On Wed, Dec 27, 2006 at 01:26:55PM -0500, Marc Ravensbergen wrote:
> Hi, I have a little home network that I am trying to protect from the
> nasty outside world.
>
> What I would like to do is add the following features...
> 1) DNS server (for my private network only) so that my computers can
> use kiwi instead of the ISP dns servers (which change from time to
> time and are really, really slow at times). If kiwi could cache the
> addresses it would save a _lot_ of time reaching my common websites.
> This feature doesn't sound difficult, I just need a few tips here and
> there (package name, sample config)
bind/named is in base, patched and runs chrooted; look no further.
Something like this should get you going:
$ fgrep named /etc/rc.conf.local
named_flags=""
$ sudo cat /var/named/etc/named.conf
acl clients {
localnets;
localhost;
};
acl int-xfers {
localhost;
};
options {
version "";
listen-on { int.ip.add.ress; };
listen-on-v6 { none; };
minimal-responses yes;
notify no;
allow-transfer { none; };
};
// assumes a key statement (or an include) that defines "rndc-key"; not shown here
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
// match-clients is only legal inside a view, and the trailing "};" below closes one,
// so the view header had dropped out of the listing; the view name is an assumption
view "internal" {
match-clients { clients; };
recursion yes;
zone "example.local" {
type master;
file "master/example.local"; // the file shown below
notify yes;
allow-transfer { int-xfers; };
};
zone "x.168.192.in-addr.arpa" {
type master;
file "master/x.168.192.in-addr.arpa";
notify yes;
allow-transfer { int-xfers; };
};
zone "doubleclick.net" { type master; file "master/dummy-block.internal"; };
zone "adtech.de" { type master; file "master/dummy-block.internal"; };
};
$ cat /var/named/master/example.local
$TTL 7D ; client caching [RFC 1035]
@ SOA (
kiwi ; master name server
hostmaster ; zone maintainer's email [RFC 2142]
2006124000 ; serial, todays date + todays serial #
1D ; refresh
2H ; retry
5W ; expire
2D ) ; client negative caching [RFC 2308]
    NS kiwi ; blank owner: leading whitespace makes these inherit @
    MX 0 kiwi
kiwi A 192.168.x.1
monaro A 192.168.x.2 ; 192.168, not 192.198: the reverse zone below is x.168.192
torana A 192.168.x.3
corncob A 192.168.x.4
$GENERATE 50-200 192-168-x-$.dhcp A 192.168.x.$
photos CNAME corncob
blog CNAME monaro
squid CNAME kiwi
localhost A 127.0.0.1
$ cat /var/named/master/x.168.192.in-addr.arpa
$TTL 7D ; client caching [RFC 1035]
@ SOA (
kiwi.example.local. ; master name server
hostmaster.example.local. ; zone maintainer's email [RFC 2142]
2006121000 ; serial, todays date + todays serial #
1D ; refresh
2H ; retry
5W ; expire
2D ) ; client negative caching [RFC 2308]
    NS kiwi.example.local.
1 PTR kiwi.example.local.
2 PTR monaro.example.local.
3 PTR torana.example.local.
4 PTR corncob.example.local.
$GENERATE 50-200 $ PTR 192-168-x-$.dhcp.example.local.
$ cat /var/named/master/dummy-block.internal
; Zone file for dummy-block
; http://www.deer-run.com/~hal/sysadmin/dns-advert.html
; http://www.holland-consulting.net/tech/imblock.html
$TTL 7D ; client caching [RFC 1035]
@ SOA (
kiwi.example.local. ; master name server
hostmaster.example.local. ; zone maintainer's email [RFC 2142]
2006120200 ; serial, todays date + todays serial #
1D ; refresh
2H ; retry
5W ; expire
2D ) ; client negative caching [RFC 2308]
    A 127.0.0.1
    NS kiwi.example.local. ; trailing dot is required: this file is loaded under several zone origins
* A 127.0.0.1
$ tail -f /var/log/daemon &
$ sudo named
> 2) transparent web proxy; something along the lines of squid (I
> believe this is used by ipcop) to cache my frequent websites. I've
> never set this up by itself before, but again, probably manageable.
A squid config like this should get you started:
$ fgrep -v \# /etc/squid/squid.conf | grep -v ^$
http_port localhost:3128
http_port internal-dns-name:3128
cache_dir ufs /var/squid/cache 500 16 256
ftp_user [EMAIL PROTECTED]
ftp_list_width 80
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# Safe_ports is referenced below but was not defined (squid refuses to start without it); stock defaults:
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl SSL_ports port 443 563
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl our_networks src 192.168.x.x/24 127.0.0.1/32
http_access allow our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
# squid 2.5 transparent-proxy directives; squid 2.6 replaced them with "http_port ... transparent".
# Interception also needs a pf rdr rule sending LAN port 80 traffic to port 3128 (not shown here).
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/squid/cache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT PROPFIND
squid really needs to have its own disk slice, or better yet, its own
disk. The disk will only spin while you're surfin':
$ fgrep squid /etc/fstab
/dev/wd0k /var/squid ffs rw,nodev,nosuid,noexec,noatime,async 0 2
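As an added example (not part of the original post, and not BIND's own tooling), here is a small Python checker that cross-references the forward zone's A records against the reverse zone's PTRs, the kind of mismatch that is easy to introduce by hand in files like the ones above and that named-checkzone(8), which validates one zone at a time, will not catch. The two zones inside it are constructed samples modelled on the posted ones, with the placeholder octet x assumed to be 1 and one transposed octet planted so the check has something to report; the function and constant names are mine.

```python
"""Forward/reverse DNS zone consistency check. Added example, not code from the
post or from BIND; handles only what the posted zones use ($TTL, $GENERATE, a
parenthesised SOA, A/PTR/CNAME/NS/MX) and assumes a /24 reverse zone with the
"x" placeholder octet = 1. Sample zones are constructed, one typo planted."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

FORWARD_ORIGIN = "example.local."
REVERSE_ORIGIN = "1.168.192.in-addr.arpa."  # assumption: x = 1
FORWARD_ZONE = """\
$TTL 7D ; client caching [RFC 1035]
@ SOA (
    kiwi hostmaster 2006122400 1D 2H 5W 2D )
    NS kiwi
    MX 0 kiwi
kiwi A 192.168.1.1
monaro A 192.198.1.2 ; planted typo: 198 should be 168
$GENERATE 50-52 192-168-1-$.dhcp A 192.168.1.$
photos CNAME kiwi
localhost A 127.0.0.1
"""
REVERSE_ZONE = """\
@ SOA kiwi.example.local. hostmaster.example.local. 2006122400 1D 2H 5W 2D
    NS kiwi.example.local.
1 PTR kiwi.example.local.
2 PTR monaro.example.local.
$GENERATE 50-52 $ PTR 192-168-1-$.dhcp.example.local.
"""
_TTL_OR_CLASS = re.compile(r"(\d+[smhdw]?|IN|CH|HS)$", re.I)

def _absolute(name: str, origin: str) -> str:
    """Resolve a relative zone-file name against the origin (RFC 1035)."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def _rdata(rtype: str, rdata: str, origin: str) -> str:
    """Absolutize the trailing domain name in PTR, CNAME, NS and MX rdata."""
    if rtype not in ("PTR", "CNAME", "NS", "MX"):
        return rdata
    *prefix, target = rdata.split()
    return " ".join(prefix + [_absolute(target, origin)])

def parse_zone(text: str, origin: str) -> List[Tuple[str, str, str]]:
    """Expand a zone file into (owner FQDN, type, rdata) triples; SOA is skipped."""
    records: List[Tuple[str, str, str]] = []
    last_owner, in_parens = origin, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # ';' starts a comment
        if in_parens:  # inside a multi-line SOA: wait for the closing paren
            in_parens = ")" not in line
            continue
        if not line.strip() or line.startswith("$TTL"):
            continue
        parts = line.split()
        if parts[0] == "$GENERATE":  # "$GENERATE lo-hi lhs type rhs" (no TTL/class)
            lo, hi = (int(v) for v in parts[1].split("-"))
            for i in range(lo, hi + 1):
                owner = _absolute(parts[2].replace("$", str(i)), origin)
                rhs = " ".join(parts[4:]).replace("$", str(i))
                records.append((owner, parts[3].upper(), _rdata(parts[3].upper(), rhs, origin)))
            continue
        # a line starting with whitespace has a blank owner field: the previous owner applies
        owner, fields = (last_owner, parts) if raw[0].isspace() else (_absolute(parts[0], origin), parts[1:])
        last_owner = owner
        while _TTL_OR_CLASS.match(fields[0]):  # optional TTL and class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if rtype == "SOA":  # skipped; note whether a "(" body continues below
            in_parens = "(" in rdata and ")" not in rdata
        else:
            records.append((owner, rtype, _rdata(rtype, rdata, origin)))
    return records

def check_consistency(forward: str, fwd_origin: str, reverse: str, rev_origin: str) -> List[str]:
    """Cross-check A records against PTRs; an empty list means the zones agree."""
    octets = list(reversed(rev_origin.rstrip(".").split(".")[:-2]))  # /24 assumed
    net = ipaddress.ip_network(".".join(octets) + ".0/24")
    problems: List[str] = []
    a_names: Dict[str, Set[str]] = {}
    ptr_names: Dict[str, Set[str]] = {}
    for owner, rtype, rdata in parse_zone(forward, fwd_origin):
        if rtype == "A" and not ipaddress.ip_address(rdata).is_loopback:
            if ipaddress.ip_address(rdata) in net:
                a_names.setdefault(rdata, set()).add(owner)
            else:
                problems.append(f"{owner} A {rdata}: address outside {net}, typo?")
    for owner, rtype, rdata in parse_zone(reverse, rev_origin):
        if rtype == "PTR":  # owner is "<last octet>.<reverse origin>"
            ip = ".".join(octets) + "." + owner[: -len(rev_origin) - 1]
            ptr_names.setdefault(ip, set()).add(rdata)
    for ip in set(a_names) | set(ptr_names):
        for name in a_names.get(ip, set()) - ptr_names.get(ip, set()):
            problems.append(f"{name} A {ip}: no PTR in {rev_origin}")
        for name in ptr_names.get(ip, set()) - a_names.get(ip, set()):
            problems.append(f"{ip} PTR {name}: no matching A in {fwd_origin}")
    return sorted(problems)
```

Calling check_consistency(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN) reports the planted 192.198 address as outside the reverse zone's network and the orphaned PTR for .2; with the octet corrected the list is empty. Relative names are resolved against the zone origin the same way named does, so a PTR or NS target that lacks its trailing dot (kiwi.example.local instead of kiwi.example.local.) also surfaces as a mismatch rather than silently becoming kiwi.example.local.1.168.192.in-addr.arpa.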