Introduction

When using PKI certificates it is critical that DNS resolves correctly and that hosts have their time synced from a reliable NTP server: a client validates a certificate against the name it asked for, and a clock that is far out makes a perfectly good certificate look not yet valid or already expired. In this part of the series I will build a utility server that will act as the DNS, NTP and root certificate authority. The utility server will use CentOS 7 minimal as the OS with the firewall service disabled and SELinux set to permissive; that is a lab shortcut, and neither should be done on a host reachable from outside the lab network.

DNS

The DNS service will be provided by dnsmasq as it is lightweight and easy to set up.


sudo yum install -y dnsmasq
                

Create a dnsmasq group and user and assign the user to the group. If the dnsmasq package has already created them, these commands report that the group or user exists and can be ignored.


sudo groupadd -r dnsmasq
sudo useradd -r -g dnsmasq dnsmasq
                

Backup the old /etc/dnsmasq.conf configuration file.


sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.old
                

Create an /etc/dnsmasq.conf file with the following contents.


# /etc/dnsmasq.conf
listen-address=127.0.0.1,192.168.121.120
port=53
bind-interfaces
user=dnsmasq
group=dnsmasq
pid-file=/var/run/dnsmasq.pid
domain-needed
domain=lab.local
expand-hosts
bogus-priv
dns-forward-max=150
cache-size=1000
no-negcache
neg-ttl=3600
resolv-file=/etc/resolv.dnsmasq
no-poll
                

Two lines in that file deserve a comment. domain=lab.local together with expand-hosts makes dnsmasq answer for each short name in /etc/hosts as name.lab.local as well, which is the name the host certificates will carry. no-negcache switches the negative cache off, so the neg-ttl=3600 that follows it has no effect; keep one or the other depending on whether cached NXDOMAIN answers are wanted.

Create an /etc/resolv.dnsmasq file that uses Google DNS as the upstream DNS servers.


# /etc/resolv.dnsmasq
nameserver 8.8.8.8
nameserver 8.8.4.4
                

Set the nameserver in /etc/resolv.conf to the loopback address so the utility server itself resolves through dnsmasq.


# /etc/resolv.conf
nameserver 127.0.0.1
                

Add the hostname-to-IP-address mappings for the lab devices to the /etc/hosts file.


# /etc/hosts
192.168.121.120 util
192.168.121.121 jenkins
192.168.121.122 gitlab
192.168.121.123 awx
192.168.121.124 netq
                

Note: dnsmasq reads /etc/hosts at startup, so when the file is updated the service needs to be restarted, or sent SIGHUP (kill -HUP), which makes dnsmasq clear its cache and re-read /etc/hosts without a restart.

The dnsmasq configuration can be checked for syntax errors with the dnsmasq --test command. It checks syntax only; well-formed but contradictory options still pass.


sudo dnsmasq --test

# output
dnsmasq: syntax check OK.
                

Start and enable the dnsmasq service.


sudo systemctl start dnsmasq
sudo systemctl enable dnsmasq
                

The hosts in this lab get their management IP addresses via DHCP, and by default the name servers from the DHCP lease overwrite /etc/resolv.conf. An update to the /etc/sysconfig/network-scripts/ifcfg-eth0 file is required to keep the local dnsmasq service as the resolver: PEERDNS=no stops the lease's DNS settings from being applied and DNS1 names the loopback resolver.


DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Ethernet"
PERSISTENT_DHCLIENT="yes"

# add the following
DNS1="127.0.0.1"
PEERDNS=no
                

Restart the network service.


sudo systemctl restart network
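
A pre-flight check for the DNS setup above, added here as an example rather than taken from the original post. It reads the dnsmasq configuration and /etc/hosts the way the procedure uses them, flags the no-negcache/neg-ttl contradiction and a listen-address that would break the loopback resolver, lists every name dnsmasq will answer once expand-hosts and domain= are in effect, reports names mapped to more than one address, and, when pointed at a running server, checks each expected name with dig. The file paths passed in and the DNSMASQ_CONF, HOSTS_FILE and LAB_DNS_SERVER variables are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): semantic checks for the
# dnsmasq.conf and /etc/hosts built above. Paths are passed in; the
# DNSMASQ_CONF, HOSTS_FILE and LAB_DNS_SERVER variables are assumptions.
set -e

# _has_opt CONF NAME: true when NAME is set, bare or as NAME=value.
_has_opt() {
    grep -Eq "^[[:space:]]*$2([=[:space:]]|$)" "$1"
}

# dnsmasq_lint CONF: one line per finding, nothing when clean.
# dnsmasq --test only checks syntax, so these are the checks it skips.
dnsmasq_lint() {
    _c=$1
    if _has_opt "$_c" no-negcache && _has_opt "$_c" neg-ttl; then
        echo "no-negcache disables the negative cache, so neg-ttl has no effect: keep one of them"
    fi
    if _has_opt "$_c" expand-hosts && ! _has_opt "$_c" domain; then
        echo "expand-hosts without domain= never produces fully qualified names"
    fi
    if ! grep -Eq '^[[:space:]]*listen-address=([^#]*,)?127\.0\.0\.1(,|$)' "$_c"; then
        echo "listen-address omits 127.0.0.1, so nameserver 127.0.0.1 in /etc/resolv.conf will fail"
    fi
    return 0
}

# lab_names HOSTS DOMAIN: print "ip name" for every name dnsmasq will answer.
# This mirrors expand-hosts: a name without a dot also answers as name.DOMAIN,
# a name that already contains a dot is left alone.
lab_names() {
    awk -v dom="$2" '
        /^[[:space:]]*(#|$)/ { next }
        {
            sub(/#.*/, "")
            for (i = 2; i <= NF; i++) {
                print $1, $i
                if ($i !~ /\./) print $1, $i "." dom
            }
        }' "$1"
}

# hosts_dupes HOSTS: names that map to more than one address. dnsmasq returns
# all of them, which is rarely what a lab host (or its certificate) intends.
hosts_dupes() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            sub(/#.*/, "")
            for (i = 2; i <= NF; i++) if (!seen[$i, $1]++) count[$i]++
        }
        END { for (n in count) if (count[n] > 1) print n }' "$1"
}

# check_lab_dns SERVER HOSTS DOMAIN: query the running dnsmasq for every
# expected name and compare with /etc/hosts (needs dig and a reachable server).
check_lab_dns() {
    lab_names "$2" "$3" | while read -r ip name; do
        got=$(dig +short "@$1" "$name" A | head -n 1)
        if [ "$got" = "$ip" ]; then
            echo "ok   $name -> $got"
        else
            echo "FAIL $name -> ${got:-no answer} (want $ip)"
        fi
    done
}

# Stand-alone run against the real files; override the paths via environment.
_conf=${DNSMASQ_CONF:-/etc/dnsmasq.conf}
_hosts=${HOSTS_FILE:-/etc/hosts}
if [ -r "$_conf" ] && [ -r "$_hosts" ]; then
    dnsmasq_lint "$_conf"
    hosts_dupes "$_hosts" | sed 's/^/duplicate name: /'
    lab_names "$_hosts" lab.local
    if [ -n "${LAB_DNS_SERVER:-}" ]; then
        check_lab_dns "$LAB_DNS_SERVER" "$_hosts" lab.local
    fi
fi
```

Run it on the utility server after the dnsmasq restart with LAB_DNS_SERVER=192.168.121.120 to confirm that every short and fully qualified name answers from the LAN address, not just from loopback; the names printed by lab_names are the ones the host certificates will have to carry.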
                

NTP

Install the ntp service.


sudo yum install -y ntp
                

Backup the old /etc/ntp.conf configuration file.


sudo mv /etc/ntp.conf /etc/ntp.conf.old
                

Create an /etc/ntp.conf file with the following contents.


# /etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

# Permit all access over the loopback interface.
restrict 127.0.0.1
restrict ::1

# Hosts on local network are less restricted.
restrict 192.168.121.0 mask 255.255.255.0 nomodify notrap

# Use NTP servers.
server time.google.com iburst
server time.apple.com iburst

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
                

Note: the default restrict line still serves time to any address that can reach UDP 123, but only hosts in 192.168.121.0/24 may send ntpq/ntpdc control queries (the default line carries noquery) and no remote address may modify the daemon's state; together with disable monitor this is what closes the monlist amplification vector. The upstream NTP servers are Google's and Apple's public stratum 1 time servers.

Start and enable the ntp service.


sudo systemctl start ntpd
sudo systemctl enable ntpd
                

Check that the daemon has selected a time source with the ntpq -p command: the * marks the system peer the clock is disciplined from, reach 377 means the last eight polls were answered, and offset is the current difference from that peer in milliseconds.


ntpq -p

# output
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time4.google.co .GOOG.           1 u   15 1024  377  141.819   48.513  57.598
+ussjc2-ntp-002. .GPSs.           1 u  115 1024  377  218.000   18.940  32.073
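
A check for the two things that matter here, added as an example and not code from the original post: that the ntp.conf hardening lines are actually present, and that the clock is disciplined closely enough for certificate validation. The second function parses ntpq -p output in the format shown above and fails unless a system peer is fully reachable and within a chosen offset. The MAX_OFFSET_MS variable and the 100 ms default are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): lint the hardening lines in
# ntp.conf and decide from ntpq -p output whether the clock can be trusted
# for certificate validation. MAX_OFFSET_MS is an assumption for the example.
set -e

# ntp_conf_lint CONF: one line per finding, nothing when the file is sound.
ntp_conf_lint() {
    _f=$1
    if ! grep -Eq '^[[:space:]]*restrict[[:space:]]+default([[:space:]]|$)' "$_f"; then
        echo "no 'restrict default' line: any address may query and modify the daemon"
    else
        for _flag in noquery nomodify; do
            grep -Eq "^[[:space:]]*restrict[[:space:]]+default([[:space:]].*)?[[:space:]]$_flag([[:space:]]|$)" "$_f" ||
                echo "restrict default lacks $_flag"
        done
    fi
    grep -Eq '^[[:space:]]*disable[[:space:]]+monitor([[:space:]]|$)' "$_f" ||
        echo "monitor not disabled: monlist (CVE-2013-5211) stays reachable from any address restrict leaves queryable"
    grep -Eq '^[[:space:]]*(server|pool|peer)[[:space:]]' "$_f" ||
        echo "no upstream server/pool/peer configured"
    return 0
}

# ntp_sync_status MAX_OFFSET_MS (ntpq -p output on stdin): succeed only when a
# system peer (the '*' line) has answered the last eight polls (reach 377) and
# its offset is within MAX_OFFSET_MS; print why otherwise.
ntp_sync_status() {
    awk -v max="$1" '
        /^\*/ {
            found = 1
            reach = $7
            off = $9 + 0
            if (off < 0) off = -off
            if (reach != "377") {
                printf "syspeer %s reach %s, want 377\n", $1, reach; bad = 1
            }
            if (off > max) {
                printf "syspeer %s offset %.3f ms exceeds %s ms\n", $1, off, max; bad = 1
            }
        }
        END {
            if (!found) { print "no system peer selected yet (no * line)"; bad = 1 }
            exit bad
        }'
}

# Constructed sample: the ntpq -p output shown above, used when ntpq is absent.
NTPQ_SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time4.google.co .GOOG.           1 u   15 1024  377  141.819   48.513  57.598
+ussjc2-ntp-002. .GPSs.           1 u  115 1024  377  218.000   18.940  32.073'

# Stand-alone run.
if [ -r /etc/ntp.conf ]; then
    ntp_conf_lint /etc/ntp.conf
fi
if command -v ntpq >/dev/null 2>&1; then
    ntpq -p
else
    printf '%s\n' "$NTPQ_SAMPLE"
fi | ntp_sync_status "${MAX_OFFSET_MS:-100}" ||
    echo "clock not trustworthy for certificate validation"
```

Right after ntpd starts there is no * line yet and the check fails; that is the intended behaviour, since signing or validating certificates before the clock has converged is exactly the mistake to avoid. The 48 ms offset in the sample passes at the 100 ms default and fails if the limit is tightened to 10 ms.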
                

Root CA

The root CA server will provide certificate signing services. The openssl package will be used to generate the root certificate and to sign the host certificates. Note: I will be using a minimal configuration that is not very secure, please don't use this method in production.

Generate the CA signing key. genrsa without -aes256 (or similar) writes the key unencrypted, which is the main reason this setup is lab-only.


openssl genrsa -out ROOTCA.key 2048
                

Create a self-signed certificate using the signing key just created. With the stock openssl.cnf, req -x509 applies the v3_ca extension section (basicConstraints CA:TRUE), which is what makes this certificate usable for signing others; -days 1024 gives it just under three years.


openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024 \
    -subj "/C=AU/ST=NSW/L=NSW/O=LAB/CN=util.lab.local" \
    -out ROOTCA.pem
                

Move the certificate and key to the /etc/ssl/certs directory and set ownership to root, with the key readable by root only. On CentOS /etc/ssl/certs is /etc/pki/tls/certs; the private key is conventionally kept in /etc/pki/tls/private instead, away from the public certificates, and the 0400 mode is what actually protects it.


sudo mv ROOTCA.* /etc/ssl/certs/ ; cd /etc/ssl/certs/
sudo chown root:root ROOTCA.*
sudo chmod 0644 ROOTCA.pem
sudo chmod 0400 ROOTCA.key
                

Once this is done the ROOTCA.pem will need to be imported into the trusted certificate store of the host devices; on CentOS 7 that is a copy into /etc/pki/ca-trust/source/anchors/ followed by update-ca-trust extract. The hosts themselves will need to generate a certificate signing request and have the certificate signed by the root CA; the host's private key never leaves the host, only the request travels to the CA.
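
The signing step described above, worked end to end as an added example (not code from the original post): build the root CA with an explicit CA profile instead of relying on the stock openssl.cnf, generate a host key and CSR, sign it with a subjectAltName that carries both the short and the fully qualified lab name, and verify the result against the CA. The output directory, the host name gitlab, the "LAB Root CA" subject, the lifetimes and the LAB_PKI_DIR variable are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build the lab root CA, sign a
# host certificate with a subjectAltName, and verify the chain. The directory,
# the host name, the CA subject and LAB_PKI_DIR are assumptions for the example.
set -e

# make_lab_pki DIR HOST: write ROOTCA.key/ROOTCA.pem and HOST.key/HOST.csr/HOST.pem
# for HOST.lab.local into DIR.
make_lab_pki() {
    dir=$1; host=$2; domain=lab.local
    mkdir -p "$dir"

    # CA profile: CA:TRUE and keyCertSign are what make this a CA certificate
    # rather than an ordinary self-signed leaf.
    cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = AU
ST = NSW
O = LAB
CN = LAB Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/ROOTCA.key" 2048 2>/dev/null
    chmod 0400 "$dir/ROOTCA.key"
    openssl req -x509 -new -key "$dir/ROOTCA.key" -sha256 -days 1024 \
        -config "$dir/ca.cnf" -out "$dir/ROOTCA.pem"

    # Host key and CSR. The CN alone is not enough for modern clients; the DNS
    # names go into subjectAltName, which the CA adds at signing time below.
    cat > "$dir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C = AU
ST = NSW
O = LAB
CN = $host.$domain
EOF
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    chmod 0400 "$dir/$host.key"
    openssl req -new -key "$dir/$host.key" -config "$dir/$host.cnf" -out "$dir/$host.csr"

    # Leaf profile applied by the CA: explicitly not a CA, server use only, and
    # both names dnsmasq answers for, so what the client resolves is what it validates.
    cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host, DNS:$host.$domain
EOF
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ROOTCA.pem" -CAkey "$dir/ROOTCA.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/$host.ext" \
        -out "$dir/$host.pem" 2>/dev/null
}

# verify_host_cert DIR HOST: the chain check plus the SAN check a client performs.
verify_host_cert() {
    openssl verify -CAfile "$1/ROOTCA.pem" "$1/$2.pem" >/dev/null &&
        openssl x509 -in "$1/$2.pem" -noout -text | grep -q "DNS:$2.lab.local"
}

# Stand-alone run, enabled by setting LAB_PKI_DIR.
if [ -n "${LAB_PKI_DIR:-}" ]; then
    make_lab_pki "$LAB_PKI_DIR" gitlab
    verify_host_cert "$LAB_PKI_DIR" gitlab && echo "gitlab.lab.local chain OK"
fi
```

On the real hosts only the CSR step runs locally; the .csr is copied to the utility server, signed there with the x509 -req command, and the .pem copied back. A certificate from a different root, or one whose SAN does not carry the name the client resolved, fails the verify_host_cert check, which is the behaviour to expect from every client in the lab once ROOTCA.pem is in their trust store.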

Summary

Now that the utility server is configured with DNS, NTP and certificate services, let's move on to part 3 of this series: Gitlab Installation.

Links

https://www.techrepublic.com/article/how-to-configure-dnsmasq-on-fedora-desktop-and-server/
https://www.server-world.info/en/note?os=CentOS_7&p=dnsmasq
https://www.server-world.info/en/note?os=CentOS_7&p=ntp
https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

Published: 2018-01-24