INSTALLING DJBDNS
Copyright (C) 2005 by Steve Litt

Resources
    : I could not have created this document without the help of Kevin Korb
    : and his outstanding djbdns resource at
    : http://www.sanitarium.net/golug/djbdns.html. Kevin taught me djbdns, and
    : helped me through my first installation.
    :
    : And obviously, this couldn't have been done without Daniel J. Bernstein,
    : the creator of djbdns. In creating this document I made heavy use of his
    : authoritative djbdns website at http://cr.yp.to/djbdns.html.
    :
    : I'd also like to thank the people in my LUG, Greater Orlando Linux User
    : Group (GoLUG), for their help in this and my other Linux activities.

Executive Summary
    : djbdns installation is reputed to be difficult, but keep it in
    : perspective. Imagine installing bind from source files.
    : The following summarizes the install/configure process:
    Download source for daemontools, ucspi-tcp and djbdns
    Install daemontools
    Install ucspi-tcp
    Install djbdns
        Which consists of:
            tinydns: The authoritative server (answers for the zones you publish)
            dnscache: The recursive (caching) resolver
    Configure dnscache on an alias to the network card
        Do not continue until external name resolution works
    Configure tinydns on 127.0.0.1
        127.0.0.1 is best for SOHO where only subnet clients ask
    Link dnscache to tinydns
    Install all files as root
        su -

Note about build directory
    : Unlike most installations, djb apps build in the directory that
    : eventually will house the files. Then other directories are
    : symlinked to those files. I suggest building them in
    : /usr/local/djbdns_package:
    Suggested structure
        /usr/local/djbdns_package
            daemontools
            ucspi-tcp
            djbdns
    mkdir /usr/local/djbdns_package; cd /usr/local/djbdns_package; chmod 1755 .
Install daemontools
    cd /usr/local/djbdns_package
    tar xzvf whatever/daemontools-0.76.tar.gz
    cd admin/daemontools-0.76
    echo gcc -O2 -include /usr/include/errno.h > src/conf-cc
        : This works around the errno incompatibility between djb's sources,
        : which declare "extern int errno;", and glibc 2.3 and later, where
        : errno is a macro; without it the build fails with errno-related
        : errors at compile or link time. Edit src/conf-cc, not compile/conf-cc:
        : package/install recreates compile/ from src/, so an edit made in
        : compile/ is thrown away before the build starts.
    package/install
        There may be warnings, but should be no errors
        This completes the installation
    Test daemontools installation
        ls -ldF /service
            This should indicate the existence of /service
        ls -ltr /usr/local/bin
            This should show many symlinks created with today's date
        grep svscanboot /etc/inittab
            Should yield something like "SV:123456:respawn:/command/svscanboot"
            Kevin Korb mentions this line might need to be moved toward the top
            Kevin Korb mentions that with BSD it is added to /etc/rc.local instead
                And must be started by hand this first time
        If the preceding three commands yield the expected, assume success

Install ucspi-tcp
    cd /usr/local/djbdns_package
    tar xzvf whatever/ucspi-tcp-0.88.tar.gz
    cd ucspi-tcp-0.88
    echo gcc -O2 -include /usr/include/errno.h > conf-cc
        The same errno workaround as for daemontools (here conf-cc is in the top directory)
    make
        There will be warnings, but should be no errors
    make setup check
    Test ucspi-tcp installation
        ls -ltr /usr/local/bin
            This should show many files created with today's date
            They will be later than the symlinks created by the daemontools install
        If the preceding command yields the expected, assume success

Install djbdns
    cd /usr/local/djbdns_package
    tar xzvf /inst/linux/djbdns/djbdns-1.05.tar.gz
    cd djbdns-1.05
    echo gcc -O2 -include /usr/include/errno.h > conf-cc
        The same errno workaround again
    make
        There will be warnings, but should be no errors
    make setup check
    Test djbdns installation
        ls -ltr /usr/local/bin
            This should show many files created with today's date
                Including dnscache and tinydns
            They will be later than the files created by the ucspi-tcp install
        If the preceding command yields the expected, assume success

Turn off named
    /etc/rc.d/init.d/named stop
    chkconfig named off
    chkconfig --list | grep named
        Verify it's turned off for all runlevels
        This prevents it from restarting on boot
        Two servers cannot share port 53 on the same address, and named must
        not come back behind dnscache after a reboot

Create special users
    useradd tinydns
    useradd dnslog
    useradd dnscache
    These users need no further configuration. They exist only so that the
    daemons can drop root and run unprivileged (dnscache-conf and tinydns-conf
    put them in env/UID and env/GID). Nothing in djbdns needs them to log in,
    so give them no shell: add -s /bin/false to each useradd above.

Configure and test dnscache
    ps ax | grep svscan
        Verify svscan is running. Do not proceed until it is
    Create an alias IP in your nic's subnet
        dnscache will listen on this address
        Verify that you can ping this alias
    Create and populate the /service/dnscache directory
        mkdir /var/service
        dnscache-conf dnscache dnslog /var/service/dnscache 192.168.100.103
            dnscache is the caching dns user
            dnslog is the multilog user
            /var/service/dnscache is the caching dns service directory
            192.168.100.103 is the alias on which dnscache listens
        cd /var/service/dnscache/
        dd if=/dev/urandom of=seed bs=128 count=1
            Replaces the seed that dnscache-conf generated with 128 bytes of
            kernel randomness; the run script feeds this file to dnscache on
            stdin at startup, and dnscache uses it to randomize query IDs and ports
        cd root/ip
        touch 192.168.100
            Admits clients from 192.168.100.0/24. dnscache-conf only created
            127.0.0.1 here; dnscache silently drops queries from any address
            that has no matching file or prefix in root/ip/
        ln -s /var/service/dnscache /service/
    Test
        ping www.yahoo.com
        ping www.microsoft.com
        : If either of these resolve (actual packet transfer isn't
        : necessary), then your recursive DNS (caching dns) is working.
    Troubleshooting
        Verify that your djbdns-centric alias is pingable
            ping 192.168.100.103
            If not pingable, redo the alias until it's pingable
        Verify that /etc/resolv.conf points to the alias, and only to the alias
            cat /etc/resolv.conf
        Verify that /service/dnscache is a symlink to /var/service/dnscache
            ls -ldF /service/dnscache
                DO NOT INCLUDE A TRAILING SLASH!!!
                    With a trailing slash, ls follows the link and shows the target
                    directory, so you cannot tell whether the symlink exists
            If not a symlink, use the ln command
        Verify root server file is populated
            cat /service/dnscache/root/servers/@
            Remember several of those IP addresses
        Verify connectivity with outside world
            ping 198.41.0.4
                This IP address must be one of those in the @ file.
                If that doesn't work, try another from the @ file
                If those don't work, investigate your network/internet connection
        Verify a file corresponding to your subnet
            ls -ldF /service/dnscache/root/ip/192.168.100
            If this file doesn't exist:
                touch /service/dnscache/root/ip/192.168.100
        Verify that the dnscache interface points to your alias
            cat /service/dnscache/env/IP
        Restart your dnscache
            svc -d /service/dnscache
                Down dnscache
            svc -u /service/dnscache
                Bring it back up
            Normally you'd svc -t to do both, but you're leaving no stone unturned
            ping www.yahoo.com
        Verify that dnscache is up
            svstat /service/dnscache
            If it's not up, find out what's wrong. Use the logs.
        Investigate the logs
            less /service/dnscache/log/main/current
            : If it mentions something about users, make sure you created
            : the users. Other than that, research what it says.
            tail -n0 -f /service/dnscache/log/main/current
            : Now you see the log in real time. Try several ping commands
            : with that. Investigate anything that looks unusual.
        Use other tools
            dnsip www.yahoo.com
            dnsname `dnsip www.yahoo.com`
            dnsqr a www.yahoo.com
                These three query the nameserver in /etc/resolv.conf, i.e. your dnscache
            dnstrace a www.yahoo.com 192.168.100.103
                dnstrace walks the delegation chain itself, starting from the
                server addresses you give it; pointing it at a root server from
                the @ file instead tests iterative resolution from this host
                independently of dnscache
            Find other ways to narrow the problem

Configure tinydns
    ps ax | grep svscan
        Verify svscan is running. Do not proceed until it is
    Create and populate the /service/tinydns directory
        tinydns-conf tinydns dnslog /var/service/tinydns 127.0.0.1
            tinydns is the tinydns user
            dnslog is the multilog user
            /var/service/tinydns is the authoritative dns service directory
            127.0.0.1 is the address on which tinydns listens
                Because only dnscache on this machine will ask it directly
                This works only because every client on the subnet goes through
                dnscache on this box; a tinydns bound to loopback is unreachable
                from any other host. If other machines (or the Internet) must
                query your authoritative server directly, bind tinydns to a
                routable address instead.
        ln -s /var/service/tinydns /service/
        sleep 5
        svstat /service/tinydns
            If it's not "up", troubleshoot
    Grab data from named on this box
        : Note: If there is no named server, you must create a
        : /service/tinydns/root/data file manually with an editor. See
        : "Creating the data file manually" later in this document.
        cd /service/tinydns/root
        service named start
        tcpclient 192.168.100.2 53 axfr-get domain.cxm data.named data.named.tmp
            192.168.100.2 is the interface named runs on (probably the nic)
            axfr-get is a djbdns program that requests a zone transfer (AXFR);
                named must allow transfers of this zone to this host
            domain.cxm is the domain whose data you want to convert
            data.named is the djbdns dns data file you want to write
            data.named.tmp is a temporary file
        cp -p data data.orig
        cat data.named
            The converted zone, in djbdns data-file format
            Might be defective, so read it before using it
        If the data looks at all reasonable:
            cp -p data.named data
        service named stop
        tinydns-data
            Must be run in /service/tinydns/root; it compiles data into data.cdb
    Link dnscache and tinydns
        echo 127.0.0.1 > /service/dnscache/root/servers/domain.cxm
            Forward dns: links dnscache at 192.168.100.103 to tinydns at 127.0.0.1
        echo 127.0.0.1 > /service/dnscache/root/servers/100.168.192.in-addr.arpa
            Reverse dns: links dnscache at 192.168.100.103 to tinydns at 127.0.0.1
        svc -d /service/tinydns
        svc -d /service/dnscache
        svc -u /service/dnscache
        svc -u /service/tinydns
            dnscache reads root/servers/ only at startup, so it must be
            restarted. tinydns reopens data.cdb on every query and would see
            new data without a restart, but restarting it costs nothing.
    Test
        ping wincli.domain.cxm
            wincli.domain.cxm is the FQDN of another box on the subnet
        If it works, you're authoritative
        If not, troubleshoot
    Troubleshoot
        Verify you still have outside resolution
            ping www.yahoo.com
        Verify everything's on
            svstat /service/dnscache
            svstat /service/tinydns
        Verify you have a reasonable data file
            cat /service/tinydns/root/data
        Look at the tinydns log
            less /service/tinydns/log/main/current
        Look at the log in realtime
            tail -f -n0 /service/tinydns/log/main/current
            On another commandline, ping wincli.domain.cxm
            : If you see lines scrolling, the query is reaching tinydns, so the
            : problem is with authoritative resolution: check your data file
            : again, make sure you run tinydns-data again from within
            : /service/tinydns/root, and restart tinydns with the svc -d
            : and svc -u commands.
            :
            : If you do not see lines scrolling, it probably means a bad
            : linkage from dnscache to tinydns. Re-verify the existence of
            : /service/dnscache/root/servers/domain.cxm, and verify that the
            : file contains the string "127.0.0.1" (without the quotes)

Creating the data file manually
    http://cr.yp.to/djbdns/tinydns-data.html
    Linetypes
        ^
        @
        &
        #
        +
        Z
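The following is an added example, not part of Steve Litt's document and not
code shipped with djbdns. It writes a hand-made data file for the network the
page uses (zone domain.cxm, subnet 192.168.100.0/24, host wincli) in the
tinydns-data format, using the line types listed above plus "=", and then
writes the two /service/dnscache/root/servers/ files from the "Link dnscache
and tinydns" step. The host names, addresses, mail server and SOA values are
constructed placeholders; replace them before use.

```shell
#!/bin/sh
# Added example for this page (not Steve Litt's code, not part of djbdns).
# Generates /service/tinydns/root/data by hand and delegates the page's two
# zones from dnscache to tinydns on 127.0.0.1. Names, addresses and the SOA
# serial/timers below are constructed placeholders.

# write_tinydns_data FILE -- write the zone to FILE (normally
# /service/tinydns/root/data); run tinydns-data in that directory afterwards.
write_tinydns_data() {
    cat > "$1" <<'EOF'
# Constructed example zone for domain.cxm; replace names, addresses and serial.
# Z: SOA only.  Zfqdn:mname:rname:serial:refresh:retry:expire:minimum
Zdomain.cxm:ns1.domain.cxm:hostmaster.domain.cxm:2005010101:16384:2048:1048576:2560
# &: NS.  &fqdn:ip:x -- an x containing a dot is used as the server name as is;
# leaving ip empty means no A record is generated for it on this line
&domain.cxm::ns1.domain.cxm
# +: A record only
+ns1.domain.cxm:192.168.100.1
# @: MX.  @fqdn:ip:x:distance
@domain.cxm::mail.domain.cxm:10
+mail.domain.cxm:192.168.100.5
# =: A record plus the matching PTR in 100.168.192.in-addr.arpa
=wincli.domain.cxm:192.168.100.20
# two names on one address: + for both, ^ for the single PTR you want
+www.domain.cxm:192.168.100.10
+intranet.domain.cxm:192.168.100.10
^10.100.168.192.in-addr.arpa:www.domain.cxm
# the reverse zone is a zone of its own and needs its own SOA and NS
Z100.168.192.in-addr.arpa:ns1.domain.cxm:hostmaster.domain.cxm:2005010101:16384:2048:1048576:2560
&100.168.192.in-addr.arpa::ns1.domain.cxm
EOF
}

# lint_data FILE -- every non-blank line must start with '#' or one of the
# tinydns-data record types (. & = + @ ' ^ C Z : % -); anything else is a
# line tinydns-data would reject. Prints offenders, returns 1 if any.
lint_data() {
    bad=$(grep -vn "^[#.&=+@'^CZ:%-]" "$1" | grep -v '^[0-9]*:$' || true)
    [ -z "$bad" ] || { echo "bad lines in $1:"; echo "$bad"; return 1; }
}

# record_count FILE -- number of record lines (comments and blanks excluded)
record_count() {
    grep -c "^[.&=+@'^CZ:%-]" "$1" || true
}

# delegate_to_tinydns DNSCACHE_ROOT ZONE... -- write DNSCACHE_ROOT/servers/ZONE
# (DNSCACHE_ROOT is /service/dnscache/root) so dnscache asks tinydns on
# 127.0.0.1 for each zone. dnscache reads these files only at startup, so
# restart it afterwards (svc -t /service/dnscache).
delegate_to_tinydns() {
    root=$1; shift
    for zone; do
        printf '127.0.0.1\n' > "$root/servers/$zone"
    done
}

# Usage on the host: ./mkzone /service/tinydns/root/data /service/dnscache/root
# then: cd /service/tinydns/root && tinydns-data && svc -t /service/dnscache
if [ $# -eq 2 ]; then
    write_tinydns_data "$1" && lint_data "$1" &&
        delegate_to_tinydns "$2" domain.cxm 100.168.192.in-addr.arpa
fi
```

Using Z plus & rather than a "." line keeps the serial under your control,
which matters once secondaries transfer the zone; the reverse zone gets the
same treatment because dnscache will only consult tinydns for
100.168.192.in-addr.arpa if that servers/ file exists.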
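The static checks from both troubleshooting sections (the symlink without a
trailing slash, env/IP, root/ip/<subnet>, the @ root-server file, a
resolv.conf that names only the alias, tinydns on 127.0.0.1, a current
data.cdb, and the two servers/ files containing 127.0.0.1) can be scripted.
This is an added example, not part of the original document; every path is
a parameter so it can be run against a scratch tree, and the defaults at the
bottom are the layout the page uses. It does not replace the svstat, ping and
log checks above; it only catches the layout mistakes the page warns about.

```shell
#!/bin/sh
# Added example for this page (not Steve Litt's code, not part of djbdns):
# layout checks for the dnscache/tinydns setup described in the document.

# check_dnscache SERVICE_LINK ALIAS_IP SUBNET RESOLV_CONF
#   SERVICE_LINK  /service/dnscache (must be a symlink; no trailing slash)
#   ALIAS_IP      the alias dnscache listens on, e.g. 192.168.100.103
#   SUBNET        the root/ip/ file admitting your clients, e.g. 192.168.100
#   RESOLV_CONF   /etc/resolv.conf, which must name only ALIAS_IP
# Prints one line per failed check and returns non-zero if any failed.
check_dnscache() {
    link=$1; ip=$2; subnet=$3; resolv=$4; rc=0
    # With a trailing slash, -L (like ls -ldF) follows the link and reports the
    # target directory, so a trailing slash fails this check on purpose.
    [ -L "$link" ] || { echo "$link is not a symlink to the service directory"; rc=1; }
    [ "$(cat "$link/env/IP" 2>/dev/null)" = "$ip" ] ||
        { echo "$link/env/IP does not contain $ip"; rc=1; }
    [ -f "$link/root/ip/$subnet" ] ||
        { echo "$link/root/ip/$subnet missing: dnscache drops queries from that subnet"; rc=1; }
    [ -s "$link/root/servers/@" ] ||
        { echo "$link/root/servers/@ is missing or empty (no root servers)"; rc=1; }
    [ -s "$link/seed" ] || { echo "$link/seed is missing or empty"; rc=1; }
    # resolv.conf must list the alias and nothing else; a second nameserver
    # would let lookups silently bypass dnscache
    ns=$(awk '$1 == "nameserver" { print $2 }' "$resolv" 2>/dev/null || true)
    [ "$ns" = "$ip" ] ||
        { echo "$resolv nameserver entries are '$ns'; want exactly one: $ip"; rc=1; }
    return $rc
}

# check_tinydns_link DNSCACHE_LINK TINYDNS_LINK ZONE...
#   Verifies tinydns listens on 127.0.0.1, that data.cdb exists and is not
#   older than data (i.e. tinydns-data was rerun), and that dnscache's
#   root/servers/ZONE file contains 127.0.0.1 for every zone given.
check_tinydns_link() {
    dc=$1; td=$2; shift 2; rc=0
    [ "$(cat "$td/env/IP" 2>/dev/null)" = "127.0.0.1" ] ||
        { echo "$td/env/IP is not 127.0.0.1"; rc=1; }
    if [ ! -f "$td/root/data.cdb" ]; then
        echo "$td/root/data.cdb missing: run tinydns-data in $td/root"; rc=1
    elif [ "$td/root/data" -nt "$td/root/data.cdb" ]; then
        echo "$td/root/data is newer than data.cdb: rerun tinydns-data"; rc=1
    fi
    for zone; do
        grep -qx '127.0.0.1' "$dc/root/servers/$zone" 2>/dev/null ||
            { echo "$dc/root/servers/$zone must exist and contain 127.0.0.1"; rc=1; }
    done
    return $rc
}

# Run with no arguments on the host itself to check the page's layout.
if [ $# -eq 0 ] && [ -d /service ]; then
    check_dnscache /service/dnscache 192.168.100.103 192.168.100 /etc/resolv.conf
    check_tinydns_link /service/dnscache /service/tinydns \
        domain.cxm 100.168.192.in-addr.arpa
fi
```

Run it as root after each change and before restarting the services; an
empty output means the static layout matches what dnscache and tinydns
expect, and any remaining failure is in the network, the logs or the data
file itself.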