
Spent a wonderful 6 hours setting up djbdns (tinydns + dnscache) as a secondary name server. I managed to hack together a working solution, but am confused as to why it did not work out of the box.

Both primary & secondary name servers live behind a Cisco ASA, external IPs get NAT'd to appropriate internal subnets, in this case DMZ for the name servers.

Primary NS is run by a Plesk-type CP, so djbdns configuration is all GUI, and runs fine. Now, until I discovered the extortion that is secondary name server hosting, I was considering offloading this task to a 3rd party. No thanks, trop cher for this frere. Anyway, roll-your-own time: have a file server sitting in a colo rack not doing much of anything, let's put it to work.

Following this tutorial:

http://www.howtoforge.com/clean-djbdns-dns-server-on-centos-dnscache-and-tinydns-a-to-z

I got everything installed just fine; however, nothing worked, or at least only digs against localhost worked. I needed `dig @dmz-ip foo.com` to resolve.

Not knowing any better, I hacked the dnscache & tinydns env/IP files, reversing them, so tinydns listens on dmz and dnscache on localhost. Restarted both services and voila, was able to dig from remote laptop to secondary name server IP and resolve the domains that we host, wonderful.

So, I thought, well I should do this properly, and blew away everything, reinstalled, and set tinydns to listen on dmz and dnscache on localhost (as I had done in manually hacking env/IP files). Tried `dig @localhost foo.com`, nada; same deal with `dig @dmz-ip foo.com`. WTF? Yes, wtf. In Noob mode, I tried tinydns on localhost, both on dmz, etc., nothing worked.

In the end I installed dnscache on the dmz, tinydns on localhost, and then env/IP reversed them (dnscache on localhost & tinydns on dmz). It's the only way I've found to get them working, and am completely at a loss as to why I could not just install without having to hack env/IP files.

djbdns users, feel free to chime in, am glad I finally have a working setup, but that was a hellacious evening, would like a clean setup if at all possible...

virtualeyes

2 Answers


Before starting to do something strange and hacked you should know what you are trying to achieve. This means understanding the meaning and the concept of a secondary name server, which is not a caching or forwarding DNS server. Also, having both DNS servers sitting in one network (behind NAT) makes the concept absurd.

First thing would be to read RFC 1034, RFC 1995, RFC 1996 and probably this draft. Then you can rethink your setup and probably come to the conclusion that the best software for doing this job would be BIND.

mailq
  • +1 for the spanking, deserved, but not "the" answer since: 1) budget hosting setup, so cheapest solution is indeed to set up both name servers on the same network (/27 split into 3 subnets in our case); 2) BIND is not an option since the CP we use runs djbdns, so the most direct solution is setting up a secondary djbdns name server whose data.cdb file is rsync'd over primary name server. – virtualeyes Oct 22 '11 at 15:03
  • should be, "is rsync'd over (from) primary name server" – virtualeyes Oct 22 '11 at 15:21
  • Sorry, I can't downvote the comment. You asked for the "proper" way and I offered the correct way. And that you can't do it from the command line is just a technical issue but not the conceptual problem you have in the first place. – mailq Oct 22 '11 at 16:55
  • I have done it, and via terminal to boot (see my answer). Your way may be the correct way (although DJB would surely disagree), but the solution in place now is more than sufficient for my needs: automated, and tied into existing CP that runs primary NS. With limited resources, geographically separate name servers are not realistic, nor is strict adherence to the RFCs you provided. – virtualeyes Oct 23 '11 at 09:32

Would have been nice to have found this thread (by DJB himself) in my Google searches last night:

http://cr.yp.to/djbdns/run-server.html

Took about 10 minutes to set up, grab data.cdb from production name server, and off to the races, double barrel name servers. 6 hours vs. 10 minutes, time lost, but I guess I learned a few things along the way.

@mailq brought up excellent points, but for quick & dirty budget hosting, 3rd party secondary name server, BIND, etc., not happening in this scenario. I have a working setup, non-hacked as per above link, that dovetails nicely with CP-driven primary name server, and works behind the ASA, cool stuff (when it works that is ;-))

virtualeyes
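The setup the accepted approach boils down to (tinydns on the DMZ IP serving a data.cdb copied from the primary, dnscache kept off that IP), written out as an added example script that is not from the thread or from djbdns itself. The host name, paths and DMZ IP are assumed placeholders; the two dig checks verify the property mailq's answer insists on: the secondary answers authoritatively for hosted zones and does not offer recursion on its public address.

```shell
#!/bin/sh
# Added example, not part of the original thread or of djbdns.
# Assumed placeholders: primary host, data.cdb paths, DMZ listen IP.
set -eu

PRIMARY="${PRIMARY:-primary.example.invalid}"     # assumed primary NS host
CDB_SRC="${CDB_SRC:-/etc/tinydns/root/data.cdb}"  # assumed path on primary
CDB_DST="${CDB_DST:-/etc/tinydns/root/data.cdb}"  # assumed path on secondary
DMZ_IP="${DMZ_IP:-192.0.2.53}"                    # assumed tinydns env/IP value

# Install a fetched data.cdb atomically. tinydns opens data.cdb on every
# query, so replacing it by rename (never by writing in place) means it only
# ever sees a complete old or a complete new file. An empty file is refused.
install_cdb() {
  tmp="$1"; dst="$2"
  [ -s "$tmp" ] || { echo "refusing to install empty data.cdb" >&2; return 1; }
  mv -f "$tmp" "$dst"
}

# Pull data.cdb from the primary over SSH into a temp file on the same
# filesystem as the destination, so the mv above is a rename.
sync_cdb() {
  tmp="$(dirname "$CDB_DST")/.data.cdb.$$"
  rsync -q -e ssh "root@$PRIMARY:$CDB_SRC" "$tmp"
  install_cdb "$tmp" "$CDB_DST"
}

# A secondary must answer hosted zones with the aa (authoritative) flag.
is_authoritative() {
  dig +norecurse +time=3 +tries=1 "@$1" "$2" SOA | grep -q 'flags:.* aa'
}

# ...and must not set ra on the DMZ address: ra there means a cache
# (dnscache) is reachable on the public IP, i.e. an open resolver.
offers_recursion() {
  dig +time=3 +tries=1 "@$1" . NS | grep -q 'flags:.* ra'
}

main() {
  sync_cdb
  for z in "$@"; do
    is_authoritative "$DMZ_IP" "$z" || echo "WARN: $DMZ_IP not authoritative for $z"
  done
  if offers_recursion "$DMZ_IP"; then echo "WARN: $DMZ_IP offers recursion"; fi
}

# Only act when zones are given: ./sync-secondary.sh foo.com bar.com
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it from cron on the secondary; the warnings are the conditions worth alerting on after each sync.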