From 4a37e126e59d4b711ea239a071ebbf450182e129 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Piyush=20=E0=A4=AE=E0=A4=BF=E0=A4=B6=E0=A5=8D=E0=A4=B0?=
Date: Sat, 25 Feb 2023 14:57:20 +0530
Subject: [PATCH] init
---
README.md | 240 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 240 insertions(+)
create mode 100644 README.md
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..be974a6
--- /dev/null
+++ b/README.md
@@ -0,0 +1,240 @@
+# VPS from Scratch
+
+## Introduction
+
+This manual describes way to setup bind as DNS with godaddy,
+SSL certificate from certbot.
+The manual is written for Ubuntu 20.4 and is written for piyushxcoder.in domain name.
+You need to replace piyushxcoder.in with your domain
+
+### Setting up Bind DNS with godaddy
+
+* To install bind you need to run
+
+```sudo apt install bind9 bind9utils bind9-doc```
+
+* Modify ```/etc/default/named```
+
+```OPTIONS="-u bind -4"```
+
+* Configure ```/etc/bind/named.conf.options```
+
+```
+options {
+ version "Secured DNS server";
+
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ forwarders {
+ 8.8.8.8;
+ 8.8.4.4;
+ };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation auto;
+
+ //listen-on-v6 { any; };
+
+ allow-query {
+ localhost;
+ any;
+ };
+
+ listen-on port 53 {
+ 103.190.242.178;
+ localhost;
+ }; // listen on private network only
+
+ server-id none;
+ allow-transfer { none; }; # disable zone transfers by default
+};
+```
+Replace ```103.190.242.178``` with you own server ip
+
+
+* Configure ```sudo nano /etc/bind/named.conf.local```
+```
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+include "/etc/bind/named.conf.certbot";
+
+zone "piyushxcoder.in" {
+ type master;
+ file "/etc/bind/db.piyushxcoder.in";
+ allow-transfer { 103.190.242.178; };
+ also-notify { 103.190.242.178; };
+};
+```
+
+Add Zone for every domain you gonna use.
+
+* Create zone file as mentioned in ```named.conf.local```
+
+Example Zone file ```db.piyushxcoder.in```
+
+```
+
+; BIND data file for local loopback interface
+;
+$TTL 604800
+@ IN SOA ns1.piyushxcoder.in. admin.piyushxcoder.in. (
+ 2 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+
+@ IN NS piyushxcoder.in.
+@ IN A 103.190.242.178
+
+ IN NS ns2
+ IN NS ns1
+ns1 IN A 103.190.242.178
+ns2 IN A 103.190.242.178
+```
+* Check Zone files and configuration with ```sudo named-checkconf```
+* Restart bind server ```sudo service bind9 restart```
+* Add custom host names with ns1 ns2 subdomain and pointing to your ip addresses
+as specified in ["Add my custom host names"](https://in.godaddy.com/help/add-my-custom-host-names-12320).
+There after change nameservers for domain with ns1.piyushxcoder.in and ns2.piyushxcoder.in
+
+Do it for every domain you want to point to your DNS
+
+__Note:__ To check if dns is workin properly or not you may use ```dig @ns1.piyushxcoder.in blog.piyushxcoder.in```. It might be also helpful to trace route of dns from root server to yours.
+
+#### References
+* [An Introduction to DNS Terminology, Components, and Concepts](https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts)
+* [How To Configure Bind as an Authoritative-Only DNS Server on Ubuntu 14.04](https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04)
+
+### Setting up Certbot with Bind
+* Install certbot
+
+```sudo apt install certbot python3-certbot-dns-rfc2136```
+
+* Generate a key to secure the update process
+
+```sudo sh -c "tsig-keygen -a HMAC-SHA512 tsig-key > /etc/bind/tsig.key"```
+
+* create ```/etc/bind/named.conf.certbot```
+
+```
+key "tsig-key" {
+ algorithm "hmac-sha512";
+ secret "private key";
+};
+
+zone "_acme-challenge.piyushxcoder.in" {
+ type master;
+ file "/var/lib/bind/db._acme-challenge.piyushxcoder.in";
+ check-names warn;
+ update-policy {
+ grant tsig-key name _acme-challenge.piyushxcoder.in. txt;
+ };
+};
+```
+
+add private key and _achme-challenge zone for each domain. Change permission and ownership
+
+```
+$ sudo chown root:bind /etc/bind/named.conf.certbot
+$ sudo chmod 640 /etc/bind/named.conf.certbot
+
+```
+
+* Create zone file for each domain at ```/var/lib/bind```
+
+Example of ```/var/lib/bind/db._acme-challenge.piyushxcoder.in```
+```
+$ORIGIN .
+$TTL 43200 ; 12 hours
+_acme-challenge.piyushxcoder.in IN SOA piyushxcoder.in. admin.piyushxcoder.in. (
+ 2021010211 ; serial
+ 28800 ; refresh (8 hours)
+ 7200 ; retry (2 hours)
+ 604800 ; expire (1 week)
+ 86400 ; minimum (1 day)
+ )
+ NS piyushxcoder.in.
+$TTL 120 ; 2 minutes
+ TXT "103.190.242.178"
+```
+Change permissikn and ownership
+```
+$ sudo chown root:bind /var/lib/bind/db._acme-challenge.piyushxcoder.in
+$ sudo chmod 664 /var/lib/bind/db._acme-challenge.piyushxcoder.in
+```
+* Now you need to add ```_acme-challenge IN NS mydomain.com.``` in each domain file in ```/etc/bind```
+* There after add ```include "/etc/bind/named.conf.certbot";``` in ```/etc/bind/named.local```
+* Restart bind server ```sudo systemctl restart bind9```
+
+* Testing Dynamic Update
+Check configs
+```
+sudo named-checkconf
+```
+
+To add Entry
+
+```
+$ sudo nsupdate -k /etc/bind/tsig.key
+> server piyushxcoder.in
+> update add _acme-challenge.piyushxcoder.in 86400 TXT 192.168.1.1
+> send
+```
+
+To list Entry
+
+```
+dig @piyushxcoder.in _acme-challenge.piyushxcoder.in txt
+```
+You will see 192.168.1.1 in entries
+
+To delete Entry
+```
+$ sudo nsupdate -k /etc/bind/Kcertbot.+165+?????
+> server piyushxcoder.in
+> update delete _acme-challenge.piyushxcoder.in 86400 TXT 192.168.1.1
+> send
+```
+
+* Create ```/etc/letsencrypt/dns_rfc2136_credentials.txt```
+
+```
+
+# Target DNS server
+dns_rfc2136_server = 103.190.242.178
+# Target DNS port
+dns_rfc2136_port = 53
+# TSIG key name
+dns_rfc2136_name = tsig-key
+# TSIG key secret
+dns_rfc2136_secret =
+# TSIG key algorithm
+dns_rfc2136_algorithm = HMAC-SHA512
+```
+Add private key in secret and replace ip
+
+* Generate Certificate
+
+```sudo /usr/bin/certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/dns_rfc2136_credentials.txt -d 'piyushxcoder.in' -d '*.piyushxcoder.in'```
+
+
+#### References
+* [Let's Encrypt Wildcard Certificates with certbot, BIND, apache and exim](https://john.daltons.info/home_server_documentation/lets_encrypt.html#:~:text=When%20asking%20for%20a%20wildcard,accept%20dynamic%20updates%20from%20certbot.&text=%24%20sudo%20dnssec%2Dkeygen%20%2Da,b%20512%20%2Dn%20HOST%20certbot.)