LinuxQuestions.org
Old 11-20-2004, 07:23 PM   #1
Gsee
Member
 
Registered: Mar 2004
Location: Australia
Distribution: FreeBSD, OpenBSD, Gentoo, Debian
Posts: 153

Rep: Reputation: 30
What can djbdns, (or any DNS Server/cacher) do for me?


Hello everyone,

I'm not really wanting to start another battle over BIND vs DJBDNS so please vent those frustrations elsewhere.

What I _would_ like to know is what can a DNS server or cacher (be it DJBDNS or BIND) do for me? My blurt:

I'm a Uni student wanting to eventually move into the field of network security. My home network is more complex than it needs to be and is going to get even more so as I'm doing this to learn how to build/configure/use the different types of machines. I have an OpenBSD router, FreeBSD fileserver, OpenBSD DNS server/cacher (eventually) and have visions of setting up / learning more of them. Possibly even a honey net in the very near future.

My Internet connection is a DSL connection. I do _not_ have a website or Intranet but would like to know what a DNS server or cacher can do for me - not to mention which one (server/cacher) I'd be using. I also do _not_ have a domain name although may possibly get one, especially if beneficial.

Basically my initial intention was to have a 'cacheing' system that would handle all the DNS requests by my workstations, do the lookups and store the answers. My understanding is that for this I need a cache rather than a server as a server is intended to 'serve' the addresses of the systems you have in an Intranet or for a site?

Any help would be greatly appreciated. I'm currently working my way through both the Bernstein website to figure out what I want and also "Life with djbdns" - http://www.lifewithdjbdns.com


Thanks again in advance,
Gsee

Last edited by Gsee; 11-24-2004 at 01:57 AM.
 
Old 11-25-2004, 07:56 AM   #2
Gsee
Can anyone please give me an answer on this one?
 
Old 12-01-2004, 08:12 AM   #3
Donboy
I think you pretty much said it all. The caching server will do name lookups and store the answers. I'm only familiar with djbdns, and I have no experience with BIND. But from what I know with djbdns, you can set up your dns cache so that it's usable by other machines on your network. So instead of putting your ISP's nameservers into /etc/resolv.conf, you can put in the IPs of your local nameserver and it will do the lookups for you.

djbdns also has "tinydns" which as you described is used for being an authority for a domain. You define the ip addresses, TTL's etc., with tinydns' config files and it can provide info for your domain records.

I have read lifewithdjbdns and I wasn't impressed. It looked like the author tried to do a good job, but I felt that it wasn't a very good tutorial for how to install it. What I ended up doing was finding several tutorials for installing it and blending them together into one that worked for me.

Here is the result...

https://www.servershak.com/default.pl?&x=djbdns

This pretty well covers the installation of dnscache, so I think you'll find it pretty complete for that purpose. But for tinydns, it's incomplete because I don't have any information on how to setup the config files. There are automated scripts that DJB includes that will allow you to setup the config files, but many people prefer to edit the config file manually.
 
Old 12-02-2004, 01:48 AM   #4
hostprotect
for a free subdomain check out hopto.org .
 
Old 12-02-2004, 06:22 PM   #5
Gsee
Donboy, I'd like to say thank you. That was the exact kind of post I was after.

I have followed the instructions on

https://www.servershak.com/default.pl?&x=djbdns

as best as I could - altering things marginally to suit OpenBSD. I think everything has completed correctly, however when I reach the step

Quote:

Way #2 - dnscache can be used by all machines on your network

and attempt:

/usr/local/bin/dnscache-conf dnscache dns /etc/dnscache 192.168.0.5

I receive:

dnscache-conf: fatal: unknown account dns

However this:

dns:*:1001:

appears in /etc/group

Any suggestions?

Thanks again for your post.

Gsee
 
Old 12-02-2004, 08:01 PM   #6
Donboy
I have heard that if you delete the users/groups and readd them, it will start working.

http://www.bsdforum.org/forums/showt...p?threadid=686

Otherwise, I'm not really sure. I've googled a bit trying to help you, as I'm sure you've done also. But I can't seem to find anything of value to help with your problem.
 
Old 12-06-2004, 08:31 PM   #7
Gsee
Thanks again Donboy,

I've resolved MY version of the problem and discovered that it's an issue with the doc you supplied me. The reason I had the error reported is because I followed the doc explicitly however the doc contradicts itself.

At the beginning of the setup three user accounts are created:
dnscache
tinydns
dnslog

The step at which I was having issues indicates I should enter this:

/usr/local/bin/dnscache-conf dnscache dns /etc/dnscache 192.168.0.50


which returned that dns was not a valid account.

When assessing the syntax of the dnscache-conf command I received this:

dnscache-conf: usage: dnscache-conf acct logacct /dnscache [ myip ]

which to me would imply that the command I should have been running is:

/usr/local/bin/dnscache-conf dnscache dnslog /etc/dnscache 192.168.0.50 - NB that the dns account which caused issues is now dnslog, one of the accounts created earlier. That command ran without a problem. I did this over ssh from work and haven't returned yet. I'm anxious to see if this setup is now working.

Thanks for your help

Gsee
 
Old 12-06-2004, 08:57 PM   #8
Donboy
Bah! You're absolutely right. Thanks for finding that. My document is not complete and needed a good audit. I wrote it for people like yourself who are interested in using djbdns but needed a good howto. I apologize for the error. It was totally my mistake. I will correct it now. Thanks for finding that problem. Good luck with it and let me know if I can be of any more help.
 
Old 12-07-2004, 04:33 PM   #9
Gsee
Not a problem.

Please let it be known that what I wrote in my last message was not intended to be rude or anything of that nature. As I said I discovered the problem whilst at work and wrote the post straight after to avoid forgetting, thus I may have been a fraction short - unintentionally.

In terms of auditing the howto - that's the only problem I managed to find - other than the purple on black background was a tad difficult to read at times.

More importantly, my only additional question would be:

As I want this box to handle my lookups AND cache them, my understanding is that the DNS server should have a resolv file of:
nameserver 127.0.0.1
nameserver My.ISP.DNS.IP

and then all workstations beneath should have a resolv file of
nameserver My.DNS.Ip.Addr

Would that be correct? In which case, the DNS server would look to itself for the answer, if not found it would query my ISP's DNS?

Thanks for your support on this one DonBoy - all in all this thread is turning into a fairly comprehensive howto and explanation to DJBDNS.

Thanks again,
gsee
 
Old 12-07-2004, 08:00 PM   #10
Donboy
Yeah, you're right. That way, you're querying your own dnscache first and then querying your ISP second. If your own dns server happens to be too busy, it's got a backup. I think you're limited to only 3 nameservers in your resolv.conf. Any beyond that are ignored.

Thanks for the compliments. I hope that was my only error. Now all I need to do to make it more complete is explain the tinydns config file (under root/data). Most everyone else simply gives a little info on DJB's *-conf commands for adding records.

Anyway, thanks again and good luck.
 
Old 12-08-2004, 03:19 AM   #11
Gsee
Ok, I've followed the instructions and everything seems to be happy as I had no errors.

My only problem is - it doesn't work

When logged into the DNS Server (affectionately known as MyDNS) I tried the following:

resolv.conf
nameserver 127.0.0.1
nameserver ISP.DNS.IP.ADDR
lookup file blind

$ ping www.google.com
reply
reply blah blah

resolv.conf
nameserver 127.0.0.1
lookup file blind

$ ping www.google.com
Unknown host

What's going wrong?

Furthermore, when using OpenBSD 3.6 what do I have to do to enable the workstations to use this box as their DNS server/lookup-er with ONE network card?

Gsee
 
Old 12-08-2004, 06:49 AM   #12
Donboy
I'm a little confused. You tried to ping google.com, but what was the "reply" and "blah" parts? It almost seems like you're saying it worked the first time but failed the second time??

Also, you shouldn't use ping for something like this. Try using "host", "dnsip" or "dig" instead. Consult the man pages for each one to understand what arguments you can give it.

You can also do...

tail -f /etc/dnscache/log/main/current

and look at what the logs are saying about your dns request. It may yield some information that will help you understand what is the problem. Also, I would expect this to work fine since you've got your ISP's DNS servers listed as the backup, so there should be no reason why it doesn't work.

Also, are you trying to do this on a machine running dnscache? or is this being run on a machine that is querying your dnscache machine??
 
Old 12-08-2004, 07:06 AM   #13
Gsee
Well, I think your questions are already answered but I'll try and make myself clearer.

I'm doing this all directly from the DNS Server - (well... I've ssh'd into it, but close enough to being direct).

Now...

On MyDNS I tried to ping www.google.com - just to see if it could resolve the hostname/IP Address. The first time I did this my resolv.conf was as follows:

nameserver 127.0.0.1 # Enable MyDNS to query itself
nameserver My.ISP.DNS.IP # Enables MyDNS to query my isp if answer isn't cached.
lookup file blind

now... with the above resolv.conf I typed:
ping www.google.com and the ping reached the destination without any trouble:

$ ping www.google.com
PING www.google.akadns.net (216.239.57.99): 56 data bytes
64 bytes from 216.239.57.99: icmp_seq=0 ttl=240 time=197.413 ms
64 bytes from 216.239.57.99: icmp_seq=1 ttl=240 time=197.513 ms
64 bytes from 216.239.57.99: icmp_seq=2 ttl=240 time=194.660 ms
--- www.google.akadns.net ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 194.660/196.528/197.513/1.417 ms

Now, from here I wanted to test that my DNS server was actually caching and capable of using its own cache for the same request. To do this I removed my ISP's DNS Server from the resolv.conf:

resolv.conf

nameserver 127.0.0.1 # Enable MyDNS to query itself
#nameserver My.ISP.DNS.IP # Enable MyDNS to query ISP's DNS Server
lookup file blind

Then tried to ping www.google.com again - theoretically if the first ping had been cached then MyDNS shouldn't need my ISP's DNS Server to locate www.google.com - should it? Isn't that the point? - however, I got this:

MyDNS# ping www.google.com
ping: unknown host: www.google.com
MyDNS#

I'm kinda tired now so I'll try the dig etc tomorrow and let you know what happens, but I still feel the ping should work at least to determine this.

Thanks again,
Gsee
 
Old 12-08-2004, 08:44 AM   #14
Donboy
Yeah, I still think the log files can help you understand what's happening.

Try this...

http://dqd.com/~mayoff/notes/djbdns/dnscache-log.html

...for an explanation of what the log files are telling you, or post your log files here and maybe I can help you decipher them.

I think you're right... something isn't working. And to be fair, ping should work ok just as well as anything else. Ping is supposed to resolve domain names into ip's for the purpose of a ping, so it should work for what you're doing, but it's kind of like using the butt end of a screwdriver as a hammer -- there are better tools for the job.
 
Old 12-08-2004, 07:31 PM   #15
Gsee
When running the command

"tail -f /etc/dnscache/log/main/current"

I initially received this:

$ tail -f /etc/dnscache/log/main/current
@4000000041b5675b287e62ec starting

then I did:
$ ping www.google.com
$ tail -f /etc/dnscache/log/main/current

and got this again:

@4000000041b5675b287e62ec starting

I thought maybe something hadn't 'started' correctly so I rebooted the system and now receive this:

$ tail -f /etc/dnscache/log/main/current
@4000000041b5675b287e62ec starting
@4000000041b83092105b957c starting

I ping google again and still get the same response. So as per the logs it appears the service is starting, it just isn't doing anything. Perhaps djbdns isn't listening correctly? Again I ask what do I need to do with OpenBSD to enable ONE Network Card to both listen for requests and make requests when the answer isn't cached?

Thanks
Gsee
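Donboy's suggestion of reading log/main/current (posts #12 and #14) and the two "starting" lines Gsee quoted in post #15 are easier to interpret once the TAI64N labels are decoded and the event keywords counted. The following is an added example, not code from the thread, from Donboy's howto or from djbdns itself; it assumes the multilog TAI64N label format (@ + 16 hex digits of TAI seconds offset by 2^62 + 8 hex digits of nanoseconds), that TAI was 32 seconds ahead of UTC in 2004, and that dnscache writes the event keyword as the first token after the label. The query/cached sample lines are constructed.

```python
"""Decode dnscache TAI64N log labels and summarise what the cache did."""
from collections import Counter
from datetime import datetime, timedelta, timezone

TAI_OFFSET = 1 << 62          # TAI64 labels are seconds since 1970 plus 2**62
TAI_MINUS_UTC_2004 = 32       # leap-second count in effect during 2004 (assumption)


def decode_tai64n(label: str, tai_minus_utc: int = TAI_MINUS_UTC_2004) -> datetime:
    """Turn '@4000000041b5675b287e62ec' into an aware UTC datetime."""
    if len(label) != 25 or label[0] != "@":
        raise ValueError(f"not a TAI64N label: {label!r}")
    secs = int(label[1:17], 16) - TAI_OFFSET
    nanos = int(label[17:25], 16)
    if not 0 <= nanos < 1_000_000_000:
        raise ValueError("nanosecond field out of range")
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(seconds=secs - tai_minus_utc, microseconds=nanos // 1000)


def summarise(lines):
    """Return (decoded events, per-keyword counts) for a log/main/current excerpt."""
    events, counts = [], Counter()
    for line in lines:
        label, _, rest = line.strip().partition(" ")
        keyword = rest.split(" ", 1)[0] if rest else ""
        events.append((decode_tai64n(label), keyword, rest))
        counts[keyword] += 1
    return events, counts


def cache_served_anything(lines) -> bool:
    """A log that only ever says 'starting' shows dnscache never handled a query."""
    _, counts = summarise(lines)
    return any(k not in ("starting", "") for k in counts)


# Constructed sample: the two 'starting' lines quoted in the thread, followed by
# two made-up lines in the keyword-first shape a working cache would log.
SAMPLE_LOG = """\
@4000000041b5675b287e62ec starting
@4000000041b83092105b957c starting
@4000000041b83095105b957c query 1 c0a80005:8b2a:1a2b 1 www.google.com.
@4000000041b8309a105b957c cached 1 www.google.com.
""".splitlines()

if __name__ == "__main__":
    for when, keyword, rest in summarise(SAMPLE_LOG)[0]:
        print(when.isoformat(), keyword, "|", rest)
    print("handled any queries:", cache_served_anything(SAMPLE_LOG))
```

Run against the real file, a log that decodes to nothing but "starting" after a lookup means the resolver library never reached dnscache at all (wrong listening IP or client not permitted), rather than a cache miss.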
 