Djbdns is a true replacement for BIND, with none of the latter's security baggage. In fact, the developer of djbdns, Dan Bernstein, offers a $500 reward for the first person who can legitimately compromise the product. Because djbdns was written with security in mind, he feels that his money is safe. In addition to the focus on security, the product runs inside a chroot jail as a nonroot user. A chroot jail locks users into a specific directory structure without any access to files not explicitly allowed by the administrator. Djbdns consists of a number of programs (listed in Table A) working in concert to provide DNS services. We'll discuss some of these programs and utilities later in this article during a sample installation and configuration.
| Service | Description |
| Dnscache | Dnscache is a local DNS cache that accepts recursive DNS queries from local clients and collects responses from other DNS servers. |
| TinyDNS | TinyDNS is responsible for making DNS information available to the Internet. TinyDNS handles load balancing and client differentiation, or directing clients to specific servers. |
| Walldns | Walldns hides local host information from requested reverse and forward records. |
| Rbldns | Rbldns is an IP address-listing DNS service. It can be used to publish a list of IP addresses that provide a specific service. |
| Dnsfilter | Dnsfilter is an IP-address-to-hostname conversion utility. |
| dnsip, dnsipq, dnsname, dnstxt, dnsmx | These are command line tools used to manage the DNS services. |
| dnsq, dnsqr, dnstrace | These are DNS debugging utilities. |
Utilities included in djbdns
How does djbdns stack up against BIND?BIND has been around a long time, and it's provided millions of users with the DNS services upon which the Internet runs. However, it has also been the subject of many major security bulletins and is a favored target among hackers. In many ways, djbdns is an easier solution to administer than BIND, especially when you want to implement a highly secure installation. For example, by default, djbdns runs as a nonroot user in a jailed environment. To implement this under BIND, you must follow a number of additional steps. In addition, the configuration files necessary for making djbdns work are much simpler than those for BIND. BIND follows the Internet Engineering Task Force standards more closely than the djbdns package does. For example, BIND supports the DNSSEC standard, while djbdns uses a more proprietary mechanism to protect the integrity of DNS data. Meeting the requirements
Before you can install the DNS components of djbdns, you need to first install a couple of other packages (by same author), which the DNS server relies on to operate. The first one is daemontools and the second is ucspi-tcp. The daemontools package consists of a number of tools used to manage UNIX services. For example, setuidgid runs another program under a specified account's user ID and group ID. The ucspi-tcp package includes command line tools for building TCP client-server applications. Installing the prerequisites
You can download daemontools from the daemontools installation page, and you can download ucspi-tcp here. I downloaded both of these packages as well as the djbdns package into my home directory at /home/slowe. If you are following along at home, be sure to change the directory reference to match your installation. To install daemontools, follow these instructions:
- Create a directory named /package at the root level of your Linux server by issuing the command mkdir /package at a prompt.
- Change the permissions for security by typing chmod 1755 /package.
- Change to the package directory by typing cd /package.
- Expand the daemontools distribution by typing gunzip -c /home/slowe/daemontools-0.76.tar | tar xpfv -.
- Change to the distribution directory by typing cd /package/admin/daemontools-0.76.
- Compile and install the utilities by typing package/install and pressing [Enter]. You will see a bunch of compilation information scroll down the screen.
- Change to the directory in which you downloaded ucspi-tcp. For me, the command is cd /home/slowe since the package is in my home directory.
- Expand the distribution with gunzip -dc ucspi-tcp-0.88.tar.gz | tar xvf -.
- Change to the expanded directory with cd ucspi-tcp-0.88.
- Compile the source code by typing make.
- Install the software by typing make setup check.
Installing djbdns is easy, and the process is the same as for the ucspi-tcp package. I saved the distribution downloaded from the djbdns Web site to my home directory. I then executed the following commands:
- gunzip -dc djbdns-1.05.tar.gz | tar xvf --
- cd djbdns-1.05
- make
- make setup check
