Setting up DJBDNS
Didactic assumptions
- You want to run a secure DNS service on your system(s). (BIND is neither secure
nor reliable.) Read DJBDNS's security guarantee.
- You have three network interfaces:
127.0.0.1 - the IP address of the localhost/loopback interface.
192.168.0.3 - the IP address of the internal network interface.
131.174.117.141 - the IP address of the external network interface.
I assume that 127.0.0.1 needs no clarification. 192.168.0.3 is the IP with which the server
babbles with the rest of the machines on your intranet. 131.174.117.141 is the IP address
that your ISP provided to you in order to TCP/IP you into the scary dungeons of
the internet.
- Your intranet domain name is "intranet.purebsd.com" and your domain
name is "purebsd.com".
- The secondary name server is set up the same way as our server.
- You like to install machine-dependent things into /usr/local and
stuff that can grow into /var.
Goal
We are going to create a split-horizon DNS service:
- The intranet machines will contact your server for resolving DNS queries.
- The intranet machines will contact your server to query the private intranet domain "intranet.purebsd.com".
- The intranet machines will contact your server to query the public internet domain "purebsd.com".
- The server itself will be able to do all of the above.
- The server will transfer its primary zones to its secondary nameserver by means of the dnszxfr "program".
- The server will receive its secondary zones from its primary nameserver by means of the dnszxfr "program".
- The machines on the internet will only be able to query the public internet domain "purebsd.com".
Roadmap to the DJBDNS solution
This page documents one possible roadmap to install, configure and use DJBDNS.
Getting the software
For DJBDNS you need to download three tarballs:
- The latest djbdns package: djbdns-1.05.tar.gz
DJBDNS, obviously.
- The latest daemontools package: daemontools-0.76.tar.gz
Daemontools is a collection of tools for managing UNIX services. DJBDNS makes use of it.
- The latest ucspi-tcp package: ucspi-tcp-0.88.tar.gz
Ucspi-tcp is a collection of tools to create and accept TCP connections.
Installing the framework
To install these three packages:
- First, create a package directory in /usr/local:
mkdir -p /usr/local/package
chmod 1755 /usr/local/package
ln -s /usr/local/package /package
cd /package
Extract the daemontools sources in /package:
tar xpfz daemontools-0.76.tar.gz
cd admin/daemontools-0.76
To compile and set up daemontools:
package/install
The directories /command and /service are created by the installation script.
/command is populated by symbolic links to programs located in /package or
/usr/local/package. Symbolic links located in /service are used by svscan
to start (daemontools compatible) services under supervision of supervise.
DJBDNS, daemontools and ucspi-tcp need those directories by default. If you don't like them and want to
change the names or locations of those directories, make sure you know exactly what you're doing when
hacking the Makefiles and source code.
Note: /command/svscanboot is automatically added to /etc/rc.local
- Extract the ucspi-tcp sources somewhere:
tar xvfz ucspi-tcp-0.88.tar.gz
cd ucspi-tcp-0.88
To compile and install ucspi-tcp:
make
make setup check
- Extract the djbdns sources somewhere:
tar xvfz djbdns-1.05.tar.gz
cd djbdns-1.05
To compile and install djbdns:
make
make setup check
Edit the /etc/dnsroots.global file to reflect the new IP address of
j.root-servers.net:
- Replace 198.41.0.10 with 192.58.128.30.
Now setup some nice system accounts for DJBDNS:
- Add "dnscache", "dnslog", "tinydns" and "dnszxfr" as new accounts to the system
by adding the following four lines to /etc/master.passwd:
dnscache:*:90:90::0:0:dnscache:/nonexistent:/sbin/nologin
dnslog:*:91:91::0:0:dnslog:/nonexistent:/sbin/nologin
tinydns:*:92:92::0:0:tinydns:/nonexistent:/sbin/nologin
dnszxfr:*:93:93::0:0:DNS zone transfer agent:/var/djbdns/public-dnszxfr:/bin/sh
Note: make sure that each account entry is just one line. Do not spread over multiple lines or you
will corrupt the file.
Then run pwd_mkdb -p /etc/master.passwd to activate the changes.
- Add four new groups to /etc/group:
dnscache:*:90:
dnslog:*:91:
tinydns:*:92:
dnszxfr:*:93:
- Change dnszxfr's password with a string of about 10 random characters found on your keyboard:
passwd dnszxfr
Now we can create the data directories of the various DJBDNS programs:
- First, create a directory where DJBDNS data directories will reside:
mkdir /var/djbdns
- Create a caching DNS service:
dnscache-conf dnscache dnslog \
/var/djbdns/private-dnscache 192.168.0.3
- Create an authoritative DNS service for the intranet:
tinydns-conf tinydns dnslog \
/var/djbdns/private-tinydns 127.0.0.1
- Create an authoritative DNS service for the internet:
tinydns-conf tinydns dnslog \
/var/djbdns/public-tinydns 131.174.117.141
- Create a directory for the zone transfer dnszxfr:
mkdir /var/djbdns/public-dnszxfr
chown dnszxfr:dnszxfr /var/djbdns/public-dnszxfr
chmod 700 /var/djbdns/public-dnszxfr
Getting ready
The data directories are created and already filled with some files
that form the framework. We have to fine-tune some of these files or
create some new files in order to let things run smoothly on our server.
- Edit /var/djbdns/private-tinydns/run to increase the softlimit:
... vdir ./env softlimit -d500000 /usr/loc ...
- Edit /var/djbdns/public-tinydns/run to increase the softlimit:
... vdir ./env softlimit -d500000 /usr/loc ...
- To enable the intranet to use dnscache's services:
cd /var/djbdns/private-dnscache/root/ip
touch 192.168.0
chmod 600 192.168.0
- In order to have dnscache resolve 192.168.0.* and *.intranet.purebsd.com,
it has to know where to look:
cd /var/djbdns/private-dnscache/root/servers
echo 127.0.0.1 > 0.168.192.in-addr.arpa
echo 127.0.0.1 > intranet.purebsd.com
127.0.0.1 is the IP address that private-tinydns,
which knows about 192.168.0.* and *.intranet.purebsd.com, listens on.
- Edit /var/djbdns/private-tinydns/root/Makefile to read:
data.cdb: data
	/usr/local/bin/tinydns-data
data: private-zones-primary
	cat private-zones-primary > data
- Edit /var/djbdns/public-tinydns/root/Makefile to read:
data.cdb: data
	@echo -n "[3] Creating 'data.cdb' from 'data'.. "
	@/usr/local/bin/tinydns-data
	@echo "OK"
data: public-zones-primary public-zones-secondary
	@echo -n "[1] Creating 'data' from 'public-zones-primary' \
	and 'public-zones-secondary'.. "
	@cat public-zones-primary public-zones-secondary > data
	@echo "OK"
	@echo -n "[2] Copying primary zone to DNSZXFR transfer \
	directory.. "
	@/bin/cp -f public-zones-primary /var/djbdns/public-dnszxfr/
	@echo "OK"
Note: All indented lines should be indented with tabs instead of spaces.
Make will complain if you fail to meet this requirement.
Prime time
Now we are ready to run the DJBDNS services:
- Go to the /service directory:
cd /service
- Make symbolic links to public-tinydns, private-tinydns and private-dnscache:
ln -s /var/djbdns/private-dnscache .
ln -s /var/djbdns/private-tinydns .
ln -s /var/djbdns/public-tinydns .
- The services should be started automatically within seconds. To verify:
svstat /service/*
The output will be something similar to:
/service/private-dnscache: up (pid 17170) 686536 seconds
/service/private-tinydns: up (pid 15258) 686536 seconds
/service/public-tinydns: up (pid 22261) 686536 seconds
- You should let your system's DNS resolver(s) know what IP address
should be used to submit DNS queries to. Create/edit /etc/resolv.conf
to have it use dnscache's IP address:
nameserver 192.168.0.3
Serving DNS records
The dnscache program is already providing resolving DNS services
to your system and intranet. But nothing is known about *.intranet.purebsd.com (the
intranet domain) nor *.purebsd.com (the public internet domain).
First, we're going to inform private-tinydns (the tinydns instance that knows
about *.intranet.purebsd.com) what it should know about the intranet.
- The tinydns data format is very simple (and easy to parse
for programs). Make yourself acquainted with the tinydns data format.
- Now that you know all about the tinydns data format, go to the
private-tinydns directory to which tinydns chroot()'s:
cd /var/djbdns/private-tinydns/root
- There you create the file private-zones-primary. It could look like this:
# Zone: *.intranet.purebsd.com
#
.intranet.purebsd.com::atlantis.intranet.purebsd.com
@intranet.purebsd.com::atlantis.intranet.purebsd.com:10
'purebsd.com:PureBSD intranet
=antarctica.intranet.purebsd.com:192.168.0.1
=aldebaran.intranet.purebsd.com:192.168.0.2
=atlantis.intranet.purebsd.com:192.168.0.3
- To have tinydns load the new private (primary) zone file, just
run make. make processes the Makefile, which copies private-zones-primary to data
and calls tinydns-data to generate data.cdb out of data.
The usage of private-zones-primary looks a bit clumsy or overdone,
but I found it to be more consistent with the public-tinydns approach I took.
Now we're going to have public-tinydns publish our beloved purebsd.com domain.
- Go to the public-tinydns directory to which tinydns chroot()'s:
cd /var/djbdns/public-tinydns/root
- There you create the file public-zones-primary. It could look like this:
# Zone: *.purebsd.com
#
.purebsd.com::ns1.purebsd.com
.purebsd.com::ns2.purebsd.com
@purebsd.com::mail1.purebsd.com:10
@purebsd.com::mail2.purebsd.com:20
'purebsd.com:PureBSD - BSD resources
+ns1.purebsd.com:131.174.117.141
+ns2.purebsd.com:131.174.119.121
+mail1.purebsd.com:131.174.117.141
+mail2.purebsd.com:131.174.119.121
+www.purebsd.com:131.174.117.141
- To have tinydns load the new public (primary) zone file, just
run make. make processes the Makefile, which copies public-zones-primary and
public-zones-secondary to data and calls tinydns-data to generate data.cdb out of data.
Make also copies the file public-zones-primary to the dnszxfr transfer directory
so that dnszxfr can transfer it to the secondary nameserver(s).
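As an added example (not part of the original page), the following Python expands the tinydns data lines used above (. @ ' = +) into the records tinydns-data will serve, and checks the public zone file for RFC 1918 addresses, which must never leak out of the split-horizon setup. The zone data embedded below is copied (excerpted) from the two zone files on this page.

```python
import ipaddress

def parse_tinydns(text):
    """Expand tinydns data lines into (owner, type, value) tuples. Covers the line types
    this page uses: . (SOA+NS), @ (MX), ' (TXT), + (A), = (A plus PTR); ttl/lo ignored."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, fields = line[0], line[1:].split(":") + [""] * 4   # pad optional fields
        fqdn, ip, x = fields[0], fields[1], fields[2]
        if kind == ".":                          # x without a dot means x.ns.fqdn
            ns = x if "." in x else f"{x}.ns.{fqdn}"
            records += [(fqdn, "SOA", ns), (fqdn, "NS", ns)]
            if ip:
                records.append((ns, "A", ip))
        elif kind == "@":                        # x without a dot means x.mx.fqdn
            mx = x if "." in x else f"{x}.mx.{fqdn}"
            records.append((fqdn, "MX", f"{fields[3] or '0'} {mx}"))
            if ip:
                records.append((mx, "A", ip))
        elif kind == "'":                        # second field is the text itself
            records.append((fqdn, "TXT", ip))
        elif kind in "+=":
            records.append((fqdn, "A", ip))
            if kind == "=":                      # '=' also creates the reverse (PTR) record
                records.append((ipaddress.ip_address(ip).reverse_pointer, "PTR", fqdn))
        else:
            raise ValueError(f"unsupported tinydns line type {kind!r}: {raw}")
    return records

def private_address_leaks(records):
    """A records in RFC 1918 space; a public-tinydns zone file should yield none."""
    return [r for r in records if r[1] == "A" and ipaddress.ip_address(r[2]).is_private]

# Zone data excerpted from this page's private-zones-primary and public-zones-primary.
PRIVATE_ZONE = """\
.intranet.purebsd.com::atlantis.intranet.purebsd.com
@intranet.purebsd.com::atlantis.intranet.purebsd.com:10
'purebsd.com:PureBSD intranet
=atlantis.intranet.purebsd.com:192.168.0.3
"""
PUBLIC_ZONE = """\
.purebsd.com::ns1.purebsd.com
@purebsd.com::mail1.purebsd.com:10
+ns1.purebsd.com:131.174.117.141
+www.purebsd.com:131.174.117.141
"""
```

Run `private_address_leaks(parse_tinydns(open("public-zones-primary").read()))` before `make` in the public-tinydns root; an empty list means no intranet address is about to be published.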
Zone transfers
The setup and configuration of the DNS zone transfer program "dnszxfr" will be covered when the
rest of the DJBDNS setup is completed (and documented here ;-).
More reading
For more in-depth documentation for the DJBDNS, daemontools and ucspi-tcp programs: