Discussion:
Using RNDC to control remote access to my BIND server
Greg Donohoe
2021-04-22 09:59:40 UTC
Permalink
Hello,
I have created a CI/CD pipeline in order to amend zone files using nsupdate
based on a front end user request. This portion of the pipeline is working
as expected so now I want to be able to connect from my pipeline runner to
my remote BIND staging server and update the zone files on there with my
newly updated zone file.
I initially thought about using ssh from the runner to the remote BIND
server but this may not be the most secure way of connecting.
So my question is: Is it possible to use RNDC to manage my connection from
host to remote server and if so, how can I ensure complete security?

All input greatly appreciated.
Thanks.
Greg.
Jim Popovitch via bind-users
2021-04-22 10:50:17 UTC
Permalink
Post by Greg Donohoe
Hello,
I have created a CI/CD pipeline in order to amend zone files using
nsupdate based on a front end user request. This portion of the
pipeline is working as expected so now I want to be able to connect
from my pipeline runner to my remote BIND staging server and update
the zone files on there with my newly updated zone file.
I initially thought about using ssh from the runner to the remote BIND
server but this may not be the most secure way of connecting.
So my question is: Is it possible to use RNDC to manage my connection
from host to remote server and if so, how can I ensure complete
security?
My suggestion is to install a runner on the staging server and register
that runner in your gitlab/github/git/bitbucket/etc. You'd still have to
setup the trust bits so that the runner docker/js/etc environment can
talk to the staging named.

There's 10,000 ways to do things in CI/CD, the 1 way that doesn't exist
is the only one you will recall in the middle of a weekend while you are
on vacation. :)

-Jim P.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Tony Finch
2021-04-22 19:38:40 UTC
Permalink
Post by Greg Donohoe
I have created a CI/CD pipeline in order to amend zone files using nsupdate
based on a front end user request. This portion of the pipeline is working
as expected so now I want to be able to connect from my pipeline runner to
my remote BIND staging server and update the zone files on there with my
newly updated zone file.
If you want to make the same change on the remote server that you made
locally, can't you use nsupdate again but point it at the remote server?
Or is there something more complicated going on?

Use ddns-keygen to create a TSIG authentication key and add the key to the
allow-update ACL on the remote server.

(You can also add your own TSIG keys to allow remote control with `rndc
-s`, but it sounds to me like rndc is a red herring.)

There's also my `nsdiff` program https://dotat.at/prog/nsdiff/
which can make a zone on a remote server look like a local zone
file using nsupdate.

Tony.
--
f.anthony.n.finch <***@dotat.at> https://dotat.at/
North Utsire, South Utsire: Northerly or northwesterly 4 to 6,
occasionally 7 at first in eastern South Utsire. Rough at first in
eastern South Utsire, otherwise moderate. Showers. Good.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Greg Donohoe
2021-04-23 09:50:53 UTC
Permalink
Thank you for the suggestions. I am looking into those now.
Yes we can run nsupdate again on the remote server but I would still need
to connect to the remote server to do this.
We were thinking of using SSH to the remote server but we want to explore
any other option rather than SSH for the secure connection.
I was thinking that it may be possible to use RNDC or some other tool to
update the remote BIND server zone files (either by modifying the zone file
that is already there or replacing the zone file with the new one I created
locally).
RNDC looks like it is a non starter for what I want but nsdiff may be a
good option.

Rgds,
Greg.
Post by Greg Donohoe
Post by Greg Donohoe
I have created a CI/CD pipeline in order to amend zone files using
nsupdate
Post by Greg Donohoe
based on a front end user request. This portion of the pipeline is
working
Post by Greg Donohoe
as expected so now I want to be able to connect from my pipeline runner
to
Post by Greg Donohoe
my remote BIND staging server and update the zone files on there with my
newly updated zone file.
If you want to make the same change on the remote server that you made
locally, can't you use nsupdate again but point it at the remote server?
Or is there something more complicated going on?
Use ddns-keygen to create a TSIG authentication key and add the key to the
allow-update ACL on the remote server.
(You can also add your own TSIG keys to allow remote control with `rndc
-s`, but it sounds to me like rndc is a red herring.)
There's also my `nsdiff` program https://dotat.at/prog/nsdiff/
which can make a zone on a remote server look like a local zone
file using nsupdate.
Tony.
--
North Utsire, South Utsire: Northerly or northwesterly 4 to 6,
occasionally 7 at first in eastern South Utsire. Rough at first in
eastern South Utsire, otherwise moderate. Showers. Good.
Anand Buddhdev
2021-04-23 10:21:22 UTC
Permalink
Hi Greg,

You don't need to SSH into a remote server to do dynamic DNS updates!
The "nsupdate" tool can send the dynamic DNS updates directly to your
remote server over the DNS protocol.

You appear to be confused about what the various tools do, so here's a
summary:

1. ssh is used to log into a remote server, get a shell, and run
operating system commands.

2. rndc is for controlling a running BIND server. It can be used to
check the status of BIND, reload it, etc.

3. nsupdate is for modifying a zone directly (whether on the local
machine, or some remote machine) using the dynamic DNS protocol.

Having read your message, it seems that you need to use "nsupdate". You
don't need "ssh" or "rndc" for this.

Regards,
Anand
Post by Greg Donohoe
Thank you for the suggestions. I am looking into those now.
Yes we can run nsupdate again on the remote server but I would still need
to connect to the remote server to do this.
We were thinking of using SSH to the remote server but we want to explore
any other option rather than SSH for the secure connection.
I was thinking that it may be possible to use RNDC or some other tool to
update the remote BIND server zone files (either by modifying the zone file
that is already there or replacing the zone file with the new one I created
locally).
RNDC looks like it is a non starter for what I want but nsdiff may be a
good option.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Greg Donohoe
2021-04-23 12:24:47 UTC
Permalink
Thanks for the input Anand.
Yes there is still some confusion on my part as to which option to use to
best fir my current environment.
In regards to the nsupdate, what is the best way to secure the connection,
so to ensure that only my local server can make the amendments to the
remote server named & zone files?
I dont want anyone/anything else other than my local machine to make any
changes on my remote BIND server.

Rgds,
Greg.
Post by Anand Buddhdev
Hi Greg,
You don't need to SSH into a remote server to do dynamic DNS updates!
The "nsupdate" tool can send the dynamic DNS updates directly to your
remote server over the DNS protocol.
You appear to be confused about what the various tools do, so here's a
1. ssh is used to log into a remote server, get a shell, and run
operating system commands.
2. rndc is for controlling a running BIND server. It can be used to
check the status of BIND, reload it, etc.
3. nsupdate is for modifying a zone directly (whether on the local
machine, or some remote machine) using the dynamic DNS protocol.
Having read your message, it seems that you need to use "nsupdate". You
don't need "ssh" or "rndc" for this.
Regards,
Anand
Post by Greg Donohoe
Thank you for the suggestions. I am looking into those now.
Yes we can run nsupdate again on the remote server but I would still need
to connect to the remote server to do this.
We were thinking of using SSH to the remote server but we want to explore
any other option rather than SSH for the secure connection.
I was thinking that it may be possible to use RNDC or some other tool to
update the remote BIND server zone files (either by modifying the zone
file
Post by Greg Donohoe
that is already there or replacing the zone file with the new one I
created
Post by Greg Donohoe
locally).
RNDC looks like it is a non starter for what I want but nsdiff may be a
good option.
Anand Buddhdev
2021-04-23 13:21:41 UTC
Permalink
On 23/04/2021 14:24, Greg Donohoe wrote:

Hi Greg,
Post by Greg Donohoe
In regards to the nsupdate, what is the best way to secure the connection,
so to ensure that only my local server can make the amendments to the
remote server named & zone files?
I dont want anyone/anything else other than my local machine to make any
changes on my remote BIND server.
You should create a TSIG key, and configure the zones on the remote
server to only accept dynamic DNS updates signed by this key. And then
use this key with nsupdate when sending your updates. Check the man page
of nsupdate and look at the '-k' and '-y' options for using tsig keys.

You can additionally also configure your remote BIND to accept updates
only from certain IP addresses. For details on how to configure this,
please read the excellent documentation (especially section 4.2.29 and
the "allow-update" option):

https://bind9.readthedocs.io/en/v9_16/

Regards,
Anand Buddhdev
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Greg Donohoe
2021-04-26 14:04:27 UTC
Permalink
Thanks Anand.
When using this TSIG solution is the key visible (clear) within the DNS
packet being sent to the remote server or is it encrypted?
Is this communication secure? eg if someone is sitting on the wire sniffing
the packets, would they be able to extract the key ?
Or is the security of the communication done through the ACL and the key is
TSIG only used to allow me to make changes to the zone file?
The main reason why I was leaning towards SSH was to try to ensure that all
communication between local & remote was encrypted.

Rgds,
Greg.
Post by Anand Buddhdev
Hi Greg,
Post by Greg Donohoe
In regards to the nsupdate, what is the best way to secure the
connection,
Post by Greg Donohoe
so to ensure that only my local server can make the amendments to the
remote server named & zone files?
I dont want anyone/anything else other than my local machine to make any
changes on my remote BIND server.
You should create a TSIG key, and configure the zones on the remote
server to only accept dynamic DNS updates signed by this key. And then
use this key with nsupdate when sending your updates. Check the man page
of nsupdate and look at the '-k' and '-y' options for using tsig keys.
You can additionally also configure your remote BIND to accept updates
only from certain IP addresses. For details on how to configure this,
please read the excellent documentation (especially section 4.2.29 and
https://bind9.readthedocs.io/en/v9_16/
Regards,
Anand Buddhdev
Anand Buddhdev
2021-04-26 14:32:48 UTC
Permalink
Hi Greg,

a TSIG key is *never* transmitted. A sender uses a TSIG key to generate
a secure hash over the DNS content being sent, and sends the hash along
with the DNS content. A receiver configured with the same key can then
verify that hash. If it can, then it can apply the DNS content.

If someone is sniffing the wire between the client and server, they can
see the DNS content. This usually doesn't matter, because the DNS is
usually public anyway. However, if a man-in-the-middle tries to modify
the packet in any way, then the receiver will detect the change, because
the hash will not verify, and the receiver can reject that packet as
invalid.

DNS was NOT designed to be encrypted, because as I wrote above, it's
usually public data anyway.

If you want to encrypt your dynamic DNS update anyway (even though
there's good reason to do this), then you need to send your update over
an encrypted session of some kind. The DNS protocol itself has recently
been updated to allow for encryption, using DTLS (DNS-over-TLS). But
while DNS resolvers can use this to send queries to suitably configured
servers, I don't think "nsupdate" can use DTLS just yet (someone please
correct me if I'm wrong). So your only alternative is to use another
secure protocol, such as SSH, with port forwarding, to send your dynamic
updates to the server.

BUT AGAIN, there is usually no need for this. Do NOT overcomplicate your
design for no reason.

Regards,
Anand
Post by Greg Donohoe
Thanks Anand.
When using this TSIG solution is the key visible (clear) within the DNS
packet being sent to the remote server or is it encrypted?
Is this communication secure? eg if someone is sitting on the wire sniffing
the packets, would they be able to extract the key ?
Or is the security of the communication done through the ACL and the key is
TSIG only used to allow me to make changes to the zone file?
The main reason why I was leaning towards SSH was to try to ensure that all
communication between local & remote was encrypted.
Rgds,
Greg.
Post by Anand Buddhdev
Hi Greg,
Post by Greg Donohoe
In regards to the nsupdate, what is the best way to secure the
connection,
Post by Greg Donohoe
so to ensure that only my local server can make the amendments to the
remote server named & zone files?
I dont want anyone/anything else other than my local machine to make any
changes on my remote BIND server.
You should create a TSIG key, and configure the zones on the remote
server to only accept dynamic DNS updates signed by this key. And then
use this key with nsupdate when sending your updates. Check the man page
of nsupdate and look at the '-k' and '-y' options for using tsig keys.
You can additionally also configure your remote BIND to accept updates
only from certain IP addresses. For details on how to configure this,
please read the excellent documentation (especially section 4.2.29 and
https://bind9.readthedocs.io/en/v9_16/
Regards,
Anand Buddhdev
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Tony Finch
2021-04-26 15:16:46 UTC
Permalink
Anand Buddhdev <***@ripe.net> wrote:
Anand's advice is good, as usual :-)
The DNS protocol itself has recently been updated to allow for
encryption, using DTLS (DNS-over-TLS).
DTLS usually means "datagram TLS", i.e. TLS-over-UDP (RFC 6347). There's a
spec for DNS-over-DTLS (RFC 8094) but I have not seen much enthusiasm for
deploying it: DTLS combines all the disadvantages of UDP with all the
disadvantages of TLS. (Or worse: DTLS has a more complicated state machine
than normal TLS so there have been a bunch of DTLS-specific
vulnerabilities which makes me very reluctant to deploy it.)

There is a lot more enthusiasm for DNS-over-TLS (aka DoT) and
DNS-over-HTTPS (aka DoH), and maybe in the future DNS-over-QUIC.

But right now, none of these are particularly easy to get working as
transports for UPDATE, and as Anand said, it usually isn't necessary.

I'm looking forward to zone transfers over TLS, because public key
authentication (with client certificates) is a bit easier to deploy
between different organizations than TSIG secret key authentication.
There's not such a clear benefit for UPDATE-over-TLS where I'm sitting,
apart from the neatness of having all authenticated traffic over TLS.

Tony.
--
f.anthony.n.finch <***@dotat.at> https://dotat.at/
Bailey: Northeast 5 to 7. Moderate or rough. Showers at first. Good.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Greg Donohoe
2021-04-27 09:27:12 UTC
Permalink
Thank you for the excellent advise, it is a lot clearer to me now.
I am checking the nsupdate & TSIG man pages for additional knowledge.
Outside of these man pages , are there any other references
(tutorials/videos) that you would recommend?
Particularly around the area of TSIG key generation & management best
practices?

Rgds,
Greg.
Post by Tony Finch
Anand's advice is good, as usual :-)
The DNS protocol itself has recently been updated to allow for
encryption, using DTLS (DNS-over-TLS).
DTLS usually means "datagram TLS", i.e. TLS-over-UDP (RFC 6347). There's a
spec for DNS-over-DTLS (RFC 8094) but I have not seen much enthusiasm for
deploying it: DTLS combines all the disadvantages of UDP with all the
disadvantages of TLS. (Or worse: DTLS has a more complicated state machine
than normal TLS so there have been a bunch of DTLS-specific
vulnerabilities which makes me very reluctant to deploy it.)
There is a lot more enthusiasm for DNS-over-TLS (aka DoT) and
DNS-over-HTTPS (aka DoH), and maybe in the future DNS-over-QUIC.
But right now, none of these are particularly easy to get working as
transports for UPDATE, and as Anand said, it usually isn't necessary.
I'm looking forward to zone transfers over TLS, because public key
authentication (with client certificates) is a bit easier to deploy
between different organizations than TSIG secret key authentication.
There's not such a clear benefit for UPDATE-over-TLS where I'm sitting,
apart from the neatness of having all authenticated traffic over TLS.
Tony.
--
Bailey: Northeast 5 to 7. Moderate or rough. Showers at first. Good.
Anand Buddhdev
2021-04-27 09:40:46 UTC
Permalink
Hi Greg,

Read the "ddns-confgen" man page. And then read all the material here:

https://bind9.readthedocs.io/en/v9_16_13/advanced.html

Regards,
Anand
Post by Greg Donohoe
Thank you for the excellent advise, it is a lot clearer to me now.
I am checking the nsupdate & TSIG man pages for additional knowledge.
Outside of these man pages , are there any other references
(tutorials/videos) that you would recommend?
Particularly around the area of TSIG key generation & management best
practices?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Paul Kosinski via bind-users
2021-04-24 00:10:52 UTC
Permalink
A couple of years ago, I tried using nsupdate to modify a dynamic (DHCP) IP address for my very simple domain. It worked, except that it totally messed up the organization of the zone file. Since the file only has 44 active lines (which are organized logically), I maintain it by hand. After nsupdate made the one line change, the zone file became unmaintainable.

Was this a bug in nsupdate, or does nobody try to understand their zone files.

P.S. Now I use $INCLUDE and just overwrite the included file with the new A record (using a simple bash script via an encrypted connection).



On Fri, 23 Apr 2021 12:21:22 +0200
Post by Anand Buddhdev
Hi Greg,
You don't need to SSH into a remote server to do dynamic DNS updates!
The "nsupdate" tool can send the dynamic DNS updates directly to your
remote server over the DNS protocol.
You appear to be confused about what the various tools do, so here's a
1. ssh is used to log into a remote server, get a shell, and run
operating system commands.
2. rndc is for controlling a running BIND server. It can be used to
check the status of BIND, reload it, etc.
3. nsupdate is for modifying a zone directly (whether on the local
machine, or some remote machine) using the dynamic DNS protocol.
Having read your message, it seems that you need to use "nsupdate". You
don't need "ssh" or "rndc" for this.
Regards,
Anand
Post by Greg Donohoe
Thank you for the suggestions. I am looking into those now.
Yes we can run nsupdate again on the remote server but I would still need
to connect to the remote server to do this.
We were thinking of using SSH to the remote server but we want to explore
any other option rather than SSH for the secure connection.
I was thinking that it may be possible to use RNDC or some other tool to
update the remote BIND server zone files (either by modifying the zone file
that is already there or replacing the zone file with the new one I created
locally).
RNDC looks like it is a non starter for what I want but nsdiff may be a
good option.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Tony Finch
2021-04-25 14:36:36 UTC
Permalink
Post by Paul Kosinski via bind-users
A couple of years ago, I tried using nsupdate to modify a dynamic (DHCP)
IP address for my very simple domain. It worked, except that it totally
messed up the organization of the zone file. Since the file only has 44
active lines (which are organized logically), I maintain it by hand.
After nsupdate made the one line change, the zone file became
unmaintainable.
Was this a bug in nsupdate, or does nobody try to understand their zone files.
When you have a zone that accepts dynamic updates, then its zone file is
owned by `named`, and `named` will rewrite the file to incorporate
updates, which (as you saw) also strips out comments and canonicalized the
formatting. This is often surprising and upsetting to people who are new
to dynamic updates - you are not alone!

Basically, if you are doing dynamic updates, then the source of truth for
your zone needs to be somewhere else, not the zone file used by `named`.
(For example, at my work our zones are stored in a database and edited
with a web front end.)

I have some scripts which allow you to maintain your zone file however you
want, and push any differences into `named` using `nsupdate`, so you never
need to touch the zone files that it owns. https://dotat.at/prog/nsdiff/

Tony.
--
f.anthony.n.finch <***@dotat.at> https://dotat.at/
Lyme Regis to Lands End including the Isles of Scilly: Easterly or
northeasterly 5 to 7, occasionally 4 in east. Moderate or rough. Fair.
Good.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Loading...