djbdns HowTo

What is djbdns?

djbdns is a DNS server package written by Daniel J. Bernstein as a secure replacement for the buggy BIND.

Installing djbdns

djbdns brings two servers with it: dnscache and tinydns. dnscache is a DNS resolver (a cache) and tinydns is an authoritative DNS server. tinydns and dnscache can't listen on the same IP address, but they can run on the same machine (e.g. on two different NICs). You have to decide how you want to set up djbdns.

Now let's get started:
First of all you need the djbdns and daemontools sources. You can get them here. The daemontools are necessary for running djbdns.
Install djbdns:

gunzip -d djbdns-1.05.tar.gz
tar xpf djbdns-1.05.tar
cd djbdns-1.05
echo gcc -O2 -include /usr/include/errno.h > conf-cc # Linux errno bug, as per http://cr.yp.to/djbdns/install.html.
make
su
make setup check

Install the daemontools:

mkdir -p /package
chmod 1755 /package
cp daemontools-0.76.tar.gz /package
cd /package
gunzip -d daemontools-0.76.tar.gz
tar xpf daemontools-0.76.tar
cd admin
cd daemontools-0.76
echo gcc -O2 -include /usr/include/errno.h > src/conf-cc # Linux errno bug, as per http://cr.yp.to/djbdns/install.html.
package/install

If no errors occurred, djbdns and daemontools have been successfully installed.

Setting up dnscache and tinydns

You need to create an unprivileged djbdns group and three users (for tinydns, dnscache and log). You can create them with the following commands:

groupadd dnsuser
useradd -g dnsuser -d /dev/null -s /bin/false dnscache
useradd -g dnsuser -d /dev/null -s /bin/false tinydns
useradd -g dnsuser -d /dev/null -s /bin/false dnslog

Of course you can use different group and user names; you tell djbdns which users to run as later. But remember: use a group that has no access to other files or directories.

NOTE:

You should stop BIND or remove it before you start djbdns! On most systems that would be:

Redhat Machines:

/etc/init.d/bind stop (stopping)
rpm -e bind (removing)

Debian Machines:

/etc/init.d/bind stop (stopping)
apt-get remove bind9 (removing)

Set up local dnscache

dnscache-conf dnscache dnslog /etc/dnscache 127.0.0.1

Instead of dnscache and dnslog use the users you created.
/etc/dnscache is the directory where dnscache will put its config files and 127.0.0.1 is the IP dnscache listens on.
Now link dnscache to /service so that svc can start it:

ln -s /etc/dnscache /service

dnscache will now run on localhost and the machine it is running on can resolve hostnames via dnscache (set nameserver 127.0.0.1 in /etc/resolv.conf).

Set up external dnscache

dnscache-conf dnscache dnslog /etc/dnscachex a.b.c.d
ln -s /etc/dnscachex /service

Now dnscache listens on the external interface (a.b.c.d). If you want hosts in 192.168.1.* and 10.0.*.* to be allowed to resolve hostnames just type:

touch /etc/dnscachex/root/ip/192.168.1
touch /etc/dnscachex/root/ip/10.0

Just create files named after the IP prefixes that are allowed to use dnscache. Now all hosts in 192.168.1.* and 10.0.*.* are able to resolve hostnames via dnscache (127.0.0.1 is allowed by default).

Set up tinydns

tinydns-conf tinydns dnslog /etc/tinydns d.c.b.a

tinydns will now listen on your external interface d.c.b.a.
Note: tinydns can't listen on the same interface as your external dnscache because both listen on port 53/udp! Now change to /etc/tinydns/root. First of all you have to create the nameserver entry for your network (e.g. local.net):

./add-ns local.net 192.168.1.1
./add-ns 1.168.192.in-addr.arpa 192.168.1.1

Now add the hosts of the local.net network, MX entries and aliases as needed:

./add-host machine1.local.net 192.168.1.2
./add-host server.local.net 192.168.1.12
./add-mx mail.local.net 192.168.1.10
./add-alias smtp.local.net 192.168.1.10

Type

make

to create the database tinydns uses.

Now tell svscan about the new service:

ln -s /etc/tinydns /service

That's it!

Running tinydns and dnscache on the same IP

If you have to run dnscache and tinydns on the same IP, i.e. on a machine that both resolves for clients and answers DNS queries itself, you have to bring up tinydns on 127.0.0.1 and dnscache on a.b.c.d. Then you have to tell dnscache to ask localhost for the domains tinydns provides (e.g. local.net in 192.168.0.*):

echo 127.0.0.1 > /etc/dnscachex/root/servers/local.net
echo 127.0.0.1 > /etc/dnscachex/root/servers/0.168.192.in-addr.arpa
svc -t /service/dnscachex

Now the external dnscache will ask tinydns on localhost about all local.net hosts.
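One forwarding file is needed per zone tinydns serves, and the reverse zone is easy to forget. As an added example that is not part of the original HowTo, this POSIX shell function derives the root/servers files from the NS (".") lines of the tinydns data file; the data file content below is constructed from the records added earlier, and the paths /etc/tinydns/root/data and /etc/dnscachex/root/servers are assumed from this HowTo's layout.

```shell
#!/bin/sh
# Added example (not part of the original HowTo): create dnscache's
# root/servers/<zone> forwarding files from the NS lines in a tinydns
# data file, so every zone tinydns serves is forwarded to 127.0.0.1.
# Assumed paths: /etc/tinydns/root/data and /etc/dnscachex/root/servers;
# both are passed as arguments. Afterwards run: svc -t /service/dnscachex

# gen_servers DATA SERVERS_DIR
# For each ".fqdn:ip:x:ttl" line (what ./add-ns writes), create
# SERVERS_DIR/fqdn containing 127.0.0.1. A file that already forwards
# elsewhere is left alone and reported. Prints the number of files created.
gen_servers() {
    data="$1"; dir="$2"
    mkdir -p "$dir" || return 1
    created=0
    while IFS= read -r line; do
        case "$line" in
            .*) ;;          # NS record: a zone tinydns is authoritative for
            *) continue ;;  # hosts (=), aliases (+), MX (@), delegations (&), comments (#)
        esac
        zone="${line#.}"        # strip the leading '.'
        zone="${zone%%:*}"      # keep only the fqdn field
        [ -n "$zone" ] || continue
        f="$dir/$zone"
        if [ -f "$f" ]; then
            if [ "$(cat "$f")" != "127.0.0.1" ]; then
                echo "WARN: $f already forwards elsewhere, not touched" >&2
            fi
            continue
        fi
        echo 127.0.0.1 > "$f"
        created=$((created + 1))
    done < "$data"
    echo "$created"
}

# Demo on a constructed data file: the records from this HowTo plus a
# child delegation, which must not get a forwarding file.
tmp=$(mktemp -d)
cat > "$tmp/data" <<'EOF'
.local.net:192.168.1.1:a:259200
.1.168.192.in-addr.arpa:192.168.1.1:a:259200
&child.local.net:192.168.1.5:a:259200
=machine1.local.net:192.168.1.2:86400
@mail.local.net:192.168.1.10:a::86400
+smtp.local.net:192.168.1.10:86400
EOF
gen_servers "$tmp/data" "$tmp/servers"   # prints 2
ls "$tmp/servers"                        # local.net  1.168.192.in-addr.arpa
rm -r "$tmp"
```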

NOTE:

This configuration should only be used in local networks that don't provide DNS for external machines but only for some local clients, because no other server can ever get an authoritative answer from tinydns (it is reachable only on 127.0.0.1)!