Building a Public DNS Server with tinydns

You’ve set up some servers (mail, web, FTP) that need to be accessible to the outside world. They need domain names, like, since you don’t want people using IP addresses. You want to run your own DNS server to provide those names. You tried BIND, and it was just too complicated. Or you heard some scary talk about BIND security problems. Whatever the reason, you’ve decided to use djbdns. So how do you make it go?


First, follow the preparatory steps in to run a public DNS server. Then follow these steps to install and set up tinydns, which is the authoritative DNS server component of djbdns. If you are also running dnscache, it must not have the same IP address as tinydns. This is a very important security measure. Both dnscache and tinydns will fail silently if you do it anyway.

Follow these steps in for djbdns installation. Then, create two system users, using any names you like. One will own the tinydns server and the other its log:

# useradd -d /dev/null -s /bin/false tinydns

# useradd -d /dev/null -s /bin/false dnslog

Run tinydns-conf to create directories and set the IP address of the tinydns server. List your system users in the order shown here:

# tinydns-conf tinydns dnslog /etc/tinydns

Create a startup entry in service:

# ln -s /etc/tinydns /service

Wait a few seconds, then run svstat to verify that it started:

# svstat /service/tinydns
/service/tinydns: up (pid 6811) 14 seconds

If tinydns won’t stay up continuously, check the logfile in /etc/tinydns/log/main/current. That will tell you where the problem is.

Now it’s time to create your host entries. This shows how to create entries using the scripts that come with tinydns. In this example the domain name is, which is duly registered with a domain name registrar.


DNS, mail

Web server

Create the host entries as follows:

# cd /service/tinydns/root

# ./add-ns

# ./add-ns

# ./add-host

# ./add-host

# ./add-host

# ./add-alias

# ./add-alias

# make

That’s all it takes to build a tinydns server.

The previous commands inserted data into /etc/tinydns/root/data; here’s what it looks like:

You typically configure djbdns by running configuration scripts, not by editing the data file by hand. Here are the available configuration scripts:


Creates both an A (alias) record and a PTR (reverse pointer)


Adds a mail server


Adds a name server


Creates an A record but not a matching PTR


Adds a child name server—use this when you want to act like an ISP and host other name servers

Here is a list of the leading symbols used by tinydns:

. (leading dot)

Name server


Both pointer (PTR) and A record


A record


NS and A records


MX and A records

As you can see, tinydns thoughtfully fills in the time-to-live (TTL) values for you. The TTL tells caching servers, in seconds, how long they may keep a record before coming back to refresh it. tinydns will continue to set these automatically; don’t worry about tweaking them manually.

You can edit the djbdns data file manually, if you want. You can add comments, change the order of the entries, whatever you like. The scripts are for convenience, and to ensure that each entry is in the correct format. Just remember to run make every time you make a change, to compile the file into /etc/tinydns/root/data.cdb, which is what tinydns actually reads.

The clear separation of functions is one of the strengths of djbdns. You do not want your caching server anywhere near your authoritative DNS server. In other words, the IP addresses listed in /etc/resolv.conf should never match any IP addresses listed in NS records. If your caching server is compromised and is running on the same IP address as your authoritative server, the attacker could misdirect all of your traffic, including "secure" web applications.
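A quick check for the rule in the previous paragraph, written here as an added example (not part of the recipe or of djbdns): it reads the NS-bearing lines of a tinydns data file and the nameserver lines of resolv.conf and reports any address that appears in both. The two file contents are constructed samples, and the second resolver in them is deliberately wrong.

```python
"""Added example: flag any resolv.conf nameserver that is also an
authoritative NS address in a tinydns data file (constructed samples)."""
import ipaddress

# Constructed /etc/tinydns/root/data: '.' lines yield NS+A+SOA, '&' lines
# yield delegated NS+A; '=', '+' and '@' lines carry no NS record.
SAMPLE_DATA = """\
.example.test:192.0.2.53:a
.example.test:192.0.2.54:b
&child.example.test:192.0.2.99:a
=www.example.test:192.0.2.80
+ftp.example.test:192.0.2.80
@example.test:192.0.2.25:a
"""

# Constructed /etc/resolv.conf whose second resolver is misconfigured:
# it points at one of the authoritative servers above.
SAMPLE_RESOLV = """\
search example.test
nameserver 127.0.0.1
nameserver 192.0.2.53
"""

def ns_addresses(data_text):
    """IP field of '.' and '&' lines, the only types that produce NS records."""
    addrs = set()
    for line in data_text.splitlines():
        if not line or line[0] not in ".&":
            continue
        fields = line[1:].split(":")          # fqdn:ip:x[:ttl:timestamp:lo]
        if len(fields) >= 2 and fields[1]:    # empty ip field adds no A record
            addrs.add(ipaddress.ip_address(fields[1]))
    return addrs

def resolver_addresses(resolv_text):
    """IPs named on 'nameserver' lines of resolv.conf."""
    addrs = set()
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            addrs.add(ipaddress.ip_address(parts[1]))
    return addrs

def shared_addresses(data_text, resolv_text):
    """Resolver addresses that are also NS targets; the recipe says: none."""
    shared = ns_addresses(data_text) & resolver_addresses(resolv_text)
    return [str(a) for a in sorted(shared, key=int)]

for ip in shared_addresses(SAMPLE_DATA, SAMPLE_RESOLV):
    print(f"WARNING: {ip} is both a caching resolver and an authoritative NS")
```

Point the two functions at the real /etc/resolv.conf and /etc/tinydns/root/data after every make; an empty result is the state the recipe requires.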