# Upgrade to 10.x from 5.5-RELEASE-p20 DNS server



## J.J. (Oct 28, 2014)

I need help with a strategy for upgrading our ancient FreeBSD DNS Server. I just started at this organization two months ago, and with all of the attention from the "#Bash Bug" our director deemed it necessary to upgrade. I was going to just upgrade bash from the ports collection, but couldn't find any supported versions compatible with FreeBSD 5.5. When I did a `portsnap fetch` it brought in the new ports collection, and every time I try to `make install clean` in /usr/ports/shells/bash it fails with this error:

```
"/usr/ports/Mk/bsd.options.mk", line 266: Need an operator
"/usr/ports/Mk/bsd.options.mk", line 273: Need an operator
Unknown modifier 'u'
```
From my research it stated I need to upgrade.

Would it be better to start with a fresh build of 10.x on a VM?  Our DNS is chrooted, and if I installed BIND on 10.x could I just copy the named files over to the new install?

Or should I upgrade our current physical server version all the way to 10.x?  I am new to FreeBSD, but pretty familiar with anything *nix.

So I am looking for direction from seasoned FreeBSD gurus on what plan of action I should take.  Thanks in advance for any help.


----------



## Martillo1 (Oct 28, 2014)

Before anything try `portsnap fetch update` to make sure you are fetching the most recent sources.


----------



## J.J. (Oct 28, 2014)

Martillo1 said:


> Before anything try `portsnap fetch update` to make sure you are fetching the most recent sources.


Thanks for replying Martillo1,

Yeah, I have already done that step.  Extracted it.  Then tried installing it.  No bueno.


----------



## junovitch@ (Oct 28, 2014)

Just set up a new one.  5.5 is too old to have easy binary freebsd-update(8) and given the age of the thing there may be gotchas that have worked their way in over the years from prior admins or just gotchas in general from making a big update jump. If it's only ever been an internal DNS server, security is probably less of a worry than one on the open net for all those years. I would still say the safe route both from the security standpoint and service availability standpoint is to set up a new server side by side and transfer everything over. Once the new one is performing as is, cut everything over to it and get rid of the old one.


----------



## wblock@ (Oct 29, 2014)

Ports or packages will not work on a system that old.  Too many other things have changed to make an upgrade easy.


----------



## SirDice (Oct 29, 2014)

+1 on setting up a new one. While setting up the new one you can leave the old one running. That'll make it easier to fall back in case something isn't set up properly. But just copying the zone files should be enough, I don't think the format changed a lot.

Using a VM would be preferred. DNS doesn't require a lot of resources, at least not the average authoritative or caching server. And with a VM you could easily add resources in case you do need more.

Besides the issues with the upgrade, this system is so old, and there have been many security advisories in the mean time, maybe the bad guys already own the box without anyone noticing. Starting fresh is the only way to make sure you're free of the baddies too.

While on the subject of baddies, make sure you configure your DNS correctly. There are a lot of badly configured DNS servers on the internet and they're all being abused to amplify DDoS attacks. If it's an authoritative server make sure it doesn't allow recursive queries. Similarly for caching servers, make sure they only recursively resolve requests that came from your network.
http://labs.opendns.com/2014/03/17/dns-amplification-attacks/
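An added example, not from the thread, of the settings SirDice describes: two constructed named.conf fragments (an authoritative server with recursion switched off, and a caching resolver whose `allow-recursion` is limited to a made-up `lan` ACL) next to the open-resolver version, plus a small sh audit that flags the open one. The addresses, the ACL name and the paths are assumptions; the audit is a heuristic over the global `options` block, not a parser for BIND views.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed BIND 9 named.conf samples
# and a heuristic check for open recursion. Addresses, ACL names and paths
# are assumptions for illustration.

# The open resolver: recursion on (BIND's default when unspecified), no ACL.
WEAK_CONF='
options {
    directory "/usr/local/etc/namedb/working";
    recursion yes;
    allow-query { any; };
};
zone "example.org" { type master; file "/usr/local/etc/namedb/master/example.org"; };
'

# Authoritative-only server: recursion disabled outright.
AUTH_CONF='
options {
    directory "/usr/local/etc/namedb/working";
    recursion no;
    allow-query { any; };
    allow-transfer { 192.0.2.2; };   // assumed secondary
};
zone "example.org" { type master; file "/usr/local/etc/namedb/master/example.org"; };
'

# Caching resolver: recursion only for the local network (assumed ranges).
CACHE_CONF='
acl "lan" { 127.0.0.1; 192.168.1.0/24; };
options {
    directory "/usr/local/etc/namedb/working";
    recursion yes;
    allow-query { lan; };
    allow-recursion { lan; };
    allow-query-cache { lan; };
};
'

# Drop // and # comments so a commented-out directive cannot fool the checks.
strip_comments() {
    printf '%s\n' "$1" | sed -e 's|//.*$||' -e 's|#.*$||'
}

# Returns 0 when the config is safe, 1 when it would act as an open resolver.
# Looks only at global options; per-view settings are not examined.
audit_recursion() {
    conf=$(strip_comments "$1")
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;'; then
        echo "ok: recursion disabled (authoritative-only)"
        return 0
    fi
    # Recursion is on, explicitly or by default: require a restrictive ACL.
    acl=$(printf '%s\n' "$conf" | grep -E '^[[:space:]]*allow-recursion[[:space:]]*\{' | head -n 1)
    if [ -z "$acl" ]; then
        echo "OPEN RESOLVER: recursion enabled with no allow-recursion ACL"
        return 1
    fi
    if printf '%s\n' "$acl" | grep -Eq '\{[[:space:]]*any[[:space:]]*;'; then
        echo "OPEN RESOLVER: allow-recursion { any; } permits the whole Internet"
        return 1
    fi
    echo "ok: recursion limited to:$acl"
    return 0
}

# Live check from a host outside your network (dig comes with dns/bind99).
# Asks for a name the server is not authoritative for; not run here.
live_open_resolver_check() {
    dig @"$1" www.example.com A +comments +noall +answer | grep -E '^;; flags:|IN[[:space:]]+A'
}

# Run the three samples when invoked directly: sh audit-recursion.sh
if [ "${1:-}" = "run" ]; then
    for c in "$WEAK_CONF" "$AUTH_CONF" "$CACHE_CONF"; do audit_recursion "$c"; done
fi
```

The static check catches the configuration, but the test that matters is from outside: BIND sets the `ra` flag in its responses according to whether the querying client is allowed to recurse, so a reply with `ra` set and a real answer for a name you are not authoritative for means the box will relay anyone's queries and can be used for amplification.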


----------



## kpa (Oct 29, 2014)

Do note that there is no BIND in base anymore in FreeBSD 10. You would have to install the dns/bind99 port. Currently the port does not support the chroot(8) setup so I would advise setting up a simple jail(8) for the DNS server.


----------



## rmoe (Oct 29, 2014)

I would strongly suggest switching to nsd or unbound, both from RIPE and with a good reputation, depending on whether you need an authoritative or a recursive name server. From what I hear nsd seems to digest BIND zone files (I don't know for sure because I have avoided BIND for many years).

Another piece of advice is to `tar.gz` and save /etc, /usr/local/etc, and /boot/loader.conf. Doesn't cost much space and has saved my a** a couple of times.


----------



## wblock@ (Oct 29, 2014)

kpa said:


> Do note that there is no BIND in base anymore in FreeBSD 10. You would have to install the dns/bind99 port. Currently the port does not support the chroot(8) setup so I would advise setting up a simple jail(8) for the DNS server.



There is an example of setting up a jail for BIND in the Handbook section on sysutils/ezjail: https://www.freebsd.org/doc/en_US.I...k/jails-ezjail.html#jails-ezjail-example-bind.


----------



## wblock@ (Oct 29, 2014)

Also: last I looked, there was no replacement for BIND's ability to interact with DHCP for dynamic DNS.  It is planned for some of the replacement DNS servers.


----------



## Terry_Kennedy (Oct 30, 2014)

J.J. said:


> Would it be better to start with a fresh build of 10.x on a VM?  Our DNS is chrooted, and if I installed BIND on 10.x could I just copy the named files over to the new install?
> 
> Or should I upgrade our current physical server version all the way to 10.x?  I am new to FreeBSD, but pretty familiar with anything *nix.
> 
> So I am looking for direction from seasoned FreeBSD gurus on what plan of action I should take.  Thanks in advance for any help.


In general, I would advise doing a fresh install of a recent, supported FreeBSD version on new hardware. That way you can experiment with things and become familiar with what has changed, and move all the way to a test deployment (of whatever services you need) without needing to disturb the old system. You can then easily "flip the switch" via whatever methods are needed, to make the new box the production one (for example, changing IP addresses). If it works, wait a week or more for any problems to show up, then decommission the old box and either return it to spares inventory or recycle it*.

Depending on your hardware requirements, you might then move your production install to a different piece of hardware (for example, if all your infrastructure systems are rackmount and you did the test deployment on a spare desktop, you'll want to switch to rackmount hardware).

* Unless your requirements are rather small, hardware that was current when FreeBSD 5.5 was new is likely too old to cost-effectively support today - it will be using obsolete memory, CPU(s), and probably obsolete expansion cards / buses as well. Modern hardware is substantially more power-efficient and you can get a lot more into a 1RU rack server if density is an issue in your environment. If installing on a modern server, consider the amd64 distribution instead of i386.
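The build-new-then-cut-over plan that junovitch, SirDice and Terry_Kennedy describe, written out as an added example script; it is not anything from the thread. It combines rmoe's backup tarball on the old host with, on the new host, a load of every copied zone via named-checkconf from dns/bind99 and a comparison of what the old and new servers answer before the switch. The addresses, zone names and the old chroot path are assumptions; the two `dig` answer samples are constructed to show why TTLs have to be dropped before comparing.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-cutover checks for moving BIND zones
# from the old FreeBSD 5.5 box to a new 10.x host. All addresses, zone names
# and paths below are assumptions for illustration.

OLD_NS=${OLD_NS:-192.0.2.10}                            # assumed: old 5.5 server
NEW_NS=${NEW_NS:-192.0.2.11}                            # assumed: new 10.x jail or VM
ZONES=${ZONES:-"example.org 2.0.192.in-addr.arpa"}      # assumed zone names
OLD_CHROOT=${OLD_CHROOT:-/var/named}                    # assumed chroot of the old named
NEW_CONF=${NEW_CONF:-/usr/local/etc/namedb/named.conf}  # dns/bind99 default path

# Step 1 (old host): snapshot the configuration before anything is changed,
# the directories rmoe lists plus the chrooted namedb tree.
backup_old_config() {
    tar czf "/root/old-dns-config-$(date +%Y%m%d).tgz" \
        /etc /usr/local/etc /boot/loader.conf "$OLD_CHROOT/etc/namedb"
}

# Step 2 (new host): after copying the zone files, load every configured
# zone once. named-checkconf -z reports syntax errors and missing files.
check_new_config() {
    named-checkconf -z "$NEW_CONF"
}

# Step 3: normalise "dig +noall +answer" output so two servers can be compared.
# Column 2 is the TTL; it differs once a record has been cached, so drop it,
# then sort so record order does not matter either.
normalize_answers() {
    awk '{ $2 = ""; print }' | tr -s ' ' | sed 's/ $//' | sort
}

# Step 4: query both servers as authorities (+norecurse) and diff the answers.
# If the zone files were copied verbatim the SOA serials match as well.
compare_servers() {
    zone=$1
    for rr in SOA NS MX A; do
        old=$(dig @"$OLD_NS" "$zone" "$rr" +norecurse +noall +answer | normalize_answers)
        new=$(dig @"$NEW_NS" "$zone" "$rr" +norecurse +noall +answer | normalize_answers)
        if [ "$old" != "$new" ]; then
            printf 'MISMATCH %s %s\nold:\n%s\nnew:\n%s\n' "$zone" "$rr" "$old" "$new" >&2
            return 1
        fi
    done
    echo "OK $zone"
}

# Constructed dig output: same records, different TTLs and order. Both must
# normalise to the same two lines or the comparison above would never pass.
SAMPLE_OLD='example.org.		3600	IN	A	192.0.2.20
example.org.		3600	IN	A	192.0.2.21'
SAMPLE_NEW='example.org.	86400	IN	A	192.0.2.21
example.org.	86400	IN	A	192.0.2.20'

# Usage: sh migrate-check.sh backup   (on the old host)
#        sh migrate-check.sh verify   (on the new host, after copying the zones)
case "${1:-}" in
    backup) backup_old_config ;;
    verify) check_new_config && for z in $ZONES; do compare_servers "$z" || exit 1; done ;;
esac
```

Run `verify` from the new host while the old one is still serving, as SirDice suggests, and only repoint the clients (or swap the address, as Terry_Kennedy describes) once every zone prints `OK`; the old box stays available as the fallback until the waiting period has passed.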


----------

