Exercises related DNS server

In this part you'll transfer your current DNS configuration to a dedicated nameserver ns1.hdm-stuttgart.cloud. This one being connected to the global DNS system allows for publishing your records worldwide.

Figure 1035. Subdomain per group Slide presentation
  • Dedicated course related DNS server ns1.hdm-stuttgart.cloud.

  • One subdomain per group e.g. g3.sdi.hdm-stuttgart.cloud corresponding to Group 3.

  • Zone edits require a subdomain specific hmac secret key being provided as dnsupdate.sec file in your personal group entry below the SDI course:

    hmac-sha512:g3.key:I5sDDS3L1BU...

    Note

    The per zone secrets are being created using tsig-keygen.

  • Edits become globally visible. Mind the TTL setting: A higher value means you'll have to wait longer until updates become visible.


Figure 1036. Key file location Slide presentation

Key file available in your working group below 113475 Software defined Infrastructure.


Figure 1037. Querying DNS by zone transfer Slide presentation
$ export HMAC=hmac-sha512:g3.key:YXWSeh3l... 
$ dig @ns1.hdm-stuttgart.cloud -y $HMAC -t AXFR g3.sdi.hdm-stuttgart.cloud 
...
g3.sdi.hdm-stuttgart.cloud. 600	IN	SOA	ns1.hdm-stuttgart.cloud. ...
g3.sdi.hdm-stuttgart.cloud. 600	IN	NS	ns1.hdm-stuttgart.cloud.
g3.sdi.hdm-stuttgart.cloud. 600	IN	SOA	ns1.hdm-stuttgart.cloud. ...
g3.key.			0	ANY	TSIG	hmac-sha512. 1746433052 300 64 bak...
...

See AXFR for details.


Figure 1038. Creating an A record Slide presentation
export HMAC=hmac-sha512:g3.key:YXWSeh3l... 

$ nsupdate -y $HMAC
> server ns1.hdm-stuttgart.cloud
> update add www.g3.sdi.hdm-stuttgart.cloud 10 A 141.62.75.114 
> send
> quit
$ dig +noall +answer @ns1.hdm-stuttgart.cloud www.g3.sdi.hdm-stuttgart.cloud
www.g3.sdi.hdm-stuttgart.cloud. 10 IN  A       141.62.75.114
$ dig  +noall +answer @8.8.8.8  www.g3.sdi.hdm-stuttgart.cloud
www.g3.sdi.hdm-stuttgart.cloud. 10 IN  A       141.62.75.114

Figure 1039. Modify by delete/create Slide presentation
$ nsupdate -y $HMAC
> server ns1.hdm-stuttgart.cloud
> update delete www.g3.sdi.hdm-stuttgart.cloud. 10 IN  A       141.62.75.114
> send
> quit
>
$ dig  +noall +answer @8.8.8.8  www.g3.sdi.hdm-stuttgart.cloud
$ 

Note

Examples at DNS Updates with nsupdate


Due to caching it'll however take up to your SOA or record specific settings for this deletion to be reflected globally. The subsequent query result indicates another 7069 seconds to go before issuing the next update:

goik>dig +noall +answer  vm2.g03.sdi.hdm-stuttgart.cloud
vm2.g03.sdi.hdm-stuttgart.cloud. 7069 IN A	141.62.75.114

exercise No. 17

Enhancing your web server.

Q:

Enhance your web server from Improve your server's security! by:

  1. Providing a proper DNS name e.g. http://www.gXY.sdi.hdm-stuttgart.cloud.

  2. Configuring TLS allowing for e.g. https://www.gXY.sdi.hdm-stuttgart.cloud.

    Caution

    Avoid becoming a Letsencrypt rate limit victim. Letsencrypt's staging environment is far more lenient with respect to e.g. a failed validation limit of 60 per hour versus 5.

    After successfully creating and installing a Letsencrypt staging certificate you should then be able to create your »real« certificate without further problems.