Revision [2908]
This is an old revision of Tier2ServerConfig made by felix on 2012-06-18 11:28:43.
Here are some basic instructions on configuring your name server to access, and serve, the OpenNIC Top-Level Domains (TLDs). This page has, at the moment, instructions for only a limited range of nameservers. If you've configured another DNS server to use OpenNIC, please post instructions to the MailingLists discussion list (or edit this page) so we can expand this document.
Configuration entails a simple modification of the default configuration file to access the new Top-Level Domains (TLDs) by using the root (Tier1) servers administered by OpenNIC.
Please read the DNSSRVOperation policies before running a public T2 server. You should also join the appropriate MailingLists so you'll be notified of changing situations which may affect your operation.
BIND (8/9)
Most Unix systems put the BIND configuration file at either /etc/named.conf (as most Linux distributions do) or at /var/named/named.conf (as the bind8 port installer for OpenBSD does).
Root Setup
In the named.conf (or one of its includes), find a block that looks like this:
zone "." in {
    type hint;
    file "root.cache";
};
This specifies a hint zone named '.', the root zone. Hints specified in the root.cache file are used to locate root servers and perform recursive queries. The root.cache file may also be called named.cache.
method 1: Hints File
To switch from the IANA root servers to OpenNIC root servers:
dig . NS @IP > root.cache && /usr/sbin/rndc reload 1>/dev/null
BIND will query one of the root servers listed in the hints file for the NS records of '.' (the root zone), and then use that list of root servers to perform queries. This is how a normal recursive DNS server operates, even outside of OpenNIC. Make sure to update this file via cron on a weekly basis. This is the easiest way to configure BIND to use the OpenNIC root.
Replace IP with an IP address from the T1 List. Check which server is closest to you and insert its IP. Do not use the domain name, since it will cause problems when you do not have OpenNIC-aware resolvers.
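The weekly cron update above pipes dig straight into root.cache, so a timeout or an error answer from the chosen Tier1 server replaces a working hints file with nothing useful. As an added example (not from this wiki), the following Python script checks the dig output before installing it; the server names, addresses and file paths in it are constructed placeholders:

```python
"""Check the output of `dig . NS @<Tier1 IP>` before it replaces root.cache (added example)."""
import os
import re
from dataclasses import dataclass, field

# One resource record as dig prints it: owner, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA)\s+(\S+)\s*$")


@dataclass
class HintsReport:
    ns_names: set = field(default_factory=set)   # root NS targets, lower-cased
    glue: dict = field(default_factory=dict)     # name -> set of A/AAAA addresses
    problems: list = field(default_factory=list)

    def ok(self) -> bool:
        return not self.problems


def check_hints(text: str, min_servers: int = 3) -> HintsReport:
    """Parse dig output and list everything that makes it unfit as a hints file."""
    rep = HintsReport()
    if "status: NOERROR" not in text:
        # A timeout prints only ';; connection timed out ...'; an error answer has another status.
        rep.problems.append("dig did not report status NOERROR")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                       # dig comments and the QUESTION section
        m = RR_LINE.match(line)
        if not m:
            rep.problems.append(f"unexpected line: {line!r}")
            continue
        owner, _ttl, rtype, rdata = m.groups()
        if rtype == "NS":
            if owner != ".":
                rep.problems.append(f"NS record for {owner!r}, expected the root")
            else:
                rep.ns_names.add(rdata.lower())
        else:
            rep.glue.setdefault(owner.lower(), set()).add(rdata)
    if len(rep.ns_names) < min_servers:
        rep.problems.append(f"only {len(rep.ns_names)} root NS records, need {min_servers}")
    for name in sorted(rep.ns_names):
        if name not in rep.glue:           # BIND cannot reach a root server it has no address for
            rep.problems.append(f"no glue address for {name}")
    return rep


def install_hints(text: str, path: str, min_servers: int = 3) -> bool:
    """Replace the hints file only when the new contents pass check_hints."""
    if not check_hints(text, min_servers).ok():
        return False                       # keep the previous, working root.cache
    tmp = path + ".new"
    with open(tmp, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)                  # atomic swap; then run `rndc reload`
    return True


# Constructed dig output; the server names and the documentation addresses are placeholders.
SAMPLE_OK = """\
; <<>> DiG 9.8.1 <<>> . NS @192.0.2.10
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;.\t\t\t\tIN\tNS

;; ANSWER SECTION:
.\t\t\t604800\tIN\tNS\tns1.tier1.example.
.\t\t\t604800\tIN\tNS\tns2.tier1.example.
.\t\t\t604800\tIN\tNS\tns3.tier1.example.

;; ADDITIONAL SECTION:
ns1.tier1.example.\t604800\tIN\tA\t192.0.2.10
ns2.tier1.example.\t604800\tIN\tA\t198.51.100.20
ns3.tier1.example.\t604800\tIN\tAAAA\t2001:db8::30

;; Query time: 12 msec
"""
# What dig prints when the chosen Tier1 server cannot be reached (constructed).
SAMPLE_TIMEOUT = ";; connection timed out; no servers could be reached\n"

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_OK), ("timeout", SAMPLE_TIMEOUT)):
        rep = check_hints(text)
        print(name, "->", "ok" if rep.ok() else rep.problems)
```

In the cron job, capture dig's output to a temporary file and call install_hints on it, running rndc reload only when it returns True.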
method 2: Root Slave
Alternatively, you can slave the root zone from root servers that allow transfer of the root zone. Change it to look like this:
zone "." IN {
    type slave;
    file "/etc/bind/zones/db.root";
    masters { [server IP number]; [server IP number]; [server IP number]; };
    notify no;
};
You can list one or more servers in the "masters" section. We recommend using at least three Tier1 servers.
Slaving dns.opennic.glue.
Regardless of the options chosen above, the dns.opennic.glue. zone must also be slaved:
zone "dns.opennic.glue" IN {
    type slave;
    file "/etc/bind/zones/slaves/db.dns.opennic";
    masters { 75.127.96.89; };
    notify no;
};
Note: The above IP is the Tier0 server.
Reloading Bind
After the above settings are changed, you must reload named.
BIND 4
Most Unix systems put the BIND 4 configuration file at either /etc/named.boot (as most Linux distributions do) or at /var/named/named.boot (as the default install for OpenBSD does).
In the named.boot, you should have a line that looks like this:
cache . root.cache
Change it to look like this (please choose the nearest Tier1 server for this):
secondary . [server IP number] tld-root
DJBDNS
Instructions provided by Alan Hodgson, .geek hostmaster.
1) Change into your dnscache root/servers directory.
# cd /service/dnscache/root/servers
2) Replace your root servers file (root/servers/@) with the IP numbers of the Tier1 servers, obtained by using dnsq to query the Tier0 IP number (this step can be done manually, as well).
# cp -f @ /tmp/@.saved
# dnsq ns . [Server IP number] | grep -iv ns0.opennic.glue \
    | awk '{ if (/^additional/) print $5}' > /tmp/@.new
# cat /tmp/@.new
3) If it looks okay (i.e. a list of IP addresses), replace the file.
# mv -f /tmp/@.new @
4) Restart dnscache
# svc -t /service/dnscache
5) Verify that it's working
# dnsip www.opennic.glue
unbound
Use the default unbound.conf, or one written specifically for OpenNIC, with settings similar to the following:
server:
    verbosity: 1
    statistics-interval: 3600
    interface: <your IP address>
    access-control: 0.0.0.0/0 allow
    # this path is for OpenBSD
    root-hints: "/var/unbound/etc/opennic.cache"
    hide-version: yes
    log-queries: no
There are various other settings to tune your threads etc.
You will then need to get a copy of the root cache file and update it as per the instructions above.
Windows 2000 DNS Server
Contributed by Michael Patrick.
- Bring up the DNS Administrator from Administrative Tools...
- Bring up the properties of the DNS Server
- Go to the "Root Hints" tab
- Remove the root server entries
- Replace them with the Tier 1 servers from here.
- Stop and Start the DNS service
- If needed, clear and refresh your view of the cache and you should see .glue
- try it out on http://www.opennic.glue.
My C:\WINNT\system32\dns\cache.dns file after modification (I would recommend keeping a copy of your file in case something bad happens to it). [And keep in mind that server IPs can change.]
Operation
There is not much to running an OpenNIC Tier2 server. Once you have it configured, the AuditingWG will monitor it and let you know via email if anything goes wrong along the way. You can also expect to use a few gig of bandwidth each month in DNS traffic; this varies with how much your DNS server is used.
Logging in Bind 9
Let's go through turning on some logging for your bind9 DNS server. These logs are interesting to look through, but should not be archived. If you wish to archive them, a perl script written by Brianko is provided below which removes all IP addresses and replaces them with XXX.XXX.XXX.XXX. It is important that we protect our members' right to browse the internet in complete privacy, so use of this perl script is highly encouraged.
To turn on logging, open named.conf.options in your favourite text editor and add the following to the end of the file:
logging {
    channel "misc" {
        file "/var/log/misc.log" versions 2 size 25M;
        severity info;
        print-severity no;
        print-category yes;
        print-time yes;
    };
    channel "querylog" {
        file "/var/log/named.log" versions 2 size 25M;
        severity info;
        print-severity no;
        print-category no;
        print-time yes;
    };
    category "queries" { "querylog"; };
    category default { "misc"; };
};
Depending on your bind setup (we always recommend chroot), the log dir can live in one of two locations. In a chroot setup it is /var/lib/named/var/log, and in a normal install it is /var/log. You know how yours is installed, so go to the log dir and issue:
touch named.log
chown bind:bind named.log
touch misc.log
chown bind:bind misc.log
Obfuscating named logs
In the interest of privacy and anonymity, a couple of ideas for obfuscating named logs are presented below. There is no official OpenNIC policy that addresses the privacy and retention of named logs.
method 1: Post-logging processing
This setup anonymizes the named log after queries have been logged.
Here is the script that Brianko wrote:
#! /usr/bin/perl
#
# blurAddys.pl - Obfuscate IP addresses in a file
#
# cat some.log | blurAddys.pl > some_blurred.log
#
#####################################################################
use strict;
while(<STDIN>) {
    s/\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}/XX$1XX$2XX$3XX/g;
    s/([0-9A-Fa-f]{4}:[0-9A-Fa-f:]+:[0-9A-Fa-f]{1,4})([^:0-9A-Fa-f])/XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX$2/g;
    print $_;
}
It's easy to add this to a script:
#!/bin/sh
date=`date +%d`
current=`date +%d%m%y`
if [ "$date" = 01 ]; then
    tar cfvz /var/log/named/named.$current.tar.gz /var/log/named/*.log.*
    rm /var/log/named/*.log.*
fi
cat /var/lib/named/var/log/named.log | /usr/local/bin/blurAddys.pl > /var/log/named/named.log.$current
rm /var/lib/named/var/log/named.log
touch /var/lib/named/var/log/named.log
chown bind:bind /var/lib/named/var/log/named.log
/etc/init.d/bind9 restart
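The same address blurring in Python, as an added example that is not the page's blurAddys.pl (nor the method 2 script below, which uses the same two patterns): it keeps the page's IPv4 rule (dots or dashes, separators preserved) but validates IPv6 candidates with the standard ipaddress module, so compressed addresses such as fe80::1 and ::1, which the page's IPv6 pattern does not match, are blurred while timestamps like 04:16:23 are left alone. The log lines are constructed.

```python
"""Blur IPv4 and IPv6 client addresses in named query logs (added example, not blurAddys.pl)."""
import ipaddress
import re
import sys

# IPv4 written with dots (client 203.0.113.7#60287) or, as the page's regex also allows,
# with dashes (rDNS-style names such as 203-0-113-7.dyn.example); separators are kept.
IPV4_RE = re.compile(r"\b\d{1,3}([.-])\d{1,3}([.-])\d{1,3}([.-])\d{1,3}\b")

# Candidate IPv6 tokens: a maximal run of hex digits and colons containing at least two colons.
# Each candidate is confirmed with the ipaddress module, so a timestamp such as 04:16:23 stays.
IPV6_CANDIDATE_RE = re.compile(
    r"(?<![0-9A-Fa-f:])[0-9A-Fa-f:]*:[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(?![0-9A-Fa-f:])"
)
IPV6_BLUR = ":".join(["XXXX"] * 8)


def blur_ipv4(line: str) -> str:
    return IPV4_RE.sub(lambda m: "XX{0}XX{1}XX{2}XX".format(*m.groups()), line)


def _blur_if_ipv6(m) -> str:
    token = m.group(0)
    try:
        ipaddress.IPv6Address(token)
    except ValueError:
        return token                      # not an address (e.g. "04:16:23"); leave it alone
    return IPV6_BLUR


def blur_ipv6(line: str) -> str:
    return IPV6_CANDIDATE_RE.sub(_blur_if_ipv6, line)


def anonymize_line(line: str) -> str:
    # IPv4 first, so the dotted quad inside an IPv4-mapped IPv6 address is blurred as well.
    return blur_ipv6(blur_ipv4(line))


# Constructed named query-log lines in the format shown on this page.
SAMPLE_LINES = [
    "26-Jun-2009 04:16:23.132 info: client 203.0.113.7#60287: view tier2_server_ipv4: query: www.opennic.glue IN A +",
    "26-Jun-2009 04:16:25.880 info: client 2001:db8::1#62970: view tier2_server_ipv6: query: www.opennic.glue IN AAAA +",
    "26-Jun-2009 04:16:26.004 info: client fe80::1#5353: query: 7.113.0.203.in-addr.arpa IN PTR +",
]

if __name__ == "__main__":
    # Filter stdin to stdout like blurAddys.pl:  cat named.log | python3 blur_named_log.py
    for line in sys.stdin:
        sys.stdout.write(anonymize_line(line))
```

It can stand in for /usr/local/bin/blurAddys.pl in the wrapper script above.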
method 2: Log anonymization using named pipes
Notes
named will refuse to start, most likely without meaningful error messages, if the perl script is not running prior to starting named!
Please be aware that this method exposes data (in this case, log entries) to processes outside the chroot jail. Be very careful when processing this data, as it is feasible that an injection-type attack is possible if an attacker is aware of vulnerabilities in the external script.
This method anonymizes named logs as they are generated. It also permits preprocessing of raw log data (with IP addresses intact) for purposes of traffic analysis, blacklisting, etc. The instructions below assume the following:
- Running on a Unix system that supports signals and the 'pidof' utility.
- Running BIND named daemon in a chroot jail under user 'named'. The chroot jail is /var/named/chroot in this example.
- Log will be saved in /var/named/chroot/var/log directory.
- Support for named pipes.
- Using logrotate to manage logs.
Installation instructions
- Install the following script outside of your chroot jail. Set the permissions so that it can be executed by user 'named'. (In this example, I've copied the script to /var/named.)
#! /usr/bin/perl
#
# processNamedLog.pl - Obfuscate IPv4 addresses in a named log.
# Respawns upon receipt of HUP signal (useful for logrotate).
#
# Usage: su -c ./processNamedLog.pl named &
#
# Author: Brian Koontz (http://wiki.opennic.glue/BrianKoontz)
# Docs: http://wiki.opennic.glue/RunningT2
#
#####################################################################
use strict;
use POSIX();
# Set autoflush on (keeps named pipe from getting full)
my $oldfh = select(OUT);
$| = 1;
select($oldfh);
# POSIX-compliant signal handler
my $sigset = POSIX::SigSet->new();
my $action = POSIX::SigAction->new(
'HUP_handler',
$sigset,
&POSIX::SA_NODEFER);
POSIX::sigaction(&POSIX::SIGHUP, $action);
sub HUP_handler {
close IN;
close OUT;
my @args = ("/var/named/processNamedLog.pl&");
exec @args;
exit(0);
}
my $pipe = "/var/named/chroot/var/tmp/named.pipe";
my $out = "/var/named/chroot/var/log/named.log";
open(IN, "+<$pipe") or die "Can't open $pipe for reading!";
open(OUT, ">>$out") or die "Can't open $out for writing!";
while(<IN>)
{
s/\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}/XX$1XX$2XX$3XX/g;
s/([0-9A-Fa-f]{4}:[0-9A-Fa-f:]+:[0-9A-Fa-f]{1,4})([^:0-9A-Fa-f])/XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX$2/g;
print OUT $_;
}
- Create a named pipe in the directory of your choice.
# cd /var/named/chroot/var/tmp
# mknod named.pipe p
# chmod 0666 named.pipe
- Create a new channel in your named.conf file. Change your category logging directives to use this new channel for all logging.
channel pipe_log {
    file "/var/tmp/named.pipe";
    print-category no;    // Category unneeded in debug file?
    print-severity yes;
    print-time yes;
};
- (Optional) Add a new entry in your /etc/logrotate.conf file.
# system-specific logs may also be configured here.
/var/named/chroot/var/log/named.log {
    rotate 3
    size 20M
    postrotate
        kill -HUP `/sbin/pidof -x processNamedLog.pl`
    endscript
}
- Start the perl script in the background, and then reload your named.conf file. The named process will hang if the perl script is not running prior to reload!
# su -c /var/named/processNamedLog.pl named &
# /sbin/rndc reload
- Check to make sure named.log has been created and is logging data.
# tail -f /var/named/chroot/var/log/named.log
- Check to make sure logs are rotated when logrotate is called, and that logging is initiated in the newly-created named.log file.
# /usr/sbin/logrotate -f /etc/logrotate.conf
- (Optional) Check to ensure processNamedLog.pl is being respawned. Example output to stdout is for demonstration purposes only.
# ps -ax | grep processNamedLog.pl
8330 ? S 0:00 /usr/bin/perl /var/named/processNamedLog.pl
# kill -HUP 8330
# ps -ax | grep processNamedLog.pl
9566 ? S 0:00 /usr/bin/perl /var/named/processNamedLog.pl
# tail -f /var/named/chroot/var/log/named.log
26-Jun-2009 04:16:23.132 info: client XX.XX.XX.XX#60287: view tier2_server_ipv4: query: ISAI.gateway.2wire.net IN A +
26-Jun-2009 04:16:25.880 info: client XX.XX.XX.XX#62970: view tier2_server_ipv4: query: ISAI.gateway.2wire.net IN A +
etc...
We hope this guide has helped you in your Tier 2 and OpenNIC adventures. Once you have yours working, if you plan to donate your DNS services and bandwidth to OpenNIC, please post your server IP on the MailingLists mailing list with a request to have it included in the T2 list.
CategoryHostmastering