Linux Network Administrator's Guide (3rd Edition) [Electronic resources]

Tony Bautts, Terry Dawson, Gregor N. Purdy

5.3. Alternatives to BIND


Those who have been concerned with the
number of security vulnerabilities found in the BIND server over
the years, or who simply prefer a simpler DNS solution, may wish to
investigate an alternative, djbdns. This software, written from
scratch by D.J. Bernstein, provides a much more robust, simplified,
and secure framework for DNS. djbdns is easy to install and
configure, and is far less complex than BIND while offering essentially
the same functionality for an ordinary site (one notable omission is
DNSSEC, which djbdns does not implement; also note that the last
release, 1.05, dates from 2001, so use a distribution package that
carries the later fixes where one is available). In this section, we'll
cover the basics of installing and configuring a DNS server using djbdns.
It is important to note that the djbdns DNS server, tinydns, is designed
to be just that, an authoritative server for the zones you publish, meaning
that by default it won't resolve queries for machines outside of your
authority. For that, you will need to run djbdns's separate caching
server, dnscache, on a separate machine or IP address. As recommended
earlier, caches and authoritative servers should be kept apart for security
reasons: the cache can then be restricted to your own clients, and a bad
entry in it (a poisoned answer, for instance) cannot affect the data you
publish for your own domain. To read more about this topic, please refer
to the djbdns web site at http://cr.yp.to/djbdns.html.


5.3.1. Installing djbdns


To run djbdns, you first need to
install another DJB program called daemontools, a small
collection of tools (svscan, supervise, svstat, and friends) for
starting, supervising, and restarting Unix daemons. To view full
documentation and source code for daemontools, visit its web page at
http://cr.yp.to/daemontools.html.
When you've successfully downloaded the software,
extract it and compile it. daemontools comes with a script that
compiles and installs the software in one step. Note that the installer
expects the source tree to live under /package: it creates /command and
/service, and fills /command with symbolic links that point into
/package/admin/daemontools, so unpack the archive there rather than in a
scratch directory. The script is launched as follows:

vlager# mkdir -p /package
vlager# chmod 1755 /package
vlager# cd /package
vlager# tar xzpf daemontools-0.76.tar.gz
vlager# cd admin/daemontools-0.76
vlager# package/install


When the script finishes, /command holds the daemontools programs and
the installer has arranged for svscanboot to be started at boot (it adds
a line to /etc/inittab, or to /etc/rc.local on systems without one). Do
not delete the /package/admin/daemontools-0.76 tree afterwards: the
entries in /command are symbolic links into it, not copies. You can now
install the next dependency, ucspi-tcp, DJB's own toolkit for TCP
client-server programs (tcpserver and tcpclient); djbdns's TCP-based
components, zone transfers in particular, run under tcpserver. It is also
very easy to install:

vlager# mkdir software
vlager# cd software
vlager# tar xzpf ucspi-tcp-0.88.tar.gz
vlager# cd ucspi-tcp-0.88
vlager# make
vlager# make setup check

This installs the programs under /usr/local/bin; the
source directory can be removed once make setup check has
finished. You won't need to do anything else with the operation
or configuration of this software for the moment.


Once ucspi-tcp
is installed, you are ready to install djbdns itself (the current and
final release is djbdns-1.05). The djbdns installation uses the same
steps documented above for ucspi-tcp: unpack, make, then make setup
check. This process also installs the djbdns programs under
/usr/local/bin. Before configuring djbdns, make sure that the
svscan process is running (ps should show svscanboot, svscan, and
readproctitle). svscan is part of the daemontools package and must be
running, since it is what starts and supervises the service
directories you will create below.

When you've verified that
svscan is running, you can start the
configuration of the DNS server. The first step is to create two
unprivileged system accounts, tinydns and dnslog (neither needs a
login shell or a home directory). The server runs as the first and its
logger as the second, rather than running as root the way BIND
installations often did.

Next, you need a
directory for your DNS server's configuration files
and logs. tinydns-conf creates this directory itself (and refuses to
run if it already exists), so do not mkdir it first; just call
tinydns-conf with the two account names, the directory, and the IP
address the server should listen on:

vlager# tinydns-conf tinydns dnslog /etc/tinydns 172.16.0.2

The IP address 172.16.0.2 in the
example should be replaced with the address on which your DNS server
will answer queries, normally its external IP address. Following this,
svscan needs to be informed of the new service. Linking the directory
into /service is all that is required; svscan notices the new entry
within a few seconds and starts it, after which svstat should report the
service as up:

vlager# ln -s /etc/tinydns /service
vlager# svstat /service/tinydns

This completes the installation of your djbdns server; all
that's left to do is configure your hosts. Under
BIND, this is where the majority of the complexity and confusion
lives; djbdns, however, makes adding new DNS records much
easier.


5.3.2. Adding Hosts


You
will need to configure your host information so that your DNS server
actually provides a service. The first step in this process is to
establish the server as the authority for your domain. For our example,
the Virtual Brewery, we want our DNS server to answer all queries for
the vbrew.com domain and for the reverse zone of its 172.16.1.0
network. Rather than wrestling with long zone files, this can be done
in a few short steps. The address given to add-ns is the address of the
name server itself, that is, the one tinydns listens on:

vlager# cd /service/tinydns/root
vlager# ./add-ns vbrew.com 172.16.1.1
vlager# ./add-ns 1.16.172.in-addr.arpa 172.16.1.1
vlager# make

Now that the server is authoritative for the vbrew.com domain, we can
add the individual hosts on our network. Fortunately, this is just as
easy as the previous step. To give an address to our favorite host,
vlager, and to our web server, and to make vlager also answer to the
name mail, we use the following commands:

vlager# cd /service/tinydns/root
vlager# ./add-host vlager.vbrew.com 172.16.1.10
vlager# ./add-host www.vbrew.com 172.16.1.11
vlager# ./add-alias mail.vbrew.com 172.16.1.10
vlager# make

Using the add-host
command, we enter the FQDN followed by the IP address; this creates
both the A record for the name and the PTR record used for the reverse
lookup of the address. You might have noticed the other command in the
example, add-alias. It adds a further name to an IP that already has a
host entry, creating only an A record, so the reverse lookup of
172.16.1.10 keeps returning vlager.vbrew.com. In the example, our host
vlager is set to also answer to the name mail, which is useful when one
server serves multiple purposes. Take special notice of the last command
in the series, make. Things won't work if you forget to execute it,
since it runs tinydns-data to compile the text file data into data.cdb,
the binary database the server actually reads. If you're having
problems with your installation, check this first.

The
commands add-host, add-ns,
and add-alias just edit the master djbdns
configuration file called data, located in
/service/tinydns/root, refusing any entry whose name (or, for add-host,
whose address) is already present. If you prefer to do this by hand,
open data in a text editor and add the following lines:

=vlager.vbrew.com:172.16.1.10
=www.vbrew.com:172.16.1.11
+mail.vbrew.com:172.16.1.10




You'll notice that the host
entry lines begin with = and the alias lines begin with a +
character. While the manual method does work, it adds more
responsibility, since you now have to check the file yourself for
duplicate entries: a name defined twice, or a second = line for an
address that already has one, which would give that address two PTR
records. You also still need to run make afterwards. Most administrators
will just want to stick with the automated tools to avoid complications.
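To make that duplicate check concrete, here is an added example (it is not code from the book or from djbdns) that reads a data file in the format above and reports what the add-host and add-alias helpers would have refused: a name that appears on two host or alias lines, and an address that appears on two = lines. It also expands ., = and + lines into the records tinydns-data generates from them, which shows why = and + differ. The sample file is constructed here, with the . lines written the way add-ns writes them; its last two lines are deliberately wrong.

```python
"""Lint a tinydns `data` file for the duplicates the add-* scripts refuse.

Added example for this section; it is not code from djbdns. Only the three
record types discussed in the text are interpreted:
  .fqdn:ip:x   name server x.ns.fqdn (or x itself if it contains a dot)
               plus an A record for it (tinydns-data also emits an SOA,
               which this checker ignores)
  =fqdn:ip     A record and the matching PTR record
  +fqdn:ip     A record only (an alias; no PTR)
Every other line type is left alone.
"""

# Constructed sample: the Virtual Brewery lines from the text, followed by
# two lines a hand edit might introduce and that the helpers would refuse.
SAMPLE_DATA = """\
.vbrew.com:172.16.1.1:a
.1.16.172.in-addr.arpa:172.16.1.1:a
=vlager.vbrew.com:172.16.1.10
=www.vbrew.com:172.16.1.11
+mail.vbrew.com:172.16.1.10
=ftp.vbrew.com:172.16.1.10
+www.vbrew.com:172.16.1.12
"""


def reverse_name(ip):
    """172.16.1.10 -> 10.1.16.172.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def parse_data(text):
    """Yield (kind, fields, lineno) for '.', '=' and '+' lines only."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] not in ".=+":
            continue
        fields = line[1:].split(":")
        while len(fields) < 3:          # pad so fqdn, ip, x always exist
            fields.append("")
        yield line[0], fields, lineno


def expand(text):
    """Return the (type, owner, value, lineno) records the lines produce."""
    records = []
    for kind, f, lineno in parse_data(text):
        fqdn, ip = f[0], f[1]
        if kind == ".":
            ns = f[2] or "a"
            if "." not in ns:
                ns = "%s.ns.%s" % (ns, fqdn)   # tinydns-data's shorthand
            records.append(("NS", fqdn, ns, lineno))
            if ip:
                records.append(("A", ns, ip, lineno))
        else:
            records.append(("A", fqdn, ip, lineno))
            if kind == "=":
                records.append(("PTR", reverse_name(ip), fqdn, lineno))
    return records


def find_conflicts(text):
    """Return a list of problem descriptions (empty if the file is clean)."""
    problems = []
    name_line = {}   # host/alias name -> first line defining it
    ptr_line = {}    # ip -> first '=' line, i.e. the line owning its PTR
    for kind, f, lineno in parse_data(text):
        if kind == ".":
            continue
        fqdn, ip = f[0], f[1]
        if fqdn in name_line:
            problems.append("line %d: %s is already defined on line %d"
                            % (lineno, fqdn, name_line[fqdn]))
        else:
            name_line[fqdn] = lineno
        if kind == "=":
            if ip in ptr_line:
                problems.append("line %d: %s already has a '=' line (PTR) "
                                "on line %d; use '+' for a second name"
                                % (lineno, ip, ptr_line[ip]))
            else:
                ptr_line[ip] = lineno
    return problems


if __name__ == "__main__":
    for rec in expand(SAMPLE_DATA):
        print("%-3s %-32s %s" % rec[:3])
    for p in find_conflicts(SAMPLE_DATA):
        print("PROBLEM:", p)
```

Run it against the real file with `python3 lint.py < /service/tinydns/root/data` adapted to read stdin, or simply paste the file into SAMPLE_DATA; a clean file yields no PROBLEM lines, and the expansion makes the missing PTR for the + alias visible.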


5.3.3. Installing an External DNS Cache


When you've successfully created your DNS server and
have everything functioning properly, you may want to create an
external DNS cache, so hosts on your network can resolve the IP
addresses of external machines. This is done by installing dnscache,
which with djbdns is again simple. Assuming that you have
svscan running, you must first create (or verify the
existence of) two system accounts, one for the cache program and one
for the logging mechanism. Though it isn't necessary
to do so, it is a good idea to call them something meaningful, such
as dnscache and dnslog,
respectively.

Next, you'll need to
determine the IP address on which to run your DNS cache. Remember,
this must be a different address from the one tinydns listens on,
since both bind UDP port 53 (here the cache runs on a separate machine,
vstout). Now, as root, create and configure the service directory. As
with tinydns-conf, dnscache-conf creates the directory itself and fails
if it already exists, so do not mkdir it first:

vstout# dnscache-conf dnscache dnslog /etc/dnscache <cache.ip.address>

Again, as root, you now need to inform svscan that you have a new
service for it to run:

vstout# ln -s /etc/dnscache /service

Now, to be certain that the new service is running, wait a few
moments and issue the following command:

vstout# svstat /service/dnscache
/service/dnscache: up (pid 1139) 149 seconds

When you've made certain that the service is
running, you need to tell it which IP addresses are authorized to
use the cache. Out of the box only 127.0.0.1 is authorized; queries
from any other address are dropped without a reply. Authorization is
granted by files in /etc/dnscache/root/ip named after a client address
or a leading part of one (cut at an octet boundary). In the case of the
Virtual Brewery, we want to authorize the entire 172.16 network, so
we'll create a file named 172.16:

vstout# touch /etc/dnscache/root/ip/172.16
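The ip/ directory is matched by name, not by netmask, which is worth seeing in detail before relying on it. The following added example (not part of the book or of djbdns) models the lookup dnscache performs from its root directory: it looks for ip/<client address>, then removes the last octet and looks again, down to the first octet. So a file named 172.16 covers every address that starts with 172.16., a file named 172.16.1 covers only 172.16.1.x, and no file name in that directory can express a prefix that is not on an octet boundary. The directory layout and client addresses are constructed in a temporary directory.

```python
"""Model of dnscache's client authorization (the ip/ directory).

Added example for this section, not code from djbdns. dnscache works in
its ROOT directory (/etc/dnscache/root in the text) and, for each query,
tests whether a file ip/<address> exists, then ip/<address minus its last
octet>, and so on down to ip/<first octet>. Queries from addresses that
match nothing are silently dropped. okclient() reproduces that walk.
"""
import os
import tempfile


def okclient(root, ip):
    """Return True if dnscache running with ROOT=root would answer ip."""
    name = ip
    while True:
        if os.path.exists(os.path.join(root, "ip", name)):
            return True
        dot = name.rfind(".")
        if dot < 0:
            return False          # walked back past the first octet: reject
        name = name[:dot]         # 172.16.1.5 -> 172.16.1 -> 172.16 -> 172


def authorize(root, *prefixes):
    """Equivalent of 'touch ip/<prefix>' for each prefix, as in the text."""
    os.makedirs(os.path.join(root, "ip"), exist_ok=True)
    for prefix in prefixes:
        open(os.path.join(root, "ip", prefix), "w").close()


def covered_by(prefix, ip):
    """True if a single file ip/<prefix> would authorize the client ip."""
    with tempfile.TemporaryDirectory() as root:
        authorize(root, prefix)
        return okclient(root, ip)


def demo():
    """Authorize the Virtual Brewery's 172.16 network plus one outside
    host, then report which clients get answers. Returns {client: bool}."""
    clients = [
        "172.16.1.5",       # inside 172.16: allowed via ip/172.16
        "172.16.255.254",   # also inside
        "172.160.1.1",      # textual near-miss: 172.160 is not 172.16
        "172.1.1.1",        # a different /16
        "10.0.0.5",         # the single outside host
        "10.0.0.6",         # its neighbour: not listed, so dropped
    ]
    with tempfile.TemporaryDirectory() as root:
        authorize(root, "172.16", "10.0.0.5")
        return {c: okclient(root, c) for c in clients}


if __name__ == "__main__":
    for client, allowed in demo().items():
        print("%-16s %s" % (client, "answered" if allowed else "dropped"))
```

The practical consequence: to authorize, say, 172.16.0.0/12 you must create the sixteen files 172.16 through 172.31 (or one per /24 for finer cuts), and you should never create a file named after a single octet such as 172 unless you really mean to answer the whole /8.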

Of course,
you'll want to make sure that the
/etc/resolv.conf on your hosts points at the new DNS cache's address.
You can then test whether the cache is working with
nslookup, dig, or one of the
included djbdns tools, dnsip, which resolves through the servers
listed in /etc/resolv.conf:

vlager# dnsip www.google.com
216.239.57.104 216.239.57.99
vlager#

