macos - update - OSX Mavericks-BIND no longer installed… how to get local DNS server working?

I used to use a local DNS server running on the Mac until I discovered DNSMasq on DD-WRT.

I set up a DD-WRT router for my LAN and WiFi and then used the DNSMasq feature of DD-WRT to list all entries that should map to development machines.

Log into your DD-WRT router:

Under Services, Enable DNSMasq

Under "Additional DNSMasq options" list each entry you want to mask:

address=/[url]/[ip]

Examples:

address=/www.dev.mysite.com/192.168.1.10
address=/photos.dev.mysite.com/192.168.1.11
address=/static.dev.mysite.com/192.168.1.12

This is almost like running your own DNS server on the router just for local addresses but without the overhead.

This way I can connect to local development machines via the LAN and all mobile devices via WIFI without much hassle.

Advantages:

  • No DNS server overhead on your Mac
  • No DNS configuration required, it just works via DHCP
  • Easily connect mobile devices via WIFI to development machines!
  • Easy to maintain & configure via router interface
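As an added illustration (not part of the answer above) of what those address= lines actually do, here is a small Python model of dnsmasq's address=/domain/ip rule: an entry answers for the domain and every name beneath it, the longest matching domain wins, and a malformed line or non-IP target is rejected instead of silently ignored. The sample options are the three lines from the answer.

```python
import ipaddress

# Constructed sample: the "Additional DNSMasq options" lines from the post.
DNSMASQ_OPTIONS = """
address=/www.dev.mysite.com/192.168.1.10
address=/photos.dev.mysite.com/192.168.1.11
address=/static.dev.mysite.com/192.168.1.12
"""


def parse_address_options(text):
    """Return [(domain, ip)] from dnsmasq 'address=/domain/ip' lines.

    Blank lines, comments and other options are skipped; a malformed
    address line or a non-IP target raises ValueError, so a typo in the
    router UI is caught instead of silently breaking LAN resolution.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("address="):
            continue
        parts = line[len("address="):].split("/")
        # "/domain/ip" splits into ["", "domain", "ip"]
        if len(parts) != 3 or parts[0] != "" or not parts[1]:
            raise ValueError(f"malformed option: {line}")
        domain = parts[1].rstrip(".").lower()
        ip = str(ipaddress.ip_address(parts[2]))  # raises on a bad address
        entries.append((domain, ip))
    return entries


def resolve(name, entries):
    """dnsmasq semantics: an address= entry answers for the domain itself
    and every name beneath it, and the most specific (longest) matching
    domain wins. Returns the IP, or None when dnsmasq would forward the
    query to the upstream resolver instead."""
    name = name.rstrip(".").lower()
    best = None
    for domain, ip in entries:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, ip)
    return best[1] if best else None
```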

I have always used BIND on OSX to provide a local DNS resolver for my local development machines, particularly to facilitate virtual machines accessing my local dev environment.

Foolishly I decided to upgrade to OSX Mavericks overnight and it appears BIND is no longer installed - even when the command line developer tools are added.

Anyone have a suggestion of how to restore this functionality, or if the latest OSX has an alternative DNS solution in place?

Thanks, Steve


BIND is installed in Mavericks. Just the files have moved. You can find all the zone files in /Library/Server/named/.

Apple has actually done a good job going for a more compliant implementation compared to 10.6.8.

It's easy to modify the files by hand.

My $0.02

LL


Installing Homebrew and using it to install bind seems the best route.

There are a few little "gotchas", so I put together this bash script to simplify it all.

1) Install Homebrew.

2) Save this file to your Mac as "ConfigureBrewBindOnOSX10_9.sh" and run it (sh ./ConfigureBrewBindOnOSX10_9.sh), or run its commands line-by-line by hand (if you want to see more detail as you go).

Contents of ConfigureBrewBindOnOSX10_9.sh

#!/bin/bash

# Last Updated: Jun 17, 2014
# [email protected]
#
# Run as root or sudo the commands that need it as you go.

# 1) USE HOMEBREW TO INSTALL BIND

brew install bind

# Homebrew's prefix for the bind formula (a symlink into the versioned
# Cellar directory), so no version number has to be kept up to date by hand.
BIND_PREFIX="$(brew --prefix bind)"

# 2) CONFIGURE BIND

# Create a custom launch key for BIND.
# rndc-confgen prints the key block first, so its first 6 lines are the
# key block that named needs.

/usr/local/sbin/rndc-confgen > /etc/rndc.conf
head -n 6 /etc/rndc.conf > /etc/rndc.key

# Set up a basic named.conf file.
# The heredoc delimiter is quoted so nothing inside is expanded by the shell.

cat > "$BIND_PREFIX/etc/named.conf" <<'END'
//
// Include keys file
//
include "/etc/rndc.key";

// Declares control channels to be used by the rndc utility.
//
// It is recommended that 127.0.0.1 be the only address used.
// This also allows non-privileged users on the local host to manage
// your name server.

//
// Default controls
//
// The port must match "default-port" in the rndc.conf generated above
// (rndc-confgen uses 953).
controls {
        inet 127.0.0.1 port 953 allow {any;}
        keys { "rndc-key"; };
};

options {
        directory "/var/named";
};

//
// a caching only nameserver config
//
zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

logging {
        category default {
                _default_log;
        };

        channel _default_log  {
                file "/Library/Logs/named.log";
                severity info;
                print-time yes;
        };
};

END

# Symlink Homebrew's named.conf to the typical /etc/ location
# (-f replaces any named.conf already there).
ln -sf "$BIND_PREFIX/etc/named.conf" /etc/named.conf


# Create directory that bind expects to store zone files

mkdir -p /var/named

# Root hints for the "." hint zone (-f turns a failed download into an
# error instead of saving an HTML error page as named.ca).
curl -fsSL -o /var/named/named.ca http://www.internic.net/domain/named.root

# Minimal zone files for the two master zones declared in named.conf;
# named logs an error and skips a master zone whose file is missing.

cat > /var/named/localhost.zone <<'END'
$TTL 86400
@       IN  SOA   localhost. root.localhost. ( 1 3600 900 604800 86400 )
        IN  NS    localhost.
        IN  A     127.0.0.1
        IN  AAAA  ::1
END

cat > /var/named/named.local <<'END'
$TTL 86400
@       IN  SOA   localhost. root.localhost. ( 1 3600 900 604800 86400 )
        IN  NS    localhost.
1       IN  PTR   localhost.
END


# 3) CREATE A LaunchDaemon FILE:
# (/Library/LaunchDaemons is the conventional location for non-Apple daemons.)

cat > /System/Library/LaunchDaemons/org.isc.named.plist <<'END'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Disabled</key>
        <false/>
        <key>EnableTransactions</key>
        <true/>
        <key>Label</key>
        <string>org.isc.named</string>
        <key>OnDemand</key>
        <false/>
        <key>ProgramArguments</key>
        <array>
                <string>/usr/local/sbin/named</string>
                <string>-f</string>
        </array>
        <key>ServiceIPC</key>
        <false/>
</dict>
</plist>
END

chown root:wheel /System/Library/LaunchDaemons/org.isc.named.plist
chmod 644 /System/Library/LaunchDaemons/org.isc.named.plist

# Shut down bind (if it was running)
#launchctl unload /System/Library/LaunchDaemons/org.isc.named.plist


# Launch BIND and set it to start automatically on system reboot.
launchctl load -wF /System/Library/LaunchDaemons/org.isc.named.plist

Let me know if you need any help, I've successfully configured this on quite a few machines.
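As an added pre-flight check (not part of the answer above), this Python snippet reads a named.conf, pairs each zone with the file it names, and reports zones whose file is not present in the options directory; named logs an error and skips such a zone, which is easy to miss when it is started under launchd rather than by hand. The named.conf sample is constructed from the one the script writes.

```python
import re

# Constructed sample: the zone-bearing parts of the named.conf the script
# above writes (allow-update placed before file in one zone on purpose).
NAMED_CONF = '''
options { directory "/var/named"; };
zone "." IN { type hint; file "named.ca"; };
zone "localhost" IN {
    type master;
    allow-update { none; };   // nested block before the file statement
    file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
};
'''

ZONE_HDR = re.compile(r'\bzone\s+"([^"]+)"')
FILE_STMT = re.compile(r'\bfile\s+"([^"]+)"\s*;')

def _block(text, start):
    """Body of the brace block opening at or after `start`, honouring
    nested blocks such as 'allow-update { none; };'."""
    i = text.index("{", start)
    depth = 0
    for j in range(i, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return text[i + 1:j]
    raise ValueError("unbalanced braces in named.conf")

def zone_files(conf):
    """Map zone name -> relative file it needs, or None when the zone has
    no file statement (built-in root hints, database "_builtin ..." zones)."""
    conf = re.sub(r"//[^\n]*", "", conf)  # strip // comments first
    out = {}
    for m in ZONE_HDR.finditer(conf):
        f = FILE_STMT.search(_block(conf, m.end()))
        out[m.group(1)] = f.group(1) if f else None
    return out

def missing_zone_files(conf, present):
    """Zones whose file is not among `present` (file names found in the
    options directory); named logs an error and refuses to load such a zone."""
    return sorted(z for z, f in zone_files(conf).items()
                  if f and not f.startswith("/") and f not in present)
```

In practice `present` would be `set(os.listdir("/var/named"))`, run before `launchctl load`.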


Men & Mice is offering BIND installers for free at http://support.menandmice.com/download/bind/macosx/10.9-Mavericks/

MacOS X 10.4 (PPC), 10.5/10.6 (x86) and 10.7/10.8 (and new) 10.9 (x86_64)

Here is my recommendation for a basic "/etc/named.conf" file for BIND 9.9.4. Many basic configuration recommendations on the Internet and templates from BIND installations in Linux/BSD distributions have not been updated to recent changes in BIND and are not optimal (although they continue to work).

// BIND named.conf caching only DNS server
// configuration file for 
// BIND 9.7 and up
options {
    // set the DNS servers "home" directory
    // all files with relative path names
    // will be read or written from this
    // directory
    directory "/var/named";
    // disable query-logging on start
    // query-logging can be enabled using
    // "rndc querylog"
    querylog no;
};

// automatic empty zone for the "localhost" name
zone "localhost" IN {
   type master;
   database "_builtin empty . nothing.invalid.";
};

// logging template for a caching DNS server
logging {
   channel syslog { syslog daemon; severity info; };
   channel security { file "security.log" versions 10 size 50M; print-time yes; };
   channel query_log {
     file "query.log" versions 10 size 50M; severity debug; print-time yes;
   };
   category general       { syslog; };
   category security      { security; };
   category queries       { query_log; };
   category dnssec        { security; };
   category default       { syslog; };
   category resolver      { syslog; };
   category client        { syslog; };
   category query-errors  { query_log; };
   category edns-disabled { syslog; };
};

Some comments:

  • rndc.key does not need to be imported using an import statement. If no dedicated rndc configuration is present, rndc.key will be read by named on startup by default
  • if no "controls" block is defined, the default controls statement is used. The default controls configuration is

    controls { inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; }; };

  • never specify "query-source" with a port number for a caching DNS server (I would prefer not to see it even if it is commented out, someone might enable it and create a security hole); it is a security risk (it disables UDP port randomization and therefore enables easy DNS cache spoofing)

  • no need to specify an empty zone for "0.0.127.in-addr.arpa.", as it is (among a couple of other empty zones) in the default BIND config since version 9.5.x
  • the zone specification for "localhost" shows how to define an empty zone that does not require an extra zone file on disk
  • for caching DNS servers that operate in the Internet DNS, I highly recommend using the "root.hints" (list of root DNS servers) that is built into BIND by not specifying a zone of type "hint". The built-in root hints are updated every time the BIND program is updated.
  • the logging statement gives a list of logging categories that are interesting for a caching DNS server. "query-logging" (logs all queries received by the DNS server) can hurt the performance of a busy DNS server (> 1000 queries per second); it is disabled in the options block but can be enabled (toggled) using "rndc querylog". The status of the querylog function (enabled/disabled) can be looked up using "rndc status"
