1. Open port 53
Open UDP and TCP port 53 for incoming requests. To do that, update the iptables start script (masq) so that it allows incoming packets to port 53:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
Create a file there called 45AllowPUBDNS. Like every e-smith template fragment it is Perl inside braces; each rule is appended to $OUT so that the TCP rule does not replace the UDP one:
# begin file
{
    my $status = $tinydnsext{status} || 'disabled';
    $OUT .= allow_udp_in(53, ($status eq 'enabled'));
    $OUT .= allow_tcp_in(53, ($status eq 'enabled'));
}
# end file
Then expand the template and restart masq to apply the new rule:
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/rc.d/init.d/masq restart
You should see:
Shutting down IP masquerade and firewall rules : Done !
Enabling IP masquerading : done
If you see a bunch of errors, check that everything in 45AllowPUBDNS is exactly as shown here.
2. Create two user accounts for the public DNS to use
This is directly from the tinydns configuration pages. Create two users. I named mine 'tinydnsext' and 'logdnsext'. You need one to run the service and one to run the logs, as I understand it. Create these users using the e-smith server-manager user panel.
Or:
groupadd -g 710 tinydnsext
useradd -u 710 -d /var/service/tinydnsext -c "DNS external user" -g 710 -s /bin/false tinydnsext
rm -fr /var/service/tinydnsext
groupadd -g 711 logdnsext
useradd -u 711 -d /var/service/logdnsext -c "DNS external user" -g 711 -s /bin/false logdnsext
rm -fr /var/service/logdnsext
Leave the accounts locked (don't reset the password; we don't need them).
3. Create a new tinydns service called something like tinydnsext (so you know it's external DNS)
This will create a whole new tinydns service called tinydnsext in the /var/service dir. I put it there because that is where the e-smith internal tinydns is. The IP at the end here can be anything but 127.0.0.1; it is just a placeholder until we get the templates set up to change it. It is the listening IP for the new DNS service.
If you know your external IP, you can put it in there.
tinydns-conf tinydnsext logdnsext /var/service/tinydnsext 1.2.3.4
Now you need to enable the tinydnsext service. Do:
config set tinydnsext service status enabled
/sbin/e-smith/expand-template /var/service/tinydnsext/env/IP
/sbin/e-smith/expand-template /var/service/tinydnsext/root/data
/etc/rc.d/init.d/tinydnsext restart
If you ever want to shut off the external DNS, simply run:
/sbin/e-smith/db configuration tinydnsext setprop status disabled
/sbin/e-smith/expand-template /var/service/tinydnsext/env/IP
/etc/rc.d/init.d/tinydnsext restart
or you can just stop the tinydnsext service, but it will start again upon reboot.
Now you need to make all the template files for tinydnsext.
Create the directory /etc/e-smith/templates-custom/var/service/tinydnsext
Copy all the files from /etc/e-smith/templates/var/service/tinydns to the custom directory above.
cd /etc/e-smith/templates-custom/var/service/tinydnsext/env
pico IP
You should see this:
{
    my $ip = $tinydns{'ListenIP'} || "127.0.0.1";
    "$ip";
}
Change it to look like this:
{
    my $ip = $ExternalIP;
    "$ip";
}
and save your changes. Then:
cd ../root/data
Delete the file 70genericHostARecords; we don't need it. Delete the entire 'sub get_generic_hostentries' function from 00functions.
In 30NameServers and 50DomainARecords, replace every occurrence of '$LocalIP' with '$ExternalIP', '$LocalNetmask' with '$ExternalNetmask', and '127.0.0.1' with '$ExternalIP'.
Expand the templates:
/sbin/e-smith/expand-template /var/service/tinydnsext/env/IP
/sbin/e-smith/expand-template /var/service/tinydnsext/root/data
Compile the data into tinydns format; make sure you cd to the proper directory:
cd /var/service/tinydnsext/root; make
Restart the service; you need one more symbolic link for this:
ln -s daemontools /etc/rc.d/init.d/tinydnsext
/etc/rc.d/init.d/tinydnsext restart
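Because the external templates started as copies of the internal ones, it is worth checking the compiled data for records that still carry an internal address before serving it. The following Python check is an added example, not code from this page or from e-smith: it parses the tinydns data format, skips the localhost entries the .fr section of this page adds on purpose, and runs on a constructed sample with placeholder addresses.

```python
import ipaddress

# tinydns data record types whose second field is an IP address
# (format reference: http://cr.yp.to/djbdns/tinydns-data.html).
IP_TYPES = {"=", "+", ".", "&", "@"}
# Names this page deliberately points at 127.0.0.1 for the .fr registrar.
EXPECTED_LOCAL = {"localhost", "1.0.0.127.in-addr.arpa"}


def parse_data(text):
    """Yield (type, fields) for each record; blank and '#' lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        yield line[0], line[1:].split(":")


def find_internal_leaks(text):
    """Return (name, ip) pairs whose address must not appear in public data."""
    leaks = []
    for rtype, fields in parse_data(text):
        if rtype not in IP_TYPES or len(fields) < 2 or not fields[1]:
            continue  # no IP in this record (e.g. '.localhost' without glue)
        name, ip = fields[0], fields[1]
        if name in EXPECTED_LOCAL:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            leaks.append((name, ip))  # not an address at all: report it
            continue
        if addr.is_loopback or addr.is_private or addr.is_unspecified:
            leaks.append((name, ip))
    return leaks


# Constructed sample: an external data file in which 50DomainARecords
# still carried $LocalIP for one host. Addresses are placeholders.
SAMPLE_DATA = """\
.example.com:1.2.3.4:a:86400
&:198.41.0.4:a.root-servers.net
.localhost
=localhost:127.0.0.1
=example.com:1.2.3.4:86400
=www.example.com:192.168.1.10:86400
@example.com:1.2.3.4:mail.example.com:10:86400
"""

if __name__ == "__main__":
    for name, ip in find_internal_leaks(SAMPLE_DATA):
        print(f"internal address in public data: {name} -> {ip}")
```

Run it against /var/service/tinydnsext/root/data after expanding the templates; an empty result means every record with an address points outside the loopback and RFC 1918 ranges.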
Create a file /etc/e-smith/events/actions/update-dnsext:
# begin file
#!/usr/bin/perl -w
#----------------------------------------------------------------------
# copyright (C) 2002 Mitel Networks Corporation
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Technical support for this program is available from Mitel Networks
# Please visit our web site www.mitel.com/sme/ for details.
#----------------------------------------------------------------------

package esmith;

use strict;
use Errno;
use esmith::templates;

#------------------------------------------------------------
# Configure djbdns's tinydns DNS server
#------------------------------------------------------------

# Set the ListenIP to the external IP
esmith::templates::processTemplate(
    {
        TEMPLATE_PATH => "/var/service/tinydnsext/env/IP",
        PERMS         => 0644,
    }
);

# Apply the new external IP to the data file for the external zones
esmith::templates::processTemplate(
    {
        TEMPLATE_PATH => "/var/service/tinydnsext/root/data",
    }
);

chdir "/var/service/tinydnsext/root"
    or warn "Failed to change working directory";

# Recompile the data file into data.cdb
system("/usr/local/bin/tinydns-data") == 0
    or warn("Failed to update tinydns external zone data.\n");

exit(0);
# end file
This will automatically update the external DNS listen IP and all the records to point to the right IP whenever a new domain is added or the external IP changes. Create three symbolic links to this file:
ln -s /etc/e-smith/events/actions/update-dnsext /etc/e-smith/events/ip-change/S86update-dnsext
ln -s /etc/e-smith/events/actions/update-dnsext /etc/e-smith/events/domain-create/S51update-dnsext
ln -s /etc/e-smith/events/actions/update-dnsext /etc/e-smith/events/domain-delete/S51update-dnsext
The last one refreshes the domain listings, omitting the domain you just removed.
These all apply to the server-manager processes. You must set tinydnsext up as a service by issuing the command:
ln -s /var/service/tinydnsext /service/tinydnsext
This will keep it running no matter what.
Receive delegation
For more information, see http://cr.yp.to/djbdns/tcp.html.
Allow zone transfers from the primary server to a secondary name server. First create a user:
groupadd -g 412 axfrdnsext
useradd -u 412 -d /var/service/axfrdnsext -c "DNS Zone transfer user" -g 412 -s /bin/false axfrdnsext
rm -fr /var/service/axfrdnsext
Create the service directory (public IP address = 1.2.3.4):
axfrdns-conf axfrdnsext logdnsext /var/service/axfrdnsext /var/service/tinydnsext 1.2.3.4
To let a secondary transfer zones, add a tcprules line for its address to /var/service/axfrdnsext/tcp. axfrdns reads the AXFR variable as follows: with AXFR unset a client may transfer every zone, with AXFR set it may transfer only the zones listed (separated by slashes), so an empty AXFR permits TCP queries but refuses every transfer. The line below is the default entry (no address before the colon), so it gives every client TCP query service, which APNIC requires (see below), while allowing no zone transfers. To let your secondary transfer all zones, add SECONDARY_IP:allow instead, or name the zones it may transfer with SECONDARY_IP:allow,AXFR="example.com" (SECONDARY_IP is a placeholder for its address):
echo ':allow,AXFR=""' >> /var/service/axfrdnsext/tcp
As root, compile /var/service/axfrdnsext/tcp into a hashed database:
cd /var/service/axfrdnsext/
make
As root, tell svscan about the new service, and use svstat to check that the service is up:
ln -s /var/service/axfrdnsext /service
sleep 5
svstat /service/axfrdnsext
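An audit of the axfrdns tcp rules, as an added Python example that is not part of this page or of djbdns: it parses tcprules lines and reports which clients may transfer which zones, applying the axfrdns reading of AXFR (absent: every zone; set: only the listed zones; empty: TCP queries only) and treating the empty address as the default entry that matches every client not listed elsewhere. The 1.2.3.5 secondary address in the samples is a constructed placeholder.

```python
import re

# One tcprules line: <address>:<allow|deny>[,VAR="value",...]
RULE_RE = re.compile(r'^([^:]*):(allow|deny)(?:,(.*))?$')
VAR_RE = re.compile(r'([A-Z_][A-Z0-9_]*)="([^"]*)"')


def parse_rules(text):
    """Return (address, verdict, env) for each non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable tcprules line: {line!r}")
        addr, verdict, assignments = m.groups()
        rules.append((addr, verdict, dict(VAR_RE.findall(assignments or ""))))
    return rules


def transfer_grants(text):
    """(address, zones) for every allow rule that permits zone transfers.
    zones None means every zone (no AXFR in the rule); AXFR="" permits
    TCP queries only, so such rules are not reported. address '' is the
    tcprules default entry, matching every client not listed elsewhere.
    """
    grants = []
    for addr, verdict, env in parse_rules(text):
        if verdict != "allow":
            continue
        if "AXFR" not in env:
            grants.append((addr, None))
        elif env["AXFR"]:
            grants.append((addr, env["AXFR"].split("/")))
    return grants


def default_entry_allows_transfers(text):
    """True when the ':' default entry lets any unlisted client transfer zones."""
    return any(addr == "" for addr, _zones in transfer_grants(text))


# Constructed samples; 1.2.3.5 is a placeholder for the secondary's address.
PAGE_TCP = ':allow,AXFR=""\n'                       # TCP queries for all, no AXFR
SECONDARY_TCP = '1.2.3.5:allow,AXFR="example.com"\n:allow,AXFR=""\n'
WIDE_OPEN_TCP = ':allow\n'                          # any client, every zone

if __name__ == "__main__":
    for label, text in (("page", PAGE_TCP), ("secondary", SECONDARY_TCP),
                        ("wide open", WIDE_OPEN_TCP)):
        print(label, transfer_grants(text), default_entry_allows_transfers(text))
```

Point it at /var/service/axfrdnsext/tcp (the source file, not the compiled tcp.cdb) before running make; a grant on the default entry means any host on the Internet can pull your zones.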
How to receive a delegation from .fr
I would like to expand this page, giving step-by-step delegation instructions.
Contributions are welcome. Before contacting the registrar, you will have to add:
&:198.41.0.4:a.root-servers.net
&:128.9.0.107:b.root-servers.net
&:192.33.4.12:c.root-servers.net
&:128.8.10.90:d.root-servers.net
&:192.203.230.10:e.root-servers.net
&:192.5.5.241:f.root-servers.net
&:192.112.36.4:g.root-servers.net
&:128.63.2.53:h.root-servers.net
&:192.36.148.17:i.root-servers.net
&:192.58.128.30:j.root-servers.net
&:193.0.14.129:k.root-servers.net
&:198.32.64.12:l.root-servers.net
&:202.12.27.33:m.root-servers.net
.localhost
.1.0.0.127.in-addr.arpa
=localhost:127.0.0.1
to /service/tinydnsext/root/data. This is necessary because the .fr registrar refuses to delegate to a server that does not have this information. This is bad practice, because it forces you to keep track of information that’s only necessary for a cache, even if you aren’t running a cache.
How to receive a delegation from .in-addr.arpa
If you are in charge of a block of IP addresses, and you want to provide reverse lookups for those IP addresses, you will need a corresponding name in the in-addr.arpa domain. For example, if you are in charge of IP addresses 1.8.7.0 through 1.8.7.255, the domain 7.8.1.in-addr.arpa should be delegated to you.
For concreteness, these instructions assume that the name is 7.8.1.in-addr.arpa, and that you have two computers running DNS servers, the first server on IP address 1.8.7.200 and the second server on IP address 1.8.7.201.
The normal procedure has two steps. First, tell your DNS servers that they should answer questions for 7.8.1.in-addr.arpa, and that they should announce 1.8.7.200 and 1.8.7.201 as the DNS server addresses for 7.8.1.in-addr.arpa:
cd /service/tinydns/root
./add-ns 7.8.1.in-addr.arpa 1.8.7.200
./add-ns 7.8.1.in-addr.arpa 1.8.7.201
make
Second, tell the parent server administrator to delegate 7.8.1.in-addr.arpa to the server a.ns.7.8.1.in-addr.arpa on IP address 1.8.7.200 and the server b.ns.7.8.1.in-addr.arpa on IP address 1.8.7.201. Fees for this delegation are typically included in the fees for allocating the IP addresses in the first place.
Unfortunately, some parent administrators impose extra restrictions that prevent the normal procedure from working. In particular, ARIN (IP addresses in America) and RIPE (IP addresses in Europe) both insist that all their delegations be glueless. This means that the DNS servers need names outside in-addr.arpa. Gluelessness is bad practice, because it slows down DNS lookups and sometimes destroys DNS lookups, but ARIN and RIPE don’t care. (Reported May 2001.)
To deal with ARIN and RIPE, edit /service/tinydns/root/data manually to specify server names in some other domain that you control, let's say x.org:
.7.8.1.in-addr.arpa:1.8.7.200:a.reversens.x.org
.7.8.1.in-addr.arpa:1.8.7.201:b.reversens.x.org
Then tell the parent server administrator to delegate 7.8.1.in-addr.arpa to the server a.reversens.x.org on IP address 1.8.7.200 and the server b.reversens.x.org on IP address 1.8.7.201.
APNIC (IP addresses in Asia and Australia) doesn’t insist on glueless delegations, but it does insist that you set up TCP service. (Reported June 2001.)
How to test configuration
For iptables rules, do:
iptables -vL -n
To adjust the DNS servers recorded for the domain example.com:
db domains setprop example.com PrimaryDNS dns1.example.com PrimaryDNSIP 1.2.3.4 SecondaryDNS dns2.example.com SecondaryDNSIP 1.2.3.5