The DNS server was deployed on CentOS release 4.4, kernel 2.6.9-42.0.3.ELsmp, on an Intel Xeon 3.2 GHz machine with 2 GB RAM.
Software Requirements
Any Linux/Unix flavors
Packages needed:
a. Daemontools (http://cr.yp.to/daemontools.html)
b. UCSPI-TCP (http://cr.yp.to/ucspi-tcp.html)
c. Djbdns (http://cr.yp.to/djbdns.html)
d. Dnscache (http://cr.yp.to/dnscache.html)
e. Tinydns (http://tinydns.org)
f. Vegadns (optional, a web interface for tinydns) (http://www.vegadns.org/)
g. MySQL server (optional)
h. PHP, gcc, Apache web server, Perl, patch
Before installing djbdns, install daemontools and ucspi-tcp.
1. DAEMONTOOLS
a. Create a /package directory:
mkdir -p /package
chmod 1755 /package
cd /package
b. Download the package daemontools-0.76.tar.gz into /package. Unpack the daemontools package:
tar zxvf daemontools-0.76.tar.gz
c. Compile
cd admin/daemontools-0.76
package/install
d. Verify that it is running: type ps aux and you should see the "svscan" process running.
2. UCSPI-TCP
a. Download the package ucspi-tcp-0.88.tar.gz. Unpack the package
tar zxvf ucspi-tcp-0.88.tar.gz
b. Compile
cd ucspi-tcp-0.88
make
make setup check
3. DJBDNS (the core of our dns server)
a. Download the djbdns package latest djbdns-1.05.tar.gz.
b. Unpack the djbdns package
tar zxvf djbdns-1.05.tar.gz
c. Compile the djbdns programs: (patch first if needed)
cd djbdns-1.05
echo gcc -O2 -include /usr/include/errno.h > conf-cc
make
make setup check (successful if it produces the following output)
./install
./instcheck
4. TINYDNS (authoritative nameserver, the DNS server itself)
a. Create users (tinydns and dnslog)
/usr/sbin/useradd -s /sbin/nologin -d /dev/null tinydns
/usr/sbin/useradd -s /sbin/nologin -d /dev/null dnslog
b. Create the first nameserver
tinydns-conf tinydns dnslog /etc/tinydns 1.2.3.5
where 1.2.3.5 is the IP tinydns should listen on
c. Start tinydns by telling svscan about it:
ln -s /etc/tinydns /service
d. Verify that the tinydns process is running, using ps aux:
root 3719 0.0 0.0 2388 284 ? S Nov14 0:00 supervise tinydns
tinydns 3723 0.0 0.0 2640 348 ? S Nov14 0:00 /usr/local/bin/tinydns
root 3718 0.0 0.0 2388 284 ? S Nov14 0:00 supervise log
dnslog 3722 0.0 0.0 2400 276 ? S Nov14 0:00 multilog t ./main
root 3706 0.0 0.0 2376 248 ? S Nov14 0:00 readproctitle service errors: …
If the "readproctitle service errors" line is clear, as above, you are all set.
5. DNSCACHE (the caching nameserver for the master DNS machine)
We will be setting up an internal caching nameserver.
a. Create user (dnscache)
/usr/sbin/useradd -s /sbin/nologin -d /dev/null dnscache
b. Create internal caching nameserver to be used by the server for DNS lookups
dnscache-conf dnscache dnslog /etc/dnscache 127.0.0.1
c. Start dnscache by telling svscan about it
ln -s /etc/dnscache /service
d. Verify that dnscache is running, using ps aux:
root 3717 0.0 0.0 2388 284 ? S Nov14 0:00 supervise dnscache
dnscache 3721 0.0 0.0 3924 1436 ? S Nov14 0:00 /usr/local/bin/dnscache
e. Use it as the system's nameserver: edit /etc/resolv.conf so it contains the line below, then save and exit.
nameserver 127.0.0.1
f. Test it using the dig command:
[root@ns1]# dig yahoo.com
; <<>> DiG 9.2.4 <<>> yahoo.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22149
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;yahoo.com. IN A
;; ANSWER SECTION:
yahoo.com. 300 IN A 216.109.112.135
yahoo.com. 300 IN A 66.94.234.13
;; Query time: 167 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Nov 17 16:34:02 2006
;; MSG SIZE rcvd: 59
Tips:
a. Manually refreshing or flushing the cache (flush it when a DNS change was recently made to a domain and you want your server to see the change quickly):
svc -t /service/dnscache
b. We can adjust the level of traffic at which the nameserver will flush its cache by editing the file /etc/dnscache/env/CACHESIZE.
SETTING UP TINYDNS
We can now tell tinydns which hosts it should resolve by editing /etc/tinydns/root/data and then running "make" to compile data.cdb, the file tinydns actually reads.
But for easier DNS management, we can use Vegadns.
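The data file tinydns compiles has one record per line: the first character is the record type and the remaining fields are colon-separated. The script below is an added example, not part of this tutorial or of djbdns: it expands the common line types into the records tinydns would serve and flags in-zone nameserver or mail hosts that have no A record, a cheap sanity check to run over /etc/tinydns/root/data before "make". The owtalk.com sample lines are constructed to match the dig output later in this tutorial; the abbreviation rule (an x without a dot means x.ns.fqdn or x.mx.fqdn) follows the tinydns-data format, and TXT octal escapes and an empty x are assumed out of scope.

```python
# Added example (not from the tutorial): expand tinydns "data" lines into the records
# tinydns serves and check glue before "make". Handles line types . & = + @ C ' only.
def parse_line(line):
    """Records (type, owner, value, ttl) generated by one tinydns-data line."""
    line = line.strip()
    if not line or line[0] == "#":
        return []
    kind, f = line[0], line[1:].split(":") + [""] * 6   # pad optional fields
    fqdn, recs = f[0], []
    if kind in ".&":          # NS (plus SOA for '.') and glue A when ip is given
        ip, x, ttl = f[1], f[2], int(f[3]) if f[3] else None
        ns = x if "." in x else f"{x}.ns.{fqdn}"        # short x means x.ns.fqdn
        recs.append(("NS", fqdn, ns, ttl))
        if kind == ".":
            recs.append(("SOA", fqdn, ns, ttl))
        if ip:
            recs.append(("A", ns, ip, ttl))
    elif kind in "=+":        # A record; '=' also publishes the reverse PTR
        ip, ttl = f[1], int(f[2]) if f[2] else None
        recs.append(("A", fqdn, ip, ttl))
        if kind == "=":
            recs.append(("PTR", ".".join(reversed(ip.split("."))) + ".in-addr.arpa", fqdn, ttl))
    elif kind == "@":         # MX (short x means x.mx.fqdn) and glue A when ip is given
        ip, x, ttl = f[1], f[2], int(f[4]) if f[4] else None
        mx = x if "." in x else f"{x}.mx.{fqdn}"
        recs.append(("MX", fqdn, f"{f[3] or '0'} {mx}", ttl))   # dist defaults to 0
        if ip:
            recs.append(("A", mx, ip, ttl))
    elif kind in "C'":        # CNAME / TXT
        recs.append(({"C": "CNAME", "'": "TXT"}[kind], fqdn, f[1], int(f[2]) if f[2] else None))
    else:
        raise ValueError(f"unsupported tinydns line type {kind!r}: {line}")
    return recs

def records(data):
    return [r for line in data.splitlines() for r in parse_line(line)]

def missing_glue(data, zone):   # in-zone NS/MX targets that have no A record in the file
    recs = records(data)
    have_a = {owner for t, owner, _, _ in recs if t == "A"}
    wanted = {v.split()[-1] for t, _, v, _ in recs if t in ("NS", "MX")}
    return sorted(h for h in wanted if h.endswith("." + zone) and h not in have_a)

SAMPLE = """\
.owtalk.com:202.130.144.102:ns1.owtalk.com:3600
.owtalk.com:202.130.144.103:ns2.owtalk.com:3600
=owtalk.com:202.130.144.102:3600
@owtalk.com::mail.owtalk.com:10:3600
+mail.owtalk.com:202.130.144.102:3600
"""  # constructed to match the tutorial's dig output for owtalk.com
```

Run missing_glue(open("/etc/tinydns/root/data").read(), "yourdomain") before "make"; an empty list means every nameserver and mail host you advertise inside the zone also has an address record.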
a. Download the vegadns package then unpack it on the web directory of your server (/var/www/html)
cd /var/www/html
tar zxvf vegadns-0.9.10.tgz
b. Rename the directory
mv vegadns-0.9.10 vegadns
c. Create the vegadns mysql server
mysqladmin -u root create vegadns -p
d. Create a user that will have rights on the vegadns database
mysql -u root -e "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER ON vegadns.* TO vegadns@localhost IDENTIFIED BY 'password'" mysql -p
e. Set up Vegadns: create the "private" directories that will store template, config, cache and session information
cd /var/www/html
mkdir -p vegadns_private/templates_c
mkdir vegadns_private/configs
mkdir vegadns_private/cache
mkdir vegadns_private/sessions
chown -R apache:apache vegadns_private
chmod -R 770 vegadns_private
f. Edit the Vegadns config.php, then save and exit:
vi vegadns/src/config.php
These are the settings that need editing:
$private_dirs = '/var/www/html/vegadns_private';
// Mysql settings
$mysql_host = 'localhost';
$mysql_user = 'vegadns';
$mysql_pass = 'password';
$mysql_db = 'vegadns';
$vegadns_url = 'http://iphere/vegadns/';
$supportname = "OWT";
$supportemail = "postmaster@owtel.com";
$trusted_hosts = '127.0.0.1';
g. Log in to the Vegadns interface
http://machineip/vegadns
The default login account is:
Email: test@test.com
Password: test
h. Create your user account
i. Configure the default domain settings
This default domain template ensures that every new domain entry created on your tinydns server gets certain basic settings and records (A records, MX records, nameservers, TTL settings, etc.).
j. Create new domain entry
k. Writing the changes out to tinydns
Vegadns comes equipped with a handy script that writes all changes out to tinydns. This script is called update-data.sh.
Set up the update-data.sh script:
cd /var/www/html/vegadns
vi update-data.sh
Change the VEGADNS line to:
VEGADNS='http://machineIP/vegadns/index.php'
chmod 750 update-data.sh
cp update-data.sh /usr/local/sbin/update-data.sh
l. Execute the script
update-data.sh
This writes the domain information entered in Vegadns to the tinydns data file on our DNS server:
/etc/tinydns/root/data
TESTING:
Test 1. Local query (private query)
Log in to any server that has the "dig" utility and run the following:
dig @othermachineip owtalk.com
[root@otherserver ~]# dig @10.50.0.74 owtalk.com
; <<>> DiG 9.3.1 <<>> @10.50.0.74 owtalk.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22866
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;owtalk.com. IN A
;; ANSWER SECTION:
owtalk.com. 3600 IN A 202.130.144.102
;; AUTHORITY SECTION:
owtalk.com. 3600 IN NS ns1.owtalk.com.
owtalk.com. 3600 IN NS ns2.owtalk.com.
;; ADDITIONAL SECTION:
ns1.owtalk.com. 3600 IN A 202.130.144.102
ns2.owtalk.com. 3600 IN A 202.130.144.103
;; Query time: 5 msec
;; SERVER: 10.50.0.74#53(10.50.0.74)
;; WHEN: Fri Nov 17 19:15:47 2006
;; MSG SIZE rcvd: 112
Test 2. Remote query
Test the DNS server's response when queried from an external location, for example via
http://domainwhitepages.com/
DNS Compliance
This will analyze and point out any inconsistencies and/or problems in our nameservers. To do this test, we use
http://www.dnsreport.com
Replication of DNS using rsync over ssh
Prepare a script something like this, where $host is the second tinydns server:
#!/bin/sh
host="$1"   # the second tinydns server
rsync -e ssh -az /etc/tinydns/root/data "$host":/etc/tinydns/root/data
ssh "$host" "cd /etc/tinydns/root && make"
To keep ssh from prompting for a password, set up authorized keys for the account that runs the script.