TITLE:		djbdns DNS Server
LFS VERSION:	any
AUTHOR:		Richard Lightman <richard@reika.demon.co.uk>

SYNOPSIS:
	djbdns is a collection of domain name service tools. These tools are a robust, secure and fast alternative to BIND.

HINT:

Limitation of this hint
=======================

I have a small local network using djbdns. Caching and reverse
resolution work fine inside it, but are not visible from the
outside. In this hint, I have explained how to set up local dns
servers. The instructions for setting up a name server that will
answer queries from the internet are in the full instructions,
but not in this HINT.

It looks simple enough, but as I cannot test it, I will not
write it up. If you are setting up a dns server with real
ip adresses then read:

The Full Documentation
http://cr.yp.to/daemontools.html
http://cr.yp.to/djbdns.html

The documentation for djbdns is available as a separate
tarball. See this installation notes below.

I have put the html documentation trees for daemon tools
(and ucpsi-tcp) into tarballs in the same style as the ones
for djbdns. I have found there would be trouble distributing
them. I am working on this, and a future version of this hint
will include a script to make these tarballs. (DJB wants the
modification dates to remain intact so it is easy to recognize
old documentation. My script modifies some of the hyperlinks
to point back to his site instead of non-existant files on
the local machine. This changes the dates and so would break
the terms of distribution.) A future version of this hint will
contain a script to prepare these documentation tarballs.


Selecting the software
======================

You could use BIND. I had difficulty compiling it, had real
trouble understanding how it was configured, and I did not
like the frequency of security patches for it. It is possible
to reduce the chances of intrusion by running bind in a chroot
environment. Have fun working out how to do that. BIND also
has some exciting ideas about allowing spoofing.

There are several dns programs in djbdns. They are picky about
which external servers they use to reduce the ease of spoofing.
They all run chrooted. They are all set for high availability -
if one crashes, it will be restarted (at a limited rate to
prevent some DOS attacks). There is a prize for the first person
to publicly report a verifiable security hole in the latest
version of djbdns.

The djbdns package contains several types of dns server. If
you are doing something strange, check the full documentation.
For a single machine, the right answer is probably dnscache.
To handle more than one, at least one will need tinydns. Any
or all of them may benefit from dnscache as well.

dnscache:
Uses external servers to resolve dns queries, and keeps the
results to speed up future queries.

tinydns:
Can handle dns and reverse dns queries, for some local networks,
and query external servers for evrything else.

daemontools:
A collection of tools for managing UNIX services. They are
required for djbdns.


Installing daemontools
======================

Unpack sources: http://cr.yp.to/daemontools/daemontools-0.70.tar.gz

  echo /usr > conf-home
  make
  make setup check
  mkdir -p -m 555 /var/service

Please do not delete the source tree yet. When you a confident
that things are working, please mail D. J. Bernstein's site
so that he will know what sort of systems can run his software:

   ( echo 'First M. Last'; cat VERSION systype \
   direntry.h fork.h hasflock.h hasmkffo.h hassgact.h \
   hasshsgr.h haswaitp.h iopause.h select.h uint64.h ) \
   | mail djb-sysdeps@cr.yp.to


Starting svscan (part of daemontools)
=====================================

svscan is started by init. If svscan is somehow killed, init will
restart it. Put the following line at the end of /etc/inittab:

SV:345:respawn:env - PATH=/usr/sbin:/usr/bin:/bin svscan /var/service

To start it up for the first time, without rebooting, type 'telinit Q'


Installing djbdns
=================

unpack sources: http://cr.yp.to/djbdns/djbdns-1.03.tar.gz
  echo /usr > conf-home
  make
  make setup check

Please do not delete the source tree yet. When you a confident
that things are working, please mail D. J. Bernstein's site
so that he will know what sort of systems can run his software:

     ( echo 'First M. Last'; cat `cat SYSDEPS` ) \
     | mail djb-sysdeps@cr.yp.to

Also if you are running a dnsserver on the internet, please
add the web page as requested in the full documentation.

You do not have to, put I think you should install the documentation.
If you are even thinking use puting a dns server on the internet, you
should read it too.
download: http://cr.yp.to/djbdns/doc.tar.gz

gzip -cd < doc.tar.gz | (cd /usr/share; tar -xf -)
slashdoc-merge

This will create the following indexes:
packages.html   Index of DJB's software that has been installed, each
                line is a link to the documentation for that package on
                this system
cfunctions.html Links to the documentation for C library functions
                in alphabetical order for the above packages
commands.html   Links to commands in alphabetical order from the
                above packages



Setting up dnscache (part of djbdns)
====================================

You will need two new groups. Look inside /etc/group and choose the lowest
two available group numbers (The number after the second colon on each line).
In my case 14 & 15.

  groupadd -g 14 dnscache
  groupadd -g 15 dnscachelog

You will need two new users. Look inside /etc/passwd and choose the lowest
two available user id's (The number after the second colon on each line).
In my case 11 & 12.

  useradd -u 11 -g dnscache dnscache
  useradd -u 12 -g dnscachelog dnscachelog

Use the automated installer:
  dnscache-conf dnscache dnscachelog /var/dnscache 127.0.0.1

If you feel enthusiastic, use can pick some better random numbers:
  dd if=/dev/random of=/var/dnscache/seed bs=128 count=1 &

Start ip up:
  ln -s /var/dnscache /var/service/dnscache

To make sure it is used, add the following line to /etc/resolve.conf

nameserver 127.0.0.1

If you replace 127.0.0.1 by the ip address of an interface on the
machine running dnscache, then dnscache will answer queries sent
to that ip address, from ip addresses in networks you specify.
for example to allow queries from 192.168.1:
  touch /var/dnscache/root/ip/192.168.1

If you want dnscache to use a local dns servers, with IP address of,
for example 192.168.1.2 and 192.168.1.3, put the following lines:

192.168.1.2
192.168.1.3

into /var/dnscache/root/servers/local.domain and
into /var/dnscache/root/servers/1.168.192.in-addr.arpa
Make these files readable by user dnscache
Make dnscache read the files:
  svc -t /var/service/dnscache


Setting up tinydns (part of djbdns)
===================================

You will need two new groups, and two new user id's, just like for
dnscache. Call them tinydns and tinydnslog

Use the automated installer. You will need the ip-address that
tinydns is runnig on eg for ip-address 192.168.1.2:
  tinydns-conf tinydns tinydnslog /var/tinydns 192.168.1.2

Start it up:
 ln -s /var/tinydns /var/service/tinydns

Make 192.168.1.2 responsible for this part of the network
cd /var/tinydns/root
../add-ns local.domain 192.168.1.2
../add-ns 1.168.192.in-addr.arpa 192.168.1.2
make

Add some hosts to your domain
cd /var/tinydns/root
../add-host lum.local.domain 192.168.1.4
../add-host ataru.local.domain 192.168.1.5
../add-host shinobu.local.domain 192.168.1.6
make

To make moroboshi an alias for ataru:
cd /var/tinydns/root
../add-alias moroboshi.local.domain 192.168.1.5
make

You can also set up mail exchangers handle delegation and all sorts
of unusual things that are not required on my little private network.
If you are interested, read the full instructions.

