Building a Public DNS Server with tinydns

You’ve set up some servers (mail, web, FTP) that need to be accessible to the outside world. They need domain names, like www.oreilly.com, since you don’t want people using IP addresses. You want to run your own DNS server to provide those names. You tried BIND, and it was just too complicated. Or you heard some scary talk about BIND security problems. Whatever the reason, you’ve decided to use djbdns. So how do you make it go?


First, follow the preparatory steps in to run a public DNS server. Then follow these steps to install and set up tinydns, which is the authoritative DNS server component of djbdns. If you are also running dnscache, it must not have the same IP address as tinydns. This is a very important security measure. Both dnscache and tinydns will fail silently if you do it anyway.

Follow these steps in for djbdns installation. Then, create two system users, using any names you like. One will own the tinydns server and the other will own its log:

# useradd -d /dev/null -s /bin/false tinydns

# useradd -d /dev/null -s /bin/false dnslog

Run tinydns-conf to create directories and set the IP address of the tinydns server. List your system users in the order shown here:

# tinydns-conf tinydns dnslog /etc/tinydns 208.201.239.36

Create a startup entry in service:

# ln -s /etc/tinydns /service

Wait a few seconds, then run svstat to verify that it started:

# svstat /service/tinydns
/service/tinydns: up (pid 6811) 14 seconds

If tinydns won’t stay up continuously, check the logfile in /etc/tinydns/log/main/current. That will tell you where the problem is.

Now it’s time to create your host entries. This example shows how to create entries using the scripts that come with tinydns. The domain name is pixels.net, which is duly registered with a domain name registrar, and the hosts are:


Address          Hostname   Role         Alias
208.201.239.36   parsley    DNS, mail
208.201.239.37   sage       FTP          ftp
208.201.239.38   rosemary   Web server   www

Create the host entries as follows:

# cd /service/tinydns/root

# ./add-ns pixels.net 208.201.239.36

# ./add-ns .239.201.208.in-addr.arpa 208.201.239.36

# ./add-host parsley.pixels.net 208.201.239.36

# ./add-host sage.pixels.net 208.201.239.37

# ./add-host rosemary.pixels.net 208.201.239.38

# ./add-alias ftp.pixels.net 208.201.239.37

# ./add-alias www.pixels.net 208.201.239.38

# make

That’s all it takes to build a tinydns server.

The previous commands inserted data into /etc/tinydns/root/data; here’s what it looks like:

.pixels.net:208.201.239.36:a:259200

.239.201.208.in-addr.arpa:208.201.239.36:a:259200

=parsley.pixels.net:208.201.239.36:86400

=sage.pixels.net:208.201.239.37:86400

=rosemary.pixels.net:208.201.239.38:86400

+ftp.pixels.net:208.201.239.37:86400

+www.pixels.net:208.201.239.38:86400

You typically configure djbdns by running configuration scripts, not by editing the data file by hand. Here are the available configuration scripts:

add-host: Creates both an A record and a matching PTR (reverse pointer) record
add-mx: Adds a mail server
add-ns: Adds a name server
add-alias: Creates an A record but not a matching PTR
add-childns: Adds a child name server—use this when you want to act like an ISP and host other name servers

Here is a list of the leading symbols used by tinydns:

. (leading dot): Name server
=: Both pointer (PTR) and A record
+: A record
&: NS and A records
@: MX and A records
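To see exactly which records each leading symbol turns into, here is an added example (not part of djbdns and not from the recipe) that expands the five line types above into the resource records tinydns would answer with, using the default TTLs the add-* scripts write. It also flags the mistake the add-host/add-alias distinction exists to prevent: two "=" lines on one IP address, which would give that address two PTR records. Treating an omitted x field as "a" is an assumption made for this example; the sample data is the file shown above.

```python
"""Expand tinydns-data lines into the resource records tinydns would serve.

Added example, not part of djbdns: the expansion rules follow the
tinydns-data file format ('.', '&', '=', '+', '@' lines) with the
default TTLs the add-* scripts write.
"""
from dataclasses import dataclass

DEFAULT_TTL = {".": 259200, "&": 259200, "=": 86400, "+": 86400, "@": 86400}


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str
    ttl: int


def _field(fields, i, default=""):
    """Return fields[i], or default when it is missing or empty."""
    return fields[i] if i < len(fields) and fields[i] != "" else default


def _reverse_name(ip):
    """d.c.b.a.in-addr.arpa for the IPv4 address a.b.c.d."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def _qualify(label, suffix, fqdn):
    """An x containing a dot is used as-is; otherwise it means x.<suffix>.<fqdn>."""
    return label if "." in label else f"{label}.{suffix}.{fqdn}"


def expand_line(line):
    """Records generated by one data line (comments and blank lines give none)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    kind, fields = line[0], line[1:].split(":")
    if kind not in DEFAULT_TTL:
        raise ValueError(f"leading symbol {kind!r} not handled here: {line!r}")
    fqdn, ip = fields[0], _field(fields, 1)
    recs = []
    if kind in ".&":
        # Assumption for this example: an omitted x is treated as "a",
        # the letter the add-ns script wrote in the data file above.
        ns = _qualify(_field(fields, 2, "a"), "ns", fqdn)
        ttl = int(_field(fields, 3, DEFAULT_TTL[kind]))
        recs.append(Record(fqdn, "NS", ns, ttl))
        if ip:
            recs.append(Record(ns, "A", ip, ttl))
        if kind == ".":  # '.' additionally makes tinydns authoritative (SOA)
            recs.append(Record(fqdn, "SOA", ns, ttl))
    elif kind in "=+":
        if not ip:
            raise ValueError(f"{kind} line needs an IP address: {line!r}")
        ttl = int(_field(fields, 2, DEFAULT_TTL[kind]))
        recs.append(Record(fqdn, "A", ip, ttl))
        if kind == "=":  # add-host: forward and reverse; add-alias ('+') skips PTR
            recs.append(Record(_reverse_name(ip), "PTR", fqdn, ttl))
    else:  # "@": mail exchanger, default distance 0
        mx = _qualify(_field(fields, 2, "a"), "mx", fqdn)
        dist = int(_field(fields, 3, "0"))
        ttl = int(_field(fields, 4, DEFAULT_TTL[kind]))
        recs.append(Record(fqdn, "MX", f"{dist} {mx}", ttl))
        if ip:
            recs.append(Record(mx, "A", ip, ttl))
    return recs


def expand_data(text):
    return [rec for line in text.splitlines() for rec in expand_line(line)]


def duplicate_ptrs(records):
    """Reverse names that got more than one PTR (two '=' lines on one IP)."""
    seen = {}
    for rec in records:
        if rec.rtype == "PTR":
            seen.setdefault(rec.name, []).append(rec.value)
    return {name: names for name, names in seen.items() if len(names) > 1}


# The data file from the recipe above.
PIXELS_DATA = """\
.pixels.net:208.201.239.36:a:259200
.239.201.208.in-addr.arpa:208.201.239.36:a:259200
=parsley.pixels.net:208.201.239.36:86400
=sage.pixels.net:208.201.239.37:86400
=rosemary.pixels.net:208.201.239.38:86400
+ftp.pixels.net:208.201.239.37:86400
+www.pixels.net:208.201.239.38:86400
"""

if __name__ == "__main__":
    for rec in expand_data(PIXELS_DATA):
        print(f"{rec.name:40} {rec.ttl:>7} IN {rec.rtype:4} {rec.value}")
    # Constructed mistake: add-host used for the alias, so sage's IP gets two PTRs.
    print(duplicate_ptrs(expand_data(PIXELS_DATA.replace("+ftp", "=ftp"))))
```

Run it against /service/tinydns/root/data before `make` and the PTR check tells you whether an alias was added with add-host by mistake; the expansion listing is also a quick way to confirm that the two "." lines produced the NS, A and SOA records you expect for both the forward and the reverse zone.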

As you can see, tinydns thoughtfully calculates the time-to-live (TTL) values for you. The TTL tells caching servers, in seconds, how often they should come back to refresh their information. tinydns will continue to adjust these automatically; don’t worry about tweaking them manually.

You can edit the djbdns data file manually, if you want. You can add comments, change the order of the entries, whatever you like. The scripts are for convenience, and to ensure that each entry is in the correct format. Just remember to run make every time you make a change, to convert the file to /etc/tinydns/root/data.cdb.

The clear separation of functions is one of the strengths of djbdns. You do not want your caching server anywhere near your authoritative DNS server. In other words, the IP addresses listed in /etc/resolv.conf should never match any IP addresses listed in NS records. If your caching server is compromised and is running on the same IP address as your DNS server, the attacker could misdirect all of your traffic, including "secure" web applications.
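The two separation rules in this recipe (dnscache and tinydns must not share an address, and no resolver address in /etc/resolv.conf may also be an authoritative address) are easy to check mechanically. The following is an added example, not code from djbdns: it takes the tinydns and dnscache addresses (as written to /etc/tinydns/env/IP and /etc/dnscache/env/IP by tinydns-conf and dnscache-conf), the text of /etc/resolv.conf and the tinydns data file, and reports any overlap. The sample inputs are constructed to match the recipe's layout.

```python
"""Check that the authoritative tinydns address is kept apart from any resolver.

Added example, not part of djbdns. Inputs: the IP from /etc/tinydns/env/IP
and /etc/dnscache/env/IP (written by tinydns-conf and dnscache-conf), the
contents of /etc/resolv.conf, and the tinydns data file.
"""
import re


def resolv_conf_nameservers(text):
    """Addresses named on 'nameserver' lines of resolv.conf-style text."""
    return [m.group(1) for m in re.finditer(r"^\s*nameserver\s+(\S+)", text, re.M)]


def ns_addresses(data_text):
    """Addresses tinydns advertises for name servers: the ip field of '.' and '&' lines."""
    ips = set()
    for line in data_text.splitlines():
        if line[:1] in (".", "&"):
            fields = line[1:].split(":")
            if len(fields) > 1 and fields[1]:
                ips.add(fields[1])
    return ips


def separation_problems(tinydns_ip, dnscache_ip, resolv_text, data_text):
    """Return findings; an empty list means the layout is as the recipe requires."""
    problems = []
    if dnscache_ip and dnscache_ip == tinydns_ip:
        problems.append(f"dnscache and tinydns are both bound to {tinydns_ip}; "
                        "both will fail silently")
    authoritative = ns_addresses(data_text) | {tinydns_ip}
    for ip in sorted(set(resolv_conf_nameservers(resolv_text)) & authoritative):
        problems.append(f"{ip} is a resolver in resolv.conf and also an authoritative address")
    return problems


# Constructed inputs modelled on the recipe: tinydns on the public address,
# dnscache on loopback, resolv.conf pointing only at the cache.
DATA = """\
.pixels.net:208.201.239.36:a:259200
.239.201.208.in-addr.arpa:208.201.239.36:a:259200
=parsley.pixels.net:208.201.239.36:86400
"""
GOOD_RESOLV = "search pixels.net\nnameserver 127.0.0.1\n"
BAD_RESOLV = "search pixels.net\nnameserver 208.201.239.36\n"

if __name__ == "__main__":
    print(separation_problems("208.201.239.36", "127.0.0.1", GOOD_RESOLV, DATA))
    # Constructed misconfiguration: cache and authoritative server on one address,
    # and the hosts resolving through the authoritative address.
    print(separation_problems("208.201.239.36", "208.201.239.36", BAD_RESOLV, DATA))
```

On a live host, read the two env/IP files and /etc/resolv.conf into the function's arguments; any finding means the caching and authoritative roles are not separated the way this recipe requires.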