====== DNS ======

Note that this is //not// a DNS tutorial, nor intended to be one. It's mostly intended to reasonably cover documentation of some DNS infrastructure and its maintenance, and to be reasonably accurate at least as of the time of this writing/updating (2020-05-19).

The BALUG host (balug-sf-lug-v2.balug.org) is not only a DNS server for multiple [L]UG (and related) domains, but also the DNS nameserver master for many such domains. At present, it includes these domains:
  * balug.org
  * berkeleylug.com
  * e.9.1.0.5.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa
  * sf-lug.com
  * sf-lug.net
  * sf-lug.org
  * sflug.com
  * sflug.net
  * sflug.org

At present, various person(s) have access to edit the DNS data for one or more of those zones/domains, and/or sub-domains thereof. E.g., in addition to Michael Paoli having the requisite (superuser / "root" / UID 0) access (and thus also being able to perform these tasks), the following folks have access to edit the zone(s)/domain(s)/data noted:

SF-LUG domains:
  * sf-lug.org
  * sflug.com
  * sflug.net
  * sflug.org
  * sf-lug.net
  * sf-lug.com
can be edited by:
  * Jim Stockford
  * Grant Bowman
  * Rick Moen
  * Al Whaley

Note also that there are person(s) who are, or may become, set up to edit DNS data for the sub-domain pi.BerkeleyLUG.com (and any subdomains thereof).
===== DYNAMIC DNS =====

Note that //all// the domains/zones mentioned so far on this wiki page are set up with dynamic DNS enabled.\\
So, one can't merely edit and reload the zone file for changes to take effect.\\
If one is to do it the "old fashioned way", by editing the zone file, then minimally (as the system is currently using BIND9) one must first use\\
rndc freeze //zone//\\
and then, after edits to the zone file are completed, use\\
rndc thaw //zone//\\
If one wants/needs to do it the "old fashioned way" (editing zone file(s)), then to do additional checks and reduce errors it is //highly recommended// to use the program:\\
/usr/local/bin/sudoeditzone\\
/usr/local/bin/sudoeditzones\\
(either link/name is the same program)\\
The program takes argument(s) of the zone file(s) to be edited.\\
It handles the freeze/thaw, and uses sudo and sudoedit (presuming the invoker has the requisite privileges) to accomplish the appropriate tasks.\\
One can also, "of course", invoke:\\
sudo -l\\
to get a listing of what sudo access one has.

It may also be highly preferable (if not strongly recommended) that rather than editing the zone file, one uses dynamic update to make the DNS changes. Below I give a fair bit of example, and more general documentation/explanation (with some correction(s)/clarification(s)):

<code>
Date: Wed, 11 Mar 2020 01:18:26 -0700
From: "Michael Paoli"
Subject: (hostname &): Re: SF-LUG DNS editors: SF-LUG zones now using dynamic DNS
To: [REDACTED]
</code>

Oh, might help if I remind folks of the hostname: balug-sf-lug-v2.balug.org
That's the canonical hostname for the host that's the master. Expect that that can always get you to the host via DNS.

<code>
From: "Michael Paoli"
To: [REDACTED]
Subject: SF-LUG DNS editors: SF-LUG zones now using dynamic DNS
Date: Wed, 11 Mar 2020 00:37:46 -0700
</code>

Dear SF-LUG DNS editors,
(You are among those having access to change SF-LUG's master DNS data.)
Please note that SF-LUG's DNS zones (sf-lug.org sflug.com sflug.net sflug.org sf-lug.net sf-lug.com) are now using/allowing dynamic DNS update to the zones, so the procedures for editing DNS necessarily change a bit. Permissions/access via sudo(1) have also been adjusted accordingly.

One may make DNS changes, either by:
  * dynamic DNS update, or
  * editing zone file - with some additional pre/post steps

Using dynamic update. The sudo access allows one to execute nsupdate as group bind, and with that group bind access, access the requisite key that can be used to edit those zones.

Editing zone file. To be reasonably assured that will work properly, (via sudo) use rndc freeze (on the specific zone) before editing the zone file, and after successfully editing the zone file, likewise use rndc thaw (on the specific zone, and again via sudo). To make things easier, I also coded up:\\
/usr/local/bin/sudoeditzone\\
/usr/local/bin/sudoeditzones\\
(both those are the same program and file)\\
Those programs take argument(s) of the requisite zone(s), and handle the requisite pre/post steps, in addition to doing relevant checks. (They're world readable, so one may certainly review them).

Also note that comments generally are no longer preserved, as dynamic DNS is in use - effectively comments will end up stripped, the data reformatted, and BIND9 will add its standard commenting on (some select bits of) the data.

Let's give some examples:

Using dynamic DNS update:
<code>
$ sudo -g bind /usr/bin/nsupdate -l -k /var/cache/bind/keys/ddns-key.SF-LUG
[sudo] password for test:
>update add fjh21kni.sflug.net. 300 IN A 127.0.0.1
>update add fjh21kni.sflug.net. 300 IN A 127.0.0.2
>send
>$
</code>
(entered a ^D after send and )
<code>
$ dig @127.0.0.1 +norecurse +noall +answer fjh21kni.sflug.net. A
fjh21kni.sflug.net. 300 IN A 127.0.0.2
fjh21kni.sflug.net. 300 IN A 127.0.0.1
$
</code>

Using sudoeditzone to edit the zone file (here we use ed rather than vi, to make it easier to see exactly what we do).
Also, the zone serial numbers use (at least start with) seconds since the epoch - Unix time - so (GNU's) date +%s is very handy for that (and one adds \ before % to prevent ed/vi/ex/vim/... from doing interpretation/substitution on the %):
<code>
$ SUDO_EDITOR=ed sudoeditzone sflug.net
1018
/fjh21kni
fjh21kni A 127.0.0.1
s/\.1/.111/p
fjh21kni A 127.0.0.111

 A 127.0.0.2
s/\.2/.222/p
 A 127.0.0.222
1
$ORIGIN .
/serial
 1583906526 ; serial
!date +\%s
1583909117
!
s/1583906526/1583909117/p
 1583909117 ; serial
w
1022
q
A zone reload and thaw was started.
Check the logs to see the result.
$ dig @127.0.0.1 +norecurse +noall +answer fjh21kni.sflug.net. A
fjh21kni.sflug.net. 300 IN A 127.0.0.222
fjh21kni.sflug.net. 300 IN A 127.0.0.111
$
</code>

And lastly, we again use dynamic update to delete our temporary demo records:
<code>
$ sudo -g bind /usr/bin/nsupdate -l -k /var/cache/bind/keys/ddns-key.SF-LUG
>update delete fjh21kni.sflug.net. IN A 127.0.0.111
>update delete fjh21kni.sflug.net. IN A 127.0.0.222
>send
>$
</code>
(again we did a ^D following our send and )
<code>
$ dig @127.0.0.1 +norecurse +noall +answer fjh21kni.sflug.net. A
$
</code>

Also, one may note:\\
~root/bin/Named-checkconf\\
It's essentially an "enhanced" version of (wrapper around) named-checkconf and runs relevant checks, with relevant options/arguments. Note also that to be effective it needs to run as root (to be able to chroot and read relevant data, etc.). It's also world readable, so one may view/inspect it to learn more.

Want to learn more about dynamic DNS? In addition to relevant documentation, etc., later this month, and BALUG: https://www.balug.org/#2020-03-17

Use of:\\
sudo -l\\
may also be useful to review the commands one has access to with privilege. I also give an example listing of that towards the end here (temporarily giving the "test" account that same sudo access for demonstration purposes).
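The freeze / edit / bump-serial / thaw sequence above, scripted as an added example (this is not the wiki's own sudoeditzone, and it assumes the hypothetical zone-file path /etc/bind/master/ZONE and the sudo rights shown in the sudo -l listing on this page). It keeps the epoch-based serial strictly increasing and re-reads the live serial after the thaw, since rndc thaw only reports that a reload was started:

```shell
#!/bin/sh
# Added example (not the wiki's own sudoeditzone): a POSIX sh wrapper for the
# freeze / sudoedit / bump-serial / thaw / verify sequence this page describes.
# Assumes (hypothetically) /etc/bind/master/ZONE and the "sudo -l" rights shown.

# next_serial OLD NOW: use the epoch time NOW as the serial, but never go
# below OLD+1, so secondaries still see an increase when two edits land in the
# same second or the old serial was somehow set in the future.
next_serial() {
    if [ "$2" -gt "$1" ]; then echo "$2"; else echo $(($1 + 1)); fi
}

# serial_from_zone: read a BIND-formatted zone on stdin and print the number on
# its "NNN ; serial" SOA line (the layout BIND writes back after dynamic DNS).
serial_from_zone() {
    sed -n 's/^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;[[:space:]]*serial.*/\1/p' |
        head -n 1
}

# sample_zone: constructed SOA fragment in that layout, for offline checks.
sample_zone() {
    printf '%s\n' '$ORIGIN .' '$TTL 300' \
        'example.test IN SOA ns.example.test. hostmaster.example.test. (' \
        '        1583906526 ; serial' '        3600       ; refresh (1 hour)' \
        '        900        ; retry (15 minutes)' '        )'
}

# live_serial ZONE: the serial named is currently serving (rndc zonestatus
# prints a "serial: N" line); avoids needing read access to the zone file.
live_serial() {
    sudo /usr/sbin/rndc zonestatus "$1" | sed -n 's/^serial: *//p'
}

# safe_edit_zone ZONE: the full procedure.  Odd zone names are refused before
# anything reaches rndc, and the live serial is re-read after the thaw because
# "rndc thaw" only reports that a reload was *started*, not that it succeeded.
safe_edit_zone() {
    zone=$1
    case $zone in ''|*[!A-Za-z0-9.-]*) echo "bad zone name: $zone" >&2; return 1;; esac
    file=/etc/bind/master/$zone
    old=$(live_serial "$zone"); [ -n "$old" ] || return 1
    new=$(next_serial "$old" "$(date +%s)")
    sudo /usr/sbin/rndc freeze "$zone" || return 1
    sudoedit "$file" || { sudo /usr/sbin/rndc thaw "$zone"; return 1; }
    # Bump the serial non-interactively with ed, as the page does by hand.
    printf '%s\n' '/; serial/' "s/$old/$new/" w q | SUDO_EDITOR=ed sudoedit "$file"
    sudo /usr/sbin/rndc thaw "$zone" || return 1
    sleep 1
    [ "$(live_serial "$zone")" = "$new" ] || { echo "reload failed" >&2; return 1; }
}
```

Source the file and run safe_edit_zone sflug.net (or another zone from the sudo listing) to drive it; next_serial and serial_from_zone can be exercised offline.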
<code>
$ sudo -l | sed -ne '/may run/,$p'
User test may run the following commands on balug-sf-lug-v2:
    (root) /bin/su - root -c bin/Named-checkconf,
        /usr/sbin/rndc sync sf-lug.org, /usr/sbin/rndc sync -clean sf-lug.org,
        /usr/sbin/rndc freeze sf-lug.org, sudoedit /etc/bind/master/sf-lug.org,
        /usr/sbin/rndc reload sf-lug.org, /usr/sbin/rndc thaw sf-lug.org,
        /usr/sbin/rndc zonestatus sf-lug.org, /usr/sbin/rndc notify sf-lug.org,
        /usr/sbin/rndc sync sflug.com, /usr/sbin/rndc sync -clean sflug.com,
        /usr/sbin/rndc freeze sflug.com, sudoedit /etc/bind/master/sflug.com,
        /usr/sbin/rndc reload sflug.com, /usr/sbin/rndc thaw sflug.com,
        /usr/sbin/rndc zonestatus sflug.com, /usr/sbin/rndc notify sflug.com,
        /usr/sbin/rndc sync sflug.net, /usr/sbin/rndc sync -clean sflug.net,
        /usr/sbin/rndc freeze sflug.net, sudoedit /etc/bind/master/sflug.net,
        /usr/sbin/rndc reload sflug.net, /usr/sbin/rndc thaw sflug.net,
        /usr/sbin/rndc zonestatus sflug.net, /usr/sbin/rndc notify sflug.net,
        /usr/sbin/rndc sync sflug.org, /usr/sbin/rndc sync -clean sflug.org,
        /usr/sbin/rndc freeze sflug.org, sudoedit /etc/bind/master/sflug.org,
        /usr/sbin/rndc reload sflug.org, /usr/sbin/rndc thaw sflug.org,
        /usr/sbin/rndc zonestatus sflug.org, /usr/sbin/rndc notify sflug.org,
        /usr/sbin/rndc sync sf-lug.net, /usr/sbin/rndc sync -clean sf-lug.net,
        /usr/sbin/rndc freeze sf-lug.net, sudoedit /etc/bind/master/sf-lug.net,
        /usr/sbin/rndc reload sf-lug.net, /usr/sbin/rndc thaw sf-lug.net,
        /usr/sbin/rndc zonestatus sf-lug.net, /usr/sbin/rndc notify sf-lug.net,
        /usr/sbin/rndc sync sf-lug.com, /usr/sbin/rndc sync -clean sf-lug.com,
        /usr/sbin/rndc freeze sf-lug.com, sudoedit /etc/bind/master/sf-lug.com,
        /usr/sbin/rndc reload sf-lug.com, /usr/sbin/rndc thaw sf-lug.com,
        /usr/sbin/rndc zonestatus sf-lug.com, /usr/sbin/rndc notify sf-lug.com
    (test : bind) /usr/bin/nsupdate -l -k /var/cache/bind/keys/ddns-key.SF-LUG
$
</code>

See also:
  * [[sf-lug:resources_etc|SF-LUG Resources, etc.]]
  * [[berkeleylug:digital_resources|Digital Resources]]