Daniel J. Bernstein's djbdns came with a $1000 guarantee, payable to the first person to publicly report a verifiable security hole in the latest version. (The guarantee was paid out in 2009 to Matthew Dempsky for a bug in dnscache, the caching resolver; tinydns, the authoritative server set up below, was not the affected component, but bear in mind that djbdns 1.05 dates from 2001 and has had no upstream release since.)
The only problem is that setting it up is a pain. Every Linux distribution seems to change things just for the sake of changing them, and djbdns 1.05 also predates the glibc 2.3 change that turned `errno` into a macro, so following the djbdns installation instructions line by line isn't always an option under Linux.
Here are the steps I took to run djbdns on Debian 8 “Jessie”:
A Few Prerequisites
In the original post official steps were shown in green, steps that break on Jessie in red and modified steps in yellow; here each block is labelled Official, Broken on Jessie or Modified instead.
The following commands will need to be issued as root.

Two caveats before starting. First, cr.yp.to serves these tarballs over plain HTTP with no signatures, so compare the downloaded files against the checksums recorded by a distribution that packages the same upstream versions (Debian's or FreeBSD's source package metadata, for example) before building anything from them. Second, Debian jessie ships daemontools, daemontools-run, ucspi-tcp and djbdns packages that already carry the errno fix applied below; this page deliberately builds the upstream sources instead.

You will need build essentials and wget:

```sh
apt-get update
apt-get install build-essential wget
```
Step 1: Install daemontools
Official:

```sh
mkdir -p /package
chmod 1755 /package
cd /package
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
gunzip daemontools-0.76.tar
tar -xpf daemontools-0.76.tar
rm -f daemontools-0.76.tar
cd admin/daemontools-0.76
```

Broken on Jessie: the official installer, `package/install`, fails at link time with `undefined reference to 'errno'`, because daemontools 0.76 declares `extern int errno;` in `src/error.h` and glibc 2.3 and later define `errno` as a macro. Hold off on it for now.

Modified: point the compiler at the system errno.h first (the same workaround this page applies to djbdns in Step 3), then run the installer:

```sh
echo gcc -O2 -include /usr/include/errno.h > src/conf-cc
package/install
```
Step 2: Install ucspi-tcp
Official:

```sh
cd ~
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
gunzip ucspi-tcp-0.88.tar
tar -xf ucspi-tcp-0.88.tar
cd ucspi-tcp-0.88
```

Broken on Jessie: `make` followed by `make setup check` fails for the same errno reason as daemontools. Hold off on them for now.

Modified: apply the errno workaround, then compile and install:

```sh
echo gcc -O2 -include /usr/include/errno.h > conf-cc
make
make setup check
```
Step 3: Install djbdns
This step goes smoothly because the modified command sequence below already applies the errno fix before compiling.

Modified:

```sh
cd ~
wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
gunzip djbdns-1.05.tar
tar -xf djbdns-1.05.tar
cd djbdns-1.05
echo gcc -O2 -include /usr/include/errno.h > conf-cc
make
make setup check
```
Step 4: Load daemontools on Init
Create /lib/systemd/system/daemontools.service with the following contents:

```ini
[Unit]
Description=DJB daemontools
After=sysinit.target

[Service]
ExecStart=/command/svscanboot
Restart=always

[Install]
WantedBy=multi-user.target
```
Save, change permissions, create the symbolic link (this is what `systemctl enable daemontools` would do), then start. If systemd reports the unit as unknown, run `systemctl daemon-reload` first so it picks up the new file.

```sh
chmod 644 /lib/systemd/system/daemontools.service
ln -s /lib/systemd/system/daemontools.service /etc/systemd/system/multi-user.target.wants/daemontools.service
service daemontools start
```
Step 5: djbdns Server Configuration
Create users (tinydns drops privileges to the first, the log service runs as the second):

```sh
useradd --no-create-home --shell /bin/false Gtinydns
useradd --no-create-home --shell /bin/false Gdnslog
```
Create the initial base configuration. `[HOST IP]` is the single address tinydns will bind, on UDP port 53 only; tinydns does not speak TCP (axfrdns handles TCP queries and zone transfers), so use the public address of the host, not 0.0.0.0. tinydns-conf writes the run script, the env/ and root/ directories and a multilog-based log service under /etc/tinydns; the symlink into /service hands the whole thing to svscan.

```sh
tinydns-conf Gtinydns Gdnslog /etc/tinydns [HOST IP]
ln -s /etc/tinydns /service/tinydns
```
Check that the service has been loaded. svscan rescans /service every five seconds, hence the pause:

```sh
sleep 5
svstat /service/tinydns
```

It should respond with something along the lines of:

```
/service/tinydns: up (pid 2979) 7 seconds
```

Run svstat a few more times: the pid should stay the same and the uptime should keep increasing. A pid that changes on every call means tinydns is dying on start-up and supervise is restarting it; the reason will be in /etc/tinydns/log/main/current (pipe it through `tai64nlocal` for readable timestamps).
Management
| Action | Command / path |
|---|---|
| Start service | `svc -u /service/tinydns` |
| Stop service | `svc -d /service/tinydns` |
| DNS data file | `/etc/tinydns/root/data` |
The data file is in tinydns-data format, documented at http://cr.yp.to/djbdns/tinydns-data.html.
Run `make` in the /etc/tinydns/root directory after changing the data file. This runs tinydns-data, which compiles `data` into `data.cdb` and renames the new file into place atomically; tinydns reads data.cdb afresh for each query, so no restart is required and a syntax error in `data` leaves the previous data.cdb serving.
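As an added example (not code from the original post or from djbdns), the script below expands the common tinydns-data line types into the resource records tinydns will actually serve, so a data file can be reviewed before `make` publishes it, and adds two checks tinydns-data itself does not perform: duplicate PTR records produced by `=` lines that share an IP, and RFC 1918 addresses leaking into a public zone. The line semantics follow the tinydns-data page linked above; the default TTLs are assumed from the constants in tinydns-data.c (259200 for `.` and `&`, 86400 for the other record lines, 2560 for the SOA a `.` line generates), the zone is a constructed sample in the 192.0.2.0/24 documentation range, and octal `\nnn` escapes inside TXT strings (the way a colon is written in a tinydns-data TXT record) are not decoded.

```python
"""Expand tinydns-data lines into the records tinydns would serve, then lint them.

Added example, not from the original page or from djbdns.  Line semantics follow
http://cr.yp.to/djbdns/tinydns-data.html for the '.', '&', '=', '+', '@', "'",
'^' and 'C' line types; '#' comments and '-' (disabled) lines are skipped.
Default TTLs are assumed from the constants in tinydns-data.c.  Octal \\nnn
escapes inside TXT strings are not decoded here.
"""
import ipaddress
from collections import Counter

TTL_NS = 259200        # default for '.' and '&' lines (assumed from tinydns-data.c)
TTL_POSITIVE = 86400   # default for '=', '+', '@', "'", '^', 'C' lines
TTL_NEGATIVE = 2560    # TTL of the SOA that a '.' line generates

# RFC 1918 ranges: addresses that should not appear in a zone served to the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zone (192.0.2.0/24 is the TEST-NET-1 documentation range).
DATA = """\
# apex: NS a.ns.example.com, its glue A record, and an SOA
.example.com:192.0.2.53:a:259200
# '=' gives A plus PTR; two '=' lines for one IP collide in the reverse map
=www.example.com:192.0.2.80
=example.com:192.0.2.80
@example.com:192.0.2.25:a:10
'example.com:v=spf1 mx -all
Cftp.example.com:www.example.com
# an internal host published in the public zone
=intranet.example.com:10.0.0.5
# a '-' prefix disables a line without deleting it
-=old.example.com:192.0.2.99
"""


def _fields(line, n):
    """Colon-separated fields after the type character, padded with '' to n."""
    parts = line[1:].split(":")
    return (parts + [""] * n)[:n]


def _ttl(text, default):
    return int(text) if text.isdigit() else default


def _ipv4(text):
    """Reject malformed addresses loudly rather than publishing them."""
    return str(ipaddress.IPv4Address(text))   # raises ValueError on bad input


def _reverse(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def expand(data):
    """Return [(owner, type, rdata, ttl)] for every record the data lines imply."""
    records = []
    for raw in data.splitlines():
        if not raw or raw[0] in "#-":               # blank, comment, or disabled line
            continue
        kind = raw[0]
        if kind in ".&":                            # NS plus glue A; '.' also emits SOA
            fqdn, ip, x, ttl, _ts, _lo = _fields(raw, 6)
            ns = x if "." in x else f"{x}.ns.{fqdn}"  # no dot in x -> x.ns.fqdn
            ttl = _ttl(ttl, TTL_NS)
            records.append((fqdn, "NS", ns, ttl))
            if ip:
                records.append((ns, "A", _ipv4(ip), ttl))
            if kind == ".":
                records.append((fqdn, "SOA", f"{ns} hostmaster.{fqdn}", TTL_NEGATIVE))
        elif kind in "=+":                          # A; '=' also emits the PTR
            fqdn, ip, ttl, _ts, _lo = _fields(raw, 5)
            ip, ttl = _ipv4(ip), _ttl(ttl, TTL_POSITIVE)
            records.append((fqdn, "A", ip, ttl))
            if kind == "=":
                records.append((_reverse(ip), "PTR", fqdn, ttl))
        elif kind == "@":                           # MX plus A for the mail host
            fqdn, ip, x, dist, ttl, _ts, _lo = _fields(raw, 7)
            mx = x if "." in x else f"{x}.mx.{fqdn}"  # no dot in x -> x.mx.fqdn
            ttl = _ttl(ttl, TTL_POSITIVE)
            records.append((fqdn, "MX", f"{dist or '0'} {mx}", ttl))
            if ip:
                records.append((mx, "A", _ipv4(ip), ttl))
        elif kind in "'^C":                         # TXT, PTR, CNAME: one rdata field
            fqdn, rdata, ttl, _ts, _lo = _fields(raw, 5)
            rtype = {"'": "TXT", "^": "PTR", "C": "CNAME"}[kind]
            records.append((fqdn, rtype, rdata, _ttl(ttl, TTL_POSITIVE)))
        else:
            raise ValueError(f"unsupported line type {kind!r}: {raw}")
    return records


def lint(records):
    """Checks tinydns-data does not perform: PTR collisions and RFC 1918 leakage."""
    issues = []
    ptr_count = Counter(owner for owner, rtype, _r, _t in records if rtype == "PTR")
    for owner, count in sorted(ptr_count.items()):
        if count > 1:
            issues.append(f"{count} PTR records for {owner}: keep one '=' line per IP and use '+' for the rest")
    for owner, rtype, rdata, _t in records:
        if rtype == "A" and any(ipaddress.IPv4Address(rdata) in net for net in RFC1918):
            issues.append(f"{owner} publishes RFC 1918 address {rdata}: keep internal names in a separate zone")
    return issues


if __name__ == "__main__":
    recs = expand(DATA)
    for owner, rtype, rdata, ttl in recs:
        print(f"{owner:32} {ttl:7} {rtype:5} {rdata}")
    for issue in lint(recs):
        print("WARN:", issue)
```

Run it against a copy of /etc/tinydns/root/data (substituting the file contents for `DATA`) before running `make`; the two warnings it raises on the sample are exactly the kind of mistake tinydns-data accepts silently.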
Addendum
On newer Linux systems tinydns needs more memory at start-up than the 300,000-byte data-segment limit (`softlimit -d`) that tinydns-conf writes into the run script allows. It then dies immediately and supervise restarts it every second, which shows up as intermittent failures to answer queries and as a pid that keeps changing in `svstat`. If you see that, raise the softlimit in the /etc/tinydns/run shellscript:

```sh
#!/bin/sh
exec 2>&1
# upped softlimit from 300000 to 400000 to
# prevent tinydns process cycling per
# https://groups.google.com/g/linux.debian.bugs.dist/c/cM8dIVUXfKc
exec envuidgid Gtinydns envdir ./env softlimit -d400000 /usr/local/bin/tinydns
```

Restart the service with `svc -t /service/tinydns` afterwards so supervise re-reads the run script.