Original
I have a complex DNS set-up on my home router that's running Ubuntu. My objectives are to:
- Query my local ISP's DNS for geolocation-sensitive lookups that I care about
- Use dnscrypt-proxy for the majority of look-ups. For certain domains (a few I know, and many that I don't), my ISP poisons the lookups with false addresses to blackhole traffic, so other than those specific domains I wish this to be the default DNS lookup server
- Minimize internet DNS lookups. My internet connection isn't reliable, and at certain times during the day I have as low as a 50/50 chance of DNS lookups out of country succeeding
- Have my own internal domain, predominantly so that reverse lookups work.
The solution I've had to implement to achieve these objectives is:
- unbound as my LAN's primary DNS server, caching lookups, aggressively retaining that cache, and forwarding cache misses to the relevant DNS server
- dnscrypt-proxy on 127.0.2.1:53 as the forward-addr for "." in unbound
- bind on 192.168.1.1:40, authoritative for my local domain only
- isc-dhcp-server for handing out IP addresses and inserting forward and reverse lookups.
I've managed to achieve the majority of my objectives, so I'm reticent to change things significantly, except for getting forward/reverse look-ups for non-static hosts on my LAN to work.
My suspicion is that isc-dhcp-server is sending DDNS updates to unbound, which doesn't have any idea what to do with them. How do I either ask isc-dhcp-server to send them to 192.168.1.1:40 (bind), even though I want the DNS server for my clients to be 192.168.1.1:53 (unbound), or enable unbound to forward DDNS updates to bind?
Example error message
Sep 29 08:01:10 ubuntu dhcpd[7057]: DHCPREQUEST for 192.168.1.101 from 28:18:78:7c:d5:a1 (Xbox-SystemOS) via enp2s0
Sep 29 08:01:10 ubuntu dhcpd[7057]: DHCPACK on 192.168.1.101 to 28:18:78:7c:d5:a1 (Xbox-SystemOS) via enp2s0
Sep 29 08:01:22 ubuntu dhcpd[7057]: Unable to add forward map from Xbox-SystemOS.mydomain.ddns.net. to 192.168.1.101: timed out
Relevant lines in dhcpd.conf
ddns-updates on;
ddns-update-style interim;
key rndc-key { algorithm hmac-md5; secret MIND_YOUR_BUSINESS; }
subnet ...... {
    ....
    option domain-name-servers 192.168.1.1;
    ...
    ddns-domainname "mydomain.ddns.net.";
    ddns-rev-domainname "in-addr.arpa.";
}
Relevant lines from /etc/bind/named.conf.local
zone "mydomain.ddns.net" {
    type master;
    file "/etc/bind/zones/db.mydomain.ddns.net"; # Zone file path
    allow-update { key rndc-key; };              # allow for dynamic updates
};
zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.192.168";           # 192.168.0.0/16 subnet
    allow-update { key rndc-key; };              # allow for dynamic updates
};
Update 1
After digging through dhcpd.conf, I arrived at the conclusion that I cannot specify a port number for the bind server in it. There is however a magic option named ddns-local-address4 which allowed me to specify a server IP address for DDNS that differs from the domain-name-servers option.
I changed bind to listen on 127.0.0.1 and this largely works (at least bind is now receiving the update). However, it is tripping up on permissions.
Sep 29 19:21:40 ubuntu named[31415]: client 127.0.0.1#2824/key rndc-key: signer "rndc-key" approved
Sep 29 19:21:40 ubuntu named[31415]: client 127.0.0.1#2824/key rndc-key: updating zone 'mydomain.ddns.net/IN': adding an RR at 'iPhone.mydomain.ddns.net' A 192.168.1.104
Sep 29 19:21:40 ubuntu named[31415]: client 127.0.0.1#2824/key rndc-key: updating zone 'mydomain.ddns.net/IN': adding an RR at 'iPhone.mydomain.ddns.net' TXT "316a52934f2adcaf4c95004e870a4c0f70"
Sep 29 19:21:40 ubuntu named[31415]: /etc/bind/zones/db.mydomain.ddns.net.jnl: open: permission denied
Sep 29 19:21:40 ubuntu named[31415]: client 127.0.0.1#2824/key rndc-key: updating zone 'mydomain.ddns.net/IN': error: journal open failed: unexpected error
Sep 29 19:21:40 ubuntu kernel: [212079.779512] audit: type=1400 audit(1475148100.710:25): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/zones/db.mydomain.ddns.net.jnl" pid=31419 comm="named" requested_mask="w" denied_mask="w" fsuid=110 ouid=0
My best attempts at giving bind sufficient permission to update that file aren't working, however. What gives?
ps aux | grep named
bind 31415 0.0 0.2 429564 19572 ? Ssl 19:10 0:00 /usr/sbin/named -f -u bind
ls -la /etc/bind/zones
total 16
drwxrwsr-x 2 root bind 4096 Sep 29 19:21 .
drwxr-sr-x 3 root bind 4096 Sep 29 19:07 ..
-rw-r--r-- 1 root bind 340 Sep 28 08:01 db.192.168
-rw-r--r-- 1 root bind 514 Sep 27 07:40 db.mydomain.ddns.net
-rw-rw-r-- 1 bind bind 0 Sep 29 19:21 db.mydomain.ddns.net.jnl
Update 2
I modified my AppArmor profile for named and I am no longer getting the permission errors. When I query bind directly on 127.0.0.1, everything works. However, when I query it via ubuntu, it's not forwarding the look-ups to bind correctly. What am I doing wrong now?
From unbound.conf
local-zone: "1.168.192.in-addr.arpa." nodefault
local-zone: "168.192.in-addr.arpa." nodefault
stub-zone:
    name: "168.192.inaddr.arpa."
    stub-addr: 127.0.0.1
stub-zone:
    name: "1.168.192.inaddr.arpa."
    stub-addr: 127.0.0.1
stub-zone:
    name: "mydomain.ddns.net."
    stub-addr: 127.0.0.1
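On the original question of steering the DDNS traffic: the mechanism dhcpd provides for choosing which server receives an update is a `zone` declaration in dhcpd.conf naming the `primary` server and the TSIG `key`; there is no port in that declaration, which matches the conclusion in Update 1. dhcpd puts the declared zone name in the update's zone section, so it has to be exactly a zone BIND serves: for the posted named.conf.local that is `168.192.in-addr.arpa.` (the /16), not a per-/24 name, or BIND will answer NOTAUTH. The following is an added example and not part of the question or of ISC's own documentation; it assumes BIND listens on 127.0.0.1 as in Update 1 and generates the stanzas from the domain, key and subnet rather than having them typed by hand.

```shell
#!/bin/sh
# Added example (not from the question): render the dhcpd.conf "zone"
# declarations that direct DDNS updates at a specific server and key.
# DDNS_DOMAIN and DDNS_KEY come from the question; DDNS_SERVER is the
# assumed loopback address BIND was moved to in Update 1.

DDNS_DOMAIN="mydomain.ddns.net."
DDNS_SERVER="127.0.0.1"
DDNS_KEY="rndc-key"

# Reverse zone name for an IPv4 network with prefix length 8, 16 or 24:
# keep prefix/8 leading octets, reverse them, append in-addr.arpa.
#   192.168.0.0 16 -> 168.192.in-addr.arpa.
#   192.168.1.0 24 -> 1.168.192.in-addr.arpa.
reverse_zone() {
  printf '%s\n' "$1" | awk -F. -v n="$(( $2 / 8 ))" '{
    out = ""
    for (i = n; i >= 1; i--) out = out $i "."
    print out "in-addr.arpa."
  }'
}

# One dhcpd zone declaration. dhcpd picks the declaration whose name is a
# suffix of the record it wants to update and sends the update, signed
# with "key", to "primary", with this exact name as the update's zone.
zone_stanza() {
  printf 'zone %s {\n  primary %s;\n  key %s;\n}\n' "$1" "$2" "$3"
}

# Forward zone plus one reverse zone per network given as a.b.c.d/len.
# The reverse zone names must equal the zones BIND is authoritative for.
render_ddns_zones() {
  zone_stanza "$DDNS_DOMAIN" "$DDNS_SERVER" "$DDNS_KEY"
  for cidr in "$@"; do
    zone_stanza "$(reverse_zone "${cidr%/*}" "${cidr#*/}")" "$DDNS_SERVER" "$DDNS_KEY"
  done
}

# The /16 here mirrors the "168.192.in-addr.arpa" zone in named.conf.local.
render_ddns_zones 192.168.0.0/16
```

These stanzas sit at top level in dhcpd.conf alongside the existing `key rndc-key { ... }` declaration; the `ddns-domainname` and `ddns-rev-domainname` options still decide what names dhcpd builds, the zone declarations only decide where the resulting updates go.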
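Two things in the posted unbound.conf are worth checking before looking further at forwarding. The stub-zone names read `168.192.inaddr.arpa.` and `1.168.192.inaddr.arpa.` (no hyphen), which unbound accepts as ordinary stub zones that no reverse query ever matches, while the `local-zone ... nodefault` lines use the correct `in-addr.arpa.` spelling, so the two sets of directives do not line up. Separately, unbound's `do-not-query-localhost` option defaults to yes, so a `stub-addr: 127.0.0.1` is never contacted unless `do-not-query-localhost: no` is set in the `server:` clause, and the stub zones then fail with SERVFAIL. The script below is an added example, not text from the question; it embeds the posted snippet as constructed input, lints it for those problems, and prints a corrected version.

```shell
#!/bin/sh
# Added example (not from the question): lint the posted unbound stub-zone
# snippet for the mistakes that silently break resolution through a
# loopback BIND, and print a corrected version. The snippet below is the
# question's own text, embedded here as constructed input.

UNBOUND_CONF=$(cat <<'EOF'
local-zone: "1.168.192.in-addr.arpa." nodefault
local-zone: "168.192.in-addr.arpa." nodefault
stub-zone:
    name: "168.192.inaddr.arpa."
    stub-addr: 127.0.0.1
stub-zone:
    name: "1.168.192.inaddr.arpa."
    stub-addr: 127.0.0.1
stub-zone:
    name: "mydomain.ddns.net."
    stub-addr: 127.0.0.1
EOF
)

# Zone names given to stub-zone (or forward-zone) clauses.
stub_zone_names() {
  printf '%s\n' "$UNBOUND_CONF" | sed -n 's/^[[:space:]]*name:[[:space:]]*"\(.*\)".*/\1/p'
}

# Names under .arpa that are not in in-addr.arpa. or ip6.arpa.: unbound
# would load them, but no reverse lookup can ever fall inside them.
misspelled_reverse_zones() {
  stub_zone_names | awk '/arpa\.?$/ && !/\.in-addr\.arpa\.?$/ && !/\.ip6\.arpa\.?$/'
}

# Reverse stub zones with no matching "local-zone: ... nodefault": unbound's
# built-in local zone for private address space would answer NXDOMAIN
# before the stub is consulted. (Dots act as wildcards in the grep, which
# is good enough for a lint.)
stubs_missing_nodefault() {
  stub_zone_names | grep 'arpa\.$' | while IFS= read -r z; do
    printf '%s\n' "$UNBOUND_CONF" \
      | grep -q "local-zone:[[:space:]]*\"$z\"[[:space:]]*nodefault" || printf '%s\n' "$z"
  done
}

# unbound refuses to query 127.0.0.0/8 unless do-not-query-localhost is no.
loopback_stubs_without_override() {
  lo=$(printf '%s\n' "$UNBOUND_CONF" | grep -c 'stub-addr:[[:space:]]*127\.' || true)
  ov=$(printf '%s\n' "$UNBOUND_CONF" | grep -c '^[[:space:]]*do-not-query-localhost:[[:space:]]*no' || true)
  if [ "$lo" -gt 0 ] && [ "$ov" -eq 0 ]; then echo yes; else echo no; fi
}

# Corrected snippet: fix the zone names and put the server: options first.
corrected_unbound_conf() {
  printf 'server:\n    do-not-query-localhost: no\n'
  printf '%s\n' "$UNBOUND_CONF" \
    | sed -e 's/\.inaddr\.arpa\./.in-addr.arpa./' -e 's/^local-zone:/    local-zone:/'
}

echo "misspelled reverse zones:"; misspelled_reverse_zones
echo "reverse stubs without nodefault:"; stubs_missing_nodefault
echo "needs do-not-query-localhost: no -> $(loopback_stubs_without_override)"
echo "--- corrected ---"; corrected_unbound_conf
```

After applying the corrected snippet, `unbound-checkconf` confirms the syntax and a PTR query for a LAN address sent to unbound should now be answered by BIND. If unbound is also validating DNSSEC, the stub zones may additionally need to be listed with `domain-insecure:` when their parent delegation is signed, since BIND's copies carry no signatures.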
BIND has to have write access to the directory /etc/bind/zones/ to create journal files. Usually `chown bind:bind /etc/bind/zones` is sufficient (make the BIND user the owner of the directory). – milli – 2016-12-20T00:33:00.727
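The three pieces of evidence in Update 1 already identify which layer is refusing the journal write: `ps` shows named running as `bind`, `ls -la` shows `/etc/bind/zones` owned by `root:bind` with group write and the setgid bit, so ordinary file permissions allow the write, and the kernel audit line records `apparmor="DENIED"` for the `.jnl` path. That is consistent with Update 2, where editing the AppArmor profile cleared the errors, and it means ownership changes alone would not have cleared this particular denial. The script below is an added example, not from the question or the comment; it takes those three posted lines as constructed input, classifies the denial, and prints the AppArmor rule to add. It assumes Ubuntu's shipped `/etc/apparmor.d/usr.sbin.named` profile, which includes `local/usr.sbin.named` for site-specific additions.

```shell
#!/bin/sh
# Added example (not from the question or the comment): decide which layer is
# refusing named's journal write, from the evidence posted in Update 1.
# The three lines below are constructed from the question for offline use.

PS_LINE='bind 31415 0.0 0.2 429564 19572 ? Ssl 19:10 0:00 /usr/sbin/named -f -u bind'
DIR_LINE='drwxrwsr-x 2 root bind 4096 Sep 29 19:21 .'
AUDIT_LINE='Sep 29 19:21:40 ubuntu kernel: [212079.779512] audit: type=1400 audit(1475148100.710:25): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/zones/db.mydomain.ddns.net.jnl" pid=31419 comm="named" requested_mask="w" denied_mask="w" fsuid=110 ouid=0'

# User named runs as: first column of the ps output.
named_user() { printf '%s\n' "$1" | awk '{print $1}'; }

# Does an ls -la line grant write to user $2 (as owner) or group $3?
# Characters 3 and 6 of the mode string are the owner and group write bits.
dir_writable_by() {
  dw_mode=$(printf '%s\n' "$1" | awk '{print $1}')
  dw_owner=$(printf '%s\n' "$1" | awk '{print $3}')
  dw_group=$(printf '%s\n' "$1" | awk '{print $4}')
  if [ "$dw_owner" = "$2" ] && [ "$(printf '%s' "$dw_mode" | cut -c3)" = w ]; then
    echo yes
  elif [ "$dw_group" = "$3" ] && [ "$(printf '%s' "$dw_mode" | cut -c6)" = w ]; then
    echo yes
  else
    echo no
  fi
}

# Path named in an AppArmor audit record; empty if the line is not one.
apparmor_denied_path() {
  case "$1" in
    *'apparmor="DENIED"'*) printf '%s\n' "$1" | sed -n 's/.*name="\([^"]*\)".*/\1/p' ;;
    *) echo "" ;;
  esac
}

# Profile that issued the denial.
apparmor_profile() { printf '%s\n' "$1" | sed -n 's/.*profile="\([^"]*\)".*/\1/p'; }

# Check DAC first (mode bits), then MAC (AppArmor). Assumes named's primary
# group has the same name as its user, as Ubuntu's bind user does.
diagnose() {
  d_user=$(named_user "$PS_LINE")
  d_path=$(apparmor_denied_path "$AUDIT_LINE")
  if [ "$(dir_writable_by "$DIR_LINE" "$d_user" "$d_user")" = no ]; then
    echo "dac: directory is not writable by $d_user; fix owner or mode"
  elif [ -n "$d_path" ]; then
    echo "apparmor: $(apparmor_profile "$AUDIT_LINE") denies write to $d_path"
  else
    echo "unknown: neither mode bits nor AppArmor explain the failure"
  fi
}

# Rule to append to /etc/apparmor.d/local/usr.sbin.named (assumed include
# point), then reload with: apparmor_parser -r /etc/apparmor.d/usr.sbin.named
apparmor_local_rule() { printf '%s/** rw,\n' "$1"; }

diagnose
apparmor_local_rule /etc/bind/zones
```

Ubuntu's shipped profile already grants `/var/lib/bind/** rw`, which is why the packaging puts dynamically updated zones (and their journals) under `/var/lib/bind` rather than `/etc/bind`; moving the two zone files there and updating the `file` paths in named.conf.local avoids touching the profile at all.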