Perfect DjbDNS Setup On Ubuntu Server 8.04 (amd64) Hardy

Want to support HowtoForge? Become a subscriber!
Submitted by sidh4u (Contact Author) (Forums) on Thu, 2008-07-10 13:41. :: djbdns | Ubuntu | DNS

Perfect DjbDNS Setup On Ubuntu Server 8.04 (amd64) Hardy 

DjbDNS is a collection of Domain Name System tools. It includes software for all the fundamental DNS operations:

DNS cache: Finding addresses of Internet hosts. When a browser wants to contact, it first asks a DNS cache, such as djbdns's dnscache, to find the IP address of Internet service providers run dnscache to find IP addresses requested by their customers. If you're running a home computer or a workstation, you can run your own dnscache to speed up your web browsing.

DNS server: Publishing addresses of Internet hosts. The IP address of is published by HotWired's DNS servers. djbdns includes a general-purpose DNS server, tinydns; network administrators run tinydns to publish the IP addresses of their computers. djbdns also includes special-purpose servers for publishing DNS walls and RBLs.

DNS client: Talking to a DNS cache. djbdns includes a DNS client C library and several command-line DNS client utilities. Programmers use these tools to send requests to DNS caches.

DjbDNS also includes several DNS debugging tools, notably dnstrace, which administrators use to diagnose misconfigured remote servers.

Security features:

  • dnscache runs as a dedicated non-root uid inside a chroot jail, so it can't touch the rest of the machine.
  • tinydns runs as another dedicated non-root uid inside its own chroot jail.
  • walldns runs as another dedicated non-root uid inside its own chroot jail.
  • dnscache discards DNS queries from outside a specified list of IP addresses.
  • dnscache and the dns library use a new query ID and a new UDP port for each query packet. They discard DNS responses from any IP address other than the one that the corresponding query was just sent to.
  • dnscache uses a cryptographic generator to select unpredictable port numbers and IDs.
  • dnscache is immune to cache poisoning.

tinydns never caches information. It does not support recursion.



apt-get install build-essential
mkdir /tmp/downloads
cd $_
wget -c  HYPERLINK ""
tar -zxvf djb_errno_patches.tgz
wget -c   HYPERLINK ""
wget -c  HYPERLINK ""
wget -c  HYPERLINK ""


Install All The Packages

a. Install ucspi-tcp-src:

cd /tmp/downloads
tar -zxvf ucspi-tcp-0.88.tar.gz
cd ucspi-tcp-0.88
patch -p1 < /tmp/downloads/ucspi-tcp-0.88.errno.patch
make setup check

b. daemontools

cd /tmp/downloads
tar -zxvf  daemontools-0.76.tar.gz
cd admin/daemontools-0.76/
touch /etc/inittab
patch -p1 < /tmp/downloads/daemontools-0.76.errno.patch

vi /etc/event.d/svscan

# svscan - daemontools

start on runlevel 2
start on runlevel 3
start on runlevel 4
start on runlevel 5
stop on runlevel 0
stop on runlevel 1
stop on runlevel 6

exec /command/svscanboot

This installer only creates links to all svscan commands in /command, so it's better to copy these:

cd /command
rm -rf *
cp /tmp/downloads/admin/daemontools/command/* /command/

That's all... then (you might need to reboot) ...

initctl start svscan

c. djbdns

cd /tmp/downloads
tar -zxvf djbdns-1.05.tar.gz
cd djbdns-1.05
echo gcc -O2 -include /usr/include/errno.h > conf-cc
make setup check


Configure Packages

Create users (if they haven't been created automatically):

adduser --no-create-home --disabled-login --shell /bin/false dnscache
adduser --no-create-home --disabled-login --shell /bin/false dnslog
adduser --no-create-home --disabled-login --shell /bin/false tinydns

Configure dnscache:

In our scenario, we need each master and slave server(s) as both “authoritative” and “caching”. So it is very important to understand that how to achieve these with djbdns. Unlike bind, djbdns uses individual IP for each kind of dns service. By default each system is ready with 2 IP's => one host-IP and other is loopback-IP. So any system on LAN should hit caching dns, hence the host-IP for caching-dns. And we will run authoritative on loopback-IP, and later bind that to caching-dns, hence LAN hosts can query authoritative host records also.

mkdir /var/lib/svscan
dnscache-conf dnscache dnslog /var/lib/svscan/dnscache <host-IP>
ln -sf /var/lib/svscan/dnscache /service

Check that “supervise” directory was create in /service/dnscache
To check it's running: just add only single entry like 'nameserver <host-IP>' in /etc/resolv.conf and do check some public website query using 'nslookup' or 'dig' from command-line.

Now you need to allow the LAN hosts to query from it. So just create a blank file named after your network or subnet as:

touch /etc/dnscache/root/ip/<subnet>

That's it. Now you can query from any of hosts of that <subnet>. Similarly you can enable multiple hosts, networks or subnets for query.
Unlike bind, you can adjust the nameserver's cache size by editing the file /etc/dnscache/env/CACHESIZE. Also you can manually refresh or flush the cache by running the following command:

svc -t /service/dnscache

Temporarily you can stop and start dnscache with the following commands:

svc -d /service/dnscache => to down the dnscache service
svc -u /service/dnscache => to up the dnscache service

Configure tinydns:

tinydns-conf tinydns dnslog /var/lib/svscan/tinydns <loopback-IP>
ln -sf /var/lib/svscan/tinydns /service

Check that “supervise” directory was created in /service/tinydns.

They don't contain any zone entries for any domains yet, but we'll get to that in a bit. Well unlike bind the zone information are written in a single file (even for multiple zones, including reverse-zones) and that is /var/lib/svscan/tinydns/root/data. This is a human writable file which is later converted in binary format using a tinydns-command and that binary is called cdb format, so that binary file is /var/lib/svscan/tinydns/root/data.cdb from where tinydns answers all queries. The syntax for zone records is very short and compact compared to bind. Here are some examples:

a. For name server entry:

b. For reverse-dns for above name-server:

c. For MX records:

d. A records:

e. Alias records for hosts:

And finally convert /var/lib/svscan/tinydns/root/data  to cdb format by



cd /var/lib/svscan/tinydns/root

At the end to bind these zone information to the caching-dns server, create files named like and etc. in the /var/lib/svscan/dnscache/root/servers/ directory, whose contents should be (the Loopback-IP). That's it. It's all set up.

Note: Whenever you are making any changes on data and create a changed data.cdb file, don’t forget to refresh or flash the cache.

svc -t /services/*


Slave Server Setup Using Djbdbs

Just follow and some tweaks on some files of Master and Slaves.

a. Changes on master's /var/lib/svscan/tinydns/root/Makefile: Edit the file as

remote: data.cdb
  rsync -az -e ssh data.cdb <slave-ip>:/service/tinydns/root/data.cdb
  ssh <slave-ip> 'svc -t /service/dnscache'
data.cdb: data
  svc -t /service/dnscache

 b. Changes on slave's /var/libsvscan/tinydns/root/data file as

# Do not edit data on this computer! data.cdb is copied from MASTER.
# The following line protects data.cdb by stopping make.

So if by mistake anybody types make command in /etc/tinydns/root/ directory or the command tinydns-data, this will just flash the cache as there is no data file in slave(s).

And yes just an auto-ssh login setup between master to slave(s) so that the above changes will automate the process. The above changes will push only the data.cdbfile over to the slave(s). So no chance of different data across name servers, means consistency across all.


Backup And Restore

As minimum we need just copy of the /var/lib/svscan/tinydns/root/data file or else at max the whole /var/lib/svscan/dnscache and /var/lib/svscan/tinydns. That's it.

For restoration, just set up dnscache or tinydns, it will hardly take any time, and copy the backup data. Finally soft link to /service. That's it.   

Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by JpMaxMan (not registered) on Tue, 2010-10-12 19:37.

You should update your URL to the patch files: