Comment: just went ahead and did it

Background

In order to test different CommIT environments, and to make the development environment identical to the production environment, configure your client to override the authoritative DNS server(s) for the commonidtrust.org domain with one that directs the user to the front door (load balancer) for the CPR and IDP instances in the desired environment.  To that end, we have set up separate DNS servers for the CommIT VPC-Dev and VPC-Prod environments.  These are configured to serve up the A and/or CNAME records for account.commonidtrust.org and login.commonidtrust.org for the specific VPC environment.

Currently, the DNS server for VPC-Dev runs on the CommIT VPC Gitolite server in the VPC-Dev public subnet and is accessible at EIP address 54.68.170.122.  The DNS server for VPC-Prod runs on a t2.micro instance in the VPC-Prod public subnet and is accessible at EIP address 54.149.84.152.

...

a personal, free t2.micro instance in EC2 and is accessible at 52.24.15.28.  Because this server does not recurse, you will need a secondary resolver for all other addresses, such as 4.2.2.1 or 4.2.2.2 (Level3), or 8.8.8.8 or 8.8.4.4 (Google).

DNS Client Configuration:

Primary:   52.24.15.28
Secondary: 4.2.2.1

Developer Docs

Installation 

yum -y install bind

Configure /etc/named.conf and the zone files /var/named/masters/commonidtrust-dev.local and /var/named/masters/commonidtrust.org (see the VPC-Dev examples attached).

chkconfig named on

Logging

...

/etc/init.d/named start

/etc/init.d/named stop

Open Nameserver Protection

Since the users who need to leverage the VPC DNS servers are scattered around the internet rather than coming from a well-defined IP address or CIDR block, we had to leave the VPC DNS servers open to queries from anywhere.  This is done by configuring:

    allow-query { any; };

Furthermore, once a client is configured to use these DNS servers as its only resolver, it still needs to resolve names outside commonidtrust.org, for example those under wisc.edu.  We therefore configured:

    recursion yes;

Of course, it didn't take very long for some nefarious outfit to realize this and set up a DNS amplification attack (see https://www.us-cert.gov/ncas/alerts/TA13-088A) ricocheting off of our open DNS server.  To resolve this, we added the rate-limit (response rate limiting, RRL) option.

...

This is configured to serve up the A and/or CNAME records for account.commonidtrust.org, helpdesk.commonidtrust.org, and login.commonidtrust.org for the specific VPC environment. 

Recursion is disabled and rate limiting is set at 5 per second.  Since there are a total of 3 records, this is basically impossible to use in any form of attack, ever, and it's in a personal account anyway.
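The settings described above (queries allowed from anywhere, recursion turned off, response rate limiting at 5 per second, rate-limit events logged) collected into one named.conf, as an added example.  This is not the VPC-Dev configuration attached to the page; it assumes a BIND 9 build with RRL support (upstream 9.9.4 or newer), the zone file path /var/named/masters/commonidtrust.org given above, and a constructed 192.0.2.0/24 administrative network that is only used by the optional restricted-recursion variant.

```conf
// Added example, not the attached VPC-Dev named.conf.
// Assumes BIND 9 with response rate limiting (rate-limit) compiled in.

// Only needed if this server must also recurse for clients that use it as
// their sole resolver.  192.0.2.0/24 is a constructed placeholder network.
acl "trusted" { 127.0.0.1; ::1; 192.0.2.0/24; };

options {
    directory "/var/named";

    // Authoritative-only: answer just the zones hosted here.  Clients point a
    // secondary resolver (e.g. 4.2.2.1) at everything else.
    recursion no;
    // Variant if recursion must stay on: never recurse for the whole internet.
    //   recursion yes;
    //   allow-recursion { trusted; };

    // Users are scattered around the internet, so queries stay open to all.
    allow-query    { any; };
    // Nothing else is open: no zone transfers, no dynamic updates.
    allow-transfer { none; };
    allow-update   { none; };

    // Response Rate Limiting: at most 5 identical answers per second to any
    // one client /24 (IPv4) or /56 (IPv6).  Excess responses are dropped, and
    // every 2nd dropped response is replaced by a truncated (TC) reply so a
    // real client retries over TCP while a spoofed victim sees nothing useful.
    rate-limit {
        responses-per-second 5;
        errors-per-second    5;
        nxdomains-per-second 5;
        window 5;
        slip 2;
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        log-only no;        // set to yes first to observe what would be dropped
    };

    // Keep responses small: less data per answer means less amplification.
    minimal-responses yes;
    version "not disclosed";
};

// Record when RRL engages so an amplification attempt is visible in the logs.
logging {
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    category rate-limit { rrl_log; };
};

// The three account/helpdesk/login records live in this zone file (path from
// the page; relative to the directory option above).
zone "commonidtrust.org" IN {
    type master;
    file "masters/commonidtrust.org";
};
```

After editing, `named-checkconf /etc/named.conf` and `named-checkzone commonidtrust.org /var/named/masters/commonidtrust.org` validate syntax before a restart.  From a client, `dig @52.24.15.28 account.commonidtrust.org A` should return the record, while a query for a name outside the zone should come back without data, confirming that the server no longer recurses for arbitrary hosts.  Starting with `log-only yes` for a day shows in /var/log/named/rrl.log which clients would be limited before any answers are actually dropped.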