# VPS from Scratch ## Introduction This manual describes way to setup bind as DNS with godaddy, SSL certificate from certbot. The manual is written for `Ubuntu 20.4`. You will have to replace your server info in configs below. Replace `` with ip address(eg. 10.4.60.1) of your VPS server and `` with your domain name(eg. piyushxcoder.in). ### Setting up Bind DNS with godaddy #### Install bind ```sudo apt install bind9 bind9utils bind9-doc``` #### Modify `/etc/default/named` ```OPTIONS="-u bind -4"``` #### Configure `/etc/bind/named.conf.options` ``` options { version "Secured DNS server"; directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. forwarders { 8.8.8.8; 8.8.4.4; }; //======================================================================== // If BIND logs error messages about the root key being expired, // you will need to update your keys. See https://www.isc.org/bind-keys //======================================================================== dnssec-validation auto; //listen-on-v6 { any; }; allow-query { localhost; any; }; listen-on port 53 { ; localhost; }; // listen on private network only server-id none; allow-transfer { none; }; # disable zone transfers by default }; ``` #### Configure `/etc/bind/named.conf.local` Add Zone for every domain you are going to use. ``` // Do any local configuration here // // Consider adding the 1918 zones here, if they are not used in your // organization //include "/etc/bind/zones.rfc1918"; include "/etc/bind/named.conf.certbot"; zone "" { type master; file "/etc/bind/db."; allow-transfer { ; }; also-notify { ; }; }; ``` #### Create zone file as mentioned in `named.conf.local` Example Zone file `db.` ``` ; BIND data file for local loopback interface ; $TTL 604800 @ IN SOA ns1.. admin.. ( 2 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL @ IN NS . @ IN A IN NS ns1.. IN NS ns2.. ns1 IN A ns2 IN A # To redirect www handle it with ngnix # www IN CNAME . # For Certbot # _acme-challenge IN NS . ``` #### Check Zone files and configuration ``` sudo named-checkconf ``` #### Restart bind server ``` sudo service bind9 restart ``` #### Add custom host names with ns1 ns2 subdomain and pointing to your ip addresses as specified in ["Add my custom host names"](https://in.godaddy.com/help/dd-my-custom-host-names-12320). There after change nameservers for domain with `ns1.` and `ns2.` Do it for every domain you want to point to your DNS __Note:__ To check if dns is working properly or not you may use `dig @ns1. `. It might be also helpful to trace route of dns from root server to yours. #### References #### [An Introduction to DNS Terminology, Components, and Concepts](https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts) #### [How To Configure Bind as an Authoritative-Only DNS Server on Ubuntu 14.04](https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04) ### Setting up Certbot with Bind #### Install certbot ```sudo apt install certbot python3-certbot-dns-rfc2136``` #### Generate a key to secure the update process ```sudo sh -c "tsig-keygen -a HMAC-SHA512 tsig-key > /etc/bind/tsig.key"``` #### Create ```/etc/bind/named.conf.certbot``` ``` key "tsig-key" { algorithm "hmac-sha512"; secret "private key"; }; zone "_acme-challenge." { type master; file "/var/lib/bind/db._acme-challenge."; check-names warn; update-policy { grant tsig-key name _acme-challenge.. txt; }; }; ``` Add private key and _achme-challenge zone for each domain and Change permission and ownership ``` $ sudo chown root:bind /etc/bind/named.conf.certbot $ sudo chmod 640 /etc/bind/named.conf.certbot ``` #### Create zone file for each domain in `/var/lib/bind` Example of ```/var/lib/bind/db._acme-challenge.``` ``` $ORIGIN . $TTL 43200 ; 12 hours _acme-challenge. IN SOA . admin.. ( 2021010211 ; serial 28800 ; refresh (8 hours) 7200 ; retry (2 hours) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) NS . $TTL 120 ; 2 minutes TXT "" ``` Change premission and ownership ``` $ sudo chown root:bind /var/lib/bind/db._acme-challenge. $ sudo chmod 664 /var/lib/bind/db._acme-challenge. ``` #### Uncomment `_acme-challenge IN NS .` in each Zone file `db.` in `/etc/bind` #### Add `include "/etc/bind/named.conf.certbot";` in `/etc/bind/named.local` #### Restart bind server ``` sudo systemctl restart bind9 ``` #### Testing Dynamic Update Check configs ``` sudo named-checkconf ``` To add the Entry ``` $ sudo nsupdate -k /etc/bind/tsig.key > server > update add _acme-challenge. 86400 TXT 192.168.1.1 > send ``` To list the Entry ``` dig @ _acme-challenge. txt ``` You will see 192.168.1.1 in entries. If not then that is a problem! To delete the Entry ``` $ sudo nsupdate -k /etc/bind/Kcertbot.+165+????? > server > update delete _acme-challenge. 86400 TXT 192.168.1.1 > send ``` #### Create ```/etc/letsencrypt/dns_rfc2136_credentials.txt``` ``` # Target DNS server dns_rfc2136_server = # Target DNS port dns_rfc2136_port = 53 # TSIG key name dns_rfc2136_name = tsig-key # TSIG key secret dns_rfc2136_secret = # TSIG key algorithm dns_rfc2136_algorithm = HMAC-SHA512 ``` Add private key in secret #### Generate Certificate ``` sudo /usr/bin/certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/dns_rfc2136_credentials.txt -d '' -d '*.' ``` #### References #### [Let's Encrypt Wildcard Certificates with certbot, BIND, apache and exim](https://john.daltons.info/home_server_documentation/lets_encrypt.html#:~:text=When%20asking%20for%20a%20wildcard,accept%20dynamic%20updates%20from%20certbot.&text=%24%20sudo%20dnssec%2Dkeygen%20%2Da,b%20512%20%2Dn%20HOST%20certbot.)