Revision [2391]

This is an old revision of Tier2ServerConfig made by BrianKoontz on 2011-01-04 14:35:40.

Here are some basic instructions on configuring your name server to access, and serve, the OpenNIC Top-Level Domains (TLDs). This page has, at the moment, instructions for only a limited range of nameservers. If you've configured another DNS server to use OpenNIC, please post instructions to the MailingLists discussion list (or edit this page!) so we can expand this page.

Configuration entails a simple modification of the default configuration file to access the new Top-Level Domains (TLDs) by using the root (Tier1) servers administered by OpenNIC.

You should also join the appropriate MailingLists so you'll be notified of changing situations which may affect your operation.

BIND (8/9)


Most Unix systems put the BIND configuration file at either /etc/named.conf (as most Linux distributions do) or at /var/named/named.conf (as the bind8 port installer for OpenBSD does).

Root Setup


In the named.conf (or one of its includes), find a block that looks like this:

zone "." in
{
	type hint;
	file "root.cache";
};


This specifies a hint zone named '.', the root zone. Hints specified in the root.cache file are used to locate root servers and perform recursive queries. The root.cache file may also be called named.cache.

method 1: Hints File

To switch from the IANA root servers to OpenNIC root servers:

dig . NS @ns0.opennic.glue > root.cache


BIND queries one of the root servers listed in the hints file for the NS records of '.' (the root zone) and then uses the returned list of root servers for its queries. This is how any recursive DNS server operates, OpenNIC or not. Make sure to update this file via cron. This is the easiest way to configure BIND to use the OpenNIC root.
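A cron job that simply redirects dig into root.cache overwrites a good hints file with an empty or partial one whenever the query fails, and named then has no root servers to start from. The script below is an added example, not something from this page or from OpenNIC: it fetches the hints exactly as the command above does, checks the result before installing it, and only then reloads named. The hints path /etc/bind/root.cache, the minimum of three root NS records, and the use of rndc for the reload are assumptions; adjust them to your install.

```shell
#!/bin/sh
# refresh_hints.sh -- cron-safe refresh of the BIND root hints file.
# Added example; assumed paths: HINTS_FILE (default /etc/bind/root.cache)
# and rndc in PATH. Fetch into a temp file, sanity-check it, and only then
# replace the live hints file, so a failed dig never leaves an empty root.cache.

MIN_NS=${MIN_NS:-3}   # refuse a hints file listing fewer root servers than this

# validate_hints FILE: exit 0 if FILE holds >= MIN_NS NS records for "."
# and an A/AAAA glue record for every one of those server names.
validate_hints() {
    awk -v min="$MIN_NS" '
        /^[[:space:]]*;/ || NF < 5 { next }          # dig comments and blank lines
        $1 == "." && $4 == "NS"   { ns[$5] = 1 }     # root NS record -> server name
        $4 == "A" || $4 == "AAAA" { glue[$1] = 1 }   # address record -> glue present
        END {
            n = 0
            for (h in ns) {
                n++
                if (!(h in glue)) {
                    print "validate_hints: no glue for " h > "/dev/stderr"; bad = 1
                }
            }
            if (n < min) {
                print "validate_hints: only " n " root NS records" > "/dev/stderr"; bad = 1
            }
            exit bad ? 1 : 0
        }' "$1"
}

# refresh_hints: query the Tier0 server as the page does, validate, install, reload.
refresh_hints() {
    hints=${HINTS_FILE:-/etc/bind/root.cache}
    # temp file in the same directory so the final mv is atomic
    tmp=$(mktemp "$hints.XXXXXX") || return 1
    if dig . NS @ns0.opennic.glue > "$tmp" && validate_hints "$tmp"; then
        chmod 0644 "$tmp" && mv -f "$tmp" "$hints" && rndc reload
    else
        echo "refresh_hints: fetch or validation failed, keeping existing $hints" >&2
        rm -f "$tmp"
        return 1
    fi
}

# e.g. from cron:  0 3 * * * /usr/local/sbin/refresh_hints.sh run
if [ "${1:-}" = "run" ]; then
    refresh_hints
fi
```

The glue check matters because a hints file whose NS names carry no addresses is useless to named even though it is not empty; the count threshold catches a truncated answer.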

method 2: Root Slave

Alternatively, you can slave the root zone from root servers that allow transfer of the root zone. Change it to look like this:

zone "." IN
{
	type slave;
	file "/etc/bind/zones/db.root";
	masters { [server IP number]; [server IP number]; [server IP number]; };
	notify no;
};


Slaving dns.opennic.glue.


Regardless of the options chosen above, the dns.opennic.glue. zone must also be slaved:

zone "dns.opennic.glue" IN {
	type slave;
	file "/etc/bind/zones/slaves/db.dns.opennic";
	masters { [server IP number]; [server IP number]; [server IP number]; };
	notify no;
	allow-transfer { any; };
};


You can list one or more servers in the "masters" section. We recommend using at least three Tier1 servers.

Reloading Bind


After the above settings are changed, you must reload named.

BIND 4


Most Unix systems put the BIND 4 configuration file at either /etc/named.boot (as most Linux distributions do) or at /var/named/named.boot (as the default install for OpenBSD does).

In the named.boot, you should have a line that looks like this:

cache			.		root.cache


Change it to look like this (please choose the nearest Tier1 server for this):

secondary		.		[server IP number]		tld-root


DJBDNS


Instructions provided by Alan Hodgson, .geek hostmaster.

1) Change into your dnscache root/servers directory.

	# cd /service/dnscache/root/servers


2) Replace your root servers file (root/servers/@) with the IP numbers of the Tier1 servers, obtained by using dnsq to query the Tier0 IP number (this step can be done manually, as well).

	# cp -f @ /tmp/@.saved
	# dnsq ns . [Server IP number] | grep -iv ns0.opennic.glue \
	  | awk '{ if (/^additional/) print $5}' > /tmp/@.new
	# cat /tmp/@.new


3) If it looks okay (i.e. a list of IP addresses), replace the file.

	# mv -f /tmp/@.new @


4) Restart dnscache

	# svc -t /service/dnscache


5) Verify that it's working

	# dnsip www.opennic.glue


Windows 2000 DNS Server


Contributed by Michael Patrick.
  1. Bring up the DNS Administrator from Administrative Tools...
  2. Bring up the properties of the DNS Server
  3. Go to the "Root Hints" tab
  4. Remove the root server entries
  5. Replace them with the Tier 1 servers from here.
  6. Stop and Start the DNS service
  7. If needed, clear and refresh your view of the cache and you should see .glue
  8. Try it out on http://www.opennic.glue.

My C:\WINNT\system32\dns\cache.dns file after modification (I would recommend keeping a copy of your file in case something bad happens to it). [And keep in mind that server IPs can change.]

Operation

There is not much to running an OpenNIC Tier2 server. Once you have it configured, the AuditingWG will monitor it and let you know by email if anything goes wrong. You can also expect a few gigabytes of DNS traffic per month; the exact amount depends on how heavily your server is used.

Logging in Bind 9

Let's go through turning on some logging for your bind9 DNS server. These logs are interesting to look through, but should not be archived. If you wish to archive them, a perl script written by Brianko is provided below which removes all IP addresses and replaces them with XXX.XXX.XXX.XXX. It is important that we protect our members' right to browse the internet in complete privacy, so use of this perl script is highly encouraged.

To turn on logging, open named.conf.options in your favourite text editor and add the below to the end of the file:
logging {
	channel "misc" {
		file "/var/log/misc.log" versions 2 size 25M;
		severity info; print-severity no;
		print-category yes; print-time yes;
	};
	channel "querylog" {
		file "/var/log/named.log" versions 2 size 25M;
		severity info; print-severity no;
		print-category no; print-time yes;
	};
	category "queries" { "querylog"; };
	category default { "misc"; };
};


Depending on your bind setup (we always recommend chroot), the log directory can be in one of two places: in a chroot setup it is /var/lib/named/var/log, and in a normal install it is /var/log. You know how yours is installed, so go to the log directory and issue:
touch named.log
chown bind:bind named.log
touch misc.log
chown bind:bind misc.log


Obfuscating named logs


In the interest of privacy and anonymity, a couple of ideas for obfuscating named logs are presented below. There is no official OpenNIC policy that addresses the privacy and retention of named logs.

method 1: Post-logging processing


This setup anonymizes the named log after queries have been logged.

Here is the script that Brianko wrote:
#! /usr/bin/perl
#
# blurAddys.pl - Obfuscate IP addresses in a file
#
# cat some.log | blurAddys.pl > some_blurred.log
#
#####################################################################
use strict;

while(<STDIN>)
{
	s/\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}/XX$1XX$2XX$3XX/g;
	s/([0-9A-Fa-f]{4}:[0-9A-Fa-f:]+:[0-9A-Fa-f]{1,4})([^:0-9A-Fa-f])/XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX$2/g;
	print $_;
}


It's easy to add this to a script:
#!/bin/sh
# Daily: blur the current query log into the archive directory, then start a fresh one.
# On the 1st of the month, tar up last month's blurred logs and delete the loose copies.

day=`date +%d`
current=`date +%d%m%y`

if [ "$day" = 01 ]; then
	tar cfvz /var/log/named/named.$current.tar.gz /var/log/named/*.log.*
	rm /var/log/named/*.log.*
fi

# Strip addresses while copying the log out of the chroot, then reset the live log.
cat /var/lib/named/var/log/named.log | /usr/local/bin/blurAddys.pl > /var/log/named/named.log.$current
rm /var/lib/named/var/log/named.log
touch /var/lib/named/var/log/named.log
chown bind:bind /var/lib/named/var/log/named.log

# named still holds the deleted file open, so restart it to pick up the new one.
/etc/init.d/bind9 restart
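The two substitutions in blurAddys.pl can be expressed as sed -E, and since these files are the ones that get archived, it is worth verifying the output before keeping it. The script below is an added example and not the page's script: blur_addrs applies the same two patterns, check_blurred refuses any line whose "client <addr>#<port>" token still contains a hex digit, and blur_file deletes its output rather than leave a leaky file behind. The sample log lines in the test are constructed; the view names and addresses are not OpenNIC's. The audit step exists because the IPv6 pattern requires four leading hex digits, so short forms such as ::1 pass through untouched.

```shell
#!/bin/sh
# blur_named_log.sh -- anonymize named query logs and verify nothing slipped through.
# Added example; the two regexes mirror blurAddys.pl, the check is an extra step.

# blur_addrs: stdin -> stdout, masking dotted or dashed IPv4 and IPv6 addresses
# that start with a four-hex-digit group (the same coverage as the Perl script).
blur_addrs() {
    sed -E \
        -e 's/[0-9]{1,3}(\.|-)[0-9]{1,3}(\.|-)[0-9]{1,3}(\.|-)[0-9]{1,3}/XX\1XX\2XX\3XX/g' \
        -e 's/[0-9A-Fa-f]{4}:[0-9A-Fa-f:]+:[0-9A-Fa-f]{1,4}([^:0-9A-Fa-f])/XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX\1/g'
}

# check_blurred: read a blurred log on stdin; exit 1 if any "client <addr>#<port>"
# token still carries a hex digit, i.e. an address outside the regexes' coverage survived.
check_blurred() {
    leaks=$(grep -E -c 'client [^ #]*[0-9A-Fa-f][^ #]*#' || true)
    if [ "$leaks" -ne 0 ]; then
        echo "check_blurred: $leaks line(s) still carry a client address" >&2
        return 1
    fi
    return 0
}

# blur_file IN OUT: blur IN into OUT; if the audit fails, remove OUT so a
# partially anonymized file is never left where it could be archived.
blur_file() {
    blur_addrs < "$1" > "$2" || return 1
    if ! check_blurred < "$2"; then
        rm -f "$2"
        return 1
    fi
}

# e.g.:  blur_named_log.sh run /var/lib/named/var/log/named.log /var/log/named/named.log.today
if [ "${1:-}" = "run" ]; then
    blur_file "$2" "$3"
fi
```

Note that PTR query names such as 44.2.0.192.in-addr.arpa are also masked by the IPv4 pattern, which is desirable: a reverse lookup names the address just as plainly as the client field does.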


method 2: Log anonymization using named pipes


Notes
named will refuse to start, most likely without meaningful error messages, if the perl script is not running prior to starting named!

Please be aware that this method exposes data (in this case, log entries) to processes outside the chroot jail. Be very careful when processing this data, as it is feasible that an injection-type attack is possible if an attacker is aware of vulnerabilities in the external script.
 


This method anonymizes named logs as they are generated. It also permits preprocessing of raw log data (with IP addresses intact) for purposes of traffic analysis, blacklisting, etc. The instructions below assume the following:

Installation instructions

#! /usr/bin/perl
#
# processNamedLog.pl - Obfuscate IPv4 addresses in a named log.
# Respawns upon receipt of HUP signal (useful for logrotate).
#
# Usage: su -c ./processNamedLog.pl named &
#
# Author: Brian Koontz (http://wiki.opennic.glue/BrianKoontz)
# Docs: http://wiki.opennic.glue/RunningT2
#
#####################################################################
use strict;
use POSIX();
# Set autoflush on (keeps named pipe from getting full)
my $oldfh = select(OUT);
$| = 1;
select($oldfh);

# POSIX-compliant signal handler: on HUP (sent by the logrotate postrotate
# script below) close both ends and re-exec so the freshly rotated named.log
# is reopened. The trailing & makes exec go through the shell, which
# backgrounds the new copy.
my $sigset = POSIX::SigSet->new();
my $action = POSIX::SigAction->new(
                'HUP_handler',
                $sigset,
                &POSIX::SA_NODEFER);
POSIX::sigaction(&POSIX::SIGHUP, $action);
sub HUP_handler {
    close IN;
    close OUT;
    my @args = ("/var/named/processNamedLog.pl&");
    exec @args;
    exit(0);
}

# Open the pipe read/write so this end never sees EOF when named closes and
# reopens it (e.g. on rndc reload); blurred lines are appended to the real log.
my $pipe = "/var/named/chroot/var/tmp/named.pipe";
my $out = "/var/named/chroot/var/log/named.log";
open(IN, "+<$pipe") or die "Can't open $pipe for reading!";
open(OUT, ">>$out") or die "Can't open $out for writing!";
while(<IN>)
{
    s/\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}/XX$1XX$2XX$3XX/g;
    s/([0-9A-Fa-f]{4}:[0-9A-Fa-f:]+:[0-9A-Fa-f]{1,4})([^:0-9A-Fa-f])/XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX$2/g;
    print OUT $_;
}

# cd /var/named/chroot/var/tmp
# mknod named.pipe p
# chmod 0666 named.pipe

	channel pipe_log {
		file "/var/tmp/named.pipe";
		print-category no;          // Category unneeded in debug file?
		print-severity yes;
		print-time yes;
	};

# system-specific logs may also be configured here.
/var/named/chroot/var/log/named.log {
	rotate 3 
	size 20M
	postrotate
	    kill -HUP `/sbin/pidof -x processNamedLog.pl`
	endscript
}

# su -c /var/named/processNamedLog.pl named &
# /sbin/rndc reload

# tail -f /var/named/chroot/var/log/named.log

# /usr/sbin/logrotate -f /etc/logrotate.conf

# ps -ax | grep processNamedLog.pl
8330 ?        S      0:00 /usr/bin/perl /var/named/processNamedLog.pl
# kill -HUP 8330
# ps -ax | grep processNamedLog.pl
9566 ?        S      0:00 /usr/bin/perl /var/named/processNamedLog.pl
# tail -f /var/named/chroot/var/log/named.log
26-Jun-2009 04:16:23.132 info: client XX.XX.XX.XX#60287: view tier2_server_ipv4: query: ISAI.gateway.2wire.net IN A +
26-Jun-2009 04:16:25.880 info: client XX.XX.XX.XX#62970: view tier2_server_ipv4: query: ISAI.gateway.2wire.net IN A +
etc...


Hope that this guide has helped you in your Tier 2 and OpenNIC adventures. Once you have yours working, if you plan to donate your DNS services and bandwidth to OpenNIC, please post your server IP on the MailingLists mailing list with a request to have it included in the T2 list.

CategoryHostmastering