Using djbdns with Mandrakelinux

Vincent Danen

March 25, 2008

Like qmail, djbdns is open source but has a restrictive license which makes distributing it a trifle difficult for many vendors. However, it may be distributed in binary form if the packager follows the license and ensures, to the best of their ability, that the binary package works correctly and conforms to the default and recommended installation instructions from the main site.

Because of this, MandrakeSoft is unable to ship djbdns directly. However, I have been maintaining a djbdns RPM package since March of 2001 that will run under Mandrakelinux. This does not mean that djbdns is any more difficult to install than any other package for Mandrakelinux. In fact, if you download a special RPM called djbsupport, you will be able to easily install djbdns and other DJB software with a single command.

For those not sure of what djbdns is, it is a DNS server similar to BIND, which is distributed as part of the Mandrakelinux distribution and many other distributions as well. It is a drop-in replacement for BIND that is much more secure. With the recent and not-so-recent vulnerabilities present in the BIND software, many people are looking for alternatives. Many others believe that no alternatives exist; they are resigned to running buggy and broken software, falsely believing that they don't have a choice. For the longest time perhaps this was the case, but it isn't anymore. The djbdns packages provide a full DNS server (like BIND), and also caching nameservers (djbdns-extcache and djbdns-localcache), which replace the Mandrakelinux caching-nameserver package and act as an external or local caching DNS server. If you're not convinced about djbdns' security, you should know that there has never been a verified security hole in djbdns, and the author even offers a reward if you find one under his security guarantee.

The djbdns package is built and maintained by Vincent Danen for use on Mandrakelinux systems. I assure you, the packages were built with a few things in mind: stability, easy configuration, and conforming to the license.

NOTE: I changed one thing in the package that is not standard to the install instructions on the djbdns website. On the website, the default standard location for service directories is /etc (i.e. /etc/dnscachex, /etc/tinydns, etc.). To make svc (the service monitor, which is part of the daemontools package) aware of these services, you must symlink /etc/tinydns to /service/tinydns. I did not think this was appropriate because logging information, configuration information, and so forth is stored in sub-directories beneath these directories. That is fine for configuration, but not good for variable and logging data. As a result, /etc/tinydns (and the other services like dnscachex and axfrdns) were re-located to a special directory called /var/djbdns/tinydns (and so on). This makes more sense because /var is a good place for transient data like logs. Because of this, if you are looking at instructions on the djbdns website, keep in mind that when they talk about /etc/tinydns, if you install the RPMs, you should be using /var/djbdns/tinydns. Likewise, the /service directory is located in /var/djbdns/service. This was to make it easier to control djbdns as a separate process from other programs using svc, like qmail. However, to retain compatibility with the author's distribution license, symlinks are created in /service for djbdns control, and symlinks are created in /etc that point to the appropriate location.

Installing djbdns

The first step is to decide what you need. There are three djbdns packages available: djbdns is the full DNS server; djbdns-localcache is a caching nameserver for the local machine only; djbdns-extcache is a caching nameserver for external machines. If you want to run an external caching nameserver (i.e. use one DNS server for your LAN), you will want to install djbdns-extcache. If you want a caching nameserver for the local host only, then you should install djbdns-localcache. If you want to set up a full DNS server, you will want to install both djbdns and djbdns-localcache. The djbdns package itself does not do any DNS lookups, so the DNS server you are setting up will either have to use an external server for DNS lookups, or a local-only caching nameserver. The reasoning behind this is the author's belief that a full DNS server should never double as an external caching nameserver (unlike BIND and some other DNS server packages). The djbdns and djbdns-extcache packages intentionally conflict because they cannot be used together unless you bind the nameserver to one interface (i.e. eth0) and the external caching nameserver to another interface (i.e. eth1). Because they are two different services, they will compete for the same interface if you attempt it, and only one service will be able to bind to it.

The easiest way to install djbdns is to use the djbsupport package that is a simple wrapper for urpmi. You can obtain it from ftp.rpmhelp.net/pub/[version]/djbsupport/. Packages are provided for 7.2, 8.0, 8.0/ppc, and 8.1.

You don't have to install djbsupport if you don't want to. All it does is execute the following as root:

# urpmi.addmedia qmail ftp://ftp.rpmhelp.net/pub/Mandrake/djbware/[ver]/RPMS \
 with ../base/hdlist.cz

Replace [ver] with the version of Mandrakelinux you are using (7.2, 8.0, ppc/8.0, or 8.1). Cooker users can use 8.1.

Once you have djbsupport installed or have used the above commandline to add ftp.rpmhelp.net to your urpmi mediums, execute:

# rpm -e bind caching-nameserver
# urpmi djbdns

Replace djbdns with djbdns-extcache or djbdns-localcache, depending on your needs. This will remove BIND and the caching-nameserver package from your system and will install your selected djbdns package, along with daemontools and ucspi-tcp, which are required to run djbdns.

Configuring djbdns-extcache

The installer should configure djbdns-extcache to work properly on your system. You should only have to start djbdns (/etc/rc.d/init.d/djbdns start) and point /etc/resolv.conf to your IP address to have a fully-functioning caching nameserver. Note that by default it allows connections from any IP address in your network (i.e. if your IP address is 192.168.5.10, it will allow connections from any 192.168.5.* IP address).

If you want to change this to further restrict or allow access to your external caching nameserver, you can do so by creating empty (zero-byte) files in /var/djbdns/dnscachex/root/ip. For instance, to allow the 192.168.25.* network you would do: touch /var/djbdns/dnscachex/root/ip/192.168.25. If you wanted to allow a single host (let's say 152.12.34.21), you would do: touch /var/djbdns/dnscachex/root/ip/152.12.34.21. You will need to restart djbdns after making this kind of change.

Configuring djbdns-localcache

If you installed djbdns-localcache, you will have a local-only caching nameserver that is pre-configured. All you need to do is edit /etc/resolv.conf and tell it to use 127.0.0.1 as the nameserver and then start djbdns.

Configuring djbdns

When you install djbdns for the full DNS server, the installer makes a few educated guesses to configure your system. It will not work right out of the box, however! You will need to configure it further on your own to ensure it works properly. We will take a look at those steps and how to accomplish them with these RPMs. The instructions are basically the same as the Upgrading from BIND pages written by the author.

The installer will set your system up with some defaults. It will try to obtain your system's internet IP address from eth0 and configure tinydns with it. If this is not correct, you will need to remove the /var/djbdns/tinydns directory and re-create it with the proper IP address by using:

# /usr/bin/tinydns-conf tinydns dnslog /var/djbdns/tinydns \
 [your_IP_address]

You will need to do the same for axfrdns (which negotiates zone transfers) by removing the /var/djbdns/axfrdns directory and re-creating it with the proper IP address by using:

# /usr/bin/axfrdns-conf axfrdns dnslog /var/djbdns/axfrdns \
 /var/djbdns/tinydns [your_IP_address]

You can also define what systems are allowed to perform zone transfers on your system. This is accomplished by editing the /var/djbdns/axfrdns/tcp file. By default it looks something like this:

192.168.1.12:allow
:allow,AXFR=""

The installer uses the IP address of eth0 in the place of the 192.168.1.12 address noted in the example. If that IP address is incorrect, you will need to modify the file and then recompile the rules database (tcp.cdb, built from the tcp file by tcprules) by issuing:

# cd /var/djbdns/axfrdns
# make
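Both access controls just described (the root/ip directory of dnscachex and the tcp rules file of axfrdns) are prefix-based, and it is easy to misjudge which clients a given configuration admits. The following added example (not part of the original article or the djbdns packages) models both checks so you can predict the effect of a change before restarting the service. It models only IP-address rules; tcprules =host and info@ rules are left out, and the sample file names and rules are constructed.

```python
# Added example: model the two djbdns access checks described in the article.
# (1) dnscachex answers a client if root/ip contains a file named after its IP
#     or any leading-octet prefix of it ("192.168.25" covers 192.168.25.*).
# (2) axfrdns runs under tcpserver, which picks the first matching rule from
#     the compiled tcp file (exact IP, then "a.b.c.", "a.b.", "a.", then the
#     empty default). axfrdns then permits a zone transfer only if $AXFR is
#     unset, or lists the zone (slash-separated); AXFR="" forbids all transfers.
# Only IP-address rules are modelled; =host and info@ rules are omitted.

def dnscache_allows(ip_dir_entries, client_ip):
    """ip_dir_entries: set of file names found in dnscachex/root/ip."""
    octets = client_ip.split(".")
    return any(".".join(octets[:n]) in ip_dir_entries for n in (4, 3, 2, 1))

def parse_tcprules(text):
    """Return {address_pattern: (action, {VAR: value})} for an ASCII tcp file."""
    rules = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        action, *envs = rest.split(",")
        env = {}
        for item in envs:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules[addr] = (action, env)
    return rules

def tcpserver_rule(rules, client_ip):
    """Apply tcpserver's lookup order; no matching rule means allow."""
    octets = client_ip.split(".")
    keys = [client_ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in keys:
        if key in rules:
            return rules[key]
    return ("allow", {})

def axfr_allowed(rules, client_ip, zone):
    """Would axfrdns serve an AXFR of `zone` to `client_ip` under these rules?"""
    action, env = tcpserver_rule(rules, client_ip)
    if action != "allow":
        return False
    if "AXFR" not in env:
        return True                       # AXFR unset: any zone may be transferred
    return zone in env["AXFR"].split("/") if env["AXFR"] else False

# Constructed samples patterned on the article's defaults (hypothetical values).
CACHE_IP_FILES = {"192.168.5", "152.12.34.21"}
AXFR_TCP = '192.168.1.12:allow\n192.168.1.13:allow,AXFR="example.com"\n:allow,AXFR=""\n'

if __name__ == "__main__":
    rules = parse_tcprules(AXFR_TCP)
    print(dnscache_allows(CACHE_IP_FILES, "192.168.5.77"))      # True
    print(axfr_allowed(rules, "192.168.1.13", "example.com"))   # True
    print(axfr_allowed(rules, "10.0.0.9", "example.com"))       # False
```

Run it after editing a rule file to confirm that only your secondary can transfer zones and that the catch-all line still ends in AXFR="" so other hosts get TCP queries but no transfers.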

If you are running a network and replacing two BIND servers (a primary and secondary), you can do the same with djbdns. Install the RPMs on both systems and choose which will be the primary. On the primary nameserver, edit the /var/djbdns/tinydns/root/Makefile file. By default, the commands that perform zone transfers from the primary to the secondary server are disabled. djbdns uses rsync over ssh to perform the transfer. This is odd, but efficient. Uncomment the following lines in the Makefile and change the IP address as appropriate (the rsync line is a make recipe and must be indented with a tab, not spaces):

remote: data.cdb
	rsync -az -e ssh data.cdb 192.168.1.13:/var/djbdns/tinydns/root/data.cdb

Change the above example 192.168.1.13 IP address to that of your secondary DNS server. Now, whenever you run make remote it will transfer the data.cdb file (which is the compiled data file) to your secondary server. To automate this, edit your /etc/cron.daily/djbdns cronjob file and uncomment the following line:

#make remote >/dev/null

Now every day the data.cdb file will be sent to your secondary nameserver.

On the secondary nameserver system, edit the /var/djbdns/tinydns/root/Makefile file and make sure the file contains only the number "9". This tells make to exit. You need to do this to ensure make doesn't change the data.cdb file, since it is generated on the primary system.

The final step is to start djbdns itself. For more configuration techniques, refer to the djbdns web resources. You can start djbdns by using:

# /etc/rc.d/init.d/djbdns start

After configuration, you should have a fully working DNS server. At this point, you should have removed BIND from your system and are able to enjoy a nice and secure DNS server instead, without the fear of compromise usually attributed to those running BIND. =) Man pages are included in the package and are located in the standard man page locations (/usr/share/man).

Resources

Here are a few resources to help you configure DNS data with djbdns (as the configuration files are quite different from BIND):