deSEC Nameserver
This is a docker-compose application to run a nameserver. Zone data is automatically provided to this application via database replication. The application consists of
dnsdist
: Frontend DNS load balancer (dnsdist), currently forwarding to thens
container. It is mainly there to support more advanced features in the future.ns
: Actual DNS server (PowerDNS).replicator
: Python container running a replication loop.openvpn-client
: OpenVPN client container providing network services forns
andreplicator
.
Requirements
Although most configuration is contained in this repository, some external dependencies need to be met before the application can be run. Dependencies are:
-
We run this software with the
--userland-proxy=false
flag of thedockerd
daemon, and recommend you do the same. -
Set sensitive information and network topology using environment variables or an
.env
file. You need (you can use theenv
file as a template):- network
DESEC_NS_IPV6_SUBNET
: IPv6 net, ideally /80DESEC_NS_IPV6_ADDRESS
: IPv6 address of frontend container
- ns-related
DESEC_NS_APIKEY
:ns
API key needed for replication operationsDESEC_NS_CARBONSERVER
: pdnscarbon-server
setting (optional)DESEC_NS_CARBONOURNAME
: pdnscarbon-ourname
setting (optional)
- primary-related
DESECSTACK_VPN_SERVER
: VPN server hostname
- network
-
Set up secrets for the VPN: Before setting up a deSEC nameserver, you will have to deploy the deSEC main stack so that the nameserver can connect to it in order to fetch DNS data. In the process of setting up the stack deployment, you will have created a PKI, for example using easy-rsa and this tutorial. Use this PKI now in order to create a new
client.key
andclient.crt
pair, and transfer these file securely to the nameserver, along withca.crt
andta.key
from the main stack deployment, and copy them intoopenvpn-client/secrets/
. (You can also createclient.key
locally on the nameserver application and transfer a certificate signing request to the host at which your PKI is located.)
How to Run
$ docker-compose build
$ docker-compose up
This fires up the various services, connects to the VPN, starts replicating from the master, and fires up the nameserver.
LMDB Database Backups
Create backup
Given a nameserver of any freshness (may be up to date or stale or empty), do the following:
- Make sure the docker-compose application is not running.
- Run
./dump.sh
. This fires upns
andreplicator
to perform a sync, waits until nothing is left to do, and then shuts everything down. Next, the script starts almdb-backup
container which contains a manually built version of lmdb tooling, runsmdb_dump
to export the database, creates a tar.gz file with everything, and puts it into./lmdb-backup/backup/
.
Caveat: Running such a dump nameserver on the stack host fails because that requires an OpenVPN client and server on the same machine, which does not work. In other words, the dump has to run somewhere else. This may be an OpenVPN limitation, so there may not even be a fix.
Restore Backup
Take a backup file created in the previous step and store it at ./lmdb-backup/backup/
.
- Run
./load.sh $FILENAME
, where$FILENAME
is the name of one of the files in./lmdb-backup/backup/
. This starts almdb-backup
container, extracts the file in it, runsmdb_load
, and puts all files into the PowerDNS storage directory. The script aborts if that directory is not empty. - Start nameserver normally to resume regular operation, including replication.
Notes on Networking
-
It is not necessary to start the Docker daemon with
--ipv6
or--fixed-cidr-v6
. However, it is recommended to rundockerd
with--userland-proxy=false
to avoid exposing ports on the host IPv6 address throughdocker-proxy
. -
This stack is IPv6-capable. To prevent evil people from abusing this app for DNS amplification attacks, it is highly recommended to rate limit requests by IP (or take some smarter precaution). In particular, consider using the iptables hashlimit module, or dnsdist's traffic policy settings.
When using iptables, note that whenever you restart the docker daemon or this application (
docker-compose down; docker-compose up
), docker will insert its own rules at the top of the chain. You therefore have to make sure that these rules get re-applied whenever docker decides to jump the queue. See this issue for details and progress on this.