SFScon 22 - Dashamir Hoxha - Manage your own DNS.pdf
0 likes39 views
The document provides a detailed guide on managing DNS records for a purchased domain without relying on a domain seller's nameservers. It explains the process of setting up and configuring both primary and secondary nameservers, including how to modify records and troubleshoot issues. The presentation also covers migrating the primary nameserver and updating configurations for maintained domains.
![DNS Setup: Make sure that port 53 is free
The NSD container needs access to the port 53 of the host: lsof -i :53
We should prevent systemd-resolved from using port 53:
1. Edit /etc/systemd/resolved.conf:
[Resolve]
DNS=8.8.8.8
DNSStubListener=no
. . . . .
2. Create a symbolic link:
ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
3. Reboot the system
4. Check that port 53 is now free: lsof -i :53
5. Try again: ds make](https://image.slidesharecdn.com/dashamirhoxha-manageyourowndns-221117101652-6205422d/85/SFScon-22-Dashamir-Hoxha-Manage-your-own-DNS-pdf-8-320.jpg)
SFScon 22 - Dashamir Hoxha - Manage your own DNS.pdf
- 1. SFScon 2022 Manage your own DNS Dashamir Hoxha dashohoxha@gmail.com
- 2. How to manage your own DNS When you purchase a domain, the seller of the domain usually offers the possibility to manage the DNS records of this domain from a web interface. In this case you are using their nameservers. However it is also possible to manage your domains yourself, and it is not too difficult. In this presentation I will show how I do it.
- 3. How DNS works Let’s see how a client (browser) finds the IP for cloud.example.org ➢ Contact a root nameserver and ask it which servers are responsible for managing the top-level domain .org ➢ From the query on the first step the client gets a list of the servers responsible for the domain .org, it can ask any of them for the servers that are responsible for the subdomain example.org ➢ From the query on the previous step it will get a list of nameservers for the domain example.org, for example: ○ ns1.example.org ○ ns2.example.org ➢ Ask any of these nameservers for the IP of the server cloud.example.org
- 4. How DNS works Let’s try these steps manually for the domain ocw.fs.al 1. Get the root nameservers: dig NS . dig NS . +short m.root-servers.net. b.root-servers.net. c.root-servers.net. . . . . . 2. Get the nameservers of .al: dig NS al @m.root-servers.net. dig NS al +short rip.psg.com. nsx.nic.al. ns1.nic.al. munnari.oz.au. 3. Get the nameservers of .fs.al: dig NS fs.al @nsx.nic.al. dig NS fs.al +short puck.nether.net. ns0.1984.is. ns2.afraid.org. 4. Get the address of ocw.fs.al: dig A ocw.fs.al +short 5.45.111.246
- 5. Keeping nameservers synchronized ★ All the public nameservers get their records from the primary NS, which is hidden behind a firewall. ★ Only secondary NSs answer queries from the clients, not the primary. ★ When there are any changes on the records of the primary NS, it sends a notification to the secondary ones. ★ Secondary nameservers send a synchronization request (AXFR) to the primary one ★ Upon receiving the list of new records, they replace the old list of records with the new one.
- 6. DNS Setup: Find secondary NS services Instead of building and maintaining our own secondary nameservers, we can use services that are available either for free or for a small price. ● https://www.buddyns.com/activation/ ● https://1984hosting.com/product/freedns/ ● https://puck.nether.net/dns/ ● https://freedns.afraid.org/ Note: The "primary/secondary" nameservers are also called "master/slave".
- 7. DNS Setup: Install the primary nameserver The primary nameserver will be installed in an NSD container. 1. Install docker-scripts: apt install git make m4 highlight git clone https://gitlab.com/docker-scripts/ds /opt/docker-scripts/ds cd /opt/docker-scripts/ds/ make install 2. Install an NSD container: ds pull nsd ds init nsd @nsd cd /var/ds/nsd/ vim settings.sh ds make
- 8. DNS Setup: Make sure that port 53 is free The NSD container needs access to the port 53 of the host: lsof -i :53 We should prevent systemd-resolved from using port 53: 1. Edit /etc/systemd/resolved.conf: [Resolve] DNS=8.8.8.8 DNSStubListener=no . . . . . 2. Create a symbolic link: ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf 3. Reboot the system 4. Check that port 53 is now free: lsof -i :53 5. Try again: ds make
- 9. DNS Setup: Customize secondary nameservers On settings.sh, edit the constants SECONDARY_NS and AXFR_SERVERS. Then run again: ds make SECONDARY_NS=" ns0.1984.is puck.nether.net ns2.afraid.org " AXFR_SERVERS=" 93.95.224.6 204.42.254.5 69.65.50.192 108.61.224.67 116.203.6.3 . . . . . “
- 10. Manage domains: Add a domain Let’s say that we have purchased the domain example.org 1. Set the nameservers of the domain (what is on SECONDARY_NS): ns0.1984.is puck.nether.net ns2.afraid.org 2. Add the domain to each secondary NS service https://www.buddyns.com/ https://1984.hosting/product/freedns/ https://puck.nether.net/dns https://freedns.afraid.org/secondary/ 3. Add a zone on the primary nameserver: cd /var/ds/nsd/ ds zone add example.org
- 11. Manage domains: Modify DNS records 1. Edit zones/example.org.db and modify the records: cd /var/ds/nsd/ vim zones/example.org.db 2. Don’t forget to change the serial number too: 2022061901 ; serial 3. Notify the secondary nameservers that there are some updates: ds notify Alternatively, a ds restart will also reload the zones and send notifications to the secondary nameservers.
- 12. Manage domains: Remove a domain 1. Remove it from each secondary nameserver service. 2. Remove its configuration on the primary server: cd /var/ds/nsd/ ds zone rm example.org 3. Alternatively, disable its configuration: ds zone dis example.org
- 13. Troubleshooting 1. We can make some simple checks and tests like this: ds check --config ds check --zones 2. To check the AXFR response for a domain: ds zone test example.org It will actually list all the records that will be sent to a secondary nameserver. 3. For further troubleshooting, we can get a shell inside the container and try commands like these: systemctl restart nsd systemctl status nsd tail /var/log/syslog -n 30 dig @localhost AXFR example.org ufw status
- 14. Maintenance: Migrate the primary nameserver To migrate the container of the primary nameserver to another host: 1. Transfer (with scp or rsync) the content of /var/ds/nsd/ from the old host to the new one. 2. On the new host, rebuild the container: ds pull nsd cd /var/ds/nsd/ ds make 3. The public IP of the master nameserver has been changed (to the IP of the new host), so we should update it on the configuration of each secondary nameserver, for each domain. 4. Replace the old IP with the new one on each zone file as well, then update the serial numbers and notify the secondary nameservers.
- 15. Maintenance: Modify secondary nameservers If you need to modify the list of secondary nameservers, for example add ns1.1984.is on the list, or remove one from the list, you should also make sure to update these things: 1. For each domain that you manage, go to the website of the provider of the domain and update the list of the nameservers. 2. If you are adding a new secondary nameserver, go to the website of the nameserver and make sure that you add there all the domains that you manage, along with the public IP of the primary nameserver. 3. On the primary nameserver, update settings.sh accordingly and then run ds make to update the configuration files.
- 16. Thank you for your attention! Any questions or comments? ➔ Dashamir Hoxha (dashohoxha@gmail.com) ➔ https://docker-scripts.gitlab.io/dns.html (Tutorial) ➔ https://events.fs.al/event/8/registrations/ (Workshop) Tutorial: Workshop: