https://github.com/piyushxcoder/vps_from_scratch

https://github.com/piyushxcoder/vps_from_scratch

Last synced: 4 months ago
JSON representation

• Host: GitHub
• URL: https://github.com/piyushxcoder/vps_from_scratch
• Owner: PiyushXCoder
• Created: 2023-02-25T09:25:18.000Z (over 3 years ago)
• Default Branch: master
• Last Pushed: 2023-03-19T05:32:05.000Z (over 3 years ago)
• Last Synced: 2025-09-25T18:26:58.465Z (9 months ago)
• Homepage: https://blog.piyushxcoder.in/vps_from_scratch
• Size: 3.91 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# VPS from Scratch

## Introduction

This manual describes way to setup bind as DNS with godaddy, SSL certificate from certbot.

The manual is written for `Ubuntu 20.4`. You will have to replace your server info in configs below.

Replace `` with ip address(eg. 10.4.60.1) of your VPS server and `` with your domain name(eg. piyushxcoder.in).

### Setting up Bind DNS with godaddy

#### Install bind

```

sudo apt install bind9 bind9utils bind9-doc

```

#### Modify `/etc/default/named`

```

OPTIONS="-u bind -4"

```

#### Configure `/etc/bind/named.conf.options`

```

options {

        version "Secured DNS server";

        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want

        // to talk to, you may need to fix the firewall to allow multiple

        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable

        // nameservers, you probably want to use them as forwarders.

        // Uncomment the following block, and insert the addresses replacing

        // the all-0's placeholder.

        forwarders {

                8.8.8.8;

                8.8.4.4;

        };

        //========================================================================

        // If BIND logs error messages about the root key being expired,

        // you will need to update your keys.  See https://www.isc.org/bind-keys

        //========================================================================

        dnssec-validation auto;

        //listen-on-v6 { any; };

        allow-query {

                localhost;

                any;

        };

        listen-on port 53 {

                ;

                localhost;

        };  // listen on private network only

        server-id none;

        allow-transfer { none; };      # disable zone transfers by default

};

```

#### Configure `/etc/bind/named.conf.local`

Add Zone for every domain you are going to use.

```

// Do any local configuration here

//

// Consider adding the 1918 zones here, if they are not used in your

// organization

//include "/etc/bind/zones.rfc1918";

include "/etc/bind/named.conf.certbot";

zone "" {

        type master;

        file "/etc/bind/db.";

        allow-transfer { ; };

        also-notify { ; };

};

```

#### Create zone file as mentioned in `named.conf.local`

Example Zone file `db.`

```

; BIND data file for local loopback interface

;

$TTL    604800

@       IN      SOA     ns1.. admin.. (

                              2         ; Serial

                         604800         ; Refresh

                          86400         ; Retry

                        2419200         ; Expire

                         604800 )       ; Negative Cache TTL

@       IN      NS      .

@       IN      A       

        IN      NS      ns1..

        IN      NS      ns2..

ns1     IN      A       

ns2     IN      A       

# To redirect www handle it with ngnix

# www	IN	CNAME	.

# For Certbot

# _acme-challenge IN NS .

```

#### Check Zone files and configuration 

```

sudo named-checkconf

```

#### Restart bind server 

```

sudo service bind9 restart

```

#### Add custom host names with ns1 ns2 subdomain and pointing to your ip addresses as specified in ["Add my custom host names"](https://in.godaddy.com/help/dd-my-custom-host-names-12320).

There after change nameservers for domain with `ns1.` and `ns2.`

Do it for every domain you want to point to your DNS

__Note:__ To check if dns is working properly or not you may use `dig @ns1. `. It might be also helpful to trace route of dns from root server to yours.

#### References

#### [An Introduction to DNS Terminology, Components, and Concepts](https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts)

#### [How To Configure Bind as an Authoritative-Only DNS Server on Ubuntu 14.04](https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04)

### Setting up Certbot with Bind

#### Install certbot

```

sudo apt install certbot python3-certbot-dns-rfc2136

```

#### Generate a key to secure the update process

```

sudo sh -c "tsig-keygen -a HMAC-SHA512 tsig-key > /etc/bind/tsig.key"

```

#### Create ```/etc/bind/named.conf.certbot```

```

key "tsig-key" {

        algorithm  "hmac-sha512";

        secret "private key";

};

zone "_acme-challenge." {

        type master;

        file "/var/lib/bind/db._acme-challenge.";

        check-names warn;

        update-policy {

                grant tsig-key name _acme-challenge.. txt;

        };

};

```

Add private key and _achme-challenge zone for each domain and Change permission and ownership

```

$ sudo chown root:bind /etc/bind/named.conf.certbot

$ sudo chmod 640 /etc/bind/named.conf.certbot

```

#### Create zone file for each domain in `/var/lib/bind`

Example of ```/var/lib/bind/db._acme-challenge.```

```

$ORIGIN .

$TTL 43200	; 12 hours

_acme-challenge.	IN SOA . admin.. (

				2021010211 ; serial

				28800      ; refresh (8 hours)

				7200       ; retry (2 hours)

				604800     ; expire (1 week)

				86400      ; minimum (1 day)

				)

			NS	.

$TTL 120	; 2 minutes

			TXT	""

```

Change premission and ownership

```

$ sudo chown root:bind /var/lib/bind/db._acme-challenge.

$ sudo chmod 664 /var/lib/bind/db._acme-challenge.

```

#### Uncomment `_acme-challenge IN NS .` in each Zone file `db.` in `/etc/bind`

#### Add `include "/etc/bind/named.conf.certbot";` in `/etc/bind/named.local`

#### Restart bind server 

```

sudo systemctl restart bind9

```

#### Testing Dynamic Update

Check configs

```

sudo named-checkconf

```

To add the Entry

```

$ sudo nsupdate -k /etc/bind/tsig.key

> server 

> update add _acme-challenge. 86400 TXT 192.168.1.1

> send

```

To list the Entry

```

dig @ _acme-challenge. txt

```

You will see 192.168.1.1 in entries. If not then that is a problem!

To delete the Entry

```

$ sudo nsupdate -k /etc/bind/Kcertbot.+165+?????

> server 

> update delete _acme-challenge. 86400 TXT 192.168.1.1

> send

```

#### Create ```/etc/letsencrypt/dns_rfc2136_credentials.txt```

```

# Target DNS server

dns_rfc2136_server = 

# Target DNS port

dns_rfc2136_port = 53

# TSIG key name

dns_rfc2136_name = tsig-key

# TSIG key secret

dns_rfc2136_secret =

# TSIG key algorithm

dns_rfc2136_algorithm = HMAC-SHA512

```

Add private key in secret

#### Generate Certificate

```

sudo /usr/bin/certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/dns_rfc2136_credentials.txt -d ''  -d '*.'

```

#### References

#### [Let's Encrypt Wildcard Certificates with certbot, BIND, apache and exim](https://john.daltons.info/home_server_documentation/lets_encrypt.html#:~:text=When%20asking%20for%20a%20wildcard,accept%20dynamic%20updates%20from%20certbot.&text=%24%20sudo%20dnssec%2Dkeygen%20%2Da,b%20512%20%2Dn%20HOST%20certbot.)