Difference between revisions of "DNS"

From CSCWiki
Jump to navigation Jump to search
 
(15 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
== IST DNS ==
 
== IST DNS ==
  
The University of Waterloo's DNS is managed through [http://maintain.uwaterloo.ca Maintain].
+
The University of Waterloo's DNS is managed through [https://nsbuild.uwaterloo.ca Infoblox].
  
People who have access to Maintain:
+
People who have access to Infoblox:
* mspang
+
 
 +
* ztseguin
 +
* jxpryde
 +
* mtrberzi
 +
* API account located in the standard syscom place
  
 
== CSC DNS ==
 
== CSC DNS ==
  
[http://www.isc.org/software/bind BIND9] is running on [[Machine_List#caffeine|caffeine]] (master) and [[Machine_List#taurine|taurine]] (slave). We do not currently have ns1.csclub.uwaterloo.ca or similar hostnames, so refer to them by either these names or their IP addresses (129.97.134.17 and 129.97.134.34, respectively).
+
CSC hosts some authoritative dns services on ext-dns1.csclub.uwaterloo.ca (129.97.134.4/2620:101:f000:4901:c5c::4) and ext-dns2.csclub.uwaterloo.ca (129.97.18.20/2620:101:f000:7300:c5c::20).
  
At present, we do not host any subzones of uwaterloo.ca (IST's nameservers continue to be used for csclub.uwaterloo.ca etc.). If we wanted to do this, we would have to ask IST.
+
Current authoritative domains:
  
As with Apache vhosts, zone changes must be made by syscom. The following instructions assume that caffeine will be the primary (master) DNS server. If this is not the case, adjust the configuration directives as appropriate.
+
* csclub.cloud
 +
* uwaterloo.club
 +
* csclub.uwaterloo.ca: A script (/opt/bindify/update-dns on dns1) runs every 10 minutes to populate this zone from the Infoblox records.
 +
* Any zone added to Designate DNS service on CSC Cloud
  
To create a new zone, an entry should be added in <tt>/etc/bind/named.conf.local</tt> on caffeine:
 
  
// Calum's site (ctdalek)
 
zone "ctdalek.net" {
 
      type master;
 
      file "/etc/bind/zones/ctdalek.net";
 
};
 
  
A brief comment including the username of the member to whom the zone belongs would be appreciated. Additional configuration directives could be added, but sensible defaults are used. If the settings for zone transfers are changed, taurine must be among the allowed hosts so that it can mirror caffeine correctly. Create a corresponding entry in taurine's <tt>named.conf.local</tt> file.
+
Those DNS servers are also recursive for machines located on the University network.
  
// Calum's site (ctdalek)
+
=== Infoblox ===
zone "ctdalek.net" {
 
      type slave;
 
      file "/etc/bind/zones/ctdalek.net";
 
      masters { 129.97.134.17; };
 
};
 
  
Make sure that caffeine's IP is specified as the master. Finally, create the actual zone on caffeine (e.g. <tt>/etc/bind/zones/ctdalek.net</tt>). For example:
+
The main DNS zone for the club (csclub.uwaterloo.ca) is managed using the University's Infoblox system.
  
$TTL 1h
+
To add a new record:
@ IN SOA caffeine.csclub.uwaterloo.ca. ctdalek.csclub.uwaterloo.ca. (
 
        1      ; Serial
 
        24h    ; Refresh
 
        30m    ; Retry
 
        30d    ; Expire
 
        1h      ; Minimum
 
)
 
 
@      IN      NS      caffeine.csclub.uwaterloo.ca.
 
@      IN      NS      taurine.csclub.uwaterloo.ca.
 
 
@      IN      A      129.97.134.17
 
@      IN      MX      10 aspmx.l.google.com.
 
mail    IN      CNAME  ghs.google.com.
 
  
A few things to note here. caffeine should be specified as the primary nameserver in the SOA record, and the member's csclub email address (with @ replaced by .) should be used as the contact. The serial can be any unsigned 32-bit integer, but it must increase when the zone is updated. The two most common conventions are to simply count upwards, or to use the current date (in yyyymmdd format). We can have a long refresh time because caffeine will notify taurine when the zone has changed (long before the refresh timeout). Finally, the nameservers should include caffeine and taurine at a minimum.
+
# Visit [https://nsbuild.uwaterloo.ca Infoblox]
 +
# Locate the desired network
 +
# Find a free IP address (ping and reverse DNS it to make sure it's unused)
 +
# Click add host (+)
 +
# Set the zone to csclub.uwaterloo.ca
 +
# Set the name
 +
# Add the IPv4 address, if it is not set
 +
# Add the IPv6 address, typically in the format of (2620:101:f000:$SUBNET:c5c::$LAST_OCTET_OF_V4_ADDRESS)
 +
# Click "Next"
 +
# Set Pol8 Classification to "Public"
 +
# Set Primary OU to "CS"
 +
# Set Technical Contact to "syscom@csclub.uwaterloo.ca"
 +
# Click "Save & Close"
  
To have BIND9 reload all configuration, run <tt>sudo rndc reload</tt> on caffeine (and on taurine, if you've modified configuration there).
+
The CSC DNS servers will update within 10 minutes with the new information.
  
If you've modified a zone, run <tt>sudo rndc reload ctdalek.net</tt> (or whatever the zone is). This does not shutdown the DNS server, so this helps minimize service interruptions. Finally, reloading the zone on caffeine causes it to automatically notify taurine to initiate a zone transfer. As a result, modifying a zone on caffeine does not require any action to be taken on taurine.
+
=== Updating records ===
 +
If you manually update a record in the dns1 container (somewhere in /etc/bind), make sure you also update the serial number for the SOA record for the corresponding zone. Then, run <code>rndc reload</code>.
  
 
== Miscellaneous ==
 
== Miscellaneous ==
Line 63: Line 58:
 
=== SSHFP ===
 
=== SSHFP ===
  
We should look into [http://tools.ietf.org/html/rfc4255 SSHFP] records. Apparently OpenSSH supports these.
+
We could look into [http://tools.ietf.org/html/rfc4255 SSHFP] records. Apparently OpenSSH supports these. (Discussion moved to [[Talk:DNS]].)
  
 
[[Category:Systems]]
 
[[Category:Systems]]

Latest revision as of 15:01, 14 May 2021

IST DNS

The University of Waterloo's DNS is managed through Infoblox.

People who have access to Infoblox:

  • ztseguin
  • jxpryde
  • mtrberzi
  • API account located in the standard syscom place

CSC DNS

CSC hosts some authoritative dns services on ext-dns1.csclub.uwaterloo.ca (129.97.134.4/2620:101:f000:4901:c5c::4) and ext-dns2.csclub.uwaterloo.ca (129.97.18.20/2620:101:f000:7300:c5c::20).

Current authoritative domains:

  • csclub.cloud
  • uwaterloo.club
  • csclub.uwaterloo.ca: A script (/opt/bindify/update-dns on dns1) runs every 10 minutes to populate this zone from the Infoblox records.
  • Any zone added to Designate DNS service on CSC Cloud


Those DNS servers are also recursive for machines located on the University network.

Infoblox

The main DNS zone for the club (csclub.uwaterloo.ca) is managed using the University's Infoblox system.

To add a new record:

  1. Visit Infoblox
  2. Locate the desired network
  3. Find a free IP address (ping and reverse DNS it to make sure it's unused)
  4. Click add host (+)
  5. Set the zone to csclub.uwaterloo.ca
  6. Set the name
  7. Add the IPv4 address, if it is not set
  8. Add the IPv6 address, typically in the format of (2620:101:f000:$SUBNET:c5c::$LAST_OCTET_OF_V4_ADDRESS)
  9. Click "Next"
  10. Set Pol8 Classification to "Public"
  11. Set Primary OU to "CS"
  12. Set Technical Contact to "syscom@csclub.uwaterloo.ca"
  13. Click "Save & Close"

The CSC DNS servers will update within 10 minutes with the new information.

Updating records

If you manually update a record in the dns1 container (somewhere in /etc/bind), make sure you also update the serial number for the SOA record for the corresponding zone. Then, run rndc reload.

Miscellaneous

LOC Records

If we really cared, we might add a LOC record for csclub.uwaterloo.ca.

SSHFP

We could look into SSHFP records. Apparently OpenSSH supports these. (Discussion moved to Talk:DNS.)