In Nethserver 7, the DNS module that we had was based on DNSMasq, and hypothetically speaking , DNSmasq is not a fully fledged DNS authoritative server, which si what everyone using DNS functions had wanted for a long time.
the challenge was presented in that, because DNSMAsq was so tightly interwoven into NS 7, it was not possible to disable it in favour of any other DNS solution.
MEmbers have geenrally wanted a DNS solution tha toffers A records, MX records, TXT records, NS rrecords among the many other TLD based records for managing and resolving a domain fully.
My query in relation to this is whether, the DNSMasq module, iwll work alongside a future implementation for a full DNS authoritative resolver, or of the options would be to disable one for the other one to work.
In relation to handling DHCP, and basic A records, it functions well, but as a full Authoritative DNS server, its cant be the solution, that why memebrs had proposed among PowerDNS, TEchnitium and others.
AFAIK, there will be no fully fledged DNS/DHCP solution for NS8
This is due the the shift of NethServer from an OS to a orchestrator. The features you look for are now available in NethSecurity which is a Firewall, makes sense that you need a more robust solution for that.
Cannot stress this enough, dnsmasq can easily manage all the feature you asked, even the authoritative part, the question is if the UI will support them and the answer is no in this moment.
There will be a configuration directory that will let you add additional configuration and allow you to edit whatever configuration you want to the container. (TXT, MX, whatever configuration supports)
For this on the other hand
My query in relation to this is whether, the DNSMasq module, iwll work alongside a future implementation for a full DNS authoritative resolver, or of the options would be to disable one for the other one to work.
The module will have a toggle to shut off the services that you don’t need (I.E. you only need DHCP and DNS is provided by samba) so you can actually add whatever you need for DNS or DHCP, they will not be mutual exclusive.
Wanna take this to the public so we can actually allow others to join the discussion? I’m currently writing the component so if Davide or Giacomo find some feedback useful we might be able to add them to the roadmap
No one operating a SME wants a fully fledged Authoritive DNS server like BIND.
No sane person who understands DNS would suggest Technitium as an authoritative DNS server. It just doesn’t cut it! And missing auth? No way this should EVER be a full public facing DNS server. Internal may be ok, but not the Internet! It’s ONLY advantage is it supports LE DNS verification, but no users / groups or ANY form of auth!
BIND and eg PowerDNS are easy to handle, but for MOST users here, DNS is far too complicated.
Martin here is interested as a hoster, not really as a SME, but a full DNS would only create problems for most SME.
This is the real reason Microsoft started suggesting the really stupid use of .local and .lan. And we have a lot of users from that generation.
A typical issue: Users forget to enter in the DNS ALL entries from their external hoster - their own website is not accessibkle, and usually external mail…
I for one would NOT want a fully fledged DNS server like BIND. I have compiled and used BIND on OpenBSD in the past. One Server = one DNS server service, nothing else!
The problem with DNSMASK (Specfically in NS7) was the fact that the GUI only allowed “A” Records, “CNAME” was only possible for NethServer itself (eg virtual hosts). So people created “A” records, instead of using CNAMES.
Each A record will get a reverse DNS record, known as Pointer “PTR” record. This means that NethServer 7 will reply wrong records to almost any query for PTR records.
That’s fine, most users will NOT notice. However, anyone using firewalls, proxy servers, statistics will get the wrong PTR record, making most statistics wrong, or even hiding dangerous errors / attacks. And I’m not even talking about AD integration.
The fact is that DNSMASK can handle this situation, only the implementation in NS7 WebGUI / Cockpit was not capable of handling PTR or CNAMES.
Anyone handling a public faced DNS server should know and understand what they are doing. The idea that a GUI will help if sometone doesn’t fully understand DNS is pure bullsh"t, and a security concern to most other denizens of the Internet.
Learn the correct use of DNS (I strongly suggest using Split brain!).
You still don’t seem to understand that Internal and External DNS should be on different systems. Mainly for security reasons, but also for NOT expoosing eg AD or internal only hosts to the Internet!
In a cloud, there are no printers for example. Yet every SME uses printers, mostly networked ones nowadays!
There is NO problem having whatever internal DNS server handling internal DNS, and a separate DNS for external queries, eg on the same or a different node. This is actually the correct way to handle split brain DNS - which is the proper term for using different subsets of entries for internal and external DNS.
Think of a VoIP system showing the wrong caller number, effectively making all CTI / Adressbooks absolutely worthless!
I do think the full CNAME, PTR, TXT capablities of DNSmask (or the similiar, also used in the past, Unbound) should be exposed to the GUI, but maybe in an “advanced mode” view, for those that need these features.
Note:
For those not aware: the major security advantage of using “Split Brain” strategy in DNS, also known as “need to know” basis:
A DNS server can contain “views” limiting what information will be released to a query, the response (answer) can depend on internal or external queries. All fine!
However, if hacked or compromised, this server has ALL entries, so every internal host and structure of the network is exposed to the hackers. Not Good!
A Public DNS servers has NO internal entries at all, and can’t expose any internal information, as there are none on this server!
The public (Internet) does not “need to know” this information, and does not get it!
No serious Business would consider OPENWRT as a full featured Firewall for their business,
But what Nethserver is doing for it with Nethsecurity would make it akin to being close to OpnSense, and therefore Useable for such scenarios.
The same thing Nethvoice is Doing with Asterix and FreePBX. The claim was never for it to be Used as it is, but use its features, and functions as a base line, since its opneosurce, Maybe it could also benefit from…
The reason why it was ever considered, i guess is because, going by this list its the most full featured DNS server out there Comparison of DNS server software - Wikipedia @NLS brought it up, i never even knew it existed before
YEt everyone who hosts a website uses them and has need for them, Businesses using Cpanel, Plesk and other variations use DNS, infact, its the first Authoritative DNS they use, CLoudflare is maybe more complicated for them, or they just want everything within the same host.
For whatever reason, they are.
Even if i am asking about it as a hoster, is it a problem?
Wouldnt an SMS just want to register a domain, Setup Nethserver DNS as the Nameserver, and come and manage everything within Nethserver,
They will have their DNS records, Within Nethserver, Mail server, within Nethserver, Nextcloud, within nethserver., WP Website within Nethserver
And for all these services, All they need to do is define the FQDN, and Nethserver will setup all the DNS records for them Automagically, and they don’t have to touch Sh#t
Actually it will Make it much more easier for an SME than any other larger size organisation
You wouldn’t, but others would, IS IT NOT that, the reason community members are asking for it, so that, if its implemented in Nethserver, and Especially Nethserver 8, it would be easy to work with; installing managing and using?
I dont think that was the only problem, going by the Over 30 Community post requesting DNS*(Not me*)
In regards to Above @Tbaile says at the moment, the UI to handle those, will still not be coming to NS8
So Do we still have the same issues in NS7 carried forward to NS8?
Equally, does it mean everyone who does not understand some concepts should never self host any software at all?
I beleive the reason even yourself Andy has the experience you do, is because some tools were availed for you to practise, test, and break, and over time, it was transalted to experience.
Since you have Experience, Why don’t we accord the younger generation the same(being young myself)
Assumptions again. and at what point does discussing a proper DNS module equate to these sentiments?
I never Host 2 Critical systems on the same Host, Not even the same location. I dont even have a single ISP in my Home. because i don’t put everything in one basket. Someone else might do it, not because they don’t understand security, But have you considered that budget can also be a constraint?
ATLEAST WE AGREE ON SOMETHING
NEthserver8 being a multi cloud solution, would actually serve pretty well in this regard.
Simple Rule of Thumbs, DO NOT OVERENGINEER for the Future
And that’s why you have a firewall before your network…
Its Ok having DNmasq if its properly implemented with interface in NS8
And its Seems DNSMAQ is more suited for the Internals
IF Not, then A Separate Full Featured DNS App Would definitely be required as well.
I understand you might be more experienced with DNSmasq than all other DNS solutions
IF properly Implemented, a Proper DNS module in Nethserver8 WOuld be Game over, Could support Multi Node SYnc and Support(Dual tenant)
Could in future with additions, Push DNS Entries into other DNS systems like Cloudflare,CloudNS and brothers
Would have a proper Cerbot Integration, DNS challenge integration for some hard nut Apps
The Main need and reson of DNSMASQ for now, i believe it to be DHCP, We could have Bind handle DNS and other Solutions handle DHCP.
Or rather, Make use of something like KEA DHCP for DHCP.Already has some interface, so, maybe less work
(These are just thoughts)
Overall, there are already many topics discussing DNS on the community that @Tbaile you could dig into, and where more experienced DNS users than myself have contributed their thoughts, so i do not see How i could pretent to be An authority on the Topic.
Just remember as we are implementing these fatures, We still have competitors like Zentyal, Uninvenction and ClearOS especially with the Orchestrator only Route NS8 has taken.
I fully do not agree with almost EVERY single DNS statement of yours!
And why?
You personally have proved to me in the several times in the past that you, as a hoster, do not understand DNS or AD and any security implications it has.
Anyone can jump out of a window in a tall building. It’s really easy, no instruction needed!
But is it advisble?
Is it a good idea?
Do you personally know someone who has done it and told you about their experience?
I don’t think so!
Making the Internet a worse place for everyone else is NOT a good idea nor something I would support.
Doing it out of ignorance just makes things worse.
That’s why I am NOT in the hosting business, a high capital, low profit segment.
In Switzerland, even the ex monopol Telco just (2 months ago!) announced shutting down the whole hosting dept., for losing money… They upset a HUGE client base…
If they can’t afford to play the game, why should I bother?
So handle this the way Cloudflare currently does when you add a domain–check, and copy over (or better yet, give an option to copy over), the existing DNS records from the current host. This can be automated, so it doesn’t have to rely on the user.
Postfix is far too complicated. That’s why e-smith/SME/NS6/NS7/presumably NS8/mailcow/redmail/etc. template and otherwise automate its configuration, and have been doing so for the last 25 years.
Nginx is far too complicated–worse than Apache, and that says something. But all those products template/automate the webserver config too–again, for the last 25 years or more.
Is it really so far-fetched that NS8 could similarly automate DNS configuration in such a way that it would have a sensible and secure configuration that would also automatically implement desired public DNS records?
The most obvious (to me) use of this feature, as I mentioned in the topic Martin linked to, is for email. These days, email takes dozens of DNS records–a variety of CNAMEs, at least one MX, SPF, DMARC, DKIM, etc. As it stands now, all of these have to be created manually, and where the user’s doing something manually, there’s always a chance of doing it wrong. If NS were the authoritative DNS, it could publish its own records automatically, greatly reducing the chance of errors. This is how Mail-in-a-Box does it (publishing over 50 DNS records in that case), which is where I got the idea.
Another obvious use of this is with virtual hosts–when you create a virtual host, there could be a switch, checkbox, or other UI element to create an appropriate CNAME record for that virtual host (and, of course, removes it when you remove that virtual host).
A third similarly-obvious use would be to provide DNS validation for Let’s Encrypt.
Is it necessary? Obviously it isn’t; NS and its ancestors have done fine without it for 25+ years. But they’ve also done fine without clustering, yet now we have that. They did fine without any UI control over TLS certificates for 15-20 years, and now we have that. I don’t see any real benefit in Active Directory support, but it’s there.
Now, under NS7 it wouldn’t have been possible to do this “right,” which would include a second authoritative DNS server in a different geographic area–but with NS8 supporting clustering it should be much more feasible. Just join a second node in a different area (which could be quite an inexpensive VPS–or maybe even a free one from Oracle/AWS/Google–if DNS is all it’s doing), install the as-yet-hypothetical DNS module on it, and then entries can sync from the master node to slave.
No, DNS validation for LE was never a major factor in requests for a public DNS server in NS–and to the extent it was a factor, I filled that need 4+ years ago. Nor was DNS validation stated as a factor in the suggestion of Technitium.
There’s a good reason almost everyone mentions Cloudflare and LE in the same post, they’re one of the very few doing it right.
How old is DNS itself? VERY old!
All hosters do / offer DNS. LE would be a bonus, even for hosters selling Certs, yet many don’t offer / do this right. As both of us are aware of, it’s not really difficult, so why aren’t more doing this like Cloudflare?
As most here know, I’m NOT an advocate for MS monocultures or it’s like. However, the law in several places restrict choice. As an example, the state of Zurich in Switzerland restricts ingeniural / architectural subimmision to a highly specific version of AutoCAD, created on the current version of Windows 11, even the build is specified.
So AD, even if not directly so specified, is still according to MS best practices (They want to sell a server license and CALs…) and in a lot of cases a must.
This is correct, some only “require” a “different subnet” (implying a different provider / hoster), but a different location / region is better and more correct to the intent.
The swiss removed this good requirement when they “privatised” the Domain registrar business a decade ago…
Claiming it’s good always sounds good, at least!
I’m sure it refers to the internal DNS, not to an authoritative domain name server, as has been the discussion so far regarding both NS7 and NS8. Even the fact that it is linked to Samba AD reveals this. It will only be used to resolve LAN hosts (LAN server names.). It has the same role as the DNS service in Windows Server, for the internal domain (LAN).
On the other hand, an authoritative domain name server has no connection to the internal domain (or should not). It should be placed in WAN or DMZ. (I use Zentyal - BIND9, as an authoritative domain name server, placed in the DMZ, and it works very well) and will resolve the names of the servers exposed in the WAN/Internet (www server, mail server, cloud server, ftp server, …), depending on the assigned public IP.
I noted that, and because the reason for not having a Fully featured Authoritativ DNS server in NS7 was DNSMasq, I had to ask, so that we dont not re-invent the same problems we had in NS7, instead of coming up with solutions. (Also on matters PORTS) as am told, the main reason NS can never support multi tenancy in email according to Andy is because ports(i know its not)
And someone says its dead because it does not have a free plan. huh!
@Andy_Wismer because you wont use a product for not having a free plan, others would.
DO you know how much the NS Enterprise plan costs… Expensive is relative, trust me, there are even very small companies in Kenya that can afford that and would actually Pay that ind of amount, so long as they see value, let alone other companies in Europe.
AutoCAD is extremely expensive, but i am sure even small companies in Europe using it, pay for License. Well, even large companies in Africa here use a pirated copy… but Pay for other software…
What Does anything have to do with hosting business.
You setup Promox for your clients, and host their infra in it, and manage it for them, is that not “HOSTING” as you’ve termed before?
Lots of hosters want an upcharge for SSL. On the Let’s Encrypt forums, we generally recommend people use less user-hostile providers, but GoDaddy has a huge marketing budget, so…
But as for DNS, acme.sh supports over 150 DNS hosts’ APIs, so it’s not like there aren’t options. Cloudflare often comes up because it has a decent API (which is needed for DNS validation with LE) and it’s free, and I’m not aware of an alternative that checks both of those boxes. But that has nothing to do with the reason I mentioned it, and there’s no reason that any other system (like the as-yet-hypothetical public DNS module for NS8) can’t copy existing DNS records in the same way. And if the module’s designed to do that, then your concern about the user failing to manually migrate all the necessary DNS entries goes away.
So there are cases you deal with which require AD. There aren’t for me. There are scenarios where I can see my own public DNS server with a nice management UI, integrated into the services I’m providing, as useful. Even if you don’t have a use for it, surely you can see how it can be helpful for others?
The relevant RFCs “require” (to the extent they can, which isn’t much) at least two DNS servers in different locations. Maybe certain TLDs try to enforce this, but it isn’t enforced as a general thing. But regardless of whether it’s required, it’s a good practice, and something that can be much more readily done under NS8 than it could have been under NS7 or earlier.