soft:bind

Differences

soft:bind [2019/07/14 21:57]
phil
soft:bind [2019/07/14 23:11]
phil
Line 2: Line 2:
  
   * http://www.zytrax.com/books/dns/ very good documentation about dns and bind   * http://www.zytrax.com/books/dns/ very good documentation about dns and bind
 +
 +
 +===== Configuration =====
 +
 +
 +<code>
 +options {
 +  auth-nxdomain no;
 +  recursion no;
 +  listen-on-v6 port 53 { any; };
 +  listen-on port 53 { any; };
 +  notify explicit;
 +  rate-limit {
 +    responses-per-second 10;
 +  };
 +};
 +</code>
 +
 +===== Zone configuration =====
 +
 +
 +
 +<code>
 +key schwarz.in.philpep.org. {                
 +  algorithm hmac-sha512;        
 +  secret "XXX XXX==";
 +};             
 +
 +zone "philpep.org" {
 +  type master;                                                                                                                                                                           
 +  file "zones/philpep.org.db";                                                                                                                                                           
 +  allow-transfer {                                                                                                                                                                       
 +    key schwarz.in.philpep.org.;                                                                                                                                                         
 +  };                                                                                                                                                                                     
 +  also-notify {
 +    192.168.96.5 key schwarz.in.philpep.org.;
 +  };                            
 +};  
 +</code>
 +
 +This configure zone "philpep.org" with one secondary dns server on "192.168.96.5".
 +Primary and secondary master use a symetric hmac-sha512 keys. Theses keys can be generated with ''dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST keyname.''
 +
 +DNS zone transfer occur in two times:
 +
 +  - Master notifies all secondary servers about the new zone serial
 +  - Secondary issue a AXFR (full) or IXFR (incremental) zone transfer
 +
 +
 +Bind can be used for secondary servers as well, but you might consider using [[soft:nsd|NSD]] instead.
 +
 +===== Dynamic DNS update =====
 +
 +You can dynamically modify a zone using [[https://tools.ietf.org/html/rfc2136|RFC 2136]], at time of writting, only bind and [[https://www.knot-dns.cz/|knot]] server implement this. But only Bind implement fine grained update policy.
 +
 +==== DNS update script ====
 +
 +I use this script running in crontab every minutes on a router behind a dynamic ip address.
 +
 +<file dyndns.sh>
 +#!/bin/sh
 +
 +set -e
 +
 +PATH=/sbin:/bin:/usr/sbin:/usr/bin
 +export PATH
 +
 +IFACE="pppoe-wan"
 +DNS_SERVER="5.39.85.37"
 +DNS_NAME="foo.philpep.org"
 +DNS_TTL="300" # 5 minutes
 +DNS_KEY="/root/K0foo.philpep.org.+157+00000.private"
 +
 +LOGGER="logger -t dyndns"
 +
 +# address on $IFACE
 +# addr=$(ip a show $PPP_IFACE | awk '$1 = "inet" && $3 == "peer" { print $2 }')
 +# use an external service
 +# addr=$(wget -O - https://ifconfig.co/ip)
 +old_addr=$(dig @$DNS_SERVER +short +time=1 +tries=3 $DNS_NAME) # WAIT max 3 seconds
 +
 +if [ "$addr" != "$old_addr" ]; then
 +  $LOGGER "update dns from '$old_addr' to '$addr'"
 +  cat << EOF | nsupdate -t 5 -k $DNS_KEY
 +server $DNS_SERVER
 +update delete $DNS_NAME A
 +update add $DNS_NAME $DNS_TTL A $addr
 +send
 +EOF
 +  $LOGGER "update dns from '$old_addr' to '$ppp_addr': done"
 +fi
 +</file>
 +
 +On server side, only allow the key to update A entry for "foo.example.com"
 +
 +<code>
 +key foo.philpep.org. {
 +  algorithm hmac-sha512;
 +  secret "XXX XXX==";
 +};
 +
 +zone "philpep.org" {
 +  # [...]
 +  update-policy {
 +    grant foo.philpep.org. name foo.philpep.org. a;
 +  };
 +};
 +</code>
 +
 +==== letsencrypt acme dns challenge ====
 +
 +This is useful to issue letsencrypt certificates for internal domain names (belong a public domain), or for wildcard certificates.
 +
 +  * https://certbot-dns-rfc2136.readthedocs.io/en/stable/
 +
 +On client side, install and configure certbot-dns-rfc2136:
 +
 +<code>
 +apt-get install certbot python3-certbot-dns-rfc2136
 +</code>
 +
 +<file conf /etc/letsencrypt/rfc2136.ini>
 +dns_rfc2136_server = 192.168.62.2
 +dns_rfc2136_port = 53
 +dns_rfc2136_name = foo.in.philpep.org.
 +dns_rfc2136_secret = XXX XXX==
 +dns_rfc2136_algorithm = HMAC-SHA512
 +</file>
 +
 +Ensure to ''chmod 600 /etc/letsencrypt/rfc2136.ini''
 +
 +On server side, configure the secret key and add a grant policy:
 +
 +<code>
 +key foo.in.philpep.org. {
 +  algorithm hmac-sha512;
 +  secret "XXX XXX==";
 +};
 +
 +zone "philpep.org" {
 +  # [...]
 +  update-policy {
 +    # allow foo.in.philpep.org and/or *.foo.in.philpep.org
 +    grant foo.philpep.org. name _acme-challenge.foo.in.philpep.org. txt;
 +    # allow all subdomain of in.philpep.org
 +    # grant foo.in.philpep.org. zonesub txt;
 +  };
 +};
 +
 +</code>
 +
 +Then back on client, issue the certificate with:
 +
 +<code>
 +certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d foo.in.philpep.org -d '*.foo.in.philpep.org'
 +</code>
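Review bot: in dyndns.sh the variable `addr` is never assigned, because both candidate assignments (the `ip a show ...` line and the `wget -O - https://ifconfig.co/ip` line) are commented out, so `$addr` is always empty, the `[ "$addr" != "$old_addr" ]` test fires on every cron run, and nsupdate is handed `update add $DNS_NAME $DNS_TTL A` with no address after the record has already been deleted; uncomment one of the two lines, and if it is the `ip` variant, make it use `$IFACE` (the variable actually defined, `PPP_IFACE` is not) and compare with `$1 == "inet"` rather than the assignment `$1 = "inet"`. The final `$LOGGER` line also references `$ppp_addr`, which is undefined; it should log `$addr`. In the letsencrypt update-policy block, the line `grant foo.philpep.org. name _acme-challenge.foo.in.philpep.org. txt;` names the wrong key: the key declared just above it and the one certbot authenticates with (`dns_rfc2136_name = foo.in.philpep.org.`) is `foo.in.philpep.org.`, so as written the TXT update would be refused; the grant should reference `foo.in.philpep.org.`. Minor: the sentence "only allow the key to update A entry for "foo.example.com"" refers to a name that does not match the `foo.philpep.org` used in the configuration below it.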
soft/bind.txt · Last modified: 2019/07/15 00:57 by phil