TITLE: djbdns DNS Server LFS VERSION: any AUTHOR: Richard Lightman SYNOPSIS: djbdns is a collection of domain name service tools. These tools are a robust, secure and fast alternative to BIND. HINT: Limitation of this hint ======================= I have a small local network using djbdns. Caching and reverse resolution work fine inside it, but are not visible from the outside. In this hint, I have explained how to set up local dns servers. The instructions for setting up a name server that will answer queries from the internet are in the full instructions, but not in this HINT. It looks simple enough, but as I cannot test it, I will not write it up. If you are setting up a dns server with real ip adresses then read: The Full Documentation http://cr.yp.to/daemontools.html http://cr.yp.to/djbdns.html The documentation for djbdns is available as a separate tarball. See this installation notes below. I have put the html documentation trees for daemon tools (and ucpsi-tcp) into tarballs in the same style as the ones for djbdns. I have found there would be trouble distributing them. I am working on this, and a future version of this hint will include a script to make these tarballs. (DJB wants the modification dates to remain intact so it is easy to recognize old documentation. My script modifies some of the hyperlinks to point back to his site instead of non-existant files on the local machine. This changes the dates and so would break the terms of distribution.) A future version of this hint will contain a script to prepare these documentation tarballs. Selecting the software ====================== You could use BIND. I had difficulty compiling it, had real trouble understanding how it was configured, and I did not like the frequency of security patches for it. It is possible to reduce the chances of intrusion by running bind in a chroot environment. Have fun working out how to do that. BIND also has some exciting ideas about allowing spoofing. There are several dns programs in djbdns. They are picky about which external servers they use to reduce the ease of spoofing. They all run chrooted. They are all set for high availability - if one crashes, it will be restarted (at a limited rate to prevent some DOS attacks). There is a prize for the first person to publicly report a verifiable security hole in the latest version of djbdns. The djbdns package contains several types of dns server. If you are doing something strange, check the full documentation. For a single machine, the right answer is probably dnscache. To handle more than one, at least one will need tinydns. Any or all of them may benefit from dnscache as well. dnscache: Uses external servers to resolve dns queries, and keeps the results to speed up future queries. tinydns: Can handle dns and reverse dns queries, for some local networks, and query external servers for evrything else. daemontools: A collection of tools for managing UNIX services. They are required for djbdns. Installing daemontools ====================== Unpack sources: http://cr.yp.to/daemontools/daemontools-0.70.tar.gz echo /usr > conf-home make make setup check mkdir -p -m 555 /var/service Please do not delete the source tree yet. When you a confident that things are working, please mail D. J. Bernstein's site so that he will know what sort of systems can run his software: ( echo 'First M. Last'; cat VERSION systype \ direntry.h fork.h hasflock.h hasmkffo.h hassgact.h \ hasshsgr.h haswaitp.h iopause.h select.h uint64.h ) \ | mail djb-sysdeps@cr.yp.to Starting svscan (part of daemontools) ===================================== svscan is started by init. If svscan is somehow killed, init will restart it. Put the following line at the end of /etc/inittab: SV:345:respawn:env - PATH=/usr/sbin:/usr/bin:/bin svscan /var/service To start it up for the first time, without rebooting, type 'telinit Q' Installing djbdns ================= unpack sources: http://cr.yp.to/djbdns/djbdns-1.03.tar.gz echo /usr > conf-home make make setup check Please do not delete the source tree yet. When you a confident that things are working, please mail D. J. Bernstein's site so that he will know what sort of systems can run his software: ( echo 'First M. Last'; cat `cat SYSDEPS` ) \ | mail djb-sysdeps@cr.yp.to Also if you are running a dnsserver on the internet, please add the web page as requested in the full documentation. You do not have to, put I think you should install the documentation. If you are even thinking use puting a dns server on the internet, you should read it too. download: http://cr.yp.to/djbdns/doc.tar.gz gzip -cd < doc.tar.gz | (cd /usr/share; tar -xf -) slashdoc-merge This will create the following indexes: packages.html Index of DJB's software that has been installed, each line is a link to the documentation for that package on this system cfunctions.html Links to the documentation for C library functions in alphabetical order for the above packages commands.html Links to commands in alphabetical order from the above packages Setting up dnscache (part of djbdns) ==================================== You will need two new groups. Look inside /etc/group and choose the lowest two available group numbers (The number after the second colon on each line). In my case 14 & 15. groupadd -g 14 dnscache groupadd -g 15 dnscachelog You will need two new users. Look inside /etc/passwd and choose the lowest two available user id's (The number after the second colon on each line). In my case 11 & 12. useradd -u 11 -g dnscache dnscache useradd -u 12 -g dnscachelog dnscachelog Use the automated installer: dnscache-conf dnscache dnscachelog /var/dnscache 127.0.0.1 If you feel enthusiastic, use can pick some better random numbers: dd if=/dev/random of=/var/dnscache/seed bs=128 count=1 & Start ip up: ln -s /var/dnscache /var/service/dnscache To make sure it is used, add the following line to /etc/resolve.conf nameserver 127.0.0.1 If you replace 127.0.0.1 by the ip address of an interface on the machine running dnscache, then dnscache will answer queries sent to that ip address, from ip addresses in networks you specify. for example to allow queries from 192.168.1: touch /var/dnscache/root/ip/192.168.1 If you want dnscache to use a local dns servers, with IP address of, for example 192.168.1.2 and 192.168.1.3, put the following lines: 192.168.1.2 192.168.1.3 into /var/dnscache/root/servers/local.domain and into /var/dnscache/root/servers/1.168.192.in-addr.arpa Make these files readable by user dnscache Make dnscache read the files: svc -t /var/service/dnscache Setting up tinydns (part of djbdns) =================================== You will need two new groups, and two new user id's, just like for dnscache. Call them tinydns and tinydnslog Use the automated installer. You will need the ip-address that tinydns is runnig on eg for ip-address 192.168.1.2: tinydns-conf tinydns tinydnslog /var/tinydns 192.168.1.2 Start it up: ln -s /var/tinydns /var/service/tinydns Make 192.168.1.2 responsible for this part of the network cd /var/tinydns/root ../add-ns local.domain 192.168.1.2 ../add-ns 1.168.192.in-addr.arpa 192.168.1.2 make Add some hosts to your domain cd /var/tinydns/root ../add-host lum.local.domain 192.168.1.4 ../add-host ataru.local.domain 192.168.1.5 ../add-host shinobu.local.domain 192.168.1.6 make To make moroboshi an alias for ataru: cd /var/tinydns/root ../add-alias moroboshi.local.domain 192.168.1.5 make You can also set up mail exchangers handle delegation and all sorts of unusual things that are not required on my little private network. If you are interested, read the full instructions.