Setting up BIND views
This is the first post of hopefully many about my “kidnet”. The idea is to limit the kids' exposure to the more “adult” side of the internet using BIND.
The plan is to use my existing infrastructure to serve all VLANs in the house, whether they are on the regular VLAN or the kids VLAN. As background, my network consists of the following:
- Firewall = pfsense running on a DL120 G7 with an additional quad NIC card.
- Core Switch = HP 2530-48G-PoEP Switch
- Edge Switch = Netgear GS724T
- Access point Switch = Unifi 8 Port PoE Switch
- Access Points = Unifi AP-Pro x 3
The UAPs all connect to the Unifi switch; there is a 3-port LAG between the Unifi switch and the Netgear, and a 4-port LAG between the Netgear switch and the core HP switch. Finally, the LAN, normal WiFi and kidnet WiFi each have dedicated 1Gbps links to the firewall. More on this in a later post though.
The kids VLAN spans all switches and access points, which means that WiFi devices and wired devices alike use the kidnet VLAN.
I run 2 internal DNS servers, both CentOS 7 running BIND/named. Originally both of those went straight out to the root DNS servers for anything not in their cache; they are also authoritative for the internal domain names I use. Now, with the use of views, the normal VLAN goes directly out to the internet for anything not in the DNS cache, while the kidnet VLAN forwards to OpenDNS. I'd rather not use OpenDNS for this, but I haven't had a chance to compile a decent kid-safe blocklist. So for now, it will do.
Another downside to this setup is that I'm unable to use Pi-holes, as that would mean queries either leave the “view” or get forwarded wholesale, either straight to OpenDNS or straight to the root DNS servers, neither of which I want. This is something I'll be working on in the future.
About BIND Views
Reading around on the internet, it seems views have a bit of a bad name as being difficult to set up. For example, if you are using your DNS server as both recursive and authoritative, you have to declare the domains it is authoritative for in every view. Views allow you to give out different DNS configurations depending on the source address, so they can be used in split-horizon DNS setups or simply where multiple networks share the same DNS server. Views are also quite specific to BIND/named. I've been wanting to change my DNS servers over to PowerDNS, but it doesn't support views and so far I haven't had time to investigate an alternative.
Using ACLs in BIND
For this setup I tried making things as clear as possible for myself, so I have used ACLs for all networks. ACLs are really easy to configure; here are two examples using the two relevant networks:
acl kids {
    172.16.24.0/24;
};
acl nonkids {
    172.16.23.0/24;
    192.168.0.0/24;
    172.16.22.0/24;
    172.16.50.0/24;
    172.16.99.0/24;
    172.16.25.0/24;
};
Now, instead of declaring subnets, you just declare the ACL name (kids or nonkids) wherever an address list is expected.
On to the actual views configuration. As I mentioned previously, you have to declare all authoritative domains in both views. A little annoying and untidy, but it works. One thing to keep in mind: BIND evaluates views in the order they appear in the config, a client is served by the first view whose match-clients it matches, and a client that matches no view at all has its queries refused.
The following is the kidnet config:
view "kidnet" {
    match-clients { "kids"; };
    recursion yes;
    forwarders {
        208.67.222.222; // OpenDNS
        208.67.220.220; // OpenDNS
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "an-internal-domain.host" IN {
        type master;
        file "an-internal-domain.db";
        allow-update { none; };
        notify yes;
        also-notify { 192.168.0.193; };
    };
    zone "another-internal-domain.me" IN {
        type master;
        file "another-internal-domain.db";
        allow-update { none; };
        notify yes;
        also-notify { 192.168.0.193; };
    };
    include "/etc/named.rfc1912.zones";
};
Here is the nonkids view:
view "others" {
    match-clients { nonkids; 127.0.0.1; };
    recursion yes;
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "an-internal-domain.host" IN {
        type master;
        file "an-internal-domain.host.db";
        allow-update { none; };
        notify yes;
        also-notify { 192.168.0.193; };
    };
    zone "another-internal-domain.me" IN {
        type master;
        file "another-internal-domain.db";
        allow-update { none; };
        notify yes;
        also-notify { 192.168.0.193; };
    };
    include "/etc/named.rfc1912.zones";
};
You can see the difference between the configs: the kidnet view has the “forwarders” stanza added, whereas the nonkids view doesn't. One thing to watch here is that BIND's default forwarding mode is “forward first”, so if the OpenDNS servers stop answering, named falls back to recursing from the root hints that are still declared in the view, and the filtering is silently bypassed. Adding “forward only;” next to the forwarders stanza makes the kidnet view fail closed instead.
That's more or less all there is to it. It's not that complicated, but it does bloat your config.
Using views also has a benefit when parsing the logs (I use Splunk), as the query logs show which view each query came from.
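As an added example (not from the post), here is a Python sketch of the two mechanics described above: the first-match rule by which BIND picks a view for a client, reproduced from the post's ACLs and view order, and a parser for BIND query-log lines that uses the view name each line carries to spot clients answered by the wrong view. The log lines are constructed, and the anomaly check is my addition rather than something the post configures.

```python
import ipaddress
import re
from collections import Counter
# ACLs and view order copied from the post's named.conf. BIND serves a client
# from the FIRST view whose match-clients contains it, so view order matters.
ACLS = {
    "kids": ["172.16.24.0/24"],
    "nonkids": ["172.16.23.0/24", "192.168.0.0/24", "172.16.22.0/24",
                "172.16.50.0/24", "172.16.99.0/24", "172.16.25.0/24"],
}
VIEWS = [("kidnet", ["kids"]), ("others", ["nonkids", "127.0.0.1"])]

def _in_acl(ip, entry):
    """entry is either an ACL name or a literal address/prefix."""
    if entry in ACLS:
        return any(_in_acl(ip, e) for e in ACLS[entry])
    return ip in ipaddress.ip_network(entry, strict=False)

def expected_view(client_ip):
    """Name of the view BIND selects for client_ip, or None (query refused)."""
    ip = ipaddress.ip_address(client_ip)
    for name, clients in VIEWS:
        if any(_in_acl(ip, e) for e in clients):
            return name
    return None

# BIND query-log line; the "@0x..." client pointer only appears on 9.11+.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ \([^)]*\): "
    r"view (?P<view>\S+): query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def audit(lines):
    """Return (queries per view, anomalies); an anomaly is a query answered by
    a view other than the one the client's source address should have matched."""
    counts, anomalies = Counter(), []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        counts[m["view"]] += 1
        want = expected_view(m["ip"])
        if m["view"] != want:  # e.g. a kidnet host served outside the forwarding view
            anomalies.append((m["ip"], m["view"], want, m["qname"]))
    return counts, anomalies

# Constructed sample lines, not real output from the post's servers.
SAMPLE_LOG = [
    "client @0x7f3a1c002f60 172.16.24.15#51234 (example.org): view kidnet: query: example.org IN A +E(0)K (172.16.24.1)",
    "client @0x7f3a1c002f60 192.168.0.50#40001 (an-internal-domain.host): view others: query: an-internal-domain.host IN A + (192.168.0.1)",
    "client @0x7f3a1c002f60 172.16.24.99#53000 (example.net): view others: query: example.net IN AAAA +E(0) (172.16.24.1)",
]
```

Running audit() over a real query log (or the same logic as a Splunk search on the view field) gives a per-view query count plus any kidnet addresses that were not served by the kidnet view, which is the quickest way to catch an ACL typo or a view ordered wrongly.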