
dns-server using FreeBSD static IP to TLD

max21

Well-Known Member

Thanks: 17
Messages: 365

#1
This is what I want to do and why I want to try it, if it's possible.

I'm doing this to learn how to do things correctly the very first time I connect, so I don't have to monkey around blindly, handing over complete control at the click of a button to those who await!

My way of thinking may be incorrect -- I always wonder if I could do this with a full-blown DNS server in one jail and a recursive server in another jail. I registered a dummy domain name to learn how to run my own DNS server before attempting production with my real domain names; as expected, in under a week I'm getting tons of emails and a few phone calls from people offering website assistance or trying to gather more personal info (trojans at work), and I'm sure the only other interested parties would be hackers anticipating any mistakes to come. I'm happy to experience this in advance.

It's OK :), I just want to see if I can make this silly-putty PUBLIC domain name and my website in another jail accessible by me only, as it is on the Wild Wild West, and NOT just a full-blown DNS server serving a group on an internal network. I don't have one, and it would be no joy watching those who *should* be trusted in the first place. This way I'll be in the mix around the world so hacking is apparent, as I learn how to hide and perform some tricks of my own to devour them all by production time. That's what I want to see out of running my own authoritative service and/or the recursive one. I just started reading about BIND and it sounds like a lot of fun to come, just like pf used to be. I even kind of understand some of the gory details, but I CAN'T seem to perceive the meaning of the main headers in most DNS and BIND how-tos.

All the ones I read only seem to talk about how to configure DNS server(s) to serve an internal network, giving me the impression that that's the cream of the crop of what it does.

How about:
1) Here is how to set up your computer so that it publishes your FreeBSD static IP addresses for your TLD.
Instead of:
2) Here is how to set up your computer so that it publishes your IP addresses.
Then it tells me to go get a static IP from my ISP or do it in your router. But it is weird that I read nothing that even came close to #1, or that I simply can't read between the lines, and if so, why don't they just make it clear? Why have a cake when you can't taste it?

I’m not that smart of a guy but once I get past simplicity I can do the darn thing.

Could someone tell me what #2 really means and if #1 is even possible?

How do I make my FreeBSD jail host's static IP or alias IP point to my domain name at the TLD registrar?

and/or

How do I make my FreeBSD jail host USE my TLD's actual IP and point it at my domain name at the TLD registrar?

Should I mostly be concerned about NS records and not CNAME?

Can it be as simple as that?
 

ShelLuser

Daemon

Thanks: 806
Messages: 2,012

#2
It's OK :), I just want to see if I can make this silly-putty PUBLIC domain name and my website in another jail accessible by me only, as it is on the Wild Wild West, and NOT just a full-blown DNS server serving a group on an internal network. I don't have one, and it would be no joy watching those who *should* be trusted in the first place.
Why wouldn't that be fun? Better yet: what do you imagine the actual difference between those two scenarios to be?

You don't need a real domain name to learn how to set up a DNS server. In fact, it's probably best that you don't, and instead start with a local domain using a private IP range in order to prevent any nasty side effects from mistakes you might make. Another added bonus is that such a local setup would also allow you to set up (and use) reverse DNS as well, something which would otherwise be completely impossible without help from your ISP.

I'm also not quite sure what you're asking. You share a bunch of quotes but I have no idea where you got those from nor do I understand what you're trying to ask.

Then it tells me to go get a static IP from my ISP or do it in your router. But it is weird that I read nothing that even came close to #1, or that I simply can't read between the lines, and if so, why don't they just make it clear? Why have a cake when you can't taste it?

I’m not that smart of a guy but once I get past simplicity I can do the darn thing.

Could someone tell me what #2 really means and if #1 is even possible?
I can't without a pointer to the original article so that I can read the whole thing within context.

But I assume that it basically boils down to the very essence of DNS, which is nothing more than to "link" an IP address with a name, usually a host / domain name. In other words: when you try to look up www.freebsd.org you get the IP address of the server. One could describe that as "publishing an IP address", I suppose. It basically makes the IP address more easily accessible, which is essentially all that DNS does.

How do I make my FreeBSD jail host's static IP or alias IP point to my domain name at the TLD registrar?
By assigning that IP address to your jail. See jail.conf(5), and chapter 14 of the FreeBSD handbook is also a good read.

How do I make my FreeBSD jail host USE my TLD's actual IP and point it at my domain name at the TLD registrar?
Define "use"? It heavily depends on what you're going to do with it. Basically this is nothing different than setting up whatever service it is you want to use. Running a website? Configure your webserver accordingly. Use the domain for e-mail? Then you should set up a mailserver aka MTA ("Mail Transfer Agent") and configure it accordingly.

Of course to me that wouldn't count as "using" it but more so as actually hosting it.

Should I mostly be concerned about NS records and not CNAME?
If you don't know the difference between those two records nor what they represent, then I think you should give up on the idea of hosting your own DNS server for now and start by hosting a domain with a registrant which also provides some control over the DNS records. That will help you to become more familiar with those without any risk of the whole thing blowing up. In the meantime you can read up a bit more about DNS services (this could be a good read).

Hope this can give you some ideas.
 

ronaldlees

Aspiring Daemon

Thanks: 189
Messages: 557

#3
BIND isn't particularly friendly for a noob to set up and configure. Maybe I'd suggest that you set up and run the unbound caching resolver on an internal network to enhance your DNS skills. Then graduate to BIND, using an internal network to practice with it. As ShelLuser mentioned, using an internal network to practice your configuration skills on a DNS server/daemon is a good idea. Just because your DNS daemon is running in a jail doesn't mean it cannot be exploited. You could have a pwned/poisoned DNS running happily along in a jail all day long, especially if the jail is misconfigured.

By "public IP," they probably mean that you in most cases want your public-side IP to be static, so that people can find it, unless you're using a dynamic DNS provider, in which case they'd handle the details anyway. Have you ever used unbound?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,503
Messages: 25,687

#4

max21

Well-Known Member

Thanks: 17
Messages: 365

#5
Why wouldn't that be fun? Better yet: what do you imagine the actual difference between those two scenarios to be?
I'm glad you asked!

Wired staff told me how fun and educational DNS is; I said, oh, I'm going to kick some butt! Then he boasted about this guy from the bottom of his heart. I followed every link, and when I read what FreeBSD had to say about it... it blew my freaking mind.

Anyway, thanks for all the info, but I'm still going to take it from the top. If it blows, it will never blow again. I did learn a few things. Creating DNS records and pointers is one of them. I just wanted an opinion, and to let everybody know that I did seek some serious information before asking about DNS. The only problem with that article was the fact that he did not say what I needed to hear, just like 50 others or so that never indicated any possibility. I believe not all things left unsaid mean it can't be done. That is why I asked. I was trying to make the question as clear as possible, but evidently I failed. It's a silly domain name so it's expendable.

This time I’ll reword it the best I can.

This is all I need to know:

1) As we know, it is said that in order to point your domain name at the registrar you bought your domain.com name from, you need a real (public) IP address, which is usually provided by your ISP at an outrageous cost. You have to open a business account.
2) Or you can get free Dynamic DNS at sites like noip.com.
3) And the final option would be to write your host or jail IP and MAC address in your router and use that.

Number 3 really tells me something: the IP that you use in your router will be a regular private IP address, correct? DHCP can never change it. So it makes me think I already have a static IP that is as good as what one can put in a router. We have in /etc/rc.conf:
Code:
ifconfig_em0="inet 192.168.1.109 netmask 255.255.255.0"
cloned_interfaces="lo1 lo2 lo3"
ifconfig_lo1_alias0="inet 10.10.10.109/32"
However, I found no doc or even a clue here where someone asked about it... but we do find everyone all over the WWW talking about using the calls above to build internal networks. I gave up the search and concluded that if anyone knows, only a member here would know for sure.

...............................................
It might be old but FreeBSD is older.

The DNS Bible: ... Don't miss a beat... you might need to turn off JS for this page.

https://www.wired.com/2010/02/set_up_a_dns_name_server/


Thanks ShelLuser

I'll be back, guys. About DNS h*ll, bring it on so I can learn how to avoid it. That's why I want to take it from the top, where I can learn to defend myself without hosting help. DNS is public, but BIND or another can make my d.com private. That's the first thing to do, so as not to piss off my ISP.
 

max21

Well-Known Member

Thanks: 17
Messages: 365

#6
BIND isn't particularly friendly for a noob to set up and configure. Maybe I'd suggest that you set up and run the unbound caching resolver on an internal network to enhance your DNS skills. Then graduate to BIND, using an internal network to practice with it. As ShelLuser mentioned, using an internal network to practice your configuration skills on a DNS server/daemon is a good idea. Just because your DNS daemon is running in a jail doesn't mean it cannot be exploited. You could have a pwned/poisoned DNS running happily along in a jail all day long, especially if the jail is misconfigured.

By "public IP," they probably mean that you in most cases want your public-side IP to be static, so that people can find it, unless you're using a dynamic DNS provider, in which case they'd handle the details anyway. Have you ever used unbound?
Hello ronaldlees,

I used to re-read some of your threads all night long. I have unbound and dnscrypt running perfectly inside another FreeBSD VirtualBox. I remember now... it was within a few months after, when I kept referencing your post until I got it working.

https://forums.freebsd.org/threads/60475/

After all of that unbound h*ll, BIND and djbdns should be a piece of cake, and if not, I'll tar them up and use the djbdns setup that does both jobs. That is going to be easy because the understandable configurations are right there in his papers and here:

https://www.vultr.com/docs/how-to-configure-djbdns-on-freebsd

I like to talk tough, but in reality it's because I don't think I have to worry about pwned/poisoned, amplification and DDoS attacks; still, I'm happy to know there are only a few to study. I have an Intel machine that will be configured properly as a server at home, now that I want to. All I have to do is ssh over to those tiny jails. I build and test all in VirtualBox; the vBox host is my network to the jails. I think.

This machine is for development only, and I will be using DNSSEC to give me something to know. No one will connect to mydomain but me and my sister in the end. After I learn DNS the half-hard way, no way do I plan to run my own DNS server in production. FreeBSD and friends is enough. I'll let OVH or whoever worry about all of that, as ShelLuser suggested. I just want to gain some DNS experience, since I have to set it up anyway just to reach my dummy domain. It would be more interesting than using noip.
 

max21

Well-Known Member

Thanks: 17
Messages: 365

#7
. . .
. . . .
You don't need a real domain name to learn how to set up a DNS server. In fact, it's probably best that you don't, and instead start with a local domain using a private IP range in order to prevent any nasty side effects from mistakes you might make. Another added bonus is that such a local setup would also allow you to set up (and use) reverse DNS as well, something which would otherwise be completely impossible without help from your ISP.
. . .
. . . .

If you don't know the difference between those two records nor what they represent, then I think you should give up on the idea of hosting your own DNS server for now and start by hosting a domain with a registrant which also provides some control over the DNS records. That will help you to become more familiar with those without any risk of the whole thing blowing up. In the meantime you can read up a bit more about DNS services (this could be a good read).

Hope this can give you some ideas.

The solution to my problem is the one I was trying to avoid. My situation requires 1) pay to play or 3) Dynamic DNS. So that makes my router statement incorrect. See the router setup in the link below. This dDNS is KISS*.

Another case where I learn about everything else that I don’t need.

Thanks guys... I see how DNS regulates the INTERNET!

https://freedns.afraid.org/
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,503
Messages: 25,687

#8
I'm not sure what you think you need but there's no reason to pay for anything or use dynamic DNS for an internal domain. I have an internal domain called dicelan.home. It does use DDNS, but this is mainly to be able to resolve DHCP clients. This is easily done by linking the DHCP server with BIND.

The Dynamic DNS you find on routers is mostly to be able to resolve your home IP address on the internet, so you can more easily connect to your home; it's not required or needed for an internal domain.
 

max21

Well-Known Member

Thanks: 17
Messages: 365

#9
I'm not sure what you think you need but there's no reason to pay for anything or use dynamic DNS for an internal domain. I have an internal domain called dicelan.home. It does use DDNS, but this is mainly to be able to resolve DHCP clients. This is easily done by linking the DHCP server with BIND.

The Dynamic DNS you find on routers is mostly to be able to resolve your home IP address on the internet, so you can more easily connect to your home; it's not required or needed for an internal domain.

How did we go from: registered domain-name to internal domain?

EDIT -
Sorry, I edited out too much. I also said thanks for clearing DDNS up. It never made complete sense to me either. Only the experienced could know. For the rest of us, it's back to the drawing board after wasting all that time. Anyway, I'm happy with all I hear here, even if the original question goes astray. My over-explaining only finds solutions to other issues, which is still good. Also, I removed my statement below because before you know it, it'd be on Facebook or elsewhere in a negative way. Too much food for thought. I'm sure you would agree. I'll be drilling deep into your quote. You really made it so crystal-clear vs. any other, including Wiki. When the fat lady sings you will be the first to know.

Thank you

Now it's Datapanic time!

 

Snurg

Aspiring Daemon

Thanks: 242
Messages: 698

#10
Hi Max, If I understand you correctly:
You can buy a certificate. I did that for testing the stuff back then to avoid the hassle with LetsEncrypt software which is quite fickle.
Nowadays there are plenty of easier-to-use and more stable alternatives.
For example, try this to get a free certificate. (There are more alternatives to choose from, just look at the FreeBSD section on the LetsEncrypt website)
 

max21

Well-Known Member

Thanks: 17
Messages: 365

#11
Hi Max, If I understand you correctly:
You can buy a certificate. I did that for testing the stuff back then to avoid the hassle with LetsEncrypt software which is quite fickle.
Nowadays there are plenty of easier-to-use and more stable alternatives.
For example, try this to get a free certificate. (There are more alternatives to choose from, just look at the FreeBSD section on the LetsEncrypt website)

That's one down and the rest to go, because I still want to connect my .com name to my machine at home, if you know what I mean. It seems that I don't know how to explain things any more. I've got to learn to stay on topic only. Thanks Snurg
 

max21

Well-Known Member

Thanks: 17
Messages: 365

#13
Have fun with DNS! Research split DNS = what I think you're looking for.


I think you're right.

I heard about split horizon also and was trying to figure out the difference; something has to do with unbound too. I felt it was something simple; that's why I jumped in to learn BIND. I'M ON IT!
 

max21

Well-Known Member

Thanks: 17
Messages: 365

#14
I asked the wrong question Guys.

It should have been something like this:

Point Domain Name To Your Home Web Server

http://www.inopinion.org/howto/point-domain-name-home-web-server/

I googled exactly this and more, many times over many weeks -- (how do I point a registered domain name to my home server) -- but it never turned up much other than that you need Dynamic DNS or BIND. So I chose BIND so as to learn.

That headline turned up in another link as the solution for the OP. Anyway, here is the detailed walkthrough so others don't stay confused. I'm beginning to think Google knows me so well that it got me on its prestige recommendation list, or whatever they call it. If so, please take me off.

Accessing your home web server with your registered domain name is a cool idea. Isn’t it?
. . . .
But if you are not going to start a hosting business then your non-static IP address connection will do the job well.
That's all we need to know, and if that doesn't work then I will master bind99 and djbdns, then HAProxy, just like Packet Filter, no matter how long it takes.

Split-DNS RULES, I'm sure! I read about it all day loooong.
 

lebarondemerde

Aspiring Daemon

Thanks: 372
Messages: 983

#15
TL;DR: if you have a registered domain, your registrar is responsible for pointing to the DNS servers which resolve your address, which can be the registrar itself or another one you choose for that. You must update this information with them once you have set up a DNS server for your purpose.

If you have a fixed IP provided by your ISP it gets easier, because you can simply configure it in any DNS service you like, or even your own, and forget it. If you do not have a fixed IP but a dynamic one, you will need to use a DNS service that does provide resources for dynamic DNS updates. The already-mentioned FreeDNS is a quite decent one.

I guess Cloudflare also provides dynamic DNS services.
 

Snurg

Aspiring Daemon

Thanks: 242
Messages: 698

#16
Personally, I won't dare to set up a DNS server myself. One mistake and I might become a DDoS helper.
I am satisfied with editing /etc/hosts for my few hosts.
This way I can easily play with https without needing to have my https test server be public. This way there is no need for a static IP, either.
The browser then can call the "trust authority" via internet and verify the connection to my private test host is "secure".
Maybe this is sort of "split DNS", too...
 

OJ

Daemon

Thanks: 238
Messages: 1,020

#17
I won't dare to set up a DNS server myself. One mistake and I might become a DDoS helper.
I run my own resolver using bind9. You don't have to make it an open resolver.

But yes, dealing with a distributed denial attack on an open resolver is a problem. I've dealt with that. It's quite easy to avoid making it worse by simply not responding (using iptables); however, you cannot make it go away and will need the help of your provider to black-hole the traffic, and that costs money after a while. In the end, it's not a big deal unless others are relying on that server too.
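As an added example (not from any post in this thread), here is a BIND 9 named.conf fragment that puts together the two points raised above: the split DNS suggested in #13/#14 and OJ's point that a resolver does not have to be open. The domain name, zone file paths and the two network ranges are assumptions (the 192.168.1.x and 10.10.10.x addresses are the ones max21 quoted from rc.conf earlier).

```conf
// Added example, not from this thread: BIND 9 named.conf fragment for a
// split-DNS setup that is NOT an open resolver.
// Assumed: dummy domain "example-dummy.com", zone files under
// /usr/local/etc/namedb/ (the FreeBSD dns/bind port layout),
// LAN 192.168.1.0/24 and jail aliases in 10.10.10.0/24 (the two
// addresses quoted from rc.conf earlier in the thread).

acl "internal" {
    127.0.0.0/8;
    192.168.1.0/24;
    10.10.10.0/24;
};

options {
    directory "/usr/local/etc/namedb/working";
    listen-on { 127.0.0.1; 192.168.1.109; };

    // The "open resolver" OJ warns about would look like this:
    //     recursion yes;
    //     allow-recursion { any; };
    // Anyone on the internet could then bounce reflected traffic off this
    // host. Default to no recursion; the internal view re-enables it only
    // for the ACL above.
    recursion no;
    allow-transfer { none; };
    version "not disclosed";
};

// Clients on the LAN/jail networks get recursive service plus the
// private addresses of the hosts (this zone file would hold
// 192.168.1.109 / 10.10.10.109 for the jail aliases).
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    allow-query { internal; };

    zone "example-dummy.com" {
        type master;
        file "/usr/local/etc/namedb/master/example-dummy.com.internal";
    };
};

// Everyone else gets authoritative answers for the zone only, no
// recursion, and a zone file that carries only the public address(es).
// Queries for any other name are REFUSED rather than resolved.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query { any; };

    zone "example-dummy.com" {
        type master;
        file "/usr/local/etc/namedb/master/example-dummy.com.external";
    };
};
```

Validate the syntax with `named-checkconf` before starting named; from a host outside the ACL, `dig @<your-public-ip> www.freebsd.org` should come back REFUSED while `dig @<your-public-ip> example-dummy.com` still answers.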
 

Datapanic

Active Member

Thanks: 100
Messages: 181

#18
How much experience do you have as a DNS Admin? If you can have your registrar provide the DNS for your domain, I'd strongly advise going with that. Even over at datapanic, I could have my domains point to my domain servers, but I don't want the extra hacker traffic hitting my stuff! So I let GoDaddy handle it.

In a nutshell,

1. go to your registrar and either set up your domain's DNS NS flags or set up your domain's www (or whatever host) to point to the IP of your 'home web server'
2. firewall
2. remember to use SSL on your web server.
2. If you are setting up your own DNS server for the first time, it's going to take a lot more than asking 'how to' on this forum.
 

max21

Well-Known Member

Thanks: 17
Messages: 365

#19
About FreeDNS services, I would pay the 60 bucks for the stealth before I jump inside a shared pool (I'm glad to learn that much). I don't want to start paying for all these different services that in the end I may not need. Since FreeBSD spoiled me, if it's not too complicated I'd rather do it myself. I looked into a Let's Encrypt paid cert; at $30 they more than deserve it. However, after getting into http://my.dollardns.net it led me to CAcert.org. As long as SNI is there I'll be happy with either. Anyway, I have not tried the non-static thing yet, but I have faith that it will work, and if not, I still like them.
 

max21

Well-Known Member

Thanks: 17
Messages: 365

#20
How much experience do you have as a DNS Admin?
If you're speaking to me, I have zip experience and now I want it. My new thing is buying domains (at $12 a pop) that I care nothing about. It's only for learning purposes until I get it right. If it gets compromised, I'll learn more and more from that.

. . .
. . . . .
If you can have your registrar provide the DNS for your domain, I'd strongly advise going with that. Even over at datapanic, I could have my domains point to my domain servers, but I don't want the extra hacker traffic hitting my stuff! So I let GoDaddy handle it.
I'm glad you mentioned that... It just so happens that http://my.dollardns.net has a thread about that. All of this is new to me, but you're helping me understand it all. I never cared about networking. I love only my FreeBSD desktop, PF and XP. Anything else was just a thought and the old... someday I will.

. . .
. . . . .
In a nutshell,

1. go to your registrar and either set up your domain's DNS NS flags or set up your domain's www (or whatever host) to point to the IP of your 'home web server'
2. firewall
2. remember to use SSL on your web server.
2. If you are setting up your own DNS server for the first time, it's going to take a lot more than asking 'how to' on this forum.
If the non-static thing works and works securely, which I see no reason why it should not (so far I know how to keep the Comcast IP pool at bay for my area), I'll go with it. If not, I most certainly will not overlook this. Knowing myself, I test the best of every darn thing that people tell me or someone else, no matter what. That is what I do; then I choose. I promise, I give the kernel the best I can, otherwise he will not release my sanity.

1- will be included. 2- I know. 2- I did not realize. 2- It's on the back-burner for now.
 

Snurg

Aspiring Daemon

Thanks: 242
Messages: 698

#22
Umm, that example is for a static IP. Google for something like "dyndns setup web server"...
 

max21

Well-Known Member

Thanks: 17
Messages: 365

#23
Snurg, what do you mean? I think you missed this part:

But if you are not going to start a hosting business then your non-static IP address connection will do the job well.
Keyword: non-static
 

max21

Well-Known Member

Thanks: 17
Messages: 365

#24
Umm, that example is for a static IP. Google for something like "dyndns setup web server"...
Found it. It doesn't get any simpler than that. If the Individual Opinion solution works, it's time to research the pros and cons of each. I guess they both should pass the smell test, but there's always something security-wise that someone has to say, and then you're back to trying to figure out BIND, djbdns and split DNS. If I do, I would follow OJ's lead, since this is about development and not production. I know there would be no mistakes allowed every step of the way. That's the easy part.
I run my own resolver using bind9. You don't have to make it an open resolver.
We'll find out shortly.
 

max21

Well-Known Member

Thanks: 17
Messages: 365

#25
The website tutorial that shows how to use the ISP IP doesn't work. If the ISP blocks port 80, I'm sure they don't want to see their IP on a domain name server, unless I was doing it wrong all day. I wonder, did they have their words all crossed up? Maybe it used to work until the ISPs caught it going on. All that free stuff; anybody can create sub-domains on your domain and there is nothing you can do about it; and with DynDNS, why would I need it when my IP never changes anyway? So in most cases we're back to needing a real static IP, because those systems do have their shortcomings according to a few articles I read, but then again, what doesn't. I'm just going to get the suggested hosting account so I can play with HAProxy and Let's Encrypt. Some things should be left to the professional networking people, as some of you have said already. I'll try again someday, but not too soon. But I do like what BIND can do.