Section 9.7. BIND Is Too Complex for My Growing Network


9.7. BIND Is Too Complex for My Growing Network

There was a time where every node on the worldwide network could easily be stored in one file. When the Advanced Research Projects Agency started its network (ARPANET), there were four nodes.

As this network grew, there was a need for a distributed database; out of this grew the Domain Name Service (DNS). The most common version of DNS is known as the Berkeley Internet Name Daemon (BIND). Unfortunately, the BIND configuration process is complex and is a common target of cracker attacks.

An alternative DNS server is D.J. Bernstein's djbdns. As noted on his web site, http://cr.yp.to/djbdns/install.html, he has offered to pay anyone for a verifiable security hole. For more information on djbdns, see http://www.lifewithdjbdns.com and Michael Bauer's Linux Server Security (O'Reilly).

If you're a stickler for open source licenses, djbdns may not be for you. For Bernstein's view on licenses, see http://cr.yp.to/distributors.html.


9.7.1. djbdns Components

There are several components associated with djbdns. djbdns contains a caching nameserver, acquiring data from other authoritative nameservers on other networks. It also includes an authoritative nameserver component, which you can use for your growing local network. The components of djbdns are:


dnscache

The key to djbdns is dnscache, which is a caching nameserver. As long as you keep it separate from other nameservers, it is secure.


tinydns

While dnscache can take data from other authoritative nameservers, tinydns can serve as the authoritative nameserver for your local network. Make sure to install it on a computer other than the one hosting dnscache.


axfrdns

Whenever you run an authoritative DNS server, even tinydns, you need to be able to transfer information. The axfrdns software allows tinydns to exchange data with authoritative and caching DNS servers.

9.7.2. Installing djbdns

To install djbdns, navigate to http://cr.yp.to/djbdns/install.html and follow these steps:

  1. Install the daemontools package. Navigate to http://cr.yp.to/daemontools/install.html and download the latest version of this package from the associated link.

  2. Unzip and unpack the associated package with the following command:

     tar xzvf daemontools-*.tar.gz 

  3. Navigate to the directory with the unpacked files:

     cd admin/daemontools-* 

  4. Start the installation program to compile and configure this package, which is available in the package/ subdirectory (which requires root permissions):

     package/install 

  5. Install the ucspi-tcp package. Navigate to http://cr.yp.to/ucspi-tcp/install.html and download the latest version of this package from the associated link.

  6. Unzip and unpack the associated package with the following command:

     tar xzvf ucspi-tcp-*.tar.gz 

  7. Navigate to the directory with the unpacked files:

     cd ucspi-tcp-* 

  8. Compile the associated programs:

     make 

  9. Install the associated programs; by default, they're installed in /usr/local/bin:

     make setup check 

  10. Download the latest version of the djbdns package from the URL listed at the beginning of this section.

  11. Unzip and unpack the associated package with the following command:

     tar xzvf djbdns-*.tar.gz 

  12. Navigate to the directory with the unpacked files:

     cd djbdns-* 

  13. Compile the unpacked files:

     make 

  14. Install the associated programs; by default, they're installed in /usr/local/bin:

     make setup check 

  15. Repeat the previous steps on another computer. You can then configure the dnscache caching server on one system and the tinydns authoritative server on another system.

If you see an error during one of the make commands, you may need to run the following command (or something similar) to add the noted code. Depending on the package, the conf-cc file may be in the directory where you've unpacked files, or in the src/ subdirectory:

 echo gcc -O2 -include /usr/include/errno.h > conf-cc 


If everything works, you can confirm it with the /usr/local/bin/dnsip command, which works like the nslookup command. I've done so on my computer as follows:

 # /usr/local/bin/dnsip  www.linuxexam.com  64.202.167.192 

The daemontools package includes special service configuration tools in the /usr/local/bin directory. Specifically, the svscan and svstat scripts check the /service directory for linked services, which you'll configure in the next section.

9.7.3. Configuring djbdns

Now you can configure djbdns on your systems. Remember, you'll want to configure the dnscache and tinydns components on different computers, as described in the following two sections.

9.7.3.1. Configuring dnscache on one computer

To configure dnscache on one computer, use the dnscache-conf script in the /usr/local/bin directory. You'll also want to reconfigure the directory with the associated logfile. Take the following steps:

  1. Create appropriate users for the dnscache service. As suggested by http://www.lifewithdjbdns.com, the users are dnscache and dnslog.

    The -s option specifies the default shell; for these users, it should never point to a regular shell. It's best to keep it consistent with other users, as defined in your /etc/passwd file. For example, on SUSE Linux, enter:

     useradd -d /dev/null -s /sbin/nologin dnscache useradd -d /dev/null -s /sbin/nologin dnslog 

    In many cases, you may be able to use /dev/null as a home directory for each user. That would be safest. But that's not allowed on all distributions. You can specify instead a directory that does not exist.

  2. Now use the dnscache-conf command to configure the account, the log account, the configuration directory, and the local IP address.

    The following command assumes the account is dnscache, the log account is dnslog, the configuration directory is /etc/dnscache, and the local IP address is 192.168.0.12:

     /usr/local/bin/dnscache-conf dnscache dnslog /etc/dnscache 192.168.0.12 

  3. Add your subnet to the directory of allowed hosts, /etc/dnscache/root/ip. Based on the previous step, you can add your subnet with the following command:

     touch /etc/dnscache/root/ip/192.168.0 

  4. Tell the svscan script about the djbdns service. You can do so by making a link to the /service directory:

     ln -s /etc/dnscache /service 

  5. Verify that the dnscache service is running:

     /usr/local/bin/svstat /service/dnscache 

    You may see a message to the effect that the service has been up for 0 seconds. That is not necessarily a problem. It may simply mean that no computer on your network has used this DNS service yet.

  6. Use the DNS Query command, /usr/local/bin/dnsqr, with a DNS record type and the URL of your choice. Standard name records include an a; mail server records are associated with mx. One example is:

     # /usr/local/bin/dnsqr a  www.oreilly.com  1 www.oreilly.com: 65 bytes, 1+2+0+0 records, response, noerror query: 1 www.oreilly.com answer: www.oreilly.com 20441 A 208.201.239.36 answer: www.oreilly.com 20441 A 208.201.239.37 

  7. Now you can configure clients on this and other computers on your network to use this DNS server, typically through /etc/resolv.conf.

  8. Finally, it's best to store all logfiles in the /var/log directory. In that way, the logrotate script that is normally configured as a daily cron job can maintain and manage the size of your dnscache logs. To do so, open the /etc/dnscache/log/run file in a text editor and make sure it includes the following two lines:

     #!/bin/sh exec /usr/local/bin/setuidgid dnslog multilog t /var/log/dnscache 

  9. Naturally, this means you'll also need to create the new log directory, and make sure the ownership matches the user you've created for this service. Once complete, you can then restart the dnscache service with the following commands:

     mkdir /var/log/dnscache chown tinydns   /var/log/dnscache /usr/local/bin/svcstat -h /service/dnscache 

9.7.3.2. Configuring tinydns on a second computer

To configure tinydns on a second computer, you can use the tinydns-conf script in the /usr/local/bin directory. You'll also want to reconfigure the directory with the associated logfile. To configure tinydns, take the following steps:

  1. Create appropriate users for the tinydns service. As suggested by http://www.lifewithdjbdns.com, appropriate users are tinydns and dnslog. But remember, you're on a different computer, so you'll need to create both users:

     useradd -d /dev/null -s /sbin/nologin tinydns useradd -d /dev/null -s /sbin/nologin dnslog 

  2. Configure the tinydns service. The tinydns-conf command can configure the account, the log account, the configuration directory, and the local IP address.

    The following command assumes the account is tinydns, the log account is dnslog, the configuration directory is /etc/tinydns, and the local IP address is 192.168.0.15:

     /usr/local/bin/tinydns-conf tinydns dnslog /etc/tinydns 192.168.0.15 

  3. Now start the tinydns service. As described in the previous section, you can do so with a link to the /service directory:

     ln -s /etc/tinydns /service 

  4. Make sure the service is running with the following command:

     /usr/local/bin/svstat /service/tinydns 

  5. Next, add the names and IP addresses for the computers on your network. The file with the data you need is /etc/tinydns/root/data. You can use the scripts in the /etc/tinydns/root directory to add IP addresses to that file. For example, the following commands point your tinydns server to authoritative nameservers on external networks:

     /etc/tinydns/root/add-ns had1.or.comcast.net 204.127.205.8 /etc/tinydns/root/add-host debian.example.com 192.168.0.15 /etc/tinydns/root/add-host suse1.example.com 192.168.0.12 /etc/tinydns/root/add-host enterprise4a.example.com 192.168.0.11 

    Other commands are available in the /etc/tinydns/root directory, including:

    • add-alias for aliases, such as web or FTP servers

    • add-mx for mail servers

    • add-childns for other DNS servers

    Run the commands you need to identify all of the hosts and servers on your network.

  6. Navigate to the /etc/tinydns/root directory and then run the make command. This processes the information from the datafile into data.cdb, which is read by the tinydns server.

  7. Now configure clients on this and other computers on your network to use this DNS server, typically through /etc/resolv.conf.

  8. Finally, do the following to store all logfiles in the /var/log directory. Open the /etc/tinydns/log/run file in a text editor and make sure it includes the following two lines:

     #!/bin/sh exec /usr/local/bin/setuidgid tinydns multilog t /var/log/tinydns 

    Now, the logrotate script, which is normally executed as a daily cron job, can maintain and manage the size of your dnscache logs.

  9. Naturally, this means you'll also need to create the new log directory, and make sure the ownership matches the user you've created for this service. Once complete, you can then restart the tinydns service with the following commands:

     mkdir /var/log/tinydns chown tinydns /var/log/tinydns /usr/local/bin/svcstat -h /service/tinydns 



Linux Annoyances for Geeks
Linux Annoyances for Geeks: Getting the Most Flexible System in the World Just the Way You Want It
ISBN: 0596008015
EAN: 2147483647
Year: 2004
Pages: 144
Authors: Michael Jang

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net