====== Using bind with Tor/i2p and other DarkNet Domains ======

If you look at [[fuss:privoxy#Forwarding|privoxy's forwarding feature]], one line there:

<code>
forward-socks4a .onion  127.0.0.1:9050 .
</code>

is responsible for forwarding all traffic to ''.onion'' websites through Tor. The [[networking:tor|tor page]] describes an ''iptables''-level solution that redirects every DNS request over Tor but, in some cases, it is preferable to resolve only ''.onion'' names through Tor and keep every other query on the normal path.

bind supports this with a forward zone (perhaps one of the few cases where forwarding is justified).

From ''/etc/bind/named.conf.local'':
<code>
zone "onion" {
        type forward;
        forwarders { 127.0.0.2; };
        forward only;
};
</code>

This sends every query for a name under ''.onion'' to ''127.0.0.2'' on port ''53''. ''forward only'' matters here: without it bind would fall back to normal recursion when the forwarder does not answer, and ''.onion'' lookups would leak to the clearnet. Tor is then configured to listen on that address and port for DNS queries:

From ''/etc/tor/torrc'':
<code>
DNSPort 127.0.0.2:53
AutomapHostsOnResolve 1
</code>

''DNSPort addr:port'' is the current spelling of the older two-line form (''DNSPort 53'' plus ''DNSListenAddress 127.0.0.2''). ''AutomapHostsOnResolve'' is required because Tor refuses to resolve ''.onion'' names on its ''DNSPort'' otherwise; with it, Tor hands back an address from ''VirtualAddrNetworkIPv4'' that only means something to a client whose traffic is itself routed into Tor (a ''TransPort''), which is the setup the tor page describes. Binding port ''53'' also needs root or ''CAP_NET_BIND_SERVICE'' on Linux.

The result is that bind resolves all ''.onion'' queries through Tor and everything else through the "clearnet".

The same procedure can be repeated for other DarkNet resolvers by giving each its own loopback address for DNS (''127.0.0.1'', ''127.0.0.2'', ''127.0.0.3'', and so on) and a matching forward zone.
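As an added example (not part of the original page), the following Python reproduces the decision bind makes for each query name under a set of forward zones and renders the matching ''named.conf.local'' stanzas for several DarkNet suffixes. Zone selection works on whole labels from the right, so a name such as ''onion.example.com'' is not a ''.onion'' name and stays on the clearnet; the ''.i2p'' zone on ''127.0.0.3'' is an assumed second resolver, the page itself only configures ''.onion''.

```python
"""Split-horizon forwarding for DarkNet TLDs: which forwarder would bind pick?

Added example, not code from the original page or from BIND. The ".i2p" -> 127.0.0.3
mapping is an assumption; the page only configures ".onion" -> 127.0.0.2.
"""
from typing import Dict, List, Optional

# Constructed mapping: DarkNet zone -> loopback address of the resolver serving it.
DARKNET_FORWARDERS: Dict[str, str] = {
    "onion": "127.0.0.2",
    "i2p": "127.0.0.3",   # assumed, not in the original page
}


def labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing root dot."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def forwarder_for(name: str, zones: Dict[str, str] = DARKNET_FORWARDERS) -> Optional[str]:
    """Return the forwarder that owns `name`, or None for ordinary (clearnet) recursion.

    bind picks the configured zone matching the longest suffix of whole labels,
    which is why only names that *end* in .onion are sent to Tor.
    """
    parts = labels(name)
    best, best_len = None, 0
    for zone, addr in zones.items():
        zl = labels(zone)
        if len(zl) <= len(parts) and parts[-len(zl):] == zl and len(zl) > best_len:
            best, best_len = addr, len(zl)
    return best


def render_forward_zones(zones: Dict[str, str] = DARKNET_FORWARDERS) -> str:
    """Render one `type forward; forward only;` stanza per DarkNet zone."""
    stanzas = []
    for zone, addr in zones.items():
        stanzas.append(
            f'zone "{zone}" {{\n'
            f"        type forward;\n"
            f"        forwarders {{ {addr}; }};\n"
            f"        forward only;   // never fall back to clearnet recursion\n"
            f"}};"
        )
    return "\n\n".join(stanzas)


def leaks_to_clearnet(names: List[str], zones: Dict[str, str] = DARKNET_FORWARDERS) -> List[str]:
    """Names that contain a DarkNet label yet would still be resolved on the clearnet."""
    return [n for n in names
            if forwarder_for(n, zones) is None and any(z in labels(n) for z in zones)]


if __name__ == "__main__":
    print(render_forward_zones())
    for n in ["example.onion", "www.example.org", "onion.example.net", "site.i2p"]:
        print(f"{n:20} -> {forwarder_for(n) or 'clearnet'}")
```

''leaks_to_clearnet'' is the check worth keeping around: feed it the hostnames an application is expected to reach and it lists the ones that look like DarkNet names but would be sent to a public resolver anyway.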
 +
====== Turn EDNS Off ======

Described in [[http://www.ietf.org/rfc/rfc2671.txt|RFC2671]] (since superseded by RFC 6891), ''EDNS'' is a set of extensions to DNS that, among other things, lets two ''EDNS''-enabled nameservers exchange UDP packets larger than the classic ''512'' bytes.

Not every nameserver, firewall or router on the path handles ''EDNS'' correctly: misconfigured firewalls or cheap routers in particular may drop the larger UDP packets, or the IP fragments they are split into, and the retries that follow only add DNS traffic.

The result is that log files fill up with messages such as ((the example happens to involve ISC, //"the authors of BIND"//; the message does not necessarily mean the remote server is misconfigured, it more often points at a path MTU or fragment-filtering problem between the two servers)):
<code>
success resolving 'isc.org/ANY' (in 'isc.org'?) after reducing the advertised EDNS UDP packet size to 512 octets
</code>
and bind [[http://www.ietf.org/rfc/rfc1035.txt|falls back to ''512'' byte packets (RFC1035)]] for that server.

Security-wise, as ''RFC2671'' puts it: //Requestor-side specification of the maximum buffer size may open a new DNS denial of service attack if responders can be made to send messages which are too large for intermediate gateways to forward, thus leading to potential ICMP storms between gateways and responders.//

To disable ''EDNS'' towards every server, add the following two lines:
<code>
server ::/0 { edns no; };
server 0.0.0.0/0 { edns no; };
</code>

to the ''named.conf'' configuration file, at top level like a ''zone'' statement, not inside the ''options'' block. Bear in mind that the ''DO'' bit with which a resolver asks for DNSSEC records travels in the ''EDNS'' ''OPT'' record, so a server with ''edns no'' for all peers cannot validate DNSSEC. If the problem is only packet size, lowering the advertised buffer with ''edns-udp-size'' (in ''options'' or in a ''server'' statement) keeps ''EDNS'' while avoiding fragmentation.
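The "advertised EDNS UDP packet size" in the log line above is a concrete field in the query. As an added example (not code from the page or from BIND), the following Python builds DNS queries with and without the ''EDNS0'' ''OPT'' pseudo-record, parses the advertised buffer size and the ''DO'' bit back out of the wire bytes, and shows what a responder is allowed to send in each case. The query name ''isc.org'' is taken from the log line; the transaction ID is an arbitrary constant.

```python
"""Build DNS queries with and without the EDNS0 OPT pseudo-record and read back
what the requestor "advertises" as its UDP buffer size.

Added example, not code from the original page or from BIND. The OPT record
(RFC 6891) is an additional-section RR with TYPE 41 whose CLASS field carries the
UDP payload size and whose TTL field carries the extended RCODE, version and the
DO ("DNSSEC OK") flag. `edns no` in named.conf means: send no OPT record at all.
"""
import struct
from typing import Optional, Tuple

QTYPE_A, QTYPE_OPT = 1, 41
DO_BIT = 0x8000  # top bit of the OPT "TTL" field


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by the root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, edns_udp_size: Optional[int] = 4096,
                dnssec_ok: bool = False, txid: int = 0x1234) -> bytes:
    """Return a recursive query; edns_udp_size=None means classic DNS with no OPT record."""
    arcount = 0 if edns_udp_size is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # class IN
    if edns_udp_size is None:
        return header + question
    ttl = DO_BIT if dnssec_ok else 0  # ext-rcode 0, version 0, flags
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, ttl, 0)  # root name, no options
    return header + question + opt


def skip_name(buf: bytes, off: int) -> int:
    """Advance past a wire-format name, honouring compression pointers."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length


def advertised_udp_size(packet: bytes) -> Tuple[Optional[int], bool]:
    """Parse a DNS message; return (EDNS UDP size or None, DO bit set?)."""
    qd, an, ns, ar = struct.unpack("!HHHH", packet[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(packet, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns):
        off = skip_name(packet, off)
        rdlen = struct.unpack("!H", packet[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        off = skip_name(packet, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        if rtype == QTYPE_OPT:
            return rclass, bool(ttl & DO_BIT)
        off += 10 + rdlen
    return None, False


def effective_response_limit(packet: bytes) -> int:
    """Largest UDP response the requestor has agreed to: advertised size, else RFC 1035's 512."""
    size, _ = advertised_udp_size(packet)
    return 512 if size is None else size


if __name__ == "__main__":
    for size, do in ((4096, True), (1232, False), (None, False)):
        q = build_query("isc.org", edns_udp_size=size, dnssec_ok=do)
        print(f"{len(q):3} bytes, advertised={advertised_udp_size(q)}, "
              f"responder may send up to {effective_response_limit(q)}")
```

Run it and the third line is what ''edns no'' produces: no ''OPT'' record, a 512-byte ceiling, and no way to set ''DO'', which is the DNSSEC caveat above made visible.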
 +
====== Updating Dynamic Dns Zone Files ======

Zone files of dynamic zones (zones that accept dynamic updates and therefore have a journal attached) cannot be edited directly while bind is running without the file and the journal drifting apart. Rather than shutting bind down, first suspend dynamic updates to the zone, which also writes any pending journal entries into the zone file:
<code bash>
rndc freeze zone.tld
</code>

then make the necessary changes to the zone file (remembering to increment the serial), and, once the changes are done, re-enable dynamic updates with:
<code bash>
rndc thaw zone.tld
</code>

On ''thaw'', bind reloads the zone file, checks the serial number and discards the journal file (''.jnl'') if necessary. Dynamic updates arriving while the zone is frozen are rejected, so keep the window short, and run ''named-checkzone'' on the edited file before thawing so that a syntax error does not leave the zone unloaded.
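The step most often forgotten in that procedure is the serial: a ''thaw'' with an unchanged or lower serial leaves secondaries with stale data. As an added example (not code from the page or from BIND), the following Python bumps the ''SOA'' serial of a zone file using the ''YYYYMMDDnn'' convention, handling a multi-line ''SOA'' in parentheses, more than one edit on the same day, and the 32-bit serial arithmetic of RFC 1982. The zone text is constructed for the example and the date is passed in explicitly so the result is reproducible.

```python
"""Bump the SOA serial of a zone file between `rndc freeze` and `rndc thaw`.

Added example, not code from the original page or from BIND. Implements the
YYYYMMDDnn convention: today's date with a two-digit counter, or old+1 when the
old serial is already at or past today's value, all modulo 2^32 (RFC 1982).
"""
import re
from datetime import date

SERIAL_MOD = 2 ** 32

# Matches "SOA mname rname [(] [; comment lines] serial"; the serial is the first
# integer after the two names, possibly on a later line after an opening paren.
_SOA_RE = re.compile(
    r"\bSOA\s+\S+\s+\S+\s*\(?\s*(?:;[^\n]*\n\s*)*(?P<serial>\d+)",
    re.IGNORECASE,
)

# Constructed sample zone for the example; not taken from the page.
SAMPLE_ZONE = """\
$TTL 3600
@   IN  SOA ns1.zone.tld. hostmaster.zone.tld. (
        2017122701  ; serial
        3600        ; refresh
        900         ; retry
        604800      ; expire
        86400 )     ; minimum
    IN  NS  ns1.zone.tld.
ns1 IN  A   192.168.1.1
"""


def current_serial(zone_text: str) -> int:
    """Extract the SOA serial, or raise if the zone has no recognisable SOA."""
    m = _SOA_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    return int(m.group("serial"))


def next_serial(old: int, today: date) -> int:
    """YYYYMMDD00 for `today` if that is larger than `old`, otherwise old+1 mod 2^32.

    Either result is "greater" in RFC 1982 serial arithmetic, so secondaries will
    notice the change and transfer; a serial that merely looks newer but is
    numerically smaller (e.g. after a typo) would silently be ignored by them.
    """
    dated = int(today.strftime("%Y%m%d")) * 100
    return dated if dated > old else (old + 1) % SERIAL_MOD


def bump_serial(zone_text: str, today: date) -> str:
    """Return the zone text with only the SOA serial digits replaced."""
    m = _SOA_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    new = next_serial(int(m.group("serial")), today)
    return zone_text[:m.start("serial")] + str(new) + zone_text[m.end("serial"):]


if __name__ == "__main__":
    print(bump_serial(SAMPLE_ZONE, date(2017, 12, 28)))
```

Used on a real file, read the zone, write ''bump_serial()'''s output back, run ''named-checkzone'' and only then ''rndc thaw''.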
 +
====== Updating Records without Restarting Bind ======

''nsupdate'' can be used to add or remove records without editing the zone files by hand. This is particularly useful when a host's name has changed and the stale records left behind by DHCP-driven DDNS updates have to go. Provided that bind is configured with an authentication key (here the one in ''/etc/bind/rndc.key'') and that the key is allowed to update the zone, the following procedure removes the entries. Note that reusing the ''rndc'' control key for dynamic updates means that whoever holds the key file can also drive ''rndc'' wherever the control channel is reachable; the least-privilege setup is a dedicated TSIG key per updater, granted only the names and types it needs through ''update-policy''.

In order to remove a ''PTR'' record such as:
<code>
12    PTR    myhost.home.
</code>

the following invocation of ''nsupdate'',
<code bash>
nsupdate -v -k /etc/bind/rndc.key
> server 192.168.1.1
> zone 1.168.192.in-addr.arpa.
> update delete 12.1.168.192.in-addr.arpa. ptr myhost.home.
> send
> quit
</code>
will:
  - set the server to be updated to ''192.168.1.1'',
  - specify that the zone to be updated is ''1.168.192.in-addr.arpa.'' (the reverse zone of the ''192.168.1.0/24'' network),
  - send a request to delete the reverse entry for ''myhost.home'' with the address ''192.168.1.12'', whose fully qualified reverse name is ''12.1.168.192.in-addr.arpa.''

In order to remove an ''A'' record:
<code>
myhost.home    A    192.168.1.12
</code>
the following invocation of ''nsupdate'',
<code bash>
nsupdate -v -k /etc/bind/rndc.key
> server 192.168.1.1
> zone home
> update delete myhost.home a
> send
> quit
</code>
will:
  - set the server to be updated to ''192.168.1.1'',
  - set the zone to be updated to ''home'',
  - send a request to delete the ''A'' record of ''myhost.home''.

Updates sent this way take effect as soon as the server acknowledges them and are recorded in the zone's journal (''.jnl''), so no ''rndc reload'' is needed. To have the zone files on disk reflect the journals as well, flush them with:
<code bash>
rndc sync
</code>
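As an added example (not code from the page, from ''nsupdate'' or from BIND), the following Python generalises the two hand-written sessions above: it derives the ''PTR'' owner name and the reverse zone from the address (for IPv6 as well as IPv4), refuses to build an update whose owner lies outside the zone it is sent to (which the server would reject anyway), and emits both deletions as ''nsupdate'' input that can be piped into ''nsupdate -k /etc/bind/rndc.key''. The ''/24'' prefix length for the ''192.168.1.0'' network is an assumption about the page's setup.

```python
"""Derive PTR names and reverse zones, and emit the matching nsupdate batch.

Added example, not code from the original page or from BIND/nsupdate. Two
transactions are produced because the forward and reverse records live in
different zones, and one `send` can only touch a single zone.
"""
import ipaddress


def ptr_name(addr: str) -> str:
    """12.1.168.192.in-addr.arpa. for 192.168.1.12; nibble-reversed ip6.arpa for IPv6."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def reverse_zone(network: str) -> str:
    """Reverse zone holding the PTRs of a network: 1.168.192.in-addr.arpa. for 192.168.1.0/24.

    Only prefixes on octet (IPv4) or nibble (IPv6) boundaries map onto one zone;
    anything else needs RFC 2317-style delegation and is rejected here.
    """
    net = ipaddress.ip_network(network, strict=True)
    unit = 8 if net.version == 4 else 4
    if net.prefixlen % unit:
        raise ValueError("prefix length must fall on an octet/nibble boundary")
    labels = ipaddress.ip_address(net.network_address).reverse_pointer.split(".")
    keep = len(labels) - (net.max_prefixlen - net.prefixlen) // unit
    return ".".join(labels[-keep:]) + "."


def in_zone(name: str, zone: str) -> bool:
    """True when `name` is at or below `zone` (whole-label suffix match, case-insensitive)."""
    n = name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(n) >= len(z) and n[-len(z):] == z


def nsupdate_delete(server: str, zone: str, owner: str, rtype: str, rdata: str = "") -> str:
    """One nsupdate transaction deleting `owner rtype [rdata]` in `zone`.

    Without rdata every record of that type at the owner is removed, as in the
    page's `update delete myhost.home a`; with rdata only the matching one goes.
    """
    if not in_zone(owner, zone):
        raise ValueError(f"{owner} is not inside zone {zone}")
    rr = f"{owner} {rtype}" + (f" {rdata}" if rdata else "")
    return "\n".join([f"server {server}", f"zone {zone}", f"update delete {rr}", "send"]) + "\n"


def forget_host(server: str, fqdn: str, addr: str, forward_zone: str, network: str) -> str:
    """nsupdate input removing a host's A/AAAA record and its PTR, as two transactions."""
    ip = ipaddress.ip_address(addr)
    forward = nsupdate_delete(server, forward_zone, fqdn, "A" if ip.version == 4 else "AAAA")
    reverse = nsupdate_delete(server, reverse_zone(network), ptr_name(addr), "PTR", fqdn)
    return forward + reverse + "quit\n"


if __name__ == "__main__":
    # Same host as in the page; pipe this into: nsupdate -v -k /etc/bind/rndc.key
    print(forget_host("192.168.1.1", "myhost.home.", "192.168.1.12", "home", "192.168.1.0/24"))
```

Keeping the zone check in the generator is deliberate: a mismatched ''zone'' line is the usual reason an otherwise correct ''nsupdate'' batch comes back with ''NOTZONE'' or ''REFUSED'', and it is cheaper to catch before the key is ever used.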
 +
  

fuss/bind.txt · Last modified: 2017/12/27 22:37 by office
