timeout_seconds = 6

<!-- Guess what? All of the supported OSes that MaraDNS compiles on,
with the exception of the mingw32 semi-port (which has its own
workaround), have /dev/urandom support. So we don't need to tell
people how to set up a random_seed_file in the tutorial. -->
<A name=upstream>
<h2>Using other recursive DNS servers</h2>

It is possible to have MaraDNS contact other recursive name servers,
instead of contacting the actual root servers, to process recursive
queries by using the variable <tt>upstream_servers</tt> in the mararc file.

In other words, one can use, say, one's ISP's DNS servers to resolve the
names, and have MaraDNS act as a cache for the ISP's DNS servers. Supposing
that the ISP name servers have the IPs 10.66.77.88 and 10.99.11.22, the
mararc file will look like this:

ipv4_bind_addresses = "127.0.0.1"
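Here is a complete mararc for that setup, written as an added example rather than taken from the MaraDNS documentation. The <tt>upstream_servers = {}</tt> initialization line and the use of "." as the dictionary key are assumptions about mararc syntax; the remaining lines mirror the other examples on this page.

```ini
# Added example (not the page's own file).  Assumes a mararc dictionary
# variable is initialised with "= {}" before keys are assigned to it.
ipv4_bind_addresses = "127.0.0.1"
chroot_dir = "/etc/maradns"
recursive_acl = "127.0.0.1"

# Send every recursive query to the ISP's resolvers instead of walking
# down from the root servers.  Key "." means "the whole DNS name space".
upstream_servers = {}
upstream_servers["."] = "10.66.77.88,10.99.11.22"
```

Whatever those upstream resolvers answer is cached and handed to the clients, so MaraDNS now trusts them completely; if they are poisoned or hijacked, so is this cache. Keep <tt>recursive_acl</tt> as narrow as the example shows so the cache is not exposed to networks that have no business using it.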
It is also possible to tell MaraDNS which root servers to use. The
following mararc file lists the ICANN root servers explicitly:

ipv4_bind_addresses = "127.0.0.1"
chroot_dir = "/etc/maradns"
recursive_acl = "127.0.0.1"
ipv4_alias["icann"] = "198.41.0.4,"
ipv4_alias["icann"] += "192.228.79.201,"
ipv4_alias["icann"] += "192.33.4.12,"
ipv4_alias["icann"] += "128.8.10.90,"
ipv4_alias["icann"] += "192.203.230.10,"
ipv4_alias["icann"] += "192.5.5.241,"
ipv4_alias["icann"] += "192.112.36.4,"
ipv4_alias["icann"] += "128.63.2.53,"
ipv4_alias["icann"] += "192.36.148.17,"
ipv4_alias["icann"] += "192.58.128.30,"
ipv4_alias["icann"] += "193.0.14.129,"
ipv4_alias["icann"] += "199.7.83.42,"
ipv4_alias["icann"] += "202.12.27.33"
root_servers["."] = "icann"
This file will do the exact same thing as the following <tt>mararc</tt> file,
which does not set <tt>root_servers</tt> at all:

recursive_acl = "127.0.0.1"

The ICANN servers listed above are the ones that MaraDNS uses when no
root servers are specified. Note that root server addresses do change
from time to time (several of the addresses listed here have since been
reassigned), so a hand-written list like this must be checked against
the current root hints before it is relied on.
As an aside, the <tt>ipv4_alias</tt> variable is a general purpose way of
giving names to any set of IPs in a <tt>mararc</tt> file. We can use
shortcuts like this, in fact:
ipv4_alias["localhost"] = "127.0.0.1"
ipv4_bind_addresses = "localhost"
chroot_dir = "/etc/maradns"
recursive_acl = "localhost"
ipv4_alias["icann-a"] = "198.41.0.4"
ipv4_alias["icann-b"] = "192.228.79.201"
ipv4_alias["icann-c"] = "192.33.4.12"
ipv4_alias["icann-d"] = "128.8.10.90"
ipv4_alias["icann-e"] = "192.203.230.10"
ipv4_alias["icann-f"] = "192.5.5.241"
ipv4_alias["icann-g"] = "192.112.36.4"
ipv4_alias["icann-h"] = "128.63.2.53"
ipv4_alias["icann-i"] = "192.36.148.17"
ipv4_alias["icann-j"] = "192.58.128.30"
ipv4_alias["icann-k"] = "193.0.14.129"
ipv4_alias["icann-l"] = "199.7.83.42"
ipv4_alias["icann-m"] = "202.12.27.33"
ipv4_alias["icann"] = "icann-a,icann-b,icann-c,icann-d,icann-e,icann-f,"
ipv4_alias["icann"] += "icann-g,icann-h,icann-i,icann-j,icann-k,icann-l,"
ipv4_alias["icann"] += "icann-m"
root_servers["."] = "icann"
This works the same as the above two examples. The reason why none of the
aliases besides icann ends in a comma is that the comma before the closing
quote is only needed on a line that is followed by a line using
the <tt>+=</tt> operator; <tt>+=</tt> simply appends the new string, so
without that comma two addresses would run together into one.
Here is a configuration file which uses OpenNIC's root servers as the
root servers. This list is current as of February 22, 2006; note that
OpenNIC frequently changes these IPs and you need to verify that these
IPs are current at <A
href=http://www.opennic.unrated.net/>http://www.opennic.unrated.net/</A>.
A number of alternate root server organizations no longer exist; please
make sure OpenNIC still exists before using this list.
ipv4_bind_addresses = "127.0.0.1"
chroot_dir = "/etc/maradns"
recursive_acl = "127.0.0.1"

# This ends with a comma because the next line is a += line
ipv4_alias["opennic"] = "131.161.247.232,"
ipv4_alias["opennic"] += "208.185.249.250,"
ipv4_alias["opennic"] += "66.227.42.140,"
ipv4_alias["opennic"] += "66.227.42.149,"
ipv4_alias["opennic"] += "64.81.44.251,"
ipv4_alias["opennic"] += "216.87.84.214,"
ipv4_alias["opennic"] += "208.185.249.251,"
ipv4_alias["opennic"] += "131.161.247.231,"
# This is the last line, so no comma at the end
ipv4_alias["opennic"] += "65.243.92.254"
# Considering how often alternate root DNS server lists change or disappear,
# we will have the ICANN list on hand as a backup.
ipv4_alias["icann"] = "198.41.0.4,"
ipv4_alias["icann"] += "192.228.79.201,"
ipv4_alias["icann"] += "192.33.4.12,"
ipv4_alias["icann"] += "128.8.10.90,"
ipv4_alias["icann"] += "192.203.230.10,"
ipv4_alias["icann"] += "192.5.5.241,"
ipv4_alias["icann"] += "192.112.36.4,"
ipv4_alias["icann"] += "128.63.2.53,"
ipv4_alias["icann"] += "192.36.148.17,"
ipv4_alias["icann"] += "192.58.128.30,"
ipv4_alias["icann"] += "193.0.14.129,"
ipv4_alias["icann"] += "199.7.83.42,"
ipv4_alias["icann"] += "202.12.27.33"
# Now, set the root servers; change this to icann if you want to use the
# icann servers instead.
root_servers["."] = "opennic"
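Two points made above can be turned into a check: that an <tt>ipv4_alias</tt> entry may name other aliases and that a line continued by <tt>+=</tt> must end in a comma, and that any hand-maintained root server list has to be verified against a current source. The following Python script is an added example and is not part of MaraDNS. It expands the aliases of a mararc fragment into a list of root server IPs, rejects a list where a missing comma glued two addresses together, and reports configured addresses that do not appear in a root-hints file. Its mararc text and its hints text are constructed samples in the named.root layout, not fetched data.

```python
"""Added example (not part of the MaraDNS documentation): expand the
ipv4_alias / root_servers lists of a mararc fragment as the tutorial
describes and compare the result against a named.root-style hints file.
The mararc and hints texts at the bottom are constructed samples."""
import ipaddress
import re

# Scalar settings and "= {}" initialisations carry no list data.
SCALAR_RE = re.compile(r'^\s*\w+\s*=\s*(?:"[^"]*"|\d+|\{\})\s*$')
# Dictionary assignment:  var["key"] = "value"   or   var["key"] += "value"
DICT_RE = re.compile(r'^\s*(\w+)\s*\[\s*"([^"]*)"\s*\]\s*(\+?=)\s*"([^"]*)"\s*$')


def parse_mararc(text):
    """Return {var: {key: raw_value}} for the dictionary assignments in text.
    '#' starts a comment; '=' replaces a value and '+=' appends to it."""
    tables = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or SCALAR_RE.match(line):
            continue
        m = DICT_RE.match(line)
        if not m:
            raise ValueError("unrecognised mararc line: %r" % line)
        var, key, op, value = m.groups()
        table = tables.setdefault(var, {})
        # "+=" is plain string concatenation: if the previous line did not
        # end in a comma, two addresses are glued into one bogus token.
        table[key] = value if op == "=" else table.get(key, "") + value
    return tables


def expand(value, aliases, seen=()):
    """Turn a comma-separated list into IPv4 strings, following aliases."""
    result = []
    for item in filter(None, (t.strip() for t in value.split(","))):
        if item in aliases:
            if item in seen:
                raise ValueError("alias loop through %r" % item)
            result.extend(expand(aliases[item], aliases, seen + (item,)))
        else:
            # Raises ValueError for glued tokens such as "198.41.0.4192.228.79.201".
            result.append(str(ipaddress.IPv4Address(item)))
    return result


def root_servers(mararc_text):
    """Expanded root server IPs configured for "." in a mararc fragment."""
    tables = parse_mararc(mararc_text)
    return expand(tables["root_servers"]["."], tables.get("ipv4_alias", {}))


def is_well_formed(mararc_text):
    """True if every root server token expands to a valid IPv4 address."""
    try:
        root_servers(mararc_text)
        return True
    except ValueError:
        return False


def hints_addresses(named_root_text):
    """IPv4 addresses of the A records in a named.root-style hints file."""
    found = set()
    for line in named_root_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) == 4 and fields[2] == "A":
            found.add(fields[3])
    return found


def stale_entries(mararc_text, named_root_text):
    """Configured root server IPs that are absent from the hints file."""
    return sorted(set(root_servers(mararc_text)) - hints_addresses(named_root_text))


# Constructed samples (not current, authoritative data).
MARARC_OK = '''
ipv4_bind_addresses = "127.0.0.1"
chroot_dir = "/etc/maradns"
recursive_acl = "127.0.0.1"
ipv4_alias["icann-a"] = "198.41.0.4"
ipv4_alias["icann-b"] = "192.228.79.201"
ipv4_alias["icann"] = "icann-a,icann-b,"
ipv4_alias["icann"] += "192.33.4.12"
root_servers["."] = "icann"
'''

# Same idea, but the first icann line lacks the comma a "+=" line needs.
MARARC_GLUED = '''
ipv4_alias["icann"] = "198.41.0.4"
ipv4_alias["icann"] += "192.228.79.201"
root_servers["."] = "icann"
'''

HINTS = '''
; constructed sample in the named.root layout; B has a changed address
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
'''

if __name__ == "__main__":
    print("configured:", root_servers(MARARC_OK))
    print("stale:", stale_entries(MARARC_OK, HINTS))
    print("glued list accepted:", is_well_formed(MARARC_GLUED))
```

Run <tt>stale_entries</tt> with your own mararc and the current hints file from https://www.internic.net/domain/named.root to get the addresses that need updating. A non-empty result means queries to those addresses will time out or, worse, reach whoever holds the address now; a <tt>False</tt> from <tt>is_well_formed</tt> means a <tt>+=</tt> continuation lost its comma.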
<h2>Having private host names</h2>

One may wish to have private host names when running MaraDNS as a recursive
name server. These are names that are not attached to the root servers,
but will resolve on the recursive name server. For example, it might make
sense to have "router.office." resolve to the IP of a router in an office.

There are two ways to do this with MaraDNS: by using a custom
root server for only names that end in "office", or by having the
authoritative half of MaraDNS handle custom name resolutions.
<A name="privateauth">
<h2>Using authoritative records for private names</h2>

We can have local names by taking advantage of the fact that MaraDNS
can act as both a recursive and authoritative name server on the same IP.
MaraDNS looks up authoritative names before performing recursion.
For example, if <tt>www.google.com</tt> is defined in a MaraDNS zone
file, MaraDNS will use the value in the zone file instead of contacting
nameservers on the internet to get the IP for <tt>www.google.com</tt>.

The procedure to do this is as follows:

<li>Have an authoritative and recursive DNS server share the same IP. Make
sure this DNS server is not accessible from the public internet (an open
recursive server leaks the private names and can be abused for reflection
attacks).
<li>For this authoritative server, have zone files for the zones which one
wants to hold non-public information. Recursive queries will be resolved
as usual (since the authoritative server is also a recursive server);
authoritative queries for the special zones will get the special data.
<li>The <A href=man.maradns.html>maradns man page</A> has a section on
firewall configuration which
describes how to set up an IP filter to allow MaraDNS to send packets.
Basically, don't allow outside IPs to hit this combined server on port
53 (UDP); instead allow inbound UDP to ports 15000-19095, the source ports
MaraDNS uses for its own recursive queries, so that replies can get back.
Here is how the configuration may look:

ipv4_bind_addresses = "192.168.0.1"
chroot_dir = "/etc/maradns"
recursive_acl = "192.168.0.0/24"
csv2["office."] = "db.office"

Replace 192.168.0.1 with the IP of the machine running the recursive MaraDNS;
replace 192.168.0.0/24 (this means "anything that begins with 192.168.0")
with the IP range allowed to access the recursive DNS server.

The file "db.office" will be a csv2 zone file with records for the
private office domain, such as router.office.

If you want to have some of these private names be CNAMEs for hostnames
on the internet (e.g. "google.office. CNAME www.google.com."), please
read the <A href=dangling.html>dangling CNAME document</A>.
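As an added example (not a file from the MaraDNS documentation), here is what <tt>/etc/maradns/db.office</tt> might contain for the configuration above. The host names and addresses are made up; the record syntax follows the csv2 forms used elsewhere on this page, an A record as "name. IP" and a CNAME as "name. CNAME target.".

```text
# Added example of a csv2 zone file for the private zone office.
# Every name ends in a dot; the record type defaults to A when only an
# IP follows the name.  The addresses are invented for the example.
router.office.      192.168.0.1
fileserver.office.  192.168.0.10
printer.office.     192.168.0.20

# An alias that stays inside office.  A CNAME pointing at a name outside
# this zone is a dangling CNAME and needs the handling described above.
nas.office.         CNAME fileserver.office.
```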
More information on having host names for an internal network is available
in the <A href="authoritative.html#network">network section of the
authoritative document</A>.
<A name="privateroot">
<h2>Private names with custom root servers</h2>

MaraDNS, starting with version 1.3.02, can have custom root name servers
that only resolve names in a subtree of the DNS space. In other words,
we can tell MaraDNS to have 192.168.0.7 resolve all names ending in
<tt>office</tt> by having a line like this in one's mararc file:

The server at 192.168.0.7 must in turn be authoritative for
<tt>office.</tt>; if it is itself a MaraDNS, its own mararc loads the
zone with a line such as:

csv2["office."] = "db.office"
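As an added example (not from the MaraDNS documentation), here is the mararc of the recursive server described above. That <tt>root_servers</tt> accepts a zone name other than "." as its key, and that the built-in ICANN list still serves names outside <tt>office.</tt> when <tt>root_servers["."]</tt> is left unset, are assumptions drawn from the description above; the other lines mirror the page's earlier examples.

```ini
# Added example: a recursive MaraDNS that sends everything under "office."
# to a private root server.  Assumes root_servers may be keyed by a subtree
# name and that "." falls back to the built-in ICANN list when not set.
ipv4_bind_addresses = "192.168.0.1"
chroot_dir = "/etc/maradns"
recursive_acl = "192.168.0.0/24"

# Only names ending in "office" are sent to 192.168.0.7.  That host must
# answer for the whole office. subtree, since no server above it is asked.
root_servers["office."] = "192.168.0.7"
```

Because the recursive server trusts whatever 192.168.0.7 says for the entire <tt>office.</tt> subtree, that host needs to be protected as carefully as the resolver itself, and the narrow <tt>recursive_acl</tt> keeps the combined service off the public internet.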
<h2>Customizing the resolution of some names</h2>

One may wish to customize the resolution of certain names when using
MaraDNS as both an authoritative and recursive name server. For example,
if a high-profile domain is hijacked (such as what happened with
panix.com in January of 2005), it may be desirable to have the correct
address for the domain be temporarily set locally. This is also useful for
a list of blocked sites (so the user gets a friendly "this site is blocked"
page instead of just being unable to connect to the site in question), and for
setups where some machines need special DNS resolution for names that
other machines do not need DNS resolution for.

The procedure for doing this is almost identical to the procedure for
having private host names as described above. Here is an example
relevant <tt>mararc</tt> file:

ipv4_bind_addresses = "192.168.0.1"
chroot_dir = "/etc/maradns"
recursive_acl = "192.168.0.0/24"
csv2["example.com."] = "db.example.com"

The only things that need to be changed in this mararc file are
the <tt>ipv4_bind_addresses</tt> and the <tt>recursive_acl</tt>
parameters. The <tt>csv2["example.com."]</tt> line is <i>not</i> changed.

Now, let us suppose we want to have the A records for "www.phishsite.foo"
and "phishsite.foo" resolve to an IP address that we control the web
site for. We would add the following records (lines) to the file
<tt>/etc/maradns/db.example.com</tt>:

www.phishsite.foo. 192.168.0.2
phishsite.foo. 192.168.0.2

We can also add a star record:

*.phishsite.foo. 192.168.0.2