YunoHost / issues

General issue tracker for the YunoHost project

Yunohost as hidden primary nameserver #1824

Open renne opened 3 years ago

renne commented 3 years ago

Yunohost shows the necessary DNS configuration for Domains but DNS records have to be created manually on the nameservers.

I suggest an option to configure Dnsmasq as hidden primary nameserver. That way it synchronizes all necessary DNS records automagically with the secondary nameservers without being exposed to the public internet (firewall access limited to secondary nameservers, no NS record for hidden primary nameserver).

zamentur commented 3 years ago

Note we already have some work in progress to auto configure DNS records on various registrar

See https://github.com/YunoHost/yunohost/pull/1194

About your idea, how could a YunoHost user have access to this kind of public server that watches for the hidden DNSmasq? Is it really important that DNSmasq be hidden? Could you explain?

I think if we open port 53 and keep dnsmasq configured as it is, we could have some DNS attacks, but we could probably configure that in a better way.

zamentur commented 3 years ago

This ticket is a duplicate ticket of https://github.com/YunoHost/issues/issues/946

renne commented 3 years ago

Ticket #1194 uses proprietary APIs of DNS server providers. This limits support to DNS server providers supported by lexicon, and it is a lot of work to add new provider APIs to lexicon. When a DNS server provider changes its API, Yunohost services will fail until lexicon is updated. In my opinion Ticket #1194 wastes person hours and is not reliable enough.

> About your idea, how could a YunoHost user have access to this kind of public server that watches for the hidden DNSmasq?

In the DNS structure you configure your zone data on the primary nameserver. When a zone is updated the primary nameserver sends a notification to the secondary nameservers, which pull the updated zone data from the primary nameserver. Most DNS server providers offer to use a custom primary nameserver as an alternative to their primary nameserver. Dnsmasq has to be configured in authoritative mode with SOA and NS records set in the zone data ("hostmaster@<mydomain>" email address in the SOA record and NS records of the nameservers).

> Is it really important that DNSmasq be hidden? Could you explain?

> I think if we open port 53 and keep dnsmasq configured as it is, we could have some DNS attacks, but we could probably configure that in a better way.

A hidden primary nameserver is a standard primary nameserver with two changes:

  1. access to port 53 is limited to the secondary nameservers by firewall
  2. as port 53 cannot be accessed publicly by resolvers the NS record for the primary nameserver is omitted

This reduces the attack vector a lot and saves bandwidth. As long as the zone checks and the notification authorization system of the secondary DNS server provider allow omitting the NS record of the primary nameserver, a hidden primary nameserver is just a standard primary nameserver. In most cases you can just use the secondary nameservers of your registrar with Yunohost as primary nameserver instead of the primary nameserver of the registrar.

In "https://<mydomain>/yunohost/admin/#/domains/<mydomain>" we need a checkbox to enable the primary nameserver mode. It needs to hide the "DNS configuration" button and show text fields for the secondary nameserver hostnames instead. When a secondary nameserver hostname is added, it has to be added to the configuration in "/etc/dnsmasq.d/<mydomain>" and an ACCEPT rule for that hostname with port 53 UDP+TCP has to be added to the firewall.

In "/etc/dnsmasq.d/<mydomain>" the following records have to be added:

For the Dnsmasq syntax see the Dnsmasq documentation, section "AUTHORITATIVE CONFIGURATION", and the Dnsmasq example configuration (comments in German).

FYI: ISC BIND offers more DNS record types than Dnsmasq.
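The two pieces the comment above asks a future "primary nameserver mode" to produce, the Dnsmasq authoritative fragment and the matching firewall rules, as an added example (not YunoHost project code and not part of the original thread). Domain, addresses, secondary names and the public interface name `eth0` are assumptions; the dnsmasq options used (`auth-zone`, `auth-server`, `auth-soa`, `auth-sec-servers`, `auth-peer`, `host-record`) are the ones documented in the "AUTHORITATIVE CONFIGURATION" section, and the firewall part is written for nftables and scoped to a single interface so that a resolver running on LAN, VPN or hotspot interfaces is not affected. Secondaries are taken as name:address pairs rather than bare hostnames, because a firewall ACL built from a hostname silently drifts when the provider renumbers.

```shell
#!/bin/sh
# Added example, not YunoHost project code: render a Dnsmasq "hidden primary"
# fragment for /etc/dnsmasq.d/<mydomain> plus an nftables ruleset that lets
# only the secondaries reach port 53 on the public interface. All names,
# addresses and the interface name are assumptions; nothing is written to disk.

# Return 0 only for a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        if [ "$octet" -gt 255 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 0
}

# hidden_primary_conf DOMAIN PRIMARY_IPV4 NAME:IP [NAME:IP ...]
# Each NAME:IP pair is a public secondary: NAME goes into the NS records
# (auth-sec-servers), IP into auth-peer, the only addresses allowed to AXFR.
hidden_primary_conf() {
    domain=$1; primary_ip=$2; shift 2
    valid_ipv4 "$primary_ip" || { echo "bad primary IP: $primary_ip" >&2; return 1; }
    sec_names=""; sec_ips=""
    for entry in "$@"; do
        name=${entry%%:*}; ip=${entry#*:}
        # Insist on addresses: a hostname would have to be re-resolved
        # whenever the provider renumbers, and the ACL would drift.
        valid_ipv4 "$ip" || { echo "bad secondary IP for $name: $ip" >&2; return 1; }
        sec_names="${sec_names}${sec_names:+,}$name"
        sec_ips="${sec_ips}${sec_ips:+,}$ip"
    done
    [ -n "$sec_ips" ] || { echo "at least one secondary is required" >&2; return 1; }
    # The SOA serial must increase on every zone change or the secondaries
    # never refresh; a date-based serial is used here only for the demo.
    serial=$(date -u +%Y%m%d01)
    cat <<EOF
# ---- hidden primary for $domain (generated) ----
auth-zone=$domain
# this server's own name and the public address it answers on
auth-server=$domain,$primary_ip
# SOA RNAME in DNS form: hostmaster.$domain stands for hostmaster@$domain
auth-soa=$serial,hostmaster.$domain
# public secondaries advertised in the zone's NS records ...
auth-sec-servers=$sec_names
# ... and the only peers allowed to pull the zone (AXFR)
auth-peer=$sec_ips
host-record=$domain,$primary_ip
EOF
}

# hidden_primary_nft PUBLIC_IFACE SECONDARY_IPS   (addresses comma-separated)
# Only the named interface is touched, so other interfaces where the same
# dnsmasq acts as a plain resolver keep working.
hidden_primary_nft() {
    iface=$1
    elems=$(printf '%s' "$2" | sed 's/,/, /g')
    cat <<EOF
table inet hidden_primary {
    set secondaries { type ipv4_addr; elements = { $elems } }
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "$iface" ip saddr @secondaries tcp dport 53 accept
        iifname "$iface" ip saddr @secondaries udp dport 53 accept
        # nobody else on the public side reaches port 53:
        # no open resolver, no AXFR from strangers
        iifname "$iface" tcp dport 53 drop
        iifname "$iface" udp dport 53 drop
    }
}
EOF
}

# Demo with RFC 5737 documentation addresses (constructed input).
hidden_primary_conf example.org 203.0.113.10 \
    ns1.secondary.example:198.51.100.1 ns2.secondary.example:198.51.100.2
hidden_primary_nft eth0 198.51.100.1,198.51.100.2
```

Two things to check after the first transfer rather than assume: run `dig NS example.org @<secondary>` and `dig SOA example.org @<secondary>` to confirm that only the public names appear in the NS set and that the serial matches, since whether the primary's own name may be left out of the NS records depends on the provider's zone checks, exactly as the comment above says. Note also that an `accept` in this table only ends evaluation in this chain; a `drop` for port 53 in another table (for example the distribution's own firewall) would still win, and IPv6 secondaries need a second set of `ip6_addr` type.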

ppom0 commented 3 years ago

Hello @renne, as @MercierCorentin and I are finishing our work on YunoHost/yunohost#1194, I am interested in your solution to the non-automatic DNS records issue. For you, who would administer the secondary nameservers? Would it be the registrar? Also, something permitted by our PR is to have custom, not-managed-by-Yunohost DNS records in the DNS zone. Is it possible with the DNSmasq option?

renne commented 3 years ago

@aopom

> For you, who would administer the secondary nameservers? Would it be the registrar?

Yes. Most registrars include primary and secondary nameserver services in the domain plans without additional costs. Alternatively a cheap/free secondary nameserver service can be used.

> Also, something permitted by our PR is to have custom, not-managed-by-Yunohost DNS records in the DNS zone. Is it possible with the DNSmasq option?

Yes. You can add any DNS resource records supported by the DNSmasq authoritative mode in /etc/dnsmasq.d/<mydomain>. For syntax and supported record types see the Dnsmasq documentation and search for the keyword "authoritative".

renne commented 1 year ago

@aopom @Psycojoker @southerntofu @zamentur I just found Technitium DNS in the Yunohost App catalogue. It's a DNS server like BIND or PowerDNS with integrated DHCP like DNSmasq. :+1:

It would be great if Yunohost can use Technitium as (hidden) primary nameserver by creating the necessary DNS records in Technitium zones.

renne commented 1 year ago

@aopom @Psycojoker @southerntofu @zamentur I created an issue in the app repository, too.

Technitium API documentation

renne commented 1 year ago

@aopom @Psycojoker @southerntofu @zamentur

If the Yunohost team is in control of the nameservers ns0.yunohost.org and ns1.yunohost.org (OVH Anycast DNS servers?), these can be used as secondary nameservers for primary nameservers on local Yunohost instances.

zamentur commented 1 year ago

Indeed, but it increases the centralization on our infrastructure (could be a problem when we have a big outage, see https://forum.yunohost.org/t/2023-02-18-major-maintenance-of-yunohost-services-like-diagnosis/23652)

However, for me the main issue with activating dnsmasq (or technitium) as a standard primary DNS server is the difficulty of finding the public interfaces of the server and applying firewall rules to them. If we apply the rules on all interfaces, we would probably break some apps like hotspot_ynh or pihole.