Dieses Wiki ist ein Archiv bis 2023. Das aktuelle Wiki findet sich unter https://wiki.hamburg.ccc.de/
Difference between revisions of "ChaosVPN:DNS"
m (Server is down.) |
|||
| Line 1: | Line 1: | ||
We have a DNS running. | We have a DNS running. | ||
| + | |||
| + | = how to get entries = | ||
| + | |||
| + | Email chaosvpn-join@hamburg.ccc.de to get an entry under .hack or to get a reverse-lookup for your IP / range registered. | ||
= configs = | = configs = | ||
| Line 5: | Line 9: | ||
The main zonefile atm is edited with vim on cvpn-dns. | The main zonefile atm is edited with vim on cvpn-dns. | ||
| − | This server is available at 172.31.0.5 or | + | This server is available at 172.31.0.5. |
| + | |||
| + | You can either be secondary and transfer the zonefile, or query this server. | ||
| + | |||
| + | |||
| + | = HowTo= | ||
| + | |||
| + | These are configuration example for multiple nameserver programs - choose the config for the one you are running. | ||
| + | |||
| + | == dnsmasq == | ||
| + | |||
| + | Add to /etc/dnsmasq.conf: | ||
| − | + | server=/hack/172.31.0.5 | |
| + | server=/31.172.in-addr.arpa/172.31.0.5 | ||
| + | server=/100.10.in-addr.arpa/172.31.0.5 | ||
| + | server=/101.10.in-addr.arpa/172.31.0.5 | ||
| + | server=/102.10.in-addr.arpa/172.31.0.5 | ||
| + | server=/103.10.in-addr.arpa/172.31.0.5 | ||
| + | server=/dn42/172.22.0.53 | ||
| + | server=/22.172.in-addr.arpa/172.22.0.53 | ||
| + | server=/23.172.in-addr.arpa/172.22.0.53 | ||
| − | + | == bind9 == | |
| − | + | Should-Do´s: | |
| − | + | in /etc/bind/named.conf (or for Debian in /etc/bind/named.conf.local): | |
| − | + | ||
| − | + | '''NOTE:''' bind9 in debian now attempts to use DNSSEC, which you need to disable in /etc/bind/named.conf.options. Change 'dnssec-validation auto;' to 'dnssec-validation no;' and the static-stub defs should work. | |
| + | |||
| + | === Bind 9.8+ using static-stub (preferred method, Debian Wheezy or newer) === | ||
| + | |||
| + | zone "hack" { | ||
| + | type static-stub; | ||
| + | server-addresses { 172.31.0.5; }; | ||
| + | }; | ||
| + | zone "dn42" { | ||
| + | type static-stub; | ||
| + | server-addresses { 172.22.0.53; }; | ||
| + | }; | ||
| + | zone "22.in-addr.arpa" { | ||
| + | type static-stub; | ||
| + | server-addresses { 172.22.0.53; }; | ||
| + | }; | ||
| + | zone "23.in-addr.arpa" { | ||
| + | type static-stub; | ||
| + | server-addresses { 172.22.0.53; }; | ||
| + | }; | ||
| + | zone "31.172.in-addr.arpa" { | ||
| + | type static-stub; | ||
| + | server-addresses { 172.31.0.5; }; | ||
| + | }; | ||
| + | zone "100.10.in-addr.arpa" { | ||
| + | type static-stub; | ||
| + | server-addresses { 172.31.0.5; }; | ||
| + | }; | ||
| + | zone "101.10.in-addr.arpa" { | ||
| + | type static-stub; | ||
| + | server-addresses { 172.31.0.5; }; | ||
| + | }; | ||
| + | zone "102.10.in-addr.arpa" { | ||
| + | type static-stub; | ||
| + | server-addresses { 172.31.0.5; }; | ||
| + | }; | ||
| + | zone "103.10.in-addr.arpa" { | ||
| + | type static-stub; | ||
| + | server-addresses { 172.31.0.5; }; | ||
| + | }; | ||
| + | |||
| + | === Bind as secondary === | ||
| + | |||
| + | zone "hack" { | ||
| + | type slave; | ||
| + | file "slave/slave.hack"; | ||
| + | masters { 172.31.0.5; }; | ||
| + | }; | ||
| + | |||
| + | === Old Bind as Forwarder === | ||
| + | |||
| + | zone "hack" { | ||
| + | type forward; | ||
| + | forwarders { 172.31.0.5; }; | ||
| + | }; | ||
| − | |||
| Line 47: | Line 123: | ||
forward-zone: | forward-zone: | ||
name: "dn42" | name: "dn42" | ||
| − | forward-addr: 172.22. | + | forward-addr: 172.22.0.53 |
| − | + | Make sure you allow private addresses to be returned (private-domain) and don't check signatures (DNSSEC, domain-insecure) for .hack and .dn42: | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | private-domain: "hack" | |
| − | + | domain-insecure: "hack" | |
| − | + | private-domain: "dn42" | |
| − | + | domain-insecure: "dn42" | |
| − | |||
| − | |||
== maradns == | == maradns == | ||
| Line 80: | Line 139: | ||
Where '''mycoolnode.hack''' is the domain name, '''212.12.52.216''' is the primary name server and '''db.domain.hack''' is the filename of the zonefile. | Where '''mycoolnode.hack''' is the domain name, '''212.12.52.216''' is the primary name server and '''db.domain.hack''' is the filename of the zonefile. | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | [[Category:ChaosVPN]] | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Revision as of 02:44, 5 April 2015
We have a DNS running.
Contents
how to get entries
Email chaosvpn-join@hamburg.ccc.de to get an entry under .hack or to get a reverse-lookup for your IP / range registered.
configs
The main zonefile atm is edited with vim on cvpn-dns.
This server is available at 172.31.0.5.
You can either be secondary and transfer the zonefile, or query this server.
HowTo
These are configuration example for multiple nameserver programs - choose the config for the one you are running.
dnsmasq
Add to /etc/dnsmasq.conf:
server=/hack/172.31.0.5 server=/31.172.in-addr.arpa/172.31.0.5 server=/100.10.in-addr.arpa/172.31.0.5 server=/101.10.in-addr.arpa/172.31.0.5 server=/102.10.in-addr.arpa/172.31.0.5 server=/103.10.in-addr.arpa/172.31.0.5 server=/dn42/172.22.0.53 server=/22.172.in-addr.arpa/172.22.0.53 server=/23.172.in-addr.arpa/172.22.0.53
bind9
Should-Do´s:
in /etc/bind/named.conf (or for Debian in /etc/bind/named.conf.local):
NOTE: bind9 in debian now attempts to use DNSSEC, which you need to disable in /etc/bind/named.conf.options. Change 'dnssec-validation auto;' to 'dnssec-validation no;' and the static-stub defs should work.
Bind 9.8+ using static-stub (preferred method, Debian Wheezy or newer)
zone "hack" {
type static-stub;
server-addresses { 172.31.0.5; };
};
zone "dn42" {
type static-stub;
server-addresses { 172.22.0.53; };
};
zone "22.in-addr.arpa" {
type static-stub;
server-addresses { 172.22.0.53; };
};
zone "23.in-addr.arpa" {
type static-stub;
server-addresses { 172.22.0.53; };
};
zone "31.172.in-addr.arpa" {
type static-stub;
server-addresses { 172.31.0.5; };
};
zone "100.10.in-addr.arpa" {
type static-stub;
server-addresses { 172.31.0.5; };
};
zone "101.10.in-addr.arpa" {
type static-stub;
server-addresses { 172.31.0.5; };
};
zone "102.10.in-addr.arpa" {
type static-stub;
server-addresses { 172.31.0.5; };
};
zone "103.10.in-addr.arpa" {
type static-stub;
server-addresses { 172.31.0.5; };
};
Bind as secondary
zone "hack" {
type slave;
file "slave/slave.hack";
masters { 172.31.0.5; };
};
Old Bind as Forwarder
zone "hack" {
type forward;
forwarders { 172.31.0.5; };
};
NSD + unbound
unbound and NSD were developed by NLnet Labs with focus on small footprints and reliability. While NSD is a complete name server software for authoritative zones only, they also provide unbound as caching and recursive resolver.
nsd
In /etc/nsd/nsd3.conf add at bottom:
zone:
name: "hack"
zonefile: "hack.zone"
allow-notify: 127.0.0.1 NOKEY
allow-notify: 172.31.0.5 NOKEY
request-xfr: 172.31.0.5 NOKEY
unbound
In /etc/unbound/unbound.conf add at bottom:
forward-zone: name: "hack" forward-addr: 172.31.0.5 forward-addr: 172.31.116.1 forward-zone: name: "dn42" forward-addr: 172.22.0.53
Make sure you allow private addresses to be returned (private-domain) and don't check signatures (DNSSEC, domain-insecure) for .hack and .dn42:
private-domain: "hack" domain-insecure: "hack" private-domain: "dn42" domain-insecure: "dn42"
maradns
maradns as secondary
getzone mycoolnode.hack 212.12.52.216 > /etc/maradns/db.domain.hack
Where mycoolnode.hack is the domain name, 212.12.52.216 is the primary name server and db.domain.hack is the filename of the zonefile.
