Higher Logic notes on screwing with tech…


Djbdns on ubuntu 10.04 server, migration from BIND and zone transfers to secondaries (BIND)

What are you going to do with rainy Sundays? Move from BIND to djbdns of course :D I have been wanting to do this for quite some time, so here it goes...

Criteria for this djbdns:

  • Must use ubuntu base repositories (ease of maintenance)
  • Still play nicely with BIND slaves (can't change those :()
  • Still resolve custom internal domain (mine is *.prove)
  • DNS serving is separated from DNS resolving

Background info for the following technical steps:

  • dns server listening on
  • dns resolving service listening on
  • dns resolving service only allowing clients from
  • zones transferred from BIND, higherlogic.com.au and .prove (internal)

Set up tinydns (dns server) and dnscache (resolver cache)

Drill and lay down some foundations
# Install
apt-get install daemontools daemontools-run ucspi-tcp djbdns
# alternatively install dbndns for extra debian goodness with ipv6 and others
apt-get install daemontools daemontools-run ucspi-tcp dbndns
# Users for the chroot jail
adduser --no-create-home --disabled-login --shell /bin/false dnslog
adduser --no-create-home --disabled-login --shell /bin/false tinydns
adduser --no-create-home --disabled-login --shell /bin/false dnscache

Build the house
# Config
tinydns-conf tinydns dnslog /etc/tinydns/
dnscache-conf dnscache dnslog /etc/dnscache
# Allow resolver clients by address prefix: the file name under root/ip/ is the prefix (here 1.2.3.*)
cd /etc/dnscache; touch /etc/dnscache/root/ip/1.2.3
# Hand both services to svscan; the dnscache link is what the svstat/svc commands below rely on
mkdir /etc/service ; cd /etc/service ; ln -sf /etc/tinydns/ ; ln -sf /etc/dnscache/

Check that it's sturdy
# Start and Test
initctl start svscan
# Checking status
svstat /etc/service/tinydns
svstat /etc/service/dnscache
# Shutting down
svc -d /etc/service/tinydns
svc -d /etc/service/dnscache
# Starting up
svc -u /etc/service/tinydns
svc -u /etc/service/dnscache

Pack the boxes at the old place
# Run these from /etc/tinydns/root/ so the zone-* files land where the next step expects them
# Normal forward zone retrieval (axfr-get writes the zone in tinydns data format)
tcpclient ns.higherlogic.com.au 53 axfr-get higherlogic.com.au zone-higherlogic.com.au zone-higherlogic.com.au.tmp
tcpclient ns.higherlogic.com.au 53 axfr-get prove zone-prove zone-prove.tmp
# Example Reverse IP
tcpclient dns1.mydomain.com 53 axfr-get 32.58.212.in-addr.arpa zone-32.58.212 zone-32.58.212.tmp

Move in!
# Create the new combined zone db which will drive tinydns
cd /etc/tinydns/root/
sort -u zone* > data
# tinydns serves data.cdb, not data: the Makefile from tinydns-conf compiles it with tinydns-data
make
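Before compiling the merged file, it is worth checking that the merge produced something sane. The script below is an added example, not code from the original post: it parses the tinydns data format with plain sh and awk, counts records per type, and flags two things that come out of a careless merge of transferred zones (a zone with an SOA but no NS record at its apex, and a name that has a CNAME next to other records). The zone names and addresses in the samples are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check the combined
# tinydns "data" file before building data.cdb from it. Needs only sh and awk.
# Zone names and addresses in the samples are constructed placeholders.

# Print "type count" per tinydns record type present in FILE
# (Z=SOA, &=NS, .=NS+SOA+A, +=A, ==A+PTR, @=MX, ^=PTR, C=CNAME, '=TXT).
tinydns_record_counts() {
  awk '!/^#/ && !/^$/ { n[substr($0, 1, 1)]++ }
       END { for (t in n) print t, n[t] }' "$1" | sort
}

# Exit 0 when every zone that carries an SOA (Z or . line) also has an NS
# record (& or . line) at its apex and no name has a CNAME next to other
# records; otherwise print one line per problem and exit 1.
tinydns_data_check() {
  awk -F: '
    BEGIN { bad = 0 }
    /^#/ || /^$/ || /^-/ { next }          # comments, blanks, disabled lines
    {
      type = substr($1, 1, 1); fqdn = substr($1, 2)
      if (type == "Z" || type == ".") soa[fqdn] = 1
      if (type == "&" || type == ".") ns[fqdn] = 1
      if (type == "C") cname[fqdn] = 1; else other[fqdn] = 1
    }
    END {
      for (z in soa) if (!(z in ns)) { print "zone " z ": SOA but no NS at apex"; bad = 1 }
      for (f in cname) if (f in other) { print f ": CNAME alongside other records"; bad = 1 }
      exit bad
    }' "$1"
}

# Constructed sample of a merged data file (what "sort -u zone* > data" yields).
SAMPLE_DATA=$(mktemp)
cat > "$SAMPLE_DATA" <<'EOF'
# constructed: zone-example.test and zone-prove merged
&example.test::ns.example.test
&prove::ns.prove
+ns.example.test:192.0.2.53
+ns.prove:10.0.0.53
+www.example.test:192.0.2.80
@example.test::mail.example.test:10
Zexample.test:ns.example.test:hostmaster.example.test:2010051701:16384:2048:1048576:2560
Zprove:ns.prove:hostmaster.prove:2010051701
EOF

# Constructed broken file: a zone with SOA but no NS, and a CNAME at the apex.
BAD_DATA=$(mktemp)
cat > "$BAD_DATA" <<'EOF'
Zbroken.test:ns.broken.test:hostmaster.broken.test:2010051701
Cbroken.test:www.example.test
EOF

tinydns_record_counts "$SAMPLE_DATA"
tinydns_data_check "$SAMPLE_DATA" && echo "data ok"
tinydns_data_check "$BAD_DATA" || echo "fix data before building data.cdb"
```

Run it against /etc/tinydns/root/data after the sort; a non-zero exit from tinydns_data_check is the cue to look at the offending zone file before compiling. The check is deliberately narrow (apex NS and CNAME conflicts are the mistakes a merged transfer most often carries), so a clean exit does not replace comparing answers against the old BIND server.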

If you host your own internal custom domain (*.prove in my case)
# Make sure the zone is set up in tinydns already
# Point dnscache at the tinydns server for your custom zone and restart the service
# (dnscache-conf put the service in /etc/dnscache, so work there)
cd /etc/dnscache
# root/servers/prove holds the address of the server that is authoritative for .prove
echo > root/servers/prove
chmod 644 root/servers/prove
svc -t /etc/dnscache

Some tire-kicking?
# Compare what djbdns returns with what BIND returns; the answers should be identical
# (tinydns-get reads data.cdb from the current directory, so run it in /etc/tinydns/root/)
tinydns-get a www.higherlogic.com.au
dnsq a www.higherlogic.com.au ns.higherlogic.com.au

Set up zone transfers with BIND using axfrdns

# Install
apt-get install daemontools daemontools-run ucspi-tcp djbdns
adduser --no-create-home --disabled-login --shell /bin/false axfrdns

# Config
axfrdns-conf axfrdns dnslog /etc/axfrdns /etc/tinydns
cd /etc/service ; ln -sf /etc/axfrdns/

# Start and Test
initctl start svscan
# Checking status
svstat /etc/service/axfrdns
# Shutting down
svc -d /etc/service/axfrdns
# Starting up
svc -u /etc/service/axfrdns

# Restrict zone transfers to your secondaries by editing /etc/axfrdns/tcp:
# one line per secondary listing the zones it may pull in AXFR, then the bare ":" default for everyone else
:allow,AXFR=""
# the default line above still allows large queries through TCP, but transfers no zone

# Rebuild tcp.cdb after editing tcp (the Makefile from axfrdns-conf runs tcprules),
# just as make rebuilds data.cdb for tinydns
cd /etc/axfrdns
make
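The tcp rules file is the only thing standing between your zone data and anyone who can open a TCP connection to port 53, so it pays to generate it from a list rather than hand-edit it, and to audit it afterwards. The script below is an added example, not code from the original post or from djbdns itself: axfrdns_tcp_rules emits one allow line per secondary with just that secondary's zones in $AXFR followed by the catch-all default, and axfrdns_tcp_audit flags the two ways the file commonly ends up too permissive. It relies on axfrdns treating an unset $AXFR as "transfer any zone", which is why an allow rule without AXFR= is dangerous. The addresses and zone names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: generate /etc/axfrdns/tcp
# rules that let each secondary transfer only its own zones, and audit an
# existing rules file for entries that hand out transfers to everyone.
# Addresses and zone names below are constructed placeholders.

# Usage: axfrdns_tcp_rules "IP zone1/zone2" ["IP zones" ...] > /etc/axfrdns/tcp
# One allow line per secondary with its zones in $AXFR, followed by the
# catch-all rule that still answers ordinary TCP queries for anyone but
# transfers no zone (AXFR="").
axfrdns_tcp_rules() {
  for spec in "$@"; do
    printf '%s:allow,AXFR="%s"\n' "${spec%% *}" "${spec#* }"
  done
  printf ':allow,AXFR=""\n'
}

# Audit FILE (the plain-text tcp rules, not tcp.cdb). Prints and exits 1 on:
#  - an allow rule with no AXFR= at all: axfrdns then transfers every zone to
#    that client, because an unset $AXFR means "no restriction";
#  - a catch-all ":" rule that names zones: every address may transfer them.
axfrdns_tcp_audit() {
  awk -F: '
    BEGIN { bad = 0 }
    /^#/ || /^$/ { next }
    $2 ~ /^allow/ && $2 !~ /AXFR=/ { print "unrestricted AXFR for " ($1 == "" ? "everyone" : $1) ": " $0; bad = 1 }
    $1 == "" && $2 ~ /AXFR="[^"]+"/ { print "world-transferable zones: " $0; bad = 1 }
    END { exit bad }' "$1"
}

# Constructed demo: two BIND secondaries, each limited to the zones it slaves.
RULES=$(mktemp)
axfrdns_tcp_rules "192.0.2.53 example.test/2.0.192.in-addr.arpa" \
                  "198.51.100.53 example.test" > "$RULES"
cat "$RULES"
axfrdns_tcp_audit "$RULES" && echo "rules ok: run make in /etc/axfrdns to build tcp.cdb"

# Constructed mistake: an allow line without AXFR= exposes every zone.
LOOSE=$(mktemp)
printf '198.51.100.53:allow\n:allow,AXFR=""\n' > "$LOOSE"
axfrdns_tcp_audit "$LOOSE" || echo "tighten tcp before building tcp.cdb"
```

Pointing axfrdns_tcp_audit at /etc/axfrdns/tcp before every make is a cheap habit; it catches the classic slip of adding a secondary as `1.2.3.4:allow` and forgetting the AXFR= part. The audit reads the text file, so run it before the rules are compiled into tcp.cdb.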

Last step: set up a notify script

Tinydns.org has many different versions of this script tailored for various situations; see the section "Database replication via the 'Zone transfer' mechanism". I picked the James Raftery version.