DNS

In the DHCP configuration outlined in the previous section, the clients are sent the upstream provider’s DNS server IP addresses. This is the simplest way to set things up, but you might want to go a step further and run your own DNS server.

There are two common reasons to run your own DNS server: caching DNS lookups for performance reasons or hosting a domain. DNS caching can improve performance by handling repeated DNS lookups locally. This probably won’t make a very big difference unless your upstream DNS server has noticeable delays. The proper hosting of a domain is a more advanced topic; if you wish to do this, you should consult the DNS server documentation for information on configuration.

By running DNS as an additional service on the gateway, a new potential point of vulnerability is introduced. BIND, the most widely used DNS server, has a history of security issues. To help limit exposure, it should be set up in a chroot environment. The latest version of BIND and documentation can be found at http://www.isc.org/products/BIND/.

FreeBSD has a caching DNS server that can be enabled fairly easily. Set the following:

named_enable="YES"

in /etc/rc.conf, and it will start at boot time. Note that this is not chrooted by default. The man pages will provide information on how to set this up to be chrooted.

If you do decide to configure the gateway with a caching DNS server, make sure you change the DHCP configuration file to give the proper gateway IP addresses in option domain-name-servers. The address will be different for the wired and wireless segments, as the gateway’s two interfaces for those segments have different IP addresses. The DNS server should also have zone files to handle reverse lookups on your internal address space by the clients.
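As an added example that is not from the book, the following POSIX sh script generates the pieces this section calls for: a dhcpd subnet stanza per segment whose DNS option points at the gateway's own address on that segment, and a named zone block plus a minimal reverse (in-addr.arpa) zone for each internal /24. The segment addresses (192.168.1.0/24 wired, 192.168.2.0/24 wireless), the host name gw, the domain example.lan and the zone file paths are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the book. Constructed assumptions: wired segment
# 192.168.1.0/24 with the gateway at 192.168.1.1, wireless segment
# 192.168.2.0/24 with the gateway at 192.168.2.1, both /24, host name "gw".
# Every function prints its snippet so it can be reviewed before it is
# copied into dhcpd.conf or the named configuration.

# dhcpd_subnet NETWORK GATEWAY RANGE_START RANGE_END
# The DNS option names the gateway's address on *this* segment rather than
# the upstream provider's resolvers.
dhcpd_subnet() {
    printf 'subnet %s netmask 255.255.255.0 {\n' "$1"
    printf '    range %s %s;\n' "$3" "$4"
    printf '    option routers %s;\n' "$2"
    printf '    option domain-name-servers %s;\n' "$2"
    printf '}\n'
}

# reverse_zone_name NETWORK -> e.g. 1.168.192.in-addr.arpa for 192.168.1.0
reverse_zone_name() {
    set -- $(printf '%s' "$1" | tr . ' ')
    printf '%s.%s.%s.in-addr.arpa' "$3" "$2" "$1"
}

# reverse_zone NETWORK GATEWAY DOMAIN
# Minimal reverse zone so PTR lookups for internal addresses are answered
# locally instead of being sent upstream; only the gateway gets a record.
reverse_zone() {
    printf '$ORIGIN %s.\n$TTL 3600\n' "$(reverse_zone_name "$1")"
    printf '@ IN SOA gw.%s. hostmaster.%s. ( 1 3600 900 604800 3600 )\n' "$3" "$3"
    printf '@ IN NS gw.%s.\n' "$3"
    printf '%s IN PTR gw.%s.\n' "${2##*.}" "$3"
}

# named_zone_stanza NETWORK FILE -> zone block to include in named.conf
named_zone_stanza() {
    printf 'zone "%s" {\n    type master;\n    file "%s";\n};\n' \
        "$(reverse_zone_name "$1")" "$2"
}

# Print the pieces for both segments so they can be reviewed side by side.
for seg in "192.168.1.0 192.168.1.1" "192.168.2.0 192.168.2.1"; do
    set -- $seg
    dhcpd_subnet "$1" "$2" "${1%.0}.100" "${1%.0}.200"
    named_zone_stanza "$1" "/etc/namedb/master/$(reverse_zone_name "$1").db"
    reverse_zone "$1" "$2" example.lan
done
```

Add A records for gw in the forward zone and PTR records for any other fixed hosts before loading the zones; the script only covers the gateway itself.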
