doc:howto:dns.maradns [2012/12/31 14:33]
amp
doc:howto:dns.maradns [2015/12/14 22:52] (current)
tmomas
====== MaraDNS ======
MaraDNS is a full-featured DNS server written with security, simplicity, and performance in mind. It supports redundancy, using primary and secondary servers.

===== Preparation =====
==== Prerequisites ====

==== Required Packages ====
^ Name ^ Version ^ Dependencies ^ Size ^ Description ^
| maradns | 1.3.07.09-1 | libpthread | 269717 | maradns is a DNS server written with security, simplicity, and performance in mind. |


===== Installation =====
[[doc:techref:opkg]]
<code bash>
opkg install maradns
vi /etc/mararc
/etc/init.d/maradns enable
/etc/init.d/maradns start
netstat -ln
iptables -I INPUT -j ACCEPT -i eth0.1 -p tcp --dport 53
iptables -I INPUT -j ACCEPT -i eth0.1 -p udp --dport 53
</code>

''netstat -ln'' should show port 53 listening on the address you configured in ''/etc/mararc''. The two ''iptables'' rules open port 53 on ''eth0.1'', which on many devices is the WAN interface: only do this if MaraDNS is meant to serve an authoritative zone to the outside, and keep ''recursive_acl'' limited to your internal networks, otherwise the router becomes an open resolver that can be abused for amplification attacks. Rules added with ''iptables -I'' are lost on reboot; put a persistent rule in ''/etc/config/firewall'' instead.

===== Configuration =====
The only configuration file is ''/etc/mararc''.\\
There are four executables: ''maradns'', ''askmara'', ''zoneserver'' and ''getzone''.

| maradns | DNS server; answers requests from clients |
| askmara | corresponding query tool; like dig or nslookup |
| zoneserver | zone transfer server; answers requests from secondary servers |
| getzone | corresponding query tool; like dig -t axfr |


==== DNS repeater ====
If you want MaraDNS to act like dnsmasq, as a recursive and/or authoritative DNS server, edit ''/etc/mararc'' and restrict recursion to the clients that are allowed to use it:

<code>
recursive_acl="192.168.1.0/24"
</code>

If you want to tie the process to a specific interface, edit the ''bind_address'' parameter. It defaults to 0.0.0.0, meaning all interfaces. If both recursive and authoritative DNS are needed (i.e. you add a zonefile), you have to change this to the specific IP address(es) on which MaraDNS should listen, otherwise it will refuse to start.
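The following pre-start check is an added example and is not part of this page or of MaraDNS itself. It reads a mararc with plain sed and grep and enforces the two rules just described: a zonefile requires an explicit bind address rather than the 0.0.0.0 default, and ''recursive_acl'' must not allow the whole Internet. The two mararc files it checks are constructed inline for the demonstration; besides the ''bind_address'' name used on this page it also accepts the newer ''ipv4_bind_addresses'' spelling.

```shell
#!/bin/sh
# Added example (not from the OpenWrt page or the MaraDNS project):
# sanity-check /etc/mararc before starting maradns.
#  1. If a csv1/csv2 zonefile is configured, the bind address must be an
#     explicit IP (maradns refuses to start on the 0.0.0.0 default).
#  2. recursive_acl must not contain 0.0.0.0/0 (an open resolver).

# Print the quoted value of a mararc variable, ignoring comment lines.
# Usage: mararc_get FILE VARIABLE
mararc_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Return 0 if FILE declares at least one zone (csv1[...] or csv2[...]).
mararc_has_zones() {
    grep -Eq '^[[:space:]]*csv[12]\[' "$1"
}

# Validate FILE; print one line per finding; return 1 if anything was found.
mararc_check() {
    file=$1
    rc=0
    bind=$(mararc_get "$file" bind_address)
    [ -n "$bind" ] || bind=$(mararc_get "$file" ipv4_bind_addresses)
    if mararc_has_zones "$file"; then
        case "$bind" in
            ""|0.0.0.0)
                echo "$file: zonefile configured but bind address is '${bind:-unset}'; set bind_address to the listening IP"
                rc=1 ;;
        esac
    fi
    acl=$(mararc_get "$file" recursive_acl)
    case ",$acl," in
        *,0.0.0.0/0,*)
            echo "$file: recursive_acl allows the whole Internet (open resolver)"
            rc=1 ;;
    esac
    return $rc
}

# --- constructed sample files for the demonstration ---
MARARC_DIR=$(mktemp -d)
MARARC_OK=$MARARC_DIR/mararc.ok
MARARC_BAD=$MARARC_DIR/mararc.bad

# Recursive + authoritative, explicitly bound, recursion limited to the LAN.
cat >"$MARARC_OK" <<'EOF'
bind_address="192.168.1.1"
chroot_dir="/etc/maradns"
recursive_acl="192.168.1.0/24"
csv2 = {}
csv2["domain.test."] = "db.domain.test"
EOF

# Same zone, but bind address left unset and recursion open to everyone.
cat >"$MARARC_BAD" <<'EOF'
# bind_address left at its default
chroot_dir="/etc/maradns"
recursive_acl="0.0.0.0/0"
csv2 = {}
csv2["domain.test."] = "db.domain.test"
EOF

for f in "$MARARC_OK" "$MARARC_BAD"; do
    if mararc_check "$f"; then echo "$f: ok"; fi
done
```

Run ''mararc_check /etc/mararc'' from the init script or before restarting the service; a non-zero exit means maradns would either refuse to start or start as an open resolver.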
==== Primary Server ====
If you want MaraDNS to act as a primary server to other secondaries, you'll need to start ''zoneserver'' in addition to ''maradns''. Then add your zonefiles to ''/etc/mararc''.


==== Secondary Server ====
If you want MaraDNS to act as a secondary server, you'll need to do regular zone transfers with ''getzone''. Generally you want to run a command like this, either on a regular basis or triggered by some external event:

<code>
getzone domain.test 192.168.1.2 > /etc/maradns/db.domain.test
</code>

where ''domain.test'' is the domain name, ''192.168.1.2'' is the primary name server and ''db.domain.test'' is the filename of the zonefile. You will also have to restart ''maradns'' and/or ''zoneserver'' after the zones have been transferred. Note that with this plain redirection a failed transfer leaves an empty zonefile behind, so check the result before restarting.

See [[doc:howto:notuci.config#etccrontabsroot]] to utilize ''crond'' for that.

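The script below is an added example, not code from this page or from the MaraDNS project. It wraps the ''getzone'' transfer for a cron-driven secondary: the zone is fetched into a temporary file, an empty or failed transfer is discarded instead of overwriting the installed zonefile, and ''maradns'' is restarted only when the zone actually changed. ''GETZONE'' and ''RESTART_CMD'' default to the real ''getzone'' and ''/etc/init.d/maradns restart''; the demonstration at the end replaces both with constructed stubs (a fake zone printer whose record layout is illustrative, not MaraDNS zonefile syntax) so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the OpenWrt page or the MaraDNS project:
# zone refresh for a MaraDNS secondary, meant to be run from cron.
# Unlike a bare "getzone ... > zonefile" it transfers into a temporary
# file, refuses to install an empty or failed transfer, and restarts
# maradns only when the zonefile actually changed.

GETZONE=${GETZONE:-getzone}
RESTART_CMD=${RESTART_CMD:-"/etc/init.d/maradns restart"}

# refresh_zone ZONE PRIMARY DESTFILE
#   returns 0 if the zonefile was replaced and the server restarted,
#           3 if the transfer was identical to the installed zonefile,
#           1 if the transfer failed or produced no data
refresh_zone() {
    zone=$1 primary=$2 dest=$3
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if ! "$GETZONE" "$zone" "$primary" >"$tmp" || [ ! -s "$tmp" ]; then
        echo "refresh_zone: transfer of $zone from $primary failed, keeping $dest" >&2
        rm -f "$tmp"
        return 1
    fi
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"          # nothing changed: no restart needed
        return 3
    fi
    chmod 644 "$tmp"          # maradns drops privileges and must still read it
    mv "$tmp" "$dest" || return 1
    $RESTART_CMD
}

# Real use: refresh-zone.sh ZONE PRIMARY DESTFILE
if [ $# -eq 3 ]; then
    refresh_zone "$1" "$2" "$3"
    exit $?
fi

# --- demonstration with constructed stubs (no network, no init script) ---
# fake_getzone stands in for getzone and prints a constructed zone; the
# record layout is illustrative only, not MaraDNS zonefile syntax.
FAKE_SERIAL=2015121401
fake_getzone() {
    printf 'domain.test. SOA ns1.domain.test. hostmaster.domain.test. %s\n' "$FAKE_SERIAL"
    printf 'www.domain.test. A 192.168.1.10\n'
}
GETZONE=fake_getzone
RESTART_CMD="echo would restart maradns"
DEMO_DIR=$(mktemp -d)
DEMO_ZONE=$DEMO_DIR/db.domain.test

refresh_zone domain.test 192.168.1.2 "$DEMO_ZONE"; echo "first transfer: rc=$?"
refresh_zone domain.test 192.168.1.2 "$DEMO_ZONE"; echo "unchanged zone: rc=$?"
FAKE_SERIAL=2015121402
refresh_zone domain.test 192.168.1.2 "$DEMO_ZONE"; echo "serial bumped: rc=$?"
```

Installed as ''/etc/maradns/refresh-zone.sh'', a crontab entry such as ''*/15 * * * * /etc/maradns/refresh-zone.sh domain.test 192.168.1.2 /etc/maradns/db.domain.test'' does the periodic transfer; if the secondary also runs ''zoneserver'', extend ''RESTART_CMD'' to restart it as well.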
==== MaraDNS with dnsmasq ====
You can use ''MaraDNS'' and ''dnsmasq'' at the same time, but you will need to shut down the DNS functionality of ''dnsmasq'' by setting the option ''port'' to ''0'' in ''/etc/config/dhcp''. See [[doc:uci:dhcp]] for more information.

More information about dnsmasq in general can be found at [[oldwiki:dns.server.dnsmasq]] or [[doc:howto:dhcp.dnsmasq]].


==== Separating internal and external DNS ====

FIXME: the following uses NVRAM variables, which are not available any longer.

It is possible to run dnsmasq and MaraDNS concurrently and have both listen on different interfaces. This allows for the separation of internal and external DNS services, as detailed by synthrax in [[http://forum.openwrt.org/viewtopic.php?id=4558|this post]]:

I have both maradns and dnsmasq running on port 53. maradns serves public DNS on the WAN interface and dnsmasq takes care of the private subnet. In order for both to get along, you have to start maradns BEFORE dnsmasq.

Additionally, you need to have the line:

<code>
bind_address="external_ip"
</code>

in your mararc file. To start the two name servers, you could modify ''/etc/init.d/S50dnsmasq'':

<code bash>
#!/bin/sh
. /etc/functions.sh
# maradns stuff starts here
# external address of the WAN interface (whatismyip is the old-wiki helper script)
publicip=$(whatismyip vlan1)
zonefile=/etc/maradns/my_dns_zone
# substitute the placeholder "external_ip" in the zone and mararc templates
sed "s/external_ip/$publicip/" "$zonefile.template" > "$zonefile.zone"
sed "s/external_ip/$publicip/" /etc/maradns/mararc.template > /etc/mararc
# start maradns in the background, logging to /var/log/maradns
/usr/sbin/maradns >/var/log/maradns 2>&1 &
# maradns stuff ends here
# interface to use for DHCP
iface=lan
[...the script continues...]
</code>

This script does the following things:

  - It determines your external IP address with a script I got from the old OpenWrt wiki. Instead of hardcoding "vlan1", better to say:
<code>
publicip=$(whatismyip $(nvram get wan_ifname))
</code>

  - It rewrites my maradns zone file to insert the external IP (just put "external_ip" in place of the actual IP in the zone template).
  - It rewrites mararc to insert the correct IP in "bind_address=...".
  - Finally, it starts maradns.

After maradns has started, port 53 of the external interface will be "occupied", which dnsmasq will complain about in the syslog ("[dnsmasq] setting --bind-interfaces option because of OS limitations"). You can safely ignore this message, or you could probably start dnsmasq explicitly with the --bind-interfaces option to get rid of the message. Now, I am adding two more options apart from the normal ones:

<code>
dnsmasq -a $(whatismyip $(nvram get lan_ifname)) -z
</code>

BTW: this works fine for me, as my ISP (almost) never changes my assigned IP. If you have a provider which changes your IP with every DHCP lease period or so, you would probably need to place something similar in /etc/hotplug.d/iface (or I don't know where).


===== Notes =====
  * Project homepage: [[http://www.maradns.org/]]