Installing NDJBDNS on CentOS 6.4

Today I’m going to install a DNS server for my virtual lab!

This article is also valid for CentOS 6.3. I’ve updated this post removing some mistakes.

If you want a simple setup, use dnsmasq: it’s a really good solution and there are lots of fine tutorials out there. But if you are reading this looking for DJBDNS, let me tell you that I started working with it when BIND (and other servers) suffered from a serious security problem. I loved it because it wasn’t vulnerable and was easy to use, though the installation was a little bit tricky.

Dr Daniel J. Bernstein created djbdns as an alternative to BIND a long time ago, but the official website looks as if it hasn’t been updated in years. I still use the examples and howtos on that website.

Last week I found this page about NDJBDNS (New-DJBDNS) offering “a brand new release of the DJBDNS”, so I thought it would be great to test this package in my laboratory.

If you’re using the EPEL repository (if not, read this post’s point 2):

yum install ndjbdns

Also install bind-utils so we have some useful tools like dig and host:

yum install bind-utils

In today’s post I’m going to configure the following two NDJBDNS services:

  • tinydns. This service will resolve addresses for my local domain (macto.local). Warning: This post won’t help you if you want to run your own DNS server on the Internet.
  • dnscache. This service will resolve Internet addresses: it will ask tinydns for addresses in my local domain, and for any other DNS request it’ll ask the root servers for authoritative answers and cache the responses.

As I want to use BOTH services and they both listen by default on port 53 TCP/UDP on the loopback address, I’ll configure tinydns to listen on 127.0.0.1 and dnscache on the server’s LAN address (e.g. 192.168.1.20). Please edit /etc/ndjbdns/dnscache.conf and set your LAN address (e.g. IP=192.168.1.20).

WARNING!!: dnscache requires you to specify which networks or servers can query your cache server, and you do that by creating an empty file named after an IP or a subnet address (read this file: /etc/ndjbdns/ip/127.0.0.1). E.g.: if I wanted to allow my 192.168.1.0/24 network to ask my cache server I’d create a file called /etc/ndjbdns/ip/192.168.1, and if I wanted to allow my 10.0.11.10 server I’d create a file called /etc/ndjbdns/ip/10.0.11.10.

  • Start the cache service and check that it’s listening. If you use iptables, allow DNS traffic.
service dnscache start

netstat -ntap | grep 53
tcp 0 0 192.168.1.20:53 0.0.0.0:* LISTEN 3378/dnscache

netstat -anup | grep 53
udp 0 0 192.168.1.20:53 0.0.0.0:* 3378/dnscache

iptables -I INPUT -p tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -p udp --dport 53 -j ACCEPT
service iptables save
  • Check if your cache is ready. If there is no answer, check that you’ve read my previous warning.
[root@haddock ndjbdns]# dig @192.168.1.20 www.cnn.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> @192.168.1.20 www.cnn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11479
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.cnn.com. IN A

;; ANSWER SECTION:
www.cnn.com. 3587 IN CNAME www.cnn.com.vgtf.net.
www.cnn.com.vgtf.net. 108 IN CNAME cnn-lax-tmp.gslb.vgtf.net.
cnn-lax-tmp.gslb.vgtf.net. 18 IN A 157.166.240.11

;; Query time: 0 msec
;; SERVER: 192.168.1.20#53(192.168.1.20)
;; WHEN: Thu Feb 14 20:50:06 2013
;; MSG SIZE rcvd: 110
  • OK. Now it’s tinydns time! Start the tinydns service and check that it’s listening on the loopback address (the default, set in /etc/ndjbdns/tinydns.conf).
service tinydns start

# netstat -anup | grep 53
udp 0 0 127.0.0.1:53 0.0.0.0:* 3519/tinydns
  • Now I want to configure tinydns to answer queries for my local domain macto.local (e.g. haddock.macto.local, milou.macto.local…).
  • Let’s create an empty file called data which will be used to add the DNS entries. This file will be processed later to build a data.cdb binary file, which contains the DNS server database.
cd /etc/ndjbdns
touch data
  • Our dnscache server will be the name server for our domain, and we’ll tell it how to resolve my local domain addresses.
  • We’ll add DNS entries to our data file with the tinydns-edit command. data.new will be a temporary file. Please run man tinydns-edit for more information.
  • We have to submit our new DNS records using tinydns-data. This command will convert the data text file into a data.cdb database file.
tinydns-edit data data.new add ns macto.local 192.168.1.20 #Our name server is 192.168.1.20
tinydns-edit data data.new add host milou.macto.local 192.168.1.21 #Adding a host
tinydns-data

Note: If you want to remove an entry, edit the data file, remove the line and submit your changes with tinydns-data.

  • OK. Let’s check if the tinydns server can resolve host names in my local domain:
# host milou.macto.local 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
milou.macto.local has address 192.168.1.21
  • Good! Now we have to configure our cache server so it can answer queries for my local domain. In fact the cache server will forward the queries to the tinydns service (127.0.0.1).
  • Go to /etc/ndjbdns/servers and create a file with the name of your local domain (e.g. macto.local). Now edit it and add a single line containing 127.0.0.1. Thanks to that line, dnscache knows that if someone asks for xxxx.macto.local it’ll have to ask 127.0.0.1 (tinydns) for it.
# host milou.macto.local 192.168.1.20
Using domain server:
Name: 192.168.1.20
Address: 192.168.1.20#53
Aliases:
milou.macto.local has address 192.168.1.21

Updated: 03/03/2013
————————-
If you want to resolve reverse DNS requests:

  • I’ve created a file called 1.168.192.in-addr.arpa in /etc/ndjbdns/servers with the line 127.0.0.1 in it (thank you Gerben Roest)
  • I’ve added an NS record for X.X.X.X.in-addr.arpa (e.g. 1.168.192.in-addr.arpa)
tinydns-edit data data.new add ns 1.168.192.in-addr.arpa 127.0.0.1
tinydns-data
service dnscache restart
service tinydns restart
-------------------------
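The dnscache allow file under ip/, the per-zone forwarding files under servers/ and the tinydns data lines (forward zone, reverse zone and hosts) all derive from the same LAN prefix, so here is an added shell example that generates them together. It is not code from this post or from the ndjbdns project. It writes under an assumed NDJBDNS_ROOT variable (a scratch directory by default) so a dry run touches nothing under /etc/ndjbdns, it emits the djbdns data-file lines that tinydns-edit would append (with explicit TTLs of my choosing), it uses one name-server address for both the forward and the reverse zone, and it refuses prefix lengths that cannot be named as an ip/ file as well as host entries outside the LAN prefix.

```shell
#!/bin/sh
# Added example, not from the post or the ndjbdns project. Derives the
# dnscache allow file, the per-zone forwarding files and the tinydns data
# lines from one LAN prefix. NDJBDNS_ROOT is an assumed variable standing
# in for /etc/ndjbdns; it defaults to a scratch directory so a dry run
# touches nothing on the system.
set -eu

NDJBDNS_ROOT="${NDJBDNS_ROOT:-$(mktemp -d)}"

# dnscache matches clients against ip/ file names octet by octet
# (ip/1.2.3.4, then ip/1.2.3, ip/1.2, ip/1), so only /32, /24, /16 and /8
# can be expressed. Other prefix lengths are refused instead of being
# silently widened to a larger network.
allow_file_name() {
    ip="${1%/*}"
    case "$1" in
        */*) bits="${1#*/}" ;;
        *)   bits=32 ;;
    esac
    case "$bits" in
        32) echo "$ip" ;;
        24) echo "$ip" | cut -d. -f1-3 ;;
        16) echo "$ip" | cut -d. -f1-2 ;;
        8)  echo "$ip" | cut -d. -f1 ;;
        *)  echo "allow_file_name: /$bits cannot be named as an ip/ file" >&2
            return 1 ;;
    esac
}

# Reverse zone for a network prefix: 192.168.1.0/24 -> 1.168.192.in-addr.arpa
reverse_zone() {
    prefix="$(allow_file_name "$1")" || return 1
    echo "$prefix" | awk -F. '{ for (i = NF; i >= 1; i--) printf "%s.", $i; print "in-addr.arpa" }'
}

# Data-file lines in djbdns's native format, the same kind of lines
# tinydns-edit appends: "." is an NS record for a zone, "=" is an A record
# plus the matching PTR record. TTLs are explicit here (my choice). Host
# entries outside the LAN prefix are refused, because their PTR would land
# in a reverse zone tinydns does not serve.
tinydns_data() {
    domain="$1"; ns_ip="$2"; lan="$3"; shift 3
    prefix="$(allow_file_name "$lan")" || return 1
    echo ".$domain:$ns_ip:a:259200"
    echo ".$(reverse_zone "$lan"):$ns_ip:a:259200"
    for entry in "$@"; do
        case "$entry" in
            *=*) ;;
            *) echo "tinydns_data: expected name=ip, got '$entry'" >&2; return 1 ;;
        esac
        name="${entry%%=*}"; ip="${entry#*=}"
        case "$ip" in
            "$prefix".*) echo "=$name:$ip:86400" ;;
            *) echo "tinydns_data: $ip is outside $lan" >&2; return 1 ;;
        esac
    done
}

# Files dnscache reads: the empty allow file under ip/ (mirrors
# /etc/ndjbdns/ip/) and one forwarding file per zone under servers/
# (mirrors /etc/ndjbdns/servers/), each pointing at tinydns on 127.0.0.1.
write_dnscache_files() {
    domain="$1"; lan="$2"
    mkdir -p "$NDJBDNS_ROOT/ip" "$NDJBDNS_ROOT/servers"
    : > "$NDJBDNS_ROOT/ip/$(allow_file_name "$lan")"
    echo 127.0.0.1 > "$NDJBDNS_ROOT/servers/$domain"
    echo 127.0.0.1 > "$NDJBDNS_ROOT/servers/$(reverse_zone "$lan")"
}

# Dry run with the post's addresses. On the real box, set NDJBDNS_ROOT to
# /etc/ndjbdns, then run tinydns-data in that directory and restart
# dnscache and tinydns.
write_dnscache_files macto.local 192.168.1.0/24
tinydns_data macto.local 192.168.1.20 192.168.1.0/24 \
    milou.macto.local=192.168.1.21 > "$NDJBDNS_ROOT/data"
echo "wrote $NDJBDNS_ROOT/data"
```

The "." line for the forward zone makes tinydns authoritative for macto.local with a.ns.macto.local as its name server; the "=" line yields both the A record and the PTR record, which is why the reverse zone must also be declared and forwarded, otherwise dnscache will send the PTR query to the root servers instead of to tinydns.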

That’s all 😀 !!!! Remember that if you want to use your new cache server, don’t forget to change your /etc/resolv.conf 🙂

OK. It was a really long post; if you’re reading this line, thank you!!!… Now maybe you prefer to run dnsmasq…. hehehe

P.S: I would like to thank Prasad J Pandit for his impressive effort in packaging NDJBDNS

P.S2: I also would like to thank Gerben Roest for his comment which helped me to clean some errors in my post

10 thoughts on “Installing NDJBDNS on CentOS 6.4”

  1. Gerben Roest says:

    Unfortunately the latest 1.0.5.6 from EPEL doesn’t work right: It only uses the file “roots” in /etc/ndjbdns/servers and not @ or any other “own domain” – file. So it can’t use tinydns for your own domains.
    Also:
    – To start tinydns it would be “service tinydns start” (not service djbdns start)
    – It’s “touch data” and not “touch data.”
    – There are html tags in your tinydns-edit example
    – You should be able to add a file “0.0.10.in-addr.arpa” containing 127.0.0.1 if your local domain is on 10.0.0.x. Then dnscache/tinydns, *if it would work right* would be able to answer reverse DNS requests.

    • n40lab says:

      Thanks a lot for your comment, I’ve corrected the errors (html tags, data. and service tinydns start) you’ve pointed out, I’m sorry about the confusion. I’ve also added a new point for solving DNS reverse requests.

      There’s only one thing I don’t understand: I’m using one file for my own domain in the servers directory and it allows me to resolve addresses for my local domain, so it’s not using only the roots file. What’s wrong in my post, so I can update it? Thank you in advance.

      • Gerben Roest says:

        I think there’s nothing wrong with your post regarding the own domain file. I did the same thing with a normal djbdns install (from source, from cr.yp.to) and put my domain file in /etc/dnscache/root/main/servers and that worked fine. So I think there’s something wrong with the EPEL release or something. I notified the guy who packages it about the problem, hopefully he finds something.

  2. Stu Green says:

    Thank you for this excellent tutorial and props to pjp for the great work done on this! I have just implemented ndjbdns in our production environment.

  3. phil young says:

    Does “ndjbdns-1.05.7-1.el6.x86_64” handle reverse-dns requests properly? It’s not working for me, but I think I set it up properly.

  4. Anonymous says:

    quit using .local as a private domain–it’s not private.
    See mDNS/Apple/Avahi and Unicast Dot Local ..
