nsdmin

sleddog Member
edited October 2012 in General

For the DIY DNS admin... an alpha preview:

http://demo.nsdmin.com Login: admin / demo

nsdmin is a PHP/SQLite web interface for dns administration.

  • Runs on same host as the master nameserver.
  • Supports nsd slave nameservers.

Test nameservers are active.

ns1.demo.nsdmin.com (master)
ns2.demo.nsdmin.com (slave)

So you can add/modify a zone and then test with dig @ns1.demo.nsdmin.com ....

Notes:

  • It's single-user, no concept (yet) of multiple users and zone ownership.
  • Lots o' bugs, and not feature-complete.
  • New zones are available on the master (ns1) after activation.
  • New zones are available on the slave within 5 minutes (cron job).
  • Modifications to an existing zone are available immediately (upon activation) on the slave.
  • ns1 & ns2 are both 64MB LEBs, using ~12 MB RAM.

Comments, suggestions welcome.

Comments

  • I very much like.

    One suggestion: you may want to add a pre-defined TTL dropdown, instead of just a textbox :)

  • TheGeekBox Member
    edited October 2012

    Looks very nice. I made a similar thing over the summer (although not nearly as featured), also using nsd, only I called it NSaDmin... creepy. Anyway, as I say, even from the demo yours seems considerably more advanced than mine, but the code is up on GitHub if you want to have a look in case anything there will aid your development.

  • Zen Member

    Did you do the panel design (css) yourself?

  • I remember Linode's interface with this, great project! :)

  • Found a bug with the radio buttons.

    My Mail Servers Gmail Servers None

    When I hover over Gmail and then to none, I notice that 2 of them will be highlighted at the same time instead of 1 no matter how I move the mouse.

  • Looks a nice job!

  • @joepie91 said: One suggestion: you may want to add a pre-defined TTL dropdown, instead of just a textbox :)

    Hmmm... perhaps :)

    @gbshouse said: Tip: replace empty record name with "@" char

    Will do, thanks.

    @Zen said: Did you do the panel design (css) yourself?

    Yes. it's kind of thrown together with bits and pieces from other projects. Needs more work :)

    @concerto49 said: When I hover over Gmail and then to none, I notice that 2 of them will be highlighted at the same time instead of 1

    HTML error, fixed & thanks.

  • I've been asked in a PM if this would be an open source project. The answer is yes.

    @gbshouse @DNSbed : I'd like to draw on your DNS expertise if that's OK. Particularly for error checking... for record submissions that are DNS-illegal. For example, I know that I shouldn't allow a CNAME or TXT record to be created with the same name as another record, e.g. an A record. If you'd care to point out other no-no's it would be appreciated. Yes, I'm reading the docs but human input helps :)

  • hmmm let me think

    • for A check valid IPv4
    • for AAAA check valid IPv6
    • record name, domain name, only [a-zA-Z0-9.-]
    • for TXT check no new lines, tabs etc.
    • for MX check for priority

    Take a look at this page and read all (or almost all) RFCs

  • @gbshouse said: hmmm let me think

    Thanks for that...

  • @sleddog Yeah I asked via PM because I feel like contributing to the project by doing the UI, if that's possible :)

  • Zen Member
    edited October 2012

    @rgenzon

    How much do you charge for UI work and do you have much experience with panels? I've got a possible job for you coming up.

  • @sleddog - don't worry, for us it took 6 months to write the whole system (with 6 dedicated developers), but it included rewriting some parts of PowerDNS, a custom control panel, cluster management and monitoring plus some elements of AI :)

  • Zen Member

    @gbshouse would you ever consider selling Rage4?

  • I've written some error-checking for invalid records (and zones), if anyone would like to try creating invalid entries.

    http://demo.nsdmin.com Login: admin / demo

  • @Zen I'll be sending you a PM shortly. Thanks

  • @rgenzon said: @Zen I'll be sending you a PM shortly. Thanks

    $hijack = 'off'

  • Zen Member

    @sleddog said: $hijack = 'off';

    FTFY

  • @Zen said: @sleddog said: $hijack = 'off';

    FTFY

    :-)

    If anyone's interested in this project I can do a beta release this week. If not, well, eventually....

  • sleddog Member
    edited October 2012

    @gbshouse said: - record name, domain name, only [a-zA-Z0-9.-]

    What about TXT record names? Underscores are legal, anything else? I'm having a hard time finding definitive specs for this....

  • @sleddog - for TXT allow everything except new lines and tabs (\r\n\t)

  • @gbshouse said: @sleddog - for TXT allow everything except new lines and tabs (\r\n\t)

    Even for the record name?

  • @sleddog What about TXT record names?

    Apparently any single string isn't meant to be greater than 255 characters either. I'd also be interested in testing this once you're ready.

  • @TheGeekBox said: Apparently any single string isn't meant to be greater than 255 characters either. I'd also be interested in testing this once you're ready.

    Thanks for 255 char tip.

    I'm having a hard time deciding what I should or shouldn't include feature-wise for a test release. Right now the core functionality seems pretty stable, but there are lots of quirks (mostly with getting it set up & running correctly). Should I put it out and let users guide it, or hone it more according to my ideas (I've got several things I want to do with it)?

  • @sleddog said: Underscores are legal, anything else?

    Underscores are also legal in the names of SRV records.

  • @sleddog said: I'm having a hard time deciding what I should or shouldn't include feature-wise for a test release.

    I think anything that's a distributed system such as this is bound to be a pain to get working straight away. Not sure if you are doing it the same way, but I found giving PHP the permissions to write the zone files was quite awkward for a public release as it could be quite system dependent (given file locations and the user PHP was running under). Personally I'd make it do what you want first, but it's your call. That said, if you do want to see how it runs at this stage on a "fresh system" I'd still be more than happy to run it whenever.

  • Source available for this anywhere to test it?

  • Not yet, sorry.

  • @sleddog said: Not yet, sorry.

    Are you going to release the code? You might want to take a look at http://99lime.com - it's what I use for the visual side of projects, since I suck at that...

  • Looks very nice and has a lot of potential. One suggestion I'd make is bootstrap or a modified bootstrap for the UI. Might make it a lot easier for you in terms of design modifying it.

  • @Raymii said: Are you going to release the code?

    Eventually, perhaps, maybe, I guess. I've kind of put an open source release on the backburner as there didn't seem to be a lot of interest, and it seems that anycast dns is the current buzz.

  • Any plans to support Bind?

  • I for one am interested, if the code was to be released. You've done a great job here, it's so simple, yet functional and powerful. I'd "dig" to see how it works behind the scenes :)

  • sleddog Member
    edited November 2012

    @SonicVPS said: Any plans to support Bind?

    I don't plan to, but I'm sure it could be modified... see below.

    @shaanl said: I'd "dig" to see how it works behind the scenes

    How it works...

    First we create a new system user, called 'nsdmin' (or whatever). This user is assigned a standard shell, but does not have a password, so shell login is not possible.

    Web Interface

    The web interface runs as user 'nsdmin'. I do it with a dedicated php-fpm pool and nginx. There are other ways.

    The web interface does nothing more than manage data in a sqlite database. There are two tables: zones & records.

    I try to do error-detection to avoid entering dns-illegal values. But it's complex, at least for me :)

    The 'zones' sql table has a field called 'status'. status can be one of four values:

    • 0 - not modified / active
    • 1 - new
    • 2 - modified
    • 9 - deleted

    When you add/delete zones, or modify a zone (by adding/deleting/modifying records) the zone status is updated appropriately.

    If there are any zones with status > 0, the 'Status' button at top lights up (changes color). Click it and you're taken to the status page which summarizes the changes and provides you with an 'Activate' button.

    Activate - Stage 1 (update.php)

    When you click 'Activate' you run a simple wrapper script (activate.php). This script looks for a running process called 'update.php'. update.php is written as a PHP CLI script.

    • If it's not running, update.php is started and sent to the background. update.php sends all its output (including errors) to a file 'results.txt'.
    • If update.php is running, results.txt is read and output to screen.
    • activate.php refreshes every 2 seconds, until the update.php process exits and disappears.

    update.php is written in PHP as it interacts with the sqlite database. It's done as a CLI script so that it can be backgrounded and separated from the refreshing web page.

    update.php has 3 functions:

    • generate an nsd-style zones config file called zones.conf
    • generate bind-style zone files for each new or modified zone
    • kick off sync.sh

    update.php runs as user 'nsdmin'. The generated zones.conf file and the bind zonefiles are stored in a temporary 'data' directory that user 'nsdmin' manages.

    If this all goes well (no detected errors) then update.php launches sync.sh with sudo permissions - "sudo sync.sh".

    Activation - Stage 2 (sync.sh)

    sync.sh does two things:

    • Synchronizes files between the temporary 'data' directory and nsd's configuration directory.
    • Restarts or reloads nsd (depending on what was actually done).

    Of course, visudo is used to configure user nsdmin to run sync.sh with sudo permissions.

    That's it. Simple....

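The first two jobs of update.php described above, as an added example that is not nsdmin's own code: it emits an nsd zones.conf plus a bind-style zone file for every zone whose status is 1 or 2, skips status 9, and refuses zone names outside the [a-zA-Z0-9.-] rule discussed earlier in the thread before they reach a config file. The table columns, the $TTL default and the data directory are assumptions; the sqlite rows are constructed in memory.

```php
<?php
// Added example, not nsdmin's own code: the first two jobs of update.php from the
// post, an nsd zones.conf plus a bind-style zone file per new or modified zone,
// driven by the zone 'status' values above. The table columns, the $TTL default
// and the data directory are assumptions; the sqlite rows are constructed in memory.
const ST_ACTIVE = 0, ST_NEW = 1, ST_MODIFIED = 2, ST_DELETED = 9;

function build_config(PDO $db, string $dataDir): array
{
    $zonesConf = '';
    $files = [];
    $recs = $db->prepare('SELECT name, ttl, type, content FROM records WHERE zone_id = ?');
    foreach ($db->query('SELECT id, name, status FROM zones ORDER BY name') as $z) {
        // Zone names are written verbatim into config files, so apply the thread's [a-zA-Z0-9.-] rule first.
        if (!preg_match('/^[a-zA-Z0-9.-]+$/', $z['name'])) {
            throw new RuntimeException("illegal zone name: {$z['name']}");
        }
        if ((int) $z['status'] === ST_DELETED) {
            continue;                       // left out of zones.conf, so nsd drops it on reload
        }
        $zonesConf .= "zone:\n\tname: \"{$z['name']}\"\n\tzonefile: \"{$z['name']}.zone\"\n\n";
        if ((int) $z['status'] === ST_ACTIVE) {
            continue;                       // unchanged: the existing zone file is kept
        }
        $recs->execute([$z['id']]);
        $lines = ['$ORIGIN ' . $z['name'] . '.', '$TTL 3600'];
        foreach ($recs as $r) {
            $owner = $r['name'] === '' ? '@' : $r['name'];   // gbshouse's tip: empty name means @
            $lines[] = sprintf("%s\t%d\tIN\t%s\t%s", $owner, $r['ttl'], $r['type'], $r['content']);
        }
        $files["$dataDir/{$z['name']}.zone"] = implode("\n", $lines) . "\n";
    }
    $files["$dataDir/zones.conf"] = $zonesConf;
    return $files;
}

// Constructed sample: one new zone, one unchanged, one deleted.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE zones (id INTEGER PRIMARY KEY, name TEXT, status INTEGER)');
$db->exec('CREATE TABLE records (zone_id INTEGER, name TEXT, ttl INTEGER, type TEXT, content TEXT)');
$db->exec("INSERT INTO zones VALUES (1,'example.com',1),(2,'example.net',0),(3,'old.example',9)");
$db->exec("INSERT INTO records VALUES (1,'',86400,'SOA','ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600'),
           (1,'',86400,'NS','ns1.example.com.'),(1,'www',3600,'A','192.0.2.10')");
foreach (build_config($db, '/tmp/nsdmin-data') as $path => $body) {
    echo "== $path ==\n$body";
}
```

The returned array is what sync.sh would later copy into nsd's configuration directory under sudo; writing the files into the data directory is left to the caller.
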
  • Would love to get this open source @sleddog, would be great to look at.

  • @sleddog thank you for taking the time to explain how it works, and you're right, it's simple and like I said before functional! :)

  • Is it safe to have the web interface able to sudo? I'd put sync.sh on a directory that only /it/ can access, and only read+execute. Then chmod setuid on it and chown it to root, I think that's safer ;)

  • @kamalnasser said: Is it safe to have the web interface able to sudo? I'd put sync.sh on a directory that only /it/ can access, and only read+execute. Then chmod setuid on it and chown it to root, I think that's safer ;)

    Maybe yes, I don't know.

    Remember that the web interface is running as 'nsdmin', not 'www-data'. The sync.sh script is currently accessible only by user nsdmin. And user nsdmin is only allowed to sudo the sync.sh script:

    # Host alias specification
    
    # User alias specification
    nsdmin ALL = NOPASSWD: NSD
    
    # Cmnd alias specification
    Cmnd_Alias NSD = /usr/local/nsdmin/activate/sync.sh
    
    # User privilege specification
    root    ALL=(ALL) ALL
    
    # Allow members of group sudo to execute any command
    # (Note that later entries override this, so you might need to move
    # it further down)
    %sudo ALL=(ALL) ALL
  • @sleddog - maybe you can add cron job for sync.sh (executed every minute) to separate web interface from backend

  • @sleddog said: Remember that the web interface is running as 'nsdmin', not 'www-data'.

    with sudo it can become anything ;)

  • @gbshouse said: @sleddog - maybe you can add cron job for sync.sh (executed every minute) to separate web interface from backend

    I'd hate to have to do it that way, it destroys the flow and takes the decision of making changes live out of the admin's hands.

    @kamalnasser said: @sleddog said: Remember that the web interface is running as 'nsdmin', not 'www-data'. with sudo it can become anything ;)

    What I meant was user 'www-data' is not configured to sudo.

  • @sleddog said: What I meant was user 'www-data' is not configured to sudo.

    If php can do sudo, then if there is an exploit in your script it can ruin the whole server

  • @kamalnasser said: If php can do sudo, then if there is an exploit in your script it can ruin the whole server

    I'm struggling to understand how that could happen.

    User nsdmin can sudo ONLY the sync script. If there's a php script exploit, then any attempt to sudo other commands would fail (enforced by sudo).

  • @sleddog - yeah, but if it will be possible to switch the content of sync script (even using different attack type) to something nasty it will be dangerous

  • @gbshouse said: @sleddog - yeah, but if it will be possible to switch the content of sync script (even using different attack type) to something nasty it will be dangerous

    [root@dev:/usr/local/nsdmin/activate] ls -l
    total 16K
    -rwx------ 1 root root   1.5K Oct 24 10:35 sync.sh
    -rwxr-x--- 1 root nsdmin 9.9K Oct 28 10:07 update.php
  • sleddog Member
    edited November 2012

    I've been working on implementing support for dynamic DNS, and I'd like to run it by the eagle eyes here. Basically there's two tasks: (1) make it work, and (2) make it secure.

    The first isn't that hard. It's the second I'm looking for input on.

    Here's my current setup:

    On the client machine I run a bash script as a cronjob, which fetches the current public IP and compares it to the last POSTed one. If it's different, then it POSTs to the nsdmin server using the curl command. So something like:

    RESULT=`$CURL -s --connect-timeout 10 --max-time 30 -d name=$NAME -d zone=$ZONE -d ip=$myIP -d pass=$PASS $URL`

    $URL is a PHP script on the nsdmin server. The URL can of course be secure (https) so we're not POSTing in plain text.

    The PHP script that receives the POST is governed by a configuration, e.g.:

    // dyndns configuration for home.example.com
    
    $home_example_com = array (
        'enabled'    => 'yes',
        'allow_from' => '172.21, 172.23',
        'whois_ok'   => "Name of the ISP | Some Other String",
        'password'   => '4de1beba0afa662d85f951b4gfa2e00457ba3ce5'
    );
    

    Note that...

    • 'allow_from' is a comma-separated list of partial network addresses.
    • 'whois_ok' is a pipe-separated list of text strings to look for in 'whois $ip' output.

    The script will log an error and exit if either of the following conditions is true:

    • No configuration exists for the POSTed $name.$zone combo;
    • The POSTed IP is invalid according to the PHP filter_var() function;
    • The POSTed IP does not match the PHP $_SERVER['REMOTE_ADDR'] environmental variable;
    • None of the partial network addresses in $home_example_com['allow_from'] match the POSTed IP;
    • None of the strings in $home_example_com['whois_ok'] are found in the output of 'whois $ip';
    • The password does not match.

    Password is currently just SHA1, so yes that could be toughened up (maybe with salt?).

    So what do you think? Is there a glaring security hole?

    Comments appreciated, thanks :)

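The six checks listed in the post, as an added example that is not nsdmin's own code. Two things go beyond what the post describes: allow_from prefixes are matched on label boundaries (a bare substring test would let "172.21" accept 172.210.x.x), and the 'password' field is assumed to hold a password_hash() value rather than the bare SHA1; the per-host config is keyed by name.zone instead of one variable per host, and $whoisLookup is a hypothetical callable standing in for `whois $ip` so the function can be exercised offline.

```php
<?php
// Added example, not nsdmin's own code: the six checks listed in the post as one
// function. Beyond the post, allow_from prefixes are matched on label boundaries
// (a bare substring test would let "172.21" accept 172.210.x.x) and 'password'
// is expected to hold a password_hash() value rather than an unsalted SHA1.
// $whoisLookup is a hypothetical callable standing in for `whois $ip`.
function dyndns_check(array $config, array $post, string $remoteAddr, callable $whoisLookup): string
{
    $key = ($post['name'] ?? '') . '.' . ($post['zone'] ?? '');
    if (!isset($config[$key]) || $config[$key]['enabled'] !== 'yes') return "no configuration for $key";
    $c  = $config[$key];
    $ip = $post['ip'] ?? '';
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) return 'invalid ip';
    if ($ip !== $remoteAddr) return 'posted ip does not match REMOTE_ADDR';

    // "172.21" becomes "172.21." and must start "172.21.4.9.", so 172.210.x.x is rejected.
    $sep = strpos($ip, ':') !== false ? ':' : '.';
    $allowed = false;
    foreach (array_map('trim', explode(',', $c['allow_from'])) as $prefix) {
        if ($prefix !== '' && strpos($ip . $sep, rtrim($prefix, $sep) . $sep) === 0) $allowed = true;
    }
    if (!$allowed) return 'ip not in allow_from';

    // Only a value that passed FILTER_VALIDATE_IP is handed to the whois lookup.
    $whois = $whoisLookup($ip);
    $matched = false;
    foreach (explode('|', $c['whois_ok']) as $needle) {
        if (($n = trim($needle)) !== '' && stripos($whois, $n) !== false) $matched = true;
    }
    if (!$matched) return 'whois output does not match';

    if (!password_verify($post['pass'] ?? '', $c['password'])) return 'bad password';
    return 'ok';
}

// Constructed sample run; a real handler passes $_POST, $_SERVER['REMOTE_ADDR'] and
// fn(string $ip) => (string) shell_exec('whois ' . escapeshellarg($ip)) as the lookup.
$config = ['home.example.com' => [
    'enabled'    => 'yes',
    'allow_from' => '172.21, 172.23',
    'whois_ok'   => 'Name of the ISP | Some Other String',
    'password'   => password_hash('s3cret', PASSWORD_DEFAULT),
]];
$fakeWhois = fn(string $ip): string => "inetnum: 172.21.0.0 - 172.21.255.255\norg-name: Name of the ISP\n";
$post = ['name' => 'home', 'zone' => 'example.com', 'ip' => '172.21.4.9', 'pass' => 's3cret'];
echo dyndns_check($config, $post, '172.21.4.9', $fakeWhois), "\n";
echo dyndns_check($config, ['ip' => '172.210.4.9'] + $post, '172.210.4.9', $fakeWhois), "\n";
```

The second call shows the label-boundary rule rejecting 172.210.4.9 even though "172.21" is a textual prefix of it; the REMOTE_ADDR comparison, as in the post, is what stops a caller from registering an address it does not hold.
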
  • @sleddog said: So what do you think? Is there a glaring security hole?

    I don't think so, sanitization but since the PHP script can be set to be inaccessible by the public I think there isn't much of a need for that.

    This is pretty much exactly how I would make my app, though it is quick and dirty it works and isn't insecure (from what I can tell off the top of my head without looking at actual code).