This commit is contained in:
Piyush मिश्रः 2023-03-19 10:58:06 +05:30
parent 4a37e126e5
commit d17c4d89c1
1 changed files with 93 additions and 73 deletions

README.md

@ -2,22 +2,22 @@
## Introduction ## Introduction
This manual describes way to setup bind as DNS with godaddy, This manual describes way to setup bind as DNS with godaddy, SSL certificate from certbot.
SSL certificate from certbot. The manual is written for `Ubuntu 20.4`. You will have to replace your server info in configs below.
The manual is written for Ubuntu 20.4 and is written for piyushxcoder.in domain name.
You need to replace piyushxcoder.in with your domain Replace `<Your server ip address>` with ip address(eg. 10.4.60.1) of your VPS server and `<Your domain name>` with your domain name(eg. piyushxcoder.in).
### Setting up Bind DNS with godaddy ### Setting up Bind DNS with godaddy
* To install bind you need to run #### Install bind
```sudo apt install bind9 bind9utils bind9-doc``` ```sudo apt install bind9 bind9utils bind9-doc```
* Modify ```/etc/default/named``` #### Modify `/etc/default/named`
```OPTIONS="-u bind -4"``` ```OPTIONS="-u bind -4"```
* Configure ```/etc/bind/named.conf.options``` #### Configure `/etc/bind/named.conf.options`
``` ```
options { options {
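Review bot: the example address `10.4.60.1` in the rewritten intro is a private (RFC 1918) address, which cannot be registered at GoDaddy as the nameserver host address; the text should say the placeholder is the VPS's public IP, and the example is better drawn from the documentation range (e.g. `192.0.2.1`). Minor: the release is `Ubuntu 20.04`, not `20.4`, and "describes way to setup" reads better as "describes a way to set up".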
@ -53,7 +53,7 @@ options {
}; };
listen-on port 53 { listen-on port 53 {
103.190.242.178; <Your server ip address>;
localhost; localhost;
}; // listen on private network only }; // listen on private network only
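Review bot: the trailing comment `// listen on private network only` on the `listen-on` block is misleading after this change: the list holds `<Your server ip address>` (the VPS's public address) and `localhost`, so this is an authoritative server listening on its public interface. Suggest `// listen on the server's public address and loopback`, or drop the comment.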
@ -61,10 +61,11 @@ options {
allow-transfer { none; }; # disable zone transfers by default allow-transfer { none; }; # disable zone transfers by default
}; };
``` ```
Replace ```103.190.242.178``` with you own server ip
#### Configure `/etc/bind/named.conf.local`
Add Zone for every domain you are going to use.
* Configure ```sudo nano /etc/bind/named.conf.local```
``` ```
// Do any local configuration here // Do any local configuration here
// //
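Review bot: the global `allow-transfer { none; };` is the right default and should stay in the doc; the comment on that line uses `#` while the rest of the options block uses `//`. BIND accepts both in named.conf, but `#` is not a comment character in zone files, so keeping `//` here avoids readers carrying the habit into `db.<Your domain name>`.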
@ -75,64 +76,76 @@ Replace ```103.190.242.178``` with you own server ip
include "/etc/bind/named.conf.certbot"; include "/etc/bind/named.conf.certbot";
zone "piyushxcoder.in" { zone "<Your domain name>" {
type master; type master;
file "/etc/bind/db.piyushxcoder.in"; file "/etc/bind/db.<Your domain name>";
allow-transfer { 103.190.242.178; }; allow-transfer { <Your server ip address>; };
also-notify { 103.190.242.178; }; also-notify { <Your server ip address>; };
}; };
``` ```
Add Zone for every domain you gonna use. #### Create zone file as mentioned in `named.conf.local`
* Create zone file as mentioned in ```named.conf.local``` Example Zone file `db.<Your domain name>`
Example Zone file ```db.piyushxcoder.in```
``` ```
; BIND data file for local loopback interface ; BIND data file for local loopback interface
; ;
$TTL 604800 $TTL 604800
@ IN SOA ns1.piyushxcoder.in. admin.piyushxcoder.in. ( @ IN SOA ns1.<Your domain name>. admin.<Your domain name>. (
2 ; Serial 2 ; Serial
604800 ; Refresh 604800 ; Refresh
86400 ; Retry 86400 ; Retry
2419200 ; Expire 2419200 ; Expire
604800 ) ; Negative Cache TTL 604800 ) ; Negative Cache TTL
@ IN NS piyushxcoder.in. @ IN NS <Your domain name>.
@ IN A 103.190.242.178 @ IN A <Your server ip address>
IN NS ns2 IN NS ns1.<Your domain name>.
IN NS ns1 IN NS ns2.<Your domain name>.
ns1 IN A 103.190.242.178 ns1 IN A <Your server ip address>
ns2 IN A 103.190.242.178 ns2 IN A <Your server ip address>
# To redirect www handle it with ngnix
# www IN CNAME <Your server ip address>.
# For Certbot
# _acme-challenge IN NS <Your server ip address>.
``` ```
* Check Zone files and configuration with ```sudo named-checkconf```
* Restart bind server ```sudo service bind9 restart``` #### Check Zone files and configuration
* Add custom host names with ns1 ns2 subdomain and pointing to your ip addresses ```
as specified in ["Add my custom host names"](https://in.godaddy.com/help/add-my-custom-host-names-12320). sudo named-checkconf
There after change nameservers for domain with ns1.piyushxcoder.in and ns2.piyushxcoder.in ```
#### Restart bind server
```
sudo service bind9 restart
```
#### Add custom host names with ns1 ns2 subdomain and pointing to your ip addresses as specified in ["Add my custom host names"](https://in.godaddy.com/help/dd-my-custom-host-names-12320).
There after change nameservers for domain with `ns1.<Your domain name>` and `ns2.<Your domain name>`
Do it for every domain you want to point to your DNS Do it for every domain you want to point to your DNS
__Note:__ To check if dns is workin properly or not you may use ```dig @ns1.piyushxcoder.in blog.piyushxcoder.in```. It might be also helpful to trace route of dns from root server to yours. __Note:__ To check if dns is working properly or not you may use `dig @ns1.<Your domain name> <Your domain name>`. It might be also helpful to trace route of dns from root server to yours.
#### References #### References
* [An Introduction to DNS Terminology, Components, and Concepts](https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts) #### [An Introduction to DNS Terminology, Components, and Concepts](https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts)
* [How To Configure Bind as an Authoritative-Only DNS Server on Ubuntu 14.04](https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04) #### [How To Configure Bind as an Authoritative-Only DNS Server on Ubuntu 14.04](https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04)
### Setting up Certbot with Bind ### Setting up Certbot with Bind
* Install certbot #### Install certbot
```sudo apt install certbot python3-certbot-dns-rfc2136``` ```sudo apt install certbot python3-certbot-dns-rfc2136```
* Generate a key to secure the update process #### Generate a key to secure the update process
```sudo sh -c "tsig-keygen -a HMAC-SHA512 tsig-key > /etc/bind/tsig.key"``` ```sudo sh -c "tsig-keygen -a HMAC-SHA512 tsig-key > /etc/bind/tsig.key"```
* create ```/etc/bind/named.conf.certbot``` #### Create ```/etc/bind/named.conf.certbot```
``` ```
key "tsig-key" { key "tsig-key" {
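Review bot: the four new lines beginning with `#` in the `db.<Your domain name>` example are a syntax error in a BIND zone file, where the comment character is `;`; `named-checkzone` will reject the file as soon as it is loaded. Rewrite them as `; www IN CNAME <Your domain name>.` and `; _acme-challenge IN NS <Your domain name>.`: CNAME and NS targets must be hostnames, not IP addresses, and the later step says to uncomment `_acme-challenge IN NS <Your domain name>.`, which does not match what this hunk writes. Three further points: the GoDaddy link lost its first letter (`/help/dd-my-custom-host-names-12320` should be `/help/add-my-custom-host-names-12320`); `sudo named-checkconf` alone does not check zone files despite the heading `Check Zone files and configuration`, so use `named-checkconf -z` or `named-checkzone <Your domain name> /etc/bind/db.<Your domain name>`; and the redirected `tsig-keygen` output in `/etc/bind/tsig.key` is created with the default umask, i.e. world-readable, so the step should be followed by `chown root:bind` and `chmod 640` on that file. Also consider `allow-transfer { none; };` in the zone block: transfers to and notifies for the server's own address serve no purpose with ns1 and ns2 on the same host, and the per-zone setting overrides the global default from the options block.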
@ -140,86 +153,92 @@ key "tsig-key" {
secret "private key"; secret "private key";
}; };
zone "_acme-challenge.piyushxcoder.in" { zone "_acme-challenge.<Your domain name>" {
type master; type master;
file "/var/lib/bind/db._acme-challenge.piyushxcoder.in"; file "/var/lib/bind/db._acme-challenge.<Your domain name>";
check-names warn; check-names warn;
update-policy { update-policy {
grant tsig-key name _acme-challenge.piyushxcoder.in. txt; grant tsig-key name _acme-challenge.<Your domain name>. txt;
}; };
}; };
``` ```
add private key and _achme-challenge zone for each domain. Change permission and ownership Add private key and _achme-challenge zone for each domain and Change permission and ownership
``` ```
$ sudo chown root:bind /etc/bind/named.conf.certbot $ sudo chown root:bind /etc/bind/named.conf.certbot
$ sudo chmod 640 /etc/bind/named.conf.certbot $ sudo chmod 640 /etc/bind/named.conf.certbot
``` ```
* Create zone file for each domain at ```/var/lib/bind``` #### Create zone file for each domain in `/var/lib/bind`
Example of ```/var/lib/bind/db._acme-challenge.piyushxcoder.in``` Example of ```/var/lib/bind/db._acme-challenge.<Your domain name>```
``` ```
$ORIGIN . $ORIGIN .
$TTL 43200 ; 12 hours $TTL 43200 ; 12 hours
_acme-challenge.piyushxcoder.in IN SOA piyushxcoder.in. admin.piyushxcoder.in. ( _acme-challenge.<Your domain name> IN SOA <Your domain name>. admin.<Your domain name>. (
2021010211 ; serial 2021010211 ; serial
28800 ; refresh (8 hours) 28800 ; refresh (8 hours)
7200 ; retry (2 hours) 7200 ; retry (2 hours)
604800 ; expire (1 week) 604800 ; expire (1 week)
86400 ; minimum (1 day) 86400 ; minimum (1 day)
) )
NS piyushxcoder.in. NS <Your domain name>.
$TTL 120 ; 2 minutes $TTL 120 ; 2 minutes
TXT "103.190.242.178" TXT "<Your server ip address>"
``` ```
Change permissikn and ownership
```
$ sudo chown root:bind /var/lib/bind/db._acme-challenge.piyushxcoder.in
$ sudo chmod 664 /var/lib/bind/db._acme-challenge.piyushxcoder.in
```
* Now you need to add ```_acme-challenge IN NS mydomain.com.``` in each domain file in ```/etc/bind```
* There after add ```include "/etc/bind/named.conf.certbot";``` in ```/etc/bind/named.local```
* Restart bind server ```sudo systemctl restart bind9```
* Testing Dynamic Update Change premission and ownership
```
$ sudo chown root:bind /var/lib/bind/db._acme-challenge.<Your domain name>
$ sudo chmod 664 /var/lib/bind/db._acme-challenge.<Your domain name>
```
#### Uncomment `_acme-challenge IN NS <Your domain name>.` in each Zone file `db.<Your domain name>` in `/etc/bind`
#### Add `include "/etc/bind/named.conf.certbot";` in `/etc/bind/named.local`
#### Restart bind server
```
sudo systemctl restart bind9
```
#### Testing Dynamic Update
Check configs Check configs
``` ```
sudo named-checkconf sudo named-checkconf
``` ```
To add Entry To add the Entry
``` ```
$ sudo nsupdate -k /etc/bind/tsig.key $ sudo nsupdate -k /etc/bind/tsig.key
> server piyushxcoder.in > server <Your domain name>
> update add _acme-challenge.piyushxcoder.in 86400 TXT 192.168.1.1 > update add _acme-challenge.<Your domain name> 86400 TXT 192.168.1.1
> send > send
``` ```
To list Entry To list the Entry
``` ```
dig @piyushxcoder.in _acme-challenge.piyushxcoder.in txt dig @<Your domain name> _acme-challenge.<Your domain name> txt
``` ```
You will see 192.168.1.1 in entries You will see 192.168.1.1 in entries. If not then that is a problem!
To delete Entry To delete the Entry
``` ```
$ sudo nsupdate -k /etc/bind/Kcertbot.+165+????? $ sudo nsupdate -k /etc/bind/Kcertbot.+165+?????
> server piyushxcoder.in > server <Your domain name>
> update delete _acme-challenge.piyushxcoder.in 86400 TXT 192.168.1.1 > update delete _acme-challenge.<Your domain name> 86400 TXT 192.168.1.1
> send > send
``` ```
* Create ```/etc/letsencrypt/dns_rfc2136_credentials.txt``` #### Create ```/etc/letsencrypt/dns_rfc2136_credentials.txt```
``` ```
# Target DNS server # Target DNS server
dns_rfc2136_server = 103.190.242.178 dns_rfc2136_server = <Your server ip address>
# Target DNS port # Target DNS port
dns_rfc2136_port = 53 dns_rfc2136_port = 53
# TSIG key name # TSIG key name
@ -229,12 +248,13 @@ dns_rfc2136_secret =
# TSIG key algorithm # TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA512 dns_rfc2136_algorithm = HMAC-SHA512
``` ```
Add private key in secret and replace ip Add private key in secret
* Generate Certificate #### Generate Certificate
```sudo /usr/bin/certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/dns_rfc2136_credentials.txt -d 'piyushxcoder.in' -d '*.piyushxcoder.in'```
```
sudo /usr/bin/certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/dns_rfc2136_credentials.txt -d '<Your domain name>' -d '*.<Your domain name>'
```
#### References #### References
* [Let's Encrypt Wildcard Certificates with certbot, BIND, apache and exim](https://john.daltons.info/home_server_documentation/lets_encrypt.html#:~:text=When%20asking%20for%20a%20wildcard,accept%20dynamic%20updates%20from%20certbot.&text=%24%20sudo%20dnssec%2Dkeygen%20%2Da,b%20512%20%2Dn%20HOST%20certbot.) #### [Let's Encrypt Wildcard Certificates with certbot, BIND, apache and exim](https://john.daltons.info/home_server_documentation/lets_encrypt.html#:~:text=When%20asking%20for%20a%20wildcard,accept%20dynamic%20updates%20from%20certbot.&text=%24%20sudo%20dnssec%2Dkeygen%20%2Da,b%20512%20%2Dn%20HOST%20certbot.)
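Review bot: the delete example at the end of `Testing Dynamic Update` still keys with `/etc/bind/Kcertbot.+165+?????`, a dnssec-keygen style file name from the referenced article, while the add example uses `/etc/bind/tsig.key` generated by `tsig-keygen`; both should read `-k /etc/bind/tsig.key`. The heading `Add include "/etc/bind/named.conf.certbot"; in /etc/bind/named.local` points at the wrong file: the config edited earlier is `/etc/bind/named.conf.local`. `/etc/letsencrypt/dns_rfc2136_credentials.txt` holds the TSIG secret, so the step should include `chmod 600` on it (certbot warns about looser permissions). The typo `_achme-challenge` survives in the rewritten sentence and should be `_acme-challenge`. The `update-policy` grant limited to the `_acme-challenge.<Your domain name>.` name and `txt` type is the right least-privilege shape; rather than pasting the secret into `secret "private key"`, the `key "tsig-key"` block can be replaced by `include "/etc/bind/tsig.key";`, since that file already defines the key (keeping both would define `tsig-key` twice).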