I whant to make a web interface on a server that will manage a few dns servers on another servers.
How can i remotely manage a bind dns server programmaticly ?
I would like to add/edit/delete zones.
I see that there is rndc but that only allows reloading of zones and not adding/deleting.
I could NFS mount zones from dns servers and edit them but is there a better way?
If there isn't a hard requirement on writing something like this from scratch, why not simply use an already existing interface without having to reinvent the wheel? A simple Google search for the keywords bind dns web interface yields an entire list of good open source projects in the very first result link.
There is work at the IETF to define a standard for remote control of name servers based on the Netconf framework. See:
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-name-server-management-reqs
https://datatracker.ietf.org/doc/html/draft-dickinson-dnsop-nameserver-control-00.txt
The requirements include the ability to add/remove zones, etc.
You could set up something that does remote SSH commands? That may be a bit insecure, though, unless the server running the commands themselves is pre-authenticated with an SSH key, and that's the only way you can access the server.
Related
I have programmed an application that users can use to process genome data. This application relies on a 10GB database file, that users have to download in order to run the application. At the moment, I have stored this file on Google Drive, but the download bandwith is limited, so if a number of users download the file on a certain day, it will not work for others and they will get errors running the application.
My solution would be to host the file on our research server, create a user that only has access rights to this folder and nothing else, and make the file downloadable from the server via scp within the application (which is open source) through that user.
My question now is, is this safe to do or are people potentially able to hack into our server? If this method would be a security risk, what would be a better way to provide this file?
Thank you in advance!
Aloha
You can setup something like free Seafile https://www.seafile.com/en/home/, or ask the admin to set it up for you which is pretty secure like a self hosted google drive with 2fa authentication.
Another nice and easy tool is Filebrowser on github (https://github.com/filebrowser/filebrowser)
I would not really advice giving people shell/scp access inside your network.
And hosting anything inside a company network is in general not wisest idea, there is a always a risk involved.
I would setup a Seafile/filebrowser solution at a cheap rented server outside your network and upload it there. Or if you have a small pc left set it up in a DMZ Zone, a zone that has special access restrictions inside your company.
You want to use SSH (scp) as a transportation and authentication method for file hosting. It's possible to keep this safe with caution. For example, GitHub uses SSH for transport when providing git access with the git+ssh protocol.
Now for the caution part, if you haven't done it before, it's not a trivial task.
The proper way to achieve this would be set up an isolated SSH server in a chroot environment, and set up an SSH user on this isolated SSH instance only (not a user in the system that is added by eg useradd). Then you can add the files that's absolutely necessary to the chroot, and provide SSH access to users.
(Nowadays you might want to consider using Linux filesystem namespaces, if applicable, to replace chroot, but I'm not sure on this.)
As for other options, setting up a simple Nginx server for static file hosting might be a lot easier, provided you have some understanding of HTTP and TLS. There're lots of writings on the Internet about this.
Both ways, if you are to expose your server to the Internet or Intranet, you need to make sure of firewalling. Consider to learn about nftables or firewalld or the like, if you haven't already.
SSH is reasonably safe. Always keep software up-to-date.
Set up an sftp-only user with chrooted directory. In /etc/ssh/sshd_config:
Match User MyUser
ChrootDirectory /var/ssh/chroot
ForceCommand internal-sftp
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
This user will not get a shell (because of internal-sftp), and cannot see files outside of /var/ssh/chroot.
Use a certificate client-side, additional to password.
Good description of the setup process for certificates:
https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
Your solution is moderately safe.
A better solution is to put it on a server accessible via sftp, behind a password, but also encrypt the file: in this way you introduce a double layer of protection.
On a Linux server you should be able to use a tool like gpg to encrypt your file.
Next you share the decryption key with your partners using a secure channel with e.g. an end2end encrypted messaging software.
I want to run several docker containers in different regions (asia, eu, us) which host a nginx server.
However, they should all have the same configuration because I need to updated hostnames at runtime dynamically (one domain for every new tenant).
So I guess it would be the easiest way to just share one config file among all containers and reload them...
So how can I share data/files among n containers on azure?
In general, unless you want to use proprietary solutions specific to the platform at hand, the best way to synchronise files between multiple systems is with the help of rsync.
For example, in DNS, there exists a specialised protocol for transferring domain zones directly within the DNS software, called AXFR; one of the authors of a newer DNS implementation suggests that this AXFR protocol is crap, and rsync over ssh works much better — http://cr.yp.to/djbdns/tcp.html — and the ssh part is a nice thing about rsync, in that it can work over plain old ssh protocol as far as interconnection between the hosts goes, not requiring any special firewall considerations.
Have you considered using the Azure file share.
I'm looking into wide area service discovery and bonjur / avahi seem to be really good.
However, I'm a bit confused about how all this works?
So:
I have a bunch of services running in a cloud.
I have clients which can be located anywhere in the world.
I want the clients to automatically discover the services in the cloud.
I need the clients to be absolutely zero conf, so they don't know IPs, ports, nothing.
If I understand it correctly, this can be done using the above mentioned dns-sd libs. I have full access to a DNS server, so I suppose, the services can register themselves on startup using these libs and then the data can be spread through DNS servers world wide.
The clients can obtain the advertised info by querying the DNS record of my domain using bonjur / avahi tech, right?
All I need to do is to link the client with bonjur / avahi libs, and tell it which domain it should use (query).
Is this correct?
Am I missing something here or is it how this works?
Thanks in advance!
Avahi does not currently support publishing to a wide-area server, though it can browse wide-area. So if you can dynamically update a DNS server somewhere with the appropriate records Avahi would be able to see it.
You do however potentially have more problems to solve here including port mapping/nat traversal which Avahi does not address at all.
I have a slight problem bit of the back story. recently ive been trying to test out univention which is a linux distribution with the goal of being able to replace Microsoft active directory.
I tested it locally and all went reasonably well after a few minor issues i then decided to test it remotely as the company wants to allow remote users to access this so i used myhyve.com to host it and its now been setup successfully and works reasonably well.
however
my main problem is DNS based as when trying to connect to the domain the only way windows will recognize it is by editing the network adapter and setting ip v4 dns server address to the ip address of the server hosting the univention active directory replacement. although this does allow every thing to work its not ideal and dns look up on the internet are considerably longer. i was wondering if any one had any ideas or have done something similar and encountered this problems before and know a work around. i want to avoid setting up a vpn if possible.
after initially registering the computer on the domain i am able to remove the dns server address and just use a couple of amendments to the HOST file to keep it running but this still leads to having issues connecting to the domain controller sometimes and is not ideal. any ideas and suggestions would be greatly received.
.Michael
For the HOST entries, the most likely issue is, that there are several service records a computer in the domain needs. I'm not sure, whether these can be provided via the HOST file or not but you'll definitely have authentication issues if they are missing. To see the records your domain is using issue the following commands on the UCS system.
/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
For the slow resolution of the DNS records there are several points where you could start looking. My first test would be whether or not you are using a forwarder for the web DNS requests and whether or not the forwarder is having a decent speed. To check if you are using one, type
ucr search dns/forwarder
If you get a valid IP for either of the UCR Variables, dns/forwarder1, dns/forwarder2 or dns/forwarder3, you are forwarding your DNS requests to a different Server. If all of them are empty or not valid IPs then your server is doing the resolution itself.
Not using a forwarder is often slow, as the DNS servers caching is optimized for the AD operations, like the round robin load balancing. Likewise a number of ISPs require you to use a forwarder to minimize the DNS traffic. You can simply define a forwarder using ucr, I use Google on IPv4 for the example
ucr set dns/forwarder1='8.8.8.8'
The other scenario might be a slow forwarder. To check it try to query the forwarder directly using the following command
dig univention.com #(ucr get dns/forwarder1)
If it takes long, then there is nothing the UCS server can do, you'll simply have to choose a different forwarder from the ucr command above.
If neither of the above helps, the next step would be to check whether there are error messages for the named daemon in the syslog file. Normally these come when you are trying to manually remove software or if the firewall configuration got changed.
Kevin
Sponsored post, as I work for Univention North America, Inc.
i have a linux client which uses pppoe to connect to the internet and
everytime this client comes online I wanna bind his ipadress to a subdomain.
dyndns is not an option due to their TTL.
It looks like i have to setup my own nameserver on my root server to accomplish this task because I cannot create the keys needed to run an nsupdate on the client with a provider nameserver... am I correct?
If so is there a good Howto for setting up a bind server for this specific task?
I havent ever maintained pppoe but if it uses dhcp to provide the ip address to the client, you could do updates from the dhcp to the dns.
Instructions on how to do this for debian here: http://www.debian-administration.org/article/Configuring_Dynamic_DNS__DHCP_on_Debian_Stable
Do not thou that you can adapt these to other distros too. You can find the same software atleast on fedora and ubuntu, difference is only how you install the required software.
One posibility is to set their machine to register with somebody like DynDNS. They have all the software you need to automatically notify them when they come online/go offline. This will give them a domain name of something like whatever.homelinux.org (it does not really matter). You then put static CNAME entries in your DNS to point your nice domain names eg southern.company.com to point to whatever.homelinux.org.
When they come online the domain will start to resolve and stop when they go off line since DynDNS have low TTL for this very reason. You can use large TTL in your zone file since the CNAMEs will not change.
Well dont you just need to create an A-Record for this IP on your DNS Server?
If your domain is 'google.com' and you wanted your host to be called 'server1'. Create an A-Record for 'server1' and point it to your machines IP.
Unless I am misunderstanding what you are asking for help with.