Diffstat (limited to 'gemfeed/2016-05-22-spinning-up-my-own-authoritative-dns-servers.html')
| -rw-r--r-- | gemfeed/2016-05-22-spinning-up-my-own-authoritative-dns-servers.html | 24 |
1 files changed, 12 insertions, 12 deletions
diff --git a/gemfeed/2016-05-22-spinning-up-my-own-authoritative-dns-servers.html b/gemfeed/2016-05-22-spinning-up-my-own-authoritative-dns-servers.html index 893f25c4..dfe52e25 100644 --- a/gemfeed/2016-05-22-spinning-up-my-own-authoritative-dns-servers.html +++ b/gemfeed/2016-05-22-spinning-up-my-own-authoritative-dns-servers.html @@ -51,10 +51,10 @@ h2, h3 { <h1>Spinning up my own authoritative DNS servers</h1> <p class="quote"><i>Written by Paul Buetow 2016-05-22</i></p> <h2>Background</h2> -<p>Finally, I had time to deploy my own authoritative DNS servers (master and slave) for my domains "buetow.org" and "buetow.zone". My domain name provider is Schlund Technologies. They allow their customers to manually edit the DNS records (BIND files). And they also give you the opportunity to set your own authoritative DNS servers for your domains. From now, I am making use of that option.</p> +<p>Finally, I had time to deploy my authoritative DNS servers (master and slave) for my domains "buetow.org" and "buetow.zone". My domain name provider is Schlund Technologies. They allow their customers to edit the DNS records (BIND files) manually. And they also allow you to set your authoritative DNS servers for your domains. From now, I am making use of that option.</p> <a class="textlink" href="http://www.schlundtech.de">Schlund Technologies</a><br /> <h2>All FreeBSD Jails</h2> -<p>In order to set up my authoritative DNS servers I installed a FreeBSD Jail dedicated for DNS with Puppet on my root machine as follows:</p> +<p>To set up my authoritative DNS servers, I installed a FreeBSD Jail dedicated for DNS with Puppet on my root machine as follows:</p> <pre> include freebsd 
@@ -88,7 +88,7 @@ class { 'jail': } </pre> <h2>PF firewall</h2> -<p>Please note that "dns.ian.buetow.org" is just the Jail name of the master DNS server (and "caprica.ian.buetow.org" the name of the Jail for the slave DNS server) and that I am using the DNS names "dns1.buetow.org" (master) and "dns2.buetow.org" (slave) for the actual service names (these are the DNS servers visible to the public). Please also note that the IPv4 address is an internal one. I have a PF to use NAT and PAT. The DNS ports are being forwarded (TCP and UDP) to that Jail. By default, all ports are blocked, so I am adding an exception rule for the IPv6 address as well. These are the PF rules in use:</p> +<p>Please note that "dns.ian.buetow.org" is just the Jail name of the master DNS server (and "caprica.ian.buetow.org" the name of the Jail for the slave DNS server) and that I am using the DNS names "dns1.buetow.org" (master) and "dns2.buetow.org" (slave) for the actual service names (these are the DNS servers visible to the public). Please also note that the IPv4 address is an internal one. I have a PF to use NAT and PAT. The DNS ports are being forwarded (TCP and UDP) to that Jail. By default, all ports are blocked, so I am adding an exception rule for the IPv6 address. These are the PF rules in use:</p> <pre> % cat /etc/pf.conf . 
@@ -102,15 +102,15 @@ pass in on re0 inet6 proto udp from any to 2a01:4f8:120:30e8::15 port {53} flags . </pre> <h2>Puppet managed BIND zone files</h2> -<p>In "manifests/dns.pp" (the Puppet manifest for the Master DNS Jail itself) I configured the BIND DNS server this way:</p> +<p>In "manifests/dns.pp" (the Puppet manifest for the Master DNS Jail itself), I configured the BIND DNS server this way:</p> <pre> class { 'bind_freebsd': config => "puppet:///files/bind/named.${::hostname}.conf", dynamic_config => "puppet:///files/bind/dynamic.${::hostname}", } </pre> -<p>The Puppet module is actually a pretty simple one. It installs the file "/usr/local/etc/named/named.conf" and it populates the "/usr/local/etc/named/dynamicdb" directory with all my zone files.</p> -<p>Once (Puppet-) applied inside of the Jail I get this:</p> +<p>The Puppet module is a pretty simple one. It installs the file "/usr/local/etc/named/named.conf" and it populates the "/usr/local/etc/named/dynamicdb" directory with all my zone files.</p> +<p>Once (Puppet-) applied inside of the Jail, I get this:</p> <pre> paul uranus:~/git/blog/source [4268]% ssh admin@dns1.buetow.org.buetow.org pgrep -lf named 60748 /usr/local/sbin/named -u bind -c /usr/local/etc/namedb/named.conf 
@@ -152,7 +152,7 @@ dns2 86400 IN AAAA 2a03:2500:1:6:20:: . . </pre> -<p>That is my master DNS server. My slave DNS server runs in another Jail on another bare metal machine. Everything is set up similar to the master DNS server. However, that server is located in a different DC and in different IP subnets. The only difference is the "named.conf". It's configured to be a slave and that means that the "dynamicdb" gets populated by BIND itself while doing zone transfers from the master.</p> +<p>That is my master DNS server. My slave DNS server runs in another Jail on another bare-metal machine. Everything is set up similar to the master DNS server. However, that server is located in a different DC and different IP subnets. The only difference is the "named.conf". It's configured to be a slave, and that means that the "dynamicdb" gets populated by BIND itself while doing zone transfers from the master.</p> <pre> paul uranus:~/git/blog/source [4279]% ssh admin@dns2.buetow.org tail -n 11 /usr/local/etc/namedb/named.conf zone "buetow.org" { @@ -167,8 +167,8 @@ zone "buetow.zone" { file "/usr/local/etc/namedb/dynamic/buetow.zone"; }; </pre> -<h2>The end result</h2> -<p>The end result looks like this now:</p> +<h2>The result</h2> +<p>The result looks like this now:</p> <pre> % dig -t ns buetow.org ; <<>> DiG 9.10.3-P4-RedHat-9.10.3-12.P4.fc23 <<>> -t ns buetow.org 
@@ -225,7 +225,7 @@ dns2.buetow.org. 86400 IN AAAA 2a03:2500:1:6:20:: ;; MSG SIZE rcvd: 322 </pre> <h2>Monitoring</h2> -<p>For monitoring I am using Icinga2 (I am operating two Icinga2 instances in two different DCs). I may have to post another blog article about Icinga2 but to get the idea these were the snippets added to my Icinga2 configuration:</p> +<p>For monitoring, I am using Icinga2 (I am operating two Icinga2 instances in two different DCs). I may have to post another blog article about Icinga2, but to get the idea, these were the snippets added to my Icinga2 configuration:</p> <pre> apply Service "dig" { import "generic-service" @@ -249,12 +249,12 @@ apply Service "dig6" { } </pre> <h2>DNS update workflow</h2> -<p>Whenever I have to change a DNS entry all have to do is:</p> +<p>Whenever I have to change a DNS entry, all I have to do is:</p> <ul> <li>Git clone or update the Puppet repository</li> <li>Update/commit and push the zone file (e.g. "buetow.org")</li> <li>Wait for Puppet. Puppet will deploy that updated zone file. And it will reload the BIND server.</li> -<li>The BIND server will notify all slave DNS servers (at the moment only one). And it will transfer the new version of the zone.</li> +<li>The BIND server will notify all slave DNS servers (at the moment, only one). And it will transfer the new version of the zone.</li> </ul> <p>That's much more comfortable now than manually clicking at some web UIs at Schlund Technologies.</p> <p>E-Mail me your thoughts at comments@mx.buetow.org!</p> |
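Review bot: in hunk @@ -51 the rewritten Background paragraph drops "own" from "my own authoritative DNS servers" while the unchanged <h1> in the same hunk still reads "Spinning up my own authoritative DNS servers"; either keep "own" in the paragraph or accept the mismatch with the title. While this line is being touched, "From now, I am making use of that option." should read "From now on, I am making use of that option."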
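Review bot: in hunk @@ -88 removing "as well" from "so I am adding an exception rule for the IPv6 address as well" loses the point the sentence is making, namely that the IPv6 pass rule is needed in addition to the IPv4 NAT/PAT port forward; suggest keeping "as well" or rephrasing to "so the IPv6 address needs an explicit pass rule in addition to the IPv4 port forward". The unchanged "I have a PF to use NAT and PAT" in the same line is also awkward; "I use PF for NAT and PAT" would be clearer.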
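Review bot: in hunk @@ -102 the paths in the rewritten Puppet-module paragraph do not match the command output quoted right after it: the prose says "/usr/local/etc/named/named.conf" and "/usr/local/etc/named/dynamicdb", but pgrep shows named started with "-c /usr/local/etc/namedb/named.conf", and the slave's named.conf in hunk @@ -152 references "/usr/local/etc/namedb/dynamic/". Since the paragraph is being edited anyway, align it with the paths the output shows (or say which one is a symlink). Two smaller points in the same hunk: "inside of the Jail" should be "inside the Jail", and the unchanged "ssh admin@dns1.buetow.org.buetow.org" looks like a doubled domain suffix next to "ssh admin@dns2.buetow.org" in the following hunk.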
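Review bot: in hunk @@ -152 the new wording "located in a different DC and different IP subnets" drops the "in" the old line had before "different IP subnets" and reads worse; suggest "in a different DC and in different IP subnets". "Everything is set up similar to the master" should be "set up similarly to the master" while here. On completeness: the paragraph says the slave's "dynamicdb" is populated by zone transfers from the master, but the quoted named.conf tail only shows the zone file directives; a sentence stating whether the master limits transfers and notifies to the slave's addresses (BIND's allow-transfer and also-notify options) would make the description of the setup complete.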
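Review bot: in hunk @@ -249 the edit to the list is fine, but the unchanged closing line "manually clicking at some web UIs" in the trailing context would read better as "clicking through some web UIs" and could be fixed in the same commit.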
