Higher Logic notes on screwing with tech…

20Jun/110

Reverse DNS wall using DJBDNS

Another DNS post, yay! Out of all aspects of DNS services this one is used the least. So what's a reverse DNS wall? You know reverse DNS? That's where you look up an IP address and get the name associated with it, as opposed to the other way round.

Now "some" special needs servers on the internet (FTP, SSH) like to do a reverse resolve of the incoming IP and block based upon the result. Some even rarer servers would then do an A record check on the reverse result to make sure that it matches the originating IP.

Let's say I have a whole bunch of computers that don't have DNS names, not now, not ever; how do they connect to these pesky services? Tell the service provider to stop being daft! Once you recover from the slap they gave you, set up your own reverse DNS wall. When queried, walldns responds with the good stuff and takes you to the promised land!


# Install
apt-get install daemontools daemontools-run ucspi-tcp djbdns
# walldns-conf needs both the service account and the log account
adduser --no-create-home --disabled-login --shell /bin/false walldns
adduser --no-create-home --disabled-login --shell /bin/false dnslog

# Config
walldns-conf walldns dnslog /etc/walldns 1.2.3.4
mkdir /etc/service ; cd /etc/service ; ln -sf /etc/walldns/

# Start and Test
initctl start svscan
# Checking status
svstat /etc/service/walldns
# Shutting down
svc -d /etc/service/walldns
# Starting up
svc -u /etc/service/walldns

Now get the upstream hosters of your IP address to delegate the reverse zone to your server and you are good to go.
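To see why the wall satisfies both kinds of picky server, here is an added example (my code, not part of djbdns) that models walldns's answers, a PTR for d.c.b.a.in-addr.arpa pointing at that same name and an A for that name pointing back at a.b.c.d, and runs the forward-confirmed reverse DNS check those daemons perform against it, entirely offline.

```python
import ipaddress
from typing import Callable, Optional

Resolver = Callable[[str, str], Optional[str]]   # (qname, qtype) -> answer or None

def walldns_answer(qname: str, qtype: str) -> Optional[str]:
    """Model of what walldns hands back (added example, not djbdns code).
    PTR d.c.b.a.in-addr.arpa -> the same name d.c.b.a.in-addr.arpa
    A   d.c.b.a.in-addr.arpa -> a.b.c.d
    Names outside in-addr.arpa, or with a malformed octet, get no answer."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:4]
    for o in octets:
        # reject empty, non-numeric, leading-zero and out-of-range labels
        if not o.isdigit() or str(int(o)) != o or int(o) > 255:
            return None
    if qtype == "PTR":
        return ".".join(labels)
    if qtype == "A":
        return ".".join(reversed(octets))
    return None

def fcrdns_check(client_ip: str, resolve: Resolver) -> bool:
    """Forward-confirmed reverse DNS, the test the picky FTP/SSH daemons
    apply: reverse-resolve the client, then require the resulting name's
    A record to point back at the client. `resolve` is any lookup callback;
    passing walldns_answer keeps the whole check offline."""
    ptr_name = ipaddress.ip_address(client_ip).reverse_pointer  # 4.3.2.1.in-addr.arpa
    name = resolve(ptr_name, "PTR")
    if name is None:
        return False          # no reverse record: the daemon rejects the client
    return resolve(name, "A") == client_ip
```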

16Jun/110

Ubuntu serial connection to Cisco devices

Nice and short one, I bet it's what all the girls say!

# install the bastard
sudo apt-get install minicom
# check out which serial ports you have
spidey@app03:~$ dmesg | grep tty
[ 0.000000] console [tty0] enabled
[ 3.278021] serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
[ 3.278114] serial8250: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
[ 3.278334] 00:05: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
[ 3.278451] 00:06: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
# from the above you can see I have ttyS0 which is /dev/ttyS0
# configure away!
sudo minicom -s
# go to "Serial Port Setup"
Set "line speed" to "9600"
Set "hardware flow control" to "No"
Set "serial device" to "/dev/ttyS0"
# Save the settings
# sit back and have some cake
sudo minicom

13Jun/111

Djbdns on ubuntu 10.04 server, migration from BIND and zone transfers to secondaries (BIND)

What are you going to do with rainy Sundays? Move from BIND to djbdns of course :D I have been wanting to do this for quite some time, so here it goes...

Criteria for this djbdns:

  • Must use ubuntu base repositories (ease of maintenance)
  • Still play nicely with BIND slaves (can't change those :()
  • Still resolve custom internal domain (mine is *.prove)
  • DNS serving is separated from DNS resolving

Background info for the following technical steps:

  • dns server listening on 1.2.3.4
  • dns resolving service listening on 1.2.3.5
  • dns resolving service only allowing clients from 1.2.3.0/24
  • zones transferred from BIND, higherlogic.com.au and .prove (internal)

Setup tinydns (dns server) and dnscache (resolver cache)

Drill and lay down some foundations
# Install
apt-get install daemontools daemontools-run ucspi-tcp djbdns
# alternatively install dbndns for extra debian goodness with ipv6 and others
apt-get install daemontools daemontools-run ucspi-tcp dbndns
# Users for the chroot jail
adduser --no-create-home --disabled-login --shell /bin/false dnslog
adduser --no-create-home --disabled-login --shell /bin/false tinydns
adduser --no-create-home --disabled-login --shell /bin/false dnscache

Build the house
# Config
tinydns-conf tinydns dnslog /etc/tinydns/ 1.2.3.4
dnscache-conf dnscache dnslog /etc/dnscache 1.2.3.5
# allow only 1.2.3.0/24 to use the resolver
cd /etc/dnscache; touch /etc/dnscache/root/ip/1.2.3
# both services need a link under /etc/service for svscan to supervise them
mkdir /etc/service ; cd /etc/service ; ln -sf /etc/tinydns/ ; ln -sf /etc/dnscache/

Check that it's sturdy
# Start and Test
initctl start svscan
# Checking status
svstat /etc/service/tinydns
svstat /etc/service/dnscache
# Shutting down
svc -d /etc/service/tinydns
svc -d /etc/service/dnscache
# Starting up
svc -u /etc/service/tinydns
svc -u /etc/service/dnscache

Pack the boxes at the old place
# Pull the zones into the tinydns data directory (axfr-get writes tinydns-data format)
cd /etc/tinydns/root
# Normal forward zone retrieval
tcpclient ns.higherlogic.com.au 53 axfr-get higherlogic.com.au zone-higherlogic.com.au zone-higherlogic.com.au.tmp
tcpclient ns.higherlogic.com.au 53 axfr-get prove zone-prove zone-prove.tmp
# Example Reverse IP
tcpclient dns1.mydomain.com 53 axfr-get 32.58.212.in-addr.arpa zone-32.58.212 zone-32.58.212.tmp

Move in!
# Create new combined zone db which will drive tinydns
cd /etc/tinydns/root/
sort -u zone* > data
make

If you host your own internal custom domain (*.prove in my case)
# Make sure the zone is setup in tinydns already
# Fix up your dnscache to resolve your custom zones and restart service
cd /etc/dnscache
echo 1.2.3.4 > root/servers/prove
chmod 644 root/servers/prove
svc -t /etc/service/dnscache

Some tire-kicking?
# Test what djbdns is returning vs BIND; the answers should be identical
cd /etc/tinydns/root   # tinydns-get reads data.cdb from the current directory
tinydns-get a www.higherlogic.com.au
dnsq a www.higherlogic.com.au ns.higherlogic.com.au

Setup zone transfers with BIND using axfrdns

# Install
apt-get install daemontools daemontools-run ucspi-tcp djbdns
adduser --no-create-home --disabled-login --shell /bin/false axfrdns

# Config
axfrdns-conf axfrdns dnslog /etc/axfrdns /etc/tinydns 1.2.3.4
cd /etc/service ; ln -sf /etc/axfrdns/

# Start and Test
initctl start svscan
# Checking status
svstat /etc/service/axfrdns
# Shutting down
svc -d /etc/service/axfrdns
# Starting up
svc -u /etc/service/axfrdns

# Restrict zone transfers to the secondary at 2.3.4.5 by editing /etc/axfrdns/tcp.
# The pattern is a bare IP; a leading "=" would make tcprules match a hostname, not an address.
# The default rule still allows large queries over TCP but, with AXFR="", no zone transfers.
2.3.4.5:allow
:allow,AXFR=""

# compile the tcp file into tcp.cdb, same as make does for tinydns
cd /etc/axfrdns
make
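As an added example (my code, not ucspi-tcp or axfrdns), the following models how tcpserver picks a rule from a tcp file and how axfrdns then consults $AXFR, so you can check a rules file before pointing the secondary at it; the lookup order is my reading of the tcprules documentation, and the rules text is constructed, not the page's own file.

```python
from typing import Optional
# Constructed rules in the shape of /etc/axfrdns/tcp (not the page's own file):
# the secondary at 2.3.4.5 may transfer the two zones; everyone else may only
# send ordinary TCP queries, because AXFR="" names no zone at all.
TCP_RULES = '''
# secondary name server
2.3.4.5:allow,AXFR="higherlogic.com.au/prove"
:allow,AXFR=""
'''

def parse_rules(text: str) -> dict:
    """Parse tcprules lines 'pattern:allow|deny[,VAR="value",...]' into
    {pattern: (action, env)}; '#' lines are comments."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, rest = line.partition(":")
        action, *assignments = rest.split(",")
        env = {}
        for item in assignments:
            key, _, value = item.partition("=")
            env[key] = value.strip('"')
        rules[pattern] = (action, env)
    return rules

def lookup(rules: dict, ip: str, host: Optional[str] = None) -> tuple:
    """Pick the rule tcpserver applies, in the order documented for tcprules:
    exact IP, =hostname, IP prefixes ending in a dot (longest first),
    =.hostname suffixes, bare '=', then the default '' rule."""
    octets = ip.split(".")
    candidates = [ip] + (["=" + host] if host else [])
    candidates += [".".join(octets[:n]) + "." for n in (3, 2, 1)]
    if host:
        labels = host.split(".")
        candidates += ["=." + ".".join(labels[i:]) for i in range(1, len(labels))]
        candidates.append("=")
    candidates.append("")
    for pattern in candidates:
        if pattern in rules:
            return rules[pattern]
    return ("allow", {})  # nothing matched: tcpserver lets the connection through

def axfr_allowed(rules: dict, ip: str, zone: str, host: Optional[str] = None) -> bool:
    """axfrdns serves a zone only if the connection is allowed and, when $AXFR
    is set, the zone appears in its '/'-separated list ($AXFR unset = any zone)."""
    action, env = lookup(rules, ip, host)
    return action == "allow" and ("AXFR" not in env or zone in env["AXFR"].split("/"))
```

Note that a pattern written as =2.3.4.5 is only reached when the client's reverse name is literally "2.3.4.5", which is why the address form without "=" is the one that restricts transfers to the secondary.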

Last step: set up a notify script

tinydns.org has many different versions of this script tailored for various situations; see the section "Database replication via the 'Zone transfer' mechanism". I picked the James Raftery version.
