Revision history for API BindACL
Revision [3904]
Last edited on 2017-02-23 13:50:34 by JeffTaylor [Added opennic_blacklist to examples]
Additions:
!opennic_blacklist;
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist; localhost;
!opennic_blacklist;
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist; localhost;
!opennic_blacklist;
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist; localhost;
!opennic_blacklist;
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist; localhost;
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist; localhost;
!opennic_blacklist;
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist; localhost;
!opennic_blacklist;
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist; localhost;
!opennic_blacklist;
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist; localhost;
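Review bot: the negated `!opennic_blacklist;` must remain the first element of each list, as it is in these additions, because BIND evaluates an address match list in order and stops at the first matching element, so a blacklist entry placed after `opennic_T0; opennic_T1; opennic_T2;` would never reject an address that is also a Tier address. One added block (`opennic_T0; opennic_T1; opennic_T2;` followed by `opennic_whitelist; localhost;` with no `!opennic_blacklist;` line before it) appears not to have received the new entry; worth confirming that every statement on the page was updated. A sentence in the text explaining that a negated match means the address is not matched by the list, and therefore denied, would also make clear that an address present in both `opennic_blacklist` and `opennic_whitelist` is refused.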
Deletions:
opennic_whitelist; localhost;
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist; localhost;
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist; localhost;
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist; localhost;
Additions:
Finally, please take a look at the Tier2Security page, which contains information to further secure a whitelisted server against random queries.
Revision [3543]
Edited on 2015-03-20 19:40:54 by Bushy [Added localhost as it's no longer in the acl?]
Additions:
opennic_whitelist; localhost;
opennic_whitelist; localhost;
opennic_whitelist; localhost;
opennic_whitelist; localhost;
opennic_whitelist; localhost;
opennic_whitelist; localhost;
opennic_whitelist; localhost;
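Review bot: `localhost` is BIND's built-in ACL matching every address configured on the server's own interfaces (IPv4 and IPv6), not only 127.0.0.1, so it is never part of the downloaded OpenNIC.acl and has to be listed explicitly as done here; a short sentence saying so would answer the question in the edit comment for the next editor.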
Deletions:
opennic_whitelist;
opennic_whitelist;
opennic_whitelist;
Additions:
DIR="/etc/bind"
FILE="OpenNIC.acl"
curl -sR "https://api.opennicproject.org/acl/bind/?user=$USER&auth=$AUTH" -z $FILE -o $DIR/$FILE -w %{http_code} | if [ "${*:-`cat`}" == "200" ]; then /usr/sbin/rndc reload; fi
FILE="OpenNIC.acl"
curl -sR "https://api.opennicproject.org/acl/bind/?user=$USER&auth=$AUTH" -z $FILE -o $DIR/$FILE -w %{http_code} | if [ "${*:-`cat`}" == "200" ]; then /usr/sbin/rndc reload; fi
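Review bot: `-z $FILE` in the curl line still names the bare `OpenNIC.acl`, which is resolved relative to cron's working directory rather than `$DIR/$FILE`, so the If-Modified-Since check reads the wrong file (or none at all) and every run re-downloads and reloads; change it to `-z "$DIR/$FILE"`. Two smaller points: the script is `#!/bin/sh` but compares with `==`, which the `test` builtin of some /bin/sh implementations rejects, so use a single `=`; and a 200 response is written straight over the live ACL and `rndc reload` is run without validation, so one malformed download breaks the running server. Downloading to a temporary file, running `named-checkconf`, and only then moving the file into place and reloading would make the cron job fail closed.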
Deletions:
curl -sR "https://api.opennicproject.org/acl/bind/?user=$USER&auth=$AUTH" -z $FILE -o $FILE -w %{http_code} | if [ "${*:-`cat`}" == "200" ]; then echo "rndc reload" ; fi
Additions:
Administrators running open Tier1 and Tier2 servers may wish to make use of the automatically-generated ACL file. This file is a BIND-formatted ACL which has listings for Tier1 addresses, Tier2 addresses, and whitelisted user IP addresses. Each list may be combined as desired to control access to your server. ACL lists have been supported since BIND 8.2.1.
FILE="/etc/bind/OpenNIC.acl"
You will need to include this file in your named.conf configuration. Please note that you **cannot** put this in the //options// section of named.conf; if you do you will get an //unknown option 'acl'// error! Just place it anywhere outside of the named sections:
include "/etc/bind/OpenNIC.acl"
----
CategoryDNSSecurity
FILE="/etc/bind/OpenNIC.acl"
You will need to include this file in your named.conf configuration. Please note that you **cannot** put this in the //options// section of named.conf; if you do you will get an //unknown option 'acl'// error! Just place it anywhere outside of the named sections:
include "/etc/bind/OpenNIC.acl"
----
CategoryDNSSecurity
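Review bot: the `include "/etc/bind/OpenNIC.acl"` line is missing its terminating semicolon; every top-level statement in named.conf, `include` among them, must end with `;`, and without it named refuses to load the configuration. The rest of this addition is sound: `acl` is a top-level statement, which is exactly why placing it inside `options` produces the `unknown option 'acl'` error the text describes, and the path correction from `/etc/bin/` to `/etc/bind/` fixes the earlier typo.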
Deletions:
FILE="/etc/bin/OpenNIC.acl"
Additions:
To include these ACLs in BIND9, you could add something like the following to the appropriate named.conf or view:
allow-recursion {
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist;
};
allow-query {
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist;
};
allow-query-cache {
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist;
};
allow-transfer {
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist;
};
allow-recursion {
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist;
};
allow-query {
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist;
};
allow-query-cache {
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist;
};
allow-transfer {
opennic_T0; opennic_T1; opennic_T2;
opennic_whitelist;
};
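Review bot: reusing the same list for `allow-transfer` as for `allow-query` grants full zone transfers (AXFR/IXFR) to every Tier server and every whitelisted user address, not just to the server's own secondaries; `allow-transfer` should be limited to the secondaries' addresses (or `none;` on a pure resolver), with the OpenNIC lists kept for `allow-query`, `allow-query-cache` and `allow-recursion`. The text says only "named.conf or view"; a sentence on whether these four statements go in `options` or in each `view` would help.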
Additions:
%%wget -qO- "https://api.opennicproject.org/acl/bind/?user=myUser&auth=myHash"
curl "https://api.opennicproject.org/acl/bind/?user=myUser&auth=myHash"%%
%%wget -qO- "https://api.opennicproject.org/acl/hash/?user=myUser&auth=myHash"
curl "https://api.opennicproject.org/acl/hash/?user=myUser&auth=myHash"%%
curl -sR "https://api.opennicproject.org/acl/bind/?user=$USER&auth=$AUTH" -z $FILE -o $FILE -w %{http_code} | if [ "${*:-`cat`}" == "200" ]; then echo "rndc reload" ; fi
curl "https://api.opennicproject.org/acl/bind/?user=myUser&auth=myHash"%%
%%wget -qO- "https://api.opennicproject.org/acl/hash/?user=myUser&auth=myHash"
curl "https://api.opennicproject.org/acl/hash/?user=myUser&auth=myHash"%%
curl -sR "https://api.opennicproject.org/acl/bind/?user=$USER&auth=$AUTH" -z $FILE -o $FILE -w %{http_code} | if [ "${*:-`cat`}" == "200" ]; then echo "rndc reload" ; fi
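Review bot: dropping `--insecure`, `--no-check-certificate` and `-k` is the right change now that certificate validation works, and the self-signed-certificate note correctly goes with them. One point the text should still make: `auth=myHash` travels in the URL query string, so it appears in shell history, in `ps` output while the command runs and in the API's access logs; readers should treat the auth hash as a secret and keep any script that embeds it readable only by root.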
Deletions:
curl --insecure "https://api.opennicproject.org/acl/bind/?user=myUser&auth=myHash"%%
%%wget --no-check-certificate -qO- "https://api.opennicproject.org/acl/hash/?user=myUser&auth=myHash"
curl --insecure "https://api.opennicproject.org/acl/hash/?user=myUser&auth=myHash"%%
curl -sRk "https://api.opennicproject.org/acl/bind/?user=$USER&auth=$AUTH" -z $FILE -o $FILE -w %{http_code} | if [ "${*:-`cat`}" == "200" ]; then echo "rndc reload" ; fi
//Note that the API page currently uses a self-signed certificate, thus the need for the flags in the wget and curl commands. These will be removed from documentation once an official certificate has been applied to api.opennicproject.org.//
Additions:
Complete automation may be achieved by calling the following script as a cron job. It only updates when a new file is available, so you should check it at least every 1-5 minutes.
%%
#!/bin/sh
USER="myUserName"
AUTH="myAuthCode"
FILE="/etc/bin/OpenNIC.acl"
curl -sRk "https://api.opennicproject.org/acl/bind/?user=$USER&auth=$AUTH" -z $FILE -o $FILE -w %{http_code} | if [ "${*:-`cat`}" == "200" ]; then echo "rndc reload" ; fi
%%
//Note that the API page currently uses a self-signed certificate, thus the need for the flags in the wget and curl commands. These will be removed from documentation once an official certificate has been applied to api.opennicproject.org.//
%%
#!/bin/sh
USER="myUserName"
AUTH="myAuthCode"
FILE="/etc/bin/OpenNIC.acl"
curl -sRk "https://api.opennicproject.org/acl/bind/?user=$USER&auth=$AUTH" -z $FILE -o $FILE -w %{http_code} | if [ "${*:-`cat`}" == "200" ]; then echo "rndc reload" ; fi
%%
//Note that the API page currently uses a self-signed certificate, thus the need for the flags in the wget and curl commands. These will be removed from documentation once an official certificate has been applied to api.opennicproject.org.//
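Review bot: `-sRk` disables TLS certificate verification, so while the self-signed certificate is in place anyone able to redirect traffic for api.opennicproject.org can hand the server an arbitrary ACL, and the SHA256 hash endpoint does not close that gap because it is fetched over the same unverified channel; it only detects truncated or corrupted downloads. The real fix is the one the note promises, a trusted certificate and removal of `-k`, and the text should say so. Two defects in the script itself: it only echoes `rndc reload` instead of running it, so as written the cron job never applies a new ACL, and `FILE="/etc/bin/OpenNIC.acl"` is a typo for `/etc/bind/` (corrected in a later revision). Finally, "check it at least every 1-5 minutes" contradicts itself; state one polling interval.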
Deletions:
Additions:
There is also an SHA256 hash provided to validate the information you receive. The hash may be accessed in the same manner as the ACL file:
The hash can be calculated in linux as follows:
%%sha256sum <acl-file.name>%%
The hash can be calculated in linux as follows:
%%sha256sum <acl-file.name>%%
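Review bot: the addition shows how to compute the digest but not how to compare it with the value from `/acl/hash/`; `sha256sum` can do the comparison itself, as in `echo "<hash>  <acl-file.name>" | sha256sum -c -` (two spaces between hash and name), which exits non-zero on a mismatch and so can gate the `rndc reload` in the cron script. Minor: "linux" should be capitalised as "Linux".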
Deletions:
Additions:
curl --insecure "https://api.opennicproject.org/acl/bind/?user=myUser&auth=myHash"%%
curl --insecure "https://api.opennicproject.org/acl/hash/?user=myUser&auth=myHash"%%
curl --insecure "https://api.opennicproject.org/acl/hash/?user=myUser&auth=myHash"%%
Deletions:
curl --insecure --data "user=myUser&auth=myHash" https://api.opennicproject.org/acl/hash/%%
Additions:
%%wget --no-check-certificate -qO- "https://api.opennicproject.org/acl/bind/?user=myUser&auth=myHash"
%%wget --no-check-certificate -qO- "https://api.opennicproject.org/acl/hash/?user=myUser&auth=myHash"
%%wget --no-check-certificate -qO- "https://api.opennicproject.org/acl/hash/?user=myUser&auth=myHash"
Deletions:
%%wget --no-check-certificate -qO- "https://api.opennicproject.org/acl/hash/?user=myUser&auth=myHash
Additions:
%%wget --no-check-certificate -qO- "https://api.opennicproject.org/acl/bind/?user=myUser&auth=myHash
curl --insecure --data "user=myUser&auth=myHash" https://api.opennicproject.org/acl/bind/%%
%%wget --no-check-certificate -qO- "https://api.opennicproject.org/acl/hash/?user=myUser&auth=myHash
curl --insecure --data "user=myUser&auth=myHash" https://api.opennicproject.org/acl/hash/%%
Note that this page currently uses a self-signed certificate, thus the need for the flags in the wget and curl commands. These will be removed from documentation once an official certificate has been applied to api.opennicproject.org.
curl --insecure --data "user=myUser&auth=myHash" https://api.opennicproject.org/acl/bind/%%
%%wget --no-check-certificate -qO- "https://api.opennicproject.org/acl/hash/?user=myUser&auth=myHash
curl --insecure --data "user=myUser&auth=myHash" https://api.opennicproject.org/acl/hash/%%
Note that this page currently uses a self-signed certificate, thus the need for the flags in the wget and curl commands. These will be removed from documentation once an official certificate has been applied to api.opennicproject.org.
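Review bot: the `wget --no-check-certificate -qO- "https://...` lines in this revision open a double quote before the URL and never close it, so pasted as shown the shell waits for the closing quote rather than running the command. The paired examples also use different request methods, `wget` sending the credentials in the query string and `curl --data` sending them as a POST body, without saying which the API supports; later revisions settle on the query-string form for both, which is the clearer presentation.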
Deletions:
%%wget --no-check-certificate -qO- "https://api.opennicproject.org/acl/hash/?user=myUser&auth=myHash%%