named

nsupdate – update failed: REFUSED

A while back, the https://www.freebsddiary.org/topics.php#opteron – the colo facility was purchased and the new owners are not interested in donating services to open source projects. That host also acted as a DNS host for all my domains. I pressed a small VPS into service. It handled the query services fine, but updates were sluggish. It …


Today I faced the first consequences of my TXT & Let’s Encrypt strict policy

Today I faced the first implications of deciding to tightly restrict the use of nsupdate keys for modifying TXT records for dns-01 challenges with Let’s Encrypt. Context: This section should be on news.freshports.org and you can skip it to get to the real stuff. Today I’m working on a mostly automated FreshPorts node deployment. A …


Creating a very specific TXT only nsupdate connection for Let’s Encrypt

In the interests of maintaining Michael W Lucas in the lifestyle to which he has become accustomed, I am creating this blog post. Although Mr Lucas was the first to post, he is not solely to blame for my burdensome workload. Jan-Piet Mens and Evan Hunt also have much to answer for. Their misdeeds include …


Using split DNS for websites hosted locally

The dev.freshports.org website is hosted on a server in my basement. For you, that name resolves to a publicly available IP address. For me, that name resolves to an RFC 1918 address: $ host dev.freshports.org dev.freshports.org has address 10.55.0.24 Sometimes this is referred to as split DNS, also known as split-horizon DNS, split-view DNS, …


hostmask on an ip address can affect jail DNS

I encountered, and later solved, a DNS issue on a FreeBSD jail. The jail is my web proxy, of sorts. I have one public IP address, which is dynamic (not relevant, but mentioned only in passing) so all incoming web traffic goes to a single internal RFC-1918 IP address. From there, nginx does reverse proxies …


Reviewing /var/log/pflog contents

I use pf as my packet filter. Everything blocked gets logged to /var/log/pflog.conf. Late last week, I noticed my rules were allowing everything in on one interface. I changed that. Overnight I see that my Let’s Encrypt certificate renewals failed. Nagios also tells me that the DNS servers are not in sync. I suspect firewall …


Using nsupdate to change NS servers

You have an old DNS server: tallboy.example.org. You have a new DNS server: ns1.example.org. You have a domain, example.com, for which you want to swap the old DNS server with the new DNS server using nsupdate. NOTE: the domain is example.com; the NS servers are in example.org (different domains). These are the commands you issue: update …
