Enforcing correct DNS upstreams for internal zones

When you’re frequently working with internal DNS zones of a company whose DNS server sits behind a VPN, you’ll probably soon encounter DNS shenanigans where you’ll find that resolving internal domain names is a lot more tricky than it should be. I’ve found a way that works using dnsmasq, but I also found that you need to be careful to keep an overly-eager NetworkManager in check.

Read more…

Revisiting Samba RODC + Bind

Ok, so here’s another step in the evolution of my Samba4-RODC-based DNS setup. First steps were setting up a Samba4 Read-Only DC in my remote locations, so that DNS would be replicated to that location so that DNS doesn’t fail in case the VPN connection dies. Then we discovered that the SAMBA_INTERNAL DNS backend does not support caching, which unsurprisingly lead to performance problems, so we switched to Samba AD DC with Bind as DNS backend. This setup is quite a bit more complex though, and it seems a bit unstable in the sense that Samba lost its ability to update records in Bind for some reason and we have to “fix” that manually by re-joining the RODC to the domain. Rumor has it that the SAMBA_INTERNAL backend is a lot more stable. So, here’s step three in our evolution: Let’s allow Samba to use SAMBA_INTERNAL, but only run on 127.0.0.1, while communication with the outside world is handled by a bind instance that handles caching and forwards queries for the company domain records to Samba.

Read more…

LetsEncrypt DNS verification using a local BIND instance

I’ve been looking into Let’s Encrypt DNS verification for a while. Not only because you’re able to obtain wildcard certificates through this method, freeing you from the necessity to obtain an individual certificate for every single one of your subdomains: It also allows you to get a certificate for stuff running on your LAN, provided you’re running it on a subdomain that belongs to you. The problem is though, how do you enable Certbot to automate the DNS server update, without putting a credential in place that would allow full access to all your domains? And what to do if you’re running a server for a domain that doesn’t even belong to you: How can the owner delegate permissions for the verification TXT records to you, without having to give you full access to all their domains? Today I stumbled across a solution: Delegate the _acme-challenge subdomain to a local BIND instance and have Certbot update that. Here’s how.

Read more…

Monitoring DNS replication

Suppose you’re running a few DNS servers spread across multiple locations in your infrastructure, and you want to monitor DNS replication to make sure they’re all on the same page. Here’s an approach on how to do that using Prometheus and a bit of scripting.

Read more…

How to run an ARM VM on a x86 host

A few weeks ago, I wasted a lot of time (and hair) trying to run Raspbian in a VM, so that I could run it as part of my CI system and build software for it. I eventually managed to get something running that counts as good enough, both for 32 and 64 bit.

Read more…

Unit tests in bash

I yesterday ported the tear-down part of MicroFW from Python back to Bash. (It was just unhappy in Python.) In doing so, I tested it by uploading it to my server, running it and seeing what happens. This is obviously unsatisfactory, but since the script runs a bunch of iptables calls and the like, how am I supposed to test it? This integrates pretty deeply into the system, no way of mocking that, right?

Well, yes way: You just need to shamelessly abuse the function keyword…

Read more…

Awesome threading using nurseries

I wrote about a nice threading pattern using Queues for synchronization a while ago. In the meantime, I’ve stumbled across Trio and I loved their concept of nurseries, which is basically a wrapper around the threads-and-queues concept that also makes sure that threads are properly joined and do not run out of control.

So today I ran across a case where I’d have to query large chunks of data from two systems in parallel, that I would then have to compare and merge into a third data set. Thus I needed a way to start two threads, return stuff from them to the main thread, and join them back together. A nursery came to mind, because it does just that. So that’s what I used, and here’s the code for it!

Read more…

Obduction: Dive into the metastory

I want to try something new today: Write about philosophical topics, because those have been catching my interest for a while. I’ll start looking into the story of the game Obduction which has caught on to me, so I think it’s worth exploring. If you haven’t played the game yet, lots’a spoilers ahead, so probably go play it first.

Read more…