Im trying to configure DNS server on my virtual computer without internet connection.
I'm using PowerDNS with BIND backend.
Here is my configuration of zone:
$ORIGIN example.com.
$TTL 86400
# IN SOA example2.com. (
2017020401 ; serial
3600 ; refresh
1800 ; retry
604800 ; expire
86400 ) ; minimum TTL
example.com. 172800 IN NS example1.com.
example.com. 172800 IN NS example2.com.
example.com. 172800 IN NS example3.com.
Im testing server with command dig, which looks like this :
root#osboxes:~# dig example.com #127.0.0.1 -p 5301
; <<>> DiG 9.16.1-Ubuntu <<>> example.com #127.0.0.1 -p 5301
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13819
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com. IN A
;; AUTHORITY SECTION:
example.com. 3600 IN SOA example2.com. 2017020401.example.com. 3600 1800 604800 86400 3600
;; Query time: 180 msec
;; SERVER: 127.0.0.1#5301(127.0.0.1)
;; WHEN: Wed Feb 03 16:45:50 EST 2021
;; MSG SIZE rcvd: 96
I want the request to be delegated to other servers example1.com, example2.com and example3.com.
For that, I need to have my NS records in AUTHORITY SECTION of the dig output.
However, its not happening, there is only the SOA record.
I tried to remove the SOA record, but afterwards I have no record in AUTHORITY SECTION.
Can somebody help me solving this problem please? What am I missing?
EDIT : adding configuration
recursor.conf
local-address=0.0.0.0
local-port=5301
allow-from=127.0.0.0/8, 10.0.0.0/8
forward-zones=example.com=127.0.0.1:5300
pdns.conf
launch=bind
bind-config=/etc/powerdns/named.conf
local-address=127.0.0.1
local-port=5300
named.conf
zone "example.com" IN {
type slave; # type of zone
file "/var/lib/powerdns/zone.net"; # location of forward zone file
allow-query { any; };
};
/var/lib/powerdns/zone.net
$ORIGIN example.com.
$TTL 86400
# IN SOA example2.com. (
2017020401 ; serial
3600 ; refresh
1800 ; retry
604800 ; expire
86400 ) ; minimum TTL
example.com. 172800 IN NS example1.com.
example.com. 172800 IN NS example2.com.
example.com. 172800 IN NS example3.com.
EDIT
I'm assuming you're using BIND9. If you are, you need to set minimal-responses to no in your options section. Most likely that's in /etc/bind/named.conf.options, if it's not there, then check /etc/bind/named.conf.
I found this on readthedocs for BIND, scroll down a bit and you'll see minimal-responses highlighted.
END EDIT
The dig query you tried is for example.com type A, which is an IPv4 address. Your zone file doesn't have any A records for example.com, so one thing you could do is add one, for example:
example.com. 172800 IN A 1.2.3.4
Then your dig query for example.com should return 1.2.3.4 in the answer section, and the NS records in the authority section (though that may depend on your DNS server's configuration).
If you add A (or AAAA) records for example1.com, example 2.com, and example3.com and then do your dig command again, you'll probably get those A records in the additional section. (IIRC, that's known as "glue")
Just a little more background, the response you got from your dig query is often called a "No Data" response. That means there's a record for the name you looked up (example.com), but it's a different type (NS) than the one you asked for (A), so it returns a NOERROR rcode with no answer (there's no answer section). If you ask for a name that doesn't exist at all, you'll get the same thing (no answer section), but an NXDOMAIN rcode instead of NOERROR.
Related
I want to use ICMPPING in zabbix as a simple check. I know it uses fping. But I want to override the fping program to do my desired work. fping utility can give me the result of an ICMP request from the system that runs it. I mean it investigates the availability of an IP address from just one server. But I want to use an API which is performed by the use of CURL that returns the results of availability of an IP address from multiple servers. I wrote the program with python and it is working well. But I don't know how to send the result to zabbix! By now it simply produce 1 if the IP is online and 0 if it is offline. I think I should submit the result in a JSON like format, but I do not know the right syntax!! I formerly wrote a script for discovering LVM partitions and submit the result with the following JSON synax: {"data":[{"{#MDNAME}":"md1"},{"{#MDNAME}":"md127"},{"{#MDNAME}":"md2"}]} But I don't know the correct json syntax for the icmpping! Any help is appreciated
It does not use JSON, Zabbix just parses the fping output - you would have to emulate that.
For example, fping output with the default settings and 3 packets sent looks like this:
> fping -C 3 127.0.0.1
127.0.0.1 : [0], 96 bytes, 0.07 ms (0.07 avg, 0% loss)
127.0.0.1 : [1], 96 bytes, 0.06 ms (0.06 avg, 0% loss)
127.0.0.1 : [2], 96 bytes, 0.07 ms (0.06 avg, 0% loss)
We're using CentOS and would like to ban several Asian countries from accessing the entire server. Almost every IP we check which has tried to hack into our server is allocated to an Asian country (Russia, China, Pakistan, etc.)
We have an IP to country MySQL database we can efficiently query and would like to try something like:
-A INPUT -p tcp -m tcp --dport 80 -j /path/to/perlscript.pl
The script would need the IP passed in as an argument, then it would return either an ACCEPT or DROP target?
Thanks for the answers, here's my follow up.
Do you know if it is possible though? Having a rule point to a script which returns a target? (ACCPET/DROP)
Not entirely sure how ipset works, will have to experiment I guess, but it looks like it creates a single rule. How would it handle Russia for example, which has over 6000 ranges assigned to it? And we want to add probably 20 - 40 countries in total, so we could end up needing to add in excess of 100,000 ranges. Wouldn't the overhead of a single MySQL query be less taxing?
SELECT country FROM ip_countries WHERE $VAR{ip} >= range1 && $VAR{ip} <= range2
The database we use is freely available here : http://software77.net/geo-ip/
It represents IPs in the database by converting the IP to a number using this formula :
$VAR{numberedIP} = $octs[3] + ($octs[2] * 256) + ($octs[1] * 256 * 256) + ($octs[0] * 256 * 256 * 256);
It will store the start of the range in the "range1" column, and the end of the range in the "range2" column.
So you can see how we'd look up an IP using the above query. Literally takes less than a hundredth of a second to get a result and it's quite accurate. We have one website on a dedicated server, quite low traffic. But as with all servers I have ever checked, this one is hit daily by hackers' robots, checking email accounts, FTP accounts etc. And just about every web server I've ever worked on is compromised sooner or later. In our case, 99.99% of traffic from Asian countries has criminal intent attached to it.
We'd like this to run via iptables so that all ports are covered, not just HTTP for example by using directives in say .htaccess.
Do you think ipset would still be faster and more efficient?
It would be far too slow to launch perl for every matching packet. The right tool for this sort of thing is ipset, and there is much more information and documentation available on the ipset man page.
In CentOS you can install it with yum. Naturally, all of these commands and the script need to run as root:
# yum install ipset
Next install the kernel modules (you'll want this to happen at boot as well):
# modprobe -v ipset ip_set_hash_netport
And then use a script like the following to populate an ipset and block IP's from its ranges using iptables:
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;
my $dbh = DBI->connect('... your DSN ...',...);
# I have no knowledge of your schema, but if you can pull the
# address range in the form: AA.BB.CC.DD/NN
my $ranges = $dbh->selectcol_arrayref(
q{SELECT cidr FROM your_table WHERE country_code IN ('CN',...)});
`ipset create geoblock hash:netport`;
for (#$ranges) {
# to match on port 80:
`ipset add geoblock $_,80`;
}
`iptables -I INPUT -m set --set geoblock src -j DROP`;
If you would like to block all ports rather than just 80, use the ip_set_hash_net module instead of ip_set_hash_netport, change hash:netport to hash:net, and remove ,80 from the ipset command.
I would like to connect my linux board to an access point (i.e mobile phone) by using wpa_supplicant.
My mobile phone ap is configured with WPA (AES) security.
I modified the wpa_supplicant.conf as follow :
ctrl_interface=DIR=/var/run/wpa_supplicant
network={
ssid="HTC"
psk="mypasswd"
scan_ssid=1
proto=WPA2
key_mgmt=WPA-PSK
pairwise=CCMP TKIP
group=CCMP TKIP
priority=5
}
I set to up the mlan0 and launch wpa_supplicant as follow
root#root:~# wpa_supplicant -i mlan0 -c /etc/wpa_supplicant.conf
Successfully initialized wpa_supplicant
root#root:~# rfkill: Cannot open RFKILL control device
[ 2113.867283] IPv6: ADDRCONF(NETDEV_UP): mlan0: link is not ready
[ 2113.999385] wlan: mlan0 START SCAN
mlan0: CTRL-EVENT-SCAN-STARTED
[ 2116.924881] wlan: SCAN COMPLETED: scanned AP count=9
mlan0: Trying to associate with 84:7a:88:50:b0:a7 (SSID='HTC' freq=2437 MHz)
[ 2116.954134] ASSOC_RESP: Association Failed, status code = 17, error = 0x411, a_id = 0x0
[ 2116.962280] IOCTL failed: 9a8db800 id=0x20000, sub_id=0x20001 action=1, status_code=0x4110011
mlan0: CTRL-EVENT-ASSOC-REJECT status_code=1
[ 2117.073403] wlan: mlan0 START SCAN
mlan0: CTRL-EVENT-SCAN-STARTED
...
But connection is never established.
Just from looking at the wpa_supplicant output, it is clear that there are no problems with your interfaces mlan/wlan or your IP, as suggested by other responders.
Just to explain the output:
[ 2113.999385] wlan: mlan0 START SCAN
mlan0: CTRL-EVENT-SCAN-STARTED
[ 2116.924881] wlan: SCAN COMPLETED: scanned AP count=9
mlan0: Trying to associate with 84:7a:88:50:b0:a7 (SSID='HTC' freq=2437 MHz)
The above means that:
wpa_supplicant launched successfully.
wpa_supplicant started a wireless scan of nearby BSS's (Basic Service Set).
wpa_supplicant found 9 nearby BSS's, one of them is 'HTC'.
wpa_supplicant started an association sequence with 'HTC' on 2437 Mhz frequency i.e. channel 6.
So, what went wrong???
[ 2116.954134] ASSOC_RESP: Association Failed, status code = 17, error = 0x411, a_id = 0x0
You got error code 17 - Association denied because AP is unable to handle additional associated stations. Will happen if you run out of AIDs on the AP(Access Point).
One of the bellow is probably true:
Your AP is a Hotspot with limited number of stations or you are using an inferior AP that doesn't support enough stations.
You tried to connect to very busy Access Point
So, my solutions are:
Try to configure your AP to enable larger number of stations.
Try to connect to different network to see if the problem reproduces.
If your AP configurations are OK and it is not very busy (low number of associated stations), this might be indicative of a problem. You won't be able to connect any new station. I'd suggest AP reboot.
try to give static IP to your board on the same subnet as your phone having.
rfkill: Cannot open RFKILL control device
I got the same error message when
forgot to plug in the WiFi dongle
the interface specified in -i flag does not exist.
(And maybe it's not "mlan0", it's "wlan0"?)
In the second case, try to modify your command from
wpa_supplicant -i mlan0 -c /etc/wpa_supplicant.conf
to
wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
Improve this question
I'm running a mail server with CentOS 6.5 / Exim 4.72 / Dovecot 2.0.9, and have the following problem: when I send emails, from Thunderbird, say from the address me#mydomain.com, the email is delivered with the following headers (extract):
Return-path: <"me#mydomain.com"#mydomain.com>
Envelope-to: me#mydomain.com
...
Received: from host86-128-154-245.range86-128.btcentralplus.com ([86.128.154.245] helo=asus-i7.banchory)
by mail.mydomain.com with esmtpsa (UNKNOWN:AES128-SHA:128)
(Exim 4.72)
(envelope-from <"me#mydomain.com"#mydomain.com>)
id 1Xjdoz-0005Zt-7M; Thu, 30 Oct 2014 01:42:37 +0100
Message-ID: <54518978.6010305#mydomain.com>
...
From: Kalenz <me#mydomain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0
...
Sender: "me#mydomain.com"#mydomain.com
You can probably see what it's doing wrong: everywhere it says "me#mydomain.com"#mydomain.com it should actually be saying me#mydomain.com. I don't know why it is doing that.
Most recipients accept this anyway, but a few more conservative mail hosts will reject these messages. Replies arrive ok 99% of the time; sometimes they cite my original message as being from: "me#mydomain.com"#mydomain.com On Behalf Of me#mydomain.com.
I don't think it's Thunderbird, because this is not a problem with other mail servers (i.e., other addresses) from the same client.
From the Exim log (same message):
2014-10-30 01:42:37 1Xjdoz-0005Zt-7M <= "me#mydomain.com"#mydomain.com H=host86-128-154-245.range86-128.btcentralplus.com (asus-i7.banchory) [86.128.154.245] P=esmtpsa X=UNKNOWN:AES128-SHA:128 A=dovecot_plain:me#mydomain.com S=30908 id=54518978.6010305#mydomain.com
2014-10-30 01:42:38 1Xjdoz-0005Zt-7M => me <me#mydomain.com> R=dovecot_virtual_router T=dovecot_virtual_transport
2014-10-30 01:42:38 1Xjdoz-0005Zt-7M => otherguy#hisdomain.com <otherguy#hisdomain.com> R=dnslookup T=remote_smtp H=mail.hisdomain.com [12.34.56.78] X=TLSv1:DHE-RSA-AES256-SHA:256
2014-10-30 01:42:38 1Xjdoz-0005Zt-7M Completed
(That second line is a BCC to self.)
As you can see, Exim uses the Dovecot authenticator, and in the log file reports the correct user name at A=dovecot_plain:me#mydomain.com.
From /etc/exim.conf:
# Host's fully qualified canonical name
primary_hostname = mail.mydomain.com
# Our own mail domains:
domainlist local_domains = # : localhost : localhost.localdomain : mydomain.com : otherdomain.com
# The domain to add to all unqualified addresses (defaults to primary_hostname):
qualify_domain = mydomain.com
...
# Dovecot authenticators ref. http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_dovecot_authenticator.html
dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1
There are no rewrite rules in exim.conf.
From Dovecot configuration in /etc/dovecot/conf.d/10-auth.conf:
# Default realm/domain to use if none was specified.
# This is used for both SASL realms and appending #domain to username in plaintext logins.
auth_default_realm = mydomain.com
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey gss-spnego
auth_mechanisms = plain
...
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#!include auth-system.conf.ext
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext
I did try blanking out auth_default_realm, but that did not help.
Then to /etc/dovecot/conf.d/auth-passwdfile.conf.ext:
# cat auth-passwdfile.conf.ext
# Authentication for passwd-file users. Included from auth.conf.
# Note: if the user logs in as "billy#domain.com", then %u="billy#domain.com" and %n="billy".
passdb {
driver = passwd-file
args = username_format=%u /path/to/passdb
}
userdb {
driver = passwd-file
args = username_format=%u /path/to/passdb
}
And entries in that passdb file look like this:
me#mydomain.com:{SHA512-CRYPT}[~~~]:dovecot:mail::/srv/mail/mydomain.com/me::
(N.B., I edited out the password hash, at [~~~].)
And this is where I'm stuck. I don't see Dovecot doing anything wrong (in any case, mail reception and POP/IMAP work fine), so I suspect an error in my Exim configuration.
I imagine I could put together a rewrite rule in Exim to fix the outgoing message headers, but I would rather get to the source of the problem. Any advice?
Sounds like an identical question is answered here (coincidentally, also by me) :
https://serverfault.com/questions/617712/exim-appending-hostname-to-fully-qualified-sender-address/618398#618398
https://serverfault.com/questions/502868/exim-virtual-domains-vs-main-domain-rewriting-rules/502894#502894
I have a java program which sends a results (as seen in a console) via HTTP to a browser. The real results are nicely formatted by tabs and newlines, as seen below:
./src/yse4 : The YSE emulator in use
[-w] - [w]rap around at tracefile end and begin anew at time zero.
[-f filename] - [-f tracefile to use from]
/home/Downloads/yse.wzt/tracefiles/capacity.3Mbps_400RTT_PER_0.0001.txt
File name: tracefiles/capacity.3Mbps_400RTT_PER_0.0001.txt
200 Forwarding Delay (ms)
200 Reversed Delay (ms)
3000000 Download Capacity (Mbps)
3000000 Upload Capacity (Mbps)
0.0001 Packet Error Rate (PER)
at=eth1
an=eth0
But when I send it as HTML, of course it does not recognize tabs and newlines. I manually add <br> at the end of each line, but still tabs are missing, and the browser shows it as below:
./src/yse4 : The YSE emulator in use
[-w] - [w]rap around at tracefile end and begin anew at time zero.
[-f filename] - [-f tracefile to use from]
/home/Downloads/yse.wzt/tracefiles/capacity.3Mbps_400RTT_PER_0.0001.txt
File name: tracefiles/capacity.3Mbps_400RTT_PER_0.0001.txt
200 Forwarding Delay (ms)
200 Reversed Delay (ms)
3000000 Download Capacity (Mbps)
3000000 Upload Capacity (Mbps)
0.0001 Packet Error Rate (PER)
at=eth1
an=eth0
How can I format it as HTML to be seen nicely? Maybe any library exists for that?
You can return an HTML Table containing two rows and format the table as you want
HTML Table