Title: djbdns_debian_setup_notes.txt Subject: Setup djbdns on Debian Author: John Stile Reference:http://gentoo-wiki.com/HOWTO_Setup_a_DNS_Server_with_DJBDNS --------------------- Djbdns 67.100.62.250 authoritative for eng.stilen.com and 60.168.192.in-addr.arpa 192.168.0.1 cache/resolving server --------------------- # Find packages for daemontools, ucspi, and djbdns engfirewall:~# aptitude search daemontools v daemontools-installer - v daemontools-run - engfirewall:~# aptitude search djbdns v djbdns - v djbdns-installer - v libdjbdns-dev - p libdjbdns1 - DNS client library designed to replace the BIND res_*/dn_* library p libdjbdns1-dev - DNS client library designed to replace the BIND res_*/dn_* library engfirewall:~# aptitude search ucspi p ucspi-proxy - Connection proxy for UCSPI tools p ucspi-unix - UNIX-domain socket client-server command-line tools # Install packages engfirewall:~# aptitude --with-recommends ucspi-unix djbdns djbdns-installer libdjbdns1 libdjbdns1-dev daemontools-installer daemontools-run # To install I had to add new source to /etc/apt/sources.list deb http://smarden.org/pape/Debian/ sarge unofficial deb-src http://smarden.org/pape/Debian/ sarge unofficial engfirewall:~# apt-get update engfirewall:~# apt-get install djbdns djbdns-doc daemontools daemontools-run djbdns djbdns-doc ucspi-tcp # Create new users engfirewall:~# useradd Gtinydns engfirewall:~# useradd Gaxfrdns engfirewall:~# useradd Gdnslog engfirewall:/etc# grep ^G /etc/shadow Gtinydns:!:12935:0:99999:7::: Gaxfrdns:!:12935:0:99999:7::: Gdnslog:!:12935:0:99999:7::: Gdnscache:!:12935:0:99999:7::: # This removes all previous data #DON"T RUN# svc -x /service/* #DON"T RUN# rm -rf /etc/axfrdns /etc/tinydns /etc/dnscache #------------------------------------------------- # Setup dnscache server, # Serv on ip 192.168.0.1 (eth0:1) # Allow clients queries from 192.168.0.0/24 subnet #------------------------------------------------- # verify djbdns is installed correctly engfirewall:/etc# 
dnsip www.oreillynet.com 208.201.239.37 208.201.239.36 # Bind dnscache server to 192.168.0.1 (eth0) engfirewall:/etc/# dnscache-conf Gdnscache Gdnslog /etc/dnscache 192.168.0.1 # Create allow list engfirewall:/etc# touch /etc/dnscache/root/ip/192.168.0 # Start service engfirewall:/etc# ln -s /etc/dnscache /service/ # Check log file engfirewall:/etc# tail -f /etc/dnscache/log/main/current # verify / test engfirewall:/etc# svstat /service/* /service/dnscache: up (pid 11112) 202 seconds # Check ports engfirewall:/etc# netstat -nap |grep ':53' tcp 0 0 192.168.0.1:53 0.0.0.0:* LISTEN 11112/dnscache udp 0 0 192.168.0.1:53 0.0.0.0:* 11112/dnscache # test lookup from client on 192.168.0.0/24 subnet jstile@genx ~/svn_SERVICE/engfirewall $ env DNSCACHEIP=192.168.0.1 dnsqr a www.yahoo.com 1 www.yahoo.com: 193 bytes, 1+9+0+0 records, response, noerror query: 1 www.yahoo.com answer: www.yahoo.com 298 CNAME www.yahoo.akadns.net answer: www.yahoo.akadns.net 60 A 66.94.230.39 answer: www.yahoo.akadns.net 60 A 66.94.230.35 answer: www.yahoo.akadns.net 60 A 66.94.230.37 answer: www.yahoo.akadns.net 60 A 66.94.230.38 answer: www.yahoo.akadns.net 60 A 66.94.230.47 answer: www.yahoo.akadns.net 60 A 66.94.230.44 answer: www.yahoo.akadns.net 60 A 66.94.230.36 answer: www.yahoo.akadns.net 60 A 66.94.230.48 # Other tools dnsqr, dnstrace, dnsip, tinydns-get, dnsipq, dnsmx, dnsname # tell cache server names of internal zones, and authoritative name servers: engfirewall:/etc/dnscache/root# echo -e '67.100.62.250 192.168.50.42' > /etc/dnscache/root/servers/eng.stilen.com engfirewall:/etc/dnscache/root# echo -e '192.168.50.45\n192.168.50.42' > /etc/dnscache/root/servers/ms.stilen.com engfirewall:/etc/dnscache/root# echo -e '192.168.50.45\n192.168.50.42' > /etc/dnscache/root/servers/stilen.com engfirewall:/# echo "67.100.62.250" >> /service/dnscache/root/servers/60.168.192.in-addr.arpa # Test fails from client jstile@genx ~ $ env DNSCACHEIP=192.168.0.1 dnsqr a ms.stilen.com 1 ms.stilen.com: 29 
bytes, 1+0+0+0 records, response, authoritative, nxdomain query: 1 ms.stilen.com # Rebuild cache after these changes engfirewall:/etc/dnscache/root# svc -t /service/* # Now the test works!!! jstile@genx ~ $ env DNSCACHEIP=192.168.0.1 dnsqr a ms.stilen.com 1 ms.stilen.com: 77 bytes, 1+3+0+0 records, response, noerror query: 1 ms.stilen.com answer: ms.stilen.com 600 A 192.168.50.42 answer: ms.stilen.com 600 A 192.168.50.45 answer: ms.stilen.com 600 A 192.168.50.63 # Test just a host name on domain stilen.com jstile@genx ~ $ env DNSCACHEIP=192.168.0.1 dnsqr a subversion01.stilen.com 1 subversion01.stilen.com: 55 bytes, 1+1+0+0 records, response, noerror query: 1 subversion01.stilen.com answer: subversion01.stilen.com 3600 A 192.168.0.11 # Test just a host name on domain ms.stilen.com jstile@genx ~ $ env DNSCACHEIP=192.168.0.1 dnsqr a yahoo.com # Test just a host name on domain eng.stilen.com jstile@genx ~ $ env DNSCACHEIP=192.168.0.1 dnsqr a svn.eng.stilen.com FAILED!!! Because we have not created the zone yet #------------------------------------------------- # Setup tinydns server, # Serve on IP 192.168.0.1 (eth0) # Allow client queries from 192.168.0.0/24 subnet #------------------------------------------------- # setup the main server tinydns-conf Gtinydns Gdnslog /etc/tinydns 67.100.62.250 # startup ln -s /etc/tinydns /service/ # Verify it's running svstat /service/* /service/dnscache: up (pid 11112) 1666 seconds /service/tinydns: up (pid 15734) 100 seconds # Check log file tail -f /etc/tinydns/log/main/current # create authoritative zones: pushd /service/tinydns/root/ ./add-ns eng.stilen.com 67.100.62.250 ./add-ns 60.168.192.in-addr.arpa 67.100.62.250 ./add-ns 67.60.168.192.in-addr.arpa 67.100.62.250 popd # Add hosts: pushd /service/tinydns/root i=1 while [ $i -lt 255 ];do # format: host-001.eng.stilen.com Forward_Host=`printf "%s%03d%s\n" "host-" "$i" ".eng.stilen.com" ` # Create the record ./add-host $Forward_Host 192.168.0.$i let i=$i+1 done ./add-alias 
subversion01.eng.stilen.com 192.168.0.11 ./add-alias build.eng.stilen.com 192.168.0.25 ./add-alias engfirewall_0.eng.stilen.com 192.168.0.1 ./add-alias ns1.eng.stilen.com 192.168.0.27 ./add-alias gal1.eng.stilen.com 192.168.0.41 ./add-alias gal2.eng.stilen.com 192.168.0.42 ./add-alias gal3.eng.stilen.com 192.168.0.43 ./add-alias gal4.eng.stilen.com 192.168.0.44 ./add-alias gal5.eng.stilen.com 192.168.0.45 ./add-alias gal6.eng.stilen.com 192.168.0.46 ./add-alias svn.eng.stilen.com 192.168.0.11 # Create data.cdb out of data file engfirewall:/service/tinydns/root# make # Restart the tinydns server engfirewall:/service/tinydns/root# svc -t /service/* # List of symbols from data file: # leading . -> a nameserver # = -> both PTR and A record # + -> A record # & -> NS and A record # @ -> MX and A record # # -> Comments # Test just a host name on domain eng.stilen.com jstile@genx ~ $ env DNSCACHEIP=192.168.0.1 dnsqr a svn.eng.stilen.com 1 svn.eng.stilen.com: 50 bytes, 1+1+0+0 records, response, noerror query: 1 svn.eng.stilen.com answer: svn.eng.stilen.com 86400 A 192.168.0.11 SUCCESS!!! Our dnscache server got the record from tinydns. 
#------------------------------------------------- # Set up axfrdns as a secondary for ms.stilen.com #------------------------------------------------- engfirewall:~# axfrdns-conf Gaxfrdns Gdnslog /etc/axfrdns /etc/tinydns 67.100.62.250 engfirewall:~# ln -s /etc/axfrdns /service/ engfirewall:~# vi /etc/axfrdns/tcp # Allow zone transfers from network 192.168.0.* 192.168.0.:allow # Allow zone transfers from network 192.168.50.* 192.168.50.:allow # this might be finer tuned 192.168.50.45:allow,AXFR="internal/50.168.192.in-addr.arpa" 192.168.50.45:allow,AXFR="internal/ms.stilen.com" 192.168.50.42:allow,AXFR="internal/50.168.192.in-addr.arpa" 192.168.50.42:allow,AXFR="internal/ms.stilen.com" :deny # Test a zone transfer from 192.168.50.45 tcpclient 192.168.50.45 53 axfr-get stilen.com zone-stilen.com zone-stilen.com.tmp Creates file zone-stilen.com containing the IPs. Use it to populate /etc/tinydns/root/data Run make in /etc/tinydns/root/ engfirewall:~# netstat -nap |grep :53 tcp 0 0 67.100.62.250:53 0.0.0.0:* LISTEN 2075/tcpserver tcp 0 0 192.168.0.1:53 0.0.0.0:* LISTEN 2076/dnscache udp 0 0 67.100.62.250:53 0.0.0.0:* 2077/tinydns udp 0 0 192.168.0.1:53 0.0.0.0:* 2076/dnscache ----------------- END ------------------ The rest of this is old..... 
# Create service directories engfirewall:~# tinydns-conf Gtinydns Gdnslog /etc/tinydns 192.168.0.189 engfirewall:~# axfrdns-conf Gaxfrdns Gdnslog /etc/axfrdns /etc/tinydns 192.168.0.189 engfirewall:~# ls -alF /etc/tinydns /etc/axfrdns /etc/axfrdns: total 17 drwxr-sr-t 4 root root 168 2005-06-01 10:06 ./ drwxr-xr-x 72 root root 4720 2005-06-01 10:06 ../ drwxr-sr-x 2 root root 96 2005-06-01 10:06 env/ drwxr-sr-x 3 root root 120 2005-06-01 10:06 log/ -rw-r--r-- 1 root root 45 2005-06-01 10:06 Makefile -rwxr-xr-x 1 root root 157 2005-06-01 10:06 run* -rw-r--r-- 1 root root 76 2005-06-01 10:06 tcp /etc/tinydns: total 9 drwxr-sr-t 5 root root 144 2005-06-01 10:06 ./ drwxr-xr-x 72 root root 4720 2005-06-01 10:06 ../ drwxr-sr-x 2 root root 96 2005-06-01 10:06 env/ drwxr-sr-x 3 root root 120 2005-06-01 10:06 log/ drwxr-sr-x 2 root root 232 2005-06-01 10:06 root/ -rwxr-xr-x 1 root root 99 2005-06-01 10:06 run* # Allow zone transfers from your network 192.168.0.*: engfirewall:~# vi /etc/axfrdns/tcp # sample line: 1.2.3.4:allow,AXFR="heaven.af.mil/3.2.1.in-addr.arpa" #:deny # Allow zone transfers from network 192.168.0.* 192.168.0.:allow # Allow zone transfers from network 192.168.50.* 192.168.50.:allow # Allow zone transfers from authorized zone 131.193.178.* #131.193.178.:allow # Allow non-zone transfers from anywhere :allow,AXFR="" engfirewall:~# cd /etc/axfrdns engfirewall:/etc/axfrdns# make tcprules tcp.cdb tcp.tmp < tcp # Setup replication of zone files engfirewall:/etc/axfrdns# vi /etc/tinydns/root/Makefile ## Setup replication of zone files via rsync #remote: data.cdb # rsync -az -e ssh data.cdb 1.8.7.201:/etc/tinydns/root/data.cdb ## Setup replication of zone files via ssh #remote: data.cdb # scp data.cdb 1.8.7.201:/etc/tinydns/root/data.cdb.tmp # ssh 1.8.7.201 mv /etc/tinydns/root/data.cdb.tmp \ # /etc/tinydns/root/data.cdb data.cdb: data /usr/local/bin/tinydns-data # transfer the zone for msil.com to this server engfirewall:/etc/tinydns/root# tcpclient 192.168.50.42 
53 axfr-get stilen.com zone-stilen.com zone-stilen.com.tmp axfr-get: fatal: unable to read from network: timed out engfirewall:/etc/tinydns/root# engfirewall:/etc/tinydns/root# tcpclient 192.168.50.45 53 axfr-get stilen.com zone-stilen.com zone-stilen.com.tmp # merge zones into a data file and run make engfirewall:/etc/tinydns/root# sort -u zone* > data engfirewall:/etc/tinydns/root# make # Test local lookup: engfirewall:/etc/tinydns/root# cd /etc/tinydns/root engfirewall:/etc/tinydns/root# tinydns-get a www.stilen.com dnsq a stilen.com 192.168.0.189 engfirewall:/etc/tinydns/root# tinydns-get MX stilen.com 15 stilen.com: 77 bytes, 1+0+1+0 records, response, authoritative, noerror query: 15 stilen.com authority: stilen.com 3600 SOA kenny.ms.stilen.com admin.ms.stilen.com 119 900 600 86400 3600 # This fails because the daemon is not running yet engfirewall:/etc/tinydns/root# dnsq a stilen.com 192.168.0.189 1 stilen.com: connection refused # start the tinydns service (service starts in 5 seconds) engfirewall:/etc/tinydns/root# ln -s /etc/tinydns /etc/axfrdns /service # Check listening ports engfirewall:/etc/tinydns/root# lsof -i tcp tcpserver 7408 root 3u IPv4 10521 TCP engfirewall:domain (LISTEN) engfirewall:/etc/tinydns/root# lsof -i udp tinydns 7404 Gtinydns 3u IPv4 10490 UDP engfirewall:domain # Rerun lookup test engfirewall:/etc/tinydns/root# dnsq a stilen.com 192.168.0.189 1 stilen.com: 77 bytes, 1+0+1+0 records, response, authoritative, noerror query: 1 stilen.com authority: stilen.com 3600 SOA kenny.ms.stilen.com admin.ms.stilen.com 119 900 600 86400 3600 # See if this looks like the company bind server engfirewall:/etc/tinydns/root# dnsq a stilen.com 192.168.50.45 1 stilen.com: 77 bytes, 1+0+1+0 records, response, authoritative, weird ra, noerror query: 1 stilen.com authority: stilen.com 3600 SOA kenny.ms.stilen.com admin.ms.stilen.com 119 900 600 86400 3600 # # Allow this host to perform recursive lookups and cache results # # Test communication with other 
dns servers engfirewall:/etc/tinydns/root# dnsq a www.aol.com 192.203.230.10 engfirewall:/etc/tinydns/root# dnsq a www.aol.com 192.48.79.30 # Create user accounts engfirewall:/etc/tinydns/root# useradd Gdnscache engfirewall:/etc/tinydns/root# useradd Gdnslog # Create cache service directory, configure to use external host 192.168.50.45 engfirewall:/etc/tinydns/root# dnscache-conf Gdnscache Gdnslog /etc/dnscache 192.168.0.189 engfirewall:/etc/tinydns/root# ls -alF /etc/dnscache/ total 13 drwxr-sr-t 5 root root 168 2005-06-01 11:15 ./ drwxr-xr-x 73 root root 4744 2005-06-01 11:15 ../ drwxr-sr-x 2 root root 184 2005-06-01 11:15 env/ drwxr-sr-x 3 root root 120 2005-06-01 11:15 log/ drwxr-sr-x 4 root root 96 2005-06-01 11:15 root/ -rwxr-xr-x 1 root root 142 2005-06-01 11:15 run* -rw------- 1 root root 128 2005-06-01 11:15 seed # start the new service engfirewall:/etc/tinydns/root# ln -s /etc/dnscache /service engfirewall:/etc/tinydns/root# sleep 5 engfirewall:/etc/tinydns/root# svstat /service/dnscache /service/dnscache: up (pid 7446) 0 seconds # authorize all clients whose IP starts with 192.168.0.* to use this cache engfirewall:/etc/tinydns/root# touch /etc/dnscache/root/ip/192.168.0 engfirewall:/etc/tinydns/root# touch /etc/dnscache/root/ip/192.168.50 # Look at the cache engfirewall:/etc/tinydns/root# cat /service/dnscache/log/main/current # Turn off the caching for now engfirewall:/etc/tinydns/root# rm -rf /var/service/dnscache ------------------------------------------- # Install dhcp Server aptitude install dhcp /etc/init.d/dhcp stop mv /etc/init.d/dhcp /etc/init.d/dhcp.down update-rc.d -f dhcp remove ------------------------------------------- Reference: http://www.linuxguruz.com/iptables/howto/2.4routing-4.html Network setup: eth0 is on the .60 subnet eth1 is on the .50 subnet aptitude install iproute libatm1 ip link list # Show link status ip addr show # Show ip ip route show # show route ip route ls # show route ip neigh show # view arp cache (populate with 
ping) ip neigh delete 192.168.50.45 dev eth1 # delete from ARP cache * Must have kernel compiled with: "IP: advanced router" and "IP: policy routing" features. ip rule list # Default route rules ip route list table main # View the main route table ip route add 192.168.50.0/24 dev eth1 # ip route add 192.168.0.0/24 dev eth0 # # echo 200 John >> /etc/iproute2/rt_tables # ip rule add from 10.0.0.10 table John # ip rule ls 0: from all lookup local 32765: from 10.0.0.10 lookup John 32766: from all lookup main 32767: from all lookup default # ip route add default via 195.96.98.253 dev ppp2 table John # generate John's table # ip route flush cache # flush the cache # Not sure what this did for me modprobe ipip #enable ip forwarding to be a router echo "1" > /proc/sys/net/ipv4/ip_forward