This wiki is an archive up to 2023. The current wiki can be found at https://wiki.hamburg.ccc.de/

ChaosVPN:DNS

From CCCHHWiki
Revision as of 20:06, 27 February 2016 by Haegar (talk | contribs) (pdns-recursor setup)

ChaosVPN has its own DNS: a name server that serves the .hack zone and the reverse zones for the ChaosVPN address ranges.

how to get entries

Email chaosvpn-join@hamburg.ccc.de to get an entry under .hack or to get a reverse-lookup for your IP / range registered.

configs

At the moment the main zonefile is edited by hand (with vim) on cvpn-dns.

This server is available at 172.31.0.5.

You can either run your own secondary that transfers the zonefile from this server, or forward queries for these zones to it.


HowTo

These are configuration examples for several name server programs; pick the one for the software you are running.

dnsmasq

Add to /etc/dnsmasq.conf:

server=/hack/172.31.0.5
server=/31.172.in-addr.arpa/172.31.0.5
server=/100.10.in-addr.arpa/172.31.0.5
server=/101.10.in-addr.arpa/172.31.0.5
server=/102.10.in-addr.arpa/172.31.0.5
server=/103.10.in-addr.arpa/172.31.0.5
server=/dn42/172.22.0.53
server=/22.172.in-addr.arpa/172.22.0.53
server=/23.172.in-addr.arpa/172.22.0.53

In some configurations, e.g. on OpenWrt, dnsmasq has rebind protection (stop-dns-rebind) enabled by default, which drops any upstream answer that contains a private (RFC 1918) address. Since every ChaosVPN and dn42 address is private, you need to exempt exactly the domains above instead of switching the protection off for everything. Add to /etc/dnsmasq.conf as well:

rebind-domain-ok=hack
rebind-domain-ok=31.172.in-addr.arpa
rebind-domain-ok=100.10.in-addr.arpa
rebind-domain-ok=101.10.in-addr.arpa
rebind-domain-ok=102.10.in-addr.arpa
rebind-domain-ok=103.10.in-addr.arpa
rebind-domain-ok=dn42
rebind-domain-ok=22.172.in-addr.arpa
rebind-domain-ok=23.172.in-addr.arpa

bind9

Should-dos:

In /etc/bind/named.conf (on Debian: /etc/bind/named.conf.local):

NOTE: bind9 on Debian now validates DNSSEC by default. Answers for .hack and .dn42 then fail validation, because the root zone is signed and contains no delegation for these TLDs, so the static-stub definitions below only work once you change 'dnssec-validation auto;' to 'dnssec-validation no;' in /etc/bind/named.conf.options. That turns validation off for every domain; on BIND 9.14 or newer you can instead keep 'dnssec-validation auto;' and exempt only these zones with 'validate-except { "hack"; "dn42"; };' (list the in-addr.arpa zones defined below there as well).

Bind 9.8+ using static-stub (preferred method, Debian Wheezy or newer)

zone "hack" {
  type static-stub;      
  server-addresses { 172.31.0.5; };      
};
zone "dn42" {
  type static-stub;
  server-addresses { 172.22.0.53; };
};
zone "22.172.in-addr.arpa" {
  type static-stub;
  server-addresses { 172.22.0.53; };
};
zone "23.172.in-addr.arpa" {
  type static-stub;
  server-addresses { 172.22.0.53; };
};
zone "31.172.in-addr.arpa" {
  type static-stub;      
  server-addresses { 172.31.0.5; };
};
zone "100.10.in-addr.arpa" {
  type static-stub;      
  server-addresses { 172.31.0.5; };
};
zone "101.10.in-addr.arpa" {
  type static-stub;      
  server-addresses { 172.31.0.5; };
};
zone "102.10.in-addr.arpa" {
  type static-stub;      
  server-addresses { 172.31.0.5; };
};
zone "103.10.in-addr.arpa" {
  type static-stub;      
  server-addresses { 172.31.0.5; };
};

Bind as secondary

 zone "hack" {
   type slave;
   file "slave/slave.hack";
   masters { 172.31.0.5; };
 };

Older Bind (without static-stub) as forwarder

 zone "hack" {
   type forward;
   forwarders { 172.31.0.5; };
 };


NSD + unbound

unbound and NSD are developed by NLnet Labs with a focus on a small footprint and reliability. NSD is an authoritative-only name server; unbound is the matching caching, recursive and validating resolver.

nsd

In /etc/nsd/nsd3.conf (NSD 3; NSD 4 reads /etc/nsd/nsd.conf) add at the bottom. NOKEY means that NOTIFYs from these addresses are accepted and the zone transfer is requested without a TSIG key, so the only authentication is the source address, which is acceptable inside the VPN:

 zone:
       name: "hack"
       zonefile: "hack.zone"
       allow-notify: 127.0.0.1 NOKEY
       allow-notify: 172.31.0.5 NOKEY
       request-xfr: 172.31.0.5 NOKEY



unbound

In /etc/unbound/unbound.conf add at the bottom (this forwards only the two forward zones; if you want reverse lookups, add forward-zone blocks of the same form for the in-addr.arpa zones listed in the dnsmasq section):

 forward-zone:
 	name: "hack"
 	forward-addr: 172.31.0.5
 	forward-addr: 172.31.116.1
 forward-zone:
 	name: "dn42"
 	forward-addr: 172.22.0.53

Make sure unbound is allowed to return private addresses for these names (private-domain, needed if you use private-address rebind protection) and does not try to validate them (domain-insecure, needed because the signed root zone contains no delegation for .hack and .dn42, so every answer would be treated as bogus). Both are server: options, so they go into the server: section of unbound.conf, not after the forward-zone: blocks:

 server:
 	private-domain: "hack"
 	domain-insecure: "hack"
 	private-domain: "dn42"
 	domain-insecure: "dn42"

maradns

maradns as secondary

 getzone mycoolnode.hack 212.12.52.216 > /etc/maradns/db.domain.hack

Where mycoolnode.hack is the zone name, 212.12.52.216 is the primary name server to transfer it from (for the ChaosVPN .hack zone that is 172.31.0.5, as given above) and db.domain.hack is the filename of the zonefile. getzone performs a single zone transfer (AXFR) and does not listen for NOTIFY, so re-run it periodically, e.g. from cron, to pick up changes.


pdns-recursor

Enable in /etc/powerdns/recursor.conf:

forward-zones-file=/etc/powerdns/forward-zones-file.conf

And create /etc/powerdns/forward-zones-file.conf with the following contents. The leading + puts a zone into forward-zones-recurse, i.e. queries are sent with the recursion-desired bit set; a line without + is treated as forward-zones and queried with RD cleared. Note that this file points .hack at 172.31.255.53 while the other resolver configurations on this page use 172.31.0.5, the address of the server described above:

+hack=172.31.255.53
+31.172.in-addr.arpa=172.31.0.5
+100.10.in-addr.arpa=172.31.0.5
+101.10.in-addr.arpa=172.31.0.5
+102.10.in-addr.arpa=172.31.0.5
+103.10.in-addr.arpa=172.31.0.5
+dn42=172.22.0.53
+22.172.in-addr.arpa=172.22.0.53
+23.172.in-addr.arpa=172.22.0.53
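
As an added example (not part of the original page or of the ChaosVPN project), the following Python script derives all of the per-resolver fragments above from one table of forward zones, prefixes and servers, computing the in-addr.arpa names from the prefixes so the reverse zones cannot drift apart between the dnsmasq, bind9, unbound and pdns-recursor sections. The table, the function names and the audit helper are assumptions of this example. audit() reports zone names in a hand-written config that the table does not produce, which is the check that catches a typo like "22.in-addr.arpa" (the reverse tree of the public 22.0.0.0/8) where "22.172.in-addr.arpa" was meant.

```python
"""Derive the ChaosVPN / dn42 forwarding config for several resolvers from one table."""
import ipaddress

# Constructed source of truth for this example (not a file ChaosVPN ships): forward zone,
# the prefixes whose reverse zones the same server answers, and that server. Zone names,
# prefixes and addresses are the ones given on this page.
FORWARDS = [
    ("hack", ["172.31.0.0/16", "10.100.0.0/16", "10.101.0.0/16",
              "10.102.0.0/16", "10.103.0.0/16"], "172.31.0.5"),
    ("dn42", ["172.22.0.0/16", "172.23.0.0/16"], "172.22.0.53"),
]


def reverse_zone(prefix):
    """in-addr.arpa zone for an octet-aligned IPv4 prefix (/8, /16 or /24)."""
    net = ipaddress.ip_network(prefix, strict=True)  # raises ValueError if host bits are set
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("%s does not map onto a single in-addr.arpa zone" % prefix)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def zone_table(forwards=FORWARDS):
    """Flatten the source table into ordered (zone, server) pairs."""
    table = []
    for name, prefixes, server in forwards:
        table.append((name, server))
        table.extend((reverse_zone(p), server) for p in prefixes)
    return table


def render_dnsmasq(table):
    lines = ["server=/%s/%s" % (z, s) for z, s in table]
    # rebind-domain-ok exempts exactly these zones from stop-dns-rebind instead of
    # switching the protection off for every domain
    lines += ["rebind-domain-ok=%s" % z for z, _ in table]
    return "\n".join(lines) + "\n"


def render_bind(table):
    """static-stub zone statements for named.conf.local."""
    return "".join(
        'zone "%s" {\n  type static-stub;\n  server-addresses { %s; };\n};\n' % (z, s)
        for z, s in table)


def render_bind_validate_except(table):
    """BIND 9.14+ options fragment: keep validation on, exempt only these zones."""
    return "validate-except { %s };\n" % " ".join('"%s";' % z for z, _ in table)


def render_unbound(table):
    # private-domain / domain-insecure are server: options and must sit in that section;
    # domain-insecure is required because the signed root has no delegation for .hack/.dn42.
    # private-domain only matters for answers carrying addresses (the forward zones) and is
    # harmless for the reverse zones.
    out = ["server:"]
    for z, _ in table:
        out += ['  private-domain: "%s"' % z, '  domain-insecure: "%s"' % z]
    for z, s in table:
        out += ["forward-zone:", '  name: "%s"' % z, "  forward-addr: %s" % s]
    return "\n".join(out) + "\n"


def render_pdns(table):
    # '+' puts the zone into forward-zones-recurse (queries sent with RD set)
    return "".join("+%s=%s\n" % (z, s) for z, s in table)


def audit(zone_names, forwards=FORWARDS):
    """Zone names found in a hand-written config that the table does not derive."""
    expected = {z for z, _ in zone_table(forwards)}
    return sorted(set(zone_names) - expected)


if __name__ == "__main__":
    table = zone_table()
    for render in (render_dnsmasq, render_bind, render_bind_validate_except,
                   render_unbound, render_pdns):
        print(render(table))
    # "22.in-addr.arpa" would hand reverse lookups for the public 22.0.0.0/8 to the dn42 server
    print("not derived from the table:",
          audit(["hack", "22.in-addr.arpa", "23.172.in-addr.arpa"]))
```

Keeping the prefixes rather than the reverse zone names as the source is deliberate: a reverse zone name is easy to mistype and hard to spot, while a wrong prefix is obvious, and strict=True refuses prefixes with host bits set so a /20 cannot silently be rendered as a /16 zone.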