Set up and run your own Cesidian Root DNS server
How-to for Debian 6.0, bind9 and IPv4
Cesidian Root website: http://cesidianroot.net/
Last change 13.02.2012
Author Patrick Jansen
Administrator of the Cesidian G-Root DNS Server
First of all, before you set up and run your own server, contact the Cesidian Root administration.
Open a shell as root:
    su root
Update the local package lists:
    apt-get update
Install the newest versions of all packages:
    apt-get upgrade
Install the DNS server (bind9) and its documentation („man named“):
    apt-get install bind9 bind9-doc
Stop bind9 after installation:
    /etc/init.d/bind9 stop
If you plan to run an IPv4-only (no IPv6) DNS server, edit the defaults file
    nano /etc/default/bind9
and add „-4“ to the existing „OPTIONS“ line:
    OPTIONS="-u bind -4"
Create a new directory for the Cesidian Root files and make the bind user its owner (named writes the transferred zone file there, so it must be able to write to the directory):
    mkdir /etc/bind/cesidian-root/
    chown bind:bind /etc/bind/cesidian-root/
Optional: make a backup of the original configuration files
    cp /etc/bind/named.conf.default-zones /etc/bind/named.conf.default-zones_ORIG
    cp /etc/bind/named.conf.options /etc/bind/named.conf.options_ORIG
Set the root zone configuration:
    nano /etc/bind/named.conf.default-zones
Change the lines
    // prime the server with knowledge of the root servers
    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };
to
    // prime the server with knowledge of the root servers
    //zone "." {
    //    type hint;
    //    file "/etc/bind/db.root";
    //};
and below the above lines add
    // Cesidian Root Server
    zone "." {
        type slave;
        file "/etc/bind/cesidian-root/cesidian-root.zone";
        masters { 178.254.3.55; };
        max-refresh-time 60;
        allow-transfer { any; };
    };
Set the DNS server configuration:
    nano /etc/bind/named.conf.options
Replace the whole file content with the following one
    // Limit control channel access ("rndc" command)
    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; };
    };

    options {
        directory "/var/cache/bind";
        zone-statistics yes;
        auth-nxdomain no;
        //dnssec-enable yes;
        //dnssec-validation yes;
        notify yes;
        notify-source * port *;
        notify-source-v6 * port *;
        transfers-in 10;
        transfers-out 10;
        transfers-per-ns 10;
        recursion yes;
        allow-recursion { any; };
        allow-query { any; };
        provide-ixfr yes;
        request-ixfr yes;
        query-source address * port *;
        query-source-v6 address * port *;
        listen-on port 53 { <your external IPv4>; };
        listen-on port 3001 { <your external IPv4>; };
        //listen-on-v6 port 53 { <your external IPv6>; };
        //listen-on-v6 port 3001 { <your external IPv6>; };
        preferred-glue AAAA;
        max-cache-size 0;
        cleaning-interval 60;
        lame-ttl 600;
        max-cache-ttl 604800;
        max-ncache-ttl 300;
        edns-udp-size 4096;
        max-udp-size 4096;
        transfer-source *;
        use-alt-transfer-source yes;
        version "Cesidian Root Server";
    };
Replace <your external IPv4> with the external IPv4 address of your DNS server. If you're running an IPv4 and IPv6 DNS server, remove the // before
    //listen-on-v6 port 53 { <your external IPv6>; };
    //listen-on-v6 port 3001 { <your external IPv6>; };
The Cesidian Root administration will send you two additional files: cw.conf and rapid.conf. Copy both to /etc/bind/ and set their rights and owner with
    chmod 644 /etc/bind/cw.conf /etc/bind/rapid.conf
    chown root:root /etc/bind/cw.conf /etc/bind/rapid.conf
Enable them by
    nano /etc/bind/named.conf.local
and add the following lines to the end of the file
    // Cesidian Root
    include "/etc/bind/cw.conf";
    include "/etc/bind/rapid.conf";
Start bind9
Note: before starting bind9 you have to open port 53 TCP & UDP and port 3001 TCP & UDP in your firewall, but this is outside the scope of this how-to.
    /etc/init.d/bind9 start
After some seconds there should be a file /etc/bind/cesidian-root/cesidian-root.zone:
    -rw-r--r-- 1 bind bind 101K Feb 4 11:57 /etc/bind/cesidian-root/cesidian-root.zone
The command
    netstat -ln
should show something like this (reformatted output):
    tcp  <your external IPv4>:53
    tcp  127.0.0.1:53             (when using listen-on port 53 { 127.0.0.1; <your external IPv4>; };)
    tcp  127.0.0.1:953            (control channel, see /etc/bind/named.conf.options)
    tcp  <your external IPv4>:3001
    udp  <your external IPv4>:53
    udp  127.0.0.1:53             (when using listen-on port 53 { 127.0.0.1; <your external IPv4>; };)
    udp  <your external IPv4>:3001
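The following script is an added example and is not part of this how-to or of the Cesidian Root project. It ties the named.conf.options above to the netstat check: it parses an options file in the shape shown, derives the sockets named should be listening on (TCP and UDP for every listen-on address, TCP only for the rndc control channel), compares them with netstat -ln output, and flags settings worth a second look, in particular recursion yes combined with allow-recursion { any; }, which the configuration above sets and which makes the server a recursive resolver for the whole Internet (keep it only if that is what you intend). The options file and netstat output embedded in the script are constructed samples; 203.0.113.10 and 2001:db8::10 are documentation addresses standing in for <your external IPv4> and <your external IPv6>.

```python
"""Audit a BIND named.conf.options file and compare it with `netstat -ln`.

Added example, not part of the original how-to. It assumes the options file
has the shape shown in the how-to and that netstat prints the classic Linux
columns (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State).
"""
import re

# Constructed sample: the how-to's options, with the documentation addresses
# 203.0.113.10 / 2001:db8::10 standing in for <your external IPv4/IPv6>.
SAMPLE_OPTIONS = """
// Limit control channel access ("rndc" command)
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; };
};
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { any; };
    allow-query { any; };
    listen-on port 53 { 127.0.0.1; 203.0.113.10; };
    listen-on port 3001 { 203.0.113.10; };
    //listen-on-v6 port 53 { 2001:db8::10; };
    version "Cesidian Root Server";
};
"""

# Constructed sample: `netstat -ln` once named has started with that config.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:53         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:3001       0.0.0.0:*               LISTEN
udp        0      0 203.0.113.10:53         0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 203.0.113.10:3001       0.0.0.0:*
"""


def strip_comments(text):
    """Remove /* */ blocks and // or # line comments (all valid in named.conf)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(re.sub(r"(//|#).*", "", line) for line in text.splitlines())


def parse_options(text):
    """Extract listen-on sockets, the rndc control socket, recursion and version."""
    text = strip_comments(text)
    listen_on = set()
    for m in re.finditer(r"listen-on(?:-v6)?\s+port\s+(\d+)\s*\{([^}]*)\}", text):
        for addr in re.findall(r"[^\s;]+", m.group(2)):
            listen_on.add((addr, int(m.group(1))))
    controls = {(m.group(1), int(m.group(2)))
                for m in re.finditer(r"\binet\s+(\S+)\s+port\s+(\d+)", text)}
    recursion = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", text)
    allow_rec = re.search(r"allow-recursion\s*\{([^}]*)\}", text)
    version = re.search(r'(?<![\w-])version\s+"([^"]*)"', text)
    return {
        "listen_on": listen_on,
        "controls": controls,
        # BIND defaults to recursion yes when the statement is absent.
        "recursion": recursion.group(1) == "yes" if recursion else True,
        "allow_recursion": re.findall(r"[^\s;]+", allow_rec.group(1)) if allow_rec else [],
        "version": version.group(1) if version else None,
    }


def parse_netstat(text):
    """Return {(proto, address, port)} for every socket listed by `netstat -ln`."""
    sockets = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        addr, _, port = parts[3].rpartition(":")   # rpartition keeps IPv6 colons intact
        sockets.add((parts[0].rstrip("6"), addr, int(port)))
    return sockets


def audit(options_text, netstat_text):
    """Compare configured sockets with live ones and flag risky settings."""
    opts = parse_options(options_text)
    expected = set()
    for addr, port in opts["listen_on"]:      # named serves DNS on TCP and UDP
        expected.add(("tcp", addr, port))
        expected.add(("udp", addr, port))
    for addr, port in opts["controls"]:       # rndc control channel is TCP only
        expected.add(("tcp", addr, port))
    actual = parse_netstat(netstat_text)
    findings = []
    for proto, addr, port in sorted(expected - actual):
        findings.append(f"not listening: {proto} {addr}:{port}")
    for proto, addr, port in sorted(actual - expected):
        findings.append(f"unexpected listener: {proto} {addr}:{port}")
    if opts["recursion"] and "any" in opts["allow_recursion"]:
        findings.append("open recursive resolver: recursion yes with allow-recursion { any; } "
                        "(usable by the whole Internet; keep only if intended)")
    if opts["version"] is None:
        findings.append("version not set: named reveals its real version to version.bind queries")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OPTIONS, SAMPLE_NETSTAT):
        print(finding)
```

Run against the samples it reports only the open-resolver finding; on a real host, feed it the actual /etc/bind/named.conf.options and the output of netstat -ln to catch a listen-on address that never came up (typically a firewall or a wrong IP) before Monit starts restarting the daemon.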
To determine bind's status type
    rndc status
To write server statistics to a file type
    rndc stats
and read the file with
    less /var/cache/bind/named.stats
To test your own DNS server follow the instructions for changing the TCP/IP configuration of your computer on http://cesidianroot.net/crt/. Set the „Preferred DNS server“ of your computer to the external IP of your DNS server.
Applications running on the Linux system itself can use the local bind9 as their DNS server. To allow this, replace the line
    listen-on port 53 { <your external IPv4>; };
in /etc/bind/named.conf.options with
    listen-on port 53 { 127.0.0.1; <your external IPv4>; };
In this case the content of /etc/resolv.conf also has to be changed to
    nameserver 127.0.0.1
The command
    ping -c 1 zonefile.cesidian.root
should now return an IP (currently 84.200.212.28). In any case, always write-protect /etc/resolv.conf with
    chattr +i /etc/resolv.conf
otherwise the system can change it back to the default during reboot.
If you're using „Monit“ to monitor daemons you can use a configuration like this
    check process named with pidfile /var/run/named/named.pid
        start program "/etc/init.d/bind9 start" with timeout 15 seconds
        stop program "/etc/init.d/bind9 stop"
        if failed host <your external IPv4> port 3001 type tcp protocol dns with timeout 5 seconds then restart
        if failed host <your external IPv4> port 53 type udp protocol dns with timeout 5 seconds then restart
        if totalcpu > 90% for 3 cycles then restart
        if totalmemory > 150 MB for 3 cycles then restart
        if 5 restarts within 5 cycles then timeout