DNS server related exercises

In this part you'll define DNS records on a dedicated nameserver, ns1.hdm-stuttgart.cloud. Since this server is part of the global DNS system, the records you create are published worldwide.

Figure 1048. Subdomain per group Slide presentation
  • Dedicated course related DNS server ns1.hdm-stuttgart.cloud.

  • One subdomain per group e.g. g3.sdi.hdm-stuttgart.cloud corresponding to Group 3.

  • Zone edits require a subdomain specific HMAC secret key. It is provided as the file dnsupdate.sec in your personal group entry below the SDI course and looks like this:

    hmac-sha512:g3.key:I5sDDS3L1BU...

    Note

    The per-zone secrets have been created using tsig-keygen. Treat yours like a password: anyone holding the secret can change every record in your zone.

  • Edits become globally visible. Mind the TTL setting: a higher value means you'll have to wait longer until updates become visible, because resolvers keep serving the cached answer until its TTL has expired.


Figure 1049. Key file location Slide presentation

The key file is available in your working group below 113475 Software defined Infrastructure.


Figure 1050. Querying DNS by zone transfer Slide presentation
$ export HMAC=hmac-sha512:g3.key:YXWSeh3l... 
$ dig @ns1.hdm-stuttgart.cloud -y $HMAC -t AXFR g3.sdi.hdm-stuttgart.cloud 
...
g3.sdi.hdm-stuttgart.cloud. 600	IN	SOA	ns1.hdm-stuttgart.cloud. ...
g3.sdi.hdm-stuttgart.cloud. 600	IN	NS	ns1.hdm-stuttgart.cloud.
g3.sdi.hdm-stuttgart.cloud. 600	IN	SOA	ns1.hdm-stuttgart.cloud. ...
g3.key.			0	ANY	TSIG	hmac-sha512. 1746433052 300 64 bak...
...

See AXFR for details. The transfer is signed with the group's TSIG key (note the trailing TSIG record in the output), hence the -y option. Be aware that a secret handed to -y is visible on the command line (process list, shell history), so keep this to exercise use and restrict the permissions of dnsupdate.sec to yourself.


Figure 1051. Creating an »A« record with TTL=10 Slide presentation
$ export HMAC=hmac-sha512:g3.key:YXWSeh3l... 

$ nsupdate -y $HMAC
> server ns1.hdm-stuttgart.cloud
> update add www.g3.sdi.hdm-stuttgart.cloud 10 A 141.62.75.114 
> send
> quit
$ dig +noall +answer @ns1.hdm-stuttgart.cloud www.g3.sdi.hdm-stuttgart.cloud
www.g3.sdi.hdm-stuttgart.cloud. 9 IN  A       141.62.75.114
$ dig  +noall +answer @8.8.8.8  www.g3.sdi.hdm-stuttgart.cloud
www.g3.sdi.hdm-stuttgart.cloud. 3 IN  A       141.62.75.114

Figure 1052. Modify by delete/create Slide presentation
$ nsupdate -y $HMAC
> server ns1.hdm-stuttgart.cloud
> update delete www.g3.sdi.hdm-stuttgart.cloud. 10 IN  A       141.62.75.114
> send
> quit
$ dig  +noall +answer @8.8.8.8  www.g3.sdi.hdm-stuttgart.cloud
$ 

Note

Examples at DNS Updates with nsupdate


Figure 1053. Mind record caching Slide presentation
goik>dig +noall +answer  www.g3.sdi.hdm-stuttgart.cloud
www.g3.sdi.hdm-stuttgart.cloud. 9 IN A	141.62.75.114
  • DNS record caching.

  • The answer comes from the resolver's cache: the 9 is the remaining lifetime of the cached record, so another 9 seconds pass before the cache entry expires and a fresh query reaches the authoritative server.
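The update procedure from the figures above, and the two »A« records the exercise below asks for, as one script. This is an added example, not code from the course page. It assumes dnsupdate.sec contains the single line shown earlier (hmac-sha512:g3.key:<secret>), that zone and server names are the page's (g3 stands in for your gXY), and that nsupdate and dig from BIND are installed. Unlike the slides it feeds the secret to nsupdate inside the batch on stdin rather than via -y, so the key never appears on a command line, and it replaces the old A record and adds the new one in a single transaction.

```shell
#!/bin/sh
# Added example, not code from the course page: publish the two "A" records the
# exercise asks for (www.<zone> and the zone apex) with nsupdate and read them
# back. Assumptions: dnsupdate.sec holds the single line shown on the page,
# "hmac-sha512:g3.key:<secret>"; zone and server names are the page's ("g3"
# stands in for your gXY); nsupdate and dig from BIND are installed.
set -eu

ZONE="${ZONE:-g3.sdi.hdm-stuttgart.cloud}"
SERVER="${SERVER:-ns1.hdm-stuttgart.cloud}"
KEYFILE="${KEYFILE:-./dnsupdate.sec}"
TTL="${TTL:-10}"   # short while experimenting, raise it once the records are stable

# Split "hmac-sha512:g3.key:<secret>" into "<algorithm> <keyname> <secret>".
# Fails on a missing field or an algorithm other than the SHA-2 HMACs.
parse_keyspec() {
  spec=$1
  alg=${spec%%:*}; rest=${spec#*:}
  name=${rest%%:*}; secret=${rest#*:}
  case "$alg" in
    hmac-sha256|hmac-sha384|hmac-sha512) ;;
    *) echo "unsupported or missing TSIG algorithm in key spec" >&2; return 1 ;;
  esac
  if [ -z "$name" ] || [ -z "$secret" ] || [ "$secret" = "$rest" ]; then
    echo "key spec must look like algorithm:keyname:secret" >&2; return 1
  fi
  printf '%s %s %s\n' "$alg" "$name" "$secret"
}

# Accept only a dotted quad of four decimal octets in 0..255.
valid_ipv4() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Refuse a key file that other users on the machine could read.
check_keyfile() {
  [ -f "$KEYFILE" ] || { echo "missing key file $KEYFILE" >&2; return 1; }
  case "$(ls -ld "$KEYFILE" | cut -c1-10)" in
    ????r?????|???????r??)
      echo "$KEYFILE is group- or world-readable; run: chmod 600 $KEYFILE" >&2; return 1 ;;
  esac
}

# Emit the nsupdate batch for one name. The secret travels inside the batch
# (the "key" statement, read by nsupdate from stdin) rather than via -y, so it
# never appears in the process list or the shell history. Deleting the old A
# records and adding the new one before a single "send" makes the change one
# atomic update instead of the two separate rounds shown in the slides.
build_batch() {  # $1=name $2=ipv4 $3=ttl $4=algorithm $5=keyname $6=secret
  printf 'server %s\n' "$SERVER"
  printf 'key %s:%s %s\n' "$4" "$5" "$6"
  printf 'zone %s\n' "$ZONE"
  printf 'update delete %s. A\n' "$1"
  printf 'update add %s. %s A %s\n' "$1" "$3" "$2"
  printf 'send\n'
}

# Push one record and read it back from the authoritative server. Public
# resolvers such as 8.8.8.8 follow once their cached copies have aged past the TTL.
apply_record() {  # $1=name $2=ipv4
  valid_ipv4 "$2" || { echo "not an IPv4 address: $2" >&2; return 1; }
  parse_keyspec "$(cat "$KEYFILE")" | {
    read -r alg keyname secret || exit 1
    build_batch "$1" "$2" "$TTL" "$alg" "$keyname" "$secret" | nsupdate
  }
  echo "$1 -> $(dig +short "@$SERVER" "$1" A)"
}

case "${1:-}" in
  apply)
    check_keyfile
    apply_record "www.$ZONE" "$2"
    apply_record "$ZONE" "$2"
    ;;
  *) echo "usage: $0 apply <ipv4-of-your-server>" >&2 ;;
esac
```

Run it as ./dnsupdate.sh apply 141.62.75.114 from the directory holding dnsupdate.sec (chmod 600 first). Both names end up in the same zone, so the apex record gXY.sdi.hdm-stuttgart.cloud is simply the zone name itself without a www prefix.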


exercise No. 18

Enhancing your web server.

Q:

Enhance your web server from Improve your server's security! by:

  1. Provide a DNS »A« record, e.g. for www.gXY.sdi.hdm-stuttgart.cloud (serving http://www.gXY.sdi.hdm-stuttgart.cloud), pointing to your server's IP address.

  2. Provide another DNS »A« record for the zone apex gXY.sdi.hdm-stuttgart.cloud (serving http://gXY.sdi.hdm-stuttgart.cloud), pointing to the very same IP address.

  3. Follow How To Secure Nginx with Let's Encrypt on Debian 11 and configure TLS so that your server can be reached as both https://www.gXY.sdi.hdm-stuttgart.cloud and https://gXY.sdi.hdm-stuttgart.cloud:

    • Omit the firewall related steps: you already have a Hetzner firewall rule set in place. Do check that it admits inbound TCP on ports 80 and 443, since Let's Encrypt's HTTP-01 validation connects to port 80.

    • Avoid becoming a Let's Encrypt rate-limit victim. The staging environment is far more lenient: it allows e.g. 60 failed validations per hour, where production allows only 5.

      The certbot options --staging and --test-cert are synonyms: either one switches certbot from its default, the production endpoint https://acme-v02.api.letsencrypt.org/directory, to the staging endpoint https://acme-staging-v02.api.letsencrypt.org/directory.

      After successfully creating, installing and testing your staging certificate (browsers will warn about it, since the staging CA is deliberately not trusted), re-run certbot without the --staging option to obtain a valid production certificate.
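The staging-then-production workflow from step 3 as a script, with a check of which CA the live server actually presents before moving on. This is an added example, not code from the course page or the linked tutorial. It assumes certbot with its nginx plugin is installed as in the tutorial, nginx already answers for both names on port 80, g3 stands in for your gXY, and the EMAIL value is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the course page or the linked tutorial: obtain
# the certificate for both names from the Let's Encrypt staging CA first, check
# which CA the running server actually presents, and only then repeat against
# production. Assumptions: certbot with its nginx plugin is installed as in the
# tutorial, nginx already answers for both names on port 80 (HTTP-01
# validation), "g3" stands in for your gXY, and EMAIL is a placeholder.
set -eu

ZONE="${ZONE:-g3.sdi.hdm-stuttgart.cloud}"
EMAIL="${EMAIL:-admin@example.org}"

# Print the certbot argument list for one environment, one argument per line.
# --staging and --test-cert are synonyms for the staging directory, so one
# suffices; production is certbot's default, and --force-renewal makes the
# production run replace the staging lineage certbot already keeps on disk
# instead of reporting that the existing certificate is not yet due for renewal.
certbot_args() {  # $1 = staging | production
  env=$1
  set -- --nginx --non-interactive --agree-tos -m "$EMAIL" \
         -d "www.$ZONE" -d "$ZONE"
  if [ "$env" = staging ]; then set -- "$@" --staging; else set -- "$@" --force-renewal; fi
  printf '%s\n' "$@"
}

# Fetch the certificate the live server presents for a name (SNI set, since
# nginx serves several names) and print its issuer line; fail if none is returned.
issuer_of() {  # $1 = hostname
  line=$(printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -issuer 2>/dev/null) || true
  [ -n "$line" ] || { echo "could not fetch a certificate from $1:443" >&2; return 1; }
  printf '%s\n' "$line"
}

# Staging certificates come from an issuer whose name carries "(STAGING)"
# and are trusted by no browser; anything else is treated as production.
classify_issuer() {  # $1 = issuer line as printed by openssl
  case "$1" in
    *"(STAGING)"*) echo staging ;;
    *)             echo production ;;
  esac
}

# Run certbot for the given environment, then verify that every name really
# serves a certificate from that environment before you move on.
issue() {  # $1 = staging | production
  certbot_args "$1" | xargs certbot   # no argument contains whitespace or quotes
  for host in "www.$ZONE" "$ZONE"; do
    issuer=$(issuer_of "$host")
    got=$(classify_issuer "$issuer")
    if [ "$got" != "$1" ]; then
      echo "$host presents a $got certificate, expected $1 ($issuer)" >&2; return 1
    fi
    echo "$host: $got certificate in place"
  done
}

case "${1:-}" in
  staging|production) issue "$1" ;;
  *) echo "usage: $0 staging|production   (run staging first, production once it works)" >&2 ;;
esac
```

Run ./certbot-both.sh staging until it reports both names with a staging certificate in place, then ./certbot-both.sh production exactly once; every failed production attempt counts against the limit of 5 per hour mentioned above.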