From 7d01f35fd076133eef5aa0af024a4a812d68fa99 Mon Sep 17 00:00:00 2001
From: goeranh
Date: Fri, 13 Mar 2026 21:51:25 +0100
Subject: [PATCH 1/2] host dns and ntp server on proxy

---
 hosts/proxy/README.md | 113 ++++++++++++++++++++++++++++++++++++++--
 hosts/proxy/default.nix | 35 +++++++++++++
 2 files changed, 145 insertions(+), 3 deletions(-)

diff --git a/hosts/proxy/README.md b/hosts/proxy/README.md
index cb5957d..8fd0f28 100644
--- a/hosts/proxy/README.md
+++ b/hosts/proxy/README.md
@@ -7,8 +7,8 @@ Central reverse proxy at 141.56.51.1 running as a full VM (not LXC container).
 - **Hostname**: proxy
 - **IP Address**: 141.56.51.1
 - **Type**: Full VM (not LXC)
-- **Services**: HAProxy, OpenSSH (ports 1005, 2142)
-- **Role**: Central traffic router for all StuRa HTW Dresden services
+- **Services**: HAProxy, BIND DNS, Chrony NTP, OpenSSH (ports 1005, 2142)
+- **Role**: Central traffic router, DNS resolver, and NTP server for all StuRa HTW Dresden services
 
 ## Architecture
@@ -45,6 +45,68 @@ HAProxy routes traffic using two methods:
 - Buffer size: 32,762 bytes
 - Timeouts: 5s connect, 30s client/server
 
+### BIND DNS Resolver
+
+The proxy provides recursive DNS resolution for the internal network (141.56.51.0/24).
+
+**Configuration:**
+- **Service**: BIND9 recursive resolver
+- **Listen address**: 141.56.51.1
+- **Port**: 53 (UDP/TCP)
+- **Allowed networks**: 127.0.0.0/8, 141.56.51.0/24
+- **Forwarders**: 9.9.9.9 (Quad9), 1.1.1.1 (Cloudflare)
+- **IPv6**: Disabled
+
+**Usage:**
+All hosts in the internal network can configure their DNS resolver to use `141.56.51.1` for name resolution.
+
+Example configuration for other hosts:
+```nix
+networking.nameservers = [ "141.56.51.1" ];
+```
+
+**Why BIND?**
+- Provides caching for frequently accessed domains
+- Reduces external DNS queries and improves performance
+- Allows central control of DNS resolution policies
+- More reliable than relying solely on external DNS servers
+
+### Chrony NTP Server
+
+The proxy serves network time to all systems in the internal network.
+
+**Configuration:**
+- **Service**: chrony NTP server
+- **Port**: 123 (UDP)
+- **Allowed network**: 141.56.51.0/24
+- **Upstream servers**: pool.ntp.org
+- **Sync mode**: Fast initial sync (iburst)
+- **Fallback**: Serves time even if not synced (stratum 10)
+
+**Usage:**
+Other hosts can synchronize their system time with the proxy:
+
+```nix
+services.chrony = {
+  enable = true;
+  servers = [ "141.56.51.1" ];
+};
+```
+
+Or for systems using systemd-timesyncd:
+```nix
+services.timesyncd = {
+  enable = true;
+  servers = [ "141.56.51.1" ];
+};
+```
+
+**Benefits:**
+- Centralized time synchronization for all internal hosts
+- Reduced external NTP queries from HTW network
+- Consistent time across all StuRa infrastructure
+- Local fallback if upstream NTP servers are unreachable
+
 ### SSH Services
 
 **Port 1005: Admin SSH Access**
@@ -177,7 +239,8 @@ nix run .#proxy-update
 - **Gateway**: 141.56.51.254
 - **DNS**: 9.9.9.9, 1.1.1.1 (public DNS, not HTW internal)
 - **Firewall**: nftables enabled
-- **Open ports**: 22, 80, 443, 1005, 2142
+- **Open TCP ports**: 22, 53 (DNS), 80, 443, 1005, 2142
+- **Open UDP ports**: 53 (DNS), 123 (NTP)
 
 ## Adding New Services
 
@@ -379,6 +442,50 @@ telnet 141.56.51.2 80
 grep -A 5 "ssh_srs2" /etc/haproxy/haproxy.cfg
 ```
 
+### DNS resolution not working
+
+```bash
+# Check BIND status
+systemctl status named
+
+# View BIND logs
+journalctl -u named -f
+
+# Test DNS resolution from proxy
+dig @127.0.0.1 google.com
+
+# Test DNS resolution from another host
+dig @141.56.51.1 google.com
+
+# Check BIND configuration
+named-checkconf /etc/bind/named.conf
+
+# Check allowed networks
+grep -i "allow-query" /etc/bind/named.conf
+```
+
+### NTP synchronization not working
+
+```bash
+# Check chrony status
+systemctl status chronyd
+
+# View chrony tracking information
+chronyc tracking
+
+# Check chrony sources
+chronyc sources -v
+
+# View chrony logs
+journalctl -u chronyd -f
+
+# Test NTP from another host
+chronyc -h 141.56.51.1 tracking
+
+# Check if NTP port is accessible
+nc -uv 141.56.51.1 123
+```
+
 ## Files and Directories
 
 - **HAProxy config**: `/etc/haproxy/haproxy.cfg` (generated by Nix)
diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix
index 8ba30ff..048049f 100644
--- a/hosts/proxy/default.nix
+++ b/hosts/proxy/default.nix
@@ -27,11 +27,16 @@
     firewall = {
       allowedTCPPorts = [
         22
+        53 # DNS
         80
         443
         1005
         2142
       ];
+      allowedUDPPorts = [
+        53 # DNS
+        123 # NTP
+      ];
     };
     nftables = {
       enable = true;
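Review bot: The new `53` entry in `allowedTCPPorts` and the whole `allowedUDPPorts` list open DNS and NTP on every interface to any source address, while the README changed in this same patch describes both services as serving only 141.56.51.0/24. BIND's allowed-networks list and chrony's `allow` line will refuse other clients, but on a publicly routed address it is better to also drop that traffic at the firewall so it never reaches the daemons and cannot be used to probe them. Since `nftables.enable = true` is set just below, a source-restricted rule via `networking.firewall.extraInputRules` (e.g. `ip saddr 141.56.51.0/24 udp dport { 53, 123 } accept` plus the matching `ip saddr 141.56.51.0/24 tcp dport 53 accept`) can replace the three unconditional port entries. The attribute set that contains `firewall` (presumably `networking`) starts before this hunk.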
@@ -206,6 +211,36 @@
     };
   in
   {
+    # BIND DNS recursive resolver for the internal network
+    bind = {
+      enable = true;
+      cacheNetworks = [
+        "127.0.0.0/8"
+        "141.56.51.0/24"
+      ];
+      forwarders = [
+        "9.9.9.9"
+        "1.1.1.1"
+      ];
+      listenOn = [ "141.56.51.1" ];
+      listenOnIpv6 = [ ];
+    };
+
+    # Chrony NTP server for the internal network
+    chrony = {
+      enable = true;
+      enableNTS = false;
+      servers = [ "pool.ntp.org" ];
+      serverOption = "iburst";
+      extraConfig = ''
+        # Allow NTP client access from local network
+        allow 141.56.51.0/24
+
+        # Serve time even if not synced to a time source
+        local stratum 10
+      '';
+    };
+
     openssh = {
       # admin ssh access port
       listenAddresses = [
From 006c95424fa8b616447dcb7d1d6169173878d705 Mon Sep 17 00:00:00 2001
From: goeranh
Date: Fri, 13 Mar 2026 22:14:45 +0100
Subject: [PATCH 2/2] enable bind dns and chrony ntp server and set them up in default.nix

---
 default.nix | 13 ++++++++++---
 hosts/proxy/default.nix | 16 ++++++++++------
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/default.nix b/default.nix
index 4eea8ff..1a1f679 100644
--- a/default.nix
+++ b/default.nix
@@ -26,8 +26,8 @@ in
 {
   networking.nameservers = [
+    "141.56.51.1"
     "141.56.1.1"
-    "141.56.1.2"
   ];
 
   boot.kernelPackages = pkgs.linuxPackages_latest;
@@ -52,6 +52,14 @@ in
 
   time.timeZone = "Europe/Berlin";
 
+  # Use proxy as NTP server for time synchronization
+  # Disable in containers as they inherit time from the host
+  services.chrony = {
+    enable = !config.boot.isContainer;
+    servers = [ "141.56.51.1" ];
+    enableNTS = false;
+  };
+
   i18n.defaultLocale = "en_US.UTF-8";
   console = {
     font = "Lat2-Terminus16";
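Review bot: The internal network 141.56.51.0/24 and the proxy address are spelled out separately in `cacheNetworks`, `listenOn`, the chrony `allow` line and the firewall lists, so a future renumbering can leave DNS reachable but NTP refused, or vice versa; binding them once in the `let` whose `in` is visible just above this hunk (`internalNet = "141.56.51.0/24";`) and referencing it in each place keeps the access lists in lockstep. The `local stratum 10` directive also deserves a comment that states the trade-off, something like `# Fallback: when every upstream is unreachable the proxy still answers as synchronised, so clients follow its free-running clock with no indication of drift` — acceptable for a LAN, but worth recording because internal hosts rely on this time for TLS certificate validity and log correlation. The hunk shows only the `bind` and `chrony` attributes; the attribute set they belong to starts and ends outside it.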
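Review bot: Putting `141.56.51.1` first in `networking.nameservers` makes every host that imports this module depend on the proxy's BIND for name resolution, and a host outside 141.56.51.0/24 (or a container whose address is not in BIND's allowed networks) will have each query refused there before the resolver moves on to `141.56.1.1`, so lookups still work but pay extra latency on every request. A comment should record both facts, e.g. `# 141.56.51.1 = proxy BIND (answers only 141.56.51.0/24); 141.56.1.1 is the fallback`. Whether the stub resolver in use falls through on a REFUSED answer or only after a timeout should be verified on one host outside that subnet. The attribute set this hunk opens with `{` continues past the hunk.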
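Review bot: `services.chrony.servers = [ "141.56.51.1" ]` is a list option, and NixOS merges list options across modules rather than replacing them, so if hosts/proxy/default.nix imports this file (the second patch dropping the proxy's own `nameservers` suggests it does) the proxy ends up with its own address alongside its pool entries and will presumably try to sync to itself; chrony should reject the loop, but the source will show as unusable in `chronyc sources` and the intent is clearly not to have it there. Declaring it as `servers = lib.mkDefault [ "141.56.51.1" ];` (if `lib` is among the module arguments) lets the proxy's own list override instead of merge. The enclosing attribute set starts and ends outside this hunk.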
@@ -63,10 +71,9 @@ in
   services.nginx.recommendedOptimisation = true;
   services.nginx.recommendedGzipSettings = true;
   services.nginx.recommendedProxySettings = true;
-#### Mit der Anwendung Nginx soll die (ausschließliche) Verwendung von https (http mit TLS), statt http ermoeglicht werden.
+  #### Mit der Anwendung Nginx soll die (ausschließliche) Verwendung von https (http mit TLS), statt http ermoeglicht werden.
   services.nginx.recommendedTlsSettings = true;
 
-
   users.users = {
     # erstmal nur mit root
     # administration = {
diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix
index 048049f..8692b17 100644
--- a/hosts/proxy/default.nix
+++ b/hosts/proxy/default.nix
@@ -20,10 +20,6 @@
       }
     ];
     defaultGateway.address = "141.56.51.254";
-    nameservers = [
-      "9.9.9.9"
-      "1.1.1.1"
-    ];
     firewall = {
       allowedTCPPorts = [
         22
@@ -222,7 +218,10 @@
         "9.9.9.9"
         "1.1.1.1"
       ];
-      listenOn = [ "141.56.51.1" ];
+      listenOn = [
+        "141.56.51.1"
+        "127.0.0.1"
+      ];
       listenOnIpv6 = [ ];
     };
 
@@ -230,7 +229,12 @@
     chrony = {
       enable = true;
       enableNTS = false;
-      servers = [ "pool.ntp.org" ];
+      servers = [
+        "0.de.pool.ntp.org"
+        "1.de.pool.ntp.org"
+        "2.de.pool.ntp.org"
+        "3.de.pool.ntp.org"
+      ];
       serverOption = "iburst";
       extraConfig = ''
         # Allow NTP client access from local network
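Review bot: With these four pool entries and `enableNTS = false`, the time that every internal host now trusts — for TLS certificate validity windows, token expiry and log correlation — comes from unauthenticated NTP, and if only one of the four sources stays reachable chrony will follow it alone. Adding `minsources 2` to `extraConfig`, so the clock is adjusted only while at least two sources agree, is a one-line hardening that fits the `allow` block this hunk ends inside. Authenticating the upstream with NTS (`enableNTS = true`, which as far as I recall the module applies to every entry in `servers`, so NTS-capable hosts would need their own entries) is the longer-term fix if such a server is reachable from the HTW network. The `extraConfig` string continues past the hunk.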