Has anyone installed NicTool on OpenBSD with httpd chrooted?

Started by richmond, June 17, 2014, 07:37:52 PM


richmond

I seem to be hitting wall after wall with incorrect/missing perl dependencies on a current release of OpenBSD (not -current). Has anyone gone through the effort of making this work on this OS?

I would like to keep chroot enabled and as much security control in place as possible as I'm building this for a group known to not be very proactive with administrative duties.

-Apologies, forgot more context-
I'm looking for a client/server install with BIND on the same host as well as a second host running BIND only.

matt

I just installed OpenBSD 5.5 to have a look. I went along far enough to see where the issue would be:

https://github.com/msimerson/NicTool/wiki/Install-NicTool-on-OpenBSD

Digest version: Installing chrooted is going to be painful.

We aren't in the dark days of yore when hardware was expensive and we had to run as much as we could on it. This system will probably run only NicTool, right? Is chroot even sensible? What exists on that host, outside the chroot, that you are protecting? **

Matt

** besides the nictool data in mysql, which is already compromised if attackers own the chroot environment.

richmond

You ask reasonable questions. :)

Habit is my first answer and cheap clients is my second answer but separating out any other services (there was going to be client VPN termination on this box as well) will likely be the path of least pain/annoyance/time.  I will consider my options and strongly suggest isolating DNS from other services and a well audited off-site backup if they are worried about data loss.

Thanks Matt.  I had a sneaking suspicion that this would be the case and had kinda hoped someone bundled the modules for a chroot environment allowing me to be a bit lazier.

matt

I just asked, "does OpenBSD have any decent virtualization tools" that might permit you to:

  • run BIND in one VM
  • run Apache/NicTool in a VM
  • run MySQL in a VM
  • run VPN thingy in a VM

Sort of like how I recommend here with FreeBSD jails. With jails, every "VM" gets a full unix host environment, which is tremendously easier to maintain, and more secure than dumping everything into one. Easily maintained systems are much more likely to be maintained, and therefore, more secure.

And then I read this stack exchange post.

Since OpenBSD sucks at virtualization, you could instead run it under VMware. Or Xen. Or ...

rainer_d

From http://bhyve.org/faq/ I assume one could run it on OpenBSD in a bhyve VM on FreeBSD 10 - if one was inclined to do such a thing.
But one could probably create an absolutely minimal FreeBSD jail with just the dependencies for NicTool (and a separate one with just MySQL) and be done with it.

I'd rather concentrate on getting the name servers locked-down properly...

--
FreeBSD - The Power To Serve

matt

Quote from: rainer_d on June 18, 2014, 05:24:15 PM
I'd rather concentrate on getting the name servers locked-down properly...

That's good thinking. But if security (and performance) are your concerns (versus "support every DNS feature and install everywhere, at the cost of security") then that almost certainly means not using BIND in the first place. Just look at all them CVEs! For performance and security, choose NSD, Knot, or tinydns instead.

rainer_d

I'm thinking of moving everything to NSD.
Today, it's a horrible, unholy mess of a convoluted BIND-setup, with a 15-year legacy (yeah, we run an open resolver - on purpose).
Thankfully, management has finally agreed to move everything to NicTool (mostly because nobody could come up with anything better in a short time, which is (IMO) no surprise to anyone who has been watching this place).
There are alternatives to NicTool (some are actually great), but each one comes with a different set of trade-offs and a different five- or six-figures price-tag....
--
FreeBSD - The Power To Serve

matt

Quote from: rainer_d on June 19, 2014, 08:03:22 AM
I'm thinking of moving everything to NSD.

I just *love* the fact that today we have choices. When tinydns was released, it was *the* alternative. PowerDNS came along and provided an alternative to BIND for the anti-djb crowd. It really wasn't until NSD, Knot, and Yadifa that there was a market of competitive choices. Six months ago I switched one tinydns to NSD and a few days ago I switched out BIND for Knot on another. So I'm running tinydns, NSD, and Knot.

Quote from: rainer_d on June 19, 2014, 08:03:22 AM
Today, it's a horrible, unholy mess of a convoluted BIND-setup, with a 15-year legacy (yeah, we run an open resolver - on purpose).

I remember first separating auth from recursive in 2000, and it was "a little bumpy" then. It proved easiest to move auth servers to new IPs and leave the old servers as caches, because so many systems pointed at them. Having done so, you get a lot of new options you didn't have before.

Quote from: rainer_d on June 19, 2014, 08:03:22 AM
Thankfully, management has finally agreed to move everything to NicTool (mostly because nobody could come up with anything better in a short time, which is (IMO) no surprise to anyone who has been watching this place).
There are alternatives to NicTool (some are actually great), but each one comes with a different set of trade-offs and a different five- or six-figures price-tag....

I am aware of managed DNS providers who provide the equivalent of "NicTool + a cluster of DNS servers," but the cost for anything more than a handful of domains starts getting very pricey very fast. It only makes sense if you need "special" features like GeoDNS, or you don't have servers to deploy on. I have a number of clients that deployed several VPSes with NicTool because that saves them the $1,000/month it cost to use Managed DNS services.
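The thread's recurring point, that authoritative servers and recursive caches should be separate hosts (and that an authoritative-only NSD/Knot/tinydns box must not act as an open resolver), is easy to verify once the split is done. The following is an added example written for this thread, not code from NicTool or any of the posters: it builds a minimal DNS query with the RD (recursion desired) bit set, decodes the 12-byte response header, and reports whether the server offered recursion (RA set), answered authoritatively (AA set), or refused. The three sample headers are constructed, not captured from a real server; the transaction id 0x1234 and the `probe()` helper (which needs network access to one of your own servers) are this example's own choices.

```python
"""Check whether a name server offers recursion (RFC 1035 header bits).

An authoritative-only server (NSD, Knot, tinydns, or BIND with recursion
disabled) should answer an RD query with RA clear, typically REFUSED for
names it does not serve. A cache answers with RA set.
"""
import socket
import struct
import sys

DNS_PORT = 53
TXID = 0x1234  # fixed transaction id, chosen for this example only
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int = TXID, recursion_desired: bool = True) -> bytes:
    """Encode one A/IN question in DNS wire format."""
    flags = 0x0100 if recursion_desired else 0x0000  # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(response: bytes) -> dict:
    """Decode the 12-byte DNS header into its flag bits and RR counts."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response, not query
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "answers": an,
    }


def classify(header: dict) -> str:
    """Summarise what the header says about the server's role for this client."""
    if not header["qr"]:
        return "not-a-response"
    if header["ra"]:
        return "recursion-available"      # server is acting as a resolver
    if header["aa"] and header["rcode"] == 0:
        return "authoritative-answer"     # serves the zone, no recursion
    return "recursion-refused"            # e.g. REFUSED for a foreign name


def probe(server_ip: str, name: str, timeout: float = 2.0) -> dict:
    """Send the query over UDP to one of your own servers and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server_ip, DNS_PORT))
        data, _ = sock.recvfrom(512)
    header = parse_header(data)
    if header["id"] != TXID:
        raise ValueError("transaction id mismatch")
    return header


# Constructed sample headers (not real captures): id, flags, QD, AN, NS, AR.
SAMPLE_OPEN_RESOLVER = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)  # QR RD RA
SAMPLE_AUTH_REFUSED = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0)   # QR RD REFUSED
SAMPLE_AUTH_ANSWER = struct.pack("!HHHHHH", TXID, 0x8500, 1, 1, 0, 0)    # QR AA RD

if __name__ == "__main__":
    if len(sys.argv) == 3:
        hdr = probe(sys.argv[1], sys.argv[2])
        print(classify(hdr), RCODE_NAMES.get(hdr["rcode"], hdr["rcode"]))
    else:
        for label, sample in (("open resolver", SAMPLE_OPEN_RESOLVER),
                              ("auth refused", SAMPLE_AUTH_REFUSED),
                              ("auth answer", SAMPLE_AUTH_ANSWER)):
            print(f"{label}: {classify(parse_header(sample))}")
```

Run it as `python3 check_recursion.py <server-ip> <name-outside-your-zones>` against each authoritative host after the split; anything other than `recursion-refused` on a server that is meant to be authoritative-only means recursion is still enabled for that client's source address.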