
Thursday, September 22, 2011

MaraDNS - Running Authoritative and Recursive DNS server

MaraDNS - Authoritative DNS server Configuration
++++++++++++++++++++++++++++++++++++++++++++++++

	# apt-get install maradns

If you are using the default configuration file, it is sometimes helpful to see only the non-commented lines:
	# cat /etc/maradns/mararc | awk '/^[^#]/ { print $0 }'

-------------------------------------
Running an Authoritative DNS Server
-------------------------------------

Now let's modify the mararc config file by adding/modifying the lines below:
	# vim /etc/maradns/mararc
		csv2 = {}
		csv2["example.org."] = "db.example.org"
		csv2["helloworld.net."] = "db.helloworld.net"
		
		bind_address = "50.3.1.8"

		chroot_dir = "/etc/maradns"

It's time to create the corresponding zone files.

	# vim /etc/maradns/db.example.org
		example.org NS ns1.example.org ~
		example.org 1.2.3.4 ~
		www.example.org 1.2.3.4 ~
		example.org MX 10 mail.example.org ~
		ns1.example.org 50.3.1.8 ~
		mail.example.org 50.3.1.8 ~
		irc.example.org 1.3.3.7 ~

Notice the lack of SOA records, which are generated automagically.

Another way is to use the shortcut %, which represents the domain as defined in mararc.
	# vim /etc/maradns/db.helloworld.net
		% NS ns1.% ~
		% 1.2.3.4 ~
		www.% 1.2.3.4 ~
		% MX 10 mail.% ~
		ns1.% 50.3.1.8 ~
		mail.% 50.3.1.8 ~
		irc.% 1.3.3.7 ~

This is exactly the same as the zone file above, except that every '%' symbol in this file is
replaced by 'helloworld.net.'.
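As an added example (not part of the original post or of MaraDNS itself), a small Python parser for the csv2 records shown above: it expands '%' to the zone name, treats a bare IPv4 address as an implicit A record, and then checks that every in-zone NS and MX target has an address record, since MaraDNS synthesizes the SOA but not those. The sample zone text is constructed from the helloworld.net file above.

```python
import ipaddress

# Constructed sample: the post's helloworld.net zone, written with the % shortcut.
ZONE = "helloworld.net."
CSV2_SAMPLE = """
% NS ns1.% ~
% 1.2.3.4 ~
www.% 1.2.3.4 ~
% MX 10 mail.% ~
ns1.% 50.3.1.8 ~
mail.% 50.3.1.8 ~
irc.% 1.3.3.7 ~
"""

def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def parse_csv2(text, zone):
    """Split csv2 text into (name, type, rdata) tuples: records end with '~',
    every '%' expands to the zone name, and a record whose only data field is
    an IPv4 address is an implicit A record ('www.% 1.2.3.4 ~')."""
    records = []
    for chunk in text.split("~"):
        fields = chunk.replace("%", zone).split()
        if not fields:
            continue                        # whitespace after the final ~
        name, rest = fields[0].lower(), fields[1:]
        if len(rest) == 1 and _is_ipv4(rest[0]):
            rtype, rdata = "A", rest
        else:
            rtype, rdata = rest[0].upper(), [f.lower() for f in rest[1:]]
        records.append((name, rtype, rdata))
    return records

def missing_glue(records, zone):
    """In-zone NS/MX targets with no A record here. MaraDNS generates the SOA
    for you, but not the address records its NS and MX targets need."""
    addressed = {name for name, rtype, _ in records if rtype == "A"}
    missing = []
    for _, rtype, rdata in records:
        if rtype in ("NS", "MX"):
            target = rdata[-1]              # MX rdata is [priority, host]
            if target.endswith(zone) and target not in addressed:
                missing.append(target)
    return missing
```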

Finally restart the service:
	# /etc/init.d/maradns restart

and check the log,
	# cat /var/log/syslog | grep maradns

to make sure there are no errors.
	
Test using 'askmara':
	$ askmara Awww.example.org. 50.3.1.8
		# Querying the server with the IP 50.3.1.8
		# Question: Awww.example.org.
		www.example.org. +86400 a 1.2.3.4
		# NS replies:
		#example.org. +86400 ns ns1.example.org.
		# AR replies:
		#ns1.example.org. +86400 a 50.3.1.8

Test using 'dig':
	$ dig A www.example.org @50.3.1.8
		;; ANSWER SECTION:
		www.example.org.         86400   IN      A       1.2.3.4

		;; AUTHORITY SECTION:
		example.org.             86400   IN      NS      ns1.example.org.


-------------------------------
Running a Recursive DNS Server
-------------------------------

In addition to acting as an authoritative server, MaraDNS can also function as a recursive DNS server.

To run a recursive server, add/modify lines in the config file.
	# vim /etc/maradns/mararc

		bind_address = "50.3.1.8"

		chroot_dir = "/etc/maradns"

		# Uncomment this line if commented.
		ipv4_alias = {}

		# Here you define the forwarders, which in most cases are your provider's DNS server IPs
		# or public DNS servers. We're using Google DNS for this purpose.
		upstream_servers = {}
		upstream_servers["."] = "8.8.8.8 8.8.4.4"
		
		# Hosts allowed to perform recursive queries
		recursive_acl = "192.168.51.0/24"

That's it. Verify it works:
	$ dig A google.com @50.3.1.8

Since the configuration changes for the authoritative and recursive roles do
not conflict with one another, it is possible to run them both at the same time
through a single config file.
	
More Info:
* Example files: /usr/share/doc/maradns/en/examples
* Manual: man maradns
* Manual: man askmara
* Web: http://www.maradns.org
Posted by EmErgE at 3:17 PM

Coding Standards and Style Guides

List of coding standard and style guides to assist programmers in writing better code:

General:

BASH: http://wiki.bash-hackers.org/scripting/style

C: http://www.jetcafe.org/jim/c-style.html

C++: http://www.possibility.com/Cpp/CppCodingStandard.html

CSS: http://www.louddog.com/2008/create-maintainable-code-with-a-css-styleguide/

Django: https://docs.djangoproject.com/en/dev/internals/contributing/writing-code/coding-style/

Erlang: http://www.erlang.se/doc/programming_rules.shtml

Haskell: http://www.haskell.org/haskellwiki/Programming_guidelines

HTML5: http://coding.smashingmagazine.com/2009/08/04/designing-a-html-5-layout-from-scratch/

Java: http://www.oracle.com/technetwork/java/codeconvtoc-136057.html

Javascript: http://javascript.crockford.com/code.html

LaTeX: http://www.clt.mq.edu.au/~rdale/resources/writingnotes/latexstyle.html

Lisp: http://mumble.net/~campbell/scheme/style.txt

Matlab: http://www.cs.cornell.edu/courses/cs99/2002fa/matlabstyle.html

.Net Framework (including C#): http://blogs.msdn.com/b/brada/archive/2005/01/26/361363.aspx

node.js: http://nodeguide.com/style.html

Objective-C: http://cocoadevcentral.com/articles/000082.php

Perl: http://perldoc.perl.org/perlstyle.html

PHP: http://pear.php.net/manual/en/standards.php

Postscript: http://www.ghostscript.com/doc/current/Ps-style.htm

Python: http://www.python.org/dev/peps/pep-0008/

Ruby: https://github.com/chneukirchen/styleguide/blob/436e8c1bbeb6ffde8bcfbcf72af449c5f8a741f3/RUBY-STYLE

TCL: http://wiki.tcl.tk/708

Visual Basic: http://msdn.microsoft.com/en-us/library/aa240822(v=vs.60).aspx

XML: http://google-styleguide.googlecode.com/svn/trunk/xmlstyle.html

Misc:

Drupal: http://drupal.org/coding-standards

Joomla: http://docs.joomla.org/Coding_style_and_standards

Mozilla: https://developer.mozilla.org/En/Mozilla_Coding_Style_Guide

Wikipedia: http://en.wikipedia.org/wiki/Wikipedia:Manual_of_Style

Wordpress: http://codex.wordpress.org/WordPress_Coding_Standards

Posted by EmErgE at 3:08 PM

Tuesday, September 06, 2011

Configuring IPv6 BGP Tunnel with Hurricane Electric (tunnelbroker.net)

Prerequisites:
* Cisco IOS with IPv6 support
* Internet Routable IPv4 address
* AS number exclusively assigned to you by your RIR

Throughout the guide, the following assumptions are made:
* Public IP of your Cisco Router is: 9.33.21.35
* Your ASN is: 31337
* Your RIR delegated IPv6 Prefix is: 1337:C0DE::/32
* 1337:C0DE:0A:49::74 is an example IPv6 address we'll assign to our router

1) Go to http://tunnelbroker.net

2) Register/Login

3) Create BGP Tunnel
		-> IPV4 Endpoint (Your Side)
		Enter your public IP address, example: 9.33.21.35
		Prefixes announced: 1337:C0DE::/32
		Select a tunnel endpoint that's closest to you (eg: Fremont, CA, US 64.71.128.83)

		Click on Create BGP Tunnel
	 
	On the Main Page, under the tunnel you just created, you get the following information:
	 
		IPv6 Tunnel Endpoints
		Server IPv4 Address: 64.71.128.83
		Server IPv6 Address: 2001:1337:28:bad::1/64
		Client IPv4 Address: 9.33.21.22
		Client IPV6 Address: 2001:1337:28:bad::2/64
	 
		BGP Details
		Prefixes: 1337:C0DE::/32
		Your ASN: 31337
		Our ASN: 6262
		Peer Address: 2001:1337:28:bad::1/64
	 
	This is sufficient information to create an IPv6 BGP Tunnel.

	Hurricane Electric/Tunnel Broker requires a Letter of Authorization stating that you are the sole owner of your AS and the IPv6 prefix.
	You will receive instructions through email on how to submit this authorization letter, also through email.

4) It's now time to configure the Cisco IOS.

	Log in to your Cisco router and enter global configuration mode.
	First make sure IPv6 support is available on your router. To check, enter the command that enables IPv6 routing:
		router(config)# ipv6 unicast-routing

	If it gives an error such as:
		% Invalid input detected at '^' marker.
	then you may need to upgrade the firmware on the router or find another one that supports IPv6.

	We configure the rest of the router according to the information above:
		interface Tunnel0
		 description Hurricane Electric IPV6 Tunnel Broker
		 no ip address
		 ipv6 address 2001:1337:28:bad::2/64
		 ipv6 enable
		 tunnel source 9.33.21.22
		 tunnel destination 64.71.128.83
		 tunnel mode ipv6ip
		 !
		router bgp 31337
		 no bgp default ipv4-unicast
		 bgp log-neighbor-changes
		 neighbor 2001:1337:28:bad::1 remote-as 6262
		 neighbor 2001:1337:28:bad::1 update-source Tunnel0
		 !        
		 address-family ipv6
		  neighbor 2001:1337:28:bad::1 activate
		  neighbor 2001:1337:28:bad::1 remove-private-as
		  neighbor 2001:1337:28:bad::1 route-map he-ipv6-in in
		  neighbor 2001:1337:28:bad::1 route-map he-ipv6-out out
		  network 1337:C0DE::/32
		  aggregate-address 1337:C0DE::/32 summary-only
		  redistribute connected metric 1
		  no synchronization
		 exit-address-family
		!         
		ipv6 route ::/0 Tunnel0
		!         
		ipv6 prefix-list ipv6-general-prefix seq 5 deny ::/0
		ipv6 prefix-list ipv6-general-prefix seq 10 permit ::/0 le 64
		!         
		ipv6 prefix-list myprivate-prefix seq 5 permit 1337:C0DE::/32 le 64
		!         
		route-map he-ipv6-out permit 10
		 match ipv6 address prefix-list myprivate-prefix
		 set as-path prepend 31337 31337 31337
		!         
		route-map he-ipv6-in permit 10
		 match ipv6 address prefix-list ipv6-general-prefix
		 set as-path prepend 6262 6262 6262
		!         

	This should look familiar if you have configured BGP before.
	Notice the line "address-family ipv6" is configured from within the "router bgp" prompt.
	This basically enables BGP for IPv6 addresses only.
	The other lines are responsible for:
	1) Setting up the default IPv6 route through the tunnel interface
	2) Publishing only the aggregate route for our delegated prefix to the remote peer.

	The final step is to enable IPv6 on the external router interface:
		!
		interface GigabitEthernet0/0
		 ip address 9.33.21.35 255.255.255.0
		 ipv6 address 1337:C0DE:0A:49::74/64
		 ipv6 enable
		 ipv6 nd ra suppress
		!

	Notice, I've added the "ip address" line to show the interface with the preconfigured IPv4 address we are using as the tunnel endpoint.

	To verify the tunnel is working and the routes are established, use the commands below:
		router# sh bgp ipv6
		router# sh ipv6 route

	If these commands produce a long list of IPv6 routes then you have successfully configured your Cisco IOS with BGP and IPv6. If you don't see the IPv6 routes, check the configuration for any errors and verify tunnelbroker.net has received your letter of authorization (it shows up as "LoA on file" on the website's tunnel details page).
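To see what the two route-maps let through, here is an added Python model of the prefix-lists and route-maps above (example code written for this page, not the router's own logic or Cisco software): it replays the IOS first-match and exact-length rules and shows that only our own /32 (and subnets down to /64) can be announced, while the connected tunnel /64 from Hurricane Electric's space is filtered out, and that an inbound default route is refused. The sample prefixes and AS paths are constructed.

```python
import ipaddress

# Constructed model of the two prefix-lists and route-maps from the post's
# router config. Entry: (action, prefix, ge, le); ge/le None = exact length.
PREFIX_LISTS = {
    "ipv6-general-prefix": [("deny", "::/0", None, None),
                            ("permit", "::/0", None, 64)],
    "myprivate-prefix":    [("permit", "1337:C0DE::/32", None, 64)],
}
# One 'permit 10' clause each: (prefix-list to match, AS path to prepend).
ROUTE_MAPS = {
    "he-ipv6-out": ("myprivate-prefix", [31337, 31337, 31337]),
    "he-ipv6-in":  ("ipv6-general-prefix", [6262, 6262, 6262]),
}

def entry_matches(route, entry):
    """IOS semantics: the route must lie inside the entry's prefix and its
    length must fall in [ge, le]; with neither keyword the length must equal
    the entry's own prefix length (so 'deny ::/0' hits only the default)."""
    _, text, ge, le = entry
    net = ipaddress.IPv6Network(text)
    low = ge if ge is not None else net.prefixlen
    if ge is None and le is None:
        high = net.prefixlen                  # exact-length match
    else:
        high = le if le is not None else 128  # 'ge' alone runs up to /128
    return route.subnet_of(net) and low <= route.prefixlen <= high

def prefix_list_action(name, prefix):
    """First matching sequence wins; an unmatched route hits the implicit deny."""
    route = ipaddress.IPv6Network(prefix)
    for entry in PREFIX_LISTS[name]:
        if entry_matches(route, entry):
            return entry[0]
    return "deny"

def apply_route_map(name, prefix, as_path):
    """AS path after the route-map's set clause, or None if the route is
    dropped (the match fails when the prefix-list denies; no later clause)."""
    plist, prepend = ROUTE_MAPS[name]
    if prefix_list_action(plist, prefix) != "permit":
        return None
    return prepend + as_path

if __name__ == "__main__":
    # Our aggregate goes out; the connected tunnel /64 (HE's space) does not.
    print(apply_route_map("he-ipv6-out", "1337:C0DE::/32", []))
    print(apply_route_map("he-ipv6-out", "2001:1337:28:bad::/64", []))
```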
Posted by EmErgE at 4:06 PM
Categories: Cisco, General Networking

Configure Exim4 to provide SMTP Relay service with SMTP Authentication and TLS enabled

Prerequisites:

  • Box running Debian Squeeze or Debian variants
  • Exim4 Package (apt-get install exim4)
  • Internet Routable Public IP Address (172.16.75.12) with reverse DNS relay.example.org


Reconfiguring Exim4

Run the command as root,
	# dpkg-reconfigure exim4-config
There are two useful scenarios for delivering mail. A smarthost is the safer option if your provider has an SMTP server you can use.
If not, you will have to deliver mail directly from your own server; if your IP is blacklisted or has no reverse DNS, your mail may not be delivered successfully.

Case 1: Direct delivery without Smarthost (eg: to deliver mail directly to remote SMTP servers):

		internet site; mail is sent and received directly using SMTP
		System mail name: relay.example.org
		IP-address to listen on for incoming SMTP connections: 127.0.0.1; 172.16.75.12
		Other destinations for which mail is accepted: Leave Empty
		Domains to relay mail for: * (This option will accept mail for any domain) 
		Machines to relay mail for: Leave Empty (Or specify whitelisted relay IPs)
		Keep number of DNS-queries minimal (Dial-on-Demand)? No
		Delivery method for local mail: mbox format in /var/mail/
		Split Configuration into small files? Yes (Very Important)
This should result in the configuration file /etc/exim4/update-exim4.conf.conf:
		dc_eximconfig_configtype='internet'
		dc_other_hostnames='relay.example.org'
		dc_local_interfaces='127.0.0.1 ; 172.16.75.12'
		dc_readhost='relay.example.org'
		dc_relay_domains='*'
		dc_minimaldns='false'
		dc_relay_nets=''
		CFILEMODE='644'
		dc_use_split_config='true'
		dc_hide_mailname='true'
		dc_mailname_in_oh='true'
		dc_localdelivery='maildir_home'

Case 2: Delivery with Smarthost (eg: to use your ISP's SMTP server to relay all your mail):

		mail sent by smarthost; received via SMTP or fetchmail
		IP address or hostname of the outgoing smarthost: 1.2.3.4
		Hide local mail name in outgoing mail? Yes
		Visible domain name for local users: relay.example.org
This should result in the configuration file /etc/exim4/update-exim4.conf.conf with minor differences from the file above:
		dc_eximconfig_configtype='smarthost'
		dc_smarthost='172.16.75.17'

Generate Self-signed Certificate

In order to use TLS (Transport Layer Security) with SMTP authentication, you must generate a self-signed certificate or purchase one from a reputable CA.
	# /usr/share/doc/exim4-base/examples/exim-gencert
After filling in all the details, this will generate the certificate and key files /etc/exim4/exim.crt and /etc/exim4/exim.key,
which is the default location where exim4 searches for them.

Add Exim4 User

To create username/passwords specifically for exim4 SMTP authentication, run the command
	# /usr/share/doc/exim4/examples/exim-adduser
	
You may also copy the file to /sbin and run it,
	# cp /usr/share/doc/exim4/examples/exim-adduser /sbin
	# exim-adduser
	

Enabling TLS

Type the following command to create a config macro file that enables TLS:
	# echo "MAIN_TLS_ENABLE = yes" > /etc/exim4/conf.d/main/00_local_settings
Additional settings can be added to the file /etc/exim4/conf.d/main/00_local_settings

Enabling SMTP Authentication

Uncomment the following lines in /etc/exim4/conf.d/auth/30_exim4-config_examples:
	plain_server:
	   driver = plaintext
	   public_name = PLAIN
	   server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
	   server_set_id = $auth2
	   server_prompts = :
	   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	   .endif

	login_server:
	   driver = plaintext
	   public_name = LOGIN
	   server_prompts = "Username:: : Password::"
	   server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
	   server_set_id = $auth1
	   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
	   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
	   .endif
	   

Updating Exim4 Configuration

Finally run this command to update exim4 configuration and restart exim4:
	# update-exim4.conf
	# /etc/init.d/exim4 restart
	
If your provider is blocking port 25 you may want to run the SMTP relay service on additional ports. To do this, modify this line in /etc/default/exim4
	SMTPLISTENEROPTIONS='-oX 587:25 -oP /var/run/exim4/exim.pid'
	
	This tells exim4 to listen on port 587 in addition to 25
	

Testing

	# telnet 172.16.75.12 25
	Type: EHLO SMTP
	If you see the following line among other things, it means it's working:

	250-STARTTLS
	
A full test can be performed using an email client.
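Added example for the authenticator and Testing sections above (not part of the post): a Python check that the relay offers STARTTLS, withholds AUTH until TLS is up, as the server_advertise_condition lines intend, and offers PLAIN/LOGIN afterwards. The two EHLO responses are constructed; probe() runs the same check against a live relay over the network, and the host and port 587 there are assumptions.

```python
import smtplib

# Constructed EHLO responses, in the "250-" form telnet shows, for a relay set
# up as in the post: STARTTLS on, AUTH advertised only once TLS is established
# (AUTH_SERVER_ALLOW_NOTLS_PASSWORDS left undefined).
EHLO_PLAIN_TCP = """250-relay.example.org Hello client [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP"""
EHLO_AFTER_TLS = """250-relay.example.org Hello client [192.0.2.10]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP"""

def parse_ehlo(response):
    """Map each advertised ESMTP keyword to its parameter list."""
    caps = {}
    for line in response.splitlines()[1:]:            # line 0 is the greeting
        keyword, _, params = line[4:].partition(" ")  # strip "250-" / "250 "
        caps[keyword.upper()] = params.split()
    return caps

def check_auth_policy(before_tls, after_tls):
    """Problems with the relay's AUTH/TLS posture; an empty list means OK."""
    problems = []
    if "STARTTLS" not in before_tls:
        problems.append("STARTTLS not offered: check MAIN_TLS_ENABLE and the certificate")
    if "AUTH" in before_tls:
        problems.append("AUTH offered before TLS: passwords could cross the wire in clear")
    if not set(after_tls.get("AUTH", [])) & {"PLAIN", "LOGIN"}:
        problems.append("no PLAIN/LOGIN after STARTTLS: authenticators not enabled")
    return problems

def probe(host, port=587):
    """Live version of the check (needs network); smtplib keeps the EHLO
    keywords in esmtp_features and clears them when STARTTLS completes."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.ehlo()
        before = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        smtp.starttls()
        smtp.ehlo()
        after = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
    return check_auth_policy(before, after)
```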
Posted by EmErgE at 1:32 PM
Categories: Linux, Security