Daniel J. Bernstein wrote a DNS server so thoroughly well that he offers $1000 to the first person to publicly report a verifiable security hole in the latest version of it.

The only problem is that setting it up is a pain. It is as though every Linux distribution has to change things just for the sake of changing them… constantly, so following the djbdns installation instructions line-by-line isn’t always an option under Linux.

Here are the steps I took to run djbdns on Debian 8 “Jessie”:

A Few Prerequisites

Official steps are in green, broken steps are in red, modified steps are in yellow.

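The following commands will need to be issued as root. The source tarballs below are fetched over plain HTTP and then built and installed as root, so check each one against a checksum from a source you trust before building.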

You will need build essentials and wget:

apt-get update
apt-get install build-essential wget

mkdir -p /package
chmod 1755 /package
cd /package
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
gunzip daemontools-0.76.tar
tar -xpf daemontools-0.76.tar
rm -f daemontools-0.76.tar
cd admin/daemontools-0.76

This next command will fail, so hold off on it for now:

package/install

Edit ./src/error.h. Replace extern int errno; on line 6 with #include <errno.h>, then save. Now run the installer:

package/install

cd ~
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
gunzip ucspi-tcp-0.88.tar
tar -xf ucspi-tcp-0.88.tar
cd ucspi-tcp-0.88

These next commands will fail, so hold off on them for now:

make
make setup check

Edit ./error.h. Replace extern int errno; on line 4 with #include <errno.h>, then save. Now run the compiler and installer:

make
make setup check

Step 3: Install djbdns

This will go smoothly since Bernstein has already accounted for the errno issue: the echo line below writes a conf-cc that force-includes errno.h.

cd ~
wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
gunzip djbdns-1.05.tar
tar -xf djbdns-1.05.tar
cd djbdns-1.05
echo gcc -O2 -include /usr/include/errno.h > conf-cc
make
make setup check

Create /lib/systemd/system/daemontools.service with the following contents:

[Unit]
Description=DJB daemontools
After=sysinit.target

[Service]
ExecStart=/command/svscanboot
Restart=always

[Install]
WantedBy=multi-user.target

Save, change permissions, create symbolic link, then start:

chmod 644 /lib/systemd/system/daemontools.service
ln -s /lib/systemd/system/daemontools.service /etc/systemd/system/multi-user.target.wants/daemontools.service
service daemontools start

Create users:

useradd --no-create-home --shell /bin/false Gtinydns
useradd --no-create-home --shell /bin/false Gdnslog

Create initial base configuration:

tinydns-conf Gtinydns Gdnslog /etc/tinydns [HOST IP]
ln -s /etc/tinydns /service/tinydns

Check to ensure that the service has been loaded:

sleep 5
svstat /service/tinydns

It should respond with something along the lines of:

/service/tinydns: up (pid 2979) 7 seconds
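
The check above can be scripted. This is an added example, not part of the original post or of daemontools: it parses a svstat line, treats a short uptime as a restart loop (supervise restarts a service that exits, so a crashing tinydns still reports "up"), and compares the process's effective uid with the Gtinydns account created earlier. The function names and the 5-second threshold are assumptions, and /proc is assumed to be Linux procfs.

```sh
#!/bin/sh
# Added example: interpret svstat output and confirm the privilege drop.
# Helper names and the default threshold are assumptions, not daemontools features.

# svstat_pid LINE -> prints N when LINE reports "up (pid N) S seconds"
svstat_pid() {
    printf '%s\n' "$1" |
        sed -n 's/^[^ ]*: up (pid \([0-9][0-9]*\)) [0-9][0-9]* seconds.*$/\1/p'
}

# svstat_uptime LINE -> prints S when LINE reports "up (pid N) S seconds"
svstat_uptime() {
    printf '%s\n' "$1" |
        sed -n 's/^[^ ]*: up (pid [0-9][0-9]*) \([0-9][0-9]*\) seconds.*$/\1/p'
}

# svstat_check LINE [MIN_UP]
#   0 = up for at least MIN_UP seconds
#   1 = not up (down, or supervise not running)
#   2 = up, but (re)started less than MIN_UP seconds ago: possible crash loop
svstat_check() {
    up=$(svstat_uptime "$1")
    [ -n "$up" ] || return 1
    [ "$up" -ge "${2:-5}" ] || return 2
    return 0
}

# proc_euid PID -> effective uid of PID, read from Linux procfs
proc_euid() {
    awk '$1 == "Uid:" { print $3 }' "/proc/$1/status"
}

# runs_as PID USER -> 0 when PID's effective uid is USER's uid
runs_as() {
    [ "$(proc_euid "$1")" = "$(id -u "$2")" ]
}

# Demo on the sample line quoted on this page:
svstat_check '/service/tinydns: up (pid 2979) 7 seconds' 5 && echo "tinydns: up and stable"

# Live use on the host (needs the running service, so not executed here):
#   line=$(svstat /service/tinydns)
#   svstat_check "$line" 5 && runs_as "$(svstat_pid "$line")" Gtinydns
```

A return code of 2 on repeated runs means the run script keeps exiting; the log under /etc/tinydns/log/main is the place to look.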

Management

         STOP:  svc -d /service/tinydns
        START:  svc -u /service/tinydns
DNS DATA FILE:  /etc/tinydns/root/data
                RUN `make` IN SAME DIRECTORY TO UPDATE,
                NO RESTART/RELOAD REQUIRED

The data file uses the tinydns-data format, documented at http://cr.yp.to/djbdns/tinydns-data.html.



Responses (3)

  • Many thanks for this very useful, thorough and clean tutorial.

  • Thanks a ton for the time saver. Your installation steps worked perfectly for me with Debian 9.8.0 on amd64.
