Today I’m going to install a DNS server for my virtual lab!
This article is also valid for CentOS 6.3. I’ve updated this post removing some mistakes.
If you want a simple setup, use dnsmasq, as it’s a really good solution and there are lots of fine tutorials out there. But if you are here looking for DJBDNS, let me tell you that I started working with it when BIND (and other servers) suffered from a serious security problem. I loved it because it wasn’t vulnerable and was easy to use, though the installation was a little bit tricky.
Dr Daniel J. Bernstein created djbdns as an alternative to BIND a long time ago, but the official website looks as if it hasn’t been updated in recent years. I still use the examples and howtos on that website.
Last week I found this page about NDJBDNS (New-DJBDNS) offering “a brand new release of the DJBDNS”, so I thought it would be great to test this package in my laboratory.
If you’re using the EPEL repository (if not, read this post’s point 2):
yum install ndjbdns
Also install bind-utils so we have some useful tools like dig and host:
yum install bind-utils
In today’s post I’m going to configure the following two NDJBDNS services:
- tinydns. This service will resolve addresses for my local domain (macto.local). Warning: This post won’t help you if you want to run your own DNS server on the Internet.
- dnscache. This service will resolve Internet addresses. It will ask tinydns for addresses in my local domain, and for any other DNS request it will ask the root servers for authoritative answers and cache the responses.
As I want to use BOTH services and they both listen by default on port 53 (TCP/UDP) on the loopback address, I’ll configure tinydns to listen on 127.0.0.1 and dnscache on the server’s LAN address (e.g. 192.168.1.20). Please edit /etc/ndjbdns/dnscache.conf and set your LAN address (e.g. IP=192.168.1.20).
WARNING!!: dnscache requires you to specify which networks or servers can query your cache server, and you do that by creating an empty file named after an IP or a subnet address (read this file: /etc/ndjbdns/ip/127.0.0.1). E.g.: if I wanted to allow my 192.168.1.0/24 network to query my cache server, I’d create a file called /etc/ndjbdns/ip/192.168.1, and if I wanted to allow my 10.0.11.10 server, I’d create a file called /etc/ndjbdns/ip/10.0.11.10
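The prefix rule from the warning above, as an added shell example (not code from the original post or from the NDJBDNS project). It assumes dnscache accepts a client when a file named after the full address or any shorter dotted prefix exists, as in the original djbdns; the function names and sample entries are made up for illustration.

```shell
#!/bin/sh
# Emulates the dnscache client check against an ip/ directory so an ACL
# can be reviewed before the service is exposed on the LAN address.

# dnscache_allows DIR IP: prints the matching entry and returns 0,
# or returns 1 when no entry covers IP (the query would get no answer).
dnscache_allows() {
    dir=$1
    prefix=$2
    while [ -n "$prefix" ]; do
        if [ -e "$dir/$prefix" ]; then
            printf '%s\n' "$prefix"
            return 0
        fi
        case $prefix in
            *.*) prefix=${prefix%.*} ;;   # drop the last octet and retry
            *)   prefix= ;;               # nothing shorter left to try
        esac
    done
    return 1
}

# audit_acl DIR: prints entries wider than a /24 (fewer than three octets),
# which open the cache to far more clients than one lab LAN.
audit_acl() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case $name in
            *.*.*) ;;                         # /24 or a single host
            *)     printf '%s\n' "$name" ;;   # /16 or /8
        esac
    done
    return 0
}

# Constructed sample: the three entries from the post plus a too-broad "172".
acl=$(mktemp -d)
touch "$acl/127.0.0.1" "$acl/192.168.1" "$acl/10.0.11.10" "$acl/172"
dnscache_allows "$acl" 192.168.1.77                        # prints 192.168.1
dnscache_allows "$acl" 10.0.11.11 || echo "10.0.11.11 refused"
audit_acl "$acl"                                           # prints 172
rm -rf "$acl"
```

On the real server, point both functions at /etc/ndjbdns/ip instead of the temporary directory.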
- Start the cache service and check that it’s listening. If you use iptables, allow DNS traffic.
    service dnscache start
    netstat -ntap | grep 53
    tcp 0 0 192.168.1.20:53 0.0.0.0:* LISTEN 3378/dnscache
    netstat -anup | grep 53
    udp 0 0 192.168.1.20:53 0.0.0.0:* 3378/dnscache
    iptables -I INPUT -p tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    iptables -I INPUT -p udp --dport 53 -j ACCEPT
    service iptables save
- Check if your cache is ready. If there is no answer, check that you’ve read my previous warning.
    [root@haddock ndjbdns]# dig @192.168.1.20 www.cnn.com

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> @192.168.1.20 www.cnn.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11479
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.cnn.com. IN A

    ;; ANSWER SECTION:
    www.cnn.com. 3587 IN CNAME www.cnn.com.vgtf.net.
    www.cnn.com.vgtf.net. 108 IN CNAME cnn-lax-tmp.gslb.vgtf.net.
    cnn-lax-tmp.gslb.vgtf.net. 18 IN A 126.96.36.199

    ;; Query time: 0 msec
    ;; SERVER: 192.168.1.20#53(192.168.1.20)
    ;; WHEN: Thu Feb 14 20:50:06 2013
    ;; MSG SIZE rcvd: 110
- Ok. Now it’s tinydns time! Start the tinydns service and check that it is listening on the loopback address (the default in /etc/ndjbdns/tinydns.conf)
    service tinydns start
    # netstat -anup | grep 53
    udp 0 0 127.0.0.1:53 0.0.0.0:* 3519/tinydns
- Now I want to configure tinydns to answer queries for my local domain macto.local (e.g haddock.macto.local, milou.macto.local…).
- Let’s create an empty file called data which will be used to add the DNS entries. This file will be processed later to build a data.cdb binary file which contains the dns server database.
    cd /etc/ndjbdns
    touch data
- Our dnscache server will be the name server for our domain, and we’ll tell it how to resolve addresses in my local domain.
- We’ll add DNS entries to our data file with the tinydns-edit command. data.new will be a temporary file. Please use the man tinydns-edit command for more information.
- We have to submit our new DNS records using tinydns-data. This command will convert the data text file into a data.cdb database file.
    tinydns-edit data data.new add ns macto.local 192.168.1.20 #Our name server is 192.168.1.20
    tinydns-edit data data.new add host milou.macto.local 192.168.1.21 #Adding a host
    tinydns-data
Note: If you want to remove an entry, edit the data file, remove the line and submit your changes with tinydns-data.
- OK. Let’s check if tinydns server can resolve host names in my local domain:
    # host milou.macto.local 127.0.0.1
    Using domain server:
    Name: 127.0.0.1
    Address: 127.0.0.1#53
    Aliases:

    milou.macto.local has address 192.168.1.21
- Good! Now we have to configure our cache server so it can answer queries for my local domain. In fact, the cache server will forward the queries to the tinydns service (127.0.0.1)
- Go to /etc/ndjbdns/servers and create a file with the name of your local domain (e.g. macto.local). Now edit it and add a line like this: 127.0.0.1. Thanks to that line, dnscache knows that if someone asks for xxxx.macto.local it’ll have to ask 127.0.0.1 (tinydns) for it.
    # host milou.macto.local 192.168.1.20
    Using domain server:
    Name: 192.168.1.20
    Address: 192.168.1.20#53
    Aliases:

    milou.macto.local has address 192.168.1.21
If you want to resolve reverse DNS requests:
- I’ve created a file called 1.168.192.in-addr.arpa with the line 127.0.0.1 in it (thank you Gerben Roest)
- I’ve added an ns record for X.X.X.X.in-addr.arpa (e.g. 1.168.192.in-addr.arpa)
    tinydns-edit data data.new add ns 1.168.192.in-addr.arpa 127.0.0.1
    tinydns-data
    service dnscache restart
    service tinydns restart

-------------------------
That’s all 😀 !!!!, remember that if you want to use your new cache server don’t forget to change your /etc/resolv.conf 🙂
OK. It was a really long post if you’re reading this line thank you!!!… now maybe you prefer to run dnsmasq…. hehehe
P.S: I would like to thank Prasad J Pandit for his impressive effort in packaging NDJBDNS
P.S2: I also would like to thank Gerben Roest for his comment which helped me to clean some errors in my post