fxbox / dns-server
Server that helps the Box to announce its local IP address without relying on mDNS, and to register its LetsEncrypt cert for use on its local IP address.
Yesterday, the E2E test started to fail for no obvious reason. Locally, I noticed that sometimes 2 boxes are visible from http://fxbox.github.io/app/ . I'm suspecting Travis to share the same internal IP address on many VMs.
I got the live logs on knilxof (ssh login, then pm2 logs $APP_NAME) - thanks @samgiles
cc @isabelrios @npark-mozilla
As we will be generating TLS certs on the Box anyway, authentication via TLS client certs seems like an appropriate option. This server should be configured with the root cert to trust, and the Box should have a signing certificate signed with that same root cert, and a TLS certificate signed with the Box's own signing certificate.
Additionally, the Box should only be allowed to set records under /v1/dns/org/knilxof/<hash>, where <hash> is the first 32 hex chars of the sha256 of its signing cert.
Maybe have a special API end-point that sets all subdomains of format ip-ip-ip-ip at once.
Although at this point I don't see a reason why we need this, the Box can just explicitly set each record it needs.
When changing DNS_PORT from 53 to 5353 in both src/server.js and src/client.js, the tests start failing. Have to figure out whether this is a server or a client problem.
By way of documentation, it would be good to add an API client to this repo, with some documented examples of how to set the server up and use it from that example client.
Looking back at how we made this work, it seems that the client creates a self-signed cert whose hash determines its URL under .box.knilxof.org, but then it serves the LetsEncrypt cert, which will have a different hash altogether. It would be better if we use the hash of the actual LetsEncrypt cert, but the client already needs to edit DNS when only a csr exists, so not sure if/how we can extract the public key hash from the csr. Will have a look at which files letsencrypt.sh produces.
Follow-up to #8:
For CNAMEs to work, you should return them not only in response to 'CNAME'-queries, but also include them in all responses to all query types, for instance like this:
Michiels-Laptop:~ Michiel$ dig A www.michielbdejong.com @meera.ns.cloudflare.com
[...]
;; ANSWER SECTION:
www.michielbdejong.com. 191 IN CNAME michielbdejong.com.
michielbdejong.com. 191 IN A 104.27.176.52
michielbdejong.com. 191 IN A 104.27.177.52
Michiels-Laptop:~ Michiel$ dig NS www.michielbdejong.com @meera.ns.cloudflare.com
[...]
;; ANSWER SECTION:
www.michielbdejong.com. 296 IN CNAME michielbdejong.com.
michielbdejong.com. 86400 IN NS meera.ns.cloudflare.com.
michielbdejong.com. 86400 IN NS beau.ns.cloudflare.com.
Michiels-Laptop:~ Michiel$ dig www.michielbdejong.com @meera.ns.cloudflare.com
[...]
;; ANSWER SECTION:
www.michielbdejong.com. 300 IN CNAME michielbdejong.com.
michielbdejong.com. 300 IN A 104.27.177.52
michielbdejong.com. 300 IN A 104.27.176.52
The names created in this server fail to resolve with the DNS server supplied in the DHCPACK from the BT Home Hub 5:
Successful resolution, bypassing the DHCP-supplied DNS server:
$ nslookup local.006c824eb59a3422e543d708d2d0a2e576f896b4.box.knilxof.org 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: local.006c824eb59a3422e543d708d2d0a2e576f896b4.box.knilxof.org
Address: 192.168.1.67
Fails using the DNS server response from the router configured via DHCP:
$ nslookup local.006c824eb59a3422e543d708d2d0a2e576f896b4.box.knilxof.org
Server: 192.168.1.254
Address: 192.168.1.254#53
Non-authoritative answer:
*** Can't find local.006c824eb59a3422e543d708d2d0a2e576f896b4.box.knilxof.org: No answer
Routers known to prevent DNS rebinding attacks by stripping local IPs from responses:
Apart from the fact that anybody can use this pagekite instance using the hard-coded "secret", it currently exposes the unencrypted port 80 for the client (pagekite backend) to connect to the server (pagekite frontend).
There is a lot of room for improvement here (e.g. use a REST API instead of the scp command to upload the challenge string, and the native-dns package is currently in between maintainers), but I got the following working on my machine:
./letsencrypt.sh --cron --domain my-link-box.knilxof.org --challenge dns-01 --hook ./deploy-challenges.sh
deploy-challenges.sh contains:
    #!/bin/sh
    # letsencrypt.sh calls this hook with the dns-01 challenge token as $4
    echo deploying challenge
    echo "$4" > ./tmp.txt
    scp tmp.txt [email protected]:/root/dns-server/challenge.txt
DNS for my-link-box.knilxof.org is served by ns.knilxof.org. On ns.knilxof.org, run something like:
    var fs = require('fs'),
        dns = require('native-dns'),
        server = dns.createServer();

    server.on('request', function (request, response) {
      // Answers every query, whatever its type, with both an A record and the
      // current dns-01 challenge as TXT. challenge.txt is the file written by
      // deploy-challenges.sh (via scp above) and is re-read on each request, so
      // a new challenge is served without restarting the server.
      var name = request.question[0].name;
      response.answer.push(dns.A({
        name: name,
        address: '127.0.0.1',
        ttl: 600
      }));
      response.answer.push(dns.TXT({
        name: name,
        data: [fs.readFileSync('./challenge.txt').toString().trim()],
        ttl: 600
      }));
      response.send();
    });

    server.on('error', function (err, buff, req, res) {
      console.log(err.stack);
    });

    server.serve(53); // binding port 53 needs root or CAP_NET_BIND_SERVICE
For query type 'A', if a 'CNAME' record exists, it should be returned (including the resolving A record?) in the answer section, even though the query type didn't match.
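The answer-building rule from this issue and the dig output in the CNAME issue above (CNAME first, then the target's records for the requested type), as an added example that is not the dns-server project's code. It also does what the dns-01 hook server above skips: it returns only records matching the query type, so the _acme-challenge TXT is not attached to every answer. The zone, names and addresses are constructed for illustration.

```javascript
'use strict';

// Constructed zone for illustration (names and addresses are made up).
// Each record: { type, data, ttl }; TXT data is an array of strings as in native-dns.
const ZONE = {
  'www.example.box.knilxof.org': [
    { type: 'CNAME', data: 'example.box.knilxof.org', ttl: 300 },
  ],
  'example.box.knilxof.org': [
    { type: 'A', data: '192.168.1.67', ttl: 300 },
    { type: 'NS', data: 'ns.knilxof.org', ttl: 86400 },
  ],
  '_acme-challenge.example.box.knilxof.org': [
    { type: 'TXT', data: ['constructed-dns-01-token'], ttl: 60 },
  ],
};

// Bound on CNAME chasing so a looping zone cannot recurse forever.
const MAX_CNAME_CHAIN = 8;

function normalize(name) {
  return name.toLowerCase().replace(/\.$/, '');
}

// Build the answer section for (qname, qtype) over `zone`.
// If the name owns a CNAME and the query is not for CNAME itself, the CNAME is
// returned first and the target is resolved for the requested type, so an A or
// NS query for www.* yields CNAME + the target's A/NS records, as in the dig output.
// Otherwise only records of the requested type (or all records for ANY) are returned.
function resolve(zone, qname, qtype, depth = 0) {
  const name = normalize(qname);
  const rrs = zone[name] || [];
  const cname = rrs.find(r => r.type === 'CNAME');
  if (cname && qtype !== 'CNAME') {
    const out = [{ name, ...cname }];
    if (depth < MAX_CNAME_CHAIN) out.push(...resolve(zone, cname.data, qtype, depth + 1));
    return out;
  }
  return rrs
    .filter(r => qtype === 'ANY' || r.type === qtype)
    .map(r => ({ name, ...r }));
}
```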
The pagekite instance we want to run as our tunnel server can be controlled (in terms of auth) by a DNS server, see http://pagekite.net/wiki/Howto/DnsBasedAuthentication.
Would be cool to get that working in this dns-server (maybe this would just be a client-side change, will look into it).