How To Install And Use The djbdns Name Server On Debian Etch

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 01/15/2008

djbdns is a very secure suite of DNS tools that consists out of multiple parts: dnscache, a DNS cache that can be used in /etc/resolv.conf instead of your ISP's name servers and that tries to sort out wrong (malicious) DNS answers; axfrdns, a service that runs on the master DNS server and to which the slaves connect for zone transfers; and tinydns, the actual DNS server, a very secure replacement for BIND.

I do not issue any guarantee that this will work for you!

1 Preliminary Note

I have tested djbdns on a Debian Etch system with the IP address 192.168.0.100. I'll explain how to use dnscache and tinydns (as a master DNS server), but not how to use axfrdns - maybe I'll cover that in another tutorial.

dnscache will listen on the local IP address 127.0.0.1, tinydns on the external IP address 192.168.0.100.

2 Installing djbdns

djbdns is not available as a binary package in the Debian repositories due to its "license" (until December 28, 2007, djbdns was license-free software), however there's a djbdns-installer package in the repositories that can be used to install djbdns. djbdns depends on daemontools and ucspi-tcp; again, there are only installer packages available for these programs. The installers are available in the Debian Etch contrib and non-free repositories, so we must make sure first that these are included in our /etc/apt/sources.list:

vi /etc/apt/sources.list

[...]
deb http://ftp2.de.debian.org/debian/ etch main contrib non-free
[...]

Update your packages database afterwards:

apt-get update

Next we install the daemontools-installer:

apt-get install daemontools-installer

Now we can install the daemontools like this:

build-daemontools

You will be asked a few questions. You can always accept the default value by pressing ENTER:

Enter a directory where you would like to do this [/tmp/daemontools] <-- ENTER

Which format would you like to use? [fD] <-- ENTER

Press ENTER to continue... <-- ENTER

Do you want to remove all files in /tmp/daemontools,
except daemontools_0.76-9_i386.deb now? [Yn] <-- ENTER

Do you want to install daemontools_0.76-9_i386.deb now? [Yn] <-- ENTER

Do you want to purge daemontools-installer now? [yN] <-- ENTER

To install ucspi-tcp, we run

apt-get install ucspi-tcp-src

and then:

build-ucspi-tcp

You'll be asked a few questions again, and again you can accept the default values:

Enter a directory where you would like to do this [/tmp/ucspi-tcp] <-- ENTER

Press ENTER to continue... <-- ENTER

Do you want to remove all files in /tmp/ucspi-tcp,
except ucspi-tcp_0.88-10_i386.deb now? [Yn] <-- ENTER

Do you want to install ucspi-tcp_0.88-10_i386.deb now? [Yn] <-- ENTER

Do you want to purge ucspi-tcp-src now? [yN] <-- ENTER

Finally we install djbdns as follows:

apt-get install djbdns-installer

build-djbdns

Again, you'll be asked a few questions - accept the default values:

Enter a directory where you would like to do this [/tmp/djbdns] <-- ENTER

Press ENTER to continue... <-- ENTER

Do you want to remove all files in /tmp/djbdns,
except djbdns_1.05-11_i386.deb now? [Yn] <-- ENTER

Do you want to install djbdns_1.05-11_i386.deb now? [Yn] <-- ENTER

Do you want to purge djbdns-installer now? [yN] <-- ENTER

Next we configure dnscache, axfrdns, and tinydns (make sure you replace 192.168.0.100 with the external IP address of your system):

mkdir /var/lib/svscan
dnscache-conf dnscache dnslog /var/lib/svscan/dnscache
axfrdns-conf axfrdns dnslog /var/lib/svscan/axfrdns /var/lib/svscan/tinydns 192.168.0.100
tinydns-conf tinydns dnslog /var/lib/svscan/tinydns 192.168.0.100

ln -s /var/lib/svscan/dnscache /service
ln -s /var/lib/svscan/axfrdns /service
ln -s /var/lib/svscan/tinydns /service

Then we start djbdns:

/etc/init.d/djbdns restart

3 Using dnscache

To use dnscache, we replace the existing name servers in /etc/resolv.conf with 127.0.0.1, the IP address that dnscache is listening on.

Make a backup of /etc/resolv.conf:

cp /etc/resolv.conf /etc/resolv.conf-original

Then run the following commands to create a new /etc/resolv.conf (make sure you replace example.com with your own domain):

echo "domain example.com" > /etc/resolv.conf
echo "nameserver 127.0.0.1" >> /etc/resolv.conf

To test if dnscache is working, we can try to resolve a hostname, e.g. www.google.com:

dnsip www.google.com

If all goes well, it should display the IP addresses of www.google.com:

server1:~# dnsip www.google.com
66.249.93.104 66.249.93.147 66.249.93.99
server1:~#