Which DNS tool/service do you use (wanna get rid of bind9)

lemon Member
edited December 2017 in General

So,
I know, never change a running system, but I have an old Debian 5(!) server which is running bind9, and managing the zones with vi is a pain in the butt. Also I want to relieve this server from its hard work :^)

Is there any fancy DNS management tool with a web interface, so I can get rid of this old system? (something like the web interface Cloudflare has)
I'm getting sick of changing the serial and reloading bind every time, and there's no syntax check.

There are about 200 zone files to manage.

Edit: It has to be self hosted.


Comments

  • Hurricane electric (dns.he.net) only limits the number of different sites, so that may be something to look into.

    Also when using cloudflare, you can always turn off their "DDoS shield". If you do that, it's basically a DNS hosting service.

    Maybe afraid.org is interesting for you. I've happily used it for years, and it seems that nothing has changed in the meantime.

  • I think you should migrate to nsd - you can still use vi (or vim and/or sed/awk etc.) and get the job done really fast and of course it also comes with tools to check the zone files. Unless of course you really want a web interface (etc.)

    Thanked by 1MeMyselfandLinux
  • I want it to be self hosted; that old bind server is the registered nameserver for all the domains, so Cloudflare won't do it, it was just a comparison.

  • mfs Banned, Member

    The already suggested nsd should be pretty easy to implement if you're coming from BIND. Besides, if you're looking to "secure" your EOL installation and if you want a web server on top of it, you should really give a look at dnsdist (you can place it in front of any DNS server).

  • WSS Member
    edited December 2017

    @nullnothere said:
    I think you should migrate to nsd - you can still use vi (or vim and/or sed/awk etc.) and get the job done really fast and of course it also comes with tools to check the zone files. Unless of course you really want a web interface (etc.)

    This.

    nsd will even accept your old BIND file format, so other than configuring NSD itself, you can hit the ground running in minutes (and its config file is a pile of piss - think of it like moving from sendmail to postfix/exim). The DNSSEC and private shared-key transfer between slave and master is trivial to configure.

    @mfs, @nullnothere NSD bros.

    Thanked by 1nullnothere
  • lemon said: no syntax check

    named-checkzone is helpful for this. Never restart bind9 without running it first.

  • @NodePing said:

    lemon said: no syntax check

    named-checkzone is helpful for this. Never restart bind9 without running it first.

    Who the fuck restarts their nameservice instead of just HUPping it? What bass-ackwards service doesn't reload zones and config with a hup (or nsd reload)?

  • @NodePing said:

    lemon said: no syntax check

    named-checkzone is helpful for this. Never restart bind9 without running it first.

    This hasn't worked for as long as I can remember; it says every file has wrong syntax, and I'm not going to fix every single file for perfect syntax, because I'm very very veryyyy lazy.

  • WSS said: restarts

    True dat - reload rather than restart unless you're changing config options (caching and the like).

  • @mfs said:
    The already suggested nsd should be pretty easy to implement if you're coming from BIND. Besides, if you're looking to "secure" your EOL installation and if you want a web server on top of it, you should really give a look at dnsdist (you can place it in front of any DNS server).

    I'll have a look into it, but it seems like much work.
    Is there nothing where I have to do the least?
    Maybe this is the wrong forum to ask, but it's ok if it is a commercial (paid) product.

  • @NodePing said:

    WSS said: restarts

    True dat - reload rather than restart unless you're changing config options (caching and the like).

    Now which one still shits when a config is broken rather than saying "Hey fuckpocket, I can't read this zone, so I'm not touching it"?

  • lemon said: i'm very very veryyyy lazy

    Then you probably should be reconsidering your choice to run your own DNS service, if you can't be bothered with proper syntax to ensure you don't hose something on a reload.

    Thanked by 1WSS
  • @NodePing said:

    lemon said: i'm very very veryyyy lazy

    Then you probably should be reconsidering your choice to run your own DNS service, if you can't be bothered with proper syntax to ensure you don't hose something on a reload.

    This is an example config, please tell me what's wrong.

    ;
    ; The full zone file
    ;
    @               1D IN SOA       ns1.nameserver.tld. hostmaster.nameserver.tld. (
                                    2012010101      ; serial, today's date + today's serial #
                                    5H              ; refresh, seconds
                                    60M             ; retry seconds
                                    1W              ; expire seconds
                                    1D )            ; minimum, seconds
    ;
                    1D      IN      NS              ns1.nameserver.tld. ; Inet Address of name server
                    1D      IN      NS              ns2.nameserver.tld.
    ;
                    1D      IN      MX      10      mx.example.org.
    ;
    @               1D      IN      A       123.123.123.123
    www             1D      IN      A       100.100.100.100
    
  • It was written for BIND 4, not BIND 8+. You haven't set an $ORIGIN, et al.

  • webmin will give you an interface to bind that auto-increments serials and is self hosted.

    Thanked by 1lemon
  • rm_ IPv6 Advocate, Veteran
    edited December 2017

    lemon said: I'm getting sick of changing serial and reloading bind everytime. and there's no syntax check.

    You couldn't write a little script which would autogenerate serial and put it into place where your source zonefile has %SERIAL% in it (or the like) -- and reload the nameserver for you?
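
    Tying rm_'s %SERIAL% idea to NodePing's named-checkzone advice from earlier in the thread, here is an added example script (the editor's, not posted in the thread and not part of BIND or nsd). It assumes a per-zone template that contains the literal marker %SERIAL%, a live zone file next to it, and the BIND tools named-checkzone and rndc; the template and zone paths are placeholders. The serial helpers are plain POSIX sh and run without any DNS software installed; the check and reload steps are skipped when the tools are absent.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): build a zone file from a
# template carrying %SERIAL%, bump the serial, syntax-check the result and
# reload only that zone. Paths, zone names and the use of rndc/named-checkzone
# are assumptions; the helpers are POSIX sh so they also run on their own.

# next_serial CURRENT TODAY: print the next YYYYMMDDNN serial.
# CURRENT is the serial in the live zone (0 if none), TODAY is YYYYMMDD.
# If CURRENT is already at or past today's base (more than 99 edits in one
# day, or a zone that once used a unix-timestamp serial), just add one so the
# serial still increases and secondaries still pick the zone up.
next_serial() {
    cur=$1
    base="${2}00"
    if [ "$cur" -lt "$base" ]; then
        echo "${2}01"
    else
        echo $((cur + 1))
    fi
}

# current_serial ZONEFILE: print the serial from the SOA record, i.e. the
# first all-digit field of at least nine digits on or after the "SOA" line
# (this matches the multi-line SOA layout used in the zone files in this thread).
current_serial() {
    awk '
        /SOA/ { insoa = 1 }
        insoa {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+$/ && length($i) >= 9) { print $i; exit }
        }
    ' "$1"
}

# render_zone TEMPLATE LIVE STAGE TODAY: write STAGE from TEMPLATE with
# %SERIAL% replaced by the serial that follows the one found in LIVE.
# Prints the new serial. LIVE may not exist yet (first deployment).
render_zone() {
    tpl=$1; live=$2; stage=$3; today=$4
    cur=0
    if [ -f "$live" ]; then
        cur=$(current_serial "$live")
        [ -n "$cur" ] || cur=0
    fi
    new=$(next_serial "$cur" "$today")
    sed "s/%SERIAL%/$new/" "$tpl" > "$stage" || return 1
    echo "$new"
}

# deploy_zone ZONE TEMPLATE LIVE: render, check, install, reload.
# The live file is replaced only after named-checkzone accepts the staged
# copy, so a typo never reaches the running server. Check and reload are
# skipped when the BIND tools are not installed (e.g. on a workstation).
deploy_zone() {
    zone=$1; tpl=$2; live=$3
    stage="$live.new"
    serial=$(render_zone "$tpl" "$live" "$stage" "$(date +%Y%m%d)") || return 1
    if command -v named-checkzone >/dev/null 2>&1; then
        if ! named-checkzone -q "$zone" "$stage"; then
            echo "$zone: staged file failed named-checkzone, live zone left untouched" >&2
            rm -f "$stage"
            return 1
        fi
    fi
    mv "$stage" "$live"
    if command -v rndc >/dev/null 2>&1; then
        rndc reload "$zone"   # reload this one zone, no restart needed
    fi
    echo "$zone: serial $serial installed"
}

# Usage (placeholder paths):
#   ./zonebuild.sh deploy example.org /etc/bind/templates/example.org.tpl /etc/bind/zones/example.org
case "${1-}" in
    deploy) deploy_zone "$2" "$3" "$4" ;;
esac
```

    For the 200 zones in question, a loop over the template directory calling deploy_zone per zone does the whole job; because a failed check leaves the live file and the running server untouched, one bad edit cannot take the other zones down with it.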

  • lemon Member
    edited December 2017

    @WSS said:
    It was written for BIND 4, not BIND 8+. You haven't set an $ORIGIN, et al.

    It was written for bind9, like the man page shows it: https://wiki.debian.org/Bind9#Files_in_var.2Fcache.2Fbind.2F

    Just no global TTL.

    $ORIGIN needed?

    If an $ORIGIN directive is not defined - BIND synthesizes an $ORIGIN from the zone name in the named.conf file.

  • @rm_ said:

    lemon said: I'm getting sick of changing serial and reloading bind everytime. and there's no syntax check.

    You couldn't write a little script which would autogenerate serial and put it into place where your source zonefile has %SERIAL% in it (or the like) -- and reload the nameserver for you?

    Well, that's just a little aspect of the whole problem.
    As I said, the system is very old, and shall be replaced by something nicer. If bind is top notch, I'll stay with it and just migrate to the latest Debian.

  • @lemon said:

    If an $ORIGIN directive is not defined - BIND synthesizes an $ORIGIN from the zone name in the named.conf file.

    You're asking why it's angry; I answered you. Falling back on compatibility mode with a 20+ year old syntax is no excuse. I'm changing my vote to "Use whatever your registrar offers for free."

  • @WSS said:

    @lemon said:

    If an $ORIGIN directive is not defined - BIND synthesizes an $ORIGIN from the zone name in the named.conf file.

    You're asking why it's angry; I answered you. Falling back on compatibility mode with a 20+ year old syntax is no excuse. I'm changing my vote to "Use whatever your registrar offers for free."

    What if I'm the registrar or cannot use the registrars solution?

    I still don't know what's wrong with the syntax; when did it change? And what should the syntax look like nowadays? Everything I can find on the internet is exactly the same as my example. And why does it claim bad syntax when there's no $ORIGIN, as it's pulling the value from the config?

  • WSS Member
    edited December 2017

    @lemon said:
    What if I'm the registrar

    God forbid.

    I still don't know whats wrong with the syntax, when did it change?

    After BIND 4, as mentioned. With 9+ I'm pretty sure it went from deprecated to "warning" levels. I haven't used bind since there's been an OSS alternative, and that includes djbdns. Bind made my life hell for years, so I avoid it like the plague. That said, others which use the same zones make it much easier.

    Here's a sample of what's accepted by bind/nsd/compatibles. You'll notice that not only do I have short (5 minute) TTLs, but I use the numeric syntax so there's no late-night flubbing numbers.

    $ORIGIN myzone.com.
    myzone.com. 3600    IN  SOA ns1.mydns.com. dns.myzone.com. (
            2017123001 3600 900 1209600 1800 )
        1800    IN  TXT "v=spf1 mx a:mail.mydns.com ... ~all"
    ;   3600    IN  CAA 128 issue   "letsencrypt.org"
        3600    IN  NS  ns1.mydns.com.
        3600    IN  NS  ns2.mydns.com.
        3600    IN  MX  10 mail.mydns.com.
        3600    IN  MX  20 relay.mydns.com.
        300 IN  A   x.x.x.x
        300 IN  AAAA    y:y:y:y:y::y
    $ORIGIN myzone.com.
    _dmarc      300 IN  TXT "v=DMARC1; p=none"
    $ORIGIN myzone.com.
    www     300 IN  A   x.x.x.x
            300 IN  AAAA    y:y:y:y:y::y
    mail    300 IN  A   x.x.x.x
    

    E: Technically, the second/third $ORIGIN isn't required here. I always do that for special records as a mental reference.

  • lemon Member
    edited December 2017

    Call me a retard but I don't see major differences here.
    Can't bind handle tabs anymore the way it did? Or is it because of 1D, 5H etc.?

  • Your @ IN SOA is probably what's pissing it off. I don't use bind.

  • nik Member, Host Rep

    I am using PowerDNS and erl-dns. PowerDNS is really flexible in regards to the backend, you could easily use a BIND backend and keep your zone files or migrate to a SQL backend and write a little script that communicates with the SQL backend. PowerDNS also does offer an API.

    Erl-DNS is written by dnsimple and I really like the idea of having JSON files as zone files. Also it's written in Erlang, a language that is suited for these kinds of things.

  • But does it have a web interface? I'm searching for something with a graphical interface, otherwise switching from bind to another thing is unnecessary as bind runs fine.

  • nik Member, Host Rep

    @lemon said:
    But does it have a web interface? I'm searching for something with a graphical interface, otherwise switching from bind to another thing is unnecessary as bind runs fine.

    There are multiple tools:
    https://github.com/PowerDNS/pdns/wiki/WebFrontends
    https://github.com/ngoduykhanh/PowerDNS-Admin

  • lemon said: Is there any fancy dns management tool with webinterface, so I can get rid of this old system?

    I use nsd with an in-house web interface for about 150 domains.

    You might have a look at https://github.com/msimerson/NicTool which is a DNS web interface that supports several backend DNS servers, including nsd.

  • How about dnscontrol?

    DNSControl is a system for maintaining DNS zones. Editing zone files is error-prone. Clicking buttons on a web page is irreproducible. Synchronize your DNS to multiple providers from a simple DSL.

    I'm using it to manage 40 domain zones between DNSimple and DigitalOcean. It can output bind zones or push directly to something like Windows DNS. Adding more providers is trivial.

    Thanked by 1geekalot
  • I'm using PowerDNS with a Galera cluster for replication of the DB + dnsdist for some load balancing and extra control. We have our own scripted panel but there are multiple web interfaces available. PowerAdmin is a nice one. Not fancy looking but it gets the job done. Serving over 2K zones without issues.

    Thanked by 1geekalot
  • @sleddog said:

    I use nsd with an in-house web interface for about 150 domains.

    You might have a look at https://github.com/msimerson/NicTool which is a DNS web interface that supports several backend DNS servers, including nsd.

    Looks promising, but holy moly, this design!
    Straight outta the 90s.
