1 aa513bf8 2023-01-22 jrmu version=pmwiki-2.2.130 ordered=1 urlencoded=1
2 aa513bf8 2023-01-22 jrmu agent=Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
3 aa513bf8 2023-01-22 jrmu author=nixdork
4 aa513bf8 2023-01-22 jrmu charset=UTF-8
5 aa513bf8 2023-01-22 jrmu csum=First draft of bind resolver howto
6 aa513bf8 2023-01-22 jrmu ctime=1644478229
7 aa513bf8 2023-01-22 jrmu host=185.220.100.255
8 aa513bf8 2023-01-22 jrmu name=Dns.BindResolver
9 aa513bf8 2023-01-22 jrmu rev=1
10 aa513bf8 2023-01-22 jrmu targets=
11 aa513bf8 2023-01-22 jrmu text=All servers need a way to resolve IP addresses to and from hostnames. In the good old days of the internet you could point your /etc/resolv.conf file at any valid nameserver and things would Just Work(tm). Not anymore.

Unfortunately the bad guys have figured out that by sending millions of DNS requests with the source address forged to be your IP, they can get thousands of nameservers to flood you with millions of DNS responses. Since those responses are usually 10-100 times bigger than the request, this makes for a very nice [[https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification|DNS amplification attack]].

This is why most nameservers on the internet stopped offering anonymous resolver services. So most people let some horrible company do it for them "for free". This is known as [[https://www.zdnet.com/article/how-surveillance-capitalism-will-totally-transform-the-domain-name-system/|surveillance capitalism]]. But we care about freedom and defending our users' privacy, so we are going to rely on systems that we build and maintain ourselves.

To quickly install and configure your own DNS resolver that is available only to your clients, do this:

[@
# pkg_add isc-bind
quirks-4.54 signed on 2022-02-09T17:55:10Z
Ambiguous: choose package for isc-bind
a 0: <None>
  1: isc-bind-9.16.23v3
  2: isc-bind-9.16.23v3-geoip
Your choice: @] '''1''' [@
isc-bind-9.16.23v3:libuv-1.40.0: ok
isc-bind-9.16.23v3:json-c-0.13.1p0: ok
isc-bind-9.16.23v3: ok
The following new rcscripts were installed: /etc/rc.d/isc_named
See rcctl(8) for details.
@]

Then change into the chroot's config directory and fetch the root hints file:

'''cd /var/named/etc'''

'''ftp https://www.internic.net/domain/named.root'''

Now you just need to configure the named.conf file. For your convenience you can cut and paste this to overwrite the existing file (the heredoc delimiter is quoted so the shell does not expand the $OpenBSD tag):

[@
'''cat <<'EOF' > named.conf'''
// $OpenBSD: named.conf,v 1.3 2020/05/29 20:05:37 sthen Exp $
//
// Example file for a simple configuration of BIND, processing only
// recursive queries. Consult BIND's Administration and Reference Manual
// for more information.

acl clients {
    localnets;
    ::1;
};

options {
    directory "/tmp"; // working directory, inside the /var/named chroot
                      // - must be writable by _bind
    version "";       // remove this to allow version queries

    listen-on { any; };
    listen-on-v6 { any; };

    empty-zones-enable yes;

    // only these networks may ask this server to recurse; everyone else is refused
    allow-recursion { 127.0.0.0/8; 38.81.163.0/24; 38.87.162.0/24; 2602:fccf:1::/48; };
};

zone "." {
    type hint;
    file "/etc/named.root";
};
EOF
@]

Or you can download this version instead: Attach:named.conf

Now all you need to do is edit your server's /etc/resolv.conf and add a line like this:

[@
nameserver 127.0.0.1
@]

And on every other client you would put your new nameserver's IP address in there instead:

[@
nameserver 38.87.162.999
@]
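To confirm that allow-recursion really fences the resolver off, here is an added check that is not part of the original howto: a standard-library Python probe that sends one recursive query to the resolver and reports whether recursion was granted. Run it once from a client inside the listed networks (expect NOERROR with RA set) and once from a host outside them (expect REFUSED with RA clear); the resolver address given on the command line and the query name www.openbsd.org are assumed placeholders.

```python
"""Probe whether a resolver grants recursion to the host running this script.

Builds one A query with the RD (recursion desired) bit, sends it over UDP/53
and reads the RCODE and RA (recursion available) flag of the reply.
"""
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction id so a reply can be matched to the query


def build_query(name: str, txid: int = TXID) -> bytes:
    """Wire-format DNS query for an A record: RD=1, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes, txid: int = TXID) -> dict:
    """Decode the 12-byte header into rcode name, RA flag and answer count."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    rcode = flags & 0x000F
    return {"rcode": RCODES.get(rcode, str(rcode)),
            "ra": bool(flags & 0x0080),
            "answers": ancount}


def recursion_allowed(result: dict) -> bool:
    """True when the server recursed on our behalf, i.e. what an open resolver does."""
    return result["ra"] and result["rcode"] == "NOERROR"


def check_resolver(server: str, name: str = "www.openbsd.org", timeout: float = 3.0) -> dict:
    """Send the query to server:53 over UDP (IPv4) and parse whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    res = check_resolver(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print(res, "recursion allowed" if recursion_allowed(res) else "recursion denied")
```

A timeout rather than REFUSED usually means pf or the listen-on settings are blocking the query before BIND sees it.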
12 aa513bf8 2023-01-22 jrmu time=1644478229
13 aa513bf8 2023-01-22 jrmu author:1644478229=nixdork
14 aa513bf8 2023-01-22 jrmu csum:1644478229=First draft of bind resolver howto
16 aa513bf8 2023-01-22 jrmu host:1644478229=185.220.100.255