Revision history for RunningT2


Revision [2318]

Last edited on 2010-12-24 08:45:26 by BrianKoontz [pointer to merged page]
Additions:
<<
This page has been merged with Tier2ServerConfig.
<<::c::
Deletions:
======Configuring and Operating A Tier 2 DNS Server Guide======
~&This guide only covers bind9; guides for other DNS servers should be sent to support@opennicproject.org

=====configuration=====
OpenNIC supports two methods for running a Tier 2 server using bind9. The first is slaving the root file from a number of Tier 1 servers. This provides the fastest resolution. The second method is to use a hints file to prime your DNS server with knowledge of OpenNIC's Tier 1 servers.

====//method 1:// slaving the root file====
We will first go through the method of slaving the root zone. Note that Tier 1 servers are the only place to obtain the OpenNIC root zone; other sources cannot be trusted. OpenNIC's Tier 0 server should never be queried directly.

Below is the statement to add to your bind named.conf:
%%
zone "." {
    type slave;
    file "/etc/bind/zones/db.root";
    masters { <tier-1-ipaddress>; };
    allow-transfer { any; };
    notify no;
};
%%
It is best practice to list all of the Tier 1 servers in the masters statement above, e.g. masters { 58.6.115.45; 58.6.115.46; };. This keeps your zone transfers working if one of the Tier 1 servers goes down. Here is the current list of Tier 1 servers:

* ns1.opennic.glue
* ns2.opennic.glue
* ns5.opennic.glue
* ns6.opennic.glue
* ns7.opennic.glue
* ns21.opennic.glue
* ns22.opennic.glue

====//method 2:// using the hints file====
Using the hints file is easy too. Here is how.

First change to your bind root directory (mine is /etc/bind) and, from that directory, run:
%%
dig . NS @58.6.115.46 > db.root
%%

Your bind named.conf should already contain the following:
%%
zone "." {
    type hint;
    file "db.root";
};
%%

Remember that once done, restart bind!

=====operation=====
There is not much to running an OpenNIC Tier 2 server. Once you have it configured, the auditingWG will monitor it and let you know by email if anything goes wrong along the way. You can also expect DNS traffic to use a few gigabytes of bandwidth each month; this of course varies with how heavily your DNS server is used.

Let's go through turning on some logging for your bind9 DNS server. These logs are interesting to look through, but should not be archived. If you wish to archive them, I have provided a perl script written by Brianko which removes all IP addresses and replaces them with XXX.XXX.XXX.XXX. It is important that we protect our members' right to browse the internet in complete privacy, so use of this perl script is highly encouraged.

To turn on logging, open named.conf.options in your favourite text editor and add the following to the end of the file:
%%
logging {
    channel "misc" {
        file "/var/log/misc.log" versions 2 size 25M;
        severity info; print-severity no;
        print-category yes; print-time yes;
    };
    channel "querylog" {
        file "/var/log/named.log" versions 2 size 25M;
        severity info; print-severity no;
        print-category no; print-time yes;
    };
    category "queries" { "querylog"; };
    category default { "misc"; };
};
%%

Depending on your bind setup (we always recommend chroot), the log directory can live in one of two locations: in a chroot setup it is /var/lib/named/var/log, and in a normal install it is /var/log. You know how yours is installed, so go to the log directory and issue:
%%
touch named.log
chown bind:bind named.log
touch misc.log
chown bind:bind misc.log
%%

==== Obfuscating named logs ====

In the interest of privacy and anonymity, a couple of ideas for obfuscating named logs are presented below. Currently, there is no official OpenNIC policy that addresses the privacy and retention issues of named logs.

=== //method 1:// Post-logging processing ===

This setup anonymizes the named log after queries have been logged.

Here is the script that Brianko wrote:
%%(perl)
#! /usr/bin/perl
#
# blurAddys.pl - Obfuscate IP addresses in a file
#
# cat some.log | blurAddys.pl > some_blurred.log
#
#####################################################################
use strict;

while(<STDIN>)
{
    # IPv4 (dotted or dashed): replace each octet with XX, keeping the separators
    s/\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}/XX$1XX$2XX$3XX/g;
    # IPv6: replace the whole address with a fixed placeholder; $2 keeps the
    # character that followed the address (the pattern requires one)
    s/([0-9A-Fa-f]{4}:[0-9A-Fa-f:]+:[0-9A-Fa-f]{1,4})([^:0-9A-Fa-f])/XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX$2/g;
    print $_;
}
%%

It's easy to add this to a script. Below is what I use:
%%(bash)
#!/bin/sh

day=`date +%d`
current=`date +%d%m%y`

# On the first of the month, archive last month's blurred logs and remove them
if [ "$day" = 01 ]; then
    tar cfvz /var/log/named/named.$current.tar.gz /var/log/named/*.log.*
    rm /var/log/named/*.log.*
fi

# Blur the live query log into the archive directory, then start a fresh log
cat /var/lib/named/var/log/named.log | /usr/local/bin/blurAddys.pl > /var/log/named/named.log.$current
rm /var/lib/named/var/log/named.log
touch /var/lib/named/var/log/named.log
chown bind:bind /var/lib/named/var/log/named.log

/etc/init.d/bind9 restart
%%

=== //method 2:// Log anonymization using named pipes ===

//Note: Please be aware that this method exposes data (in this case, log entries) to processes outside the chroot jail. Be very careful when processing this data, as it is feasible that an injection-type attack is possible if an attacker is aware of vulnerabilities in the external script.//

This method anonymizes named logs as they are generated. It also permits preprocessing of raw log data (with IP addresses intact) for purposes of traffic analysis, blacklisting, etc. The instructions below assume the following:

~- Running on a Unix system that supports signals and the 'pidof' utility.
~- Running BIND named daemon in a chroot jail under user 'named'. The chroot jail is /var/named/chroot in this example.
~- Log will be saved in /var/named/chroot/var/log directory.
~- Support for named pipes.
~- Using logrotate to manage logs.

==Installation instructions==

~- Install the following script **outside** of your chroot jail. Set the permissions so that it can be executed by user 'named'. (In this example, I've copied the script to /var/named.)
%%(perl)
#! /usr/bin/perl
#
# processNamedLog.pl - Obfuscate IPv4/IPv6 addresses in a named log.
# Respawns upon receipt of HUP signal (useful for logrotate).
#
# Usage: su -c ./processNamedLog.pl named &
#
# Author: Brian Koontz (http://wiki.opennic.glue/BrianKoontz)
# Docs: http://wiki.opennic.glue/RunningT2
#
#####################################################################
use strict;
use POSIX();

# Set autoflush on OUT (keeps the named pipe from filling up while
# lines sit in a stdio buffer)
my $oldfh = select(OUT);
$| = 1;
select($oldfh);

# POSIX-compliant signal handler: on HUP, close both ends and re-exec
# ourselves so the fresh named.log created by logrotate is opened
my $sigset = POSIX::SigSet->new();
my $action = POSIX::SigAction->new(
    'HUP_handler',
    $sigset,
    &POSIX::SA_NODEFER);
POSIX::sigaction(&POSIX::SIGHUP, $action);

sub HUP_handler {
    close IN;
    close OUT;
    my @args = ("/var/named/processNamedLog.pl&");
    exec @args;
    exit(0);
}

my $pipe = "/var/named/chroot/var/tmp/named.pipe";
my $out  = "/var/named/chroot/var/log/named.log";
# Open the pipe read/write so reads never hit EOF when named closes its end
open(IN, "+<$pipe") or die "Can't open $pipe for reading!";
open(OUT, ">>$out") or die "Can't open $out for writing!";
while(<IN>)
{
    # IPv4 (dotted or dashed): replace each octet with XX
    s/\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}/XX$1XX$2XX$3XX/g;
    # IPv6: replace the whole address with a fixed placeholder
    s/([0-9A-Fa-f]{4}:[0-9A-Fa-f:]+:[0-9A-Fa-f]{1,4})([^:0-9A-Fa-f])/XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX$2/g;
    print OUT $_;
}
%%

~- Create a named pipe in the directory of your choice.
%%(bash)
# cd /var/named/chroot/var/tmp
# mknod named.pipe p
# chmod 0666 named.pipe
%%

~- Create a new channel in your named.conf file. Change your category logging directives to use this new channel for all logging.
%%
channel pipe_log {
    file "/var/tmp/named.pipe";
    print-category no; // Category unneeded in debug file?
    print-severity yes;
    print-time yes;
};
%%

~- (Optional) Add a new entry in your /etc/logrotate.conf file.
%%
# system-specific logs may also be configured here.
/var/named/chroot/var/log/named.log {
    rotate 3
    size 20M
    postrotate
        kill -HUP `/sbin/pidof -x processNamedLog.pl`
    endscript
}
%%

~- Start the perl script in the background, and then reload your named.conf file.
%%(bash)
# su -c /var/named/processNamedLog.pl named &
# /sbin/rndc reload
%%

~- Check to make sure named.log has been created and is logging data.
%%(bash)
# tail -f /var/named/chroot/var/log/named.log
%%

~- Check to make sure logs are rotated when logrotate is called, and that logging is initiated in the newly-created named.log file.
%%(bash)
# /usr/sbin/logrotate -f /etc/logrotate.conf
%%

~- (Optional) Check to ensure processNamedLog.pl is being respawned. Example output to stdout is for demonstration purposes only.
%%(bash)
# ps -ax | grep processNamedLog.pl
8330 ? S 0:00 /usr/bin/perl /var/named/processNamedLog.pl
# kill -HUP 8330
# ps -ax | grep processNamedLog.pl
9566 ? S 0:00 /usr/bin/perl /var/named/processNamedLog.pl
# tail -f /var/named/chroot/var/log/named.log
26-Jun-2009 04:16:23.132 info: client XX.XX.XX.XX#60287: view tier2_server_ipv4: query: ISAI.gateway.2wire.net IN A +
26-Jun-2009 04:16:25.880 info: client XX.XX.XX.XX#62970: view tier2_server_ipv4: query: ISAI.gateway.2wire.net IN A +
etc...
%%
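The IP filter shared by blurAddys.pl and processNamedLog.pl, written here as an added Python example (not code from the wiki or its author) that reads any text stream, so it fits both the post-processing setup and the named-pipe setup. Each regex hit is checked with the standard ipaddress module before it is blurred, which leaves timestamps such as 04:16:23 alone and also catches compressed IPv6 forms such as fe80::1 or ::1 that the Perl pattern above does not match; the log lines are constructed for this example.

```python
import ipaddress
import re
import sys
from typing import TextIO

# Candidates: a dotted (or dashed, as blurAddys.pl also allows) quad with a
# consistent separator, or a run of hex groups joined by colons.  Each hit is
# validated with ipaddress before it is blurred, so timestamps like 04:16:23
# and junk like 999.1.1.1 are left untouched.
_IPV4_RE = re.compile(r"\b\d{1,3}([.-])\d{1,3}\1\d{1,3}\1\d{1,3}\b")
_IPV6_RE = re.compile(
    r"(?<![0-9A-Fa-f:])[0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7}(?![0-9A-Fa-f:])"
)

# Placeholders kept in the wiki scripts' own format
_V4_BLUR = "XX"
_V6_BLUR = ":".join(["XXXX"] * 8)


def _blur_v4(m: re.Match) -> str:
    try:
        ipaddress.IPv4Address(m.group(0).replace("-", "."))
    except ValueError:
        return m.group(0)  # not a real address, leave it alone
    return m.group(1).join([_V4_BLUR] * 4)


def _blur_v6(m: re.Match) -> str:
    try:
        ipaddress.IPv6Address(m.group(0))
    except ValueError:
        return m.group(0)
    return _V6_BLUR


def blur_line(line: str) -> str:
    """Return LINE with every valid IPv4/IPv6 address blurred."""
    # v4 first, so the quad embedded in a mapped address like ::ffff:1.2.3.4 is blurred
    line = _IPV4_RE.sub(_blur_v4, line)
    return _IPV6_RE.sub(_blur_v6, line)


def blur_stream(src: TextIO, dst: TextIO) -> int:
    """Filter SRC into DST line by line; returns the number of lines written.
    Flushing per line keeps a FIFO draining, like the Perl script's autoflush."""
    count = 0
    for line in src:
        dst.write(blur_line(line))
        dst.flush()
        count += 1
    return count


# Constructed sample lines in the named query-log format shown on this page
SAMPLE_LOG = [
    "26-Jun-2009 04:16:23.132 info: client 58.6.115.46#60287: view tier2_server_ipv4: query: example.opennic.glue IN A +",
    "26-Jun-2009 04:16:25.880 info: client fe80::1#62970: view tier2_server_ipv6: query: example.opennic.glue IN AAAA +",
    "26-Jun-2009 04:16:30.001 info: client 2001:db8::ff00:42#53: view tier2_server_ipv6: query: 46.115.6.58.in-addr.arpa IN PTR +",
]

if __name__ == "__main__":
    # Same usage as blurAddys.pl: cat named.log | blur_named_log.py > blurred.log
    blur_stream(sys.stdin, sys.stdout)
```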

Hope that this guide has helped you in your Tier 2 and OpenNIC adventures. Once you have yours working, if you plan to donate your DNS services and bandwidth to OpenNIC, please post your server IP on the [[MailingLists mailing list]] with a request to have it included in the T2 list.


Revision [2211]

Edited on 2010-12-09 14:08:21 by BrianKoontz [updated obfuscation scripts for ipv6 addys]
Additions:
s/([0-9A-Fa-f]{4}:[0-9A-Fa-f:]+:[0-9A-Fa-f]{1,4})([^:0-9A-Fa-f])/XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX$2/g;
s/([0-9A-Fa-f]{4}:[0-9A-Fa-f:]+:[0-9A-Fa-f]{1,4})([^:0-9A-Fa-f])/XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX$2/g;


Revision [2171]

Edited on 2010-11-29 04:38:24 by BrianKoontz [Fixed borked link]
Additions:
Hope that this guide has helped you in your Tier 2 and OpenNIC adventures. Once you have yours working, if you plan to donate your DNS services and bandwidth to OpenNIC, please post your server IP on the [[MailingLists mailing list]] with a request to have it included in the T2 list.
Deletions:
Hope that this guide has helped you in your Tier 2 and OpenNIC adventures. Once you have yours working, if you plan to donate your DNS services, and bandwidth to OpenNIC visit, http://reg.opennic.glue/


Revision [1969]

Edited on 2009-06-26 14:12:56 by BrianKoontz [Added instructions for sanitizing IPv4 addys in named logs]
Additions:
//Note: Please be aware that this method exposes data (in this case, log entries) to processes outside the chroot jail. Be very careful when processing this data, as it is feasible that an injection-type attack is possible if an attacker is aware of vulnerabilities in the external script.//
This method anonymizes named logs as they are generated. It also permits preprocessing of raw log data (with IP addresses intact) for purposes of traffic analysis, blacklisting, etc. The instructions below assume the following:
~- Running on Unix system that supports signals and 'pidof' utility.
~- Running BIND named daemon in a chroot jail under user 'named'. The chroot jail is /var/named/chroot in this example.
~- Log will be saved in /var/named/chroot/var/log directory.
~- Support for named pipes.
~- Using logrotate to manage logs.
==Installation instructions==
~- Install the following script **outside** of your chroot jail. Set the permissions so that it can be executed by user 'named'. (In this example, I've copied the script to /var/named.)
%%(perl)
# processNamedLog.pl - Obfuscate IPv4 addresses in a named log.
# Respawns upon receipt of HUP signal (useful for logrotate).
# Usage: su -c ./processNamedLog.pl named &
# Author: Brian Koontz (http://wiki.opennic.glue/BrianKoontz)
# Docs: http://wiki.opennic.glue/RunningT2
use POSIX();
# Set autoflush on (keeps named pipe from getting full)
my $oldfh = select(OUT);
$| = 1;
select($oldfh);
# POSIX-compliant signal handler
my $sigset = POSIX::SigSet->new();
my $action = POSIX::SigAction->new(
'HUP_handler',
$sigset,
&POSIX::SA_NODEFER);
POSIX::sigaction(&POSIX::SIGHUP, $action);
sub HUP_handler {
close IN;
close OUT;
my @args = ("/var/named/processNamedLog.pl&");
exec @args;
exit(0);
my $pipe = "/var/named/chroot/var/tmp/named.pipe";
my $out = "/var/named/chroot/var/log/named.log";
open(IN, "+<$pipe") or die "Can't open $pipe for reading!";
open(OUT, ">>$out") or die "Can't open $out for writing!";
while(<IN>)
print OUT $_;
~- Create a named pipe in the directory of your choice.
%%(bash)
# cd /var/named/chroot/var/tmp
# mknod named.pipe p
# chmod 0666 named.pipe
~- Create a new channel in your named.conf file. Change your category logging directives to use this new channel for all logging.
channel pipe_log {
file "/var/tmp/named.pipe";
print-category no; // Category unneeded in debug file?
print-severity yes;
print-time yes;
};
~- (Optional) Add a new entry in your /etc/logrotate.conf file.
# system-specific logs may be also be configured here.
/var/named/chroot/var/log/named.log {
rotate 3
size 20M
postrotate
kill -HUP `/sbin/pidof -x processNamedLog.pl`
endscript
~- Start the perl script in the background, and then reload your named.conf file.
%%(bash)
# su - c /var/named/processNamedLog.pl named &
# /sbin/rndc reload
~- Check to make sure named.log has been created and is logging data.
%%(bash)
# tail -f /var/named/chroot/var/log/named.log
~- Check to make sure logs are rotated when logrotate is called, and that logging is initiated in the newly-created named.log file.
%%(bash)
# /usr/sbin/logrotate -f /etc/logrotate.conf
~- (Optional) Check to ensure processNamedLog.pl is being respawned. Example output to stdout is for demonstration purposes only.
%%(bash)
# ps -ax | grep processNamedLog.pl
8330 ? S 0:00 /usr/bin/perl /var/named/processNamedLog.pl
# kill -HUP 8330
# ps -ax | grep processNamedLog.pl
9566 ? S 0:00 /usr/bin/perl /var/named/processNamedLog.pl
# tail -f /var/named/chroot/var/log/named.log
26-Jun-2009 04:16:23.132 info: client XX.XX.XX.XX#60287: view tier2_server_ipv4: query: ISAI.gateway.2wire.net IN A +
26-Jun-2009 04:16:25.880 info: client XX.XX.XX.XX#62970: view tier2_server_ipv4: query: ISAI.gateway.2wire.net IN A +
etc...
%%
Deletions:
This method anonymizes named logs as they are generated. It also permits preprocessing of raw log data (with IP addresses intact) for purposes of traffic analysis, blacklisting, etc.


Revision [1956]

Edited on 2009-06-26 12:55:15 by BrianKoontz [Updating anonymization notes]
Additions:
=== //method 2:// Log anonymization using named pipes ===
This method anonymizes named logs as they are generated. It also permits preprocessing of raw log data (with IP addresses intact) for purposes of traffic analysis, blacklisting, etc.
Deletions:
=== //method 2:// log anonymization using named pipes ===
This method anonymizes named logs as they are generated. It also permits preprocessing of raw log data (with IP addresses intact) for purposes of traffic analysis, blacklisting, etc.


Revision [1955]

Edited on 2009-06-26 12:48:24 by BrianKoontz [Updating with new anonymization techniques]
Additions:
==== Obfuscating named logs ====
In the interest of privacy and anonymity, a couple of ideas for obfuscating named logs are presented below. Currently, there is no official OpenNIC policy that addresses the privacy and retention issues of named logs.
=== //method 1:// Post-logging processing ===
This setup anonymizes the named log after queries have been logged.
=== //method 2:// log anonymization using named pipes ===
This method anonymizes named logs as they are generated. It also permits preprocessing of raw log data (with IP addresses intact) for purposes of traffic analysis, blacklisting, etc.


Revision [1952]

Edited on 2009-06-24 08:12:54 by JulianDemarchi [fixed list of servers.]
Additions:
* ns7.opennic.glue
Deletions:
* ns3.opennic.glue
* ns4.opennic.glue
* ns7.opennic.glue


Revision [1877]

Edited on 2009-05-13 20:18:35 by RichardLyons [added subheadings to clarify page]
Additions:
=====configuration=====
====//method 1:// slaving the root file====
====//method 2:// using the hints file====
=====operation=====


Revision [1871]

Edited on 2009-03-05 22:23:50 by BrianKoontz [added t1 to list]
Additions:
* ns7.opennic.glue


Revision [1799]

Edited on 2008-09-25 16:29:37 by DustinSouers [fixed typo]
Additions:
OpenNIC supports two methods for running a Tier 2 server using bind9. The first is slaving the root file from a number of Tier 1 servers. This provides the fastest resolution. The second method is to use a hints file to prime your DNS server with knowledge of OpenNIC's Tier 1 servers.
Deletions:
OpenNIC supports two methods for running a Tier 2 server using bing9. The first is slaving the root file from a number of Tier 1 servers. This provides the fastest resolution. The second method is to use a hints file to prime your DNS server with knowledge of OpenNIC's Tier 1 servers.


Revision [1769]

Edited on 2008-09-09 21:46:59 by JulianDemarchi [Finished article]
Additions:
There is not much to running a OpenNIC Tier 2 server. Once you have it configured, the auditingWG will monitor it, and let you know via emails if anything goes wrong along the way. You can also except to use a few gig of bandwidth each month of DNS traffic, this of course varies on how used your DNS server is.
Lets go through turning on some logging for your bind9 DNS server. These logs are interesting to look through, but should not be archived. If you wish to archive them, I have provided a perl script written by Brianko which will remove all IP addresses and replace them with XXX.XXX.XXX.XXX. It is important that we protect our members right to browse the internet in complete privacy, so use of this perl script is highly encouraged.
To turn on logging, open named.conf.options in your favourite text editor and add the below to the end of the file;
logging {
channel "misc" {
file "/var/log/misc.log" versions 2 size 25M;
severity info; print-severity no;
print-category yes; print-time yes;
};
channel "querylog" {
file "/var/log/named.log" versions 2 size 25M;
severity info; print-severity no;
print-category no; print-time yes;
};
category "queries" { "querylog"; };
category default { "misc"; };
Depending on your bind setup(we always recommend chroot), the log dir can live in two locations. In a chroot setup it is at /var/lib/named/var/log and in a normal install it is at /var/log. You know how yours is installed, so go to the log dir, and issue;
touch named.log
chown bind:bind named.log
touch misc.log
chown misc.log
Here is that script that Brianko wrote;
#! /usr/bin/perl
#
# blurAddys.pl - Obfuscate IP addresses in a file
#
# cat some.log | blurAddys.pl > some_blurred.log
#
#####################################################################
use strict;
while(<STDIN>)
{
s/\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}/XX$1XX$2XX$3XX/g;
print $_;
}
Its easy to add this to a script! Below is what I use;
#!/bin/sh
date=`date +%d`
current=`date +%d%m%y`
if [ "$(echo $date)" = 01 ];then
tar cfvz /var/log/named/named.$current.tar.gz /var/log/named/*.log.*
rm /var/log/named/*.log.*
fi
cat /var/lib/named/var/log/named.log | /usr/local/bin/blurAddys.pl > /var/log/named/named.log.$current
rm /var/lib/named/var/log/named.log
touch /var/lib/named/var/log/named.log
chown bind:bind /var/lib/named/var/log/named.log
/etc/init.d/bind9 restart
Hope that this guide has helped you in your Tier 2 and OpenNIC adventures. Once you have yours working, if you plan to donate your DNS services, and bandwidth to OpenNIC visit, http://reg.opennic.glue/


Revision [1768]

Edited on 2008-09-09 21:18:19 by JulianDemarchi [Finished first guide]
Additions:
~&This guide only covers bind9, other guides should be sent to support@opennicproject.org
OpenNIC supports two methods for running a Tier 2 server using bing9. The first is slaving the root file from a number of Tier 1 servers. This provides the fastest resolution. The second method is to use a hints file to prime your DNS server with knowledge of OpenNIC's Tier 1 servers.
We will first go through the method of slaving the root zone. First, it should be known that Tier 1 servers are the only location to obtain the OpenNIC root zone. Other sources cannot be trusted. OpenNIC's Tier 0 server should never be queried directly.
Here we go, below is the statement to add into your bind named.conf.
%%
zone "." {
type slave;
file "/etc/bind/zones/db.root";
masters { <tier-1-ipaddress>; };
allow-transfer { any; };
notify no;
};
%%
It is best practice to add all of the Tier 1 servers into the ip list above. E.G masters { 58.6.115.45; 58.6.115.46; }; This will allow your zone transfer to work in the event one of the Tier 1 servers goes down. Here is the current list of Tier 1 servers;
* ns1.opennic.glue
* ns2.opennic.glue
* ns3.opennic.glue
* ns4.opennic.glue
* ns5.opennic.glue
* ns6.opennic.glue
* ns21.opennic.glue
* ns22.opennic.glue
Using the hints file is easy to! Below will show you how.
First browse to your bind root dir. Mine is at /etc/bind. When in that dir;
%%
dig . NS @58.6.115.46 > db.root
%%
Your bind named.conf should already contain the below;
%%
zone "." {
type hint;
file "db.root";
};
%%
Remember that once done, restart bind!
Deletions:
~&This guide only covers bind9, other guides should be sent to julian@jdcomputers.com.au
Here will live a guide for a Tier 2 server.


Revision [1667]

The oldest known version of this page was created on 2008-07-09 21:00:05 by JulianDemarchi [Finished first guide]