How To Install And Use The djbdns Name Server On Debian Etch

Submitted by falko (Contact Author) (Forums) on Tue, 2008-01-22 17:54. :: Debian | djbdns | DNS

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 01/15/2008

djbdns is a very secure suite of DNS tools that consists of multiple parts: dnscache, a DNS cache that can be used in /etc/resolv.conf instead of your ISP's name servers and that tries to filter out wrong (malicious) DNS answers; axfrdns, a service that runs on the master DNS server and to which the slaves connect for zone transfers; and tinydns, the actual DNS server, a very secure replacement for BIND.

I do not issue any guarantee that this will work for you!


1 Preliminary Note

I have tested djbdns on a Debian Etch system with the IP address 192.168.0.100. I'll explain how to use dnscache and tinydns (as a master DNS server), but not how to use axfrdns - maybe I'll cover that in another tutorial.

dnscache will listen on the local IP address 127.0.0.1, tinydns on the external IP address 192.168.0.100.


2 Installing djbdns

djbdns is not available as a binary package in the Debian repositories because of its "license" (until December 28, 2007, djbdns was license-free software). However, there is a djbdns-installer package in the repositories that builds and installs djbdns from source. djbdns depends on daemontools and ucspi-tcp, and again only installer packages are available for these programs. The installers live in the Debian Etch contrib and non-free repositories, so we must first make sure that these are included in our /etc/apt/sources.list:

vi /etc/apt/sources.list

[...]
deb http://ftp2.de.debian.org/debian/ etch main contrib non-free
[...]

Update your packages database afterwards:

apt-get update

Next we install the daemontools-installer:

apt-get install daemontools-installer

Now we can install the daemontools like this:

build-daemontools

You will be asked a few questions. You can always accept the default value by pressing ENTER:

Enter a directory where you would like to do this [/tmp/daemontools] <-- ENTER

Which format would you like to use? [fD] <-- ENTER

Press ENTER to continue... <-- ENTER

Do you want to remove all files in /tmp/daemontools,
except daemontools_0.76-9_i386.deb now? [Yn]
<-- ENTER

Do you want to install daemontools_0.76-9_i386.deb now? [Yn] <-- ENTER

Do you want to purge daemontools-installer now? [yN] <-- ENTER

To install ucspi-tcp, we run

apt-get install ucspi-tcp-src

and then:

build-ucspi-tcp

You'll be asked a few questions again, and again you can accept the default values:

Enter a directory where you would like to do this [/tmp/ucspi-tcp] <-- ENTER

Press ENTER to continue... <-- ENTER

Do you want to remove all files in /tmp/ucspi-tcp,
except ucspi-tcp_0.88-10_i386.deb now? [Yn]
<-- ENTER

Do you want to install ucspi-tcp_0.88-10_i386.deb now? [Yn] <-- ENTER

Do you want to purge ucspi-tcp-src now? [yN] <-- ENTER

Finally we install djbdns as follows:

apt-get install djbdns-installer

build-djbdns

Again, you'll be asked a few questions - accept the default values:

Enter a directory where you would like to do this [/tmp/djbdns] <-- ENTER

Press ENTER to continue... <-- ENTER

Do you want to remove all files in /tmp/djbdns,
except djbdns_1.05-11_i386.deb now? [Yn]
<-- ENTER

Do you want to install djbdns_1.05-11_i386.deb now? [Yn] <-- ENTER

Do you want to purge djbdns-installer now? [yN] <-- ENTER

Next we configure dnscache, axfrdns, and tinydns (make sure you replace 192.168.0.100 with the external IP address of your system):

mkdir /var/lib/svscan
dnscache-conf dnscache dnslog /var/lib/svscan/dnscache
axfrdns-conf axfrdns dnslog /var/lib/svscan/axfrdns /var/lib/svscan/tinydns 192.168.0.100
tinydns-conf tinydns dnslog /var/lib/svscan/tinydns 192.168.0.100

ln -s /var/lib/svscan/dnscache /service
ln -s /var/lib/svscan/axfrdns /service
ln -s /var/lib/svscan/tinydns /service

Then we start djbdns:

/etc/init.d/djbdns restart


3 Using dnscache

To use dnscache, we replace the existing name servers in /etc/resolv.conf with 127.0.0.1, the IP address that dnscache is listening on.

Make a backup of /etc/resolv.conf:

cp /etc/resolv.conf /etc/resolv.conf-original

Then run the following commands to create a new /etc/resolv.conf (make sure you replace example.com with your own domain):

echo "domain example.com" > /etc/resolv.conf
echo "nameserver 127.0.0.1" >> /etc/resolv.conf

To test if dnscache is working, we can try to resolve a hostname, e.g. www.google.com:

dnsip www.google.com

If all goes well, it should display the IP addresses of www.google.com:

server1:~# dnsip www.google.com
66.249.93.104 66.249.93.147 66.249.93.99
server1:~#
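Once the configuration step from section 2 and the resolv.conf change above are done, it is worth checking that the two daemons are bound the way this howto expects: dnscache only on 127.0.0.1 (so nothing outside the host can use it as an open resolver) and tinydns only on the external address, and that /etc/resolv.conf really points at dnscache. The script below is an added example, not part of the original howto or of djbdns. It assumes the layout from the text (192.168.0.100 as the external address, both daemons on UDP port 53) and parses listener text in the format of "netstat -lnup" from net-tools; the netstat output and resolv.conf contents it is fed are constructed samples, and the function names are my own.

```sh
#!/bin/sh
# Post-install check for the djbdns layout in this howto (added example; not from the
# article or from djbdns). Assumed layout: dnscache bound only to 127.0.0.1, tinydns only
# to the external address (192.168.0.100 in the text), both on UDP port 53. Listener text
# is expected in "netstat -lnup" format. Function names are assumptions of this example.

# check_listeners LISTENERS EXTERNAL_IP
# Walks "netstat -lnup"-style text and reports every UDP port 53 listener that does not
# match the expected layout. Returns 0 when dnscache and tinydns are both present and
# bound as expected, 1 otherwise.
check_listeners() {
    listeners=$1
    ext_ip=$2
    rc=0
    seen_dnscache=0
    seen_tinydns=0
    # Feed the text through a here-document rather than a pipe: a piped "while read"
    # runs in a subshell in dash, and the counters above would not survive it.
    while read -r proto rq sq laddr rest; do
        [ "$proto" = udp ] || continue
        addr=${laddr%:*}
        port=${laddr##*:}
        [ "$port" = 53 ] || continue
        prog=${rest##* }        # last column is PID/Program name, e.g. 2345/dnscache
        name=${prog#*/}
        case $name in
        dnscache)
            seen_dnscache=1
            if [ "$addr" != 127.0.0.1 ]; then
                echo "FAIL: dnscache listens on $addr (reachable beyond localhost: open-resolver risk)"
                rc=1
            fi ;;
        tinydns)
            seen_tinydns=1
            if [ "$addr" != "$ext_ip" ]; then
                echo "FAIL: tinydns listens on $addr, expected $ext_ip"
                rc=1
            fi ;;
        *)
            echo "FAIL: unexpected port 53 listener $name on $laddr"
            rc=1 ;;
        esac
    done <<EOF
$listeners
EOF
    [ "$seen_dnscache" -eq 1 ] || { echo "FAIL: dnscache is not listening on UDP 53"; rc=1; }
    [ "$seen_tinydns" -eq 1 ] || { echo "FAIL: tinydns is not listening on UDP 53"; rc=1; }
    return $rc
}

# check_resolv_conf CONTENTS
# Verifies that every "nameserver" line in the given resolv.conf text is 127.0.0.1, i.e.
# that the host queries dnscache and not the ISP's servers it used before.
check_resolv_conf() {
    found=0
    while read -r key value rest; do
        [ "$key" = nameserver ] || continue
        if [ "$value" != 127.0.0.1 ]; then
            echo "FAIL: resolv.conf still points at $value instead of dnscache"
            return 1
        fi
        found=1
    done <<EOF
$1
EOF
    [ "$found" -eq 1 ] || { echo "FAIL: no 'nameserver 127.0.0.1' line in resolv.conf"; return 1; }
    return 0
}

# Constructed sample in "netstat -lnup" format: the layout this howto produces.
SAMPLE_GOOD='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1200/dhclient
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2345/dnscache
udp        0      0 192.168.0.100:53        0.0.0.0:*                           2351/tinydns'

# Constructed sample of a misconfiguration: dnscache bound to all interfaces.
SAMPLE_OPEN='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2345/dnscache
udp        0      0 192.168.0.100:53        0.0.0.0:*                           2351/tinydns'

# Demo on the constructed samples.
check_listeners "$SAMPLE_GOOD" 192.168.0.100 && echo "constructed good layout: OK"
check_listeners "$SAMPLE_OPEN" 192.168.0.100 || echo "constructed open-resolver layout: rejected"

# Live check on the server itself (netstat -p needs root):  sh djbdns-check.sh 192.168.0.100
if [ -n "${1-}" ]; then
    check_listeners "$(netstat -lnup 2>/dev/null)" "$1"
    check_resolv_conf "$(cat /etc/resolv.conf)"
fi
```

Run without arguments the script only exercises the constructed samples; run as root with the external IP as its argument it checks the live netstat output and /etc/resolv.conf of the server. Only UDP listeners are inspected because in this setup tinydns and dnscache answer over UDP; TCP port 53 belongs to axfrdns, which the howto does not cover.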


Submitted by hansfn (registered user) on Tue, 2008-03-11 01:13.

I know this howto is written for etch (stable), but I recommend using these binary packages from sid (unstable) - a lot less work... If you also install daemontools-run, you get more control over daemontools.

Assuming you have installed all these packages (from sid), the "Next we configure dnscache, axfrdns, and tinydns" step becomes

dnscache-conf dnscache dnslog /etc/dnscache
axfrdns-conf axfrdns dnslog /etc/axfrdns /etc/tinydns 192.168.0.100
tinydns-conf tinydns dnslog /etc/tinydns 192.168.0.100

followed by 

update-service --add /etc/dnscache
update-service --add /etc/axfrdns
update-service --add /etc/tinydns

You don't maintain the symlinks manually anymore, and you can use update-service to remove the service too.

Submitted by Ivan (not registered) on Sun, 2008-11-16 13:31.

I believe the programs are not supervised[1] when done like that, which should be avoided.

[1] man 8 supervise