Create an IPv6 site and connect to it

On Kimsufi, get the currently assigned IPv6 address:

ifconfig
...
eth0      Link encap:Ethernet  HWaddr 00:22:4d:ad:aa:b7  
          inet addr:5.346.26.43  Bcast:5.346.26.43  Mask:255.255.255.0          
          inet6 addr: 4001:43d0:a:fa2b::1/128 Scope:Global
          inet6 addr: fe80::222:4dff:fead:aab7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21749596 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13397719 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:18551028720 (17.2 GiB)  TX bytes:2813996773 (2.6 GiB)
          Interrupt:16 Memory:d0400000-d0420000 
...

So 4001:43d0:a:fa2b::1/128 is the first IPv6 address assigned to us. Although ifconfig shows only a /128 (a single address), the whole /64 block is routed to the server. To assign another address from it, add:

ip addr add 4001:43d0:a:fa2b::2/128 dev eth0

Check it has been added:

ifconfig
...
eth0      Link encap:Ethernet  HWaddr 00:22:4d:ad:aa:b7  
          inet addr:5.346.26.43  Bcast:5.346.26.43  Mask:255.255.255.0         
          inet6 addr: 4001:43d0:a:fa2b::2/128 Scope:Global 
          inet6 addr: 4001:43d0:a:fa2b::1/128 Scope:Global
          inet6 addr: fe80::222:4dff:fead:aab7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21749596 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13397719 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:18551028720 (17.2 GiB)  TX bytes:2813996773 (2.6 GiB)
          Interrupt:16 Memory:d0400000-d0420000 
...

If your network supports IPv6, ping the address to check it (you need an IPv6-capable DNS resolver if you ping a hostname instead of the literal address):

ping6 4001:43d0:a:fa2b::1
PING 4001:43d0:a:fa2b::1(4001:43d0:a:fa2b::1) 56 data bytes
64 bytes from 4001:43d0:a:fa2b::1: icmp_seq=1 ttl=54 time=199 ms
64 bytes from 4001:43d0:a:fa2b::1: icmp_seq=2 ttl=54 time=218 ms
64 bytes from 4001:43d0:a:fa2b::1: icmp_seq=3 ttl=54 time=497 ms
64 bytes from 4001:43d0:a:fa2b::1: icmp_seq=4 ttl=54 time=775 ms

Add an AAAA record to point a DNS name at the IPv6 address.
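As an added example (not from the original post), the following Python script derives the routed /64 from the /128 that ifconfig showed, hands out further addresses from that block and emits the matching ip addr add lines; the interface name eth0 and the /64 block size are assumptions taken from the post.

```python
import ipaddress
from typing import List

# Constructed sample: the /128 that the provider's ifconfig output showed.
ASSIGNED = "4001:43d0:a:fa2b::1/128"


def routed_block(assigned: str, prefixlen: int = 64) -> ipaddress.IPv6Network:
    """Derive the routed block (assumed /64) that contains the assigned /128."""
    iface = ipaddress.IPv6Interface(assigned)
    return ipaddress.IPv6Network((iface.ip, prefixlen), strict=False)


def in_block(candidate: str, assigned: str, prefixlen: int = 64) -> bool:
    """True if candidate lies inside the block routed to this server."""
    return ipaddress.IPv6Address(candidate) in routed_block(assigned, prefixlen)


def next_addresses(assigned: str, count: int, prefixlen: int = 64) -> List[str]:
    """Return the next `count` addresses after the assigned one, refusing to
    step outside the routed block (those would never be routed to us)."""
    addr = ipaddress.IPv6Interface(assigned).ip
    block = routed_block(assigned, prefixlen)
    out = []
    for _ in range(count):
        addr = addr + 1
        if addr not in block:
            raise ValueError(f"{addr} falls outside {block}")
        out.append(str(addr))
    return out


def ip_addr_add_commands(assigned: str, count: int, dev: str = "eth0") -> List[str]:
    """Emit one `ip addr add` line per new address, as /128 like the post does."""
    return [f"ip addr add {a}/128 dev {dev}" for a in next_addresses(assigned, count)]


if __name__ == "__main__":
    print("routed block:", routed_block(ASSIGNED))
    for cmd in ip_addr_add_commands(ASSIGNED, 3):
        print(cmd)
```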


You are reading this post on Joel G Mathew’s tech blog. Joel's personal blog is the Eyrie, hosted here.

Using the Cloudflare command line interface

You can easily change anything in your Cloudflare dashboard from the Linux command line.

Install the CLI:

npm install -g cloudflare-cli

By default cfcli will look for “.cfcli.yml” in your home directory (you can also pass in a config file with -c). So create this:

emacs ~/.cfcli.yml
defaults:
    token: fcbe3cbb2894cb5f1871c89222851bf1
    email: [email protected]
    domain: oneofyourdomains.com

The token is actually the Cloudflare Global API key, which you can retrieve from the My Settings > Account > API Key menu. That key gives full access to the account, so keep ~/.cfcli.yml readable only by your own user (chmod 600).
All options:

NAME
    cfcli - Interact with cloudflare from the command line
 
SYNOPSIS
    cfcli [options] command [parameters]
 
OPTIONS:
    -c  --config    Path to yml file with config defaults (defaults to ~/.cfcli.yml
    -e  --email     Email of your cloudflare account
    -k  --token     Token for your cloudflare account
    -u  --account   Choose one of your named cloudflare accounts from .cfcli.yml
    -d  --domain    Domain to operate on
    -a  --activate  Activate cloudflare after creating record (for addrecord)
    -f  --format    Format when printing records (csv or table)
    -t  --type      Type of record (for dns record functions)
    -p  --priority  Set priority when adding a record (MX or SRV)
    -l  --ttl       Set ttl on add or edit (120 - 86400 seconds, or 1 for auto)
    -h  --help      Display help
 
COMMANDS:
    add <name> <content>
        Add a DNS record. Use -a to activate cf after creation
    devmode on|off
        Toggle development mode on/off
    disable <name> [content]
        Disable cloudflare caching for given record and optionally specific value
    edit <name> <content>
        Edit a DNS record.
    enable <name> [content]
        Enable cloudflare caching for given record and optionally specific value
    find <name> [content]
        Find a record with given name and optionally specific value
    ls
        List dns records for the domain
    purge [url]
        Purge file at given url or all files if no url given
    rm <name> [content]
        Remove record with given name and optionally specific value
    zones
        List domains in your cloudflare account

Provided examples:

Add a new A record (mail) and activate cloudflare (-a):

cfcli -a -t A add mail 8.8.8.8

Edit a record (mail) and set the TTL:

cfcli --ttl 120 edit mail 8.8.8.8

Add an SRV record (the three numbers are priority, weight and port respectively):

cfcli -t SRV add _sip._tcp.example.com 1 1 1 example.com

Remove all records with the name test:

cfcli rm test

Remove the record with name test and value 1.1.1.1:

cfcli rm test 1.1.1.1

Enable cloudflare for any records that match test:

cfcli enable test

Enable cloudflare for a record test with the value test.com:

cfcli enable test test.com

Export domain records for test.com to csv:

cfcli -d test.com -f csv listrecords > test.csv

Purge a single file from cache:

cfcli -d test.com purge http://test.com/script.js

Enable dev mode for the test.com domain:

cfcli -d test.com devmode on

My examples:

cfcli zones
┌──────────────────────────────────────────────────┬────────────────────┬──────────┬────────────────────────────────────────┐
│ Name                                             │ Plan               │ Active   │ ID                                     │
├──────────────────────────────────────────────────┼────────────────────┼──────────┼────────────────────────────────────────┤
│ mysite.com                                       │ Free Website       │ active   │ f81d72ad7d2a4af5e50060148389ede8       │
└──────────────────────────────────────────────────┴────────────────────┴──────────┴────────────────────────────────────────┘

Adding a CNAME record

cfcli -d eyrie.in -a -t CNAME add testrecord "joomla.com"
Explanation:
-d : Work on this domain
-a : Activate the record
-t : type of DNS record
add : Add this record

Output:

Added CNAME record testrecord.eyrie.in -> joomla.com

Editing a DNS record:

cfcli -d eyrie.in -a -t CNAME edit testrecord "joomla.com"

List cloudflare records for a domain:

cfcli -d eyrie.in ls

Listing in comma separated value (CSV) format:

cfcli -d eyrie.in ls -f csv

To export to text file:

cfcli -d eyrie.in ls -f csv > eyrie.in.csv


Adding a Let's Encrypt certificate for a server running Seafile server

The regular Let's Encrypt certbot procedure fails because of reverse proxying. Unlike regular delivery of web content, where you type an address and Apache serves files from a specific folder, Seafile runs as a service behind a reverse proxy: Apache binds to the port Seafile listens on and serves the content provided by the Seafile daemon. So the usual Let's Encrypt authorization doesn't work. I struggled with a lot of suggested reverse-proxy techniques, all of which threw up all kinds of errors while certbot was authorizing in Apache mode. The solution is very simple: use certbot in manual DNS verification mode. You add a particular TXT record to your DNS at Cloudflare, the challenge is verified almost instantly, and you get the certificate, CSR and chain.

certbot -d cloud.yourdomain.com --manual --preferred-challenges dns certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for cloud.yourdomain.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.cloud.yourdomain.com with the following value:

XNuYmalkADgddffvrcbO7p2Gsscff1nbTPk

Once this is deployed,
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/cloud.yourdomain.com/fullchain.pem. Your cert
   will expire on 2017-07-19. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

I found that there was a problem with the path of the chain, so I copied the files to a new location:

mkdir -p /home/you/domains/cloud.you.com/certs
cp /etc/letsencrypt/live/cloud.you.com/*pem /home/you/domains/cloud.you.com/certs/

The files under live/ are symlinks that certbot repoints on every renewal, so this copy has to be repeated after each renewal; make sure privkey.pem in the new location stays readable only by root.

Apache config (with the ProxyPass exclusion for /.well-known moved ahead of the catch-all rule, the chain served with SSLCertificateChainFile, and RC4 removed from the cipher list):

<VirtualHost cloud.you.com:443>
    ServerName cloud.you.com
    DocumentRoot /var/www
    ErrorLog /var/log/virtualmin/cloud.you.com_error_log
    CustomLog /var/log/virtualmin/cloud.you.com_access_log combined
    Alias /media  /home/user/haiwen/seafile-server-latest/seahub/media
    RewriteEngine on
    <Location /media>
        Require all granted
    </Location>
    #
    # ACME / static files: this exclusion must come before "ProxyPass /" below,
    # because Apache uses the first ProxyPass rule that matches
    #
    ProxyPass /.well-known !
    Alias /.well-known "/var/www/.well-known"
    <Directory "/var/www/.well-known">
        Require all granted
        order allow,deny
        allow from all
        AllowOverride All
        AddDefaultCharset Off
    </Directory>
    #
    # seafile fileserver
    #
    ProxyPass /seafhttp http://127.0.0.1:8082
    ProxyPassReverse /seafhttp http://127.0.0.1:8082
    RewriteRule ^/seafhttp - [QSA,L]
    #
    # seahub
    #
    SetEnvIf Request_URI . proxy-fcgi-pathinfo=unescape
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    ProxyPass / fcgi://127.0.0.1:8000/
    SSLEngine on
    SSLCertificateFile /home/you/domains/cloud.you.com/certs/cert.pem
    SSLCertificateKeyFile /home/you/domains/cloud.you.com/certs/privkey.pem
    # chain.pem holds the intermediates sent to clients; SSLCACertificateFile
    # is for verifying client certificates and does not serve the chain
    SSLCertificateChainFile /home/you/domains/cloud.you.com/certs/chain.pem
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    # RC4 dropped from the original list: it is broken and rejected by modern clients
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
</VirtualHost>
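Apache evaluates ProxyPass rules in file order and stops at the first match, so an exclusion such as ProxyPass /.well-known ! placed after ProxyPass / never fires, which is one reason HTTP-based validation can fail behind a reverse proxy like the one above. The following Python checker is an added example, not code from the post or from Apache; the VirtualHost it reads is constructed in the shape of the config above.

```python
import re
from typing import List, Tuple

# Constructed VirtualHost in the shape of the seafile config above, with the
# ACME exclusion placed after the catch-all rule and RC4 left in the cipher list.
SAMPLE_CONFIG = """\
<VirtualHost cloud.you.com:443>
    ProxyPass /seafhttp http://127.0.0.1:8082
    ProxyPassReverse /seafhttp http://127.0.0.1:8082
    ProxyPass / fcgi://127.0.0.1:8000/
    ProxyPass /.well-known !
    Alias /.well-known "/var/www/.well-known"
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+RC4 RC4 !aNULL !eNULL !MD5"
</VirtualHost>
"""

PROXYPASS_RE = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", re.IGNORECASE)
CIPHER_RE = re.compile(r'^\s*SSLCipherSuite\s+"?([^"\n]+?)"?\s*$',
                       re.IGNORECASE | re.MULTILINE)
WEAK = ("RC4", "3DES", "DES", "NULL", "EXP", "MD5")


def proxypass_rules(config: str) -> List[Tuple[str, str]]:
    """(path, target) pairs in file order; a target of '!' means 'do not proxy'."""
    return [m.groups() for m in map(PROXYPASS_RE.match, config.splitlines()) if m]


def covers(prefix: str, path: str) -> bool:
    """Apache matches ProxyPass prefixes on path-segment boundaries."""
    return prefix == "/" or path == prefix or path.startswith(prefix.rstrip("/") + "/")


def shadowed_exclusions(config: str) -> List[str]:
    """Exclusions that can never fire because an earlier forwarding rule already
    covers their path: Apache stops at the first ProxyPass that matches."""
    forwarded, shadowed = [], []
    for path, target in proxypass_rules(config):
        if target != "!":
            forwarded.append(path)
        elif any(covers(p, path) for p in forwarded):
            shadowed.append(path)
    return shadowed


def hoist_exclusions(config: str) -> str:
    """Rewrite the config so every 'ProxyPass <path> !' precedes the first
    forwarding ProxyPass; everything else keeps its position."""
    kept, hoisted, first_fwd = [], [], None
    for line in config.splitlines():
        m = PROXYPASS_RE.match(line)
        if m and m.group(2) == "!" and first_fwd is not None:
            hoisted.append(line)
            continue
        if m and m.group(2) != "!" and first_fwd is None:
            first_fwd = len(kept)
        kept.append(line)
    if first_fwd is not None:
        kept[first_fwd:first_fwd] = hoisted
    return "\n".join(kept) + "\n"


def weak_cipher_tokens(config: str) -> List[str]:
    """Positive SSLCipherSuite tokens that admit RC4/3DES/NULL/export/MD5 suites."""
    m = CIPHER_RE.search(config)
    if not m:
        return []
    return [t for t in m.group(1).split()
            if not t.startswith("!") and any(w in t.upper() for w in WEAK)]


if __name__ == "__main__":
    print("shadowed exclusions:", shadowed_exclusions(SAMPLE_CONFIG))
    print("weak cipher tokens:", weak_cipher_tokens(SAMPLE_CONFIG))
    print(hoist_exclusions(SAMPLE_CONFIG))
```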


Setting up email with Webmin/Virtualmin

First create a user account (or use a builtin account):
Virtualmin>Edit users:
Add a user:
Email address: [email protected]
POP3 login username is automatically chosen for you. Set the password.
You can test mail sending by logging in at the webmail interface at https://gody.com:20000/?mail

Next add a mail server record:
Webmin>Servers>Bind DNS Servers>
Choose your domain by clicking on it:
Name is the website name typically.
E.g. to send mail to [email protected], fill in the following details:
Name gody.com
Mail Server: mail.gody.com
TTL: Default
Priority: 5

Now go to your DNS provider (e.g. Cloudflare) and set up the following records:
Add an MX record.
Name: gody.com
Value: mail.gody.com
TTL 2 minutes

Now test your settings in a POP3 client like Outlook:
Account type: POP3
Incoming mail server: mail.gody.com
Outgoing mail server: mail.gody.com
Username: joel.gody
Password: What you chose.



Change nameservers for a domain in register.it

Domains and Products > yourdomain.com > Domains and Association > DNS Domain settings > Start the DNS modification > Change the DNS (accept the confirmation) > Custom configuration



Install and configure samba on Ubuntu 15.10

If you had tried to install and failed, let’s first remove the failed settings and reinstall Samba:

sudo apt-get purge samba samba-common
sudo apt-get install -y samba samba-common python-glade2 system-config-samba

We’ll now create a brand new Samba configuration:
sudo cp -pf /etc/samba/smb.conf /etc/samba/smb.conf.bak
sudo su
cat /dev/null > /etc/samba/smb.conf
exit
sudo gedit /etc/samba/smb.conf

And add the following to the file:

[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = ubuntu
security = user
map to guest = bad user
dns proxy = no

#============================ Share Definitions ============================== 

[Anonymous]
path = /samba/anonymous
browsable = yes
writable = yes
guest ok = yes
read only = no
force user = nobody

Create the anonymous share directory, set permissions and restart the Samba daemon:

mkdir -p /samba/anonymous
chmod -R 0755 /samba/anonymous/
chown -R nobody:nogroup /samba/anonymous/
service smbd restart

Adding a removable drive, mounted at /media/joel/Ultra 2TB:
Add the following to smb.conf:

[tv]
	path = /media/joel/Ultra 2TB/tv
	writeable = yes
;	browseable = yes
	guest ok = yes
	force user = joel

joel is the actual username. Restart smbd.
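The two shares above both allow guest access, and the [tv] share additionally runs every anonymous write as the real user joel through force user. The following Python audit is an added example, not part of the original post or of Samba; it parses an smb.conf constructed in the shape of the one above and reports the settings that widen what an unauthenticated client can do.

```python
import configparser
from typing import Dict, List

# Constructed smb.conf in the shape of the one built above (tab-indented [tv]
# share as in the post): an anonymous share plus a share whose guest writes
# run as a real user.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
security = user
map to guest = bad user
dns proxy = no

#============================ Share Definitions ==============================

[Anonymous]
path = /samba/anonymous
browsable = yes
writable = yes
guest ok = yes
read only = no
force user = nobody

[tv]
\tpath = /media/joel/Ultra 2TB/tv
\twriteable = yes
;\tbrowseable = yes
\tguest ok = yes
\tforce user = joel
"""

TRUE = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {key: value}} with lower-cased keys.
    Leading whitespace is stripped first, because configparser would otherwise
    treat indented lines as continuations of the previous value."""
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.RawConfigParser(comment_prefixes=(";", "#"), delimiters=("=",),
                                      strict=False, allow_no_value=True,
                                      empty_lines_in_values=False)
    cp.read_string(flat)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def is_writable(share: Dict[str, str]) -> bool:
    """'writable', 'writeable' and 'write ok' are synonyms; 'read only' is the
    inverse and defaults to yes, so a share naming none of them is read-only."""
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return share[key].lower() in TRUE
    if "read only" in share:
        return share["read only"].lower() not in TRUE
    return False


def audit(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag settings that give unauthenticated (guest) clients extra reach."""
    findings = []
    glob = conf.get("global", {})
    mtg = glob.get("map to guest", "never").lower()
    if mtg != "never":
        findings.append(f"global: map to guest = {mtg} (failed logins become guest sessions)")
    for name, share in conf.items():
        if name == "global" or share.get("guest ok", "no").lower() not in TRUE:
            continue
        forced = share.get("force user")
        if is_writable(share):
            if forced in (None, "nobody"):
                findings.append(f"{name}: guest share is writable")
            else:
                findings.append(f"{name}: guest writes run as real user '{forced}' (force user)")
        if "hosts allow" not in share and "hosts allow" not in glob:
            findings.append(f"{name}: guest share is not restricted with 'hosts allow'")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```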

In case the network is not visible, install the following:
sudo apt install smbclient

and check the status by running smbtree. It may report invalid entries:

smbtree
Unknown parameter encountered: "password level"
Ignoring unknown parameter "password level"
Unknown parameter encountered: "update encrypted"
Ignoring unknown parameter "update encrypted"

Fix those entries and restart the following services:

sudo service nmbd restart
sudo service smbd restart


Using resolvconf to resolve dns queries

I’m used to editing /etc/resolv.conf to add nameserver information. So when I recently faced an issue resolving dns queries,

# ping bitbucket.org
ping: unknown host bitbucket.org

I tried editing /etc/resolv.conf, but found the following in it:
# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

Apparently the solution is to edit the file /etc/resolvconf/resolv.conf.d/head (Ignore the lines which say the file should not be edited) and add lines like these (Google Public DNS):

# cat /etc/resolvconf/resolv.conf.d/head
nameserver 8.8.8.8
nameserver 8.8.4.4

Now regenerate resolv.conf with the following command:

# resolvconf -u

Now check:

ping bitbucket.org
PING bitbucket.org (131.103.20.168) 56(84) bytes of data.
64 bytes from 131.103.20.168: icmp_req=1 ttl=54 time=45.9 ms


Verbose dig of DNS records

The following query will return a detailed dig record:

dig any joelgm.me +trace +all

Result:

[[email protected]] ~ #dig any joelgm.me +trace +all

; <<>> DiG 9.7.3 <<>> any joelgm.me +trace +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24197
;; flags: qr ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       6494    IN      NS      b.root-servers.net.
.                       6494    IN      NS      e.root-servers.net.
.                       6494    IN      NS      h.root-servers.net.
.                       6494    IN      NS      d.root-servers.net.
.                       6494    IN      NS      k.root-servers.net.
.                       6494    IN      NS      a.root-servers.net.
.                       6494    IN      NS      i.root-servers.net.
.                       6494    IN      NS      c.root-servers.net.
.                       6494    IN      NS      l.root-servers.net.
.                       6494    IN      NS      j.root-servers.net.
.                       6494    IN      NS      g.root-servers.net.
.                       6494    IN      NS      m.root-servers.net.
.                       6494    IN      NS      f.root-servers.net.

;; Query time: 42 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jun 29 05:33:48 2013
;; MSG SIZE  rcvd: 228

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9280
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 13

;; QUESTION SECTION:
;joelgm.me.                     IN      ANY

;; AUTHORITY SECTION:
me.                     172800  IN      NS      a0.cctld.afilias-nst.info.
me.                     172800  IN      NS      a2.me.afilias-nst.info.
me.                     172800  IN      NS      b0.cctld.afilias-nst.org.
me.                     172800  IN      NS      b2.me.afilias-nst.org.
me.                     172800  IN      NS      c0.cctld.afilias-nst.info.
me.                     172800  IN      NS      d0.cctld.afilias-nst.org.
me.                     172800  IN      NS      ns.nic.me.
me.                     172800  IN      NS      ns2.nic.me.

;; ADDITIONAL SECTION:
a0.cctld.afilias-nst.info. 172800 IN    A       199.254.59.1
a2.me.afilias-nst.info. 172800  IN      A       199.249.119.1
b0.cctld.afilias-nst.org. 172800 IN     A       199.254.60.1
b2.me.afilias-nst.org.  172800  IN      A       199.249.127.1
c0.cctld.afilias-nst.info. 172800 IN    A       199.254.61.1
d0.cctld.afilias-nst.org. 172800 IN     A       199.254.62.1
ns.nic.me.              172800  IN      A       89.188.44.44
ns2.nic.me.             172800  IN      A       89.188.44.88
a0.cctld.afilias-nst.info. 172800 IN    AAAA    2001:500:25::1
a2.me.afilias-nst.info. 172800  IN      AAAA    2001:500:47::1
b0.cctld.afilias-nst.org. 172800 IN     AAAA    2001:500:26::1
b2.me.afilias-nst.org.  172800  IN      AAAA    2001:500:4f::1
c0.cctld.afilias-nst.info. 172800 IN    AAAA    2001:500:27::1

;; Query time: 62 msec
;; SERVER: 192.203.230.10#53(e.root-servers.net)
;; WHEN: Sat Jun 29 05:33:48 2013
;; MSG SIZE  rcvd: 485

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4370
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;joelgm.me.                     IN      ANY

;; AUTHORITY SECTION:
joelgm.me.              86400   IN      NS      ns2.joelns.com.
joelgm.me.              86400   IN      NS      ns1.joelns.com.
joelgm.me.              86400   IN      NS      ns3.joelns.com.

;; Query time: 56 msec
;; SERVER: 199.254.60.1#53(b0.cctld.afilias-nst.org)
;; WHEN: Sat Jun 29 05:33:48 2013
;; MSG SIZE  rcvd: 91

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41704
;; flags: qr aa; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;joelgm.me.                     IN      ANY

;; ANSWER SECTION:
joelgm.me.              30      IN      SOA     ns1.joelns.com. admin.joelgm.me. 2007010407 3600 600 1814400 600
joelgm.me.              30      IN      NS      ns1.joelns.com.
joelgm.me.              30      IN      NS      ns2.joelns.com.
joelgm.me.              30      IN      NS      ns3.joelns.com.
joelgm.me.              30      IN      MX      30 aspmx4.googlemail.com.
joelgm.me.              30      IN      MX      10 aspmx.l.google.com.
joelgm.me.              30      IN      MX      20 alt1.aspmx.l.google.com.
joelgm.me.              30      IN      MX      20 alt2.aspmx.l.google.com.
joelgm.me.              30      IN      MX      30 aspmx2.googlemail.com.
joelgm.me.              30      IN      MX      30 aspmx3.googlemail.com.
joelgm.me.              30      IN      A       198.23.228.223

;; ADDITIONAL SECTION:
ns1.joelns.com.         180     IN      A       199.188.75.23
ns2.joelns.com.         180     IN      A       38.114.103.106
ns3.joelns.com.         180     IN      A       38.127.98.233

;; Query time: 23 msec
;; SERVER: 199.188.75.23#53(ns1.joelns.com)
;; WHEN: Sat Jun 29 05:33:48 2013
;; MSG SIZE  rcvd: 350


How to set up private nameservers (DNS servers)

Requirements:

  • A VPS with Debian 6 64 bit minimal (Any distro should do, but the example uses Debian 6)

Steps:

Install bind9:

apt-get update
apt-get install bind9

Now, edit this file:

#cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

And:

# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// Domain Management drjoel.in

zone "drjoel.in" {
     type master;
     file "/var/lib/bind/db.drjoel.in";
     allow-update { key rndc-key; };
};
# This is the zone definition for reverse DNS. Replace 31.167.199 with your network address in reverse notation; e.g. my network address is 199.167.31
zone "31.167.199.in-addr.arpa" {
     type master;
     file "/etc/bind/zones/rev.14.31.167.199.in-addr.arpa";
};

You can check /etc/bind/named.conf.local for errors with:

#named-checkconf

If it finds errors, it will report like this:

 #named-checkconf
/etc/bind/named.conf.local:15: missing ';' before '}'

Now edit the master zone file for drjoel.in. This is the main zone record file (resource record file). No blank lines are permitted, except for a newline at the bottom. The latter is compulsory.

#cat "/var/lib/bind/db.drjoel.in"
drjoel.in.       IN      SOA     ns1.joel.co.in. admin.drjoel.in. (
                   2007010401           ; Serial
                         3600           ; Refresh [1h]
                          600           ; Retry   [10m]
                        86400           ; Expire  [1d]
                          600 )         ; Negative Cache TTL [10m]
;
drjoel.in.      IN      NS      ns1.joel.co.in.
drjoel.in.      IN      NS      ns2.joel.co.in.
drjoel.in.      IN      MX      10 aspmx.l.google.com.
drjoel.in.      IN      MX      20 alt1.aspmx.l.google.com.
drjoel.in.      IN      MX      20 alt2.aspmx.l.google.com.
drjoel.in.      IN      MX      30 aspmx2.googlemail.com.
drjoel.in.      IN      MX      30 aspmx3.googlemail.com.
drjoel.in.      IN      MX      30 aspmx4.googlemail.com.
drjoel.in.      IN      A       198.23.228.223
; "ns1." with a trailing dot is the out-of-zone name ns1. and gets ignored; use the full in-zone names
ns1.drjoel.in.  IN      A       199.167.31.14
ns2.drjoel.in.  IN      A       38.114.103.106
*.drjoel.in.    3600    IN      CNAME   drjoel.in.

The main records to note are the first line:

drjoel.in.       IN      SOA     ns1.joel.co.in. admin.drjoel.in. (

Here, the first word is “drjoel.in.”. Note the period at the end: every fully qualified domain name in the file ends with a period. The fourth column has the primary nameserver. The last column, “admin.drjoel.in.”, denotes the email address admin@drjoel.in (the first period stands for the @).

Now edit the file for reverse records:

#cat "/etc/bind/zones/rev.14.31.167.199.in-addr.arpa"
; Zone-file comments start with ';' (the '//' style is only valid in named.conf).
; Replace drjoel.in with your domain name and ns1 with your DNS server name.
; The number before IN PTR is the host part of the server's address: 14 here, because the IP is 199.167.31.14.
@ IN SOA ns1.drjoel.in. admin.drjoel.in. (
                        2006081401      ; Serial
                        28800           ; Refresh
                        604800          ; Retry
                        604800          ; Expire
                        86400 )         ; Negative Cache TTL

                     IN    NS     ns1.drjoel.in.
14                   IN    PTR    drjoel.in.

Here, my server’s ipv4 address is 199.167.31.14. The last number 14 is what is typed in the last line on the file.

The resource record file too can be checked for errors. This is with:

named-checkzone

It is invoked as follows. A sample error message is shown:

#named-checkzone relsoft.in /var/lib/bind/db.relsoft.in
/var/lib/bind/db.relsoft.in:1: no TTL specified; using SOA MINTTL instead
/var/lib/bind/db.relsoft.in:17: ignoring out-of-zone data (www)
/var/lib/bind/db.relsoft.in:18: ignoring out-of-zone data (ns1)
/var/lib/bind/db.relsoft.in:19: ignoring out-of-zone data (ns2)
zone relsoft.in/IN: NS 'ns1.relsoft.in' is a CNAME (illegal)
zone relsoft.in/IN: NS 'ns2.relsoft.in' is a CNAME (illegal)
zone relsoft.in/IN: not loaded due to errors.


Now, I need to edit /etc/resolv.conf:

#cat /etc/resolv.conf
search drjoel.in
nameserver 199.167.31.14

Here, the nameserver is the ip of this server

Once done, restart bind9:

service bind9 restart

To add a second domain using the same nameserver, create the zone files etc. just as before. The only difference is in resolv.conf, which now looks like this:

cat /etc/resolv.conf
search drjoel.in relsoft.in
nameserver 199.167.31.14

Note that relsoft.in has been added.

Adding a vanity DNS server:

#cat /var/lib/bind/db.relsoft.in
relsoft.in.       IN      SOA     ns1.joel.co.in. admin.relsoft.in. (
                   2007010401           ; Serial
                         3600           ; Refresh [1h]
                          600           ; Retry   [10m]
                        86400           ; Expire  [1d]
                          600 )         ; Negative Cache TTL [10m]
;
relsoft.in.     IN      NS      ns1.relsoft.in.
relsoft.in.     IN      NS      ns2.relsoft.in.
relsoft.in.     IN      MX      10 aspmx.l.google.com.
relsoft.in.     IN      MX      20 alt1.aspmx.l.google.com.
relsoft.in.     IN      MX      20 alt2.aspmx.l.google.com.
relsoft.in.     IN      MX      30 aspmx2.googlemail.com.
relsoft.in.     IN      MX      30 aspmx3.googlemail.com.
relsoft.in.     IN      MX      30 aspmx4.googlemail.com.
relsoft.in.     IN      A       198.23.228.223
www.relsoft.in. IN      A       198.23.228.223
ns1.relsoft.in. IN      A       199.167.31.14
ns2.relsoft.in. IN      A       38.114.103.106
mail.relsoft.in.        3600    IN      CNAME   ghs.google.com.
*.relsoft.in.   3600    IN      CNAME   relsoft.in.


zone "relsoft.in" {
     type master;
     file "/var/lib/bind/db.relsoft.in";
     allow-update { key rndc-key; };
     allow-transfer { 199.167.31.14; };
};

Note the line:

allow-transfer { 199.167.31.14; };

It restricts full zone transfers (AXFR) to the listed address; older BIND versions allow transfers from anyone unless this is set.

Also note that the zone record for relsoft.in has A records for ns1 and ns2 pointing to the IPs of the actual nameservers (ns1.joel.co.in and ns2.joel.co.in), as drjoel.in did. In addition, its NS records now point to ns1.relsoft.in instead of ns1.joel.co.in. That is a vanity DNS server: relsoft.in looks as if it has its own nameserver, while in reality it is served by ns1.joel.co.in.
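To make the checks the post describes concrete (trailing dots and relative names, out-of-zone data, NS records that are CNAMEs, the SOA mailbox, and glue for a vanity nameserver), here is an added Python zone linter that is not part of the original post or of BIND. The sample zone is constructed in the style of db.relsoft.in above and seeded with the mistakes named-checkzone reported; the glue check generalizes the vanity-server point.

```python
from typing import Dict, List, Set, Tuple

# Constructed zone for relsoft.in in the post's style, seeded with the mistakes
# named-checkzone reported above: an out-of-zone owner, an NS that is a CNAME,
# and a CNAME target missing its trailing dot.
SAMPLE_ZONE = """\
relsoft.in.       IN      SOA     ns1.joel.co.in. admin.relsoft.in. (
                   2007010401           ; Serial
                         3600           ; Refresh [1h]
                          600           ; Retry   [10m]
                        86400           ; Expire  [1d]
                          600 )         ; Negative Cache TTL
;
relsoft.in.     IN      NS      ns1.relsoft.in.
relsoft.in.     IN      NS      ns2.relsoft.in.
relsoft.in.     IN      MX      10 aspmx.l.google.com.
relsoft.in.     IN      A       198.23.228.223
www.            IN      A       198.23.228.223
ns1.relsoft.in.         IN      A       199.167.31.14
ns2.relsoft.in.         IN      CNAME   ns1.relsoft.in.
mail.relsoft.in.        3600    IN      CNAME   ghs.google.com
"""

HOSTNAME_RDATA = {"NS", "CNAME", "PTR", "MX"}   # last RDATA field is a domain name


def records(zone_text: str) -> List[List[str]]:
    """One token list per record: ';' comments dropped, '( ... )' spans joined."""
    out, buf, depth = [], [], 0
    for line in zone_text.splitlines():
        toks = line.split(";", 1)[0].split()
        buf.extend(t for t in toks if t not in ("(", ")"))
        depth += toks.count("(") - toks.count(")")
        if depth == 0 and buf:
            out.append(buf)
            buf = []
    return out


def parse(rec: List[str]) -> Tuple[str, str, str, List[str]]:
    """(owner, ttl, type, rdata); TTL and class IN are optional, in either order."""
    toks = list(rec)
    owner, ttl = toks.pop(0), ""
    for _ in range(2):
        if toks and toks[0].isdigit():
            ttl = toks.pop(0)
        elif toks and toks[0].upper() == "IN":
            toks.pop(0)
    return owner, ttl, toks.pop(0).upper(), toks


def fqdn(name: str, origin: str) -> str:
    """Names without a trailing dot are relative to the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def rname_to_email(rname: str) -> str:
    """The SOA RNAME 'admin.drjoel.in.' is the mailbox admin@drjoel.in."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"


def in_zone(name: str, origin: str) -> bool:
    return name == origin or name.endswith("." + origin)


def lint(zone_text: str, origin: str) -> List[str]:
    """Report what named-checkzone would complain about, plus missing vanity-NS glue."""
    recs = records(zone_text)
    findings = []
    if not any(r[0] == "$TTL" for r in recs):
        findings.append("no $TTL directive; named-checkzone falls back to the SOA minimum")
    parsed = [parse(r) for r in recs if not r[0].startswith("$")]
    owners: Dict[str, Set[str]] = {}
    for owner, _, rtype, _ in parsed:
        owners.setdefault(rtype, set()).add(fqdn(owner, origin))
    glue = owners.get("A", set()) | owners.get("AAAA", set())
    for owner, _, rtype, rdata in parsed:
        if not in_zone(fqdn(owner, origin), origin):
            findings.append(f"ignoring out-of-zone data ({owner})")
            continue
        if rtype == "SOA":
            findings.append(f"SOA contact mailbox is {rname_to_email(rdata[1])}")
        if rtype in HOSTNAME_RDATA:
            raw = rdata[-1]
            target = fqdn(raw, origin)
            if not raw.endswith("."):
                findings.append(f"{rtype} target '{raw}' has no trailing dot; it becomes {target}")
            if rtype == "NS" and target in owners.get("CNAME", set()):
                findings.append(f"NS '{target}' is a CNAME (illegal)")
            elif rtype == "NS" and in_zone(target, origin) and target not in glue:
                findings.append(f"NS '{target}' is in-zone but has no A/AAAA glue record")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_ZONE, "relsoft.in."):
        print(finding)
```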

Before adding a Vanity server:

#dig ANY relsoft.in

; <<>> DiG 9.9.2-P1 <<>> ANY relsoft.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20966
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 2, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;relsoft.in.                    IN      ANY

;; ANSWER SECTION:
relsoft.in.             600     IN      A       198.23.228.223
relsoft.in.             600     IN      MX      30 aspmx3.googlemail.com.
relsoft.in.             600     IN      MX      20 alt1.aspmx.l.google.com.
relsoft.in.             600     IN      MX      30 aspmx4.googlemail.
relsoft.in.             600     IN      MX      10 aspmx.l.google.com.
relsoft.in.             600     IN      MX      30 aspmx2.googlemail.com.
relsoft.in.             600     IN      MX      20 alt2.aspmx.l.google.com.
relsoft.in.             600     IN      SOA     ns1.joel.co.in. admin.relsoft.in. 2007010401 3600 600 86400 600
relsoft.in.             600     IN      NS      ns2.joel.co.in.
relsoft.in.             600     IN      NS      ns1.joel.co.in.

;; AUTHORITY SECTION:
relsoft.in.             600     IN      NS      ns1.joel.co.in.
relsoft.in.             600     IN      NS      ns2.joel.co.in.

;; ADDITIONAL SECTION:
alt2.aspmx.l.google.com. 42     IN      A       173.194.64.27
alt2.aspmx.l.google.com. 70     IN      AAAA    2607:f8b0:4003:c02::1a
aspmx3.googlemail.com.  100     IN      A       173.194.64.27
ns1.joel.co.in.         85648   IN      A       199.167.31.14
ns2.joel.co.in.         920     IN      A       38.114.103.106

;; Query time: 163 msec
;; SERVER: 89.233.43.71#53(89.233.43.71)
;; WHEN: Sun May  5 07:26:17 2013
;; MSG SIZE  rcvd: 427

After:

#dig ANY relsoft.in

; <<>> DiG 9.9.2-P1 <<>> ANY relsoft.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55308
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;relsoft.in.                    IN      ANY

;; ANSWER SECTION:
relsoft.in.             600     IN      A       198.23.228.223
relsoft.in.             600     IN      MX      30 aspmx3.googlemail.com.
relsoft.in.             600     IN      MX      20 alt2.aspmx.l.google.com.
relsoft.in.             600     IN      MX      20 alt1.aspmx.l.google.com.
relsoft.in.             600     IN      MX      30 aspmx2.googlemail.com.
relsoft.in.             600     IN      MX      10 aspmx.l.google.com.
relsoft.in.             600     IN      MX      30 aspmx4.googlemail.com.
relsoft.in.             600     IN      SOA     ns1.joel.co.in. admin.relsoft.in. 2007010401 3600 600 86400 600
relsoft.in.             600     IN      NS      ns1.relsoft.in.
relsoft.in.             600     IN      NS      ns2.relsoft.in.

;; AUTHORITY SECTION:
relsoft.in.             600     IN      NS      ns2.relsoft.in.
relsoft.in.             600     IN      NS      ns1.relsoft.in.

;; ADDITIONAL SECTION:
alt2.aspmx.l.google.com. 115    IN      AAAA    2607:f8b0:4003:c02::1a

;; Query time: 353 msec
;; SERVER: 89.233.43.71#53(89.233.43.71)
;; WHEN: Sun May  5 07:45:14 2013
;; MSG SIZE  rcvd: 357

Note that:

relsoft.in.             600     IN      NS      ns1.joel.co.in.
relsoft.in.             600     IN      NS      ns2.joel.co.in.

has been replaced by:

relsoft.in.             600     IN      NS      ns2.relsoft.in.
relsoft.in.             600     IN      NS      ns1.relsoft.in.

Troubleshooting

Immediately after editing records, you have to check for syntax errors with:

named-checkconf
named-checkzone kgimoa.com /var/lib/bind/db.kgimoa.com


Checking error logs:

Bind9 error logs on Debian are stored in /var/log/daemon.log

#tail -n 10 /var/log/daemon.log
May  5 07:41:21 ns1 named[5846]: zone drjoel.in/IN: loaded serial 2007010401
May  5 07:41:21 ns1 named[5846]: /var/lib/bind/db.relsoft.in:1: no TTL specified; using SOA MINTTL instead
May  5 07:41:21 ns1 named[5846]: /var/lib/bind/db.relsoft.in:17: ignoring out-of-zone data (www)
May  5 07:41:21 ns1 named[5846]: zone relsoft.in/IN: loaded serial 2007010401
May  5 07:41:21 ns1 named[5846]: zone localhost/IN: loaded serial 2
May  5 07:41:21 ns1 named[5846]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
May  5 07:41:21 ns1 named[5846]: managed-keys-zone ./IN: loaded serial 0
May  5 07:41:21 ns1 named[5846]: running
May  5 07:41:21 ns1 named[5846]: zone drjoel.in/IN: sending notifies (serial 2007010401)
May  5 07:41:21 ns1 named[5846]: zone relsoft.in/IN: sending notifies (serial 2007010401)

Automating nameserver synchronization

You can use rsync from cron:

Example on my primary nameserver:

#crontab -l
# m h  dom mon dow   command
*/5 * * * * /usr/bin/rsync -az /var/lib/bind [email protected]:/var/lib/bind
*/5 * * * * /usr/bin/rsync -az /etc/bind/named.conf.local [email protected]:/etc/bind/named.conf.local

Those two lines are enough to sync DNS entries between the two nameservers. In terms of redundancy, I’m not sure how right I am, since if one of the servers has wrong entries, both entries get corrupt. However, since nameserver records are supposed to be identical, this is the only way I can assure that they are in sync perfectly.

Summary of creating a new zone file (checklist)

  1. Create the zone file from scratch or a template
  2. Edit the zone file and add proper entries
  3. Check the zone file with named-checkzone
  4. Create the entries for the zone file in /etc/bind/named.conf.local
  5. Restart bind9 manually, or optionally create a cron job that restarts it every x minutes
  6. Optionally create a symbolic link to /home.


Some resources related to Bind and resource record files

Links:

Good file examples: http://www.omnisecu.com/gnu-linux/redhat-certified-engineer-rhce/domain-name-system-dns-zone-files.htm

Detailed explanation of each type of record: http://www.debianhelp.co.uk/dnsrecords.htm

File examples: http://www.skau.dk/index.php?option=com_content&view=article&id=2:dns

Full admin: http://computernetworkingnotes.com/network-administrations/dns-server.html

Other exhaustive descriptions:

http://support.f5.com/kb/en-us/archived_products/3-dns/manuals/product/3dns4_5_10ref/3dns_resourcerecs.html

http://pic.dhe.ibm.com/infocenter/aix/v7r1/index.jsp?topic=%2Fcom.ibm.aix.files%2Fdoc%2Faixfiles%2FStandard.htm

