debian:pdns_dnsdist

Differences

This shows the differences between the selected revision and the current version of the page.

debian:pdns_dnsdist [09/10/2022 12:19] – [DNSDIST BLACK LIST] Method debian:pdns_dnsdist [13/09/2024 14:09] (current) – [Notes] Method
Рядок 51: Рядок 51:
 <code bash> <code bash>
 apt-get update -y apt-get update -y
-apt-get install -y dnsdist+apt-get install -y dnsdist dnstop 
 +cp -r /etc/dnsdist/ /etc/dnsdist.orig/
 </code> </code>
  
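Review bot: `cp -r /etc/dnsdist/ /etc/dnsdist.orig/` on the added line is not idempotent and does not preserve metadata. If `/etc/dnsdist.orig/` already exists, a second run places the copy in `/etc/dnsdist.orig/dnsdist/`, and `-r` without `-p` does not keep ownership or timestamps, so the backup no longer shows who owned the packaged config. Suggest `cp -a /etc/dnsdist /etc/dnsdist.orig`, guarded by a check that the target does not exist yet.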
Рядок 70: Рядок 71:
 addAction(AllRule(), PoolAction('auth')) addAction(AllRule(), PoolAction('auth'))
 </code> </code>
 +
 +<code bash>
 +pip  install  dnsdist_console
 +
 +python3 -c "from dnsdist_console import HashPassword as H;print(H().generate(\"mysupersecret\"))"
 +</code>
 +
 +  $scrypt$ln=10,p=1,r=8$rY9YB+QnTOkxKOBlNUUYaw==$4C4Hm5IFiOTluLkjGtPMl4FtYQIwJvSA/eb7uqAlFg4=
 +
  
 Якщо хочемо відкрити рекурсію для всіх, то прибираємо всі правила і додаємо recursive_ips:addMask('0.0.0.0/0'). Якщо хочемо відкрити рекурсію для всіх, то прибираємо всі правила і додаємо recursive_ips:addMask('0.0.0.0/0').
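Review bot: the added `python3 -c` line passes the console password as a literal on the command line (`H().generate(\"mysupersecret\")`), so a reader who substitutes a real password leaves it in shell history and in the process list. The `$scrypt$...` line below it reads as that command's output, that is, the hash of a published password. Suggest reading the password interactively (for example with Python's `getpass`) and labelling the hash as sample output that must not be copied into a config. `pip install dnsdist_console` is also unpinned and installs system-wide when run as root; a version pin or a virtualenv would be safer.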
Рядок 97: Рядок 107:
  
 <code bash> <code bash>
-/etc/init.d/pdns-recursor restart +service pdns-recursor restart 
-/etc/init.d/pdns restart+service pdns restart
 </code> </code>
  
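Review bot: style point on the two `service ... restart` lines: the SNMP section of the same page restarts daemons with `systemctl restart snmpd` and `systemctl restart dnsdist`, so `systemctl restart pdns-recursor pdns` would keep one convention across the page. A following status check (or the `journalctl -xe` used later) would confirm both daemons came back.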
Рядок 110: Рядок 120:
  
  
-===== SNMP ===== 
  
-До основних репозиторіїв необхідно в кінець кожного додати "non-free", інакше деякі пакунки не буде знайдено для встановлення. +===== DNSDIST BLACK LIST =====
- +
-<code bash> +
-nano /etc/apt/sources.list +
-</code> +
- +
-<code bash> +
-# deb cdrom:[Debian GNU/Linux 11.4.0 _Bullseye_ - Official amd64 NETINST 20220709-10:31]/ bullseye main +
- +
-deb http://deb.debian.org/debian/ bullseye main non-free +
-deb-src http://deb.debian.org/debian/ bullseye main non-free +
- +
-deb http://security.debian.org/debian-security bullseye-security main non-free +
-deb-src http://security.debian.org/debian-security bullseye-security main non-free +
- +
-# bullseye-updates, to get updates before a point release is made; +
-# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports +
-deb http://deb.debian.org/debian/ bullseye-updates main non-free +
-deb-src http://deb.debian.org/debian/ bullseye-updates main non-free +
-</code> +
- +
- +
-<code bash> +
-apt update && apt install -y snmp-mibs-downloader snmp snmpd +
-</code> +
- +
-comment line "mibs :" for snmp-mibs-downloader +
-<code bash> +
-nano /etc/snmp/snmp.conf +
-</code> +
- +
-<code bash> +
-nano /etc/snmp/snmpd.conf +
-</code> +
- +
-<code bash> +
-master  agentx +
-agentxperms 0700 0700 _dnsdist _dnsdist +
-rocommunity dnsdist42 +
-</code> +
- +
-<code bash> +
-cd /usr/share/snmp/mibs +
-wget https://raw.githubusercontent.com/PowerDNS/pdns/master/pdns/dnsdistdist/DNSDIST-MIB.txt +
-wget https://www.circitor.fr/Mibs/Mib/F/FLOAT-TC-MIB.mib +
-</code> +
- +
-<code bash> +
-chown -R _dnsdist:root  /etc/dnsdist/ +
-chown -R pdns:root /etc/powerdns/ +
-chmod 775 /var/agentx/ +
-</code> +
- +
-Для активації SNMP потрібно в кінець файлу +
-<code bash> +
-nano /etc/dnsdist/dnsdist.conf +
-</code> +
-додати рядок +
-<code bash> +
-snmpAgent(true,"/var/agentx/master"+
-</code> +
- +
-<code bash> +
-systemctl restart snmpd +
-systemctl restart dnsdist +
-journalctl -xe +
-</code> +
- +
-Перевірити працездатність SNMP можна наступними командами +
-<code bash> +
-snmpwalk -v2c -c dnsdist42 127.0.0.1 .1.3.6.1.4.1.43315 +
-snmpwalk -v2c -m DNSDIST-MIB -c dnsdist42 127.0.0.1 1.3.6.1.4.1.43315 +
-</code> +
- +
-Ось вивід останньої +
-<code bash> +
-DNSDIST-MIB::queries.0 = Counter64: 18 +
-DNSDIST-MIB::responses.0 = Counter64: 1 +
-DNSDIST-MIB::servfailResponses.0 = Counter64: 0 +
-DNSDIST-MIB::aclDrops.0 = Counter64: 0 +
-DNSDIST-MIB::ruleDrop.0 = Counter64: 0 +
-DNSDIST-MIB::ruleNXDomain.0 = Counter64: 0 +
-DNSDIST-MIB::ruleRefused.0 = Counter64: 0 +
-DNSDIST-MIB::selfAnswered.0 = Counter64: 17 +
-DNSDIST-MIB::downstreamTimeouts.0 = Counter64: 0 +
-DNSDIST-MIB::downstreamSendErrors.0 = Counter64: 0 +
-DNSDIST-MIB::truncFailures.0 = Counter64: 0 +
-DNSDIST-MIB::noPolicy.0 = Counter64: 0 +
-DNSDIST-MIB::latency01.0 = Counter64: 17 +
-DNSDIST-MIB::latency110.0 = Counter64: 0 +
-DNSDIST-MIB::latency1050.0 = Counter64: 0 +
-DNSDIST-MIB::latency50100.0 = Counter64: 0 +
-DNSDIST-MIB::latency1001000.0 = Counter64: 1 +
-DNSDIST-MIB::latencySlow.0 = Counter64: 0 +
-DNSDIST-MIB::latencyAVG100.0 = STRING: "2404.139327" +
-DNSDIST-MIB::latencyAVG1000.0 = STRING: "263.185870" +
-DNSDIST-MIB::latencyAVG10000.0 = STRING: "26.556655" +
-DNSDIST-MIB::latencyAVG1000000.0 = STRING: "0.265830" +
-DNSDIST-MIB::uptime.0 = Counter64: 33051 +
-DNSDIST-MIB::realMemoryUsage.0 = Counter64: 73154560 +
-DNSDIST-MIB::nonCompliantQueries.0 = Counter64: 0 +
-DNSDIST-MIB::nonCompliantResponses.0 = Counter64: 0 +
-DNSDIST-MIB::rdQueries.0 = Counter64: 18 +
-DNSDIST-MIB::emptyQueries.0 = Counter64: 0 +
-DNSDIST-MIB::cacheHits.0 = Counter64: 0 +
-DNSDIST-MIB::cacheMisses.0 = Counter64: 0 +
-DNSDIST-MIB::cpuUserMSec.0 = Counter64: 18324 +
-DNSDIST-MIB::cpuSysMSec.0 = Counter64: 60627 +
-DNSDIST-MIB::fdUsage.0 = Counter64: 97 +
-DNSDIST-MIB::dynBlocked.0 = Counter64: 0 +
-DNSDIST-MIB::dynBlockNMGSize.0 = Counter64: 0 +
-DNSDIST-MIB::ruleServFail.0 = Counter64: 0 +
-DNSDIST-MIB::securityStatus.0 = Counter64: 1 +
-DNSDIST-MIB::specialMemoryUsage.0 = Counter64: 55439360 +
-DNSDIST-MIB::ruleTruncated.0 = Counter64: 0 +
-DNSDIST-MIB::backendName.0 = STRING: 127.0.0.1:5300 +
-DNSDIST-MIB::backendName.1 = STRING: 127.0.0.1:5301 +
-DNSDIST-MIB::backendLatency.0 = Counter64: 0 +
-DNSDIST-MIB::backendLatency.1 = Counter64: 2 +
-DNSDIST-MIB::backendWeight.0 = Counter64: 1 +
-DNSDIST-MIB::backendWeight.1 = Counter64: 1 +
-DNSDIST-MIB::backendOutstanding.0 = Counter64: 0 +
-DNSDIST-MIB::backendOutstanding.1 = Counter64: 0 +
-DNSDIST-MIB::backendQPSLimit.0 = Counter64: 0 +
-DNSDIST-MIB::backendQPSLimit.1 = Counter64: 0 +
-DNSDIST-MIB::backendReused.0 = Counter64: 0 +
-DNSDIST-MIB::backendReused.1 = Counter64: 0 +
-DNSDIST-MIB::backendState.0 = STRING: up +
-DNSDIST-MIB::backendState.1 = STRING: up +
-DNSDIST-MIB::backendAddress.0 = STRING: "127.0.0.1:5300" +
-DNSDIST-MIB::backendAddress.1 = STRING: "127.0.0.1:5301" +
-DNSDIST-MIB::backendPools.0 = STRING: auth +
-DNSDIST-MIB::backendPools.1 = STRING: recursor +
-DNSDIST-MIB::backendQPS.0 = Counter64: 0 +
-DNSDIST-MIB::backendQPS.1 = Counter64: 0 +
-DNSDIST-MIB::backendQueries.0 = Counter64: 0 +
-DNSDIST-MIB::backendQueries.1 = Counter64: 1 +
-DNSDIST-MIB::backendOrder.0 = Counter64: 1 +
-DNSDIST-MIB::backendOrder.1 = Counter64: 1 +
-</code> +
- +
-   +
-====== DNSDIST BLACK LIST ======+
  
 [[https://github.com/enilfodne/dnsdist-adblock/blob/master/dagg/dagg.lua]] [[https://github.com/enilfodne/dnsdist-adblock/blob/master/dagg/dagg.lua]]
Рядок 268: Рядок 135:
 nano /etc/dnsdist/dnsdist.conf nano /etc/dnsdist/dnsdist.conf
 </code> </code>
-додавши в кінець рядок+додавши після рядків з "newServer()"
 <code bash> <code bash>
 includeDirectory("/etc/dnsdist/conf.d") includeDirectory("/etc/dnsdist/conf.d")
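Review bot: the changed instruction `додавши після рядків з "newServer()"` (adding it after the `newServer()` lines) says where the `includeDirectory("/etc/dnsdist/conf.d")` line goes but not why. A half-sentence on what in `conf.d` depends on the servers being declared first would stop a reader from moving it back to the end of the file. Since every file in that directory is loaded as dnsdist configuration, it is also worth stating who may write to `/etc/dnsdist/conf.d`.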
Рядок 469: Рядок 336:
 tee /etc/systemd/system/dnsdist.service.d/override.conf<<EOF tee /etc/systemd/system/dnsdist.service.d/override.conf<<EOF
 [Service] [Service]
-ExecStartPost=-/usr/bin/sleep 5 && /usr/bin/env dig @127.0.0.1 reload.blacklist.local+ExecStartPost=-/usr/bin/sleep 5 
 +ExecStartPost=-/usr/bin/env dig @127.0.0.1 reload.blacklist.local
 EOF EOF
 </code> </code>
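Review bot: both new `ExecStartPost=` lines keep the `-` prefix, so a failed `dig @127.0.0.1 reload.blacklist.local` is ignored and the unit reports a clean start without the blacklist reload having happened; the fixed `sleep 5` is also only a guess at when dnsdist is listening. Splitting the old `sleep 5 && dig` line is right, since systemd does not run `ExecStartPost=` through a shell. Suggest making the `dig` result visible (drop the `-` on that line or log its exit status) and bounding it with `+time=` and `+tries=` so a query that gets no answer cannot stall startup.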
Рядок 569: Рядок 437:
 perl /etc/dnsdist/get_black_list.pl perl /etc/dnsdist/get_black_list.pl
 </code> </code>
 +
 +<code json>
 +[
 +   "*.lohotron.shop",
 +   "porn.xxx",
 +   "xn--80ayhh.xn--c1avg"
 +]
 +</code>
 +
 +  cp /etc/dnsdist/get_black_list.pl /etc/cron.hourly/get_black_list
 +  chmod +x /etc/cron.hourly/get_black_list
 +
 +===== SNMP =====
 +
 +До основних репозиторіїв необхідно в кінець кожного додати "non-free", інакше деякі пакунки не буде знайдено для встановлення.
  
 <code bash> <code bash>
 +nano /etc/apt/sources.list
 </code> </code>
 +
 +<code bash>
 +# deb cdrom:[Debian GNU/Linux 11.4.0 _Bullseye_ - Official amd64 NETINST 20220709-10:31]/ bullseye main
 +
 +deb http://deb.debian.org/debian/ bullseye main non-free
 +deb-src http://deb.debian.org/debian/ bullseye main non-free
 +
 +deb http://security.debian.org/debian-security bullseye-security main non-free
 +deb-src http://security.debian.org/debian-security bullseye-security main non-free
 +
 +# bullseye-updates, to get updates before a point release is made;
 +# see https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_updates_and_backports
 +deb http://deb.debian.org/debian/ bullseye-updates main non-free
 +deb-src http://deb.debian.org/debian/ bullseye-updates main non-free
 +</code>
 +
 +
 +  apt install software-properties-common
 +   apt-add-repository non-free
  
  
 <code bash> <code bash>
 +apt update && apt install -y snmp-mibs-downloader snmp snmpd
 </code> </code>
  
 +comment line "mibs :" for snmp-mibs-downloader
 +<code bash>
 +nano /etc/snmp/snmp.conf
 +</code>
  
 +<code bash>
 +nano /etc/snmp/snmpd.conf
 +</code>
 +
 +<code bash>
 +master  agentx
 +agentxperms 0700 0700 _dnsdist _dnsdist
 +rocommunity dnsdist42
 +</code>
 +
 +<code bash>
 +cd /usr/share/snmp/mibs
 +wget https://raw.githubusercontent.com/PowerDNS/pdns/master/pdns/dnsdistdist/DNSDIST-MIB.txt
 +wget https://www.circitor.fr/Mibs/Mib/F/FLOAT-TC-MIB.mib
 +</code>
 +
 +<code bash>
 +chown -R _dnsdist:root  /etc/dnsdist/
 +chown -R pdns:root /etc/powerdns/
 +chmod 775 /var/agentx/
 +</code>
 +
 +Для активації SNMP потрібно в кінець файлу
 +<code bash>
 +nano /etc/dnsdist/dnsdist.conf
 +</code>
 +додати рядок
 +<code bash>
 +snmpAgent(true,"/var/agentx/master")
 +</code>
 +
 +<code bash>
 +systemctl restart snmpd
 +systemctl restart dnsdist
 +journalctl -xe
 +</code>
 +
 +Перевірити працездатність SNMP можна наступними командами
 +<code bash>
 +snmpwalk -v2c -c dnsdist42 127.0.0.1 .1.3.6.1.4.1.43315
 +snmpwalk -v2c -m DNSDIST-MIB -c dnsdist42 127.0.0.1 1.3.6.1.4.1.43315
 +</code>
 +
 +Ось вивід останньої
 +<code bash>
 +DNSDIST-MIB::queries.0 = Counter64: 18
 +DNSDIST-MIB::responses.0 = Counter64: 1
 +DNSDIST-MIB::servfailResponses.0 = Counter64: 0
 +DNSDIST-MIB::aclDrops.0 = Counter64: 0
 +DNSDIST-MIB::ruleDrop.0 = Counter64: 0
 +DNSDIST-MIB::ruleNXDomain.0 = Counter64: 0
 +DNSDIST-MIB::ruleRefused.0 = Counter64: 0
 +DNSDIST-MIB::selfAnswered.0 = Counter64: 17
 +DNSDIST-MIB::downstreamTimeouts.0 = Counter64: 0
 +DNSDIST-MIB::downstreamSendErrors.0 = Counter64: 0
 +DNSDIST-MIB::truncFailures.0 = Counter64: 0
 +DNSDIST-MIB::noPolicy.0 = Counter64: 0
 +DNSDIST-MIB::latency01.0 = Counter64: 17
 +DNSDIST-MIB::latency110.0 = Counter64: 0
 +DNSDIST-MIB::latency1050.0 = Counter64: 0
 +DNSDIST-MIB::latency50100.0 = Counter64: 0
 +DNSDIST-MIB::latency1001000.0 = Counter64: 1
 +DNSDIST-MIB::latencySlow.0 = Counter64: 0
 +DNSDIST-MIB::latencyAVG100.0 = STRING: "2404.139327"
 +DNSDIST-MIB::latencyAVG1000.0 = STRING: "263.185870"
 +DNSDIST-MIB::latencyAVG10000.0 = STRING: "26.556655"
 +DNSDIST-MIB::latencyAVG1000000.0 = STRING: "0.265830"
 +DNSDIST-MIB::uptime.0 = Counter64: 33051
 +DNSDIST-MIB::realMemoryUsage.0 = Counter64: 73154560
 +DNSDIST-MIB::nonCompliantQueries.0 = Counter64: 0
 +DNSDIST-MIB::nonCompliantResponses.0 = Counter64: 0
 +DNSDIST-MIB::rdQueries.0 = Counter64: 18
 +DNSDIST-MIB::emptyQueries.0 = Counter64: 0
 +DNSDIST-MIB::cacheHits.0 = Counter64: 0
 +DNSDIST-MIB::cacheMisses.0 = Counter64: 0
 +DNSDIST-MIB::cpuUserMSec.0 = Counter64: 18324
 +DNSDIST-MIB::cpuSysMSec.0 = Counter64: 60627
 +DNSDIST-MIB::fdUsage.0 = Counter64: 97
 +DNSDIST-MIB::dynBlocked.0 = Counter64: 0
 +DNSDIST-MIB::dynBlockNMGSize.0 = Counter64: 0
 +DNSDIST-MIB::ruleServFail.0 = Counter64: 0
 +DNSDIST-MIB::securityStatus.0 = Counter64: 1
 +DNSDIST-MIB::specialMemoryUsage.0 = Counter64: 55439360
 +DNSDIST-MIB::ruleTruncated.0 = Counter64: 0
 +DNSDIST-MIB::backendName.0 = STRING: 127.0.0.1:5300
 +DNSDIST-MIB::backendName.1 = STRING: 127.0.0.1:5301
 +DNSDIST-MIB::backendLatency.0 = Counter64: 0
 +DNSDIST-MIB::backendLatency.1 = Counter64: 2
 +DNSDIST-MIB::backendWeight.0 = Counter64: 1
 +DNSDIST-MIB::backendWeight.1 = Counter64: 1
 +DNSDIST-MIB::backendOutstanding.0 = Counter64: 0
 +DNSDIST-MIB::backendOutstanding.1 = Counter64: 0
 +DNSDIST-MIB::backendQPSLimit.0 = Counter64: 0
 +DNSDIST-MIB::backendQPSLimit.1 = Counter64: 0
 +DNSDIST-MIB::backendReused.0 = Counter64: 0
 +DNSDIST-MIB::backendReused.1 = Counter64: 0
 +DNSDIST-MIB::backendState.0 = STRING: up
 +DNSDIST-MIB::backendState.1 = STRING: up
 +DNSDIST-MIB::backendAddress.0 = STRING: "127.0.0.1:5300"
 +DNSDIST-MIB::backendAddress.1 = STRING: "127.0.0.1:5301"
 +DNSDIST-MIB::backendPools.0 = STRING: auth
 +DNSDIST-MIB::backendPools.1 = STRING: recursor
 +DNSDIST-MIB::backendQPS.0 = Counter64: 0
 +DNSDIST-MIB::backendQPS.1 = Counter64: 0
 +DNSDIST-MIB::backendQueries.0 = Counter64: 0
 +DNSDIST-MIB::backendQueries.1 = Counter64: 1
 +DNSDIST-MIB::backendOrder.0 = Counter64: 1
 +DNSDIST-MIB::backendOrder.1 = Counter64: 1
 +</code>
 +
 +Для відкриття доступу до SNMPD з мережі потрібно відкрити порт в файрволі
 +  nft add rule ip filter input ct state new udp dport 161 counter accept comment "SNMPD"
 +та змінити параметр agentaddress в /etc/snmp/snmpd.conf з 127.0.0.1 на іп адресу, за якою можна звернутись до хоста з мережі, або на 0.0.0.0 для глобального досупу
  
 ===== Нотатки ===== ===== Нотатки =====
 +
 ++[[https://dnsdist.org/guides/cache.html|DnsDist Query cache]]
  
 [[https://www.ylsoftware.com/news/712|Установка DNSCrypt-сервера]] [[https://www.ylsoftware.com/news/712|Установка DNSCrypt-сервера]]
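Review bot: the last added paragraph of the SNMP section opens UDP 161 to any source (`nft add rule ip filter input ct state new udp dport 161 counter accept`) and offers `agentaddress` 0.0.0.0, while the `snmpd.conf` block above it keeps `rocommunity dnsdist42` with no source restriction. SNMPv2c sends that community string in clear text and the value is published on this page, so any host that can reach port 161 can walk the dnsdist counters and backend addresses shown in the sample output. Suggest adding `ip saddr <monitoring host>` to the nft rule, giving `rocommunity` a source argument and an unpublished value (or moving to SNMPv3), and binding `agentaddress` to the management address rather than 0.0.0.0. Separately, `chown -R _dnsdist:root /etc/dnsdist/` makes the whole configuration tree writable by the `_dnsdist` service account, and `cp /etc/dnsdist/get_black_list.pl /etc/cron.hourly/get_black_list` creates a second copy that will drift from the original; a symlink or a one-line wrapper keeps a single script.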
Рядок 594: Рядок 617:
   /etc/init.d/pdns-recursor status   /etc/init.d/pdns-recursor status
  
 +[[https://www.iana.org/assignments/enterprise-numbers/assignment/apply/| Зареєструвати свій номер (SNMP ENTERPRISE VENDOR NUMBER)]]
  • debian/pdns_dnsdist.1665317953.txt.gz
  • Last modified: 09/10/2022 12:19
  • by Method