
"BIND, the Buggy Internet Name Daemon, is like Microsoft Windows. The
damn thing doesn't work. Every version has been brimming with bugs."
-- D. J. Bernstein (http://cr.yp.to/djbdns/ad/unbind.html)
This document is intended to describe the installation of DjbDNS (a secure
DNS daemon). The most up-to-date version of this document can be found at:
http://enderunix.org/documents/eng/djbdns_installation_en.html
-- Omer Faruk Sen <[email protected]>
DjbDNS is DNS software written by D. J. Bernstein, who is also the author of
qmail, ezmlm and publicfile. It is intended to be a secure replacement for
BIND, which is written by ISC. DjbDNS consists of the following pieces:
a) Authoritative name server (tinydns)
b) DNS resolver (dnscache)
c) A set of tools to query the name system (dnsq, dnsqr, dnstrace, dnsip,
dnsipq, dnstxt, dnstracesort, dnsname, dnsmx, dnsfilter)
d) Zone transfer server and client (axfrdns and axfr-get)
e) walldns: a reverse DNS wall to protect the systems behind your firewall
f) pickdns: a load-balancing DNS server (obsolete)
g) rbldns: an IP-address-listing DNS server
h) Some scripts to create the tinydns data file
Resolver and Authoritative Name Server
First it must be made clear that a resolver and an authoritative name server
are completely different things. A resolver looks a domain up (for example
yildiz.edu.tr) in reverse order. It first asks who holds the information for
"tr"; that question is sent to the root servers, and the answer is obtained by
the resolver and cached in RAM. Following "tr", the server for the "tr" TLD is
queried for the authoritative name server of "edu.tr". This continues until the
last authoritative name server (the authoritative name server of yildiz.edu.tr)
is queried, and finally the address of www.yildiz.edu.tr is obtained from
193.140.1.1 (yildiz.edu.tr's authoritative name server).
Briefly:
RESOLVER: the system that queries authoritative name servers (and caches the
answers).
AUTHORITATIVE NAME SERVER: the system that holds the information for a domain.
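To make the referral chain and the caching described above concrete, here is a small Python model added to this document (it is not djbdns code): the four servers, their zone contents and the TTL are a constructed delegation tree for yildiz.edu.tr, and the real DNS messages are reduced to tuples. The resolver walks from the root by following referrals, caches the final answer, and serves it from RAM until the TTL expires.

```python
"""Toy model of iterative resolution with a TTL cache (constructed example)."""

# Constructed delegation data: each authoritative server knows only its own
# zone.  A value is either a referral ("NS", next_server) or an answer ("A", ip).
ZONES = {
    "root":        {"tr": ("NS", "tr-tld")},
    "tr-tld":      {"edu.tr": ("NS", "edu-tr")},
    "edu-tr":      {"yildiz.edu.tr": ("NS", "193.140.1.1")},
    "193.140.1.1": {"www.yildiz.edu.tr": ("A", "193.140.1.1"),
                    "ogis.yildiz.edu.tr": ("A", "193.140.1.3")},
}
TTL = 86400          # seconds; the authoritative server attaches this to its answer
MAX_REFERRALS = 16   # guard against a referral loop in bad delegation data


def authoritative_answer(server, name):
    """What one server replies: the record if it has it, otherwise the
    closest delegation it knows for the name (longest matching suffix)."""
    zone = ZONES[server]
    labels = name.split(".")
    for n in range(len(labels)):
        candidate = ".".join(labels[n:])
        if candidate in zone:
            return zone[candidate]
    return ("NXDOMAIN", None)


def resolve(name, cache, now):
    """Return (ip, servers_asked).  'cache' maps name -> (ip, expiry time);
    a fresh cache entry is answered without asking any server."""
    if name in cache and cache[name][1] > now:
        return cache[name][0], ["cache"]
    server, asked = "root", []
    for _ in range(MAX_REFERRALS):
        asked.append(server)
        rtype, value = authoritative_answer(server, name)
        if rtype == "A":
            cache[name] = (value, now + TTL)   # remember it for TTL seconds
            return value, asked
        if rtype != "NS":
            return None, asked                 # no such name
        server = value                         # follow the referral


if __name__ == "__main__":
    cache = {}
    print(resolve("www.yildiz.edu.tr", cache, now=0))        # walks root -> tr -> edu.tr -> yildiz
    print(resolve("www.yildiz.edu.tr", cache, now=100))      # answered from the cache
    print(resolve("www.yildiz.edu.tr", cache, now=TTL + 1))  # expired: walks the chain again
```

The same model also shows why the two roles are separate programs: only the resolver keeps a cache, and only the authoritative servers hold zone data.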
** An authoritative name server and a resolver cannot bind the same IP address.
You have to choose different IPs, for example an internal IP for the resolver
and a real (public) IP for the authoritative name server. DjbDNS uses different
binaries to implement the authoritative name server (tinydns) and the resolver
(dnscache) on the same computer. This idea may seem confusing and unnecessary
at first, but it is the first step to security!! (This is also called split
horizon.)
To install DjbDNS you have to install daemontools and ucspi-tcp. ucspi-tcp is
required if you are going to install the zone transfer server, axfrdns. To
install daemontools follow these commands:
$ wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
$ tar zxvf daemontools-0.76.tar.gz
$ cd daemontools-0.76
# make setup check
# mkdir /service
# svscan /service &
Now we have a working daemontools package on our system. daemontools (as its
name implies) is a set of tools for the daemons running on your system: it
checks whether a daemon is running and can start, stop or restart a service.
The services must be linked under the directory given as the first argument of
the svscan command that comes with daemontools (# svscan /service &).
For the next reboot we have to add a startup script, which is called from
/etc/rc.local:
---------------starts here ( /etc/rc.djbdns ) ------------
#!/bin/sh
# start the daemontools scanner; it supervises everything linked under /service
export PATH="$PATH:/usr/local/bin"
svscan /service &
------------ends here--------------
Now, for axfrdns (zone transfer) to work, we install ucspi-tcp:
% gunzip ucspi-tcp-0.88.tar
% tar -xf ucspi-tcp-0.88.tar
% cd ucspi-tcp-0.88
Compile the ucspi-tcp programs:
% make
As root, install the ucspi-tcp programs under /usr/local:
# make setup check
Now it is time to install DjbDNS with the following commands:
% gunzip djbdns-1.05.tar
% tar -xf djbdns-1.05.tar
% cd djbdns-1.05
Compile the djbdns programs:
% make
As root, install the djbdns programs under /usr/local:
# make setup check
Now it is time to configure dnscache and tinydns.
We are going to configure TINYDNS (the authoritative name server) first. All
the tools required for that come with the djbdns package. First we have to
determine a few things:
a) the user which tinydns is going to run as
b) the user which handles tinydns's logs
c) the IP address of tinydns
d) the directory where we store configuration files and startup scripts
After deciding on and creating those users and the required IP, we issue this
command:
# tinydns-conf tinydns dnslog /etc/tinydns 193.140.1.1
# ln -s /etc/tinydns /service
Within 5 seconds our server will be up and running. (It is important to realize
that we can add to and update the zone file while tinydns is running. It will
automatically start using the new "data.cdb".)
You can add new DNS records manually, but it is best to use the add-* scripts
that reside in /etc/tinydns/root/. To accomplish that we issue the following
commands:
# cd /etc/tinydns/root
# ./add-ns yildiz.edu.tr 193.140.1.1
{the authoritative name server for *.yildiz.edu.tr will be 193.140.1.1; SOA}
# ./add-ns 1.140.193.in-addr.arpa 193.140.1.1
{the reverse authoritative name server will be 193.140.1.1}
# ./add-host ogis.yildiz.edu.tr 193.140.1.3
{adding a host}
# ./add-alias www2.yildiz.edu.tr 193.140.1.3
{adding an alias for an IP that is defined BEFORE}
# ./add-mx yildiz.edu.tr 193.140.1.1
{193.140.1.1 will be the MX for yildiz.edu.tr}
# ./add-mx yildiz.edu.tr 193.140.1.5
{secondary MX for yildiz.edu.tr}
# ./add-childdns ece.yildiz.edu.tr 193.140.1.15
{NS server for the subdomain}
# make
{tinydns-data is run and data.cdb is created}
Here is the content of the data file, which is modified by the add-* scripts
and used by the tinydns-data command to create data.cdb. You have to re-run
"make" to activate changes for tinydns.
.yildiz.edu.tr:193.140.1.1:a:259200
{the authoritative name server line for yildiz.edu.tr starts with "."}
=www.yildiz.edu.tr:193.140.1.1:86400
{A record for www.yildiz.edu.tr}
.1.140.193.in-addr.arpa:193.140.1.1:a:259200
{authoritative name server for *.1.140.193}
=ogis.yildiz.edu.tr:193.140.1.3:86400
{A record for ogis.yildiz.edu.tr}
+www2.yildiz.edu.tr:193.140.1.3:86400
{CNAME record for 193.140.1.3. Note that "+" is used}
@yildiz.edu.tr:193.140.1.3:a::86400
{MX record for yildiz.edu.tr. Priority is indicated with the letter "a"}
@yildiz.edu.tr:193.140.1.5:b::86400
{second MX record for yildiz.edu.tr}
&ece.yildiz.edu.tr:193.140.1.15:86400
{send all queries for *.ece.yildiz.edu.tr to 193.140.1.15}
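As an added example (not part of this document or of djbdns), the following Python parser expands data lines like the ones above into the records tinydns-data generates for them, using the field layout documented for tinydns-data: a "." or "&" line is fqdn:ip:x:ttl, where x is the name server's label (a becomes a.ns.fqdn) and "." additionally produces an SOA; "=" produces an A record plus the PTR record; "+" (what add-alias writes) produces the A record only; "@" is fqdn:ip:x:dist:ttl, where x is the mail exchanger's label (a becomes a.mx.fqdn) and an empty dist field means distance 0. The sample data is a constructed copy of the file above with the "&" line written in that field order; the label default "a" for an omitted x and the SOA TTL (returned as None) are simplifications, not tinydns-data's exact behaviour.

```python
"""Expand tinydns-data lines into the DNS records they stand for (added example)."""

TTL_NS = 259200        # tinydns-data default TTL for . and & lines
TTL_POSITIVE = 86400   # tinydns-data default TTL for =, + and @ lines


def _field(fields, i, default=""):
    """Field i of a colon-split line, or 'default' if it is missing or empty."""
    return fields[i] if i < len(fields) and fields[i] != "" else default


def _ttl(fields, i, default):
    value = _field(fields, i)
    return int(value) if value else default


def _reverse_name(ip):
    """PTR owner name for an IPv4 address: 193.140.1.3 -> 3.1.140.193.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def expand_line(line):
    """Return the (owner, type, rdata, ttl) records that one data line stands for."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    kind, f = line[0], line[1:].split(":")
    fqdn, ip = f[0], _field(f, 1)
    records = []
    if kind in ".&":
        x = _field(f, 2, "a")          # assumption: label defaults to 'a' if omitted
        ns = x if "." in x else f"{x}.ns.{fqdn}"   # a bare label means x.ns.fqdn
        ttl = _ttl(f, 3, TTL_NS)
        records.append((fqdn, "NS", ns, ttl))
        if ip:
            records.append((ns, "A", ip, ttl))
        if kind == ".":                # only '.' adds the SOA; '&' is a bare delegation
            records.append((fqdn, "SOA", f"{ns} hostmaster.{fqdn}", None))  # SOA TTL not modelled
    elif kind in "=+":
        ttl = _ttl(f, 2, TTL_POSITIVE)
        records.append((fqdn, "A", ip, ttl))
        if kind == "=":                # '=' also creates the reverse record; '+' does not
            records.append((_reverse_name(ip), "PTR", fqdn, ttl))
    elif kind == "@":
        x = _field(f, 2, "a")
        mx = x if "." in x else f"{x}.mx.{fqdn}"   # a bare label means x.mx.fqdn
        dist = int(_field(f, 3, "0"))  # empty distance field means 0
        ttl = _ttl(f, 4, TTL_POSITIVE)
        records.append((fqdn, "MX", f"{dist} {mx}", ttl))
        if ip:
            records.append((mx, "A", ip, ttl))
    else:
        raise ValueError(f"record type {kind!r} not handled here: {line}")
    return records


def expand_data(text):
    return [r for line in text.splitlines() for r in expand_line(line)]


# Constructed copy of the data file above ('&' line in fqdn:ip:x:ttl order)
SAMPLE_DATA = """\
.yildiz.edu.tr:193.140.1.1:a:259200
=www.yildiz.edu.tr:193.140.1.1:86400
.1.140.193.in-addr.arpa:193.140.1.1:a:259200
=ogis.yildiz.edu.tr:193.140.1.3:86400
+www2.yildiz.edu.tr:193.140.1.3:86400
@yildiz.edu.tr:193.140.1.3:a::86400
@yildiz.edu.tr:193.140.1.5:b::86400
&ece.yildiz.edu.tr:193.140.1.15:a:259200
"""

if __name__ == "__main__":
    for record in expand_data(SAMPLE_DATA):
        print(record)
```

Running it over the sample shows two things worth checking in any hand-edited data file: both "@" lines above carry an empty distance field, so the two exchangers end up with the same preference, and the "+" line produces no PTR record, which is why add-host (=) rather than add-alias (+) should be used for the canonical name of an address.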
Now everything for our server is ready. We can query our authoritative name
server with "dnsq"; dnsq is designed to query authoritative name servers. If we
need to query a resolver we use "dnsqr", or we can use other commands:
a) dnsname 193.140.1.1
b) dnsmx yildiz.edu.tr
Others are: dnsip, dnstxt, dnszone, dnstrace, dnstracesort.
Configuring DNSCACHE (Resolver)
dnscache is our resolver. It also caches answers to re-use them the next time,
for the period given by the TTL value set in the authoritative name server,
which tells dnscache to keep the answer in memory for that long. Again you must
decide on:
a) the user which dnscache is going to run as
b) the user which handles dnscache's logs
c) the IP address of dnscache
d) the directory where we store configuration files and startup scripts
# dnscache-conf dnscache dnslog /etc/dnscachex 192.168.1.1
# ln -s /etc/dnscachex /service
Above, the name dnscachex is used to indicate that anyone who is allowed can
connect to and query our dnscache. If we are installing dnscache just as a
caching server for our local machine, we can use "dnscache" as the name and
127.0.0.1 as the IP.
We have to edit some settings under /etc/dnscachex. Those are:
1) Who is allowed to connect to my dnscache:
# cd /service/dnscachex/root/ip/
# touch 193.140.1
# touch 193.140.1.3
This allows the 193.140.1.0 network and the host 193.140.1.3 to query the cache.
2) The amount of RAM that is used for caching:
# cd /etc/dnscachex/env
# echo "10000000" > CACHESIZE
# echo "30000000" > DATALIMIT
And now we have to restart dnscache by issuing this command:
# svc -t /service/dnscachex
(this command comes with daemontools; the -t parameter sends the service a
TERM signal and supervise then brings it up again)
Now our dnscache program is running.
axfrdns and axfr-get (Zone Transfer Server and Client)
It is a requirement to run 2 DNS servers for your corporate or educational
authoritative DNS domain.
Prerequisites:
1) ucspi-tcp: for DNS queries larger than 512 bytes and for zone transfers,
the TCP protocol is used. To handle that we have to use ucspi-tcp (the same
steps as above):
gunzip ucspi-tcp-0.88.tar
tar -xf ucspi-tcp-0.88.tar
cd ucspi-tcp-0.88
Compile the ucspi-tcp programs: make
As root, install the ucspi-tcp programs under /usr/local: make setup check
We have to decide the following to set up axfrdns:
a) the user which axfrdns is going to run as
b) the user which handles axfrdns's logs
c) the IP address of axfrdns
d) the directory where we store configuration files and startup scripts
# axfrdns-conf axfrdns dnslog /etc/axfrdns /etc/tinydns 193.140.1.1
{This IP can be the same as the tinydns IP because axfrdns uses TCP instead of
the UDP that tinydns uses}
# cd /etc/axfrdns
# echo '193.140.1.:allow,AXFR="yildiz.edu.tr/1.140.193.in-addr.arpa"' >> /etc/axfrdns/tcp
{the 193.140.1.0 network is allowed to transfer the zones; the rule is
appended so that the ":deny" default rule axfrdns-conf wrote into the tcp
file stays in place}
# make
# ln -s /etc/axfrdns /service
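Two access-control lookups appear in this document: dnscache's root/ip directory (in the dnscache section above) and the tcprules file that guards axfrdns. The following Python model, added here and not djbdns or ucspi-tcp code, emulates both for the subset of syntax used on this page (an exact address, a trailing-dot prefix, the empty catch-all address, allow/deny and one quoted environment variable; host-name rules and address ranges are not modelled). The ip directory contents and the rule texts are constructed; the ":deny" line stands for the default rule axfrdns-conf writes into the tcp file, and the last check shows what a file overwritten with ">" instead of appended to with ">>" would permit.

```python
"""Models of dnscache's root/ip check and of tcprules + AXFR for axfrdns (added example)."""


def dnscache_client_allowed(client_ip, ip_dir_entries):
    """dnscache accepts a client if a file named after the full address or after
    any dot-delimited leading part of it exists in root/ip.  'ip_dir_entries'
    stands for the file names present in that directory."""
    labels = client_ip.split(".")
    return any(".".join(labels[:n]) in ip_dir_entries
               for n in range(1, len(labels) + 1))


def parse_tcprules(text):
    """Parse tcprules source lines ('address:instruction,VAR="value"') into a
    dict address -> (instruction, env).  Comments and blank lines are skipped."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, _, rest = line.partition(":")
        instruction, *settings = rest.split(",")
        env = {}
        for item in settings:
            key, _, value = item.partition("=")
            env[key] = value.strip('"')
        rules[address] = (instruction, env)
    return rules


def tcprules_lookup(rules, client_ip):
    """tcpserver's lookup order: the exact address, then shorter and shorter
    dotted prefixes ('193.140.1.', '193.140.', '193.'), then the empty address.
    With no matching rule the connection is allowed and no environment is set."""
    labels = client_ip.split(".")
    candidates = [client_ip]
    candidates += [".".join(labels[:n]) + "." for n in range(len(labels) - 1, 0, -1)]
    candidates.append("")
    for candidate in candidates:
        if candidate in rules:
            return rules[candidate]
    return ("allow", {})


def axfr_permitted(rules, client_ip, zone):
    """Would axfrdns serve a transfer of 'zone' to 'client_ip'?  The TCP rule
    decides the connection; if it sets AXFR, only the zones in that
    slash-separated list may be transferred, otherwise any zone in data.cdb."""
    instruction, env = tcprules_lookup(rules, client_ip)
    if instruction != "allow":
        return False
    if "AXFR" not in env:
        return True
    return zone in env["AXFR"].split("/")


# Constructed inputs ---------------------------------------------------------
IP_DIR = {"127.0.0.1", "193.140.1", "193.140.1.3"}       # files under root/ip

RULE = '193.140.1.:allow,AXFR="yildiz.edu.tr/1.140.193.in-addr.arpa"\n'
TCP_APPENDED = "# default rule kept from axfrdns-conf\n:deny\n" + RULE
TCP_OVERWRITTEN = RULE   # what 'echo ... > tcp' leaves: the :deny line is gone

if __name__ == "__main__":
    for ip in ("193.140.1.7", "193.140.2.1", "127.0.0.1"):
        print("dnscache accepts", ip, dnscache_client_allowed(ip, IP_DIR))
    for ip in ("193.140.1.7", "10.1.2.3"):
        print("axfr, appended   ", ip, axfr_permitted(parse_tcprules(TCP_APPENDED), ip, "yildiz.edu.tr"))
        print("axfr, overwritten", ip, axfr_permitted(parse_tcprules(TCP_OVERWRITTEN), ip, "yildiz.edu.tr"))
```

The overwritten case is the one to watch for: with no ":deny" rule, an address that matches nothing is allowed and arrives with no AXFR variable, so every zone in data.cdb becomes transferable to it.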
Now it is time to set up axfr-get. axfr-get is a zone transfer client that is
called within tcpclient:
# tcpclient authoritative_name_server_IP 53 axfr-get yildiz.edu.tr fn fn.tmp
This command downloads the zone for yildiz.edu.tr. The required file is "fn";
we can easily run a script that replaces /etc/tinydns/root/data with it and
runs the make command to load the new zone file.