| computing:bind9dns [2025/12/28 06:01] – oemb1905 | computing:bind9dns [2025/12/28 08:43] (current) – oemb1905 |
|---|
| * Configuring your Registrar's GLUE records, i.e., registering and pointing nameservers | * Configuring your Registrar's GLUE records, i.e., registering and pointing nameservers |
| |
| This tutorial presumes you already have a working and sufficiently hardened VM/VPS with a LAMP stack and access to PTR for three different external IPs. If you don't know what some or all of that is, take a step back and start with [[https://wiki.haacksnetworking.org/doku.php?id=computing:apachesurvival|Apache Survival]] before proceeding. If you feel comfortable so far, and you have three different VMs/VPSs setup and ready, well then carry on. | This tutorial presumes you already have three working and sufficiently hardened VMs/VPSs with LAMP stacks and access to PTR for each of the three different external IPs they leverage, six if you include IPv6. If you don't know what some or all of that is, take a step back and start with [[https://wiki.haacksnetworking.org/doku.php?id=computing:apachesurvival|Apache Survival]] before proceeding. If you feel comfortable so far, and you have three different VMs/VPSs setup and ready, well then carry on. |
| |
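Review bot: the revised prerequisite sentence still uses "setup" as a verb ("three different VMs/VPSs setup and ready"); it should read "set up". Since this hunk now commits to three hosts (six addresses with IPv6), it would also help to name their roles here, i.e. which one is the primary and which two are the secondaries, because the later allow-transfer and also-notify lists only make sense once the reader knows that split.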
| ------------------------------------------- | ------------------------------------------- |
| </code> | </code> |
| |
| Now that the family and cat website zone is created, we need to establish its DNS records again as well: | Now that the family and cat website zone is re-created, we can now establish its DNS records in the zone record file in ''/var/cache/bind/db.felinefantasy.club'' as follows: |
| |
| <code bash>$TTL 86400 | <code bash>$TTL 86400 |
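Review bot: the new sentence doubles "now" ("Now that ... is re-created, we can now establish"); drop the second one. This is also the first place the path ''/var/cache/bind/db.felinefantasy.club'' appears, so a clause on why the zone file lives under /var/cache/bind rather than /etc/bind would give the later "mind this" aside in the DNSSEC step a reason the reader can check.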
| At this point, we're still dealing strictly with bind9 and have not setup webmin or the automated clustering features. We will do that soon, but there's still one thing we need to cover how to do on the command line and that's DNSSEC. Below, let's create keys in the proper directory (mind this) and then sign them: | At this point, we're still dealing strictly with bind9 and have not setup webmin or the automated clustering features. We will do that soon, but there's still one thing we need to cover how to do on the command line and that's DNSSEC. Below, let's create keys in the proper directory (mind this) and then sign them: |
| |
| | <code bash> |
| cd /var/cache/bind | cd /var/cache/bind |
| dnssec-keygen -a ED25519 -b 256 -n ZONE haacksnetworking.com | dnssec-keygen -a ED25519 -b 256 -n ZONE haacksnetworking.com |
| SALT=$(openssl rand -hex 8) | SALT=$(openssl rand -hex 8) |
| dnssec-signzone -S -K /var/cache/bind -A -3 $SALT -N INCREMENT -o haacksnetworking.com -t db.haacksnetworking.com | dnssec-signzone -S -K /var/cache/bind -A -3 $SALT -N INCREMENT -o haacksnetworking.com -t db.haacksnetworking.com |
| | </code> |
| |
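Review bot: fencing the four commands in <code bash> is the right fix, but two things in the commands need a sentence of explanation before this ships. First, `dnssec-keygen -a ED25519 -n ZONE` without `-f KSK` produces a single key, so `dnssec-signzone -S` signs both the DNSKEY RRset and the zone data with it; that works, but the DS handed to the registrar must be derived from this same key, and any later key roll means a registrar update. Second, `-3 $SALT -A` turns on NSEC3 with a random salt and the opt-out flag: opt-out only matters for zones with unsigned delegations and buys nothing for a leaf zone like this, and RFC 9276 recommends an empty salt (`-3 -`) because the salt adds no security, which would also retire the SALT variable the next paragraph spends time on. The more important omission is that `dnssec-signzone` writes signatures with a fixed validity window (30 days by default), so the zone must be re-signed before they expire, either by re-running this command on a schedule or by letting BIND manage it with `dnssec-policy`; as written, resolvers will start failing validation after a month. Finally, these commands sign haacksnetworking.com while the paragraph below says felinefantasy.club is the example zone; pick one so the named.conf.local edit matches the signed file.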
| You can of course just run the ''openssl'' salt generation command by itself and manually insert the value, but someone had this online and I thought it was cool to share, whereby it creates a variable called SALT and then populates it into the subsequent command. Hilarious, and entirely not needed, but super fun. Once this is done, you've built the keys, you've signed the domain with them, and now you need to change the ''named'' entry to reflect the signed zone instead, and then finally update your registrar with the key and key values that you chose. First, let's update ''nano /etc/bind/named.conf.local'' with the signed record file location, for which I am using the ''felinefantasy.club'' zone record as an example, but this would apply to whatever zone you signed: | You can of course just run the ''openssl'' salt generation command by itself and manually insert the value, but someone had this online and I thought it was cool to share, whereby it creates a variable called SALT and then populates it into the subsequent command. Hilarious, and entirely not needed, but super fun. Once this is done, you've built the keys, you've signed the domain with them, and now you need to change the ''named'' entry to reflect the signed zone instead, and then finally update your registrar with the key and key values that you chose. First, let's update ''nano /etc/bind/named.conf.local'' with the signed record file location, for which I am using the ''felinefantasy.club'' zone record as an example, but this would apply to whatever zone you signed: |
| allow-transfer { 8.28.86.114; 8.28.86.115; 2604:fa40:0:10::12; 2604:fa40:0:10::13; }; | allow-transfer { 8.28.86.114; 8.28.86.115; 2604:fa40:0:10::12; 2604:fa40:0:10::13; }; |
| also-notify { 8.28.86.114; 8.28.86.115; 2604:fa40:0:10::12; 2604:fa40:0:10::13; }; | also-notify { 8.28.86.114; 8.28.86.115; 2604:fa40:0:10::12; 2604:fa40:0:10::13; }; |
| | }; |
| </code> | </code> |
| |
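Review bot: the added `};` closes the zone statement that the previous revision left open, which `named-checkconf` would otherwise reject. Restricting allow-transfer and also-notify to the four secondary addresses is the right control; it is worth one sentence noting that this is a source-address check, and that a TSIG key on the transfers would authenticate the secondaries themselves rather than their IPs if the tutorial wants to go that far later.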
| {{ :computing:screenshot_from_2025-12-27_21-16-25.png?direct&800 |}} | {{ :computing:screenshot_from_2025-12-27_21-16-25.png?direct&800 |}} |
| |
| Of course, you could also shell into the slaves and remove those transfer rules via the CLI, this is just to show that both methods work and are dealing with the exact same bind9 underbelly. | Of course, you could also shell into the slaves and remove those transfer rules via the CLI, this is just to show that both methods work and are dealing with the exact same bind9 underbelly. Once we do that, we can !!FINALLY!! create A, AAAA, dmarc, spf, and or any other records we need. Here's what the zone's landing page looks like and what the record pages within it look like: |
| | |
| image?? | |
| | |
| Once we do that, we can create A, AAAA, dmarc, spf, and or any other records we need. Here's what the zone's landing page looks like and what the record pages within it look like: | |
| |
| {{ :computing:screenshot_from_2025-12-27_22-37-52.png?direct&800 |}} | {{ :computing:screenshot_from_2025-12-27_22-37-52.png?direct&800 |}} |
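Review bot: merging the two paragraphs and dropping the "image??" placeholder is correct, but "shell into the slaves" should become "secondaries", the term current BIND uses (`type secondary`) and the one that matches the allow-transfer and also-notify lists earlier on the page. The sentence also refers to "those transfer rules" without this hunk showing which rules are meant or why they come off the secondaries; a short clause on that would keep a reader from removing the wrong statements.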
| ;; MSG SIZE rcvd: 402 | ;; MSG SIZE rcvd: 402 |
| </code> | </code> |
| | |
| | === Part 4 - Optional Unbound Recursive Resolver === |
| |
| Now that you can create any record you please and sign your zones/domains with DNSSEC using both the CLI and the webmin Bind9 DNS server GUI, we can optionally secure each node with unbound DNS for added privacy and speed. | Now that you can create any record you please and sign your zones/domains with DNSSEC using both the CLI and the webmin Bind9 DNS server GUI, we can optionally secure each node with unbound DNS for added privacy and speed. |
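Review bot: the new Part 4 heading is a sensible split, but the sentence under it should say what "secure each node with unbound" means in practice: unbound would act as a validating recursive resolver for the node's own lookups, separate from the authoritative bind9 service, and it should listen only on localhost or the internal interface so the host does not also become an open recursive resolver next to the authoritative server. Stating that up front sets the reader's expectations for the rest of the part.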
| * [[https://matrix.to/#/@haacksnetworking:gnulinux.club|Haack's Networking on Matrix]] | * [[https://matrix.to/#/@haacksnetworking:gnulinux.club|Haack's Networking on Matrix]] |
| |
| --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/12/28 04:50// | --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/12/28 08:26// |