DNS Resolver



Utilizzo

infrastruttura di resolver DNS per dyndns.it

architettura

2 director (uno MASTER e uno di BACKUP tramite VRRP/keepalived) che detengono tutti gli IP virtuali del servizio; N real server ("slave") che rispondono effettivamente alle query.

l'architettura di bilanciamento è del tipo Direct Routing (DR): il director riceve solo le richieste e le inoltra ai real server, che rispondono direttamente al client usando il VIP come sorgente. Per questo ogni real server deve avere il VIP configurato su un'interfaccia che non risponde ad ARP (tipicamente lo, con arp_ignore/arp_announce impostati), altrimenti le risposte partono con l'indirizzo sbagliato.


Director Configuration

Software installed on the director:

packages installation

yum install keepalived ipvsadm

network configuration

nothing special: keepalived adds and removes the virtual IPs on the fly (VRRP failover), so they are not configured statically in the interface files

iptables configuration

limit DNS requests - sol A (untested)

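#!/bin/bash
# Per-source rate limit for inbound UDP DNS queries on the director,
# built on the iptables "recent" match.  Two sliding windows are kept
# per source address:
#   - at most RQS queries in any 1-second window  (recent list DNSQF)
#   - at most RQF queries in any 5-second window  (recent list DNSHF)
# Queries above either threshold are DROPped; everything else falls
# through to the rest of INPUT (this script never ACCEPTs anything).
# Only UDP/53 is covered -- TCP/53 is not limited here.
#
# The rules live in a chain owned by this script, so re-running it
# replaces only these rules.  The previous version ran "iptables --flush",
# which empties every chain of the filter table on the host, including
# the RH-Firewall-1-INPUT chain that carries the rest of the firewall.

# Requests per second
RQS="15"

# Requests per 5 seconds
RQF="50"

# Chain owned by this script
CHAIN="DNS_RATELIMIT"

# xt_recent keeps at most ip_pkt_list_tot timestamps per address (20 by
# default) and iptables rejects a --hitcount larger than that, so the
# 5-second window (RQF=50) needs the module loaded with a bigger table.
# The parameter is load-time only: if the module is already loaded with
# the default, put "options xt_recent ip_pkt_list_tot=50" in
# /etc/modprobe.d/ and reload it.  (Older kernels name it ipt_recent.)
if ! grep -q '^xt_recent ' /proc/modules; then
    modprobe xt_recent ip_pkt_list_tot="${RQF}"
fi
list_tot=$(cat /sys/module/xt_recent/parameters/ip_pkt_list_tot 2>/dev/null || echo 0)
if [ "${list_tot}" -lt "${RQF}" ]; then
    echo "xt_recent ip_pkt_list_tot=${list_tot} is below RQF=${RQF}; fix the modprobe options and reload the module" >&2
    exit 1
fi

# (Re)create our chain and hook it into INPUT exactly once.
iptables -N "${CHAIN}" 2>/dev/null
iptables -F "${CHAIN}"
if ! iptables -nL INPUT | grep -qw "${CHAIN}"; then
    iptables -I INPUT -p udp --dport 53 -j "${CHAIN}"
fi

# Check first, then record.  --update counts only the timestamps already
# stored, so exactly RQS (resp. RQF) queries pass per window and the
# next one is dropped; a dropped query still refreshes the entry, so a
# source that keeps flooding stays blocked.  The previous order (--set
# before --update) counted the current packet too and dropped the 15th.
# On a DR director the replies never come back through this box, so
# presumably every query is conntrack state NEW and gets counted.
iptables -A "${CHAIN}" -m state --state NEW -m recent --name DNSQF --rsource --update --seconds 1 --hitcount "${RQS}" -j DROP
iptables -A "${CHAIN}" -m state --state NEW -m recent --name DNSHF --rsource --update --seconds 5 --hitcount "${RQF}" -j DROP
iptables -A "${CHAIN}" -m state --state NEW -m recent --name DNSQF --rsource --set
iptables -A "${CHAIN}" -m state --state NEW -m recent --name DNSHF --rsource --set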

limit DNS requests - sol B (production)

# Per-source rate limit on the director (iptables-restore fragment for
# the RH-Firewall-1-INPUT chain).  Each source address may send at most
# 10 DNS queries per second (plus the hashlimit default burst of 5);
# anything above that is DROPped.
# Both rules use the same --hashlimit-name, so TCP and UDP draw from ONE
# shared bucket per address, not 10/s each.
# Caveats: all clients behind one NAT share a single budget, so a busy
# customer site can be throttled; DROP on TCP/53 leaves such clients
# waiting for a timeout (REJECT --reject-with tcp-reset fails fast).
# Memory grows with the number of distinct sources -- bound it with
# --hashlimit-htable-max / --hashlimit-htable-expire if the table fills.
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -m hashlimit --hashlimit 10/sec --hashlimit-mode srcip --hashlimit-name rate_53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -m hashlimit --hashlimit 10/sec --hashlimit-mode srcip --hashlimit-name rate_53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j DROP

solution B keeps one hash-table entry per distinct source address (xt_hashlimit), so it needs more kernel memory than solution A and its table size must be bounded (--hashlimit-htable-max / --hashlimit-htable-size).

keepalived configuration

# keepalived on the director: VRRP for the service VIP plus the two IPVS
# virtual servers (UDP and TCP on port 53) in Direct Routing mode.
# NOTE(review): this is the MASTER side only.  The second director needs
# the same file with "state BACKUP" and a lower priority; it is not shown
# on this page.
global_defs {
   notification_email {
     fabrizio.frosali@impulso.it
   }
   # Still the placeholder from the keepalived sample config; set a real
   # sender address or alert mails may be rejected by the SMTP server.
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id PROXYDNS_DEVEL
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    # Must be unique on the L2 segment: any other VRRP speaker using id 51
    # (the sample-config default) on this LAN will fight over the VIP.
    virtual_router_id 51
    priority 100
    advert_int 1
    # auth_type PASS puts the password in cleartext in every advertisement,
    # and this value is published on this page.  It only prevents accidental
    # misconfiguration, not a hostile host on the same segment: treat the
    # secret as disclosed and rotate it, and filter VRRP (IP protocol 112)
    # from untrusted sources at the edge.
    authentication {
        auth_type PASS
        auth_pass aiaosidh0
    }
    virtual_ipaddress {
        109.232.88.22
    }
}

# UDP/53 on the VIP.  Direct Routing: the director only forwards requests;
# each real server must also hold the VIP (e.g. on lo, with ARP
# suppression) so that replies leave with the right source address.
virtual_server 109.232.88.22 53 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    protocol UDP

    real_server 109.232.88.4 53 {
        weight 1
        # Health check is a TCP connect to port 53: a server whose UDP
        # listener is broken but still accepts TCP stays in rotation.
        # Newer keepalived releases have a DNS_CHECK that sends a real
        # query, which is presumably a better fit for this service.
        TCP_CHECK {
                connect_timeout 2
        }
    }

    real_server 109.232.88.3 53 {
        weight 1
        TCP_CHECK {
                connect_timeout 2
        }
    }   
}
# TCP/53 on the same VIP and real servers (zone transfers / large answers
# fall back to TCP, so it must be balanced as well).
virtual_server 109.232.88.22 53 {
    delay_loop 6
    lb_algo rr
    lb_kind DR
    protocol TCP

    real_server 109.232.88.4 53 {
        weight 1
        TCP_CHECK {
                connect_timeout 2
        }
    }

    real_server 109.232.88.3 53 {
        weight 1
        TCP_CHECK {
                connect_timeout 2
        }
    }  
}

DNS server configuration

network configuration

socket buffers (sysctl settings, e.g. in /etc/sysctl.conf):

# Socket buffer limits on the resolver hosts.
# rmem_max/wmem_max only raise the ceiling an application may request via
# SO_RCVBUF/SO_SNDBUF; a socket that does not ask gets rmem_default /
# wmem_default (256 KiB).  Unbound must be told to use the larger buffer
# (so-rcvbuf / so-sndbuf in unbound.conf) for the 8 MiB ceiling to matter.
net.core.rmem_max=8388608
net.core.wmem_max=8388608
net.core.rmem_default=262144
net.core.wmem_default=262144

# NOTE(review): udp_mem is measured in PAGES, not bytes.  8388608 pages is
# 32 GiB with 4 KiB pages and the max value 16777216 is 64 GiB; these look
# like byte values copied into a page-count setting, and the practical
# effect is that UDP memory-pressure handling never engages.  Confirm
# against the box's RAM before keeping them.
net.ipv4.udp_mem=8388608 12582912 16777216
# Minimum receive/send buffer (bytes) each UDP socket is guaranteed
# under memory pressure.
net.ipv4.udp_rmem_min=16384
net.ipv4.udp_wmem_min=16384

unbound conf

# Local data served by this resolver instead of the public DNS answer.
# A "redirect" zone answers the zone name AND every name below it with the
# local-data given for the apex, so e.g. every *.dyndns.org name resolves
# to 81.29.198.108 for any client using this resolver.  These entries
# override third-party zones for all clients: keep the list reviewed and
# the reason for each entry documented, and remember that a client doing
# its own DNSSEC validation will reject such answers for signed zones.
#my localdata
local-zone: "dyndns.org" redirect
local-data: "dyndns.org A 81.29.198.108"
local-zone: "dyndns.com" redirect
local-data: "dyndns.com A 81.29.198.108"
local-zone: "checkip.dyndns.org" redirect
local-data: "checkip.dyndns.org A 81.29.198.109"
local-zone: "checkip.dyndns.com" redirect
local-data: "checkip.dyndns.com A 81.29.198.109"
local-zone: "checkip.dyn.com" redirect
local-data: "checkip.dyn.com A 81.29.198.109"

#noip
local-zone: "dynupdate.no-ip.com" redirect
local-data: "dynupdate.no-ip.com A 81.29.198.108"

#redirect broken services
local-zone: "cmyip.com" redirect
local-data: "cmyip.com A 81.29.198.109"
local-zone: "findmyip.com" redirect
local-data: "findmyip.com A 81.29.198.109"

#shat.net 20140612
local-zone: "shat.net" redirect
local-data: "shat.net A 81.29.198.109"
local-zone: "ipid.shat.net" redirect
local-data: "ipid.shat.net A 81.29.198.109"

#deny
# NOTE(review): the next two entries are not denials.  They pin every name
# under the zone (www, whois, ...) to one hard-coded address, which will
# silently break when the owner renumbers.  If the intent is to block,
# "static" (NXDOMAIN) or "refuse" says so explicitly instead of serving a
# stale copy of someone else's record.
local-zone: "ripe.net" redirect
local-data: "ripe.net A 193.0.6.139"
local-zone: "doc.gov" redirect
local-data: "doc.gov A 170.110.225.194"
# 0.0.0.0 sinkholes: clients get an unroutable address rather than an error.
local-zone: "zapto.org" redirect
local-data: "zapto.org A 0.0.0.0"
local-zone: "directdat.asia" redirect
local-data: "directdat.asia A 0.0.0.0"
# NOTE(review): NS rdata is a host name, not an address.  This record is
# accepted and served as NS "0.0.0.0." which nothing can follow; it is
# presumably a leftover and can be dropped.
local-data: "directdat.asia NS 0.0.0.0"
# NOTE(review): the redirect zones from here down to fkfkfa.com carry no
# local-data, so presumably they yield a negative answer (NXDOMAIN/NODATA)
# rather than an address -- confirm with unbound-host before relying on
# it.  "com.ua" matches every Ukrainian .com.ua domain, which is likely
# far wider than intended.
local-zone: "directedat.asia" redirect
local-zone: "1rip.com" redirect
local-zone: "ddos.cat" redirect
local-zone: "com.ua" redirect
local-zone: "mydnsscan.us" redirect
local-zone: "lineage2-game.ru" redirect 
local-zone: "sema.cz" redirect
local-zone: "qha.cc" redirect
local-zone: "fkfkfa.com" redirect
# "deny" drops the query with no reply at all, so a client retries until
# it times out.  For names that legitimate users may look up (isc.org,
# infoblox.com, httrack.com) "refuse" or "static" answers immediately
# and is the friendlier way to block.
local-zone: "fkfkfkfa.com" deny
local-zone: "isc.org" deny
local-zone: "9aq.com" deny
local-zone: "n876.com" deny
local-zone: "jd176.com" deny
local-zone: "192cq.com" deny
local-zone: "dafa888678.com" deny
local-zone: "lyxxz.com" deny
local-zone: "ohhr.ru" deny
local-zone: "httrack.com" deny
local-zone: "1x1.cz" deny
local-zone: "infoblox.com" deny
local-zone: "app-softwares.com" deny
local-zone: "amplists.com" deny
