How To Install And Use The djbdns Name Server On Debian Etch
Version 1.0
Author: Falko Timme
djbdns is a very secure suite of DNS tools that consists of multiple parts: dnscache, a DNS cache that can be used in /etc/resolv.conf instead of your ISP's name servers and that tries to sort out wrong (malicious) DNS answers; axfrdns, a service that runs on the master DNS server and to which the slaves connect for zone transfers; and tinydns, the actual DNS server, a very secure replacement for BIND.
I do not issue any guarantee that this will work for you!
1 Preliminary Note
I have tested djbdns on a Debian Etch system with the IP address 192.168.0.100. I'll explain how to use dnscache and tinydns (as a master DNS server), but not how to use axfrdns - maybe I'll cover that in another tutorial.
dnscache will listen on the local IP address 127.0.0.1, tinydns on the external IP address 192.168.0.100.
2 Installing djbdns
djbdns is not available as a binary package in the Debian repositories due to its "license" (until December 28, 2007, djbdns was license-free software). However, there is a djbdns-installer package in the repositories that can be used to install djbdns. djbdns depends on daemontools and ucspi-tcp; again, only installer packages are available for these programs. The installers are available in the Debian Etch contrib and non-free repositories, so we must first make sure that these are included in our /etc/apt/sources.list:
vi /etc/apt/sources.list
[...]
deb http://ftp2.de.debian.org/debian/ etch main contrib non-free
[...]
Update your packages database afterwards:
apt-get update
Next we install the daemontools-installer:
apt-get install daemontools-installer
Now we can install the daemontools like this:
build-daemontools
You will be asked a few questions. You can always accept the default value by pressing ENTER:
Enter a directory where you would like to do this [/tmp/daemontools] <-- ENTER
Which format would you like to use? [fD] <-- ENTER
Press ENTER to continue... <-- ENTER
Do you want to remove all files in /tmp/daemontools,
except daemontools_0.76-9_i386.deb now? [Yn] <-- ENTER
Do you want to install daemontools_0.76-9_i386.deb now? [Yn] <-- ENTER
Do you want to purge daemontools-installer now? [yN] <-- ENTER
To install ucspi-tcp, we run
apt-get install ucspi-tcp-src
and then:
build-ucspi-tcp
You'll be asked a few questions again, and again you can accept the default values:
Enter a directory where you would like to do this [/tmp/ucspi-tcp] <-- ENTER
Press ENTER to continue... <-- ENTER
Do you want to remove all files in /tmp/ucspi-tcp,
except ucspi-tcp_0.88-10_i386.deb now? [Yn] <-- ENTER
Do you want to install ucspi-tcp_0.88-10_i386.deb now? [Yn] <-- ENTER
Do you want to purge ucspi-tcp-src now? [yN] <-- ENTER
Finally we install djbdns as follows:
apt-get install djbdns-installer
build-djbdns
Again, you'll be asked a few questions - accept the default values:
Enter a directory where you would like to do this [/tmp/djbdns] <-- ENTER
Press ENTER to continue... <-- ENTER
Do you want to remove all files in /tmp/djbdns,
except djbdns_1.05-11_i386.deb now? [Yn] <-- ENTER
Do you want to install djbdns_1.05-11_i386.deb now? [Yn] <-- ENTER
Do you want to purge djbdns-installer now? [yN] <-- ENTER
Next we configure dnscache, axfrdns, and tinydns (make sure you replace 192.168.0.100 with the external IP address of your system):
mkdir /var/lib/svscan
dnscache-conf dnscache dnslog /var/lib/svscan/dnscache
axfrdns-conf axfrdns dnslog /var/lib/svscan/axfrdns /var/lib/svscan/tinydns 192.168.0.100
tinydns-conf tinydns dnslog /var/lib/svscan/tinydns 192.168.0.100
ln -s /var/lib/svscan/dnscache /service
ln -s /var/lib/svscan/axfrdns /service
ln -s /var/lib/svscan/tinydns /service
Then we start djbdns:
/etc/init.d/djbdns restart
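The following script is an added example, not part of the original tutorial or of djbdns itself. It checks the listener addresses that dnscache-conf and tinydns-conf wrote into the service directories above (env/IP in each directory, and the client allow-list that dnscache keeps as empty files named after IP prefixes in root/ip/), so that you can confirm the cache is only reachable on 127.0.0.1 and the authoritative server sits on the external address. The default paths and the 192.168.0.100 address are the tutorial's; make_sample builds a constructed copy of that layout for testing.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check the listener
# addresses written by dnscache-conf and tinydns-conf. A dnscache that
# listens on, or allows, non-loopback addresses is an open resolver.

# read_env FILE -> prints the whitespace-trimmed contents of an env file
read_env() {
    [ -r "$1" ] || return 1
    tr -d ' \t\r\n' < "$1"
}

# check_dnscache DIR: returns 0 if dnscache listens on 127.0.0.1 only and
# its root/ip/ allow-list contains no non-loopback prefixes (an open resolver
# would have entries such as root/ip/192.168 or root/ip/0 in there).
check_dnscache() {
    dir=${1:-/var/lib/svscan/dnscache}
    ip=$(read_env "$dir/env/IP") || { echo "dnscache: no env/IP"; return 1; }
    [ "$ip" = "127.0.0.1" ] || { echo "dnscache: listens on $ip, expected 127.0.0.1"; return 1; }
    for f in "$dir"/root/ip/*; do
        [ -e "$f" ] || continue
        case $(basename "$f") in
            127|127.*) ;;
            *) echo "dnscache: root/ip allows $(basename "$f") (open resolver risk)"; return 1 ;;
        esac
    done
    return 0
}

# check_tinydns DIR EXPECTED_IP: returns 0 if tinydns listens on the external
# address given (192.168.0.100 in the tutorial) rather than on loopback.
check_tinydns() {
    dir=${1:-/var/lib/svscan/tinydns}
    want=${2:-192.168.0.100}
    ip=$(read_env "$dir/env/IP") || { echo "tinydns: no env/IP"; return 1; }
    [ "$ip" = "$want" ] || { echo "tinydns: listens on $ip, expected $want"; return 1; }
    return 0
}

# make_sample BASE: constructed sample layout mimicking what the *-conf
# tools create with the tutorial's addresses (for testing, not a real install).
make_sample() {
    base=$1
    mkdir -p "$base/dnscache/env" "$base/dnscache/root/ip" "$base/tinydns/env"
    echo 127.0.0.1 > "$base/dnscache/env/IP"
    : > "$base/dnscache/root/ip/127.0.0.1"
    echo 192.168.0.100 > "$base/tinydns/env/IP"
}
```

On a real system run `check_dnscache` and `check_tinydns 192.168.0.100` with no further arguments to inspect /var/lib/svscan directly.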
3 Using dnscache
To use dnscache, we replace the existing name servers in /etc/resolv.conf with 127.0.0.1, the IP address that dnscache is listening on.
Make a backup of /etc/resolv.conf:
cp /etc/resolv.conf /etc/resolv.conf-original
Then run the following commands to create a new /etc/resolv.conf (make sure you replace example.com with your own domain):
echo "domain example.com" > /etc/resolv.conf
echo "nameserver 127.0.0.1" >> /etc/resolv.conf
To test if dnscache is working, we can try to resolve a hostname, e.g. www.google.com:
dnsip www.google.com
If all goes well, it should display the IP addresses of www.google.com:
server1:~# dnsip www.google.com
66.249.93.104 66.249.93.147 66.249.93.99
server1:~#