Run a Local DNS Server for internal lan on TrueNAS 13?

Geoff

Dabbler
Joined
Jul 11, 2013
Messages
25
Hi,

Have a home TrueNAS box built from an old I5, presently updating to TrueNAS 13 stable.

I'd like to run a DNS server for my internal lan 192.168.11.x that can also reference an external DNS (say 8.8.8.8) and cache for internet lookups as well.

No, my router can't do that. (It's been lobotomized by the ISP and can barely manage minimal DHCP)

Is there a how to on this somewhere? No, not interested in making 20 plus HOSTS files instead, I want a DNS. The NAS is the only system that's always up so it's the logical place to put it.

Any advice gratefully accepted. I'm sure I've seen this somewhere, something about a jail? Whatever that is?

Regards

Geoff
ETWebs
Joined
Jun 2, 2019
Messages
591
Can you put your ISP modem/firewall in bridge mode? If so, that allows you to place your own firewall behind your ISP's equipment, set up your own firewall to host all the services you want with either a consumer router or install open source enterprise class firewall software https://pfsense.org on your own appliance. That would be the more logical place to host services like DHCP, DNS, IDS/IPS, NTP, VPN, etc.

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
A jail is a lightweight "virtual machine" with a separate copy of the operating system and any services you might want to install but running on the same kernel as the NAS host. It's a great way to do exactly what you want to. You can even improve upon the pure DNS a bit and add e.g. AdGuard Home. But you will need to get your hands dirty and use the command line. Are you familiar with Unix/Linux?

Geoff

Dabbler
Joined
Jul 11, 2013
Messages
25
Can you put your ISP modem/firewall in bridge mode? If so, that allows you to place your own firewall behind your ISPs equipment, set up your own firewall to host all the services you want with either a consumer router or install open source enterprise class firewall software https://pfsense.org on your own appliance. That would be the more logical place to host services like DHCP, DNS, IDS/IPS, NTP, VPN, etc.
I don't have root access to the lobotomized modem. The ISP doesn't allow it.
Very restrictive, even UPNP options are disabled and hidden. So no. Also they won't configure a user supplied modem for the SIP telephony. Period, because they can't lock you out of the SIP settings. You must use their modem, they will not even supply the SIP etc credentials to end users like me. You must use their modem and they configure it and SIP. You can fiddle with a few things, do port forwarding to some degree but not UPNP.... DNS is limited to a static 'home' domain, you can't add hosts et al. They'll allow consumer side for the internet connection, but not telephony. All phone systems here are VOIP now, there is no analog POTS anymore. I tried for three months to get support for Asterisk based FreePBX and they simply stopped responding to the support request. We have an IP phone I'm locked out of as well, I can't even load phone numbers in it, they demand you send them a CSV file and they'll do it. Naturally I told them what to do with that idea.
I'm just me at home using an old I5 as a NAS, I don't want to install any more hardware if it can be avoided. Need to keep it simple and cheap. I take it pfsense won't live on the same hardware as TrueNAS? I've never heard of pfsense to be honest. I just want a local DNS for a small lan of about 15-20 PCs, phones, printers and a couple of switches etc, with the ability to cache internet lookups as well. My internet domain is hosted elsewhere online, so don't need that at all.

Geoff

Dabbler
Joined
Jul 11, 2013
Messages
25
A jail is a lightweight "virtual machine" with a separate copy of the operating system and any services you might want to install but running on the same kernel as the NAS host. It's a great way to do exactly what you want to. You can even improve upon the pure DNS a bit and add e.g. AdGuard Home. But you will need to get your hands dirty and use the command line. Are you familiar with Unix/Linux?
Ok, well, I've managed to create a jail and install the DNSMASQ plugin. Depends what you mean by 'familiar'. I've used it a lot and I use WHM and CPANEL to run some web and mail servers, I can edit text files, but the default editor is so user angry I simply can't stand using it. I'm actually learning to hate Linux on the desktop because even very simple things like mapping a network drive require inserting cryptic commands into an obscure text file buried somewhere in the system.
Seems this is no different.
I've had a quick look at the dnsmasq.conf file, and it's not encouraging.

I was hoping DNSMASQ might have a GUI option, but it seems not.

I administer real domains online through a provider and that's easy enough, creating hosts, DMARC, DKIM SPF etc but the code for this resembles C and I don't code. (Not since TurboPascal anyway - I consider C one step from assembler in crypticness.)

I have a single class c 192.168.11.x network. Did consider HOSTS files, but too many to edit if something changes.

So a local DNS seems to be the go, but it's so fiendishly complicated on a Linux box I'm having second thoughts about even attempting it.

I had a look at BIND (also a plugin) and got part way through the conf file and just deleted the jail.

I don't want it to be publishing a domain on the internet or something because I misconfigured it and it wasn't clear to me what I needed or what I needed to comment out.

I do have a Win10 box that's normally on all the time - it was my 'server' before I built the TrueNAS box, so there's probably some simpler DNS I can run on that which would at least be easier to configure, but running such things on a Win box is against my religion. Would really prefer it on the NAS if I do it at all, but like everything Linux, it's incredibly tedious and the documentation is cryptic at best so it seems I'm going to need more guidance than I thought I would.

I've worked in IT most of forty years, but not linux much, VMS yes, Netware yes (DNS on that was GUI and very simple). But not Windows servers as such or even AD domains - they seemed to be just an easy way to break lots of things at once, we avoided them and life was good.

I suppose I'm not a clueless noob, except with doing DNS servers on linux boxes. Put it this way, I lost interest in Linux as a desktop when I had to find and edit obscure files somewhere with cryptic commands just to get scroll arrows to appear in Libre Writer, which is completely ridiculous. I can do HOST files and even domain records just fine, I manage several customer domain records and that's childishly simple, but the config for this looks like it will be easy to break something.

If I had a half decent router (Huawei s$&t the ISP supplies, then they lobotomise it more) I'd do it there, but I can't... and no I can't put in my own, they won't support our IP phones if I do (and there is no POTS here anymore, it's all VOIP)

As near as I can tell, I can't even access the files in the jail from elsewhere so I can use a real text editor instead of whatever it is that 'edit' on BSD provides. Nothing written in the last 40 years apparently. Why are default text editors on all linux systems absolute crawling horrors? To discourage people from using them?

Ok, enough whining. Just needed to vent I suppose. Any guidance/examples would be much appreciated. And is it possible to install an at least somewhat usable text editor for the jail BSD? I really can't use whatever 'edit' is.

Cheers

Geoff
ETWebs
Joined
Jun 2, 2019
Messages
591
pfSense might be a better long term solution rather than trying to cobble something together with jails/plugins. Maybe even pick up some marketable knowledge in the process.
1. pfSense can be virtualized very easily, even on TrueNAS CORE/SCALE
2. Or you can buy a used fanless mini PC off evilBay and put it behind your ISP's kit (except for SIP phones). Does mean you will be running double NAT if you can't put the ISP's kit in bridge mode.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I take it pfsense won't live on the same hardware as TrueNAS?
It could, by way of a virtual machine, though I wouldn't ordinarily recommend doing so, and I think it would likely be overkill for your needs (I'd also prefer OPNsense over pfSense, but that would likewise be overkill for your needs).

Broadly speaking, you have four options:
  • If appropriate software is available via a plugin, install it that way.
    • Strongly discouraged; plugins are deprecated and a "path to sadness" in the words of iX' CTO
  • If appropriate software is available under FreeBSD at all, create a jail, and install it there
    • "Appropriate software" certainly is available under FreeBSD; you can run dnsmasq as a DNS cache, unbound as a full resolver, etc. But I'm not aware of anything that would give a GUI or other web interface in this regard
  • Create a VM with a suitable OS, and install whatever software you like there.
  • Run your DNS on separate hardware, which could be as minimal as a Raspberry Pi or other single-board computer of that ilk
    • I understand you want to avoid additional hardware, but Raspberry Pis used to be cheap, and many of the similar SBCs still are--and it'd be nice to not have DNS for your whole network depend on your NAS being up
The third is what I chose for local DNS on my parents' NAS--create a VM under TrueNAS, install the latest LTS version of Ubuntu on that, and install Pi-Hole there. Pi-Hole is marketed as a network-level ad blocker, which it does pretty well, but it does it by acting as your network's DNS server. By default it uses dnsmasq and caches whatever backend server(s) you tell it to use, but you can also install unbound and use it as a full-fledged recursive resolver.

As an alternative to Pi-Hole, you could also look at Technitium. Also has a nice GUI, seems to offer more comprehensive DNS capabilities, but doesn't seem to be nearly as well-known.
And is it possible to install an at least somewhat usable text editor for the jail BSD?
I'm not certain, but ee may be available in the plugin. It isn't great, but I think it's better than edit.

Or, if you allow the root user to access via SSH, you can use a "real editor" on your desktop machine (e.g., BBEdit on Mac, Notepad++ on Windows) to connect via SFTP and edit the files that way.
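To make the "dnsmasq as a DNS cache in a jail" option concrete for the network described in this thread (192.168.11.x, upstream 8.8.8.8, one place to keep host names instead of 20 HOSTS files), here is an added example dnsmasq.conf. It is not from the thread or the dnsmasq project; the interface name vnet0, the domain home.lan, and the hosts-file path are assumptions for a FreeBSD jail.

```conf
# Added example dnsmasq.conf for a small LAN resolver in a TrueNAS jail.
# Assumed: the jail's LAN interface is vnet0 (check with ifconfig inside the jail).

# Only answer on the LAN interface, and bind to it explicitly, so the resolver
# is never reachable from anything outside 192.168.11.0/24.
interface=vnet0
bind-interfaces

# Never forward bare hostnames (no dots) or reverse lookups for private
# ranges (192.168.x.x etc.) to the public upstream; answer them locally.
domain-needed
bogus-priv

# Ignore the jail's /etc/resolv.conf and use only these upstreams for
# internet names; answers are cached for their TTL.
no-resolv
server=8.8.8.8
server=8.8.4.4

# Entries to keep in the cache (the default is only 150).
cache-size=1000

# Internal domain (assumed name). "local=" keeps queries for this domain
# from ever leaving the LAN; "expand-hosts" appends it to the plain names
# in the hosts file so both "nas" and "nas.home.lan" resolve.
domain=home.lan
local=/home.lan/
expand-hosts

# One hosts file for the whole LAN, maintained in the jail, in the usual
# "192.168.11.10  nas" per-line format (assumed path).
addn-hosts=/usr/local/etc/dnsmasq.hosts

# Uncomment while troubleshooting to log every query to syslog.
#log-queries
```

After `service dnsmasq restart` in the jail, a check from a LAN client is `drill nas.home.lan @<jail-ip>` on FreeBSD or `nslookup nas.home.lan <jail-ip>` on Windows, then point the clients (or the modem's DHCP DNS setting, where the ISP allows it) at the jail's address.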

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I was hoping DNSMASQ might have a GUI option, but it seems not.
If you're still going down the DNS jail route, you can probably get one of these to work with a bit of skill:


Otherwise, the good recommendations from others would certainly do it... pfSense, PiHole, AdGuard all do DNS really well and offer GUI + additional benefits like ad-blocking.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
pfSense, PiHole, AdGuard all do DNS really well
We should distinguish between routers that also provide DNS (e.g., pfSense, OPNsense) and DNS packages (Pi-Hole, AdGuard, Technitium). Surely you could configure either pfSense or OPNsense to do this--LAN interface only, disable DHCP, then configure DNS there as desired. But you're using anti-aircraft guns to try to swat a mosquito in that case.

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
The third is what I chose for local DNS on my parents' NAS--create a VM under TrueNAS, install the latest LTS version of Ubuntu on that, and install Pi-Hole there. Pi-Hole is marketed as a network-level ad blocker, which it does pretty well, but it does it by acting as your network's DNS server. By default it uses dnsmasq and caches whatever backend server(s) you tell it to use, but you can also install unbound and use it as a full-fledged recursive resolver.
Or create a jail and install AdGuard Home which comes with a nice UI. It needs an upstream recursive DNS server, but local-unbound is bundled with FreeBSD and can serve that role.


sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
We should distinguish between routers that also provide DNS
Fair point, although I wasn't specifically trying to frame them as equal in all regards, just that you can do DNS with a GUI using those things.

If you're looking to just have an internal DNS separate from your routing product, PiHole or AdGuard are the well supported options to go with for a GUI.

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Or create a jail and install AdGuard Home which comes with a nice UI. It needs an upstream recursive DNS server, but local-unbound is bundled with FreeBSD and can serve that role.

If I'm not mistaken, doesn't PiHole also come with a web UI? I have never used either, but heard such about them. Hmm, doesn't seem pihole is available via the ports though.

Also, local_unbound isn't meant to be used in that manner and more as a local cache. Hence the local prefix. The handbook advises you to use Unbound from the ports instead.

Here's the relevant snippet from the handbook concerning that:
[screenshot of the handbook excerpt, not reproduced here]

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
doesn't PiHole also come with a web UI?
It does (and a pretty nice one), but AFAIK doesn't run on FreeBSD (hence my installing it in an Ubuntu VM on my parents' NAS rather than in a jail).
local_unbound isn't meant to be used in that manner
If its use with AdGuard is similar to its use with Pi-Hole, unbound would be providing lookups only for AdGuard, which would then serve them to the rest of the network. But that's just a (somewhat informed) guess.
create a jail and install AdGuard Home
Not something I'd been familiar with, hence my not discussing it, but that does sound like a strong candidate. Create a jail, shell into the jail, then pkg install adguardhome && sysrc adguardhome_enable=YES && service adguardhome start, browse to the UI, configure from there? That beats setting up a VM.

Edit: though I don't see where to set up DNS host overrides in AdGuardHome, and it seems like that's what OP needs.

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
@danb35 Ah - yes. I set these in BIND which serves as the upstream recursive and local authoritative server here.

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
It does (and a pretty nice one), but AFAIK doesn't run on FreeBSD (hence my installing it in an Ubuntu VM on my parents' NAS rather than in a jail).
Ah, is it nicer than Adguard Home? Also, I wasn't aware of it, but apparently this exists (it's a feature checklist comparison of the two side-by-side) and at least according to this list, AdguardHome has a bunch of advantages in terms of features.

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Ah, is it nicer than AdGuard Home?
I'd say it's a little prettier, but my experience with AdGuard Home began this morning. But you can configure host overrides through the GUI in Pi-Hole, and apparently (per Patrick above) not with AGH, which would be a deal-breaker for me.

victort

Guru
Joined
Dec 31, 2021
Messages
973
I would not encourage running any sort of DNS on a VM, jail, or docker. I would rather have someone invest a little bit on hardware and run pfsense, OPNsense, or PI-hole on that.

Reason being that if the server it’s running on goes down, it takes the firewall down. Ideally you will want it on separate hardware.

This isn’t always possible I suppose, and running it on a VM will still work and many people do it successfully.

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Reason being that if the server it’s running on goes down, it takes the firewall down. Ideally you will want it on separate hardware.
What does DNS have to do with firewall? They are two separate things.

If the DNS goes down, you just won't have any name resolution, but your network will still work perfectly (well, you'd have to be really good with looking up IP addresses).

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
I don't have root access to the lobotomized modem. The ISP doesn't allow it.
Very restrictive, even UPNP options are disabled and hidden. So no. Also they won't configure a user supplied modem for the SIP telephony. Period, because they can't lock you out of the SIP settings. You must use their modem, they will not even supply the SIP etc credentials to end users like me. You must use their modem and they configure it and SIP. You can fiddle with a few things, do port forwarding to some degree but not UPNP.... DNS is limited to a static 'home' domain, you can't add hosts et al. They'll allow consumer side for the internet connection, but not telephony. All phone systems here are VOIP now, there is no analog POTS anymore. I tried for three months to get support for Asterisk based FreePBX and they simply stopped responding to the support request. We have an IP phone I'm locked out of as well, I can't even load phone numbers in it, they demand you send them a CSV file and they'll do it. Naturally I told them what to do with that idea.
I'm just me at home using an old I5 as a NAS, I don't want to install any more hardware if it can be avoided. Need to keep it simple and cheap. I take it pfsense won't live on the same hardware as TrueNAS? I've never heard of pfsense to be honest. I just want a local DNS for a small lan of about 15-20 PCs, phones, printers and a couple of switches etc, with the ability to cache internet lookups as well. My internet domain is hosted elsewhere online, so don't need that at all.
Feels like changing your ISP would be a simpler solution. Can't believe such restrictions are legal somewhere.
Good luck.