CONFIGURATION TO SYNC BIND AND UNBOUND

Edan

Apr 19, 2023, 1:28:22 PM
to DNSControl-discuss
Hi,

I am new to DNSControl. My objective is to have bind9 and unbound zones and records sync with each other, which leads me to DNSControl.

There are no zones or records yet, so it is a fresh start.

In my current setup I have bind9 running on port xxxx and unbound on port yyyy, both of these are running on the same server.

I tried this dnsconfig.js configuration but it simply gives me an error, and I know that I need a reference to fix this:

{
  "providers": {
    "named": {
      "type": "named",
      "server": "192.168.1.1",
      "port": 9953,
      "zones": {
        "auto": {
          "backend": {
            "bind": {
              "file-template": "/var/named/{{.Domain}}.zone"
            }
          }
        }
      }
    },
    "unbound": {
      "type": "unbound",
      "server": "192.168.1.1",
      "port": 8853,
      "zones": {
        "auto": {
          "backend": {
            "unbound": {
              "zone-template": "{{.Domain}}: /etc/unbound/zones/{{.Domain}}.zone"
            }
          }
        }
      }
    }
  }
}

Tom Limoncelli

Apr 19, 2023, 1:44:14 PM
to Edan, DNSControl-discuss
Hi Edan!

Welcome to DNSControl! I hope you find it meets your needs.

The configuration you shared looks like JSON. The dnsconfig.js file should look more like JavaScript (the DNSControl language is very similar to JavaScript).

Please refer to the getting started doc (https://docs.dnscontrol.org/getting-started/getting-started), especially the section called "Create the initial dnsconfig.js".

Best,
Tom


--
You received this message because you are subscribed to the Google Groups "DNSControl-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dnscontrol-disc...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dnscontrol-discuss/d0ca5105-f624-4dad-860a-c5f9adcae2a4n%40googlegroups.com.

my mailinglist

Apr 19, 2023, 9:44:08 PM
to Tom Limoncelli, DNSControl-discuss
Hi Tom,

Thank you for the reply.

Yes I am aware of the said link, but I cannot find a reference to populate the provider information such as the IP address, port number and so on; I saw BIND as the supported provider, and I believe PowerDNS is also known as unbound provider.

I also need to know how to allow my BIND9 and unbound to allow access by DNSControl; do I need to set some parameters in both of the configurations?

Sorry to ask a beginner question, perhaps I miss something here.

Regards

Tom Limoncelli

Apr 20, 2023, 12:18:50 PM
to my mailinglist, DNSControl-discuss
Ah, I think I see the confusion.

DNSControl's BIND support only generates the zone files. It is up to you to get those zone files to the right place for BIND/Unbound to be able to use them. Configuring BIND/Unbound is up to you. DNSControl does not generate those configurations either.

Think of DNSControl as a compiler that generates zone files. Let me make a comparison to GCC: GCC generates an executable but doesn't install it or determine how and when to run it. DNSControl generates zone files but doesn't install them or determine how to use them. You can, however, configure where the zone files are written by adding a "directory" setting to your creds.json file.

Hope that helps!

Tom



my mailinglist

Apr 20, 2023, 1:44:26 PM
to Tom Limoncelli, DNSControl-discuss
Hi Tom,

Thank you, I got your point.

Please share simple example references for the right configuration for the dnsconfig.js and the creds.json to create DNS zone and records for both bind9 and unbound.

Thank you  

Tom Limoncelli

Apr 20, 2023, 2:00:47 PM
to my mailinglist, DNSControl-discuss
On Thu, Apr 20, 2023 at 1:44 PM my mailinglist <my.su...@gmail.com> wrote:
> Hi Tom,
>
> Thank you, I got your point.
>
> Please share simple example references for the right configuration for the dnsconfig.js and the creds.json to create DNS zone and records for both bind9 and unbound.

I can't do that. However, there is a document that walks you through the process of creating your own files. Getting Started: https://docs.dnscontrol.org/getting-started/getting-started
Also, you'll find creds.json examples on the page for each DNS provider. For example, BIND's examples are here: https://docs.dnscontrol.org/service-providers/providers/bind
  
Please remember that DNSControl is a community-driven open source package. It has no official support. StackOverflow (my employer) sponsors the project but doesn't allocate much time for me to work on it. Their support is mostly paying for Github and the CI/CD pipeline. Most of my time on DNSControl is nights and weekends.

Tom

my mailinglist

Apr 20, 2023, 2:31:28 PM
to Tom Limoncelli, DNSControl-discuss
Hi Tom,

Okay, I understand.

Correct me if I am wrong, I am not able to find unbound as one of the existing providers, does that mean that I need to custom create it?

Thanks

Tom Limoncelli

Apr 20, 2023, 2:33:02 PM
to my mailinglist, DNSControl-discuss
On Thu, Apr 20, 2023 at 2:31 PM my mailinglist <my.su...@gmail.com> wrote:
> Hi Tom,
>
> Okay, I understand.
>
> Correct me if I am wrong, I am not able to find unbound as one of the existing providers, does that mean that I need to custom create it?


I have never used Unbound.  Can someone else help Edan?


Tom

Faisal Misle

Apr 20, 2023, 3:32:39 PM
to Tom Limoncelli, my mailinglist, DNSControl-discuss
If I recall correctly, unbound is a validating, recursive, and caching DNS resolver installed locally. I am not quite sure how you'd integrate it with dnscontrol. You'd likely need to have dnscontrol spit out a bind file and then have unbound read that zone file, but as Tom said, dnscontrol is mostly community powered.


Faisal Misle
Technical Lead, Customer Success | Red Sift



nemunaire

Apr 20, 2023, 3:43:45 PM
to 'Tom Limoncelli' via DNSControl-discuss
Hi,
Unbound is a recursing-only name server. It can't take zone files to
serve them.

Either you'll need to use nsd (the authoritative name server developed
by the same team developing unbound), or just configure unbound as a
forwarder to your authoritative BIND.

But, before considering using dnscontrol to do the synchronization
between your 2 servers, did you consider the standard DNS feature of
primary/secondary authoritative name servers?

Regards,

--
nemunaire

my mailinglist

Apr 21, 2023, 3:30:37 AM
to nemunaire, 'Tom Limoncelli' via DNSControl-discuss
Hi,

Sorry, I forgot to mention that I have NSD running behind Unbound; those authoritative records will be served by NSD. BIND9 files are more like NSD files but need to be converted. So if dnscontrol has the file generator, it would be great.

So to correct the question it is NSD instead of Unbound.



nemunaire

Apr 21, 2023, 10:44:59 AM
to dnscontro...@googlegroups.com
Hi,

The zone file format used by BIND and nsd is the same: the file format
is defined by RFC 1035. It is also shared by most name servers.

Moreover, the zone file generated by dnscontrol is quite raw compared to
the myriad of possibilities offered by the real syntax, so this ensures
a good understanding whatever the parser implementation considered.

You can directly use the BIND provider to generate zone files for nsd
(or PowerDNS or knot, ...).

Regards,
nemunaire
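
Added example, not part of the thread and not DNSControl's own code: one way to do the step the replies leave to the operator, taking the zone files the BIND provider writes and installing them for both BIND and NSD only after each server's own checker (named-checkzone, nsd-checkzone) accepts them. The directory paths, the <zone>.zone file naming and the --run switch are assumptions.

```shell
#!/bin/sh
# Added example: check DNSControl-generated zone files, then install them for
# BIND and NSD. All paths below are assumptions; adjust to your layout.
SRC_DIR="${SRC_DIR:-zones}"             # "directory" set for the BIND provider
BIND_DIR="${BIND_DIR:-/var/named}"      # assumed BIND zone directory
NSD_DIR="${NSD_DIR:-/etc/nsd/zones}"    # assumed NSD zone directory
CHECK_BIND="${CHECK_BIND:-named-checkzone -q}"
CHECK_NSD="${CHECK_NSD:-nsd-checkzone}"

# Assumes files are named <zone>.zone, e.g. example.com.zone -> example.com
zone_name() { basename "$1" .zone; }

# Copy to a temp file inside the target directory, then rename, so a server
# reloading at the wrong moment never reads a half-written zone.
install_atomic() {
    tmp=$(mktemp "$2/.zone.XXXXXX") || return 1
    if cp "$1" "$tmp" && chmod 644 "$tmp" && mv "$tmp" "$2/$(basename "$1")"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Install a zone only if both servers' own parsers accept it.
deploy_zone() {
    zone=$(zone_name "$1")
    $CHECK_BIND "$zone" "$1" >/dev/null 2>&1 ||
        { echo "rejected by BIND check: $zone" >&2; return 1; }
    $CHECK_NSD "$zone" "$1" >/dev/null 2>&1 ||
        { echo "rejected by NSD check: $zone" >&2; return 1; }
    install_atomic "$1" "$BIND_DIR" && install_atomic "$1" "$NSD_DIR"
}

# Returns 0 only if every zone file in SRC_DIR was installed.
deploy_all() {
    failed=0
    for f in "$SRC_DIR"/*.zone; do
        [ -e "$f" ] || continue
        deploy_zone "$f" || failed=1
    done
    return "$failed"
}

# Reload the servers only after a fully clean deploy: ./deploy-zones.sh --run
if [ "${1:-}" = "--run" ]; then
    deploy_all && rndc reload && nsd-control reload
fi
```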