
DNS Server Scripts

The requirement is to be able to switch between DNS providers depending on the service being used, and to trigger this switch from the browser. I generally use Unlocator as it lets me access BBC iPlayer from outside the UK; however, some services such as Amazon Prime don’t work with Unlocator, so I sometimes have to switch back to OpenDNS. The approach uses CGI scripts to change the resolv.conf file and restart the DNS server.

Configure dnsmasq to use the upstream DNS servers from a different file.

root@voyage:/etc# cat /etc/dnsmasq.conf

resolv-file=/etc/resolv.conf.dynamic
root@voyage:/etc# cat /etc/default/dnsmasq

IGNORE_RESOLVCONF=yes

The new resolv.conf file is called resolv.conf.dynamic because we will allow the script to overwrite it with a new set of addresses.

root@voyage:/etc# cat /etc/resolv.conf.dynamic
# Upstream resolvers read by dnsmasq (resolv-file=/etc/resolv.conf.dynamic).
# This file is overwritten by the CGI scripts with either the OpenDNS or the
# Unlocator set, so edits made here by hand do not survive a switch.
# NOTE(review): OpenDNS publishes 208.67.222.222 and 208.67.220.220; the
# first octet on the next line (206) looks like a typo — confirm.
#nameserver 127.0.0.1
nameserver 206.67.222.222
nameserver 208.67.220.220

The new resolv.conf file will be overwritten with one of these two files.
File containing the OpenDNS servers:

root@voyage:/etc# cat /etc/resolv.conf.opendns
# OpenDNS resolver set; copied over /etc/resolv.conf.dynamic by setopendns.pl.
# NOTE(review): OpenDNS publishes 208.67.222.222 and 208.67.220.220; the
# first octet on the next line (206) looks like a typo — confirm.
#nameserver 127.0.0.1
nameserver 206.67.222.222
nameserver 208.67.220.220

File containing the Unlocator DNS servers.

root@voyage:/home/lorcan# cat /etc/resolv.conf.unlocator
#nameserver 127.0.0.1
nameserver 185.37.37.37
nameserver 185.37.37.185

CGI script to overwrite resolv.conf.dynamic with the OpenDNS version.

root@voyage:/var/www/cgi-bin# cat setopendns.pl
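#!/usr/bin/perl
use strict;
use warnings;

# CGI endpoint that points dnsmasq at the OpenDNS resolvers by copying
# /etc/resolv.conf.opendns over the resolv-file /etc/resolv.conf.dynamic.
# The root filesystem is normally read-only, so the copy is bracketed by
# remountrw / remountro; all three steps run through sudo under the
# sudoers.d rules for www-data.
#
# NOTE(review): this is reached by a plain GET link from index.html and has
# no authentication or CSRF protection of its own, so anyone who can reach
# the web server can change the router's upstream DNS. Restrict /cgi-bin/
# at the web server or firewall.
# NOTE(review): the sudoers.d listing grants /bin/mount and /bin/sync but
# does not name remountrw / remountro; confirm those wrappers are permitted
# for www-data, otherwise the remount steps fail (reported below).

# Commands in list form: no shell is involved, so arguments are passed
# verbatim, and each exit status is checked instead of being discarded.
my @steps = (
    [ 'sudo', 'remountrw' ],
    [ 'sudo', '/bin/cp', '/etc/resolv.conf.opendns', '/etc/resolv.conf.dynamic' ],
    [ 'sudo', 'remountro' ],
);

print "Content-Type: text/plain", "\n\n";
print "Setting DNS servers to OpenDNS...", "\n";

my $failures = 0;
for my $cmd (@steps) {
    # Keep going after a failure so remountro still runs if cp fails.
    # Details go to the web server error log, not to the client.
    if (system(@$cmd) != 0) {
        print STDERR "setopendns.pl: '@$cmd' failed (wait status $?)\n";
        $failures++;
    }
}

my $outcome = $failures
    ? "Failed: $failures step(s) did not complete, see server log.\n"
    : "Done.\n";
print $outcome;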

CGI script to overwrite resolv.conf.dynamic with the Unlocator version.

root@voyage:/var/www/cgi-bin# cat setunlocatordns.pl
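#!/usr/bin/perl
use strict;
use warnings;

# CGI endpoint that points dnsmasq at the Unlocator resolvers by copying
# /etc/resolv.conf.unlocator over the resolv-file /etc/resolv.conf.dynamic.
# The root filesystem is normally read-only, so the copy is bracketed by
# remountrw / remountro; all three steps run through sudo under the
# sudoers.d rules for www-data.
#
# NOTE(review): this is reached by a plain GET link from index.html and has
# no authentication or CSRF protection of its own, so anyone who can reach
# the web server can change the router's upstream DNS. Restrict /cgi-bin/
# at the web server or firewall.
# NOTE(review): the sudoers.d listing grants /bin/mount and /bin/sync but
# does not name remountrw / remountro; confirm those wrappers are permitted
# for www-data, otherwise the remount steps fail (reported below).

# Commands in list form: no shell is involved, so arguments are passed
# verbatim, and each exit status is checked instead of being discarded.
my @steps = (
    [ 'sudo', 'remountrw' ],
    [ 'sudo', '/bin/cp', '/etc/resolv.conf.unlocator', '/etc/resolv.conf.dynamic' ],
    [ 'sudo', 'remountro' ],
);

print "Content-Type: text/plain", "\n\n";
print "Setting DNS servers to Unlocator...", "\n";

my $failures = 0;
for my $cmd (@steps) {
    # Keep going after a failure so remountro still runs if cp fails.
    # Details go to the web server error log, not to the client.
    if (system(@$cmd) != 0) {
        print STDERR "setunlocatordns.pl: '@$cmd' failed (wait status $?)\n";
        $failures++;
    }
}

my $outcome = $failures
    ? "Failed: $failures step(s) did not complete, see server log.\n"
    : "Done.\n";
print $outcome;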

The web server runs as user www-data, so to allow specific operations as root the commands have to be added to a sudoers.d file.

root@voyage:/home/lorcan# cat /etc/sudoers.d/cgi-permissions
# Commands www-data may run as root without a password, in support of the
# setopendns.pl / setunlocatordns.pl CGI scripts. Install with mode 0440
# and check the syntax with `visudo -c` before relying on it.
# NOTE(review): /bin/mount with no argument list lets www-data mount or
# remount anything as root; pinning the exact remount command line the
# scripts need would limit the grant to that one operation.
www-data ALL= NOPASSWD: /bin/mount
# The two cp rules are pinned to exact source and destination paths, so
# only these two copies are permitted.
www-data ALL= NOPASSWD: /bin/cp /etc/resolv.conf.unlocator /etc/resolv.conf.dynamic
www-data ALL= NOPASSWD: /bin/cp /etc/resolv.conf.opendns /etc/resolv.conf.dynamic
www-data ALL= NOPASSWD: /bin/sync
# Granted but not invoked by the CGI scripts shown; dnsmasq normally notices
# changes to its resolv-file without a restart — confirm before removing.
www-data ALL= NOPASSWD: /etc/init.d/dnsmasq restart

HTML to call the scripts.

root@voyage:/home/lorcan# cat /var/www/index.html
...
<li><a href="/cgi-bin/setunlocatordns.pl">Set Unlocator DNS</a></li>
<li><a href="/cgi-bin/setopendns.pl">Set OpenDNS</a></li>
...

 

 

 

 

 

 


IPv6 on eir

root@voyage:/home/lorcan# more /etc/wide-dhcpv6/dhcp6c.conf
# Default dhpc6c configuration: it assumes the address is autoconfigured using
# router advertisements.
interface ppp0 {
# Identity Association for Prefix Delegation
send ia-pd 0;

# Identity Association for Non-temporary Addresses
# send ia-na 2;

# request domain-name-servers;
# request domain-name;
# script "/etc/wide-dhcpv6/dhcp6c-script";
};

id-assoc pd 0 {
prefix-interface br0 {
# Assign subnet 1 to eth1
sla-id 1;

# IP address “postfix”. if not set it will use EUI-64 address of the interface.
# Combined with SLA-ID’d prefix to create full IP address of interface.
ifid 1;

# Prefix bits assigned.
# Take the prefix size you’re assigned (/48 or /56) and subtract it from 64.
# In my case I was being assigned a /56, so 64-56=8
sla-len 8;
};
};

 

root@voyage:/home/lorcan# more /etc/radvd.conf
interface br0
{
AdvSendAdvert on;
MaxRtrAdvInterval 30;

prefix ::/64
{
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
AdvValidLifetime 300;
AdvPreferredLifetime 120;
};
};

 

 

Defaults for dhcpv6 client initscript
# Used by /etc/init.d/wide-dhcpv6-client

# Interfaces on which the client should send DHCPv6 requests and listen to
# answers. If empty, the client is deactivated.
INTERFACES="ppp0"

 

/etc/ppp/peers/eircom-ipv6

user eircom@eircom.net
pty "/usr/sbin/pppoe -I eth0 -T 80 -m 1452"
noipdefault
usepeerdns
defaultroute
hide-password
lcp-echo-interval 20
lcp-echo-failure 3
connect /bin/true
noauth
persist
mtu 1492
noaccomp
default-asyncmap
plugin rp-pppoe.so eth0
ipparam eircomipv6
+ipv6

root@voyage:/etc/wide-dhcpv6# /etc/init.d/wide-dhcpv6-client status
Status of dhcp6c:
dhcp6c is running.

 

root@voyage:/home/lorcan# /etc/init.d/radvd status
[ ok ] radvd is running.

 

root@voyage:/home/lorcan# ifconfig ppp0
ppp0 Link encap:Point-to-Point Protocol
inet addr:86.44.5.168 P-t-P:95.44.44.1 Mask:255.255.255.255
inet6 addr: fe80::e4f2:9870:6c07:cc39/10 Scope:Link
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:446285 errors:0 dropped:0 overruns:0 frame:0
TX packets:648115 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:66695078 (63.6 MiB) TX bytes:827447912 (789.1 MiB)

 

 

root@voyage:/home/lorcan# ifconfig br0
br0 Link encap:Ethernet HWaddr 00:0d:b9:29:46:fd
inet addr:192.168.11.254 Bcast:192.168.11.255 Mask:255.255.255.0
inet6 addr: fe80::20d:b9ff:fe29:46fd/64 Scope:Link
inet6 addr: 2001:bb6:3a00:1601::1/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:724907 errors:0 dropped:0 overruns:0 frame:0
TX packets:536722 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:838528798 (799.6 MiB) TX bytes:186239015 (177.6 MiB)

 

 

C:\Users\bblab>ipconfig

Windows IP Configuration
Wireless LAN adapter Wireless Network Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:bb6:3a00:1601:70b5:c0b9:8694:128c
Temporary IPv6 Address. . . . . . : 2001:bb6:3a00:1601:14c7:d88b:83b0:20ec
Link-local IPv6 Address . . . . . : fe80::70b5:c0b9:8694:128c%17
IPv4 Address. . . . . . . . . . . : 192.168.11.87
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::20d:b9ff:fe29:46fd%17
192.168.11.254

 

C:\Users\bblab>ping -6 google.com

Pinging google.com [2a00:1450:400c:c02::8a] with 32 bytes of data:
Reply from 2a00:1450:400c:c02::8a: time=35ms
Reply from 2a00:1450:400c:c02::8a: time=39ms
Reply from 2a00:1450:400c:c02::8a: time=39ms
Reply from 2a00:1450:400c:c02::8a: time=34ms

Ping statistics for 2a00:1450:400c:c02::8a:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 34ms, Maximum = 39ms, Average = 36ms

 

root@voyage:/etc/wide-dhcpv6# dhcp6c -fdD ppp0 -c /etc/default/wide-dhcpv6-client
Nov/17/2015 18:02:00: get_duid: extracted an existing DUID from /var/lib/dhcpv6/dhcp6c_duid: 00:01:00:01:1c:14:b9:78:00:0d:b9:29:46:fc
Nov/17/2015 18:02:00: cfdebug_print: <3>comment [# Defaults for dhcpv6 client initscript] (39)
Nov/17/2015 18:02:00: cfdebug_print: <3>comment [# Used by /etc/init.d/wide-dhcpv6-client] (40)
Nov/17/2015 18:02:00: cfdebug_print: <3>comment [# Interfaces on which the client should send DHCPv6 requests and listen to] (74)
Nov/17/2015 18:02:00: cfdebug_print: <3>comment [# answers. If empty, the client is deactivated.] (47)
Nov/17/2015 18:02:00: cfdebug_print: <3>[INTERFACES] (10)
Nov/17/2015 18:02:00: yyerror0: /etc/default/wide-dhcpv6-client 6: syntax error
Nov/17/2015 18:02:00: yyerror0: /etc/default/wide-dhcpv6-client 6: fatal parse failure: exiting (1 errors)
Nov/17/2015 18:02:00: main: failed to parse configuration file
root@voyage:/etc/wide-dhcpv6# dhcp6c -fdD ppp0 -c /etc/wide-dhcpv6/dhcp6c.conf
Nov/17/2015 18:02:25: get_duid: extracted an existing DUID from /var/lib/dhcpv6/dhcp6c_duid: 00:01:00:01:1c:14:b9:78:00:0d:b9:29:46:fc
Nov/17/2015 18:02:25: cfdebug_print: <3>comment [# Default dhpc6c configuration: it assumes the address is autoconfigured using] (78)
Nov/17/2015 18:02:25: cfdebug_print: <3>comment [# router advertisements.] (24)
Nov/17/2015 18:02:25: cfdebug_print: <3>[interface] (9)
Nov/17/2015 18:02:25: cfdebug_print: <5>[ppp0] (4)
Nov/17/2015 18:02:25: cfdebug_print: <3>begin of closure [{] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>comment [# Identity Association for Prefix Delegation] (44)
Nov/17/2015 18:02:25: cfdebug_print: <3>[send] (4)
Nov/17/2015 18:02:25: cfdebug_print: <3>[ia-pd] (5)
Nov/17/2015 18:02:25: cfdebug_print: <3>[0] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>end of sentence [;] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>comment [# Identity Association for Non-temporary Addresses] (50)
Nov/17/2015 18:02:25: cfdebug_print: <3>comment [# send ia-na 2;] (16)
Nov/17/2015 18:02:25: cfdebug_print: <3>comment [# request domain-name-servers;] (30)
Nov/17/2015 18:02:25: cfdebug_print: <3>comment [# request domain-name;] (22)
Nov/17/2015 18:02:25: cfdebug_print: <3>comment [# script “/etc/wide-dhcpv6/dhcp6c-script”;] (42)
Nov/17/2015 18:02:25: cfdebug_print: <3>end of closure [}] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>end of sentence [;] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>[id-assoc] (8)
Nov/17/2015 18:02:25: cfdebug_print: <15>[pd] (2)
Nov/17/2015 18:02:25: cfdebug_print: <15>[0] (1)
Nov/17/2015 18:02:25: cfdebug_print: <15>begin of closure [{] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>[prefix-interface] (16)
Nov/17/2015 18:02:25: cfdebug_print: <5>[br0] (3)
Nov/17/2015 18:02:25: cfdebug_print: <3>begin of closure [{] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>comment [# Assign subnet 1 to eth1] (25)
Nov/17/2015 18:02:25: cfdebug_print: <3>[sla-id] (6)
Nov/17/2015 18:02:25: cfdebug_print: <3>[1] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>end of sentence [;] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>comment [# IP address “postfix”. if not set it will use EUI-64 address of the interface.] (79)
Nov/17/2015 18:02:25: cfdebug_print: <3>comment [# Combined with SLA-ID’d prefix to create full IP address of interface.] (71)
Nov/17/2015 18:02:25: cfdebug_print: <3>[ifid] (4)
Nov/17/2015 18:02:25: cfdebug_print: <3>[1] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>end of sentence [;] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>comment [# Prefix bits assigned.] (23)
Nov/17/2015 18:02:25: cfdebug_print: <3>comment [# Take the prefix size you’re assigned (/48 or /56) and subtract it from 64.] (76)
Nov/17/2015 18:02:25: cfdebug_print: <3>comment [# In my case I was being assigned a /56, so 64-56=8] (51)
Nov/17/2015 18:02:25: cfdebug_print: <3>[sla-len] (7)
Nov/17/2015 18:02:25: cfdebug_print: <3>[8] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>end of sentence [;] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>end of closure [}] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>end of sentence [;] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>end of closure [}] (1)
Nov/17/2015 18:02:25: cfdebug_print: <3>end of sentence [;] (1)
Nov/17/2015 18:02:25: configure_pool: called
Nov/17/2015 18:02:25: clear_poolconf: called
Nov/17/2015 18:02:25: dhcp6_reset_timer: reset a timer on ppp0, state=INIT, timeo=0, retrans=794
Nov/17/2015 18:02:26: client6_send: a new XID (2151ef) is generated
Nov/17/2015 18:02:26: copy_option: set client ID (len 14)
Nov/17/2015 18:02:26: copy_option: set elapsed time (len 2)
Nov/17/2015 18:02:26: copyout_option: set IA_PD
Nov/17/2015 18:02:26: client6_send: send solicit to ff02::1:2%ppp0
Nov/17/2015 18:02:26: dhcp6_reset_timer: reset a timer on ppp0, state=SOLICIT, timeo=0, retrans=1039
Nov/17/2015 18:02:26: client6_recv: receive advertise from fe80::a2f3:e4ff:fe78:8630%ppp0 on ppp0
Nov/17/2015 18:02:26: dhcp6_get_options: get DHCP option server ID, len 10
Nov/17/2015 18:02:26: DUID: 00:03:00:01:a0:f3:e4:78:86:30
Nov/17/2015 18:02:26: dhcp6_get_options: get DHCP option client ID, len 14
Nov/17/2015 18:02:26: DUID: 00:01:00:01:1c:14:b9:78:00:0d:b9:29:46:fc
Nov/17/2015 18:02:26: dhcp6_get_options: get DHCP option IA_PD, len 41
Nov/17/2015 18:02:26: IA_PD: ID=0, T1=21600, T2=36000
Nov/17/2015 18:02:26: copyin_option: get DHCP option IA_PD prefix, len 25
Nov/17/2015 18:02:26: copyin_option: IA_PD prefix: 2001:bb6:3a00:1600::/56 pltime=43200 vltime=43200
Nov/17/2015 18:02:26: dhcp6_get_options: get DHCP option DNS, len 32
Nov/17/2015 18:02:26: client6_recvadvert: server ID: 00:03:00:01:a0:f3:e4:78:86:30, pref=-1
Nov/17/2015 18:02:26: client6_recvadvert: reset timer for ppp0 to 0.981993
Nov/17/2015 18:02:27: select_server: picked a server (ID: 00:03:00:01:a0:f3:e4:78:86:30)
Nov/17/2015 18:02:27: client6_send: a new XID (78ff80) is generated
Nov/17/2015 18:02:27: copy_option: set client ID (len 14)
Nov/17/2015 18:02:27: copy_option: set server ID (len 10)
Nov/17/2015 18:02:27: copy_option: set elapsed time (len 2)
Nov/17/2015 18:02:27: copyout_option: set IA_PD prefix
Nov/17/2015 18:02:27: copyout_option: set IA_PD
Nov/17/2015 18:02:27: client6_send: send request to ff02::1:2%ppp0
Nov/17/2015 18:02:27: dhcp6_reset_timer: reset a timer on ppp0, state=REQUEST, timeo=0, retrans=1090
Nov/17/2015 18:02:27: client6_recv: receive reply from fe80::a2f3:e4ff:fe78:8630%ppp0 on ppp0
Nov/17/2015 18:02:27: dhcp6_get_options: get DHCP option server ID, len 10
Nov/17/2015 18:02:27: DUID: 00:03:00:01:a0:f3:e4:78:86:30
Nov/17/2015 18:02:27: dhcp6_get_options: get DHCP option client ID, len 14
Nov/17/2015 18:02:27: DUID: 00:01:00:01:1c:14:b9:78:00:0d:b9:29:46:fc
Nov/17/2015 18:02:27: dhcp6_get_options: get DHCP option IA_PD, len 41
Nov/17/2015 18:02:27: IA_PD: ID=0, T1=21600, T2=36000
Nov/17/2015 18:02:27: copyin_option: get DHCP option IA_PD prefix, len 25
Nov/17/2015 18:02:27: copyin_option: IA_PD prefix: 2001:bb6:3a00:1600::/56 pltime=43200 vltime=43200
Nov/17/2015 18:02:27: dhcp6_get_options: get DHCP option DNS, len 32
Nov/17/2015 18:02:27: info_printf: nameserver[0] 2001:bb0::1
Nov/17/2015 18:02:27: info_printf: nameserver[1] 2001:bb0::2
Nov/17/2015 18:02:27: get_ia: make an IA: PD-0
Nov/17/2015 18:02:27: update_prefix: create a prefix 2001:bb6:3a00:1600::/56 pltime=43200, vltime=43200
Nov/17/2015 18:02:27: ifaddrconf: failed to add an address on br0: File exists
Nov/17/2015 18:02:27: dhcp6_remove_event: removing an event on ppp0, state=REQUEST
Nov/17/2015 18:02:27: dhcp6_remove_event: removing server (ID: 00:03:00:01:a0:f3:e4:78:86:30)
Nov/17/2015 18:02:27: client6_recvreply: got an expected reply, sleeping.

Smart DNS

Unlocator Smart DNS is an alternative to the VPN solution for BBC iPlayer, which seems to have stopped working.

File containing unlocator DNS servers

cat /etc/resolv.conf.unlocator
#nameserver 127.0.0.1
nameserver 185.37.37.37
nameserver 185.37.37.185

Add line to /etc/dnsmasq.conf

resolv-file=/etc/resolv.conf.unlocator

Monitoring RG using ping script from EC2

This is a script which runs on an Amazon Web Services EC2 instance and pings the RG to see if it is alive. If the ping fails then it sends an e-mail.

[ec2-user@ip-172-31-15-183 ~]$ cat monitor_rgw
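#!/bin/bash
# Ping each host in HOSTS from this EC2 instance and e-mail EMAILID when a
# host does not answer. Run from cron (see the crontab entry), so it must
# not depend on an interactive environment.
# Based on:
# http://www.cyberciti.biz/tips/simple-linux-and-unix-system-monitoring-with-ping-command-and-scripts.html
# -------------------------------------------------------------------------

# add ip / hostname separated by white space
HOSTS="xxxxxxxx.no-ip.org"

# number of echo requests sent per host
COUNT=1

# email report when a host is down
# (SUBJECT is kept for configuration compatibility; the mail subject below
# names the host and the time instead)
SUBJECT="Ping failed"
EMAILID="xxxxxxx@gmail.com"

# mail body; resolved relative to cron's working directory, so an absolute
# path is safer if the script ever moves
BODY_FILE="text"

# word-splitting on $HOSTS is intentional: it is a space-separated list
for myHost in $HOSTS; do
  # Decide on ping's exit status instead of scraping its summary line. When
  # the name does not resolve, ping prints no "received" line at all, the
  # scraped count was empty and "[ -eq 0 ]" errored out, so the test was
  # false and no alert was sent for exactly the case that matters most.
  # ping exits 0 when at least one reply arrived, non-zero otherwise, which
  # matches the original "received == 0" condition.
  if ! ping -c "$COUNT" "$myHost" >/dev/null 2>&1; then
    # 100% failed (or host unresolvable)
    printf 'Subject: %s is down at %s\n' "$myHost" "$(date)" | cat - "$BODY_FILE" \
      | /usr/sbin/sendmail -F ec2-user@ami-t2micro2.com -t "$EMAILID"
  fi
done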

Crontab is set to run the script every 30 minutes

[ec2-user@ip-172-31-15-183 ~]$ crontab -e
# Monitor remote host every 30 minutes using monitor_rgw
*/30 * * * * /home/ec2-user/monitor_rgw

On the RG itself, a firewall entry is inserted to allow ICMP.

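# Without a -j target an iptables rule only counts the packets it matches and
# lets them fall through to the rules that follow, so the ACCEPT is needed for
# the monitor's pings to actually be allowed in on ppp0.
root@voyage:~# iptables -I INPUT 1 -i ppp0 -p icmp -j ACCEPT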

Hard disk

IDE Hard Disk (320GB) is mounted internally using a special bracket. The HDD will store music for the Squeezebox server, so that the router can act as a standalone music server without needing to turn on the PC.

alix-case-1
The HDD is added to the file /etc/fstab

root@voyage:~# cat /etc/fstab
#/dev/hda1       /       ext2    defaults,noatime,rw     0       0
proc            /proc   proc    defaults                0       0
tmpfs                   /tmp    tmpfs   nosuid,nodev                    0               0
#tmpfs           /rw     tmpfs   defaults,size=32M        0       0

### internal hard disk 320GB ###
/dev/hdb1 /media/internal ext3 defaults 1 1

### swap directory for squeezebox ###
/media/internal/swap swap swap defaults 0 0

### external USB disk ###
#/dev/sda4 /media/music ntfs-3g rw,uid=0,gid=0,dmask=0002,fmask=0003 0 0
#/dev/sda3 /media/windows ntfs-3g rw,uid=0,gid=0,dmask=0002,fmask=0003 0 0

The resulting mounts look as follows

root@voyage:~# mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=31112,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=25532k,mode=755)
/dev/disk/by-label/ROOT_FS on / type ext2 (ro,noatime,errors=continue)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,size=127644k)
tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,relatime,size=127644k)
/dev/hdb1 on /media/internal type ext3 (rw,relatime,errors=continue,barrier=1,data=writeback)
tmpfs on /var/log type tmpfs (rw,nosuid,nodev,relatime,size=127644k)
tmpfs on /var/tmp type tmpfs (rw,nosuid,nodev,relatime,size=127644k)
tmpfs on /var/lib/samba type tmpfs (rw,nosuid,nodev,relatime,size=127644k)
tmpfs on /var/cache/ddclient type tmpfs (rw,nosuid,nodev,relatime,size=127644k)

DNS amplification attack

Using OpenDNS has revealed some unusual activity on my network.
dnsattack2
A lot of DNS requests for some dodgy looking domains.
dnsattack
Looks like a DNS amplification attack; read up on it here:
http://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack

Turns out the DNS resolver is open to the Internet. Fix this in the dnsmasq config by setting it to listen on the LAN interface only.

root@voyage:/etc/network/if-up.d# remountrw
root@voyage:/etc/network/if-up.d# vi /etc/dnsmasq.conf

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.

# Only answer on the LAN bridge; queries arriving on ppp0 are discarded.
# NOTE(review): with interface= alone dnsmasq still binds the wildcard
# address and filters by interface; adding bind-interfaces makes it bind
# br0 only, and a firewall rule dropping port 53 on ppp0 adds a second
# layer. Re-check with the open-resolver test below after restarting.
interface=br0

Restart dnsmasq

root@voyage:/etc/network/if-up.d# /etc/init.d/dnsmasq restart

Check it using this site:

http://www.thinkbroadband.com/tools/dnscheck.html

dnsattack3