- Детальная настройка всего хозяйства
- Embedded:
- Записываем модули ядра в папку /boot/kernel/
- Perormance tests
- Encrypted swap
- Другие разновидности
- HTTPS и HSTS
- FreeNAS FC Target
- Делаем доступ к FC-дискам для FreeNAS
- FreeNAS изменение карты разделов корневого диска
- FreeNAS replication tasks
- PFSense and Ubiquiti
- Редактируем менюхи Web-GUI
- Старые версии приложений
- BHYVE and Pass-thru NIC
- Postgresql in freenas Jail
- Jails in PFSense
- FreeNAS rc.conf modification
- Embedded
- У свитчей Ubiquiti дефолтный админ называется ubnt
- PFSense Traffic Shaper
- PFSense. L2TP over IPSec
- Plex Home Theater embedded
- FreeNAS не грузится с флешки
- adv
- FreeBSD
- FreeBSD FUSE+ExFAT
- FreeBSD and NFS
- IPFW
- Install VirtalBox to FreeBSD and FreeNAS
- Выявляем состояние дисков
- FreeBSD: IPv6 setup
- Мониторинг RAID из командной строки
- FreeBSD Hardware Info
- FreeBSD pkg2ng and ports
- Unicode и Русский язык в FreeBSD 7.0 и выше
- FreeBSD 8.X - 9.X - 10.X Unicode Support
- Mellanox Infiniband Driver FreeBSD
- FreeBSD Network tuning
- VirtualBox 5 на Freebsd 10
- Установка времени и зоны
- Пароль на Single User
- OpenVPN
- UPS and nut
- FreeBSD iSCSI
- jails
- Diskless FreeBSD, iSCSI NetBoot
- Разрешение монитора
- Root on ZFS
- IPFW + NATD
- No buffer space available
- Работа с ZFS
- FreeBSD GEOM Recovery
- Postfix LDAP Sasl
- Links
- FreeBSD get sources
- Link Aggregation
- 10 Gb Ethernet Drivers
- Highpoint RocketRAID 2680 FreeBSD
- Webmin not starts, miniserv got an error (opt)
- Mount iso and other tips
- Работа с дисками
- LSI Pre-boot USB and CD installation instructions, EULA, and sources
- Выявляем состояние дисков
- MegaCli and tw_cli commands. Add drive to LSI RAID Volume
- Создание большого диска на FreeBSD
- Windows. OS not found Fix
- HPT Commands
- Resize EXT4
- Fsck
- Quantum StorNext
- RAID Basics
- Disk Recovery tools
- Выбор SSD
- RAID Basics
- Mac OS X: Manage GPT structure
- FreeBSD GEOM Recovery
- WD: Red, Green
- FreeNAS не грузится с флешки
- Create bsd slice
- Восстановление прошивки RAID-контроллеров LSI
- ZFS Administration
- EFI / UEFI
- Телефония
- Security Lab
- SSL Cert Auth
- Advanced IPFW rules
- Crypto Locker
- Astra Linux install Redis with SSL/TLS support
- Boot Password
- Default Passwords
- SSL A+
- Crypto Locker. Short English version
- Уязвимость OpenSSL
- SSL Auth Process
- Crypto Locker. Часть 2
- IPFW
- Скрипт диагностики сети
- Шьерт побьери
- SMS-оповещение
- Port Knock
- Козлизм
- NTP amplification attack
- Openssl create self-signed cert
- Социальная инженерия
- Постановление № 1119 от 02.11.2012
- Subject Alternate Name Certificate
- Switch Flood
- Видеонаблюдение
- DCP Checksum
- UDP Punch Attack
- Настройки общих для POSIX-систем служб
- Windows
- Linux
- RHEL / CentOS Install and inital configuration
- Linux Links
- Boot Linux into text mode
- GFS2
- Срубаем пароли
- Linux Hardware info
- Linux chroot
- DNSMASQ
- Ограничиваем память
- Bash history search like tsch
- NFS on RedHAT 5
- Делаем репозиторий для локалки
- ifcfg в RHEL/CentOS
- RHEL / CentOS UPGRADE: (6.3 -> 6.4, 6.4 -> 6.5)
- Openvpn
- Linux Security: systemd
- Mac OS X
- Скрыть юзера
- TLS server engine: cannot load CA data
- Mac Keeper
- IPv6 в Safari
- Mac OS create user
- Sudo repair
- XSAN
- Сбросить пароль
- DNS
- Rebuild System Cache
- CrossOver и русский кызя
- Хакинтош
- iTunes ip port
- Неофициальная поддержка LSI RAID
- Отобрать админские полномочия у пользователя
- Mac OS X: Manage GPT structure
- PF in Mac OS 10.7-10.9
- Расшарить папку по NFS
- ML (10.8) change hostname
- OpenDirectory passwd
- Open Directory SSL
- Cсылки afp://ip.addr/Share/Folder
- Legacy AFP
- sha1 checksum
- WiFi 5GHz
- Time Machine
- Network
- Виртуалки
Yet another one sysadsmin wiki.
Конфигурация ДНС сервера chroot
Живет в джейле BIND. Без chroot-a: bind в Jail-е не работает в chroot окружении.
Жалко мне 15 баксов на покупку ДНС хостинга - так что пусть жвет. ДНС имеет 2 view: один - для домашней сетки, второй - для инета. Удобно тем, что конфигурации независимые.
View удобны тем, что позволяют сделать невозможным корректное определение топологии сети через анализ ДНС записей для наблюдателя извне.
P.S. Внутренняя сеть сделана полностью на ipv6, соответственно и ДНС тоже; конфиг, по сравнению с указанным здесь, дополнен ipv6 адресами в ACL-ях
Bind собирался из портов
Версия 9.10.
cd /usr/ports/dns/bind910 make config
Отмечаем: Docs, IDN, IPV6, RRL, SIGCHASE, THREADS, GSSAPI_NONE, SSL
После сборки пишем в /etc/rc.conf
named_enable="YES" named_chrootdir="" named_program="/usr/local/sbin/named" named_flags="-c /etc/namedb/named.conf"
Primary Server config
cat /etc/namedb/named.conf
//////// ACLs ///////////
acl trusted-servers {
127.0.0.1; 87.255.21.209; 192.168.5.0/24; 10.105.144.1/24; 172.23.34.0/28;
193.232.130.14; 83.102.164.202; 78.107.92.65/26; 195.234.42.1; 178.33.255.252; 78.107.92.69;
};
acl home {
192.168.5.0/24;
};
acl xname {
195.234.42.0/24; 193.218.105.144/28; 178.33.255.252; 88.191.64.64; 92.243.3.119; 92.243.14.172;
};
acl nicru {
91.217.20.0/26; 91.217.21.0/26; 194.226.96.192/28; 31.177.66.192/28; 195.253.54.22; 195.253.51.22;
};
acl internal {
!key extview-key;
192.168.5.0/24;
localhost;
};
acl external {
!key intview-key;
key extview-key;
!192.168.5.0/24;
any;
};
/////// KEYS ////////
key intview-key {
algorithm HMAC-MD5;
secret "INT_ZONE_secret";
};
key extview-key {
algorithm HMAC-MD5;
secret "EXT_ZONE_secret";
};
//////// GLOBAL OPTIONS //////////
options {
// All file and path names are relative to the chroot directory,
// if any, and should be fully qualified.
directory "/etc/namedb/working";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
allow-recursion { trusted-servers; };
allow-update { none; };
allow-query { trusted-servers; nicru; };
allow-query-cache { trusted-servers; };
notify explicit;
allow-transfer { trusted-servers; };
version "get lost";
listen-on { 127.0.0.1; 192.168.5.29; };
disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
};
//////////// GLOBAL OPTIONS HAS BEEN ENDED ////////////
////////// LOGGING /////////
logging {
channel default_file {
file "/var/log/named/default.log" versions 3 size 5m;
print-time yes;
};
category default { default_file; };
};
// zone "." { type hint; file "/etc/namedb/named.root"; };
view internal {
match-clients { internal; };
allow-recursion { any; };
allow-query { any; };
allow-query-cache { any; };
zone "chroot.ru" {
type master;
file "/etc/namedb/master/internal/chroot.ru";
also-notify { 192.168.5.31 key intview-key; };
allow-transfer { home; key intview-key; };
};
zone "." {
type slave;
file "/etc/namedb/slave/root.slave";
masters {
192.5.5.241; // F.ROOT-SERVERS.NET.
};
notify no;
};
zone "arpa" {
type slave;
file "/etc/namedb/slave/arpa.slave";
masters {
192.5.5.241; // F.ROOT-SERVERS.NET.
};
notify no;
};
////////// RFC zones ///////////////
zone "localhost" { type master; file "/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "0.ip6.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; };
zone "0.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "10.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
...
zone "31.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
// Shared Address Space (RFC 6598)
zone "64.100.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "65.100.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
...
zone "127.100.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
// Link-local/APIPA (RFCs 3927, 5735 and 6303)
zone "254.169.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
// IETF protocol assignments (RFCs 5735 and 5736)
zone "0.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
// TEST-NET-[1-3] for Documentation (RFCs 3849, 5735, 5737 and 6303)
zone "2.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "100.51.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "113.0.203.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
// Domain Names for Documentation and Testing (BCP 32)
zone "test" { type master; file "/etc/namedb/master/empty.db"; };
zone "example" { type master; file "/etc/namedb/master/empty.db"; };
zone "invalid" { type master; file "/etc/namedb/master/empty.db"; };
zone "example.com" { type master; file "/etc/namedb/master/empty.db"; };
zone "example.net" { type master; file "/etc/namedb/master/empty.db"; };
zone "example.org" { type master; file "/etc/namedb/master/empty.db"; };
// Router Benchmark Testing (RFCs 2544 and 5735)
zone "18.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "19.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
// IANA Reserved - Old Class E Space (RFC 5735)
zone "240.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "241.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
...
zone "254.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
// IPv6 Unassigned Addresses (RFC 4291)
zone "1.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
...
zone "e.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "0.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
...
zone "b.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "0.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
...
zone "7.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
// IPv6 ULA (RFCs 4193 and 6303)
zone "c.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "d.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
// IPv6 Link Local (RFCs 4291 and 6303)
zone "8.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "9.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "a.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "b.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
// IPv6 Deprecated Site-Local Addresses (RFCs 3879 and 6303)
zone "c.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "d.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "e.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "f.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };
// IP6.INT is Deprecated (RFC 4159)
zone "ip6.int" { type master; file "/etc/namedb/master/empty.db"; };
};
view external {
match-clients { external; };
rate-limit {
responses-per-second 6;
slip 0;
min-table-size 5;
};
zone "chroot.ru" {
type master;
file "/etc/namedb/master/external/chroot.ru";
also-notify { 192.168.5.31 key extview-key; 195.253.54.22; 195.253.51.22; };
allow-transfer { xname; nicru; key extview-key; };
allow-query { any; };
};
zone "arlc.ru" {
type master;
file "/etc/namedb/master/external/arlc.ru";
also-notify { 192.168.5.31 key extview-key; 195.253.54.22; 195.253.51.22; };
allow-transfer { xname; nicru; key extview-key; };
allow-query { any; };
};
};
Описания зоны
cat /etc/namedb/master/external/chroot.ru
$TTL 86400 ; Default TTL
chroot.ru. IN SOA ns0.chroot.ru. dr.chroot.ru. (
2015051001 ; serial
10800 ; Refresh period
3600 ; Retry interval
86400 ; Expire time
10800 ; Negative caching TTL
)
$ORIGIN chroot.ru.
@ IN NS ns8-l2.nic.ru.
@ IN NS ns4-l2.nic.ru.
@ IN NS ns0.chroot.ru.
@ IN NS ns8-cloud.nic.ru.
@ IN NS ns4-cloud.nic.ru.
IN MX 1 aspmx.l.google.com.
IN MX 5 alt1.aspmx.l.google.com.
IN MX 10 alt2.aspmx.l.google.com.
IN MX 15 aspmx2.googlemail.com.
wiki IN A 87.255.21.209
ns0 IN A 87.255.21.209
unifi IN A 87.255.21.209
* IN CNAME ghs.google.com.
www IN CNAME ghs.google.com
notes IN CNAME ghs.google.com.
mail IN CNAME ghs.google.com.
webdav IN CNAME wiki
home IN CNAME wiki
dr IN CNAME wiki
cat /etc/namedb/master/internal/chroot.ru
$TTL 86400 ; Default TTL
chroot.ru. IN SOA freebsd-93.chroot.ru. dr.chroot.ru. (
2015051001 ; serial
10800 ; Refresh period
3600 ; Retry interval
86400 ; Expire time
10800 ; Negative caching TTL
)
$ORIGIN chroot.ru.
@ IN NS freebsd-93.chroot.ru.
@ IN NS freebsd-named-slave.chroot.ru.
IN MX 1 aspmx.l.google.com.
IN MX 5 alt1.aspmx.l.google.com.
IN MX 10 alt2.aspmx.l.google.com.
IN MX 15 aspmx2.googlemail.com.
dr IN A 192.168.5.4
wiki IN A 192.168.5.26
freebsd-93 IN A 192.168.5.29
freebsd-named-slave IN A 192.168.5.31
chat IN A 192.168.5.33
vbox IN A 192.168.5.100
unifi IN A 192.168.5.125
* IN CNAME ghs.google.com.
www IN CNAME ghs.google.com
notes IN CNAME ghs.google.com.
mail IN CNAME ghs.google.com.
webdav IN CNAME wiki
home IN CNAME wiki
