nsdmin
For the DIY DNS admin... an alpha preview:
http://demo.nsdmin.com Login: admin / demo
nsdmin is a PHP/SQLite web interface for dns administration.
- Runs on same host as the master nameserver.
- Supports nsd slave nameservers.
Test nameservers are active.
ns1.demo.nsdmin.com (master) ns2.demo.nsdmin.com (slave)
So you can add/modify a zone and then test with dig @ns1.demo.nsdmin.com ...
Notes:
- It's single-user, no concept (yet) of multiple users and zone ownership.
- Lots o' bugs, and not feature-complete.
- New zones are available on the master (ns1) after activation.
- New zones are available on the slave within 5 minutes (cron job).
- Modifications to an existing zone are available immediately (upon activation) on the slave.
- ns1 & ns2 are both 64MB LEBs, using ~12 MB RAM.
Comments, suggestions welcome.
Comments
I very much like.
One suggestion: you may want to add a pre-defined TTL dropdown, instead of just a textbox :)
Looks very nice. I made a similar thing over the summer (although not nearly as featured), also using nsd, only I called it NSaDmin (creepy...). Anyway, as I say, even from the demo yours seems considerably more advanced than mine, but the code is up on GitHub if you want to have a look in case anything there will aid your development.
Tip: replace empty record name with "@" char
Did you do the panel design (css) yourself?
curl -L range.website
I remember Linode's interface with this, great project! :)
Found a bug with the radio buttons.
My Mail Servers Gmail Servers None
When I hover over Gmail and then to none, I notice that 2 of them will be highlighted at the same time instead of 1 no matter how I move the mouse.
We operate the network AS62638 | Available in Syd AU and Dallas, Los Angeles and NYC USA
Looks a nice job!
Freedns Hosting - www.DNSbed.com
Hmmm... perhaps :)
Will do, thanks.
Yes, it's kind of thrown together with bits and pieces from other projects. Needs more work :)
HTML error, fixed & thanks.
I've been asked in a PM if this would be an open source project. The answer is yes.
@gbshouse @DNSbed : I'd like to draw on your DNS expertise if that's OK. Particularly for error checking... for record submissions that are DNS-illegal. For example, I know that I shouldn't allow a CNAME or TXT record to be created with the same name as another record, e.g. an A record. If you'd care to point out other no-no's it would be appreciated. Yes, I'm reading the docs but human input helps :)
hmmm let me think
- for A check valid IPv4
- for AAAA check valid IPv6
- record name, domain name, only [a-zA-Z0-9.-]
- for TXT check no new lines, tabs etc.
- for MX check for priority
Take a look on this page and read all (or almost all) RFCs
Thanks for that...
@sleddog Yeah I asked via PM because I feel like contributing to the project by doing the UI, if that's possible :)
@rgenzon
How much do you charge for UI work and do you have much experience with panels? I've got a possible job for you coming up.
@sleddog - don't worry for us it took 6 months to write whole system (with 6 dedicated developers) but it included rewriting some parts of PowerDNS, custom control panel, cluster management and monitoring plus some elements of AI :)
@gbshouse would you ever consider selling Rage4?
@Zen - sure, why not?
I've written some error-checking for invalid records (and zones), if anyone would like to try creating invalid entries.
http://demo.nsdmin.com Login: admin / demo
@Zen I'll be sending you a PM shortly. Thanks
$hijack = 'off'
FTFY
:-)
If anyone's interested in this project I can do a beta release this week. If not, well, eventually....
What about TXT record names? Underscores are legal, anything else? I'm having a hard time finding definitive specs for this....
@sleddog - for TXT allow everything except new lines and tabs (\r\n\t)
Even for the record name?
@sleddog - no for name a-z, 0-9, -, ., _
Apparently any single string isn't meant to be greater than 255 characters either. I'd also be interested in testing this once you're ready.
Thanks for 255 char tip.
I'm having a hard time deciding what I should or shouldn't include feature-wise for a test release. Right now the core functionality seems pretty stable, but there are lots of quirks (mostly with getting it set up and running correctly). Should I put it out and let users guide it, or hone it more according to my ideas (I've got several things I want to do with it)?
Underscores are also legal in the names of SRV records.
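The record-checking rules collected in this thread (valid IPv4/IPv6 for A/AAAA, the allowed name characters including underscore for TXT and SRV names, no newlines or tabs in TXT, the 255-character string limit, a required MX priority, and the CNAME-cannot-share-a-name rule) are pulled together below as an added Python validator. This is example code written for this page, not nsdmin's own PHP; the `existing` list of (name, type) pairs is an assumed input shape, and the coexistence rule is applied to CNAME only, since the RFCs do allow a TXT record to share a name with an A record.

```python
import ipaddress
import re

# Allowed characters for a record name, as agreed in the thread: letters, digits,
# '-', '.', '_'. '@' stands for the zone apex (the "empty" name).
NAME_RE = re.compile(r"^(@|[A-Za-z0-9._-]+)$")
# A hostname-style target for CNAME / MX values; a trailing dot is allowed.
HOST_RE = re.compile(r"^[A-Za-z0-9._-]+\.?$")
TXT_MAX_STRING = 255  # bytes per TXT <character-string>; longer text must be split


def validate_record(rtype, name, value, existing, priority=None):
    """Return the list of reasons a proposed record is DNS-illegal (empty = OK).

    existing: (name, type) pairs already present in the zone, needed for the
    CNAME-exclusivity rule. priority: MX preference, required for MX only.
    """
    errors = []
    rtype = rtype.upper()

    if not NAME_RE.match(name):
        errors.append("name may only contain a-z, 0-9, '-', '.', '_' "
                      "(use '@' for the zone itself)")

    if rtype == "A":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            errors.append("A value %r is not a valid IPv4 address" % value)
    elif rtype == "AAAA":
        try:
            ipaddress.IPv6Address(value)
        except ValueError:
            errors.append("AAAA value %r is not a valid IPv6 address" % value)
    elif rtype == "TXT":
        if any(c in value for c in "\r\n\t"):
            errors.append("TXT value must not contain newlines or tabs")
        if len(value.encode("utf-8")) > TXT_MAX_STRING:
            errors.append("TXT string exceeds %d bytes; split it into several strings"
                          % TXT_MAX_STRING)
    elif rtype == "MX":
        if priority is None or not 0 <= int(priority) <= 65535:
            errors.append("MX record needs a priority (preference) between 0 and 65535")
        if not HOST_RE.match(value):
            errors.append("MX value must be a hostname")
    elif rtype == "CNAME":
        if not HOST_RE.match(value):
            errors.append("CNAME value must be a hostname")

    # A CNAME must be the only record at its name (RFC 1034 section 3.6.2), so it
    # may neither join existing records nor be joined by new ones.
    types_here = [t.upper() for n, t in existing if n == name]
    if rtype == "CNAME" and types_here:
        errors.append("%s already has %s record(s); a CNAME cannot share a name"
                      % (name, "/".join(sorted(set(types_here)))))
    elif rtype != "CNAME" and "CNAME" in types_here:
        errors.append("%s is a CNAME; no other record may use that name" % name)
    return errors
```

Everything the web form submits should pass through this before it touches the zones/records tables; the returned list is what the "log an error" path would show the user.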
I think anything that's a distributed system such as this is bound to be a pain to get working straight away. Not sure if you are doing it the same way, but I found giving PHP the permissions to write the zone files was quite awkward for a public release, as it could be quite system-dependent (given file locations and the user PHP was running under). Personally I'd make it do what you want first, but it's your call. That said, if you do want to see how it runs at this stage on a "fresh system" I'd still be more than happy to run it whenever.
Source available for this anywhere to test it?
Not yet, sorry.
Are you going to release the code? You might want to take a look at: http://99lime.com - is what I use for the visual side of projects, since I suck at that...
https://raymii.org - https://cipherli.st
Looks very nice and has a lot of potential. One suggestion I'd make is bootstrap or a modified bootstrap for the UI. Might make it a lot easier for you in terms of design modifying it.
Eventually, perhaps, maybe, I guess. I've kind of put an open source release on the backburner as there didn't seem to be a lot of interest, and it seems that anycast dns is the current buzz.
Any plans to support Bind?
I for one am interested, if the code was to be released. You've done a great job here, it's so simple, yet functional and powerful. I'd "dig" to see how it works behind the scenes :)
I don't plan to, but I'm sure it could be modified... see below.
How it works...
First we create a new system user, called 'nsdmin' (or whatever). This user is assigned a standard shell, but does not have a password, so shell login is not possible.
Web Interface
The web interface runs as user 'nsdmin'. I do it with a dedicated php-fpm pool and nginx. There are other ways.
The web interface does nothing more than manage data in a sqlite database. There are two tables: zones & records.
I try to do error-detection to avoid entering dns-illegal values. But it's complex, at least for me :)
The 'zones' sql table has a field called 'status'. status can be one of four values:
- 0 - not modified / active
- 1 - new
- 2 - modified
- 9 - deleted
When you add/delete zones, or modify a zone (by adding/deleting/modifying records) the zone status is updated appropriately.
If there are any zones with status > 0, the 'Status' button at top lights up (changes color). Click it and you're taken to the status page which summarizes the changes and provides you with an 'Activate' button.
Activate - Stage 1 (update.php)
When you click 'Activate' you run a simple wrapper script (activate.php). This script looks for a running process called 'update.php'. update.php is written as a PHP CLI script.
update.php is written in PHP as it interacts with the sqlite database. It's done as a CLI script so that it can be backgrounded and separated from the refreshing web page.
update.php has 3 functions:
update.php runs as user 'nsdmin'. The generated zones.conf file and the bind zonefiles are stored in a temporary 'data' directory that user 'nsdmin' manages.
If this all goes well (no detected errors) then update.php launches sync.sh with sudo permissions - "sudo sync.sh".
Activation - Stage 2 (sync.sh)
sync.sh does two things:
of course, visudo is used to configure user nsdmin to run sync.sh with sudo permissions.
That's it. Simple....
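The zone status values and the Activate stage described above, as an added Python/sqlite sketch (example code for this page, not nsdmin's own PHP). It keeps the two tables and the 0/1/2/9 status transitions as the post describes them, then, at activation, renders a zonefile per pending zone and an nsd-style zones.conf and resets the status. The SOA/$TTL lines, the `<zone>.zone` file naming and the exact zones.conf layout are my assumptions; writing the files to the data directory and then calling `sudo sync.sh` is left to the caller, as in update.php.

```python
import sqlite3

# zones.status values described in the post
ACTIVE, NEW, MODIFIED, DELETED = 0, 1, 2, 9


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS zones (
            id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL, status INTEGER NOT NULL);
        CREATE TABLE IF NOT EXISTS records (
            id INTEGER PRIMARY KEY, zone_id INTEGER NOT NULL REFERENCES zones(id),
            name TEXT NOT NULL, type TEXT NOT NULL, value TEXT NOT NULL, ttl INTEGER NOT NULL);
    """)
    return db


def zone_id(db, zone):
    row = db.execute("SELECT id FROM zones WHERE name=?", (zone,)).fetchone()
    if row is None:
        raise KeyError(zone)
    return row[0]


def status_of(db, zone):
    return db.execute("SELECT status FROM zones WHERE name=?", (zone,)).fetchone()[0]


def add_zone(db, zone):
    db.execute("INSERT INTO zones (name, status) VALUES (?, ?)", (zone, NEW))


def delete_zone(db, zone):
    """A never-activated zone just disappears; an active one is flagged DELETED
    so that activation removes it from the nameserver."""
    zid = zone_id(db, zone)
    if status_of(db, zone) == NEW:
        db.execute("DELETE FROM records WHERE zone_id=?", (zid,))
        db.execute("DELETE FROM zones WHERE id=?", (zid,))
    else:
        db.execute("UPDATE zones SET status=? WHERE id=?", (DELETED, zid))


def mark_modified(db, zid):
    # Only an ACTIVE zone becomes MODIFIED; NEW stays NEW, DELETED stays DELETED.
    db.execute("UPDATE zones SET status=? WHERE id=? AND status=?", (MODIFIED, zid, ACTIVE))


def add_record(db, zone, name, rtype, value, ttl=3600):
    zid = zone_id(db, zone)
    db.execute("INSERT INTO records (zone_id, name, type, value, ttl) VALUES (?,?,?,?,?)",
               (zid, name, rtype, value, ttl))
    mark_modified(db, zid)


def delete_record(db, zone, name, rtype):
    zid = zone_id(db, zone)
    db.execute("DELETE FROM records WHERE zone_id=? AND name=? AND type=?", (zid, name, rtype))
    mark_modified(db, zid)


def pending_changes(db):
    """What the Status page summarizes (and what lights the button): status > 0."""
    return db.execute("SELECT name, status FROM zones WHERE status > 0 ORDER BY name").fetchall()


def render_zonefile(db, zid, zone, serial):
    # SOA timers and the ns1/hostmaster names are placeholders (assumed layout).
    lines = ["$ORIGIN %s." % zone, "$TTL 3600",
             "@ IN SOA ns1.%s. hostmaster.%s. %d 3600 900 1209600 300" % (zone, zone, serial)]
    for name, rtype, value, ttl in db.execute(
            "SELECT name, type, value, ttl FROM records WHERE zone_id=? ORDER BY name, type", (zid,)):
        lines.append("%s %d IN %s %s" % (name, ttl, rtype, value))
    return "\n".join(lines) + "\n"


def activate(db, serial):
    """Stage 1 (update.php): build files for every pending zone, then reset status.
    Returns (zones_conf_text, {zone: zonefile_text}); unchanged zones keep their files."""
    zonefiles = {}
    for zid, zone, status in db.execute("SELECT id, name, status FROM zones WHERE status > 0").fetchall():
        if status == DELETED:
            db.execute("DELETE FROM records WHERE zone_id=?", (zid,))
            db.execute("DELETE FROM zones WHERE id=?", (zid,))
        else:
            zonefiles[zone] = render_zonefile(db, zid, zone, serial)
            db.execute("UPDATE zones SET status=? WHERE id=?", (ACTIVE, zid))
    # zones.conf lists every zone that is now active, one nsd "zone:" block each.
    conf = "".join('zone:\n\tname: "%s"\n\tzonefile: "%s.zone"\n' % (z, z)
                   for (z,) in db.execute("SELECT name FROM zones ORDER BY name"))
    db.commit()
    return conf, zonefiles
```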
Would love to get this open source @sleddog, would be great to look at.
@sleddog thank you for taking the time to explain how it works, and you're right, it's simple and like I said before functional! :)
Is it safe to have the web interface able to sudo? I'd put sync.sh on a directory that only /it/ can access, and only read+execute. Then chmod setuid on it and chown it to root, I think that's safer ;)
@KamalN7
Maybe yes, I don't know.
Remember that the web interface is running as 'nsdmin', not 'www-data'. The sync.sh script is currently accessible only by user nsdmin. And user nsdmin is only allowed to sudo the sync.sh script:
@sleddog - maybe you can add cron job for sync.sh (executed every minute) to separate web interface from backend
@KamalN7
I'd hate to have to do it that way, it destroys the flow and takes the decision of making changes live out of the admin's hands.
What I meant was user 'www-data' is not configured to sudo.
If php can do sudo, then if there is an exploit in your script it can ruin the whole server
@KamalN7
I'm struggling to understand how that could happen.
User nsdmin can sudo ONLY the sync script. If there's a php script exploit, then any attempt to sudo other commands would fail (enforced by sudo).
@sleddog - yeah, but if it will be possible to switch the content of sync script (even using different attack type) to something nasty it will be dangerous
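The concern just raised, that the sudo rule is only as strong as the script it points at, can be narrowed with a pre-flight check before update.php hands sync.sh to sudo: refuse unless the file is a regular root-owned file that nobody else can write and that lives in a directory nobody else can write either. Below is an added Python version of that check (example code for this page, not nsdmin's own); the `/usr/local/sbin/nsdmin-sync.sh` path is an assumption, and `demo()` builds a throwaway script owned by the current user so the check can be exercised without root.

```python
import os
import stat
import subprocess
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def script_is_trusted(path, owner_uid=0):
    """Return (True, "") if `path` is safe to hand to sudo, else (False, reason).

    Safe means: a regular file (not a symlink), owned by owner_uid (root by
    default), not writable by group or others, and held in a directory that is
    not writable by group or others (otherwise the file could be renamed away
    and replaced without its own permissions ever changing).
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "is a symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != owner_uid:
        return False, "owned by uid %d, expected %d" % (st.st_uid, owner_uid)
    if st.st_mode & WRITABLE_BY_OTHERS:
        return False, "group/world writable"
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & WRITABLE_BY_OTHERS:
        return False, "directory is group/world writable"
    return True, ""


def run_sync(script="/usr/local/sbin/nsdmin-sync.sh"):  # path is an assumption
    """What update.php would do after generating the files: check, then sudo."""
    ok, why = script_is_trusted(script)
    if not ok:
        raise RuntimeError("refusing to run sudo %s: %s" % (script, why))
    # -n: never prompt, so a missing sudoers rule fails instead of hanging
    return subprocess.run(["sudo", "-n", script], check=False).returncode


def demo():
    """Exercise the check on a constructed script owned by the current user."""
    d = tempfile.mkdtemp()  # created mode 0700, so the directory test passes
    p = os.path.join(d, "sync.sh")
    with open(p, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(p, 0o750)
    me = os.getuid()
    good = script_is_trusted(p, owner_uid=me)
    os.chmod(p, 0o777)
    sloppy = script_is_trusted(p, owner_uid=me)
    link = os.path.join(d, "link.sh")
    os.symlink(p, link)
    via_link = script_is_trusted(link, owner_uid=me)
    return good, sloppy, via_link
```

This complements, rather than replaces, the sudoers restriction: sudo decides which command nsdmin may run, and the check confirms that the command file itself could only have been written by root.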
I've been working on implementing support for dynamic DNS, and I'd like to run it by the eagle eyes here. Basically there's two tasks: (1) make it work, and (2) make it secure.
The first isn't that hard. It's the second I'm looking for input on.
Here's my current setup:
On the client machine I run a bash script as a cronjob, which fetches the current public IP and compares it to the last POSTed one. If it's different, then it POSTs to the nsdmin server using the curl command. So something like:
$URL is a PHP script on the nsdmin server. The URL can of course be secure (https) so we're not POSTing in plain text.
The PHP script that receives the POST is governed by a configuration, e.g.:
Note that...
The script will log an error and exit if either of the following conditions is true:
Password is currently just SHA1, so yes that could be toughened up (maybe with salt?).
So what do you think? Is there a glaring security hole?
Comments appreciated, thanks :)
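For the server side of the dynamic DNS scheme above, here is an added Python sketch of what the receiving script has to decide (example code for this page, not nsdmin's PHP). It shows the unsalted SHA1 the post currently uses beside a salted PBKDF2 form, compares hashes in constant time, checks the host against a per-host configuration, and validates the address before anything reaches the records table. The configuration layout, the POST field names (`host`, `password`, `ip`) and the "unknown host / bad password / unusable ip" stop conditions are assumptions; TLS on the URL is assumed to be handled by the web server as the post says.

```python
import hashlib
import hmac
import ipaddress
import logging
import os

log = logging.getLogger("ddns")

# --- weak form, as in the post: unsalted SHA1 of the password -----------------
# Identical passwords give identical hashes and precomputed tables apply.
def sha1_hash(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# --- hardened form: per-password random salt + PBKDF2-HMAC-SHA256 (stdlib) ----
# Stored as "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>".
ITERATIONS = 200_000


def make_password_hash(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def check_password(password, stored):
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so timing does not reveal how much matched
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed per-host configuration (the post does not show its real layout):
# each dynamic host gets its own credential, so one leaked password only
# exposes one record.
CONFIG = {
    "home.example.com": {"zone": "example.com",
                         "password_hash": make_password_hash("correct horse battery")},
}


def handle_update(post, remote_addr, config=CONFIG):
    """Decide what to do with one POSTed update.

    Returns ("ok", host, ip) when the record should change, or ("error", reason)
    after logging; the three reasons are the stop conditions assumed here.
    """
    host = post.get("host", "")
    entry = config.get(host)
    if entry is None:
        log.error("ddns: unknown host %r from %s", host, remote_addr)
        return ("error", "unknown host")
    if not check_password(post.get("password", ""), entry["password_hash"]):
        log.error("ddns: bad password for %s from %s", host, remote_addr)
        return ("error", "bad password")
    # The client may state its address; otherwise use the source of the POST.
    candidate = post.get("ip") or remote_addr
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        log.error("ddns: %s sent unparsable address %r", host, candidate)
        return ("error", "unusable ip")
    # Pointing a public record at loopback, link-local, multicast or 0.0.0.0 is
    # never a legitimate dynamic update.
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        log.error("ddns: %s sent unusable address %s", host, ip)
        return ("error", "unusable ip")
    return ("ok", host, str(ip))
```

The "ok" tuple is what the script would then turn into an A (or AAAA) record change and a zone status update, so the existing activation path still decides when it goes live.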
I don't think so; sanitization, maybe, but since the PHP script can be set to be inaccessible by the public, I think there isn't much of a need for that.
This is pretty much exactly how I would make my app, though it is quick and dirty it works and isn't insecure (from what I can tell off the top of my head without looking at actual code).