Replacing Active Directory DNS with BIND on OpenWRT

22Jan17

TL;DR

I need local DNS for various home lab things, but the Windows VMs I’ve been using can be slow and unreliable after a power outage (which happens too frequently). Moving to BIND turned out to be much easier than I feared, and I chose OpenWRT devices to run it on as I wanted reliable turnkey hardware.

Background

My home network is a mixture of ‘production’ – stuff I need for working from home and that the family rely on – and ‘dev/test’ – stuff that I use for tinkering. Both of these things need DNS, which I’ve been running on Windows Active Directory (AD) since it was in Beta in 1999. For many years I had an always-on box that ran as an AD server and my personal desktop, but that was before I became more concerned about power consumption and noise. For the last few years my AD has been on VMs running on a couple of physical servers at opposite ends of the house. That’s fine under normal circumstances, but leads to lots of ‘the Internet’s not working’ complaints if a power outage takes down the VM servers.

Why OpenWRT?

I already have a few TP-Link routers that have been re-purposed as WiFi access points, and since the stock firmware is execrable I’ve been running OpenWRT on them for years. They seem to have survived all of the power outages without missing a beat, and restart pretty quickly.

Why BIND?

Despite a (possibly undeserved) reputation for being difficult to configure and manage, BIND is the DNS server that does it all (at least according to this comparison). It’s also available as an OpenWRT package, so all I needed to do was follow the BIND HowTo and:

opkg update
opkg install bind-server bind-tools

Getting my zone files

Windows provides a command line tool to export DNS from Active Directory, and the files that it creates can be used directly as BIND zone files:

dnscmd /ZoneExport Microsoft.local MSzone.txt

The exports show up in %SystemRoot%\System32\Dns and it’s then a case of copying and cleaning up; the cleaning up being necessary because the exports are full of AD SRV records that I don’t need. I simply deleted the SRV records en masse, and tweaked the NS records to reflect the IPs of their new homes.

With clean zone files it was a simple matter of scp’ing them over to the OpenWRT routers and configuring named.conf to pick them up and use my preferred forwarders[1]. A restart of named then allowed my new BIND server to do its thing:

/etc/init.d/named restart
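The clean-up step above (dropping the SRV records and checking which NS records still need re-pointing) is easy to do by hand once, but a small script makes it repeatable when the zone is re-exported. The following is an added example, not the post's own tooling: a POSIX shell script that filters a dnscmd /ZoneExport file by record type, lists the NS records that survive, and prints the named.conf stanza that loads the result. The sample export embedded in it is constructed to resemble an AD export, and the /etc/bind/MSzone.txt path is an assumption about where the file ends up on the router.

```shell
#!/bin/sh
# Added example: tidy a dnscmd /ZoneExport file for BIND and emit the matching
# named.conf zone stanza. The export below is a CONSTRUCTED sample shaped like
# an AD export (SOA, NS, AD service-location SRV records, a couple of hosts).

SAMPLE_FILE=$(mktemp)
cat >"$SAMPLE_FILE" <<'EOF'
;
;  Database file MSzone.txt for Microsoft.local zone.
;      Zone version:  42
;
@                       IN  SOA dc1.microsoft.local. hostmaster.microsoft.local. (
                        42           ; serial number
                        900          ; refresh
                        600          ; retry
                        86400        ; expire
                        3600       ) ; default TTL
;
;  Zone NS records
;
@                       NS      dc1.microsoft.local.
;
;  Zone records
;
_gc._tcp                600 SRV   0 100 3268    dc1.microsoft.local.
_kerberos._tcp          600 SRV   0 100 88      dc1.microsoft.local.
                        600 SRV   0 100 88      dc2.microsoft.local.
_ldap._tcp              600 SRV   0 100 389     dc1.microsoft.local.
_msdcs                  NS      dc1.microsoft.local.
dc1                     3600 A  192.168.1.10
fileserver              A       192.168.1.20
EOF

# zone_filter MODE TYPE FILE
#   MODE "drop": print the zone with records of TYPE removed (comments kept)
#   MODE "keep": print only the records of TYPE
# The record type is found by skipping the owner name (absent when the line
# starts with whitespace, i.e. it repeats the previous owner), an optional
# numeric TTL and an optional "IN" class. SOA continuation lines never match.
zone_filter() {
    awk -v mode="$1" -v want="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" '
        function rtype(    i) {
            i = ($0 ~ /^[[:space:]]/) ? 1 : 2
            if ($i ~ /^[0-9]+$/) i++
            if (toupper($i) == "IN") i++
            return toupper($i)
        }
        /^[[:space:]]*;/ || NF == 0 { if (mode == "drop") print; next }
        {
            hit = (rtype() == want)
            if (mode == "drop" && !hit) print
            if (mode == "keep" && hit)  print
        }
    ' "$3"
}

strip_srv()  { zone_filter drop SRV "$1"; }                     # the en-masse delete
list_ns()    { zone_filter keep NS  "$1"; }                     # what still needs re-pointing
count_type() { zone_filter keep "$2" "$1" | awk 'END { print NR }'; }

# zone_stanza ZONE FILE: the named.conf declaration that loads the cleaned file
zone_stanza() {
    printf 'zone "%s" {\n\ttype master;\n\tfile "%s";\n};\n' "$1" "$2"
}

# check_zone ZONE FILE: syntax-check with named-checkzone when it is installed
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not found; skipping syntax check" >&2
    fi
}

# Demonstration on the constructed sample
CLEANED=$(mktemp)
strip_srv "$SAMPLE_FILE" >"$CLEANED"
echo "SRV records before: $(count_type "$SAMPLE_FILE" SRV), after: $(count_type "$CLEANED" SRV)"
echo "NS records left to re-point at the new server(s):"
list_ns "$CLEANED"
check_zone Microsoft.local "$CLEANED"
zone_stanza Microsoft.local /etc/bind/MSzone.txt   # assumed path on the router
```

Run it against a real export by replacing the heredoc with the exported file; the NS listing is the part worth reading before copying the file across, since each remaining NS target (including the `_msdcs` delegation) still points at a domain controller.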

Conclusion

I’d been put off BIND due to tales of its complexity, but for my purposes it’s a breeze to use. The fact that I was able to export my existing DNS setup straight into files that were suitable for use as BIND zone files made things extra easy.

Note

[1] I used to run a recursive DNS at home, but I found that it can be slow at times, so I’ve been using forwarders ever since. I’m not spectacularly keen on giving a list of everything I visit on the Internet to anybody, but ultimately I’ve settled on this selection of forwarders:

	forwarders {
		64.6.64.6;      # Verisign primary
		64.6.65.6;      # Verisign secondary
		8.8.8.8;        # Google primary
		208.67.222.222; # OpenDNS primary
		8.8.4.4;        # Google secondary
		208.67.220.220; # OpenDNS secondary
		80.80.80.80;    # Freenom primary
		80.80.81.81;    # Freenom secondary
	};
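For context, this is how that list sits inside the options block of named.conf, as an added fragment rather than the post's own configuration. `forward only;` stops named from quietly falling back to full recursion when the forwarders are unreachable, and the two allow lines keep a router with a WAN-facing interface from acting as an open resolver; `localnets` and `localhost` are BIND's built-in ACLs, so no site-specific ranges are assumed.

```conf
options {
	forward only;                  # always ask the forwarders, never recurse directly
	forwarders {
		64.6.64.6;      # Verisign primary
		64.6.65.6;      # Verisign secondary
		8.8.8.8;        # Google primary
		208.67.222.222; # OpenDNS primary
		8.8.4.4;        # Google secondary
		208.67.220.220; # OpenDNS secondary
		80.80.80.80;    # Freenom primary
		80.80.81.81;    # Freenom secondary
	};
	allow-query     { localnets; localhost; };   # answer only the LAN
	allow-recursion { localnets; localhost; };   # and forward only for the LAN
};
```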

I really wish a company with strong values (like CloudFlare) ran a service that I’d be happy to forward to, though the Snoopers’ Charter is making me reconsider my whole approach to DNS – I may have to tunnel my DNS traffic offshore like I’ve done with my Android tablet – anybody know a DNS server that can be forced to use a SOCKS proxy?
