The most commonly used DNS server software is ISC BIND, the "Berkeley Internet
Name Daemon". However, this software has a bad security track record and is in
my opinion a pain to configure.
Mr. D.J. Bernstein developed "djbdns", which comes with a guarantee: if anyone
finds a security vulnerability within djbdns, you will get one thousand
dollars. This price has been claimed once. But djbdns has a far
better track record than BIND.
Well, attaching your own name to your DNS implementation and tying a price to
it if someone finds a vulnerability in it, does show some confidence. But
there is more to it. D.J. Bernstein already pointed out some important
security risks regarding DNS and made djbdns immune against them, even before
it became a serious world-wide security issue. However, djbdns is to this
day vulnerable to a variant of this type of attack and the dbndns package is
as of 2010 still not patched. Although the risk is small, you must be
aware of this. I still think that djbdns is less of a security risk,
especially regarding buffer overflows, but it is up to you to decide which
risk you want to take.
The nice thing about djbdns is that it consists of several separate programs,
that each perform a dedicated task. This is in stark contrast with BIND, which
is one single program that performs all DNS functionality. One can argue that
djbdns is far more simpler and easy to use.
So this post is about setting up djbdns on a Debian Linux host as a forwarding
server, thus a 'DNS cache'. This is often used to speed up DNS queries.
Clients do not have to connect to the DNS server of your ISP but can use your
local DNS server. This server will also cache the results of queries, so it
will reduce the number of DNS queries that will be sent out to your ISP DNS
server or the Internet.
Debian Lenny has a patched version of djbdns in its repository. The applied
patch adds IPV6 support to djbdns. This is how you install it:
apt-get install dbndns
The dbndns package is actually a fork of the original djbdns software. Now the
program we need to configure is called 'dnscache', which only does one thing:
performing recursive DNS queries. This is exactly what we want.
To keep things secure, the djbdns software must not be run with superuser
(root) privileges, so two accounts must be made: one for the service, and one
useradd -g dnscache dnscache
useradd -g dnscache dnscachelog
The next step is to configure the dnscache software like this:
dnscache-conf dnscache dnscachelog /etc/dnscache 192.168.0.10
The first two options tell dnscache which system user accounts to use for this
service. The /etc/dnscache directory stores the dnscache configuration. The
last option specifies which IP address to listen on. If you don't specify an
IP address, localhost (127.0.0.1) is used. If you want to run a forwarding DNS
server for your local network, you need to make dnscache listen on the IP
address on your local network, as in the example.
Djbdns relies on daemontools and in order to be started by daemontools we need
to perform one last step:
ln -s /etc/dnscace /etc/service/
Within a couple of seconds, the dnscache software will be started by the
daemontools software. You can check it out like this:
A positive result will look like this:
/etc/service/dnscache: up (pid 6560) 159 seconds
However, the cache cannot be used just yet. Dnscache is governed by some text-
based configuration files in the /etc/dnscache directory. For example, the
./env/IP file contains the IP address that we configured previously on which
the service will listen.
By default, only localhost will be able to access the dnscache. To allow
access to all clients on the local network you have to create a file with the
name of the network in ./root/ip/. If your network is 192.168.0.0/24 (thus 254
hosts), create a file named 192.168.0:
Now clients will be able to use the dnscache. Now you are running a simple
forwarding DNS server and it probably took you under ten minutes to configure
it. Although djbdns is not very well maintained in Debian Lenny, there is
currently not a really good alternative for BIND. PowerDNS is not very
secure (buffer overflows) and djbdns / dbndns has in more than 10 years
never been affected by this type of vulnerability.