
desec-io / desec-ns

Licence: MIT License
Frontend nameserver for deSEC, implemented as docker-compose application


deSEC Nameserver

This is a docker-compose application to run a nameserver. Zone data is automatically provided to this application via database replication. The application consists of

  • dnsdist: frontend DNS load balancer; currently it only forwards to the ns container and is mainly there so that more advanced features can be added in the future.
  • ns: Actual DNS server (PowerDNS).
  • replicator: Python container running a replication loop.
  • openvpn-client: OpenVPN client container providing network services for ns and replicator.

Requirements

Although most configuration is contained in this repository, some external dependencies need to be met before the application can be run. Dependencies are:

  1. We run this software with the --userland-proxy=false flag of the dockerd daemon, and recommend you do the same.

  2. Provide sensitive information and the network topology via environment variables or an .env file (you can use the env file as a template). You need:

    • network
      • DESEC_NS_IPV6_SUBNET: IPv6 net, ideally /80
      • DESEC_NS_IPV6_ADDRESS: IPv6 address of frontend container
    • ns-related
      • DESEC_NS_APIKEY: ns API key needed for replication operations
      • DESEC_NS_CARBONSERVER: pdns carbon-server setting (optional)
      • DESEC_NS_CARBONOURNAME: pdns carbon-ourname setting (optional)
    • primary-related
      • DESECSTACK_VPN_SERVER: VPN server hostname
  3. Set up secrets for the VPN: Before setting up a deSEC nameserver, you will have to deploy the deSEC main stack so that the nameserver can connect to it in order to fetch DNS data. While setting up the stack deployment, you will have created a PKI, for example using easy-rsa and this tutorial. Use this PKI now to create a new client.key and client.crt pair, transfer these files securely to the nameserver, along with ca.crt and ta.key from the main stack deployment, and copy them into openvpn-client/secrets/. (You can also create client.key locally on the nameserver host and transfer a certificate signing request to the host at which your PKI is located.)
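The following added example (not part of the desec-ns repository) is a small pre-flight check for the configuration described above: it parses an .env file, verifies that the variables listed here are present, that DESEC_NS_IPV6_SUBNET is a valid /80 containing DESEC_NS_IPV6_ADDRESS, and that the four VPN secret files exist in openvpn-client/secrets/. The sample .env content is constructed; the variable and file names are the ones given in this README.

```python
"""Pre-flight check for a deSEC nameserver .env file and VPN secrets.

Added example, not desec-ns code. It reads the variables this README
names and reports problems before `docker-compose up` is attempted.
"""
import ipaddress
import os
from typing import Dict, List, Optional

# Variables the README requires; the two CARBON settings are optional.
REQUIRED = (
    "DESEC_NS_IPV6_SUBNET",
    "DESEC_NS_IPV6_ADDRESS",
    "DESEC_NS_APIKEY",
    "DESECSTACK_VPN_SERVER",
)
# Files the README says must be copied into openvpn-client/secrets/.
SECRET_FILES = ("client.key", "client.crt", "ca.crt", "ta.key")

# Constructed sample .env (documentation addresses, placeholder key).
SAMPLE_ENV = """
# constructed example values, not a real deployment
DESEC_NS_IPV6_SUBNET=2001:db8:1:2:3::/80
DESEC_NS_IPV6_ADDRESS=2001:db8:1:2:3::53
DESEC_NS_APIKEY=REPLACE_WITH_REAL_APIKEY
DESECSTACK_VPN_SERVER=vpn.example.com
"""


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored,
    surrounding single or double quotes around values are stripped."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_env(env: Dict[str, str], secrets_dir: Optional[str] = None) -> List[str]:
    """Return a list of problems found; an empty list means the config looks usable."""
    problems: List[str] = []
    for key in REQUIRED:
        if not env.get(key):
            problems.append(f"{key} is missing or empty")

    subnet = address = None
    if env.get("DESEC_NS_IPV6_SUBNET"):
        try:
            subnet = ipaddress.IPv6Network(env["DESEC_NS_IPV6_SUBNET"], strict=False)
            if subnet.prefixlen != 80:
                problems.append(
                    f"DESEC_NS_IPV6_SUBNET is a /{subnet.prefixlen}; the README suggests a /80"
                )
        except ValueError as exc:
            problems.append(f"DESEC_NS_IPV6_SUBNET is not a valid IPv6 network: {exc}")
    if env.get("DESEC_NS_IPV6_ADDRESS"):
        try:
            address = ipaddress.IPv6Address(env["DESEC_NS_IPV6_ADDRESS"])
        except ValueError as exc:
            problems.append(f"DESEC_NS_IPV6_ADDRESS is not a valid IPv6 address: {exc}")
    if subnet is not None and address is not None and address not in subnet:
        problems.append("DESEC_NS_IPV6_ADDRESS is not inside DESEC_NS_IPV6_SUBNET")

    # Secrets are only checked when a directory is given, so the parser part
    # can be used on its own.
    if secrets_dir is not None:
        for name in SECRET_FILES:
            if not os.path.isfile(os.path.join(secrets_dir, name)):
                problems.append(f"{name} not found in {secrets_dir}")
    return problems


if __name__ == "__main__":
    for problem in check_env(parse_env(SAMPLE_ENV), "openvpn-client/secrets"):
        print("problem:", problem)
```

Run it from the repository root; it lists every missing variable or secret file at once instead of letting the first failure surface as a cryptic container error.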

How to Run

$ docker-compose build
$ docker-compose up

This starts the various services, connects to the VPN, begins replicating from the master, and brings up the nameserver.

LMDB Database Backups

Create backup

Given a nameserver of any freshness (may be up to date or stale or empty), do the following:

  1. Make sure the docker-compose application is not running.
  2. Run ./dump.sh. This starts ns and replicator to perform a sync, waits until nothing is left to do, and then shuts everything down. Next, the script starts an lmdb-backup container which contains a manually built version of the lmdb tooling, runs mdb_dump to export the database, creates a tar.gz file with everything, and puts it into ./lmdb-backup/backup/.

Caveat: Running such a dump on the stack host fails, because it requires an OpenVPN client and server on the same machine, which does not work. In other words, the dump has to run somewhere else. This may be an OpenVPN limitation, so there may not even be a fix.

Restore Backup

Take a backup file created in the previous step and store it at ./lmdb-backup/backup/.

  1. Run ./load.sh $FILENAME, where $FILENAME is the name of one of the files in ./lmdb-backup/backup/. This starts an lmdb-backup container, extracts the file in it, runs mdb_load, and puts all files into the PowerDNS storage directory. The script aborts if that directory is not empty.
  2. Start the nameserver normally to resume regular operation, including replication.

Notes on Networking

  • It is not necessary to start the Docker daemon with --ipv6 or --fixed-cidr-v6. However, it is recommended to run dockerd with --userland-proxy=false to avoid exposing ports on the host IPv6 address through docker-proxy.

  • This stack is IPv6-capable. To prevent this app from being abused for DNS amplification attacks, it is highly recommended to rate limit requests by source IP (or take some smarter precaution). In particular, consider using the iptables hashlimit module, or dnsdist's traffic policy settings.

    When using iptables, note that whenever you restart the docker daemon or this application (docker-compose down; docker-compose up), docker will insert its own rules at the top of the chain. You therefore have to make sure that these rules get re-applied whenever docker decides to jump the queue. See this issue for details and progress on this.
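To make the per-IP rate limiting recommended above concrete, here is an added example (not desec-ns code, and not the kernel's hashlimit implementation) of a per-source token bucket: each client IP may send `burst` queries at once and `rate` queries per second sustained, which is the same shape of policy an iptables hashlimit rule with --hashlimit-upto and --hashlimit-burst expresses. The query traffic is constructed: one resolver sending a query per second, and one source firing 50 queries within 50 ms.

```python
"""Per-source-IP token-bucket rate limiting for DNS queries.

Added example, not desec-ns code. It models the policy the README
recommends (limit queries per client IP) so the effect of a given
rate/burst choice can be checked on sample traffic before it is
encoded as an iptables hashlimit rule or a dnsdist policy.
"""
from collections import defaultdict
from typing import Dict, Iterable, Tuple

Query = Tuple[float, str]  # (timestamp in seconds, source IP)

# Constructed traffic. 192.0.2.10 behaves like a normal recursive resolver;
# 198.51.100.77 sends 50 queries in 50 ms, the pattern of a reflection flood.
LEGIT = [(float(i), "192.0.2.10") for i in range(5)]
FLOOD = [(10.0 + i * 0.001, "198.51.100.77") for i in range(50)]


class PerSourceRateLimiter:
    """Token bucket per source IP.

    A bucket starts full with `burst` tokens, refills at `rate` tokens per
    second up to `burst`, and each query consumes one token. Queries that
    find an empty bucket are dropped.
    """

    def __init__(self, rate: float, burst: int) -> None:
        self.rate = rate
        self.burst = burst
        self._tokens: Dict[str, float] = {}
        self._last: Dict[str, float] = {}

    def allow(self, src_ip: str, now: float) -> bool:
        tokens = self._tokens.get(src_ip, float(self.burst))
        last = self._last.get(src_ip, now)
        # Refill proportionally to the time elapsed since this IP was last seen.
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        self._last[src_ip] = now
        if tokens >= 1.0:
            self._tokens[src_ip] = tokens - 1.0
            return True
        self._tokens[src_ip] = tokens
        return False


def summarize(queries: Iterable[Query], rate: float, burst: int) -> Dict[str, Tuple[int, int]]:
    """Replay queries in time order; return {src_ip: (allowed, dropped)}."""
    limiter = PerSourceRateLimiter(rate, burst)
    counts: Dict[str, list] = defaultdict(lambda: [0, 0])
    for ts, src in sorted(queries):
        counts[src][0 if limiter.allow(src, ts) else 1] += 1
    return {ip: (allowed, dropped) for ip, (allowed, dropped) in counts.items()}


if __name__ == "__main__":
    # 10 queries/s sustained, bursts of 20: the resolver is untouched,
    # the flood source gets its first 20 queries answered and the rest dropped.
    for ip, (allowed, dropped) in summarize(LEGIT + FLOOD, rate=10.0, burst=20).items():
        print(f"{ip}: allowed={allowed} dropped={dropped}")
```

The numbers that matter operationally are the two parameters: a burst large enough that a busy recursive resolver behind NAT is not throttled, and a sustained rate low enough that a spoofed-source flood cannot turn the authoritative server into an amplifier. Replaying representative traffic through this model is a cheap way to sanity-check a candidate before applying it, and it does not interact with the rule-ordering problem described above.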
