DJB DNS

From time to time new servers run into trouble, and often the trouble has one common source: the ISP's nameservers have ceased to exist or are failing. I don't know why this happens so often, but this type of problem is easy to fix:

Install a local resolver

Some time ago I wrote a short document on how to install DJB DNS to prevent other types of failures. Running it also spares you the trouble of a third party's failing resolving nameservers. The service is lightweight, fast and robust.

So here is the update. It also fixes the following common compile errors:
/usr/bin/ld: errno: TLS definition in /lib/libc.so.6 section .tbss mismatches non-TLS reference in buffer.a(buffer_put.o)
/usr/bin/ld: errno: TLS definition in /lib/libc.so.6 section .tbss mismatches non-TLS reference in tcpserver.o
/usr/bin/ld: errno: TLS definition in /lib/libc.so.6 section .tbss mismatches non-TLS reference in envdir.o

Note that if you install this while your ISP's nameservers are down, the wget commands will not work, as there currently is no name resolution. In that case, look up the two addresses on another machine and add them to /etc/hosts like this:

BEFORE YOU USE THIS FIRST CHECK IF THE IPs ARE STILL VALID!
cat >>/etc/hosts <<EOF
131.193.36.21   cr.yp.to
192.203.178.37  www.qmail.org
EOF

Afterwards do not forget to remove them ;)

Prevent your machine from DNS hijacking

With the help of some tools written by D. J. Bernstein, you can eliminate the possible DNS resolver buffer overrun on your machine. Just start a shell (as nonprivileged user) and copy and paste the following.

Caveats

  • It is believed that current Linux distributions are not affected by the DNS resolver problem.
  • This code is intended for experienced system administrators only who know what they are doing.
  • If you are paranoid don't forget not to trust me!
Warning: Don't do the following if you already have daemontools installed. This assumes you do not run anything from DJB yet!
# Setup local resolver, perhaps to prevent your machine from DNS hijacking
# (however I do not give any protection guarantee)
#
# You need wget and compilers installed.
#
# You can copy'n'paste this to your commandline directly.
# THIS HAS BEEN TESTED TO WORK ON:
# SuSE 8.0, 7.2, 7.1, 7.0, 6.0
# Debian Sarge, Debian Etch, Ubuntu 6.06 LTS
#
# Script made by Valentin Hilbig (Hint: Google me)
# This work is placed under the terms of the Copyright Less License,
# see file COPYRIGHT.CLL.  USE AT OWN RISK, ABSOLUTELY NO WARRANTY.

# RUN THIS AS ROOT!

# DOWNLOAD Packages from cr.yp.to

cd
mkdir -p cr.yp.to
cd cr.yp.to

wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz

# Unpack patches
wget http://www.qmail.org/netqmail-1.05.tar.gz
tar xfz netqmail-1.05.tar.gz

# Compile the easy stuff

rm -rf djbdns-1.05
tar xfz djbdns-1.05.tar.gz
( cd djbdns-1.05; patch < ../netqmail-1.05/other-patches/daemontools-0.76.errno.patch; )
( cd djbdns-1.05; make; )

rm -rf ucspi-tcp-0.88
tar xfz ucspi-tcp-0.88.tar.gz
patch -p0 < netqmail-1.05/other-patches/ucspi-tcp-0.88.errno.patch
( cd ucspi-tcp-0.88; make; )

# Install the easy stuff

( cd djbdns-1.05; make setup check; )
( cd ucspi-tcp-0.88; make setup check; )

# Now compile and install daemontools.
# As this is run from /sbin/init this must live in root /

HERE="`pwd`"

mkdir -p /package
chmod 1755 /package
cd /package

rm -rf admin/daemontools-0.76
tar xfz "$HERE"/daemontools-0.76.tar.gz
( cd admin; patch -p0 <"$HERE"/netqmail-1.05/other-patches/daemontools-0.76.errno.patch; )
cd admin/daemontools-0.76
package/install

# Restart init to let init execute svscanboot

init q

# Add the resolver

groupadd dnscache
useradd -g dnscache dnscache
useradd -g dnscache dnslog

/usr/local/bin/dnscache-conf dnscache dnslog /var/dnscache

ln -s /var/dnscache /service
svc -u /service/dnscache

# Fix the nameservers to point to current ICANN structure
# This assumes you have dig installed

{
echo "nameserver 127.0.0.1"
cat /etc/resolv.conf
} >/etc/resolv.conf.new
mv --backup=t /etc/resolv.conf.new /etc/resolv.conf

# Patch in the current list of root servers 
for a in a b c d e f g h i j k l m
do
  dig +short $a.root-servers.net.
done > /var/dnscache/root/servers/\@

svc -d /service/dnscache
svc -u /service/dnscache

# If this host is a nameserver, reconfigure bind not to listen on localhost:
# In options section add:
# listen-on { 1.2.3.4; };
# where 1.2.3.4 is your external IP address.
# Perhaps it also is a good idea to add
# recursion no;
# to named.conf and do the things below if your clients need a resolver:
#
# To fix the BIND Cache Buffer Overrun for your LAN:
# Switch off recursion in BIND (man named)
# cp -rp /var/dnscache/. /var/dnscache2
# echo "your.ip.addr.ess" > /var/dnscache2/env/IP
# touch /var/dnscache2/root/ip/subnetIP.without.trailing.zero
# ln -s /var/dnscache2 /service
# (Sorry, no more hints here, this is not real plug'n'play.)
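The root server refresh above writes dig's output straight into root/servers/@, so if the lookups fail (no resolution at all, or dig printing ";; connection timed out" instead of addresses) dnscache is left with an empty or garbage list and stops working. Here is an added example, not part of the original script, that validates the new list before swapping it in; it assumes the script's paths (/var/dnscache, /service/dnscache) and that dig and svc are installed.

```shell
#!/bin/sh
# Added example, not part of the original script: refresh the dnscache root
# server list only when the lookups actually succeeded. Paths match the
# script's layout (/var/dnscache/root/servers/@ and /service/dnscache).

# Read candidate server lines from stdin; succeed only if every line is a
# dotted-quad IPv4 address with octets 0-255 and there are at least $1 lines.
valid_server_list() {
  min="${1:-13}"
  n=0
  while IFS= read -r line; do
    case "$line" in
      ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-numeric, bad dots
    esac
    oldifs="$IFS"; IFS=.
    set -- $line                            # split into octets
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
      [ "$octet" -le 255 ] || return 1
    done
    n=$((n + 1))
  done
  [ "$n" -ge "$min" ]
}

# Build the new list in a temp file and swap it in only if it validates;
# otherwise keep the previous @ file and report the failure.
refresh_root_servers() {
  dir="${1:-/var/dnscache/root/servers}"
  tmp="$dir/@.new"
  for a in a b c d e f g h i j k l m; do
    dig +short "$a.root-servers.net." A
  done >"$tmp" 2>/dev/null
  if valid_server_list 13 <"$tmp"; then
    mv "$tmp" "$dir/@" &&
    svc -t /service/dnscache   # TERM; supervise restarts it (like svc -d; svc -u)
  else
    rm -f "$tmp"
    echo "root server lookup failed, keeping old $dir/@" >&2
    return 1
  fi
}
```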

The CLL can be found here: permalink.de/tino/cll

Addons

DHCLIENT setting

If you run dhclient3, then most of the time the computer learns the nameservers from DHCP. This means resolv.conf is overwritten on each lease refresh cycle.

To make your local nameserver permanent, you must add a "prepend" line to dhclient.conf. This differs a little on each system, but here is the solution for Debian Etch:
{
echo "prepend domain-name-servers 127.0.0.1;"
cat /etc/dhcp3/dhclient.conf
} > /etc/dhcp3/dhclient.conf.new
mv --backup=t /etc/dhcp3/dhclient.conf.new /etc/dhcp3/dhclient.conf
/etc/init.d/networking restart
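Both the resolv.conf step in the script and the dhclient.conf step here blindly prepend a line, so running them a second time stacks duplicate "nameserver 127.0.0.1" / "prepend domain-name-servers" entries. The following added helper (not from the original page) does the same edit only when the line is not already at the top, keeping a backup copy as the script does; the two calls in the trailing comments are the page's own file paths.

```shell
#!/bin/sh
# Added example, not part of the original page: prepend LINE to FILE only if
# it is not already the first line, so the setup can be re-run safely.
# Usage: prepend_once FILE LINE  -> returns 0 if FILE was changed, 1 if not.
prepend_once() {
  file="$1"; line="$2"
  [ -f "$file" ] || : >"$file"
  [ "$(head -n 1 "$file")" != "$line" ] || return 1
  # Keep a copy of the old file (the script uses GNU mv --backup=t for this),
  # write the new content beside it, then swap it in with a single rename.
  # An identical line further down is dropped so it ends up only at the top.
  cp -p "$file" "$file.bak"
  { printf '%s\n' "$line"; grep -vxF -- "$line" "$file" || true; } >"$file.new"
  mv "$file.new" "$file"
}

# The two uses from the page (dhclient needs the network restart afterwards):
# prepend_once /etc/resolv.conf 'nameserver 127.0.0.1'
# prepend_once /etc/dhcp3/dhclient.conf 'prepend domain-name-servers 127.0.0.1;' \
#   && /etc/init.d/networking restart
```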

-Tino
Updates:
  • 2008-01-23 added dhclient hint
  • 2007-08-15 added "init -q" and hint for "recursion no;"
  • 2007-05-23 fix for resolve problems (/etc/hosts) added
  • 2007-05-02 Some old quirk in the script removed (su - removed)
  • 2006-11-29 errno compile fix from qmail.org added
  • 2003-05-06 su - added
  • 2002-11-13 By making your BIND nonrecursive and using djbdns as DNS cache you can fix the BIND Cache Buffer Overrun, too.