******************************************************

Local DNS cache:

******************************************************
This document is kept for the archives: I no longer use djbdns, I use bind9 instead.

Having a local DNS cache is highly recommended if you do not already have a DNS server, or another server that provides a DNS caching function, on your network. I have found that using a broadband router (or similar) as the primary name server does not provide the same functionality a true DNS server provides. Name server settings are located in /etc/resolv.conf. If you choose not to use a local DNS cache, then at least use a real DNS server as your primary. I have seen SpamAssassin time out on RBL lookups when it cannot perform DNS queries quickly enough, and this can have a big effect on the final spam score.

I will not pretend that I understand the capabilities of the daemontools program we will install; I only understand that we need it in order to run the djbdns (dnscache) program that will provide our locally installed DNS cache.

We are going to configure our spamfilter using something similar to the configuration "How to run a cache on a workstation" on the djbdns web site: http://cr.yp.to/djbdns.html. You may also consider providing the service we install on this machine to other machines on your network, but it is best not to burden this machine any more than necessary or complicate the installation. See "How to run an external cache for your network" on the same web site if you wish to do this. Note that you may need to modify our firewall (iptables) to accept DNS traffic if you choose to provide this service to other machines:
iptables -A FIREWALL -p udp -m udp --dport 53 -j ACCEPT
iptables -A FIREWALL -p tcp -m tcp --dport 53 -j ACCEPT
See the "Create Firewall Rules:" section above.

Also note that your /etc/apt/sources.list will need to have "contrib" sources listed (as shown above in the "Change apt-get settings:" section). If you add "contrib" sources, make sure you run "apt-get update" afterwards.

Other good sources of information are http://www.lifewithdjbdns.org/ and http://www.fredshack.com/docs/djbdns.html and http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/files/aixfiles/resolv.conf.htm.

Read the notes above to determine if you need a local DNS cache before continuing.
Back up our resolv.conf file:
cp /etc/resolv.conf /etc/resolv.conf-original

Download the daemontools installer:
apt-get install daemontools-installer

Per the instructions, install daemontools (just press [Enter] at any prompts):
build-daemontools

The svscan daemon will now be running. It runs programs it finds in the /service directory that daemontools created.
Download the UCSPI-TCP installer:
apt-get install ucspi-tcp-src

Install UCSPI-TCP (just press [Enter] at any prompts):
build-ucspi-tcp

Download the djbdns installer:
apt-get install djbdns-installer

Install djbdns (just press [Enter] at any prompts):
build-djbdns

Configure the dnscache program:
dnscache-conf dnscache dnslog /etc/dnscache

Create a symlink to the dnscache program in the /service directory so svscan will start it:
ln -s /etc/dnscache /service

Wait at least 5 seconds, then see if the dnscache service is running:
svstat /service/dnscache

Create a new resolv.conf (pointing to ourselves as the DNS server):
echo "domain example.com" > /etc/resolv.conf
echo "nameserver 127.0.0.1" >> /etc/resolv.conf

Test that you are able to resolve a host name on the Internet:
dnsip www.cnn.com

We changed the resolv.conf and passwd files, so we need to give Postfix new copies:
LINUX2

Tail the log file to verify dnscache is working:
tail -40 /service/dnscache/log/main/current

If you can't get this to work, check your firewall settings. If you need to disable this, copy your original resolv.conf back (then run LINUX2 again). My systems worked fine for months, and then one day they were unable to resolve host names. I changed "domain example.com" to my FQDN host name, "domain sfa.example.com", and it started working again; I have no idea why. My only thought is that it was interacting with other name servers on my network, or confusing my proxy server.
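As an added example that is not part of the original guide, the script below turns the verification steps above (svstat uptime, resolv.conf pointing at 127.0.0.1, and the cache not being offered to other machines) into shell functions you can run when troubleshooting. The svstat line, the resolv.conf files and the env/IP file are constructed sample input, and all paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity checks for the dnscache
# setup described above, run against constructed sample input so it works
# without djbdns installed. svstat output and env/IP follow the daemontools
# and djbdns conventions; every path below is hypothetical.

# Print how many seconds dnscache has been up according to one line of
# svstat output, or -1 when the service is not up.
svstat_up_seconds() {
    case "$1" in
        *": up (pid "*") "*" seconds"*)
            printf '%s\n' "$1" | sed 's/.*) \([0-9]*\) seconds.*/\1/' ;;
        *)
            printf '%s\n' -1 ;;
    esac
}

# Succeed when svstat reports dnscache up for at least 5 seconds, the
# delay the guide asks for before trusting svstat.
dnscache_ready() {
    secs=$(svstat_up_seconds "$1")
    [ "$secs" -ge 5 ]
}

# Succeed when the first nameserver in the given resolv.conf is the local
# cache; a router or ISP resolver listed first would bypass dnscache.
resolv_uses_local_cache() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "127.0.0.1" ]
}

# Succeed when dnscache's env/IP binds only loopback, i.e. the cache is not
# offered to other machines and the port 53 firewall rules are not needed.
dnscache_is_loopback_only() {
    [ "$(cat "$1/env/IP")" = "127.0.0.1" ]
}

# Constructed sample input (not a real system): a service directory as
# dnscache-conf lays it out, plus two resolv.conf variants.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/dnscache/env"
echo 127.0.0.1 > "$demo/dnscache/env/IP"
printf 'domain example.com\nnameserver 127.0.0.1\n' > "$demo/resolv.conf"
printf 'nameserver 192.0.2.1\n' > "$demo/resolv-router.conf"

svstat_up_seconds "/service/dnscache: up (pid 1234) 57 seconds"     # 57
svstat_up_seconds "/service/dnscache: down 12 seconds, normally up"  # -1
```

On a real system, feed the functions `svstat /service/dnscache` output, /etc/resolv.conf and /etc/dnscache instead of the constructed files.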