djbdns on a home server cable connection

Up to now, I have been using ZoneEdit for handling my DNS, but now I have begun to realize I cannot depend on them 100%. One of my zone files got messed up and now I'm ready to start doing my own DNS.

I'm running Redhat 9, and although I have BIND installed, I've been hearing many bad things about security and complexity, so I want to try using djbdns.

Before I get started, I have a few questions:

Since I am on cable, I have only one IP address: 24.116.177.127. From the howto's I have been reading, I think this is going to be a problem because they all say that I need to have 2 IPs in order to do this.

Since I am running my server behind a router, I am using a private IP for my server: 192.168.0.50. What IP's should I use for setting up djbdns?

I think the rest of the install seems pretty simple, but since I'm on cable, there are few howtos or instructions that explain how to handle my situation.

Thanks in advance for any help.

You've started off on the right foot, then

Just set both a.ns.your_domain.com and b.ns.your_domain.com to the same IP address (24.116.177.127) with your domain name registrar.

24.116.177.127 -- but make sure that your router forwards UDP traffic on port 53 to 192.168.0.50.

Ok, let me make sure I understand. When I update the domain record I need to put the same same thing for both name servers?

Why do they recommend I do this with 2 different IP's? Is it just more efficient or something?

Sorry, I'm very net to DNS.

You put the same IP, yes.

You registrar should have an option to create name server records for this domain. It's called "Create Name Server Host Records" on my registrar. You need to create the following:

a.ns.your_domain.com pointing to 24.116.177.127

b.ns.your_domain.com pointing to 24.116.177.127


It's for redundancy. Having two name server entries means you can have two separate name servers at two separate locations. However, if you have one machine serving web, mail, and DNS, then it's silly to have a second DNS server. See http://cr.yp.to/djbdns/third-party.html for further discussion.

Hmmm, they didn't seem to have this feature. Or maybe they do have it and I'm just looking in the wrong place. I'm with networksolutions.com for all of my domains.

Anyway, here's what I have done so far...

I downloaded and installed daemontools, ucspi-tcp, and djbdns-1.05. I installed all of them according to various howto's I have been reading. I created the users tinydns, dnslog, and dnscache.

From there, I ran...

# dnscache-conf dnscache dnslog /etc/dnscache 192.168.0.1
# touch /etc/dnscache/root/ip/192.168.0

Sorry, I know you said to use my external IP for both, but the howto's I have been reading all seemed to be doing it this way, so I figured I would go with the flow, so as not to confuse myself. Please let me know if this is a show-stopper, but from what I can tell it doesn't matter.

Then, I put "nameserver 192.168.0.1" into /etc/resolv.conf.

Then ran...

# ln -s /etc/dnscache /service
# tinydns-conf tinydns dnslog /etc/tinydns 24.116.177.127
# ln -s /etc/tinydns /service
# ./add-ns websupport.cc 24.116.177.127
# ./add-ns 177.116.24.in-addr.arpa 24.116.177.127


So far, I'm positive dnscache is working because I'm able to do an nslookup on various hosts and it works fine.

What I'm NOT sure about is whether tinydns is doing it's thing. The problem (I think) is that I need to change the name servers with network solutions. But what do I change them to? I think they should be ns1.websupport.cc and ns2.websupport.cc. Here is a copy of my data file so far. Please tell me if you see me doing anything wrong.

########################################

.websupport.cc:24.116.177.127:a:259200

# REVERSE LOOKUPS
.177.116.24.in-addr.arpa:24.116.177.127:a:259200

# COMPUTERS (Just one)
=slaveone.websupport.cc:24.116.177.127:3600

# NAMESERVER ALIASES FOR WEBSUPPORT
+ns1.websupport.cc:24.116.177.127:3600
+ns2.websupport.cc:24.116.177.127:3600

# SITE: DMBONEDUST.COM
.dmbonedust.com::ns1.dmbonedust.com:3600
.dmbonedust.com::ns2.dmbonedust.com:3600
+*.dmbonedust.com:24.116.177.127:3600
@dmbonedust.com:24.116.177.127:dmbonedust.com::3600

# SITE: DMJI.COM
.dmji.com::ns1.dmji.com:3600
.dmji.com::ns2.dmji.com:3600
+*.dmji.com:24.116.177.127:3600
@dmji.com:24.116.177.127:dmji.com::3600

########################################

You know, it's funny.... all of these howto's I have been reading only focus on what to do for installing djbdns. None of them say what to put for the nameservers with your domain registrar.

Anyway, thanks in advance for all your help thus far. It is sincerely appreciated.

Use this:
Before you ask why do a search here first, I don't want to go over the same thing hundred times, the data file format of tinydns has been discussed and answered almost a hundred times already.
Note on the wildcard, DON'T USE IT, add an A record (for the line begins with a +) by hand if needed.

Hey freebsd! Thanks for saving my bacon once again! I appreciate all the help with that apache problem last week. Everything is still running great.

I have setup the data file as you specified, and I went to my domain registrar to change one of the name servers so I could test everything. When I entered ns1.mydomain.com and ns2.mydomain.com, it asked me for the IP addresses for those name servers. So I entered my IP of 24.116.177.127 into both. It said I could not use the same IP numbers for both of them, so I tried just entering the one IP for the first name server. It then said it could not validate the IP number. Any idea what that means? What should I do? I know the port is open on my router. I have opened up UDP port 53.

Also, when I run ps -ef I see [dnscache <defunct>] which is always showing the current time no matter when I run the command. I have tried restarting dnscache with svc -t /service/dnscache/ but it still remains on the list. Supervise tinydns has been running since yesterday and it all seems to be working fine. Is this a problem I should be worried about?

And this time I searched heavily for these error messages before posting. I hate generating excess clutter on the forums unless I must.

Then you need to find ways to get around this.

Don't use -t, use in your script. To stop it use /usr/local/bin/svc -dx /service/* /service/*/log. Apparently there was a problem with your startup script or it's been started twice. The fix is to stop it completely, kill the processes by hand, remove anything in /services/ directory and recreate the symlink again, then fire up the script.

Oh man, this is so frustrating. I just ran the following commands...

svc -d /etc/tinydns
svc -d /etc/tinydns/log
svc -d /etc/dnscache
svc -d /etc/dnscache/log

and I check ps -ef and it says they are still running! So I moved the symlinks from /service somewhere else. This allowed me to kill the processes using kill. Now running ps -ef, they are gone. Horray!

Well, now I go and move the symlinks back and svscan starts them up again. Great. But when I run ps -ef again there is still dnscache defunct and now a new one... envuidgid defunct.

Obviously I have screwed up something terribly.

Beside tinydns and dnscache, what else is supervised? I just reread your first post and found out a problem because your redhat is not physically connected to the Internet, therefore, you can't use 24.116.177.127 in /etc/tinydns/root/IP. This file named IP must be an IP that has been ifconfig'd and correspond with your machine's IP. Apparently you are using non-routable IP like 192.168.0.50.
Sorry, my fault for not reading your first post but jumped directly to the data.cdb file of tinydns.
Anyhow, you should kill those processes, remove the symlinks and start it all over. I must mention that, you can't use the same IP for dnscache and tinydns, they must be different. If you run out of 192.168.0.x IP just create alias and ifconfig it properly. As far as your router port forwarding setup, you forward udp 53 to your tinydns's IP, you need not to do anything in router for dnscache's IP, since dnscache is merely a client tool for your redhat, and your LAN, and doesn't need to listen to connections made to 24.116.177.127 at all.

I have qmail running supervised, as well as the logging for that. Maybe there is some kind of conflict?

Like we talking about in that other forum, I'm still waiting on SpeakEasy to set everything up so I WILL eventually have more then one IP, but I only have one for now.

I think what you are telling me to do is.... I need to ifconfig so the machine will respond to more than one IP.... maybe that could be 192.168.0.51? That way I have more than one IP that I can listen on. Maybe have dnscache listening on 50 and tinydns listening on 51?

Exactly. And when 24.116.177.127 hasn't been ifconfig'd, or non-local, any djb software won't/can't use it. You just can't bind it to a remote IP that's not local.


Good idea, because you can't use 24.116.177.127 anywhere since it's been assigned to your router. Additional note:
1) You need to set tinydns to listen to 192.168.0.x IP
2) For dnscache you may set it to 192.168.0.x or 127.0.0.1 so it doesn't conflict with tinydns (both use udp 53). If you use 127.0.0.1 then your other computers on LAN can't utilize your dnscache, probably not what you wanted.
3) Better yet, just sell your router on ebay and use your box as the replacement then you can ifconfig your static IP locally. You don't shutdown your server do you?


Which package are you getting? How many box do you have? And what OS do they run?
Personally I run a half dozen of *BSDs machines for server purpose to split up the loads. All 6 have dnscache installed. 5 of the 6 listen on loopback and the primary one on 192.168.0.x. Those 5 use forward-only setup.

Ok then, I will start moving in that direction. Looking at djb's website, I found the following information about ifconfig (I've never used this command before -- big surprise, huh?)

ifconfig eth0:0 192.168.0.51 netmask 255.255.255.0

Then to setup the machine to respond to this IP after each reboot, I add the following to /etc/network/interfaces

auto eth0:0
iface eth0:0 inet static
address 192.168.0.51
netmask 255.255.255.0

Does all that sound good? This essentially sets up an alias to 192.168.0.51.

I think I will just use 127.0.0.1 for dnscache, since I only have one *nix machine and no need to share the cache with other (Windows) machines on the LAN.

I wouldn't mind dumping the router, but I need it for sharing the internet connection to my house, and I'm using it for a firewall. I'm not very good with iptables yet.... at least not good enough to protect my entire box from the open internet. Any recommendations for books on how to configure iptables? If I learned how, I wouldn't mind giving it a try.

I'm running Redhat 9. And no, I don't really shutdown the machine for very long.

The only thing Speakeasy had available in my area was SDSL. The package I'm getting is 768 up / 768 down with 4 IP's. Maybe I could pay for more, but they only mentioned that I would be getting 4. I didn't think to ask them about what you said in the apache forum about getting unlimited IP's. I was so glad to hear I could actually get more than one IP, that was good enough for me!

Then stick with your router, iptables is not a so stateful firewall anyway. If you are ready for a real stateful firewall ditch Linux and go for BSD.

If you qualify for this (too costly) you should be able to get 1.5/768 @ $89/month or even 3.0/768. Go here and check your CO distance.

You can get additional IP at $5.95/month (used to be $2.95) up to 32 for ADSL.

Build a couple more, you don't need the high end machine at all. A p133 with 64mb is quite enough, no X of course.