Yavuz Maslak | 2 Apr 12:53 2008

Mirror web servers.

Hello
I use djbdns.
I have a web site. I also have 2 web servers. One of them is a mirror site of the other. These web servers are located in different locations.
People should reach the web site via whichever of my two web servers is closer to them.
How can I do that with djbdns?
 
Peter Conrad | 3 Apr 09:03 2008

Re: Mirror web servers.

Hi,

On Wednesday, 2 April 2008, you wrote:
> I have a web site. I also have 2 web servers. One of them is a mirror site
> of the other. These web servers are located in different locations. People
> should reach to the web site from closer my web server than my other
> webserver for themselves. How can I do that with djbdns ?

theoretically, you could do that using location codes.
In practice nobody does that - it's a routing problem, not
a DNS problem.

Bye,
	Peter
-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg

Germany

Bgs | 3 Apr 11:00 2008

Re: Mirror web servers.


  Hi,

  Actually it's a geolocation dns issue which to my knowledge is not 
possible with djbdns.

Regards
Bgs

Peter Conrad wrote:
> Hi,
> 
> On Wednesday, 2 April 2008, you wrote:
>> I have a web site. I also have 2 web servers. One of them is a mirror site
>> of the other. These web servers are located in different locations. People
>> should reach to the web site from closer my web server than my other
>> webserver for themselves. How can I do that with djbdns ?
> 
> theoretically, you could do that using location codes.
> In practice nobody does that - it's a routing problem, not
> a DNS problem.
> 
> Bye,
> 	Peter

Charlie Brady | 3 Apr 14:51 2008

Re: Mirror web servers.


On Thu, 3 Apr 2008, Bgs wrote:

>   Actually it's a geolocation dns issue which to my knowledge is not 
> possible with djbdns.

I believe that you could set up distinct tinydns servers containing data 
appropriate for "nearby" connecting clients, and then use anycast routing 
to choose the "nearest" DNS server.

Yavuz should google for anycast routing.

> Regards
> Bgs
> 
> 
> Peter Conrad wrote:
> > Hi,
> > 
> > On Wednesday, 2 April 2008, you wrote:
> >> I have a web site. I also have 2 web servers. One of them is a mirror site
> >> of the other. These web servers are located in different locations. People
> >> should reach to the web site from closer my web server than my other
> >> webserver for themselves. How can I do that with djbdns ?
> > 
> > theoretically, you could do that using location codes.
> > In practice nobody does that - it's a routing problem, not
> > a DNS problem.
> > 
> > Bye,
> > 	Peter
> 

--
Charlie Brady                         charlie_brady <at> mitel.com
Mitel Networks Corporation      http://www.mitel.com/
Phone: +1 (613) 592 5660 or 592 2122  Fax: +1 (613) 592 1175

A: Because we read from top to bottom, left to right.
Q: Why should i start my reply below the quoted text?

Helmut Weigel | 4 Apr 12:01 2008

MX records for all hosts

Hi all

I've been using tinydns for several years now and I love it for
its stability.

Yesterday I tried to configure some data with MX records
and wildcards, that didn't work as I expected. 

I have a domain, let's call it foo.bar.
I defined the nameserver and a mailserver for the domain.
Then I wanted to define MX records for all hosts in my domain,
which I tried to do with a wildcard.

The data file looked like:

.foo.bar:11.22.33.44:ns.foo.bar.:3600
@foo.bar:12.22.33.44:mail.foo.bar:100:3600
@*.foo.bar:12.22.33.44:mail.foo.bar:100:3600
=www.foo.bar:13.22.33.44:3600

When I queried the MX record for foo.bar with dig I got the expected mail.foo.bar.
When I then queried the MX record for www.foo.bar I got no record as the answer.
When I queried the MX record for nonsense.foo.bar I got mail.foo.bar as the answer.

What I want to have is:
mail.foo.bar as the answer when querying the MX record for www.foo.bar, and
no answer when querying the MX record for nonsense.foo.bar.

So how do I configure this?

With kind regards

Helmut Weigel

DFB Medien GmbH & Co. KG
Otto-Fleck-Schneise 6
60528 Frankfurt

fon +49 (69) 6788-319
fax +49 (69) 6788-343
email: helmut.weigel <at> dfbnet.de

Homepage: www.dfb-medien.de


Mário Gamito | 4 Apr 12:15 2008

Problems with permissions

Hi,

I have this PHP code to add an alias in a DNS server (djbdns).

<?php

// Alias to add; hard-coded here for the example.
$username = 'foobar';

// Run the add-alias helper; escapeshellarg() keeps the username from
// being interpreted by the shell.
system('/etc/tinydns/root/add-alias ' . escapeshellarg($username) . ' 192.168.1.1');

// Rebuild data.cdb; assumes the script is run from /etc/tinydns/root,
// where the Makefile lives.
system('make');

?>

If I run in the shell as root:

# php dns.php

all is well, the entry is created.

Of course, when running through Apache it isn't, because Apache is
running as nobody.nobody.

Here are the relevant permissions and ownership:

/etc/tinydns -> dtrwxr-sr-t -> root.root.
/etc/tinydns/root -> drwxr-sr-x -> root.root
/etc/tinydns/root/add-alias -> -rwx-r-xr-x -> root.root
/etc/tinydns/root/data -> -rw-r--r-- -> root.root (the file in which
the command add-alias inserts the data)

How do I turn this around so that Apache can execute the add-alias and make
commands without compromising (at least too much) security?

Any help would be appreciated.

Warm Regards,
Mário Gamito

Alex Efros | 4 Apr 12:32 2008

Re: Problems with permissions

Hi!

On Fri, Apr 04, 2008 at 11:15:56AM +0100, Mário Gamito wrote:
> How do I turn this around so that Apache executes add-alias and make
> command without compromising (at least too much) security ?

You can't do this without compromising security. If your PHP script is able
to modify the DNS zone file, then any other CGI/PHP script on the same server
is also able to modify it.

There are different ways to set this up:
1)  You can just set permissions for /service/tinydns/root/data* to
    nobody:nobody (apache's user).
2)  You can keep a copy of tinydns's data file in a private directory of your
    PHP script; your PHP will modify that data file, and then every X
    minutes a cron script (running as root) will copy the data file from the
    PHP script's private directory to /etc/tinydns/root/ and run
    tinydns-data.
3)  You can add something like this to /etc/sudoers:
	nobody ALL= NOPASSWD: /usr/bin/make -C /service/tinydns/root/
    and run this command using sudo from PHP script (you'll need similar
    configuration in /etc/sudoers for running add-alias).
4)  You can create special SUID script which will modify data file.

Personally I recommend 1) if you don't mind changing permissions on the
tinydns data* files, OR 3). 2) adds needless complexity with the cron
script, and 4) is less secure than the others because chances are you'll
have bugs in your SUID script.

If you need a secure way to do this, you'll need to run your PHP script
under a UID dedicated to that script instead of the general apache user
"nobody". This can be done using apache's SUEXEC or an external FastCGI
daemon. This way, plus using 1) or 3), you should be as secure as your PHP
script is.

-- 
			WBR, Alex.
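Alex's option 2 puts the privileged step in a root cron job. The following is an added example (not from Alex, Mário or the djbdns project) of that root-side job in Python, with a check that the staged file carries only host and MX records inside the zone the web app is allowed to edit before anything is installed. STAGED, LIVE_DIR, the data.base file and the zone name foo.bar are assumptions.

```python
#!/usr/bin/env python3
# Root-side half of option 2 (added example, not from the thread): a cron job that
# validates the data file the PHP script wrote into its own directory and only
# then installs it and rebuilds data.cdb. Paths and the zone name are assumptions.
import os, re, subprocess, sys

STAGED = '/var/www/dns-staging/data'      # writable by the PHP script's uid only
LIVE_DIR = '/etc/tinydns/root'            # root-owned, as in Mário's listing
ALLOWED_ZONE = 'foo.bar'                  # the one zone the web app may edit
NAME_RE = re.compile(r'^[A-Za-z0-9*.-]+$')

def check_data(text, zone=ALLOWED_ZONE):
    """Return a list of problems; an empty list means the staged file may be installed."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line[0] == '#':
            continue
        if line[0] not in '+=@':          # no NS/SOA/location lines from the web app
            problems.append(f'line {n}: record type {line[0]!r} not permitted')
            continue
        name = line[1:].split(':')[0]
        if not NAME_RE.match(name) or not (name == zone or name.endswith('.' + zone)):
            problems.append(f'line {n}: {name!r} is outside {zone}')
    return problems

def install(staged=STAGED, live_dir=LIVE_DIR):
    """Append the checked records to the root-owned base file and rebuild data.cdb."""
    with open(staged) as fh:
        text = fh.read()
    problems = check_data(text)
    if problems:
        sys.exit('refusing to install:\n' + '\n'.join(problems))
    # data.base (root-owned, assumed) holds the NS/SOA records the web app must not touch
    with open(os.path.join(live_dir, 'data.base')) as fh:
        base = fh.read()
    with open(os.path.join(live_dir, 'data'), 'w') as fh:   # root writes it, so it stays root-owned
        fh.write(base + text)
    subprocess.run(['tinydns-data'], cwd=live_dir, check=True)  # tinydns-data replaces data.cdb atomically

if __name__ == '__main__':
    install()
```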

Jeff King | 4 Apr 12:38 2008

Re: MX records for all hosts

On Fri, Apr 04, 2008 at 12:01:23PM +0200, Helmut Weigel wrote:

> The data file looked like:
> 
> .foo.bar:11.22.33.44:ns.foo.bar.:3600
> @foo.bar:12.22.33.44:mail.foo.bar:100:3600
> @*.foo.bar:12.22.33.44:mail.foo.bar:100:3600
> =www.foo.bar:13.22.33.44:3600

This is not the problem you are describing, but you will end up with
duplicate A records for mail.foo.bar here; only one of the @ lines needs
to have an IP address.

> When I dig'ed MX record for foo.bar I got the expected mail.foo.bar
> When I then dig'ed MX record for www.foo.bar I got no record as answer.
> When I dig'ed MX record for nonsense.foo.bar I got mail.foo.bar as answer.

That is the expected behavior. tinydns will only match a wildcard if
there are no other, more specific records. In other words, it matches the
wildcard without respect to type, and then looks up the type.

This is specifically mentioned in:

  http://cr.yp.to/djbdns/tinydns-data.html

in the section "wildcards."

> What I want to have is:
> mail.foo.bar as answer for dig'ing MX record for www.foo.bar and
> no answer for dig'ing MX record for nonsense.foo.bar
> 
> So how do I configure this?

Add an @ line for www.foo.bar. If you have many such records, consider
preprocessing your data file.

-Peff

Peter Conrad | 4 Apr 12:19 2008

Re: MX records for all hosts

Hi,

On Friday, 4 April 2008, you wrote:
>
> The data file looked like:
>
> .foo.bar:11.22.33.44:ns.foo.bar.:3600
> @foo.bar:12.22.33.44:mail.foo.bar:100:3600
> @*.foo.bar:12.22.33.44:mail.foo.bar:100:3600
> =www.foo.bar:13.22.33.44:3600
>
> When I dig'ed MX record for foo.bar I got the expected mail.foo.bar
> When I then dig'ed MX record for www.foo.bar I got no record as answer.
> When I dig'ed MX record for nonsense.foo.bar I got mail.foo.bar as answer.
>
> What I want to have is:
> mail.foo.bar as answer for dig'ing MX record for www.foo.bar and
> no answer for dig'ing MX record for nonsense.foo.bar
>
> So how do I configure this?

don't use wildcards. Instead, create an @ line for every MX 
record you need.

Here's an explanation on wildcards in DNS:
http://en.wikipedia.org/wiki/Wildcard_DNS_record

Hope this helps,
			Peter
-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg

Germany
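Peter's location codes in the mirror thread and the wildcard rule Jeff describes above are both plain tinydns-data behaviour. The following is an added example, not from any post or from djbdns, that models those two rules in Python over a constructed data file: the %-lines, the mirror.foo.bar records and the client addresses are assumptions, the rest is Helmut's layout.

```python
# Added model (not djbdns code) of two tinydns-data rules: "%lo:ipprefix" client
# locations (longest prefix wins) and wildcards that apply only to names with no records.

# Constructed sample: Helmut's MX/wildcard layout plus a mirror host split by location.
DATA = """%eu:10.1
%us:10.2
@foo.bar:12.22.33.44:mail.foo.bar:100:3600
@*.foo.bar::mail.foo.bar:100:3600
=www.foo.bar:13.22.33.44:3600
+mirror.foo.bar:10.1.0.80:3600::eu
+mirror.foo.bar:10.2.0.80:3600::us
"""

def parse(data):
    """Return (locations, records); records are (name, type, value, lo)."""
    locs, recs = [], []
    for line in data.splitlines():
        if not line or line[0] == '#':
            continue
        kind, f = line[0], line[1:].split(':')
        f += [''] * 7                        # optional trailing fields read as empty
        if kind == '%':                      # %lo:ipprefix  (empty prefix = everyone)
            locs.append((f[0], f[1]))
        elif kind in '+=':                   # +fqdn:ip:ttl:timestamp:lo
            recs.append((f[0], 'A', f[1], f[4]))
        elif kind == '@':                    # @fqdn:ip:x:dist:ttl:timestamp:lo
            recs.append((f[0], 'MX', f[2], f[6]))
            if f[1]:                         # a non-empty ip also emits an A record for x
                recs.append((f[2], 'A', f[1], f[6]))
    return locs, recs

def client_location(locs, ip):
    """Longest %-prefix (whole octets) matching the client address; '' if none."""
    best, best_len = '', -1
    for lo, prefix in locs:
        octets = prefix.split('.') if prefix else []
        if ip.split('.')[:len(octets)] == octets and len(octets) > best_len:
            best, best_len = lo, len(octets)
    return best

def lookup(data, qname, qtype, client_ip):
    locs, recs = parse(data)
    lo = client_location(locs, client_ip)
    visible = [r for r in recs if r[3] in ('', lo)]   # unlabelled records are global
    labels = qname.split('.')
    names = [qname] + ['*.' + '.'.join(labels[i:]) for i in range(1, len(labels))]  # exact, then *.parent, ...
    for name in names:
        hits = [r for r in visible if r[0] == name]
        if hits:   # records of any type end the search, even if none has qtype
            return sorted(r[2] for r in hits if r[1] == qtype)
    return []
```

Querying www.foo.bar for MX returns nothing because its A record ends the search, while nonsense.foo.bar falls through to the wildcard; adding an explicit @www.foo.bar line gives www the MX as Jeff suggests.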

Charlie Brady | 4 Apr 16:00 2008

Re: Problems with permissions


On Fri, 4 Apr 2008, Alex Efros wrote:

> If you need secure way to do this - you'll need to run your PHP script
> under UID dedicated to that script instead of general apache's user
> "nobody". This can be done using apache's SUEXEC or external FastCGI
> daemon. This way, plus using 1) or 3), you should be as secure as your PHP
> script secure.

You can also do it with a separate instance of apache which runs under a 
separate uid, and a ProxyPass configured in the main apache.

Note that SUEXEC and FastCGI cannot be used with in-process PHP scripts 
(which is how PHP is usually used).

Personally I think that anyone who mentions PHP and "securely" in the same 
sentence just hasn't been paying attention...

--
Charlie

