Hi, my name is Tom Lazar and I'm a Plone and Zope developer based in Berlin, Germany and this is my personal and professional (no big difference, really...) website.

djbDNS using FreeBSD jails

Setting up a caching and authoritative nameserver for a local network using djbDNS.

Notes from following Life with DJBDNS, Quick & Dirty Guide to djbDNS and DJBDNS on FreeBSD HOW-TO (thanks, guys!) to set up an authoritative and caching nameserver using FreeBSD jails.

Requirements

Normally, when running tinydns and dnscache on the same host, you need two IP addresses, one for each service. In practice this is hardly an obstacle, because one of the two can usually be a private address or even 127.0.0.1, and the strict separation of resolver and nameserver far outweighs the cost.

However, this has proven to be a somewhat annoying limitation in conjunction with FreeBSD jails, because a) you can only assign one IP per jail and b) you can't use 127.0.0.1 from inside a jail. (Both were true of the FreeBSD releases this was written against; since FreeBSD 7.2 a jail can hold several addresses, but the two-jail layout below still keeps resolver and nameserver in separate compartments, which is the point.)

So until someone smarter than me comes up with something sexy, I'll just assume that I need two jails for a setup involving dnscache and tinydns. The general idea is to provide a local network with a caching DNS server, to be authoritative for the local domain and to provide name resolution for local machines. (Believe me, setting up something like this for local networks is well worth the effort; the importance of a working, sane DNS setup simply cannot be overstated!)

DNS cache

This will be the host that all clients in the network use as their nameserver. It resolves foreign domains by recursing from the root servers and caching the results, and it resolves names in the local domain by asking the tinydns jail we set up below (dnscache never hands out authoritative answers itself; for the local domain it relays what tinydns tells it). We're assuming the fictitious address 1.2.3.4.

  • install from ports: /usr/ports/dns/djbdns. You also need daemontools (sysutils/daemontools), which provides svscan and setuidgid.
  • add the users dnscache and dnslog (on FreeBSD the no-login shell is /usr/sbin/nologin, not /bin/nologin):

    pw groupadd dnsusers
    pw useradd dnscache -s /usr/sbin/nologin
    pw useradd dnslog -s /usr/sbin/nologin
    pw groupmod dnsusers -m dnscache,dnslog

  • create the log directory and the service directory; the last argument is the address dnscache listens on:

    mkdir /var/log/dnscache
    dnscache-conf dnscache dnslog /var/dnscache 1.2.3.4

  • modify /var/dnscache/log/run so the log lands in /var/log/dnscache instead of /var/dnscache/log/main:

    exec setuidgid dnslog multilog t /var/log/dnscache

  • enable queries from the local network. dnscache answers only clients whose address matches a file in root/ip; the file name is an address prefix, so 1.2.3 covers 1.2.3.0/24 (and a file named 1 would cover 1.0.0.0/8). Keep this to your own network: a wide prefix on a host reachable from the internet turns it into an open resolver.

    touch /var/dnscache/root/ip/1.2.3

  • set ownership of the log directory. /var/dnscache itself was created by dnscache-conf owned by root and should stay that way: dnscache runs unprivileged via setuidgid and has no business writing its own root/ip and root/servers configuration, so a recursive chown of /var/dnscache to dnscache only weakens that separation.

    chown -R dnslog:dnsusers /var/log/dnscache

  • services: enable svscan and link the directory created by dnscache-conf into the service directory:

    mkdir /var/service/
    echo 'svscan_enable="YES"' >> /etc/rc.conf
    ln -s /var/dnscache /var/service/
    /usr/local/etc/rc.d/svscan.sh start

You should now be able to perform lookups against 1.2.3.4 from a host in 1.2.3.0/24: dig @1.2.3.4 tomster.org. From an address without a matching root/ip entry the query is dropped without any reply, so a timeout there is expected rather than a fault.

Authoritative DNS

We're assuming the fictitious address 1.2.3.5 for the tinydns jail.

  • install from ports: /usr/ports/dns/djbdns (plus daemontools, as above)
  • add the users tinydns and dnslog:

    pw groupadd dnsusers
    pw useradd tinydns -s /usr/sbin/nologin
    pw useradd dnslog -s /usr/sbin/nologin
    pw groupmod dnsusers -m tinydns,dnslog

  • create the log directory and the service directory; the last argument is the address tinydns listens on:

    mkdir /var/log/tinydns
    tinydns-conf tinydns dnslog /var/tinydns 1.2.3.5

  • modify /var/tinydns/log/run thus:

    exec setuidgid dnslog multilog t /var/log/tinydns

  • set ownership of the log directory (again, leave /var/tinydns owned by root: the data file is edited and compiled as root, and tinydns only needs to read data.cdb):

    chown -R dnslog:dnsusers /var/log/tinydns

  • services: enable svscan and link the directory created by tinydns-conf into the service directory:

    mkdir /var/service/
    echo 'svscan_enable="YES"' >> /etc/rc.conf
    ln -s /var/tinydns /var/service/
    /usr/local/etc/rc.d/svscan.sh start

  • edit /var/tinydns/root/data to create your local zones
  • after editing, cd to /var/tinydns/root and run "make". This compiles data.cdb, the file tinydns actually reads; the new file is swapped in atomically and tinydns picks it up without a restart.

Regarding reverse lookups: while it's true that "=" lines in the data file create both A and PTR records, you still need a "." line for the reverse domain, which gives that zone its SOA (and NS) record. The fields are .fqdn:ip:x, where x is the name server and ip, if given, is the address tinydns should publish for x; since the name server already gets its A record from its own "=" line, leave ip empty:

.3.2.1.in-addr.arpa::tinydns.yourdomain.com

Without that line tinydns has no zone for 3.2.1.in-addr.arpa and will never answer reverse queries for your IPs.
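The data file layout and the missing-reverse-zone trap described above, as an added shell example that is not from the original post: gen_tinydns_data emits a data file for a local /24 from a list of host=ip pairs (a "." line for the forward zone, one "." line per reverse zone that is actually used, and "=" lines for the hosts), and check_reverse_soa scans an existing data file and reports every /24 that has "=" records but no "." or "&" line naming its in-addr.arpa zone. yourdomain.com, tinydns.yourdomain.com and the 1.2.3.0/24 range are the post's fictitious values; the host nas and its address are made up for the example. On the real jail the output would be written to /var/tinydns/root/data before running make; tinydns-data itself is not run here.

```shell
#!/bin/sh
# Added example, not from the original post: build a tinydns data file for a
# local /24 and check that every /24 used by an "=" line also has a "." (or "&")
# line for its in-addr.arpa zone. yourdomain.com and 1.2.3.0/24 are the post's
# fictitious values; "nas" is a made-up host name.

# reverse_zone 1.2.3  ->  3.2.1.in-addr.arpa
reverse_zone() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# gen_tinydns_data DOMAIN NS_FQDN HOST=IP [HOST=IP ...]
# Writes tinydns-data lines to stdout:
#   .DOMAIN::NS_FQDN      SOA + NS for the forward zone
#   .REV::NS_FQDN         SOA + NS for each /24 reverse zone that is used
#   =HOST.DOMAIN:IP       A + PTR for every host
# The ip field of the "." lines is left empty on purpose: NS_FQDN gets its A
# record from its own "=" line, so tinydns does not publish it twice.
gen_tinydns_data() {
    domain=$1; ns_fqdn=$2; shift 2
    printf '.%s::%s\n' "$domain" "$ns_fqdn"
    seen=""
    for pair in "$@"; do
        host=${pair%%=*}; ip=${pair#*=}
        prefix=${ip%.*}                       # 1.2.3.10 -> 1.2.3
        case " $seen " in
            *" $prefix "*) ;;                 # reverse zone already emitted
            *) seen="$seen $prefix"
               printf '.%s::%s\n' "$(reverse_zone "$prefix")" "$ns_fqdn" ;;
        esac
        printf '=%s.%s:%s\n' "$host" "$domain" "$ip"
    done
}

# check_reverse_soa FILE
# Prints every /24 that has "=" records in FILE but no "." or "&" line naming
# its in-addr.arpa zone; returns 0 when nothing is missing, 1 otherwise.
check_reverse_soa() {
    awk -F: '
        BEGIN { bad = 0 }
        /^=/    { split($2, o, ".")
                  need[o[3] "." o[2] "." o[1] ".in-addr.arpa"] = substr($1, 2) }
        /^[.&]/ { have[substr($1, 2)] = 1 }
        END     { for (z in need) if (!(z in have)) {
                      print "no SOA/NS for " z " (needed by " need[z] ")"; bad = 1 }
                  exit bad }
    ' "$1"
}

# Usage as on the post's tinydns jail (commented out here):
#   gen_tinydns_data yourdomain.com tinydns.yourdomain.com \
#       tinydns=1.2.3.5 nas=1.2.3.10 > /var/tinydns/root/data
#   check_reverse_soa /var/tinydns/root/data && (cd /var/tinydns/root && make)
```

The check only looks for a zone line whose name is exactly the /24's in-addr.arpa name; if your reverse zones are cut differently (a /16, say), adjust the prefix handling in both functions to match.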

Voila! Try some dig @1.2.3.5 queries for some of the hosts you defined.

Tying it together

Now all we need to do is tell dnscache about tinydns and the domains (including the reverse domain) it is authoritative for. This is done by creating, inside /var/dnscache/root/servers, a text file named after the domain that contains the IP of the nameserver responsible for it:

echo 1.2.3.5 > /var/dnscache/root/servers/yourdomain.com
echo 1.2.3.5 > /var/dnscache/root/servers/3.2.1.in-addr.arpa

dnscache reads the servers directory only when it starts, so restart it (svc -t /var/service/dnscache) and then check both directions through the cache: dig @1.2.3.4 tinydns.yourdomain.com and dig @1.2.3.4 -x 1.2.3.5. Leave servers/@ alone; that is the list of root servers dnscache uses for everything else.
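The root/ip step from the cache section and the servers files just created, as an added shell example that is not from the original post: it fills a dnscache root directory with the same files and then checks it for the mistakes that are easy to make by hand, before you restart dnscache. 1.2.3.0/24, 1.2.3.5 and yourdomain.com are the post's fictitious values; the root directory is a parameter so the check can be run against /var/dnscache/root or a scratch copy. The functions only write files; restarting dnscache with svc -t is left to you.

```shell
#!/bin/sh
# Added example, not from the original post: populate a dnscache root
# directory (the root/ip and root/servers files the post creates by hand) and
# sanity-check it before restarting dnscache. 1.2.3.0/24, 1.2.3.5 and
# yourdomain.com are the post's fictitious values.

# reverse_zone 1.2.3  ->  3.2.1.in-addr.arpa
reverse_zone() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# allow_clients ROOT PREFIX
# Same as "touch ROOT/ip/PREFIX": dnscache answers only addresses that match a
# file name in ip/ and silently drops everything else. Keep PREFIX to your own
# network; a very short prefix on a public address makes an open resolver.
allow_clients() {
    mkdir -p "$1/ip" && : > "$1/ip/$2"
}

# forward_zone ROOT ZONE SERVER_IP
# dnscache sends queries under ZONE straight to SERVER_IP instead of walking
# down from the root servers listed in ROOT/servers/@.
forward_zone() {
    mkdir -p "$1/servers" && printf '%s\n' "$3" > "$1/servers/$2"
}

# local_domain ROOT DOMAIN PREFIX TINYDNS_IP
# Forward both DOMAIN and the in-addr.arpa zone of PREFIX.0/24 to tinydns.
local_domain() {
    forward_zone "$1" "$2" "$4"
    forward_zone "$1" "$(reverse_zone "$3")" "$4"
}

# check_root ROOT
# Reports, and returns 1 for, the usual hand-editing mistakes: no servers/@
# (nothing outside the local zones would resolve), a servers/* file holding
# something other than IPv4 addresses (a hostname, or the empty file that a
# mistyped "cat 1.2.3.5 > file" leaves behind), and an empty ip/ (nobody may
# query).
check_root() {
    root=$1; status=0
    ipv4='([0-9]{1,3}\.){3}[0-9]{1,3}'
    [ -s "$root/servers/@" ] || { echo "$root/servers/@ missing or empty"; status=1; }
    for f in "$root"/servers/*; do
        [ -e "$f" ] || continue
        if ! grep -Eqx "$ipv4" "$f" || grep -Evqx "$ipv4" "$f"; then
            echo "$f: expected one IPv4 address per line"; status=1
        fi
    done
    [ -n "$(ls -A "$root/ip" 2>/dev/null)" ] || { echo "$root/ip is empty"; status=1; }
    return $status
}

# Usage on the post's cache jail (commented out here; afterwards run
# svc -t /var/service/dnscache so the new servers/ files are read):
#   allow_clients /var/dnscache/root 1.2.3
#   local_domain  /var/dnscache/root yourdomain.com 1.2.3 1.2.3.5
#   check_root    /var/dnscache/root
```

check_root deliberately refuses hostnames in servers/* files: dnscache wants addresses there, and a name it cannot look up would leave the whole local domain unresolvable after the restart.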

Thanks to Erdgeist for enduring my stupid questions on IM and prodding me into the right direction time and time again. Luv’ya!

  • There is no Step 8. That’s all there is to it.
