Higher Logic notes on screwing with tech…

13Jun/11

Djbdns on ubuntu 10.04 server, migration from BIND and zone transfers to secondaries (BIND)

What are you going to do with rainy Sundays? Move from BIND to djbdns of course :D I have been wanting to do this for quite some time, so here goes...

Criteria for this djbdns:

  • Must use ubuntu base repositories (ease of maintenance)
  • Still play nicely with BIND slaves (can't change those :()
  • Still resolve custom internal domain (mine is *.prove)
  • DNS serving is separated from DNS resolving

Background info for the following technical steps:

  • tinydns (authoritative DNS server) listening on 1.2.3.4
  • dnscache (resolving service) listening on 1.2.3.5
  • dnscache only allowing clients from 1.2.3.0/24
  • zones transferred from BIND: higherlogic.com.au and .prove (internal)

Setup tinydns (dns server) and dnscache (resolver cache)

Drill and lay down some foundations
# Install
apt-get install daemontools daemontools-run ucspi-tcp djbdns
# alternatively install dbndns for extra debian goodness with ipv6 and others
apt-get install daemontools daemontools-run ucspi-tcp dbndns
# Users for the chroot jail
adduser --no-create-home --disabled-login --shell /bin/false dnslog
adduser --no-create-home --disabled-login --shell /bin/false tinydns
adduser --no-create-home --disabled-login --shell /bin/false dnscache

Build the house
# Config
tinydns-conf tinydns dnslog /etc/tinydns/ 1.2.3.4
dnscache-conf dnscache dnslog /etc/dnscache 1.2.3.5
# Only clients from 1.2.3.0/24 may use the resolver (the file name is the address prefix)
touch /etc/dnscache/root/ip/1.2.3
# Both services must be linked under /etc/service for svscan to supervise them
mkdir -p /etc/service ; cd /etc/service ; ln -sf /etc/tinydns/ ; ln -sf /etc/dnscache/

Check that it's sturdy
# Start and Test
initctl start svscan
# Checking status
svstat /etc/service/tinydns
svstat /etc/service/dnscache
# Shutting down
svc -d /etc/service/tinydns
svc -d /etc/service/dnscache
# Starting up
svc -u /etc/service/tinydns
svc -u /etc/service/dnscache

Pack the boxes at the old place
# Run from /etc/tinydns/root/ so the zone-* files end up next to the tinydns data file.
# The BIND master must permit transfers to this host (allow-transfer), or axfr-get fails.
cd /etc/tinydns/root/
# Normal forward zone retrieval: axfr-get ZONE OUTFILE TMPFILE
tcpclient ns.higherlogic.com.au 53 axfr-get higherlogic.com.au zone-higherlogic.com.au zone-higherlogic.com.au.tmp
tcpclient ns.higherlogic.com.au 53 axfr-get prove zone-prove zone-prove.tmp
# Example reverse zone (in-addr.arpa)
tcpclient dns1.mydomain.com 53 axfr-get 32.58.212.in-addr.arpa zone-32.58.212 zone-32.58.212.tmp

Move in!
# Create the combined zone file that drives tinydns; make runs tinydns-data,
# which compiles data into data.cdb (the file tinydns actually serves)
cd /etc/tinydns/root/
sort -u zone* > data
make
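The merge step above is where mistakes creep in: a zone can arrive with an SOA but no NS line, two hosts from different zone files can share an address (every `=` line also publishes a PTR, so that address ends up with two reverse names), and a stray record can land under no zone you serve. The following check script is an added example, not part of the original post; the sample data is constructed and only borrows the two zone names from the post. It reads a tinydns data file on stdin and exits non-zero when something needs attention, so it can sit in front of `make`.

```shell
#!/bin/sh
# Constructed sample of a merged tinydns data file, the kind that
# `sort -u zone* > data` produces. Names and addresses are made up; only the
# two zone names come from the post. It deliberately contains three mistakes.
SAMPLE_DATA='#2011061301 auto axfr-get
&higherlogic.com.au::ns.higherlogic.com.au.:3600
&prove::ns.prove.:3600
+ns.higherlogic.com.au:1.2.3.4:3600
+ns.prove:1.2.3.4:3600
+www.higherlogic.com.au:1.2.3.10:3600
=fileserver.prove:1.2.3.20:3600
=backup.prove:1.2.3.20:3600
+orphan.example.net:192.0.2.1:3600
Zhigherlogic.com.au:ns.higherlogic.com.au.:hostmaster.higherlogic.com.au.:2011061301:16384:2048:1048576:2560:3600
Zprove:ns.prove.:hostmaster.prove.:2011061301:16384:2048:1048576:2560:3600
Zlonely.prove:ns.prove.:hostmaster.prove.:2011061301:16384:2048:1048576:2560:3600'

# check_tinydns_data: read a tinydns data file on stdin, print one line per
# zone or problem, exit 1 if anything needs attention.
#   Z and . lines define a zone (SOA); . and & lines supply its NS records.
#   = lines create an A and a PTR, so two of them for one address give that
#   address two PTRs, which is usually a mistake after merging zones.
check_tinydns_data() {
    awk -F: '
    BEGIN { warn = 0 }
    /^#/ || /^$/ { next }
    { t = substr($1, 1, 1); name = substr($1, 2) }
    t == "Z" { soa[name] = 1 }
    t == "." { soa[name] = 1; ns[name]++ }
    t == "&" { ns[name]++ }
    t == "=" {
        if ($2 in ptr) { print "WARN duplicate PTR for " $2 ": " ptr[$2] " and " name; warn = 1 }
        else ptr[$2] = name
    }
    t == "+" || t == "=" || t == "C" || t == "@" || t == "\047" { hosts[name] = 1 }
    END {
        for (z in soa) {
            if (ns[z] > 0) print "OK zone " z " ns=" ns[z]
            else { print "WARN zone " z " has an SOA but no NS record"; warn = 1 }
        }
        for (h in hosts) {
            found = 0
            for (z in soa)
                if (h == z || substr(h, length(h) - length(z)) == "." z) found = 1
            if (!found) { print "WARN " h " is not under any zone in this file"; warn = 1 }
        }
        exit warn
    }'
}

# Usage on the live box would be: check_tinydns_data < /etc/tinydns/root/data && make
printf '%s\n' "$SAMPLE_DATA" | check_tinydns_data || echo "data file needs attention"
```

The three WARN lines the sample produces (the SOA-only lonely.prove, the doubled PTR for 1.2.3.20, and orphan.example.net) are exactly the cases a `sort -u` merge will never flag on its own; tinydns-data accepts all three without complaint.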

If you host your own internal custom domain (*.prove in my case)
# Make sure the zone is already set up in tinydns
# Point dnscache at tinydns for the custom zone (root/servers/<zone> holds the
# addresses of the servers for that zone) and restart the service
cd /etc/dnscache
echo 1.2.3.4 > root/servers/prove
chmod 644 root/servers/prove
svc -t /etc/service/dnscache
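Two files under /etc/dnscache/root now decide who may ask the resolver and where each name is sent: ip/1.2.3 admits clients by address prefix, and servers/prove hands the internal zone to tinydns while everything else goes to the root servers listed in servers/@. The script below is an added example, not the original post's code, that rebuilds that layout in a temporary directory with constructed contents (192.0.2.53 is a placeholder for the root server list) and walks the same lookups dnscache performs, so you can see which file wins for a given client or name.

```shell
#!/bin/sh
# Throwaway copy of the dnscache root/ layout (the live one is /etc/dnscache/root),
# populated with constructed values so the lookups can be tried without touching the box.
DNSCACHE_ROOT=$(mktemp -d)
mkdir -p "$DNSCACHE_ROOT/ip" "$DNSCACHE_ROOT/servers"
: > "$DNSCACHE_ROOT/ip/1.2.3"                       # clients in 1.2.3.0/24 may query
echo 192.0.2.53 > "$DNSCACHE_ROOT/servers/@"        # placeholder for the root server list
echo 1.2.3.4    > "$DNSCACHE_ROOT/servers/prove"    # internal zone is served by our tinydns

# dnscache_client_allowed IP: true if dnscache would accept a query from IP.
# dnscache tries ip/<a.b.c.d>, then ip/<a.b.c>, ip/<a.b>, ip/<a>; the first
# file that exists wins, so ip/1.2.3 admits the whole /24.
dnscache_client_allowed() {
    key=$1
    while :; do
        if [ -e "$DNSCACHE_ROOT/ip/$key" ]; then return 0; fi
        case $key in
            *.*) key=${key%.*} ;;   # drop the last octet and retry
            *)   return 1 ;;        # nothing left to strip: not allowed
        esac
    done
}

# dnscache_servers_for NAME: print the addresses dnscache would ask for NAME.
# It picks the longest suffix of NAME that has a file in servers/ and falls
# back to servers/@, the root servers, when no suffix matches.
dnscache_servers_for() {
    name=$1
    while [ -n "$name" ]; do
        if [ -e "$DNSCACHE_ROOT/servers/$name" ]; then
            cat "$DNSCACHE_ROOT/servers/$name"
            return 0
        fi
        case $name in
            *.*) name=${name#*.} ;;  # strip the leftmost label and retry
            *)   name= ;;
        esac
    done
    cat "$DNSCACHE_ROOT/servers/@"
}

printf 'query from 1.2.3.77 allowed: %s\n' "$(dnscache_client_allowed 1.2.3.77 && echo yes || echo no)"
printf 'query from 1.2.4.77 allowed: %s\n' "$(dnscache_client_allowed 1.2.4.77 && echo yes || echo no)"
printf 'www.prove is resolved via: %s\n' "$(dnscache_servers_for www.prove)"
printf 'www.higherlogic.com.au is resolved via: %s\n' "$(dnscache_servers_for www.higherlogic.com.au)"
```

The prefix walk is why a single file named 1.2.3 is enough for the whole /24, and why a file named 1 would silently open the resolver to all of 1.0.0.0/8: check the ip/ directory after any edit. Remember that the live dnscache only re-reads these directories after `svc -t`.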

Some tire-kicking?
# What djbdns returns should be identical to what BIND returns.
# tinydns-get reads data.cdb from the current directory, so run it in /etc/tinydns/root/
cd /etc/tinydns/root/
tinydns-get a www.higherlogic.com.au
# dnsq asks the old BIND server directly for the same record
dnsq a www.higherlogic.com.au ns.higherlogic.com.au

Setup zone transfers with BIND using axfrdns

# Install (the packages are already present from the tinydns step; only the user is new)
apt-get install daemontools daemontools-run ucspi-tcp djbdns
adduser --no-create-home --disabled-login --shell /bin/false axfrdns

# Config
axfrdns-conf axfrdns dnslog /etc/axfrdns /etc/tinydns 1.2.3.4
cd /etc/service ; ln -sf /etc/axfrdns/

# Start and Test
initctl start svscan
# Checking status
svstat /etc/service/axfrdns
# Shutting down
svc -d /etc/service/axfrdns
# Starting up
svc -u /etc/service/axfrdns

# Restrict zone transfers to the BIND secondary 2.3.4.5 by editing /etc/axfrdns/tcp
# (tcprules format: an address rule first, then the default rule; a plain
# 2.3.4.5:allow without the AXFR= part would let that host transfer every zone)
2.3.4.5:allow,AXFR="higherlogic.com.au/prove"
# everyone else may still send large queries over TCP, but AXFR="" refuses transfers
:allow,AXFR=""

# Compile tcp into tcp.cdb, the same make pattern as the tinydns data file
cd /etc/axfrdns
make
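Getting the tcp rules file right matters more than anything else in this step, because an unrestricted `:allow` rule publishes every zone in data.cdb to anyone who asks over TCP. The script below is an added example, not the post's or the djbdns project's code: it holds a constructed rules file (the post's two rules plus an added `10.0.0.:deny` prefix rule) and models the lookup tcpserver performs against tcp.cdb (exact address, then shorter dotted prefixes, then the empty default key; the `info@ip` and `=hostname` rule forms are left out), then applies axfrdns's reading of the AXFR variable to decide whether a given client may transfer a given zone.

```shell
#!/bin/sh
# Constructed /etc/axfrdns/tcp contents (the rules file tcprules compiles to tcp.cdb).
AXFR_RULES='# constructed example: only the BIND secondary may transfer
2.3.4.5:allow,AXFR="higherlogic.com.au/prove"
10.0.0.:deny
:allow,AXFR=""'

# tcprules_match IP: print the instruction part of the rule tcpserver would apply.
# Lookup order modelled here: exact address, then dotted prefixes from long to
# short ("2.3.4.", "2.3.", "2."), then the empty default key. tcpserver also
# consults info@ip and =hostname rules, which this model leaves out.
tcprules_match() {
    ip=$1
    p3=${ip%.*}. ; p2=${ip%.*.*}. ; p1=${ip%%.*}.
    for key in "$ip" "$p3" "$p2" "$p1" ""; do
        while IFS= read -r line; do
            case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
            [ "${line%%:*}" = "$key" ] || continue
            printf '%s\n' "${line#*:}"
            return 0
        done <<EOF
$AXFR_RULES
EOF
    done
    return 1   # no rule at all (a real tcp.cdb without a default key denies)
}

# axfr_allowed IP ZONE: true if axfrdns would serve a transfer of ZONE to IP.
# The instruction must be "allow"; then AXFR unset means every zone, AXFR=""
# means no zone, and otherwise AXFR is a slash-separated list of zones.
axfr_allowed() {
    instr=$(tcprules_match "$1") || return 1
    case $instr in allow*) ;; *) return 1 ;; esac
    case $instr in
        *AXFR=*) zones=${instr#*AXFR=\"}; zones=${zones%%\"*} ;;
        *) return 0 ;;
    esac
    case "/$zones/" in */"$2"/*) return 0 ;; *) return 1 ;; esac
}

for ip in 2.3.4.5 10.0.0.7 8.8.8.8; do
    printf '%-10s -> %s\n' "$ip" "$(tcprules_match "$ip" || echo 'no rule')"
done
```

On the real box the authoritative check is the tool that ships with ucspi-tcp: after `make`, `TCPREMOTEIP=2.3.4.5 tcprulescheck tcp.cdb` prints the rule tcpserver will apply to that client, so run it for the secondary and for an address outside it before pointing BIND at the new master.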

Last step: set up a notify script

tinydns.org has several versions of this script tailored to different situations; see the section "Database replication via the 'Zone transfer' mechanism". I picked the James Raftery version.
