forked from nihilist/blog-contributions
1166 lines
43 KiB
HTML
1166 lines
43 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="utf-8">
|
|
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
<meta name="description" content="">
|
|
<meta name="author" content="">
|
|
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
|
|
|
|
<title>bind9 DNS setup</title>
|
|
|
|
<!-- Bootstrap core CSS -->
|
|
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
|
|
<link href="../../assets/css/xt256.css" rel="stylesheet">
|
|
|
|
|
|
|
|
<!-- Custom styles for this template -->
|
|
<link href="../../assets/css/main.css" rel="stylesheet">
|
|
|
|
|
|
|
|
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
|
|
<!--[if lt IE 9]>
|
|
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
|
|
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
|
|
<![endif]-->
|
|
</head>
|
|
|
|
<body>
|
|
|
|
<!-- Static navbar -->
|
|
<div class="navbar navbar-inverse-anon navbar-static-top">
|
|
<div class="container">
|
|
<div class="navbar-header">
|
|
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
|
|
<span class="icon-bar"></span>
|
|
<span class="icon-bar"></span>
|
|
<span class="icon-bar"></span>
|
|
</button>
|
|
<a class="navbar-brand-anon" href="\index.html">nihilist`s Blog</a>
|
|
</div>
|
|
<div class="navbar-collapse collapse">
|
|
<ul class="nav navbar-nav navbar-right">
|
|
|
|
<li><a href="/about.html">About</a></li>
|
|
<li><a href="/blog.html">Categories</a></li>
|
|
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
|
|
<li><a href="/contact.html">Contact</a></li>
|
|
</ul>
|
|
</div><!--/.nav-collapse -->
|
|
|
|
</div>
|
|
</div>
|
|
|
|
<!-- +++++ Posts Lists +++++ -->
|
|
<!-- +++++ First Post +++++ -->
|
|
<div id="anon2">
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="col-lg-8 col-lg-offset-2">
|
|
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nothing@nowhere - 2024-05-28</ba></p>
|
|
<h1>bind9 DNS setup </h1>
|
|
<img src="0.png" style="width:200px">
|
|
<p>In this tutorial we're going to take a look at how to setup DNS servers using bind9. </p>
|
|
<p><u>Disclaimer:</u> If you want this service to remain anonymous, make sure you at least keep <a href="../sensitiveremotevshome/index.html">TOR between you and the service</a> from the <a href="../anonymousremoteserver/index.html">VPS acquisition</a> to actual service usage. </p>
|
|
|
|
|
|
</div>
|
|
</div><!-- /row -->
|
|
</div> <!-- /container -->
|
|
</div><!-- /grey -->
|
|
|
|
<!-- +++++ Second Post +++++ -->
|
|
<div id="anon3">
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="col-lg-8 col-lg-offset-2">
|
|
<h2><b>Initial Setup </b></h2>
|
|
<p>First install the requirements:</p>
|
|
<pre><code class="nim">
|
|
root@Temple:~# apt update -y ; apt upgrade -y ; apt install bind9 -y
|
|
root@Temple:~# systemctl disable --now ufw
|
|
|
|
</code></pre>
|
|
|
|
<p>Next we edit the /etc/bind/named.conf.options file to define which ip the dns server will serve:</p>
|
|
<pre><code class="nim">
|
|
root@Temple:~# vim /etc/bind/named.conf.options
|
|
listen-on {
|
|
10.10.10.0/24;
|
|
10.1.0.0/16;
|
|
...
|
|
};
|
|
|
|
#OR
|
|
listen-on { any; };
|
|
listen-on-v6 { any; };
|
|
|
|
</code></pre>
|
|
|
|
<p>Next, we allow the queries to come from any sources (not just local)</p>
|
|
<pre><code class="nim">
|
|
allow-query { any; };
|
|
|
|
</code></pre>
|
|
<p>and lastly, we add the forwarders which are the dns servers that bind9 will ask if it can't find the domain names, we can put cloudflare's dns servers for example:</p>
|
|
<pre><code class="nim">
|
|
forwarders {
|
|
1.1.1.1;
|
|
1.0.0.1;
|
|
};
|
|
|
|
</code></pre>
|
|
<p>Here's the result, save it with :wq</p>
|
|
<pre><code class="nim">
|
|
options {
|
|
directory "/var/cache/bind";
|
|
dnssec-validation auto;
|
|
|
|
listen-on-v6 { any; };
|
|
listen-on { any; };
|
|
allow-query { any; };
|
|
forwarders {
|
|
1.1.1.1;
|
|
1.0.0.1;
|
|
};
|
|
};
|
|
|
|
</code></pre>
|
|
<p>Then restart bind9:</p>
|
|
<pre><code class="nim">
|
|
root@Temple:~# systemctl restart bind9
|
|
root@Temple:~# systemctl status bind9
|
|
● named.service - BIND Domain Name Server
|
|
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
|
|
Active: active (running) since Tue 2021-11-02 20:37:26 UTC; 4s ago
|
|
Docs: man:named(8)
|
|
Main PID: 2863095 (named)
|
|
Tasks: 8 (limit: 4584)
|
|
Memory: 30.0M
|
|
CGroup: /system.slice/named.service
|
|
└─2863095 /usr/sbin/named -f -u bind
|
|
|
|
Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
|
|
Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:500:2d::d#53
|
|
Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:7fd::1#53
|
|
Nov 02 20:37:26 Temple named[2863095]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
|
|
Nov 02 20:37:26 Temple named[2863095]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
|
|
Nov 02 20:37:26 Temple named[2863095]: resolver priming query complete
|
|
Nov 02 20:37:30 Temple named[2863095]: listening on IPv4 interface tun0, 10.8.0.1#53
|
|
Nov 02 20:37:30 Temple named[2863095]: listening on IPv6 interface tun0, fe80::5822:e1cd:a277:e3e3%124941#53
|
|
Nov 02 20:37:30 Temple named[2863095]: no longer listening on 10.8.0.1#53
|
|
Nov 02 20:37:30 Temple named[2863095]: no longer listening on fe80::5822:e1cd:a277:e3e3%124941#53
|
|
|
|
</code></pre>
|
|
<p>and then finally we test if the dns works, let's ask our dns server for the ip address of google:</p>
|
|
<pre><code class="nim">
|
|
[ 10.66.66.2/32 ] [ /dev/pts/20 ] [Nextcloud/blog]
|
|
→ nslookup google.com temple.void.yt
|
|
Server: temple.void.yt
|
|
Address: 78.141.239.68#53
|
|
|
|
Non-authoritative answer:
|
|
Name: google.com
|
|
Address: 172.217.169.14
|
|
Name: google.com
|
|
Address: 2a00:1450:4009:81d::200e
|
|
|
|
</code></pre>
|
|
<p>And it worked ! Now let's setup an A record on our DNS server, for itself. To do that we need to specify the zones we're going to manage:</p>
|
|
<pre><code class="nim">
|
|
|
|
root@Temple:/etc/bind# vim named.conf.local
|
|
root@Temple:/etc/bind# cat named.conf.local
|
|
//
|
|
// Do any local configuration here
|
|
//
|
|
|
|
// Consider adding the 1918 zones here, if they are not used in your
|
|
// organization
|
|
include "/etc/bind/zones.rfc1918";
|
|
|
|
root@Temple:~# vim /etc/bind/zones.rfc1918
|
|
root@Temple:~# cat /etc/bind/zones.rfc1918
|
|
zone "void.yt" {
|
|
type master;
|
|
file "db.void.yt";
|
|
allow-update { none; };
|
|
};
|
|
|
|
</code></pre>
|
|
<p>Here we want to setup a subdomain of void.yt so let's do it in the db.void.yt file:</p>
|
|
<pre><code class="nim">
|
|
$TTL 604800
|
|
@ IN SOA ns1.void.yt. void.yt. (
|
|
3 ; Serial
|
|
604800 ; Refresh
|
|
86400 ; Retry
|
|
2419200 ; Expire
|
|
604800 ) ; Negative Cache TTL
|
|
;
|
|
; name servers - NS records
|
|
3600 IN NS ns1.void.yt.
|
|
3600 IN NS ns2.void.yt.
|
|
|
|
; name servers - A records
|
|
ns1.void.yt. IN A 78.141.239.68
|
|
ns2.void.yt. IN A 45.76.133.0
|
|
|
|
; other hosts - A records
|
|
host1.void.yt. IN A 1.1.1.1
|
|
host2.void.yt. IN A 1.0.0.1
|
|
|
|
</code></pre>
|
|
<p>And now we restart the bind9 service, and test if we can resolve the host1.void.yt domain:</p>
|
|
<pre><code class="nim">
|
|
root@Temple:/etc/bind# systemctl restart bind9
|
|
root@Temple:/etc/bind# systemctl status bind9
|
|
● bind9.service - BIND Domain Name Server
|
|
Loaded: loaded (/etc/systemd/system/bind9.service; enabled; vendor preset: enabled)
|
|
Active: active (running) since Sun 2021-11-14 10:28:16 UTC; 51s ago
|
|
Docs: man:named(8)
|
|
Main PID: 3710 (named)
|
|
Tasks: 8 (limit: 4582)
|
|
Memory: 29.7M
|
|
CGroup: /system.slice/bind9.service
|
|
└─3710 /usr/sbin/named -f -u bind
|
|
|
|
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
|
|
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:7fd::1#53
|
|
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:1::53#53
|
|
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
|
|
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
|
|
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:dc3::35#53
|
|
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:500:2::c#53
|
|
Nov 14 10:28:16 Temple named[3710]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
|
|
Nov 14 10:28:16 Temple named[3710]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
|
|
Nov 14 10:28:16 Temple named[3710]: resolver priming query complete
|
|
|
|
</code></pre>
|
|
<p>To do that we use nslookup:</p>
|
|
<pre><code class="nim">
|
|
[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
|
|
→ nslookup host1.void.yt temple.void.yt
|
|
Server: temple.void.yt
|
|
Address: 78.141.239.68#53
|
|
|
|
Name: host1.void.yt
|
|
Address: 1.1.1.1
|
|
|
|
</code></pre>
|
|
<p>Now we fill in the db file for the rest of the hosts we need, i'll post my complete config just for reference:</p>
|
|
<pre><code class="nim">
|
|
root@Temple:/etc/bind# vim db.void.yt
|
|
root@Temple:/etc/bind# cat db.void.yt
|
|
$TTL 604800
|
|
@ IN SOA ns1.void.yt. void.yt. (
|
|
7 ; Serial INCREMENT THIS EVERYTIME YOU EDIT THE FILE !!!!!!!!
|
|
604800 ; Refresh
|
|
86400 ; Retry
|
|
2419200 ; Expire
|
|
604800 ) ; Negative Cache TTL
|
|
;
|
|
; name servers - NS records
|
|
3600 IN NS ns1.void.yt.
|
|
3600 IN NS ns2.void.yt.
|
|
|
|
; name servers - A records
|
|
ns1.void.yt. IN A 78.141.239.68
|
|
ns2.void.yt. IN A 45.76.133.0
|
|
|
|
; A records, public IPs
|
|
temple 3600 IN A 78.141.239.68
|
|
mail 3600 IN A 45.76.133.0
|
|
mail 3600 IN AAAA 2001:19f0:7402:2c6:5400:3ff:fea7:22a3
|
|
;void.yt
|
|
|
|
|
|
3600 IN MX 10 mail.void.yt.
|
|
3600 IN TXT "v=spf1 mx a:mail.void.yt -all"
|
|
_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt; fo=1"
|
|
|
|
autoconfig 3600 IN CNAME void.yt.
|
|
autodiscover 3600 IN CNAME void.yt.
|
|
|
|
asciinema 3600 IN CNAME void.yt.
|
|
blog 3600 IN CNAME void.yt.
|
|
chat 3600 IN CNAME void.yt.
|
|
cloud 3600 IN CNAME void.yt.
|
|
codimd 3600 IN CNAME void.yt.
|
|
cryptpad 3600 IN CNAME void.yt.
|
|
cyberchef 3600 IN CNAME void.yt.
|
|
ghostblog 3600 IN CNAME void.yt.
|
|
git 3600 IN CNAME void.yt.
|
|
gomez 3600 IN CNAME void.yt.
|
|
haste 3600 IN CNAME void.yt.
|
|
img 3600 IN CNAME void.yt.
|
|
irc 3600 IN CNAME void.yt.
|
|
jitsi 3600 IN CNAME void.yt.
|
|
kb 3600 IN CNAME void.yt.
|
|
kutt 3600 IN CNAME void.yt.
|
|
lady 3600 IN CNAME void.yt.
|
|
lain 3600 IN CNAME void.yt.
|
|
latex 3600 IN CNAME void.yt.
|
|
mind 3600 IN CNAME void.yt.
|
|
notes 3600 IN CNAME void.yt.
|
|
openproject 3600 IN CNAME void.yt.
|
|
pad 3600 IN CNAME void.yt.
|
|
privatebin 3600 IN CNAME void.yt.
|
|
pve 3600 IN CNAME void.yt.
|
|
routeur 3600 IN CNAME void.yt.
|
|
safe 3600 IN CNAME void.yt.
|
|
shells 3600 IN CNAME void.yt.
|
|
status 3600 IN CNAME void.yt.
|
|
sx 3600 IN CNAME void.yt.
|
|
test 3600 IN CNAME void.yt.
|
|
tube 3600 IN CNAME void.yt.
|
|
u 3600 IN CNAME void.yt.
|
|
www 3600 IN CNAME void.yt.
|
|
zabbix 3600 IN CNAME void.yt.
|
|
|
|
root@Temple:/etc/bind# systemctl restart bind9
|
|
root@Temple:/etc/bind# systemctl status bind9
|
|
● bind9.service - BIND Domain Name Server
|
|
Loaded: loaded (/etc/systemd/system/bind9.service; enabled; vendor preset: enabled)
|
|
Active: active (running) since Sun 2021-11-14 11:37:30 UTC; 2s ago
|
|
Docs: man:named(8)
|
|
Main PID: 18839 (named)
|
|
Tasks: 8 (limit: 4582)
|
|
Memory: 29.3M
|
|
CGroup: /system.slice/bind9.service
|
|
└─18839 /usr/sbin/named -f -u bind
|
|
|
|
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
|
|
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
|
|
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:1::53#53
|
|
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:2::c#53
|
|
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
|
|
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
|
|
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:500:200::b#53
|
|
Nov 14 11:37:30 Temple named[18839]: network unreachable resolving './NS/IN': 2001:7fd::1#53
|
|
Nov 14 11:37:30 Temple named[18839]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
|
|
Nov 14 11:37:30 Temple named[18839]: resolver priming query complete
|
|
|
|
</code></pre>
|
|
<p>Now, let's setup our secondary DNS server, first let's update the primary DNS server's zones.rfc1918 file as follows:</p>
|
|
<pre><code class="nim">
|
|
root@Temple:/etc/bind# vim /etc/bind/zones.rfc1918
|
|
root@Temple:/etc/bind# cat /etc/bind/zones.rfc1918
|
|
zone "void.yt" IN {
|
|
type master;
|
|
file "/etc/bind/db.void.yt";
|
|
allow-update { none; };
|
|
|
|
allow-transfer { 45.76.133.0; };
|
|
also-notify { 45.76.133.0; };
|
|
};
|
|
|
|
root@Temple:/etc/bind# systemctl restart bind9
|
|
|
|
</code></pre>
|
|
<p>In the allow-transfer and allow-notify parameters we put the public IP of our second DNS server. Next we restart bind9, and setup bind9 on the second server as a slave to our first server:</p>
|
|
<pre><code class="nim">
|
|
root@mail:~# apt install bind9 -y
|
|
root@mail:~# vim /etc/bind/named.conf.local
|
|
root@mail:~# cat /etc/bind/named.conf.local
|
|
//
|
|
// Do any local configuration here
|
|
//
|
|
|
|
// Consider adding the 1918 zones here, if they are not used in your
|
|
// organization
|
|
include "/etc/bind/zones.rfc1918";
|
|
|
|
root@mail:~# vim /etc/bind/zones.rfc1918
|
|
root@mail:~# cat /etc/bind/zones.rfc1918
|
|
zone "void.yt" {
|
|
type slave;
|
|
file "/etc/bind/db.void.yt";
|
|
masters {78.141.239.68;};
|
|
};
|
|
|
|
root@mail:~# vim /etc/bind/db.void.yt
|
|
root@mail:~# cat /etc/bind/db.void.yt
|
|
$TTL 604800
|
|
@ IN SOA ns2.void.yt void.yt. (
|
|
8 ; Serial INCREMENT THIS EVERYTIME YOU EDIT THE FILE !!!!!!!!
|
|
604800 ; Refresh
|
|
86400 ; Retry
|
|
2419200 ; Expire
|
|
604800 ) ; Negative Cache TTL
|
|
;
|
|
; name servers - NS records
|
|
IN NS ns1.void.yt.
|
|
IN NS ns2.void.yt.
|
|
|
|
; name servers - A records
|
|
ns1.void.yt. IN A 78.141.239.68
|
|
ns2.void.yt. IN A 45.76.133.0
|
|
|
|
; A records, public IPs
|
|
temple 3600 IN A 78.141.239.68
|
|
mail 3600 IN A 45.76.133.0
|
|
mail 3600 IN AAAA 2001:19f0:7402:2c6:5400:3ff:fea7:22a3
|
|
;void.yt
|
|
|
|
|
|
3600 IN MX 10 mail.void.yt.
|
|
3600 IN TXT "v=spf1 mx a:mail.void.yt -all"
|
|
_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt; fo=1"
|
|
|
|
autoconfig 3600 IN CNAME void.yt.
|
|
autodiscover 3600 IN CNAME void.yt.
|
|
|
|
asciinema 3600 IN CNAME void.yt.
|
|
blog 3600 IN CNAME void.yt.
|
|
chat 3600 IN CNAME void.yt.
|
|
cloud 3600 IN CNAME void.yt.
|
|
codimd 3600 IN CNAME void.yt.
|
|
cryptpad 3600 IN CNAME void.yt.
|
|
cyberchef 3600 IN CNAME void.yt.
|
|
ghostblog 3600 IN CNAME void.yt.
|
|
git 3600 IN CNAME void.yt.
|
|
gomez 3600 IN CNAME void.yt.
|
|
haste 3600 IN CNAME void.yt.
|
|
img 3600 IN CNAME void.yt.
|
|
irc 3600 IN CNAME void.yt.
|
|
jitsi 3600 IN CNAME void.yt.
|
|
kb 3600 IN CNAME void.yt.
|
|
kutt 3600 IN CNAME void.yt.
|
|
lady 3600 IN CNAME void.yt.
|
|
lain 3600 IN CNAME void.yt.
|
|
latex 3600 IN CNAME void.yt.
|
|
mind 3600 IN CNAME void.yt.
|
|
notes 3600 IN CNAME void.yt.
|
|
openproject 3600 IN CNAME void.yt.
|
|
pad 3600 IN CNAME void.yt.
|
|
privatebin 3600 IN CNAME void.yt.
|
|
pve 3600 IN CNAME void.yt.
|
|
routeur 3600 IN CNAME void.yt.
|
|
safe 3600 IN CNAME void.yt.
|
|
shells 3600 IN CNAME void.yt.
|
|
status 3600 IN CNAME void.yt.
|
|
sx 3600 IN CNAME void.yt.
|
|
test 3600 IN CNAME void.yt.
|
|
tube 3600 IN CNAME void.yt.
|
|
u 3600 IN CNAME void.yt.
|
|
|
|
www 3600 IN CNAME void.yt.
|
|
zabbix 3600 IN CNAME void.yt.
|
|
|
|
</code></pre>
|
|
<p></p>
|
|
<pre><code class="nim">
|
|
root@mail:/etc/bind# systemctl restart bind9
|
|
|
|
root@mail:/etc/bind# systemctl status bind9
|
|
● named.service - BIND Domain Name Server
|
|
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
|
|
Active: active (running) since Sun 2021-11-14 14:34:38 UTC; 1min 17s ago
|
|
Docs: man:named(8)
|
|
Main PID: 94005 (named)
|
|
Tasks: 5 (limit: 2340)
|
|
Memory: 17.8M
|
|
CPU: 46ms
|
|
CGroup: /system.slice/named.service
|
|
└─94005 /usr/sbin/named -f -u bind
|
|
|
|
Nov 14 14:34:38 mail named[94005]: running
|
|
Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: Transfer started.
|
|
Nov 14 14:34:38 mail named[94005]: transfer of 'void.yt/IN' from 78.141.239.68#53: connected using 45.76.133.0#53677
|
|
Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: transferred serial 9
|
|
Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: transfer: could not set file modification time of '/etc/bind/db.void.yt': permission denied
|
|
Nov 14 14:34:38 mail named[94005]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer status: success
|
|
Nov 14 14:34:38 mail named[94005]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer completed: 1 messages, 49 records, 1118 bytes, 0.001 secs (1118000 bytes/sec) (serial 9)
|
|
Nov 14 14:34:38 mail named[94005]: zone void.yt/IN: sending notifies (serial 9)
|
|
Nov 14 14:34:38 mail named[94005]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
|
|
Nov 14 14:34:38 mail named[94005]: resolver priming query complete
|
|
|
|
root@mail:/etc/bind# systemctl disable --now apparmor
|
|
root@mail:/etc/bind# chown bind:bind -R /etc/bind
|
|
|
|
root@mail:/etc/bind# systemctl restart bind9
|
|
root@mail:/etc/bind# systemctl status bind9
|
|
● named.service - BIND Domain Name Server
|
|
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
|
|
Active: active (running) since Sun 2021-11-14 14:39:17 UTC; 1s ago
|
|
Docs: man:named(8)
|
|
Main PID: 94210 (named)
|
|
Tasks: 4 (limit: 2340)
|
|
Memory: 14.1M
|
|
CPU: 29ms
|
|
CGroup: /system.slice/named.service
|
|
└─94210 /usr/sbin/named -f -u bind
|
|
|
|
Nov 14 14:39:17 mail named[94210]: running
|
|
Nov 14 14:39:17 mail named[94210]: zone void.yt/IN: Transfer started.
|
|
Nov 14 14:39:17 mail named[94210]: transfer of 'void.yt/IN' from 78.141.239.68#53: connected using 45.76.133.0#51509
|
|
Nov 14 14:39:17 mail named[94210]: zone void.yt/IN: transferred serial 9
|
|
Nov 14 14:39:17 mail named[94210]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer status: success
|
|
Nov 14 14:39:17 mail named[94210]: transfer of 'void.yt/IN' from 78.141.239.68#53: Transfer completed: 1 messages, 49 records, 1118 bytes, 0.004 secs (279500 bytes/sec) (serial 9)
|
|
Nov 14 14:39:17 mail named[94210]: zone void.yt/IN: sending notifies (serial 9)
|
|
Nov 14 14:39:17 mail named[94210]: dumping master file: /etc/bind/tmp-PF5Ud0HF2G: open: permission denied
|
|
Nov 14 14:39:17 mail named[94210]: resolver priming query complete
|
|
Nov 14 14:39:17 mail named[94210]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
|
|
|
|
</code></pre>
|
|
<p>And from there let's check if the domain name resolution works:</p>
|
|
<pre><code class="nim">
|
|
[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
|
|
→ nslookup ns1.void.yt temple.void.yt
|
|
Server: temple.void.yt
|
|
Address: 78.141.239.68#53
|
|
|
|
Name: ns1.void.yt
|
|
Address: 78.141.239.68
|
|
|
|
|
|
[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
|
|
→ nslookup ns2.void.yt temple.void.yt
|
|
Server: temple.void.yt
|
|
Address: 78.141.239.68#53
|
|
|
|
Name: ns2.void.yt
|
|
Address: 45.76.133.0
|
|
|
|
|
|
[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
|
|
→ nslookup ns2.void.yt mail.void.yt
|
|
Server: mail.void.yt
|
|
Address: 45.76.133.0#53
|
|
|
|
Name: ns2.void.yt
|
|
Address: 45.76.133.0
|
|
|
|
|
|
[ 10.66.66.2/32 ] [ /dev/pts/115 ] [~]
|
|
→ nslookup ns1.void.yt mail.void.yt
|
|
Server: mail.void.yt
|
|
Address: 45.76.133.0#53
|
|
|
|
Name: ns1.void.yt
|
|
Address: 78.141.239.68
|
|
|
|
</code></pre>
|
|
<p>Everything looks good, we can resolve domain names on both the master and slave DNS servers</p>
|
|
</div>
|
|
</div><!-- /row -->
|
|
</div> <!-- /container -->
|
|
</div><!-- /white -->
|
|
|
|
<div id="anon2">
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="col-lg-8 col-lg-offset-2">
|
|
<h2><b>Dynamic bind9 DNS setup</b></h2> </br> </br>
|
|
<p>Now for my current setup, i need my void.yt domain name to resolve a public IP that often changes, therefore i need a dynamic bind9 DNS setup for the A record of my void.yt domain. It is possible to set it up with bind9, so let's do it:</p>
|
|
<pre><code class="nim">
|
|
oot@Temple:/etc/bind# apt install bind9utils
|
|
root@Temple:/etc/bind# which ddns-confgen
|
|
/usr/sbin/ddns-confgen
|
|
|
|
|
|
root@Temple:/etc/bind# ddns-confgen -s void.yt
|
|
# To activate this key, place the following in named.conf, and
|
|
# in a separate keyfile on the system or systems from which nsupdate
|
|
# will be run:
|
|
key "ddns-key.void.yt" {
|
|
algorithm hmac-sha256;
|
|
secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
|
|
};
|
|
|
|
# Then, in the "zone" statement for the zone containing the
|
|
# name "void.yt", place an "update-policy" statement
|
|
# like this one, adjusted as needed for your preferred permissions:
|
|
update-policy {
|
|
grant ddns-key.void.yt name void.yt ANY;
|
|
};
|
|
|
|
# After the keyfile has been placed, the following command will
|
|
# execute nsupdate using this key:
|
|
nsupdate -k <<b></b>keyfile>
|
|
|
|
|
|
</code></pre>
|
|
|
|
<p>Now that's done, we follow the instructions that the command just output for us, starting with named.conf.local edit:</p>
|
|
<pre><code class="nim">
|
|
root@Temple:/etc/bind# vim /etc/bind/named.conf.local
|
|
root@Temple:/etc/bind# cat /etc/bind/named.conf.local
|
|
//
|
|
// Do any local configuration here
|
|
//
|
|
|
|
// Consider adding the 1918 zones here, if they are not used in your
|
|
// organization
|
|
include "/etc/bind/zones.rfc1918";
|
|
key "ddns-key.void.yt" {
|
|
algorithm hmac-sha256;
|
|
secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
|
|
};
|
|
|
|
</code></pre>
|
|
<p>Next, we setup the update-policy for our void.yt zone:</p>
|
|
<pre><code class="nim">
|
|
root@Temple:/etc/bind# vim zones.rfc1918
|
|
root@Temple:/etc/bind# cat zones.rfc1918
|
|
zone "void.yt" {
|
|
type master;
|
|
file "/etc/bind/db.void.yt";
|
|
|
|
allow-transfer { 45.76.133.0; };
|
|
also-notify { 45.76.133.0; };
|
|
|
|
update-policy {
|
|
grant ddns-key.void.yt name void.yt ANY;
|
|
};
|
|
};
|
|
|
|
root@Temple:/etc/bind# systemctl restart bind9
|
|
|
|
</code></pre>
|
|
<p>Now that's done, we're going to setup the dynamic DNS script on our client whose public IP is changing often:</p>
|
|
<pre><code class="nim">
|
|
root@home:~# which nsupdate
|
|
/usr/bin/nsupdate
|
|
|
|
root@home:~# vim /etc/ddnssupdate.key
|
|
root@home:~# cat /etc/ddnssupdate.key
|
|
key "ddns-key.void.yt" {
|
|
algorithm hmac-sha256;
|
|
secret "Rq7gXz4Hu0AZYun6iX/ypbGRcS9W6GHqJiqksEvM8Nw=";
|
|
};
|
|
|
|
root@home:~# cd /var/www/void.yt/
|
|
root@home:/var/www/void.yt# vim dyndns.sh
|
|
root@home:/var/www/void.yt# cat dyndns.sh
|
|
#!/bin/bash
|
|
|
|
#MYIP=$(dig +short myip.opendns.com @resolver1.opendns.com)
|
|
MYIP=$(curl ifconfig.me)
|
|
|
|
KEY=/etc/ddnsupdate.key
|
|
NS=ns1.void.yt
|
|
DOMAIN=void.yt.
|
|
ZONE=void.yt.
|
|
|
|
nsupdate -k $KEY -v <<b></b><<b></b> EOF
|
|
server $NS
|
|
zone $ZONE
|
|
update delete $DOMAIN A
|
|
update add $DOMAIN 30 A $MYIP
|
|
send
|
|
EOF
|
|
|
|
</code></pre>
|
|
<p>Now let's test it:</p>
|
|
<pre><code class="nim">
|
|
root@home:/var/www/void.yt# chattr -i /etc/resolv.conf
|
|
root@home:/var/www/void.yt# vim /etc/resolv.conf
|
|
root@home:/var/www/void.yt# cat /etc/resolv.conf
|
|
#nameserver 1.1.1.1
|
|
#nameserver 1.0.0.1
|
|
nameserver 78.141.239.68
|
|
nameserver 45.76.133.0
|
|
root@home:/var/www/void.yt# chattr +i /etc/resolv.conf
|
|
|
|
root@home:/var/www/void.yt# chmod +x dyndns.sh
|
|
root@home:/var/www/void.yt# ./dyndns.sh
|
|
% Total % Received % Xferd Average Speed Time Time Time Current
|
|
Dload Upload Total Spent Left Speed
|
|
100 14 100 14 0 0 89 0 --:--:-- --:--:-- --:--:-- 89
|
|
update failed: SERVFAIL
|
|
|
|
</code></pre>
|
|
<p>Now if you get this error, it probably means that the dns bind server does not have permissions to edit files in /etc/bind/, and rather has access to /var/lib/bind, so let's make those changes:</p>
|
|
<pre><code class="nim">
|
|
root@Temple:/etc/bind# vim /etc/bind/zones.rfc1918
|
|
root@Temple:/etc/bind# cat /etc/bind/zones.rfc1918
|
|
zone "void.yt" {
|
|
type master;
|
|
file "/var/lib/bind/db.void.yt";
|
|
|
|
allow-transfer { 45.76.133.0; };
|
|
also-notify { 45.76.133.0; };
|
|
|
|
update-policy {
|
|
grant ddns-key.void.yt name void.yt ANY;
|
|
};
|
|
};
|
|
|
|
root@Temple:/etc/bind# mv /etc/bind/db.void.yt /var/lib/bind/
|
|
root@Temple:/etc/bind# systemctl restart bind9
|
|
|
|
</code></pre>
|
|
<p>Now that's done, let's also do it on the secondary dns:</p>
|
|
<pre><code class="nim">
|
|
root@mail:~# vim /etc/bind/zones.rfc1918
|
|
root@mail:~# mv /etc/bind/db.void.yt /var/lib/bind/
|
|
root@mail:~# mv /etc/bind/db._domainkey.void.yt /var/lib/bind/
|
|
root@mail:~# systemctl restart bind9
|
|
|
|
</code></pre>
|
|
<p>Now that's done, let's test our dynamic dns script: </p>
|
|
<pre><code class="nim">
|
|
root@home:/var/www/void.yt# ./dyndns.sh
|
|
% Total % Received % Xferd Average Speed Time Time Time Current
|
|
Dload Upload Total Spent Left Speed
|
|
100 14 100 14 0 0 72 0 --:--:-- --:--:-- --:--:-- 72
|
|
root@home:/var/www/void.yt#
|
|
|
|
</code></pre>
|
|
<p>No error messages, so let's check if our script updated the the zone file as intended:</p>
|
|
<pre><code class="nim">
|
|
root@Temple:/etc/bind# cat /var/lib/bind/db.void.yt
|
|
$ORIGIN .
|
|
$TTL 604800 ; 1 week
|
|
void.yt IN SOA ns1.void.yt. void.yt. (
|
|
10 ; serial
|
|
604800 ; refresh (1 week)
|
|
86400 ; retry (1 day)
|
|
2419200 ; expire (4 weeks)
|
|
604800 ; minimum (1 week)
|
|
)
|
|
$TTL 3600 ; 1 hour
|
|
NS ns1.void.yt.
|
|
NS ns2.void.yt.
|
|
<b>$TTL 30 ; 30 seconds
|
|
A 92.148.147.119</b>
|
|
$ORIGIN void.yt.
|
|
$TTL 3600 ; 1 hour
|
|
_dmarc TXT "v=DMARC1; p=reject; rua=mailto:dmarc@void.yt; fo=1"
|
|
asciinema CNAME void.yt.
|
|
|
|
[...]
|
|
|
|
</code></pre>
|
|
<p>And it did! Now let's make sure our dynamic dns script runs every minute:</p>
|
|
<pre><code class="nim">
|
|
root@home:/var/www/void.yt# crontab -e
|
|
* * * * * "/var/www/void.yt/dyndns.sh"
|
|
|
|
root@home:/var/www/void.yt# cronitor select
|
|
|
|
✔ "/var/www/void.yt/dyndns.sh"
|
|
----► Running command: "/var/www/void.yt/dyndns.sh"
|
|
|
|
[+] updating ns1.void.yt:
|
|
|
|
----► ✔ Command successful Elapsed time 0.353s
|
|
|
|
</code></pre>
|
|
<p>Looks good! Now don't forget to edit the options file for your secondary dns server:</p>
|
|
<pre><code class="nim">
|
|
root@mail:~# vim /etc/bind/named.conf.options
|
|
root@mail:~# cat /etc/bind/named.conf.options
|
|
|
|
options {
|
|
directory "/var/cache/bind";
|
|
dnssec-validation auto;
|
|
|
|
listen-on-v6 { any; };
|
|
listen-on { any; };
|
|
|
|
allow-query { any; };
|
|
|
|
forwarders {
|
|
1.1.1.1;
|
|
1.0.0.1;
|
|
};
|
|
};
|
|
root@mail:~# systemctl restart bind9
|
|
|
|
</code></pre>
|
|
<p>And that's it! We managed to setup 2 DNS servers using bind9 with a master-slave configuration along with dynamic DNS. Now if you want your DNS servers to propagate, you will have to wait:</p>
|
|
<img src="1.png" class="imgRz">
|
|
<p>You can check the status of the DNS propagation on <a href="https://www.dnstester.net/">this</a> website:</p>
|
|
<img src="2.png" class="imgRz">
|
|
<p>As you can see, none of the major DNS servers around the world are aware of my ns1.void.yt record, therefore i need to wait for my dns record to propagate (by setting the DNS server as the DNS servers for a particular domain, on a registrar):</p>
|
|
|
|
|
|
</div>
|
|
</div><!-- /row -->
|
|
</div> <!-- /container -->
|
|
</div><!-- /white -->
|
|
|
|
|
|
<!-- +++++ Second Post +++++ -->
|
|
<div id="anon1">
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="col-lg-8 col-lg-offset-2">
|
|
<h2><b>DNSSEC Setup</b></h2> </br> </br>
|
|
<p>Once your dns records have propagated we can setup DNSSEC:</p>
|
|
<pre><code class="nim">
|
|
root@mail-gw:~# vim /etc/bind/named.conf.options
|
|
root@mail-gw:~# cat /etc/bind/named.conf.options
|
|
options {
|
|
directory "/var/cache/bind";
|
|
|
|
//dnssec-validation yes;
|
|
//dnssec-enable yes;
|
|
//dnssec-lookaside auto; //since debian 12 these are no longer needed
|
|
|
|
listen-on-v6 { any; };
|
|
listen-on { any; };
|
|
allow-query { any; };
|
|
forwarders {
|
|
1.1.1.1;
|
|
1.0.0.1;
|
|
};
|
|
};
|
|
|
|
</code></pre>
|
|
<p>Then generate the DNS keys for your domain:</p>
|
|
<pre><code class="nim">
|
|
root@mail-gw:~# cd /var/cache/bind
|
|
root@mail-gw:/var/cache/bind# dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE nowhere.moe
|
|
Generating key pair...................+++++ ..................................................................................................................+++++
|
|
Knowhere.moe.+007+54398
|
|
root@mail-gw:/var/cache/bind# dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE nowhere.moe
|
|
Generating key pair........................................................................++++ .....................++++
|
|
Knowhere.moe.+007+44145
|
|
|
|
</code></pre>
|
|
<p>then create the zone file:</p>
|
|
<pre><code class="nim">
|
|
root@mail-gw:/var/cache/bind# for key in `ls Knowhere.moe*.key`; do echo "\$INCLUDE $key">> nowhere.moe.zone; done
|
|
root@mail-gw:/var/cache/bind# cat nowhere.moe.zone
|
|
$INCLUDE Knowhere.moe.+007+44145.key
|
|
$INCLUDE Knowhere.moe.+007+54398.key
|
|
|
|
</code></pre>
|
|
<p>Then sign the zone with the dnssec-signzone command:</p>
|
|
<pre><code class="nim">
|
|
root@mail-gw:/var/cache/bind# for key in `ls Knowhere.moe*.key`; do echo "\$INCLUDE $key">> nowhere.moe.zone; done
|
|
root@mail-gw:/var/cache/bind# cat nowhere.moe.zone
|
|
$INCLUDE Knowhere.moe.+007+44145.key
|
|
$INCLUDE Knowhere.moe.+007+54398.key
|
|
root@mail-gw:/var/cache/bind# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t nowhere.moe.zone
|
|
<!--root@mail-gw:/var/cache/bind# dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t nowhere.moe.zone-->
|
|
|
|
dnssec-signzone: warning: Knowhere.moe.+007+44145.key:5: no TTL specified; zone rejected
|
|
dnssec-signzone: fatal: failed loading zone from 'nowhere.moe.zone': no ttl
|
|
|
|
</code></pre>
|
|
<p>if you get the no ttl error like me, regen the keys with the TTL thanks to the -L flag:</p>
|
|
<pre><code class="nim">
|
|
|
|
root@mail-gw:/var/cache/bind# dnssec-keygen -L 3600 -a NSEC3RSASHA1 -b 2048 -n ZONE nowhere.moe
|
|
Generating key pair.........................................+++++ .......+++++
|
|
Knowhere.moe.+007+35034
|
|
|
|
root@mail-gw:/var/cache/bind# dnssec-keygen -L 3600 -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE nowhere.moe
|
|
Generating key pair......++++ ..................................................................................................................................................................++++
|
|
Knowhere.moe.+007+23388
|
|
|
|
root@mail-gw:/var/cache/bind# for key in `ls Knowhere.moe*.key`; do echo "\$INCLUDE $key">> nowhere.moe.zone; done
|
|
|
|
root@mail-gw:/var/cache/bind# cat nowhere.moe.zone
|
|
|
|
$INCLUDE Knowhere.moe.+007+23388.key
|
|
$INCLUDE Knowhere.moe.+007+35034.key
|
|
|
|
root@mail-gw:/var/cache/bind# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe
|
|
dnssec-signzone: warning: db.nowhere.moe:17: TTL set to prior TTL (3600)
|
|
dnssec-signzone: fatal: No signing keys specified or found.
|
|
|
|
root@mail-gw:/var/cache/bind# cat nowhere.moe.zone >> db.nowhere.moe
|
|
|
|
<!--root@mail-gw:/var/cache/bind# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe-->
|
|
root@mail-gw:/var/cache/bind# dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe
|
|
|
|
dnssec-signzone: warning: db.nowhere.moe:17: TTL set to prior TTL (3600)
|
|
Verifying the zone using the following algorithms:
|
|
- NSEC3RSASHA1
|
|
Zone fully signed:
|
|
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
|
|
ZSKs: 1 active, 0 stand-by, 0 revoked
|
|
db.nowhere.moe.signed
|
|
Signatures generated: 51
|
|
Signatures retained: 0
|
|
Signatures dropped: 0
|
|
Signatures successfully verified: 0
|
|
Signatures unsuccessfully verified: 0
|
|
Signing time in seconds: 0.068
|
|
Signatures per second: 750.000
|
|
Runtime in seconds: 0.076
|
|
|
|
</code></pre>
|
|
<p>If it gives you further errors, debug it here https://dnsviz.net/d/nowhere.moe/dnssec/:</p>
|
|
<p>Then we continue:</p>
|
|
<pre><code class="nim">
|
|
root@mail-gw:/var/cache/bind# vim /etc/bind/named.conf.local
|
|
root@mail-gw:/var/cache/bind# cat /etc/bind/named.conf.local
|
|
zone "nowhere.moe" {
|
|
type master;
|
|
file "db.nowhere.moe.signed";
|
|
allow-update { none; };
|
|
};
|
|
|
|
</code></pre>
|
|
<p>Then restart bind9:</p>
|
|
<pre><code class="nim">
|
|
root@mail-gw:/var/cache/bind# systemctl restart bind9
|
|
root@mail-gw:/var/cache/bind# systemctl status bind9
|
|
* named.service - BIND Domain Name Server
|
|
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
|
|
Active: active (running) since Fri 2022-09-30 19:58:12 CEST; 3s ago
|
|
Docs: man:named(8)
|
|
Main PID: 42611 (named)
|
|
Tasks: 4 (limit: 507)
|
|
Memory: 7.8M
|
|
CPU: 19ms
|
|
CGroup: /system.slice/named.service
|
|
`-42611 /usr/sbin/named -f -u bind
|
|
|
|
Sep 30 19:58:12 mail-gw named[42611]: zone 127.in-addr.arpa/IN: loaded serial 1
|
|
Sep 30 19:58:12 mail-gw named[42611]: zone localhost/IN: loaded serial 2
|
|
Sep 30 19:58:12 mail-gw named[42611]: zone nowhere.moe/IN: sig-re-signing-interval less than 3 * refresh.
|
|
Sep 30 19:58:12 mail-gw named[42611]: zone nowhere.moe/IN: loaded serial 18 (DNSSEC signed)
|
|
Sep 30 19:58:12 mail-gw named[42611]: all zones loaded
|
|
Sep 30 19:58:12 mail-gw named[42611]: running
|
|
Sep 30 19:58:12 mail-gw named[42611]: zone nowhere.moe/IN: sending notifies (serial 18)
|
|
Sep 30 19:58:12 mail-gw named[42611]: client @0x7fad306d5130 23.137.250.141#48501 (nowhere.moe): transfer of 'nowhere.moe/IN': IXFR version not in journal, falling back to AXFR
|
|
Sep 30 19:58:12 mail-gw named[42611]: client @0x7fad306d5130 23.137.250.141#48501 (nowhere.moe): transfer of 'nowhere.moe/IN': AXFR-style IXFR started (serial 18)
|
|
Sep 30 19:58:12 mail-gw named[42611]: client @0x7fad306d5130 23.137.250.141#48501 (nowhere.moe): transfer of 'nowhere.moe/IN': AXFR-style IXFR ended: 2 messages, 104 records, 19335 bytes, 0.001 secs (19335000 bytes/sec) (serial 18)
|
|
</code></pre>
|
|
<!--<p>https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2 next is a DS record to add to the registrar ???</p>-->
|
|
<p>So from now on when you want to edit your zone, you will need to first edit the db file and then run the dnssign command: </p>
|
|
<pre><code class="nim">
|
|
root@mail-gw:/var/cache/bind# vim db.nowhere.moe
|
|
|
|
root@mail-gw:/var/cache/bind# dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe
|
|
<!--root@mail-gw:/var/cache/bind# dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe-->
|
|
dnssec-signzone: warning: db.nowhere.moe:17: TTL set to prior TTL (3600)
|
|
Verifying the zone using the following algorithms:
|
|
- NSEC3RSASHA1
|
|
Zone fully signed:
|
|
Algorithm: NSEC3RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
|
|
ZSKs: 1 active, 0 stand-by, 0 revoked
|
|
db.nowhere.moe.signed
|
|
Signatures generated: 53
|
|
Signatures retained: 0
|
|
Signatures dropped: 0
|
|
Signatures successfully verified: 0
|
|
Signatures unsuccessfully verified: 0
|
|
Signing time in seconds: 0.068
|
|
Signatures per second: 779.411
|
|
Runtime in seconds: 0.080
|
|
|
|
root@mail-gw:/var/cache/bind# systemctl restart bind9
|
|
|
|
root@mail-gw:/var/cache/bind# systemctl status bind9
|
|
* named.service - BIND Domain Name Server
|
|
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
|
|
Active: active (running) since Sat 2022-10-01 10:37:34 CEST; 1s ago
|
|
Docs: man:named(8)
|
|
Main PID: 45909 (named)
|
|
Tasks: 4 (limit: 507)
|
|
Memory: 7.8M
|
|
CPU: 21ms
|
|
CGroup: /system.slice/named.service
|
|
`-45909 /usr/sbin/named -f -u bind
|
|
|
|
</code></pre>
|
|
<p>Now when we test the dnssec to our bindserver we see the following:</p>
|
|
<pre><code class="nim">
|
|
[ 10.0.0.10/16 ] [ nowhere ] [~]
|
|
→ dig @23.137.250.140 stream.nowhere.moe. A +dnssec +multiline
|
|
|
|
; <<>> DiG 9.18.4-2-Debian <<>> @23.137.250.140 stream.nowhere.moe. A +dnssec +multiline
|
|
; (1 server found)
|
|
;; global options: +cmd
|
|
;; Got answer:
|
|
;; ->>HEADER<<<b></b>- opcode: QUERY, status: NOERROR, id: 52175
|
|
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
|
|
|
|
;; OPT PSEUDOSECTION:
|
|
; EDNS: version: 0, flags: do; udp: 1232
|
|
; COOKIE: bb834e65ec1896a601000000633c65914ff2b9c6c7b43b1d (good)
|
|
;; QUESTION SECTION:
|
|
;stream.nowhere.moe. IN A
|
|
|
|
;; ANSWER SECTION:
|
|
stream.nowhere.moe. 604800 IN CNAME web-gw.nowhere.moe.
|
|
stream.nowhere.moe. 604800 IN RRSIG CNAME 7 3 604800 (
|
|
20221103152726 20221004152726 35034 nowhere.moe.
|
|
qIu/a2pi8e52tLqNBmCbeFHGK3TkQLquJNcziCoCYlQY
|
|
qOOFiXisOz7sg05uWxvX04kKofQyuUb9X/+e20r28WUe
|
|
gAhS1LJWE9BfBHfq/iQBXX4yWLTTYMqyjDyW56RUX7Z9
|
|
zJs46TJB983ggZ1VwAJOifDGvl4vYSld/XeFy0EQy62G
|
|
3Etq9GZe+O5ZEKsuYA+9RGockq/TwwLn6ibZfst172xt
|
|
B/uKxmX+J3gcBzeGp1wwGd07UdlxaLyniQ41DSYmdTdD
|
|
jECbxVQRvMnC1MhD8nYsmhm/YroKXeQpMX7ugJD1ZomY
|
|
A7/ofGO6asXTGY2V3JxiITop0nKlfSlLbA== )
|
|
web-gw.nowhere.moe. 604800 IN A 23.137.250.141
|
|
web-gw.nowhere.moe. 604800 IN RRSIG A 7 3 604800 (
|
|
20221103152726 20221004152726 35034 nowhere.moe.
|
|
hlE0hXZiU9/LnSKghK3OKMxIbrrimFqF0HfHJubzQ50U
|
|
f9g3m9bZJeANu4iJHCmPR1TVJUp0qYxUTRb815kWGKIq
|
|
DHUNErDN+WhZoTBMT8jzdX8kntKFnd8+N/d/gjQ91Oxp
|
|
MOGf2V1fAu0wnvVZGzn6PGmQfb1vsZ3pskmTd5bz/A1g
|
|
nPoT3MXYWQol8x8h9bYdBwwz/cmbHbeZ2s8NIgFj/F46
|
|
cciq3lIs6HDmmYzE50TQ5YApCyHDYSM7gu/u/O/4pxAP
|
|
55Fo5qtkZQCMoRtcRJh+GG5X7W2onoi4zICAZXpD5L6z
|
|
IaBl++bwjDaSIOiAsV2j+gRGETtUQ4Ef4w== )
|
|
|
|
;; Query time: 23 msec
|
|
;; SERVER: 23.137.250.140#53(23.137.250.140) (UDP)
|
|
;; WHEN: Tue Oct 04 18:56:01 CEST 2022
|
|
;; MSG SIZE rcvd: 725
|
|
|
|
</pre></code>
|
|
<p>for simplicity sake i have this script to automate the signing of the dns zone file, the checking of it and the restarting of the service in one script:</p>
|
|
<pre><code class="nim">
|
|
root@mail-gw:/var/cache/bind# cat restartdns.sh
|
|
|
|
#!/bin/bash
|
|
|
|
# check the zone for errors:
|
|
named-checkzone nowhere.moe db.nowhere.moe
|
|
|
|
# sign it:
|
|
dnssec-signzone -AA -n 3 -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N INCREMENT -o nowhere.moe -t db.nowhere.moe
|
|
|
|
#restart bind9
|
|
systemctl restart bind9
|
|
|
|
#check bind9 status
|
|
systemctl status bind9
|
|
|
|
</pre></code>
|
|
<p>updated restartdns.sh script: (thanks to Notorious from notlean.net)</p>
|
|
<pre><code class="nim">
|
|
|
|
1) updated algorythms to avoid errors <b>https://dnsviz.net/d/nowhere.moe/dnssec/ </b>
|
|
|
|
dnssec-keygen -L 3600 -a ECDSAP256SHA256 -b 2048 -n ZONE notlean.net
|
|
dnssec-keygen -L 3600 -f KSK -a ECDSAP256SHA256 -b 2048 -n ZONE notlean.net
|
|
for key in `ls Knotlean.net*.key`; do echo "\$INCLUDE $key">> notlean.net.zone; done
|
|
cat notlean.net.zone >> forward.notlean.net.db
|
|
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o notlean.net -t forward.notlean.net.db
|
|
rndc reload
|
|
systemctl status named
|
|
|
|
|
|
2) cat restartdns.sh
|
|
|
|
#!/bin/bash
|
|
|
|
set -eu
|
|
|
|
# Bnd Path
|
|
ZONE_PATH="/var/cache/bind/notorious"
|
|
|
|
# Domain name
|
|
ZONE_NAME="notlean.net"
|
|
|
|
# Bind zone file name
|
|
ZONE_FILE="forward.notlean.net.db"
|
|
|
|
# Generate NSEC3 salt
|
|
NSEC3_SALT=$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)
|
|
|
|
# Go to zone path
|
|
pushd $ZONE_PATH
|
|
|
|
# Verify zone and check for errors
|
|
echo "Chcking zone errors for $ZONE_NAME ..."
|
|
if ! named-checkzone $ZONE_NAME $ZONE_FILE; then
|
|
echo "Error during zonbe checking. Verify the file."
|
|
exit 1
|
|
fi
|
|
|
|
# Signing zone DNSSEC
|
|
echo "Signing zone file for $ZONE_NAME..."
|
|
dnssec-signzone -A -3 $NSEC3_SALT -N INCREMENT -o $ZONE_NAME -t $ZONE_FILE
|
|
|
|
# Restart BIND9
|
|
echo "Restart BIND9..."
|
|
rndc reload
|
|
|
|
# Check bind status
|
|
echo "Vérification du statut de BIND9..."
|
|
systemctl status bind9
|
|
|
|
# Back to local dir
|
|
popd
|
|
|
|
echo "Execution end"
|
|
|
|
</pre></code>
|
|
<!--<p>However when we test it on another dns server it is supposed to propagate we see the following error:</p>
|
|
<pre><code class="nim">
|
|
[ 10.0.0.10/16 ] [ nowhere ] [~]
|
|
→ dig @1.1.1.1 stream.nowhere.moe. A +dnssec +multiline
|
|
|
|
; <<>> DiG 9.18.4-2-Debian <<>> @1.1.1.1 stream.nowhere.moe. A +dnssec +multiline
|
|
; (1 server found)
|
|
;; global options: +cmd
|
|
;; Got answer:
|
|
;; ->>HEADER<<<b></b>- opcode: QUERY, status: SERVFAIL, id: 9695
|
|
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
|
|
|
|
;; OPT PSEUDOSECTION:
|
|
; EDNS: version: 0, flags: do; udp: 1232
|
|
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for nowhere.moe.)
|
|
;; QUESTION SECTION:
|
|
;stream.nowhere.moe. IN A
|
|
|
|
;; Query time: 243 msec
|
|
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
|
|
;; WHEN: Tue Oct 04 18:56:08 CEST 2022
|
|
;; MSG SIZE rcvd: 108
|
|
|
|
</pre></code>-->
|
|
<!-- https://www.fatalerrors.org/a/0dVy0zo.html#dnssec to complete dnssec-->
|
|
|
|
</div>
|
|
</div><!-- /row -->
|
|
</div> <!-- /container -->
|
|
</div><!-- /white -->
|
|
|
|
<!-- +++++ Footer Section +++++ -->
|
|
|
|
<div id="anonb">
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="col-lg-4">
|
|
<h4>Nihilism</h4>
|
|
<p>
|
|
Until there is Nothing left.
|
|
|
|
</p>
|
|
</div><!-- /col-lg-4 -->
|
|
|
|
<div class="col-lg-4">
|
|
<h4>My Links</h4>
|
|
<p>
|
|
|
|
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://matrix.to/#/#nowheremoe:nowhere.moe">Matrix Chat</a><br/>
|
|
|
|
</p>
|
|
</div><!-- /col-lg-4 -->
|
|
|
|
<div class="col-lg-4">
|
|
<h4>About nihilist</h4>
|
|
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br><p><u>Contact:</u> nihilist@nowhere.moe (<a href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
|
|
</div><!-- /col-lg-4 -->
|
|
|
|
</div>
|
|
|
|
</div>
|
|
</div>
|
|
|
|
|
|
<!-- Bootstrap core JavaScript
|
|
================================================== -->
|
|
<!-- Placed at the end of the document so the pages load faster -->
|
|
|
|
</body>
|
|
</html>
|