OpenBSD and FreeBSD resources » DJBDNS http://purebsd.com Tue, 01 Jun 2010 06:01:11 +0000 en hourly 1 http://wordpress.org/?v=3.1 Setting up DJBDNS http://purebsd.com/setting-up-djbdns.html http://purebsd.com/setting-up-djbdns.html#comments Tue, 01 Jun 2010 04:59:26 +0000 admin http://purebsd.com/?p=33 Didactic assumptions

  • You want to run a secure DNS service on your system(s). (BIND is not secure, nor reliable.) Read DJBDNS’s security guarantee.
  • You have three network interfaces:
    127.0.0.1 – the IP address of the localhost/loopback interface.
    192.168.0.3 – the IP address of the internal network interface.
    131.174.117.141 – the IP address of the external network interface.

    I assume that 127.0.0.1 needs no clarification. 192.168.0.3 is the IP with which the server babbles with the rest of the machines on your intranet. 131.174.117.141 is the IP address that your ISP provided to you in order to TCP/IP you into the scary dungeons of the internet.

  • Your intranet domain name is «intranet.purebsd.com» and your domain name is «purebsd.com».
  • The secondary name server is setup the same way like our server.
  • You like to install machine dependend things into /usr/local and stuff that can grow into /var.

Goal

We are going to create a split-horizon DNS service:

  • The intranet machines will contact your server for resolving DNS queries.
  • The intranet machines will contact your server to query the private intranet domain «intranet.purebsd.com».
  • The intranet machines will contact your server to query the public internet domain «purebsd.com».
  • The server itself will be able to do all of the above.
  • The server will transfer its primary zones to its secondary nameserver by means of the dnszxfr «program».
  • The server will receive its secondary zones from its primary nameserver by means of the dnszxfr «program».
  • The machines on the internet will only be able to query the public internet domain «purebsd.com».

Roadmap to the DJBDNS solution

This page documents one possible roadmap to install, configure and use DJBDNS.

Getting the software

For DJBDNS you need to download three tarballs:

  1. The latest djbdns package: djbdns-1.05.tar.gz
    DJBDNS, obviously.
  2. The latest daemontools package: daemontools-0.76.tar.gz
    Daemontools is a collection of tools for managing UNIX services. DJBDNS makes use of it.
  3. The latest ucspi-tcp package: ucspi-tcp-0.88.tar.gz
    Ucspi-tcp is a collection of tools to create and accept TCP connections.

Installing the framework

To install these three packages:

  1. First, create a package directory in /usr/local:
    mkdir -p /usr/local/package
    chmod 1755 /usr/local/package
    ln -s /usr/local/package /package
    cd /package

    Extract the daemontools sources in /package:
    tar xpfz daemontools-0.76.tar.gz
    cd admin/daemontools-0.76

    To compile and setup daemontools:
    package/install

    The directories /command and /service are created by the installation script./command is populated by symbolic links to programs located in /package or/usr/local/package. Symbolic links located in /service are used by svscan to start (daemontools compatible) services under supervision of supervise. DJBDNS, daemontools and ucspi-tcp need those directories by default. If you don’t like them and want to change the names or locations of those directories, make sure you know exactly what you’re doing when hacking the Makefiles and source code.

    Note: /command/svscanboot is automatically added to /etc/rc.local

  2. Extract the ucspi-tcp sources somewhere:
    tar xvfz ucspi-tcp-0.88.tar
    cd ucspi-tcp-0.88

    To compile and install ucspi-tcp:
    make
    make setup check
  3. Extract the djbdns sources somewhere:
    tar xvfz djbdns-1.05.tar
    cd djbdns-1.05

    To compile and install djbdns:
    make
    make setup check

Edit the /etc/dnsroots.global file to reflect the new IP address of j.root-servers.net:

  • Replace 198.41.0.10 with 192.58.128.30.

Now setup some nice system accounts for DJBDNS:

  1. Add «dnscache», «dnslog», «tinydns» and «dnszxfr» as new accounts to the system by adding the following four lines to /etc/master.passwd:

    dnscache:*:90:90::0:0:dnscache:/nonexistent:/sbin/nologin
    dnslog:*:91:91::0:0:dnslog:/nonexistent:/sbin/nologin
    tinydns:*:92:92::0:0:tinydns:/nonexistent:/sbin/nologin
    dnszxfr:*:93:93::0:0:DNS zone transfer agent:/var/djbdns/public-dnszxfr:/bin/sh

    Note: make sure that each account entry is just one line. Do not spread over multiple lines or you will corrupt the file.

    Then run pwd_mkdb -p /etc/master.passwd to activate the changes.

  2. Add four new groups to /etc/group:
    dnscache:*:90:
    dnslog:*:91:
    tinydns:*:92:
    dnszxfr:*:93:
  3. Change dnszxfr’s password with a string of about 10 random characters found on your keyboard:
    passwd dnszxfr

Now we can create the data directories of the various DJBDNS programs:

  1. First, create a directory where DJBDNS data directories will reside:
    mkdir /var/djbdns
  2. Create a caching DNS service:
    dnscache-conf dnscache dnslog \
    /var/djbdns/private-dnscache 192.168.0.3
  3. Create an authorative DNS service for the intranet:
    tinydns-conf tinydns dnslog \
    /var/djbdns/private-tinydns 127.0.0.1
  4. Create an authorative DNS service for the internet:
    tinydns-conf tinydns dnslog \
    /var/djbdns/public-tinydns 131.174.117.141
  5. Create a directory for the zone transfer dnszxfr:
    mkdir /var/djbdns/public-dnszxfr
    chown dnszxfr:dnszxfr /var/djbdns/public-dnszxfr
    chmod 700 /var/djbdns/public-dnszxfr

Getting ready

The data directories are created and already filled with some files that form the framework. We have to finetune some of these files or create some new files in order to let things run smoothly on our server.

  1. Edit /var/djbdns/private-tinydns/run to increase the softlimit:
    ... vdir ./env softlimit -d500000 /usr/loc ...
  2. Edit /var/djbdns/public-tinydns/run to increase the softlimit:
    ... vdir ./env softlimit -d500000 /usr/loc ...
  3. To enable the intranet to use dnscache’s services:
    cd /var/djbdns/private-dnscache/root/ip
    touch 192.168.0
    chmod 600 192.168.0
  4. In order to have dnscache resolve 192.168.0.* and *.intranet.purebsd.com, it has to know where to look:
    cd /var/djbdns/private-dnscache/root/servers
    echo 127.0.0.1 > 0.168.192.in-addr.arpa
    echo 127.0.0.1 > intranet.purebsd.com

    127.0.0.1 is the IP address that private-tinydns, which knows about 129.168.0.* and *.intranet.purebsd.com, listens on.
  5. Edit /var/djbdns/private-tinydns/root/Makefile to read:
    data.cdb: data
    /usr/local/bin/tinydns-data

    data: private-zones-primary
    cat private-zones-primary > data

  6. Edit /var/djbdns/public-tinydns/root/Makefile to read:
    data.cdb: data
    @echo -n "[3] Creating 'data.cdb' from 'data'.. "
    @/usr/local/bin/tinydns-data
    @echo "OK"

    data: public-zones-primary public-zones-secondary
    @echo -n "[1] Creating 'data' from 'public-zones-primary' \
    and 'public-zones-secondary'.. "
    @cat public-zones-primary public-zones-secondary > data
    @echo "OK"

    @echo -n "[2] Copying primary zone to DNSZXFR transfer \
    directory.. "
    @/bin/cp -f public-zones-primary /var/djbdns/public-dnszxfr/
    @echo "OK"

    Note:All indented lines should be indented with tabs instead of spaces. Make will complain if you fail to meet this requirement.

Prime time

Now we are ready to run the DJBDNS services:

  1. Go to the /service directory:
    cd /service
  2. Make symbolic links to public-tinydnsprivate-tinydns and private-dnscache:
    ln -s /var/djbdns/private-dnscache .
    ln -s /var/djbdns/private-tinydns .
    ln -s /var/djbdns/public-tinydns .
  3. The services should be started automatically within seconds. To verify: svstat /service/*
    The output will be something similar to:
    /service/private-dnscache: up (pid 17170) 686536 seconds
    /service/private-tinydns: up (pid 15258) 686536 seconds
    /service/public-tinydns: up (pid 22261) 686536 seconds
  4. You should let your system’s DNS resolver(s) know what IP address should be used to submit DNS queries to. Create/edit /etc/resolv.conf to have it use dnscache‘s IP address:
    nameserver 192.168.0.3

Serving DNS records

The dnscache program is already providing resolving DNS services to your system and intranet. But nothing is known about *.intranet.purebsd.com (the intranet domain) nor *.purebsd.com (the public internet domain).
First, we’re going to inform private-tinydns (the tinydns instance that knows about *.intranet.purebsd.com) what it should know about the intranet.

  1. The tinydns data format is very simple (and easy to parse for programs). Make yourself acquaintable with the tinydns data format.
  2. Now that you know all about the tinydns data format, go to the private-tinydnsdirectory to which tinydns chroot()’s:
    cd /var/djbdns/private-tinydns/root
  3. There you create the file private-zones-primary. It could look like this:
    # Zone: *.intranet.purebsd.com
    #
    .intranet.purebsd.com::atlantis.intranet.purebsd.com
    @intranet.purebsd.com::atlantis.intranet.purebsd.com:10
    'purebsd.com:PureBSD intranet
    =antarctica.intranet.purebsd.com:192.168.0.1
    =aldebaran.intranet.purebsd.com:192.168.0.2
    =atlantis.intranet.purebsd.com:192.168.0.3
  4. To have tinydns load the new private (primary) zone file just run makemake processes the Makefile file. That copies private-zones-primary to data and callstinydns-data to generate data.cdb out of data.

    The usage of private-zones-primary looks a bit clumsy or overdone, but I found it to be more consistent with the public-tinydns approach I took.

Now we’re going to have public-tinydns publish our beloved purebsd.com domain.

  1. Go to the public-tinydns directory to which tinydns chroot()’s:
    cd /var/djbdns/public-tinydns/root
  2. There you create the file public-zones-primary. It could look like this:
    # Zone: *.purebsd.com
    #
    .purebsd.com::ns1.purebsd.com
    .purebsd.com::ns2.purebsd.com
    @purebsd.com::mail1.purebsd.com:10
    @purebsd.com::mail2.purebsd.com:20
    'purebsd.com:PureBSD - BSD resources
    +ns1.purebsd.com:131.174.117.141
    +ns2.purebsd.com:131.174.119.121
    +mail1.purebsd.com:131.174.117.141
    +mail2.purebsd.com:131.174.119.121
    +www.purebsd.com:131.174.117.141
  3. To have tinydns load the new public (primary) zone file just run makemake processes the Makefile file. That copies public-zones-primary and public-zones-secondary to data and calls tinydns-data to generate data.cdb out of data.

    Make also copies the file public-zones-primary to the DNSXFR directory so that DNSXFR can transfer it to the secondary nameserver(s).

Zone transfers

The setup and configuration of the The DNS zone transfer program «dnszxfr» will be coverend when the rest of the DJBDNS setup is completed (and documented here ;-) .

More reading

For more in-depth documentation for the DJBDNS, daemontools and ucspi-tcp programs:

]]> http://purebsd.com/setting-up-djbdns.html/feed 0