tinydns
Purpose
tinydns is an authoritative DNS content server answering iterative requests. Recursive queries are rejected. It supports UDP queries over IPv4 and IPv6, though without the EDNS0 extension. DNS queries and responses may be encrypted in the DNSCurve format, either in the 'streamlined' or in the 'txt' format. tinydns does not, however, support DNSSEC. tinydns can bind simultaneously to IPv4 and IPv6 network addresses and supports 'reverse IPv6-anycasting'. Unlike other authoritative DNS servers, tinydns does not cache its bailiwick zone records.
Programs
System Setup
It is preferable to install D.J. Bernstein's daemontools or Bruce Guenter's daemontools-encore. A further alternative is Gerrit Pape's runit, though in principle systemd and any of its derivatives, or the s6 toolbox, will do to manage Unix services.
With either of the first two, tinydns-conf can be used to set up tinydns.
tinydns runs chrooted under a dedicated user, typically tinydns, with its service directory usually located at /etc/tinydns.
The run script for tinydns looks like:
Here, envdir is used to source tinydns's ./env directory and populate the required environment variables, while softlimit may be used to restrict the heap memory (used for TCP only). Prior to calling tinydns, some random seed needs to be made available.
tinydns logs to STDOUT, which should be managed by multilog running under a dedicated system user with log rotation.
A run script for multilog can be very generic:
It should be noted that tinydns writes condensed log lines without a timestamp, appending them to the current log file. It is therefore advisable to restrict the log file size.
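The following is an added example of how the two run scripts described above are commonly put together under daemontools; it is neither the page's own listing nor the output of tinydns-conf. The binary path /usr/local/bin/tinydns, the service users tinydns and dnslog, the softlimit value and feeding the random seed from /dev/urandom on stdin are assumptions.

```shell
#!/bin/sh
# Added example, not the page's own listing and not tinydns-conf output:
# writes a daemontools-style run script pair into a tinydns service directory.
# Assumptions: daemontools utilities (envuidgid, envdir, softlimit, setuidgid,
# multilog) in PATH, the binary at /usr/local/bin/tinydns, service users named
# "tinydns" and "dnslog", and a random seed fed to tinydns on stdin from
# /dev/urandom.

write_run_scripts() {
  svc=$1                # service directory, e.g. /etc/tinydns
  heap=${2:-300000}     # softlimit -d: data segment limit in bytes (TCP use)
  logsize=${3:-1000000} # multilog s: rotate once the current file reaches this size
  logcount=${4:-20}     # multilog n: keep at most this many rotated files
  mkdir -p "$svc/log" || return 1

  # run: stderr joins stdout so multilog captures both; envdir exports ./env;
  # envuidgid looks up the service account and exports UID/GID, which tinydns
  # uses to drop privileges after binding its sockets.
  cat >"$svc/run" <<EOF
#!/bin/sh
exec 2>&1
exec </dev/urandom
exec envuidgid tinydns envdir ./env softlimit -d$heap /usr/local/bin/tinydns
EOF

  # log/run: multilog adds the timestamp tinydns omits (t) and caps the
  # size of the current file (s) and the number of rotated files (n).
  cat >"$svc/log/run" <<EOF
#!/bin/sh
exec setuidgid dnslog multilog t s$logsize n$logcount ./main
EOF
  chmod 755 "$svc/run" "$svc/log/run"
}
```

Run it once as root against the service directory (for example `write_run_scripts /etc/tinydns`) before symlinking the directory into the supervise scan directory; the `s` and `n` arguments are the place to enforce the log size limit recommended above.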
Service Configuration
tinydns can run in two different security modes:
- DNSCurve enabled: If a DNSCurve key pair has been generated with curvedns-keygen and the resulting public-key name has been used as the delegated name server at the upstream servers, a DNSCurve-capable iterative resolver can encrypt the DNS messages.
- Plain DNS: Without this setting, DNS queries and responses are transmitted unencrypted over UDP.
The main tinydns configuration is provided in the directory ./env, where in particular the following files are defined:
- IP: The IP addresses tinydns listens on and sends responses from.
- ROOT: The path to the 'root' directory (which could be on a RAM disk).
- uz5...: The DNSCurve public key, given as the file name, with the (hexadecimal) public key as content.
- CURVEDNS_PRIVATE_KEY: Contains the DNSCurve private key.
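As an added example, not part of tinydns, the following pre-start check validates an ./env directory laid out as above before the service is (re)started. The file names follow the text; the assumptions are that IP holds one address per line, that data.cdb lives directly below the directory named in ROOT, and that the DNSCurve private key must not be readable by group or others.

```shell
#!/bin/sh
# Added example, not part of tinydns: a pre-start check of the ./env directory.
# File names follow the text (IP, ROOT, uz5..., CURVEDNS_PRIVATE_KEY).
# Assumptions: IP holds one address per line, data.cdb lives directly below
# ROOT, and the private key must not be readable by group or others.

check_env_dir() {
  dir=$1
  rc=0

  # IP: at least one address, made of IPv4/IPv6 literal characters only
  if [ ! -s "$dir/IP" ]; then
    printf 'IP: missing or empty\n'; rc=1
  else
    while IFS= read -r addr || [ -n "$addr" ]; do
      [ -n "$addr" ] || continue
      case $addr in
        *[!0-9a-fA-F.:]*) printf 'IP: bad address %s\n' "$addr"; rc=1 ;;
      esac
    done <"$dir/IP"
  fi

  # ROOT: the chroot directory must already hold the compiled data.cdb
  if [ ! -s "$dir/ROOT" ]; then
    printf 'ROOT: missing or empty\n'; rc=1
  else
    root=$(cat "$dir/ROOT")
    [ -f "$root/data.cdb" ] || { printf 'ROOT: %s/data.cdb not found\n' "$root"; rc=1; }
  fi

  # DNSCurve: a uz5... public key file implies a private key that only the
  # owner may read; columns 5-10 of ls -ld are the group and other permission bits
  for pub in "$dir"/uz5*; do
    [ -e "$pub" ] || continue
    if [ ! -s "$dir/CURVEDNS_PRIVATE_KEY" ]; then
      printf 'CURVEDNS_PRIVATE_KEY: missing although %s exists\n' "${pub##*/}"; rc=1
    else
      case $(ls -ld "$dir/CURVEDNS_PRIVATE_KEY") in
        ????------*) ;;
        *) printf 'CURVEDNS_PRIVATE_KEY: readable by group or others\n'; rc=1 ;;
      esac
    fi
  done
  return $rc
}
```

Calling `check_env_dir /etc/tinydns/env` returns 0 when all checks pass and 1 otherwise, so it can be placed in front of `svc -u` in a deployment script.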
Content Configuration
tinydns stores your zone data in the ASCII file ./root/data, which is transformed into the binary file data.cdb. For this purpose a Makefile is provided in this directory, to be invoked with the standard Unix command make; make calls tinydns-data to generate data.cdb from data in the format tinydns expects.
First Step: Adding DNS Resource Records
Apart from populating the data file with an editor, the following scripts can be used to append entries with default settings automatically; they call tinydns-edit with the appropriate arguments:
- add-ns: Required to include your own name server.
- add-host: Setting a hostname with an IPv4 address.
- add-host6: Setting a hostname with an IPv6 address.
- add-alias: Setting an alias with an IPv4 address.
- add-alias6: Setting an alias with an IPv6 address.
- add-mx: Setting up Mail Exchanger (MX) records.
- add-childns: Providing a delegation to a child name server.
These scripts are generated by tinydns-conf. All other DNS records need to be added manually with an editor, defining them in data as explained in tinydns-data. The tinydns-data format is well suited for automated updates.
X.509 fingerprints and RSA public keys can be extracted easily using the scripts add-tlsa.sh and pubkey.sh, available in the installation's script directory.
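The record types not covered by the add-* scripts go into data as generic records. As an added example, not the project's add-tlsa.sh, the functions below encode a TLSA record (RR type 52) as a tinydns-data generic record line of the form `:fqdn:type:rdata:ttl`, where non-printable rdata bytes are written as `\ooo` octal escapes; the fingerprint used in the usage call is constructed.

```shell
#!/bin/sh
# Added example: encode a TLSA record (RR type 52) as a tinydns-data generic
# record line  :fqdn:type:rdata:ttl  with rdata bytes as \ooo octal escapes.
# Not the project's add-tlsa.sh; the fingerprint in the usage call is constructed.

# hex_to_octal HEX: print each byte of an even-length hex string as \ooo.
# Octal escapes also keep ':' (\072) from being read as a field separator.
hex_to_octal() {
  hex=$1
  case $hex in
    '' | *[!0-9a-fA-F]*) return 1 ;;   # reject empty or non-hex input
  esac
  [ $(( ${#hex} % 2 )) -eq 0 ] || return 1   # whole bytes only
  out=''
  while [ -n "$hex" ]; do
    pair=${hex%"${hex#??}"}              # first two hex digits
    hex=${hex#??}                        # drop them
    out=$out$(printf '\\%03o' "0x$pair")
  done
  printf '%s' "$out"
}

# tlsa_line HOST PORT USAGE SELECTOR MTYPE HEX [TTL]
# USAGE/SELECTOR/MTYPE are the three one-byte TLSA header fields (RFC 6698);
# HEX is the certificate association data, e.g. a SHA-256 fingerprint.
tlsa_line() {
  host=$1 port=$2 usage=$3 selector=$4 mtype=$5 data=$6 ttl=${7:-3600}
  hdr=$(printf '%02x%02x%02x' "$usage" "$selector" "$mtype")
  rdata=$(hex_to_octal "$hdr$data") || return 1
  printf ':_%s._tcp.%s:52:%s:%s\n' "$port" "$host" "$rdata" "$ttl"
}

# Usage: DANE-EE (3), SPKI (1), SHA-256 (1) with a constructed 2-byte digest
tlsa_line example.com 443 3 1 1 abcd
```

The emitted line can be appended to data and compiled with make as in the next step; a real deployment passes the full 32-byte SHA-256 digest of the certificate or public key in place of the constructed `abcd`.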
Second Step: Compiling DNS Resource Records
Using make, the content of the file data is now compiled into data.cdb (or the existing data.cdb is updated). tinydns picks up the new or changed content and serves the given information in answer to iterative queries.
Third Step: Checking DNS Answers
Since tinydns, given its resource records, can work in a 'split horizon' manner, it might be necessary to check the DNS responses per client IP address. tinydns-get simulates a DNS lookup while allowing you to define the source IP address of the query. Other client tools like dnsq might provide misleading answers since they are invoked from your local IP environment.