soft:bind

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
soft:bind [2019/07/14 21:57]
phil
soft:bind [2019/07/15 00:57] (current)
phil
Line 2: Line 2:
  
   * http://​www.zytrax.com/​books/​dns/​ very good documentation about dns and bind   * http://​www.zytrax.com/​books/​dns/​ very good documentation about dns and bind
 +
 +
 +===== Configuration =====
 +
 +
 +<​code>​
 +options {
 +  auth-nxdomain no;
 +  recursion no;
 +  listen-on-v6 port 53 { any; };
 +  listen-on port 53 { any; };
 +  notify explicit;
 +  rate-limit {
 +    responses-per-second 10;
 +  };
 +};
 +</​code>​
 +
 +===== Zone configuration =====
 +
 +
 +
 +<​code>​
 +key schwarz.in.philpep.org. {                ​
 +  algorithm hmac-sha512; ​       ​
 +  secret "XXX XXX==";​
 +};             
 +
 +zone "​philpep.org"​ {
 +  type master; ​                                                                                                                                                                          
 +  file "​zones/​philpep.org.db"; ​                                                                                                                                                          
 +  allow-transfer {                                                                                                                                                                       
 +    key schwarz.in.philpep.org.; ​                                                                                                                                                        
 +  };                                                                                                                                                                                     
 +  also-notify {
 +    192.168.96.5 key schwarz.in.philpep.org.;​
 +  };                            ​
 +};  ​
 +</​code>​
 +
 +This configure zone "​philpep.org"​ with one secondary dns server on "​192.168.96.5"​.
 +Primary and secondary master use a symetric hmac-sha512 keys. Theses keys can be generated with ''​dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST keyname.''​
 +
 +DNS zone transfer occur in two times:
 +
 +  - Master notifies all secondary servers about the new zone serial
 +  - Secondary issue a AXFR (full) or IXFR (incremental) zone transfer
 +
 +
 +Bind can be used for secondary servers as well, but you might consider using [[soft:​nsd|NSD]] instead.
 +
 +===== Dynamic DNS update =====
 +
 +You can dynamically modify a zone using [[https://​tools.ietf.org/​html/​rfc2136|RFC 2136]], at time of writting, only bind and [[https://​www.knot-dns.cz/​|knot]] server implement this. But only Bind implement fine grained update policy.
 +
 +==== DNS update script ====
 +
 +I use this script running in crontab every minutes on a router behind a dynamic ip address.
 +
 +<file dyndns.sh>​
 +#!/bin/sh
 +
 +set -e
 +
 +PATH=/​sbin:/​bin:/​usr/​sbin:/​usr/​bin
 +export PATH
 +
 +IFACE="​pppoe-wan"​
 +DNS_SERVER="​5.39.85.37"​
 +DNS_NAME="​foo.philpep.org"​
 +DNS_TTL="​300"​ # 5 minutes
 +DNS_KEY="/​root/​K0foo.philpep.org.+157+00000.private"​
 +
 +LOGGER="​logger -t dyndns"​
 +
 +# address on $IFACE
 +# addr=$(ip a show $PPP_IFACE | awk '$1 = "​inet"​ && $3 == "​peer"​ { print $2 }')
 +# use an external service
 +# addr=$(wget -O - https://​ifconfig.co/​ip)
 +old_addr=$(dig @$DNS_SERVER +short +time=1 +tries=3 $DNS_NAME) # WAIT max 3 seconds
 +
 +if [ "​$addr"​ != "​$old_addr"​ ]; then
 +  $LOGGER "​update dns from '​$old_addr'​ to '​$addr'"​
 +  cat << EOF | nsupdate -t 5 -k $DNS_KEY
 +server $DNS_SERVER
 +update delete $DNS_NAME A
 +update add $DNS_NAME $DNS_TTL A $addr
 +send
 +EOF
 +  $LOGGER "​update dns from '​$old_addr'​ to '​$addr':​ done"
 +fi
 +</​file>​
 +
 +On server side, only allow the key to update A entry for "​foo.example.com"​
 +
 +<​code>​
 +key foo.philpep.org. {
 +  algorithm hmac-sha512;​
 +  secret "XXX XXX==";​
 +};
 +
 +zone "​philpep.org"​ {
 +  # [...]
 +  update-policy {
 +    grant foo.philpep.org. name foo.philpep.org. a;
 +  };
 +};
 +</​code>​
 +
 +==== letsencrypt acme dns challenge ====
 +
 +This is useful to issue letsencrypt certificates for internal domain names (belong a public domain), or for wildcard certificates.
 +
 +  * https://​certbot-dns-rfc2136.readthedocs.io/​en/​stable/​
 +
 +On client side, install and configure certbot-dns-rfc2136:​
 +
 +<​code>​
 +apt-get install certbot python3-certbot-dns-rfc2136
 +</​code>​
 +
 +<file conf /​etc/​letsencrypt/​rfc2136.ini>​
 +dns_rfc2136_server = 192.168.62.2
 +dns_rfc2136_port = 53
 +dns_rfc2136_name = foo.in.philpep.org.
 +dns_rfc2136_secret = XXX XXX==
 +dns_rfc2136_algorithm = HMAC-SHA512
 +</​file>​
 +
 +Ensure to ''​chmod 600 /​etc/​letsencrypt/​rfc2136.ini''​
 +
 +On server side, configure the secret key and add a grant policy:
 +
 +<​code>​
 +key foo.in.philpep.org. {
 +  algorithm hmac-sha512;​
 +  secret "XXX XXX==";​
 +};
 +
 +zone "​philpep.org"​ {
 +  # [...]
 +  update-policy {
 +    # allow foo.in.philpep.org and/or *.foo.in.philpep.org
 +    grant foo.philpep.org. name _acme-challenge.foo.in.philpep.org. txt;
 +    # allow all subdomain of in.philpep.org
 +    # grant foo.in.philpep.org. zonesub txt;
 +  };
 +};
 +
 +</​code>​
 +
 +Then back on client, issue the certificate with:
 +
 +<​code>​
 +certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /​etc/​letsencrypt/​rfc2136.ini -d foo.in.philpep.org -d '​*.foo.in.philpep.org'​
 +</​code>​
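Review bot: in the added dyndns.sh, `addr` is never assigned: both candidate assignments (the `ip a show ...` line and the `wget -O - https://ifconfig.co/ip` line) are commented out, so `"$addr" != "$old_addr"` is true on every cron run and `update add $DNS_NAME $DNS_TTL A $addr` is sent with an empty address, which nsupdate cannot parse, so the record is never set from the intended value and the "update dns" log line appears every minute. Uncomment one of them; the interface variant also references `$PPP_IFACE` while the variable defined above is `IFACE`, and its awk filter uses `$1 = "inet"` (an assignment, always true) where `$1 == "inet"` is meant. The letsencrypt update-policy has a key-name mismatch: the key is declared as `foo.in.philpep.org.` and the ini sets `dns_rfc2136_name = foo.in.philpep.org.`, but the grant reads `grant foo.philpep.org. name _acme-challenge.foo.in.philpep.org. txt;`, so updates signed with the acme key would be refused; it should be `grant foo.in.philpep.org. name _acme-challenge.foo.in.philpep.org. txt;`. The sentence introducing the first update-policy says `foo.example.com` while the policy grants `foo.philpep.org`. Minor: the key file name `K0foo.philpep.org.+157+00000.private` carries algorithm number 157 (HMAC-MD5), which does not match the `hmac-sha512` declared for that key on the server (dnssec-keygen numbers HMAC-SHA512 keys as 165).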
soft/bind.1563141430.txt.gz · Last modified: 2019/07/14 21:57 by phil