Wednesday, 16 February 2011

Learning IPv6 part 3 - Apache and DNS

Another day, another IPv6 adventure. Debian works with IPv6 really easily; you just need to add the details to /etc/network/interfaces as shown in Linux network address setup. I'm using manually configured IP addresses for now; at some point I'll look into DHCP for IPv6.

That got me on the internet. The next step was Apache, which it turns out was already done - I spent a while looking into config files, but all I needed to do was restart Apache with the IPv6 address set up and it picked it up automatically. To configure specific virtual hosts etc. the syntax hasn't really changed; you just need to put the IP address in square brackets in the /etc/apache2/sites-available/* file. Oh, and to browse by IP address you also need to use square brackets, so in the web browser address bar you should type http://[2001:470:1f09:12e9::123] or whatever the address is for you.

Next I need to create a fully authoritative DNS server and connect it to a domain so that it can be resolved from the net, as 123-reg does not support IPv6 yet. This turned out to be very simple (although to be honest I just wanted to get it working, not optimise it or set up internal/external views etc., so it is very basic) following the instructions here: http://www.cahilig.net/2008/07/04/how-setup-lan-dns-server-using-bind9-under-debian-and-ubuntu-linux. There is also a good follow-up guide for DDNS here: http://www.cahilig.net/2008/08/02/debian-and-ubuntu-ddns-bind9-and-dhcp, but it has little detail on IPv6, mainly IPv4. Securing the BIND instance with chroot is covered fairly well here: http://linux.justinhartman.com/DNS_Installation_and_Setup_using_BIND9, but I have not tried this yet.

I set the DNS server for my test domain to be the laptop (123-reg actually insists on at least 2 DNS servers, so I just put dns1.domain.com and dns2.domain.com and gave the same IP address for both. Obviously not a good idea for a real system unless you like to live dangerously, but for this test it's fine). All my IPv6 stuff so far is running from a single old Dell laptop and a Netscreen 5GT firewall appliance.

I allowed DNS (IPv4) and HTTP (IPv6) through the firewall, and outside hosts can now browse the web server over IPv6. The DNS server is set to respond to queries over IPv6 too, but since most things look up DNS entries over IPv4 at the moment I've left it for now. I've also not yet explored the reverse zone file in IPv6, or DDNS updates linking to a DHCP service to automatically add new hosts to the zone files. To test that properly I might need to set up several virtual machines to play with how IPv6 addresses are allocated and have a separate internal/external DNS server setup.
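The zone layout described above (two NS names on one host, IPv4 glue because the registrar has no IPv6 support, an AAAA record for the IPv6-only web server) as an added example, not the author's actual zone files; it also sketches the matching ip6.arpa reverse zone the post has not got to yet. example.com, 192.0.2.10 and 2001:db8:0:1::123 are constructed documentation-range placeholders.

```bind
; ---- /etc/bind/db.example.com : forward zone (constructed example) ----
$TTL 3600
$ORIGIN example.com.
@       IN  SOA   dns1.example.com. hostmaster.example.com. (
                  2011021601  ; serial, YYYYMMDDnn: bump on every change
                  3600        ; refresh
                  900         ; retry
                  1209600     ; expire
                  300 )       ; negative-caching TTL

; The registrar insists on two name servers; both names point at the
; same laptop, as in the post. Fine for a test, a single point of
; failure for anything real.
@       IN  NS    dns1.example.com.
@       IN  NS    dns2.example.com.

; Glue for the name servers is IPv4 only (A, no AAAA), because the
; registrar cannot take IPv6 glue, so resolvers reach this server over v4.
dns1    IN  A     192.0.2.10
dns2    IN  A     192.0.2.10

; The web server is IPv6 only: publish an AAAA record and no A record,
; so IPv4-only clients get a clean NODATA answer rather than a wrong host.
@       IN  AAAA  2001:db8:0:1::123
www     IN  AAAA  2001:db8:0:1::123

; ---- /etc/bind/db.2001.db8.0.1 : reverse zone for 2001:db8:0:1::/64 ----
; ip6.arpa names are the address nibbles in reverse order; the /64 prefix
; 2001:0db8:0000:0001 becomes the zone origin below.
$TTL 3600
$ORIGIN 1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
@       IN  SOA   dns1.example.com. hostmaster.example.com. (
                  2011021601 3600 900 1209600 300 )
@       IN  NS    dns1.example.com.
@       IN  NS    dns2.example.com.

; Host part ::123 = 0000:0000:0000:0123, written nibble-reversed.
3.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  www.example.com.
```

Before reloading, `named-checkzone example.com /etc/bind/db.example.com` (and the same for the reverse zone) catches syntax and nibble-ordering mistakes that would otherwise only show up as SERVFAIL from outside.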

This has got me thinking about our DNS setup. At the moment internal DNS is handled by our MS Small Business Server 2003 and external DNS by our registrar. With IPv6 it might make a bit more sense to handle this ourselves, as we are likely to make changes more often initially, but we would need several DNS instances to be reliably redundant. Say 2 internal DNS servers auto-updated with new hosts as they are added by DHCP, and two external DNS servers which only contain the IP addresses of the hosts we want external people to be able to connect to. One of those external DNS servers would need to be off site though (otherwise if we get a power cut and someone tries to email us, their main server will be unable to resolve the address and may bounce the message. If they can resolve the address but the mail server does not respond then most servers keep trying for a few days). Virtual machines would make this pretty easy and low cost except for the external server, but I'm sure I can arrange a reciprocal deal with someone I know for something as low bandwidth as a DNS server. An added benefit: if our main SBS server dies now we lose DNS and therefore web access. I can easily change a DNS entry to our ISP manually, but don't fancy doing that on dozens of computers while trying to fix a domain controller... It is still 4 new servers to keep an eye on, which is more work.
