Differences
This shows you the differences between two versions of the page.
opennic:setup:webminbind:debian9u0webmin1u9base [2020-03-18T20:06:34Z] – fouroh-llc | opennic:setup:webminbind:debian9u0webmin1u9base [2020-03-26T15:19:49Z] – fouroh-llc | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ===== Debian 9 with Webmin 1.9xx Fresh Install ===== | + | ===== Fresh Install ===== |
Again, please make sure you install from within Webmin (Un-used Modules) then Refresh Modules to move the BIND link under Servers. This is the default screen. | Again, please make sure you install from within Webmin (Un-used Modules) then Refresh Modules to move the BIND link under Servers. This is the default screen. | ||
{{: | {{: | ||
+ | In the upper left corner the icon that looks like a gear is the Module Config. In the upper right corner the icon looks like a " | ||
- | In the upper left corner the icon that looks like a gear is the Module Config. In the upper right corner the icon looks like a play button starts the service. Before we start, however, lets look at the //home// of bind9. | ||
{{: | {{: | ||
+ | The location and the list of files might be different on a different distribution (Red-Hat, Slackware, or from Enterprises like Oracle). | ||
- | The files which are going to be our concern are discussed below. The db.root file is a special case, where the change from the InterNIC TLDs to the OpenNIC TLDS actually happens. For the record, the content of the db.root file, at the time of writing this, is listed [[db_root_file-content|here]]. On OpenNIC Tier-1 servers the file should read something like below: | + | ==== Backup and Archive==== |
- | < | + | The difference between backup and archive is the location where they are stored - one is on-line, but going to be lost when the host is lost. The other is off-line, but remains available. These are your choices for backup: |
- | ; This file holds the information ... | + | |
- | ; | + | |
- | . 3600000 | + | |
- | NS2.OPENNIC.GLUE. | + | |
- | NS2.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . 3600000 | + | |
- | NS4.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . 3600000 | + | |
- | NS5.OPENNIC.GLUE. | + | |
- | NS5.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . 3600000 | + | |
- | NS6.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . 3600000 | + | |
- | NS8.OPENNIC.GLUE. | + | |
- | NS8.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . 3600000 | + | |
- | NS9.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . | + | |
- | NS10.OPENNIC.GLUE. | + | |
- | NS10.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . | + | |
- | NS11.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . | + | |
- | NS12.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . | + | |
- | NS13.OPENNIC.GLUE. | + | |
- | NS13.OPENNIC.GLUE. | + | |
- | </ | + | |
- | ==== named.conf.default-zones ==== | + | Use the listed above to plan and test your capacity to recover from errors, attacks or even from ransomware. These are very basic, simple measures to keep your service stacks functional. |
- | The content of this file not supposed | + | |
- | < | + | |
- | // prime the server with knowledge of the root servers | + | |
- | zone "." { | + | |
- | type hint; | + | |
- | file "/ | + | |
- | }; | + | |
- | // be authoritative for the localhost forward and reverse zones, and for | + | {{: |
- | // broadcast zones as per RFC 1912 | + | The Webmin screen to schedule and create compressed archives of the filesystem. |
- | zone " | + | {{: |
- | type master; | + | Recover from off-line backup in case of sustained attack going back for weeks or months. |
- | file "/ | + | |
- | }; | + | |
- | zone " | + | ==== User Management |
- | type master; | + | User management from the shell is expanded |
- | file "/ | + | |
- | }; | + | |
- | + | ||
- | zone " | + | |
- | type master; | + | |
- | file "/ | + | |
- | }; | + | |
- | + | ||
- | zone " | + | |
- | type master; | + | |
- | file "/ | + | |
- | }; | + | |
- | </ | + | |
- | + | ||
- | As you see, the db.root file is included here, and the rest of the file content has to do with proper networking setup on the host. Later while adding / removing name servers the two most common directives added by Webmin going to be " | + | |
- | + | ||
- | ==== named.conf | + | |
- | This file should not be edited by hand, but edited | + | |
- | < | + | |
- | // This is the primary configuration file for the BIND DNS server named. | + | |
- | // | + | |
- | // Please read / | + | |
- | // structure of BIND configuration files in Debian, *BEFORE* you customize | + | |
- | // this configuration file. | + | |
- | // | + | |
- | // If you are just adding zones, please do that in / | + | |
- | + | ||
- | include "/ | + | |
- | include "/ | + | |
- | include "/ | + | |
- | </ | + | |
- | + | ||
- | The file // | + | |
- | + | ||
- | The file // | + | |
- | + | ||
- | ==== Backup and Archive==== | + | |
- | The difference between backup and archive is the location where they are stored | + | |
- | {{: | + | |
- | DNS is all about redundancy, so configuring email notification about backup | + | {{: |
+ | Webmin Users and Groups control access to Modules - but the UNIX user must also exist. | ||
- | ==== Start BIND | + | ==== Module Management |
- | Once you create and RESTORE | + | These should be the IP4 addresses of the OpenNIC Tier-2s. Normally you use Google' |
- | === Setup RNDC === | + | {{: |
- | This is going to fail if, for any reason, the loop-back interface (127.0.0.1) is blocked by the provider. There might be other reasons, but in most cases you are going to see a success message if you visit the same screen the second time. On the //DNS Keys// screen you should see the // | + | The DNS administrator has full access |
- | < | + | |
- | include "/ | + | |
- | include "/ | + | |
- | include "/ | + | |
- | key rndc-key { | + | |
- | algorithm hmac-md5; | + | |
- | secret " | + | |
- | }; | + | |
- | controls { | + | |
- | inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; }; | + | |
- | }; | + | |
- | </ | + | |
- | === Zone Defaults | + | ==== Network Security ==== |
- | This configures | + | Debian does not assume anything about the purpose of the system, it does not install or configure additional software, and it does not start services by default. // |
- | {{: | + | |
- | What is not shown depends on your installation. The screenshot shows the current host name - which you should ignore. Instead enter the FQDN of your name server, NSx.YOURDOMAIN.TLD or NSx.SUBDOMAIN.YOURDOMAIN.TLD. Consequently the //Default email address// should correspond the same way (admin@yourdomain.tld), | + | {{: |
+ | If you start iptables with a wrong configuration you might lose access to your instance! | ||
- | The DNSSEC settings | + | ==== Webmin Modules ==== |
+ | Some modules in Webmin | ||
- | I leave the transfer and query settings to be managed by each zone and leave them here blank / default. | + | {{: |
+ | Webmin has good support for FirewallD - but it must be installed from the shell. | ||
- | === Forwarding and Transfers | + | ==== Logging |
- | These should be the IP4 addresses of the OpenNIC Tier-2s. Normally you use Google' | + | Webmin provides access to several logging facilities, with management for logging added for BIND and for Webmin. |
- | === DNSSEC Initialization | + | |
- | Access both screens, and set as you wish. | + | |
- | === Module Config === | + | {{: |
- | Finally, click on the gear in the upper left corner, and change from the defaults: | + | Security starts with these logs, as nearly all attacks leave some clues in these logs. |
- | {{: | + | ==== Conclusion ==== |
- | If you want to run under chroot set it here.\\ | + | You can write your own scripts and use a tool such as Ansible |
- | If reverse zone is REQUIRED leave it, otherwise set to NO.\\ | + | |
- | More to come later | + | |
- | {{: | ||
- | More to come later | ||
- | {{: | ||
- | More to come later | ||
- | //NOTE: Editing of this page is suspended until information for a production server becomes available.// | ||
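Review bot: in the new revision the forwarder sentence "These should be the IP4 addresses of the OpenNIC Tier-2s. Normally you use Google'" now sits directly under the "==== Module Management" heading, where it reads as module administration rather than the "Forwarding and Transfers" step it was moved from; give it back its own heading or fold it into the Module Config text. The removed "Setup RNDC" block also took the only description of the control channel with it (`key rndc-key { algorithm hmac-md5; secret "..." };` and `inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };`); if it is restored, keep the secret redacted as it is here and mention that hmac-md5 is the weakest algorithm BIND accepts for this key, since rndc-confgen itself defaults to hmac-sha256. Finally, three "More to come later" placeholders and the "Editing of this page is suspended" note survive the rewrite unchanged after the new "==== Conclusion ====" section; either fill them or drop them so the conclusion is not followed by three empty stubs.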