diff --git a/source/manual/how-tos/bind.rst b/source/manual/how-tos/bind.rst index 67555a02..8f746859 100644 --- a/source/manual/how-tos/bind.rst +++ b/source/manual/how-tos/bind.rst @@ -6,18 +6,16 @@ BIND Plugin History ------- -The history of the Bind plugin was a user request on OPNsense subreddit to create a +The history of the Bind plugin was a user request on OPNsense subreddit to create a plugin with a full-featured DNS server, also able to manage zonefiles with the most -popular resource records. In the beginning the plugin was built with only general +popular resource records. In the beginning the plugin was built with only general features so the community can contribute and adding wished features with a friendly review of the OPNsense team. -At the time of writing the plugin is able to be used as a local resolver and as a +At the time of writing the plugin is able to be used as a local resolver and as a nice replacement for pfBlockerNG or PiHole, since it is offering a DNSBL feature via BIND Reverse Policy Zones. -For version 2.0 it is planned to offer full zone-file management. - ------------ Installation ------------ @@ -37,30 +35,31 @@ General Settings Set the IPv6 addresses the daemon should listen on. :Listen Port: Set the port the daemon should listen on. Per default the port is 53530 to not - interfere with existing Unbound/dnsmasq setups. If you want to switch to BIND - only, make sure to stop Unbound and dnsmasq. - - + interfere with existing Unbound/Dnsmasq setups. If you want to switch to BIND + only, make sure to stop Unbound/Dnsmasq and switch to port 53 with both + 0.0.0.0 and :: as listening addresses set up. + + :DNS Forwarders: A list of IP addresses BIND will forward unknown DNS request to. If empty BIND tries to resolve directly via the root servers. :Logsize in MB: The amount for each logfile it can grow. :Maximum Cache Size: - This is the amount of RAM (in percent) the daemon can use for caching. + This is the amount of RAM (in percent) the daemon can use for caching. :Recursion: You have to set a list of networks via **ACL** tab to allow them using recursion against BIND. :DNSSec Validation: - Whether to enable or disable DNSSec validation. + Whether to enable or disable DNSSec validation. + - ----- DNSBL ----- :Enable DNSBL: - Enable the DNSBL service. BIND will be configured for Reverse Policy Zones to + Enable the DNSBL service. BIND will be configured for Reverse Policy Zones to blacklist domains. Choose below the lists to use for blacklist categories. :Type of DNSBL: Here you can select the lists to use. Do not just select all and save. There are @@ -72,7 +71,7 @@ DNSBL The Blacklists are downloaded and updated with every **Save** within BIND configuration. For production use you can go to :menuselection:`System --> Settings --> Cron` and add a cronjob. On the dropdown list you'll find the corret task under **Command**. Set the refresh interval -as you wish and save. This will trigger an update of the selected lists and reload +as you wish and save. This will trigger an update of the selected lists and reload BIND. @@ -82,24 +81,3 @@ ACLs On tab ACLs you can create ACLs used for configuration options like **Recursion**. Add a new ACL via **+**, give it a **Name** and add as many networks as you wish in **Network List**. - - --------- -Advanced --------- - -Maybe you want to stick with Unbound as your primary DNS and only use BIND for blacklisting, -you can set in :menuselection:`Services --> Unbound DNS --> General --> Custom Options`. - -.. code-block:: none - - do-not-query-localhost: no - forward-zone: - name: "." - forward-addr: 127.0.0.1@53530 - -.. Note:: - When you are using Overrides in Unbound you can not use ``do-not-query-localhost``. - Please remove the line and let Bind listen to your LAN IP with port 53530 instead of localhost. - After this you can set the LAN IP in ``forward-addr``. -