ripieces Posted December 23, 2023 (edited)

Further reading:
https://blog.thelifeofkenneth.com/2019/09/using-catalog-zones-in-bind-to.html
https://bind9.readthedocs.io/en/latest/chapter6.html#namedconf-statement-catalog-zones

Since you probably will have multiple servers/catalog zones, read about how collisions can be handled:
https://bind9.readthedocs.io/en/latest/chapter6.html#change-of-ownership-coo
(TODO: add support for change of ownership to the script; can be as simple as adding the entries to the end of the output for the catalog file on h2 by including another file)

I want to share this idea as a thank you to the Froxlor community, maybe it helps someone in the future.

Notes:

1. On a Froxlor server ("primary") (called h2) that already has DNS setup:

1.1. Create script that makes the catalog zone.

    touch /etc/example-bind/serial
    chmod 600 /etc/example-bind/serial
    chown root:root /etc/example-bind/serial
    nano -w /etc/example-bind/serial

with content:

    0

Then the script itself:

    touch /etc/example-bind/on_reload_bind9.sh
    chmod 700 /etc/example-bind/on_reload_bind9.sh
    chown root:root /etc/example-bind/on_reload_bind9.sh
    nano -w /etc/example-bind/on_reload_bind9.sh

    #!/bin/bash
    catalog_name="h2"   # name of this primary; used in the catalog zone name
    catalog_file="/etc/bind/catalog.${catalog_name}.example.db"

    # catalog zone file must be readable by named
    touch "$catalog_file"
    chown bind:0 "$catalog_file"
    chmod 0644 "$catalog_file"

    # bump the catalog SOA serial on every run
    serial=$(($(cat /etc/example-bind/serial) + 1))
    echo "$serial" > /etc/example-bind/serial

    # catalog zone header (catalog format version 2)
    echo "catalog.${catalog_name}.example. IN SOA . . $serial 172800 960 3600000 300
    catalog.${catalog_name}.example. IN NS invalid.
    version.catalog.${catalog_name}.example. IN TXT \"2\"
    " > "$catalog_file"

    # one PTR member record per Froxlor zone; the unique label is the sha1 of the zone name
    named-checkconf -l /etc/bind/froxlor_bind.conf | awk "
    { printf \"%s.zones.catalog.%s.example. PTR %s.\n\", makeZoneEntry(\$1), \"$catalog_name\", \$1 }
    function makeZoneEntry( id, cmd, output ) {
        cmd = \"echo \\047\" id \"\\047 | sha1sum\"
        if ( (cmd | getline output) > 0 ) {
            sub(/ .*/, \"\", output)
        } else {
            print \"failed to hash \" id | \"cat>&2\"
            output = id
        }
        close( cmd )
        return output
    }" >> "$catalog_file"

    # this script replaces Froxlor's reload command (see step 3), so reload named here
    systemctl reload bind9
    # TODO: hash catalog zone and update serial only when it changes

1.2. Run the script once:

    /etc/example-bind/on_reload_bind9.sh

1.3. Create a TSIG key:

    tsig-keygen -a hmac-sha256 catalog.h2.example

This should look similar to:

    key "catalog.h2.example" {
        algorithm hmac-sha256;
        secret "<YOUR SECRET HERE>";
    };

1.4. Create zone file for catalog zone:

    touch /etc/bind/example_bind.conf
    chmod 760 /etc/bind/example_bind.conf
    chown root:bind /etc/bind/example_bind.conf
    nano -w /etc/bind/example_bind.conf

    key "catalog.h2.example." {
        algorithm hmac-sha256;
        secret "<YOUR SECRET HERE>";
    };

    zone "catalog.h2.example" {
        type master;
        file "/etc/bind/catalog.h2.example.db";
        allow-transfer { key "catalog.h2.example."; };
        also-notify { <A SECONDARY IP HERE>; }; # put IPs of your DNS secondaries here
    };

1.5. Edit /etc/bind/named.conf.local and add, below the Froxlor one:

    # ...
    include "/etc/bind/example_bind.conf";

1.6. Test config on primary:

    named-checkconf -p

ONLY PROCEED if it doesn't complain about errors, otherwise fix or roll back changes.

2. On a secondary DNS (could be made with Froxlor or at least Froxlor configs with DNS setup already) (called h3):

2.1.

    touch /etc/bind/example_bind.conf
    chmod 760 /etc/bind/example_bind.conf
    chown root:bind /etc/bind/example_bind.conf
    nano -w /etc/bind/example_bind.conf

    key "catalog.h2.example." {
        algorithm "hmac-sha256";
        secret "<YOUR SECRET HERE>";
    };

    server <PRIMARY IP HERE> {
        keys { "catalog.h2.example."; };
    };

    zone "catalog.h2.example" {
        type slave;
        file "catalog.h2.example.db";
        allow-transfer { none; }; # important
        masters { <PRIMARY IP HERE>; };
    };

2.2. Modify /etc/bind/named.conf.options:

    options {
        # ...
        allow-transfer { none; }; # important
        catalog-zones {
            zone "catalog.h2.example" default-masters { <YOUR PRIMARY IP HERE>; };
        };
    };

2.3. Append to /etc/bind/named.conf.local after the Froxlor one:

    # ...
    include "/etc/bind/example_bind.conf";

2.4. Test config on secondary:

    named-checkconf -p

ONLY PROCEED if it doesn't complain about errors, otherwise fix or roll back changes.

2.5. Restart bind9 on secondary:

    systemctl restart bind9

3. Update Settings » Nameserver settings on primary:

DNS Server reload command: /etc/example-bind/on_reload_bind9.sh

IMPORTANT: Either the secondaries must be listed in Nameservers, or their IP must be in AXFR servers (Froxlor has no option for TSIG keys).

Edited December 31, 2023 by ripieces: fixed information disclosure vulnerability
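As an added example (not part of ripieces' post or of Froxlor), the following stand-alone script builds the same version-2 catalog zone from a list of member zone names and implements the script's TODO: the SOA serial is only bumped when the member set actually changes. The catalog name, state directory, output path and zone names are hypothetical arguments; on a real primary the member list would come from named-checkconf -l as in the post.

```shell
#!/bin/bash
# Added example (not the post's script): build a version-2 BIND catalog zone for
# a list of member zones and bump the SOA serial only when the member set
# changed. Catalog name, state dir and output path are hypothetical arguments.

# Unique label for a member zone: sha1 of the zone name, as the post's awk does.
zone_label() {
    printf '%s\n' "$1" | sha1sum | cut -d' ' -f1
}
# One PTR member record per zone, sorted so the output is stable and hashable.
member_records() {
    local catalog="$1" z; shift
    for z in "$@"; do
        printf '%s.zones.%s. IN PTR %s.\n' "$(zone_label "$z")" "$catalog" "$z"
    done | sort
}

# Rewrite the catalog file only when the member records differ from the hash
# kept in the state dir. Returns 0 if rewritten (serial bumped), 1 if unchanged.
build_catalog() {
    local catalog="$1" state_dir="$2" out="$3" records new_hash old_hash serial
    shift 3
    mkdir -p "$state_dir"
    records="$(member_records "$catalog" "$@")"
    new_hash="$(printf '%s\n' "$records" | sha1sum | cut -d' ' -f1)"
    old_hash="$(cat "$state_dir/hash" 2>/dev/null || true)"
    serial="$(cat "$state_dir/serial" 2>/dev/null || echo 0)"
    if [ "$new_hash" = "$old_hash" ] && [ -s "$out" ]; then
        return 1
    fi
    serial=$((serial + 1))
    {
        printf '$TTL 3600\n'
        printf '%s. IN SOA . . %s 172800 960 3600000 300\n' "$catalog" "$serial"
        printf '%s. IN NS invalid.\n' "$catalog"
        printf 'version.%s. IN TXT "2"\n' "$catalog"
        printf '%s\n' "$records"
    } > "$out"
    printf '%s\n' "$serial" > "$state_dir/serial"
    printf '%s\n' "$new_hash" > "$state_dir/hash"
    return 0
}

current_serial() { cat "$1/serial"; }

# Stand-alone usage: ./catz.sh <catalog> <state-dir> <out-file> <zone>...
if [ "$#" -ge 4 ]; then
    build_catalog "$@" && echo "rewritten, serial $(current_serial "$2")" || echo "unchanged"
fi
```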
ripieces (Author) Posted December 31, 2023 (edited)

Important update thanks to security researcher Ronak Nahar ( https://www.linkedin.com/in/naharronak/ )

Step 2 on h3 (secondary DNS) needs to have allow-transfer { none; }

in 2.1 /etc/bind/example_bind.conf on secondary NS (h3):

    zone "catalog.h2.example" {
        type slave;
        file "catalog.h2.example.db";
        allow-transfer { none; }; # this is new
        masters { <PRIMARY IP HERE>; };
    };

in 2.2 /etc/bind/named.conf.options on secondary NS (h3):

    options {
        # ...
        allow-transfer { none; }; # this is new
        catalog-zones {
            zone "catalog.h2.example" default-masters { <YOUR PRIMARY IP HERE>; };
        };
    };

I fixed the config above accordingly.

Edited December 31, 2023 by ripieces: fixed spelling of researcher name