New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
Any plans to support Bind?
I for one am interested, if the code was to be released. You've done a great job here, it's so simple, yet functional and powerful. I'd "dig" to see how it works behind the scenes
I don't plan to, but I'm sure it could be modified... see below.
How it works...
First we create a new system user, called 'nsdmin' (or whatever). This user is assign a standard shell, but does not have a password, so shell login is not possible.
Web Interface
The web interface runs as user 'nsdmin'. I do it with a dedicated php-fpm pool and nginx. There are other ways.
The web interface does nothing more than manage data in a sqlite database. There are two tables: zones & records.
I try to do error-detection to avoid entering dns-illegal values. But it's complex, at least for me
The 'zones' sql table has a field called 'status'. status can be one of four values:
0 - not modified / active
1 - new
2 - modified
9 - deleted
When you add/delete zones, or modify a zone (by adding/deleting/modifying records) the zone status is updated appropriately.
If there are any zones with status > 0, the 'Status' button at top lights up (changes color). Click it and you're taken to the status page which summarizes the changes and provides you with an 'Activate' button.
Activate - Stage 1 (update.php)
When you click 'Activate' you run a simple wrapper script (activate.php). This script looks for a running process called 'update.php'. update.php is written as a PHP CLI script.
update.php is written in PHP as it interacts with the sqlite database. It's done as a CLI script so that it can be backgrounded and separated from the refreshing web page.
update.php has 3 functions:
update.php runs as user 'nsdmin'. The generated zones.conf file and the bind zonefiles are stored in a temporary 'data' directory that user 'nsdmin' manages.
If this all goes well (no detected errors) then update.php launches sync.sh with sudo permissions - "sudo sync.sh".
Activatation - Stage 2 (sync.sh)
sync.sh does two things:
of course, visudo is used to configure user nsdmin to run sync.sh with sudo permissions.
That's it. Simple....
@sleddog thank you for taking the time to explain how it works, and you're right, it's simple and like I said before functional!
Is it safe to have the web interface able to sudo?
I'd put sync.sh on a directory that only /it/ can access, and only read+execute.
Then chmod setuid on it and chown it to root, I think that's safer
I'd put sync.sh on a directory that only /it/ can access, and only read+execute.
Then chmod setuid on it and chown it to root, I think that's safer
Maybe yes, I don't know.
Remember that the web interface is running as 'nsdmin', not 'www-data'. The sync.sh script is currently accessible only by user nsdmin. And user nsdmin is only allowed to sudo the sync.sh script:
@sleddog - maybe you can add cron job for sync.sh (executed every minute) to separate web interface from backend
with sudo it can become anything
I'd hate to have to do it that way, it destroys the flow and takes the decision of making changes live out of the admin's hands.
with sudo it can become anything
What I meant was user 'www-data' is not configured to sudo.
If php can do sudo, then if there is an exploit in your script it can ruin the whole server
I'm struggling to understand how that could happen.
User nsdmin can sudo ONLY the sync script. If there's a php script exploit, then any attempt to sudo other commands would fail (enforced by sudo).
@sleddog - yeah, but if it will be possible to switch the content of sync script (even using different attack type) to something nasty it will be dangerous
I've been working on implementing support for dynamic DNS, and I'd like to run it by the eagle eyes here. Basically there's two tasks: (1) make it work, and (2) make it secure.
The first isn't that hard. It's the second I'm looking for input on.
Here's my current setup:
On the client machine I run a bash script as a cronjob, which fetches the current public IP and compares it to the last POSTed one. If it's different, then it POSTs to the nsdmin server use the curl command. So something like:
$URL is a PHP script on the nsdmin server. The URL can of course be secure (https) so we're not POSTing in plain text.
The PHP script that receives the POST is governed by a configuration, e.g.:
Note that...
The script will log an error and exit if either of the following conditions is true:
Password is currently just SHA1, so yes that could be toughened up (maybe with salt?).
So what do you think? Is there a glaring security hole?
Comments appreciated, thanks
Thanks...
Code will come I'm being slow because I want to release some that is at least relatively secure....
Gave the interface a bit of a facelift today See what you think of it...
Thinking about a failover implementation via api with uptimerobot or other service ?
Not at the present time. It would be like trying to run before learning to walk Once the basics are ironed out then yes, I'll certainly look at it.
Incidentally, I'm using nsdmin in production now. Migrated the last of my domains from dnsmadeeasy last weekend. I'm currently serving about 120 domains and 1,000 records. Was playing around with a bash script to access nsd's internal stats this morning.... here's the output when run on one of my 3 nameservers:
nsd clears its internal stats on a restart or reload. I added a new domain this afternoon, forcing a restart....
Not now of course but in the long run
Absolutely. I think the procedure would be similar to dynamic dns support, which I have working, but it needs further refinement. All in time
When the source will be available to play with ?
How much ram and cpu consume ?
Thank You again for open this path
How much ram and cpu consume ?
Source soon I hope. It's still rough in places, and I don't have much spare time lately to devote to it.
RAM & CPU? Bugger all maybe 12-16 MB with nginx, php 5.4 and nsd. Runs fine on a 32MB VPS if you know what you're doing. 128MB is luxury
Impressive , il wait paciently for the source and hope for failover ehehhehe
@sleddog did you ever release the source for this - I would be very interested in it, if you did.
thanks
Not yet, just too busy. Working for a living sucks....
No problems.
For anyone else interested in similar projects, I found this:
http://atomiadns.com
From initial look, it seems fairly complete - full api, docs and sandbox site with it all running.
Its used by Edis and if i remember well 256mb its the minimum.
nsadmin its way bellow that.
comeon... i need it to power my LEB with nsd
release pls..