DNS Configuration

DNS Server configuration

You must configure access to DNS server by Sudo (the DNS server is on the same server as the Web server) or by SSH (for local or remote access to DNS server). Both can be used on differents servers.

Configuration with Sudo

To modify the zones files and reload the server, DomDNS can use sudo. You must configure the /etc/sudoers.d/domdns file with the parameters:

# Allow the user 'www-data' to reload bind and to write in the zones dir
# Don't forget to change the www-data user if your Web server don't work with it
www-data ALL = (domdns) NOPASSWD: /usr/sbin/rndc reload*
www-data ALL = (domdns) NOPASSWD: /usr/sbin/rndc reconfig
www-data ALL = (domdns) NOPASSWD: /bin/cp /tmp/[A-Za-z0-9-]* /etc/bind/zones/[A-Za-z0-9.-]*

The configuration file of DomDNS will contain :

$conf = array (
  "servers"=>array (
      "127.0.0.1"=>array (
          "type"=>"bind",          // Actually, only bind is allowed
          "methodCLI"=>"sudo",     // Can be ssh or sudo
          "methodFILE"=>"sudo",    // Can be scp or sudo
          "username"=>"domdns",    // The login used to connect by SSH or sudo
          "password"=>"",          // The password used to connect by SSH
          "fingerprint"=>FALSE,    // The SSH fingerprint
          "publickeyfile"=>FALSE,  // The public key used to connect by SSH
          "privatekeyfile"=>FALSE, // The private key used to connect by SSH
          "passphrase"=>FALSE,     // The passphrase used to open the private key
          "zonepath"=>"/etc/bind/zones", // The path of the zones
      ),
  ),
...

You must create the user domdns, with main group bind :

adduser --system --home /var/cache/bind --gecos "DomDNS user" \
            --ingroup bind --no-create-home \
            --disabled-password --quiet --shell /bin/sh domdns

Double check that /etc/bind/zones is writeable for group bind, or force it :

chmod 775 /etc/bind/zones

Configuration with SSH

If the DNS server is distant, it must accept SSH connections to domdns user. This user is used to modify the DNS zones and reload the DNS server.

You must configure the server to allow domdns connections on SSH server.

The configuration file of DomDNS will contain :

<?php
$conf = array (
  "servers"=>array (
      "192.168.56.110" => array (  // IP of DNS server
          "type"=>"bind",          // Actually, only bind is allowed
          "methodCLI"=>"ssh",      // Can be ssh or sudo
          "methodFILE"=>"scp",     // Can be scp or sudo
          "username"=>"domdns",    // The login used to connect by SSH or sudo
          "password"=>"Secret 1",  // The password used to connect by SSH
          "fingerprint"=>FALSE,    // The SSH fingerprint
          "publickeyfile"=>FALSE,  // The public key used to connect by SSH
          "privatekeyfile"=>FALSE, // The private key used to connect by SSH
          "passphrase"=>FALSE,     // The passphrase used to open the private key
          "zonepath"=>"/etc/bind/zones", // The path of the zones
      ),
  ),
...
adduser --system --home /var/cache/bind --gecos "DomDNS user" \
            --ingroup bind --no-create-home \
            --disabled-password --quiet --shell /bin/sh domdns

Double check that /etc/bind/zones is writeable for group bind, or force it :

chmod 775 /etc/bind/zones