DNS

Reviewing /var/log/pflog contents

I use pf as my packet filter. Everything blocked gets logged to /var/log/pflog. Late last week, I noticed my rules were allowing everything in on one interface. I changed that. Overnight I see that my Let’s Encrypt certificate renewals failed. Nagios also tells me that the DNS servers are not in sync. I suspect firewall rules.

Reviewing pflog

It is because I use:

block log all in /etc/pf.conf
pflog_enable="YES" in /etc/rc.conf

that I […]
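When the question is "which of my blocks broke certificate renewal and zone transfers", the fastest answer comes from the decoded log itself. The script below is an added example, not the post's own code: it reads the output of tcpdump -n -e -ttt -r /var/log/pflog and counts blocked flows by interface, destination host and destination port, so a pile of hits on port 53 or 80/443 stands out immediately. The sample lines are constructed, and the exact line shape (timestamp, "rule N/M(match):") is assumed; tcpdump versions differ slightly.

```shell
#!/bin/sh
# Summarise what pf blocked, by interface and destination port, from the
# decoded log. Added example, not code from the original post.
# Feed it the output of:  tcpdump -n -e -ttt -r /var/log/pflog
# Assumed line shape (tcpdump versions differ in the timestamp field):
#   <ts> rule N/M(match): block in on em0: SRC.SPORT > DST.DPORT: ...

summarize_pflog() {
  awk '
    {
      # locate the "rule" token; action, direction and interface follow it
      for (i = 1; i <= NF; i++) if ($i == "rule") break
      if (i > NF) next
      act = $(i + 2); dir = $(i + 3); iface = $(i + 5); sub(/:$/, "", iface)

      # destination is the token after ">", with its trailing ":" stripped
      for (j = i; j <= NF; j++) if ($j == ">") break
      if (j >= NF) next
      dst = $(j + 1); sub(/:$/, "", dst)

      # tcpdump writes host.port; split at the last dot (works for v4 and v6)
      k = match(dst, /\.[0-9]+$/)
      if (k == 0) next
      host = substr(dst, 1, k - 1); port = substr(dst, k + 1)

      count[act " " dir " " iface " " host " port " port]++
    }
    END { for (key in count) printf "%6d %s\n", count[key], key }
  ' | sort -rn
}

# Constructed sample of decoded pflog output (not a real capture): three
# blocked DNS packets, one blocked HTTP SYN, one logged pass.
sample_pflog() {
  cat <<'EOF'
00:00:00.000000 rule 2/0(match): block in on em0: 192.0.2.10.53451 > 198.51.100.5.53: 12345+ A? example.org. (29)
00:00:01.203456 rule 2/0(match): block in on em0: 192.0.2.10.53452 > 198.51.100.5.53: 12346+ AAAA? example.org. (29)
00:00:00.500123 rule 2/0(match): block in on em0: 203.0.113.7.41022 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0
00:00:02.000000 rule 2/0(match): block in on em0: 192.0.2.11.40001 > 198.51.100.5.53: Flags [S], seq 2, win 65535, length 0
00:00:00.100000 rule 0/0(match): pass out on em0: 198.51.100.5.39140 > 192.0.2.10.53: 1+ A? example.com. (29)
EOF
}

# Top line of the summary for the sample: the port-53 blocks that would
# explain "DNS servers not in sync".
blocked_top() { sample_pflog | summarize_pflog | head -1; }
```

On a live system replace sample_pflog with the tcpdump command above. Blocked TCP SYNs to 53 are the zone transfer and NOTIFY traffic between primary and secondary; blocked 80/443 are http-01 validation requests from Let's Encrypt, whereas dns-01 renewals only need the nsupdate path to the primary to stay open.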


Service names vs host names

Over the years, I have learned not to rely on hostnames for important services. Hosts go away, new ones come in. I want to rely on what I refer to as service names. For example, instead of relying on a hostname for my ntp server, I have:

$ host time
time.int.unixathome.org has address 10.55.0.1

This hostname, or service name, appears in /etc/ntp.conf on every physical host in my network. time.int.unixathome.org is not a


Adding new DNS zones when using nsupdate & bind

Back in the good old days, I managed my DNS zone files by checking them into the repo and then running svn up on the name servers. When I started using Let’s Encrypt, I stopped doing that because of the use of nsupdate. This post outlines how I added two new zones to my nameservers:

vbsdcon.org
vbsdcon.com

The zone files

Here is the zone I created.

$ cat vbsdcon.org.db
vbsdcon.org. 3600 IN SOA


Adjusting the TTL on domain records

I am about to make changes to my mail servers. I am changing third-party providers. In anticipation of this change, I will drop the TTL on my DNS MX records. This should minimize the time it takes for this change to take effect. I say should because not all caching resolvers honor the specified TTL. I started with one of my lesser used domains, to make sure I had the nsupdate commands correct. Here


Collecting statistics from bind / named

I use bind (Berkeley Internet Name Domain) as my DNS server. I am currently running bind 9.11.5P1 on FreeBSD 11.2-RELEASE-p8 in a jail, with iocage as my jail manager. The OS, jail, and jail manager should play no part in how this works. I have been collecting statistics from bind for some time. I have configured LibreNMS to collect the details via snmpd and they are plotted in a lovely looking graph. The


Using nsupdate to change NS servers

You have an old DNS server: tallboy.example.org. You have a new DNS server: ns1.example.org. You have a domain, example.com, for which you want to replace the old DNS server with the new one using nsupdate. NOTE: the domain is example.com; the NS servers are in example.org (a different domain). These are the commands you issue:

    update delete example.com. IN NS tallboy.example.org.
    update add example.com. 3600 IN NS ns1.example.org.
    send

Of note, you mention the
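Both this post and the MX TTL post above send hand-typed nsupdate batches. The shell functions below are an added example, not the posts' own commands: they generate the same two kinds of batch, with a prereq line so the server rejects the whole update if the zone is not in the state you expect, and with fully qualified names so nsupdate never appends an origin. NS_SERVER and KEY_FILE are placeholders; the zone and host names come from the posts.

```shell
#!/bin/sh
# Build guarded nsupdate batches. Added example, not the original posts' commands.
# Placeholders (assumed): NS_SERVER is the primary that accepts dynamic
# updates, KEY_FILE is a TSIG key file in the format nsupdate -k reads.
NS_SERVER=${NS_SERVER:-ns1.example.org}
KEY_FILE=${KEY_FILE:-/usr/local/etc/namedb/keys/admin-key.conf}

# Make a name fully qualified (trailing dot) so nsupdate never appends an
# origin to it; "example.org" and "example.org." both become "example.org."
fqdn() { case $1 in *.) printf '%s\n' "$1" ;; *) printf '%s.\n' "$1" ;; esac; }

# ns_swap ZONE OLD_NS NEW_NS [TTL]
# Replace one NS record in the zone apex RRset. The prereq line makes the
# server refuse the batch unless an NS RRset exists at the apex, and the
# delete and add between "zone" and "send" are applied atomically or not at all.
# (A value-dependent "prereq yxrrset ... NS <old>" would have to list the
# complete RRset, so the type-only form is used here.)
ns_swap() {
  zone=$(fqdn "$1"); old=$(fqdn "$2"); new=$(fqdn "$3"); ttl=${4:-3600}
  printf 'server %s\nzone %s\n' "$NS_SERVER" "$zone"
  printf 'prereq yxrrset %s IN NS\n' "$zone"
  printf 'update delete %s IN NS %s\n' "$zone" "$old"
  printf 'update add %s %s IN NS %s\n' "$zone" "$ttl" "$new"
  printf 'send\n'
}

# mx_ttl ZONE NAME TTL "PRIO HOST" ["PRIO HOST" ...]
# nsupdate cannot change a TTL in place: the MX RRset is deleted and re-added
# with the new TTL inside one transaction, so the authoritative server never
# answers with an empty MX set in between.
mx_ttl() {
  zone=$(fqdn "$1"); name=$(fqdn "$2"); ttl=$3; shift 3
  printf 'server %s\nzone %s\n' "$NS_SERVER" "$zone"
  printf 'prereq yxrrset %s IN MX\n' "$name"
  printf 'update delete %s IN MX\n' "$name"
  for rr in "$@"; do
    prio=${rr%% *}; host=$(fqdn "${rr#* }")
    printf 'update add %s %s IN MX %s %s\n' "$name" "$ttl" "$prio" "$host"
  done
  printf 'send\n'
}

# Apply a batch: nsupdate signs it with the TSIG key and prints
# "update failed: NXRRSET" when the prereq does not hold.
apply() { nsupdate -k "$KEY_FILE"; }
# ns_swap example.com tallboy.example.org ns1.example.org | apply
# mx_ttl example.org example.org 300 "10 mx1.example.org" "20 mx2.example.org" | apply
```

Confirm the result with dig +short @ns1.example.org example.com NS before trusting it. Note that this only rewrites the NS RRset served by your own authoritative server; the delegation at the parent (what the registrar publishes for example.com) is a separate record set and has to be changed there as well, or the world keeps asking tallboy.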


Adding IPv6 to an Nginx website on FreeBSD / FreshPorts

FreshPorts recently moved to an IPv6-capable server, but until today that capability had not been used. There were a number of things I had to configure, but this will not necessarily be an exhaustive list for you to follow. Some steps might be missing, and it might not apply to your situation. All of this took about 3 hours. We are using:

FreeBSD 11.1
Bind 9.9.11
nginx 1.12.2

The server configuration

This is


Moving FreshPorts

Today I moved the FreshPorts website from one server to another. My goal is for nobody to notice. In preparation for this move, I have:

DNS TTL reduced to 60s
Posted to Twitter
Updated the status page
Put the website in offline mode: Sorry, the website is offline from 2017-11-05 17:01, for approximately 3 hours. It is now 2017-11-05 17:01.

That works for both http and https:

[dan@air01:~] $ wget -S http://www.freshports.org


Getting acme.sh to renew certs via cronjob on FreeBSD

In the past, I’ve written about using acme.sh to automatically generate SSL certificates and distribute them to the required locations. I do this in a single central location, and the websites and mail servers grab their new certs from a webserver. At the time of writing, I was using FreeBSD 11.1 and acme.sh 2.7.4, supplied by the FreeBSD port, in a jail. Nagios warned me that one of my Let’s Encrypt certificates was


acme.sh: getting free SSL certificates – installation configuration on FreeBSD

This blog post describes my Let’s Encrypt solution which uses acme.sh and dns-01 challenges to obtain SSL certificates. If you are using HTTP challenges, this post might still be useful, but your configuration will differ slightly. Let’s Encrypt is a certificate authority which has become wildly popular since it was launched in April 2016 (just a short 14 months ago). Why so popular? It provides a secure way to offer free SSL certificates.
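The dns-01 flow described here, and the nsupdate-managed zones from the "Adding new DNS zones when using nsupdate & bind" post above, both depend on the name server accepting signed dynamic updates. The named.conf fragment below is an added example, not the posts' configuration: it gives acme.sh its own TSIG key that can only write TXT records, and keeps a separate key for administrative changes. The zone name vbsdcon.org is taken from that post; key names, secrets and file paths are placeholders.

```conf
// Added example; not the original posts' configuration.
// Generate each key with:  tsig-keygen -a hmac-sha256 acme-key
// and paste the output here (the acme key also goes into the file that
// NSUPDATE_KEY points at on the host running acme.sh).
key "acme-key" {
    algorithm hmac-sha256;
    secret "<base64 output of tsig-keygen>";   // placeholder
};

key "admin-key" {
    algorithm hmac-sha256;
    secret "<base64 output of tsig-keygen>";   // placeholder
};

zone "vbsdcon.org" {
    type master;
    // named rewrites dynamic zones and keeps a .jnl journal beside the
    // file, so it must live in a directory named can write to.
    file "/usr/local/etc/namedb/dynamic/vbsdcon.org.db";
    update-policy {
        // acme.sh only ever adds and removes _acme-challenge TXT records.
        // With this rule a compromised web or mail host holding the key
        // cannot touch A, AAAA, MX or NS data.
        grant acme-key. subdomain vbsdcon.org. TXT;
        // Administrative edits (NS swaps, MX TTL changes) use a key that is
        // never copied to those hosts. Types are listed explicitly because
        // an empty type list excludes NS and SOA.
        grant admin-key. zonesub A AAAA CNAME MX NS TXT;
    };
};
```

acme.sh's nsupdate hook reads the server and key file from NSUPDATE_SERVER and NSUPDATE_KEY, so issuing looks like NSUPDATE_SERVER=ns1.vbsdcon.org NSUPDATE_KEY=/usr/local/etc/acme-key.conf acme.sh --issue --dns dns_nsupdate -d vbsdcon.org -d www.vbsdcon.org. The subdomain rule still lets the acme key rewrite every TXT record in the zone, including SPF and DKIM; where those matter, replace it with one "grant acme-key. name _acme-challenge.<hostname>. TXT;" rule per certificate name.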

