Installing NDJBDNS on CentOS 6.4

Today I’m going to install a DNS server for my virtual lab!

This article is also valid for CentOS 6.3. I've updated this post to remove some mistakes.

If you want a simple setup, use dnsmasq: it's a really good solution and there are lots of fine tutorials out there. But if you are here looking for DJBDNS, let me tell you that I started working with it when BIND (and other servers) suffered from a serious security problem. I loved it because it wasn't vulnerable and was easy to use, though the installation was a little tricky.

Dr Daniel J. Bernstein created djbdns as an alternative to BIND a long time ago, but the official website looks as if it hasn't been updated in years. I still use the examples and howtos on that website.

Last week I found this page about NDJBDNS (New-DJBDNS) offering "a brand new release of the DJBDNS", so I thought it would be great to test this package in my laboratory.

If you're using the EPEL repository (if not, see point 2 of this post):

yum install ndjbdns

Also install bind-utils so we get some useful tools like dig and host:

yum install bind-utils

In today’s post I’m going to configure the following two NDJBDNS services:

  • tinydns. This service will resolve addresses for my local domain (macto.local). Warning: this post won't help you if you want to run your own DNS server on the Internet.
  • dnscache. This service will resolve Internet addresses: it will ask tinydns for names in my local domain, ask the root servers for authoritative answers for anything else, and cache the responses for later queries.

As I want to use BOTH services and both listen by default on port 53 TCP/UDP on the loopback address, I'll configure tinydns to listen on and dnscache on the server's LAN address (e.g. Please edit /etc/ndjbdns/dnscache.conf and set your LAN address (e.g. IP=

WARNING!!: dnscache requires you to specify which networks or servers can query your cache server, and you do that by creating an empty file named after an IP address or a subnet prefix (read this file: /etc/ndjbdns/ip/ E.g.: if I want to allow my whole network to ask my cache server I create a file called /etc/ndjbdns/ip/192.168.1, and if I want to allow just my server I create a file called /etc/ndjbdns/ip/

  • Start the cache service and check that it's listening. If you use iptables, allow DNS traffic. Keep in mind that the ip/ access list is what stops dnscache from answering strangers (an open resolver); restricting the iptables rule to your LAN with -s (e.g. -s 192.168.1.0/24) is a cheap second layer.
service dnscache start

netstat -ntap | grep 53
tcp 0 0* LISTEN 3378/dnscache

netstat -anup | grep 53
udp 0 0* 3378/dnscache

iptables -I INPUT -p tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -p udp --dport 53 -j ACCEPT
service iptables save
  • Check if your cache is ready. If there is no answer, re-read the warning above about the /etc/ndjbdns/ip/ files.
[root@haddock ndjbdns]# dig @

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> @
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11479
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

; IN A


;; Query time: 0 msec
;; WHEN: Thu Feb 14 20:50:06 2013
;; MSG SIZE rcvd: 110
  • OK. Now it's tinydns time! Start the tinydns service and check that it is listening on the loopback address (the default in /etc/ndjbdns/tinydns.conf).
service tinydns start

# netstat -anup | grep 53
udp 0 0* 3519/tinydns
  • Now I want to configure tinydns to answer queries for my local domain macto.local (e.g haddock.macto.local, milou.macto.local…).
  • Let's create an empty file called data which will be used to add the DNS entries. This file will be processed later to build a data.cdb binary file, which contains the DNS server database.
cd /etc/ndjbdns
touch data
  • Our dnscache server will be the name server for our domain and we'll tell it how to resolve my local domain's addresses.
  • We'll add DNS entries to our data file with the tinydns-edit command. will be a temporary file. See man tinydns-edit for more information.
  • We have to submit our new DNS records with tinydns-data. This command converts the data text file into the data.cdb database file.
tinydns-edit data add ns macto.local #Our name server is
tinydns-edit data add host milou.macto.local #Adding a host

Note: if you want to remove an entry, edit the data file, delete the line and submit your changes again with tinydns-data.

  • OK. Let's check if the tinydns server can resolve host names in my local domain:
# host milou.macto.local
Using domain server:
milou.macto.local has address
  • Good! Now we have to configure our cache server so it can answer queries for my local domain. In fact the cache server will forward those queries to the tinydns service (
  • Go to /etc/ndjbdns/servers and create a file named after your local domain (e.g. macto.local). Now edit it and add a line like this: Thanks to that line, dnscache knows that if someone asks for xxxx.macto.local it has to ask (tinydns) for it.
# host milou.macto.local
Using domain server:

milou.macto.local has address

If you want to resolve reverse DNS requests as well:

  • I've created a file called with the line in it (thank you Gerben Roest).
  • I've added an ns record for (e.g.
tinydns-edit data add ns
service dnscache restart
service tinydns restart
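The forward and reverse steps above all come down to three things: record lines in the tinydns data file, one servers/<zone> file per zone that dnscache should forward, and one empty ip/<prefix> file per client network that dnscache may answer. The script below is an added example (not code from this post or from the ndjbdns project) that stages that whole layout in a scratch directory, so you can check it without root and without ndjbdns installed, and then mimics dnscache's client-address check so you can see who would get an answer. The domain macto.local and the prefix 192.168.1 come from the post; tinydns on 127.0.0.1, the host addresses .10 and .20 and the function names are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post, nor from the ndjbdns project):
# build the tinydns "data" records and the dnscache "servers/" and "ip/"
# files for a lab domain in a staging directory, so the layout can be
# checked without root and without ndjbdns installed. To use it for real,
# copy the staged tree over /etc/ndjbdns, run tinydns-data there and
# restart both services.
# Assumptions (constructed for the example): lab domain macto.local,
# LAN prefix 192.168.1, tinydns on 127.0.0.1, hosts milou and haddock.

LAB_DOMAIN=${LAB_DOMAIN:-macto.local}
LAN_PREFIX=${LAN_PREFIX:-192.168.1}
TINYDNS_IP=${TINYDNS_IP:-127.0.0.1}

# tinydns-data line for a zone's SOA, NS and the NS host's A record;
# the trailing "a" names the server a.ns.<zone>, like "tinydns-edit ... add ns".
ns_record() {    # ns_record <zone> <ns_ip>
    printf '.%s:%s:a\n' "$1" "$2"
}

# "=" lines give an A record plus the matching PTR (what "add host" writes).
host_record() {  # host_record <fqdn> <ip>
    printf '=%s:%s\n' "$1" "$2"
}

# Reverse zone name for a dotted /24 prefix: 192.168.1 -> 1.168.192.in-addr.arpa
reverse_zone() { # reverse_zone <a.b.c>
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
}

# Write the whole lab configuration under <stagedir>/ndjbdns.
build_lab_config() {  # build_lab_config <stagedir>
    conf=$1/ndjbdns
    rev=$(reverse_zone "$LAN_PREFIX")
    mkdir -p "$conf/servers" "$conf/ip"

    {
        ns_record "$LAB_DOMAIN" "$TINYDNS_IP"
        ns_record "$rev" "$TINYDNS_IP"
        host_record "milou.$LAB_DOMAIN" "$LAN_PREFIX.10"
        host_record "haddock.$LAB_DOMAIN" "$LAN_PREFIX.20"
    } > "$conf/data"

    # Forwarding: dnscache sends queries for <zone> to the addresses in servers/<zone>.
    printf '%s\n' "$TINYDNS_IP" > "$conf/servers/$LAB_DOMAIN"
    printf '%s\n' "$TINYDNS_IP" > "$conf/servers/$rev"

    # Access control: an empty ip/<prefix> file admits every client under that prefix.
    : > "$conf/ip/$LAN_PREFIX"
    : > "$conf/ip/127.0.0.1"
}

# Mirror dnscache's client check: look for ip/<client>, then the client
# address with trailing octets stripped one at a time (192.168.1.77,
# 192.168.1, 192.168, 192). Returns 0 if the client would be answered.
dnscache_allows() {  # dnscache_allows <stagedir> <client_ip>
    ipdir=$1/ndjbdns/ip
    ip=$2
    while [ -n "$ip" ]; do
        [ -e "$ipdir/$ip" ] && return 0
        case $ip in
            *.*) ip=${ip%.*} ;;
            *)   ip= ;;
        esac
    done
    return 1
}

STAGE=${STAGE:-$(mktemp -d)}
build_lab_config "$STAGE"
echo "Staged under $STAGE/ndjbdns; tinydns data:"
cat "$STAGE/ndjbdns/data"
```

Run it as `STAGE=/tmp/lab sh stage-ndjbdns.sh`, inspect /tmp/lab/ndjbdns, then `dnscache_allows /tmp/lab 192.168.1.77` returns 0 while `dnscache_allows /tmp/lab 10.0.0.5` returns 1: exactly the "no answer" symptom from the warning above for a client not covered by an ip/ file. Once the tree is copied into /etc/ndjbdns, tinydns-data builds data.cdb from the data file and both services need a restart, as in the steps above.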

That's all 😀 !!!! Remember that if you want to use your new cache server, don't forget to point /etc/resolv.conf at it 🙂

OK. It was a really long post; if you're reading this line, thank you!!!... Now maybe you prefer to run dnsmasq... hehehe

P.S: I would like to thank Prasad J Pandit for his impressive effort in packaging NDJBDNS

P.S2: I would also like to thank Gerben Roest for his comment, which helped me clean up some errors in my post.