Difference between revisions of "ChaosVPN:DNS"

From CCCHHWiki
Jump to: navigation, search
m (Server is down.)
m (Reverted edits by Tokachu (talk) to last revision by Haegar)
Line 1: Line 1:
 
We have a DNS running.
 
We have a DNS running.
 +
 +
= how to get entries =
 +
 +
Email chaosvpn-join@hamburg.ccc.de to get an entry under .hack or to get a reverse-lookup for your IP / range registered.
  
 
= configs =
 
= configs =
Line 5: Line 9:
 
The main zonefile atm is edited with vim on cvpn-dns.
 
The main zonefile atm is edited with vim on cvpn-dns.
  
This server is available at 172.31.0.5 or 212.12.52.216.  
+
This server is available at 172.31.0.5.
 +
 
 +
You can either be secondary and transfer the zonefile, or query this server.
 +
 
 +
 
 +
= HowTo=
 +
 
 +
These are configuration example for multiple nameserver programs - choose the config for the one you are running.
 +
 
 +
== dnsmasq ==
 +
 
 +
Add to /etc/dnsmasq.conf:
  
You can either be secondary and transfer the zonefile or query this server.
+
server=/hack/172.31.0.5
 +
server=/31.172.in-addr.arpa/172.31.0.5
 +
server=/100.10.in-addr.arpa/172.31.0.5
 +
server=/101.10.in-addr.arpa/172.31.0.5
 +
server=/102.10.in-addr.arpa/172.31.0.5
 +
server=/103.10.in-addr.arpa/172.31.0.5
 +
server=/dn42/172.22.0.53
 +
server=/22.172.in-addr.arpa/172.22.0.53
 +
server=/23.172.in-addr.arpa/172.22.0.53
  
If you are a secondary you need to add your server here so it can be included in the zonefile.
+
== bind9 ==
  
= secondarys =
+
Should-Do´s:
  
* ns.sliepen.hack (172.31.116.1)
+
in /etc/bind/named.conf (or for Debian in /etc/bind/named.conf.local):
* ns1.syn2cat.hack (195.24.78.86 and 2a01:608:ccc::ccc)
+
 
* ns1.crest.dn42 (172.22.228.6) with 1Mbit/s upstream, ns2.crest.dn42 (172.22.228.85) and ns3.crest.dn42 (172.22.228.84) with 100Mbit/s upstream
+
'''NOTE:''' bind9 in debian now attempts to use DNSSEC, which you need to disable in /etc/bind/named.conf.options. Change 'dnssec-validation auto;' to 'dnssec-validation no;' and the static-stub defs should work.
 +
 
 +
=== Bind 9.8+ using static-stub (preferred method, Debian Wheezy or newer) ===
 +
 
 +
zone "hack" {
 +
  type static-stub;     
 +
  server-addresses { 172.31.0.5; };     
 +
};
 +
zone "dn42" {
 +
  type static-stub;
 +
  server-addresses { 172.22.0.53; };
 +
};
 +
zone "22.in-addr.arpa" {
 +
  type static-stub;
 +
  server-addresses { 172.22.0.53; };
 +
};
 +
zone "23.in-addr.arpa" {
 +
  type static-stub;
 +
  server-addresses { 172.22.0.53; };
 +
};
 +
zone "31.172.in-addr.arpa" {
 +
  type static-stub;     
 +
  server-addresses { 172.31.0.5; };
 +
};
 +
zone "100.10.in-addr.arpa" {
 +
  type static-stub;     
 +
  server-addresses { 172.31.0.5; };
 +
};
 +
zone "101.10.in-addr.arpa" {
 +
  type static-stub;     
 +
  server-addresses { 172.31.0.5; };
 +
};
 +
zone "102.10.in-addr.arpa" {
 +
  type static-stub;     
 +
  server-addresses { 172.31.0.5; };
 +
};
 +
zone "103.10.in-addr.arpa" {
 +
  type static-stub;     
 +
  server-addresses { 172.31.0.5; };
 +
};
 +
 
 +
=== Bind as secondary ===
 +
 
 +
  zone "hack" {
 +
    type slave;
 +
    file "slave/slave.hack";
 +
    masters { 172.31.0.5; };
 +
  };
 +
 
 +
=== Old Bind as Forwarder ===
 +
 
 +
  zone "hack" {
 +
    type forward;
 +
    forwarders { 172.31.0.5; };
 +
  };
  
= HowTo=
 
  
  
Line 47: Line 123:
 
   forward-zone:
 
   forward-zone:
 
   name: "dn42"
 
   name: "dn42"
   forward-addr: 172.22.228.85
+
   forward-addr: 172.22.0.53
  forward-addr: 172.22.222.6
+
Make sure you allow private addresses to be returned (private-domain) and don't check signatures (DNSSEC, domain-insecure) for .hack and .dn42:
 
 
 
 
== bind9 ==
 
 
 
Should-Do´s:
 
 
 
in /etc/bind/named.conf:
 
 
 
=== Bind as secondary ===
 
 
 
  zone "hack" in{
 
    type slave;
 
    file "slave/slave.hack";
 
    masters {172.31.0.5;};
 
  };
 
  
=== Bind as Forwarder ===
+
  private-domain: "hack"
 
+
  domain-insecure: "hack"
  zone "hack" in{
+
  private-domain: "dn42"
    type forward;
+
  domain-insecure: "dn42"
    forwarders {172.31.0.5; 172.31.116.1;}; };
 
  };
 
  
 
== maradns ==
 
== maradns ==
Line 80: Line 139:
 
Where '''mycoolnode.hack''' is the domain name, '''212.12.52.216''' is the primary name server and '''db.domain.hack''' is the filename of the zonefile.
 
Where '''mycoolnode.hack''' is the domain name, '''212.12.52.216''' is the primary name server and '''db.domain.hack''' is the filename of the zonefile.
  
== dnsmasq ==
 
edit
 
 
/etc/dnsmasq.conf
 
 
# Tells dnsmasq to forward anything with the domain of .hack to dns server 172.31.0.5
 
server=/.hack/172.31.0.5
 
 
# Listen to requests only coming from the local machine
 
listen-address=127.0.0.1
 
 
# Do not cache anything
 
# A decent dns server will already cache for your local network
 
cache-size=0
 
 
and <br>
 
/etc/resolv.conf
 
  
# local dnsmasq server
+
[[Category:ChaosVPN]]
nameserver 127.0.0.1
 
 
# Your main dns server (dnsmasq will forward all requests to this server) 208.67.222.222 OpenDNS / 172.31.0.5 main ChaosVPn DNS Server
 
nameserver 208.67.222.222
 
nameserver 172.31.0.5
 

Revision as of 02:44, 5 April 2015

We have a DNS running.

how to get entries

Email chaosvpn-join@hamburg.ccc.de to get an entry under .hack or to get a reverse-lookup for your IP / range registered.

configs

The main zonefile atm is edited with vim on cvpn-dns.

This server is available at 172.31.0.5.

You can either be secondary and transfer the zonefile, or query this server.


HowTo

These are configuration example for multiple nameserver programs - choose the config for the one you are running.

dnsmasq

Add to /etc/dnsmasq.conf:

server=/hack/172.31.0.5
server=/31.172.in-addr.arpa/172.31.0.5
server=/100.10.in-addr.arpa/172.31.0.5
server=/101.10.in-addr.arpa/172.31.0.5
server=/102.10.in-addr.arpa/172.31.0.5
server=/103.10.in-addr.arpa/172.31.0.5
server=/dn42/172.22.0.53
server=/22.172.in-addr.arpa/172.22.0.53
server=/23.172.in-addr.arpa/172.22.0.53

bind9

Should-Do´s:

in /etc/bind/named.conf (or for Debian in /etc/bind/named.conf.local):

NOTE: bind9 in debian now attempts to use DNSSEC, which you need to disable in /etc/bind/named.conf.options. Change 'dnssec-validation auto;' to 'dnssec-validation no;' and the static-stub defs should work.

Bind 9.8+ using static-stub (preferred method, Debian Wheezy or newer)

zone "hack" {
  type static-stub;      
  server-addresses { 172.31.0.5; };      
};
zone "dn42" {
  type static-stub;
  server-addresses { 172.22.0.53; };
};
zone "22.in-addr.arpa" {
  type static-stub;
  server-addresses { 172.22.0.53; };
};
zone "23.in-addr.arpa" {
  type static-stub;
  server-addresses { 172.22.0.53; };
};
zone "31.172.in-addr.arpa" {
  type static-stub;      
  server-addresses { 172.31.0.5; };
};
zone "100.10.in-addr.arpa" {
  type static-stub;      
  server-addresses { 172.31.0.5; };
};
zone "101.10.in-addr.arpa" {
  type static-stub;      
  server-addresses { 172.31.0.5; };
};
zone "102.10.in-addr.arpa" {
  type static-stub;      
  server-addresses { 172.31.0.5; };
};
zone "103.10.in-addr.arpa" {
  type static-stub;      
  server-addresses { 172.31.0.5; };
};

Bind as secondary

 zone "hack" {
   type slave;
   file "slave/slave.hack";
   masters { 172.31.0.5; };
 };

Old Bind as Forwarder

 zone "hack" {
   type forward;
   forwarders { 172.31.0.5; };
 };


NSD + unbound

unbound and NSD were developed by NLnet Labs with focus on small footprints and reliability. While NSD is a complete name server software for authoritative zones only, they also provide unbound as caching and recursive resolver.

nsd

In /etc/nsd/nsd3.conf add at bottom:

 zone:
       name: "hack"
       zonefile: "hack.zone"
       allow-notify: 127.0.0.1 NOKEY
       allow-notify: 172.31.0.5 NOKEY
       request-xfr: 172.31.0.5 NOKEY



unbound

In /etc/unbound/unbound.conf add at bottom:

 forward-zone:
 	name: "hack"
 	forward-addr: 172.31.0.5
 	forward-addr: 172.31.116.1
 forward-zone:
 	name: "dn42"
 	forward-addr: 172.22.0.53

Make sure you allow private addresses to be returned (private-domain) and don't check signatures (DNSSEC, domain-insecure) for .hack and .dn42:

 	private-domain: "hack"
 	domain-insecure: "hack"
 	private-domain: "dn42"
 	domain-insecure: "dn42"

maradns

maradns as secondary

 getzone mycoolnode.hack 212.12.52.216 > /etc/maradns/db.domain.hack

Where mycoolnode.hack is the domain name, 212.12.52.216 is the primary name server and db.domain.hack is the filename of the zonefile.