Background
In order to test different CommIT environments, it is necessary to override the authoritative DNS server(s) for the commonidtrust.org domain with one that directs the user to the front door (load balancer) for the CPR and IDP instances in the desired environment. To that end, we have set up separate DNS servers for the CommIT VPC-Dev and VPC-Prod environments. These are configured to serve the A and/or CNAME records for account.commonidtrust.org and login.commonidtrust.org for the specific VPC environment.

Currently, the DNS server for VPC-Dev runs on the CommIT VPC Gitolite server in the VPC-Dev public subnet and is accessible at EIP address 54.68.170.122. The DNS server for VPC-Prod runs on a t2.micro instance in the VPC-Prod public subnet and is accessible at EIP address 54.149.84.152.
Installation
yum -y install bind
Configure /etc/named.conf and the zone files /var/named/masters/commonidtrust-dev.local and /var/named/masters/commonidtrust.org (see the examples for VPC-Dev attached). Check both with named-checkconf and named-checkzone before starting named; a syntax error in either file keeps the server from loading the zone.
chkconfig named on
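The zone data described in the Background (account. and login.commonidtrust.org pointing at the environment's front door) and the zone declaration from the installation step above, as an added example in shell that is not the page's attached configuration: it generates the commonidtrust.org zone file and the matching zone stanza for /etc/named.conf, then validates the zone with named-checkzone when that tool is installed. The nameserver hostname ns-dev, the hostmaster contact, the TTLs and the load-balancer hostname dev-frontdoor.example.elb.amazonaws.com are assumptions; the VPC-Dev EIP is the one stated on the page.

```shell
#!/bin/sh
# Added example (not the page's attached config): build the BIND zone file
# and named.conf zone stanza for one VPC environment and validate them.
# Assumptions: ns-dev as the server's own name, the hostmaster contact,
# the TTLs, and the ELB hostname used as the front door.
set -eu

ZONE=commonidtrust.org
NS_HOST=ns-dev.${ZONE}.                   # assumed name of the VPC DNS server
NS_ADDR=54.68.170.122                     # VPC-Dev DNS server EIP (from the page)
FRONT_DOOR=dev-frontdoor.example.elb.amazonaws.com.   # assumed load balancer
SERIAL=$(date +%Y%m%d01)                  # YYYYMMDDnn; bump nn for same-day edits

# Zone file for /var/named/masters/${ZONE}: the two front-door names are
# CNAMEs so the ELB can change address without a zone edit.
zone_file() {
    cat <<EOF
\$TTL 300
\$ORIGIN ${ZONE}.
@       IN  SOA ${NS_HOST} hostmaster.${ZONE}. (
                ${SERIAL} ; serial
                3600      ; refresh
                900       ; retry
                604800    ; expire
                300 )     ; negative-cache TTL
@       IN  NS  ${NS_HOST}
ns-dev  IN  A   ${NS_ADDR}
; Front door (load balancer) for the CPR and IDP instances in this VPC
account IN  CNAME ${FRONT_DOOR}
login   IN  CNAME ${FRONT_DOOR}
EOF
}

# Zone stanza for /etc/named.conf; "masters/..." is relative to the
# directory option (/var/named on a yum-installed bind).
zone_conf() {
    cat <<EOF
zone "${ZONE}" IN {
    type master;
    file "masters/${ZONE}";
    allow-update { none; };
};
EOF
}

# Run BIND's own zone checker when present; otherwise say so and move on.
validate() {
    tmp=$(mktemp -d)
    zone_file > "$tmp/$ZONE"
    zone_conf > "$tmp/zone.conf"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$ZONE" "$tmp/$ZONE"
    else
        echo "named-checkzone not installed; skipping zone syntax check"
    fi
    rm -rf "$tmp"
}

zone_file
zone_conf
validate
```

Run it on the VPC-Prod server with NS_ADDR and FRONT_DOOR changed to that environment's values; the commonidtrust-dev.local zone follows the same pattern with ZONE set accordingly.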
Logging
named logs to /var/log/messages
Start/Stop Commands
/etc/init.d/named start
/etc/init.d/named stop
Open Nameserver Protection
Since the users who need to leverage the VPC DNS servers are scattered around the internet and are not accessing them from a well-defined IP address or CIDR block, we needed to leave the VPC DNS servers open to serve requests from anywhere. This is done by configuring:
allow-query { any; };
(any is BIND's built-in match list for every address; there is no built-in all, so allow-query { all; } is rejected by named-checkconf unless an ACL named all has been defined.)
Furthermore, once a client is configured to use these DNS servers, it may need to resolve names in other zones, for example those under wisc.edu. We therefore configured:
recursion yes;
Together, allow-query { any; } and recursion yes make each VPC DNS server an open recursive resolver: it will resolve any name for any client on the internet, not just the commonidtrust.org names it is authoritative for.
Of course, it didn't take very long for some nefarious outfit to notice this and set up a DNS amplification attack (see https://www.us-cert.gov/ncas/alerts/TA13-088A) ricocheting off of our open DNS server. To mitigate this, we include the rate-limit option:
rate-limit { responses-per-second 10; };
This caps the number of identical responses sent per second to any one client netblock (a /24 by default for IPv4), which limits how much traffic a spoofed victim address can be made to receive from our server. It does not close the resolver: the server still recurses for any client, so the rate limit is damage control rather than a fix for the open-resolver condition itself.
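The check a practitioner would run against each VPC DNS server after this change, together with the options block as it stands once the rate limit is added, as an added example that is not part of this page: a POSIX shell script that classifies a dig header as open (the server recursed for a name outside its zones) or closed, and emits the options block. The probe name www.wisc.edu, the two dig headers below, and the window and log-only values in the options block are constructed or assumed; responses-per-second 10 is the value from the page.

```shell
#!/bin/sh
# Added example (not from the page): open-resolver check for a nameserver
# and the options block with the page's rate-limit. The dig headers below
# are constructed for offline use; www.wisc.edu is an assumed probe name.
set -eu

# Classify a dig header. Prints "open" when the server recursed for us
# (status NOERROR with the "ra" flag set), "closed" otherwise (REFUSED,
# or an answer without recursion available).
classify_dig() {
    out=$1
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    if printf '%s\n' "$out" | grep -q '^;; flags:.* ra[ ;]' && [ "$status" = "NOERROR" ]; then
        echo open
    else
        echo closed
    fi
}

# Query a live server for a name it is not authoritative for (needs dig).
# Usage: probe 54.68.170.122 [name]
probe() {
    server=$1
    name=${2:-www.wisc.edu}
    classify_dig "$(dig @"$server" "$name" A +time=3 +tries=1 2>/dev/null)"
}

# The options block after the page's change: queries stay open because the
# commonidtrust.org answers are meant for anyone, and the rate limit caps
# identical responses per client /24 so a spoofed victim cannot be flooded.
options_rate_limited() {
    cat <<'EOF'
options {
    allow-query { any; };
    recursion yes;
    rate-limit {
        responses-per-second 10;
        window 15;        /* assumed: seconds over which the limit is averaged */
        log-only no;      /* assumed: set yes first to observe before enforcing */
    };
};
EOF
}

# Constructed dig headers: an open recursive resolver, and one that refuses.
OPEN_HDR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
CLOSED_HDR=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12346
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

echo "constructed open header   -> $(classify_dig "$OPEN_HDR")"
echo "constructed closed header -> $(classify_dig "$CLOSED_HDR")"
options_rate_limited
```

Against the VPC servers as described on this page, probe 54.68.170.122 and probe 54.149.84.152 both report open, because recursion yes is still in effect; the rate limit changes how fast the server answers a flood, not whether it answers.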