secubox-openwrt/DNS-SECUBOX-IN-SETUP.md
CyberMind-FR 0e0749ed08 feat: Add threat-analyst, dns-guard, mcp-server and DNS provider DynDNS
New packages:
- secubox-threat-analyst: AI-powered threat analysis with CrowdSec integration
- luci-app-threat-analyst: LuCI dashboard for threat intelligence
- secubox-dns-guard: DNS security monitoring and blocking
- secubox-mcp-server: Model Context Protocol server for AI assistant integration

Enhancements:
- dns-provider: Add DynDNS support (dyndns, get, update, domains commands)
- gandi.sh: Full DynDNS with WAN IP detection and record updates
- luci-app-dnsguard: Upgrade to v1.1.0 with improved dashboard

Infrastructure:
- BIND9 DNS setup for secubox.in with CAA records
- Wildcard SSL certificates via DNS-01 challenge
- HAProxy config fixes for secubox.in subdomains
- Mail server setup with Roundcube webmail

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 08:30:28 +01:00


DNS Setup Guide: Register secubox.in as Master on secubox.maegia.tv

Table of Contents

  1. Overview
  2. Prerequisites
  3. Architecture
  4. Step-by-Step Configuration
  5. Configuration Files
  6. Verification and Testing
  7. Troubleshooting
  8. Security Best Practices
  9. Maintenance

Overview

This guide provides comprehensive instructions for setting up secubox.in as a master DNS zone with secubox.maegia.tv configured as a slave/peer server. This setup enables redundant DNS service and load balancing between the two servers.

Key Features

  • Master-Slave DNS Replication: Automatic zone transfers from master to slave
  • High Availability: Redundant DNS service across two servers
  • Automatic Updates: Slave server receives updates when master zone changes
  • Load Balancing: DNS queries can be distributed between servers

Prerequisites

Software Requirements

  • BIND 9.x DNS server installed on both servers
  • OpenWrt/LuCI environment (for SecuBox integration)
  • Network connectivity between servers
  • Root/administrative access to both servers

Network Requirements

  • Static IP addresses for both DNS servers
  • Port 53 (TCP and UDP) open between servers
  • Proper firewall configuration
  • Network time synchronization (NTP)

DNS Requirements

  • Registered domain name (secubox.in)
  • Authority to configure DNS for the domain
  • Valid name server records registered with domain registrar

Architecture

┌─────────────────────────────────────────────────────────────────────┐
│                    DNS MASTER-SLAVE ARCHITECTURE                    │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  ┌─────────────────┐               ┌─────────────────┐              │
│  │  MASTER SERVER  │               │  SLAVE SERVER   │              │
│  │  (Primary)      │               │  (Secondary)    │              │
│  │                 │               │                 │              │
│  │  ┌───────────┐  │               │  ┌───────────┐  │              │
│  │  │ BIND DNS  │  │               │  │ BIND DNS  │  │              │
│  │  └───────────┘  │               │  └───────────┘  │              │
│  │                 │               │                 │              │
│  │  Zone File:     │               │  Zone File:     │              │
│  │  /etc/bind/     │               │  /etc/bind/     │              │
│  │  zones/master   │               │  zones/slave    │              │
│  └─────────────────┘               └─────────────────┘              │
│          │                                  │                       │
│          │ DNS NOTIFY (serial changed)      │                       │
│          │─────────────────────────────────>│                       │
│          │                                  │                       │
│          │ SOA query + AXFR/IXFR request    │                       │
│          │<─────────────────────────────────│                       │
│          │                                  │                       │
│          │ Zone data (AXFR/IXFR, TCP 53)    │                       │
│          │─────────────────────────────────>│                       │
│                                                                     │
│  ┌───────────────────────────────────────────────────────────────┐  │
│  │                        CLIENT REQUESTS                        │  │
│  └───────────────────────────────────────────────────────────────┘  │
│          │                                  │                       │
│          ▼                                  ▼                       │
│  ┌─────────────────┐               ┌─────────────────┐              │
│  │  DNS Queries    │               │  DNS Queries    │              │
│  │  (Port 53 UDP)  │               │  (Port 53 UDP)  │              │
│  └─────────────────┘               └─────────────────┘              │
└─────────────────────────────────────────────────────────────────────┘

Step-by-Step Configuration

Step 1: Install Required Packages

On both servers, ensure BIND DNS is installed:

# On OpenWrt/SecuBox:
opkg update
opkg install bind-server bind-tools

# Enable and start BIND service:
/etc/init.d/named enable
/etc/init.d/named start

Step 2: Configure Master Server

2.1. Create Zone Directory

mkdir -p /etc/bind/zones
chown -R bind:bind /etc/bind/zones

2.2. Add Zone Configuration to named.conf.local

Edit /etc/bind/named.conf.local and add:

zone "secubox.in" {
    type master;
    file "/etc/bind/zones/secubox.in.db";
    allow-transfer {
        192.168.1.0/24;
        10.0.0.0/8;
        # Add specific peer IP for secubox.maegia.tv
    };
    also-notify {
        # Add secubox.maegia.tv IP here
    };
};

2.3. Create Zone File

Create /etc/bind/zones/secubox.in.db containing the zone's records (the record types are listed under Zone File Structure below): an SOA record whose serial you increment on every change, one NS record for each of the two servers, and the A, MX, CNAME and TXT records for the domain. Validate it with named-checkzone (see Debugging Commands) before loading it.

Step 3: Configure Slave Server (secubox.maegia.tv)

3.1. Create Zone Directory

mkdir -p /etc/bind/zones
chown -R bind:bind /etc/bind/zones

3.2. Add Slave Zone Configuration

Edit /etc/bind/named.conf.local and add:

zone "secubox.in" {
    type slave;
    masters { 192.168.1.100; };  # Master server IP
    file "/etc/bind/zones/secubox.in.slave";
};

Step 4: Configure Firewall

Add these rules to /etc/config/firewall:

# Both rules are input rules (no 'dest' option): BIND runs on the router itself,
# so the traffic to accept is addressed to the router, not forwarded through it.
# A rule with 'dest' set only matches forwarded traffic and would not open port 53
# for named.
config rule
    option name             'Allow-DNS-Peers'
    option src              'lan'
    option proto            'tcp udp'
    option dest_port        '53'
    option target           'ACCEPT'

# Zone transfers (TCP) only from the peer. 192.168.1.50 is a placeholder for the
# address of secubox.maegia.tv; if the peer reaches this router over the WAN,
# set src to 'wan' and keep src_ip restricted to the peer's real address.
config rule
    option name             'Allow-Zone-Transfers'
    option src              'lan'
    option src_ip           '192.168.1.50'
    option proto            'tcp'
    option dest_port        '53'
    option target           'ACCEPT'

Step 5: Restart Services

# Restart BIND on both servers
/etc/init.d/named restart

# Restart firewall
/etc/init.d/firewall restart

Configuration Files

Master Server Files

  1. /etc/bind/named.conf.local - Main BIND configuration
  2. /etc/bind/zones/secubox.in.db - Zone file with all DNS records
  3. /etc/config/firewall - Firewall rules

Slave Server Files

  1. /etc/bind/named.conf.local - Slave BIND configuration
  2. /etc/bind/zones/secubox.in.slave - Transferred zone file (auto-created)
  3. /etc/config/firewall - Firewall rules

Zone File Structure

The zone file contains:

  • SOA Record: Start of Authority with serial number
  • NS Records: Name server definitions
  • A Records: IP address mappings
  • MX Records: Mail server definitions
  • CNAME Records: Aliases
  • TXT Records: Text records for verification
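As an added example (not code from the SecuBox repository), the following POSIX shell script renders a master zone file that contains one record of each type listed above, with a YYYYMMDDNN serial, and checks the result without a running BIND. The host names, the 192.0.2.10 address (RFC 5737 documentation range) and the record set are constructed placeholders; the real records go in before the file is deployed.

```shell
#!/bin/sh
# Added example, not part of the SecuBox repository: render a master zone file
# for secubox.in with every record class the guide lists (SOA, NS, A, MX,
# CNAME, TXT) and a YYYYMMDDNN serial. All addresses and host names are
# constructed placeholders; replace them with the real servers before use.

# gen_zone ZONE MASTER_IP SLAVE_HOST SERIAL -> zone file text on stdout
gen_zone() {
    zone=$1; master_ip=$2; slave_host=$3; serial=$4
    cat <<EOF
\$TTL 3600
\$ORIGIN ${zone}.
@       IN  SOA ns1.${zone}. hostmaster.${zone}. (
            ${serial}  ; serial, YYYYMMDDNN, bump on every edit
            3600        ; refresh: the slave re-checks the SOA this often
            900         ; retry after a failed refresh
            1209600     ; expire: slave stops serving after 2 weeks without the master
            300 )       ; negative-caching TTL
; both authoritative servers must be listed, otherwise the slave is never queried
        IN  NS  ns1.${zone}.
        IN  NS  ${slave_host}.
ns1     IN  A   ${master_ip}
@       IN  A   ${master_ip}
www     IN  CNAME ${zone}.
mail    IN  A   ${master_ip}
@       IN  MX  10 mail.${zone}.
; SPF: only the hosts in the A and MX records may send mail for the zone
@       IN  TXT "v=spf1 a mx -all"
EOF
}

# count_records TYPE: read a zone file on stdin and print how many records of
# TYPE it holds (comment lines and $TTL/$ORIGIN directives are ignored)
count_records() {
    awk -v t="$1" '
        $0 !~ /^[[:space:]]*;/ && $0 !~ /^\$/ {
            for (i = 1; i <= NF; i++) if ($i == "IN" && $(i+1) == t) n++
        }
        END { print n + 0 }'
}

# zone_serial: read a zone file on stdin and print the SOA serial, which in
# the layout above is the first field on the line after the SOA line
zone_serial() {
    awk '/[[:space:]]IN[[:space:]]+SOA[[:space:]]/ { getline; print $1; exit }'
}

# Constructed demonstration: render the zone for a master at 192.0.2.10 with
# secubox.maegia.tv as the slave, then summarise what it contains.
zone_text=$(gen_zone secubox.in 192.0.2.10 secubox.maegia.tv 2024020501)
printf '%s\n' "$zone_text"
printf 'NS=%s A=%s serial=%s\n' \
    "$(printf '%s\n' "$zone_text" | count_records NS)" \
    "$(printf '%s\n' "$zone_text" | count_records A)" \
    "$(printf '%s\n' "$zone_text" | zone_serial)"
# Deploy on the master with:
#   gen_zone ... > /etc/bind/zones/secubox.in.db
#   named-checkzone secubox.in /etc/bind/zones/secubox.in.db
```

The SOA timers are the part worth thinking about for replication: refresh decides how stale the slave may get when a NOTIFY is lost, and expire decides how long the slave keeps answering if the master is down, which is the whole point of running secubox.maegia.tv as a secondary.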

Verification and Testing

Basic DNS Tests

# Test DNS resolution from master
dig @localhost secubox.in
dig @localhost www.secubox.in
dig @localhost secubox.in MX

# Test from slave
dig @secubox.maegia.tv secubox.in

# Test zone transfer (only succeeds from an address listed in allow-transfer;
# from any other host the expected answer is "; Transfer failed.")
dig @localhost secubox.in AXFR

Expected Results

  • DNS queries should return correct IP addresses
  • Zone transfer should show all records
  • Slave should have identical records to master
  • Both servers should respond to queries
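The two results above that matter most for replication are that the slave serves the same SOA serial as the master and that nobody outside allow-transfer can pull the zone. As an added example (not code from the SecuBox repository), the following POSIX shell functions parse dig output to check both; the live wrappers need bind-tools, while the sample answers at the bottom are constructed so the parsing can be exercised without a network:

```shell
#!/bin/sh
# Added example, not part of the SecuBox repository: check that the slave is in
# sync with the master and that zone transfers are refused to non-peers.
# Host names, addresses and the sample dig answers below are constructed.

# soa_serial: read a `dig +short ... SOA` answer on stdin and print its serial
# (field 3 of "mname rname serial refresh retry expire minimum")
soa_serial() { awk 'NF >= 7 { print $3; exit }'; }

# compare_serials MASTER SLAVE -> in-sync | slave-behind | slave-ahead | no-answer
# Plain numeric comparison is enough for YYYYMMDDNN serials; RFC 1982 wrap-around
# only matters for serials close to 2^32.
compare_serials() {
    case "$1$2" in *[!0-9]*) echo no-answer; return ;; esac
    if [ -z "$1" ] || [ -z "$2" ]; then echo no-answer
    elif [ "$1" -eq "$2" ]; then echo in-sync
    elif [ "$1" -gt "$2" ]; then echo slave-behind
    else echo slave-ahead
    fi
}

# transfer_refused: read `dig ... AXFR` output on stdin and succeed (exit 0)
# when the server refused the transfer, which is what every host that is not
# a configured peer must see
transfer_refused() { grep -q 'Transfer failed'; }

# check_replication ZONE MASTER SLAVE: live check of the SOA serials (needs dig)
check_replication() {
    m=$(dig +short +time=3 +tries=1 "@$2" "$1" SOA | soa_serial)
    s=$(dig +short +time=3 +tries=1 "@$3" "$1" SOA | soa_serial)
    printf '%s: master=%s slave=%s -> %s\n' "$1" "${m:-none}" "${s:-none}" \
        "$(compare_serials "$m" "$s")"
}

# check_axfr_locked ZONE SERVER: run from a host that is NOT in allow-transfer
check_axfr_locked() {
    if dig +time=3 +tries=1 "@$2" "$1" AXFR | transfer_refused; then
        echo "$2 refuses AXFR for $1 from this host: good"
    else
        echo "$2 served AXFR for $1 to this host: tighten allow-transfer"
    fi
}

# Constructed demonstration (no network): master one revision ahead of the slave
master_answer='ns1.secubox.in. hostmaster.secubox.in. 2024020502 3600 900 1209600 300'
slave_answer='ns1.secubox.in. hostmaster.secubox.in. 2024020501 3600 900 1209600 300'
printf 'sample -> %s\n' "$(compare_serials \
    "$(printf '%s\n' "$master_answer" | soa_serial)" \
    "$(printf '%s\n' "$slave_answer" | soa_serial)")"
# Live use: check_replication secubox.in 192.168.1.100 secubox.maegia.tv
#           check_axfr_locked secubox.in 192.168.1.100
```

A "slave-behind" result that persists past the SOA refresh interval points at the NOTIFY/also-notify path or the TCP 53 firewall rule; "slave-ahead" means someone edited the slave copy or the serial on the master was lowered, both of which the zone-change alerts under Monitoring should catch.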

Monitoring Commands

# Check BIND status
/etc/init.d/named status

# Check DNS logs (/var/log/syslog exists on a full Linux host; OpenWrt keeps
# named's messages in the ring buffer shown by logread instead)
tail -f /var/log/syslog | grep named

# Check zone loading
rndc status

Troubleshooting

Common Issues and Solutions

Issue                 Possible Cause          Solution
--------------------  ----------------------  ----------------------------------------
Zone transfer fails   Firewall blocking       Check firewall rules, allow port 53 TCP
Slave not updating    No NOTIFY sent          Check also-notify configuration
DNS timeout           BIND not running        Check service status, restart BIND
Serial conflicts      Manual edit error       Increment serial number in SOA
Permission denied     Wrong file ownership    chown bind:bind /etc/bind/zones
Zone not loading      Syntax error            Check BIND logs, validate zone file

Debugging Commands

# Test zone file syntax
named-checkzone secubox.in /etc/bind/zones/secubox.in.db

# Test configuration syntax
named-checkconf

# Reload the zone on the master after editing it (BIND then sends NOTIFY to the slave)
rndc reload secubox.in

# Check zone status
rndc status

Security Best Practices

Zone Transfer Security

  1. Restrict allow-transfer: Only allow transfers to trusted peers
  2. Use TSIG: Implement Transaction SIGnatures for secure transfers
  3. IP Restrictions: Use specific IPs instead of broad network ranges

DNS Server Security

  1. Keep Updated: Regularly update BIND software
  2. Chroot: Run BIND in a chroot environment
  3. Minimal Privileges: Run as non-root user
  4. Rate Limiting: Implement query rate limiting

Monitoring

  1. Log Monitoring: Monitor /var/log/syslog for DNS errors
  2. Query Monitoring: Track unusual query patterns
  3. Zone Change Alerts: Monitor for unauthorized changes
  4. Service Monitoring: Ensure DNS service availability

Maintenance

Updating DNS Records

  1. Edit the zone file on the master server
  2. Increment the serial number in SOA record
  3. Reload the zone: rndc reload secubox.in
  4. Verify changes propagated to slave

Serial Number Format

Use YYYYMMDDNN format:

  • YYYY: Year (2024)
  • MM: Month (02)
  • DD: Day (05)
  • NN: Revision number (01)

Example: 2024020501
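Steps 1 and 2 of "Updating DNS Records" and the serial format above are easy to get wrong by hand (a forgotten bump means the slave never transfers the change). As an added example (not code from the SecuBox repository), the following POSIX shell script computes the next YYYYMMDDNN serial and rewrites it in place; it assumes the serial sits on the line after the SOA line, and the sample zone used in the demonstration is constructed:

```shell
#!/bin/sh
# Added example, not part of the SecuBox repository: compute the next
# YYYYMMDDNN serial and rewrite it in the master zone file (steps 1-2 of
# "Updating DNS Records"). The demonstration zone below is constructed.

# next_serial CURRENT [TODAY_YYYYMMDD] -> next serial on stdout
# Same day: increment NN. Later day: today's date with NN=01. CURRENT already
# ahead of today (clock skew, typo): CURRENT+1, so the value still increases
# and the slave still sees a change. More than 99 edits in a day: CURRENT+1.
next_serial() {
    cur=$1
    case $cur in ''|*[!0-9]*) echo "serial must be numeric: '$cur'" >&2; return 1 ;; esac
    today=${2:-$(date -u +%Y%m%d)}
    prefix=$(printf '%s' "$cur" | cut -c1-8)
    if [ "$prefix" = "$today" ]; then
        rev=$(printf '%s' "$cur" | cut -c9-10)
        rev=$(( ${rev#0} + 1 ))          # strip one leading zero: "08" is not octal
        if [ "$rev" -le 99 ]; then
            printf '%s%02d\n' "$today" "$rev"
        else
            printf '%s\n' $(( cur + 1 ))
        fi
    elif [ "$prefix" -lt "$today" ]; then
        printf '%s01\n' "$today"
    else
        printf '%s\n' $(( cur + 1 ))
    fi
}

# bump_soa_serial FILE [TODAY_YYYYMMDD]: replace the SOA serial in FILE with
# next_serial's result (written via a temp file so a crash cannot truncate the
# zone) and print the new serial. Expects the serial on the line after the SOA line.
bump_soa_serial() {
    file=$1
    old=$(awk '/[[:space:]]IN[[:space:]]+SOA[[:space:]]/ { getline; print $1; exit }' "$file")
    case $old in ''|*[!0-9]*) echo "no numeric SOA serial found in $file" >&2; return 1 ;; esac
    new=$(next_serial "$old" ${2:+"$2"}) || return 1
    awk -v o="$old" -v n="$new" '
        /[[:space:]]IN[[:space:]]+SOA[[:space:]]/ { print; getline; sub(o, n); print; next }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    printf '%s\n' "$new"
}

# Constructed demonstration on a throw-away zone file
demo=$(mktemp)
printf '$TTL 3600\n@ IN SOA ns1.secubox.in. hostmaster.secubox.in. (\n    2024020501 ; serial\n    3600 900 1209600 300 )\n' > "$demo"
printf 'new serial: %s\n' "$(bump_soa_serial "$demo" 20240205)"
rm -f "$demo"
# On the master: bump_soa_serial /etc/bind/zones/secubox.in.db && rndc reload secubox.in
```

Step 3 (rndc reload) and step 4 (verify on the slave) stay as above; the script only makes the serial bump mechanical so that step 4 never fails because of a stale serial.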

Backup Strategy

# Backup zone files regularly (create the target directory once, root-only)
mkdir -p /backup/dns
cp /etc/bind/zones/secubox.in.db /backup/dns/secubox.in.db.$(date +%Y%m%d)

# Backup BIND configuration (include the TSIG key file if one is used; it is a secret)
cp /etc/bind/named.conf* /backup/dns/

Integration with SecuBox

DNS Provider Module

The SecuBox DNS Provider module can be used to manage this configuration:

  1. Navigate to: Network → DNS Providers
  2. Add new provider configuration
  3. Select "BIND" as provider type
  4. Enter zone details and server information
  5. Save and apply configuration

Monitoring in SecuBox

Use the System Hub to monitor DNS service status:

  1. System Hub → Services: Check BIND service status
  2. System Hub → Health: Monitor DNS-related metrics
  3. System Hub → Logs: View DNS service logs

Advanced Configuration

TSIG Configuration

For secure zone transfers:

# Generate a TSIG key with tsig-keygen (BIND 9.x; dnssec-keygen no longer creates
# HMAC keys). It prints a complete key clause; copy the same file to both servers.
tsig-keygen -a hmac-sha256 dns-transfer > /etc/bind/tsig-dns-transfer.key
chmod 640 /etc/bind/tsig-dns-transfer.key

# Load the generated key clause in named.conf on both servers
include "/etc/bind/tsig-dns-transfer.key";
# (the file contains: key "dns-transfer" { algorithm hmac-sha256; secret "<base64>"; };)

# Master: sign NOTIFY and transfers to the slave (192.168.1.50 is a placeholder for
# the address of secubox.maegia.tv) and accept transfer requests only when they are
# signed with the key, which replaces the IP ranges in allow-transfer from Step 2.2
server 192.168.1.50 {
    keys { dns-transfer; };
};
# in zone "secubox.in": allow-transfer { key dns-transfer; };

# Slave: sign the SOA queries and transfer requests it sends to the master
server 192.168.1.100 {
    keys { dns-transfer; };
};

DNSSEC Implementation

For signed zones:

# Generate keys in the zone directory (ZSK and KSK)
cd /etc/bind/zones
dnssec-keygen -a RSASHA256 -b 2048 secubox.in
dnssec-keygen -f KSK -a RSASHA256 -b 4096 secubox.in

# Sign the zone: -S picks up the K*.key files in the current directory (no $INCLUDE
# needed), -3 sets an NSEC3 salt, -N increment bumps the serial; output is secubox.in.db.signed
dnssec-signzone -S -A -3 $(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16) -N increment -o secubox.in -t secubox.in.db

Point the zone statement's file at secubox.in.db.signed, reload, and re-sign after every change to the zone; the zone's DS record then has to be published at the registrar. BIND 9.16 and later can automate key generation, signing and rollover with dnssec-policy in the zone statement instead of running these commands by hand.

Conclusion

This setup provides a robust, redundant DNS infrastructure for secubox.in with automatic synchronization between the master server and secubox.maegia.tv peer. The configuration follows DNS best practices and integrates well with the SecuBox ecosystem.

For production use, remember to:

  1. Replace example IP addresses with actual server IPs
  2. Implement proper security measures (TSIG, DNSSEC)
  3. Set up monitoring and alerting
  4. Regularly update and maintain the configuration
  5. Test failover scenarios

Additional Resources