Revision [2211]
This is an old revision of RunningT2 made by BrianKoontz on 2010-12-09 14:08:21.
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /home/sourpuss.net/http/www/mirror/wiki.opennicproject.org/3rdparty/plugins/geshi/geshi.php on line 2138
Configuring and Operating A Tier 2 DNS Server Guide
- This guide only covers bind9, other guides should be sent to support@opennicproject.org
configuration
OpenNIC supports two methods for running a Tier 2 server using bind9. The first is slaving the root file from a number of Tier 1 servers. This provides the fastest resolution. The second method is to use a hints file to prime your DNS server with knowledge of OpenNIC's Tier 1 servers.method 1: slaving the root file
We will first go through the method of slaving the root zone. First, it should be known that Tier 1 servers are the only location to obtain the OpenNIC root zone. Other sources cannot be trusted. OpenNIC's Tier 0 server should never be queried directly.Here we go, below is the statement to add into your bind named.conf.
zone "." {
type slave;
file "/etc/bind/zones/db.root";
masters { <tier-1-ipaddress>; };
allow-transfer { any; };
notify no;
};It is best practice to add all of the Tier 1 servers into the ip list above. E.G masters { 58.6.115.45; 58.6.115.46; }; This will allow your zone transfer to work in the event one of the Tier 1 servers goes down. Here is the current list of Tier 1 servers;
* ns1.opennic.glue
* ns2.opennic.glue
* ns5.opennic.glue
* ns6.opennic.glue
* ns7.opennic.glue
* ns21.opennic.glue
* ns22.opennic.glue
* ns2.opennic.glue
* ns5.opennic.glue
* ns6.opennic.glue
* ns7.opennic.glue
* ns21.opennic.glue
* ns22.opennic.glue
method 2: using the hints file
Using the hints file is easy to! Below will show you how.First browse to your bind root dir. Mine is at /etc/bind. When in that dir;
dig . NS @58.6.115.46 > db.root
Your bind named.conf should already contain the below;
zone "." {
type hint;
file "db.root";
};Remember that once done, restart bind!
operation
There is not much to running a OpenNIC Tier 2 server. Once you have it configured, the auditingWG will monitor it, and let you know via emails if anything goes wrong along the way. You can also except to use a few gig of bandwidth each month of DNS traffic, this of course varies on how used your DNS server is.Lets go through turning on some logging for your bind9 DNS server. These logs are interesting to look through, but should not be archived. If you wish to archive them, I have provided a perl script written by Brianko which will remove all IP addresses and replace them with XXX.XXX.XXX.XXX. It is important that we protect our members right to browse the internet in complete privacy, so use of this perl script is highly encouraged.
To turn on logging, open named.conf.options in your favourite text editor and add the below to the end of the file;
logging {
channel "misc" {
file "/var/log/misc.log" versions 2 size 25M;
severity info; print-severity no;
print-category yes; print-time yes;
};
channel "querylog" {
file "/var/log/named.log" versions 2 size 25M;
severity info; print-severity no;
print-category no; print-time yes;
};
category "queries" { "querylog"; };
category default { "misc"; };
};Depending on your bind setup(we always recommend chroot), the log dir can live in two locations. In a chroot setup it is at /var/lib/named/var/log and in a normal install it is at /var/log. You know how yours is installed, so go to the log dir, and issue;
touch named.log chown bind:bind named.log touch misc.log chown misc.log
Obfuscating named logs
In the interest of privacy and anonymity, a couple of ideas for obfuscating named logs are presented below. Currently, there is no official OpenNIC policy that addresses the privacy and retention issues of named logs.
method 1: Post-logging processing
This setup anonymizes the named log after queries have been logged.
Here is that script that Brianko wrote;
#! /usr/bin/perl
#
# blurAddys.pl - Obfuscate IP addresses in a file
#
# cat some.log | blurAddys.pl > some_blurred.log
#
#####################################################################
use strict;
while(<STDIN>)
{
s/\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}/XX$1XX$2XX$3XX/g;
s/([0-9A-Fa-f]{4}:[0-9A-Fa-f:]+:[0-9A-Fa-f]{1,4})([^:0-9A-Fa-f])/XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX$2/g;
print $_;
}Its easy to add this to a script! Below is what I use;
#!/bin/sh date=`date +%d` current=`date +%d%m%y` if [ "$(echo $date)" = 01 ];then tar cfvz /var/log/named/named.$current.tar.gz /var/log/named/*.log.* rm /var/log/named/*.log.* fi cat /var/lib/named/var/log/named.log | /usr/local/bin/blurAddys.pl > /var/log/named/named.log.$current rm /var/lib/named/var/log/named.log touch /var/lib/named/var/log/named.log chown bind:bind /var/lib/named/var/log/named.log /etc/init.d/bind9 restart
method 2: Log anonymization using named pipes
Note: Please be aware that this method exposes data (in this case, log entries) to processes outside the chroot jail. Be very careful when processing this data, as it is feasible that an injection-type attack is possible if an attacker is aware of vulnerabilities in the external script.
This method anonymizes named logs as they are generated. It also permits preprocessing of raw log data (with IP addresses intact) for purposes of traffic analysis, blacklisting, etc. The instructions below assume the following:
- Running on Unix system that supports signals and 'pidof' utility.
- Running BIND named daemon in a chroot jail under user 'named'. The chroot jail is /var/named/chroot in this example.
- Log will be saved in /var/named/chroot/var/log directory.
- Support for named pipes.
- Using logrotate to manage logs.
Installation instructions
- Install the following script outside of your chroot jail. Set the permissions so that it can be executed by user 'named'. (In this example, I've copied the script to /var/named.)
#! /usr/bin/perl
#
# processNamedLog.pl - Obfuscate IPv4 addresses in a named log.
# Respawns upon receipt of HUP signal (useful for logrotate).
#
# Usage: su -c ./processNamedLog.pl named &
#
# Author: Brian Koontz (http://wiki.opennic.glue/BrianKoontz)
# Docs: http://wiki.opennic.glue/RunningT2
#
#####################################################################
use strict;
use POSIX();
# Set autoflush on (keeps named pipe from getting full)
my $oldfh = select(OUT);
$| = 1;
select($oldfh);
# POSIX-compliant signal handler
my $sigset = POSIX::SigSet->new();
my $action = POSIX::SigAction->new(
'HUP_handler',
$sigset,
&POSIX::SA_NODEFER);
POSIX::sigaction(&POSIX::SIGHUP, $action);
sub HUP_handler {
close IN;
close OUT;
my @args = ("/var/named/processNamedLog.pl&");
exec @args;
exit(0);
}
my $pipe = "/var/named/chroot/var/tmp/named.pipe";
my $out = "/var/named/chroot/var/log/named.log";
open(IN, "+<$pipe") or die "Can't open $pipe for reading!";
open(OUT, ">>$out") or die "Can't open $out for writing!";
while(<IN>)
{
s/\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}/XX$1XX$2XX$3XX/g;
s/([0-9A-Fa-f]{4}:[0-9A-Fa-f:]+:[0-9A-Fa-f]{1,4})([^:0-9A-Fa-f])/XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX$2/g;
print OUT $_;
}
#
# processNamedLog.pl - Obfuscate IPv4 addresses in a named log.
# Respawns upon receipt of HUP signal (useful for logrotate).
#
# Usage: su -c ./processNamedLog.pl named &
#
# Author: Brian Koontz (http://wiki.opennic.glue/BrianKoontz)
# Docs: http://wiki.opennic.glue/RunningT2
#
#####################################################################
use strict;
use POSIX();
# Set autoflush on (keeps named pipe from getting full)
my $oldfh = select(OUT);
$| = 1;
select($oldfh);
# POSIX-compliant signal handler
my $sigset = POSIX::SigSet->new();
my $action = POSIX::SigAction->new(
'HUP_handler',
$sigset,
&POSIX::SA_NODEFER);
POSIX::sigaction(&POSIX::SIGHUP, $action);
sub HUP_handler {
close IN;
close OUT;
my @args = ("/var/named/processNamedLog.pl&");
exec @args;
exit(0);
}
my $pipe = "/var/named/chroot/var/tmp/named.pipe";
my $out = "/var/named/chroot/var/log/named.log";
open(IN, "+<$pipe") or die "Can't open $pipe for reading!";
open(OUT, ">>$out") or die "Can't open $out for writing!";
while(<IN>)
{
s/\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}/XX$1XX$2XX$3XX/g;
s/([0-9A-Fa-f]{4}:[0-9A-Fa-f:]+:[0-9A-Fa-f]{1,4})([^:0-9A-Fa-f])/XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX$2/g;
print OUT $_;
}
- Create a named pipe in the directory of your choice.
# cd /var/named/chroot/var/tmp
# mknod named.pipe p
# chmod 0666 named.pipe
# mknod named.pipe p
# chmod 0666 named.pipe
- Create a new channel in your named.conf file. Change your category logging directives to use this new channel for all logging.
channel pipe_log {
file "/var/tmp/named.pipe";
print-category no; // Category unneeded in debug file?
print-severity yes;
print-time yes;
};- (Optional) Add a new entry in your /etc/logrotate.conf file.
# system-specific logs may be also be configured here.
/var/named/chroot/var/log/named.log {
rotate 3
size 20M
postrotate
kill -HUP `/sbin/pidof -x processNamedLog.pl`
endscript
}- Start the perl script in the background, and then reload your named.conf file.
# su - c /var/named/processNamedLog.pl named &
# /sbin/rndc reload
# /sbin/rndc reload
- Check to make sure named.log has been created and is logging data.
# tail -f /var/named/chroot/var/log/named.log
- Check to make sure logs are rotated when logrotate is called, and that logging is initiated in the newly-created named.log file.
# /usr/sbin/logrotate -f /etc/logrotate.conf
- (Optional) Check to ensure processNamedLog.pl is being respawned. Example output to stdout is for demonstration purposes only.
# ps -ax | grep processNamedLog.pl
8330 ? S 0:00 /usr/bin/perl /var/named/processNamedLog.pl
# kill -HUP 8330
# ps -ax | grep processNamedLog.pl
9566 ? S 0:00 /usr/bin/perl /var/named/processNamedLog.pl
# tail -f /var/named/chroot/var/log/named.log
26-Jun-2009 04:16:23.132 info: client XX.XX.XX.XX#60287: view tier2_server_ipv4: query: ISAI.gateway.2wire.net IN A +
26-Jun-2009 04:16:25.880 info: client XX.XX.XX.XX#62970: view tier2_server_ipv4: query: ISAI.gateway.2wire.net IN A +
etc...
8330 ? S 0:00 /usr/bin/perl /var/named/processNamedLog.pl
# kill -HUP 8330
# ps -ax | grep processNamedLog.pl
9566 ? S 0:00 /usr/bin/perl /var/named/processNamedLog.pl
# tail -f /var/named/chroot/var/log/named.log
26-Jun-2009 04:16:23.132 info: client XX.XX.XX.XX#60287: view tier2_server_ipv4: query: ISAI.gateway.2wire.net IN A +
26-Jun-2009 04:16:25.880 info: client XX.XX.XX.XX#62970: view tier2_server_ipv4: query: ISAI.gateway.2wire.net IN A +
etc...
Hope that this guide has helped you in your Tier 2 and OpenNIC adventures. Once you have yours working, if you plan to donate your DNS services and bandwidth to OpenNIC, please post your server IP on the MailingLists mailing list with a request to have it included in the T2 list.
