Dieses Wiki ist ein Archiv bis 2023. Das aktuelle Wiki findet sich unter https://wiki.hamburg.ccc.de/
Difference between revisions of "ChaosVPN:DNS"
(→dnsmasq for OpenWRT) |
(add coredns) |
||
(30 intermediate revisions by 8 users not shown) | |||
Line 1: | Line 1: | ||
− | We have a DNS running. | + | [[ChaosVPN|Back]] |
+ | |||
+ | {{Template:ChaosVPNBanner}} | ||
+ | |||
+ | We have a DNS running (or not). | ||
+ | |||
+ | = how to get entries = | ||
+ | |||
+ | Email chaosvpn-join@hamburg.ccc.de to get an entry under .hack or to get a reverse-lookup for your IP / range registered. | ||
= configs = | = configs = | ||
Line 5: | Line 13: | ||
The main zonefile atm is edited with vim on cvpn-dns. | The main zonefile atm is edited with vim on cvpn-dns. | ||
− | This server is available at 172.31.0.5 or | + | This server is available at 172.31.0.5. |
+ | |||
+ | You can either be secondary and transfer the zonefile, or query this server. | ||
+ | |||
+ | But for queries it is better to use the anycasted IP 172.31.255.53, which is answered by more than one machine and should stay available in case of problem with the master. | ||
+ | |||
+ | = HowTo= | ||
+ | |||
+ | These are configuration example for multiple nameserver programs - choose the config for the one you are running. | ||
+ | |||
+ | == dnsmasq == | ||
− | + | Add to /etc/dnsmasq.conf: | |
− | + | server=/hack/172.31.255.53 | |
+ | server=/31.172.in-addr.arpa/172.31.255.53 | ||
+ | server=/100.10.in-addr.arpa/172.31.255.53 | ||
+ | server=/101.10.in-addr.arpa/172.31.255.53 | ||
+ | server=/102.10.in-addr.arpa/172.31.255.53 | ||
+ | server=/103.10.in-addr.arpa/172.31.255.53 | ||
+ | server=/dn42/172.23.0.53 | ||
+ | server=/20.172.in-addr.arpa/172.23.0.53 | ||
+ | server=/21.172.in-addr.arpa/172.23.0.53 | ||
+ | server=/22.172.in-addr.arpa/172.23.0.53 | ||
+ | server=/23.172.in-addr.arpa/172.23.0.53 | ||
− | + | In some configurations, i.E. in OpenWRT, dnsmasq has rebind protection enabled by default. It will be usefull to exclude the domains above. Add to /etc/dnsmasq.conf too: | |
− | + | rebind-domain-ok=hack | |
− | + | rebind-domain-ok=31.172.in-addr.arpa | |
− | + | rebind-domain-ok=100.10.in-addr.arpa | |
+ | rebind-domain-ok=101.10.in-addr.arpa | ||
+ | rebind-domain-ok=102.10.in-addr.arpa | ||
+ | rebind-domain-ok=103.10.in-addr.arpa | ||
+ | rebind-domain-ok=dn42 | ||
+ | rebind-domain-ok=20.172.in-addr.arpa | ||
+ | rebind-domain-ok=21.172.in-addr.arpa | ||
+ | rebind-domain-ok=22.172.in-addr.arpa | ||
+ | rebind-domain-ok=23.172.in-addr.arpa | ||
+ | |||
+ | == bind9 == | ||
+ | |||
+ | Should-Do´s: | ||
+ | |||
+ | in /etc/bind/named.conf (or for Debian in /etc/bind/named.conf.local): | ||
+ | |||
+ | '''NOTE:''' bind9 in debian now attempts to use DNSSEC, which you need to disable in /etc/bind/named.conf.options. Change 'dnssec-validation auto;' to 'dnssec-validation no;' and the static-stub defs should work. | ||
+ | |||
+ | === Bind 9.8+ using static-stub (preferred method, Debian Wheezy or newer) === | ||
+ | |||
+ | zone "hack" { | ||
+ | type static-stub; | ||
+ | server-addresses { 172.31.255.53; }; | ||
+ | }; | ||
+ | zone "dn42" { | ||
+ | type static-stub; | ||
+ | server-addresses { 172.23.0.53; }; | ||
+ | }; | ||
+ | zone "20.in-addr.arpa" { | ||
+ | type static-stub; | ||
+ | server-addresses { 172.23.0.53; }; | ||
+ | }; | ||
+ | zone "21.in-addr.arpa" { | ||
+ | type static-stub; | ||
+ | server-addresses { 172.23.0.53; }; | ||
+ | }; | ||
+ | zone "22.in-addr.arpa" { | ||
+ | type static-stub; | ||
+ | server-addresses { 172.23.0.53; }; | ||
+ | }; | ||
+ | zone "23.in-addr.arpa" { | ||
+ | type static-stub; | ||
+ | server-addresses { 172.23.0.53; }; | ||
+ | }; | ||
+ | zone "31.172.in-addr.arpa" { | ||
+ | type static-stub; | ||
+ | server-addresses { 172.31.255.53; }; | ||
+ | }; | ||
+ | zone "100.10.in-addr.arpa" { | ||
+ | type static-stub; | ||
+ | server-addresses { 172.31.255.53; }; | ||
+ | }; | ||
+ | zone "101.10.in-addr.arpa" { | ||
+ | type static-stub; | ||
+ | server-addresses { 172.31.255.53; }; | ||
+ | }; | ||
+ | zone "102.10.in-addr.arpa" { | ||
+ | type static-stub; | ||
+ | server-addresses { 172.31.255.53; }; | ||
+ | }; | ||
+ | zone "103.10.in-addr.arpa" { | ||
+ | type static-stub; | ||
+ | server-addresses { 172.31.255.53; }; | ||
+ | }; | ||
+ | |||
+ | === Bind as secondary === | ||
+ | |||
+ | zone "hack" { | ||
+ | type slave; | ||
+ | file "slave/slave.hack"; | ||
+ | masters { 172.31.0.5; }; | ||
+ | }; | ||
+ | |||
+ | === Old Bind as Forwarder === | ||
+ | |||
+ | zone "hack" { | ||
+ | type forward; | ||
+ | forwarders { 172.31.0.5; }; | ||
+ | }; | ||
− | |||
Line 43: | Line 148: | ||
forward-zone: | forward-zone: | ||
name: "hack" | name: "hack" | ||
− | forward-addr: 172.31. | + | forward-addr: 172.31.255.53 |
− | |||
forward-zone: | forward-zone: | ||
name: "dn42" | name: "dn42" | ||
− | forward-addr: 172. | + | forward-addr: 172.23.0.53 |
− | |||
+ | Make sure you allow private addresses to be returned (private-domain) and don't check signatures (DNSSEC, domain-insecure) for .hack and .dn42: | ||
− | + | private-domain: "hack" | |
+ | domain-insecure: "hack" | ||
+ | private-domain: "dn42" | ||
+ | domain-insecure: "dn42" | ||
− | + | == maradns == | |
− | + | === maradns as secondary === | |
− | |||
− | === | ||
− | + | getzone mycoolnode.hack 212.12.52.216 > /etc/maradns/db.domain.hack | |
− | |||
− | |||
− | |||
− | |||
− | + | Where '''mycoolnode.hack''' is the domain name, '''212.12.52.216''' is the primary name server and '''db.domain.hack''' is the filename of the zonefile. | |
− | |||
− | |||
− | |||
− | |||
− | == | + | == pdns-recursor == |
− | + | Enable in /etc/powerdns/recursor.conf: | |
− | + | forward-zones-file=/etc/powerdns/forward-zones-file.conf | |
− | + | And create /etc/powerdns/forward-zones-file.conf with the following contents: | |
+ | +hack=172.31.255.53 | ||
+ | +31.172.in-addr.arpa=172.31.255.53 | ||
+ | +100.10.in-addr.arpa=172.31.255.53 | ||
+ | +101.10.in-addr.arpa=172.31.255.53 | ||
+ | +102.10.in-addr.arpa=172.31.255.53 | ||
+ | +103.10.in-addr.arpa=172.31.255.53 | ||
+ | +dn42=172.23.0.53 | ||
+ | +20.172.in-addr.arpa=172.23.0.53 | ||
+ | +21.172.in-addr.arpa=172.23.0.53 | ||
+ | +22.172.in-addr.arpa=172.23.0.53 | ||
+ | +23.172.in-addr.arpa=172.23.0.53 | ||
− | == | + | == Coredns == |
− | |||
− | + | Edit your Corefile and add: | |
− | + | hack., 31.172.in-addr.arpa., 100.10.in-addr.arpa., 101.10.in-addr.arpa., 102.10.in-addr.arpa., 103.10.in-addr.arpa. { | |
− | + | loop | |
+ | forward . 172.31.255.53:53 | ||
+ | } | ||
− | + | dn42., 20.172.in-addr.arpa., 21.172.in-addr.arpa., 22.172.in-addr.arpa., 23.172.in-addr.arpa., d.f.ip6.arpa. { | |
− | + | loop | |
− | + | forward . 172.20.0.53:53 | |
− | + | } | |
− | |||
− | |||
− | + | If you want to reduce the load on the servers or save unnecessary traffic, you can enable caching. You can do this by adding "cache" under loop. | |
− | |||
− | + | [[Category:ChaosVPN]] | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− |
Latest revision as of 07:58, 21 October 2022
Note:
ChaosVPN is a VPN to connect Hackers and Hackerspaces - it does NOT provide anonymous internet access!
For this look at tor or other similar services.
It will also not help you to reach domains like .rdos, .lll, .clos or any other strange things supposed to be available on the "dark web".
Alternative: If you prefer BGP, you can also connect via https://dn42.net/, we are interconnected.
We have a DNS running (or not).
Contents
how to get entries
Email chaosvpn-join@hamburg.ccc.de to get an entry under .hack or to get a reverse-lookup for your IP / range registered.
configs
The main zonefile atm is edited with vim on cvpn-dns.
This server is available at 172.31.0.5.
You can either be secondary and transfer the zonefile, or query this server.
But for queries it is better to use the anycasted IP 172.31.255.53, which is answered by more than one machine and should stay available in case of problem with the master.
HowTo
These are configuration example for multiple nameserver programs - choose the config for the one you are running.
dnsmasq
Add to /etc/dnsmasq.conf:
server=/hack/172.31.255.53 server=/31.172.in-addr.arpa/172.31.255.53 server=/100.10.in-addr.arpa/172.31.255.53 server=/101.10.in-addr.arpa/172.31.255.53 server=/102.10.in-addr.arpa/172.31.255.53 server=/103.10.in-addr.arpa/172.31.255.53 server=/dn42/172.23.0.53 server=/20.172.in-addr.arpa/172.23.0.53 server=/21.172.in-addr.arpa/172.23.0.53 server=/22.172.in-addr.arpa/172.23.0.53 server=/23.172.in-addr.arpa/172.23.0.53
In some configurations, i.E. in OpenWRT, dnsmasq has rebind protection enabled by default. It will be usefull to exclude the domains above. Add to /etc/dnsmasq.conf too:
rebind-domain-ok=hack rebind-domain-ok=31.172.in-addr.arpa rebind-domain-ok=100.10.in-addr.arpa rebind-domain-ok=101.10.in-addr.arpa rebind-domain-ok=102.10.in-addr.arpa rebind-domain-ok=103.10.in-addr.arpa rebind-domain-ok=dn42 rebind-domain-ok=20.172.in-addr.arpa rebind-domain-ok=21.172.in-addr.arpa rebind-domain-ok=22.172.in-addr.arpa rebind-domain-ok=23.172.in-addr.arpa
bind9
Should-Do´s:
in /etc/bind/named.conf (or for Debian in /etc/bind/named.conf.local):
NOTE: bind9 in debian now attempts to use DNSSEC, which you need to disable in /etc/bind/named.conf.options. Change 'dnssec-validation auto;' to 'dnssec-validation no;' and the static-stub defs should work.
Bind 9.8+ using static-stub (preferred method, Debian Wheezy or newer)
zone "hack" { type static-stub; server-addresses { 172.31.255.53; }; }; zone "dn42" { type static-stub; server-addresses { 172.23.0.53; }; }; zone "20.in-addr.arpa" { type static-stub; server-addresses { 172.23.0.53; }; }; zone "21.in-addr.arpa" { type static-stub; server-addresses { 172.23.0.53; }; }; zone "22.in-addr.arpa" { type static-stub; server-addresses { 172.23.0.53; }; }; zone "23.in-addr.arpa" { type static-stub; server-addresses { 172.23.0.53; }; }; zone "31.172.in-addr.arpa" { type static-stub; server-addresses { 172.31.255.53; }; }; zone "100.10.in-addr.arpa" { type static-stub; server-addresses { 172.31.255.53; }; }; zone "101.10.in-addr.arpa" { type static-stub; server-addresses { 172.31.255.53; }; }; zone "102.10.in-addr.arpa" { type static-stub; server-addresses { 172.31.255.53; }; }; zone "103.10.in-addr.arpa" { type static-stub; server-addresses { 172.31.255.53; }; };
Bind as secondary
zone "hack" { type slave; file "slave/slave.hack"; masters { 172.31.0.5; }; };
Old Bind as Forwarder
zone "hack" { type forward; forwarders { 172.31.0.5; }; };
NSD + unbound
unbound and NSD were developed by NLnet Labs with focus on small footprints and reliability. While NSD is a complete name server software for authoritative zones only, they also provide unbound as caching and recursive resolver.
nsd
In /etc/nsd/nsd3.conf add at bottom:
zone: name: "hack" zonefile: "hack.zone" allow-notify: 127.0.0.1 NOKEY allow-notify: 172.31.0.5 NOKEY request-xfr: 172.31.0.5 NOKEY
unbound
In /etc/unbound/unbound.conf add at bottom:
forward-zone: name: "hack" forward-addr: 172.31.255.53 forward-zone: name: "dn42" forward-addr: 172.23.0.53
Make sure you allow private addresses to be returned (private-domain) and don't check signatures (DNSSEC, domain-insecure) for .hack and .dn42:
private-domain: "hack" domain-insecure: "hack" private-domain: "dn42" domain-insecure: "dn42"
maradns
maradns as secondary
getzone mycoolnode.hack 212.12.52.216 > /etc/maradns/db.domain.hack
Where mycoolnode.hack is the domain name, 212.12.52.216 is the primary name server and db.domain.hack is the filename of the zonefile.
pdns-recursor
Enable in /etc/powerdns/recursor.conf:
forward-zones-file=/etc/powerdns/forward-zones-file.conf
And create /etc/powerdns/forward-zones-file.conf with the following contents:
+hack=172.31.255.53 +31.172.in-addr.arpa=172.31.255.53 +100.10.in-addr.arpa=172.31.255.53 +101.10.in-addr.arpa=172.31.255.53 +102.10.in-addr.arpa=172.31.255.53 +103.10.in-addr.arpa=172.31.255.53 +dn42=172.23.0.53 +20.172.in-addr.arpa=172.23.0.53 +21.172.in-addr.arpa=172.23.0.53 +22.172.in-addr.arpa=172.23.0.53 +23.172.in-addr.arpa=172.23.0.53
Coredns
Edit your Corefile and add:
hack., 31.172.in-addr.arpa., 100.10.in-addr.arpa., 101.10.in-addr.arpa., 102.10.in-addr.arpa., 103.10.in-addr.arpa. { loop forward . 172.31.255.53:53 } dn42., 20.172.in-addr.arpa., 21.172.in-addr.arpa., 22.172.in-addr.arpa., 23.172.in-addr.arpa., d.f.ip6.arpa. { loop forward . 172.20.0.53:53 }
If you want to reduce the load on the servers or save unnecessary traffic, you can enable caching. You can do this by adding "cache" under loop.