Recent posts

#81
NicTool / Re: Has anyone installed NicTo...
Last post by matt - June 18, 2014, 05:43:33 PM
Quote from: rainer_d on June 18, 2014, 05:24:15 PM
I'd rather concentrate on getting the name servers locked-down properly...

That's good thinking. But if security (and performance) are your concerns (versus "support every DNS feature and install everywhere, at the cost of security") then that almost certainly means not using BIND in the first place. Just look at all them CVEs! For performance and security, choose NSD, Knot, or tinydns instead.
#82
NicTool / Re: Has anyone installed NicTo...
Last post by rainer_d - June 18, 2014, 05:24:15 PM
From http://bhyve.org/faq/ I assume one could run it on OpenBSD in a bhyve-VM on FreeBSD 10 - if one was inclined to do such a thing.
But one could probably create an absolutely minimal FreeBSD jail with just the dependencies for NicTool (and a separate one with just MySQL) and be done with it.

I'd rather concentrate on getting the name servers locked-down properly...

#83
NicTool / NicTool 2.24 released.
Last post by matt - June 18, 2014, 11:08:42 AM
Changes:

   • Export to DynECT Managed DNS service
   • Exports to BIND using nsupdate (thanks abeeson!)
   • Exports to Knot & NSD improved and documented
   • SQL: added nt_nameserver_export_type table
   • SQL: added nt_nameserver.address6 (IPv6 address)
   • SQL: added nt_nameserver.remote_login
   • BIND exports, don't delete zone file if zone deleted and re-added
   • more reliable imports of ip6.arpa zones
   • more reliable sql/upgrade.pl
   • more user-friendly sql/create_tables.pl
   • API: return nt_zone_id in edit_zone results

Much of the documentation has been improved and moved to the GitHub wiki.
#84
NicTool / Re: Has anyone installed NicTo...
Last post by matt - June 17, 2014, 10:07:41 PM
I just asked, "does OpenBSD have any decent virtualization tools" that might permit you to:


  • run BIND in one VM
  • run Apache/NicTool in a VM
  • run MySQL in a VM
  • run VPN thingy in a VM

Sort of like how I recommend here with FreeBSD jails. With jails, every "VM" gets a full unix host environment, which is tremendously easier to maintain, and more secure than dumping everything into one. Easily maintained systems are much more likely to be maintained, and therefore, more secure.

And then I read this Stack Exchange post.

Since OpenBSD sucks at virtualization, you could instead run it under VMware. Or Xen. Or ...
#85
NicTool / Re: Has anyone installed NicTo...
Last post by richmond - June 17, 2014, 09:53:26 PM
You ask reasonable questions. :)

Habit is my first answer and cheap clients is my second answer but separating out any other services (there was going to be client VPN termination on this box as well) will likely be the path of least pain/annoyance/time.  I will consider my options and strongly suggest isolating DNS from other services and a well audited off-site backup if they are worried about data loss.

Thanks Matt.  I had a sneaking suspicion that this would be the case and had kinda hoped someone bundled the modules for a chroot environment allowing me to be a bit lazier.
#86
NicTool / Re: Has anyone installed NicTo...
Last post by matt - June 17, 2014, 09:45:25 PM
I just installed OpenBSD 5.5 to have a look. I went along far enough to see where the issue would be:

https://github.com/msimerson/NicTool/wiki/Install-NicTool-on-OpenBSD

Digest version: Installing chrooted is going to be painful.

We aren't in the dark days of yore when hardware was expensive and we had to run as much as we could on it. This system will probably run only NicTool, right? Is chroot even sensible? What exists on that host, outside the chroot, that you are protecting? **

Matt

** besides the nictool data in mysql, which is already compromised if attackers own the chroot environment.
#87
NicTool / Has anyone installed NicTool o...
Last post by richmond - June 17, 2014, 07:37:52 PM
I seem to be hitting wall after wall with incorrect/missing Perl dependencies on a current release of OpenBSD (not -current). Has anyone gone through the effort of making this work on this OS?

I would like to keep chroot enabled and as much security control in place as possible as I'm building this for a group known to not be very proactive with administrative duties.

-Apologies, forgot more context-
I'm looking for a client/server install with BIND on the same host as well as a second host running BIND only.
#88
NicTool / Re: Problem with Umlauts in co...
Last post by matt - June 15, 2014, 10:19:00 PM
I just checked on this, and UTF-8 characters are now tolerated just fine. It's likely that the SQL conversion of the tables to UTF8 a couple versions back fixed it.
#89
NicTool / Re: Using nictool to push dns ...
Last post by abeeson - June 03, 2014, 01:38:27 AM
Thanks to Matt's help this is now pulled into the main git for NicTool and should be in future installs as its own export option :)

For anybody interested, getting keys to encrypt the updates in requires a slight edit to add the key file, though I'll look at trying to get that somewhere more generic like the config etc.
#90
NicTool / Re: Issues installing 2.22
Last post by jwest - May 27, 2014, 04:53:07 PM
Blew away 2.22, did a fresh install of 2.23.... sql/create_tables.pl gives:

Otherwise, hit return to continue...

DBD::mysql::db do failed: Table 'nictool.nt_user' doesn't exist at sql/create_tables.pl line 95, <STDIN> line 10.
DBD::mysql::db do failed: Table 'nictool.nt_user_log' doesn't exist at sql/create_tables.pl line 98, <STDIN> line 10.
DBD::mysql::db do failed: Table 'nictool.nt_user_global_log' doesn't exist at sql/create_tables.pl line 102, <STDIN> line 10.

Bug or did I do something wrong?