Post #1, Jun 26 2005, 02:10 PM
SuperGeek (Group: Members, Posts: 2,491, Joined: 9-August 04, From: Reading, Engerland, UK, Member No.: 41,462)
DO NOT ATTEMPT THIS IF YOU USE A CONTROL PANEL LIKE CPANEL, PLESK OR ENSIM
I'll say that again just in case you missed it:
DO NOT ATTEMPT THIS IF YOU USE A CONTROL PANEL LIKE CPANEL, PLESK OR ENSIM

What is DJBDNS?
DJBDNS is a DNS server package written by Dr D.J. Bernstein, also the author of qmail. It's written in C and, like all DJB programs, is separated into "small" chunks. These are:
dnscache - a DNS resolver (what you set your clients' DNS settings to)
tinydns - the DNS server itself
axfrdns - an implementation of a zone transfer server
A few "special" servers (loadbalancer, rbl server, "wall"dns etc)
DNS clients, which will not be covered here

Why DJBDNS?
It's secure. DJB has $500 of his own money riding on the security guarantee, which, at the time of writing this, has not been claimed.
It's lightweight (11000 lines of code if I remember right) and VERY light on resources.
Its "zones" file makes sense (after you get used to it).

Requirements
A Unix OS (Linux, *BSD, Solaris etc). No Windows here, sorry. (It *might*, in a month of Sundays, work under that terrible hack that is Cygwin, but I'm not even going to suggest looking at that.)
Preferably at least 2 IPs.

PreInstall
CODE
mkdir /downloads/
cd /downloads/
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz

This is just creating a working folder (/downloads) and downloading the source for us to compile.

Installing
First off, daemontools. Daemontools is a program that makes sure services are running, and if not, restarts them. It's also written by DJB.
CODE
mkdir -p /package
chmod 1755 /package
cd /package
tar zxvf /downloads/daemontools-0.76.tar.gz

Now if you're a Red Hat / Fedora user, you will need to do the following to fix an issue with the glibc that's used in RH/Fedora:
CODE
cd /package/admin/daemontools-0.76/src
wget http://www.wheely-bin.co.uk/sm/patch/daemontools_errnopatch
patch < daemontools_errnopatch

Ok, back to the install now:
CODE
cd /package/admin/daemontools-0.76
./package/install

Tada! daemontools is installed!

Now for UCSPI-TCP. It contains tcpserver, which is much like inetd, except not.
CODE
cd /downloads/
tar zxvf ucspi-tcp-0.88.tar.gz
cd ucspi-tcp-0.88

Now if you're a Red Hat / Fedora user, you will need to do the following to fix an issue with the glibc that's used in RH/Fedora:
CODE
wget http://www.wheely-bin.co.uk/sm/patch/ucspi-tcp_errnopatch
patch < ucspi-tcp_errnopatch

Back to the install:
CODE
make && make setup check

Tada! Done. See, it's not that painful, is it!

Djbdns itself needs to be installed now.
CODE
cd /downloads/
tar zxvf djbdns-1.05.tar.gz
cd djbdns-1.05

Guess what! Yup, that's right, RH/Fedora users, here's an extra step for you:
CODE
wget http://www.wheely-bin.co.uk/sm/patch/djbdns_errnopatch
patch < djbdns_errnopatch

And back to sanity again:
CODE
make && make setup check

That's djbdns installed now. Walk in the park really, isn't it!

Adding Users
Let's add the users the daemons will run as.
Linux
CODE
/usr/sbin/useradd -s /sbin/nologin -d /dev/null tinydns
/usr/sbin/useradd -s /sbin/nologin -d /dev/null dnslog
/usr/sbin/useradd -s /sbin/nologin -d /dev/null dnscache

(Free)BSD
CODE
pw useradd tinydns -s /sbin/nologin -d /dev/null
pw useradd dnslog -s /sbin/nologin -d /dev/null
pw useradd dnscache -s /sbin/nologin -d /dev/null

Other OSes.... work it out yourself :P

Setting Up DNSCache
This step is completely optional; however, I do recommend this, especially if you're running qmail. This is the DNS resolver. We are going to set it up so that it only listens on 127.0.0.1. This can be any IP address*; however, we don't want others wasting our bandwidth now, do we!
* It can't share IP addresses with TinyDNS.
CODE
dnscache-conf dnscache dnslog /etc/dnscache 127.0.0.1
ln -s /etc/dnscache /service
cp /etc/resolv.conf /etc/resolv.conf.pre-dnscache
echo "nameserver 127.0.0.1" > /etc/resolv.conf

Tada! A dnscache instance is set up and listening on 127.0.0.1; your system should now also be using it to resolve names.

Setting Up TinyDNS
Surprisingly, this step is also optional; if you're not wanting to run a DNS server, you don't have to do this step. However, I'm sure that you do :P
In this example we'll set up TWO TinyDNS instances, both sharing the same data files. The IPs we're using here are 9.8.7.6 and 9.8.7.5.
CODE
/usr/local/bin/tinydns-conf tinydns dnslog /etc/tinydns 9.8.7.6
/usr/local/bin/tinydns-conf tinydns dnslog /etc/tinydns2 9.8.7.5
cd /etc/tinydns2
rm -rf root
ln -s /etc/tinydns/root
ln -s /etc/tinydns /service
ln -s /etc/tinydns2 /service

And there we go; TinyDNS should be set up on both IPs, sharing /etc/tinydns's data file. Let's check that they really are running:
CODE
root@morningside# ps aux | grep tinydns
root     96785  0.0  0.1  1476  828  p3  S+   9:58PM   0:00.00 grep tinydns
root       397  0.0  0.0  1188   92  d0- I    31May05  0:00.05 supervise tinydns
root       399  0.0  0.0  1188   92  d0- I    31May05  0:00.05 supervise tinydns2
tinydns    412  0.0  0.0  1328  136  d0- S    31May05  0:12.16 /usr/local/bin/tinydns
tinydns    415  0.0  0.0  1328  136  d0- I    31May05  0:11.77 /usr/local/bin/tinydns

If that's similar to what you see, all is fine.

Editing your data file
I know what you're saying: "Great, I've got a DNS server, how do I change my zones?" This is only a small subset of the record types covered here. If you're wanting more, go to http://cr.yp.to/djbdns/tinydns-data.html
Let's say we have the domain wheely-bin.co.uk.
CODE
##########
# wheely-bin.co.uk
##########
#SOA
.wheely-bin.co.uk:70.84.53.139:ns1.wheely-bin.co.uk
.wheely-bin.co.uk:70.84.53.138:ns0.wheely-bin.co.uk
#MX
@wheely-bin.co.uk::wheely-bin.co.uk:10:86400
#A
+wheely-bin.co.uk:70.84.53.138:86400
+*.wheely-bin.co.uk:70.84.53.138:86400

"What the heck are these symbols"... calm down dear, it's a comerci^Wdata file.
CODE
# Comment

.domain:ip:x
This creates an NS record (x.ns.domain, or just x if it's a FQDN itself), an A record (for x.ns.fqdn) or none if x is a FQDN, and a SOA record for domain.

@domain:ip:x:priority:ttl
This creates an MX record showing x.mx.domain (or just x if it's a full name, as in this case) with the priority of pri, and an A record of x as x.mx.domain (or not, as in this case).

+domain:ip:ttl
Creates an A record for domain pointing to ip.

So in the case of wheely-bin.co.uk the following records are created:
A records for ns1.wheely-bin.co.uk and ns0.wheely-bin.co.uk pointing to 70.84.53.139 and .138 respectively.
An MX record for wheely-bin.co.uk, priority 10, pointing to wheely-bin.co.uk.
An A record for wheely-bin.co.uk pointing to 70.84.53.138.
And a wildcard *.wheely-bin.co.uk pointing to 70.84.53.138.

So, edit your /etc/tinydns/root/data file adding your domains as needed, then when done:
CODE
cd /etc/tinydns/root
make

That's your TinyDNS now running with the latest data file.

UhOh Burnt milk
Ok, this section's only really for when something/someone fscks up :P For now, I'll tell you how to restart services running under daemontools, and add more as needed.
CODE
svc -t /service/tinydns   - This restarts tinydns
svc -d /service/tinydns   - This stops tinydns
svc -u /service/tinydns   - This starts tinydns

All typos, spelling mistakes etc etc are completely intentional.
--------------------
WHMCR
Now with added WooYayHoopla
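The three data-file prefixes explained in the post above, expanded into the records tinydns-data would generate from them, as an added example that is not part of the post or of djbdns. It follows the rules in the tinydns-data documentation and accepts only the ".", "@" and "+" lines the post covers, rejecting anything else (and any malformed IP) before the zone reaches "make"; the sample zone is constructed from the post's wheely-bin.co.uk example.

```python
import ipaddress

def _host(x, suffix, fqdn):
    # tinydns rule: a bare label x becomes x.<suffix>.<fqdn>; a dotted x is a host name
    return x if "." in x else f"{x}.{suffix}.{fqdn}"

def expand_line(line):
    """Return (name, type, value, ttl) tuples for one data line; ttl is '' when left to tinydns defaults."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    prefix, fields = line[0], line[1:].split(":")
    fields += [""] * (6 - len(fields))          # pad the optional trailing fields
    fqdn, ip = fields[0], fields[1]
    if ip:
        ipaddress.IPv4Address(ip)               # these lines carry IPv4 only; reject garbage early
    records = []
    if prefix == ".":                           # NS + A for the name server + SOA
        ns, ttl = _host(fields[2], "ns", fqdn), fields[3]
        records.append((fqdn, "NS", ns, ttl))
        if ip:
            records.append((ns, "A", ip, ttl))
        records.append((fqdn, "SOA", ns, ttl))  # tinydns-data keeps only the first SOA per fqdn
    elif prefix == "@":                         # MX, plus an A record only when ip is given
        mx, dist, ttl = _host(fields[2], "mx", fqdn), fields[3] or "0", fields[4]
        records.append((fqdn, "MX", f"{dist} {mx}", ttl))
        if ip:
            records.append((mx, "A", ip, ttl))
    elif prefix == "+":                         # plain A record (wildcards like +*.fqdn allowed)
        records.append((fqdn, "A", ip, fields[2]))
    else:
        raise ValueError(f"unsupported record prefix {prefix!r}: {line}")
    return records

def expand_data(text):
    """Expand a whole data file; an unknown prefix raises so a typo never silently drops a zone."""
    return [rec for line in text.splitlines() for rec in expand_line(line)]

# Constructed sample: the zone shown in the post
SAMPLE = """\
.wheely-bin.co.uk:70.84.53.139:ns1.wheely-bin.co.uk
.wheely-bin.co.uk:70.84.53.138:ns0.wheely-bin.co.uk
@wheely-bin.co.uk::wheely-bin.co.uk:10:86400
+wheely-bin.co.uk:70.84.53.138:86400
+*.wheely-bin.co.uk:70.84.53.138:86400
"""
if __name__ == "__main__":
    for rec in expand_data(SAMPLE):
        print("%-24s %-4s %-24s ttl=%s" % rec)
```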
Post #2, Jun 26 2005, 02:10 PM
SuperGeek (Group: Members, Posts: 2,491, Joined: 9-August 04, From: Reading, Engerland, UK, Member No.: 41,462)
*for expansion*
--------------------
WHMCR
Now with added WooYayHoopla
Post #3, Jun 26 2005, 02:15 PM
SuperGeek (Group: Members, Posts: 2,696, Joined: 5-February 04, From: Old Blighty, Member No.: 39,494)
I'm intrigued... tell me more.
--------------------
As old and crotchety as ever
Post #4, Jun 26 2005, 02:53 PM
SuperGeek (Group: Members, Posts: 2,491, Joined: 9-August 04, From: Reading, Engerland, UK, Member No.: 41,462)
well there once was a prince from the land of pasta .......but there was only one fork
DJB wrote it as he got pissed off with BIND and its security issues, bloatiness, and the attitude (hahahahaha*) of ISC.
* DJB and TheoDerartatatararratrtar (OpenBSD man) are apparently the most annoying people on the internet... that aren't 14 year olds. Having never spoken to either, I can't really comment.
--------------------
WHMCR
Now with added WooYayHoopla
Post #5, Jun 27 2005, 02:42 PM
My life is The Planet (Group: Members, Posts: 7,923, Joined: 24-July 03, From: The big D, Member No.: 37,965)
Stickied!
Good post!
Post #6, Jul 17 2005, 06:40 AM
Techie (Group: Members, Posts: 276, Joined: 21-March 04, From: ::1, Member No.: 40,103)
Theo and DJB are the most annoying people, but whatever has come of it is awesome.
Look at djbdns, qmail, and then OpenBSD and the rest of the stuff.
Post #7, Sep 6 2005, 09:22 AM
Techie (Group: Members, Posts: 276, Joined: 21-March 04, From: ::1, Member No.: 40,103)
Just an extra note for FreeBSD:
It is suggested to add a group named dnslog with gid 800, and the others with UIDs of 810 upwards, like so:
CODE
pw groupadd nofiles -g 800
pw useradd dnslog -u 810 -g 800 -c "Logging for dns" -d /usr/local/djbdns/ -s /sbin/nologin
pw useradd dnscache -u 811 -g 800 -c "dnscache" -d /usr/local/djbdns/ -s /sbin/nologin
pw useradd tinydns -u 812 -g 800 -c "tinydns" -d /usr/local/djbdns/ -s /sbin/nologin

Also, setting the path where you are going to install djbdns is not needed, but it makes it easier to find later on if you can't remember where you stored it all.
The UIDs in the lower range mean that on a locked-down box you can stop people from probing for these users by only allowing user access to the server when they have a UID higher than or equal to 1000, which is where standard user accounts start. Pure-FTPd and the standard FreeBSD FTP disallow connections for anyone under 1000 as standard, so this is just another plus.
Post #8, Dec 29 2005, 08:03 AM
Celery (Group: Members, Posts: 29, Joined: 29-July 03, From: Spilsby, UK, Member No.: 37,972)
Yes, DJB writes very secure software but doesn't care much for maintainability by third-parties or developing it any further as long as it scratches 'his' particular itch.
One of my biggest bugbears with tinydns is that it does not support AAAA records out of the box; the relevant RFCs have been set in stone for a long time now, but DJB refuses to implement the functionality even though patches have been sent to him by a third-party developer. His reason: "IPv6 is a mess and the current deployment is a mess". That may be so, but the RIRs such as ARIN, RIPE, APNIC, LACNIC, etc, etc, as well as ICANN, do not agree with him, and he is allowing his own biased view to taint what would otherwise be a secure *and* feature-complete nameserver. No one else can distribute a patched version of djbdns unless DJB gives it his explicit blessing, due to his choice of licence.

This is also why I would never use qmail (also written by DJB): secure, but incredibly ancient, and it Does The Wrong Thing when an obviously spoofed mail is delivered to it; it bounces back to the forged From: address rather than simply dropping the mail.

On the other hand, Theo De Raadt at least releases all the OpenBSD stuff under the BSD licence, which is about as open as you can get; I also happen to think that Theo's way of getting docs out of manufacturers is ingenious, and whether you support the OpenBSD camp or not, a large portion of driver code written by the OpenBSD folks from docs obtained this way makes its way back into the mainline Linux tree.

Anyway, this post is going way off topic so I'll shut up now :-)

Regards,
Terry Froy
Spilsby Internet Solutions
http://www.spilsby.net/
Post #9, Dec 31 2005, 11:34 AM
SuperGeek (Group: Members, Posts: 2,491, Joined: 9-August 04, From: Reading, Engerland, UK, Member No.: 41,462)
The entire bouncing issue with qmail is quite annoying; however, if your domains are being done via the likes of vpopmail rather than virtual domains in qmail itself, you can set vdeliver to drop the mail. It does still, however, get accepted.
If I remember right, the reason it accepts the mail is to prevent information leakage or something daft where spammers can harvest users that actually exist on your server. There are a few patches available (such as goodrcptto and chkrcpto2) which do, however, work at SMTP session time. Whilst it's not an ideal solution to have to patch in features, I do in a way see the logic behind it.

Personally I'm a great fan of his software; I don't care too much about adding features on to them myself, but it's secure, lightweight, and doesn't require huge amounts of effort to understand the config (mmm, sendmail's m4 mess, or cPanel's exim mess....)
--------------------
WHMCR
Now with added WooYayHoopla
Post #10, Oct 14 2008, 03:43 PM
Fellow (Group: Members, Posts: 143, Joined: 14-October 08, Member No.: 52,072)
QUOTE
DO NOT ATTEMPT THIS IF YOU USE A CONTROL PANEL LIKE CPANEL, PLESK OR ENSIM
I'll say that again just in case you missed it
DO NOT ATTEMPT THIS IF YOU USE A CONTROL PANEL LIKE CPANEL, PLESK OR ENSIM

This reminds me of those big DO NOT PRESS buttons... if you don't say why, someone is BOUND to do it, lol.
--------------------
O._.O