Since I'm off this week, today's project is to figure out my proxy server. I've already set it up to some degree, but I need to finish it out. Goal is to get it set up and finished by Wednesday, though I doubt it'll take that long. :blobfoxbongo:
Okay, so I can't CNAME the root of my domain like I wanted to, and I don't think I'll be able to get around handing control of the whole zone file over to BIND. The point of my struggle was to separate out the dynamic update (and BIND's gross auto-formatting) from the "static" stuff that I don't want changing automatically.
I've settled on having a "static" file that I make updates to, manually push over to the path BIND uses, and forcing it to re-sync. I may script something smarter later, but this satisfies my OCD for now.
Gonna go run (NOW FAO, NOT LATER) and work on setting up the secondary later. Also on the list: XoT and DNSSEC.
Well, I think I have laid out almost everything I want to set up in BIND. Still trying to figure out a few things:
1) Use a separate zone (or zones) for subdomains that get dynamically updated. I also want to CNAME my root domain to one of them (assuming I can? Basically I'm trying to use a dynamic IP for my root domain without letting BIND reformat my whole zone file).
2) Set up my secondary server with zone transfer over TLS. I worked on this earlier, but I ran into difficulty in getting the certificate. I'm not even sure what domain to fetch the cert for. Does it even need to be issued by a CA? There's so little documentation on XoT in BIND, let alone examples.
Turns out I didn't have to do either. I can bypass the reverse proxy by using a separate subdomain. Not sure if I'd prefer it to go through the proxy... maybe it should. But for now, it works and I'm happy enough with it.
Time to go run, and then I'll try tackling DNS. Whee~
So after getting my proxy going, I now have kind of a weird setup where my web server and turn server are hosted on the same backend, but the turn server isn't using the proxy. Like so:
NAT (443) => Proxy => Backend server => Web service
NAT (coturn port) => Backend server => Turn service
And for some reason it doesn't work. But if I revert to the previous configuration without the proxy, it works.
@faoluin if you care about DNS security make sure you have 3 different NS running in 3 different AS running 3 different implementations of DNS (this is what Verisign does but at an even crazier level)
@feld I considered PDNS, but stuck with BIND because I guess I'm a masochist. |3 Might keep PDNS in the back of my mind for when I get fed up with BIND though.