How To Install And Use The djbdns Name Server On Debian Etch

Version 1.0
Author: Falko Timme

djbdns is a very secure suite of DNS tools that consists of multiple parts: dnscache, a DNS cache that can be used in /etc/resolv.conf instead of your ISP's name servers and that tries to filter out wrong (malicious) DNS answers; axfrdns, a service that runs on the master DNS server and to which the slaves connect for zone transfers; and tinydns, the actual DNS server, a very secure replacement for BIND.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I have tested djbdns on a Debian Etch system with the IP address 192.168.0.100. I'll explain how to use dnscache and tinydns (as a master DNS server), but not how to use axfrdns - maybe I'll cover that in another tutorial.

dnscache will listen on the local IP address 127.0.0.1, tinydns on the external IP address 192.168.0.100.

 

2 Installing djbdns

djbdns is not available as a binary package in the Debian repositories due to its "license" (until December 28, 2007, djbdns was license-free software); however, there is a djbdns-installer package in the repositories that can be used to build and install djbdns. djbdns depends on daemontools and ucspi-tcp; again, only installer packages are available for these programs. The installers live in the Debian Etch contrib and non-free repositories, so we must first make sure that these are included in our /etc/apt/sources.list:

vi /etc/apt/sources.list

[...]
deb http://ftp2.de.debian.org/debian/ etch main contrib non-free
[...]

Update your packages database afterwards:

apt-get update

Next we install the daemontools-installer:

apt-get install daemontools-installer

Now we can install the daemontools like this:

build-daemontools

You will be asked a few questions. You can always accept the default value by pressing ENTER:

Enter a directory where you would like to do this [/tmp/daemontools] <-- ENTER

Which format would you like to use? [fD] <-- ENTER

Press ENTER to continue... <-- ENTER

Do you want to remove all files in /tmp/daemontools,
except daemontools_0.76-9_i386.deb now? [Yn]
<-- ENTER

Do you want to install daemontools_0.76-9_i386.deb now? [Yn] <-- ENTER

Do you want to purge daemontools-installer now? [yN] <-- ENTER

To install ucspi-tcp, we run

apt-get install ucspi-tcp-src

and then:

build-ucspi-tcp

You'll be asked a few questions again, and again you can accept the default values:

Enter a directory where you would like to do this [/tmp/ucspi-tcp] <-- ENTER

Press ENTER to continue... <-- ENTER

Do you want to remove all files in /tmp/ucspi-tcp,
except ucspi-tcp_0.88-10_i386.deb now? [Yn]
<-- ENTER

Do you want to install ucspi-tcp_0.88-10_i386.deb now? [Yn] <-- ENTER

Do you want to purge ucspi-tcp-src now? [yN] <-- ENTER

Finally we install djbdns as follows:

apt-get install djbdns-installer

build-djbdns

Again, you'll be asked a few questions - accept the default values:

Enter a directory where you would like to do this [/tmp/djbdns] <-- ENTER

Press ENTER to continue... <-- ENTER

Do you want to remove all files in /tmp/djbdns,
except djbdns_1.05-11_i386.deb now? [Yn]
<-- ENTER

Do you want to install djbdns_1.05-11_i386.deb now? [Yn] <-- ENTER

Do you want to purge djbdns-installer now? [yN] <-- ENTER

Next we configure dnscache, axfrdns, and tinydns (make sure you replace 192.168.0.100 with the external IP address of your system):

mkdir /var/lib/svscan
dnscache-conf dnscache dnslog /var/lib/svscan/dnscache
axfrdns-conf axfrdns dnslog /var/lib/svscan/axfrdns /var/lib/svscan/tinydns 192.168.0.100
tinydns-conf tinydns dnslog /var/lib/svscan/tinydns 192.168.0.100

ln -s /var/lib/svscan/dnscache /service
ln -s /var/lib/svscan/axfrdns /service
ln -s /var/lib/svscan/tinydns /service

Then we start djbdns:

/etc/init.d/djbdns restart

 

3 Using dnscache

To use dnscache, we replace the existing name servers in /etc/resolv.conf with 127.0.0.1, the IP address that dnscache is listening on.

Make a backup of /etc/resolv.conf:

cp /etc/resolv.conf /etc/resolv.conf-original

Then run the following commands to create a new /etc/resolv.conf (make sure you replace example.com with your own domain):

echo "domain example.com" > /etc/resolv.conf
echo "nameserver 127.0.0.1" >> /etc/resolv.conf

To test if dnscache is working, we can try to resolve a hostname, e.g. www.google.com:

dnsip www.google.com

If all goes well, it should display the IP addresses of www.google.com:

server1:~# dnsip www.google.com
66.249.93.104 66.249.93.147 66.249.93.99
server1:~#
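The configuration and resolv.conf steps above give no way to confirm that the result is what the howto intends: dnscache supervised and bound only to 127.0.0.1, tinydns bound to the external address, and no leftover ISP resolver in /etc/resolv.conf that would let lookups bypass the cache. The following script is an added example (not part of the original article or of the djbdns package) that performs those checks. It assumes the /service and /var/lib/svscan layout and the 192.168.0.100 address used in this howto, and uses the standard svstat and netstat output formats; the live run is only meaningful on the server itself, while each check is also usable on captured output.

```shell
#!/bin/sh
# Added post-install checks for the djbdns layout built in this howto
# (example code, not part of the original article or the djbdns package).
# Assumed: dnscache should answer on 127.0.0.1 only, tinydns on the
# external address below, and nothing else may own port 53/udp.
EXTERNAL_IP="${EXTERNAL_IP:-192.168.0.100}"

# svstat_is_up LINE: exit 0 if an `svstat` output line reports a running,
# supervised service, e.g. "/service/dnscache: up (pid 1234) 56 seconds".
svstat_is_up() {
    case "$1" in
        *": up (pid "*) return 0 ;;
        *) return 1 ;;
    esac
}

# udp53_listeners: read `netstat -lnu` style lines on stdin and print the
# local addresses bound to UDP port 53, one per line (field 4 is the
# local address in netstat's layout).
udp53_listeners() {
    awk '$1 ~ /^udp/ && $4 ~ /:53$/ { sub(/:53$/, "", $4); print $4 }'
}

# check_bindings ADDRS: exit 0 only when the listener list is exactly
# 127.0.0.1 (dnscache) and $EXTERNAL_IP (tinydns). A 0.0.0.0 binding would
# mean the cache is reachable from the network, which this layout avoids.
check_bindings() {
    ok_lo=0; ok_ext=0
    for a in $1; do
        case "$a" in
            127.0.0.1) ok_lo=1 ;;
            "$EXTERNAL_IP") ok_ext=1 ;;
            *) echo "unexpected listener on $a:53" >&2; return 1 ;;
        esac
    done
    [ "$ok_lo" = 1 ] && [ "$ok_ext" = 1 ]
}

# allowed_clients DIR: dnscache only answers queries from client prefixes
# listed as file names in its root/ip directory (dnscache-conf creates
# 127.0.0.1 there); print them sorted so the list can be reviewed.
allowed_clients() {
    [ -d "$1" ] || return 1
    ls "$1" | sort
}

# resolv_only_dnscache FILE: exit 0 when FILE has at least one nameserver
# line and every nameserver line is 127.0.0.1, so no lookup can bypass
# dnscache via a leftover ISP resolver.
resolv_only_dnscache() {
    awk '$1 == "nameserver" { n++; if ($2 != "127.0.0.1") bad++ }
         END { exit (n == 0 || bad > 0) }' "$1"
}

# Live run on the server (only meaningful where djbdns is installed).
live_checks() {
    for s in dnscache tinydns axfrdns; do
        svstat_is_up "$(svstat /service/$s)" || { echo "$s not up" >&2; return 1; }
    done
    check_bindings "$(netstat -lnu | udp53_listeners)" || return 1
    echo "dnscache answers clients from:"
    allowed_clients /var/lib/svscan/dnscache/root/ip
    resolv_only_dnscache /etc/resolv.conf || { echo "resolv.conf still lists other servers" >&2; return 1; }
    echo "all checks passed"
}

# Only run the live checks when invoked as "./check-djbdns.sh live" on a
# host that actually has daemontools installed.
if [ "$1" = "live" ] && command -v svstat >/dev/null 2>&1; then live_checks; fi
```

Run it as `sh check-djbdns.sh live` after the `/etc/init.d/djbdns restart` step; a non-zero exit points at the first check that failed. The netstat-based check covers UDP port 53 only, which is where dnscache and tinydns listen; axfrdns, which serves zone transfers over TCP, is outside this howto's scope.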


Comments

From:

I know this howto is written for etch (stable), but I recommend using these binary packages from sid (unstable) - a lot less work... If you also install daemontools-run, you get more control over daemontools.

Assuming you have installed all these packages (from sid), the "Next we configure dnscache, axfrdns, and tinydns" step becomes

dnscache-conf dnscache dnslog /etc/dnscache
axfrdns-conf axfrdns dnslog /etc/axfrdns /etc/tinydns 192.168.0.100
tinydns-conf tinydns dnslog /etc/tinydns 192.168.0.100

followed by 

update-service --add /etc/dnscache
update-service --add /etc/axfrdns
update-service --add /etc/tinydns

You don't maintain the symlinks manually anymore, and you can use update-service to remove the service too.

From: Ivan

I believe the programs are not supervised[1] when done like that, which should be avoided.

[1] man 8 supervise

From: Wayne Smith