuration options:

cd /usr/ports/dns/djbdns
make clean
make install
make clean

Configuration

The first step is to manually create the group and users as per the djbdns instructions:

pw groupadd dns
pw useradd dnscache -s /bin/nologin
pw useradd dnslog -s /bin/nologin
pw groupmod dns -m dnscache,dnslog

The environment for the dns cache server can now be created, using the users just created above and the IP address of the jail itself. Since this is a port, I prefer to keep the data files under /usr/local.

/usr/local/bin/dnscache-conf dnscache dnslog /usr/local/etc/dnscache 192.168.1.47

There are two choices: you can use the default root DNS servers, or reconfigure the dns cache to forward to your local ISP's servers (or an OpenDNS server). If you don't want to use the root servers, edit the /usr/local/etc/dnscache/root/servers/@ file and replace the servers with your preferred IP addresses.

The following is an example using OpenDNS:

208.67.222.222
208.67.220.220

To work with OpenDNS (or any other recursive resolver) you must enable FORWARDONLY, so that dnscache treats the addresses in servers/@ as other caches to forward to rather than as root servers:

touch /usr/local/etc/dnscache/env/FORWARDONLY

Increase the amount of memory available to dnscache (it defaults to 1 MB):

echo 50000000 > /usr/local/etc/dnscache/env/CACHESIZE
echo 52428800 > /usr/local/etc/dnscache/env/DATALIMIT

Make sure the computers on our local network (and the jail itself) can use the DNS cache by adding the IP range for 192.168.1.0/24:

touch /usr/local/etc/dnscache/root/ip/192.168.1

Configure our jail to use its newly installed name server (note: we can't use 127.0.0.1) by editing the jail's /etc/resolv.conf:

domain kingsquarry.net
nameserver 192.168.1.47

Configure svscan to find and automatically start our dns cache server by performing the following steps:

cd /var
mkdir service
cd service
ln -s /usr/local/etc/dnscache dnscache

Finally we need to add the svscan enable and service-directory parameters to the /etc/rc.conf file:

svscan_enable="YES"
svscan_servicedir="/var/service"

Configuration (Extra)

If you've configured your own local dns server (local as in not accessible from anyone outside your network), you can add support to the dns cache for resolving your local dns entries through that server. You need to provide a forward-domain file and a reverse-lookup file, each naming your local server, in the /usr/local/etc/dnscache/root/servers directory as follows:

echo 192.168.1.46 > /usr/local/etc/dnscache/root/servers/kingsquarry.net
echo 192.168.1.46 > /usr/local/etc/dnscache/root/servers/1.168.192.in-addr.arpa
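
The audit script below is an added example (not part of djbdns, and not one of this guide's original steps); it checks the configuration produced by the Configuration and Configuration (Extra) steps above for the mistakes that matter most: a root/ip prefix that is not private (which turns the cache into an open resolver), a servers file with something other than one IPv4 address per line, a replaced servers/@ without FORWARDONLY, and a DATALIMIT that cannot hold CACHESIZE. The files it reads (env/IP, env/FORWARDONLY, env/CACHESIZE, env/DATALIMIT, root/ip/*, root/servers/*) are the real dnscache layout; the function names, the sample tree it builds from the guide's values, and the "fewer than 13 entries means servers/@ was replaced" rule are this example's own assumptions.

```shell
#!/bin/sh
# Audit a dnscache configuration directory (the tree dnscache-conf created,
# /usr/local/etc/dnscache in this guide) for the settings the guide changes.
# Added example, not part of djbdns.  The files it reads are the real dnscache
# layout; the sample tree built by build_sample_conf is constructed.

# is_private_prefix PREFIX: true if a root/ip entry (a dotted prefix such as
# "192.168.1" or "10") only admits RFC 1918 or loopback clients.
is_private_prefix() {
    printf '%s\n' "$1" | grep -Eq '^(10|127|192\.168|172\.(1[6-9]|2[0-9]|3[01]))(\.|$)'
}

# is_ipv4 ADDR: loose syntactic check for the one-address-per-line server files.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# dnscache_audit CONFDIR: print each finding, return 1 if anything was found.
dnscache_audit() {
    conf=$1; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # 1. dnscache-conf writes the address to bind in env/IP.
    [ -s "$conf/env/IP" ] || fail "env/IP missing: no address to bind"

    # 2. Every client prefix in root/ip must be private; a public prefix
    #    turns the cache into an open resolver.
    for f in "$conf"/root/ip/*; do
        [ -e "$f" ] || continue
        p=$(basename "$f")
        is_private_prefix "$p" || fail "root/ip/$p admits non-private clients"
    done

    # 3. Each root/servers file must hold only IPv4 addresses, one per line.
    for f in "$conf"/root/servers/*; do
        [ -e "$f" ] || continue
        while IFS= read -r addr || [ -n "$addr" ]; do
            [ -n "$addr" ] || continue
            is_ipv4 "$addr" || fail "$(basename "$f"): '$addr' is not an IPv4 address"
        done < "$f"
    done

    # 4. Heuristic: dnscache-conf fills servers/@ with the 13 root servers.  A
    #    shorter list means it was replaced (OpenDNS, the ISP, ...), and without
    #    FORWARDONLY dnscache would treat those addresses as root servers.
    n=$(grep -c . "$conf/root/servers/@" 2>/dev/null)
    if [ "${n:-0}" -lt 13 ] && [ ! -e "$conf/env/FORWARDONLY" ]; then
        fail "servers/@ has ${n:-0} entries but env/FORWARDONLY is not set"
    fi

    # 5. DATALIMIT caps the process's memory; it must leave room for CACHESIZE
    #    or dnscache cannot allocate its cache at startup.
    cs=$(cat "$conf/env/CACHESIZE" 2>/dev/null)
    dl=$(cat "$conf/env/DATALIMIT" 2>/dev/null)
    [ "${dl:-0}" -gt "${cs:-0}" ] || fail "DATALIMIT (${dl:-unset}) must exceed CACHESIZE (${cs:-unset})"

    [ "$problems" -eq 0 ]
}

# build_sample_conf DIR: constructed tree shaped like the one this guide ends
# up with (same values as the guide; not a real installation).
build_sample_conf() {
    d=$1
    mkdir -p "$d/env" "$d/root/ip" "$d/root/servers"
    echo 192.168.1.47 > "$d/env/IP"
    echo 50000000    > "$d/env/CACHESIZE"
    echo 52428800    > "$d/env/DATALIMIT"
    : > "$d/env/FORWARDONLY"
    printf '208.67.222.222\n208.67.220.220\n' > "$d/root/servers/@"
    echo 192.168.1.46 > "$d/root/servers/kingsquarry.net"
    echo 192.168.1.46 > "$d/root/servers/1.168.192.in-addr.arpa"
    : > "$d/root/ip/192.168.1"
}

# Stand-alone run: audit the constructed sample (passes), then the same tree
# after a constructed mistake (root/ip/8 would admit all of 8.0.0.0/8).
sample=$(mktemp -d)
build_sample_conf "$sample"
dnscache_audit "$sample" && echo "sample config: OK"
: > "$sample/root/ip/8"
dnscache_audit "$sample" || echo "sample with root/ip/8: problems found"
rm -rf "$sample"
```

To audit the real installation, source the script in the jail and run dnscache_audit /usr/local/etc/dnscache; a clean run prints nothing and exits 0, so it can sit in a cron job or a post-change check.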

Start

If everything is properly configured, we can execute the following command to start our new dns cache server:

/usr/local/etc/rc.d/svscan.sh restart

Test

To verify everything is running properly, perform a dnsip lookup:

dnscache# dnsip yahoo.com
216.109.112.135 66.94.234.13

or perform an nslookup:

dnscache# nslookup yahoo.com
Server:         192.168.1.47
Address:        192.168.1.47#53

Non-authoritative answer:
Name:   yahoo.com
Address: 66.94.234.13
Name:   yahoo.com
Address: 216.109.112.135
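
As an added check (example code, not from the original page, djbdns or daemontools), the script below turns the manual test above into something you can rerun after every restart: it reads the svstat status line for /var/service/dnscache to confirm dnscache has stayed up rather than being restarted by supervise, and parses the nslookup output to confirm the answer came from the address in env/IP (our cache, not some other resolver the jail fell back to) and actually carried addresses. The svstat line format ("PATH: up (pid N) S seconds") and the nslookup output format are the real ones; the sample status line and lookup output are constructed from the session shown above, and MIN_UP and the function names are this example's own.

```shell
#!/bin/sh
# Post-start checks for the supervised dnscache service.  Added example, not
# part of djbdns or daemontools.  The sample strings are constructed from the
# session shown in this guide.

# svstat_uptime LINE: print the uptime in seconds if the service is up, or -1.
# A service that is "up" for only a few seconds every time you look is being
# restarted by supervise, i.e. dnscache is crashing (check the dnslog output).
svstat_uptime() {
    printf '%s\n' "$1" | awk '
        /: up \(pid [0-9]+\) [0-9]+ seconds/ { print $(NF-1); found = 1 }
        END { if (!found) print -1 }'
}

# nslookup_server OUTPUT: the address of the server that answered.
nslookup_server() {
    printf '%s\n' "$1" | awk '$1 == "Server:" { print $2; exit }'
}

# nslookup_addresses OUTPUT: the answer addresses, one per line, in order.
# The "Address:" line before the "Non-authoritative answer:" header is the
# server (with its port), not an answer, so it is skipped.
nslookup_addresses() {
    printf '%s\n' "$1" | awk 'in_answer && $1 == "Address:" { print $2 }
                              /^Non-authoritative answer:/ { in_answer = 1 }'
}

# verify_cache CONFDIR SVSTAT_LINE NSLOOKUP_OUTPUT: succeed only if the service
# has been up at least MIN_UP seconds, the answer came from the address in
# CONFDIR/env/IP, and the answer carried at least one address.
MIN_UP=${MIN_UP:-60}
verify_cache() {
    want=$(cat "$1/env/IP")
    up=$(svstat_uptime "$2")
    got=$(nslookup_server "$3")
    ok=0
    if [ "$up" -lt 0 ]; then
        echo "dnscache is not up"; ok=1
    elif [ "$up" -lt "$MIN_UP" ]; then
        echo "dnscache up only ${up}s (<${MIN_UP}s): restart loop?"; ok=1
    fi
    [ "$got" = "$want" ] || { echo "answer from ${got:-nobody}, expected $want"; ok=1; }
    [ -n "$(nslookup_addresses "$3")" ] || { echo "no addresses in the answer"; ok=1; }
    return $ok
}

# Constructed samples modelled on the session in this guide.
SAMPLE_SVSTAT='/var/service/dnscache: up (pid 1234) 3600 seconds'
SAMPLE_NSLOOKUP='Server:         192.168.1.47
Address:        192.168.1.47#53

Non-authoritative answer:
Name:   yahoo.com
Address: 66.94.234.13
Name:   yahoo.com
Address: 216.109.112.135'

# Stand-alone run against the samples (a throwaway env/IP stands in for the
# real /usr/local/etc/dnscache/env/IP), then against the live service if the
# real configuration and tools are present on this host.
tmp=$(mktemp -d); mkdir "$tmp/env"; echo 192.168.1.47 > "$tmp/env/IP"
verify_cache "$tmp" "$SAMPLE_SVSTAT" "$SAMPLE_NSLOOKUP" && echo "sample: OK"
rm -rf "$tmp"
if [ -d /usr/local/etc/dnscache ] && command -v svstat >/dev/null && command -v nslookup >/dev/null; then
    verify_cache /usr/local/etc/dnscache "$(svstat /var/service/dnscache)" "$(nslookup yahoo.com)" \
        && echo "live dnscache: OK"
fi
```

On the jail itself the live branch is the useful one; run it a minute or so after the svscan restart, since a freshly started service legitimately reports a small uptime.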