Differences

linux_router:dns_dhcp [2023-07-08 Sat wk27 10:55] – [Bind9 Control Nomenclature] baumkplinux_router:dns_dhcp [2024-07-21 Sun wk29 08:58] (current) – [isc-dhcp-server log file comments] baumkp
Line 6: Line 6:
 I have moved my DNS and DHCP servers to Docker, [[https://wiki.kptree.net/doku.php?id=docker_notes:docker-dns#docker_-_dns_server|Docker-DNS Server]].  I am still using ISC_Bind9, but am now using ISC_Kea for DHCP as ISC_Bind is no longer supported as of 2022. I have moved my DNS and DHCP servers to Docker, [[https://wiki.kptree.net/doku.php?id=docker_notes:docker-dns#docker_-_dns_server|Docker-DNS Server]].  I am still using ISC_Bind9, but am now using ISC_Kea for DHCP as ISC_Bind is no longer supported as of 2022.
  
-Further to this I am no looking at backups for both these services on my local area network.  Whilst these services worked reliably well, when ever I shutdown the the router with DNS/DHCP servers my LAN would stop working. Hence the need for back-up DNS. +++++tl;dr;
 +Further to this I am no looking at backups for both these services on my local area network.  Whilst these services worked reliably well, when ever I shutdown the the router with DNS/DHCP servers my LAN would stop working. Hence the need for back-up DNS.  Many of my home server applications now are set up to operate via https via Traefik and this also relies upon correct local DNS resolution.  Hence DNS is even more critical.  The DHCP server is less critical, however all the IT equipment that relies upon DHCP will not function without this service.  Most my critical services have static IP address.
  
 These notes still have some utility.  I will presumably archive (tl;dr; roll-up) eventually. These notes still have some utility.  I will presumably archive (tl;dr; roll-up) eventually.
  
-Actually my router that I was running these services was totally lost when upgrading from Debian 11 to Debian 12, circa June 2023. So I had to rebuild from scratch using these various notes.+Actually my router that I was running these services was totally lost when upgrading from Debian 11 to Debian 12, circa June 2023. So I had to rebuild from scratch using these various notes.  This went reasonably well as the notes seemed suitable for purpose.
  
-This setup was primarily written in 2017 and is based upon ISC Bind9 and ISC DHCP, which are the main internet backbone software used for DNS and DHCP.  +This setup was primarily written in 2017 and is based upon ISC Bind9 and ISC DHCP, which are the main internet backbone software used for DNS and DHCP.    I no longer use ISC DHCP as this has been formally replaced by ISC Kea.
  
 (2022) ISC has a newer DHCP software called Kea that is designed to replace ISC DHCP. Kea was primarily developed around 2014-2020. They also are currently developing a monitor for Kea and Bind9 called Stork.  A future plan would be to review and replace ISC DHCP with Kea and also implement Stork. (2022) ISC has a newer DHCP software called Kea that is designed to replace ISC DHCP. Kea was primarily developed around 2014-2020. They also are currently developing a monitor for Kea and Bind9 called Stork.  A future plan would be to review and replace ISC DHCP with Kea and also implement Stork.
 +++++
 ===Main references used (2017)=== ===Main references used (2017)===
 An interesting older resource is BigDinosaur Blog [[https://blog.bigdinosaur.org/running-bind9-and-isc-dhcp/|Running BIND9 and ISC-DHCP]]. ++Unfortunately, no longer readily available, Kill-9 Ubuntu 16.04 based Router, Part 2 - DHCP| does not seem to be saved on [[https://web.archive.org/|Wayback Machine Internet Archive]], but [[https://web.archive.org/web/20190410000003/https://killtacknine.com/building-an-ubuntu-16-04-router-part-5-dns/|Part 5 - DNS]] is. (As are [[https://web.archive.org/web/20190410005152/https://killtacknine.com/building-an-ubuntu-16-04-router-part-6-remote-access/|Building an Ubuntu 16.04 Router Part 6: Remote Access]], [[https://web.archive.org/web/20190410001839/https://killtacknine.com/building-an-ubuntu-16-04-router-part-7-proxies-and-caching//|Building an Ubuntu 16.04 Router Part 7: Proxies and Caching]] & [[https://web.archive.org/web/20190410000841/https://killtacknine.com/building-an-ubuntu-16-04-router-part-8-monitoring/|Building an Ubuntu 16.04 Router Part 8: Monitoring]].  It looks like parts 2 and 3 are missing only.)++ An interesting older resource is BigDinosaur Blog [[https://blog.bigdinosaur.org/running-bind9-and-isc-dhcp/|Running BIND9 and ISC-DHCP]]. ++Unfortunately, no longer readily available, Kill-9 Ubuntu 16.04 based Router, Part 2 - DHCP| does not seem to be saved on [[https://web.archive.org/|Wayback Machine Internet Archive]], but [[https://web.archive.org/web/20190410000003/https://killtacknine.com/building-an-ubuntu-16-04-router-part-5-dns/|Part 5 - DNS]] is. 
(As are [[https://web.archive.org/web/20190410005152/https://killtacknine.com/building-an-ubuntu-16-04-router-part-6-remote-access/|Building an Ubuntu 16.04 Router Part 6: Remote Access]], [[https://web.archive.org/web/20190410001839/https://killtacknine.com/building-an-ubuntu-16-04-router-part-7-proxies-and-caching//|Building an Ubuntu 16.04 Router Part 7: Proxies and Caching]] & [[https://web.archive.org/web/20190410000841/https://killtacknine.com/building-an-ubuntu-16-04-router-part-8-monitoring/|Building an Ubuntu 16.04 Router Part 8: Monitoring]].  It looks like parts 2 and 3 are missing only.)++
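Review bot: the sentence "am now using ISC_Kea for DHCP as ISC_Bind is no longer supported as of 2022" names the wrong product; the rest of this revision (the "This setup was primarily written in 2017" paragraph and the DHCP Setup section) says it is ISC DHCP that was replaced by Kea and lost support, while ISC BIND9 is still in use. Suggest "as ISC DHCP is no longer supported as of 2022". In the added tl;dr text, "I am no looking" should read "I am now looking", "when ever I shutdown the the router" should read "whenever I shut down the router", and "Most my critical services" should read "Most of my critical services". Since the paragraph now argues that correct local DNS resolution is what keeps the Traefik HTTPS services reachable, it would help to say what form the backup is expected to take (a second resolver on a different host, handed out as the second nameserver in the DHCP leases) rather than only that one is needed.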
Line 38: Line 39:
 ====Bind9 Control Nomenclature==== ====Bind9 Control Nomenclature====
 There are a number of "names" that are used with bind9 dns. There are a number of "names" that are used with bind9 dns.
-  * "bind9" is the DNS software is known as isc_bind9, and systemctl in some Linux refers to the service as bind.service.+  * "bind9" is the DNS software is known as isc_bind9, and systemctl in some Linux refers to the service as bind9.service.
   * "named" is the normal name of the isc-bind9 code that is call to start the application    * "named" is the normal name of the isc-bind9 code that is call to start the application 
   * "rndc" is an application used to control a running bind9 instance, e.g. ''rndc reload'' to reload the configuration   * "rndc" is an application used to control a running bind9 instance, e.g. ''rndc reload'' to reload the configuration
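Review bot: the unit name change from bind.service to bind9.service may still not match the system the page now describes. On Debian 12, which the tl;dr says the router was rebuilt on, the bind9 package installs ''named.service'' and provides ''bind9.service'' only as an alias, so ''systemctl status named'' is the canonical form; suggest wording the bullet as "the systemd unit is named.service (aliased as bind9.service on Debian/Ubuntu)" and confirming on the host with ''systemctl list-unit-files 'named*' 'bind*'''. Two grammar fixes in the unchanged bullets: "is the DNS software is known as isc_bind9" should read "is the DNS software, also known as isc-bind9", and "the isc-bind9 code that is call to start" should read "called".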
Line 268: Line 269:
   * [[https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04|How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04]]   * [[https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04|How To Configure Bind as a Caching or Forwarding DNS Server on Ubuntu 14.04]]
 =====DHCP Setup===== =====DHCP Setup=====
 +This section is outdated, ISC DHCP was replaced by ISC Kea, and ISC DHCP is no longer formally supported as of 2022.
  
 +++++Outdated tl;dr;|
 First install or ensure already installed the ISC DHCP server software: ''sudo apt install isc-dhcp-server'' First install or ensure already installed the ISC DHCP server software: ''sudo apt install isc-dhcp-server''
  
-Next edit the dhcp configuration file: ''sudo vim /etc/dhcp/dhcpd.conf''+Next edit the dhcp configuration file: ''sudo vim /etc/dhcp/dhcpd.conf'' ++++ 
 ++++dhcp.conf| ++++dhcp.conf|
 <code> <code>
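Review bot: the new "++++Outdated tl;dr;|" fold opened before the install line is closed by the " ++++ " appended to the "Next edit the dhcp configuration file" line, so only those two sentences collapse and the rest of the outdated DHCP material (the dhcp.conf fold that follows) stays expanded. If the whole section is meant to collapse, the closing marker belongs after the last DHCP paragraph, or the dhcp.conf fold has to sit inside the outer one (check that the folded plugin accepts nesting before relying on it). The new warning line reads better with a semicolon: "This section is outdated; ISC DHCP was replaced by ISC Kea and is no longer formally supported as of 2022." It is also worth stating the practical consequence the line implies: an unsupported DHCP server still answering on the LAN receives no further security fixes, which is the reason to migrate rather than keep the old configuration running.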
Line 482: Line 486:
  
 ISC has stopped supporting ISC-DHCP client and relay versions as of 2022 and indicated that they plan to eventually stop support of server version.  They seem to recommend migration to ISC-Kea, the ISC-DHCP replacement. ISC has stopped supporting ISC-DHCP client and relay versions as of 2022 and indicated that they plan to eventually stop support of server version.  They seem to recommend migration to ISC-Kea, the ISC-DHCP replacement.
 +
 +
 ====isc-dhcp-server defaults file==== ====isc-dhcp-server defaults file====
 The default isc-dhcp-server configuration files is: ''sudo vim /etc/default/isc-dhcp-server''. Ensure the interface(s) that the DHCP server is to server requests upon is indicated, for example: The default isc-dhcp-server configuration files is: ''sudo vim /etc/default/isc-dhcp-server''. Ensure the interface(s) that the DHCP server is to server requests upon is indicated, for example:
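Review bot: the hunk only adds two blank lines, but the unchanged lines around it carry wording errors worth fixing in the same pass: "stop support of server version" should read "of the server version", and "The default isc-dhcp-server configuration files is ... the interface(s) that the DHCP server is to server requests upon" should read "configuration file is ... is to serve requests on". The interface list in /etc/default/isc-dhcp-server is also the control that stops dhcpd answering on the router's WAN-facing interface, so it would be clearer to say that directly instead of only "for example".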
Line 495: Line 501:
    in your dhcpd.conf file for the network segment    in your dhcpd.conf file for the network segment
    to which interface eno4 is attached. **    to which interface eno4 is attached. **
-</code>++++ +</code> 
 +++++
 ======ipv6====== ======ipv6======
 =====radvd===== =====radvd=====
Line 584: Line 590:
   * ''nslookup -type=mx mail.kptree.net'' for mail server information   * ''nslookup -type=mx mail.kptree.net'' for mail server information
   * ''nslookup -type=mx -debug mail.kptree.net'' more verbose    * ''nslookup -type=mx -debug mail.kptree.net'' more verbose 
 +
 +====secure DNS====
 +
 +  *''echo | openssl s_client -connect '9.9.9.9:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64'' to query current SPKI pin for Quad9
 +    *This also seems to work for other DNS resolvers, 1.1.1.1 (Cloudflare), 8.8.8.8 (Google)
 +
 +  *Stackexchange.com:
 +    *[[https://unix.stackexchange.com/questions/735368/how-to-use-dns-over-tls-with-bind9-forwarders|how-to-use-dns-over-tls-with-bind9-forwarders]]
 +    *[[https://unix.stackexchange.com/questions/755905/how-to-test-if-dns-over-tls-dot-with-bind9-forwarders-is-actually-working|how-to-test-if-dns-over-tls-dot-with-bind9-forwarders-is-actually-working]]
 +    *[[https://unix.stackexchange.com/questions/756994/enable-tls-on-bind9|Enable TLS on BIND9]]
 +  *[[https://engineering.fb.com/2018/12/21/security/dns-over-tls/|DNS over TLS: Encrypting DNS end-to-end]]
 +  *[[https://www.b1c1l1.com/blog/2018/04/23/encrypted-recursive-dns-with-dns-over-tls-unbound-and-cloudflare/|Encrypted Recursive DNS with DNS over TLS, Unbound, and Cloudflare]]
 +  *[[https://medium.com/nlnetlabs/privacy-using-dns-over-tls-with-the-new-quad9-dns-service-1ff2d2b687c5|Privacy: Using DNS-over-TLS with the Quad9 DNS Service]]
 +  *[[https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en|ICANN - DNSSEC – What Is It and Why Is It Important?]]
 +  *[[https://quad9.net/support/faq/|QUAD9 FAQ]]
 +  *[[https://www.linuxbabe.com/ubuntu/dns-over-tls-resolver-nginx|How to Easily Set Up a DNS over TLS Resolver with Nginx on Ubuntu]]
 +  *[[https://www.talkdns.com/articles/a-beginners-guide-to-dnssec-with-bind-9/|DNSSEC with BIND 9 A Beginner's Guide to DNSSEC with BIND 9]]
 +  *Some online DNSSEC analysers:
 +    *[[https://dnssec-analyzer.verisignlabs.com/|VERISIGN DNSSEC Analyzer]]
 +    *[[https://dnsviz.net/|dnsviz.net]]
 +  *Bind9 read the docs:
 +    *[[https://bind9.readthedocs.io/en/latest/chapter5.html|DNSSEC]]
 +    *[[https://bind9.readthedocs.io/en/latest/dnssec-guide.html|dnssec-guide]]
 +  *[[https://dnsprivacy.org/dns_privacy_clients/|DNS Privacy Project - DNS Privacy Clients]] Says Bind9 does not not natively support TLS.
 =====ipv6 links===== =====ipv6 links=====
   *[[https://jochen.kirstaetter.name/enabling-dns-for-ipv6-infrastructure/|Enabling DNS for IPv6 infrastructure]]   *[[https://jochen.kirstaetter.name/enabling-dns-for-ipv6-infrastructure/|Enabling DNS for IPv6 infrastructure]]
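Review bot: the openssl pipeline in the new "secure DNS" section fetches the resolver's current SPKI hash over a connection it does not itself authenticate (no ''-CAfile'' or ''-verify_return_error'', and ''s_client'' hands the certificate on to ''x509'' whether or not chain validation succeeded), so the printed value is trust-on-first-use: it shows what key 9.9.9.9 presents right now, not whether that is the key the operator intends you to pin. Before putting the hash into a forwarder's TLS configuration, compare it with any pin the provider publishes or with a second fetch from a different network path, and note that the pin changes when the provider rotates keys, so a pinned forwarder needs a periodic re-check or it will silently lose upstream resolution. Two text fixes: "does not not natively support TLS" has a doubled "not", and the statement is dated, since the three stackexchange links immediately above describe configuring DoT forwarders and TLS listeners in BIND 9 (native DoT support arrived in BIND 9.18); stating which BIND version the router runs would tell readers which advice applies. The first bullet also lacks the space after the asterisk used by the other list items ("  * ''echo ...'').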