2
0
mirror of https://github.com/opnsense/docs synced 2024-11-17 03:25:33 +00:00
opensense-docs/source/manual/how-tos/bind.rst

106 lines
3.5 KiB
ReStructuredText

===========
BIND Plugin
===========
-------
History
-------
The history of the Bind plugin was a user request on OPNsense subreddit to create a
plugin with a full-featured DNS server, also able to manage zonefiles with the most
popular resource records. In the beginning the plugin was built with only general
features so the community can contribute and adding wished features with a friendly
review of the OPNsense team.
At the time of writing the plugin is able to be used as a local resolver and as a
nice replacement for pfBlockerNG or PiHole, since it is offering a DNSBL feature
via BIND Reverse Policy Zones.
For version 2.0 it is planned to offer full zone-file management.
------------
Installation
------------
First of all, go to :menuselection:`System --> Firmware --> Plugins` and install **os-bind**.
You will finde the plugin at :menuselection:`Services --> BIND`.
----------------
General Settings
----------------
:Enable BIND Daemon:
Enable the BIND service.
:Listen IPs:
Set the IP addresses the daemon should listen on.
:Listen IPv6:
Set the IPv6 addresses the daemon should listen on.
:Listen Port:
Set the port the daemon should listen on. Per default the port is 53530 to not
interfere with existing Unbound/dnsmasq setups. If you want to switch to BIND
only, make sure to stop Unbound and dnsmasq.
:DNS Forwarders:
A list of IP addresses BIND will forward unknown DNS request to. If empty BIND
tries to resolve directly via the root servers.
:Logsize in MB:
The amount for each logfile it can grow.
:Maximum Cache Size:
This is the amount of RAM (in percent) the daemon can use for caching.
:Recursion:
You have to set a list of networks via **ACL** tab to allow them using recursion
against BIND.
:DNSSec Validation:
Whether to enable or disable DNSSec validation.
-----
DNSBL
-----
:Enable DNSBL:
Enable the DNSBL service. BIND will be configured for Reverse Policy Zones to
blacklist domains. Choose below the lists to use for blacklist categories.
:Type of DNSBL:
Here you can select the lists to use. Do not just select all and save. There are
websites not loading content when nested ads are not loaded.
:Whitelist Domains:
When a website is blocked due to a false positiv you can enter the domain name here
so it is whitelisted before the blacklists come into play.
The Blacklists are downloaded and updated with every **Save** within BIND configuration.
For production use you can go to :menuselection:`System --> Settings --> Cron` and add a cronjob. On the
dropdown list you'll find the corret task under **Command**. Set the refresh interval
as you wish and save. This will trigger an update of the selected lists and reload
BIND.
----
ACLs
----
On tab ACLs you can create ACLs used for configuration options like **Recursion**. Add
a new ACL via **+**, give it a **Name** and add as many networks as you wish in **Network List**.
--------
Advanced
--------
Maybe you want to stick with Unbound as your primary DNS and only use BIND for blacklisting,
you can set in :menuselection:`Services --> Unbound DNS --> General --> Custom Options`.
.. code-block:: none
do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@53530
.. Note::
When you are using Overrides in Unbound you can not use ``do-not-query-localhost``.
Please remove the line and let Bind listen to your LAN IP with port 53530 instead of localhost.
After this you can set the LAN IP in ``forward-addr``.