# FreeBSD 10: Unbound and LDNS replacing BIND



## tanked (Sep 30, 2013)

I must admit I was surprised this hasn't got more attention; does anyone know the reasons why BIND is being dropped?


----------



## kpa (Sep 30, 2013)

It is mainly because BIND is a huge overkill as a local caching resolver when there is no need to have an authoritative DNS server at the same time. Unbound fits that role much better. You can install BIND from ports if you really need it.


----------



## tanked (Sep 30, 2013)

Thank you, as soon as I saw your reply I saw the following blog posts from the committer responsible:

http://blog.des.no/2013/09/dns-in-freebsd-10/

http://blog.des.no/2013/09/dns-again-a-clarification/


----------



## wblock@ (Sep 30, 2013)

Remember that BIND is just being removed from base.  It can still be easily installed and updated from ports: dns/bind99.  In fact, many people already did that to have the latest version.


----------



## tanked (Sep 30, 2013)

Yes, I've already done that with the BIND port and selected the option to replace the base BIND; I also edited src.conf so that it wouldn't be rebuilt when rebuilding world.


----------



## spanglefox (Oct 19, 2013)

Following from digging around (no pun intended) on an Ubuntu box I found that it uses DNSMasq as a local service to "resolve" and cache DNS requests. A little investigation revealed not only is it quite lightweight but also combines a DHCP server with internal DNS updates.

It turned out to be much simpler than BIND and ISC DHCP combination of dynamic updates and the developers report it supports around a thousand clients. Perfect for setting up your average SME network with about five lines to change in the configuration file.

BIND is great if you need all the bells and whistles but there are certainly lighter tools that perhaps are simpler and easier to administer but still get the job done.

My experience with DNSMasq did leave me feeling that for some simple basic setups BIND may be a tad over engineered.


----------



## gkontos (Nov 3, 2013)

Ok, stupid question.

I have installed BIND from ports but I can't find a proper rc startup script. 


```
named_enable="YES"
named_program="/usr/local/sbin/named"
```

`#/etc/rc.d/named start`


```
/etc/rc.d/named: WARNING: /etc/mtree/BIND.chroot.dist missing,
/etc/rc.d/named: WARNING: chroot directory structure not updated
/etc/rc.d/named: WARNING: named chroot: /etc/namedb is a directory!
mount: /var/named/dev: No such file or directory
/etc/rc.d/named: WARNING: devfs_domount(): Unable to mount devfs on /var/named/dev
devfs: open: /var/named/dev: No such file or directory
devfs: open: /var/named/dev: No such file or directory
cp: /var/named/etc/localtime: No such file or directory
cp: /var/named/etc/protocols: No such file or directory
cp: /var/named/etc/services: No such file or directory
rndc-confgen: create keyfile: file not found
Starting named.
/etc/rc.d/named: WARNING: failed to start named
```

`#/usr/local/sbin/named` just works fine. This is really irritating.


----------



## kpa (Nov 3, 2013)

It sounds like the start up script is expecting that it can chroot(8) to /var/named but since you're on FreeBSD 10 that directory and the expected contents are not created by default.


----------



## gkontos (Nov 3, 2013)

kpa said:
			
		

> Sounds like the start up script is expecting that it can chroot(8) to /var/named but since you're on FreeBSD 10 that directory and the expected contents are not created by default.



Yes most probably. Any Idea how to fix that? 

`# ls /var/named/`


```
dev	etc	usr
```

`# ls /etc/namedb/`


```
dynamic		master		named.conf	named.root	named.tgz	rndc.key	slave		working
```

`# /etc/rc.d/named start`


```
/etc/rc.d/named: WARNING: /etc/mtree/BIND.chroot.dist missing,
/etc/rc.d/named: WARNING: chroot directory structure not updated
/etc/rc.d/named: WARNING: named chroot: /etc/namedb is a directory!
rndc-confgen: create keyfile: file not found
Starting named.
/etc/rc.d/named: WARNING: failed to start named
```

`# mount`


```
.......
devfs on /var/named/dev (devfs, local, multilabel)
```


----------



## gkontos (Nov 3, 2013)

For some reason dns/bind99 refuses to run in a chroot environment. I am not sure if I am doing anything wrong since chroot configuration is the same like I have in other FreeBSD 9.X systems.

Specifying 
	
	



```
named_chrootdir=""
```
 in rc.conf appears to solve the problem for now.


----------



## chrcol (Dec 15, 2013)

*W*ow, I found this page after seeing in the port configuration replace base is for 9.x or earlier so it got my interest. [ ¿Qué pasó? -- mod.]

It does seem that nowadays freebsd FreeBSD is more and more leaning to desktop features over server features.

Ok, some may say its there a sa port so deal with it, but its not quite that simple as various server software expects to find bind BIND files in the base directories, not a port. If the replace_base function still works in fbsd10 FreeBSD 10 then fair enough, if it doesn't there will be more problems with freebsd becoming incompatible with 3rd third-party software.


----------



## usdmatt (Dec 16, 2013)

As someone who uses FreeBSD pretty much exclusively for servers, I'm perfectly happy with the change. The only reason to have BIND is if you really need a full featured authoritative server, and in 99% of our server installs, that isn't the case. I'm much happier with a light-weight, high performance resolver with the option to install BIND as a port if I'm actually building a DNS server. I can then using normal package/port functions to keep it up to date as well.

Regarding the problems mentioned above, it appears all the named_ flags were removed from /etc/defaults/rc.conf recently (and /etc/rc.d/named has gone) so hopefully things will be a bit smoother when 10.0 actually comes out. I would hope they make sure the port is updated before 10.0-RELEASE in order to detect 10.0+ and install a /usr/local/etc/rc.d/named script that works 'out of the box'.

Edit: In fact the port changes have already been done. I'm not sure what it means for chrooting in the future though.


> Support FreeBSD 10.0.
> 
> On FreeBSD 10.0, all configuration is installed under
> /usr/local/etc/namedb and installs its own rc script in
> ...



For any software that automates BIND configuration, I would hope it would be sensible enough to have options to specify the location of the configuration files and zone data files (unless the software is FreeBSD specific, these locations already vary depending on the OS as it is).


----------



## gkontos (Dec 17, 2013)

usdmatt said:
			
		

> Edit: In fact the port changes have already been done. I'm not sure what it means for chrooting in the future though.



It means that the port does not support running BIND in chroot any more. There was a long discussion in the mailing lists and the maintainer suggested that those who need the extra security should consider running BIND in a jail instead.

For me this is bad news because I could set up an authoritative DNS without having to install ANY third-party software.


----------



## chrcol (Dec 17, 2013)

gkontos said:
			
		

> usdmatt said:
> 
> 
> 
> ...



Things get from bad to worse. It's as if they are trying to scare people away from the operating system.


----------



## kpa (Dec 17, 2013)

Why don't you do something yourself? Like come up with a workable replacement for the chroot(8) system that is now missing? FreeBSD has always been a "patches accepted" system as long as those patches are good quality. It's so easy (and cheap) to talk from your comfy armchair and throw judgement at people who work very hard to keep FreeBSD alive. Get involved if you want to change things people!


----------



## wblock@ (Dec 17, 2013)

What is the reason the port can't run in a chroot(8) any more?  It seems like that would be fixable.


----------



## fonz (Dec 17, 2013)

wblock@ said:
			
		

> It seems like that would be fixable.


People have been encouraged on the mailing list(s) (probably freebsd-ports@) to help if they can


----------



## gkontos (Dec 17, 2013)

No, nothing like that. This has been going on for some time. 

Link: http://lists.freebsd.org/pipermail/free ... 75659.html

Edit:

For those who wish to try exotic methods to implement chroot be warned that this might break during a future port upgrade.


----------



## chrcol (Dec 18, 2013)

kpa said:
			
		

> Why don't you do something yourself? Like come up with a workable replacement for the chroot(8) system that is now missing? FreeBSD has always been a "patches accepted" system as long as those patches are good quality. It's so easy (and cheap) to talk from your comfy armchair and throw judgement at people who work very hard to keep FreeBSD alive. Get involved if you want to change things people!



Yes that's the common reply I see to feedback I give. But what is special in this case is that the code already exists for a working chroot. There is no need to make a patch, simply they just readd the removed code. The good news is, it does seem one person on the mailing list is determined to fix it and he says he is making a patch for it.

In the meantime I wont be using FreeBSD 10 anyway, I am only just migrating some systems now to 9.2.  So for me personally I will just hope that in two years or so the situation is different.


----------

