Adding Servers

BIND9 → DDI Central migration: Secure transition with lower privileges

Before onboarding and discovering a BIND9-based DNS server into DDI Central, you must reconfigure it to run under a dedicated, low-privilege user (ddi) and grant only the minimum required capabilities. Running named as root gives the DNS process system-level privileges it does not need. Moving named to the ddi user lets the DNS server operate with just enough permission to function, which significantly reduces the attack surface.

Step 1: Update Permissions on Configuration and Zone Files

For DDI Central to read, discover, and ingest your BIND9 configuration and zone files, they must be owned and accessible by the ddi user. Changing ownership (chown) and permissions (chmod) ensures proper access without exposing files to the wrong users.

Ensure the `ddi` user owns the necessary files and directories:

chown -R ddi:ddi /etc/named*    

or

chown -R ddi:ddi /etc/bind/    

This makes sure the ddi user—and only that user—owns all of the BIND configuration and zone files.

chmod -R 2770 /etc/named*    

or

chmod -R 2770 /etc/bind/    

Now that ddi owns them, only ddi (read/write) and members of the file's group (read/write) can touch those files; root is not restricted by mode bits. Everyone else is denied access. The leading 2 in 2770 is the setgid bit, so files created later inside these directories inherit the ddi group instead of the creator's group.

Step 2: Grant required capabilities to BIND binaries

Linux normally requires root to open ports below 1024. To let the `ddi` user bind to privileged ports (TCP/UDP 53, 853, 443) without full root privileges, apply the following capabilities:

/usr/sbin/setcap 'cap_net_bind_service=+ep' /usr/sbin/named    
/usr/sbin/setcap 'cap_net_bind_service=+ep' /usr/sbin/rndc    

This grants just the CAP_NET_BIND_SERVICE capability to those two binaries, so they can open low ports without holding any other root privilege.

Verify with:

getcap /usr/sbin/named    
getcap /usr/sbin/rndc    

Both commands should show that cap_net_bind_service=ep is set (older libcap releases print the same state as cap_net_bind_service+ep). With cap_net_bind_service the DNS server can still bind to the critical ports (53 for DNS, 853 for DoT, 443 for DoH) without running as root. This is essential for secure environments where full root execution is discouraged or prohibited.

Step 3: Configure systemd to drop root and run `named` as the `ddi` user

Open and edit your BIND systemd service file. Depending on your OS and setup, it is one of:

  • /etc/systemd/system/bind9.service or
  • /etc/systemd/system/named.service

Then, under the [Service] section, make these changes:

[Service]
ExecStart=/usr/sbin/named -u ddi -c ${NAMEDCONF} $OPTIONS
TimeoutStartSec=30s
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/usr/local/bind9/var
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

Here,

  • -u ddi tells named to switch to the ddi user after startup.
  • ProtectSystem, ProtectHome, and NoNewPrivileges lock down the filesystem and prevent privilege escalation.
  • ReadWritePaths lists the only locations named may write to while ProtectSystem=strict is in effect; any directory named must write (for example journal files of dynamic zones, its PID file, or dump and statistics files) has to be listed here, otherwise those writes fail with a permission error.
  • AmbientCapabilities and CapabilityBoundingSet ensure only the bind-to-port capability is retained.

After saving the changes, reload systemd:

systemctl daemon-reload
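The following audit script checks the result of Steps 1 to 3 on the BIND9 host before you start discovery: file ownership and modes from Step 1, the file capabilities from Step 2, and the hardening directives of the systemd unit from Step 3. It is an added example and not part of the DDI Central documentation; it assumes GNU coreutils (stat -c, find) and libcap's getcap, and its default user name, paths and unit file name are the ones used in the procedure above (override them with the environment variables at the top if yours differ).

```shell
#!/bin/sh
# Audit script for a BIND9 host hardened per Steps 1-3 (added example, not
# vendor code). Assumes GNU coreutils and libcap's getcap. The user name,
# paths and unit file name below are assumptions taken from the procedure
# above and can be overridden through the environment.

BIND_USER="${BIND_USER:-ddi}"
BIND_DIRS="${BIND_DIRS:-/etc/bind}"                         # or /etc/named*
BIND_BINS="${BIND_BINS:-/usr/sbin/named /usr/sbin/rndc}"
UNIT_FILE="${UNIT_FILE:-/etc/systemd/system/named.service}"

# check_owner PATH USER: true when USER exists and owns everything under PATH.
check_owner() {
    id -u "$2" >/dev/null 2>&1 || return 1
    [ -e "$1" ] || return 1
    [ -z "$(find "$1" ! -user "$2" -print | head -n 1)" ]
}

# check_mode PATH: true when no "other" permission bits are set on PATH or
# anything below it, which is what chmod -R 2770 should have produced.
check_mode() {
    [ -e "$1" ] || return 1
    # stat -c '%a' prints the octal mode (e.g. 2770 or 660); the last digit
    # is the "other" class and must be 0 on every entry.
    find "$1" -exec stat -c '%a' {} + |
        awk 'BEGIN { bad = 0 } { if (substr($0, length($0), 1) != "0") bad = 1 } END { exit bad }'
}

# check_caps BINARY: true when getcap reports cap_net_bind_service with the
# effective and permitted flags ("=ep", or "+ep" on older libcap releases).
check_caps() {
    getcap "$1" 2>/dev/null | grep -q 'cap_net_bind_service[=+]ep$'
}

# unit_has FILE KEY VALUE: true when the exact directive KEY=VALUE is present.
unit_has() {
    grep -qx "$2=$3" "$1"
}

# check_unit FILE: true when the unit drops root (-u USER), confines the
# filesystem and keeps only the bind-to-port capability.
check_unit() {
    [ -f "$1" ] || return 1
    grep -Eq "^ExecStart=.* -u $BIND_USER( |\$)" "$1" &&
    unit_has "$1" ProtectSystem strict &&
    unit_has "$1" ProtectHome true &&
    unit_has "$1" NoNewPrivileges true &&
    unit_has "$1" AmbientCapabilities CAP_NET_BIND_SERVICE &&
    unit_has "$1" CapabilityBoundingSet CAP_NET_BIND_SERVICE
}

# audit: run every check, report each failure, return non-zero if any failed.
audit() {
    rc=0
    for d in $BIND_DIRS; do
        check_owner "$d" "$BIND_USER" || { echo "FAIL ownership: $d is not owned by $BIND_USER"; rc=1; }
        check_mode "$d"               || { echo "FAIL mode: $d is accessible to others"; rc=1; }
    done
    for b in $BIND_BINS; do
        check_caps "$b" || { echo "FAIL capability: $b lacks cap_net_bind_service=ep"; rc=1; }
    done
    check_unit "$UNIT_FILE" || { echo "FAIL unit: $UNIT_FILE is missing a hardening directive"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: host is ready for DDI Central discovery"
    return "$rc"
}

# Run the audit only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    audit
fi
```

Run it as `sh bind9-audit.sh --run` on the BIND9 host after Step 3 and fix every FAIL line before starting the discovery job; the unit check deliberately requires the exact directive values from the procedure, so a unit that loosens ProtectSystem or drops NoNewPrivileges is reported.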

Step 4: Discover your newly hardened BIND9 in DDI Central

Once the above steps are complete and `named` is running as the `ddi` user with the proper security context, proceed to:

  1. Open the DDI Central UI.
  2. Go to Settings > Add Server and navigate to the Discovery section.
  3. Start a new discovery job targeting your BIND9 server's IP address or hostname.
  4. Confirm in DDI Central that your zone files and named configuration have been imported correctly. The server should now appear as an onboarded DNS instance running under the low-privilege ddi account.

Adding servers in DDI Central console

Once the cluster is created, you are taken directly to the Servers page to add your DNS and DHCP servers. Otherwise, select Settings from the menu bar along the left side of the screen and choose Servers from the submenus that appear alongside it.

  • On the Servers page, click the Add Server button in the top left corner.
  • The Create Server page appears. Here you can add your DNS-DHCP servers either by discovering existing server configurations or by simply adding the server to the DDI Central console and configuring it through the DDI Central user interface later.

Enter the following server details:

  1. SERVER NAME: A required field where you assign a unique name to the server being configured or added for identification.

    Note: No two servers in the same or different clusters can have the same name.
  2. TYPE: Select the type of server being set up, such as DNS, DHCP, or both (server that is configured for both DNS and DHCP services).
  3. SERVER IP: Specify the IP address of the server being added.
  4. AGENT HTTP PORT: Specify the port number used by the DDI Node Agent installed in the server for HTTP connections.
  5. AGENT HTTPS PORT: Specify the port number used by the DDI Node Agent installed in the server for HTTPS connections.
  6. Note: Admins can change the network port used by the Node Agent to meet internal networking policies and external regulations. If the Node Agent port is changed via the command window on the server, update it in the DDI Central Console UI immediately to avoid downtime; otherwise communication between the App Console and that server is disrupted.

  7. DISCOVER EXISTING CONFIGURATIONS?: You have two choices to make here; opt for Step 7 or Step 8 depending on your requirement.

    Step 7 -> Advanced DNS-DHCP-IP address discovery

    Specify any one of the options (DNS, DHCP, or Both) to discover all the existing configurations from the server, or

    Step 8 -> Adding and configuring servers using DDI Central

    Specify No if you just want to add and set up a new server from scratch. You can then set up the required DNS, DHCP, or combined configurations for the server through the DDI Central user interface later.

Advanced DNS-DHCP-IP address discovery

To discover all the advanced configurations of the DNS-DHCP services, the whole IP address plan, and the current IP address inventory, choose any one of the three options (DNS, DHCP, or Both) for Discover Existing Configurations?.

Note: Selecting either DNS or DHCP will result in the discovery of only the DNS or DHCP configurations, respectively, from the server. When discovering a DNS server with DDNS-enabled domains, ensure that both DNS and DHCP servers are discovered at the same time for DDI Central to capture the combined configurations. Similarly, while discovering DHCP servers that provision IP addresses for dynamic domains, it is essential to discover the corresponding DNS servers as well.

Provide the Config Path and the Zone File path for DNS servers, and the Lease Path and the DHCP server path for DHCP servers.

Setting up servers through DDI Central

You can add new servers to the DDI console and let ManageEngine DDI Central implement, configure, and manage DNS, DHCP, and IPAM services on your network infrastructure from scratch.

DDI Central bundles DNS and DHCP services with the product; they are deployed on your servers when the product is installed.

For this, choose No for the Discover Existing Configurations? option.

App Console Details

  1. APP CONSOLE: Enter the static IP address of the central server that hosts the DDI application console associated with this server.

    Note: It is crucial that this IP address remains constant to maintain consistent connection between the central DDI console server and the Node Agents installed in all your DNS and DHCP servers.
  2. HTTP PORT: Specify the port number of the central DDI application console server for HTTP connections.
  3. HTTPS PORT: Specify the port number of the central DDI application console server for HTTPS connections.
  4. Click Save to add the server into the ME DDI console.

    If you have chosen the discovery option as outlined in Step 7, ManageEngine DDI Central will begin to discover configurations from the designated paths for each service.

    Note: The discovery process takes a considerable amount of time depending on the volume of configurations in the servers. Wait until the whole process completes.

    Once you have added your server to the DDI Central console, you can modify the discovered DNS-DHCP-IPAM configurations or start setting up the DNS-DHCP-IPAM configurations for the new server through the DDI Central user interface.

  5. The added servers, with all their configurations in place, are listed under the Settings > Servers page. Here you can perform general actions such as editing the server configuration, deleting the server, and monitoring the health stats of the server(s).
  6. Other than the general actions, you can also perform the following actions:

    Flush DNS Cache: Click the Flush DNS Cache button to refresh the DNS cache of the selected server and ensure that the DNS information hosted on the server is up to date.

    A dialog box appears prompting you to specify the scope of the cache flush. If you want to flush the cache of all the zones on the server, click Flush All or if you just want to flush the cache of a specific zone on the server, click Flush Specific.

  7. Subsequently, specify the zone name and click Flush Cache.

    Note: The Flush DNS Cache action is crucial for maintaining the reliability and speed of DNS resolution within your network.
  8. The other special action is Reset Password, which gives network admins tighter control over DDI Central's Node Agent authentication. It allows admins to reset the password used to secure transactions between DDI Central's Node Agent and DDI Central's App Console.
  9. Both DNS and DHCP servers within a cluster can be suspended from providing further updates to the app console UI by going to Servers > Actions and clicking the Suspend option in the dropdown menu.

    Note: The server on which the app console is running can't be suspended; that server is marked with a yellow crown icon.

    After selecting Yes to suspend the selected server, the server is marked Unmanaged in the status section.

    When the admin wants to change the state back to Managed, the suspended servers can be resumed so that their updates are reflected in the app console UI again, by clicking the Resume Operations option.

Note: You can now view the node agent version installed on each server under the Agent Version column in the table.

DDI Central now allows users to update the status of their servers and associated services by clicking the Check Status button after selecting the desired server. This action refreshes and displays the current status of both the server and the services it hosts. Users can select one or multiple servers to update their status simultaneously.

Note: The server running the DDI Central application, identified by a yellow icon, cannot be selected when using the Check Status option.