DNS

BIND sd_notify chroot

Newer BIND versions support systemd's Type=notify process supervision, which requires additional configuration steps for chrooted setups. We will rebind some of the systemd sockets into the chroot using a drop-in, /etc/systemd/system/named.service.d/override.conf:

[Service]
ExecStartPre=/usr/bin/mount --bind /run/systemd/journal/socket /var/named/run/systemd/journal/socket
ExecStartPre=/usr/bin/mount --bind /run/systemd/journal/stdout /var/named/run/systemd/journal/stdout
ExecStartPre=/usr/bin/mount --bind /run/systemd/notify /var/named/run/systemd/notify
ExecStopPost=/usr/bin/umount /var/named/run/systemd/journal/socket /var/named/run/systemd/journal/stdout /var/named/run/systemd/notify

To make this work, we need to manually create […]

DNS over TLS using BIND and Nginx

Since our BIND server currently does not support TLS-secured queries natively, we will be using Nginx rather than Stunnel to provide a secured endpoint. Not only is Nginx already part of our system, it also allows more granular configuration. We will proxy the requests to our local BIND instance. The Nginx stream module needs to […]

BIND views for internal and external requests (Split DNS)

We will be using a BIND server that will allow recursive and authoritative requests for our clients. This way all devices will be utilizing the same cache and zone definitions. First let's define who can access our server:

acl internal_hosts { 127.0.0.1; ::1; };
acl trusted_hosts { somehost1; somehost2; };

BIND will answer the requests […]

Securing transaction signatures using ACLs

Dynamic updates using TSIGs are relatively easy to set up in BIND. How to restrict a key to specific hosts and their IPs, on the other hand, may not be apparent. TSIGs provide point-to-point authentication and integrity between servers; they do not provide encryption on the transport layer. First we'll create a secret key which […]