NS service
1. About
The Domain Name System (DNS) is the naming system used to identify computers reachable through the network. It maps human-friendly domain names to the numerical IP addresses computers need to locate each other.
Note: The NS service consists of authoritative nameservers only; for recursive resolvers, see the DNS service instead.
2. Systems
2.2 Backend
Always use the frontend DNS record
Never use the backend nodes directly:
- backend may change without notice at any time (e.g. IP addresses, DNS records, configuration, etc.)
- backend has no legacy support or grace periods, changes are implemented instantly
- backend can be rebooted without notice at any time
- backend access will soon be restricted
| FQDN | IPv6 | IPv4 |
|---|---|---|
| node1.ns.bfh.info | 2a07:6b40::21 | 147.87.0.21 |
| node2.ns.bfh.info | 2a07:6b40::22 | 147.87.0.22 |
| node3.ns.bfh.info | 2a07:6b40::23 | 147.87.0.23 |
| node4.ns.bfh.info | 2a07:6b40::24 | 147.87.0.24 |

| FQDN | IPv6 | IPv4 |
|---|---|---|
| ns.bfh.info | 2a07:6b40::20 | 147.87.0.20 |
| node1.proxy.ns.bfh.info | 2a07:6b40::26 | 147.87.0.26 |
| node2.proxy.ns.bfh.info | 2a07:6b40::27 | 147.87.0.27 |
| node3.proxy.ns.bfh.info | 2a07:6b40::28 | 147.87.0.28 |
| node4.proxy.ns.bfh.info | 2a07:6b40::29 | 147.87.0.29 |

| FQDN | IPv6 | IPv4 |
|---|---|---|
| ns-static.bfh.info | 2a07:6b40::100 | 147.87.0.100 |
| node1.ns-static.bfh.info | 2a07:6b40::101 | 147.87.0.101 |
| node2.ns-static.bfh.info | 2a07:6b40::102 | 147.87.0.102 |

| FQDN | IPv6 | IPv4 |
|---|---|---|
| ns-dynamic.bfh.info | 2a07:6b40::110 | 147.87.0.110 |
| node1.ns-dynamic.bfh.info | 2a07:6b40::111 | 147.87.0.111 |
| node2.ns-dynamic.bfh.info | 2a07:6b40::112 | 147.87.0.112 |
3. Features
3.1 Protocols
DNS (UDP/TCP) on port 53 (frontend and backends)
DNS over TLS on port 853 (frontend only)
DNS over HTTPS on port 443 (frontend only)
3.2 ACLs
queries are accepted from everywhere
zone transfers for all local zones are accepted from 2a07:6b40::/29, 147.87.0.0/16 and 10.0.0.0/8 only; everything else is explicitly denied (a refusal response, not a silent drop)
DDNS is accepted from dhcp.bfh.info nodes and Microsoft Active Directory
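As an added example (not part of the service's own tooling), the zone-transfer allow-list above evaluated in Python with the standard `ipaddress` module: it returns the verdict for a client address, shows what 2a07:6b40::/29 actually covers, and flags refused transfer attempts in a few constructed log lines. The log format and client addresses are assumptions for the example.

```python
"""Evaluate the NS-service zone-transfer ACL (section 3.2) against client
addresses and constructed log lines. Added example, not the service's code."""
import ipaddress

# Allow-list copied from section 3.2; any other client must get a refusal
# response (the page's "denied, not drop"), never a silent drop.
AXFR_ALLOWED = [
    ipaddress.ip_network("2a07:6b40::/29"),
    ipaddress.ip_network("147.87.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def axfr_verdict(source: str) -> str:
    """Return 'ALLOW' when `source` lies inside an allowed prefix, else
    'REFUSED'. IPv4-mapped IPv6 clients are judged by their IPv4 form."""
    addr = ipaddress.ip_address(source)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return "ALLOW" if any(
        addr.version == net.version and addr in net for net in AXFR_ALLOWED
    ) else "REFUSED"


def prefix_range(prefix: str) -> tuple:
    """First and last address a prefix covers: 2a07:6b40::/29 spans eight
    /32 blocks (2a07:6b40:: up to 2a07:6b47:...), not only 2a07:6b40::/32."""
    net = ipaddress.ip_network(prefix)
    return str(net[0]), str(net[-1])


# Constructed sample log lines, "<client> AXFR <zone>"; the clients are
# illustrative values, not observed traffic.
SAMPLE_LOG = [
    "147.87.0.22 AXFR bfh.info",
    "2a07:6b47::5 AXFR bfh.info",
    "10.4.2.1 AXFR 87.147.in-addr.arpa",
    "203.0.113.7 AXFR bfh.info",
    "2a07:6b48::1 AXFR bfh.info",
]


def refused_transfers(lines):
    """Return (client, zone) for each line the ACL would refuse; these are
    the transfer attempts worth reviewing."""
    refused = []
    for line in lines:
        client, op, zone = line.split()
        if op == "AXFR" and axfr_verdict(client) == "REFUSED":
            refused.append((client, zone))
    return refused


if __name__ == "__main__":
    print(prefix_range("2a07:6b40::/29"))
    for entry in refused_transfers(SAMPLE_LOG):
        print("review:", entry)
```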
3.3 TTL, Cache
global TTL of 1m for all zones
queries to the frontend are not cached on purpose
queries to the frontend for own zones are not cached on purpose and are forwarded directly to the NS servers
4. Operations
4.1 Clear all zones on NS secondaries
```shell
ssh node1.ns.bfh.info sudo knot-zones-reset
ssh node2.ns.bfh.info sudo knot-zones-reset
ssh node3.ns.bfh.info sudo knot-zones-reset
ssh node4.ns.bfh.info sudo knot-zones-reset
```
6. Backlog
Legacy
resetup node{5,6}.ns.bfh.info (carrying all zones)
cleanup all zone data
review all zone authority
complete all reverse zones, use auto-reverse where applicable
verify zone inventory (autodns.com): all domains should have an active zone (automatic via API)
run zone checks in parallel
skip empty dynamic zones
lock deployment during a triggered run
verify/review HA-setup of the primaries
add server-side zone checks via git hooks
add client-side zone checks via pre-commit
include checks also for zone includes by creating temporary zone stubs to run checks on
allow Microsoft Active Directory to write its zones
provide static seeds for Microsoft Active Directory zones
Setup
regenerate containers with Debian 12
upgrade to current knot/dnsdist
autoincrement serial on ns-static.bfh.info
move the dnsdist web frontend behind Apache with LDAP auth
restrict backend subnet access to frontend and management only
verify if enabling auto_reverse (#576) on primaries is a good idea
static rate limiting
document and clean up zone inventory (autodns.com), enable users and MFA