Changes and bind setup

Since chasalin and I are winding down our company (Sonad), I have had to make a lot of changes to my hosting and domain names.

Luckily I could keep my VPS, rented via Sonad but hosted by TransIP; this was a simple change of the person renting it, so I didn't have to move my website to a new location. I did, however, have to set up my own mail server, backup mail server and DNS servers. Of course this also meant I had to set up DKIM, DMARC, backups, DNSSEC, etc. At the same time I also had to set up Rhuagh (my private server at home) again, because the RAID array died and I needed new disks and a new case for Rhuagh. I am planning to write a few blogs about how I created my setup.

First off, I upgraded all my servers (both VPS servers and Rhuagh) to Ubuntu 22.04 LTS, since they were a mix of Ubuntu 16 and 18. After this I slowly started moving several services from Sonad to my own systems, starting with the mail servers. I hope to find time to write about each individual setup in the coming weeks.

So first I moved my primary mail server and kept Sonad as backup MX. After this I set up several DNS servers: a master which is not public, and two slaves which are publicly accessible. The master is also the DNS server for my internal network, and I managed to add a Pi-hole-like blacklist to this DNS server.

For the Pi-hole-like setup I used this guide, although I didn't use the Python script; I wrote my own bash script for this.

#!/bin/bash

### Settings
zonefile="/var/lib/bind/db.blacklist"
serial="$(date +%Y%m%d)00"
sourcehosts="https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
tmpzonefile="${zonefile}.tmp.$$"
zonename="rpz-adblock"
nameserver="your.local.dns.server"
nameservermail="mailaddress.for.soa"   # Replace @ with .

### Create header (overwrite: the temp file must start from scratch)
echo "\$TTL 2w
@       IN SOA  ${nameserver}. ${nameservermail}. (
            ${serial}   ; serial
            3600        ; refresh
            1800        ; retry
            604800      ; expiry
            86400       ; minimum
        )

        IN NS ${nameserver}.

" > "${tmpzonefile}"

### Add hosts to zone
# Keep only the "0.0.0.0 <host>" lines (skipping the "0.0.0.0 0.0.0.0"
# placeholder and comment lines) and take the hostname field. In an RPZ zone
# "CNAME ." for a name and its subdomains makes bind answer NXDOMAIN.
count=0
for host in $(curl -fsS "${sourcehosts}" | grep -v "0.0.0.0 0.0.0.0" | grep "0.0.0.0" | grep -v "^#" | cut -d " " -f 2); do
    echo "${host} CNAME ." >> "${tmpzonefile}"
    echo "*.${host} CNAME ." >> "${tmpzonefile}"
    count=$((count + 1))
done

### Keep the old zone if the download failed or came back empty,
### otherwise a failed curl would replace the blacklist with an empty zone
if [ "${count}" -eq 0 ]; then
    echo "No hosts fetched from ${sourcehosts}, keeping current zone" >&2
    rm -f "${tmpzonefile}"
    exit 1
fi

### Swap zone with old one
chown bind:bind "${tmpzonefile}"
chmod 644 "${tmpzonefile}"
mv "${tmpzonefile}" "${zonefile}"

### Reload zone in bind and exit with the exit code of the reload
/usr/sbin/rndc reload "${zonename}"
exit $?

Feel free to use my script; replace the variables according to your setup.
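As an added example (my own code, not the script from the post above), here is the hosts-file-to-RPZ transformation from that script as a stand-alone shell function that also validates every hostname before it is written. The upstream list is third-party data that ends up verbatim in a zone file, so a mistyped or malformed entry there should be rejected rather than break the zone or get interpreted by bind as something other than a hostname. It also handles tab-separated lines, trailing comments, mixed case and duplicates, which the grep/cut pipeline does not. The sample input is constructed and the function names are mine.

```shell
#!/bin/sh
# Added example: convert hosts-file lines ("0.0.0.0 <host>") into RPZ records
# with hostname validation. Not the blog author's code; sample data is constructed.

# hosts_to_rpz: read hosts-file lines on stdin, write RPZ records on stdout.
# Accepted: "0.0.0.0 <host>" separated by spaces or tabs, optional "# comment".
# Rejected (with a note on stderr for bad names): comment lines, other addresses,
# the "0.0.0.0 0.0.0.0" placeholder, duplicates, and any token that is not a
# plain hostname (labels of letters, digits and '-', joined by dots).
hosts_to_rpz() {
    awk '
        /^[[:space:]]*#/ { next }                 # whole-line comment
        { sub(/#.*$/, "") }                       # strip trailing comment, re-splits fields
        $1 != "0.0.0.0" { next }                  # only sinkhole entries
        NF < 2 { next }                           # address without a name
        {
            host = tolower($2)
            if (host == "0.0.0.0") next           # placeholder line in the list
            if (host !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/) {
                printf "rejected: %s\n", $2 > "/dev/stderr"
                next
            }
            if (host in seen) next                # duplicate entry
            seen[host] = 1
            # name and all its subdomains map to NXDOMAIN in an RPZ zone
            printf "%s CNAME .\n*.%s CNAME .\n", host, host
        }
    '
}

# Constructed sample input covering the cases above (not a real blocklist).
SAMPLE_HOSTS="$(printf '%s\n' \
    '# Title: example blocklist (constructed sample)' \
    '127.0.0.1 localhost' \
    '0.0.0.0 0.0.0.0' \
    '0.0.0.0 ads.example.net' \
    "$(printf '0.0.0.0\tTracker.Example.org  # tab-separated, mixed case')" \
    '0.0.0.0 ads.example.net  # duplicate of the line above' \
    '0.0.0.0 -leading-hyphen.example' \
    '0.0.0.0 under_score.example')"

# rpz_records: the RPZ records generated for the sample (stdout only).
rpz_records() {
    printf '%s\n' "$SAMPLE_HOSTS" | hosts_to_rpz
}

# rpz_record_count: how many records the sample produces (2 names -> 4 records).
rpz_record_count() {
    rpz_records 2>/dev/null | wc -l | tr -d ' '
}

# Run stand-alone: print the records, rejected names go to stderr.
rpz_records
```

To use it in the script above, replace the grep/cut pipeline with `curl -fsS "${sourcehosts}" | hosts_to_rpz >> "${tmpzonefile}"`. The other check worth adding before the `mv` is `named-checkzone "${zonename}" "${tmpzonefile}"` (from bind9-utils), so a zone that does not parse never replaces the one bind is currently serving.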

After this I set up my internal DNS server as a master for my public domains. I then set up two slave servers on my two VPS servers and set these as primary and secondary DNS servers in my domain info, so people will use these instead of my home server. Since I've done this quite often before I didn't need any help with this, but I think this is a nice guide for people who want to set this up for the first time.
I have also added some extra logging options in bind; for this you can use this page as a reference.

I also set up bind with DNSSEC and auto signing. There are a lot of different tutorials for this, which makes it kind of confusing; after a lot of trial and error I noticed that with the latest version of bind all you actually have to do is add the following to your options:

dnssec-validation auto;

And this to your zone definitions:

auto-dnssec maintain;

Bind will generate the keys (in /var/cache/bind) and take care of the signing.

Note: I use the default bind install from Ubuntu 22.04 for this. I think there will not be a lot of difference with other distros, but there will be differences with older versions of bind.

This is basically my bind setup; I will go into this in more detail in following blogs when I write about other parts of my network.