opennic:setup:webminbind:debian9u0webmin1u9base

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
opennic:setup:webminbind:debian9u0webmin1u9base [2020-03-18T19:17:12Z] fouroh-llcopennic:setup:webminbind:debian9u0webmin1u9base [2020-03-27T11:44:12Z] (current) fouroh-llc
Line 1: Line 1:
-===== Debian 9 with Webmin 1.9xx Fresh Install ===== +===== Fresh Install ===== 
-Again, please make sure you install from within Webmin (Unused Modules) then Refresh Modules to move the BIND link under ServersThis is the default screen.+This page includes a very brief overview of Webmin module screens, before turning the instance into a Tier-2 service stackThe page is going to grow and expand as feedback comes in for better, more detailed explanationsIf you are already familiar with Webmin, or you do not wish to use it you may skip this page entirely. 
 {{:opennic:setup:webminbind:base-001.png|The newly installed Webmin BIND module}} {{:opennic:setup:webminbind:base-001.png|The newly installed Webmin BIND module}}
 +In the upper left corner the icon that looks like a gear is the Module Config. In the upper right corner the icon looks like a "Play" button starts the service. When you configure RDC a "Refresh" button is added. Do not yet start it, but lets look at its home directory.
  
-In the upper left corner the icon that looks like a gear is the Module Config. In the upper right corner the icon looks like a play button starts the service. Before we start, however, lets look at the //home// of bind9. 
 {{:opennic:setup:webminbind:base-002.png|The location and content of BIND's home}} {{:opennic:setup:webminbind:base-002.png|The location and content of BIND's home}}
 +The location and the list of files might be different on a different distribution (Red-Hat, Slackware, or from Enterprises like Oracle).
  
-Those which are going to be our concern are discussed below. The db.root file is a special casewhere the change from the InterNIC TLDs to the OpenNIC TLDS actually happenFor the record, the content of the db.root file, at the time of writing this, is listed [[db_root_file-content|here]]. On OpenNIC Tier-1 servers the file should read something like below+==== Backup and Archive==== 
-<code> +The difference between backup and archive is the location where they are stored - one is on-line, but going to be lost when the host is lost. The other is off-linebut remains availableThese are your choices for backup
-;       This file holds the information ...  +  manual snapshot by Linode, which you should use for milestones such as before distribution upgrades
-+  * Three automated backups by Linode, which you should use to recover from errors or attacks
-.                      3600000      NS    NS2.OPENNIC.GLUE. +  compressed archive by Webmin, which you should use to save parts of the filesystem 
-NS2.OPENNIC.GLUE.      3600000      A     161.97.219.84 +  download / upload utility by Webmin, to keep off-line copies of your archives.
-NS2.OPENNIC.GLUE.      3600000      AAAA  2001:470:4212:10:0:100:53:10 +
-+
-.                      3600000      NS    NS4.OPENNIC.GLUE. +
-NS4.OPENNIC.GLUE.      3600000          163.172.168.171 +
-+
-.                      3600000      NS    NS5.OPENNIC.GLUE. +
-NS5.OPENNIC.GLUE.      3600000      A     94.103.153.176 +
-NS5.OPENNIC.GLUE.      3600000      AAAA  2a02:990:219:1:ba:1337:cafe:+
-+
-.                      3600000      NS    NS6.OPENNIC.GLUE+
-NS6.OPENNIC.GLUE.      3600000      A     207.192.71.13 +
-+
-.                      3600000      NS    NS8.OPENNIC.GLUE. +
-NS8.OPENNIC.GLUE.      3600000      A     178.63.116.152 +
-NS8.OPENNIC.GLUE.      3600000      AAAA  2a01:4f8:141:4281::999 +
-+
-.                      3600000      NS    NS9.OPENNIC.GLUE. +
-NS9.OPENNIC.GLUE.      3600000          51.77.227.84 +
-+
-.                       3600000      NS    NS10.OPENNIC.GLUE. +
-NS10.OPENNIC.GLUE.      3600000      A     188.226.146.136 +
-NS10.OPENNIC.GLUE.      3600000      AAAA  2001:470:1f04:ebf::+
-+
-.                       3600000      NS    NS11.OPENNIC.GLUE. +
-NS11.OPENNIC.GLUE.      3600000          51.75.173.177 +
-+
-.                       3600000      NS    NS12.OPENNIC.GLUE. +
-NS12.OPENNIC.GLUE.      3600000      A     79.124.7.81 +
-+
-.                       3600000      NS    NS13.OPENNIC.GLUE. +
-NS13.OPENNIC.GLUE.      3600000      A     144.76.103.143 +
-NS13.OPENNIC.GLUE.      3600000      AAAA  2a01:4f8:192:43a5::+
-</code>+
  
-==== named.conf.default-zones ==== +Use the listed above to plan and test your capacity to recover from errors, attacks or even from ransomwareThese are very basic, simple measures to keep your service stacks functional.
-The content of this file not supposed to be changed by hand, and a new BIND instance has it as:  +
-<code> +
-// prime the server with knowledge of the root servers +
-zone "." { +
- type hint; +
- file "/etc/bind/db.root"; +
-};+
  
-// be authoritative for the localhost forward and reverse zonesand for +{{:opennic:setup:webminbind:base-010.png|Webmin Filesystem Backup with scheduling}} 
-// broadcast zones as per RFC 1912+Linode backups and restores never failbut they replace your ENTIRE instance.
  
-zone "localhost" { +{{:opennic:setup:webminbind:base-003.png|Webmin Filesystem Backup with scheduling}
- type master; +Webmin allows scheduling and creating compressed archives of targeted part of your instance.
- file "/etc/bind/db.local"; +
-};+
  
-zone "127.in-addr.arpa" { +{{:opennic:setup:webminbind:base-004.png|Save and restore copies of your on-line backup}} 
- type master; +Recover from off-line backup in case of sustained attack going back for weeks or months.
- file "/etc/bind/db.127"; +
-};+
  
-zone "0.in-addr.arpa" { +==== User Management ==== 
- type master; +User management from the shell is expanded by Webmin several waysThe most advanced is Usermin via LDAP, which is not really necessary on single instances. However, using the Webmin Users and Groups modules is necessary to allow login via Webmin otherwise the user is limited to ssh login onlyAlso - on production servers Webmin shall not be installed to reduce the number of software exploits
- file "/etc/bind/db.0"; +
-};+
  
-zone "255.in-addr.arpa" { +{{:opennic:setup:webminbind:base-005.png|Extended functionally for UNIX Users and Groups by Webmin}} 
- type master; +Webmin Users and Groups control access to Modules - but the UNIX user must also exist.
- file "/etc/bind/db.255"; +
-}; +
-</code>+
  
-As you see, the db.root file is included here, and the rest of the file content has to do with proper networking setup on the host. Later while adding / removing name servers the two most common directives added by Webmin going to be "also-notify" and "allow-transfer"+==== Module Management ==== 
- +These should be the IP4 addresses of the OpenNIC Tier-2sNormally you use Google'8.8.8.8 here, but if you enter only that this name-server is NOT going to functionAlso note - this is different from the settings of your VPS network, which SHOULD use Google's.
-==== named.conf ==== +
-This file should not be edited by hand, and it is not edited by Webmin: +
-<code> +
-// This is the primary configuration file for the BIND DNS server named. +
-// +
-// Please read /usr/share/doc/bind9/README.Debian.gz for information on the  +
-// structure of BIND configuration files in Debian, *BEFORE* you customize  +
-// this configuration file. +
-// +
-// If you are just adding zones, please do that in /etc/bind/named.conf.local +
- +
-include "/etc/bind/named.conf.options"; +
-include "/etc/bind/named.conf.local"; +
-include "/etc/bind/named.conf.default-zones"; +
-</code> +
- +
-The file //named.conf.default-zones// includes //db.root//, and the file //named.conf.options// holds the BIND daemon'operating parameters. +
- +
-The file //named.conf.local// going to hold our master and slave zones (called domains). Before we start up lets archive /etc/bind to save the original configuration. +
- +
-==== Backup and Archive==== +
-The difference between backup and archive is the location where they are stored one is on-line, but going to be lost when the host is lostThe other is off-line, but remains available. Linode provides a manual snapshot and three automated backups which are rotated - for the entire VPS. Webmin provides manual and scheduled backup on select part of the file system, which you may also download / push off-line. The screenshot shows the Webmin //tar// and //cron// interface. +
-{{:opennic:setup:webminbind:base-003.png|Webmin Filesystem Backup with scheduling}}+
  
-DNS is all about redundancy, so configuring email notification about backup or any other status - is rather pointlessIf your instance goes down for any reason it may stay down until you come around to visit and check on it (once week, maybe).+{{:opennic:setup:webminbind:base-006.png|The DNS Administrator login}} 
 +The DNS administrator has full access to the DNS module and a few others like backup/restore and download/upload.
  
-==== Start BIND  ==== +==== Network Security ==== 
-Once you create and RESTORE the backup, and manage to download the tar filereplace the content in db.root as shown aboveThen hit "play" on the upper right to start BIND.+Debian does not assume anything about the purpose of the system, it does not install or configure additional software, and it does not start services by default. //iptables// is an exception to thisit is installed by defaultHowever, it is not configured and it is not startedIf you have installed a firewall software such as FirewallD - iptables is going to be started and managed by that software.
  
-=== Setup RNDC === +{{:opennic:setup:webminbind:base-007.png|Firewall is not configured by default}} 
-This is going to fail if, for any reason, the loop-back interface (127.0.0.1) is blocked by the provider. There might be other reasons, but in most cases you are going to see a success message if you visit the same screen the second time. On the //DNS Keys// screen you should see the //rndc-key// as well. The file named.conf now contains the RNDC setup: +If you start iptables with a wrong configuration you might lose access to your instance!
-<code> +
-include "/etc/bind/named.conf.options"; +
-include "/etc/bind/named.conf.local"; +
-include "/etc/bind/named.conf.default-zones"; +
-key rndc-key { +
- algorithm hmac-md5; +
- secret "abcdefghifklmnopqrstuv=="; +
- }+
-controls { +
- inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; }; +
- }; +
-</code>+
  
-=== Zone Defaults === +==== Webmin Modules ==== 
-This configures the default options for master zones, and some of the defaults should be set as shown: +Some modules in Webmin are matured and well-rounded - the BIND module, for example. Some are obsolete, no longer maintained, and these days they are only included for backwards compatibility such as the Jabber IM ServerSome are mature and install from within Webmin, some needs to be installed from the shell and tell Webmin to look for them "Refresh Modules"
-{{:opennic:setup:webminbind:base-004.png|Default for Master Zones}}+
  
-What is not shown depends on your installation. The screenshot shows the current host name which you should ignore. Instead enter the FQDN of your name server, NSx.YOURDOMAIN.TLD or NSx.SUBDOMAIN.YOURDOMAIN.TLD. Consequently the //Default email address// should correspond the same way (admin@yourdomain.tld), although this is not a standards requirement by RFCs.+{{:opennic:setup:webminbind:base-008.png|Module installation}} 
 +Webmin has good support for FirewallD but it must be installed from the shell.
  
-The DNSSEC settings are set to the largest-size keys as all other are very much discounted these days. You may set it higherbut only if OpenNIC recommends it.+==== Logging ==== 
 +Webmin provides access to several logging facilitieswith management for logging added for BIND and for Webmin.
  
-leave the transfer and query settings to be managed by each zone and leave them here blank / default.+{{:opennic:setup:webminbind:base-009.png|The standard UNIX logs }} 
 +Security starts with these logs, as nearly all attacks leave some clues in these logs.
  
-=== Forwarding and Trasfers === +==== Conclusion ==== 
-These should be the IP4 addresses of the OpenNIC Tier-2s. Normally you use Google's 8.8.8.8 herebut if you enter only that your DNS is NOT going to function. Also note this is different from the settings of your VPS network. +You may write your own scripts and use a tool such as Ansible to do more, better than what Webmin doesHowever, Webmin makes your instances much friendlier inside an environment without Information Technology professionals expert with GNU/LinuxOn a factory floor, for exampleWebmin is able to serve engineers, managers, production workers with much less training than full-featured but more complex tools.
-=== DNSSEC Initialization === +
-Access both screens, and set as you wish.+
  
-=== Module Config === 
-Finally, click on the gear in the upper left corner, and change from the defaults: 
  
-{{:opennic:setup:webminbind:base-005.png|Module Configuration - Part 1}} 
-If you want to run under chroot set it here. 
-If reverse zone is REQUIRED leave it, otherwise set to NO. 
  
  
  • /wiki/data/attic/opennic/setup/webminbind/debian9u0webmin1u9base.1584559032.txt.gz
  • Last modified: 4 years ago
  • by fouroh-llc