Enable Caching in Bind 9 Using Views

Submitted by Tom Thorp on Friday, August 19, 2022 - 16:21
Modified on Friday, August 19, 2022 - 19:20
Bind Caching Server
Setting up SpamAssassin on my Postfix email server was one project I was determined to complete. Having already set up DCC, Pyzor and Razor as plugins for SpamAssassin, there was one issue left on my todo list: getting Postfix and SpamAssassin to query the DNS-based spam blocklists (such as URIBL, SORBS, etc.).

Fortunately the solution was straightforward: enable DNS caching in Bind, so that lookups from localhost are resolved and cached by Bind itself.

Since I already host my own primary DNS server along with a number of domains, I also restrict query access so that only the domains I actually host get answered (i.e. the server is not an open resolver). This is taken care of using two views:

acl "SecondaryACL" {
        # IP addresses of trusted secondary name servers go here
};

# List of Master domains allowing zone transfers from trusted Secondary NS
view "trusted" {
        match-clients { SecondaryACL; };
        allow-update { SecondaryACL; };
        allow-recursion { any; };
        allow-transfer { SecondaryACL; };
        zone "your.domain" IN {
                type master;
                file "your.zonefile";
        };
};

# Allow query of hosted domains from 3rd-party NS without allowing zone transfers
view "guest" {
        match-clients { ! SecondaryACL; any; };
        allow-update { none; };
        recursion yes;
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
        zone "your.domain" IN {
                in-view "trusted";
        };
};
To implement local DNS caching, I had to add a third view as well as an ACL, like so:

acl "self" {
        127.0.0.1;
};

view "local" {
        match-clients { self; };
        allow-update { none; };
        recursion yes;
        allow-query { self; };
        zone "." IN {
                type hint;
                file "named.ca";
        };
};
With the addition of the new view, I also had to add an exclusion to the 'guest' view, so that localhost queries are not directed there by mistake.

view "guest" {
        match-clients { ! SecondaryACL; ! self; any; };
        .
        .
        .
};

With the new Bind configuration saved, verify it with 'named-checkconf'. Your Bind configuration has no errors if no output is returned. Restart the Bind service when satisfied.

Finally, make sure the resolver in /etc/resolv.conf points to 127.0.0.1. This way, any local DNS request initiated by a running service is handled first by Bind from a localhost context, and so matches the 'local' view.

Examples from the working caching Bind server:

Test URIBL access through localhost

$ dig @127.0.0.1 test.uribl.com.multi.uribl.com txt +short
"permanent testpoint"


Test caching response times 

$ dig @127.0.0.1 thorp.com | grep "Query"
;; Query time: 417 msec
$ dig @127.0.0.1 thorp.com | grep "Query"
;; Query time: 0 msec

As always with Bind, double-check that your configuration is working as expected and that you are not introducing any security holes. It is important to test every scenario, particularly if your Bind configuration transfers your zones between Bind servers.
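The checks above can be scripted. The following is an added example in Python, not the author's own code: it parses dig's header lines, compares an answer captured on the server itself with one captured from an outside host (both for a name you do not host, so only recursion can answer it), and measures the cache speed-up. The sample headers are constructed, and the live part assumes dig is installed and Bind is listening on 127.0.0.1.

```python
import re
import subprocess
import sys

# Constructed dig header excerpts modelled on the article's output (not real
# captures): one answer as seen from localhost, one as seen by an outside client.
LOCAL_SAMPLE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 417 msec
"""
EXTERNAL_SAMPLE = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 5678
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; Query time: 3 msec
"""
def parse_dig(output):
    """Pull status, flags and query time out of dig's ';;' header lines."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r"^;; flags: ([a-z ]*);", output, re.M)
    qtime = re.search(r"^;; Query time: (\d+) msec", output, re.M)
    return {"status": status.group(1) if status else None,
            "flags": flags.group(1).split() if flags else [],
            "query_time_ms": int(qtime.group(1)) if qtime else None}

def recursed(info):
    """A recursive answer is NOERROR carrying the 'ra' (recursion available) flag."""
    return info["status"] == "NOERROR" and "ra" in info["flags"]

def view_problems(local_out, external_out):
    """local_out: dig for a name you do not host, run on the server itself;
    external_out: the same query captured from a host outside SecondaryACL."""
    problems = []
    if not recursed(parse_dig(local_out)):
        problems.append("localhost got no recursion: check the 'local' view and resolv.conf")
    if recursed(parse_dig(external_out)):
        problems.append("an outside client got recursion: this is an open resolver")
    return problems

def cache_speedup(name, server="127.0.0.1"):
    """Ask the local view the same question twice and return both query times;
    the second should be close to 0 msec once the answer is cached."""
    times = []
    for _ in range(2):
        out = subprocess.run(["dig", f"@{server}", name], capture_output=True, text=True).stdout
        times.append(parse_dig(out)["query_time_ms"])
    return times

if __name__ == "__main__":
    print(view_problems(LOCAL_SAMPLE, EXTERNAL_SAMPLE))  # [] for the samples
    print(cache_speedup(sys.argv[1] if len(sys.argv) > 1 else "thorp.com"))
```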