
Background

In order to test different CommIT environments, it is necessary to override the authoritative DNS server(s) for the commonidtrust.org domain with one that directs the user to the front door (load balancer) for the CPR and IDP instances in the desired environment. To that end, we have set up separate DNS servers for the CommIT VPC-Dev and VPC-Prod environments. These are configured to serve up the A and/or CNAME records for account.commonidtrust.org and login.commonidtrust.org for the specific VPC environment.

Currently, the DNS server for VPC-Dev runs on the CommIT VPC Gitolite server in the VPC-Dev public subnet and is accessible at EIP address 54.68.170.122. The DNS server for VPC-Prod runs on a t2.micro instance in the VPC-Prod public subnet and is accessible at EIP address 54.149.84.152.

Installation

yum -y install bind

Configure /etc/named.conf and the zone files, /var/named/masters/commonidtrust-dev.local and /var/named/masters/commonidtrust.org (see examples for VPC-Dev attached).

chkconfig named on

Logging

named logs to /var/log/messages

Start/Stop Commands

/etc/init.d/named start
/etc/init.d/named stop

Open Nameserver Protection

Since users who need to leverage the VPC DNS servers are speckled around the internet and not accessing them from a well-defined IP address or CIDR block, we needed to leave the VPC DNS servers open to serve requests from anywhere. This is done by configuring:

    allow-query { all; };

Furthermore, once a client is configured to use these DNS servers, they may need to access additional name servers, for example, those for wisc.edu. We therefore configured:

    recursion yes;

Of course, it didn't take very long for some nefarious outfit to realize this and set up a DNS amplification attack (see https://www.us-cert.gov/ncas/alerts/TA13-088A) ricocheting off of our open DNS server. To resolve this, we include the rate-limit option:

    rate-limit {
            responses-per-second 10;
    };
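As an added example (not from this page or the attached VPC-Dev files), a small Python audit of a named.conf options block that flags the two conditions discussed above: recursion enabled for a catch-all ACL, and no rate-limit block. It goes slightly beyond the text by modelling BIND 9.4+'s fallback from allow-recursion to allow-query; the two sample configurations, the allow-recursion line and the 10.0.0.0/16 network are constructed assumptions, and the hardened sample uses BIND's built-in any ACL.

```python
import re

# Constructed sample named.conf fragments (assumptions, not the attached files):
# WEAK_CONF mirrors the open-resolver setup, HARDENED_CONF adds the mitigations.
WEAK_CONF = """
options {
        allow-query { any; };
        recursion yes;
};
"""

HARDENED_CONF = """
options {
        allow-query { any; };
        recursion yes;
        allow-recursion { localhost; 10.0.0.0/16; };
        rate-limit {
                responses-per-second 10;
        };
};
"""

def options_block(conf):
    """Return the body of the top-level options { ... } block, brace matched
    (braces inside quoted strings are not special-cased)."""
    m = re.search(r'(?<![\w-])options\s*\{', conf)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {'{': 1, '}': -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]

def _acl(body, name):
    # Address-match list of a statement such as allow-query { a; b; };
    m = re.search(r'(?<![\w-])' + name + r'\s*\{([^}]*)\}', body)
    return [x.strip() for x in m.group(1).split(';') if x.strip()] if m else None

def audit_options(conf):
    """Return a list of findings; an empty list means no open-resolver exposure found."""
    body = options_block(conf)
    findings = []
    m = re.search(r'(?<![\w-])recursion\s+(yes|no)\s*;', body)
    recursion = (m.group(1) if m else 'yes') == 'yes'          # BIND default is yes
    # BIND 9.4+ fallback: allow-recursion -> allow-query -> { localnets; localhost; }
    rec_acl = _acl(body, 'allow-recursion') or _acl(body, 'allow-query') or ['localnets', 'localhost']
    # 'all' is not a BIND built-in ACL; it is treated as a catch-all because this page uses it that way
    if recursion and any(a in ('any', 'all') for a in rec_acl):
        findings.append('open recursive resolver: recursion yes for ACL %s' % rec_acl)
    if not re.search(r'(?<![\w-])rate-limit\s*\{', body):
        findings.append('no rate-limit block: responses are not rate limited')
    return findings
```

Run audit_options over the real /etc/named.conf text after each change; the hardened sample returns an empty list.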