mirror of
https://github.com/opnsense/docs
synced 2024-10-30 21:20:20 +00:00
bind: improve documentation for 23.1.6, remove faulty advanced section
Better blocklist support exists in Unbound and since Bind can run as standalone there is no need to transform the faulty advanced options to the file-based override that Unbound still supports.
This commit is contained in:
parent b9fbf01aa6
commit 0a0a607146
@ -6,18 +6,16 @@ BIND Plugin
 History
 -------
 
 The history of the Bind plugin was a user request on OPNsense subreddit to create a
 plugin with a full-featured DNS server, also able to manage zonefiles with the most
 popular resource records. In the beginning the plugin was built with only general
 features so the community can contribute and adding wished features with a friendly
 review of the OPNsense team.
 
 At the time of writing the plugin is able to be used as a local resolver and as a
 nice replacement for pfBlockerNG or PiHole, since it is offering a DNSBL feature
 via BIND Reverse Policy Zones.
 
-For version 2.0 it is planned to offer full zone-file management.
-
 ------------
 Installation
 ------------
@ -37,30 +35,31 @@ General Settings
 Set the IPv6 addresses the daemon should listen on.
 :Listen Port:
 Set the port the daemon should listen on. Per default the port is 53530 to not
-interfere with existing Unbound/dnsmasq setups. If you want to switch to BIND
-only, make sure to stop Unbound and dnsmasq.
+interfere with existing Unbound/Dnsmasq setups. If you want to switch to BIND
+only, make sure to stop Unbound/Dnsmasq and switch to port 53 with both
+0.0.0.0 and :: as listening addresses set up.
 
 
 :DNS Forwarders:
 A list of IP addresses BIND will forward unknown DNS request to. If empty BIND
 tries to resolve directly via the root servers.
 :Logsize in MB:
 The amount for each logfile it can grow.
 :Maximum Cache Size:
 This is the amount of RAM (in percent) the daemon can use for caching.
 :Recursion:
 You have to set a list of networks via **ACL** tab to allow them using recursion
 against BIND.
 :DNSSec Validation:
 Whether to enable or disable DNSSec validation.
 
 
 
 -----
 DNSBL
 -----
 
 :Enable DNSBL:
 Enable the DNSBL service. BIND will be configured for Reverse Policy Zones to
 blacklist domains. Choose below the lists to use for blacklist categories.
 :Type of DNSBL:
 Here you can select the lists to use. Do not just select all and save. There are
@ -72,7 +71,7 @@ DNSBL
 The Blacklists are downloaded and updated with every **Save** within BIND configuration.
 For production use you can go to :menuselection:`System --> Settings --> Cron` and add a cronjob. On the
 dropdown list you'll find the corret task under **Command**. Set the refresh interval
 as you wish and save. This will trigger an update of the selected lists and reload
 BIND.
 
 
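Review bot: this hunk shows no visible content change in its seven lines (the header reads 7 old, 7 new and every line is identical on both sides), so it is presumably a trailing-whitespace or line-ending edit; worth confirming that is intended rather than an accidental editor change. While this paragraph is being touched anyway, "corret task" on the third line should read "correct task"; the typo survives the commit unchanged.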
@ -82,24 +81,3 @@ ACLs
 
 On tab ACLs you can create ACLs used for configuration options like **Recursion**. Add
 a new ACL via **+**, give it a **Name** and add as many networks as you wish in **Network List**.
-
-
---------
-Advanced
---------
-
-Maybe you want to stick with Unbound as your primary DNS and only use BIND for blacklisting,
-you can set in :menuselection:`Services --> Unbound DNS --> General --> Custom Options`.
-
-.. code-block:: none
-
-do-not-query-localhost: no
-forward-zone:
-name: "."
-forward-addr: 127.0.0.1@53530
-
-.. Note::
-When you are using Overrides in Unbound you can not use ``do-not-query-localhost``.
-Please remove the line and let Bind listen to your LAN IP with port 53530 instead of localhost.
-After this you can set the LAN IP in ``forward-addr``.
-
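Review bot: deleting the whole Advanced section leaves users who followed it (Unbound forwarding "." to 127.0.0.1@53530 with ``do-not-query-localhost: no``) with no migration note. The commit message says better blocklist support exists in Unbound, so one sentence after the ACLs paragraph pointing to Unbound's blocklist feature, and stating that the old forward-zone snippet is no longer recommended, would carry that rationale onto the page. Without it the Listen Port text earlier in the file still defaults to 53530 "to not interfere with existing Unbound/dnsmasq setups", which now describes a combination the documentation no longer explains how to use.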