djbdns: More Than Just a Mouthful of Consonants
There are many other convenience features that tinydns offers. For example, with tinydns, you do not need to remember to increment the serial on the SOA record each time you change something in a zone file. tinydns automatically generates serials from the last-modified timestamp on the data file, which ensures that they are incremented whenever the file changes.
If you ever have had to migrate DNS for an active domain, you will appreciate per-record timestamps. You can specify an exact time in the future for a record to change, without worrying about how it is cached around the Internet. tinydns dynamically calculates the TTL as it responds to queries. For example, if you want to migrate samba.example.com from 192.168.10.25 to 192.168.10.35 at 2 AM on October 15, 2008, you can add the following two records:
The last field on these records is a TAI64 timestamp representing 2008-10-15 02:00:00. (See Resources for tips on generating TAI64 timestamps.)
A cache that requests the A record for samba.example.com at 1:50:00 AM on October 15, 2008, will receive a response of 192.168.10.25 with a TTL of 600 seconds (ten minutes). A cache that requests the same record at 1:59:45 AM will receive the same response, except with a TTL of 15 seconds. After 2:00 AM, tinydns will begin responding automatically with the new IP, 192.168.10.35. Because all prior responses were set to expire at exactly 2:00 AM, all caches will check back immediately for the new address.
It's the little things like this that make djbdns such a wonderful piece of software.
BIND servers use zone transfers to replicate DNS data between servers. This process is rather complicated, has a history of problems and is not exactly easy to configure. Instead, Bernstein recommends using existing data transfer tools, such as rsync or scp, that are known to be fast, efficient and secure.
Let's add linux3.example.com as second DNS server for the example.com domain. Install djbdns on linux3 and configure tinydns as above (using the appropriate IP address). Update your data file on linux2 with the new record (anywhere in the file is fine):
Next, update /service/tinydns/root/Makefile on linux2 with the new make target. Replace everything in the Makefile with the following:
remote: data.cdb rsync -az -e ssh data.cdb \ 192.168.10.30:/service/tinydns/root/data.cdb data.cdb: data /usr/local/bin/tinydns-data
Be sure to use tabs instead of spaces at the beginning of the command lines in your Makefile. Now, when you run make it will compile data.cdb and immediately rsync it to linux3. We are using the IP for linux3 in the rsync command, because DNS should not rely on itself (it would fail if your DNS was broken). Also, you may want to create a special account for this purpose and configure passwordless ssh access using keys. Dan Bernstein provides more thorough instructions on his Web site for configuring DNS replication.
As I hope you have seen, DNS does not have to be a headache. Although BIND is ubiquitous on Linux, djbdns is more secure, more efficient and simply easier to use. And, now that it has been released into the public domain, there are no longer any philosophical reasons for rejecting it. We've only briefly covered what djbdns has to offer, so I hope you will read the on-line documentation, download it and experiment with it yourself. If you ever have found yourself babysitting a BIND instance, you may want to consider giving djbdns a chance.
Google Disappearing Act: tinyurl.com/ckx6x
DNS Fool Tips: www.dnsfool.com/tips
How to Install djbdns, by D. J. Bernstein: cr.yp.to/djbdns/install.html
Paul Jarc's cache-effect.pl: code.dogmap.org/djbdns
Mike Babcock's dnscacheproc.py: mikebabcock.ca/code/dnscacheproc
Replicating Your DNS Service: cr.yp.to/djbdns/run-server.html#replicate
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems
Join editor Bill Childers and Bit9's Paul Riegle on April 27 at 12pm Central to learn how to keep your Linux systems secure.
Free to Linux Journal readers.Register Now!
|Security Hardening with Ansible||Aug 18, 2014|
|Monitoring Android Traffic with Wireshark||Aug 14, 2014|
|IndieBox: for Gamers Who Miss Boxes!||Aug 13, 2014|
|Non-Linux FOSS: a Virtualized Cisco Infrastructure?||Aug 11, 2014|
|Linux Security Threats on the Rise||Aug 08, 2014|
|Android Candy: Oyster—Netflix for Books!||Aug 07, 2014|
- Security Hardening with Ansible
- NSA: Linux Journal is an "extremist forum" and its readers get flagged for extra surveillance
- Monitoring Android Traffic with Wireshark
- Tech Tip: Really Simple HTTP Server with Python
- Readers' Choice Awards 2013
- RSS Feeds
- Returning Values from Bash Functions
- IndieBox: for Gamers Who Miss Boxes!
- Kernel Korner - Why and How to Use Netlink Socket
- Linux Security Threats on the Rise