hi list,
I have a small home domain (linuxlighthouse.com) running on Fedora 32. I am trying to set up network services for DNS & HTTPS.
I have only the one server that I'm trying to provide all these services from, a single host using a static IP from AT&T. I have a cascaded router config connecting my external IP, 108.220.213.121, to its internal 10.0.0.101.
I have tried at length to get BIND 9 to support a proper split horizon configuration without success.
I came across two very informative articles about systemd-resolved and its future implementation on F33 as the standard routing/resolution for DNS.
The second article added focus on systemd-resolved split DNS and VPN configuration.
This was looking like a good solution until I got down to the end of the second article where it said, if I understand this correctly, that systemd-resolved is not appropriate for the primary DNS server of a domain,
that in fact you need a DNS domain server to use BIND instead.
So I am confused about how to jam all these related services onto a single host??
My question to this group is, at this point in time, where is the best place for me to post queries on this setup?
A future goal is to use a WireGuard VPN once the above issues are resolved.
Suggestions? Should queries be sent to this mailing list or is there a more appropriate list?
Thank you in advance for your consideration. Thx, jackc...
On 08.04.2021 at 22:37, Jack Craig jack.craig.aptos@gmail.com wrote:
This was looking like a good solution until I got down to the end of the second article where it said, if I understand this correctly, that systemd-resolved is not appropriate for the primary DNS server of a domain.
Indeed, systemd-resolved is a name resolver, as the name suggests, and it queries a DNS server to get the needed information. It is not a DNS server at all.
So I am confused about how to jam all these related services onto a single host??
BIND may be overkill for your home network. Usually you would activate the NetworkManager dnsmasq plugin on your server. It is its task to resolve the addresses of your local network(s) and delegate anything else to your provider's DNS. It is quite easy to set up.
My question to this group is, at this point in time, where is the best place for me to post queries on this setup?
If you use Fedora Server, there is a server list (server@lists.fedoraproject.org). But this list should be fine as well.
Peter
Hi Peter,
Thanks very much for your time & expertise.
Very much appreciated, jackc...
users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On Thu, 2021-04-08 at 13:37 -0700, Jack Craig wrote:
I have tried at length to get BIND 9 to support a proper split horizon configuration without success.
I remember going through that with you last year. It definitely works, as I did it on my system as I went through it with you.
Do you have something unusual about your system? Is it running in a virtual machine, or is it an ordinary installation? Are you going through a VPN?
Does your machine really need to resolve outside addresses? For me, my local DNS just resolves all my domain names to internal IPs, and my domain name is resolved for the rest of the world by other DNS servers (in the usual way).
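Tim's point that split horizon "definitely works" in BIND 9 is usually a matter of views. The script below is an added example, not something posted in this thread: it writes a minimal two-view configuration for the layout Jack describes (one host, 10.0.0.101 on the LAN, the router forwarding the public 108.220.213.121 to it) into a scratch directory and syntax-checks it with BIND's own tools when they are installed. The zone name linuxlighthouse.com and the host names ns1 and www are illustrative assumptions. Two practitioner caveats: once a single view exists, BIND requires every zone, including Fedora's default root hints and rfc1912 zones in /etc/named.conf, to live inside a view; and the external view only belongs on this host if it really is the public primary, which also means TCP/UDP 53 forwarded by the router and opened in firewalld. If the registrar serves the public records, keep only the internal view.

```shell
#!/bin/sh
# Added example (not from the thread): minimal BIND 9 split-horizon config.
# Zone name and host names are assumptions; addresses are the ones from the
# thread. Files go into the directory given as $1 for review before anything
# is dropped into /etc/named.conf.

write_split_horizon_config() {
    dir="$1"
    mkdir -p "$dir"

    # Fragment to `include` from /etc/named.conf. Once any view exists, BIND
    # insists that every zone (root hints, localhost, rfc1912) is inside a
    # view, so Fedora's top-level zone statements must move in as well.
    cat > "$dir/named.views.conf" <<'EOF'
acl "lan" { 10.0.0.0/24; localhost; };

// LAN clients and the server itself: private addresses, recursion allowed.
view "internal" {
    match-clients { lan; };
    recursion yes;
    allow-recursion { lan; };
    zone "linuxlighthouse.com" {
        type master;
        file "db.linuxlighthouse.com.internal";
    };
};

// Everyone else: public addresses only. No recursion, so the host cannot be
// abused as an open resolver; zone transfers only to the ISP secondary.
view "external" {
    match-clients { any; };
    recursion no;
    allow-transfer { none; };   // replace "none" with the ISP secondary's address
    zone "linuxlighthouse.com" {
        type master;
        file "db.linuxlighthouse.com.external";
    };
};
EOF

    # Both zone files carry the same names; only the addresses differ.
    soa='@   IN SOA ns1.linuxlighthouse.com. hostmaster.linuxlighthouse.com. (
        2021041001 ; serial, bump on every change
        7200       ; refresh
        3600       ; retry
        1209600    ; expire
        3600 )     ; negative-answer TTL
    IN NS  ns1.linuxlighthouse.com.'

    printf '$TTL 3600\n%s\nns1 IN A 10.0.0.101\nwww IN A 10.0.0.101\n' "$soa" \
        > "$dir/db.linuxlighthouse.com.internal"
    printf '$TTL 3600\n%s\nns1 IN A 108.220.213.121\nwww IN A 108.220.213.121\n' "$soa" \
        > "$dir/db.linuxlighthouse.com.external"

    # Syntax-check when the bind package is installed; skipped otherwise.
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.views.conf"
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        for f in "$dir"/db.linuxlighthouse.com.*; do
            named-checkzone linuxlighthouse.com "$f"
        done
    fi
}

# Usage: sh split-horizon.sh /tmp/bind-test
if [ -n "${1:-}" ]; then
    write_split_horizon_config "$1"
fi
```

After copying the files into /var/named and adding the include, `named-checkconf -z /etc/named.conf` loads every zone in every view, which is the quickest way to catch the "all zones must be in views" error before restarting named.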
On Sat, Apr 10, 2021 at 1:20 AM Tim via users users@lists.fedoraproject.org wrote:
On Thu, 2021-04-08 at 13:37 -0700, Jack Craig wrote:
I have tried at length to get BIND 9 to support a proper split horizon configuration without success.
I remember going through that with you last year. It definitely works, as I did it on my system as I went through it with you.
Yes Tim, you did, and your help was wonderful. I got my DNS working 90% of the time with your assistance; however, it's the last 10% that's got me. Perhaps it's because I'm misunderstanding my goals.
I think I understand that the primary name server for the domain must be, in my case, this home server that I'm using, and that I need to be able to resolve my service name to my service public IP based on a mechanism that I expected to provide through BIND.
What seems to be happening is that I am not getting external and internal resolutions for internal and external lookups.
AT&T, my ISP, has agreed to secondary my DNS server, but I'm expecting to set up the primary, so it is setting up that primary and coordinating it with the external IP lookups from the world that I am stumbling on at the moment.
Do you have something unusual about your system? Is it running in a virtual machine, or is it an ordinary installation?
It's a workstation config, nothing special; it's just trying to synchronize the names for DNS/HTTPD/HTTPS and the certificate from Let's Encrypt that I need to get organized later.
Are you going through a VPN?
Not yet. My intention was to get this networking up and working correctly and then put a WireGuard VPN between me and the world, but I've not looked at that until I get the current DNS configuration set up properly.
OK, time to share the real problem here: it is me. That is to say, after several decades of computer work I got Parkinson's and that forced me to stop working commercially. I didn't want to give up my networking all the way, so I keep this home network as a constant challenge to keep my brain moving.
Sadly Parkinson's symptoms are not limited to muscles jerking around; it also includes 'Swiss cheese'-ing in my brain, so I'm working at a disadvantage. Still, I'm not giving up.
Does your machine really need to resolve outside addresses? For me, my local DNS just resolves all my domain names to internal IPs, and my domain name is resolved for the rest of the world by other DNS servers (in the usual way).
Perhaps you could elaborate on this comment above? I need to be able to provide a primary DNS server to look up between my external IP and my fully qualified domain name, but your description here makes it sound like I'm doing way too much work. I just need to be able to correlate external and internal views.
Perhaps you could expand on this a little bit, because I think this is maybe why I'm getting off in the weeds.
Thanks again, ...
--
uname -rsvp Linux 3.10.0-1160.21.1.el7.x86_64 #1 SMP Tue Mar 16 18:28:22 UTC 2021 x86_64
Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list.
On Sat, 2021-04-10 at 12:03 -0700, Jack Craig wrote:
OK, time to share the real problem here: it is me. That is to say, after several decades of computer work I got Parkinson's and that forced me to stop working commercially. I didn't want to give up my networking all the way, so I keep this home network as a constant challenge to keep my brain moving.
Sadly Parkinson's symptoms are not limited to muscles jerking around; it also includes 'Swiss cheese'-ing in my brain, so I'm working at a disadvantage. Still, I'm not giving up.
Do other techniques help in understanding? e.g. If you doodle diagrams with pen and paper as to what bits go where.
Tim:
Does your machine really need to resolve outside addresses? For me, my local DNS just resolves all my domain names to internal IPs, and my domain name is resolved for the rest of the world by other DNS servers (in the usual way).
Perhaps you could elaborate on this comment above? I need to be able to provide a primary DNS server to look up between my external IP and my fully qualified domain name, but your description here makes it sound like I'm doing way too much work. I just need to be able to correlate external and internal views.
Perhaps you could expand on this a little bit, because I think this is maybe why I'm getting off in the weeds.
Does this approach seem a feasible solution for you:
Okay, let's say that I own the domain name "example.com" (it's a real domain, specifically meant for everyone to make use of in examples, without messing up real websites, but it's not really mine). And I have a website at www.example.com, an email address of tim@example.com, all the usual gubbins.
I'm paying a service provider $20 a month for them to host my website, handle my mail. And, for $20 a year, they're the registrar for my domain name. There are cheaper services, but this price point provides reasonable service.
When I register my domain name with them, its details are put into public DNS servers (the domain name, the IP address, and all the other administrative details about who owns it, etc). The website is hosted by their webserver. My mail is handled by their mail server. All of this is external to me, and completely independent. I don't need to do anything on my computers, nor even my ISP. My hosting service provider is not the same as my internet service provider.
I could, technically, run all of this on my own computer, but many ISPs forbid it. Many will stuff it up through the cockeyed way they run their networks. And I'd have to deal with all the daily hack attempts that are inflicted upon public web services.
I could run it using my ISP to provide the facilities, but some are crap at it, often overpriced, and if you ever decide you want to change ISPs, you've got to move all of your things somewhere else. That inconvenience is used to tie you down to staying with them.
What I *also* do, just for my own benefit, is run my own webservers, mailservers, DNS servers, etc., on my own computer. This allows me to test things before they go public. It allows me to learn how the software works without messing things up on the internet.
Since I own example.com, I create a sub-domain of lan.example.com to use within my network. The rest of the world doesn't know about this, it's not in my public DNS records, I only do it on my local DNS and web servers. If I want to test out things to go on my website, first they're done on lan.example.com. Then, when I'm happy, I upload the changes to www.example.com. I can easily distinguish one from the other by the different domain names. But I don't have to do this. I could just directly do everything on the external webserver.
Running my own DNS server has other benefits, but they only affect me, the outside world doesn't make any use of it. I have internal address resolution without horsing around with hosts files, Avahi or MDNS. I can block unwanted things in websites by forbidding them in my DNS server. Again, I don't have to do this. There's no obligation on anyone to run their own DNS server if they want a public domain name.
I'm answering this with a separate response because it goes off in a different direction. You can decide which way to go without mixing up all the information together.
On Sat, 2021-04-10 at 12:03 -0700, Jack Craig wrote:
I think I understand that the primary name server for the domain must be, in my case, this home server that I'm using, and that I need to be able to resolve my service name to my service public IP based on a mechanism that I expected to provide through BIND.
What seems to be happening is that I am not getting external and internal resolutions for internal and external lookups.
AT&T, my ISP, has agreed to secondary my DNS server, but I'm expecting to set up the primary, so it is setting up that primary and coordinating it with the external IP lookups from the world that I am stumbling on at the moment.
In very few cases the primary name server for a public DNS record will be on a home computer. It'll usually be done where you register your domain name. Though you can shift it elsewhere. You can renew a domain name and host it with a different company. You can have a company host your website, and they can also host your DNS records.
For what it's worth, if they do your mail and website through something like cPanel, they'll probably want to host your DNS records, too, so their cPanel software can control any changes to the DNS records.
You can run your own slave name server, that follows what the public one does. This can be handy, but not essential, to keep an eye out for anything that goes wrong.
If you want to run dynamic DNS, so you can log into your home computer from somewhere else on the net without having to know your IP, that's a different thing, again.
But, if you want to be your DNS server for the whole world, they have to be able to connect to you. Traffic has to be able to get through. And you will need a fixed IP.
Oh so now I have learned something new.
I thought that because I was a domain owner, I had to do the translation from my public IP to my local DNS name.
Inasmuch as networksolutions.com, my domain registrar provider, already has the IP and host name, then
I don't need to provide that, so let me trim off that external zone. I'm assuming that I still need to provide service for the 10.0.0.0 internal addresses, but that could just be covered by my /etc/hosts file, right?
With this new bit of information, I should be able to run a minimal configuration as you earlier outlined. I was trying to throw in everything plus the kitchen sink. I'll start ripping the plumbing out of named.conf and see how little I can get away with.
Once again thanks for your time!!
On Mon, 2021-04-12 at 12:06 -0700, Jack Craig wrote:
Oh so now I have learned something new.
I thought that because I was a domain owner, I had to do the translation from my public IP to my local DNS name.
Just to be clear:
By "your public IP" do you mean the IP for your server that the world is going to view pages on?
Or do you mean the public IP that your computer is currently located at (which will probably change often, if you don't pay for a fixed IP)?
And are they one and the same thing? Are you serving from your own PC? Or is it an external computer serving your files to the public?
If your website server isn't your own computer on your own network, there's no need for any public DNS records to have your own network addresses in them.
Whatever the answers are to the above, you don't have to provide the DNS records for that on your own equipment. Any DNS server can provide answers to DNS queries. But for the general public to be able to use your domain name, your records have to be discoverable on public DNS servers. Normally, when you register a domain and have it hosted, that's all taken care of for you. They put the records in their domain server, and their domain server feeds info upstream to higher up servers (it's all like a family tree).
You can see that sort of thing with the "dig" tool. If you do a "dig example.com" you'll get a collection of responses. The "answer" section is the domain name and numerical IP address for it, that you queried. The "authority" section will be the authoritative name servers for those records (the master host for them). An "additional" section which can provide info about those authoritative servers. And in the last bit will be the "SERVER" that directly answered your query.
Inasmuch as networksolutions.com, my domain registrar provider, already has the IP and host name, then
I don't need to provide that, so let me trim off that external zone. I'm assuming that I still need to provide service for the 10.0.0.0 internal addresses, but that could just be covered by my /etc/hosts file, right?
Your own internal address resolution is done within your own computer network. That can be a hosts file, it can be your own name server.
On 13/04/2021 18:52, Tim via users wrote:
You can see that sort of thing with the "dig" tool. If you do a "dig example.com" you'll get a collection of responses. The "answer" section is the domain name and numerical IP address for it, that you queried. The "authority" section will be the authoritative name servers for those records (the master host for them). An "additional" section which can provide info about those authoritative servers. And in the last bit will be the "SERVER" that directly answered your query.
One has to be somewhat careful as to the actual dig command used.
By default the type searched for is A records. So, if your domain name is also the name of a host then you'd need to use "dig -tany domainname".
example:
[egreshko@meimei ~]$ dig ibm.com
ibm.com.    19    IN    A    104.115.95.17
[egreshko@meimei ~]$ dig -tany ibm.com
ibm.com.    20    IN    AAAA    2600:1417:1800:289::3831
ibm.com.    20    IN    AAAA    2600:1417:1800:286::3831
ibm.com.    3600  IN    MX      5 mx0b-001b2d01.pphosted.com.
ibm.com.    3600  IN    MX      5 mx0a-001b2d01.pphosted.com.
ibm.com.    86061 IN    SOA     asia3.akam.net. dnsadm.us.ibm.com. 1564134810 43200 7200 604800 3600
etc.....
Also, if you are running a DNS server for "local" addresses in your domain and your system's configuration points to the local server, you would most likely want to add the @server parameter to make sure you get the "external" information.
[egreshko@meimei ~]$ dig -tany meimei.greshko.com
meimei.greshko.com.    86400    IN    A       192.168.1.18
meimei.greshko.com.    86400    IN    AAAA    2001:b030:112f::140e
[egreshko@meimei ~]$ dig @8.8.8.8 -tany meimei.greshko.com
meimei.greshko.com.    1199     IN    A       211.75.128.214
meimei.greshko.com.    1199     IN    AAAA    2001:b030:112f::140e
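Ed's two dig runs (local resolver versus @8.8.8.8) are the check that tells you whether a split-horizon setup is doing what you think, and the later note in this thread about a fe80:: address in a public record shows what it catches. The script below is an added example, not something posted in the thread: it pulls the records of one type out of dig's ANSWER section, flags any address that cannot be reached from the Internet (RFC 1918, loopback, fe80::/10 link-local, fc00::/7 unique-local) in the public answers, and queries the LAN server and a public resolver separately. The name www.linuxlighthouse.com, the LAN resolver 10.0.0.101 and the public resolver 8.8.8.8 are assumptions. It queries A and AAAA separately rather than ANY because many public resolvers no longer give useful ANY answers (RFC 8482).

```shell
#!/bin/sh
# Added example (not from the thread): compare internal and public DNS views
# and flag unroutable addresses leaking into the public answers. The name and
# resolver addresses below are assumptions.

# Print the RDATA of every ANSWER record of type $1 (A, AAAA, NS ...) found in
# dig output on stdin. Works on full output and on "dig +noall +answer".
answer_records() {
    awk -v t="$1" '$1 !~ /^;/ && $3 == "IN" && $4 == t { print $5 }' | sort -u
}

# Exit 0 when $1 is an address that cannot be reached from the Internet.
is_unroutable() {
    case "$1" in
        10.*|127.*|192.168.*|169.254.*)            return 0 ;;  # RFC 1918, loopback, APIPA
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)     return 0 ;;  # 172.16.0.0/12
        [Ff][Ee][89AaBb][0-9A-Fa-f]:*)             return 0 ;;  # fe80::/10 link-local
        ::1|[Ff][CcDd][0-9A-Fa-f][0-9A-Fa-f]:*)    return 0 ;;  # ::1, fc00::/7 unique-local
    esac
    return 1
}

# Read addresses (one per line) on stdin, print each unroutable one,
# exit 1 if any was found.
flag_unroutable() {
    bad=0
    while read -r addr; do
        if is_unroutable "$addr"; then
            echo "unroutable address in public answer: $addr"
            bad=1
        fi
    done
    return "$bad"
}

# Usage: sh check-views.sh www.linuxlighthouse.com
if [ -n "${1:-}" ]; then
    name="$1"
    echo "== internal view (dig @10.0.0.101) =="
    dig @10.0.0.101 +noall +answer +time=3 +tries=1 "$name" A | answer_records A

    echo "== public view (dig @8.8.8.8) =="
    public=$(for t in A AAAA; do
        dig @8.8.8.8 +noall +answer +time=3 +tries=1 "$name" "$t"
    done)
    printf '%s\n' "$public"
    { printf '%s\n' "$public" | answer_records A
      printf '%s\n' "$public" | answer_records AAAA; } | flag_unroutable \
        && echo "public view OK: no private or link-local addresses published"
fi
```

The internal query should return 10.0.0.101 and the public one 108.220.213.121 with nothing flagged; a 10.x or fe80:: address in the public section means the wrong view, or a wrong record at the registrar, is being served to the world.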
On Tue, Apr 13, 2021 at 3:52 AM Tim via users users@lists.fedoraproject.org wrote:
On Mon, 2021-04-12 at 12:06 -0700, Jack Craig wrote:
Oh so now I have learned something new.
I thought that because I was a domain owner, I had to do the translation from my public IP to my local DNS name.
Just to be clear:
By "your public IP" do you mean the IP for your server that the world is going to view pages on?
Yes, 108.220.213.121.
Or do you mean the public IP that your computer is currently located at (which will probably change often, if you don't pay for a fixed IP)?
Static IP
And are they one and the same thing? Are you serving from your own PC? Or is it an external computer serving your files to the public?
Internally my IP is 10.0.0.101
If your website server isn't your own computer on your own network, there's no need for any public DNS records to have your own network addresses in them.
Whatever the answers are to the above, you don't have to provide the DNS records for that on your own equipment. Any DNS server can provide answers to DNS queries. But for the general public to be able to use your domain name, your records have to be discoverable on public DNS servers. Normally, when you register a domain and have it hosted, that's all taken care of for you. They put the records in their domain server, and their domain server feeds info upstream to higher up servers (it's all like a family tree).
You can see that sort of thing with the "dig" tool. If you do a "dig example.com" you'll get a collection of responses. The "answer" section is the domain name and numerical IP address for it, that you queried. The "authority" section will be the authoritative name servers for those records (the master host for them). An "additional" section which can provide info about those authoritative servers. And in the last bit will be the "SERVER" that directly answered your query.
Mostly my DNS seems right; however, I'm having a challenge trying to get the Let's Encrypt certificate renewed.
So I'm going to back up and take another run at this...
thanks again gentlemen,...
Inasmuch as networksolutions.com, my domain registrar provider, already has the IP and host name, then
I don't need to provide that, so let me trim off that external zone. I'm assuming that I still need to provide service for the 10.0.0.0 internal addresses, but that could just be covered by my /etc/hosts file, right?
Your own internal address resolution is done within your own computer network. That can be a hosts file, it can be your own name server.
On 14/04/2021 02:38, Jack Craig wrote:
On Tue, Apr 13, 2021 at 3:52 AM Tim via users <users@lists.fedoraproject.org> wrote:
On Mon, 2021-04-12 at 12:06 -0700, Jack Craig wrote:
Oh so now I have learned something new.
I thought that because I was a domain owner, I had to do the translation from my public IP to my local DNS name.
Just to be clear:
By "your public IP" do you mean the IP for your server that the world is going to view pages on?
Yes, 108.220.213.121.
I believe I'm looking at the correct record. If so,
IPv6 address fe80::15ef:5535
is not a routeable IPv6 address. It is akin to setting 10.0.0.101 as your public IPv4 address.
It may render a host unreachable for those in the world with IPv6 connectivity only.