Admin4 for BIND DNS Management on Ubuntu (19.04) & MacOS
Install admin4 from source on Ubuntu 19.04
Admin4 is a more general-purpose server/service administration tool. It supports BIND, PostgreSQL, LDAP and IMAP (four things). Implemented in Python, it can run on macOS, Windows and Linux, and likely more.
Unlike NICTool, it does not rely on a separate external database for zone data; rather it gets this from the managed DNS servers, and it also sends updates directly to the DNS server via DNS UPDATE requests.
I will not cover Windows or macOS installation, as these can be done easily via the pre-built packages.
Here is the process for an Ubuntu 19.04 install:
From the Admin4 site:
> sudo apt update
> sudo apt upgrade
> sudo apt install python-requests python-crypto python-dnspython python-ldap python-psychopg2 python-wxgtk3.0
>
> This fails because there is no python-psychopg2 package (the name is misspelled; the package is python-psycopg2), so fix it using:
>
> sudo apt install python-psycopg2
> git clone https://github.com/andreas-p/admin4.git
> cd admin4
> python admin4.py
As admin4 uses both the BIND statistics channel and DNS UPDATE to get and put data, you need to ensure you have configured BIND accordingly. This includes adding your admin4 client's IP address to each zone's "allow-transfer" list, as it uses zone transfer (AXFR) to read the zone's RR records.
The following example snippet of BIND configuration (named.conf) highlights the items required to allow admin4 to get your statistics and update zone records. It assumes that the BIND and admin4 machines are on the same subnet (localnets, i.e. 192.168.1.0/24):
# cat named.conf
// $FreeBSD: head/dns/bind914/files/named.conf.in 443607 2017-06-14 22:54:43Z mat $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/local/share/doc/bind for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.
...
...
...
statistics-channels {
inet * port 8053 allow { localnets; };
};
...
...
...
options {
statistics-file "/var/stats/named.stats";
zone-statistics full;
};
...
...
...
include "/usr/local/etc/namedb/tsig-key.ZONE.KEY.key";
...
...
...
zone "YOUR.DOMAIN" {
type master;
file "/usr/local/etc/namedb/dynamic/db.YOUR.DOMAIN";
allow-transfer {
XXX.XXX.XXX.XXX;   // address of the admin4 client; each address entry ends with a semicolon
};
update-policy {
grant tsig-key.ZONE.KEY. subdomain YOUR.DOMAIN. SOA NS MX A TXT NAPTR SRV CNAME;
};
allow-query {
any;
};
};
...
...
...
zone "1.168.192.in-addr.arpa" {
type master;
file "/usr/local/etc/namedb/dynamic/db.1.168.192.in-addr.arpa";
allow-transfer {
XXX.XXX.XXX.XXX;   // address of the admin4 client; each address entry ends with a semicolon
};
update-policy {
grant tsig-key.ZONE.KEY. subdomain 1.168.192.in-addr.arpa. SOA NS A PTR;
};
};
The key file is generated using the tsig-keygen utility.
Having generated the TSIG key, add it to admin4 via its UI.
Results
I can get all the zone details from BIND via the statistics interface (including all the internal predefined domains).
But when trying to update a Zone Resource Record (RR) I get an error:
This looks like a key failure (REFUSED). I have double-checked the key and it looks OK, so the reason for the error is immediately apparent. Seems this DNS management software is a bit flaky...
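The key clause that named.conf includes above is what both sides use to authenticate updates: admin4 signs each DNS UPDATE with a TSIG record (an HMAC over the message plus the key name and algorithm), and BIND recomputes that HMAC before it even consults update-policy. The following is an added example, not code from admin4 or from ISC's BIND: it parses a tsig-keygen style key clause, builds a minimal UPDATE adding an A record to YOUR.DOMAIN, signs it, and verifies it the way a server would, reporting the RFC 2845 error names. The key name tsig-key.ZONE.KEY is taken from the page; the secret, the host name and the 192.168.1.50 address are constructed for the example.

```python
# Added example (not admin4's or BIND's own code): minimal RFC 2845 TSIG signing and
# verification of a DNS UPDATE message, using only the Python standard library.
import base64, hashlib, hmac, re, struct, time

# Constructed sample in the layout tsig-keygen writes; the secret is made up.
SAMPLE_SECRET = base64.b64encode(b"constructed example secret, 32B!").decode()
SAMPLE_KEY_FILE = ('key "tsig-key.ZONE.KEY" {\n\talgorithm hmac-sha256;\n'
                   '\tsecret "' + SAMPLE_SECRET + '";\n};\n')
KEY_CLAUSE = re.compile(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+(hmac-sha256)\s*;'
                        r'\s*secret\s+"([^"]+)"\s*;\s*\}\s*;', re.I)

def parse_key_file(text):
    """Return (key name, algorithm, secret bytes) from a tsig-keygen key clause."""
    m = KEY_CLAUSE.search(text)
    if not m:
        raise ValueError("no hmac-sha256 key clause found")
    return m.group(1), m.group(2).lower(), base64.b64decode(m.group(3))

def canonical(name):  # lower-case FQDN form used for key lookup and in the digest
    return name.rstrip(".").lower() + "."

def encode_name(name):
    """Dotted name -> uncompressed DNS wire format (root is a single zero byte)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def _read_name(buf, off):  # no compression pointers: this example never emits them
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode("ascii"))
        off += 1 + buf[off]
    return ".".join(labels) + ".", off + 1

def _read_rr(buf, off):  # -> (owner, type, rdata, offset just past the RR)
    name, off = _read_name(buf, off)
    rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
    return name, rtype, buf[off + 10:off + 10 + rdlen], off + 10 + rdlen

def build_update(zone, owner, ttl, ipv4, msg_id=0x1234):
    """Unsigned DNS UPDATE (opcode 5): zone section plus one A record to add."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # ZO PR UP AD counts
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)     # SOA, IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    return header + zone_section + encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata

def _tsig_variables(key_name, alg, time_signed, fudge, error=0, other=b""):
    """TSIG 'variables' appended to the message before it is MACed (RFC 2845 s3.4)."""
    return (encode_name(canonical(key_name)) + struct.pack("!HI", 255, 0)       # class ANY, TTL 0
            + encode_name(canonical(alg)) + struct.pack("!Q", time_signed)[2:]  # 48-bit time
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(message, key_name, alg, secret, time_signed=None, fudge=300):
    """Append a TSIG RR (type 250, class ANY) to an unsigned message and bump ARCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, message + _tsig_variables(key_name, alg, time_signed, fudge),
                   hashlib.sha256).digest()
    rdata = (encode_name(alg) + struct.pack("!Q", time_signed)[2:] + struct.pack("!HH", fudge, len(mac))
             + mac + message[:2] + b"\x00\x00\x00\x00")   # original ID, error 0, other len 0
    rr = encode_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def tsig_verify(signed, keyring):
    """Check the trailing TSIG RR; returns (ok, status) using the RFC 2845 error names."""
    zo, pr, up, ad = struct.unpack_from("!HHHH", signed, 4)
    if ad == 0:
        return False, "FORMERR"  # no additional section, so no TSIG RR at all
    off = 12
    for _ in range(zo):
        off = _read_name(signed, off)[1] + 4
    for _ in range(pr + up + ad - 1):
        off = _read_rr(signed, off)[3]
    key_name, rtype, rdata, end = _read_rr(signed, off)
    if rtype != 250 or end != len(signed):
        return False, "FORMERR"
    alg, p = _read_name(rdata, 0)
    time_signed = int.from_bytes(rdata[p:p + 6], "big")
    fudge, mac_size = struct.unpack_from("!HH", rdata, p + 6)
    mac = rdata[p + 10:p + 10 + mac_size]
    original_id, error, other_len = struct.unpack_from("!HHH", rdata, p + 10 + mac_size)
    other = rdata[p + 16 + mac_size:p + 16 + mac_size + other_len]
    entry = keyring.get(canonical(key_name))
    if entry is None or canonical(entry[0]) != canonical(alg):
        return False, "BADKEY"   # key name unknown to the server, or algorithm mismatch
    # Recreate exactly what the signer MACed: original ID, ARCOUNT without the TSIG RR.
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", ad - 1) + signed[12:off]
    expected = hmac.new(entry[1], unsigned + _tsig_variables(
        key_name, alg, time_signed, fudge, error, other), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"   # different secret, or the message was altered in transit
    return True, "NOERROR"

def demo(time_signed=1_700_000_000):
    """Sign one update; verify with the right key, a wrong secret and an unknown key name."""
    name, alg, secret = parse_key_file(SAMPLE_KEY_FILE)
    update = build_update("YOUR.DOMAIN", "host.YOUR.DOMAIN", 300, "192.168.1.50")
    signed = tsig_sign(update, name, alg, secret, time_signed=time_signed)
    return (tsig_verify(signed, {canonical(name): (alg, secret)}),
            tsig_verify(signed, {canonical(name): (alg, b"another secret")}),
            tsig_verify(signed, {canonical("other.key"): (alg, secret)}))
```

Calling demo() shows the three outcomes: the matching key verifies, a different secret yields BADSIG, and a key name the server does not know yields BADKEY. That distinction matters when reading the REFUSED error above: BIND answers a TSIG failure with rcode NOTAUTH and one of those TSIG error codes, whereas a plain REFUSED on an update means the signature checked out but the update was not permitted, typically because the name in the grant line does not exactly match the name in the key clause, the record is outside the subdomain scope, or the RR type is not in the granted list. Signing the same update with nsupdate -k and the key file (one of the utilities linked below), with named's update-security log category enabled, separates BIND's policy from the admin4 client.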
References & Links
Admin4 - a simple admin tool...
nsupdate / tsig-keygen / ddns-confgen - BIND utilities
RFC 2136 - Dynamic Updates in the Domain Name System (DNS UPDATE)