
I have a relatively simple Bind/DNS configuration, and would like to allow some of my users to be able to add their own configurations (e.g. A records and CNAMEs). Even though I trust my users, I want to restrict access to all configuration files to only myself and other admins. I also do not want my users to (have to) log in to a shell session on the DNS server.

Solutions I have considered:

  • Delegating zones: this won't work for me, because it adds significant complexity and overhead (each user would need to maintain a DNS server for their own zone). Also, a firewall that is outside of my control prevents me from setting up additional reachable DNS servers within my network.
  • User-editable "include" files: this is what I am aiming for now, but I am unable to find any existing solutions to allow authenticated/restricted access to a subset of configuration files. Thus I would have to create my own. I am not sure how I would approach this: git with hooks? A web application?

Have other admins encountered this problem, and if so how was it solved?

EdwardTeach
  • The main issue with include files is that if your users screw up the config, they can crash your nameserver. Not ideal. You'll need to use something that at the minimum checks for proper formatting of the files. I haven't done this myself, but you could either script up something using named-checkzone or perhaps set up one of the many DNS management solutions. – malcolmpdx Jan 20 '12 at 21:01
  • Yes that is a concern. I was thinking maybe automatically running "dnslint" before accepting the changes. – EdwardTeach Jan 20 '12 at 21:15

3 Answers


You could use a MySQL (or similar DB) for a backend, and develop a nice web front end for allowing record and zone changes.

I haven't tried the MySQL backend for BIND, but the MyDNS and PowerDNS MySQL backends work great.

Tim
  • If I'm going to develop a front end, I'd probably just have it directly edit a "staged" copy of the include file and then test/activate it. I was actually hoping someone else might have already created something like this. I looked, but couldn't find one; maybe it exists somewhere already though? – EdwardTeach Jan 20 '12 at 21:22
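The staged-include workflow EdwardTeach sketches in the comment above (validate, check, then activate), written out as an added example; this is not code from the thread or from BIND. The user name alice, her subtree alice.example.com, and the paths under /etc/bind are assumptions. The allowlist check is the part named-checkzone does not do for you: it keeps a user from adding $INCLUDE (which makes named read any file it can open), $ORIGIN (which escapes her subtree), NS/SOA/MX records, or names under someone else's subtree.

```python
#!/usr/bin/env python3
"""Gate a user's staged BIND include: allowlist check, then install, run
named-checkzone on the whole real zone, and rndc reload (or roll back).

Added example, not code from the thread.  Assumed layout for user alice:
  /etc/bind/zones/db.example.com   admin-owned; contains
                                   $INCLUDE "/etc/bind/includes/alice.inc"
  /etc/bind/includes/alice.staged  what alice uploads (scp, web form, git hook)
  /etc/bind/includes/alice.inc     what named reads; admins create it empty
Alice may only create names under alice.example.com, so every owner in her
file must be relative and end in "alice" (named appends the zone origin).
"""
import ipaddress
import os
import re
import shutil
import subprocess

ALLOWED_TYPES = {"A", "AAAA", "CNAME"}
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
NAME_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}\.?$", re.I)


def _is_ip(text: str, version: int) -> bool:
    try:
        return ipaddress.ip_address(text).version == version
    except ValueError:
        return False


def validate_include(text: str, suffix: str) -> list:
    """Return one error string per bad line; an empty list means accept."""
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        # $INCLUDE reads any file named can open, $ORIGIN escapes the subtree,
        # $GENERATE can explode the zone; '(' starts a multi-line record that
        # this deliberately small parser does not handle.
        if line.lstrip().startswith("$") or "(" in line or ")" in line:
            errors.append(f"line {lineno}: directives/multi-line records not allowed")
            continue
        if line[0].isspace():                         # BIND would reuse the previous owner
            errors.append(f"line {lineno}: record must start with its owner name")
            continue
        tok = line.split()
        owner, rest = tok[0].lower(), tok[1:]
        ttl = int(rest.pop(0)) if rest and rest[0].isdigit() else None
        if rest and rest[0].upper() == "IN":
            rest.pop(0)
        if len(rest) != 2:
            errors.append(f"line {lineno}: expected 'owner [ttl] [IN] type rdata'")
            continue
        rtype, rdata = rest[0].upper(), rest[1]
        in_subtree = owner == suffix or owner.endswith("." + suffix)
        if owner.endswith(".") or not NAME_RE.match(owner) or not in_subtree:
            errors.append(f"line {lineno}: owner {owner!r} not a relative name under {suffix!r}")
        elif rtype not in ALLOWED_TYPES:
            errors.append(f"line {lineno}: type {rtype} not allowed")
        elif rtype == "A" and not _is_ip(rdata, 4):
            errors.append(f"line {lineno}: {rdata!r} is not an IPv4 address")
        elif rtype == "AAAA" and not _is_ip(rdata, 6):
            errors.append(f"line {lineno}: {rdata!r} is not an IPv6 address")
        elif rtype == "CNAME" and not NAME_RE.match(rdata):
            errors.append(f"line {lineno}: {rdata!r} is not a valid CNAME target")
        elif ttl is not None and not 60 <= ttl <= 86400:
            errors.append(f"line {lineno}: TTL {ttl} outside 60..86400")
    return errors


def activate(staged: str, live: str, zone: str, zone_file: str) -> bool:
    """Install the include atomically, check the whole real zone with it in
    place (catches e.g. a CNAME clashing with another user's include), then
    reload; on failure put the previous include back so later reloads work."""
    backup, tmp = live + ".prev", live + ".tmp"
    shutil.copyfile(live, backup)
    shutil.copyfile(staged, tmp)
    os.replace(tmp, live)                 # named sees old or new, never half a file
    ok = subprocess.run(["named-checkzone", "-q", zone, zone_file]).returncode == 0
    if ok:
        subprocess.run(["rndc", "reload", zone], check=True)
    else:
        os.replace(backup, live)
    return ok


SAMPLE = """\
; constructed sample upload for user alice
www.alice   300 IN A     192.0.2.10
blog.alice      IN CNAME www.alice
$INCLUDE "/etc/bind/rndc.key"   ; any file named can read
www.bob         IN A     192.0.2.11
mail.alice      IN MX    10 mx.example.net.
"""

if __name__ == "__main__":
    problems = validate_include(SAMPLE, "alice")
    print("\n".join(problems) or "accepted")
```

On the constructed sample the first two records pass and lines 4, 5 and 6 are rejected. Whatever front end you put on top (git hook, web form, scp drop directory), keep the file the user writes (alice.staged) separate from the one named reads (alice.inc), so a half-written upload is never what named parses, and let only the admin-owned activation step copy between them.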

GOsa has quite extensive ACL settings allowing delegation of privileges, strong authentication, password policies and ageing. It's used primarily for LDAP administration and editing but it has plugins for DNS among other things. You may want to check it out.

And you can use it with either Bind or PowerDNS. There are patches for Bind to make it work with LDAP and scripts to regenerate zone files. PowerDNS has native support for LDAP backend.

Hubert Kario

One of my colleagues pointed out there is already a parallel utility to nslookup called nsupdate (see this short intro). This looks like an ideal solution for me because it has minimal setup requirements and maintenance. It requires more "technical" users due to the CLI, but in my case this is not a problem.

EdwardTeach
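The nsupdate route, worked through as an added example that is not code from the thread or from BIND: the server-side update-policy that actually enforces the restriction, and a small Python wrapper the user runs from her own machine with her TSIG key. The user alice, the key alice-key, ns1.example.com and all paths are assumptions; the key itself comes from tsig-keygen (dnssec-keygen -n HOST on older BIND releases).

```python
#!/usr/bin/env python3
"""Let a user change her own records with nsupdate and a per-user TSIG key.

Added example, not code from the thread; hostnames, key names and paths are
assumptions.  The restriction is enforced by named, not by this script:

  # named.conf on the server (admin-owned); secret from: tsig-keygen alice-key
  key "alice-key" { algorithm hmac-sha256; secret "<base64>"; };
  zone "example.com" {
      type master;
      file "/etc/bind/zones/db.example.com";
      update-policy {
          # alice may touch A/AAAA/CNAME at or below alice.example.com, nothing else
          grant alice-key subdomain alice.example.com. A AAAA CNAME;
      };
  };

The user keeps alice-key in a file readable only by her and never needs a
shell on the DNS server: the TSIG-signed update travels over port 53.
"""
import shutil
import subprocess

ALLOWED_TYPES = {"A", "AAAA", "CNAME"}


def build_batch(server, zone, owner, rtype, rdata, ttl=300, replace=True):
    """Return the command script nsupdate reads on stdin.

    replace=True swaps the whole RRset of that type in one transaction
    (delete and add are sent together, so there is no window with no record);
    replace=False adds a prerequisite so an existing RRset is never clobbered,
    which protects against a typo overwriting a neighbouring name.
    """
    rtype = rtype.upper()
    if rtype not in ALLOWED_TYPES:
        raise ValueError(f"type {rtype} not permitted by this client")
    if not owner.endswith("." + zone):
        raise ValueError(f"{owner} is not inside zone {zone}")
    lines = [f"server {server}", f"zone {zone}."]
    if replace:
        lines.append(f"update delete {owner}. {rtype}")
    else:
        lines.append(f"prereq nxrrset {owner}. {rtype}")
    lines.append(f"update add {owner}. {ttl} IN {rtype} {rdata}")
    lines.append("send")
    return "\n".join(lines) + "\n"


def run_nsupdate(batch: str, keyfile: str):
    """Sign the batch with the TSIG key in keyfile and send it.  Returns True
    on success, False if named rejected it (REFUSED for a name or type outside
    the grant, or a TSIG failure), None if nsupdate is not installed here."""
    exe = shutil.which("nsupdate")
    if exe is None:
        return None
    result = subprocess.run([exe, "-k", keyfile], input=batch,
                            text=True, capture_output=True)
    return result.returncode == 0 and "failed" not in (result.stdout + result.stderr)


if __name__ == "__main__":
    batch = build_batch("ns1.example.com", "example.com",
                        "www.alice.example.com", "A", "192.0.2.10")
    print(batch, end="")
    # run_nsupdate(batch, "/home/alice/alice-key.conf")   # path is an assumption
```

Two things to verify once this is in place. First, send an update for a name outside the grant (say www.bob.example.com signed with alice-key): named must answer REFUSED and nothing may change, which is the whole point of the subdomain grant; update-policy and allow-update are mutually exclusive per zone, so the zone must not also carry an allow-update that lets the key through. Second, a zone that accepts dynamic updates gets a journal (.jnl) next to the zone file, so named needs write access to that directory, and any hand edit to the zone file by an admin has to be bracketed by rndc freeze example.com and rndc thaw example.com, or the file and the journal diverge.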