Running A MySQL-Based DNS Server: MyDNS - Page 3

3 Install dnscache

One very important thing to know about MyDNS is that it does not support external (recursive) DNS lookups, i.e. MyDNS will deliver answers only for domains that it is authoritative for! If you want to resolve other domains like, for example, www.google.com, you will have to install a DNS resolver like dnscache on your system, and it has to be installed on a separate IP address. To find out why the DNS server (MyDNS) and the DNS resolver (dnscache) are separated like that, have a look here: http://cr.yp.to/djbdns/separation.html

Normally, your ISP gives you IP addresses of name servers that you use for your internet connection at home or in your office so that your workstation can resolve names like www.google.com. The name server IP addresses are actually IP addresses of DNS resolvers like dnscache. Now if you want to give your customers your own name server IP addresses, you must set up a DNS resolver and give your customers the IP address of that DNS resolver.

Now, if you only have one IP address on your server, you might say, "Ok, I bind MyDNS to 127.0.0.1 and dnscache to my public IP address to get around this restriction." Please read here to find out why this is a bad idea: http://www.fefe.de/djbdns/#sameip

If you do not want to install a DNS resolver on your system, you can skip this section.

Now let's say you have two public IP addresses, 1.2.3.4 and 1.2.3.5, and you want MyDNS to listen on 1.2.3.4 and dnscache to listen on 1.2.3.5.

Do the following steps to install dnscache:

groupadd dns
useradd -M -g dns -s /sbin/nologin -c DNS-Cache-User dnscache
useradd -M -g dns -s /sbin/nologin -c TinyDNS-User tinydns
useradd -M -g dns -s /sbin/nologin -c DNSlog-User dnslog

Create the dnscache init script:

cd /usr/local/sbin
wget http://www.servershak.com/dns/dnsctl
chmod 700 dnsctl
ln -s /usr/local/sbin/dnsctl /etc/init.d/dnsctl

Create the system startup links:

On Debian:

update-rc.d dnsctl defaults

On Fedora and RedHat:

chkconfig --levels 235 dnsctl on

Then we compile and install dnscache:

cd /usr/local/src
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
tar -zxvf ucspi-tcp-0.88.tar.gz
cd ucspi-tcp-0.88
make
make setup check

mkdir -p /var/package
chmod 1755 /var/package
cd /var/package
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
gunzip daemontools-0.76.tar
tar -xpf daemontools-0.76.tar
rm daemontools-0.76.tar
cd /var/package/admin/daemontools-0.76
package/install

cd /usr/local/src
wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
tar -xvzf djbdns-1.05.tar.gz
cd djbdns-1.05
make
make setup check

dnscache-conf dnscache dnslog /etc/dnscache 1.2.3.5
ln -s /etc/dnscache /service
touch /etc/dnscache/root/ip/1.2.3

dnscache is now listening on 1.2.3.5. Next we have to tell MyDNS to listen on 1.2.3.4 only, by changing the listen directive in /etc/mydns.conf:

listen = 1.2.3.4

and restart MyDNS:

/etc/init.d/mydns restart

Now if you try to resolve domain names on 1.2.3.5, you should get an answer. E.g., to resolve www.google.com, you can run

dig @1.2.3.5 www.google.com

In the same way you should be able to resolve domains handled by MyDNS (e.g. www.somedomain.com), but this time you query 1.2.3.4:

dig @1.2.3.4 www.somedomain.com
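As an added check (not part of this guide, MyDNS or djbdns), the following POSIX shell functions verify the split set up above: that the listen address in /etc/mydns.conf differs from the one dnscache-conf wrote to /etc/dnscache/env/IP, and which clients dnscache will answer given the files under root/ip. The prefix lookup reimplements dnscache's own rule (a file named 1.2.3 covers 1.2.3.*); the paths are passed as arguments, and the configuration files in the usage lines are constructed samples.

```shell
#!/bin/sh
# check_dns_split.sh: verify that MyDNS and dnscache are bound to different
# addresses and that dnscache answers only the intended client prefixes.
# Added helper; reimplements dnscache's root/ip lookup, not part of djbdns.

# Address from the first "listen = ..." line of a mydns.conf.
mydns_listen_addr() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# dnscache-conf stores the listening address in <service dir>/env/IP.
dnscache_listen_addr() {
    cat "$1/env/IP"
}

# Succeeds only when both addresses are set and differ, i.e. the two
# daemons are not sharing one IP (the shortcut the text warns against).
check_split() {
    m=$(mydns_listen_addr "$1") || return 1
    d=$(dnscache_listen_addr "$2") || return 1
    [ -n "$m" ] && [ -n "$d" ] && [ "$m" != "$d" ]
}

# dnscache serves a client if root/ip/<addr> exists or any shorter dotted
# prefix of it does: "1.2.3" covers 1.2.3.*, "1.2" covers 1.2.*.*, etc.
dnscache_would_answer() {
    dir=$1; ip=$2
    while [ -n "$ip" ]; do
        [ -e "$dir/root/ip/$ip" ] && return 0
        case $ip in
            *.*) ip=${ip%.*} ;;
            *)   ip= ;;
        esac
    done
    return 1
}

# Prints the first single-octet entry (e.g. "1"), which opens the cache to a
# whole /8 (about 16 million addresses); returns 1 if there is none.
open_resolver_risk() {
    for f in "$1"/root/ip/*; do
        [ -e "$f" ] || continue
        p=${f##*/}
        case $p in *.*) ;; *) echo "$p"; return 0 ;; esac
    done
    return 1
}

# Usage with the addresses from this guide (constructed sample layout):
#   check_split /etc/mydns.conf /etc/dnscache && echo "separate addresses"
#   dnscache_would_answer /etc/dnscache 1.2.3.77 && echo "1.2.3.77 is served"
```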

4 Getting The Zones And Records From The Primary To The Secondary DNS Server

If both the primary and the secondary DNS server use MyDNS, you have three possibilities to get the data from the primary to the secondary DNS server:

  1. The old-fashioned way: you can use zone transfers. To do so, you must change allow-axfr = no to allow-axfr = yes in /etc/mydns.conf and restart MyDNS on the primary DNS server. In addition to that, you have to specify the secondary DNS server's IP address in the xfer column in the soa table for the zones that should be transferred. Plus, make sure the firewall on the primary DNS does not block port 53 (TCP and UDP).
  2. Both the primary and secondary DNS use the same MySQL database. There is one drawback with this solution: if the MySQL server fails, then both the primary and the secondary DNS will fail at the same time...
  3. The preferred solution: use MySQL database replication to transfer the data from the primary to the secondary DNS. Make sure the firewall on the primary DNS does not block the MySQL port (normally 3306).

I recommend that you use MySQL replication. I have written a very precise guide about how to set this up here: https://www.howtoforge.com/mysql_database_replication so I do not have to cover this topic here again.
