computing:bind9dns

Differences

This shows you the differences between two versions of the page.

computing:bind9dns [2025/12/28 05:42] oemb1905
computing:bind9dns [2025/12/28 08:43] (current) oemb1905
Line 29: Line 29:
   * Configuring your Registrar's GLUE records, i.e., registering and pointing nameservers   * Configuring your Registrar's GLUE records, i.e., registering and pointing nameservers
  
-This tutorial presumes you already have working and sufficiently hardened VM/VPS with LAMP stack and access to PTR for three different external IPs. If you don't know what some or all of that is, take a step back and start with [[https://wiki.haacksnetworking.org/doku.php?id=computing:apachesurvival|Apache Survival]] before proceeding. If you feel comfortable so far, and you have three different VMs/VPSs setup and ready, well then carry on. +This tutorial presumes you already have three working and sufficiently hardened VMs/VPSs with LAMP stacks and access to PTR for each of the three different external IPs they leverage, six if you include IPv6. If you don't know what some or all of that is, take a step back and start with [[https://wiki.haacksnetworking.org/doku.php?id=computing:apachesurvival|Apache Survival]] before proceeding. If you feel comfortable so far, and you have three different VMs/VPSs setup and ready, well then carry on. 
  
 ------------------------------------------- -------------------------------------------
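Review bot: the revised prerequisite sentence is clearer on the number of hosts, but "access to PTR for each of the three different external IPs they leverage, six if you include IPv6" reads as if PTR were a service and as if six machines were needed; suggest "and the ability to set reverse (PTR) records for each host's external IPv4 address, and for its IPv6 address too if you use one".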
Line 186: Line 186:
 </code> </code>
  
-Now that the family and cat website zone is created, we need to establish its DNS records again as well:+Now that the family and cat website zone is re-created, we can now establish its DNS records in the zone record file in ''/var/cache/bind/db.felinefantasy.club'' as follows:
  
 <code bash>$TTL 86400 <code bash>$TTL 86400
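Review bot: the new sentence doubles "now" ("Now that ... is re-created, we can now establish"); drop the second one. It would also help to say why the zone file lives under /var/cache/bind rather than /etc/bind: on Debian that is the directory the AppArmor profile lets named write to, which matters once dnssec-signzone output and later inline signing create files beside it.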
Line 240: Line 240:
 At this point, we're still dealing strictly with bind9 and have not setup webmin or the automated clustering features. We will do that soon, but there's still one thing we need to cover how to do on the command line and that's DNSSEC. Below, let's create keys in the proper directory (mind this) and then sign them: At this point, we're still dealing strictly with bind9 and have not setup webmin or the automated clustering features. We will do that soon, but there's still one thing we need to cover how to do on the command line and that's DNSSEC. Below, let's create keys in the proper directory (mind this) and then sign them:
  
 +<code bash>
 cd /var/cache/bind cd /var/cache/bind
 dnssec-keygen -a ED25519 -b 256 -n ZONE haacksnetworking.com dnssec-keygen -a ED25519 -b 256 -n ZONE haacksnetworking.com
Line 245: Line 246:
 SALT=$(openssl rand -hex 8) SALT=$(openssl rand -hex 8)
 dnssec-signzone -S -K /var/cache/bind -A -3 $SALT -N INCREMENT -o haacksnetworking.com -t db.haacksnetworking.com dnssec-signzone -S -K /var/cache/bind -A -3 $SALT -N INCREMENT -o haacksnetworking.com -t db.haacksnetworking.com
 +</code>
  
 You can of course just run the ''openssl'' salt generation command by itself and manually insert the value, but someone had this online and I thought it was cool to share, whereby it creates a variable called SALT and then populates it into the subsequent command. Hilarious, and entirely not needed, but super fun. Once this is done, you've built the keys, you've signed the domain with them, and now you need to change the ''named'' entry to reflect the signed zone instead, and then finally update your registrar with the key and key values that you chose. First, let's update ''nano /etc/bind/named.conf.local'' with the signed record file location, for which I am using the ''felinefantasy.club'' zone record as an example, but this would apply to whatever zone you signed: You can of course just run the ''openssl'' salt generation command by itself and manually insert the value, but someone had this online and I thought it was cool to share, whereby it creates a variable called SALT and then populates it into the subsequent command. Hilarious, and entirely not needed, but super fun. Once this is done, you've built the keys, you've signed the domain with them, and now you need to change the ''named'' entry to reflect the signed zone instead, and then finally update your registrar with the key and key values that you chose. First, let's update ''nano /etc/bind/named.conf.local'' with the signed record file location, for which I am using the ''felinefantasy.club'' zone record as an example, but this would apply to whatever zone you signed:
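Review bot: three things in the newly fenced keygen/signzone block. `-b 256` does nothing for ED25519 (the key size is fixed by the algorithm), so drop it rather than imply the size is a choice. `-A` turns on NSEC3 opt-out, which only makes sense for large zones with many unsigned delegations; on a small zone it leaves insecure delegations outside the NSEC3 chain, so omit it. The salt trick is harmless, but RFC 9276 recommends an empty salt and zero iterations because salting adds no security, i.e. `-3 - -H 0`. The prose should also say that dnssec-signzone output expires (the RRSIGs shown later in this diff run 20251224 to 20260123, the 30-day default), so either re-sign on a schedule before that window closes or let named do it with `dnssec-policy`; and that what the registrar needs is the DS record, which dnssec-signzone writes to dsset-<zone>. in the working directory (dnssec-dsfromkey produces the same from the KSK file).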
Line 254: Line 256:
     allow-transfer { 8.28.86.114; 8.28.86.115; 2604:fa40:0:10::12; 2604:fa40:0:10::13; };     allow-transfer { 8.28.86.114; 8.28.86.115; 2604:fa40:0:10::12; 2604:fa40:0:10::13; };
     also-notify { 8.28.86.114; 8.28.86.115; 2604:fa40:0:10::12; 2604:fa40:0:10::13; };     also-notify { 8.28.86.114; 8.28.86.115; 2604:fa40:0:10::12; 2604:fa40:0:10::13; };
 +    };
 </code> </code>
  
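Review bot: the added `};` fixes the unclosed zone block, but `allow-transfer` keyed on addresses alone (8.28.86.114, 8.28.86.115 and the two IPv6 addresses) is the weakest transfer control; generate a TSIG key (`tsig-keygen ns-xfer`), add the resulting `key` statement on master and slaves, and use `allow-transfer { key ns-xfer; };` so zone data can only be pulled by a peer holding the key, not by anyone able to source traffic from those addresses.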
Line 457: Line 460:
 {{ :computing:screenshot_from_2025-12-27_21-16-25.png?direct&800 |}} {{ :computing:screenshot_from_2025-12-27_21-16-25.png?direct&800 |}}
  
-Of course, you could also shell into the slaves and remove those transfer rules via the CLI, this is just to show that both methods work and are dealing with the exact same bind9 underbelly. +Of course, you could also shell into the slaves and remove those transfer rules via the CLI, this is just to show that both methods work and are dealing with the exact same bind9 underbelly. Once we do that, we can !!FINALLY!! create A, AAAA, dmarc, spf, and or any other records we need. Here's what the zone's landing page looks like and what the record pages within it look like:
- +
-  image?? +
- +
-Once we do that, we can create A, AAAA, dmarc, spf, and or any other records we need. Here's what the zone's landing page looks like and what the record pages within it look like:+
  
 {{ :computing:screenshot_from_2025-12-27_22-37-52.png?direct&800 |}} {{ :computing:screenshot_from_2025-12-27_22-37-52.png?direct&800 |}}
Line 474: Line 473:
   host cloudcommunity.club ns3.haacksnetworking.com   host cloudcommunity.club ns3.haacksnetworking.com
      
-Once that's working, let's setup DNSSEC using the webmin gui on master ns1.+Once that's working, let's setup DNSSEC using the webmin gui on master ns1. To do that navigate to Bind9 DNS Server > Zone > Setup DNS Key:
  
-  image of that+{{ :computing:screenshot_from_2025-12-27_22-50-57.png?direct&8800 |}} 
 +   
 +Once the DNSSEC key is created and the zone signed, you will, just like above, have to navigate over to your registrar and enter in the algorithm, digest, digest tag, and key tag. To see those values, just select Bind9 DNS Server > Zone > Setup DNS Key and instead of showing you the option to create it anew, it now shows the key you just created:
  
-Add section above to use dig in order to verify DNSSEC and then use that down here as well in the test section+{{ :computing:screenshot_from_2025-12-27_22-55-45.png?direct&800 |}} 
 +   
 +As a final step, we can use the dig command to verify the record against all nodes:
  
-  dig command+  dig cloudcommunity.club DNSKEY +dnssec @8.28.86.113 
 +  dig cloudcommunity.club DNSKEY +dnssec @8.28.86.114 
 +  dig cloudcommunity.club DNSKEY +dnssec @8.28.86.115
      
-Verify what webmin is doing under the hoodShow examples of the slave entries it makes in named on ns2 and ns3 on the CLI but via webminSimilarlyshow a screen shot of the zone record file for cloudcommunity.club that it created. Now that this is done, we can optionally secure each node with unbound DNS for added privacy and speed.+Each node should report the following: 
 + 
 +<code bash> 
 +; <<>> DiG 9.20.15-1~deb13u1-Debian <<>> cloudcommunity.club DNSKEY +dnssec @8.28.86.113 
 +;; global options: +cmd 
 +;; Got answer: 
 +;; ->>HEADER<<- opcode: QUERYstatus: NOERROR, id: 21022 
 +;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 
 +;; WARNING: recursion requested but not available 
 + 
 +;; OPT PSEUDOSECTION: 
 +; EDNS: version: 0, flags: do; udp: 1232 
 +; COOKIE: f9d0bef39e0c56da010000006950c6e270c6a99b26e97171 (good) 
 +;; QUESTION SECTION: 
 +;cloudcommunity.club. IN DNSKEY 
 + 
 +;; ANSWER SECTION: 
 +cloudcommunity.club. 3600 IN DNSKEY 256 3 15 yCykkNhKUB0H3F7B+F1ydS6lmTaQAhRkVLgq6Fy6xWo= 
 +cloudcommunity.club. 3600 IN DNSKEY 257 3 15 g61Yq+dJTUxZpQDvQfqqK59CUv3IsDXyO8Sy229YVic= 
 +cloudcommunity.club. 3600 IN RRSIG DNSKEY 15 2 3600 20260123020922 20251224020922 188 cloudcommunity.club. sbVDXR4RZpR0s2eXn3wyyJ4JGO2AZpX/81UiOp/6fv9BWlVhkGXnsr50 JMHTFiKTVRwPtfRFONdrU1VUhrScDQ== 
 +cloudcommunity.club. 3600 IN RRSIG DNSKEY 15 2 3600 20260123020922 20251224020922 30893 cloudcommunity.club. AjoUcCUneoXo/sTDgyfbAJV5wc/TxuJN50Uhs2WY6B8FfBV586ZCcell ztTYercorXsQf1mtHXpSh5bKZBscCg== 
 + 
 +;; Query time: 100 msec 
 +;; SERVER: 8.28.86.113#53(8.28.86.113) (UDP) 
 +;; WHEN: Sat Dec 27 22:57:54 MST 2025 
 +;; MSG SIZE  rcvd: 402 
 +</code> 
 + 
 +=== Part 4 - Optional Unbound Recursive Resolver === 
 + 
 +Now that you can create any record you please and sign your zones/domains with DNSSEC using both the CLI and the webmin Bind9 DNS server GUI, we can optionally secure each node with unbound DNS for added privacy and speed.
  
   sudo apt install unbound   sudo apt install unbound
      
-The full unbound tutorial, including lan-side setups, can be found here. For this setup, a simple config such as this should work:+The full unbound tutorial, including lan-side setups, can be found [[https://wiki.haacksnetworking.org/doku.php?id=computing:unbounddns|Unbound]]. For this setup, however, a simple config in ''/etc/unbound/unbound.conf'' such as this should work:
  
-  provide my public config+  server: 
 +    # Bind to localhost only 
 +    interface: 127.0.0.1 
 +    interface: ::1 
 +    port: 5335 
 +    do-ip4: yes 
 +    do-ip6: yes 
 +    prefer-ip6: yes 
 +    access-control: 127.0.0.0/8 allow 
 +    access-control: 0.0.0.0/0 refuse 
 +    access-control: ::0/0 refuse 
 +    # Optimize for 8 cores 
 +    num-threads:
 +    msg-cache-slabs:
 +    rrset-cache-slabs:
 +    infra-cache-slabs:
 +    key-cache-slabs:
 +    # Cache settings for high query volume 
 +    cache-max-ttl: 86400 
 +    cache-min-ttl: 3600 
 +    rrset-cache-size: 128m 
 +    msg-cache-size: 64m 
 +    key-cache-size: 32m 
 +    neg-cache-size: 8m 
 +    # Enable prefetch and expired responses 
 +    prefetch: yes 
 +    prefetch-key: yes 
 +    serve-expired: yes 
 +    serve-expired-ttl: 3600 
 +    # DNSSEC validation for DANE 
 +    #do-dnssec: yes 
 +    harden-dnssec-stripped: yes 
 +    harden-referral-path: yes 
 +    harden-below-nxdomain: yes 
 +    harden-algo-downgrade: no 
 +    # Performance tweaks 
 +    #so-rcvbuf: 4m 
 +    #so-sndbuf: 4m 
 +    edns-buffer-size: 1232 
 +    outgoing-range: 4096 
 +    num-queries-per-thread: 1024 
 +    jostle-timeout: 200 
 +    #low-resolver-mem: no 
 +    # Logging (minimal) 
 +    verbosity: 1 
 +    log-queries: no 
 +    log-replies: no 
 +    use-syslog: yes 
 +    # Security and privacy 
 +    hide-identity: yes 
 +    hide-version: yes 
 +    use-caps-for-id: yes 
 +    qname-minimisation: yes 
 +    harden-large-queries: yes 
 +    harden-glue: yes 
 +    aggressive-nsec: yes 
 +    # Protocol settings 
 +    do-tcp: yes 
 +    do-udp: yes 
 +    # Disable subnetcache 
 +    module-config: "validator iterator"
      
 It's crucial to bind unbound to 5335 since bind9 is already listening on 53. In order to have local recursive queries use unbound, we need to hijack all outbound resolver queries to ''/etc/resolv.conf'' to use 5335. To be clear, make sure ''/etc/resolv.conf'' has the following entries: It's crucial to bind unbound to 5335 since bind9 is already listening on 53. In order to have local recursive queries use unbound, we need to hijack all outbound resolver queries to ''/etc/resolv.conf'' to use 5335. To be clear, make sure ''/etc/resolv.conf'' has the following entries:
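Review bot: several points in this hunk. The three dig DNSKEY queries only show that each node serves the keys and signatures; they do not check that the DS uploaded to the registrar matches or that the chain validates. Add a query through a validating resolver and look for the `ad` flag, e.g. `dig cloudcommunity.club A +dnssec @1.1.1.1`, or `delv @1.1.1.1 cloudcommunity.club A`, which prints `; fully validated` on success; `+norecurse` on the authoritative queries also silences the "recursion requested but not available" warning. In the unbound config, `num-threads:`, `msg-cache-slabs:`, `rrset-cache-slabs:`, `infra-cache-slabs:` and `key-cache-slabs:` have no values, so unbound-checkconf will reject the file as written (the comment suggests 8 for all five). If this file replaces the Debian-shipped /etc/unbound/unbound.conf it also drops the `include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"` line that loads the root trust anchor, so the validator module has nothing to validate against and marks every answer insecure; keep that include or add `auto-trust-anchor-file: "/var/lib/unbound/root.key"`. `do-dnssec` is not an unbound option (validation comes from `validator` in `module-config`), so the commented line should go. `cache-min-ttl: 3600` overrides any TTL under an hour, a poor choice on nodes that are themselves authoritative for zones whose short TTLs exist for failover; drop it or use a small value. Finally, glibc `nameserver` lines in /etc/resolv.conf carry no port, so the closing paragraph's plan to point resolv.conf at 5335 cannot work by itself; either run unbound on a second loopback address on port 53, or have named forward for local clients with `forwarders { 127.0.0.1 port 5335; };`, and state which approach the lines after 519 use.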
Line 519: Line 614:
 If you are interested in setting up one of these authoritative Bind9 DNS clusters that are configured to use either CLI or the convenient webmin interface, just hit me up on Matrix. I'm available here: If you are interested in setting up one of these authoritative Bind9 DNS clusters that are configured to use either CLI or the convenient webmin interface, just hit me up on Matrix. I'm available here:
  
-  * [[https://matrix.to/#/@haacksnetworking:gnulinux.club|External Link]]+  * [[https://matrix.to/#/@haacksnetworking:gnulinux.club|Haack's Networking on Matrix]]
  
- --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/12/28 04:50//+ --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/12/28 08:26//
computing/bind9dns.1766900574.txt.gz · Last modified: by oemb1905