Tag Archives: linux

OpenWRT: Spinning up Authoritative DNS server

Introduction

During the last few months my small home infrastructure has grown in numbers. First there came a beefy virtualization host with 2x AMD Opteron CPUs and 48 GB RAM, which runs all the labs and is awesome for learning. I named it Sonic after the hedgehog. Then the idea of centralized storage was born, and a Synology DS213J together with 2x WD 3TB REDs came on board; it is packed with features. The ones I use most are Download Station, File Station and the integrated IPsec VPN server.

As the Internet of Things rises, I bought a couple of Raspberry Pis, one of which runs Openelec as a home media center. The others are waiting for new exciting projects that will come soon.

Besides the physical infrastructure, the virtual one has grown even faster, with more and more complex labs. Overall there was a need to manage all this stuff more easily and provide a layer of abstraction, and a home DNS service would make that happen.

After reading a number of resources that explained the basics of DNS, such as the difference between authoritative, caching and forwarding servers, I was confident enough to begin replacing the default combined DHCP+DNS service (dnsmasq) on my home router running Openwrt with more capable software. I chose bind for the job.

Installing packages

The installation process is very easy: first log into your router via SSH. I am running Barrier Breaker 14.07 on a TP-LINK TL-WR941ND. Then, using the package manager, install bind-server, bind-tools and isc-dhcp-server-ipv4.

By default, Openwrt includes the vi text editor; if you are more of a nano person, install that package as well. We will use it to edit the configuration files later.

BusyBox v1.22.1 (2014-09-20 22:01:35 CEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 BARRIER BREAKER (14.07, r42625)
 -----------------------------------------------------
  * 1/2 oz Galliano         Pour all ingredients into
  * 4 oz cold Coffee        an irish coffee mug filled
  * 1 1/2 oz Dark Rum       with crushed ice. Stir.
  * 2 tsp. Creme de Cacao
 -----------------------------------------------------

root@soultrap:~# opkg update
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_base.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/luci/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_luci.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_packages.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/routing/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_routing.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/telephony/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_telephony.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/management/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_management.
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/Packages.gz.
Updated list of available packages in /var/opkg-lists/barrier_breaker_oldpackages.

root@soultrap:~# opkg install bind-server bind-tools
Installing bind-server (9.9.4-1) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/bind-server_9.9.4-1_ar71xx.ipk.
Installing bind-libs (9.9.4-1) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/bind-libs_9.9.4-1_ar71xx.ipk.
Installing libopenssl (1.0.2-1) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/libopenssl_1.0.2-1_ar71xx.ipk.
Installing zlib (1.2.8-1) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/base/zlib_1.2.8-1_ar71xx.ipk.
Installing bind-tools (9.9.4-1) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/bind-tools_9.9.4-1_ar71xx.ipk.
Configuring zlib.
Configuring libopenssl.
Configuring bind-libs.
Configuring bind-tools.
Configuring bind-server.

root@soultrap:~# opkg install isc-dhcp-server-ipv4
Installing isc-dhcp-server-ipv4 (4.2.4-3) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/isc-dhcp-server-ipv4_4.2.4-3_ar71xx.ipk.
Configuring isc-dhcp-server-ipv4.

root@soultrap:~# opkg install nano
Installing nano (2.3.6-1) to root...
Downloading http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/packages/nano_2.3.6-1_ar71xx.ipk.
Configuring nano.

Dnsmasq is a combined DHCP and DNS server, and by default it would interfere with bind. To keep DHCP capabilities we will configure the isc-dhcp server, but first uninstall dnsmasq and clean up by removing the old DHCP leases file.

root@soultrap:~# /etc/init.d/dnsmasq stop
root@soultrap:~# opkg remove dnsmasq
Removing package dnsmasq from root...
Not deleting modified conffile /etc/config/dhcp.
root@soultrap:~# mv /etc/config/dhcp /etc/config/dhcp.backup
root@soultrap:~# rm /var/dhcp.leases

Configuring dhcp and bind

After the package installation, we are going to configure the dhcpd daemon, and the right place to do that is /etc/dhcpd.conf.

root@soultrap:~# nano /etc/dhcpd.conf
# dhcpd.conf

authoritative;

default-lease-time 3600;
max-lease-time 86400;

option domain-name-servers 10.0.2.1, 8.8.8.8;
option domain-search "papuckovo.home";

subnet 10.0.2.0 netmask 255.255.255.0 {
  range 10.0.2.128 10.0.2.191;
  option routers 10.0.2.1;
}

Then enable automatic service start after reboot and start the service.

root@soultrap:~# /etc/init.d/dhcpd enable
root@soultrap:~# /etc/init.d/dhcpd start

We will now focus on the bind configuration; the main files to look at are located under the /etc/bind/ directory. The file named.conf is of particular interest.

First we will configure the DNS forwarders that will be used when looking for something outside our authoritative domain. Popular choices are the OpenDNS servers or Google Public DNS; I will use the latter.

Next, we will add one forward and one reverse zone for our home domain papuckovo.home. As you can see, they point to files that will hold our records, and we need to create them.

root@soultrap:~# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
acl "RFC1918" {
        10.0.0.0/8;
};

options {
        directory "/tmp";
        recursion yes;
        allow-recursion { RFC1918; };
        allow-transfer { none; };
        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        auth-nxdomain no;    # conform to RFC1035
};
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};
zone "papuckovo.home" {
        type master;
        file "/etc/bind/zones/db.papuckovo.home";
};
zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};
zone "2.0.10.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.2.0.10";
};

Now we will create a new folder, zones, and copy the example files from the main bind directory.

root@soultrap:~# mkdir /etc/bind/zones
root@soultrap:~# cp /etc/bind/db.local /etc/bind/zones/db.papuckovo.home
root@soultrap:~# cp /etc/bind/db.127 /etc/bind/zones/db.2.0.10

Edit the copied files to suit your needs. The SOA record needs to include the domain name and the administrator's email address. You should also increment the serial number after each change to the zone files.

root@soultrap:~# nano /etc/bind/zones/db.papuckovo.home
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     papuckovo.home. root.papuckovo.home. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      soultrap.papuckovo.home.
@       IN      A       10.0.2.1
soultrap        IN     A       10.0.2.1
www01           IN     A       10.0.2.2

Do the same thing for the reverse zone.

root@soultrap:~# nano /etc/bind/zones/db.2.0.10
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     papuckovo.home. root.papuckovo.home. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      soultrap.papuckovo.home.
1       IN      PTR     soultrap.papuckovo.home.
2       IN      PTR     www01.papuckovo.home.

Finally, start the service and enable automatic service start after boot.

root@soultrap:~# /etc/init.d/named start
Starting isc-bind
root@soultrap:~# /etc/init.d/named enable

Verification

You can verify the operation of the DHCP server by jumping on an internal client and issuing ipconfig /renew, or directly on the router by listing the dhcpd leases.

root@soultrap:~# head /var/dhcpd.leases
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.2.4

lease 10.0.2.129 {
  starts 1 2015/02/23 08:19:57;
  ends 1 2015/02/23 08:21:57;
  tstp 1 2015/02/23 08:21:57;
  cltt 1 2015/02/23 08:19:57;
  binding state free;
  hardware ethernet 14:7d:c5:11:19:7f;

You can also verify that the DNS server is operating correctly using nslookup or dig.

root@soultrap:~# dig ANY papuckovo.home @localhost
; <<>> DiG 9.9.4 <<>> ANY papuckovo.home @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53030
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;papuckovo.home.                        IN      ANY

;; ANSWER SECTION:
papuckovo.home.         604800  IN      SOA     papuckovo.home. root.papuckovo.home. 5 604800 86400 2419200 604800
papuckovo.home.         604800  IN      NS      soultrap.papuckovo.home.
papuckovo.home.         604800  IN      A       10.0.2.1

;; ADDITIONAL SECTION:
soultrap.papuckovo.home. 604800 IN      A       10.0.2.1

;; Query time: 74 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 24 16:04:56 CET 2015
;; MSG SIZE  rcvd: 139

Troubleshooting

Sometimes things do not go as expected, and it helps to be able to narrow down the problem.

root@soultrap:~# /etc/init.d/named start
Starting isc-bind
  isc-bind failed to start

The default error message is not very useful, but you can investigate further in the log file. In this case I had mistyped the allow-transfer keyword in the main configuration file.

root@soultrap:~# logread
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: BIND 9 is maintained by Internet Systems Consortium,
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: corporation.  Support and training for BIND 9 are
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: available at https://www.isc.org/support
Tue Feb 24 16:20:30 2015 daemon.notice named[13361]: ----------------------------------------------------
Tue Feb 24 16:20:30 2015 daemon.info named[13361]: using 1 UDP listener per interface
Tue Feb 24 16:20:30 2015 daemon.info named[13361]: using up to 4096 sockets
Tue Feb 24 16:20:30 2015 daemon.info named[13361]: loading configuration from '/etc/bind/named.conf'
Tue Feb 24 16:20:30 2015 daemon.err named[13361]: /etc/bind/named.conf:10: unknown option 'allow-trasfer'
Tue Feb 24 16:20:30 2015 daemon.crit named[13361]: loading configuration: failure
Tue Feb 24 16:20:30 2015 daemon.crit named[13361]: exiting (due to fatal error)

MACs: Moves, Adds and Changes

When adding new records to the reverse and forward zone files you need to increase the serial number and then reload bind with the new configuration.

root@soultrap:~# /etc/init.d/named reload
Stopping isc-bind
Starting isc-bind
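As an added check for the zone-file and serial-number steps above (example code, not from the post or from BIND): POSIX sh functions that compare the forward zone's A records against the reverse zone's PTR records and confirm that an edited zone file's SOA serial is higher than the previous copy's. They assume the post's layout: relative record names, one /24 reverse zone identified by its prefix (10.0.2), and the serial on the line after the SOA's opening parenthesis.

```shell
#!/bin/sh
# Added example, not from the post: consistency checks for a forward/reverse
# zone pair before bind is reloaded. Assumes the layout used in the post.
set -u

# a_records ZONEFILE DOMAIN: print "fqdn ip" for every A record.
# "@" and relative names are expanded with DOMAIN; absolute names keep their dot.
a_records() {
    awk -v d="$2" '$2=="IN" && $3=="A" {
        n=$1; if (n=="@") n=d "."; else if (n !~ /\.$/) n=n "." d ".";
        print n, $4 }' "$1"
}

# ptr_records ZONEFILE PREFIX: print "fqdn ip" for every PTR record, rebuilding
# the address from PREFIX (e.g. 10.0.2) and the record's last octet.
ptr_records() {
    awk -v p="$2" '$2=="IN" && $3=="PTR" { print $4, p "." $1 }' "$1"
}

# zone_serial ZONEFILE: print the SOA serial, the first field on the line
# after the SOA's "(" (where the post's zone files keep it).
zone_serial() {
    awk 'want { print $1; exit } /SOA/ && /\(/ { want=1 }' "$1"
}

# check_zone_pair FWD REV PREFIX DOMAIN: return 0 when every PTR points at a
# name that really has that A record and every address with an A record has
# a PTR; otherwise list what differs and return 1. Several names sharing one
# address (the apex and soultrap both map to 10.0.2.1) are fine.
check_zone_pair() {
    t=$(mktemp -d)
    a_records "$1" "$4" | sort -u > "$t/fwd"
    ptr_records "$2" "$3" | sort -u > "$t/rev"
    awk '{print $2}' "$t/fwd" | sort -u > "$t/fwdip"
    awk '{print $2}' "$t/rev" | sort -u > "$t/revip"
    orphan_ptr=$(comm -13 "$t/fwd" "$t/rev")      # PTR target has no such A
    missing_ptr=$(comm -23 "$t/fwdip" "$t/revip") # address has A but no PTR
    rm -rf "$t"
    [ -z "$orphan_ptr" ] && [ -z "$missing_ptr" ] && return 0
    [ -n "$orphan_ptr" ] && printf 'PTR without matching A record:\n%s\n' "$orphan_ptr"
    [ -n "$missing_ptr" ] && printf 'A record without PTR:\n%s\n' "$missing_ptr"
    return 1
}

# serial_bumped OLD NEW: return 0 only when NEW's SOA serial is higher than
# OLD's, i.e. caches and secondaries will notice the edit after a reload.
serial_bumped() {
    o=$(zone_serial "$1"); n=$(zone_serial "$2")
    [ "$n" -gt "$o" ]
}
```

Run them against the files in /etc/bind/zones before /etc/init.d/named reload; named-checkzone, where available, additionally validates the zone syntax.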

Conclusion

Adding a name resolution service to your home router gives you great flexibility and ease of use: your everyday users won't need to be bothered with IP addresses, they can simply type names.

Further Reading

https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts

Saving time with VM templates

Imagine that you need to provision 1000 virtual machines for a new web server farm. Doing this manually can be boring and can take a long time, answering all the installation questions, patching and updating the base OS to get it into the right shape.

There is a better way, by utilizing VM templates. Templates are like golden images: you install the OS once, make all the changes you need, and then convert it into a template that can later be used to create identical clones.

There is however one problem with clones, and that is that they are the same in almost every way. We need to modify these clones to include some uniqueness, such as hostnames, IP addresses and public/private keys. Some operating systems, such as Windows, support sysprep, a set of scripts that modify the operating system as it is being deployed, which makes it easy to perform changes during deployment.

Support for the guest customization wizard for most Linux operating systems was discontinued in vSphere 5, so you need to look at another way, such as Puppet or Chef.

Converting a virtual machine into a template is easy: just right-click on it and select Clone to Template. In this example I am using the previously updated Debian 7.8 guest that has Open VM Tools installed.

[Screenshot: vm-templates]

vCenter will mark the virtual machine as a template and move it from the main Hosts and Clusters view to VMs and Templates. Browse to that location and highlight the newly created template.

You will now have the option either to Deploy Virtual Machine from this Template or to Convert back to Virtual Machine.

[Screenshot: vm-templates-1]

We are going to select the first option; after answering questions such as what to name the new VM and where to place it, a validation check occurs and the new guest will be deployed.

This is also one of the places to make changes to the virtual disk, such as migrating from thick to thin provisioning.

After switching to the new VM's console, you will be presented with the deb01 login prompt. You can use the following script to rename the box to deb02. Execute it and then do a quick reboot.

#!/bin/bash
# Rename a freshly cloned Debian guest: replace the old hostname with the
# new one in every file that mentions it. Run as root, then reboot.
usage() {
   echo "usage : $0 <new hostname>"
   exit 1
}

[ -n "$1" ] || usage

old=$(hostname)
new=$1

# Files that carry the hostname on a Debian 7 install; missing ones are skipped.
for file in \
   /etc/exim4/update-exim4.conf.conf \
   /etc/printcap \
   /etc/hostname \
   /etc/hosts \
   /etc/ssh/ssh_host_rsa_key.pub \
   /etc/ssh/ssh_host_dsa_key.pub \
   /etc/motd \
   /etc/ssmtp/ssmtp.conf
do
   # keep a .old backup of every file that is rewritten
   [ -f "$file" ] && sed -i.old -e "s:$old:$new:g" "$file"
done

Depending on your network configuration, you may also need to change IP addresses if you are not using DHCP, to avoid collisions. Regenerating the SSH host keys would be a good idea too.

Anyway, this is a great approach for a home lab when you want to create lots of test machines and test features like load balancing. You can create various flavours from the vanilla template, such as a web server or a database server.
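An added example (not the post's script) of the same rename idea, written so it can be rehearsed on a scratch directory tree before being run as root against the real system: it matches only whole hostnames, reports any file under etc/ that still carries the old name, and regenerates the cloned SSH host keys the way Debian's openssh-server package does. The ROOT argument, the function names and the extra /etc/mailname entry are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the post's script. ROOT lets the logic be tested on a
# scratch tree (ROOT=/tmp/x); on the real clone run it as root with ROOT=/.
set -u

# Files where Debian 7 records the hostname (the post's list plus
# /etc/mailname); paths are relative to ROOT.
HOST_FILES="etc/hostname etc/hosts etc/mailname etc/motd etc/printcap
etc/exim4/update-exim4.conf.conf etc/ssmtp/ssmtp.conf
etc/ssh/ssh_host_rsa_key.pub etc/ssh/ssh_host_dsa_key.pub"

# rename_host ROOT OLD NEW: rewrite OLD as NEW in the files above.
# \< and \> (GNU sed) match whole words only, so renaming deb01 leaves a
# host called deb010 alone, unlike a plain s:old:new:g substitution.
rename_host() {
    root=$1 old=$2 new=$3
    for rel in $HOST_FILES; do
        f="$root/$rel"
        [ -f "$f" ] || continue
        sed -i -e "s/\<$old\>/$new/g" "$f"
    done
}

# leftover_refs ROOT OLD: list files under ROOT/etc that still mention OLD
# as a whole word, so the clone can be checked before the reboot.
# Returns 0 when nothing is left, 1 otherwise.
leftover_refs() {
    root=$1 old=$2
    hits=$(grep -rlw -- "$old" "$root/etc" 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# regen_ssh_host_keys ROOT: every clone shares the template's SSH host keys,
# so remove them and let openssh-server's postinst create fresh ones
# (dpkg-reconfigure only makes sense on the live system, ROOT=/).
regen_ssh_host_keys() {
    root=$1
    rm -f "$root"/etc/ssh/ssh_host_*_key "$root"/etc/ssh/ssh_host_*_key.pub
    if [ "$root" = / ]; then dpkg-reconfigure openssh-server; fi
}

# Entry point when run as a script: ./rename.sh OLD NEW [ROOT]
main() {
    [ $# -ge 2 ] || { echo "usage: $0 <old> <new> [root]" >&2; return 1; }
    rename_host "${3:-/}" "$1" "$2"
    leftover_refs "${3:-/}" "$1"
}
if [ $# -ge 2 ]; then main "$@"; fi
```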

Open VM Tools on Debian 7

Introduction

Open VM Tools are a set of open source programs based on the original VMware Tools that greatly enhance the performance and experience when interacting with a virtual machine. They are also required when you want to use features like the balloon driver to reclaim unused guest memory and optimize resource usage.

VMware states that the reason for this open version is to allow the community and vendors to include the tools when releasing their virtual appliances, so there is no need to install the tools separately after installation.

The following packages are available:

  • open-vm-tools – includes core tools, user space binaries and libraries
  • open-vm-tools-desktop – includes additional user-space programs and features such as resizing the guest display, copy and paste between guest and host, and drag and drop between guest and host
  • open-vm-tools-devel – includes libraries for developing vmtoolsd plugins and documentation

Supported operating systems are:

  • Fedora 19 and later
  • Debian 7.x and later
  • OpenSUSE 11x and later
  • Ubuntu 12.04 LTS, 13.10 and later
  • RHEL 7.0 and later
  • CentOS 7
  • Oracle Linux 7

The base open-vm-tools package is already included in the Debian default repository, so installation is super easy.

  1. Log into the guest VM and simply type
root@deb01:~# apt-get install open-vm-tools

The package size is around 171 MB; after downloading, you can verify that it is indeed running by checking the running processes and the software version.

root@deb01:~# ps ax|grep vmtools
 2096 ?        Sl     0:00 /usr/bin/vmtoolsd
 2654 pts/0    S+     0:00 grep vmtools
root@deb01:~# lsmod| grep vm
vmsync                 12721  0
vmhgfs                 52556  0
vmw_balloon            12606  0
vmwgfx                 99436  0
ttm                    53664  1 vmwgfx
drm                   183952  2 ttm,vmwgfx
vmci                   74044  1 vmhgfs
root@deb01:~# vmtoolsd -v
VMware Tools daemon, version 9.3.0.13625 (build-724730)

On the guest's Summary page, you can also see that the VM is running VMware Tools.

[Screenshot: Open VM Tools]

Conclusion

It is good to see that VMware is opening up their software a little, so that more people can contribute to improving the code. Vendors can use the tools during product development and enhance interoperability when running on virtual infrastructure.


Unix Utils

If you fell in love with many of the Unix system utilities such as head, cat, less, sed, wc or grep, and you are missing them in Windows, there is a package of tools that can run natively, called Unix Utils. After you download the zip file from SourceForge, unzip the contents into your System32 directory. Wget and curl are not part of the package, but you can get those here and here.

curl