Prerequisite Packages
- daemontools
- daemontools-run
- svtools
- ucspi-tcp-ipv6
The versions in Debian are all fine.
DJBDNS Package
- dbndns (source: djbdns)
At this point (Feb 2014), Debian only has a package in experimental, and it hasn't been updated in quite a while. I (kbare) hacked on it a bit in order to make the packages for cclub.
My changes were:
- Converted the packaging to the 3.0 (quilt) format. This makes it easier to work on in the future, and separates packager-introduced changes from the upstream code.
- Updated the package to use a more recent patch for IPv6 support (test25; the existing packaging had test23). (http://www.fefe.de/dns/)
- Applied the "query merging in dnstransport" patch to fix CVE-2008-4392. Note: this can increase dnscache CPU utilization quite a bit under heavier loads (due to linear data structures). I don't think it should be a problem in our environment (since we are no longer running open resolvers), but if we see machines falling over due to CPU usage, we should consider disabling the query merging and/or finding an alternate fix for CVE-2008-4392.
- Applied the SRV record patch for tinydns-data.
- Applied cclub's OKCLIENT patch.
- For dbndns, resolved conflicting changes between the query merging, OKCLIENT, and IPv6 patches.
- Updated manpages to reflect new features from the SRV record and IPv6 patches.
Setup
If you plan on setting up both authoritative DNS (tinydns, axfrdns) and a DNS resolver (dnscache), you will need a machine/VM with two IP addresses.
Ensure the appropriate users (tinydns, dnslog, dnscache, axfrdns) exist on the system of interest.
To add them (only if they aren't already there!):
grep '^[^:]*dns[^:]*:' /afs/club/service/etc/passwd.service >> /etc/passwd.system
/afs/club/system/scripts/sh/passwd-update.sh
tinydns
# This sets up a default tinydns (authoritative DNS server) service. The
# daemon will run as user tinydns, and logs will be owned by dnslog. Files for
# the service will go in /var/tinydns. The daemon will listen on «primary-ip».
tinydns-conf tinydns dnslog /var/tinydns «primary-ip»
# Prevent tinydns from starting until later in the boot sequence.
touch /var/tinydns/down
# Tell supervise about tinydns.
ln -s /var/tinydns /etc/service/tinydns
Cclub specific steps:
# Setup cron jobs for syncing the database:
ln -sf /var/rsync/dns /afs/club.cc.cmu.edu/service/dns
crontab -e -u rsync
# Add the following (if it isn't already there), without the '#':
# 55 * * * * /afs/club.cc.cmu.edu/system/scripts/sh/rsync-dns.sh
# And do an initial run of the script to populate the rsynced copy:
su rsync -c 'cd && /afs/club.cc.cmu.edu/system/scripts/sh/rsync-dns.sh'
mkdir /var/tinydns/tmp
crontab -e
# Add the following (if it isn't already there), without the '#':
# 00 * * * * cd /var/tinydns/tmp && /afs/club.cc.cmu.edu/system/scripts/sh/dnsupdate.sh
# And do an initial run of the script to create the initial data.cdb:
(cd /var/tinydns/tmp && /afs/club.cc.cmu.edu/system/scripts/sh/dnsupdate.sh)
axfrdns
Tinydns (and, for cclub, the relevant cron jobs) must be configured first. (Though, if for some strange reason you want to run axfrdns without tinydns, you can perform the tinydns setup and just prevent it from running.)
# This sets up a default axfrdns (zone transfer/TCP DNS server) service. The
# daemon will run as user axfrdns, and logs will be owned by dnslog. Files for
# the service will go in /var/axfrdns. The daemon will chroot to /var/tinydns/root,
# where the database is located. The daemon will listen on «primary-ip».
axfrdns-conf axfrdns dnslog /var/axfrdns /var/tinydns «primary-ip»
# Change to default-allow (TBD: maybe we want to restrict AXFR?):
echo :allow > /var/axfrdns/tcp
tcprules /var/axfrdns/tcp.cdb /var/axfrdns/tcp.cdb.tmp < /var/axfrdns/tcp
# Prevent axfrdns from starting until later in the boot sequence.
touch /var/axfrdns/down
# Tell supervise about axfrdns.
ln -s /var/axfrdns /etc/service/axfrdns
dnscache
# This sets up a default dnscache (caching resolver) service. The daemon will
# run as user dnscache, and logs will be owned by dnslog. Files for the
# service will go in /var/dnscache. The daemon will listen on «secondary-ip».
dnscache-conf dnscache dnslog /var/dnscache «secondary-ip»
# Increase the cache size.
echo 64000000 > /var/dnscache/env/CACHESIZE
echo 70000000 > /var/dnscache/env/DATALIMIT
# Enable the CVE-2008-4392 fix.
echo 1 > /var/dnscache/env/MERGEQUERIES
# Prevent dnscache from starting until later in the boot sequence.
touch /var/dnscache/down
# Tell supervise about dnscache.
ln -s /var/dnscache /etc/service/dnscache
Cclub specific steps:
# Open the resolver up to CMU networks.
touch /var/dnscache/root/ip/128.2
touch /var/dnscache/root/ip/128.237
# Forward instead of doing recursive resolution.
echo 1 > /var/dnscache/env/FORWARDONLY
# To the Andrew DNS resolvers (IPs are correct as of 09 Feb 2014).
cat > /var/dnscache/root/servers/@ << END
128.2.1.10
128.2.1.11
END
# Fastpath .club.cc.cmu.edu and .cmucc.org to the local tinydns/axfrdns servers.
# *Only* do this if the machine is in fact running tinydns and axfrdns!
echo «primary-ip» > /var/dnscache/root/servers/club.cc.cmu.edu
echo «primary-ip» > /var/dnscache/root/servers/cmucc.org
## If the machine is not running tinydns/axfrdns, make it contact the
## authoritative club DNS servers for things in the club domains (IPs are
## correct as of 09 Feb 2014).
# cat > /var/dnscache/root/servers/club.cc.cmu.edu << END
# 128.237.157.11
# 128.237.157.13
# 128.2.204.149
# END
# cp /var/dnscache/root/servers/club.cc.cmu.edu /var/dnscache/root/servers/cmucc.org
# A third alternative is to not create the club.cc.cmu.edu and cmucc.org files at all.
# In that case dnscache will have to go through the Andrew resolvers to resolve local names.
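As an added illustration (not from the original page or the djbdns sources), the following Python models the prefix check dnscache applies to the files under /var/dnscache/root/ip/, so you can see exactly which clients the two touch commands above admit and which are still refused. The temporary directory and the client addresses probed are constructed for the example.

```python
# Added example (not part of the original page): a model of how dnscache decides
# whether a client may use the resolver, based on the files under
# /var/dnscache/root/ip/. dnscache stats ip/<a.b.c.d>, then ip/<a.b.c>, ip/<a.b>,
# ip/<a>; the first file that exists allows the client, otherwise it is refused.
# The directory and client IPs below are constructed for the demonstration.
import os
import tempfile


def okclient(ip_dir: str, client_ip: str) -> bool:
    """Mirror dnscache's okclient(): strip one dotted octet at a time and
    allow the client as soon as a matching file exists in ip_dir."""
    name = client_ip
    while True:
        if os.path.exists(os.path.join(ip_dir, name)):
            return True
        dot = name.rfind(".")
        if dot < 0:
            # No shorter dotted prefix left to try: not whitelisted.
            return False
        name = name[:dot]


def demo() -> dict:
    """Recreate the CMU-network whitelist from the setup above in a temp dir
    (touch ip/128.2 and ip/128.237) and probe a few constructed clients."""
    with tempfile.TemporaryDirectory() as root:
        ip_dir = os.path.join(root, "ip")
        os.mkdir(ip_dir)
        for prefix in ("128.2", "128.237"):
            open(os.path.join(ip_dir, prefix), "w").close()
        probes = (
            "128.2.1.10",      # inside 128.2.0.0/16: allowed
            "128.237.157.11",  # inside 128.237.0.0/16: allowed
            "128.20.5.5",      # "128.2" only matches at a dot boundary: refused
            "10.0.0.1",        # not a CMU network: refused, so no open resolver
        )
        return {ip: okclient(ip_dir, ip) for ip in probes}


if __name__ == "__main__":
    for ip, allowed in demo().items():
        print(f"{ip:16} {'allow' if allowed else 'refuse'}")
```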
Start the Services at Boot
svinitd-create tinydns axfrdns dnscache > /etc/init.d/dbndns
chmod a+x /etc/init.d/dbndns
update-rc.d dbndns defaults