Hi, Am Mittwoch, 2. April 2008 schrieben Sie: > I have a web site. I also have 2 web servers. One of them is a mirror site > of the other. These web servers are located in different locations. People > should reach to the web site from closer my web server than my other > webserver for themselves. How can I do that with djbdns ? theoretically, you could do that using location codes. In practice nobody does that - it's a routing problem, not a DNS problem. Bye, Peter -- -- Peter Conrad Tel: +49 6102 / 80 99 072 [ t]ivano Software GmbH Fax: +49 6102 / 80 99 071 Bahnhofstr. 18 http://www.tivano.de/ 63263 Neu-Isenburg Germany
Hi, Actually it's a geolocation dns issue which to my knowledge is not possible with djbdns. Regards Bgs Peter Conrad wrote: > Hi, > > Am Mittwoch, 2. April 2008 schrieben Sie: >> I have a web site. I also have 2 web servers. One of them is a mirror site >> of the other. These web servers are located in different locations. People >> should reach to the web site from closer my web server than my other >> webserver for themselves. How can I do that with djbdns ? > > theoretically, you could do that using location codes. > In practice nobody does that - it's a routing problem, not > a DNS problem. > > Bye, > Peter
On Thu, 3 Apr 2008, Bgs wrote: > Actually it's a geolocation dns issue which to my knowledge is not > possible with djbdns. I believe that you could set up distinct tinydns servers containing data appropriate for "nearby" connecting clients, and then use anycast routing to choose the "nearest" DNS server. Yavuz should google for anycase routing. > Regards > Bgs > > > Peter Conrad wrote: > > Hi, > > > > Am Mittwoch, 2. April 2008 schrieben Sie: > >> I have a web site. I also have 2 web servers. One of them is a mirror site > >> of the other. These web servers are located in different locations. People > >> should reach to the web site from closer my web server than my other > >> webserver for themselves. How can I do that with djbdns ? > > > > theoretically, you could do that using location codes. > > In practice nobody does that - it's a routing problem, not > > a DNS problem. > > > > Bye, > > Peter > -- Charlie Brady charlie_brady <at> mitel.com Mitel Networks Corporation http://www.mitel.com/ Phone: +1 (613) 592 5660 or 592 2122 Fax: +1 (613) 592 1175 A: Because we read from top to bottom, left to right. Q: Why should i start my reply below the quoted text?
Hi all i'm using tinydns for several years now and I love it for it's stability. Yesterday I tried to configure some data with MX records and wildcards, that didn't work as I expected. I have a domain, lets call it foo.bar I defined the Nameserver and a mailserver for the domain. Then a wanted do define MX records for all hosts in my domain which i tried to define with an wildcard The data file looked like: .foo.bar:11.22.33.44:ns.foo.bar.:3600 <at> foo.bar:12.22.33.44:mail.foo.bar:100:3600 <at> *.foo.bar:12.22.33.44:mail.foo.bar:100:3600 =www.foo.bar:13.22.33.44:3600 When I dig'ed MX record for foo.bar I got the expected mail.foo.bar When I then dig'ed MX record for www.foo.bar I got no record as answer. When I dig'ed MX record for nonsense.foo.bar I got mail.foo.bar as answer. What I want to have is: mail.foo.bar as answer for dig'ing MX record for www.foo.bar and no answer for dig'ing MX record for nonsense.foo.bar So how do I configure this? Mit freundlichem Gruß Helmut Weigel DFB Medien GmbH & Co. KG Otto-Fleck-Schneise 6 60528 Frankfurt fon +49 (69) 6788-319 fax +49 (69) 6788-343 email: helmut.weigel <at> dfbnet.de Homepage: www.dfb-medien.de -------------------------------------------- Hermann-Neuberger-Haus | Otto-Fleck-Schneise 6 | 60528 Frankfurt | DFB Medien GmbH & Co. KG | Geschäftsführung: DFB Medien Verwaltungs-GmbH, deren Geschäftsführer: Kurt Gärtner, Tilman Walk |Vorsitzender des Aufsichtsrates: Dr. Theo Zwanziger | HRA 30550 | Registergericht: Frankfurt
Hi,
I have this PHP code to add an alias in a DNS server (djbdns).
<?php
$username = 'foobar';
system('/etc/tinydns/root/add-alias' . ' ' . $username . ' ' . '192.168.1.1);
system ('make');
?>
If I run in the shell as root:
# php dns.php
all is well, the entry is created.
Os course, that running through Apache, it isn't, because Apache is
running under nobody.nobody
Here are the relevant permissions and ownership:
/etc/tinydns -> dtrwxr-sr-t -> root.root.
/etc/tinydns/root -> drwxr-sr-x -> root.root
/etc/tinydns/root/add-alias -> -rwx-r-xr-x -> root.root
/etc/tinydns/root/data -> -rw-r--r-- -> root.root (the file in which
the command add-alias inserts the data)
How do I turn this around so that Apache executes add-alias and make
command without compromising (at least too much) security ?
Any help would be appreciated.
Warm Regards,
Mário Gamito
Hi!
On Fri, Apr 04, 2008 at 11:15:56AM +0100, M?rio Gamito wrote:
> How do I turn this around so that Apache executes add-alias and make
> command without compromising (at least too much) security ?
You can't do this without compromising security. If your PHP script able
to modify DNS zone file, then any other CGI/PHP on same server also able
to modify DNS zone file.
There different ways to setup this:
1) You can just set permissions for /service/tinydns/root/data* to
nobody:nobody (apache's user).
2) You can have copy of tinydns's data file in private directory of your
PHP script, your PHP will modify that data file, and then, every X
minutes cron script (running as root) will copy data file from that
PHP script's private directory to /etc/tinydns/root/ and run
tinydns-data.
3) You can add something like this to /etc/sudoers:
nobody ALL= NOPASSWD: /usr/bin/make -C /service/tinydns/root/
and run this command using sudo from PHP script (you'll need similar
configuration in /etc/sudoers for running add-alias).
4) You can create special SUID script which will modify data file.
Personally I recommend 1) if you don't bother changing permissions on
tinydns data* files OR 3). The 2) is add needless complexity with cron
script, the 4) is more unsecure than others because chances are you'll
have bugs in your SUID script.
If you need secure way to do this - you'll need to run your PHP script
under UID dedicated to that script instead of general apache's user
"nobody". This can be done using apache's SUEXEC or external FastCGI
daemon. This way, plus using 1) or 3), you should be as secure as your PHP
script secure.
--
--
WBR, Alex.
On Fri, Apr 04, 2008 at 12:01:23PM +0200, Helmut Weigel wrote: > The data file looked like: > > .foo.bar:11.22.33.44:ns.foo.bar.:3600 > <at> foo.bar:12.22.33.44:mail.foo.bar:100:3600 > <at> *.foo.bar:12.22.33.44:mail.foo.bar:100:3600 > =www.foo.bar:13.22.33.44:3600 This is not the problem you are describing, but you will end up with duplicate A records for mail.foo.bar here; only one of the <at> lines needs to have an IP address. > When I dig'ed MX record for foo.bar I got the expected mail.foo.bar > When I then dig'ed MX record for www.foo.bar I got no record as answer. > When I dig'ed MX record for nonsense.foo.bar I got mail.foo.bar as answer. That is the expected behavior. tinydns will only match a wildcard if there are no other, more specific records. In other words, it wildcard matches without respect to type, and then looks up the type. This is specifically mentioned in: http://cr.yp.to/djbdns/tinydns-data.html in the section "wildcards." > What I want to have is: > mail.foo.bar as answer for dig'ing MX record for www.foo.bar and > no answer for dig'ing MX record for nonsense.foo.bar > > So how do I configure this? Add an <at> line for www.foo.bar. If you have many such records, consider preprocessing your data file. -Peff
Hi, Am Freitag, 4. April 2008 schrieben Sie: > > The data file looked like: > > .foo.bar:11.22.33.44:ns.foo.bar.:3600 > <at> foo.bar:12.22.33.44:mail.foo.bar:100:3600 > <at> *.foo.bar:12.22.33.44:mail.foo.bar:100:3600 > =www.foo.bar:13.22.33.44:3600 > > When I dig'ed MX record for foo.bar I got the expected mail.foo.bar > When I then dig'ed MX record for www.foo.bar I got no record as answer. > When I dig'ed MX record for nonsense.foo.bar I got mail.foo.bar as answer. > > What I want to have is: > mail.foo.bar as answer for dig'ing MX record for www.foo.bar and > no answer for dig'ing MX record for nonsense.foo.bar > > So how do I configure this? don't use wildcards. Instead, create an <at> line for every MX record you need. Here's an explanation on wildcards in DNS: http://en.wikipedia.org/wiki/Wildcard_DNS_record Hope this helps, Peter -- -- Peter Conrad Tel: +49 6102 / 80 99 072 [ t]ivano Software GmbH Fax: +49 6102 / 80 99 071 Bahnhofstr. 18 http://www.tivano.de/ 63263 Neu-Isenburg Germany
On Fri, 4 Apr 2008, Alex Efros wrote: > If you need secure way to do this - you'll need to run your PHP script > under UID dedicated to that script instead of general apache's user > "nobody". This can be done using apache's SUEXEC or external FastCGI > daemon. This way, plus using 1) or 3), you should be as secure as your PHP > script secure. You can also do it with a separate instance of apache which runs under a separate uid, and a ProxyPass configured in the main apache. Note, that SUEXEC and FastCGI cannot be used with in-process PHP scripts (which is how PHP is usually used). Personally I think that anyone who mentions PHP and "securely" in the same sentence just hasn't been paying attention... -- Charlie
RSS Feed2 | |
|---|---|
19 | |
38 | |
40 | |
6 | |
27 | |
24 | |
45 | |
100 | |
262 | |
43 | |
61 | |
24 | |
3 | |
28 | |
45 | |
14 | |
10 | |
22 | |
129 | |
66 | |
112 | |
150 | |
80 | |
24 | |
35 | |
44 | |
73 | |
70 | |
46 | |
5 | |
15 | |
26 | |
21 | |
14 | |
96 | |
40 | |
12 | |
18 | |
34 | |
35 | |
6 | |
32 | |
37 | |
16 | |
76 | |
31 | |
43 | |
15 | |
104 | |
19 | |
31 | |
28 | |
16 | |
48 | |
66 | |
43 | |
66 | |
56 | |
56 | |
69 | |
79 | |
68 | |
82 | |
124 | |
59 | |
69 | |
96 | |
89 | |
90 | |
58 | |
63 | |
98 | |
93 | |
92 | |
266 | |
164 | |
98 | |
309 | |
359 | |
243 | |
160 | |
243 | |
346 | |
421 | |
332 | |
487 | |
334 | |
319 | |
353 | |
273 | |
231 | |
292 | |
309 | |
399 | |
436 | |
334 | |
624 | |
331 | |
401 | |
290 | |
214 | |
306 | |
339 | |
560 | |
529 | |
211 |
