[MaraDNS list] Configuring MaraDNS and Deadwood to work together

Harlan H. Bloom harlan at bloomenterprises.org
Sat Oct 8 14:38:02 EDT 2011


Thanks Sam!

That seems to have digs working correctly now!

Harlan...

----- Original Message -----
From: "Sam Trenholme" <strenholme.usenet at gmail.com>
To: "maradns list" <list at maradns.org>
Sent: Saturday, October 8, 2011 10:46:32 AM
Subject: Re: [MaraDNS list] Configuring MaraDNS and Deadwood to work together

Oh, yeah, that's right.  Your VPN addresses, of course, will be
RFC1918 addresses.

Please add the following line to your dwood3rc file:

filter_rfc1918 = 0

This should solve your problem.  If it doesn't, please let us know.  I
really need to make this a FAQ; you're the second person on this list
to have this issue.

The reason why we filter these IPs is because there are some
interesting Javascript cross-site-scripting security exploits that
have been done by having a given host name resolve to a local IP like
"192.168.1.1".  I don't know if black hats in the wild do it, or if
newer browsers have protection, but it's a known academic attack.

- Sam

2011/10/7 Harlan H. Bloom <harlan at bloomenterprises.org>:
> Hi Sam,
>  This suggestion didn't work either.  I have several runs of dig below.
>
> Thanks,
>
> Harlan...
>
> dwoodrc:
> bind_address="127.0.0.1" # IP we bind to
> chroot_dir = "/etc/maradns" # Directory we run program from (not used in Win32)
>
> root_servers = {}
> root_servers["."]="198.41.0.4, 192.228.79.201, 192.33.4.12, 128.8.10.90,"
> root_servers["."]+="192.203.230.10, 192.5.5.241, 192.112.36.4, 128.63.2.53, "
> root_servers["."]+="192.36.148.17, 192.58.128.30, 193.0.14.129, 199.7.83.42, "
> root_servers["."]+="202.12.27.33"
> root_servers["vpn."]="127.0.0.2"
> recursive_acl = "127.0.0.1/16" # Who is allowed to use the cache
>
> maxprocs = 8 # Maximum number of pending requests
> handle_overload = 1 # Send SERVER FAIL when overloaded
>
> maradns_uid = 99 # UID Deadwood runs as
> maradns_gid = 99 # GID Deadwood runs as
>
> maximum_cache_elements = 60000
>
> cache_file = "dw_cache"
> resurrections = 1
>
> mararc:
> hide_disclaimer="YES"
>
> csv2 = {}
> csv2["vpn."] = "db.vpn"
>
> ipv4_bind_addresses = "127.0.0.2"
> chroot_dir = "/etc/maradns"
>
> command:
> dig @127.0.0.1 mail.vpn
>
> output:
> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 mail.vpn
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62025
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;mail.vpn.                      IN      A
>
> ;; AUTHORITY SECTION:
> mail.vpn.               0       IN      SOA     z.mail.vpn. y.mail.vpn. 1 1 1 1 1
>
> ;; Query time: 1 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Oct  7 23:10:35 2011
> ;; MSG SIZE  rcvd: 66
>
> command:
> dig @127.0.0.2 mail.vpn
>
> what output should be:
> ; <<>> DiG 9.7.3 <<>> @127.0.0.2 mail.vpn
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21770
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;mail.vpn.                      IN      A
>
> ;; ANSWER SECTION:
> mail.vpn.               86400   IN      CNAME   mailtmp1.vpn.
> mailtmp1.vpn.           86400   IN      A       10.8.1.25
>
> ;; AUTHORITY SECTION:
> vpn.                    86400   IN      NS      synth-ip-7f000002.vpn.
>
> ;; ADDITIONAL SECTION:
> synth-ip-7f000002.vpn.  86400   IN      A       127.0.0.2
>
> ;; Query time: 1 msec
> ;; SERVER: 127.0.0.2#53(127.0.0.2)
> ;; WHEN: Fri Oct  7 23:17:39 2011
> ;; MSG SIZE  rcvd: 113
>
> command:
> dig @127.0.0.1 www.yahoo.com
>
> output:
> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 www.yahoo.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51381
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.yahoo.com.                 IN      A
>
> ;; ANSWER SECTION:
> www.yahoo.com.          3542    IN      CNAME   fp3.wg1.b.yahoo.com.
> fp3.wg1.b.yahoo.com.    3542    IN      CNAME   any-fp3-lfb.wa1.b.yahoo.com.
> any-fp3-lfb.wa1.b.yahoo.com. 3542 IN    CNAME   any-fp3-real.wa1.b.yahoo.com.
> any-fp3-real.wa1.b.yahoo.com. 3542 IN   A       67.195.160.76
> any-fp3-real.wa1.b.yahoo.com. 3542 IN   A       209.191.122.70
> any-fp3-real.wa1.b.yahoo.com. 3542 IN   A       98.139.180.149
>
> ;; Query time: 1 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Oct  7 23:19:41 2011
> ;; MSG SIZE  rcvd: 160
>
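The behaviour Sam describes above (Deadwood dropping answers that resolve to RFC 1918 space unless `filter_rfc1918 = 0` is set, which is why the first dig against 127.0.0.1 came back with an empty ANSWER section while the `vpn.` zone hands out 10.8.1.25) can be modelled with a few lines of Python. This is an added illustration, not Deadwood's own code: Deadwood is written in C and its exact reply handling is not reproduced here. The record tuples below are constructed from the dig output in the thread, the `dwood3rc` fragments are constructed, and the rule "empty the answer section if any A record is private" is a simplified model of the filter.

```python
"""Model of Deadwood's RFC 1918 answer filter (added example, not Deadwood source).

Shows why filter_rfc1918 (default on) hides a VPN zone that resolves to
10.x.x.x, and why the public www.yahoo.com answer passes either way.
All sample data below is constructed from the dig output in the thread.
"""
import ipaddress
import re

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed from the "what output should be" dig run against 127.0.0.2.
VPN_ANSWER = [
    ("mail.vpn.", 86400, "CNAME", "mailtmp1.vpn."),
    ("mailtmp1.vpn.", 86400, "A", "10.8.1.25"),
]

# Constructed from the www.yahoo.com dig run (public addresses).
YAHOO_ANSWER = [
    ("www.yahoo.com.", 3542, "CNAME", "fp3.wg1.b.yahoo.com."),
    ("any-fp3-real.wa1.b.yahoo.com.", 3542, "A", "67.195.160.76"),
    ("any-fp3-real.wa1.b.yahoo.com.", 3542, "A", "209.191.122.70"),
]


def is_rfc1918(addr):
    """True when addr lies in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def read_filter_setting(dwood3rc_text):
    """Return the filter_rfc1918 value from a dwood3rc fragment.

    When the line is absent the Deadwood default (1, filtering on) applies,
    which is the situation Harlan's posted dwood3rc was in.
    """
    m = re.search(r"^\s*filter_rfc1918\s*=\s*(\d+)", dwood3rc_text, re.M)
    return int(m.group(1)) if m else 1


def filter_answer(records, filter_rfc1918):
    """Simplified model of the filter: with filtering on, an answer section
    containing any A record in RFC 1918 space is emptied (the client sees
    NOERROR with ANSWER: 0, as in the thread); with filtering off, or when
    all A records are public, the answer passes through unchanged."""
    if not filter_rfc1918:
        return list(records)
    private = [r for r in records if r[2] == "A" and is_rfc1918(r[3])]
    return [] if private else list(records)


def resolve_through_cache(records, dwood3rc_text):
    """Apply the filter as configured by the given dwood3rc fragment."""
    return filter_answer(records, read_filter_setting(dwood3rc_text))


if __name__ == "__main__":
    # Constructed fragments: Harlan's original file, then Sam's fix applied.
    before = 'bind_address="127.0.0.1"\nrecursive_acl = "127.0.0.1/16"\n'
    after = before + "filter_rfc1918 = 0\n"
    print("vpn before fix:", resolve_through_cache(VPN_ANSWER, before))
    print("vpn after fix: ", resolve_through_cache(VPN_ANSWER, after))
    print("yahoo, default:", resolve_through_cache(YAHOO_ANSWER, before))
```

The trade-off the model makes visible: turning the filter off restores internal names that legitimately live in private space, but it also removes the protection against public names being pointed at addresses inside your own network, so it belongs on a cache that only serves hosts which need the VPN zone (here, `recursive_acl` already restricts it to loopback).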

