Running A MySQL-Based DNS Server: MyDNS - Page 3
3 Install dnscache
One very important thing to know about MyDNS is that it does not support external (recursive) DNS lookups, i.e. MyDNS will deliver answers only for domains that it is authoritative for! If you want to resolve other domains like, for example, www.google.com, you will have to install a DNS resolver like dnscache on your system, and it has to be installed on a separate IP address. To find out why the DNS server (MyDNS) and the DNS resolver (dnscache) are separated like that, have a look here: http://cr.yp.to/djbdns/separation.html
Normally, your ISP gives you IP addresses of name servers that you use for your internet connection at home or in your office so that your workstation can resolve names like www.google.com. The name server IP addresses are actually IP addresses of DNS resolvers like dnscache. Now if you want to give your customers your own name server IP addresses, you must set up a DNS resolver and give your customers the IP address of that DNS resolver.
Now, if you only have one IP address on your server, you could say, "Ok, I bind MyDNS to 127.0.0.1 and dnscache to my public IP address to get around this bottleneck.". Please read here to find out why this is a bad idea: http://www.fefe.de/djbdns/#sameip
If you do not want to install a DNS resolver on your system, you can skip this section.
Now lets say you have two public IP addresses, 22.214.171.124 and 126.96.36.199, and you want MyDNS to listen on 188.8.131.52 and dnscache to listen on 184.108.40.206.
Do the following steps to install dnscache:
useradd -M -g dns -s /sbin/nologin -c DNS-Cache-User dnscache
useradd -M -g dns -s /sbin/nologin -c TinyDNS-User tinydns
useradd -M -g dns -s /sbin/nologin -c DNSlog-User dnslog
Create the dnscache init script:
chmod 700 dnsctl
ln -s /usr/local/sbin/dnsctl /etc/init.d/dnsctl
Create the system startup links:
update-rc.d dnsctl defaults
On Fedora and RedHat:
chkconfig --levels 235 dnsctl on
Then we compile and install dnscache:
tar -zxvf ucspi-tcp-0.88.tar.gz
make setup check
mkdir -p /var/package
chmod 1755 /var/package
tar -xpf daemontools-0.76.tar
tar -xvzf djbdns-1.05.tar.gz
make setup check
dnscache-conf dnscache dnslog /etc/dnscache 220.127.116.11
ln -s /etc/dnscache /service
Now dnscache is listening on 18.104.22.168. Now we have to tell MyDNS that it should listen on 22.214.171.124 only. Therefore we have to change the listen directive in /etc/mydns.conf:
listen = 126.96.36.199
and restart MyDNS:
Now if you try to resolve domain names on 188.8.131.52, you should get an answer. E.g., to resolve www.google.com, you can run
dig @184.108.40.206 www.google.com
In the same way you should be able to resolve domains handled by MyDNS (e.g. www.somedomain.com), but this time you dig 220.127.116.11:
dig @18.104.22.168 www.somedomain.com
4 Getting The Zones And Records From The Primary To The Secondary DNS Server
If both the primary and the secondary DNS server use MyDNS, you have three possibilities to get the data from the primary to the secondary DNS server:
- The old-fashioned way: you can use zone transfers. Therefore, you must change allow-axfr = no to allow-axfr = yes in /etc/mydns.conf and restart MyDNS on the primary DNS server. In addition to that, you have to specify the secondary DNS server's IP address in the xfer column in the soa table for the zones that should be transferred. Plus, make sure the firewall on the primary DNS does not block port 53 (TCP and UDP).
- Both the primary and secondary DNS use the same MySQL database. There is one drawback with this solution: if the MySQL server fails, then both the primary and the secondary DNS will fail at the same time...
- The preferred solution: use MySQL database replication to transfer the data from the primary to the secondary DNS. Make sure the firewall on the primary DNS does not block the MySQL port (normally 3306).
I recommend that you use MySQL replication. I have written a very precise guide about how to set this up here: https://www.howtoforge.com/mysql_database_replication so I do not have to cover this topic here again.