Set up and run your own Cesidian Root DNS server
How-to for Debian 6.0, bind9 and IPv4
Cesidian Root website: http://cesidianroot.net/
Last change: 13.02.2012
Author / contact: Patrick Jansen, Administrator of the Cesidian G-Root DNS Server, cesidian@qnea.de
Page 1/7
First of all, before you set up and run your own server, contact the Cesidian Root administration: http://cesidianroot.net/contact.html
Open a shell as root
    su root -
Update the local package list
    apt-get update
Install the newest versions of all packages
    apt-get upgrade
Install the DNS server (bind9) and its documentation (man named)
    apt-get install bind9 bind9-doc
Stop bind9 after installation
    /etc/init.d/bind9 stop
If you plan to run an IPv4-only (not IPv6) DNS server, open
    nano /etc/default/bind9
and add -4 to the existing OPTIONS line:
    OPTIONS="-u bind -4"
Create a new directory for the Cesidian Root files and give it to the bind user
    mkdir /etc/bind/cesidian-root/
    chown bind:bind /etc/bind/cesidian-root/
Optional: make a backup of the original configuration files
    cp /etc/bind/named.conf.default-zones /etc/bind/named.conf.default-zones_orig
    cp /etc/bind/named.conf.options /etc/bind/named.conf.options_orig
Set the root zone configuration
    nano /etc/bind/named.conf.default-zones
Change the lines
    // prime the server with knowledge of the root servers
    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };
to
    // prime the server with knowledge of the root servers
    //zone "." {
    //    type hint;
    //    file "/etc/bind/db.root";
    //};
and below the above lines add
    // Cesidian Root Server
    zone "." {
        type slave;
        file "/etc/bind/cesidian-root/cesidian-root.zone";
        masters { 178.254.3.55; };
        max-refresh-time 60;
        allow-transfer { any; };
    };
Set the DNS server configuration
    nano /etc/bind/named.conf.options
Replace the whole file content with the following one
    // Limit control channel access ("rndc" command)
    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; };
    };

    options {
        directory "/var/cache/bind";
        zone-statistics yes;
        auth-nxdomain no;
        //dnssec-enable yes;
        //dnssec-validation yes;
        notify yes;
        notify-source * port *;
        notify-source-v6 * port *;
        transfers-in 10;
        transfers-out 10;
        transfers-per-ns 10;
        recursion yes;
        allow-recursion { any; };
        allow-query { any; };
        provide-ixfr yes;
        request-ixfr yes;
        query-source address * port *;
        query-source-v6 address * port *;
        listen-on port 53 { <your external IPv4>; };
        listen-on port 3001 { <your external IPv4>; };
        //listen-on-v6 port 53 { <your external IPv6>; };
        //listen-on-v6 port 3001 { <your external IPv6>; };
        preferred-glue AAAA;
        max-cache-size 0;
        cleaning-interval 60;
        lame-ttl 600;
        max-cache-ttl 604800;
        max-ncache-ttl 300;
        edns-udp-size 4096;
        max-udp-size 4096;
        transfer-source *;
        use-alt-transfer-source yes;
        version "Cesidian Root Server";
    };
Replace <your external IPv4> with the external IPv4 address of your DNS server.
If you're running an IPv4 and IPv6 DNS server, remove the // before
    //listen-on-v6 port 53 { <your external IPv6>; };
    //listen-on-v6 port 3001 { <your external IPv6>; };
and replace <your external IPv6> with the external IPv6 address of your DNS server.
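The options block above turns recursion on and allows it from any client (recursion yes; allow-recursion { any; };), so the server answers recursive queries for everyone on its external address, i.e. it is an open resolver; limiting allow-recursion to the networks of your own clients avoids that. The checker below is an added example, not part of this how-to: it parses a named.conf.options fragment, reports the listen-on addresses and the effective recursion ACL (including BIND's fallback to allow-query-cache and allow-query when allow-recursion is absent) and flags the open case; the sample is constructed from the block above with 192.0.2.10 standing in for <your external IPv4>.

```python
import re
# Constructed sample trimmed from the how-to's options block; 192.0.2.10 stands in for <your external IPv4>.
SAMPLE_OPTIONS = """
options {
    recursion yes;
    allow-recursion { any; };
    allow-query { any; };
    listen-on port 53 { 192.0.2.10; };
    listen-on port 3001 { 192.0.2.10; };
    //listen-on-v6 port 53 { <your external IPv6>; };
};
"""
def strip_comments(text):
    """Drop /* */ and // comments so commented-out directives are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"//[^\n]*", "", text)

def options_body(text):
    """Return the text inside the braces of the options { ... } block."""
    start, depth = re.search(r"(?<![-\w])options\s*\{", text).end() - 1, 0
    for i in range(start, len(text)):
        depth += (text[i] == "{") - (text[i] == "}")
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces in options block")

def split_acl(inner):
    # 'a; b;' from inside an address-match list -> ['a', 'b']
    return [a.strip() for a in inner.split(";") if a.strip()]

def parse_options(text):
    """Return recursion flag, effective recursion ACL and listen-on addresses."""
    body = options_body(strip_comments(text))
    rec = re.search(r"(?<![-\w])recursion\s+(yes|no)\s*;", body)
    # BIND 9.4+ falls back along this chain when allow-recursion is not set.
    acl = ["localhost", "localnets"]
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        m = re.search(name + r"\s*\{([^}]*)\}", body)
        if m: acl = split_acl(m.group(1)); break
    listeners = {}
    for m in re.finditer(r"listen-on(?:-v6)?\s+port\s+(\d+)\s*\{([^}]*)\}", body):
        listeners.setdefault(int(m.group(1)), []).extend(split_acl(m.group(2)))
    return {"recursion": rec.group(1) == "yes" if rec else True,  # default yes
            "allow_recursion": acl, "listeners": listeners}

def is_open_resolver(info):
    """True when recursion is on and the effective ACL admits every client."""
    return info["recursion"] and any(
        a in ("any", "0.0.0.0/0", "::/0") for a in info["allow_recursion"])
```

Run it against the real file with parse_options(open("/etc/bind/named.conf.options").read()) after your edits; a listen-on entry that is still commented out is correctly left out of the report.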
The Cesidian Root administration will send you two additional files: cw.conf and rapid.conf.
Copy both to /etc/bind/ and set their rights and owner with
    chmod 644 /etc/bind/cw.conf /etc/bind/rapid.conf
    chown root:root /etc/bind/cw.conf /etc/bind/rapid.conf
Enable them by opening
    nano /etc/bind/named.conf.local
and adding the following lines to the end of the file
    // Cesidian Root
    include "/etc/bind/cw.conf";
    include "/etc/bind/rapid.conf";
Start bind9
Note: before starting bind9 you have to open port 53 TCP & UDP and port 3001 TCP & UDP in your firewall, but this is out of the scope of this how-to.
    /etc/init.d/bind9 start
After some seconds there should be a file /etc/bind/cesidian-root/cesidian-root.zone
    -rw-r--r-- 1 bind bind 101K Feb  4 11:57 /etc/bind/cesidian-root/cesidian-root.zone
The command
    netstat -ln
should show something like this (reformatted output)
    tcp   <your external IPv4>:53
    tcp   127.0.0.1:53              when using listen-on port 53 { 127.0.0.1; <your external IPv4>; };
    tcp   127.0.0.1:953             control channel, see /etc/bind/named.conf.options
    tcp   <your external IPv4>:3001
    udp   <your external IPv4>:53
    udp   127.0.0.1:53              when using listen-on port 53 { 127.0.0.1; <your external IPv4>; };
    udp   <your external IPv4>:3001
To determine bind's status type
    rndc status
To write server statistics to a file and read it, type
    rndc stats
    less /var/cache/bind/named.stats
To test your own DNS server, follow the instructions for changing the TCP/IP configuration of your computer on http://cesidianroot.net/crt/ and set the preferred DNS server of your computer to the external IP of your DNS server.
Applications running on the Linux system can also use the local bind9 as DNS server. To allow that, replace the line
    listen-on port 53 { <your external IPv4>; };
in /etc/bind/named.conf.options with
    listen-on port 53 { 127.0.0.1; <your external IPv4>; };
In this case the content of /etc/resolv.conf also has to be changed to
    nameserver 127.0.0.1
The command
    ping -c 1 zonefile.cesidian.root
should now return an IP (currently 84.200.212.28).
In any case, always write-protect /etc/resolv.conf with
    chattr +i /etc/resolv.conf
otherwise the system can change it back to the default during reboot.
If you're using Monit to monitor daemons you can use a configuration like this
    check process named with pidfile /var/run/named/named.pid
        start program "/etc/init.d/bind9 start" with timeout 15 seconds
        stop program "/etc/init.d/bind9 stop"
        if failed host <your external IPv4> port 3001 type tcp protocol dns with timeout 5 seconds then restart
        if failed host <your external IPv4> port 53 type udp protocol dns with timeout 5 seconds then restart
        if totalcpu > 90% for 3 cycles then restart
        if totalmemory > 150 MB for 3 cycles then restart
        if 5 restarts within 5 cycles then timeout
Replace <your external IPv4> with the external IPv4 address of your DNS server.