Higher Logic notes on screwing with tech…


Reverse DNS wall using DJBDNS

Another DNS post yay! Out of all aspects of DNS services this one is used least. So whats a reverse DNS wall? You know reverse DNS? thats where you look up an IP address and get the name associated as opposed to the other way round.

Now "some" special needs servers on the internet (FTP, SSH) like to do a reverse resolve of the incoming IP and block based upon the result. Some even rarer server would then would do a A record check on the reverse to make sure that matches the originating IP.

Lets say I have a whole bunch of computers that don't have DNS names, not now, not ever, how do they connect to these pesky services? Tell the service provide to stop be daft! Once you recover from the slap they gave you then setup our own reverse DNS wall. When queried these things will respond with the good stuff and take you to the promise land!

# Install
apt-get install daemontools daemontools-run ucspi-tcp djbdns
adduser --no-create-home --disabled-login --shell /bin/false walldns

# Config
walldns-conf walldns dnslog /etc/walldns
mkdir /etc/service ; cd /etc/service ; ln -sf /etc/walldns/

# Start and Test
initctl start svscan
# Checking status
svstat /etc/service/walldns
# Shutting down
svc -d /etc/service/walldns
# Starting up
svc -u /etc/service/walldns

Now get the upstream hosters of your IP address delegate the reverse zone to your server and you are good to go.


TXT style record with tinydns (djbdns)

If you want TXT records in tinydns, It looks a little like this:


I used this one above for google domain verification. If you have '\n' and ':' and other characters in your TXT be a little careful as tinydns expects it encoded right, and use Anders TXT record builder

Tagged as: , , No Comments

Djbdns on ubuntu 10.04 server, migration from BIND and zone transfers to secondaries (BIND)

What are you going to do with rainy Sundays? Move from BIND to djbdns ofcourse :D I have been wanting to do this for quite some time, so here it goes...

Criteria for this djbdns:

  • Must use ubuntu base repositories (ease of maintenance)
  • Still play nicely with BIND slaves (can't change those :()
  • Still resolve custom internal domain (mine is *.prove)
  • DNS servering is separated from DNS resolving

Background info for the following technical steps:

  • dns server listening on
  • dns resolving service listening on
  • dns resolving service only allowing clients from
  • zones transferred from BIND, higherlogic.com.au and .prove (internal)

Setup tinydns (dns server) and dnscache (resolver cache)

Drill and lay down some foundations
# Install
apt-get install daemontools daemontools-run ucspi-tcp djbdns
# alternatively install dbndns for extra debian goodness with ipv6 and others
apt-get install daemontools daemontools-run ucspi-tcp dbndns
# Users for the chroot jail
adduser --no-create-home --disabled-login --shell /bin/false dnslog
adduser --no-create-home --disabled-login --shell /bin/false tinydns
adduser --no-create-home --disabled-login --shell /bin/false dnscache

Build the house
# Config
tinydns-conf tinydns dnslog /etc/tinydns/
dnscache-conf dnscache dnslog /etc/dnscache
cd /etc/dnscache; touch /etc/dnscache/root/ip/1.2.3
mkdir /etc/service ; cd /etc/service ; ln -sf /etc/tinydns/

Check that its sturdy
# Start and Test
initctl start svscan
# Checking status
svstat /etc/service/tinydns
svstat /etc/service/dnscache
# Shutting down
svc -d /etc/service/tinydns
svc -d /etc/service/dnscache
# Starting up
svc -u /etc/service/tinydns
svc -u /etc/service/dnscache

Pack the boxes at the old place
# Normal forward zone retrieval
tcpclient ns.higherlogic.com.au 53 axfr-get higherlogic.com.au zone-higherlogic.com.au zone-higherlogic.com.au.tmp
tcpclient ns.higherlogic.com.au 53 axfr-get prove zone-prove zone-prove.tmp
# Example Reverse IP
tcpclient dns1.mydomain.com 53 axfr-get 32.58.212.in-addr.arpa zone-32.58.212 zone-32.58.212.tmp

Move in!
# Create new combined zone db which will drive tinydns
cd /etc/tinydns/root/
sort -u zone* > data

If you host your own internal custom domain (*.prove in my case)
# Make sure the zone is setup in tinydns already
# Fix up your dnscache to resolve your custom zones and restart service
cd /service/dnscache
echo > root/servers/prove
chmod 644 root/servers/prove
svc -t /etc/dnscache

Some tire-kicking?
# Test what djbdns is returning vs bind should be identical
tinydns-get a www.higherlogic.com.au
dnsq a www.higherlogic.com.au ns.higherlogic.com.au

Setup zone transfers with BIND using axfrdns

# Install
apt-get install daemontools daemontools-run ucspi-tcp djbdns
adduser --no-create-home --disabled-login --shell /bin/false axfrdns

# Config
axfrdns-conf axfrdns dnslog /etc/axfrdns /etc/tinydns
cd /etc/service ; ln -sf /etc/axfrdns/

# Start and Test
initctl start svscan
# Checking status
svstat /etc/service/axfrdns
# Shutting down
svc -d /etc/service/axfrdns
# Starting up
svc -u /etc/service/axfrdns

# Restrict zone transfers from by editing /etc/axfrdns/tcp
:allow,AXFR="" #allows large queries through TCP

#update tcp file similar to tinydns
cd /etc/axfrdns

Last step setup a notify script

Tinydns.org has many different versions of this script tailored for various situations See Section: Database replication via the "Zone transfer" mechanism. I picked the James Raftery version.