Installing DJBDNS on OpenBSD or any other platform
Posted December 10, 2006on:
First off, DJBDNS to the newbie (me when i installed it) is very intimidating. It makes you want to resort to BIND within a few minutes but please do try to put in the effort to complete the install and configure it somewhat. DJBDNS is simply beautiful. Its small, efficient and further more, secure.
Professor Dan Bernstein at UIC has offered a $500 to the first person to report a security hole. Guarantee.
Before we go any further, this tutorial assumes that you already know a lot of things. It assumes that you have some idea of what DNS is and what its purpose is. It also assumes that you know a little bit of UNIX and if you consider yourself an admin, then you must most certainly know a lot more than that. You do not need to be an expert. I say that because I am no expert by any means. This tutorial is actually aimed towards those admins that just want to get it working but dont want to be lost in the process.
So lets start with the install shall we?
Before proceeding with this install, be sure to read up on how dns works.
How DNS works
Google for ‘How DNS works’ will also provide you with a few links that probably aren’t as dense as cr.yp.to.
In this tutorial, we will learn to install an authorative server for the domain name anoop.net.
Before you install djbdns, you must install daemontools and ucspi-tcp. So …
download daemontools to your machine.
download ucspi-tcp also.
download djbdns as well.
Once you have downloaded these three utilities, proceed with the following steps as root.
# mkdir -p /package
# chmod 1755 /package
# mv daemontools-0.76.tar.gz /package
# cd /package
# gunzip daemontools-0.76.tar
# tar -xpf daemontools-0.76.tar
# rm daemontools-0.76.tar
# cd admin/daemontools-0.76
I copied these steps verbatim from cr.yp.to just to avoid confusion. Then as root.
This last step will install daemontools on to your machine. Daemontools is a collection of tools that will manage services that you tell it to manage. For more information about daemontools, visit the Daemontools home page
Next, we will install the ucspi-tcp. ucspi-tcp is a pretty simple concept. All it does is listens for tcp connections on certain ports and then executes appropriate programs based on your choice once a connection is made. So, to install ucspi-tcp, do the following as root. Ucspi-tcp is located at the ucspi-tcp home page
# gunzip ucspi-tcp-0.88.tar
# tar -xf ucspi-tcp-0.88.tar
# cd ucspi-tcp-0.88
compile the program by executing
install it by typing
# make setup check
Once, you’ve installed both, we can begin the install of djbdns.
# gunzip djbdns-1.05.tar
# tar -xf djbdns-1.05.tar
# cd djbdns-1.05
compile the program
# make setup check
So, you’re probably asking yourself this question:
“Ok, Anoop, now what? How do i make this thing work?”
Well, hold your horses you impatient bum! We’re getting to that part.
So now we create the proper accounts. Usually you will find instructions on creating 4 accounts and groups. In this case we will only create two accounts and 1 group. I am only creating two account because I am only running one real service, tinydns because I want it to only be an authorative server and not a caching server.
The accounts are: tinydns and dnslog
The group is: dns
If you have dns as a group already then you may consider other names that are similar. Dont go off naming ur group “harry” or something like that.
this is what i did
# groupadd -g 91 dns
# useradd -g 91 -u 91 -d /nonexistent -c “tinydns” -s /sbin/nologin tinydns
# useradd -g 91 -u 92 -d /nonexistent -c “tinydns” -s /sbin/nolodin dnslog
ok once this is done, we will use ‘tinydns-conf’ in order to setup the service. Visit the tinydns-conf page
# tinydns-conf tinydns dnslog /var/tinydns IP
In the command above, we are specifying the account to run tinydns and the account that will log all the queries and errors and such. ‘/var/tinydns’ in this case is the directory where the service is. The webpage will suggest using /etc/tinydns but i have chosen to use /var/tinydns in my case, you may do the same or use DJB’s suggestions.
IP is the IP address that you want the service to listen on.
Once, you have run this command and /var/tinydns is created. You must run the service. We will do so by executing the following command.
# ln -s /var/tinydns /service
Once, you have done this, the service will start within 5 seconds. To confirm that the service is started. You can do several things. Check /var/tinydns/log/main/current for something like
@400000004013927704b7aa1c starting tinydns
or do ‘netstat -a’ and look for something like
udp 0 0 IP.domain *.*
You can also check to see if its running by issuing the following command
# svstat /service/tinydns and expect a response like
/service/tinydns: up (pid 22445) 135495 seconds
If you see that its only up for 1 seconds, then check the log file mentioned above to see what the error is.
The only error i’ve ever encountered is:
@40000000401323980aecbecc softlimit: fatal: unable to run /usr/local/bin/tinydns: out of memory
To fix this problem, i edited the ‘run’ file located in /var/tinydns/ and edited the run file to reflect the softlimit i desired. My setting is at 5000000 as opposed to the 30000 that its usually set at.
To edit the file, execute ‘svc -d /service/tinydns’ to down the service and stop it from restarting. Then ‘vi /var/tinydns/run’ and change the softlimit. Once, you’re done, execute ‘svc -u /service/tinydns’ to bring the service back up. To learn more about the svc command, consult The svc program
So, at this point, you should see the service running by one of the many ways I mentioned above.
Now, we need to add hosts and nameservers and mx records and such. For this example, I’ve listed my domain and its hosts and nameservers and mx records.
There are two ways to provide the dns information. Manually or use the commands provided.
The file to edit is located in /var/tinydns/root/ and is named ‘data’.
If you do a directory listing, you will notice other utilities such as add-host, add-ns, …
You may use these utilities to add the appropriate information to your data file but I prefer to do it manually because I can keep better track of whats going on. Considering I don’t make DNS changes everyday to my one domain, I’d like to not forget what belongs where.
Below I have paste a sample file and a brief explanation of what it means.
# — name servers
# — anoop.net hosts
# — MX RECORDS
You will notice that the information above looks pretty much the same except for the symbols preceding every line that isnt a comment(#)
the ( . ) will specify a name server and its syntax is domain:ip:primary|secondary:TTL
The TTL is also known as Time To Live and you’ve probably heard of it. Its simply an amount of time that a caching server holds the records for until they are “stale” and purged. To find our more about what TTL is, consult Ask Mr. DNS Archive.
The ( + ) symbols that you see specify hosts. For example, I wish for people to visit http://www.anoop.net or anoop.net and so I tell djbdns that i wish these hostnames to represent these IP addresses (22.214.171.124). So if anyone on the net types http://www.anoop.net in their browser, they will be able to pull up my webpage. It will also work if i put in anoop.net.
You may notice that all the hosts point to the same IP address (126.96.36.199). Yes you can do this and there is nothing wrong with it provided you handle those hostnames correctly under apache but that is beyond the scope of this document.
The last symbol you see is ( @ ) and that specifies the MX record. MX Records is the information that specifies which servers on the internet are to handle email requests for your particular domain. Obviously this should me the IP for your mailserver.
There are other types of records that you can specify but these are the records that I use and so I’ve mentioned them here breifly.
Once, you’ve edited or used the utilities to setup your domain’s information, you have to do one more step to make it live.
If the response you see is like the above, then you’ve succesfully created the .cdb file.
To test that your installation has worked, execute
# dnsq a domainname.TLD server.IP.address
and inspect the information it return to ensure that it is according to specification.
This concludes this tutorial, Please feel free to link to this tutorial or contact anoop.
Needless to say, I’ve only installed djbdns on OpenBSD but if this process works for you on other platforms, please do let me know so that I may make a note of it. I make no guarantees nor do I take any responsibility for any damages incurred from this tutorial.
Many thanks to kitchen for ironing out any crinks in my install.