diff --git a/README.md b/README.md index be974a6..dec9bd1 100644 --- a/README.md +++ b/README.md @@ -2,22 +2,22 @@ ## Introduction -This manual describes way to setup bind as DNS with godaddy, -SSL certificate from certbot. -The manual is written for Ubuntu 20.4 and is written for piyushxcoder.in domain name. -You need to replace piyushxcoder.in with your domain +This manual describes way to setup bind as DNS with godaddy, SSL certificate from certbot. +The manual is written for `Ubuntu 20.4`. You will have to replace your server info in configs below. + +Replace `` with ip address(eg. 10.4.60.1) of your VPS server and `` with your domain name(eg. piyushxcoder.in). ### Setting up Bind DNS with godaddy -* To install bind you need to run +#### Install bind ```sudo apt install bind9 bind9utils bind9-doc``` -* Modify ```/etc/default/named``` +#### Modify `/etc/default/named` ```OPTIONS="-u bind -4"``` -* Configure ```/etc/bind/named.conf.options``` +#### Configure `/etc/bind/named.conf.options` ``` options { @@ -53,7 +53,7 @@ options { }; listen-on port 53 { - 103.190.242.178; + ; localhost; }; // listen on private network only @@ -61,10 +61,11 @@ options { allow-transfer { none; }; # disable zone transfers by default }; ``` -Replace ```103.190.242.178``` with you own server ip +#### Configure `/etc/bind/named.conf.local` + +Add Zone for every domain you are going to use. -* Configure ```sudo nano /etc/bind/named.conf.local``` ``` // Do any local configuration here // 
@@ -75,64 +76,76 @@ Replace ```103.190.242.178``` with you own server ip include "/etc/bind/named.conf.certbot"; -zone "piyushxcoder.in" { +zone "" { type master; - file "/etc/bind/db.piyushxcoder.in"; - allow-transfer { 103.190.242.178; }; - also-notify { 103.190.242.178; }; + file "/etc/bind/db."; + allow-transfer { ; }; + also-notify { ; }; }; ``` -Add Zone for every domain you gonna use. +#### Create zone file as mentioned in `named.conf.local` -* Create zone file as mentioned in ```named.conf.local``` - -Example Zone file ```db.piyushxcoder.in``` +Example Zone file `db.` ``` - ; BIND data file for local loopback interface ; $TTL 604800 -@ IN SOA ns1.piyushxcoder.in. admin.piyushxcoder.in. ( +@ IN SOA ns1.. admin.. ( 2 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL -@ IN NS piyushxcoder.in. -@ IN A 103.190.242.178 +@ IN NS . +@ IN A - IN NS ns2 - IN NS ns1 -ns1 IN A 103.190.242.178 -ns2 IN A 103.190.242.178 + IN NS ns1.. + IN NS ns2.. +ns1 IN A +ns2 IN A + +# To redirect www handle it with ngnix +# www IN CNAME . + +# For Certbot +# _acme-challenge IN NS . ``` -* Check Zone files and configuration with ```sudo named-checkconf``` -* Restart bind server ```sudo service bind9 restart``` -* Add custom host names with ns1 ns2 subdomain and pointing to your ip addresses -as specified in ["Add my custom host names"](https://in.godaddy.com/help/add-my-custom-host-names-12320). -There after change nameservers for domain with ns1.piyushxcoder.in and ns2.piyushxcoder.in + +#### Check Zone files and configuration +``` +sudo named-checkconf +``` + +#### Restart bind server +``` +sudo service bind9 restart +``` + +#### Add custom host names with ns1 ns2 subdomain and pointing to your ip addresses as specified in ["Add my custom host names"](https://in.godaddy.com/help/dd-my-custom-host-names-12320). 
+ +There after change nameservers for domain with `ns1.` and `ns2.` Do it for every domain you want to point to your DNS -__Note:__ To check if dns is workin properly or not you may use ```dig @ns1.piyushxcoder.in blog.piyushxcoder.in```. It might be also helpful to trace route of dns from root server to yours. +__Note:__ To check if dns is working properly or not you may use `dig @ns1. `. It might be also helpful to trace route of dns from root server to yours. #### References -* [An Introduction to DNS Terminology, Components, and Concepts](https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts) -* [How To Configure Bind as an Authoritative-Only DNS Server on Ubuntu 14.04](https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04) +#### [An Introduction to DNS Terminology, Components, and Concepts](https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts) +#### [How To Configure Bind as an Authoritative-Only DNS Server on Ubuntu 14.04](https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04) ### Setting up Certbot with Bind -* Install certbot +#### Install certbot ```sudo apt install certbot python3-certbot-dns-rfc2136``` -* Generate a key to secure the update process +#### Generate a key to secure the update process ```sudo sh -c "tsig-keygen -a HMAC-SHA512 tsig-key > /etc/bind/tsig.key"``` -* create ```/etc/bind/named.conf.certbot``` +#### Create ```/etc/bind/named.conf.certbot``` ``` key "tsig-key" { 
@@ -140,86 +153,92 @@ key "tsig-key" { secret "private key"; }; -zone "_acme-challenge.piyushxcoder.in" { +zone "_acme-challenge." { type master; - file "/var/lib/bind/db._acme-challenge.piyushxcoder.in"; + file "/var/lib/bind/db._acme-challenge."; check-names warn; update-policy { - grant tsig-key name _acme-challenge.piyushxcoder.in. txt; + grant tsig-key name _acme-challenge.. txt; }; }; ``` -add private key and _achme-challenge zone for each domain. Change permission and ownership +Add private key and _achme-challenge zone for each domain and Change permission and ownership ``` $ sudo chown root:bind /etc/bind/named.conf.certbot $ sudo chmod 640 /etc/bind/named.conf.certbot - ``` -* Create zone file for each domain at ```/var/lib/bind``` +#### Create zone file for each domain in `/var/lib/bind` -Example of ```/var/lib/bind/db._acme-challenge.piyushxcoder.in``` +Example of ```/var/lib/bind/db._acme-challenge.``` ``` $ORIGIN . $TTL 43200 ; 12 hours -_acme-challenge.piyushxcoder.in IN SOA piyushxcoder.in. admin.piyushxcoder.in. ( +_acme-challenge. IN SOA . admin.. ( 2021010211 ; serial 28800 ; refresh (8 hours) 7200 ; retry (2 hours) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) - NS piyushxcoder.in. + NS . $TTL 120 ; 2 minutes - TXT "103.190.242.178" + TXT "" ``` -Change permissikn and ownership -``` -$ sudo chown root:bind /var/lib/bind/db._acme-challenge.piyushxcoder.in -$ sudo chmod 664 /var/lib/bind/db._acme-challenge.piyushxcoder.in -``` -* Now you need to add ```_acme-challenge IN NS mydomain.com.``` in each domain file in ```/etc/bind``` -* There after add ```include "/etc/bind/named.conf.certbot";``` in ```/etc/bind/named.local``` -* Restart bind server ```sudo systemctl restart bind9``` -* Testing Dynamic Update +Change premission and ownership + +``` +$ sudo chown root:bind /var/lib/bind/db._acme-challenge. +$ sudo chmod 664 /var/lib/bind/db._acme-challenge. 
+``` + +#### Uncomment `_acme-challenge IN NS .` in each Zone file `db.` in `/etc/bind` + +#### Add `include "/etc/bind/named.conf.certbot";` in `/etc/bind/named.local` + +#### Restart bind server +``` +sudo systemctl restart bind9 +``` + +#### Testing Dynamic Update Check configs ``` sudo named-checkconf ``` -To add Entry +To add the Entry ``` $ sudo nsupdate -k /etc/bind/tsig.key -> server piyushxcoder.in -> update add _acme-challenge.piyushxcoder.in 86400 TXT 192.168.1.1 +> server +> update add _acme-challenge. 86400 TXT 192.168.1.1 > send ``` -To list Entry +To list the Entry ``` -dig @piyushxcoder.in _acme-challenge.piyushxcoder.in txt +dig @ _acme-challenge. txt ``` -You will see 192.168.1.1 in entries +You will see 192.168.1.1 in entries. If not then that is a problem! -To delete Entry +To delete the Entry ``` $ sudo nsupdate -k /etc/bind/Kcertbot.+165+????? -> server piyushxcoder.in -> update delete _acme-challenge.piyushxcoder.in 86400 TXT 192.168.1.1 +> server +> update delete _acme-challenge. 86400 TXT 192.168.1.1 > send ``` -* Create ```/etc/letsencrypt/dns_rfc2136_credentials.txt``` +#### Create ```/etc/letsencrypt/dns_rfc2136_credentials.txt``` ``` - # Target DNS server -dns_rfc2136_server = 103.190.242.178 +dns_rfc2136_server = # Target DNS port dns_rfc2136_port = 53 # TSIG key name 
@@ -229,12 +248,13 @@ dns_rfc2136_secret = # TSIG key algorithm dns_rfc2136_algorithm = HMAC-SHA512 ``` -Add private key in secret and replace ip +Add private key in secret -* Generate Certificate - -```sudo /usr/bin/certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/dns_rfc2136_credentials.txt -d 'piyushxcoder.in' -d '*.piyushxcoder.in'``` +#### Generate Certificate +``` +sudo /usr/bin/certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/dns_rfc2136_credentials.txt -d '' -d '*.' +``` #### References -* [Let's Encrypt Wildcard Certificates with certbot, BIND, apache and exim](https://john.daltons.info/home_server_documentation/lets_encrypt.html#:~:text=When%20asking%20for%20a%20wildcard,accept%20dynamic%20updates%20from%20certbot.&text=%24%20sudo%20dnssec%2Dkeygen%20%2Da,b%20512%20%2Dn%20HOST%20certbot.) +#### [Let's Encrypt Wildcard Certificates with certbot, BIND, apache and exim](https://john.daltons.info/home_server_documentation/lets_encrypt.html#:~:text=When%20asking%20for%20a%20wildcard,accept%20dynamic%20updates%20from%20certbot.&text=%24%20sudo%20dnssec%2Dkeygen%20%2Da,b%20512%20%2Dn%20HOST%20certbot.)
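Review bot: in the first hunk (the README introduction), the two placeholders in the added line `Replace `` with ip address(eg. 10.4.60.1) of your VPS server and `` with your domain name(eg. piyushxcoder.in)` render as empty backticks, so every later occurrence that depends on them (`zone "" {`, `file "/etc/bind/db."`, `dig @ns1. `) is ambiguous to the reader. Use placeholder tokens that survive markdown/HTML rendering, for example `SERVER_IP` and `DOMAIN`, and spell them identically everywhere they are substituted. Minor: "describes way to setup" should read "describes a way to set up", and the Ubuntu release is `20.04`, not `20.4`.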
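Review bot: in the `listen-on port 53` hunk, the replacement for `103.190.242.178;` is a bare `;` line, so a reader who copies the block verbatim gets an `options` section that `named-checkconf` rejects (an empty element in the address list). This is the same lost-placeholder problem as in the introduction; a visible token such as `SERVER_IP;` keeps the snippet parseable as an example and makes it obvious what to replace.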
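Review bot: in the zone-file hunk, the four added lines that start with `#` (`# To redirect www handle it with ngnix`, `# www IN CNAME .`, `# For Certbot`, `# _acme-challenge IN NS .`) are not comments in BIND master-file syntax; zone files use `;` for comments, so these lines will be parsed as records and the `named-checkconf` step that follows will not catch them (it checks `named.conf`, not zone data). Change the prefix to `;` on all four lines, and run `sudo named-checkzone DOMAIN /etc/bind/db.DOMAIN` alongside `named-checkconf` so zone-file mistakes are reported before the restart. The later "Uncomment" step then also needs to refer to removing the `;`. Two smaller things in the same hunk: the GoDaddy link was changed to `.../help/dd-my-custom-host-names-12320` (leading `a` dropped), which breaks the link the removed line had correct (`add-my-custom-host-names-12320`); and "ngnix" should be "nginx".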
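Review bot: in the certbot hunk, the "To delete the Entry" block still runs `sudo nsupdate -k /etc/bind/Kcertbot.+165+?????`, while the "To add the Entry" block a few lines above uses `-k /etc/bind/tsig.key`; the only key this guide generates is the one `tsig-keygen` wrote to `/etc/bind/tsig.key`, so the delete example should use that same file (the `Kcertbot.+165+...` name is the `dnssec-keygen` naming scheme from the linked Dalton reference, not something the reader has). The added heading `Add include "/etc/bind/named.conf.certbot"; in /etc/bind/named.local` names the wrong file: the earlier hunk shows that include inside `/etc/bind/named.conf.local`, which is also the file `named.conf` actually includes. Typos in the added lines: `_achme-challenge` should be `_acme-challenge`, `premission` should be `permission`, and "and Change permission" should be lower-case "change". The `update-policy { grant tsig-key name _acme-challenge.. txt; }` line is the right least-privilege shape (one key, one name, one record type); when readers add more domains they should copy this exact grant per zone rather than widening it.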
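Review bot: in the last hunk, `/etc/letsencrypt/dns_rfc2136_credentials.txt` receives the same TSIG secret that the previous hunk protects with `chown root:bind` and `chmod 640` on `named.conf.certbot`, but no permission step is given for the credentials file. Add `sudo chmod 600 /etc/letsencrypt/dns_rfc2136_credentials.txt` directly after the "Add private key in secret" line: anyone able to read that file can publish `_acme-challenge.` TXT records through the dynamic-update grant and therefore obtain certificates for the domain. Style point, here and in the DNS section: converting the references from `* [...]` list items into `#### [...]` headings puts bare links into the heading hierarchy; keep them as bullets under the existing `#### References` heading.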