Currently our DNS services are hosted externally by another company's hosting service, so the main goal is to bring the DNS services back into our office, running on our own server.

We chose OpenBSD 5.2 because it is lightweight and secure by default. Since we only have one machine at the moment (and maybe for quite a long time), the same machine will be our web server and also our DNS server, acting as both the primary and the secondary DNS server by using an alias on the network interface. This machine will be located in the DMZ behind the firewall, which is a Fortigate-60M firewall appliance.

The overall basic setup looks like the diagram below.

We have replaced our real registered IP addresses with substitute addresses for this write-up. Assume the registered IP addresses for the hosts are:

the firewall/gateway registered IP is 10.1.1.2

the mail server registered IP is 10.1.1.5 and its internal DMZ IP is 192.168.1.2

the web server, which will also act as the DNS server: physically one machine holding two IP addresses, the registered IPs for DNS 10.1.1.3 and 10.1.1.4, while the internal DMZ IP addresses are 192.168.1.3 and 192.168.1.4 (alias)

Basically the IP addressing looks like below:

First, all the reference websites we used to set up, install and configure our server.

The packages/software:
http://cr.yp.to/djbdns.html
http://tinydns.org/

The installation guides:
http://www.djbdnsrocks.org/
http://pufferfish.wordpress.com/2006/12/10/installing-djbdns-on-openbsd-or-any-other-platform/

The O/S:
http://www.openbsd.org

Now the steps.

1. Prepare, download and install the operating system, OpenBSD 5.2, and set 192.168.1.3 as the main IP address of the network interface. Make sure you give the /var filesystem plenty of space, since we will be using /var a lot; we put around 120GB on /var.

After the installation finishes, reboot the server, log in as root and create an alias IP on the network interface for the second IP address 192.168.1.4.

The file to edit is /etc/hostname.bge0 (bge0 is the network interface name on our server; run “ls -al /etc/hostname.*” to see your actual filename). Below is our /etc/hostname.bge0 entry (refer to: http://www.openbsd.org/faq/faq6.html#Setup.aliases).

# cat /etc/hostname.bge0
inet 192.168.1.3 255.255.255.0
inet alias 192.168.1.4 255.255.255.255

To be sure, reboot the server, log back in as root, and “ping” both IP addresses or use “ifconfig” to see all the network interfaces.

2. Configure the nginx web server; it should come with OpenBSD, and its config file should be in the /etc folder. By default the web directory is located at /var/www.

3. Now comes to the TinyDNS installation.

The main reference site for the TinyDNS installation is pufferfish.wordpress.com, but to install two TinyDNS services on one OpenBSD machine (with an alias IP) we extended the references with www.djbdnsrocks.org.

a. download and install the daemontools-0.76.tar.gz

b. download and install the ucspi-tcp-0.88.tar.gz

c. then download and install the djbdns/tinydns

d. add the group for dns

# groupadd -g 151 dns

e. add user: tinydns and dnslog

# useradd -g 151 -u 151 -d /nonexistent -c "tinydns" -s /sbin/nologin tinydns
# useradd -g 151 -u 152 -d /nonexistent -c "tinydns" -s /sbin/nologin dnslog

f. To run two tinydns services on one machine:

The syntax is:
# tinydns-conf tinydns dnslog /var/tinydns IP

where tinydns-conf is the utility that sets up a tinydns service, “tinydns” is the user account the service runs as, “dnslog” is the user account that will log all the queries and errors, “/var/tinydns” is the directory where the service is located, and lastly IP is the IP address the service will listen on.

for the first nameserver:
/usr/local/bin/tinydns-conf tinydns dnslog /var/tinydns1 192.168.1.3

for the second nameserver:
/usr/local/bin/tinydns-conf tinydns dnslog /var/tinydns2 192.168.1.4

We chose the /var folder to standardise the location, since the web service also uses /var. As you can see, the IP address the services listen on is the DMZ IP address and NOT the registered IP address. The registered IP address will be mapped to this DMZ IP address by the firewall.

then link both service directories into /service:

ln -s /var/tinydns1 /service
ln -s /var/tinydns2 /service

Once you have done this, the services will be up. Check the processes using “ps -aux”; you should see both tinydns processes running. Or you can check the tinydns log files /var/tinydns1/log/main/current and /var/tinydns2/log/main/current, where you should see a line with “starting tinydns”.

Now we should add the DNS information.

There are two ways to add the DNS information: manually, or using the utility commands provided. We followed the manual method as it is much faster and easier. Modify the /var/tinydns1/root/data file to look like this:

# -- name servers
.yourdomain.com:10.1.1.3:ns1.yourdomain.com:259200
.yourdomain.com:10.1.1.4:ns2.yourdomain.com:259200
.1.1.10.in-addr.arpa:10.1.1.3:ns1.yourdomain.com:259200

# -- yourdomain.com hosts
+yourdomain.com:10.1.1.3:86400
+www.yourdomain.com:10.1.1.3:86400
+webmail.yourdomain.com:10.1.1.5:86400
+mail.yourdomain.com:10.1.1.5:86400
+ns1.yourdomain.com:10.1.1.3:86400
+ns2.yourdomain.com:10.1.1.4:86400

# -- MX RECORDS
@yourdomain.com:10.1.1.5:mail.yourdomain.com::86400

Of course the domain name should be your domain name, and as you can see, all the IP addresses in the file must be the registered IP addresses, NOT the DMZ IP addresses.
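The data file above invites two mistakes: a DMZ address slipping into a record, and an NS or MX target that has no A record behind it. The following Python check is an added example (not part of the article and not a djbdns tool). It parses the tinydns-data line types used above (., &, +, =, @), applies the registered and DMZ ranges from the article, and uses the tinydns-data naming rule for NS/MX targets (x with a dot is used as-is, otherwise x.ns.fqdn or x.mx.fqdn); the empty-x case is deliberately not resolved. PAGE_DATA is the article's example file embedded as sample input.

```python
import ipaddress

# Address ranges as given in the article (registered vs. DMZ)
REGISTERED = ipaddress.ip_network("10.1.1.0/24")
DMZ = ipaddress.ip_network("192.168.1.0/24")

# tinydns-data line types whose second field is an IP address
IP_TYPES = {".", "&", "=", "+", "@"}

# The article's example data file, embedded here as sample input
PAGE_DATA = """\
# -- name servers
.yourdomain.com:10.1.1.3:ns1.yourdomain.com:259200
.yourdomain.com:10.1.1.4:ns2.yourdomain.com:259200
.1.1.10.in-addr.arpa:10.1.1.3:ns1.yourdomain.com:259200

# -- yourdomain.com hosts
+yourdomain.com:10.1.1.3:86400
+www.yourdomain.com:10.1.1.3:86400
+webmail.yourdomain.com:10.1.1.5:86400
+mail.yourdomain.com:10.1.1.5:86400
+ns1.yourdomain.com:10.1.1.3:86400
+ns2.yourdomain.com:10.1.1.4:86400

# -- MX RECORDS
@yourdomain.com:10.1.1.5:mail.yourdomain.com::86400
"""


def parse_data(text):
    """Split a tinydns-data file into (lineno, type, fields) tuples, skipping comments."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        records.append((lineno, line[0], line[1:].split(":")))
    return records


def _server_name(x, fqdn, infix):
    """tinydns-data naming rule: x containing a dot is used as-is, else x.<infix>.fqdn."""
    if not x:
        return None  # simplification: an empty x is not resolved by this checker
    return x if "." in x else f"{x}.{infix}.{fqdn}"


def check_data(text):
    """Return a list of problem strings; an empty list means the file passes."""
    problems = []
    has_a = set()    # names that get an A record from this file
    needs_a = {}     # names referenced as NS/MX targets -> first line that names them
    for lineno, rtype, f in parse_data(text):
        fqdn = f[0]
        ip = f[1] if len(f) > 1 else ""
        x = f[2] if len(f) > 2 else ""
        if rtype in IP_TYPES and ip:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                problems.append(f"line {lineno}: {fqdn}: not an IP address: {ip!r}")
                continue
            if addr in DMZ:
                problems.append(f"line {lineno}: {fqdn}: DMZ address {ip}, use the registered address")
            elif addr not in REGISTERED:
                problems.append(f"line {lineno}: {fqdn}: {ip} is outside the registered range")
        if rtype in (".", "&"):
            target = _server_name(x, fqdn, "ns")
            if target:
                needs_a.setdefault(target, lineno)
                if ip:
                    has_a.add(target)  # a '.'/'&' line with an ip also emits an A record for the NS
        elif rtype == "@":
            target = _server_name(x, fqdn, "mx")
            if target:
                needs_a.setdefault(target, lineno)
                if ip:
                    has_a.add(target)  # likewise, '@' with an ip emits an A record for the MX
        elif rtype in ("=", "+") and ip:
            has_a.add(fqdn)
    for name, lineno in sorted(needs_a.items(), key=lambda kv: kv[1]):
        if name not in has_a:
            problems.append(f"line {lineno}: {name} is named as NS/MX but has no A record in this file")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PAGE_DATA
    found = check_data(text)
    for problem in found:
        print(problem)
    sys.exit(1 if found else 0)
```

Run it as “python3 check_data.py /var/tinydns1/root/data”. tinydns serves the compiled data.cdb, not the text file, so once the file passes, run “make” in /var/tinydns1/root (tinydns-conf created the Makefile there), and do the same in /var/tinydns2/root after copying the file. This check does not replace the parse errors tinydns-data itself reports; it only catches the address and glue mistakes that tinydns-data accepts silently.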

Copy /var/tinydns1/root/data to the second service folder /var/tinydns2/root, overwriting the data file in that folder. To make sure everything starts correctly, reboot the server.

Once everything starts up OK, we need to look into one more service, the packet filter, or “pf”. This service starts by default on OpenBSD, so we need to create a rule to allow the DNS service through to this server.

Since our server is behind the firewall, we decided to open everything first and restrict it later (someday). If we leave the default “pf” settings, the DNS services will be blocked; a port scan from outside will show something like “connection refused” instead of closed. So, to open everything, add the following lines to “/etc/pf.conf”:

pass in log quick keep state
pass out log quick keep state

and as usual, to make sure everything starts correctly, reboot the server.
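The two pass rules above open every port on the host. As an added example, not from the article, here is the restricted /etc/pf.conf the author defers to “someday”: it allows only what this machine serves, DNS (tcp and udp) on both DMZ addresses and HTTP on the web address, and blocks everything else. It assumes bge0 as the interface name and the DMZ addresses from the article; the SSH rule from the DMZ network is an assumption added so that a network login is still possible after the ruleset loads, and can be dropped if the box is only administered at the console.

```pf
# /etc/pf.conf -- added example, not the article's ruleset.
# Assumes the article's interface (bge0) and DMZ addresses.
ext_if   = "bge0"
dns_addrs = "{ 192.168.1.3, 192.168.1.4 }"
web_addr  = "192.168.1.3"
dmz_net   = "192.168.1.0/24"

set skip on lo

# Default deny; state is kept automatically on the pass rules below.
block log all

# Both tinydns instances: port 53 over udp and tcp on each DMZ address.
pass in on $ext_if proto { tcp, udp } from any to $dns_addrs port domain

# nginx on the primary address (add https here if the site serves it).
pass in on $ext_if proto tcp from any to $web_addr port http

# Assumption: administrative SSH only from the DMZ network, not from the WAN.
pass in on $ext_if proto tcp from $dmz_net to $ext_if port ssh

# Outbound traffic from the host itself.
pass out on $ext_if
```

Check the syntax with “pfctl -nf /etc/pf.conf” before loading it with “pfctl -f /etc/pf.conf”, and run the same outside port scan the author mentions: with this ruleset, everything except 53 and 80 should now show as filtered rather than open.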

4. Now the only thing left is to add “Virtual IPs” in the Fortigate firewall to map the DNS service for registered IP 10.1.1.3 to 192.168.1.3 and 10.1.1.4 to 192.168.1.4, and to add a firewall policy allowing the DNS service (tcp/udp) from WAN to the DMZ (specifically to the server addresses 192.168.1.3 and 192.168.1.4). As of now you can test the DNS server from outside using “dig @10.1.1.3 yourdomain.com” and “dig @10.1.1.4 yourdomain.com”, but we need one more step to complete it.

Log in to the ISP or registrar where your domain is registered, and change the nameserver IP addresses to the new registered IP addresses: in this case the primary DNS (ns1.yourdomain.com) to 10.1.1.3 and the secondary DNS (ns2.yourdomain.com) to 10.1.1.4.

You might need to wait a few hours for the change to propagate. After that you can test the DNS from outside using just “dig yourdomain.com”, without specifying the server IP address; if everything is OK, you should get the expected results.
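Because the secondary is a hand-copied twin of the primary, the check worth repeating after every data change is that ns1 and ns2 answer identically and authoritatively. The following script is an added example (not from the article, and not a djbdns tool) that does what the two dig commands above do, using only the Python standard library: it builds a raw DNS query, parses the answer section including compression pointers, and reports any name on which the two servers disagree or answer without the AA bit. SERVERS and NAMES are the article's addresses and hostnames, assumed here as the things to check.

```python
import random
import socket
import struct

# The article's two registered nameserver addresses and some of its hostnames (assumptions)
SERVERS = ("10.1.1.3", "10.1.1.4")
NAMES = ("yourdomain.com", "www.yourdomain.com", "mail.yourdomain.com")

QTYPE_A = 1
FLAG_AA = 0x0400


def build_query(name, qtype=QTYPE_A, qid=None):
    """Build a minimal DNS query: RD set, one question, class IN."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name at msg[off:]; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_answers(msg):
    """Return (flags, sorted answer tuples) from a DNS response message."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):            # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                   # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, "A", socket.inet_ntoa(rdata), ttl))
        else:
            answers.append((name, str(rtype), rdata.hex(), ttl))
    return flags, sorted(answers)


def query(server, name, qtype=QTYPE_A, timeout=3.0):
    """Send one UDP query to server:53 and parse the reply."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("response id does not match query id")
    return parse_answers(resp)


def compare_servers(servers, names, lookup=query):
    """Return findings: unreachable servers, non-authoritative answers, or disagreements."""
    findings = []
    for name in names:
        results = {}
        for srv in servers:
            try:
                flags, answers = lookup(srv, name)
            except (OSError, ValueError) as exc:
                findings.append(f"{name}: {srv}: {exc}")
                continue
            if not flags & FLAG_AA:
                findings.append(f"{name}: {srv}: answer is not authoritative")
            results[srv] = answers
        if len({tuple(a) for a in results.values()}) > 1:
            findings.append(f"{name}: servers disagree: {results}")
    return findings


if __name__ == "__main__":
    for line in compare_servers(SERVERS, NAMES) or ["ns1 and ns2 agree on all names"]:
        print(line)
```

Run it from a host outside the firewall, where the registered addresses are reachable; an empty result means both nameservers return the same authoritative answers. A disagreement usually means the data file was edited in /var/tinydns1 but not recompiled or copied to /var/tinydns2.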

Happy New Year and Happy trying !


One Response to “Setting up DNS Server Using TinyDNS/djbdns on OpenBSD behind Firewall”

  1. Özgür Kazançç? says:

    Great article! Really useful and logical.
    Many thanks for this.
