======================================
DJBDNS INSTALLATION
======================================
Server/System Requirements -
Hardware requirements:
CPU:Intel/AMD 1 Ghz+
Memory:1 Gb
HDD:40 Gb
Ethernet cards--2 cards per server.Minimum 100 Mbps
,server class quality
Software Requirements:
1.A single server running some sort of UNIX/Linux operating system(Fedora
Core 4).
2.At least 2 unused IP addresses.
3.Daemon tools
4.UCSPI-TCP
5.You will want ports 22 and 53 open
In addition to having djbdns, daemon tools and ucspi-tcp installed, you will also
need:
6.Apache
7.php 4 or higher with mysql functionality
8.mysql 3.x or 4.x installed
If You are installing a VegaDNS for exisisting DNS server(Not fresh installation)
Then please take a backup of following on any other machine and restore them
during installation of djbdns:
1.vegadns Database
2.data file in /etc/tinydns/root
3.List of ip addresses from /etc/dnscache/root/ip
1. Backup of vegadns Database:
-------------------------------
First Take a backup of Vegadns databases by following command:
mysqldump -u root -p [password] vegadns > vegadns.sql
Then restore that sql file during installation with following command
mysql -u root -p [password] vegadns < vegadns.sql
2. Backup of Data file :
-------------------------
cd /etc/tinydns/root
3. Backup of ip addresses:
--------------------------
Copy List of IP Addresses from /etc/dnscache/root/ip
touch ip/from/above/ ip list at that location only.
mkdir /downloads
cd /downloads
wget http://www.djbdnsrocks.org/downloads/djbdnsrocks.tar.gz
Now let's unpack it...
tar zxvf djbdnsrocks.tar.gz
cd djbdnsrocks
cd /downloads/djbdnsrocks
tar zxvf djbdns-1.05.tar.gz
cd djbdns-1.05
For REDHAT Users:
patch < /downloads/djbdnsrocks/djbdns_errnopatch
make
make setup check
A successful installation will install djbdns and all its tools into
/usr/local/bin. Now let's setup tinydns and dnscache(i.e.tinydns authoritative
nameserver).
First, you'll want to select the 2 IP addresses and 2 hostnames that you wish to
use for each of your nameservers.It is VERY IMPORTANT that you make sure that the
2 IP addresses you intend to use are functional and that they resolve to a working
server.Now register the 2 nameservers. Once you complete the registration process,
it generally takes around 24 hours for the new nameservers' registration to be
active and functional.
Installing Daemontools:
=======================
1. If you haven't already, unpack the djbdnsrocks package.
tar zxvf djbdnsrocks.tar.gz
2. mkdir -p /package
3 . chmod 1755 /package
4 . cd /package.
5. tar zxvf /path/to/djbdnsrocks/daemontools-0.76.tar.gz
For RedHat Users:
cd /package/admin/daemontools/src
patch < /downloads/djbdnsrocks/daemontools_errnopatch
If you don't get any errors, it's patched!
6.cd admin/daemontools-0.76
7. ./package/install
That's it. Daemontools is now installed! If you run a "ps -aux" (or whatever proc
list command tickles your fancy) you should see the "svscan" function now running!
Installing UCSPI-TCP:
=====================
1. If you haven't already, unpack the djbdnsrocks package.
tar zxvf djbdnsrocks.tar.gz
2. cd /downloads/djbdnsrocks
3. tar zxvf ucspi-tcp-0.88.tar.gz
Now install it
4. cd ucspi-tcp-0.88
For RedHat Users:
patch < /downloads/djbdnsrocks/ucspi-tcp_errnopatch
If you don't get any errors, it's patched!
5. make
6. make setup check
That's it! UCSPI should now be installed.
Deploying tinydns :
-------------------
The first thing you'll want to do is create the needed users on your system that
will enable your DNS server to function correctly. Lucky for you,some scripts to
do that...
For Redhat and most other Linux systems:
/downloads/djbdnsrocks/scripts/add_users_rh.script
Next, we will create the core of the first tinydns server.
In this example, I'm creating the first tinydns server for the IP address that
will serve ns1.djbdnsrocks.org
/usr/local/bin/tinydns-conf tinydns dnslog /etc/tinydns 1.3.5.7
Now, let's create our second tinydns server, which in the example is for the IP
address ns2.djbdnsrocks.org
/usr/local/bin/tinydns-conf tinydns dnslog /etc/tinydns2 2.4.6.8
Starting these 2 nameservers simply means adding them to the daemontools service
directory.
First, let's crank up the 1st nameserver:
ln -s /etc/tinydns /service
And now the 2nd...
ln -s /etc/tinydns2 /service
OK, that's it! They should now be up and running.
- Deploying dnscache -
======================
So let's set up our internal caching nameserver. It's incredibly easy.
By running the following command, the entire caching nameserver will be created...
dnscache-conf dnscache dnslog /etc/dnscache 127.0.0.1
Viola! That's it. It's all set up. Now all we have to do is crank it up and test
it out.
So let's crank it up...
ln -s /etc/dnscache /service
he last thing we need to do is to simple put the new caching nameserver into
operation and then test it out. Don't worry, because that's easy too...
First, make a backup of your server's original resolv.conf file...
cp /etc/resolv.conf /etc/resolv.conf.orig
Now let's edit the resolv.conf file...
vi /etc/resolv.conf
replace the current contents of the resolv.conf file with the following:
nameserver 127.0.0.1
Save and exit.
Please copy those IP addresses on location as given above.
Now let's test out our new internal caching nameserver
dig djbdnsrocks.org
svc -t /service/dnscache.This will flush your nameservers cache and query the
internet's root nameservers for the latest DNS information.
You can adjust the level of traffic at which your nameserver will flish it's cache
by editing the file /etc/dnscache/env/CACHESIZE.
Alright! So now you have an internal caching nameserver. Way to go.
- Deploying Vegadns -
======================
cd /path/to/your/server/web/directory
(Example: cd /var/www/html)
Now we unpack Vegadns into your server's public web directory...
tar zxvf /path/to/djbdnsrocks/vegadns-0.9.tar.gz
And let's rename it to something friendly...
mv vegadns-0.9 vegadns
Now it's time to create the vegadns database and database user. This database will
store all of your DNS server's domain records as well as all vegadns user
information.
First we create the vegadns database...
mysqladmin -u root create vegadns -p
Enter your mysql server's root password when prompted. Upon authentication, a new
database called "vegadns" will be created.
Now we create a user which will have rights on the vegadns database...
mysql -u root -e "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER ON
vegadns.* TO vegadns@localhost IDENTIFIED BY 'password'" mysql -p
Enter you mysql server's root password when prompted. Upon authentication, a new
user called "vegadns" will be added to your mysql server and that user will be
assigned all needed privileges on the "vegadns" database.
Alright. That's it for the database business.Now it's time to configure Vegadns
itself.
cd /path/to/your/server/web/directory/
(Example: cd /var/www/html)
mkdir -p vegadns_private/templates_c
mkdir vegadns_private/configs
mkdir vegadns_private/cache
mkdir vegadns_private/sessions
Now we will grant ownership of this new directory to whatever user your Apache
server runs as:
chown -R apache:apache vegadns_private
And now we set the correct permissions on the directory...
chmod -R 770 vegadns_private
OK, that's it for the private directory. Now it's time to edit the master Vegadns
config file.
/var/www/html/vegadns/src/config.php.
vi vegadns/src/config.php
Make sure that each of the following variables are set accordingly. As always, I
have highlighted in RED the areas where you will need to substitute in the correct
information.
$private_dirs = '/path/to/web/server/root/vegadns_private';
// Mysql settings
$mysql_host = 'localhost';
$mysql_user = 'vegadns';
$mysql_pass = 'password';
$mysql_db = 'vegadns';
$vegadns_url = 'http://127.0.0.1/vegadns/';
$supportname = "Your Organization";
$supportemail = "postmaster@yourdomain.com";
$trusted_hosts = '127.0.0.1';
Note: If you plan to administer your DNS server from somewhere besides localhost,
you will need to add that IP address to the $trusted_hosts variable above. Each IP
is separated by a comma.
Save and exit the file.
Log into your Vegadns interface:
http://yourdomain.com/vegadns (screenshot)
For our first login, we will use the default login account that comes with
Vegadns...
Email: test@test.com
Password: test
Once you are logged in, you'll want to start customizing your Vegadns setup and
then create some domain entries.
Configuring your user account :
--------------------------------
The first thing you will want to do is to change the login account information.
This is done by clicking on "accounts" and then editing the account info for the
"test@test.com" user (screenshot). You will want to do a couple things to that
user:
1. Change the name to yours
2. Change the email address to your own.
3. Change the password to a more personal one.
4. Keep the privileges set to "senior_admin".
You can also create any other users you may desire in the "accounts" section.
Fortunately, Vegadns comes equipped with a handy script that writes all changes
out to tinydns. This script is located at path/to/vegadns/update-data.sh.
update-data.sh
I have also modified the script so that it refreshed your server's internal cache
anytime the zone entries have been updated.
So first, let's backup the original version of the script...
mv vegadns/update-data.sh vegadns/update-data.orig
And now let's copy over the newer, modified script...
cp /downloads/djbdnsrocks/scripts/update_data_single.sh vegadns/update-data.sh
chmod 755 vegadns/update-data.sh
And now we will copy this script to a more handy location...
cp update-data.sh /usr/local/sbin/update-data.sh
OK, now it's time to test the update-data.sh script and make sure it's updating
our nameservers correctly.
update-data.sh
Let's see if it worked. If it worked, the scripts should have taken the domain
information you entered in Vegadns and written out to both of our nameservers. You
will want to verify new content in the following files. This can be done by
checking both the content of the files AND by checking the timestamp for each
file.
/etc/tinydns/root/data (will contain the readable zone entries)
/etc/tinydns2/root/data (should be identical to the file above)
/etc/tinydns/root/data.cdb (will consist of a mess of illegible code)
/etc/tinydns2/root/data.cdb (should be identical to the file above)
Once you have verified that the above files have been written to, we'll make a
final check to make sure that the files for each nameserver are EXACTLY IDENTICAL.
If the files are exactly identical, the following command should produce NO
OUTPUT. If they are not identical, the following commands will state their
differences.
diff /etc/tinydns/root/data /etc/tinydns2/root/data
diff /etc/tinydns/root/data.cdb /etc/tinydns2/root/data.cdb
If you find that the files are not identical, this is bad. For whatever reason,
the update-data.sh script is NOT writing the same data out to both nameservers.
You will need to go back over each step on this page and look for where you
screwed up.
Once you've successfully verified that both nameserver are being written to by the
update script, we will install a cronjob to run the update script every 10
minutes.
crontab -e
*/10 * * * * /usr/local/sbin/update-data.sh > /dev/null
Save and exit from the crontab editor.
Alright! You've done it. You now have a fully functioning DNS server and a user
friendly interface for managing all of your domains.
Testing:
Now that you've got your tinydns server 100% operational, it's time to throw a
series of tests at it to make sure that everything is working correctly. I'm going
to cover a few simple procedures tests:
Your first domain
dig @ your/ip/address zoneentry/from your domain
or
dig yahoo.com
DNS confirmation
So by now you should have pointed a domain at your nameservers as well as created
the zone entry for that domain on your nameservers via Vegadns. Now let's see if
you actually did it right. There are a few things we can do to test the new domain
out.
Test 1. A local query
dig @ your/ip/address zoneentry/from/your/domain
Hey, isn't that cool? It works! Now try the same query against your secondary
nameserver...
dig @your/secondary/ip/address zone/entry/from/your/domain
Among the troubleshooting steps you do, make sure your server is blocking DNS
requests with a firewall rule and also make sure that all permissions/ownership
settings on the tinydns and tinydns2 directory structures are correct.
Test 2. A remote query
This test requires that your nameservers be fully registered and that the domain
be active and pointing to your nameservers.
This is the most important test. We're now going to test the DNS server' response
when queried from an external location. In other words, we're going to query the
domain from the outside world where all the rules apply.
Let's go to http://domainwhitepages.com/
Enter your domain in the query box.and just focus on the "DNS records" test.
When the "DNS records" lookup is performed, you should get a complete readout of
your domain's DNS settings. The readout should look very much like the domain
information in Vegadns.
Test 3.DNS compliance
Our final test will analyze and point out any inconsistencies and/or problems in
our nameservers. To do this test, we're going to use http://www.dnsreport.com.
To do this test, you will need an active and functional domain name that is
currently running off of your nameservers.
So let's go to http://www.dnsreport.com....
And now I enter Domain name in the "DNS report" field. Then a press the button and
let the test go...
What comes back is a slew of test results. Every test result either passes, warns
or fails. Ideally, you want your DNS system to pass all tests. However, a few
warnings here and there do not constitute a crisis. What you really want to avoid
is the failures.
NS records at parent servers This is the second test performed and it makes sure
that the nameservers to which you have pointed your domain to (at the registrar
level) are reachable. A successful test in this area will show all of the
nameservers that you pointed your domain to.
You can typically tell if you nameserver if answering queries by looking at the
logs. For
example: tail -f /etc/tinydns/log/main/current
Parent nameservers have your nameservers listedJust like the test above, passing
this test is crucial. This test makes sure that the nameservers to which your
domain is pointing actually contain DNS information for that domain. Failing this
test would mean that you successfully pointed you domain to your nameservers but
that you failed to create the domain zone entry on the nameservers. In other
words, you forgot to add the domain to your nameservers via Vegadns.
NS records at your nameserversThis test makes sure that the zone entry for your
domain contains NS records that match the nameservers to which it points. For
example, djbdnsrocks.org points to ns1, ns2, ns3 and ns3.namegenie.net. In the
zone entry for djbdnsrocks.org (visible in Vegadns), there are 4 NS records in
place indicating all 4 nameservers. If, for example, the zone entry for
djbdnsrocks.org only contained an NS record for ns1 and ns2.namegenie.net, the
test would fail because there are no NS records for ns3 and ns4.namegenie.net. You
want to pass this test!
All nameservers report identical NS records Similar to the test above. It simply
makes sure that each of your nameservers contains the same NS records for your
domain.
and now your DNS server is up.
Setting Up Zone transer with Bind
---------------------------------
Ref: http://cr.yp.to/djbdns/run-server-bind.html
Ref: http://www.hackinglinuxexposed.com/articles/20020813.html
/usr/sbin/useradd -s /sbin/nologin -d /dev/null axfrdns
axfrdns-conf axfrdns dnslog /etc/axfrdns /etc/tinydns a.b.c.d
vi /etc/axfrdns/tcp
#Refer http://cr.yp.to/djbdns/tcp.html on how to set appropriate rules
# eg If you want to allow an IP address to transfer a zone from your DNS server,
add it to /etc/axfrdns/tcp:
# echo '131.193.178.160:allow,AXFR="heaven.af.mil"' >> /etc/axfrdns/tcp
# If you want to allow transfers of all zones, omit the ,AXFR="...":
# echo '131.193.178.160:allow' >> /etc/axfrdns/tcp
cd /etc/axfrdns/
make
ln -s /etc/axfrdns /service
sleep 5
svstat /service/axfrdns
Use the dnsnotify.pl script on http://www.lifewithdjbdns.com/#DNS%20secondaries to
transfer zones to the secondary Bind servers
eg ./usr/local/sbin/dnsnotify.pl zonetotransfer.com secondarydnsserver.com