The purpose of this guide is to walk you through setting up your domains to use Hurricane Electric’s (referred to as HE going forward) free DNS service. They offer the functionality to host a master zone on their nameservers, or slave zones pulled from your own master. They also allow you to set up reverse zones, but I won’t cover that.

As the setup of a master zone is rather self-explanatory, I will focus on the setup of slave zones. This can be handy in that it allows you to run a DNS server on your own infrastructure where you edit your zones, and then send a NOTIFY to HE so they can pull an updated copy of the zone.

We will be using PowerDNS for this walkthrough. I’m not going to cover the initial PDNS setup. You can check out https://doc.powerdns.com/authoritative/installation.html for that.

Prerequisites:

  1. You have a PowerDNS server set up, with an appropriate backend.
  2. You have created a free account with HE. See here: https://ipv6.he.net/certification/register.php

Firewall:

You need to configure your PDNS master’s firewall to allow connections on port 53 from HE’s servers (zone transfers run over TCP, so TCP/53 must be open, not only UDP). For IPv4, you need to whitelist 216.218.133.2. For IPv6, allow 2001:470:600::2 through.

PDNS Config:

You also need to tell PDNS to allow AXFR requests from HE’s servers. Open up /etc/pdns/pdns.conf and edit the “allow-axfr-ips” line. It should look something like this:

allow-axfr-ips=127.0.0.0/8,::1,216.218.133.2,2001:470:600::2 

Save the file, and restart PDNS:

systemctl restart pdns

Change your nameservers:

I am not sure if this is explicitly required before HE will pull your zone, but I’ve had issues if I haven’t done this first, so set your nameservers to:

ns2.he.net
ns3.he.net
ns4.he.net
ns5.he.net

Create a zone:

Create the zone you’d like to use. You can do this via your backend of choice, or you can use pdnsutil. The following should get you going:

pdnsutil create-zone myawesomedomain.com

Set the domain to be a MASTER:

pdnsutil set-kind myawesomedomain.com master

Edit the zone, and add HE’s servers as your NS records:

pdnsutil edit-zone myawesomedomain.com

It’ll look like this by default:

; Warning - every name in this file is ABSOLUTE!
$ORIGIN .
myawesomedomain.com 3600 IN SOA a.misconfigured.powerdns.server hostmaster.myawesomedomain.com 1 10800 3600 604800 3600

Add in HE’s servers as your NS records. Update the SOA while you’re at it, for good measure. You should end up with something like this:

; Warning - every name in this file is ABSOLUTE!
$ORIGIN .
myawesomedomain.com 3600 IN SOA ns2.he.net dnsadmin.myawesomedomain.com 1 10800 3600 604800 3600
myawesomedomain.com 300 IN NS ns1.he.net
myawesomedomain.com 300 IN NS ns2.he.net
myawesomedomain.com 300 IN NS ns3.he.net
myawesomedomain.com 300 IN NS ns4.he.net
myawesomedomain.com 300 IN NS ns5.he.net

Exit the editor (Vim commands, by default). Make sure it accepted your edits. If not, check for typos.

[root@server 21:28:23] ~ pdnsutil edit-zone myawesomedomain.com
 Checked 6 records of 'myawesomedomain.com', 0 errors, 0 warnings.
 Detected the following changes:
 +myawesomedomain.com 300 IN NS ns1.he.net
 +myawesomedomain.com 300 IN NS ns2.he.net
 +myawesomedomain.com 300 IN NS ns3.he.net
 +myawesomedomain.com 300 IN NS ns4.he.net
 +myawesomedomain.com 300 IN NS ns5.he.net
 -myawesomedomain.com 3600 IN SOA a.misconfigured.powerdns.server hostmaster.myawesomedomain.com 1 10800 3600 604800 3600
 +myawesomedomain.com 3600 IN SOA ns2.he.net dnsadmin.myawesomedomain.com 1 10800 3600 604800 3600
 (a)pply these changes, (e)dit again, (r)etry with original zone, (q)uit: a
 Adding empty non-terminals for non-DNSSEC zone
 [root@server 21:34:55] ~

Now we can add the domain to HE’s DNS service. After creating an account, navigate to https://dns.he.net. Log in, and then click the “Add a new slave” link:

Enter the information in the pop-up. You should only need to fill out Domain Name and Master #1. You can use either an IP address or the DNS name of your master.

If you’ve done everything correctly so far, it should return a success message and will pull the zone shortly. If you get a message like “You must delegate to one or more of the slave nameservers”, make sure you’ve updated your nameservers, that you properly added the NS records to the zone file, and that HE is allowed to access your DNS master both via the firewall and the PDNS config.

Sometimes it can take a little bit for the initial AXFR of your zone. To check if that part has been completed, just navigate back to https://dns.he.net and click the “i” button next to your zone. If you see your NS records, the AXFR has been completed. If not, you need to wait a bit more. To double check that HE can reach your master, you can click the “validate” button.

Once your initial AXFR has completed, you can start updating zones and sending a notify to HE that they should update your zone.

By default, PDNS will send a NOTIFY to all servers listed in the NS records of your zone. HE only accepts these at a single server, so open up /etc/pdns/pdns.conf and set the following line like so:

only-notify=216.218.130.2

Save the conf file, and restart pdns.
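As an added example (not part of the original post), here is a small Python audit of the two pdns.conf settings this guide touches, allow-axfr-ips and only-notify: it flags any transfer ACL entry wider than a single host, an HE address that is missing from the ACL, and a NOTIFY target other than the one given above. The sample config strings are constructed; the addresses are the ones this guide lists.

```python
import ipaddress

# Addresses exactly as this guide gives them (AXFR sources and the NOTIFY target).
HE_AXFR_SOURCES = ("216.218.133.2", "2001:470:600::2")
HE_NOTIFY_TARGET = "216.218.130.2"

def parse_pdns_conf(text):
    """Parse key=value lines of pdns.conf into a dict, ignoring blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_axfr_config(text):
    """Return a list of findings; an empty list means the config matches the guide."""
    conf = parse_pdns_conf(text)
    findings = []
    acl = [e.strip() for e in conf.get("allow-axfr-ips", "").split(",") if e.strip()]
    nets = []
    for entry in acl:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            findings.append(f"allow-axfr-ips entry {entry!r} is not a valid address or prefix")
    for net in nets:
        if net.is_loopback:
            continue
        # A non-loopback prefix wider than one host lets more than HE copy the whole zone.
        if net.num_addresses > 1:
            findings.append(f"allow-axfr-ips entry {net} allows zone transfers beyond HE")
        elif str(net.network_address) not in HE_AXFR_SOURCES:
            findings.append(f"allow-axfr-ips entry {net} is not an HE transfer address")
    for he in HE_AXFR_SOURCES:
        if not any(ipaddress.ip_address(he) in net for net in nets):
            findings.append(f"HE address {he} is not permitted to AXFR; HE's pull will be refused")
    if conf.get("only-notify") != HE_NOTIFY_TARGET:
        findings.append(f"only-notify should be {HE_NOTIFY_TARGET}, found {conf.get('only-notify')!r}")
    return findings

# Constructed samples: the guide's own settings and a deliberately over-broad one.
GOOD_CONF = "allow-axfr-ips=127.0.0.0/8,::1,216.218.133.2,2001:470:600::2\nonly-notify=216.218.130.2\n"
WEAK_CONF = "# anyone may transfer the zone\nallow-axfr-ips=0.0.0.0/0\n"

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, audit_axfr_config(conf) or ["OK"])
```

Run it against the real file with `audit_axfr_config(open("/etc/pdns/pdns.conf").read())` after editing; an empty list means the ACL is as tight as the guide intends.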

Now you can use pdnsutil edit-zone to add or remove records as needed. You may want to add an A record or an MX record to start. Follow the same procedure as earlier, when we added the NS records.

Once you’ve made changes and saved the zone, you need to update the serial. This lets PDNS know that it should send a notify to HE. HE will then request an AXFR and update the zone on their end. You can easily update the serial like so:

pdnsutil update-serial myawesomedomain.com
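An added example, not part of the original post: a Python check over a zone listing in the absolute-name format that pdnsutil edit-zone shows above. It flags the placeholder SOA MNAME, a missing HE delegation (the cause of the “You must delegate to one or more of the slave nameservers” message), and a serial that was not raised after an edit, which is why no NOTIFY and no AXFR would follow. The sample zone strings are constructed from the listings in this guide.

```python
# Nameservers and placeholder MNAME as they appear in this guide.
HE_SLAVES = {"ns2.he.net", "ns3.he.net", "ns4.he.net", "ns5.he.net"}
PLACEHOLDER_MNAME = "a.misconfigured.powerdns.server"

def parse_zone(text):
    """Parse the absolute-name listing shown by `pdnsutil edit-zone` into record dicts."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments such as the ABSOLUTE warning
        if not line or line.startswith("$"):   # skip $ORIGIN and blank lines
            continue
        name, ttl, _klass, rtype, *rdata = line.split()
        records.append({"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return records

def check_zone(text, previous_serial=None):
    """Return findings that explain why HE would refuse the zone or never refresh it."""
    records = parse_zone(text)
    soa = [r for r in records if r["type"] == "SOA"]
    if len(soa) != 1:
        return ["zone must carry exactly one SOA record"]
    apex, mname, serial = soa[0]["name"], soa[0]["rdata"][0], int(soa[0]["rdata"][2])
    findings = []
    if mname == PLACEHOLDER_MNAME:
        findings.append("SOA MNAME is still the PowerDNS placeholder; point it at a real nameserver")
    apex_ns = {r["rdata"][0] for r in records if r["type"] == "NS" and r["name"] == apex}
    if not apex_ns & HE_SLAVES:
        findings.append("no HE slave in the apex NS set; HE answers 'You must delegate to one or more of the slave nameservers'")
    if previous_serial is not None and serial <= previous_serial:
        findings.append(f"serial {serial} is not above {previous_serial}; no NOTIFY is sent and HE will not AXFR")
    return findings

# Constructed samples copied from the default and finished zones shown in this guide.
DEFAULT_ZONE = """; Warning - every name in this file is ABSOLUTE!
$ORIGIN .
myawesomedomain.com 3600 IN SOA a.misconfigured.powerdns.server hostmaster.myawesomedomain.com 1 10800 3600 604800 3600
"""
DELEGATED_ZONE = """$ORIGIN .
myawesomedomain.com 3600 IN SOA ns2.he.net dnsadmin.myawesomedomain.com 1 10800 3600 604800 3600
myawesomedomain.com 300 IN NS ns1.he.net
myawesomedomain.com 300 IN NS ns2.he.net
myawesomedomain.com 300 IN NS ns3.he.net
"""

if __name__ == "__main__":
    print(check_zone(DEFAULT_ZONE))                       # placeholder MNAME, no HE delegation
    print(check_zone(DELEGATED_ZONE, previous_serial=1))  # serial was not raised
    print(check_zone(DELEGATED_ZONE.replace(" 1 10800", " 2 10800"), previous_serial=1))  # []
```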

After a short while, HE will AXFR and your changes will go live. To double check everything is working properly, you can check the syslog. Any errors will show up there. That is /var/log/messages on Red Hat based systems. I don’t run Ubuntu in production so don’t even ask me where PDNS logs to on that distro.
