Dieses Wiki ist ein Archiv bis 2023. Das aktuelle Wiki findet sich unter https://wiki.hamburg.ccc.de/
Difference between revisions of "ChaosVPN:DNS"
(→dnsmasq: hint rebind protection) |
(pdns-recursor setup) |
||
Line 150: | Line 150: | ||
Where '''mycoolnode.hack''' is the domain name, '''212.12.52.216''' is the primary name server and '''db.domain.hack''' is the filename of the zonefile. | Where '''mycoolnode.hack''' is the domain name, '''212.12.52.216''' is the primary name server and '''db.domain.hack''' is the filename of the zonefile. | ||
+ | |||
+ | |||
+ | == pdns-recursor == | ||
+ | |||
+ | Enable in /etc/powerdns/recursor.conf: | ||
+ | |||
+ | forward-zones-file=/etc/powerdns/forward-zones-file.conf | ||
+ | |||
+ | And create /etc/powerdns/forward-zones-file.conf with the following contents: | ||
+ | |||
+ | +hack=172.31.255.53 | ||
+ | +31.172.in-addr.arpa=172.31.0.5 | ||
+ | +100.10.in-addr.arpa=172.31.0.5 | ||
+ | +101.10.in-addr.arpa=172.31.0.5 | ||
+ | +102.10.in-addr.arpa=172.31.0.5 | ||
+ | +103.10.in-addr.arpa=172.31.0.5 | ||
+ | +dn42=172.22.0.53 | ||
+ | +22.172.in-addr.arpa=172.22.0.53 | ||
+ | +23.172.in-addr.arpa=172.22.0.53 | ||
[[Category:ChaosVPN]] | [[Category:ChaosVPN]] |
Revision as of 19:06, 27 February 2016
We have a DNS running.
Contents
how to get entries
Email chaosvpn-join@hamburg.ccc.de to get an entry under .hack or to get a reverse-lookup for your IP / range registered.
configs
The main zonefile atm is edited with vim on cvpn-dns.
This server is available at 172.31.0.5.
You can either be secondary and transfer the zonefile, or query this server.
HowTo
These are configuration example for multiple nameserver programs - choose the config for the one you are running.
dnsmasq
Add to /etc/dnsmasq.conf:
server=/hack/172.31.0.5 server=/31.172.in-addr.arpa/172.31.0.5 server=/100.10.in-addr.arpa/172.31.0.5 server=/101.10.in-addr.arpa/172.31.0.5 server=/102.10.in-addr.arpa/172.31.0.5 server=/103.10.in-addr.arpa/172.31.0.5 server=/dn42/172.22.0.53 server=/22.172.in-addr.arpa/172.22.0.53 server=/23.172.in-addr.arpa/172.22.0.53
In some configurations, i.E. in OpenWRT, dnsmasq has rebind protection enabled by default. It will be usefull to exclude the domains above. Add to /etc/dnsmasq.conf too:
rebind-domain-ok=hack rebind-domain-ok=31.172.in-addr.arpa rebind-domain-ok=100.10.in-addr.arpa rebind-domain-ok=101.10.in-addr.arpa rebind-domain-ok=102.10.in-addr.arpa rebind-domain-ok=103.10.in-addr.arpa rebind-domain-ok=dn42 rebind-domain-ok=22.172.in-addr.arpa rebind-domain-ok=23.172.in-addr.arpa
bind9
Should-Do´s:
in /etc/bind/named.conf (or for Debian in /etc/bind/named.conf.local):
NOTE: bind9 in debian now attempts to use DNSSEC, which you need to disable in /etc/bind/named.conf.options. Change 'dnssec-validation auto;' to 'dnssec-validation no;' and the static-stub defs should work.
Bind 9.8+ using static-stub (preferred method, Debian Wheezy or newer)
zone "hack" { type static-stub; server-addresses { 172.31.0.5; }; }; zone "dn42" { type static-stub; server-addresses { 172.22.0.53; }; }; zone "22.in-addr.arpa" { type static-stub; server-addresses { 172.22.0.53; }; }; zone "23.in-addr.arpa" { type static-stub; server-addresses { 172.22.0.53; }; }; zone "31.172.in-addr.arpa" { type static-stub; server-addresses { 172.31.0.5; }; }; zone "100.10.in-addr.arpa" { type static-stub; server-addresses { 172.31.0.5; }; }; zone "101.10.in-addr.arpa" { type static-stub; server-addresses { 172.31.0.5; }; }; zone "102.10.in-addr.arpa" { type static-stub; server-addresses { 172.31.0.5; }; }; zone "103.10.in-addr.arpa" { type static-stub; server-addresses { 172.31.0.5; }; };
Bind as secondary
zone "hack" { type slave; file "slave/slave.hack"; masters { 172.31.0.5; }; };
Old Bind as Forwarder
zone "hack" { type forward; forwarders { 172.31.0.5; }; };
NSD + unbound
unbound and NSD were developed by NLnet Labs with focus on small footprints and reliability. While NSD is a complete name server software for authoritative zones only, they also provide unbound as caching and recursive resolver.
nsd
In /etc/nsd/nsd3.conf add at bottom:
zone: name: "hack" zonefile: "hack.zone" allow-notify: 127.0.0.1 NOKEY allow-notify: 172.31.0.5 NOKEY request-xfr: 172.31.0.5 NOKEY
unbound
In /etc/unbound/unbound.conf add at bottom:
forward-zone: name: "hack" forward-addr: 172.31.0.5 forward-addr: 172.31.116.1 forward-zone: name: "dn42" forward-addr: 172.22.0.53
Make sure you allow private addresses to be returned (private-domain) and don't check signatures (DNSSEC, domain-insecure) for .hack and .dn42:
private-domain: "hack" domain-insecure: "hack" private-domain: "dn42" domain-insecure: "dn42"
maradns
maradns as secondary
getzone mycoolnode.hack 212.12.52.216 > /etc/maradns/db.domain.hack
Where mycoolnode.hack is the domain name, 212.12.52.216 is the primary name server and db.domain.hack is the filename of the zonefile.
pdns-recursor
Enable in /etc/powerdns/recursor.conf:
forward-zones-file=/etc/powerdns/forward-zones-file.conf
And create /etc/powerdns/forward-zones-file.conf with the following contents:
+hack=172.31.255.53 +31.172.in-addr.arpa=172.31.0.5 +100.10.in-addr.arpa=172.31.0.5 +101.10.in-addr.arpa=172.31.0.5 +102.10.in-addr.arpa=172.31.0.5 +103.10.in-addr.arpa=172.31.0.5 +dn42=172.22.0.53 +22.172.in-addr.arpa=172.22.0.53 +23.172.in-addr.arpa=172.22.0.53