Setup Email Server From Scratch On FreeBSD #2 - 80 Bind DNS
We believe in data independence, and support others who want data independence.
This tutorial was completed 2025-08-14, except that there is no page yet for setting up postscreen.
This is version 2 and everything works.
#######################################
# Setup Authoritative Bind DNS Server #
#######################################
Set up a local caching nameserver to speed up DNS requests. Unbound, dnsmasq, and bind all have strengths and weaknesses. Dnsmasq is good with DHCP clients, but it is a forwarder rather than a full recursive resolver. Both bind and unbound are DNSSEC-capable, and one of them should be used if you run your own nameserver and publish DKIM keys in it. A local full caching DNS resolver is needed if you use real-time blacklists (DNSRBL), because the blacklist operators refuse or rate-limit queries that arrive through public resolvers, so choose either unbound or bind. Bind supports master/slave zone transfers and NAPTR records, and it is fast. Basic bind configuration isn't difficult.
pkg install bind920
rndc-confgen -a
wrote key file "/usr/local/etc/namedb/rndc.key"
cd /usr/local/etc/namedb
chown root:bind rndc.key
chmod 640 rndc.key
Enable bind in /etc/rc.conf
sysrc named_enable="YES"
Start bind.
service named start
service named status
named is running as pid 2154.
Check the bind setup: enable recursion only for the server itself and any networks you trust (a resolver that recurses for anyone is an open resolver and gets abused for reflection attacks), and enable DNSSEC validation.
cd /usr/local/etc/namedb
nano /usr/local/etc/namedb/named.conf
options {
// All file and path names are relative to the chroot directory,
// if any, and should be fully qualified.
directory "/usr/local/etc/namedb/working";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
// DNSSEC
dnssec-validation auto;
// RECURSION
recursion yes;
allow-recursion {
127.0.0.1;
::1;
// okbsd external
147.135.37.135;
2604:2dc0:200:187::1;
// okdeb slave
15.204.113.148;
2604:2dc0:202:300::3645;
// my trusted home network(s)
trusted_net/cidr;
};
allow-query { any; };
// ...
listen-on {
127.0.0.1;
147.135.37.135;
};
listen-on-v6 {
::1;
2604:2dc0:200:187::1;
};
// if this is master, define slaves here
//allow-notify { 15.204.113.148; };
//allow-transfer { localhost; 15.204.113.148; };
//notify yes;
};
Do not define any master zones unless you plan to run your own authoritative DNS; it is not needed for the mail server setup.
rndc reload
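Before reloading it is worth checking the options block for the two settings that matter most on a mail host: recursion must not be open to the world, and zone transfers should be explicitly restricted. The script below is an added example, not part of the tutorial or of BIND: it is a small lint written in plain sh that flags `allow-recursion { any; }` combined with recursion, an unrestricted or missing `allow-transfer`, and a `dnssec-validation` that is not `auto`/`yes`. The two configs it checks by default are constructed samples (the 192.0.2.0/24 trusted network is a placeholder); point it at the real file with an argument.

```shell
#!/bin/sh
# Added example, not from the tutorial: lint the options block of named.conf.
# Usage: sh check_named_conf.sh /usr/local/etc/namedb/named.conf
#        sh check_named_conf.sh          (checks the two constructed samples below)

# strip // comments and join lines so a statement can be matched in one go
flatten() { sed 's#//.*$##' | tr '\n' ' '; }

# body_of NAME: print the text between the braces of "NAME { ... }", or nothing
body_of() {
    flatten | sed -n "s/.*[^a-z-]$1[[:space:]]*{\([^}]*\)}.*/\1/p"
}

# value_of NAME: print the single-word value of "NAME value;", or nothing
value_of() {
    flatten | sed -n "s/.*[^a-z-]$1[[:space:]]*\([a-z]*\);.*/\1/p"
}

# check_named_conf: reads a config on stdin, prints findings, returns their count
check_named_conf() {
    conf=$(cat)
    findings=0

    # BIND recurses by default, so only an explicit "recursion no;" turns it off.
    # With recursion on, allow-recursion { any; } makes this an open resolver.
    recursion=$(printf '%s\n' "$conf" | value_of recursion)
    allow_rec=$(printf '%s\n' "$conf" | body_of allow-recursion)
    if [ "$recursion" != "no" ] && printf '%s\n' "$allow_rec" | grep -qw any; then
        echo "FAIL: open recursive resolver (recursion on, allow-recursion { any; })"
        findings=$((findings + 1))
    fi

    # Transfers should be denied unless this host is a master with known slaves.
    xfer=$(printf '%s\n' "$conf" | body_of allow-transfer)
    if [ -z "$xfer" ] || printf '%s\n' "$xfer" | grep -qw any; then
        echo "WARN: allow-transfer not restricted; set { none; } or list your slaves"
        findings=$((findings + 1))
    fi

    # Validation is what gives the 'ad' flag for signed domains (and DNSRBL answers).
    dv=$(printf '%s\n' "$conf" | value_of dnssec-validation)
    case "$dv" in
        auto|yes) ;;
        *) echo "WARN: dnssec-validation is '${dv:-unset}'; set it to auto"
           findings=$((findings + 1)) ;;
    esac
    return $findings
}

# constructed sample: the weak settings side by side
WEAK_CONF='options {
    directory "/usr/local/etc/namedb/working";
    recursion yes;
    allow-recursion { any; };     // anyone on the internet may use this cache
    allow-query { any; };
    dnssec-validation no;
};'

# constructed sample: the corrected form (192.0.2.0/24 stands in for a trusted network)
HARDENED_CONF='options {
    directory "/usr/local/etc/namedb/working";
    dnssec-validation auto;
    recursion yes;
    allow-recursion { 127.0.0.1; ::1; 192.0.2.0/24; };   // self plus trusted nets only
    allow-query { any; };          // authoritative answers may be served to anyone
    allow-transfer { none; };      // no slaves on this host
};'

if [ $# -ge 1 ]; then
    check_named_conf < "$1"
else
    echo "== constructed weak config =="
    printf '%s\n' "$WEAK_CONF" | check_named_conf && echo "(no findings)"
    echo "== constructed hardened config =="
    printf '%s\n' "$HARDENED_CONF" | check_named_conf && echo "(no findings)"
fi
```

Run against the named.conf shown above it will report one warning, because `allow-transfer` is commented out there; uncomment it with `{ none; }` on a standalone server, or with the slave's address on a master, and the warning goes away. The script only inspects the `options` block style shown on this page; it does not parse per-zone or per-view overrides.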
Test Bind
nslookup google.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.com
Address: 142.250.217.110
Name: google.com
Address: 2607:f8b0:400a:80b::200e
nslookup okbsd.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: okbsd.com
Address: 147.135.37.135
Name: okbsd.com
Address: 2604:2dc0:200:187::1
Make sure /etc/resolv.conf is a regular file and not a symbolic link; if it is a link, remove it and recreate it as a file, otherwise your edits may be overwritten.
ls -l /etc/resolv.conf
-rw-r--r-- 1 root wheel 91 Aug 1 12:03 /etc/resolv.conf
Modify /etc/resolv.conf to point to your local bind server. List 127.0.0.1 first; the public resolvers are fallbacks only, since DNSRBL lookups that go through them are usually refused. The trust-ad option tells a stub resolver that honours it to believe the 'ad' flag from the listed servers, which is only safe for the local validating server on 127.0.0.1.
nano /etc/resolv.conf
nameserver 127.0.0.1
nameserver 1.1.1.1
nameserver 9.9.9.9
options edns0 trust-ad
search .
Check that the zone validates from an external validating resolver; look for the 'ad' flag.
dig @8.8.8.8 okbsd.com +dnssec +multiline
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
Bind on the server itself answers from its own zone, so it sets the 'aa' flag and not 'ad': a server does not validate its own authoritative data. To check that local validation works, query a signed domain this server is not authoritative for and look for 'ad'.
dig @127.0.0.1 okbsd.com +dnssec +multiline
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
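The flag checks above are easy to misread by eye, so the following added example (not from the tutorial) classifies a dig answer from its header: REFUSED means allow-recursion did its job for that client, SERVFAIL with +dnssec is what a bogus signature looks like, 'ad' means the resolver validated, 'aa' means it answered from its own zone. The four sample headers are constructed (the ids, and the REFUSED and SERVFAIL cases, are not from this page); feed real output with `dig ... | sh check_answer.sh -`.

```shell
#!/bin/sh
# Added example, not from the tutorial: classify a dig answer by header flags.
# Usage: dig @127.0.0.1 okbsd.com +dnssec | sh check_answer.sh -
#        sh check_answer.sh          (classifies the constructed samples below)

# status_of: print the rcode from the ";; ->>HEADER<<-" line
status_of() { sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'; }

# flags_of: print the flag list from the ";; flags:" line, e.g. "qr rd ra ad"
flags_of() { sed -n 's/^;; flags: \([^;]*\);.*/\1/p'; }

# has_flag ANSWER FLAG: true if FLAG appears in the header flags
has_flag() { printf '%s\n' "$1" | flags_of | tr ' ' '\n' | grep -qx "$2"; }

# classify ANSWER: one word saying what the answer proves
#   refused       - server would not recurse for this client (allow-recursion works)
#   servfail      - lookup failed; with +dnssec this is a validation failure
#   validated     - 'ad' set: the resolver validated the DNSSEC chain
#   authoritative - 'aa' set: answered from the server's own zone ('ad' is never set here)
#   unvalidated   - an answer came back without any validation
classify() {
    answer="$1"
    case "$(printf '%s\n' "$answer" | status_of)" in
        REFUSED)  echo refused;  return 0 ;;
        SERVFAIL) echo servfail; return 0 ;;
    esac
    if has_flag "$answer" ad; then
        echo validated
    elif has_flag "$answer" aa; then
        echo authoritative
    else
        echo unvalidated
    fi
}

# constructed: a validated answer from a public resolver (like the @8.8.8.8 check)
ANS_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
# constructed: the local server answering for its own zone (like the @127.0.0.1 check)
ANS_AA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
# constructed: what a host outside allow-recursion gets for a recursive query
ANS_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4713
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
# constructed: a signed domain whose signatures do not validate
ANS_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4714
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if [ "$1" = "-" ]; then
    classify "$(cat)"
else
    for s in "$ANS_AD" "$ANS_AA" "$ANS_REFUSED" "$ANS_BOGUS"; do
        printf '%-14s flags: %s\n' "$(classify "$s")" "$(printf '%s\n' "$s" | flags_of)"
    done
fi
```

The one check this cannot run from the server itself is the refused case: a query to 127.0.0.1 is always inside allow-recursion. Run `dig @147.135.37.135 google.com` from a host that is not listed and pipe it through the script; anything other than "refused" means the server is recursing for strangers.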