Blame
Date:
Sun Oct 2 04:00:24 2022
UTC
Message:
Daily backup
All servers need a way to resolve IP addresses to and from hostnames. In the good old days of the internet you could point your /etc/resolv.conf file at any valid nameserver and things would Just Work(tm). Not anymore.

Unfortunately the bad guys have figured out that by spoofing millions of DNS requests and setting the fake origin address to your IP they can get thousands of nameservers to flood you with millions of DNS responses. Since those responses are usually 10-100 times bigger than the request, this makes for a very nice [[https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification|DNS amplification attack]].

This is why most nameservers on the internet stopped offering anonymous resolver services. So most people let some horrible company do it for them "for free". This is known as [[https://www.zdnet.com/article/how-surveillance-capitalism-will-totally-transform-the-domain-name-system/|surveillance capitalism]]. But we care about freedom and defending our users' privacy, so we are going to rely on systems that we build and maintain ourselves.

To quickly install and configure your own DNS resolver that is available only to your clients, do this:

[@
# pkg_add isc-bind
quirks-4.54 signed on 2022-02-09T17:55:10Z
Ambiguous: choose package for isc-bind
    0: <None>
    1: isc-bind-9.16.23v3
    2: isc-bind-9.16.23v3-geoip
Your choice: @] '''1''' [@
isc-bind-9.16.23v3:libuv-1.40.0: ok
isc-bind-9.16.23v3:json-c-0.13.1p0: ok
isc-bind-9.16.23v3: ok
The following new rcscripts were installed: /etc/rc.d/isc_named
See rcctl(8) for details.
@]

Then fetch the root hints file:

'''cd /var/named/etc'''

'''ftp https://www.internic.net/domain/named.root'''

Now you just need to configure the named.conf file. For your convenience you can cut and paste this to overwrite the existing file. The networks listed in allow-recursion are the ones used here; replace them with the ranges your own clients use, otherwise the server either refuses your clients or, if you open it up to any, becomes exactly the kind of open resolver the amplification attacks abuse:

[@
'''cat <<EOF > named.conf'''
// $OpenBSD: named.conf,v 1.3 2020/05/29 20:05:37 sthen Exp $
//
// Example file for a simple configuration of BIND, processing only
// recursive queries. Consult BIND's Administration and Reference Manual
// for more information.

acl clients {
	localnets;
	::1;
};

options {
	directory "/tmp";	// working directory, inside the /var/named chroot
				// - must be writable by _bind
	version "";		// remove this to allow version queries

	listen-on { any; };
	listen-on-v6 { any; };

	empty-zones-enable yes;

	allow-recursion { 127.0.0.0/8; 38.81.163.0/24; 38.87.162.0/24; 2602:fccf:1::/48; };
};

zone "." {
	type hint;
	file "/etc/named.root";
};
EOF
@]

Or you can download this version instead: Attach:named.conf

Now all you need to do is edit your server's /etc/resolv.conf and add a line like this:

[@
nameserver 127.0.0.1
@]

And on every other client you would put your new nameserver's IP address in there instead:

[@
nameserver 38.87.162.999
@]
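As an added pre-deployment check (not part of the original page), this Python script reads the allow-recursion list from the named.conf above and tells you which sample client addresses would get recursive service and whether the file would make an open resolver. It assumes the statement uses literal addresses or prefixes and the keywords any/none, as the file on this page does; named ACLs and localnets/localhost are rejected rather than guessed at.

```python
import ipaddress
import re

# Constructed copy of the relevant statements from the named.conf on this
# page (the real file also has the acl, directory and zone statements).
NAMED_CONF = """
options {
    listen-on { any; };
    listen-on-v6 { any; };
    allow-recursion { 127.0.0.0/8; 38.81.163.0/24; 38.87.162.0/24; 2602:fccf:1::/48; };
};
"""

def parse_allow_recursion(conf):
    """Networks in allow-recursion; None if the list contains 'any'.
    A missing statement returns [] (BIND then uses its own default,
    which is not 'any'). Only literal prefixes/addresses are accepted."""
    m = re.search(r"allow-recursion\s*\{([^}]*)\}", conf)
    if not m:
        return []
    nets = []
    for item in m.group(1).split(";"):
        item = item.strip()
        if not item or item == "none":
            continue
        if item == "any":
            return None
        if not item[0].isdigit() and ":" not in item:
            raise ValueError("unsupported match-list element: " + item)
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def recursion_allowed(client_ip, nets):
    """Would this client be given recursion under the parsed list?"""
    if nets is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)   # v4 vs v6 mismatch is False

def is_open_resolver(conf):
    """True if anyone on the internet could recurse through this server,
    which is what makes it usable as a DNS amplification reflector."""
    nets = parse_allow_recursion(conf)
    return nets is None or any(net.prefixlen == 0 for net in nets)

if __name__ == "__main__":
    nets = parse_allow_recursion(NAMED_CONF)
    for ip in ("127.0.0.1", "38.87.162.10", "2602:fccf:1::53", "8.8.8.8"):
        print(ip, "recursion" if recursion_allowed(ip, nets) else "refused")
    print("open resolver:", is_open_resolver(NAMED_CONF))
```

Run it against your edited file (read it instead of NAMED_CONF) with a few addresses from your own networks and one from outside before you start named.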