cancel
Showing results for 
Search instead for 
Did you mean: 

Raspberry pi dns server

Community Veteran
Posts: 2,255
Thanks: 100
Fixes: 4
Registered: 18-02-2013

Raspberry pi dns server

Has anybody tried this out, http://blog.figster.net/post/40273124225/raspberry-pi-dns-server-plans-part-3 i can't get the script to run properly, maybe permissions etc Sad

    cd /etc/bind/raspberrydns
    sudo ./bind9BadDomains.py
    Please note the Python script takes about 10mins to complete on the Raspberry Pi, obviously its much quicker on more meatier processors. Once done you’ll have a nice big juicy file called: named.conf.blocked.new. To get this in the right place and restart Bind9 to take all the above changes into account, just run the Bash script:
    sudo ./update.sh
17 REPLIES
St3althM4ster
Grafter
Posts: 57
Registered: 01-02-2013

Re: Raspberry pi dns server

Make sure the file has 777 or 755 file permissions then it should work.
Community Veteran
Posts: 6,606
Thanks: 209
Fixes: 15
Registered: 16-02-2009

Re: Raspberry pi dns server

Is that the o/p of the script? If so then it is running.
Otherwise try sudo python <script>
Community Veteran
Posts: 2,255
Thanks: 100
Fixes: 4
Registered: 18-02-2013

Re: Raspberry pi dns server

following this from a fresh install...  http://blog.figster.net/p...i-dns-server-plans-part-3
I can't get it to work at all, i just keep following the instructions from the link above line for line.
driving me mad Sad
  Make a copy of the interfaces file: 
    sudo cp /etc/network/interfaces /etc/network/interfaces.orig
    Now edit the interfaces file:
    sudo nano /etc/network/interfaces
    Comment out the line, prefix with a #: 
    #iface eth0 inet dhcp
    Paste the following - note in my network I’m setting my Pi server to 192.168.1.5:
    auto eth0
    iface eth0 inet static
          address 192.168.0.15
          netmask 255.255.255.0
          network 192.168.0.0
          broadcast 192.168.0.255
          gateway 192.168.0.254
          dns-nameservers 127.0.0.1
          dns-search home.lan
          dns-domain home.lan
(My router has the IP address of 192.168.1.1, I’m sure the rest is easy to work out from the above. I’ll explain home.lan later..)
    Ctrl + x to save, and reboot the Pi.
    Using Terminal on your computer ssh into the Pi - follow the instructions as they come up:
    ssh pi@192.168.1.5


Raspberry Pi - DNS Server Plans - part 3
Part 3 (which is the final part to this series) covers off installing your home DNS server and configuring it to block iffy websites and adverts in a direct effort to improve security and general internet safety.
Install DNS Service - Bind9
I’m using Bind9 as it’s well used on the internet and there’s plenty of help for it. I want to set it up so all my network devices on my home network use this service to lookup domain names - at this point I can block undesirable addresses. I’ve use this guide as inspiration: http://www.learnlinux.co.uk/E/technical_notes/ln0008.htm
    Install bind service on the Pi - just follow the instructions: 
    sudo apt-get install bind9
    Backup everything first:
    cd /etc/bind
    sudo cp named.conf.options named.conf.options.orig
    sudo cp named.conf.local named.conf.local.orig
    sudo cp named.conf.default-zones named.conf.default-zones.orig
    Create a new database file for HOME.LAN items. This will contain all the fixed IP names on the network - for example my router is at 192.168.1.1 and this Raspberry Pi is at 192.168.1.5.
    sudo nano db.home.lan
    Paste:
    ; Use semicolons to add comments.
    ; Host-to-IP Address DNS Pointers for home.lan
    ; Note: The extra “.” at the end of the domain names are important.
    ; The following parameters set when DNS records will expire, etc.
    ; Importantly, the serial number must always be iterated upward to prevent
    ; undesirable consequences. A good format to use is YYYYMMDDII where
    ; the II index is in case you make more that one change in the same day.
    home.lan. IN SOA raspberry.home.lan. hostmaster.home.lan. (
        2008080902 ; serial
        8H ; refresh
        4H ; retry
        4W ; expire
        1D ; minimum
    )
    ; NS indicates that raspberry is the name server on home.lan
    ; MX indicates that raspberry is (also) the mail server on home.lan
    home.lan. IN NS raspberry.home.lan.
    home.lan. IN MX 10 raspberry.home.lan.
    ; Set the address for localhost.home.lan
    localhost    IN A 127.0.0.1
    ; Set the hostnames in alphabetical order
    raspberry    IN A 192.168.0.15
    router      IN A 192.168.0.254
    Now we create a reverse lookup database file for our HOME.LAN fixed IP’s
    sudo nano db.rev.0.168.192.in-addr.arpa
    Paste:
    ; IP Address-to-Host DNS Pointers for the 192.168.0 subnet
    @ IN SOA raspberry.home.lan. hostmaster.home.lan. (
        2008080902 ; serial
        8H ; refresh
        4H ; retry
        4W ; expire
        1D ; minimum
    )
    ; define the authoritative name server
              IN NS raspberry.home.lan.
    ; our hosts, in numeric order
    1        IN PTR router.home.lan.
    5        IN PTR raspberry.home.lan.
    Create a new file to direct all blocked domains. This database file returns an IP address of 127.0.0.1 for all domains directed to it, and thus blocking all web requests.
    sudo nano db.blocked
    Paste
    ; BIND db file for ad servers - point all addresses to localhost
    $TTL    86400  ; one day
    @      IN      SOA    raspberry.home.lan. hostmaster.home.lan. (
                            2004061002      ; serial number YYMMDDNN
                            28800  ; refresh  8 hours
                            7200    ; retry    2 hours
                            864000  ; expire  10 days
                            86400 ) ; min ttl  1 day
    NS raspberry.home.lan.
    A 127.0.0.1
    * IN      A      127.0.0.1
    We now need to update the main bind config file, just a little configuration changes. Start with the Options file:
    sudo nano named.conf.options
    Now for me OpenDNS provides the best speeds over Google DNS, but that’s because I’m in the UK. Find the forwarders section and insert the OpenDNS settings:
    forwarders {
    212.159.6.9;
    212.159.6.10;
    };
    Second Options file tweak is the following, can’t remember for the life of my why, but I read this somewhere and it works well. Ensure these are present in the file: 
    dnssec-enable no;
    dnssec-validation no;
    Our two new database home.lan files need to be included in the bind9 system configuration, (This will pick up every home.lan domain request on your network), so edit:
    sudo nano named.conf.local
    Paste:
    zone "home.lan" IN {
        type master;
        file "/etc/bind/db.home.lan";
    };
    zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.rev.0.168.192.in-addr.arpa";
    };
    Finally, all the named files need to be brought together, so edit:
    sudo nano named.conf
    and I just include the following files
    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.blocked";
    Hang on! What’s this named.conf.blocked file?? Well, I’ve written a Python script to generate this file. It works by downloading lists of iffy domains from two wonderful sources: http://winhelp2002.mvps.org & http://malwaredomains.com. It works by directing all domain requests each iffy website to our db.blocked file. For example:
    zone "x0.nl" {type master; file "/etc/bind/db.blocked";};
    zone "sp.sk" {type master; file "/etc/bind/db.blocked";};
    zone "51.la" {type master; file "/etc/bind/db.blocked";};
    Also, I’ve added functionality to the script, to take into account manually specified domains from a local file called: manualDomains.txt.  In my file I’ve added the TLDs RU and CN to totally block Russian and Chinese domains from all devices on my network.
    This sounds great - how do it get my hands on a copy? I’ve put all the code into a GIT repository, so you’ll need to install git first:
    sudo apt-get install git
    Pull down all the Python code and files:
    cd /etc/bind
    sudo git clone https://figsternet@bitbucket.org/figsternet/raspberrydns.git
    This creates the directory /etc/bind/raspberrydns which contains one Python script, one Bash script and a few text files.
    To re-generate the names.conf.blocked file with the latest information from malwaredomains.com etc, just type the following :
    cd /etc/bind/raspberrydns
    sudo ./bind9BadDomains.py
    Please note the Python script takes about 10mins to complete on the Raspberry Pi, obviously its much quicker on more meatier processors. Once done you’ll have a nice big juicy file called: named.conf.blocked.new. To get this in the right place and restart Bind9 to take all the above changes into account, just run the Bash script:
    sudo ./update.sh
    And that’s it really for the Pi side of things. Obviously you’ll want to test this, so in a terminal session on a different computer type the following:
    dig @192.168.0.15 google.co.uk
    You should see a large list of information here, but at the bottom there will be two lines of interest :
    ;; Query time: 149 msec
    ;; SERVER: 192.168.1.5#53(192.168.1.5)
Community Veteran
Posts: 2,255
Thanks: 100
Fixes: 4
Registered: 18-02-2013

Re: Raspberry pi dns server

it seems to work now but still a mess.
Successfully flushed the DNS Resolver Cache.
C:\Users\Laptop>nslookup
Default Server:  UnKnown
Address:  192.168.0.15
> bbc.co.uk
Server:  UnKnown
Address:  192.168.0.15
Non-authoritative answer:
Name:    bbc.co.uk
Addresses:  212.58.253.67
          212.58.251.195
pi@raspberrypi /etc/bind/raspberrydns $ sudo /etc/init.d/bind9 stop
[....] Stopping domain name service...: bind9rndc: connect failed: 127.0.0.1#953: connection refused
. ok
pi@raspberrypi /etc/bind/raspberrydns $ sudo ./bind9BadDomains.py
Start: 2013-06-24 16:24:08
Downloading...
Original: 31119
Processed: 22816
Duplicate: 8303
End: 2013-06-24 16:35:04
pi@raspberrypi /etc/bind/raspberrydns $ sudo ./update.sh
Copy existing named.conf.blocked file to backup
cp: cannot stat `/etc/bind/named.conf.blocked': No such file or directory
Stop the DNS service
[....] Stopping domain name service...: bind9rndc: connect failed: 127.0.0.1#953: connection refused
. ok
Copy the new files into place
mv: cannot stat `/etc/bind/named.conf.blocked': No such file or directory
Start the DNS service
[ ok ] Starting domain name service...: bind9.
Flush the DNS cache
Done...

now i'm getting thousands of this error....
Jun 24 16:36:24 raspberrypi named[3119]: zone acvs.mediaonenetwork.net/IN: not loaded due to errors.
Jun 24 16:36:24 raspberrypi named[3119]: /etc/bind/db.blocked:2: no current owner name
Jun 24 16:36:24 raspberrypi named[3119]: zone acvsrv.mediaonenetwork.net/IN: loading from master file /etc/bind/db.blocked failed: no owner
Jun 24 16:36:24 raspberrypi named[3119]: zone acvsrv.mediaonenetwork.net/IN: not loaded due to errors.
Jun 24 16:36:24 raspberrypi named[3119]: /etc/bind/db.blocked:2: no current owner name
Jun 24 16:36:24 raspberrypi named[3119]: zone mediastat.net/IN: loading from master file /etc/bind/db.blocked failed: no owner
Jun 24 16:36:24 raspberrypi named[3119]: zone mediastat.net/IN: not loaded due to errors.
Jun 24 16:36:24 raspberrypi named[3119]: /etc/bind/db.blocked:2: no current owner name
Jun 24 16:36:24 raspberrypi named[3119]: zone mediaxsds.net/IN: loading from master file /etc/bind/db.blocked failed: no owner
Jun 24 16:36:24 raspberrypi named[3119]: zone mediaxsds.net/IN: not loaded due to errors.
Jun 24 16:36:24 raspberrypi named[3119]: /etc/bind/db.blocked:2: no current owner name
Jun 24 16:36:24 raspberrypi named[3119]: zone mediazones.net/IN: loading from master file /etc/bind/db.blocked failed: no owner
/etc/bind/db.blocked:3: no current owner name
loading configuration from '/etc/bind/named.conf'
/etc/bind/db.blocked:3: no current owner name/etc/bind/db.blocked:3: no current owner name/etc/bind/db.blocked:3: no current owner name/etc/bind/db.blocked:3: no current $ owner nameJun 24 15:24:33 raspberrypi named[2294]: reading built-in trusted keys from f$

I'm at a loss..
Community Veteran
Posts: 2,255
Thanks: 100
Fixes: 4
Registered: 18-02-2013

Re: Raspberry pi dns server

here is a bit more info from syslog.
Jun 24 15:24:28 raspberrypi named[2294]: ----------------------------------------------------
Jun 24 15:24:28 raspberrypi named[2294]: BIND 9 is maintained by Internet Systems Consortium,
Jun 24 15:24:28 raspberrypi named[2294]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jun 24 15:24:28 raspberrypi named[2294]: corporation.  Support and training for BIND 9 are
Jun 24 15:24:28 raspberrypi named[2294]: available at https://www.isc.org/support
Jun 24 15:24:28 raspberrypi named[2294]: ----------------------------------------------------
Jun 24 15:24:28 raspberrypi named[2294]: adjusted limit on open files from 4096 to 1048576
Jun 24 15:24:28 raspberrypi named[2294]: found 1 CPU, using 1 worker thread
Jun 24 15:24:28 raspberrypi named[2294]: using up to 4096 sockets
Jun 24 15:24:28 raspberrypi named[2294]: loading configuration from '/etc/bind/named.conf'
/etc/bind/db.blocked:3: no current owner name/etc/bind/db.blocked:3: no current owner name/etc/bind/db.blocked:3: no current owner name/etc/bind/db.blocked:3: no curre$
Jun 24 15:24:33 raspberrypi named[2294]: using default UDP/IPv4 port range: [1024, 65535]
Jun 24 15:24:33 raspberrypi named[2294]: using default UDP/IPv6 port range: [1024, 65535]
Jun 24 15:24:33 raspberrypi named[2294]: no IPv6 interfaces found
Jun 24 15:24:33 raspberrypi named[2294]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 24 15:24:33 raspberrypi named[2294]: listening on IPv4 interface eth0, 192.168.0.15#53
Jun 24 15:24:33 raspberrypi named[2294]: generating session key for dynamic DNS
Jun 24 15:24:33 raspberrypi named[2294]: sizing zone task pool based on 22823 zones
Jun 24 15:24:47 raspberrypi named[2294]: set up managed keys zone for view _default, file 'managed-keys.bind'
Jun 24 15:24:47 raspberrypi named[2294]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jun 24 15:24:33 raspberrypi named[2294]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Jun 24 15:24:33 raspberrypi named[2294]: using default UDP/IPv4 port range: [1024, 65535]
Jun 24 15:24:33 raspberrypi named[2294]: using default UDP/IPv6 port range: [1024, 65535]
Jun 24 15:24:33 raspberrypi named[2294]: no IPv6 interfaces found
Jun 24 15:24:33 raspberrypi named[2294]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 24 15:24:33 raspberrypi named[2294]: listening on IPv4 interface eth0, 192.168.0.15#53
Jun 24 15:24:33 raspberrypi named[2294]: generating session key for dynamic DNS
Jun 24 15:24:33 raspberrypi named[2294]: sizing zone task pool based on 22823 zones
Jun 24 15:24:47 raspberrypi named[2294]: set up managed keys zone for view _default, file 'managed-keys.bind'
Jun 24 15:24:47 raspberrypi named[2294]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jun 24 15:24:47 raspberrypi named[2294]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jun 24 15:24:47 raspberrypi named[2294]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Community Veteran
Posts: 2,255
Thanks: 100
Fixes: 4
Registered: 18-02-2013

Re: Raspberry pi dns server

it seems to block adverts  Grin
Community Veteran
Posts: 6,606
Thanks: 209
Fixes: 15
Registered: 16-02-2009

Re: Raspberry pi dns server

I just tried it on my Mint LMDE machine. It installed but I couldn't get it to resolve anything on home.lan.
And Adblock does the same job on FF. My youtube doesn't even show the "cant find" box.
Community Veteran
Posts: 2,255
Thanks: 100
Fixes: 4
Registered: 18-02-2013

Re: Raspberry pi dns server

I don't fully understand the bind setup configs properly, i was just giving it a bash because i have a spare raspberry to tinker with.
but i can confirm it is working, just not as i would like. I need to invest more time into understanding it, google hasn't presented me with an easy fix thus far.
it seems to speed stuff up no end with half the crap blocked, sites like bbc.co.uk load really fast. I did mean to try out npr's unbound but i've not got around to that yet, i guess it is the same sort of thing.
Does anybody have idea's on how safe this is to use full time running properly ?
I've used Adblock before but i was looking for a more wide deployment of blocking for my pads etc.
Moderator
Moderator
Posts: 17,329
Thanks: 963
Fixes: 113
Registered: 11-01-2008

Re: Raspberry pi dns server

you could always put squid on as a proxy and use adzapper http://adzapper.sourceforge.net/ that blocks adds ok.
Will Moderate For Thanks
Community Veteran
Posts: 6,606
Thanks: 209
Fixes: 15
Registered: 16-02-2009

Re: Raspberry pi dns server

I used to use that when I had a smoothwall firewall running. Back in the bad old days of M$ OS's  Cheesy
Moderator
Moderator
Posts: 17,329
Thanks: 963
Fixes: 113
Registered: 11-01-2008

Re: Raspberry pi dns server

well it still works Smiley
have done it on a pi yet, but it's something i might try.
Will Moderate For Thanks
Community Veteran
Posts: 2,255
Thanks: 100
Fixes: 4
Registered: 18-02-2013

Re: Raspberry pi dns server

Security with Bind using dnssec, is there any need to use dnssec as long as i'm using plusnet dns reslovers ? i know i'm caching local but isn't the bad stuff already blocked with the bad domains script thats running as well from the link above.
dnssec test http://dnssec.vs.uni-due.de/
Community Veteran
Posts: 2,255
Thanks: 100
Fixes: 4
Registered: 18-02-2013

Re: Raspberry pi dns server

My Conclusion to this solution is it to slow with the sheer amount of blocked zones in place. It is a shame because it works really well blocking stuff, but the raspberry just can't cope when used as a local cache/forwarder for the router, such a shame. Thanks for the input all.
Next project...  Unbound. I must be a sucker for punishment.
Community Veteran
Posts: 2,255
Thanks: 100
Fixes: 4
Registered: 18-02-2013

Re: Raspberry pi dns server

Just passing back over this post to update on my second attempt at curing a problem with the TG582n i needed to solve using a separate local dns cache/forwarder.
Well i am surprised in all honesty, Unbound works perfectly and does what i need it to do with no nonsense or fuss. yes it cost me 30 quid or so but well worth the price for better control imo. Installing unbound was very simple on the raspberry pi using npr's tutorial http://npr.me.uk/pidns.html i'm also using opendns and add-blocking which works very well indeed for a small network with fast  game machines that are constantly needing to resolve in large volume which will be constant for the summer holidays, for which i think we are well prepaired for now. All info on installing Unbound is covered on npr's website along with add-blocking and dnssec etc. here is a dnssec test http://dnssec.vs.uni-due.de/  Many thanks again to npr for the tireless info he provides, and also the personal help and input on using opendns forwarders on this project which i've added below. Should you need to use your own forwarders etc, you would just type those few lines at the bottom of your unbound.conf file obviously changing the ip address to those you prefer. Below i have added a few sites i found usefull to me on this project.
forward-zone:
name: "."
forward-addr: 208.67.222.123
forward-addr: 208.67.220.123


https://calomel.org/
http://www.unbound.net/documentation/howto_statistics.html
http://www.debuntu.org/how-to-monitoring-a-server-with-munin/