ChaosVPN:DNS

From CCCHHWiki
Latest revision as of 11:54, 26 April 2021

Note:
ChaosVPN is a VPN to connect Hackers and Hackerspaces - it does NOT provide anonymous internet access!
For this look at tor or other similar services.

It will also not help you to reach domains like .rdos, .lll, .clos or any other strange things supposed to be available on the "dark web".

Alternative: If you prefer BGP, you can also connect via https://dn42.net/, we are interconnected.

We have a DNS running (or not).

how to get entries

Email chaosvpn-join@hamburg.ccc.de to get an entry under .hack or to get a reverse-lookup for your IP / range registered.

configs

The main zonefile is at the moment edited by hand with vim on cvpn-dns.

This server is available at 172.31.0.5.

You can either be a secondary and transfer the zonefile, or query this server directly.

For queries it is better to use the anycast address 172.31.255.53, which is answered by more than one machine and should stay available if the master has a problem.

HowTo

These are configuration examples for several nameserver programs; pick the one for the software you are running.

dnsmasq

Add to /etc/dnsmasq.conf:

server=/hack/172.31.255.53
server=/31.172.in-addr.arpa/172.31.255.53
server=/100.10.in-addr.arpa/172.31.255.53
server=/101.10.in-addr.arpa/172.31.255.53
server=/102.10.in-addr.arpa/172.31.255.53
server=/103.10.in-addr.arpa/172.31.255.53
server=/dn42/172.23.0.53
server=/20.172.in-addr.arpa/172.23.0.53
server=/21.172.in-addr.arpa/172.23.0.53
server=/22.172.in-addr.arpa/172.23.0.53
server=/23.172.in-addr.arpa/172.23.0.53

In some setups, e.g. OpenWrt, dnsmasq has DNS rebind protection (stop-dns-rebind) enabled by default. It then drops upstream answers that point into private address space, which is exactly what .hack and .dn42 names resolve to, so these zones have to be exempted. Keep the exemption limited to the zones below rather than switching rebind protection off; everything else stays protected. Add to /etc/dnsmasq.conf as well:

rebind-domain-ok=hack
rebind-domain-ok=31.172.in-addr.arpa
rebind-domain-ok=100.10.in-addr.arpa
rebind-domain-ok=101.10.in-addr.arpa
rebind-domain-ok=102.10.in-addr.arpa
rebind-domain-ok=103.10.in-addr.arpa
rebind-domain-ok=dn42
rebind-domain-ok=20.172.in-addr.arpa
rebind-domain-ok=21.172.in-addr.arpa
rebind-domain-ok=22.172.in-addr.arpa
rebind-domain-ok=23.172.in-addr.arpa
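The decision behind stop-dns-rebind and rebind-domain-ok, re-implemented here as an added example (this is not dnsmasq's code, and the private-range list is an assumption that mirrors but may differ in detail from dnsmasq's own). It shows why a .hack answer is withheld until the zone is whitelisted, and that a rebinding attempt against the LAN from an unrelated domain is still blocked afterwards. The sample answers are constructed.

```python
"""dnsmasq-style DNS rebind filtering (added example, not dnsmasq code)."""
import ipaddress

# Address ranges treated as private for the rebind check. Assumption: close to
# the ranges dnsmasq covers (RFC 1918, loopback, link-local, 0/8, ULA), not
# copied from dnsmasq.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_private(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_NETS)


def under_domain(qname, domain):
    """True if qname equals domain or is below it (case-insensitive, dot-aware)."""
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def rebind_blocked(qname, addresses, rebind_domain_ok=()):
    """Would a resolver with stop-dns-rebind withhold this A/AAAA answer?

    Whitelisted zones are passed through unchanged; for everything else a
    single private address in the answer is enough to block it.
    """
    if any(under_domain(qname, d) for d in rebind_domain_ok):
        return False
    return any(is_private(a) for a in addresses)


def filter_answers(answers, rebind_domain_ok=()):
    """Apply the check to a batch: {qname: 'ok' | 'blocked'}."""
    return {q: "blocked" if rebind_blocked(q, addrs, rebind_domain_ok) else "ok"
            for q, addrs in answers.items()}


# The forward names from the page's rebind-domain-ok list; only these matter
# for A/AAAA answers, which is what the rebind check looks at.
REBIND_DOMAIN_OK = ("hack", "dn42")

# Constructed answers; the .hack and example.* records are made up.
SAMPLE = {
    "wiki.hack": ["172.31.116.23"],                 # legitimate ChaosVPN host
    "ns1.dn42": ["172.23.0.53"],
    "www.example.net": ["198.51.100.7"],            # ordinary public answer
    "attacker.example.org": ["10.0.0.1"],           # rebinding attempt at the LAN
    "mixed.example.org": ["198.51.100.9", "192.168.1.1"],
}

if __name__ == "__main__":
    for label, allow in (("default", ()), ("with rebind-domain-ok", REBIND_DOMAIN_OK)):
        print(label, filter_answers(SAMPLE, allow))
```

Without the whitelist every .hack and .dn42 answer is lost; with it the VPN names work and attacker.example.org pointing at 10.0.0.1 is still blocked, which is the property the exemption list is meant to preserve.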

bind9

Put the zone definitions in /etc/bind/named.conf (or, on Debian, in /etc/bind/named.conf.local).

NOTE: bind9 on Debian now validates DNSSEC by default. Neither hack nor dn42 is delegated from the root zone, and the root's signed denial of existence proves that, so a validating resolver treats the unsigned answers from the static-stub servers as bogus and the lookups fail. The quick fix is to change 'dnssec-validation auto;' to 'dnssec-validation no;' in /etc/bind/named.conf.options, after which the static-stub definitions work, but that switches validation off for every domain. On BIND 9.16 and newer keep validation on and exempt only these names instead, in the options block: validate-except { "hack"; "dn42"; };

Bind 9.8+ using static-stub (preferred method, Debian Wheezy or newer)

zone "hack" {
  type static-stub;      
  server-addresses { 172.31.255.53; };
};
zone "dn42" {
  type static-stub;
  server-addresses { 172.23.0.53; };
};
// dn42 uses 172.20.0.0/14, i.e. the four /16 reverse zones below. A bare
// 20.in-addr.arpa would send reverse lookups for the public 20.0.0.0/8 to dn42.
zone "20.172.in-addr.arpa" {
  type static-stub;
  server-addresses { 172.23.0.53; };
};
zone "21.172.in-addr.arpa" {
  type static-stub;
  server-addresses { 172.23.0.53; };
};
zone "22.172.in-addr.arpa" {
  type static-stub;
  server-addresses { 172.23.0.53; };
};
zone "23.172.in-addr.arpa" {
  type static-stub;
  server-addresses { 172.23.0.53; };
};
zone "31.172.in-addr.arpa" {
  type static-stub;      
  server-addresses { 172.31.255.53; };
};
zone "100.10.in-addr.arpa" {
  type static-stub;      
  server-addresses { 172.31.255.53; };
};
zone "101.10.in-addr.arpa" {
  type static-stub;      
  server-addresses { 172.31.255.53; };
};
zone "102.10.in-addr.arpa" {
  type static-stub;      
  server-addresses { 172.31.255.53; };
};
zone "103.10.in-addr.arpa" {
  type static-stub;      
  server-addresses { 172.31.255.53; };
};

Bind as secondary

 zone "hack" {
   type slave;
   file "slave/slave.hack";
   masters { 172.31.0.5; };
 };

Old Bind as Forwarder

 zone "hack" {
   type forward;
   forwarders { 172.31.0.5; };
 };


NSD + unbound

unbound and NSD were developed by NLnet Labs with a focus on a small footprint and reliability. NSD is an authoritative-only name server; unbound is the matching caching, recursive (and DNSSEC-validating) resolver.

nsd

In /etc/nsd/nsd3.conf (NSD 3; NSD 4 reads /etc/nsd/nsd.conf instead, with the same zone: syntax) add at the bottom:

 zone:
       name: "hack"
       zonefile: "hack.zone"
       allow-notify: 127.0.0.1 NOKEY
       allow-notify: 172.31.0.5 NOKEY
       request-xfr: 172.31.0.5 NOKEY

NOKEY means the NOTIFY and the zone transfer are accepted from those addresses without a TSIG key, so the only protection is that 172.31.0.5 is reached through the VPN and that no other address is listed.

unbound

In /etc/unbound/unbound.conf add at bottom:

 forward-zone:
 	name: "hack"
 	forward-addr: 172.31.255.53
 forward-zone:
 	name: "dn42"
 	forward-addr: 172.23.0.53

Both forward-zone stanzas need matching entries in the server: section: private-domain lets unbound hand out private (RFC 1918) addresses for these names, and domain-insecure stops it from trying to DNSSEC-validate them (neither .hack nor .dn42 is signed or delegated from the root):

 	private-domain: "hack"
 	domain-insecure: "hack"
 	private-domain: "dn42"
 	domain-insecure: "dn42"

If you also forward the reverse zones (31.172.in-addr.arpa, 100.10.in-addr.arpa and so on) the way the dnsmasq and bind examples do, remember that unbound answers the RFC 1918 reverse zones from built-in local zones with NXDOMAIN by default; switch that off per zone with local-zone: "31.172.in-addr.arpa." nodefault or the forward-zone never gets asked.

maradns

maradns as secondary

 getzone mycoolnode.hack 212.12.52.216 > /etc/maradns/db.domain.hack

Where mycoolnode.hack is the domain name, 212.12.52.216 is the primary name server and db.domain.hack is the filename of the zonefile.


pdns-recursor

Enable in /etc/powerdns/recursor.conf (if you run the recursor with dnssec=validate, or clients ask for validation, these unsigned zones fail for the same reason as with bind; add negative trust anchors for hack and dn42 with addNTA() in the lua-config-file rather than turning DNSSEC off):

forward-zones-file=/etc/powerdns/forward-zones-file.conf

And create /etc/powerdns/forward-zones-file.conf with the following contents:

+hack=172.31.255.53
+31.172.in-addr.arpa=172.31.255.53
+100.10.in-addr.arpa=172.31.255.53
+101.10.in-addr.arpa=172.31.255.53
+102.10.in-addr.arpa=172.31.255.53
+103.10.in-addr.arpa=172.31.255.53
+dn42=172.23.0.53
+20.172.in-addr.arpa=172.23.0.53
+21.172.in-addr.arpa=172.23.0.53
+22.172.in-addr.arpa=172.23.0.53
+23.172.in-addr.arpa=172.23.0.53
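The four configurations above list the same zones in four syntaxes. The generator below is an added example (not code from the ChaosVPN project or this page) that derives the reverse zone names from the address prefixes and emits all four formats from one table, so the lists cannot drift apart; it also shows why 172.20.0.0/14 has to become four /16 reverse zones. The prefix table is an assumption reconstructed from the zone names on this page; the resolver addresses are the ones the page gives.

```python
"""Build the .hack / dn42 forwarder stanzas from one prefix table.

Added example, not code from the ChaosVPN project or the wiki page.
"""
import ipaddress
import re

# Constructed from the zone lists on this page: name -> (resolver, prefixes).
FORWARDS = {
    "hack": ("172.31.255.53", ["172.31.0.0/16", "10.100.0.0/16", "10.101.0.0/16",
                               "10.102.0.0/16", "10.103.0.0/16"]),
    "dn42": ("172.23.0.53", ["172.20.0.0/14"]),
}


def reverse_zones(cidr):
    """in-addr.arpa zones covering an IPv4 prefix, split on octet boundaries.

    Reverse zones exist per octet, so a /14 cannot be one zone: 172.20.0.0/14
    becomes 20.172, 21.172, 22.172 and 23.172.in-addr.arpa. Writing it as
    20.in-addr.arpa would instead capture the public 20.0.0.0/8.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    sizes = [b for b in (8, 16, 24) if b >= net.prefixlen]
    if not sizes:
        raise ValueError(f"{cidr}: prefixes longer than /24 have no octet zone")
    bits = sizes[0]
    subs = [net] if bits == net.prefixlen else list(net.subnets(new_prefix=bits))
    zones = []
    for sub in subs:
        octets = str(sub.network_address).split(".")[: bits // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def zone_table():
    """(zone, resolver) pairs: each forward name followed by its reverse zones."""
    for name, (server, prefixes) in FORWARDS.items():
        yield name, server
        for cidr in prefixes:
            for zone in reverse_zones(cidr):
                yield zone, server


def dnsmasq_conf():
    table = list(zone_table())
    lines = [f"server=/{z}/{s}" for z, s in table]
    # Required where stop-dns-rebind is on (OpenWrt default); without it the
    # private addresses these zones return are discarded as rebinding attempts.
    lines += [f"rebind-domain-ok={z}" for z, _ in table]
    return "\n".join(lines)


def bind_conf():
    return "\n".join(
        f'zone "{z}" {{\n  type static-stub;\n  server-addresses {{ {s}; }};\n}};'
        for z, s in zone_table())


def pdns_conf():
    # '+' makes the recursor send recursive queries to the listed resolver.
    return "\n".join(f"+{z}={s}" for z, s in zone_table())


# unbound serves the RFC 1918 reverse zones from built-in local zones (NXDOMAIN)
# unless they are declared nodefault; 10.in-addr.arpa covers all of 10/8.
_UNBOUND_BUILTIN = re.compile(r"^(10|(1[6-9]|2\d|3[01])\.172|168\.192)\.in-addr\.arpa$")


def unbound_conf():
    table = list(zone_table())
    out = ["server:"]
    for name in FORWARDS:
        out.append(f'\tprivate-domain: "{name}"')   # allow private A/AAAA answers
    for z, _ in table:
        out.append(f'\tdomain-insecure: "{z}"')      # no DNSSEC chain exists
    builtin = []
    for z, _ in table:
        parent = "10.in-addr.arpa" if z.endswith(".10.in-addr.arpa") else z
        if _UNBOUND_BUILTIN.match(parent) and parent not in builtin:
            builtin.append(parent)
            out.append(f'\tlocal-zone: "{parent}." nodefault')
    for z, s in table:
        out += ["forward-zone:", f'\tname: "{z}"', f'\tforward-addr: {s}']
    return "\n".join(out)


if __name__ == "__main__":
    for title, make in (("dnsmasq", dnsmasq_conf), ("unbound", unbound_conf),
                        ("bind", bind_conf), ("pdns-recursor", pdns_conf)):
        print(f"# --- {title} ---\n{make()}\n")
```

Running it prints the four fragments; the pdns-recursor output is line for line the list above, and the unbound output additionally carries the nodefault lines that the built-in RFC 1918 reverse zones require. Note that nodefault for 10.in-addr.arpa disables unbound's built-in NXDOMAIN for all of 10/8, not only for the four forwarded /16s.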