Current NethServer services rely heavily on dnsmasq. Wouldn’t it be a lot less invasive if you just install Cockpit-Machines addon and fire up a VM and use that as Pi-Hole or Technitions DNS Server?
We already have cockpit and it is a 1 line install (something like yum install cockpit-machines )
If you ask me personally, I don’t have the need to do this Robb, as my Neth is already a VM in my unRAID server. In unRAID server there is already a plugin (I suspect a container) that implements Technitium.
Makes more sense though that my Neth setup would also be my GW and DNS. I see dnsmasq as a real limitation to make Neth a full Win Srv replacement (I migrated to above setup from SBS2011 at home but would also consider it for work), I believe T is a very nice (and admin friendly) DNS/DHCP server.
Also my point (see reply to myself above) is to implement it “properly” (as part of Neth) and take over ALL DNS/DHCP functionality both from Neth itself (dnsmasq) and Samba container (that also implements DNS, but needs Windows tools to actually manage it) - otherwise this will not be the case (and we need to make manual entries and maintain them),.
Indeed ad blocking is secondary (but welcome) functionality. A bonus.
I really think Technitium should become an “app” for Neth.
I wake up this topic… I was forced to add a Technitium container on my unRAID server (which is an out-of-place choice for the DNS), because NS (that should provide a real DNS server) doesn’t actually provide a real DNS…
NethServer has Threat Shield and Pi-Hole which seems an alternative to Technitium, see AlternativeTo.
AFAIK none of the two is a fully fledged DNS server.
It blocks and forwards the rest.
Technitium is a nice, fully fledged, DNS (and DHCP) server, with web interface, plugins, beautiful graphs etc.
@NLS can this be of help to you too, since it also provides s full fledged DNS server.
if it can be gotten to work effectively.Full DNS software, even via docker - #5 by oneitonitram
I actually installed and successfully use Technitium on a docker container I use in my unRAID server. where Nethserver is a VM.
But if you ask me, this is a “hit” to what Nethserver supposedly is.
Right now the only part of NS I actively use is the mail server, antispam (and similar) and webtop.
All the rest where taken over by stand-alone containers on my host machine.
But that of course is my own case scenario. Your mileage may vary.
That said, NS needs a real update, but that is a different topic.
Have you been unable to isntall technitium on NEthserver using the available Nethserver-docker?
I haven’t tried.
There is no point enabling NS docker module, when NS in itself is a VM running on a host that in turn already runs other containers.
My point is that NS should have an integrated full DNS solution (like Technetium) instead of the one they integrate now.
1 Like
and as you have been informed before, Nethserver in its current form, is tightly intertwined with dnsmasq so doing a direct integration of technitium would be next to impossible, if not pseudo-engeneering.
In that case, if you yourself, who is the user of the software solution you are proposing are not willing to get it working, or even try to get it working using the available method, so that other implementation scenario s can be looked into.
Why should anyone else be bothered in this community?
2 Likes
how really does sone create a vm using cockpit machines, especially loading iso images or
EDIT:
i get this erro:
ERROR internal error: process exited while connecting to monitor: 2021-10-22T14:48:53.915662Z qemu-kvm: -drive file=/home/vboxweb/CentOS-7-x86_64-DVD-2009.iso,format=raw,if=none,id=drive-ide0-0-0,readonly=on: could not open disk image /home/vboxweb/CentOS-7-x86_64-DVD-2009.iso: Could not open '/home/vboxweb/CentOS-7-x86_64-DVD-2009.iso': Permission denied Domain installation does not appear to have been successful. If it was, you can restart your domain by running: virsh --connect qemu:///system start tcc otherwise, please restart your installation.
edit fixed by chmod =rwx /home/vboxweb/CentOS-7-x86_64-DVD-2009.iso
I wonder if this might be easier to integrate with NS8, given its all-container architecture. I’m seeing more value in it than I once did (see Full, public, authoritative DNS support), but with the current architecture, I think it’d be near-impossible to replace dnsmasq in NS7. But it’d sure be nice for NS to be able to automagically handle all the dozens of DNS records that are used for email…
4 Likes
But they really aren’t. Technitium states as their headline feature that it’s DNS-based ad blocking, but it’s apparently a full-featured DNS server. Pi-Hole has improved since this topic was started; it now allows local DNS entries (so I can configure local hostnames on my LAN–which I can also do with NS, of course), but I’m not aware of any supported way for it to handle, say, TXT or SRV records.
4 Likes
While we are on the subject of “make a wish”… I would also very much appreciate a full DNS server. But for me it would only be full-fledged if the integration with Nethserver would allow to automatically generate and apply the current TLSA-Record at every LE-certificate renewal.
Currently, I have to manually generate a TLSA record every time I change my LE certificate, and then file it with my DNS provider. This is more than just annoying, but creates an interruption in the DANE state when the LE certificate is renewed automatically (certbot renew).
https://ssl-tools.net/mailservers/dargels.de
https://dane.sys4.de/smtp/dargels.de
But I’m not sure how many mail server administrators value DANE.
Seems like there are two possible solutions to this:
- Since the TLSA record is tied to the public key, not the certificate, instruct whichever ACME client you’re using to reuse the keys. For
acme.sh, that’s the default behavior; forcertbot, you’d use the--reuse-keyflag. If the public key doesn’t change, the TLSA record doesn’t need to change. - If your DNS host supports automation (and if it doesn’t, consider changing to one that does–I continue to like and recommend Cloudflare), automate the update to the DNS record. This script (and its comments) should point you in the right direction for Cloudflare: A bash script to update a Cloudflare DNS A record with the external IP of the source machine · GitHub
- Edit: a possible third. In the day of HPKP, it was recommended to pin a CA cert, not the leaf cert. If TLSA also allows (or recommends) this, do so.
Not to say this wouldn’t be a nice feature to automate into Neth’s hypothetical built-in authoritative DNS server, but I think it can be handled now with less difficulty than what you’re doing.
2 Likes
Sorry for hijacking the thread…
I’ve thought about that, too. But I am not at all sure if I can manage the migration in such a way that I can guarantee an uninterrupted operation of my DNS zones and the server installations that depend on them.
I have not found a guide that I fully trust. So far I have only found this one and halfway understood it.
https://community.cloudflare.com/t/recommended-practice-for-migrating-dns/161092/4
I have the impression that all these guides assume that you are familiar with the specialties with Cloudflare.
I noticed when I migrated my last domain to Cloudflare that they’d greatly streamlined the process–they query your current authoritative servers and duplicate all the records. So the process really is as simple as “register for Cloudflare, add the domain, (confirm that the records are transferred properly, making any desired changes), change nameservers at your registrar.” But until you take that last step, that of changing the nameservers at your domain registrar, you can mess around with the DNS records all you want, with no impact to the rest of the world.
You don’t need to use the Cloudflare CDN at all. You can, of course, and use it (to a degree) for no cost too, but you don’t need to use that feature at all.
1 Like
I have tested the first steps, but it doesn’t look so simple. But I think discussing that is not the real place here. I will open a new thread for this once.
1 Like
Overall it would be interesting to see Technitium installed Via docker
Docker is a supported installation method for Technitium, so that would be straightforward enough–just install docker-compose, edit docker-compose.yml, docker-compose up -d, and you’re up and running. The problem on Neth is that there’s something else already using port 53, so you’d need to either remove that (and break the rest of the system) or have Technitium listen on some other port (and thus be pretty much useless).
Edit: I wonder how this would work: Go ahead and set up Technitium, but rather than listening on port 53, have it listen on, say 5335. Then tell the system its DNS server is 127.0.0.1#5335. This is pretty much how you set up Unbound on a Pi-Hole…