Full, public, authoritative DNS support


I’ve seen other topics here in the past (e.g., Full DNS software, even via docker) asking for Neth to provide robust DNS configuration and public service, and I generally haven’t felt like it was something that would be worth the effort. And I still have concerns with the idea, mainly with the RFC’s “requirement” (i.e., suggestion) that DNS be hosted by at least two geographically-diverse hosts.

But I think I’ve encountered a good reason to do this: email. Email relies on DNS records, lots of them. And the way (at least) a couple of F/OSS projects (CyberPanel and Mail-in-a-Box) handle this is to have you set that system up as your authoritative DNS server, whereupon it publishes all the records you need–in the case of MiaB, over 50 of them for a single domain. Of course, it sets up A and MX. It sets up DMARC and SPF. Naturally, DKIM as well, and of course it supports DNSSEC. It creates the autoconfig. and autodiscover. records to allow clients to auto-configure, SRV records for CalDAV and CardDAV, etc.

Sure, a user can manually add all these records. But anything the user has to do manually is error-prone, and DNS is the blackest of black magic to many users. And a misplaced character in one of these records could result in broken email.

I’m guessing this isn’t going to happen for NS7, and maybe not even for NS8. But I think it’s worth some consideration.

Edit: Just for the information, here are the default records MiaB sets up for a single domain:

Records for brown-family.xyz:

| QName | Type | Value | Note |
| --- | --- | --- | --- |
| brown-family.xyz | A | 134.209.71.11 | Required. May have a different value. Sets the IP address that brown-family.xyz resolves to for web hosting and other services besides mail. The A record must be present but its value does not affect mail delivery. |
| brown-family.xyz | MX | 10 box.brown-family.xyz. | Required. Specifies the hostname (and priority) of the machine that handles @brown-family.xyz mail. |
| box.brown-family.xyz | A | 134.209.71.11 | Required. Sets the IP address of the box. |
| box.brown-family.xyz | MX | 10 box.brown-family.xyz. | Required. Specifies the hostname (and priority) of the machine that handles @box.brown-family.xyz mail. |
| brown-family.xyz | TXT | v=spf1 mx -all | Recommended. Specifies that only the box is permitted to send @brown-family.xyz mail. |
| _dmarc.brown-family.xyz | TXT | v=DMARC1; p=quarantine | Recommended. Specifies that mail that does not originate from the box but claims to be from @brown-family.xyz or which does not have a valid DKIM signature is suspect and should be quarantined by the recipient’s mail system. |
| mail._domainkey.brown-family.xyz | TXT | v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00RxC/e8l34dk6URKeKV7V9bzQ4x4WJoq3vB+RxlNabLD1zUKWRZp8r+WSCLElaYfBt9v/UjqM7CxlwYsM7wQ3t8X55O6MavOP5fRHpzNlFpYfA6owPKJi/CuTX0+gUfYqBNqq7Sfoo5tNjEkKDIhuv9/LWRsk+CMfh7AbxgC8IlMFvMqMqcsQUd3Dm2ceFJKNrGnEkND1U/MpGtlt1UYEvr6RygjLdP+LigzHa6/Mz5dSp/OlTrvQ5czAt6pltnJ8a1HhA7AG7AUXsnBHjZjK7UqXhPXbOY/AFIFqNvvkMSltPwA7QaKyGbrnqMXNElROfZIQrzt0g/rqNNilpHpQIDAQAB | Recommended. Provides a way for recipients to verify that this machine sent @brown-family.xyz mail. |
| _caldavs._tcp.brown-family.xyz | SRV | 0 0 443 box.brown-family.xyz. | Recommended. Specifies the hostname of the server that handles CardDAV/CalDAV services for email addresses on this domain. |
| _carddavs._tcp.brown-family.xyz | SRV | 0 0 443 box.brown-family.xyz. | Recommended. Specifies the hostname of the server that handles CardDAV/CalDAV services for email addresses on this domain. |
| autoconfig.brown-family.xyz | TXT | v=spf1 -all | Recommended. Prevents use of this domain name for outbound mail by specifying that no servers are valid sources for mail from @autoconfig.brown-family.xyz. If you do send email from this domain name you should either override this record such that the SPF rule does allow the originating server, or, take the recommended approach and have the box handle mail for this domain (simply add any receiving alias at this domain name to make this machine treat the domain name as one of its mail domains). |
| autoconfig.brown-family.xyz | MX | 0 . | Recommended. Prevents use of this domain name for incoming mail. |
| _dmarc.autoconfig.brown-family.xyz | TXT | v=DMARC1; p=reject | Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @autoconfig.brown-family.xyz. |
| autodiscover.brown-family.xyz | TXT | v=spf1 -all | Recommended. Prevents use of this domain name for outbound mail by specifying that no servers are valid sources for mail from @autodiscover.brown-family.xyz. If you do send email from this domain name you should either override this record such that the SPF rule does allow the originating server, or, take the recommended approach and have the box handle mail for this domain (simply add any receiving alias at this domain name to make this machine treat the domain name as one of its mail domains). |
| autodiscover.brown-family.xyz | MX | 0 . | Recommended. Prevents use of this domain name for incoming mail. |
| _dmarc.autodiscover.brown-family.xyz | TXT | v=DMARC1; p=reject | Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @autodiscover.brown-family.xyz. |
| box.brown-family.xyz | TXT | v=spf1 mx -all | Recommended. Specifies that only the box is permitted to send @box.brown-family.xyz mail. |
| _dmarc.box.brown-family.xyz | TXT | v=DMARC1; p=quarantine | Recommended. Specifies that mail that does not originate from the box but claims to be from @box.brown-family.xyz or which does not have a valid DKIM signature is suspect and should be quarantined by the recipient’s mail system. |
| mail._domainkey.box.brown-family.xyz | TXT | v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00RxC/e8l34dk6URKeKV7V9bzQ4x4WJoq3vB+RxlNabLD1zUKWRZp8r+WSCLElaYfBt9v/UjqM7CxlwYsM7wQ3t8X55O6MavOP5fRHpzNlFpYfA6owPKJi/CuTX0+gUfYqBNqq7Sfoo5tNjEkKDIhuv9/LWRsk+CMfh7AbxgC8IlMFvMqMqcsQUd3Dm2ceFJKNrGnEkND1U/MpGtlt1UYEvr6RygjLdP+LigzHa6/Mz5dSp/OlTrvQ5czAt6pltnJ8a1HhA7AG7AUXsnBHjZjK7UqXhPXbOY/AFIFqNvvkMSltPwA7QaKyGbrnqMXNElROfZIQrzt0g/rqNNilpHpQIDAQAB | Recommended. Provides a way for recipients to verify that this machine sent @box.brown-family.xyz mail. |
| mta-sts.box.brown-family.xyz | TXT | v=spf1 -all | Recommended. Prevents use of this domain name for outbound mail by specifying that no servers are valid sources for mail from @mta-sts.box.brown-family.xyz. If you do send email from this domain name you should either override this record such that the SPF rule does allow the originating server, or, take the recommended approach and have the box handle mail for this domain (simply add any receiving alias at this domain name to make this machine treat the domain name as one of its mail domains). |
| mta-sts.box.brown-family.xyz | MX | 0 . | Recommended. Prevents use of this domain name for incoming mail. |
| _dmarc.mta-sts.box.brown-family.xyz | TXT | v=DMARC1; p=reject | Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @mta-sts.box.brown-family.xyz. |
| ns1.box.brown-family.xyz | TXT | v=spf1 -all | Recommended. Prevents use of this domain name for outbound mail by specifying that no servers are valid sources for mail from @ns1.box.brown-family.xyz. If you do send email from this domain name you should either override this record such that the SPF rule does allow the originating server, or, take the recommended approach and have the box handle mail for this domain (simply add any receiving alias at this domain name to make this machine treat the domain name as one of its mail domains). |
| ns1.box.brown-family.xyz | MX | 0 . | Recommended. Prevents use of this domain name for incoming mail. |
| _dmarc.ns1.box.brown-family.xyz | TXT | v=DMARC1; p=reject | Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @ns1.box.brown-family.xyz. |
| ns2.box.brown-family.xyz | TXT | v=spf1 -all | Recommended. Prevents use of this domain name for outbound mail by specifying that no servers are valid sources for mail from @ns2.box.brown-family.xyz. If you do send email from this domain name you should either override this record such that the SPF rule does allow the originating server, or, take the recommended approach and have the box handle mail for this domain (simply add any receiving alias at this domain name to make this machine treat the domain name as one of its mail domains). |
| ns2.box.brown-family.xyz | MX | 0 . | Recommended. Prevents use of this domain name for incoming mail. |
| _dmarc.ns2.box.brown-family.xyz | TXT | v=DMARC1; p=reject | Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @ns2.box.brown-family.xyz. |
| mta-sts.brown-family.xyz | TXT | v=spf1 -all | Recommended. Prevents use of this domain name for outbound mail by specifying that no servers are valid sources for mail from @mta-sts.brown-family.xyz. If you do send email from this domain name you should either override this record such that the SPF rule does allow the originating server, or, take the recommended approach and have the box handle mail for this domain (simply add any receiving alias at this domain name to make this machine treat the domain name as one of its mail domains). |
| mta-sts.brown-family.xyz | MX | 0 . | Recommended. Prevents use of this domain name for incoming mail. |
| _dmarc.mta-sts.brown-family.xyz | TXT | v=DMARC1; p=reject | Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @mta-sts.brown-family.xyz. |
| www.brown-family.xyz | TXT | v=spf1 -all | Recommended. Prevents use of this domain name for outbound mail by specifying that no servers are valid sources for mail from @www.brown-family.xyz. If you do send email from this domain name you should either override this record such that the SPF rule does allow the originating server, or, take the recommended approach and have the box handle mail for this domain (simply add any receiving alias at this domain name to make this machine treat the domain name as one of its mail domains). |
| www.brown-family.xyz | MX | 0 . | Recommended. Prevents use of this domain name for incoming mail. |
| _dmarc.www.brown-family.xyz | TXT | v=DMARC1; p=reject | Recommended. Prevents use of this domain name for outbound mail by specifying that the SPF rule should be honoured for mail from @www.brown-family.xyz. |
| _mta-sts.brown-family.xyz | TXT | v=STSv1; id=0F7kLsTWADOwD7EwIlBX | Optional. Part of the MTA-STS policy for incoming mail. If set, a MTA-STS policy must also be published. |
| autoconfig.brown-family.xyz | A | 134.209.71.11 | Provides email configuration autodiscovery support for Thunderbird Autoconfig. |
| autodiscover.brown-family.xyz | A | 134.209.71.11 | Provides email configuration autodiscovery support for Z-Push ActiveSync Autodiscover. |
| box.brown-family.xyz | SSHFP | 3 2 ( B98E8EEDC3769A03BDB22DBE8B64D7D98C8971A9D7D8011CCDBBACE0500D1CC1 ) | Optional. Provides an out-of-band method for verifying an SSH key before connecting. Use ‘VerifyHostKeyDNS yes’ (or ‘VerifyHostKeyDNS ask’) when connecting with ssh. |
| box.brown-family.xyz | SSHFP | 4 2 ( B22402F1628F6AC921A7070F18947BDAFB18E8691382432B906F1872027C4DE8 ) | Optional. Provides an out-of-band method for verifying an SSH key before connecting. Use ‘VerifyHostKeyDNS yes’ (or ‘VerifyHostKeyDNS ask’) when connecting with ssh. |
| box.brown-family.xyz | SSHFP | 1 2 ( 7B4262AEFE93FBD3D4BD25B06422C91A2711F6097CDEBD62CCB62FDC681DEBA1 ) | Optional. Provides an out-of-band method for verifying an SSH key before connecting. Use ‘VerifyHostKeyDNS yes’ (or ‘VerifyHostKeyDNS ask’) when connecting with ssh. |
| _mta-sts.box.brown-family.xyz | TXT | v=STSv1; id=0F7kLsTWADOwD7EwIlBX | Optional. Part of the MTA-STS policy for incoming mail. If set, a MTA-STS policy must also be published. |
| _25._tcp.box.brown-family.xyz | TLSA | 3 1 1 fbc346255381f76918b27085c0a39ff36baea58a5461571eea5191d133ba9048 | Recommended when DNSSEC is enabled. Advertises to mail servers connecting to the box that mandatory encryption should be used. |
| _443._tcp.box.brown-family.xyz | TLSA | 3 1 1 fbc346255381f76918b27085c0a39ff36baea58a5461571eea5191d133ba9048 | Optional. When DNSSEC is enabled, provides out-of-band HTTPS certificate validation for a few web clients that support it. |
| mta-sts.box.brown-family.xyz | A | 134.209.71.11 | Optional. MTA-STS Policy Host serving /.well-known/mta-sts.txt. |
| mta-sts.brown-family.xyz | A | 134.209.71.11 | Optional. MTA-STS Policy Host serving /.well-known/mta-sts.txt. |
| www.brown-family.xyz | A | 134.209.71.11 | Optional. Sets the IP address that www.brown-family.xyz resolves to so that the box can provide a redirect to the parent domain. |

5 Likes
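The point of the post above is that a record set this large is easy to get subtly wrong by hand. The block below is an added example, not code from the original post, from NethServer or from Mail-in-a-Box: it takes a sample record set constructed from the table above (the mail domain, the `www` and `autoconfig` hostnames, and the DKIM key as printed there), adds one deliberately mistyped SPF record, and checks the invariants the table describes: an MX at the mail host, exactly one SPF record ending in `-all`/`~all`, a DMARC record with a valid policy, an RSA DKIM key of at least 2048 bits (decoded by hand from the `p=` value, so no third-party library is needed), and, for hostnames that must never carry mail, the null MX plus `v=spf1 -all` plus `p=reject` combination. The `lookup`, `parse_tags`, `check_mail_domain` and `check_no_mail_host` names are this example's own.

```python
"""Sanity-check the mail-related DNS records a mail server publishes.

Added example; not code from the original post, from NethServer or from
Mail-in-a-Box. The sample records are constructed from the table in the post
above; the checks encode the invariants that table describes, so a mistyped
record is caught before it silently breaks delivery or authentication.
"""
import base64

# DKIM public key exactly as shown in the post's table.
DKIM_P = (
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00RxC/e8l34dk6URKeKV7V9bzQ4x4WJoq3vB"
    "+RxlNabLD1zUKWRZp8r+WSCLElaYfBt9v/UjqM7CxlwYsM7wQ3t8X55O6MavOP5fRHpzNlFpYfA6owPK"
    "Ji/CuTX0+gUfYqBNqq7Sfoo5tNjEkKDIhuv9/LWRsk+CMfh7AbxgC8IlMFvMqMqcsQUd3Dm2ceFJKNrG"
    "nEkND1U/MpGtlt1UYEvr6RygjLdP+LigzHa6/Mz5dSp/OlTrvQ5czAt6pltnJ8a1HhA7AG7AUXsnBHjZ"
    "jK7UqXhPXbOY/AFIFqNvvkMSltPwA7QaKyGbrnqMXNElROfZIQrzt0g/rqNNilpHpQIDAQAB"
)

# Constructed sample: (qname, type, value) as in the table, plus one deliberate
# typo ("v=spf -all" on autoconfig) that the checks are expected to flag.
SAMPLE = [
    ("brown-family.xyz", "MX", "10 box.brown-family.xyz."),
    ("brown-family.xyz", "TXT", "v=spf1 mx -all"),
    ("_dmarc.brown-family.xyz", "TXT", "v=DMARC1; p=quarantine"),
    ("mail._domainkey.brown-family.xyz", "TXT", "v=DKIM1; h=sha256; k=rsa; s=email; p=" + DKIM_P),
    ("www.brown-family.xyz", "MX", "0 ."),
    ("www.brown-family.xyz", "TXT", "v=spf1 -all"),
    ("_dmarc.www.brown-family.xyz", "TXT", "v=DMARC1; p=reject"),
    ("autoconfig.brown-family.xyz", "MX", "0 ."),
    ("autoconfig.brown-family.xyz", "TXT", "v=spf -all"),          # the typo
    ("_dmarc.autoconfig.brown-family.xyz", "TXT", "v=DMARC1; p=reject"),
]

def lookup(records, qname, rtype):
    """All values published for (qname, type)."""
    return [v for q, t, v in records if q == qname and t == rtype]

def parse_tags(value):
    """Split a 'tag=value; tag=value' record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def dkim_key_bits(p):
    """RSA modulus size of a DKIM p= value, walking the DER SubjectPublicKeyInfo
    by hand (no third-party library); raises ValueError/IndexError if malformed."""
    der = base64.b64decode(p, validate=True)

    def tlv(buf, pos):                          # one DER tag-length-value
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        return tag, buf[pos:pos + length], pos + length

    _, spki, _ = tlv(der, 0)                    # SEQUENCE
    _, algo, pos = tlv(spki, 0)                 # SEQUENCE { OID, NULL }
    if not algo.startswith(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"):
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = tlv(spki, pos)               # BIT STRING
    _, rsa_pub, _ = tlv(bitstr, 1)              # skip unused-bits byte -> SEQUENCE
    _, modulus, _ = tlv(rsa_pub, 0)             # INTEGER n
    return len(modulus.lstrip(b"\x00")) * 8

def check_mail_domain(records, domain, mailhost):
    """Checks for a domain that sends and receives mail through mailhost."""
    problems = []
    if not any(v.split()[-1] == mailhost + "." for v in lookup(records, domain, "MX")):
        problems.append(f"{domain}: no MX pointing at {mailhost}")
    spf = [v for v in lookup(records, domain, "TXT") if v.startswith("v=spf1 ")]
    if len(spf) != 1:
        problems.append(f"{domain}: expected exactly one SPF record, found {len(spf)}")
    elif spf[0].split()[-1] not in ("-all", "~all"):
        problems.append(f"{domain}: SPF does not end in -all or ~all")
    dmarc = lookup(records, "_dmarc." + domain, "TXT")
    tags = parse_tags(dmarc[0]) if dmarc else {}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append(f"{domain}: missing or malformed DMARC record")
    dkim = lookup(records, "mail._domainkey." + domain, "TXT")
    try:
        bits = dkim_key_bits(parse_tags(dkim[0]).get("p", "")) if dkim else 0
        if bits < 2048:
            problems.append(f"{domain}: DKIM key missing or shorter than 2048 bits")
    except (ValueError, IndexError):
        problems.append(f"{domain}: DKIM p= is not a decodable RSA public key")
    return problems

def check_no_mail_host(records, host):
    """A hostname that must never carry mail needs a null MX ("0 .", RFC 7505),
    "v=spf1 -all" and a p=reject DMARC policy, exactly as the table publishes."""
    problems = []
    if "0 ." not in lookup(records, host, "MX"):
        problems.append(f"{host}: missing null MX")
    if "v=spf1 -all" not in lookup(records, host, "TXT"):
        problems.append(f"{host}: SPF is not 'v=spf1 -all'")
    dmarc = lookup(records, "_dmarc." + host, "TXT")
    if not dmarc or parse_tags(dmarc[0]).get("p") != "reject":
        problems.append(f"{host}: DMARC policy is not p=reject")
    return problems
```

Run against the sample, `check_mail_domain(SAMPLE, "brown-family.xyz", "box.brown-family.xyz")` and `check_no_mail_host(SAMPLE, "www.brown-family.xyz")` both return an empty list, while `check_no_mail_host(SAMPLE, "autoconfig.brown-family.xyz")` reports the mistyped SPF record; in practice the record list would be fetched from the live zone (for example with a resolver library) rather than embedded.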

I have been wanting this feature, as at the moment I pay for an external DNS (not much, about $20 per year), but they don’t support certbot, plus I like to do things in house.

1 Like

Why not use Cloudflare? They’re free, and they have a robust API that certbot works well with.

1 Like

I thought they got rid of their free option; I didn’t see the option under the plans when you sign up. Thanks for that.

Edit: all up and running with CloudFlare now thanks @danb35

See:

1 Like

We hope to have an authoritative DNS server inside NS8. This is just an idea and we do not know what the implementation will be.

If you have experience with a well supported DNS implementation (container-based), let us know!

2 Likes

I think PowerDNS can be implemented even using the Portainer module provided; from a quick roundup on the internet, this seems possible.

It doesn’t even need to wait for NethServer 8 to be implemented, unless you have another idea in mind.

1 Like

@giacomo

Hi

I have experience with BIND - and it’s still the “reference” for DNS implementations and works well. With some templates, it’s fairly easy to handle…
I can help with such templates, easily implemented e.g. with e-smith templates…

My 2 cents
Andy

3 Likes

Advantages of BIND:

  • It’s “the” standard / reference implementation for DNS, since the first DNS server.
  • It’s low on resource usage
  • It’s fast
  • It does NOT need a database, only files / a folder for zones…
  • It can easily run natively, or in a container
  • It can handle ALL needed DNS functions AFAIK… (Master / Slave, whatever).

Disadvantages:

  • No “web” Interface or even GUI Interface
  • File syntax is very strict, handling is not easy

-> I’ve used BIND since before 2000. The best web interface I’ve found - and it still works very well today - is the Perl-programmed Webmin by Jamie Cameron. I’ve even installed Webmin on SME-Server just to admin BIND, also installed in SME-Server… Webmin is programmed in Perl, and would be adaptable for use inside NethServer / Cockpit, if there are no other good GUI/WebGUI alternatives available.

Google still recognized Master / Slave (whew!):

NethServer could also use the already used (underused) Unbound, IMHO a better option than dnsmasq…
It’s at least familiar to the dev crew and can handle all needed duties…

My 2 cents
Andy

3 Likes
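Andy's point that BIND needs only files for its zones, but that the file syntax is strict, is where templating earns its keep. The block below is an added example, not code from the thread, from BIND or from NethServer's e-smith templates: it renders a record set into zone-file syntax and handles the two rules that most often break hand-written zones, namely that owner names and name targets must be absolute (trailing dot, with the null-MX target `.` left alone) and that a TXT value longer than 255 bytes, such as the DKIM key in the table above, must be split into several quoted character-strings as RFC 1035 requires. The record subset is constructed from the first post's table with a placeholder DKIM key of realistic length; the SOA timers, the hostmaster address and the serial are assumptions, and the function names are this example's own.

```python
"""Render DNS records into BIND zone-file syntax.

Added example; not code from the thread, from BIND or from e-smith templates.
Covers the two strict-syntax points that most often break hand-written zones:
absolute names (trailing dot) and the 255-byte <character-string> limit for
TXT rdata (RFC 1035), which the DKIM key in the thread's table exceeds.
The record subset is constructed from the first post's table; the placeholder
DKIM key, SOA timers and hostmaster address are assumptions.
"""
import re

ZONE = "brown-family.xyz"

# Constructed subset of the records from the first post, as (owner, type, rdata).
# The DKIM key is a placeholder of the same length as a real 2048-bit RSA key.
RECORDS = [
    ("brown-family.xyz", "A", "134.209.71.11"),
    ("brown-family.xyz", "MX", "10 box.brown-family.xyz"),
    ("brown-family.xyz", "TXT", "v=spf1 mx -all"),
    ("_dmarc.brown-family.xyz", "TXT", "v=DMARC1; p=quarantine"),
    ("www.brown-family.xyz", "MX", "0 ."),
    ("_caldavs._tcp.brown-family.xyz", "SRV", "0 0 443 box.brown-family.xyz"),
    ("mail._domainkey.brown-family.xyz", "TXT",
     "v=DKIM1; h=sha256; k=rsa; s=email; p=" + "A" * 392),
]

def absolute(name):
    """Return the name with a trailing dot; "." (the null-MX target) stays as is."""
    return name if name.endswith(".") else name + "."

def txt_rdata(value, chunk=255):
    """Quote a TXT value as one or more <character-string>s of at most 255 bytes."""
    if not value.isascii():
        raise ValueError("TXT values in this example must be ASCII")
    parts = [value[i:i + chunk] for i in range(0, len(value), chunk)] or [""]
    escaped = (p.replace("\\", "\\\\").replace('"', '\\"') for p in parts)
    return " ".join(f'"{p}"' for p in escaped)

def txt_strings(rdata):
    """Inverse of txt_rdata: the list of character-strings in a rendered TXT rdata."""
    return [re.sub(r"\\(.)", r"\1", s) for s in re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)]

# Types whose last rdata field is a domain name that must be absolute.
NAME_TARGET_TYPES = {"MX", "SRV", "NS", "CNAME", "PTR"}

def render_record(owner, rtype, rdata, ttl=3600):
    """One zone-file line: owner TTL IN TYPE RDATA, with BIND's syntax rules applied."""
    if rtype == "TXT":
        rdata = txt_rdata(rdata)
    elif rtype in NAME_TARGET_TYPES:
        fields = rdata.split()
        fields[-1] = absolute(fields[-1])
        rdata = " ".join(fields)
    return f"{absolute(owner)}\t{ttl}\tIN\t{rtype}\t{rdata}"

def render_zone(zone, records, primary_ns, hostmaster, serial):
    """Complete zone file: $ORIGIN, $TTL, SOA, NS, then the records in order."""
    origin = absolute(zone)
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 3600",
        # SOA timers (refresh, retry, expire, minimum) are assumed values.
        f"{origin}\t3600\tIN\tSOA\t{absolute(primary_ns)} {absolute(hostmaster)} "
        f"( {serial} 7200 3600 1209600 3600 )",
        f"{origin}\t3600\tIN\tNS\t{absolute(primary_ns)}",
    ]
    for owner, rtype, rdata in records:
        full = absolute(owner)
        if full != origin and not full.endswith("." + origin):
            raise ValueError(f"{owner} is outside zone {zone}")
        lines.append(render_record(owner, rtype, rdata))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_zone(ZONE, RECORDS, "ns1.box.brown-family.xyz",
                      "hostmaster.brown-family.xyz", serial=2024010101))
```

Rendering the DKIM record yields two quoted strings, the first exactly 255 bytes long, which resolvers concatenate back into the original value; a zone written with the key as one unbroken string is rejected by BIND's zone loader. The same renderer is the natural body of a template: the records come from configuration, the syntax rules live in one place.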

Yep, if going with BIND, then a lot of work would need to go into building a web GUI interface for it, probably inside the NethServer Cockpit interface.

The fact that it works well with e-smith is a plus overall, and it can be implemented to work with the built-in user functions, but that’s going to require quite a lot. Overall, yes, it’s still the standard, and a lot of systems, including CWP, which I am a part of, use it.

1 Like

FWIW. I use PowerDNS as authoritative: https://www.powerdns.com/

The Admin GUI / Web interface to it is nice, simple and covers everything you would ever need: https://github.com/ngoduykhanh/PowerDNS-Admin

Klaus