Full Version: DJBDNS Howto
The Planet Forums > System Administration > DNS Hosting
facecake
DO NOT ATTEMPT THIS IF YOU USE A CONTROL PANEL LIKE CPANEL, PLESK OR ENSIM

I'll say that again just in case you missed it

DO NOT ATTEMPT THIS IF YOU USE A CONTROL PANEL LIKE CPANEL, PLESK OR ENSIM


What is DJBDNS?
DJBDNS is a DNS server package written by Dr D.J. Bernstein, also the author of qmail. It's written in C and, like all DJB programs, is separated into "small" chunks.
These are:

dnscache - a DNS resolver (like what you set your clients' DNS settings to be)
tinydns - the DNS server itself
axfrdns - an implementation of a zone transfer server
A few "special" servers (loadbalancer, RBL server, "wall"dns etc)
DNS clients that will not be covered here

Why DJBDNS ?

It's secure. DJB has $500 of his own money riding on the security guarantee, which, at the time of writing this, has not been claimed.
It's lightweight (11000 lines of code if I remember right) and VERY light on resources.
Its "zones" file makes sense (after you get used to it).

Requirements
A Unix OS (Linux, *BSD, Solaris etc). No Windows here, sorry. (It *might*, in a month of Sundays, work under that terrible hack that is Cygwin, but I'm not even going to suggest looking at that.)
Preferably at least 2 IPs.

PreInstall
CODE
mkdir /downloads/
cd /downloads/
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz

This is just creating a working folder (/downloads) and downloading the source for us to compile.


Installing

First off, daemontools. Daemontools is a program that makes sure services are running, and if not, restarts them. It's also written by DJB.
CODE
mkdir -p /package
chmod 1755 /package
cd /package
tar zxvf /downloads/daemontools-0.76.tar.gz


Now if you're a Red Hat / Fedora user, you will need to do the following to fix an issue with the glibc that's used in RH/Fedora:

CODE
cd /package/admin/daemontools/src
wget http://www.wheely-bin.co.uk/sm/patch/daemontools_errnopatch
patch < daemontools_errnopatch



Ok, back to the install now:

CODE
cd /package/admin/daemontools-0.76
./package/install

Tada! daemontools is installed!

Now for ucspi-tcp; it contains tcpserver, which is much like inetd, except not.
CODE
cd /downloads/
tar zxvf ucspi-tcp-0.88.tar.gz
cd ucspi-tcp-0.88




Now if you're a Red Hat / Fedora user, you will need to do the following to fix an issue with the glibc that's used in RH/Fedora:

CODE
wget http://www.wheely-bin.co.uk/sm/patch/ucspi-tcp_errnopatch
patch < ucspi-tcp_errnopatch



Back to the install:

CODE
make && make setup check

Tada! Done. See, it's not that painful, is it!

djbdns itself needs to be installed now:

CODE
cd /downloads/
tar zxvf djbdns-1.05.tar.gz
cd djbdns-1.05


Guess what! Yup, that's right RH/Fedora users, here's an extra step for you:

CODE
wget http://www.wheely-bin.co.uk/sm/patch/djbdns_errnopatch
patch < djbdns_errnopatch



And back to sanity again:

CODE
make && make setup check

That's now djbdns installed. Walk in the park really, isn't it!


Adding Users
Let's add the users the daemons will run as.


Linux
CODE
/usr/sbin/useradd -s /sbin/nologin -d /dev/null tinydns
/usr/sbin/useradd -s /sbin/nologin -d /dev/null dnslog
/usr/sbin/useradd -s /sbin/nologin -d /dev/null dnscache



(Free)BSD
CODE
pw useradd tinydns -s /sbin/nologin -d /dev/null
pw useradd dnslog -s /sbin/nologin -d /dev/null
pw useradd dnscache -s /sbin/nologin -d /dev/null


Other OSes... work it out yourself :P

Setting Up DNSCache
This step is completely optional; however, I do recommend this, especially if you're running qmail. This is the DNS resolver.

We are going to set it up so that it only listens on 127.0.0.1. This can be any IP address*; however, we don't want others wasting our bandwidth now, do we!

* It can't share IP addresses with tinydns.

CODE
dnscache-conf dnscache dnslog /etc/dnscache 127.0.0.1
ln -s /etc/dnscache /service
cp /etc/resolv.conf /etc/resolv.conf.pre-dnscache
echo "nameserver 127.0.0.1" > /etc/resolv.conf

Tada! A dnscache instance is set up and listening on 127.0.0.1; your system should now also be using it to resolve names.

Setting Up TinyDNS
Surprisingly, this step is also optional; if you're not wanting to run a DNS server, you don't have to do this step.

However, I'm sure that you do :P

In this example we'll set up TWO tinydns instances, both sharing the same data files.

The IPs we're using here are 9.8.7.6 and 9.8.7.5.

CODE
/usr/local/bin/tinydns-conf tinydns dnslog /etc/tinydns 9.8.7.6
/usr/local/bin/tinydns-conf tinydns dnslog /etc/tinydns2 9.8.7.5
cd /etc/tinydns2
rm -rf root
ln -s /etc/tinydns/root
ln -s /etc/tinydns /service
ln -s /etc/tinydns2 /service

And there we go, tinydns should be set up on both IPs sharing /etc/tinydns's data file.

Let's check that they really are running:

CODE
root@morningside# ps aux |grep tinydns
root     96785  0.0  0.1  1476  828  p3  S+    9:58PM   0:00.00 grep tinydns
root       397  0.0  0.0  1188   92  d0- I    31May05   0:00.05 supervise tinydns
root       399  0.0  0.0  1188   92  d0- I    31May05   0:00.05 supervise tinydns2
tinydns    412  0.0  0.0  1328  136  d0- S    31May05   0:12.16 /usr/local/bin/tinydns
tinydns    415  0.0  0.0  1328  136  d0- I    31May05   0:11.77 /usr/local/bin/tinydns

If that's similar to what you see, all is fine.


Editing your data file
I know what you're saying: "Great, I've got a DNS server, how do I change my zones?" This is only a small subset of the record types covered here. If you're wanting more, go to http://cr.yp.to/djbdns/tinydns-data.html

Let's say we have the domain wheely-bin.co.uk.


CODE
##########
# wheely-bin.co.uk
##########

#SOA
.wheely-bin.co.uk:70.84.53.139:ns1.wheely-bin.co.uk
.wheely-bin.co.uk:70.84.53.138:ns0.wheely-bin.co.uk

#MX
@wheely-bin.co.uk::wheely-bin.co.uk:10:86400

#A
+wheely-bin.co.uk:70.84.53.138:86400
+*.wheely-bin.co.uk:70.84.53.138:86400


"What the heck are these symbols?"... calm down dear, it's a comerci^Wdata file.

CODE
# Comment
.domain:ip:x  This creates an NS record (x.ns.domain, or just x if it's a FQDN itself), an A record (for x.ns.domain, or none if x is a FQDN), and a SOA record for domain
@domain:ip:x:priority:ttl  This creates an MX record showing x.mx.domain (or just x if it's a full name, as in this case) with the priority of priority, and an A record of x as x.mx.domain (or not, as in this case)
+domain:ip:ttl  Creates an A record for domain pointing to ip


So in the case of wheely-bin.co.uk the following records are created:

CODE
A records for ns1.wheely-bin.co.uk & ns0.wheely-bin.co.uk pointing to 70.84.53.139 and .138 respectively. An MX record for wheely-bin.co.uk, priority 10, pointing to wheely-bin.co.uk. An A record for wheely-bin.co.uk pointing to 70.84.53.138. And a wildcard *.wheely-bin.co.uk pointing to 70.84.53.138.

So, edit your /etc/tinydns/root/data file adding your domains as needed, then when done:
CODE
cd /etc/tinydns/root
make

That's your tinydns now running with the latest data file.


Uh oh, burnt milk

OK, this section's only really for when something/someone fscks up :P

For now, I'll tell you how to restart services running under daemontools, and add more as needed.

CODE
svc -t /service/tinydns     - This restarts tinydns
svc -d /service/tinydns     - This stops tinydns
svc -u /service/tinydns     - This starts tinydns







all typos, spelling mistakes etc etc are completely intentional
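Added example, not part of facecake's howto or of djbdns itself: a small Python expander that reads tinydns-data lines like the ones above and lists the records tinydns-data would build from them, so you can check what a data file means before running `make` in /etc/tinydns/root. It uses the wheely-bin.co.uk data file from the post as its sample input. Beyond the `.`, `@` and `+` lines the post covers, it also handles `&`, `=` and `C` lines; the default TTLs (259200 for `.`/`&`, 86400 for the rest), the `a.ns.fqdn` / `a.mx.fqdn` defaults when x is omitted, and the `missing_glue` check (NS targets inside the zone that have no A record) are my assumptions from the tinydns-data documentation, not anything the post states.

```python
# Added example (not from the original post or from djbdns): expand
# tinydns-data shorthand lines into the DNS records they create.
# Assumptions (mine): default TTLs below and the 'a' default for x, taken
# from http://cr.yp.to/djbdns/tinydns-data.html.
from typing import List, Tuple

TTL_NS = 259200        # assumed default ttl on '.' and '&' lines (NS/SOA/glue)
TTL_POSITIVE = 86400   # assumed default ttl on '@', '+', '=', 'C' lines

Record = Tuple[str, str, str, int]   # (owner name, type, value, ttl)

# Constructed sample: the data file from the howto above.
SAMPLE_DATA = """\
##########
# wheely-bin.co.uk
##########

#SOA
.wheely-bin.co.uk:70.84.53.139:ns1.wheely-bin.co.uk
.wheely-bin.co.uk:70.84.53.138:ns0.wheely-bin.co.uk

#MX
@wheely-bin.co.uk::wheely-bin.co.uk:10:86400

#A
+wheely-bin.co.uk:70.84.53.138:86400
+*.wheely-bin.co.uk:70.84.53.138:86400
"""


def _ttl(field: str, default: int) -> int:
    return int(field) if field else default


def _qualify(x: str, label: str, fqdn: str) -> str:
    # A bare name such as "ns1" becomes ns1.<label>.<fqdn>; a name containing
    # a dot (ns1.wheely-bin.co.uk) is already full and is used as-is.
    return x if "." in x else f"{x}.{label}.{fqdn}"


def expand_line(line: str) -> List[Record]:
    """Return the records one data-file line creates ([] for comments/blank)."""
    line = line.strip()
    if not line or line[0] in "#-":
        return []
    kind, fields = line[0], line[1:].split(":")

    def field(i: int) -> str:
        return fields[i] if i < len(fields) else ""

    fqdn = field(0)
    recs: List[Record] = []
    if kind in ".&":                     # NS (+ glue A); SOA only for '.'
        ip, x = field(1), field(2) or "a"
        ttl = _ttl(field(3), TTL_NS)
        ns = _qualify(x, "ns", fqdn)
        recs.append((fqdn, "NS", ns, ttl))
        if ip:
            recs.append((ns, "A", ip, ttl))
        if kind == ".":
            recs.append((fqdn, "SOA", ns, ttl))
    elif kind == "@":                    # MX (+ A for the mail host if ip given)
        ip, x = field(1), field(2) or "a"
        dist = int(field(3) or 0)
        ttl = _ttl(field(4), TTL_POSITIVE)
        mx = _qualify(x, "mx", fqdn)
        recs.append((fqdn, "MX", f"{dist} {mx}", ttl))
        if ip:
            recs.append((mx, "A", ip, ttl))
    elif kind in "+=":                   # A record; '=' also adds the PTR
        ip, ttl = field(1), _ttl(field(2), TTL_POSITIVE)
        recs.append((fqdn, "A", ip, ttl))
        if kind == "=":
            rev = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
            recs.append((rev, "PTR", fqdn, ttl))
    elif kind == "C":                    # CNAME
        recs.append((fqdn, "CNAME", field(1), _ttl(field(2), TTL_POSITIVE)))
    else:
        raise ValueError(f"unsupported line type {kind!r}: {line}")
    return recs


def expand_data(text: str) -> List[Record]:
    """Expand a whole data file; tinydns serves one SOA per zone, so keep the first."""
    out: List[Record] = []
    soa_seen = set()
    for line in text.splitlines():
        for rec in expand_line(line):
            if rec[1] == "SOA":
                if rec[0] in soa_seen:
                    continue
                soa_seen.add(rec[0])
            out.append(rec)
    return out


def missing_glue(records: List[Record]) -> List[str]:
    """NS targets inside the zone that have no A record (a lame delegation)."""
    a_names = {r[0] for r in records if r[1] == "A"}
    lame = []
    for owner, rtype, target, _ in records:
        in_zone = target == owner or target.endswith("." + owner)
        if rtype == "NS" and in_zone and target not in a_names:
            lame.append(target)
    return lame


if __name__ == "__main__":
    recs = expand_data(SAMPLE_DATA)
    for rec in recs:
        print("%-26s %-5s %-22s %d" % rec)
    print("lame NS targets:", missing_glue(recs))
```

Run it against your own data file with `expand_data(open("/etc/tinydns/root/data").read())` before the `make`; a non-empty `missing_glue` result means you have declared a nameserver inside your own zone without giving it an address, which tinydns-data will happily compile but resolvers will not be able to follow.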
facecake
*for expansion*
cprompt
I'm intrigued... tell me more.
facecake
well there once was a prince from the land of pasta .......but there was only one fork


DJB wrote it as he got pissed off with BIND and its security issues, bloatiness, and the attitude (hahahahaha*) of ISC.

* DJB and TheoDerartatatararratrtar (OpenBSD man) are apparently the most annoying people on the internet... that aren't 14 year olds. Having never spoken to either, I can't really comment.
klaude
Stickied!

Good post!
X-Istence
Theo and DJB are the most annoying people, but whatever has come of it is awesome.

Look at djbdns, qmail, and then openBSD and the rest of the stuff.
X-Istence
Just an extra note for FreeBSD:

It is suggested to add a group named dnslog with gid 800, and the others with UIDs of 810 upwards, like so:

CODE
pw groupadd nofiles -g 800
pw useradd dnslog -u 810 -g 800 -c "Logging for dns" -d /usr/local/djbdns/ -s /sbin/nologin
pw useradd dnscache -u 811 -g 800 -c "dnscache" -d /usr/local/djbdns/ -s /sbin/nologin
pw useradd tinydns -u 812 -g 800 -c "tinydns" -d /usr/local/djbdns/ -s /sbin/nologin


Also setting the path where you are going to install djbdns is not needed, but makes it easier to find it later on if you can't remember where you stored it all.

The UIDs in the lower range mean that on a locked-down box you can stop people from probing for these users by only allowing user access to the server when they have a UID higher than or equal to 1000, which is where standard user accounts start. By default, Pure-FTPD and the standard FreeBSD FTP disallow connections for anyone under 1000, so this is just another plus.
LiteForce
Yes, DJB writes very secure software but doesn't care much for maintainability by third-parties or developing it any further as long as it scratches 'his' particular itch.

One of my biggest bugbears with tinydns is that it does not support AAAA records out-of-the-box; the relevant RFCs have been set in stone for a long time now but DJB refuses to implement the functionality even though patches have been sent to him by a third-party developer.

His reason, "IPv6 is a mess and the current deployment is a mess"

That may be so but the RIRs such as ARIN, RIPE, APNIC, LACNIC, etc, etc as well as ICANN do not agree with him but he is allowing his own biased view to taint what would otherwise be a secure *and* feature-complete nameserver.

No-one else can distribute a patched version of djbdns unless DJB gives it his explicit blessing due to his choice of license.

This is also why I would never use qmail (also written by DJB) - secure, but incredibly ancient and it Does The Wrong Thing™ when an obviously-spoofed mail is delivered to it - it bounces back to the forged From: address rather than simply dropping the mail.

On the other hand, Theo De Raadt at least releases all the OpenBSD stuff under the BSD license, which is about as open as you can get; I also happen to think that Theo's way of getting docs out of manufacturers is ingenious and, whether you support the OpenBSD camp or not, a large portion of driver code written by the OpenBSD folks from docs obtained this way makes its way back into the mainline Linux tree.

Anyway, this post is going way off topic so I'll shut up now :-)

Regards,
Terry Froy
Spilsby Internet Solutions
http://www.spilsby.net/
facecake
The entire bouncing issue with qmail is quite annoying; however, if your domains are being done via the likes of vpopmail rather than virtual domains in qmail itself, you can set vdeliver to drop the mail. It does still, however, get accepted.

If I remember right, the reason it accepts the mail is to prevent information leakage or something daft where spammers can harvest users that actually exist on your server.

There are a few patches available (such as goodrcptto and chkrcpto2) which do, however, work at SMTP session time. Whilst it's not an ideal solution to have to patch in features, I do in a way see the logic behind it.

Personally I'm a great fan of his software; I don't care too much about adding features on to them myself, but it's secure, lightweight, and doesn't require huge amounts of effort to understand the config (mmm, sendmail's m4 mess, or cPanel's exim mess...).
ChuFuong
QUOTE (facecake @ Jun 26 2005, 03:10 PM)
DO NOT ATTEMPT THIS IF YOU USE A CONTROL PANEL LIKE CPANEL, PLESK OR ENSIM

I'll say that again just in case you missed it

DO NOT ATTEMPT THIS IF YOU USE A CONTROL PANEL LIKE CPANEL, PLESK OR ENSIM


This reminds me of those big DO NOT PRESS buttons... if you don't say why, someone is BOUND to do it, lol.
Invision Power Board © 2001-2009 Invision Power Services, Inc.