blog-contributions/opsec/dns/index.html

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>bind9 DNS setup</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Static navbar -->
<div class="navbar navbar-inverse-anon navbar-static-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand-anon" href="\index.html">The Nihilism Blog</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="/about.html">About</a></li>
<li><a href="/blog.html">Categories</a></li>
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
<li><a href="/contact.html">Contact</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nothing@nowhere - 2024-05-28</ba></p>
<h1>bind9 DNS setup </h1>
<img src="0.png" style="width:200px">
<p>In this tutorial we're going to take a look at how to set up DNS servers using bind9. </p>
<p><u>Disclaimer:</u> If you want this service to remain anonymous, make sure you at least keep <a href="../sensitiveremotevshome/index.html">Tor between you and the service</a> from the <a href="../anonymousremoteserver/index.html">VPS acquisition</a> to actual service usage. </p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Initial Setup </b></h2>
<p>First install the requirements. The second command switches ufw off entirely; if you would rather keep a host firewall, allow 53/udp and 53/tcp through it instead of disabling it:</p>
<pre><code class="nim">
root@Temple:~# apt update -y ; apt upgrade -y ; apt install bind9 -y
root@Temple:~# systemctl disable --now ufw
</code></pre>
<p>Next we edit /etc/bind/named.conf.options to define which addresses the DNS server listens on:</p>
<pre><code class="nim">
root@Temple:~# vim /etc/bind/named.conf.options
listen-on {
10.10.10.0/24;
10.1.0.0/16;
...
};
#OR
listen-on { any; };
listen-on-v6 { any; };
</code></pre>
<p>Next we allow queries from any source, not just localhost. Be aware that allow-recursion defaults to the value of allow-query when it is not set, so together with the forwarders below this also makes the server recurse on behalf of anyone who asks: an open resolver, which gets abused for DNS amplification attacks. Restrict recursion to your own networks with allow-recursion and keep allow-query open only for the zones you are authoritative for:</p>
<pre><code class="nim">
allow-query { any; };
</code></pre>
<p>Lastly we add the forwarders, the upstream resolvers bind9 asks for names it is not authoritative for; Cloudflare's resolvers are used here as an example:</p>
<pre><code class="nim">
forwarders {
1.1.1.1;
1.0.0.1;
};
</code></pre>
<p>Here's the result, save it with :wq</p>
<pre><code class="nim">
options {
directory "/var/cache/bind";
dnssec-validation auto;
listen-on-v6 { any; };
listen-on { any; };
allow-query { any; };
forwarders {
1.1.1.1;
1.0.0.1;
};
};
</code></pre>
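<p>As an added example (not part of the original page's configuration), here is the same options file with recursion limited to a trusted ACL, together with a quick check for the open-resolver problem. The 10.66.66.0/24 range is an assumption (the home client later in this article shows up as 10.66.66.2); replace it with the networks you actually want to serve recursively.</p>

```shell
#!/bin/sh
# Added example, not the page's configuration: a named.conf.options that
# serves authoritative answers to everyone but recurses only for trusted
# clients. Assumption: 10.66.66.0/24 is the client range you want to serve
# recursively; adjust it to your own networks.
set -u

# Print the hardened options file to stdout.
hardened_options() {
    cat <<'EOF'
acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    10.66.66.0/24;   // assumption: the VPN range our own clients come from
};

options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    listen-on { any; };
    listen-on-v6 { any; };

    // Anyone may ask for the zones we are authoritative for ...
    allow-query { any; };
    // ... but only "trusted" gets recursion (and therefore upstream lookups).
    // Without this, listen-on any plus allow-query any is an open resolver,
    // and open resolvers get abused for DNS amplification attacks.
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    // Transfers are granted per zone, never globally.
    allow-transfer { none; };

    // Response rate limiting blunts reflection abuse of the authoritative side.
    rate-limit {
        responses-per-second 10;
        window 5;
    };

    // Do not reveal the exact BIND version to "dig version.bind CH TXT".
    version "not disclosed";

    forwarders {
        1.1.1.1;
        1.0.0.1;
    };
};
EOF
}

# Write the file and syntax-check it when named-checkconf is installed.
write_hardened_options() {   # $1 output path
    out=$1
    hardened_options > "$out" || return 1
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$out" || return 1
    fi
}

# From a network outside the ACL, a recursive query for a foreign name must
# come back REFUSED; an answer means the server is an open resolver.
open_resolver_check() {   # $1 name server address
    ns=$1
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
    if dig @"$ns" +time=3 +tries=1 +noall +comments example.com A | grep -q 'status: REFUSED'; then
        echo "$ns refuses recursion for this client (good)"
    else
        echo "$ns answered a recursive query: open resolver?"
        return 1
    fi
}

# Usage: ./options.sh /etc/bind/named.conf.options && systemctl reload named
if [ -n "${1:-}" ]; then
    write_hardened_options "$1" && echo "wrote $1"
fi
```

<p>Run open_resolver_check against your server from a host that is not in the ACL (a phone on mobile data will do); the home client inside the ACL should still get answers for google.com as in the test below.</p>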
<p>Then restart bind9:</p>
<pre><code class="nim">
root@Temple:~# systemctl restart bind9
root@Temple:~# systemctl status bind9
● named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-11-02 20:37:26 UTC; 4s ago
Docs: man:named(8)
Main PID: 2863095 (named)
Tasks: 8 (limit: 4584)
Memory: 30.0M
CGroup: /system.slice/named.service
└─2863095 /usr/sbin/named -f -u bind
Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:500:2d::d#53
Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
Nov 02 20:37:26 Temple named[2863095]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Nov 02 20:37:26 Temple named[2863095]: resolver priming query complete
Nov 02 20:37:30 Temple named[2863095]: listening on IPv4 interface tun0, 10.8.0.1#53
Nov 02 20:37:30 Temple named[2863095]: listening on IPv6 interface tun0, fe80::5822:e1cd:a277:e3e3%124941#53
Nov 02 20:37:30 Temple named[2863095]: no longer listening on 10.8.0.1#53
Nov 02 20:37:30 Temple named[2863095]: no longer listening on fe80::5822:e1cd:a277:e3e3%124941#53
</code></pre>
<p>Finally we test that the DNS server works by asking it for google.com's address:</p>
<pre><code class="nim">
[ 10.66.66.2/32 ] [ /dev/pts/20 ] [Nextcloud/blog]
→ nslookup google.com temple.void.yt
Server: temple.void.yt
Address: 78.141.239.68#53
Non-authoritative answer:
Name: google.com
Address: 172.217.169.14
Name: google.com
Address: 2a00:1450:4009:81d::200e
</code></pre>
<p>It works. Now let's create A records in our own zone, starting with the name servers themselves. To do that we first declare the zone bind9 is authoritative for:</p>
<pre><code class="nim">
root@Temple:/etc/bind# vim named.conf.local
root@Temple:/etc/bind# cat named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
root@Temple:~# vim /etc/bind/zones.rfc1918
root@Temple:~# cat /etc/bind/zones.rfc1918
zone "void.yt" {
type master;
file "db.void.yt";
allow-update { none; };
};
</code></pre>
<p>Here we want records under void.yt, so we write them in the db.void.yt zone file. Two details worth knowing: a relative file name in the zone statement is resolved against the directory option, so "db.void.yt" means /var/cache/bind/db.void.yt, and the absolute path /etc/bind/db.void.yt used later in this article is less error-prone; and the second SOA field is the zone administrator's mailbox with the @ written as a dot, so the conventional value is hostmaster.void.yt. (void.yt. is accepted but denotes the mailbox void@yt):</p>
<pre><code class="nim">
$TTL 604800
@ IN SOA ns1.void.yt. void.yt. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; name servers - NS records
3600 IN NS ns1.void.yt.
3600 IN NS ns2.void.yt.
; name servers - A records
ns1.void.yt. IN A 78.141.239.68
ns2.void.yt. IN A 45.76.133.0
; other hosts - A records
host1.void.yt. IN A 1.1.1.1
host2.void.yt. IN A 1.0.0.1
</code></pre>
<p>And now we restart the bind9 service, and test if we can resolve the host1.void.yt domain:</p>
<pre><code class="nim">
root@Temple:/etc/bind# systemctl restart bind9
root@Temple:/etc/bind# systemctl status bind9
● bind9.service - BIND Domain Name Server
Loaded: loaded (/etc/systemd/system/bind9.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-11-14 10:28:16 UTC; 51s ago
Docs: man:named(8)
Main PID: 3710 (named)
Tasks: 8 (limit: 4582)
Memory: 29.7M
CGroup: /system.slice/bind9.service
└─3710 /usr/sbin/named -f -u bind
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:1::53#53
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:dc3::35#53
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
Nov 14 10:28:16 Temple named[3710]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Nov 14 10:28:16 Temple named[3710]: resolver priming query complete
</code></pre>
<p>To do that we use nslookup:</p>
<pre><code class="nim">
[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
→ nslookup host1.void.yt temple.void.yt
Server: temple.void.yt
Address: 78.141.239.68#53
Name: host1.void.yt
Address: 1.1.1.1
</code></pre>
<p>Now we fill in the zone file with the rest of the hosts we need; I'll post my complete config for reference:</p>
<pre><code class="nim">
root@Temple:/etc/bind# vim db.void.yt
root@Temple:/etc/bind# cat db.void.yt
$TTL 604800
@ IN SOA ns1.void.yt. void.yt. (
7 ; Serial INCREMENT THIS EVERYTIME YOU EDIT THE FILE !!!!!!!!
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; name servers - NS records
3600 IN NS ns1.void.yt.
3600 IN NS ns2.void.yt.
; name servers - A records
ns1.void.yt. IN A 78.141.239.68
ns2.void.yt. IN A 45.76.133.0
; A records, public IPs
temple 3600 IN A 78.141.239.68
mail 3600 IN A 45.76.133.0
mail 3600 IN AAAA 2001:19f0:7402:2c6:5400:3ff:fea7:22a3
;void.yt
3600 IN MX 10 mail.void.yt.
3600 IN TXT "v=spf1 mx a:mail.void.yt -all"
_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt; fo=1"
autoconfig 3600 IN CNAME void.yt.
autodiscover 3600 IN CNAME void.yt.
asciinema 3600 IN CNAME void.yt.
blog 3600 IN CNAME void.yt.
chat 3600 IN CNAME void.yt.
cloud 3600 IN CNAME void.yt.
codimd 3600 IN CNAME void.yt.
cryptpad 3600 IN CNAME void.yt.
cyberchef 3600 IN CNAME void.yt.
ghostblog 3600 IN CNAME void.yt.
git 3600 IN CNAME void.yt.
gomez 3600 IN CNAME void.yt.
haste 3600 IN CNAME void.yt.
img 3600 IN CNAME void.yt.
irc 3600 IN CNAME void.yt.
jitsi 3600 IN CNAME void.yt.
kb 3600 IN CNAME void.yt.
kutt 3600 IN CNAME void.yt.
lady 3600 IN CNAME void.yt.
lain 3600 IN CNAME void.yt.
latex 3600 IN CNAME void.yt.
mind 3600 IN CNAME void.yt.
notes 3600 IN CNAME void.yt.
openproject 3600 IN CNAME void.yt.
pad 3600 IN CNAME void.yt.
privatebin 3600 IN CNAME void.yt.
pve 3600 IN CNAME void.yt.
routeur 3600 IN CNAME void.yt.
safe 3600 IN CNAME void.yt.
shells 3600 IN CNAME void.yt.
status 3600 IN CNAME void.yt.
sx 3600 IN CNAME void.yt.
test 3600 IN CNAME void.yt.
tube 3600 IN CNAME void.yt.
u 3600 IN CNAME void.yt.
www 3600 IN CNAME void.yt.
zabbix 3600 IN CNAME void.yt.
root@Temple:/etc/bind# systemctl restart bind9
root@Temple:/etc/bind# systemctl status bind9
● bind9.service - BIND Domain Name Server
Loaded: loaded (/etc/systemd/system/bind9.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-11-14 11:37:30 UTC; 2s ago
Docs: man:named(8)
Main PID: 18839 (named)
Tasks: 8 (limit: 4582)
Memory: 29.3M
CGroup: /system.slice/bind9.service
└─18839 /usr/sbin/named -f -u bind
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:1::53#53
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:200::b#53
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Nov 14 11:37:30 Temple named[18839]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Nov 14 11:37:30 Temple named[18839]: resolver priming query complete
</code></pre>
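<p>Forgetting the serial bump is the classic way to end up with a secondary that never picks up a change, and restarting named for every edit drops its whole cache. The following script is an added example, not part of the page: it increments the SOA serial, validates the file with named-checkzone and reloads only that zone through rndc. It assumes the multi-line SOA layout used in db.void.yt above (the serial on its own line right after the "SOA ... (" line) and takes the zone file and zone name as arguments.</p>

```shell
#!/bin/sh
# Added example, not from the page: bump the SOA serial of a zone file (the
# step the comment in db.void.yt shouts about), validate the result with
# named-checkzone and reload only that zone with rndc instead of restarting
# named. Assumes the multi-line SOA layout used on this page, i.e. the
# serial is the first number on a line after the "SOA ... (" line.
set -u

# Print the current serial of a zone file.
zone_serial() {   # $1 zone file
    awk '/[[:space:]]SOA[[:space:]]/ { insoa = 1 }
         insoa && $1 ~ /^[0-9]+$/   { print $1; exit }' "$1"
}

# Rewrite the serial in place. A plain counter (7) becomes 8; a YYYYMMDDnn
# serial becomes YYYYMMDD01 for today on a new day and is otherwise
# incremented, which keeps it growing even if the clock was set back.
# $2 overrides "today" (used by the tests).
bump_serial() {   # $1 zone file, [$2 today as YYYYMMDD]
    file=$1
    today=${2:-$(date +%Y%m%d)}
    awk -v today="$today" '
        /[[:space:]]SOA[[:space:]]/ { insoa = 1 }
        insoa && !done && $1 ~ /^[0-9]+$/ {
            old = $1
            if (length(old) == 10 && substr(old, 1, 8) < today)
                new = today "01"
            else
                new = sprintf("%.0f", old + 1)
            sub(/[0-9]+/, new)      # the first digit run on the line is the serial
            done = 1
        }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Validate the zone and reload it through rndc; both steps are skipped with
# a notice when BIND is not installed on the machine running this script.
check_and_reload() {   # $1 zone name, $2 zone file
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2" || return 1
    else
        echo "named-checkzone not found, skipping syntax check" >&2
    fi
    if command -v rndc >/dev/null 2>&1; then
        rndc reload "$1"
    else
        echo "rndc not found, skipping reload" >&2
    fi
}

# Usage, after editing the file: ./zone-edit.sh /etc/bind/db.void.yt void.yt
if [ $# -eq 2 ]; then
    bump_serial "$1" && check_and_reload "$2" "$1" && echo "serial is now $(zone_serial "$1")"
fi
```

<p>After the reload, the secondary should log "transferred serial N" with the new number; if it does not, the NOTIFY or the transfer ACL is the next thing to check.</p>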
<p>Now let's set up the secondary DNS server. First, update the primary's zones.rfc1918 file so that it allows transfers to, and notifies, the secondary:</p>
<pre><code class="nim">
root@Temple:/etc/bind# vim /etc/bind/zones.rfc1918
root@Temple:/etc/bind# cat /etc/bind/zones.rfc1918
zone "void.yt" IN {
type master;
file "/etc/bind/db.void.yt";
allow-update { none; };
allow-transfer { 45.76.133.0; };
also-notify { 45.76.133.0; };
};
root@Temple:/etc/bind# systemctl restart bind9
</code></pre>
<p>In allow-transfer and also-notify we put the public IP of the secondary DNS server: the first authorises zone transfers (AXFR/IXFR) to that address only, the second sends it a NOTIFY whenever the zone changes. After restarting bind9 on the primary we install bind9 on the second server and configure it as a slave of the first (BIND 9.16 and later also accept the synonyms type secondary and primaries). The db.void.yt file shown below does not have to be written by hand on the secondary, named creates and overwrites it from the zone transfer; it is only listed for reference:</p>
<pre><code class="nim">
root@mail:~# apt install bind9 -y
root@mail:~# vim /etc/bind/named.conf.local
root@mail:~# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
root@mail:~# vim /etc/bind/zones.rfc1918
root@mail:~# cat /etc/bind/zones.rfc1918
zone "void.yt" {
type slave;
file "/etc/bind/db.void.yt";
masters {78.141.239.68;};
};
root@mail:~# vim /etc/bind/db.void.yt
root@mail:~# cat /etc/bind/db.void.yt
$TTL 604800
@ IN SOA ns2.void.yt. void.yt. (
8 ; Serial INCREMENT THIS EVERYTIME YOU EDIT THE FILE !!!!!!!!
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; name servers - NS records
IN NS ns1.void.yt.
IN NS ns2.void.yt.
; name servers - A records
ns1.void.yt. IN A 78.141.239.68
ns2.void.yt. IN A 45.76.133.0
; A records, public IPs
temple 3600 IN A 78.141.239.68
mail 3600 IN A 45.76.133.0
mail 3600 IN AAAA 2001:19f0:7402:2c6:5400:3ff:fea7:22a3
;void.yt
3600 IN MX 10 mail.void.yt.
3600 IN TXT "v=spf1 mx a:mail.void.yt -all"
_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt; fo=1"
autoconfig 3600 IN CNAME void.yt.
autodiscover 3600 IN CNAME void.yt.
asciinema 3600 IN CNAME void.yt.
blog 3600 IN CNAME void.yt.
chat 3600 IN CNAME void.yt.
cloud 3600 IN CNAME void.yt.
codimd 3600 IN CNAME void.yt.
cryptpad 3600 IN CNAME void.yt.
cyberchef 3600 IN CNAME void.yt.
ghostblog 3600 IN CNAME void.yt.
git 3600 IN CNAME void.yt.
gomez 3600 IN CNAME void.yt.
haste 3600 IN CNAME void.yt.
img 3600 IN CNAME void.yt.
irc 3600 IN CNAME void.yt.
jitsi 3600 IN CNAME void.yt.
kb 3600 IN CNAME void.yt.
kutt 3600 IN CNAME void.yt.
lady 3600 IN CNAME void.yt.
lain 3600 IN CNAME void.yt.
latex 3600 IN CNAME void.yt.
mind 3600 IN CNAME void.yt.
notes 3600 IN CNAME void.yt.
openproject 3600 IN CNAME void.yt.
pad 3600 IN CNAME void.yt.
privatebin 3600 IN CNAME void.yt.
pve 3600 IN CNAME void.yt.
routeur 3600 IN CNAME void.yt.
safe 3600 IN CNAME void.yt.
shells 3600 IN CNAME void.yt.
status 3600 IN CNAME void.yt.
sx 3600 IN CNAME void.yt.
test 3600 IN CNAME void.yt.
tube 3600 IN CNAME void.yt.
u 3600 IN CNAME void.yt.
www 3600 IN CNAME void.yt.
zabbix 3600 IN CNAME void.yt.
</code></pre>
<p>Restart bind9 on the secondary and check the log: the transfer from the primary succeeds. The permission-denied messages come from named trying to write the transferred zone into /etc/bind, which the Debian AppArmor profile for named forbids:</p>
<pre><code class="nim">
root@mail:/etc/bind# systemctl restart bind9
root@mail:/etc/bind# systemctl status bind9
● named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-11-14 14:34:38 UTC; 1min 17s ago
Docs: man:named(8)
Main PID: 94005 (named)
Tasks: 5 (limit: 2340)
Memory: 17.8M
CPU: 46ms
CGroup: /system.slice/named.service
└─94005 /usr/sbin/named -f -u bind
Nov 14 14:34:38 mail named[94005]: running
Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: Transfer started.
Nov 14 14:34:38 mail named[94005]: transfer of 'void.yt/IN' from 78.141.239.68#53: connected using 45.76.133.0#53677
Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: transferred serial 9
Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: transfer: could not set file modification time of '/etc/bind/db.void.yt': permission denied
Nov 14 14:34:38 mail named[94005]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer status: success
Nov 14 14:34:38 mail named[94005]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer completed: 1 messages, 49 records, 1118 bytes, 0.001 secs (1118000 bytes/sec) (serial 9)
Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: sending notifies (serial 9)
Nov 14 14:34:38 mail named[94005]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Nov 14 14:34:38 mail named[94005]: resolver priming query complete
root@mail:/etc/bind# systemctl disable --now apparmor
root@mail:/etc/bind# chown bind:bind -R /etc/bind
root@mail:/etc/bind# systemctl restart bind9
root@mail:/etc/bind# systemctl status bind9
● named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-11-14 14:39:17 UTC; 1s ago
Docs: man:named(8)
Main PID: 94210 (named)
Tasks: 4 (limit: 2340)
Memory: 14.1M
CPU: 29ms
CGroup: /system.slice/named.service
└─94210 /usr/sbin/named -f -u bind
Nov 14 14:39:17 mail named[94210]: running
Nov 14 14:39:17 mail named[94210]: zone void.yt/IN: Transfer started.
Nov 14 14:39:17 mail named[94210]: transfer of 'void.yt/IN' from 78.141.239.68#53: connected using 45.76.133.0#51509
Nov 14 14:39:17 mail named[94210]: zone void.yt/IN: transferred serial 9
Nov 14 14:39:17 mail named[94210]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer status: success
Nov 14 14:39:17 mail named[94210]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer completed: 1 messages, 49 records, 1118 bytes, 0.004 secs (279500 bytes/sec) (serial 9)
Nov 14 14:39:17 mail named[94210]: zone void.yt/IN: sending notifies (serial 9)
Nov 14 14:39:17 mail named[94210]: dumping master file: /etc/bind/tmp-PF5Ud0HF2G: open: permission denied
Nov 14 14:39:17 mail named[94210]: resolver priming query complete
Nov 14 14:39:17 mail named[94210]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
</code></pre>
<p>Disabling AppArmor (and chowning /etc/bind to bind) is a heavy-handed fix: the profile exists precisely so that a compromised named cannot rewrite its own configuration. The cleaner fix, which this article applies later on for the dynamic DNS setup, is to keep writable zone files under /var/lib/bind and leave AppArmor on. Either way, let's check that name resolution works on both servers:</p>
<pre><code class="nim">
[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
→ nslookup ns1.void.yt temple.void.yt
Server: temple.void.yt
Address: 78.141.239.68#53
Name: ns1.void.yt
Address: 78.141.239.68
[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
→ nslookup ns2.void.yt temple.void.yt
Server: temple.void.yt
Address: 78.141.239.68#53
Name: ns2.void.yt
Address: 45.76.133.0
[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
→ nslookup ns2.void.yt mail.void.yt
Server: mail.void.yt
Address: 45.76.133.0#53
Name: ns2.void.yt
Address: 45.76.133.0
[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
→ nslookup ns1.void.yt mail.void.yt
Server: mail.void.yt
Address: 45.76.133.0#53
Name: ns1.void.yt
Address: 78.141.239.68
</code></pre>
<p>Everything looks good: we can resolve names on both the master and the slave DNS server.</p>
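<p>The transfer above is authorised purely by the secondary's source address. That is only as strong as your confidence that nobody else can send from that address (shared hosting, NAT, a compromised neighbour), and it gives the secondary no way to verify the NOTIFY it receives. As an added example that is not part of the page, the script below generates a TSIG key and renders the matching primary and secondary zone statements so that transfers and NOTIFYs are authenticated with an HMAC. The IP addresses are the page's; the key name xfer.void.yt, the secret and the file names are assumptions, and the primary/secondary/primaries keywords need BIND 9.16 or later (use master/slave/masters on older versions).</p>

```shell
#!/bin/sh
# Added example, not from the page: authenticate zone transfers and NOTIFY
# messages with a TSIG key, so a transfer is granted to whoever can sign
# with the shared secret rather than to whatever claims a source address.
# The IPs are the page's (78.141.239.68 primary, 45.76.133.0 secondary);
# the key name xfer.void.yt, the secret and the file names are assumptions.
# Needs BIND 9.16+ for primary/secondary/primaries (older: master/slave/masters).
set -u

PRIMARY_IP=78.141.239.68
SECONDARY_IP=45.76.133.0

# 256-bit HMAC-SHA256 secret: tsig-keygen when BIND's tools are present,
# openssl as the fallback when generating on another machine.
tsig_secret() {   # $1 key name
    if command -v tsig-keygen >/dev/null 2>&1; then
        tsig-keygen -a hmac-sha256 "$1" | awk '$1 == "secret" { gsub(/[";]/, "", $2); print $2 }'
    else
        openssl rand -base64 32
    fi
}

# The key clause: identical on both servers, kept in its own root:bind 0640 file.
key_clause() {   # $1 key name, $2 base64 secret
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$2"
}

# Primary: only requests signed with the key may transfer the zone, and the
# NOTIFY sent to the secondary is signed with the same key.
primary_zone() {   # $1 key name, $2 key file path
    cat <<EOF
include "$2";

zone "void.yt" {
    type primary;
    file "/var/lib/bind/db.void.yt";
    allow-update { none; };
    allow-transfer { key "$1"; };
    also-notify { $SECONDARY_IP key "$1"; };
};
EOF
}

# Secondary: sign every request to the primary with the key, accept NOTIFY
# only when it is signed, and never hand the zone out itself.
secondary_zone() {   # $1 key name, $2 key file path
    cat <<EOF
include "$2";

server $PRIMARY_IP { keys { "$1"; }; };

zone "void.yt" {
    type secondary;
    file "/var/lib/bind/db.void.yt";
    primaries { $PRIMARY_IP key "$1"; };
    allow-notify { key "$1"; };
    allow-transfer { none; };
};
EOF
}

# Render all three files into a directory and syntax-check them if possible.
write_transfer_configs() {   # $1 output dir, $2 key name, $3 secret
    dir=$1 name=$2 secret=$3
    mkdir -p "$dir" || return 1
    key_clause "$name" "$secret" > "$dir/xfer.key" || return 1
    chmod 640 "$dir/xfer.key"
    primary_zone "$name" "$dir/xfer.key" > "$dir/primary.conf" || return 1
    secondary_zone "$name" "$dir/xfer.key" > "$dir/secondary.conf" || return 1
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/primary.conf" && named-checkconf "$dir/secondary.conf"
    fi
}

# Verify from any host: an unsigned AXFR must fail, a signed one must succeed.
#   dig @78.141.239.68 void.yt AXFR                          -> "Transfer failed."
#   dig -y hmac-sha256:xfer.void.yt:SECRET @78.141.239.68 void.yt AXFR

if [ -n "${1:-}" ]; then
    write_transfer_configs "$1" xfer.void.yt "$(tsig_secret xfer.void.yt)" && echo "wrote $1/xfer.key, primary.conf and secondary.conf"
fi
```

<p>Copy xfer.key to both servers over an authenticated channel (scp, not the zone itself), include primary.conf and secondary.conf from the respective named.conf.local, and confirm with the two dig commands in the comments that an unsigned AXFR is now refused.</p>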
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Dynamic bind9 DNS setup</b></h2> </br> </br>
<p>For my current setup, I need void.yt to resolve to a public IP that changes often, so I need dynamic DNS updates for the apex A record of void.yt. bind9 supports this through dynamic updates (RFC 2136) authenticated with a TSIG key, so let's set it up:</p>
<pre><code class="nim">
root@Temple:/etc/bind# apt install bind9utils
root@Temple:/etc/bind# which ddns-confgen
/usr/sbin/ddns-confgen
root@Temple:/etc/bind# ddns-confgen -s void.yt
# To activate this key, place the following in named.conf, and
# in a separate keyfile on the system or systems from which nsupdate
# will be run:
key "ddns-key.void.yt" {
algorithm hmac-sha256;
secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
};
# Then, in the "zone" statement for the zone containing the
# name "void.yt", place an "update-policy" statement
# like this one, adjusted as needed for your preferred permissions:
update-policy {
grant ddns-key.void.yt name void.yt ANY;
};
# After the keyfile has been placed, the following command will
# execute nsupdate using this key:
nsupdate -k &lt;keyfile&gt;
</code></pre>
<p>Now we follow the instructions the command printed, starting with the key definition in named.conf.local. Treat the secret like a password: anyone holding it can rewrite whatever the update-policy grants, so generate your own rather than reusing the one printed here, and keep it out of world-readable files (a separate file included from named.conf.local, mode 640 and owned by root:bind, is the usual arrangement):</p>
<pre><code class="nim">
root@Temple:/etc/bind# vim /etc/bind/named.conf.local
root@Temple:/etc/bind# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
key "ddns-key.void.yt" {
algorithm hmac-sha256;
secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
};
</code></pre>
<p>Next we set up the update-policy for the void.yt zone. The generated policy grants every record type (ANY) at the name void.yt; since the client script only ever touches the A record, replacing ANY with A is the least-privilege form and limits what a leaked key can do:</p>
<pre><code class="nim">
root@Temple:/etc/bind# vim zones.rfc1918
root@Temple:/etc/bind# cat zones.rfc1918
zone "void.yt" {
type master;
file "/etc/bind/db.void.yt";
allow-transfer { 45.76.133.0; };
also-notify { 45.76.133.0; };
update-policy {
grant ddns-key.void.yt name void.yt ANY;
};
};
root@Temple:/etc/bind# systemctl restart bind9
</code></pre>
<p>Next we set up the dynamic DNS script on the client whose public IP changes often:</p>
<pre><code class="nim">
root@home:~# which nsupdate
/usr/bin/nsupdate
root@home:~# vim /etc/ddnsupdate.key
root@home:~# cat /etc/ddnsupdate.key
key "ddns-key.void.yt" {
algorithm hmac-sha256;
secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
};
root@home:~# cd /var/www/void.yt/
root@home:/var/www/void.yt# vim dyndns.sh
root@home:/var/www/void.yt# cat dyndns.sh
#!/bin/bash
# abort on the first failing command and on unset variables
set -eu
#MYIP=$(dig +short myip.opendns.com @resolver1.opendns.com)
# -4 forces an IPv4 answer, -f turns HTTP errors into a failure instead of an
# error page, -s drops the progress meter that cron would otherwise mail us
MYIP=$(curl -4 -fsS https://ifconfig.me)
KEY=/etc/ddnsupdate.key
NS=ns1.void.yt
DOMAIN=void.yt.
ZONE=void.yt.
# nsupdate signs the update with the TSIG key in $KEY (-k) and sends it over TCP (-v)
nsupdate -k $KEY -v &lt;&lt; EOF
server $NS
zone $ZONE
update delete $DOMAIN A
update add $DOMAIN 30 A $MYIP
send
EOF
</code></pre>
<p>Now let's test it:</p>
<pre><code class="nim">
root@home:/var/www/void.yt# chattr -i /etc/resolv.conf
root@home:/var/www/void.yt# vim /etc/resolv.conf
root@home:/var/www/void.yt# cat /etc/resolv.conf
#nameserver 1.1.1.1
#nameserver 1.0.0.1
nameserver 78.141.239.68
nameserver 45.76.133.0
root@home:/var/www/void.yt# chattr +i /etc/resolv.conf
root@home:/var/www/void.yt# chmod +x dyndns.sh
root@home:/var/www/void.yt# ./dyndns.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 14 100 14 0 0 89 0 --:--:-- --:--:-- --:--:-- 89
update failed: SERVFAIL
</code></pre>
<p>If you get this error, named most likely cannot write to /etc/bind/: Debian's AppArmor profile for named only lets it write zone files and their .jnl journals under /var/lib/bind, so move the zone there:</p>
<pre><code class="nim">
root@Temple:/etc/bind# vim /etc/bind/zones.rfc1918
root@Temple:/etc/bind# cat /etc/bind/zones.rfc1918
zone "void.yt" {
type master;
file "/var/lib/bind/db.void.yt";
allow-transfer { 45.76.133.0; };
also-notify { 45.76.133.0; };
update-policy {
grant ddns-key.void.yt name void.yt ANY;
};
};
root@Temple:/etc/bind# mv /etc/bind/db.void.yt /var/lib/bind/
root@Temple:/etc/bind# systemctl restart bind9
</code></pre>
<p>Do the same on the secondary DNS server:</p>
<pre><code class="nim">
root@mail:~# vim /etc/bind/zones.rfc1918
root@mail:~# mv /etc/bind/db.void.yt /var/lib/bind/
root@mail:~# mv /etc/bind/db._domainkey.void.yt /var/lib/bind/
root@mail:~# systemctl restart bind9
</code></pre>
<p>Now let's test the dynamic DNS script again:</p>
<pre><code class="nim">
root@home:/var/www/void.yt# ./dyndns.sh
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 14 100 14 0 0 72 0 --:--:-- --:--:-- --:--:-- 72
root@home:/var/www/void.yt#
</code></pre>
<p>No error messages, so let's check whether the zone was updated as intended. Dynamic changes are written to the journal file db.void.yt.jnl first and only flushed into the zone file periodically (rndc sync void.yt forces it), so querying the server directly with dig is the more reliable check; here the file already shows the change:</p>
<pre><code class="nim">
root@Temple:/etc/bind# cat /var/lib/bind/db.void.yt
$ORIGIN .
$TTL 604800 ; 1 week
void.yt IN SOA ns1.void.yt. void.yt. (
10 ; serial
604800 ; refresh (1 week)
86400 ; retry (1 day)
2419200 ; expire (4 weeks)
604800 ; minimum (1 week)
)
$TTL 3600 ; 1 hour
NS ns1.void.yt.
NS ns2.void.yt.
<b>$TTL 30 ; 30 seconds
A 92.148.147.119</b>
$ORIGIN void.yt.
$TTL 3600 ; 1 hour
_dmarc TXT "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt; fo=1"
asciinema CNAME void.yt.
[...]
</code></pre>
<p>It did. Now let's make the script run every minute from cron:</p>
<pre><code class="nim">
root@home:/var/www/void.yt# crontab -e
* * * * * "/var/www/void.yt/dyndns.sh"
root@home:/var/www/void.yt# cronitor select
✔ "/var/www/void.yt/dyndns.sh"
----► Running command: "/var/www/void.yt/dyndns.sh"
[+] updating ns1.void.yt:
----► ✔ Command successful Elapsed time 0.353s
</code></pre>
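<p>The dyndns.sh above pushes whatever curl returns straight into the zone and rewrites the record every minute even when nothing changed. The script below is an added example, not the page's own: it validates the discovered address before it is used, compares it with what the primary currently serves and only signs and sends an update when they differ, which also keeps the journal from growing needlessly. The key path /etc/ddnsupdate.key, the apex name void.yt. and ifconfig.me as the lookup service are assumptions taken over from the setup above.</p>

```shell
#!/bin/sh
# Added example, not the page's script: a hardened dyndns.sh that validates
# the discovered address before it is pushed into the zone and only sends an
# update when the address actually changed. Assumptions not on the page:
# the key lives in /etc/ddnsupdate.key, the record is the apex of void.yt.
# and ifconfig.me/ip is the IP lookup service (as on the page).
set -u

KEY=${KEY:-/etc/ddnsupdate.key}
NS=${NS:-ns1.void.yt}
ZONE=${ZONE:-void.yt.}
NAME=${NAME:-void.yt.}
TTL=30

# Accept only a dotted quad with octets 0-255 and no leading zeros, so an
# empty reply, an error page or an IPv6 address never ends up as an A record.
valid_ipv4() {   # $1 candidate address
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i ~ /^0[0-9]/ || $i > 255) exit 1
            exit 0
        }'
}

# Public IPv4 (assumption: ifconfig.me). -4 forbids an IPv6 answer, -f makes
# HTTP errors fail instead of returning an error page, -s keeps cron quiet.
public_ip() {
    curl -4 -fsS --max-time 10 https://ifconfig.me/ip
}

# What the primary currently serves for the name, bypassing every cache.
current_ip() {
    dig +short +time=3 +tries=1 @"$NS" "$NAME" A | head -n 1
}

# The nsupdate script as text, so it can be reviewed and tested without
# sending anything; nsupdate reads it on stdin.
update_script() {   # $1 new address
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$NS" "$ZONE" "$NAME" "$NAME" "$TTL" "$1"
}

# Validate, compare with what is published, and only then sign and send.
update_if_changed() {
    new=$(public_ip) || { echo "could not determine the public IP" >&2; return 1; }
    if ! valid_ipv4 "$new"; then
        echo "refusing to publish a non-IPv4 answer: '$new'" >&2
        return 1
    fi
    old=$(current_ip || true)
    if [ "$old" = "$new" ]; then
        echo "$NAME already points to $new, nothing to do"
        return 0
    fi
    if [ ! -r "$KEY" ]; then
        echo "TSIG key file $KEY is missing or unreadable" >&2
        return 1
    fi
    update_script "$new" | nsupdate -k "$KEY" && echo "updated $NAME: ${old:-none} -> $new"
}

# Cron entry, every minute as on the page:  * * * * * /var/www/void.yt/dyndns.sh run
case "${1:-}" in
    run) update_if_changed ;;
esac
```

<p>Keep the key file at mode 600: the script runs as root from cron, and a key readable by other local users lets them rewrite the A record just as easily as the script does.</p>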
<p>Looks good. Don't forget to edit the options file on the secondary DNS server too:</p>
<pre><code class="nim">
root@mail:~# vim /etc/bind/named.conf.options
root@mail:~# cat /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
dnssec-validation auto;
listen-on-v6 { any; };
listen-on { any; };
allow-query { any; };
forwarders {
1.1.1.1;
1.0.0.1;
};
};
root@mail:~# systemctl restart bind9
</code></pre>
<p>That's it: two bind9 servers in a master/slave configuration with dynamic DNS. For the rest of the Internet to use them, the registrar must list ns1.void.yt and ns2.void.yt as the domain's name servers, and because both live inside void.yt itself the registrar also needs glue records carrying their IP addresses. After that you have to wait for the delegation to propagate:</p>
<img src="1.png" class="imgRz">
<p>You can check the status of the DNS propagation on <a href="https://www.dnstester.net/">this</a> website:</p>
<img src="2.png" class="imgRz">
<p>As you can see, none of the major public resolvers know my ns1.void.yt record yet, so I need to wait for the delegation set at the registrar (the DNS servers registered for the domain) to propagate:</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>DNSSEC Setup</b></h2> </br> </br>
<p>Once the delegation has propagated we can set up DNSSEC. On recent BIND releases (the Debian 12 package) the options file needs no DNSSEC-specific settings: dnssec-enable and dnssec-lookaside are obsolete and dnssec-validation auto is the default, hence the commented-out lines:</p>
<pre><code class="nim">
root@mail-gw:~# vim /etc/bind/named.conf.options
root@mail-gw:~# cat /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
//dnssec-validation yes;
//dnssec-enable yes;
//dnssec-lookaside auto; //since debian 12 these are no longer needed
listen-on-v6 { any; };
listen-on { any; };
allow-query { any; };
forwarders {
1.1.1.1;
1.0.0.1;
};
};
</code></pre>
<p>Then generate the zone-signing key (ZSK) and, with -f KSK, the key-signing key (KSK) for your domain. NSEC3RSASHA1 (algorithm 7) is used below, but it is built on SHA-1 and RFC 8624 rates it NOT RECOMMENDED for signing; for anything you set up today prefer ECDSAP256SHA256 (algorithm 13, -a ECDSAP256SHA256, where -b is not needed), which validators are required to support:</p>
<pre><code class="nim">
root@mail-gw:~# cd /var/cache/bind
root@mail-gw:/var/cache/bind# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE nowhere.moe
Generating key pair...................+++++ ..................................................................................................................+++++
Knowhere.moe.+007+54398
root@mail-gw:/var/cache/bind# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE nowhere.moe
Generating key pair........................................................................++++ .....................++++
Knowhere.moe.+007+44145
</code></pre>
<p>then create the zone file:</p>
<pre><code class="nim">
root@mail-gw:/var/cache/bind# for key in `ls Knowhere.moe*.key`; do echo "\$INCLUDE $key">> nowhere.moe.zone; done
root@mail-gw:/var/cache/bind# cat nowhere.moe.zone
$INCLUDE Knowhere.moe.+007+44145.key
$INCLUDE Knowhere.moe.+007+54398.key
</code></pre>
<p>Then sign the zone with dnssec-signzone: -3 enables NSEC3 with the given salt, -N INCREMENT bumps the serial, -o sets the origin and -t prints statistics. RFC 9276 now recommends NSEC3 with zero additional iterations and an empty salt (-3 - -H 0), since a salt adds nothing against offline dictionary attacks on the hashed names and extra iterations only burden validators:</p>
<pre><code class="nim">
root@mail-gw:/var/cache/bind# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t nowhere.moe.zone
<!--root@mail-gw:/var/cache/bind# dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t nowhere.moe.zone-->
dnssec-signzone: warning: Knowhere.moe.+007+44145.key:5: no TTL specified; zone rejected
dnssec-signzone: fatal: failed loading zone from 'nowhere.moe.zone': no ttl
</code></pre>
<p>If you get the "no ttl" error like me, it is because the generated key files carry no TTL on their DNSKEY records and the file being signed has no $TTL directive; regenerate the keys with -L so the DNSKEY records get one. Note also that nowhere.moe.zone at this point holds only the two $INCLUDE lines: the file you sign must be the complete zone (SOA, NS and all other records) with those lines appended, which is what the db.nowhere.moe steps below do:</p>
<pre><code class="nim">
root@mail-gw:/var/cache/bind# dnssec-keygen -L 3600 -a NSEC3RSASHA1 -b 2048 -n ZONE nowhere.moe
Generating key pair.........................................+++++ .......+++++
Knowhere.moe.+007+35034
root@mail-gw:/var/cache/bind# dnssec-keygen -L 3600 -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE nowhere.moe
Generating key pair......++++ ..................................................................................................................................................................++++
Knowhere.moe.+007+23388
root@mail-gw:/var/cache/bind# for key in `ls Knowhere.moe*.key`; do echo "\$INCLUDE $key">> nowhere.moe.zone; done
root@mail-gw:/var/cache/bind# cat nowhere.moe.zone
$INCLUDE Knowhere.moe.+007+23388.key
$INCLUDE Knowhere.moe.+007+35034.key
root@mail-gw:/var/cache/bind# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe
dnssec-signzone: warning: db.nowhere.moe:17: TTL set to prior TTL (3600)
dnssec-signzone: fatal: No signing keys specified or found.
root@mail-gw:/var/cache/bind# cat nowhere.moe.zone >> db.nowhere.moe
<!--root@mail-gw:/var/cache/bind# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe-->
root@mail-gw:/var/cache/bind# dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe
dnssec-signzone: warning: db.nowhere.moe:17: TTL set to prior TTL (3600)
Verifying the zone using the following algorithms:
- NSEC3RSASHA1
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
db.nowhere.moe.signed
Signatures generated: 51
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Signing time in seconds: 0.068
Signatures per second: 750.000
Runtime in seconds: 0.076
</code></pre>
<p>The first dnssec-signzone run on db.nowhere.moe failed with "No signing keys specified or found" because the zone file did not yet contain the $INCLUDE lines for the two key files; after appending them the zone signs and db.nowhere.moe.signed is written next to it. If you still get errors once the signed zone is being served, DNSViz (https://dnsviz.net/d/nowhere.moe/dnssec/) draws the whole chain of trust and shows where it breaks.</p>
<p>Then we continue:</p>
<pre><code class="nim">
root@mail-gw:/var/cache/bind# vim /etc/bind/named.conf.local
root@mail-gw:/var/cache/bind# cat /etc/bind/named.conf.local
zone "nowhere.moe" {
type master;
file "db.nowhere.moe.signed";
allow-update { none; };
};
</code></pre>
<p>Then restart bind9:</p>
<pre><code class="nim">
root@mail-gw:/var/cache/bind# systemctl restart bind9
root@mail-gw:/var/cache/bind# systemctl status bind9
* named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2022-09-30 19:58:12 CEST; 3s ago
Docs: man:named(8)
Main PID: 42611 (named)
Tasks: 4 (limit: 507)
Memory: 7.8M
CPU: 19ms
CGroup: /system.slice/named.service
`-42611 /usr/sbin/named -f -u bind
Sep 30 19:58:12 mail-gw named[42611]: zone 127.in-addr.arpa/IN: loaded serial 1
Sep 30 19:58:12 mail-gw named[42611]: zone localhost/IN: loaded serial 2
Sep 30 19:58:12 mail-gw named[42611]: zone nowhere.moe/IN: sig-re-signing-interval less than 3 * refresh.
Sep 30 19:58:12 mail-gw named[42611]: zone nowhere.moe/IN: loaded serial 18 (DNSSEC signed)
Sep 30 19:58:12 mail-gw named[42611]: all zones loaded
Sep 30 19:58:12 mail-gw named[42611]: running
Sep 30 19:58:12 mail-gw named[42611]: zone nowhere.moe/IN: sending notifies (serial 18)
Sep 30 19:58:12 mail-gw named[42611]: client @0x7fad306d5130 23.137.250.141#48501 (nowhere.moe): transfer of 'nowhere.moe/IN': IXFR version not in journal, falling back to AXFR
Sep 30 19:58:12 mail-gw named[42611]: client @0x7fad306d5130 23.137.250.141#48501 (nowhere.moe): transfer of 'nowhere.moe/IN': AXFR-style IXFR started (serial 18)
Sep 30 19:58:12 mail-gw named[42611]: client @0x7fad306d5130 23.137.250.141#48501 (nowhere.moe): transfer of 'nowhere.moe/IN': AXFR-style IXFR ended: 2 messages, 104 records, 19335 bytes, 0.001 secs (19335000 bytes/sec) (serial 18)
</code></pre>
<!--<p>https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2 next is a DS record to add to the registrar ???</p>-->
<p>So from now on, whenever you want to edit your zone, you first edit the db file and then run the dnssec-signzone command again, because bind9 serves the .signed file and not the db file you edit: </p>
<pre><code class="nim">
root@mail-gw:/var/cache/bind# vim db.nowhere.moe
root@mail-gw:/var/cache/bind# dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe
<!--root@mail-gw:/var/cache/bind# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe-->
dnssec-signzone: warning: db.nowhere.moe:17: TTL set to prior TTL (3600)
Verifying the zone using the following algorithms:
- NSEC3RSASHA1
Zone fully signed:
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
db.nowhere.moe.signed
Signatures generated: 53
Signatures retained: 0
Signatures dropped: 0
Signatures successfully verified: 0
Signatures unsuccessfully verified: 0
Signing time in seconds: 0.068
Signatures per second: 779.411
Runtime in seconds: 0.080
root@mail-gw:/var/cache/bind# systemctl restart bind9
root@mail-gw:/var/cache/bind# systemctl status bind9
* named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2022-10-01 10:37:34 CEST; 1s ago
Docs: man:named(8)
Main PID: 45909 (named)
Tasks: 4 (limit: 507)
Memory: 7.8M
CPU: 21ms
CGroup: /system.slice/named.service
`-45909 /usr/sbin/named -f -u bind
</code></pre>
<p>Now when we query our bind9 server with the DNSSEC (DO) bit set, we see the RRSIG records returned alongside the answers:</p>
<pre><code class="nim">
[ 10.0.0.10/16 ] [ nowhere ] [~]
→ dig @23.137.250.140 stream.nowhere.moe. A +dnssec +multiline
; <<>> DiG 9.18.4-2-Debian <<>> @23.137.250.140 stream.nowhere.moe. A +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<<b></b>- opcode: QUERY, status: NOERROR, id: 52175
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: bb834e65ec1896a601000000633c65914ff2b9c6c7b43b1d (good)
;; QUESTION SECTION:
;stream.nowhere.moe. IN A
;; ANSWER SECTION:
stream.nowhere.moe. 604800 IN CNAME web-gw.nowhere.moe.
stream.nowhere.moe. 604800 IN RRSIG CNAME 7 3 604800 (
20221103152726 20221004152726 35034 nowhere.moe.
qIu/a2pi8e52tLqNBmCbeFHGK3TkQLquJNcziCoCYlQY
qOOFiXisOz7sg05uWxvX04kKofQyuUb9X/+e20r28WUe
gAhS1LJWE9BfBHfq/iQBXX4yWLTTYMqyjDyW56RUX7Z9
zJs46TJB983ggZ1VwAJOifDGvl4vYSld/XeFy0EQy62G
3Etq9GZe+O5ZEKsuYA+9RGockq/TwwLn6ibZfst172xt
B/uKxmX+J3gcBzeGp1wwGd07UdlxaLyniQ41DSYmdTdD
jECbxVQRvMnC1MhD8nYsmhm/YroKXeQpMX7ugJD1ZomY
A7/ofGO6asXTGY2V3JxiITop0nKlfSlLbA== )
web-gw.nowhere.moe. 604800 IN A 23.137.250.141
web-gw.nowhere.moe. 604800 IN RRSIG A 7 3 604800 (
20221103152726 20221004152726 35034 nowhere.moe.
hlE0hXZiU9/LnSKghK3OKMxIbrrimFqF0HfHJubzQ50U
f9g3m9bZJeANu4iJHCmPR1TVJUp0qYxUTRb815kWGKIq
DHUNErDN+WhZoTBMT8jzdX8kntKFnd8+N/d/gjQ91Oxp
MOGf2V1fAu0wnvVZGzn6PGmQfb1vsZ3pskmTd5bz/A1g
nPoT3MXYWQol8x8h9bYdBwwz/cmbHbeZ2s8NIgFj/F46
cciq3lIs6HDmmYzE50TQ5YApCyHDYSM7gu/u/O/4pxAP
55Fo5qtkZQCMoRtcRJh+GG5X7W2onoi4zICAZXpD5L6z
IaBl++bwjDaSIOiAsV2j+gRGETtUQ4Ef4w== )
;; Query time: 23 msec
;; SERVER: 23.137.250.140#53(23.137.250.140) (UDP)
;; WHEN: Tue Oct 04 18:56:01 CEST 2022
;; MSG SIZE rcvd: 725
</code></pre>
<p>For simplicity's sake I have this script that automates checking the zone file, signing it and restarting the service in one go:</p>
<pre><code class="nim">
root@mail-gw:/var/cache/bind# cat restartdns.sh
#!/bin/bash
# check the zone for errors:
named-checkzone nowhere.moe db.nowhere.moe
# sign it:
dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe
#restart bind9
systemctl restart bind9
#check bind9 status
systemctl status bind9
</code></pre>
<p>Updated restartdns.sh script (thanks to Notorious from notlean.net):</p>
<pre><code class="nim">
1) updated algorithms to avoid errors (see <b>https://dnsviz.net/d/nowhere.moe/dnssec/</b>)
dnssec-keygen -L 3600 -a ECDSAP256SHA256 -b 2048 -n ZONE notlean.net
dnssec-keygen -L 3600 -f KSK -a ECDSAP256SHA256 -b 2048 -n ZONE notlean.net
for key in `ls Knotlean.net*.key`; do echo "\$INCLUDE $key">> notlean.net.zone; done
cat notlean.net.zone >> forward.notlean.net.db
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o notlean.net -t forward.notlean.net.db
rndc reload
systemctl status named
2) cat restartdns.sh
#!/bin/bash
set -eu
# Bind path
ZONE_PATH="/var/cache/bind/notorious"
# Domain name
ZONE_NAME="notlean.net"
# Bind zone file name
ZONE_FILE="forward.notlean.net.db"
# Generate NSEC3 salt
NSEC3_SALT=$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)
# Go to zone path
pushd $ZONE_PATH
# Verify zone and check for errors
echo "Checking zone errors for $ZONE_NAME ..."
if ! named-checkzone $ZONE_NAME $ZONE_FILE; then
echo "Error during zone checking. Verify the file."
exit 1
fi
# Signing zone DNSSEC
echo "Signing zone file for $ZONE_NAME..."
dnssec-signzone -A -3 $NSEC3_SALT -N INCREMENT -o $ZONE_NAME -t $ZONE_FILE
# Restart BIND9
echo "Restart BIND9..."
rndc reload
# Check bind status
echo "Vérification du statut de BIND9..."
systemctl status bind9
# Back to local dir
popd
echo "Execution end"
</code></pre>
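<p>Because dnssec-signzone is run by hand in this setup, the RRSIG validity window is fixed at signing time (the dig output above shows inception 20221004152726 and expiration 20221103152726, i.e. the 30-day default), and if the zone is not re-signed before that date, validating resolvers start returning SERVFAIL for it. The script below is an added example, not the blog's restartdns.sh nor Notorious' version: it scans a signed zone file for the earliest RRSIG expiration and warns when fewer than a given number of days remain, so it can run from cron as a reminder to re-sign. The sample zone lines are constructed, and it assumes GNU date and awk.</p>

```shell
#!/bin/bash
# Added example (not the blog's restartdns.sh): warn before the RRSIGs in a
# dnssec-signzone output file expire. Assumes GNU date (-d) and awk.

# earliest_rrsig_expiry FILE -> prints the earliest RRSIG expiration timestamp
# (YYYYMMDDHHMMSS) in FILE, handling both the one-line form and the "( ... )"
# multiline form that dnssec-signzone writes.
earliest_rrsig_expiry() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "RRSIG") break
        if (i <= NF) {
            # one-line form: RRSIG TYPE ALG LABELS ORIGTTL EXPIRATION ...
            e = $(i + 5)
            if (length(e) == 14 && e ~ /^[0-9]+$/) { print e; next }
            pending = 1; next      # multiline form: timestamps on the next line
        }
        if (pending && length($1) == 14 && $1 ~ /^[0-9]+$/) print $1
        pending = 0
    }' "$1" | sort | head -n 1
}

# days_until YYYYMMDDHHMMSS -> whole days from now until that UTC timestamp
days_until() {
    iso=$(echo "$1" | sed -E 's/^(....)(..)(..)(..)(..)(..)$/\1-\2-\3 \4:\5:\6 UTC/')
    echo $(( ( $(date -u -d "$iso" +%s) - $(date -u +%s) ) / 86400 ))
}

# check_rrsig_expiry FILE MIN_DAYS -> 0 if every signature stays valid for at
# least MIN_DAYS more days, 1 otherwise (usable as a cron alert)
check_rrsig_expiry() {
    exp=$(earliest_rrsig_expiry "$1")
    [ -n "$exp" ] || { echo "no RRSIG records found in $1" >&2; return 1; }
    days=$(days_until "$exp")
    if [ "$days" -lt "$2" ]; then
        echo "WARNING: earliest RRSIG in $1 expires $exp ($days days left), re-sign the zone" >&2
        return 1
    fi
    echo "OK: earliest RRSIG in $1 expires $exp ($days days left)"
}

# Constructed sample in the layout dnssec-signzone writes; the timestamps are
# the ones from the dig output and are long past, so the check reports failure.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
web-gw.nowhere.moe.	604800	IN	A	23.137.250.141
web-gw.nowhere.moe.	604800	IN	RRSIG	A 7 3 604800 (
				20221103152726 20221004152726 35034 nowhere.moe.
				c2lnbmF0dXJlLWJ5dGVzLWVsaWRlZA== )
EOF
check_rrsig_expiry "$SAMPLE" 7 || true
```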
<!--<p>However when we test it on another dns server it is supposed to propagate we see the following error:</p>
<pre><code class="nim">
[ 10.0.0.10/16 ] [ nowhere ] [~]
→ dig @1.1.1.1 stream.nowhere.moe. A +dnssec +multiline
; <<>> DiG 9.18.4-2-Debian <<>> @1.1.1.1 stream.nowhere.moe. A +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<<b></b>- opcode: QUERY, status: SERVFAIL, id: 9695
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for nowhere.moe.)
;; QUESTION SECTION:
;stream.nowhere.moe. IN A
;; Query time: 243 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Oct 04 18:56:08 CEST 2022
;; MSG SIZE rcvd: 108
</pre></code>-->
<!-- https://www.fatalerrors.org/a/0dVy0zo.html#dnssec to complete dnssec-->
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Footer Section +++++ -->
<div id="anonb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
Until there is Nothing left.</p></br></br><p>Creative Commons Zero: No Rights Reserved</br><img src="\CC0.png">
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FL5jrGV2L_Bb20Oj0aE4Gn-m5AHet9XdpYDotiqpcpGc%3D%40nowhere.moe%2FH4g7zPbitSLV5tDQ51Yz-R6RgOkMEeCc%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEAkts5T5AMxHGrZCCg12aeKxWcpXaxbB_XqjrXmcFYlDQ%253D&data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%22c3Y-iDaoDCFm6RhptSDOaw%3D%3D%22%7D">SimpleX Chat</a><br/>
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>About nihilist</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br><p><u>Contact:</u> nihilist@contact.nowhere.moe (<a href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>