User Tools

Site Tools


system:dns

DNS

Note that this is not a DNS tutorial nor intended to be so.

It's mostly intended to attempt to reasonably cover documentation of some DNS infrastructure and maintenance thereof, and be reasonably accurate at least as of the time of this writing/updating (2020-05-19).

The BALUG host (balug-sf-lug-v2.balug.org) is not only DNS server for multiple [L]UG (and related) domains, but also DNS nameserver master for many such domains. At the present time, it includes these domains:
balug.org
berkeleylug.com
e.9.1.0.5.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
sf-lug.com
sf-lug.net
sf-lug.org
sflug.com
sflug.net
sflug.org

At the present time, there are various person(s) that have access to edit the DNS data for one or more of those zones/domains … and/or sub-domains thereof. E.g. in additional to Michael Paoli having requisite (superuser / "root" / UID 0) access (and thus also being able to perform these tasks), the following folks have access to edit the zone(s)/domain(s)/data noted:

SF-LUG domains:
sf-lug.org
sflug.com
sflug.net
sflug.org
sf-lug.net
sf-lug.com
can be edited by:
Jim Stockford
Grant Bowman
Rick Moen
Al Whaley

Note also that there are person(s) who are or may become set up also to edit DNS data for the sub-domain pi.BerkeleyLUG.com (and any subdomains thereof).

DYNAMIC DNS

Note that all the domains/zones thus far mentioned on this wiki page, are set up with dynamic DNS enabled.
So, one can't merely edit and reload the zone file for changes to take effect.
If one is to do it the "old fashioned way", by editing of zone file, minimally (as system is currently using BIND9), one must first use
rndc freeze zone
and then after edits to the zone file are completed, use
rndc thaw zone
If one wants/needs to do it the "old fashioned way" (editing zone file(s)), to do additional checks and reduce errors, it is highly recommended to use the program:
/usr/local/bin/sudoeditzone
/usr/local/bin/sudoeditzones
(either link/name is same program)
The program takes argument(s) of the zone file(s) to be edited.
It handles the freeze/thaw, and uses sudo and sudoedit (presuming invoker has the requisite privileges) to accomplish the appropriate tasks.

One can also "of course", invoke:
sudo -l
to get a listing of what sudo access one has.

It may also be highly preferable (if not strongly recommended), that rather than edit the zone file, one uses dynamic update to make the DNS changes.

Below I give fair bit of example, and more general documentation/explanation (and with some correction(s)/clarification(s)):

Date: Wed, 11 Mar 2020 01:18:26 -0700
From: "Michael Paoli" <Michael.Paoli@cal.berkeley.edu>
Subject: (hostname &): Re: SF-LUG DNS editors: SF-LUG zones now using dynamic DNS
To: [REDACTED]

Oh, might help if I remind folks of the hostname:
balug-sf-lug-v2.balug.org
That's the canonical hostname for the host that's the master.
Expect that that can always get you to the host via DNS.

From: "Michael Paoli" <Michael.Paoli@cal.berkeley.edu>
To: [REDACTED]
Subject: SF-LUG DNS editors: SF-LUG zones now using dynamic DNS
Date: Wed, 11 Mar 2020 00:37:46 -0700

Dear SF-LUG DNS editors,

(You are among those having access to change SF-LUG's master DNS data.)
Please note that SF-LUG's DNS zones
(sf-lug.org sflug.com sflug.net sflug.org sf-lug.net sf-lug.com)
are now using/allowing dynamic DNS update to the zones,
so the procedures for editing DNS necessarily changes a bit.

Permissions/access via sudo(1) have also been adjusted accordingly.

One may make DNS changes, either by:
o dynamic DNS update, or
o editing zone file - with some additional pre/post steps

Using dynamic update.  The sudo access allows one to execute nsupdate as
group bind, and with that group bind access, access the requisite key
that can be used to edit those zones.

Editing zone file.  To be reasonably assured that will work properly,
(via sudo) use rndc freeze (on the specific zone) before editing the
zone file, and after successfully editing the zone file, likewise
use rndc thaw (on the specific zone, and again via sudo).
To make things easier, I also coded up:
/usr/local/bin/sudoeditzone
/usr/local/bin/sudoeditzones
(both those are same program and file)
Those programs take argument(s) of the requisite zone(s),
and handle the requisite pre/post steps, in addition to doing
relevant checks.  (They're world readable, so one may certainly review
them).
Also note, that comments generally are no longer preserved, as dynamic
DNS is in use - effectively comments will end up stripped, the data
reformatted, and BIND9 will add its standard commenting on (some select
bits of) the data.

Let's give some examples:

Using dynamic DNS update:
$ sudo -g bind /usr/bin/nsupdate -l -k /var/cache/bind/keys/ddns-key.SF-LUG
[sudo] password for test:
>update add fjh21kni.sflug.net. 300 IN A 127.0.0.1
>update add fjh21kni.sflug.net. 300 IN A 127.0.0.2
>send
>$ 
(entered a ^D after send and <ENTER>)
$ dig @127.0.0.1 +norecurse +noall +answer fjh21kni.sflug.net. A
fjh21kni.sflug.net.     300     IN      A       127.0.0.2
fjh21kni.sflug.net.     300     IN      A       127.0.0.1
$ 

Using sudoeditzone to edit zone file (here we use ed rather that vi,
to make it easier to see exactly what we do).
Also, the zone serial numbers use (at least start with) seconds since
the epoch - Unix time - so (GNU's) date +%s is very handy for that
(and one added \ before % to prevent ed/vi/ex/vim/... from doing
interpretation/substitution on the %):
$ SUDO_EDITOR=ed sudoeditzone sflug.net
1018
/fjh21kni
fjh21kni                A       127.0.0.1
s/\.1/.111/p
fjh21kni                A       127.0.0.111

                        A       127.0.0.2
s/\.2/.222/p
                        A       127.0.0.222
1
$ORIGIN .
/serial
                                1583906526 ; serial
!date +\%s
1583909117
!
s/1583906526/1583909117/p
                                1583909117 ; serial
w
1022
q
A zone reload and thaw was started.
Check the logs to see the result.
$ dig @127.0.0.1 +norecurse +noall +answer fjh21kni.sflug.net. A
fjh21kni.sflug.net.     300     IN      A       127.0.0.222
fjh21kni.sflug.net.     300     IN      A       127.0.0.111
$ 

And lastly, we again use dynamic update to delete our temporary demo
records:
$ sudo -g bind /usr/bin/nsupdate -l -k /var/cache/bind/keys/ddns-key.SF-LUG
>update delete fjh21kni.sflug.net. IN A 127.0.0.111
>update delete fjh21kni.sflug.net. IN A 127.0.0.222
>send
>$ 
(again we did a ^D following our send and <ENTER/RETURN>)
$ dig @127.0.0.1 +norecurse +noall +answer fjh21kni.sflug.net. A
$ 

Also, one may note, ~root/bin/Named-checkconf
It's essentially an "enhanced" version of (wrapper around) named-checkconf
and runs relevant checks, and with relevant options/arguments.  Note also
to be effective it needs to run as root (to be able to chroot and read
relevant data, etc.).  It's also world readable, so one may view/inspect
it to learn more.

Want to learn more about dynamic DNS?
In addition to relevant documentation, etc.,
later this month, and BALUG:
https://www.balug.org/#2020-03-17

Use of:
$ sudo -l
may also be useful to review the commands one has access to with
privilege.  I also give an example listing of that towards the end here
(temporarily giving the "test" account that same sudo access for
demonstration purposes).

$ sudo -l | sed -ne '/may run/,$p'
User test may run the following commands on balug-sf-lug-v2:
    (root) /bin/su - root -c bin/Named-checkconf, /usr/sbin/rndc sync sf-lug.org, /usr/sbin/rndc sync -clean sf-lug.org, /usr/sbin/rndc freeze sf-lug.org, sudoedit /etc/bind/master/sf-lug.org, /usr/sbin/rndc reload sf-lug.org, /usr/sbin/rndc thaw sf-lug.org, /usr/sbin/rndc zonestatus sf-lug.org, /usr/sbin/rndc notify sf-lug.org, /usr/sbin/rndc sync sflug.com, /usr/sbin/rndc sync -clean sflug.com, /usr/sbin/rndc freeze sflug.com, sudoedit /etc/bind/master/sflug.com, /usr/sbin/rndc reload sflug.com, /usr/sbin/rndc thaw sflug.com, /usr/sbin/rndc zonestatus sflug.com, /usr/sbin/rndc notify sflug.com, /usr/sbin/rndc sync sflug.net, /usr/sbin/rndc sync -clean sflug.net, /usr/sbin/rndc freeze sflug.net, sudoedit /etc/bind/master/sflug.net, /usr/sbin/rndc reload sflug.net, /usr/sbin/rndc thaw sflug.net, /usr/sbin/rndc zonestatus sflug.net, /usr/sbin/rndc notify sflug.net, /usr/sbin/rndc sync sflug.org, /usr/sbin/rndc sync -clean sflug.org, /usr/sbin/rndc freeze sflug.org, sudoedit /etc/bind/master/sflug.org, /usr/sbin/rndc reload sflug.org, /usr/sbin/rndc thaw sflug.org, /usr/sbin/rndc zonestatus sflug.org, /usr/sbin/rndc notify sflug.org, /usr/sbin/rndc sync sf-lug.net, /usr/sbin/rndc sync -clean sf-lug.net, /usr/sbin/rndc freeze sf-lug.net, sudoedit /etc/bind/master/sf-lug.net, /usr/sbin/rndc reload sf-lug.net, /usr/sbin/rndc thaw sf-lug.net, /usr/sbin/rndc zonestatus sf-lug.net, /usr/sbin/rndc notify sf-lug.net, /usr/sbin/rndc sync sf-lug.com, /usr/sbin/rndc sync -clean sf-lug.com, /usr/sbin/rndc freeze sf-lug.com, sudoedit /etc/bind/master/sf-lug.com, /usr/sbin/rndc reload sf-lug.com, /usr/sbin/rndc thaw sf-lug.com, /usr/sbin/rndc zonestatus sf-lug.com, /usr/sbin/rndc notify sf-lug.com
    (test : bind) /usr/bin/nsupdate -l -k /var/cache/bind/keys/ddns-key.SF-LUG
$ 

See also: SF-LUG Resources, etc. Digital Resources

system/dns.txt · Last modified: 2020-09-07T19:29:25+0000 by michael_paoli