User Tools
сервис_dns
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
сервис_dns [2020/12/02 15:21] val [Настройка DNS view] |
сервис_dns [2025/11/27 09:25] (current) val [Автоматическое обновление сертификатов LetsEncrypt для внутренних сайтов] |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| * [[http://ru.wikipedia.org/wiki/DNS|Domain Name System — система доменных имён]] | * [[http://ru.wikipedia.org/wiki/DNS|Domain Name System — система доменных имён]] | ||
| * [[http://xgu.ru/wiki/Настройка_DNS-сервера_BIND|Настройка DNS-сервера BIND]] | * [[http://xgu.ru/wiki/Настройка_DNS-сервера_BIND|Настройка DNS-сервера BIND]] | ||
| + | |||
| * [[Финальная настройка DNS сервера]] | * [[Финальная настройка DNS сервера]] | ||
| + | * [[https://nip.io/|Dead simple wildcard DNS for any IP Address]] | ||
| ===== Утилиты тестирования DNS ===== | ===== Утилиты тестирования DNS ===== | ||
| Line 19: | Line 21: | ||
| $ nslookup -q=NS bmstu.ru | $ nslookup -q=NS bmstu.ru | ||
| + | |||
| + | val@noc:~$ nslookup -q=AXFR bmstu.ru 195.19.32.2 | ||
| $ nslookup -q=MX bmstu.ru 195.19.32.2 | $ nslookup -q=MX bmstu.ru 195.19.32.2 | ||
| - | $ nslookup -q=AXFR bmstu.ru 195.19.32.2 | + | $ nslookup -q=SRV _xmpp-client._tcp.bmstu.ru |
| + | |||
| + | $ nslookup -q=SRV _kerberos._udp.bmstu.ru | ||
| - | # nslookup -q=SRV _xmpp-client._tcp.valtest.bmstu.ru | + | $ nslookup -q=SRV _sip._udp.bmstu.ru |
| </code> | </code> | ||
| Line 129: | Line 135: | ||
| root@server:~# cat /etc/bind/named.conf.options | root@server:~# cat /etc/bind/named.conf.options | ||
| </code><code> | </code><code> | ||
| + | options { | ||
| ... | ... | ||
| forwarders { | forwarders { | ||
| Line 188: | Line 195: | ||
| ;proxy A 172.16.1.X | ;proxy A 172.16.1.X | ||
| + | |||
| + | ;$GENERATE 1-100 node$ A 192.168.X.$ | ||
| + | ;$GENERATE 1-9 node$ A 192.168.X.20$ | ||
| + | ;$GENERATE 10-54 node$ A 192.168.X.2$ | ||
| + | ;$GENERATE 1-9 kube$ A 192.168.X.22$ | ||
| ;_sip._udp SRV 0 0 5060 server | ;_sip._udp SRV 0 0 5060 server | ||
| Line 386: | Line 398: | ||
| mail CNAME server | mail CNAME server | ||
| - | ... | + | ;... |
| </code> | </code> | ||
| Line 478: | Line 490: | ||
| </code> | </code> | ||
| + | ==== Автоматическое обновление сертификатов LetsEncrypt для внутренних сайтов ==== | ||
| + | |||
| + | * [[Let's Encrypt для внутренних сайтов]] | ||
| + | |||
| + | === Черновик 1 === | ||
| + | <code> | ||
| + | ns.domain1.mgtu.ru:~# vim /etc/bind/domain1.mgtu.ru | ||
| + | ... | ||
| + | site4 A 195.19.40.59 | ||
| + | *.site4 A 195.19.40.59 | ||
| + | _acme-challenge.site4 NS ns | ||
| + | ... | ||
| + | |||
| + | |||
| + | ns.domain1.mgtu.ru:~# rndc-confgen -a -A hmac-sha512 -k "certbot.site4" -c /etc/bind/certbot.site4.key | ||
| + | ns.domain1.mgtu.ru:~# chmod 640 /etc/bind/certbot.site4.key | ||
| + | |||
| + | ns.domain1.mgtu.ru:~# cat /etc/bind/named.conf | ||
| + | ... | ||
| + | include "/etc/bind/certbot.site4.key"; | ||
| + | ... | ||
| + | |||
| + | ns.domain1.mgtu.ru:~# cat /etc/bind/named.conf.local | ||
| + | ... | ||
| + | zone "_acme-challenge.site4.domain1.mgtu.ru" { | ||
| + | type master; | ||
| + | file "/var/lib/bind/_acme-challenge.site4.domain1.mgtu.ru"; | ||
| + | update-policy { | ||
| + | grant certbot.site4 name _acme-challenge.site4.domain1.mgtu.ru. txt; | ||
| + | }; | ||
| + | }; | ||
| + | ... | ||
| + | |||
| + | ns.domain1.mgtu.ru:~# sudo -u bind vim /var/lib/bind/_acme-challenge.site4.domain1.mgtu.ru | ||
| + | |||
| + | $TTL 30 ; 30 seconds | ||
| + | _acme-challenge.site4.domain1.mgtu.ru. IN SOA ns.domain1.mgtu.ru. noc.bmstu.ru. ( | ||
| + | 9 ; serial | ||
| + | 86400 ; refresh (1 day) | ||
| + | 43200 ; retry (12 hours) | ||
| + | 604800 ; expire (1 week) | ||
| + | 30 ; minimum (30 seconds) | ||
| + | ) | ||
| + | NS ns.domain1.mgtu.ru. | ||
| + | |||
| + | |||
| + | ns.domain1.mgtu.ru:~# nsupdate -k /etc/bind/certbot.key | ||
| + | site4.domain1.mgtu.ru:~# apt install bind9-dnsutils | ||
| + | site4.domain1.mgtu.ru:~# nsupdate -k certbot.key | ||
| + | > server 127.0.0.1 | ||
| + | > server 195.19.40.42 | ||
| + | > zone _acme-challenge.site4.domain1.mgtu.ru | ||
| + | > update add _acme-challenge.site4.domain1.mgtu.ru. 30 IN TXT "your_txt_record_data 2" | ||
| + | > update del _acme-challenge.site4.domain1.mgtu.ru. 30 IN TXT "your_txt_record_data 2" | ||
| + | > send | ||
| + | |||
| + | site4.domain1.mgtu.ru:~# dig TXT _acme-challenge.site4.domain1.mgtu.ru | ||
| + | |||
| + | |||
| + | ns.domain1.mgtu.ru:~# ###rndc freeze _acme-challenge.site4.domain1.mgtu.ru. | ||
| + | ns.domain1.mgtu.ru:~# ###sudo -u bind vim /var/lib/bind/_acme-challenge.site4.domain1.mgtu.ru | ||
| + | ns.domain1.mgtu.ru:~# ###rndc thaw _acme-challenge.site4.domain1.mgtu.ru. | ||
| + | |||
| + | |||
| + | site4.domain1.mgtu.ru:~# apt install python3-certbot-dns-rfc2136 | ||
| + | |||
| + | site4.domain1.mgtu.ru:~# cat /etc/certbot-credentials.ini | ||
| + | dns_rfc2136_server = 195.19.40.42 | ||
| + | dns_rfc2136_port = 53 | ||
| + | dns_rfc2136_name = certbot.site4 | ||
| + | dns_rfc2136_secret = QV8VQ+B8wv+nj/fE7DoqUmFLZWeNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNzFE8TjiwfnxO5MNg== | ||
| + | dns_rfc2136_algorithm = HMAC-SHA512 | ||
| + | |||
| + | |||
| + | site4.domain1.mgtu.ru:~# chmod 640 /etc/certbot-credentials.ini | ||
| + | |||
| + | certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/certbot-credentials.ini -d 'site4.domain1.mgtu.ru' -d '*.site4.domain1.mgtu.ru' | ||
| + | </code> | ||
| + | === Черновик 2 === | ||
| + | <code> | ||
| + | rndc-confgen -a -A hmac-sha512 -k "certbot." -c /etc/bind/certbot.key | ||
| + | |||
| + | valtest:~# chmod 640 /etc/bind/certbot.key | ||
| + | |||
| + | more /etc/bind/certbot.key | ||
| + | |||
| + | valtest:~# cat /etc/bind/named.conf | ||
| + | ... | ||
| + | include "/etc/bind/certbot.key"; | ||
| + | |||
| + | sudo -u bind vim /var/lib/bind/_acme-challenge.valtest.bmstu.ru | ||
| + | |||
| + | valtest:~# cat /var/lib/bind/_acme-challenge.valtest.bmstu.ru | ||
| + | $TTL 300 ; 5 minutes | ||
| + | _acme-challenge.valtest.bmstu.ru. IN SOA valtest.bmstu.ru. val.bmstu.ru. ( | ||
| + | 2020050828 ; serial | ||
| + | 10800 ; refresh (3 hours) | ||
| + | 3600 ; retry (1 hour) | ||
| + | 86400 ; expire (1 week) | ||
| + | 86400 ; minimum (1 day) | ||
| + | ) | ||
| + | NS valtest.bmstu.ru. | ||
| + | NS ns.bmstu.ru. | ||
| + | $TTL 60 ; 1 minute | ||
| + | TXT "127.0.0.8" | ||
| + | |||
| + | |||
| + | valtest:~# cat /etc/bind/named.conf.local | ||
| + | ... | ||
| + | zone "_acme-challenge.valtest.bmstu.ru" { | ||
| + | type master; | ||
| + | file "/var/lib/bind/_acme-challenge.valtest.bmstu.ru"; | ||
| + | allow-transfer {195.19.32.2;}; | ||
| + | update-policy { | ||
| + | grant certbot. name _acme-challenge.valtest.bmstu.ru. txt; | ||
| + | }; | ||
| + | }; | ||
| + | |||
| + | valtest:~# nsupdate -k /etc/bind/certbot.key | ||
| + | > server 127.0.0.1 | ||
| + | > zone _acme-challenge.valtest.bmstu.ru | ||
| + | > update add _acme-challenge.valtest.bmstu.ru. 300 IN TXT "your_txt_record_data 1" | ||
| + | > send | ||
| + | |||
| + | valtest:~# dig TXT _acme-challenge.valtest.bmstu.ru | ||
| + | |||
| + | root@ns:~# named-compilezone -f raw -F text -o - _acme-challenge.valtest.bmstu.ru /var/cache/bind/ru/_acme-challenge.valtest.bmstu | ||
| + | |||
| + | valtest:~# rndc sync _acme-challenge.valtest.bmstu.ru | ||
| + | |||
| + | |||
| + | valtest:~# rndc freeze _acme-challenge.valtest.bmstu.ru. | ||
| + | valtest:~# sudo -u bind vim /var/lib/bind/_acme-challenge.valtest.bmstu.ru | ||
| + | valtest:~# rndc thaw _acme-challenge.valtest.bmstu.ru. | ||
| + | |||
| + | |||
| + | valtest:~# ###cat /var/lib/bind/_acme-challenge.valtest.bmstu.ru | ||
| + | |||
| + | |||
| + | |||
| + | Nov 19 14:51:06 ns named[213146]: zone _acme-challenge.valtest.bmstu.ru/IN/common: refresh: unexpected rcode (SERVFAIL) from primary 195.19.40.42#53 (source 0.0.0.0#0) | ||
| + | |||
| + | |||
| + | |||
| + | apt-get install python3-certbot-dns-rfc2136 | ||
| + | |||
| + | valtest:~# cat /etc/bind/certbot-credentials.ini | ||
| + | # Target DNS server | ||
| + | dns_rfc2136_server = 127.0.0.1 | ||
| + | # Target DNS port | ||
| + | dns_rfc2136_port = 53 | ||
| + | # TSIG key name | ||
| + | dns_rfc2136_name = certbot. | ||
| + | # TSIG key secret | ||
| + | dns_rfc2136_secret = Pba+bPbB8/fxhEl70BTgIz3ljrEPlq/msjkiaI7+X8gkQI7WwM6B4GQVifvkUIjd6TQFqc+x0rddefn1s8VgIA== | ||
| + | # TSIG key algorithm | ||
| + | dns_rfc2136_algorithm = HMAC-SHA512 | ||
| + | |||
| + | |||
| + | chmod 640 /etc/bind/certbot-credentials.ini | ||
| + | |||
| + | certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/bind/certbot-credentials.ini -d 'valtest.bmstu.ru' -d '*.valtest.bmstu.ru' --dry-run | ||
| + | </code> | ||
| ==== Ограничение доступа к DNS серверу ==== | ==== Ограничение доступа к DNS серверу ==== | ||
сервис_dns.1606911666.txt.gz · Last modified: 2020/12/02 15:21 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
