Tag: DNS

  • acme.sh with DNS Alias Mode

    Since Godaddy stopped supporting free ACME SSL certificate issuance (DNS mode),

    I had to switch to DNS alias mode, letting Aliyun act as a proxy to issue the SSL certificates for the domain managed by Godaddy.

    The default CA, ZeroSSL, is a startup that has long been overloaded and most of the time can no longer issue certificates normally. Switching to Google's CA has a relatively higher bar: it requires a Google account and access from within China is restricted, so issuance has always gone smoothly.

    #!/bin/bash
    #
    #  Godaddy Domain:
    DOMAIN=zhenglei.net
    DNSAPI=dns_gd
    #  Aliyun Domain as Proxy:
    DOMAIN_PROXY=778065.xyz
    DNSAPI_PROXY=dns_ali
    #  Setup CNAME record mapping of _acme-challenge between ${DOMAIN} and ${DOMAIN_PROXY}
    # _acme-challenge.zhenglei.net       CNAME==>   _acme-challenge.778065.xyz
    # _acme-challenge.blog.zhenglei.net  CNAME==>   _acme-challenge.778065.xyz
    # ...
    # Verify the mapping before issuing:
    # nslookup -type=CNAME _acme-challenge.zhenglei.net
    # nslookup -type=CNAME _acme-challenge.blog.zhenglei.net
    # Aliyun key & secret to generate acme cert (acme.sh reads them from the environment)
    # dnsapi=dns_ali
    Ali_Key="Your Aliyun Key"
    Ali_Secret="Your Aliyun Secret"
    export Ali_Key=${Ali_Key}
    export Ali_Secret=${Ali_Secret}
    # Godaddy key & secret; not needed in alias mode, since only the proxy zone is written
    # dnsapi=dns_gd
    GD_Key="Your Godaddy Key"
    GD_Secret="Your Godaddy Secret"
    #
    #  Using alias dns mode of acme.sh:
    #  M = validate this name through the proxy zone, N = validate it directly
    M=" --challenge-alias ${DOMAIN_PROXY} "
    N=" --challenge-alias no "
    #
    # IP PROTOCOL
    IP=--listen-v6
    #
    # Seconds to wait for the TXT record to propagate before validation
    DNSSLEEP=40
    # Init
    source  /root/env.sh
    ACME_SH=/root/.acme.sh/acme.sh
    # Disable pathname expansion so the wildcard names below reach acme.sh literally
    set -f
    #
    DSUB=""
    DSUB+=" -d ${DOMAIN} ${M}"
    DSUB+=" -d ${DOMAIN_PROXY} ${N}"
    DSUB+=" -d blog.${DOMAIN} ${M}"
    DSUB+=" -d blog.${DOMAIN_PROXY} ${N}"
    DSUB+=" -d blog1.${DOMAIN} ${M} "
    DSUB+=" -d blog2.${DOMAIN} ${M} "
    DSUB+=" -d gallery.${DOMAIN} ${M} "
    DSUB+=" -d gallery.${DOMAIN_PROXY} ${N} "
    DSUB+=" -d gallery1.${DOMAIN} ${M} "
    DSUB+=" -d gallery2.${DOMAIN} ${M} "
    DSUB+=" -d music.${DOMAIN} ${M} "
    DSUB+=" -d music.${DOMAIN_PROXY} ${N} "
    DSUB+=" -d music1.${DOMAIN} ${M} "
    DSUB+=" -d music2.${DOMAIN} ${M} "
    DSUB+=" -d mpd.${DOMAIN} ${M} "
    DSUB+=" -d mpd.${DOMAIN_PROXY} ${N} "
    DSUB+=" -d mympd.${DOMAIN} ${M} "
    DSUB+=" -d mympd.${DOMAIN_PROXY} ${N} "
    DSUB+=" -d stream.${DOMAIN} ${M} "
    DSUB+=" -d stream.${DOMAIN_PROXY} ${N} "
    DSUB+=" -d video.${DOMAIN} ${M} "
    DSUB+=" -d video.${DOMAIN_PROXY} ${N} "
    DSUB+=" -d *.${DOMAIN} ${M} "
    DSUB+=" -d *.${DOMAIN_PROXY} ${N} "
    P=""
    P+=" --dns ${DNSAPI_PROXY} "
    P+=" --dnssleep ${DNSSLEEP} "
    P+=" -k ec-384 "
    P+=" --force "
    # P+=" --debug "
    # P+=" --log "
    #  Issue (stop here if validation fails, so the old cert is not replaced):
    echo "${ACME_SH} --issue  ${P} ${DSUB}"
          ${ACME_SH} --issue  ${P} ${DSUB} || exit 1
    # Install
    INST_PATH=/opt/local/cert/acme_zhenglei.net
    INST_CER=${INST_PATH}/fullchain.cer
    INST_KEY=${INST_PATH}/zhenglei.net.key
    OPENRESTY=/opt/local/etc/init.d/openresty
    ${ACME_SH} --install-cert -d ${DOMAIN} \
               --key-file ${INST_KEY} \
               --fullchain-file ${INST_CER} \
               --reloadcmd "${OPENRESTY} stop ; ${OPENRESTY} start"

    https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode
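    A pre-flight check for the alias setup above, added here as an example that is not part of the original post or of acme.sh: every name issued with ${M} needs _acme-challenge.<name> to be a CNAME to _acme-challenge.<proxy domain>, and a missing record otherwise only shows up as a failed dns-01 validation after DNSSLEEP. It assumes dig(1) is installed; DOMAIN and DOMAIN_PROXY are taken from the script.

```shell
#!/bin/sh
# Added example (not from the post): check the CNAME mapping that acme.sh
# DNS alias mode relies on before running --issue. Assumes dig(1).
DOMAIN=zhenglei.net
DOMAIN_PROXY=778065.xyz

# Name under which acme.sh writes the TXT record when --challenge-alias is used.
expected_alias() {            # $1 = proxy domain
    printf '_acme-challenge.%s.\n' "$1"
}

# The wildcard *.example and its apex share _acme-challenge.example.
challenge_name() {            # $1 = domain as passed to -d
    case $1 in \*.*) set -- "${1#??}" ;; esac
    printf '_acme-challenge.%s\n' "$1"
}

# Resolver hook: prints the CNAME target (with trailing dot) or nothing.
resolve_cname() {             # $1 = fqdn
    dig +short CNAME "$1"
}

# 0 if the CNAME points at the proxy zone, 1 otherwise (diagnostic on stderr).
check_alias() {               # $1 = domain as passed to -d, $2 = proxy domain
    name=$(challenge_name "$1")
    want=$(expected_alias "$2")
    got=$(resolve_cname "$name" | head -n 1)
    if [ "$got" = "$want" ]; then
        echo "ok       $name -> $got"
        return 0
    fi
    echo "MISSING  $name (got '${got:-no CNAME}', want '$want')" >&2
    return 1
}

# Same list as the issuing script; every entry must pass before --issue.
check_all() {
    rc=0
    for sub in "" blog. blog1. blog2. gallery. gallery1. gallery2. \
               music. music1. music2. mpd. mympd. stream. video. '*.'; do
        check_alias "${sub}${DOMAIN}" "$DOMAIN_PROXY" || rc=1
    done
    return $rc
}

if [ -n "${RUN_CHECK:-}" ]; then check_all; fi   # RUN_CHECK=1 ./check_alias.sh
```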

  • FreeNAS

    Two TrueNAS (FreeNAS) NAS systems are set up for data backup, including the resumed blog running in an ESXi virtual machine; they replaced the Buffalo LS-WXL and WD MyCloud.

    The benefits of FreeNAS:

    • Based on the FreeBSD OS, stable
    • Native support for ZFS and snapshots
    • Other professional features ready

    The blog data is backed up to the 1st FreeNAS manually after updating the blog.

    The 1st FreeNAS generates a snapshot every day, thanks to the Periodic Snapshot Task provided by the FreeNAS system, and then replicates the snapshot to the 2nd FreeNAS machine, thanks to the Replication Task of the FreeNAS system.

    Hardware spec of 1st NAS:

    1. HP T610 Plus thin client  ( AMD (G-T56N) 1.65GHz dual core / E350 )
    2. 16GB DDR3  (2 x 8GB)
    3. 32GB flash drive for the FreeNAS system + 4TB 3.5" HD for data
    4. 10/100/1000 Ethernet

    Cost (without data disk):

        AMD T610 Plus                          RMB 185
        Power supply 19V 4.74A, 7.4*5.0mm      RMB 30
        SATA2 32G SSD                          RMB 45
        DDR3L 8G/1600 x2                       RMB 398
        -----------------------------------------------
        Total                                  RMB 658

    Hardware spec of 2nd NAS:

    1. HP Z220 MT workstation
    2. 32GB DDR3 ECC RAM
    3. Intel G3250T CPU
    4. One USB key for the FreeNAS system + 10TB HD for data

    A RAID subsystem is not the best choice here.

    As home users, we are not worried about data loss or the data server being down for a short period of time. That is why we run two NAS systems with data replication instead of a RAID subsystem.

  • Setup DNS server to resolve my domain

    How to set up DNS servers on two hosts to resolve my_domain:

    Log in to the Godaddy account.

    Go to the Domain Details of mydomain:

    From Host Names:

             Register two hosts in mydomain:   ns1 = host1_ip,  ns2 = host2_ip

    From Nameservers:

            Change Setup Type from Standard to Custom

            Add the two Nameservers:  ns1.mydomain  ns2.mydomain

    Log in to host1 & host2

    Set up the DNS server with the following config:

    NS records:       ns1.mydomain, ns2.mydomain  (DNS servers)

    MX records:       mx1.mydomain, mx2.mydomain  (email servers)

    TXT records:      "v=spf1 ..."       (for email)

                      "google-site-verification=..."    (for email and web server)

    SPF record for email:

    "v=spf1 a a:host1.domain.net a:host2.domain.net mx ip4:11.22.33.44 -all"

    Only the following hosts are allowed to deliver SMTP for the domain:

    host1.domain.net, host2.domain.net, 11.22.33.44, and the hosts named in the MX records (the mx mechanism); everything else is rejected by -all

    Google site verification:  (verify the domain by adding a TXT/SPF record)

    Refer to:

    https://www.google.com/webmasters/verification/home?hl=en

    How to add a PTR record for the mx server:

    The PTR record is managed by the ISP, not by the DNS supplier such as Godaddy.

    Some VPS suppliers support PTR record modification, such as Hostus and ComfortHost.

    Tool for email server check:

    https://mxtoolbox.com/
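    A syntax check for the SPF record described above, added here as an example that is not part of the original post or of any listed tool. It accepts the terms this page uses (a, mx, ip4, ip6, include, all, each with an optional +, -, ~ or ? qualifier, plus the redirect= and exp= modifiers), insists on a terminal all or a redirect=, and rejects anything else, such as a mistyped "ip:" mechanism, which receivers treat as a permanent error for the whole domain.

```shell
#!/bin/sh
# Added example (not from the post): validate an SPF TXT record before
# publishing it. Prints the first problem and returns 1; returns 0 if accepted.
spf_check() {                 # $1 = record text, e.g. "v=spf1 a mx -all"
    set -f                    # split the record on spaces without globbing
    set -- $1
    set +f
    [ "$1" = "v=spf1" ] || { echo "bad version tag: '${1:-empty}'"; return 1; }
    shift
    seen_all=0
    seen_redirect=0
    for term in "$@"; do
        case $term in
            redirect=?*) seen_redirect=1; continue ;;   # modifiers may appear anywhere
            exp=?*) continue ;;
        esac
        if [ "$seen_all" = 1 ]; then
            echo "term after all is never evaluated: $term"; return 1
        fi
        case $term in
            [-+~?]*) term=${term#?} ;;                   # strip the qualifier
        esac
        case $term in
            a|mx|a:?*|mx:?*) ;;
            ip4:[0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
            ip6:*:*) ;;
            include:?*) ;;
            all) seen_all=1 ;;
            *) echo "unknown mechanism: $term"; return 1 ;;
        esac
    done
    if [ "$seen_all" = 0 ] && [ "$seen_redirect" = 0 ]; then
        echo "no all mechanism: unlisted senders get neutral, not fail"; return 1
    fi
    return 0
}
```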

  • dnstap

    http://dnstap.info/slides/dnstap_nanog61.pdf

     

    dnstap – What is it?

    • High speed DNS logging without packet capture
    • Encoding uses Protocol Buffers
    • Binary clean
    • Efficient encoding
    • Extendable
    • Implementations available for many programming

  • Update NO-IP DDNS

    Updating the no-ip DDNS entry on:

    DD-WRT router:

    with the help of the inadyn tool

    https://github.com/troglobit/inadyn

    Linux box:

    with the help of noip-duc-linux

    http://www.no-ip.com/client/linux

    Failure issues:

    No direct internet link

       DNS resolution too slow

    inadyn:   timeout = IP_DEFAULT_TIMEOUT = 20s

    noip-duc:   uses the gethostbyname Linux API to get the IP address; the resolver timeout can be defined in /etc/resolv.conf, and the default value in Linux is 5 ms.

    Example of resolv.conf (the nameserver and options directives go on separate lines):

    nameserver 8.8.8.8
    options timeout:30

     

     

  • DNS software: rbldnsd

    rbldnsd:
    http://www.corpit.ru/mjt/rbldnsd.html

    git://git.corpit.ru/rbldnsd.git

    rbldnsd stands for "DNS daemon suitable for running DNS-based blocklists".
    rbldnsd is a small DNS-protocol daemon designed to handle queries to DNS-based IP-listing or name-listing services. Such services are a simple way to share/publish a list of IP addresses or (domain) names which are "listed" for some reason, for example in order to be able to refuse service to a client which is "listed" in some blocklist.

    http://linux.die.net/man/8/rbldnsd

    http://www.blue-quartz.com/rbl/

    Example

    http://www.uceprotect.net/en/?m=6&s=10

    Setup within Debian

    # Disable the existing DNS service so rbldnsd can take over port 53
    update-rc.d bind9 disable
    /etc/init.d/bind9 stop

    # Install rbldnsd

    setup.zip
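    The client side of the IP-listing service described above, added here as an example that is not part of the original post or of rbldnsd: the client's IPv4 octets are reversed, the list zone is appended, an A answer inside 127.0.0.0/8 means "listed", and the TXT record at the same name carries the reason. The zone name bl.example.net and the listing used in the comments are constructed for this example; resolve_a and resolve_txt wrap dig(1).

```shell
#!/bin/sh
# Added example (not from the post): query a DNS-based IP list of the kind
# rbldnsd serves and interpret the answer. Assumes dig(1).

# 11.22.33.44 + bl.example.net -> 44.33.22.11.bl.example.net
dnsbl_name() {                # $1 = IPv4 address, $2 = list zone
    oldifs=$IFS; IFS=.
    set -- $1 "$2"
    IFS=$oldifs
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$5"
}

resolve_a() {                 # $1 = fqdn; A records, one per line, or nothing
    dig +short A "$1"
}

resolve_txt() {               # $1 = fqdn; TXT record as dig prints it
    dig +short TXT "$1"
}

# Prints "listed <code> <reason>" and returns 0 when the IP is on the list,
# returns 1 when it is not, and 2 for an answer outside 127.0.0.0/8: a list
# that answers with public addresses is dead or hijacked, so do not act on it.
dnsbl_lookup() {              # $1 = IPv4 address, $2 = list zone
    q=$(dnsbl_name "$1" "$2")
    ans=$(resolve_a "$q" | head -n 1)
    [ -n "$ans" ] || return 1
    case $ans in
        127.*) echo "listed $ans $(resolve_txt "$q")"; return 0 ;;
        *) echo "unexpected answer $ans for $q, ignoring list" >&2; return 2 ;;
    esac
}
```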

  • DNS software

    Copy from:  http://maradns.samiam.org/dns_software.html

    DNS software

    The “big five”. The “CVE” links point to the National Vulnerability Database’s list of security issues for the program in question; I also have a comparison of DNS servers’ security history.

    • BIND is the swiss army knife of DNS servers. It has a lot of features and can do pretty much everything. It’s also a big binary and sometimes difficult to configure. CVE
    • Unbound and NSD make up a suite of DNS servers; they are both from NLnet Labs. Basically, one (NSD) puts your web page on the Internet; the other (Unbound) looks for web pages on the Internet. NSD CVE (None of those entries look to point to NSD; it appears to have no CVE entries) Unbound CVE
    • PowerDNS (which like Unbound/NSD, is two separate programs) has a lot of flexibility with connecting to databases or what not to resolve a DNS name. Used by Wikimedia, among others. CVE.
    • DjbDNS. Great tiny two-program DNS suite that sadly hasn’t been updated by DJB since 2001. Yes, it does have security problems (That’s a CVE link). Note that there are still people on the Internet who pretend DjbDNS 1.05 is magically perfectly secure. Sigh; there’s a lot of stupid out there on the ’net. For anyone who wants to use DjbDNS, use N-DjbDNS, which is patched against all known security holes (be sure to use a version with commit 16cb625e).
    • MaraDNS. I think it’s the best one, but my opinion is a little biased. It was once a single program, now two separate programs (like Unbound/NSD and PowerDNS). Easy-to-configure; tiny binary suitable for embedded systems. CVE

    There are many many other DNS servers, both open source and non-open source.

    Some other DNS servers:

    Freely downloadable DNS servers

    Caching DNS servers

    • DnsMasq is a non-recursive caching DNS server.
    • pdnsd is a recursive caching DNS server. Paul Rombouts is (was?) the current maintainer of this program.
    • Posadis is another DNS server project, similar to MaraDNS. This server is now both a resolving and an authoritative DNS server. Hasn’t been updated in a while.

    Non-recursive DNS servers

    • Knot DNS has DNSSEC support.
    • MyDNS is an authoritative-only DNS server which uses MySQL as a database back end. The most currently updated version appears to be MyDNS-ng, the “next generation” version of MyDNS.
    • SDNS is a project written in the late 1990s by Sandia Labs. Like MaraDNS, this project was written with security in mind. Since this is a government project, the code is public domain. The program does not seem to be downloadable anywhere, so I am mirroring it here. I would like to thank Fred Cohen for informing me about this package.
    • The Pliant language/package comes with a DNS server. This DNS server can not recursively process DNS queries given a list of root servers.
    • Twisted includes a non-recursive DNS server.
    • DnsJAVA is an authoritative-only DNS server written in Java.
    • The Eddit project includes a DNS server
    • SheerDNS is a simple non-caching DNS server that stores all records as their own files.

    Abandoned DNS server projects

    These are DNS server projects which have not released any files for a significant period of time, and are not fully functioning DNS servers (either because the program did not have basic DNS functionality when abandoned, the program was not documented before being abandoned, or because the program was abandoned so long ago that it is not fully functional on today’s internet).

    • Oak DNS is a DNS server written completely in python. It is compatible (I think) with both BIND zone files and cache files. The file can be downloaded here, or here. The most recent alpha version can be downloaded here. The most recent file in this alpha is from February of 2003; the original website is now owned by a cyber-squatter. (Thanks, Michel Talon, for the update)
    • MooDNS is another DNS server project. A CVS checkout on January 21, 2003 shows that no files have been updated since July 20, 2002, except for a single readme file updated on August 1, 2002. This project is abandoned. I have made a tarball available for people who do not want to bother with a CVS checkout.
    • Dents is a DNS server that showed a lot of promise. Unfortunately, no files have been released since 1999.
    • Yaku-NS is a DNS server geared towards embedded systems. According to the changelog, no one has made any changes to this software since February, 2001.
    • CustomDNS has not released any files since the summer of 2000.

    Other

    Proprietary DNS solutions

    No, I have not listed every single DNS server that exists here.

  • DNS namebench (Chicago)

    IP                Descr.             Hostname                                 Avg (ms)  Diff     Min    Max     TO  N
    208.67.222.222    OpenDNS-2          resolver1.opendns.com                    460.57    3.6%     261.0  3500.0  2   1
    8.8.8.8           SYS-8.8.8.8        google-public-dns-a.google.com           476.94    -        273.9  3500.0  3   0
    209.253.113.18    Mcleod 3 US        cachens3.mcleodusa.net                   513.36    -7.1%    262.7  3500.0  2   1
    216.165.129.157   216.165.129.157    ns6.dns.tds.net                          529.09    -9.9%    262.6  3500.0  2   0
    216.170.153.146   TDS 8 US           ns8.dns.tds.net                          560.03    -14.8%   262.7  3500.0  3   0
    216.52.129.1      Internap CHI US    ns1.chi.pnap.net                         567.64    -16.0%   264.2  3500.0  3   0
    134.48.1.32       Marquette Uni US   dns1.mu.edu                              596.11    -20.0%   266.2  3500.0  7   0
    4.2.2.2           Level 3/GTEI-2     b.resolvers.Level3.net                   603.13    -20.9%   261.8  3500.0  2   0
    156.154.70.1      UltraDNS           rdns1.ultradns.net                       610.57    -21.9%   261.7  3500.0  4   0
    216.52.129.33     216.52.129.33      ns2.chi.pnap.net                         611.23    -22.0%   263.8  3500.0  5   0
    4.2.2.3           Level 3/GTEI-3     c.resolvers.level3.net                   630.44    -24.3%   261.9  3500.0  3   0
    4.2.2.1           Level 3/GTEI       a.resolvers.level3.net                   654.94    -27.2%   262.4  3500.0  3   0
    216.81.128.132    216.81.128.132     nscache3-mngt.dsm.lightedge.com          690.13    -30.9%   268.0  3500.0  3   2
    174.34.129.34     174.34.129.34      174.34.129.34.rdns.ubiquityservers.com   690.90    -31.0%   264.0  3500.0  5   0
    64.58.254.2       64.58.254.2        ns1.met-net.com                          750.62    -36.5%   275.8  3500.0  12  0
    216.146.35.35     DynGuide           resolver1.dyndnsinternetguide.com        1222.12   -61.0%   262.4  3500.0  55  2