Daniel J. Bernstein wrote a DNS server so thoroughly well that he offers $1000 to the first person to publicly report a verifiable security hole in the latest version of it.

The only problem is that setting it up is a pain. It is as though every Linux distribution has to change things just for the sake of changing them… constantly, so following the djbdns installation instructions line-by-line isn’t always an option under Linux.

Here are the steps I took to run djbdns on Debian 8 “Jessie”:

A Few Prerequisites

Official steps are in green, broken steps are in red, modified steps are in yellow.

The following commands will need to be issued as root.

You will need build essentials and wget:

				apt-get update
				apt-get install build-essential wget

Step 1: Install daemontools

			mkdir -p /package
			chmod 1755 /package
			cd /package
			wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
			gunzip daemontools-0.76.tar
			tar -xpf daemontools-0.76.tar
			rm -f daemontools-0.76.tar
			cd admin/daemontools-0.76
		

This next command will fail, so hold off on it for now:

			package/install
		
Edit ./src/error.h. Replace `extern int errno;` on line 6 with `#include <errno.h>`, then save.

Now run the installer:

			package/install

Step 2: Install ucspi-tcp

			cd ~
			wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
			gunzip ucspi-tcp-0.88.tar
			tar -xf ucspi-tcp-0.88.tar
			cd ucspi-tcp-0.88
		

These next commands will fail, so hold off on them for now:

			make
			make setup check
		
Edit ./error.h. Replace `extern int errno;` on line 4 with `#include <errno.h>`, then save.

Now run the compiler and installer:

			make
			make setup check
		

Step 3: Install djbdns

This will go smoothly, since the errno issue is already accounted for here (the conf-cc line below makes the compiler include errno.h).

			cd ~
			wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
			gunzip djbdns-1.05.tar
			tar -xf djbdns-1.05.tar
			cd djbdns-1.05
			echo gcc -O2 -include /usr/include/errno.h > conf-cc
			make
			make setup check
		

Create /lib/systemd/system/daemontools.service with the following contents:

			[Unit]
			Description=DJB daemontools
			After=sysinit.target

			[Service]
			ExecStart=/command/svscanboot
			Restart=always

			[Install]
			WantedBy=multi-user.target
		

Save, change permissions, create the symbolic link, then start the service:

			chmod 644 /lib/systemd/system/daemontools.service
			ln -s /lib/systemd/system/daemontools.service /etc/systemd/system/multi-user.target.wants/daemontools.service
			service daemontools start
		

Create users:

			useradd --no-create-home --shell /bin/false Gtinydns
			useradd --no-create-home --shell /bin/false Gdnslog
		

Create initial base configuration:

			tinydns-conf Gtinydns Gdnslog /etc/tinydns [HOST IP]
			ln -s /etc/tinydns /service/tinydns
		

Check to ensure that the service has been loaded:

			sleep 5
			svstat /service/tinydns
		

It should respond with something along the lines of:

			/service/tinydns: up (pid 2979) 7 seconds
		

Management

START SERVICE    svc -u /service/tinydns
STOP SERVICE     svc -d /service/tinydns
DNS DATA FILE    /etc/tinydns/root/data

The data file is in tinydns-data format, which is documented at http://cr.yp.to/djbdns/tinydns-data.html.

Run `make` in the /etc/tinydns/root directory to update after changing the data file. No restart is required.
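As an added example (not from the original post or from the djbdns distribution), the following Python helper expands tinydns-data shorthand lines into the records tinydns will actually serve, which is useful for reviewing a data file before running `make`. The TTL defaults and the x.ns.fqdn / x.mx.fqdn expansion follow the tinydns-data documentation; the sample data file is constructed and uses RFC 5737 documentation addresses.

```python
import ipaddress
TTL_NS = 259200         # tinydns-data default for '.' and '&' lines
TTL_POSITIVE = 86400    # tinydns-data default for '+', '=' and '@' lines
TTL_NEGATIVE = 2560     # TTL tinydns-data puts on the SOA of a '.' line

def _name(x, suffix, fqdn):
    return x if "." in x else f"{x}.{suffix}.{fqdn}"  # dotless x = x.<suffix>.fqdn

def _int(field, default):
    return int(field) if field else default

def expand_line(line):
    """Return the (owner, type, ttl, rdata) records one data line produces."""
    if not line or line[0] in "#%-":      # comment, location, disabled record
        return []
    kind, p = line[0], line[1:].split(":")
    p += [""] * (8 - len(p))              # pad so optional fields read as ""
    fqdn, recs = p[0], []
    if kind in ".&":                      # NS, A for the server, SOA for '.'
        ttl, ns = _int(p[3], TTL_NS), _name(p[2], "ns", fqdn)
        recs.append((fqdn, "NS", ttl, ns))
        if p[1]:
            recs.append((ns, "A", ttl, p[1]))
        if kind == ".":
            recs.append((fqdn, "SOA", TTL_NEGATIVE if ttl else 0, f"{ns} hostmaster.{fqdn}"))
    elif kind in "+=":                    # A, plus the matching PTR for '='
        ttl = _int(p[2], TTL_POSITIVE)
        recs.append((fqdn, "A", ttl, p[1]))
        if kind == "=":
            rev = ipaddress.IPv4Address(p[1]).reverse_pointer
            recs.append((rev, "PTR", ttl, fqdn))
    elif kind == "@":                     # MX, plus A for the mail host
        ttl, mx = _int(p[4], TTL_POSITIVE), _name(p[2], "mx", fqdn)
        recs.append((fqdn, "MX", ttl, f"{_int(p[3], 0)} {mx}"))
        if p[1]:
            recs.append((mx, "A", ttl, p[1]))
    else:
        raise ValueError(f"unsupported tinydns-data line: {line!r}")
    return recs

def expand_data(text):
    return [r for line in text.splitlines() for r in expand_line(line)]

# Constructed sample data file using RFC 5737 documentation addresses
SAMPLE_DATA = """\
.example.com:192.0.2.1:a:259200
&example.com::ns2.example.net
=www.example.com:192.0.2.10
@example.com:192.0.2.20:mail:10
"""
```

Lines of types this helper does not cover (TXT, CNAME, generic records) raise ValueError rather than being silently skipped, so nothing in a reviewed file goes unaccounted for.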

Addendum

In later versions of Linux, something is causing djbdns to exceed its default softlimit of 300,000 bytes. If djbdns intermittently stops answering queries, the softlimit may need to be increased in the /etc/tinydns/run shellscript.

			#!/bin/sh
			exec 2>&1

			# upped softlimit from 300000 to 400000 to 
			# prevent tinydns process cycling per
			# https://groups.google.com/g/linux.debian.bugs.dist/c/cM8dIVUXfKc
			exec envuidgid Gtinydns envdir ./env softlimit -d400000 /usr/local/bin/tinydns
		


Responses (3)

  • Many thanks for this very useful, thorough and clean tutorial.

  • Thanks a ton for the time saver. Your installation steps worked perfectly for me with Debian 9.8.0 on amd64.
