Re: [swinog] DNS Admin tool

2016-02-06 Threads Rainer Duffner

> On 06.02.2016 at 20:42, Stanislav Sinyagin wrote:
> 
> Second that, and... Have a look at incognito.com Name 
> Commander. It's a commercial tool that governs BIND servers.
> 
> Another option would be to outsource the whole DNS service to a team which 
> knows what they're doing :)
> 
> 


That’s sometimes a difficult decision.
Though few will count DNS as being a core-business, a lot of stuff depends on 
it.

And unless it’s a core-business, you will certainly not be able to run it as 
well as somebody like dyn.com or easydns.com .

It really depends on how much of an "ISP" you consider yourself and how many 
zones you maintain (and how many queries you get to those zones).



___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog


Re: [swinog] DNS Admin tool

2016-02-06 Threads Silvan Gebhardt


On 06.02.2016 17:34, Kägi Adrian wrote:
> We're looking for a web based Admin Tool, to manage our zone files on two 
> Bind DNS (Master, slave) Servers. If any possible, this tool should support 
> zone based admin rights for external customers.

I do this the following way - haven't found anything better yet:

- Webmin
- Add the slaves into the Webmin master within "Other Servers"
- This way, we have single sign-on

Step 2: Go to Bind settings
Webmin > Servers > Bind > Cluster slave Servers
Add the other slaves (3 in my case)
Create secondary on slave: yes
Create all existing master zones on slave: yes
Name for NS record: show the ns2.yourname.ch

Make sure not to have a trailing "." or it might get doubled ("..") at the
end in the zone.


Now put Virtualmin over it (don't get fooled into having to use the
commercial Cloudmin).

Now you have delegated access. You still see all zones as sudo user ;)
Perfect imho.


I created a package (service definition) that only allows DNS changes.
I then use WHMCS to manage my clients - my clients can order their own
free DNS management via a "free package" on WHMCS, which then provisions
it on these DNS servers.

Do not let a provisioning system auto-accept orders. Otherwise, someone
will create gmail.com on your DNS and hijack all the emails of the
people who use your DNS to resolve (that's one reason one should keep
resolvers and authoritative DNS split).


I hope that was some input, it took me quite some time to figure out the
best solution.


PS: I even tested having clients order reverse v6 zones. It worked! The
client might even be on this ML ;)


Silvan
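Silvan's warning about auto-accepted orders can be turned into a concrete check in the provisioning path. The script below is an added example, not code from the post or from WHMCS/Virtualmin: it screens an incoming zone order against a constructed inventory of zones already hosted for other customers and a constructed deny-list of well-known third-party names, and it never accepts anything on its own; the best outcome it returns is "awaiting_approval", so a human still looks at every order. The zone names, customer ids and the HARD/SOFT severities are assumptions made for this example.

```python
import re

# Constructed inventory for the example: zone name -> customer account that owns it.
HOSTED_ZONES = {
    "customer-a.example": "cust-a",
    "mail.customer-a.example": "cust-a",
    "8.b.d.0.1.0.0.2.ip6.arpa": "cust-b",
}

# Constructed deny-list of third-party names a customer must never self-provision.
# The hijack the post describes works because a server that is both resolver and
# authoritative will answer its resolver clients from the local copy of "gmail.com".
DENYLIST = {"gmail.com", "google.com", "outlook.com"}

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

HARD = "reject"   # objection that stops the order outright
SOFT = "review"   # objection the approver must look at before deciding


def normalize_zone(name):
    """Lower-case and strip the trailing dot so 'Example.COM.' equals 'example.com'."""
    return name.strip().lower().rstrip(".")


def is_valid_zone_name(zone):
    """Hostname-style syntax check on every label and on the total length."""
    labels = zone.split(".")
    return 0 < len(zone) <= 253 and all(LABEL_RE.match(label) for label in labels)


def screen_zone_order(zone, customer, hosted=HOSTED_ZONES, denylist=DENYLIST):
    """Return a list of (severity, reason) objections for a customer's zone order."""
    z = normalize_zone(zone)
    if not is_valid_zone_name(z):
        return [(HARD, f"syntax: {zone!r} is not a valid zone name")]
    flags = []
    # Exact match or any name underneath a deny-listed domain.
    if z in denylist or any(z.endswith("." + d) for d in denylist):
        flags.append((HARD, f"denylist: {z} belongs to a third party"))
    for hosted_zone, owner in hosted.items():
        if owner == customer:
            continue  # a customer may order names inside zones they already own
        if z == hosted_zone:
            flags.append((HARD, f"collision: {z} is already hosted for {owner}"))
        elif z.endswith("." + hosted_zone):
            # The parent zone's owner controls delegation below it, not this customer.
            flags.append((HARD, f"child of {hosted_zone}, which is hosted for {owner}"))
        elif hosted_zone.endswith("." + z):
            # Ordering a parent of someone else's zone is odd enough to need a human.
            flags.append((SOFT, f"parent of {hosted_zone}, which is hosted for {owner}"))
    return flags


def queue_order(zone, customer, hosted=HOSTED_ZONES, denylist=DENYLIST):
    """Decide what the provisioning system may do: reject, or hold for approval."""
    flags = screen_zone_order(zone, customer, hosted, denylist)
    status = "rejected" if any(sev == HARD for sev, _ in flags) else "awaiting_approval"
    return {"zone": normalize_zone(zone), "customer": customer,
            "status": status, "flags": flags}


if __name__ == "__main__":
    for zone, customer in [("gmail.com", "cust-c"),
                           ("Shop.Customer-A.Example.", "cust-b"),
                           ("example", "cust-c"),
                           ("customer-c.example", "cust-c")]:
        print(queue_order(zone, customer))
```

The deny-list only catches names someone thought of in advance, so treat it as a tripwire, not as the fix. The structural fix Silvan mentions, running the recursive resolvers on machines that hold no customer-provisioned authoritative zones, removes the reason a rogue local zone could shadow the real one for resolver clients at all.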





Re: [swinog] DNS Admin tool

2016-02-06 Threads DUCHET Rémy
Hi, 

You can have a look at ISPConfig. It works well with Bind: web interface 
for admins, users and resellers. Many options, and fully open source. 

Rémy
 


On 6 Feb 2016 at 17:46, Kägi Adrian wrote:

Hi Swinog
I guess all of us are in touch with administrating DNS servers. And I guess Bind 
will be a popular one.
In our situation, different admins with different skills make changes on zone 
files. And some guys (I cannot understand why) don't like vi as an 
administration tool.
We're looking for a web-based admin tool to manage our zone files on two Bind 
DNS (master, slave) servers. If at all possible, this tool should support 
zone-based admin rights for external customers.

What kind of tool do you use? Webmin? Plesk? vi?

I found a lot of outdated and unmaintained tools, quite frustrating.

Thank you very much! 
Cheers Adrian




Re: [swinog] Strange Messages on Linux

2016-02-06 Threads Roger

There is no IPv6 involved, not on DNS nor on the server.
It's a physical machine with an MSI board.
I even see sometimes doubled packets.
I will have a talk with the hoster as well ;)
But the question is why it only happens when there is CGN in the game?

BTW, here Embratel changed an existing client to CGN and broke their 
security cam system (not reachable from the road).

There are several complaints already pending at the regulator's office ;)
It was asked to investigate and even reduce the monthly fee for the time 
of non-100%-working service.

It seems the regulator will soon add some rules regarding CGN.

Roger





On 06/02/2016 12:58, Jeroen Massar wrote:
> On 2016-02-06 16:45, Roger wrote:
>> Hi Swinogers
>> Since a few weeks I see the following messages
>> on a server in Europe:
>> kernel:nf_ct_sip: dropping packetIN=eth0 OUT=
>> MAC=00:23:54:d7:7c:12:80:71:1f:e2:71:81:08:00 SRC=191.189.9.153
>> DST=62.75.177.146 LEN=513 TOS=0x00 PREC=0x00 TTL=115 ID=27879 PROTO=UDP
>> SPT=29012 DPT=5060 LEN=493
>>
>> There are various IPs causing this problem.
>> In common: all IPs causing those messages are originating from a CGN
>> gateway.
>> The example above is a Brazilian cable provider.
>>
>> Clients behind those networks complain about sometimes getting dropped
>> calls or one-way speech, and in some cases not being able to register some
>> SIP devices while others work, mostly at times when the kernel drops packets.
>
> SIP requires state, well, the RTP part of a SIP call requires state.
>
> Some device is dropping state somewhere for you.
>
> Welcome to the wonderful world of forced NAT.
>
> Did you deploy IPv6 already? It is 2016, aka 201_IPv6_
>
>> Does someone have any idea what is causing this? And why the hell an
>> invalid MAC address could make it so far?
>
> Linux tends to show all the MAC addresses in a stack of packets, e.g. 802.1Q
>
> 00:23:54:d7:7c:12 is likely the switch you are connected to.
>
> 00:23:54 ASUSTek COMPUTER INC -- the VM bridge you are using?
>
> 80:71:1f:e2:71:81
> 80:71:1f Juniper Networks -- your actual router
>
> 08:00 just shows it is IPv4.
>
> Greets,
>   Jeroen






Re: [swinog] Strange Messages on Linux

2016-02-06 Threads Jeroen Massar
On 2016-02-06 19:00, Roger wrote:
> there is no ipv6 involved, not on dns nor on the server

Of course not, otherwise there would not be any NAT issue.

> its a physical machine with an MSI Board
> i even see sometimes doubled packets.

Explain 'double packets': did you do a non-CGN test for that, and do you see
them then?

> I will have a talk with the Hoster as well ;)
> but question is why it does only happen when there is CGN in the game ?

Likely as they balance their outbound load.

And then the source address changes maybe even in the middle of a session.

The only way to find out what happens is to be on both sides of that CGN
and monitor packets coming in/out of it. Or better: ask the people who
operate the CGN (and then also ask if they are deploying IPv6...)

> btw, here Embratel changed existing client to CGN and broke there
> securitycams System (not reachable from the road)

Same is happening to UnityMedia all over Europe. And the people who are
signing up to new contracts with Cablecom do not even have the word "IP"
in their contracts; these will soon have a nice 500/10 Mbit CGN'd pipe too.

> There are several complain already pending at the Regulators office ;)
> it was asked to investigate and even reduce the monthly fee for the time
> of non 100% working Service.
> It seems the regulator will soon add some rules regarding CGN.

That is a good precedent. Unfortunately as I note above, they already
have changed the contracts, hence folks "changing" their subscription
agree with the new one which does not even do "IP", just "Internet"
which is rather vague.

Greets,
 Jeroen




Re: [swinog] DNS Admin tool

2016-02-06 Threads Rainer Duffner

> On 06.02.2016 at 17:34, Kägi Adrian wrote:
> 
> Hi Swinog
> I guess all of us are in touch with administrating DNS servers. And I guess Bind 
> will be a popular one.
> In our situation, different admins with different skills make changes on zone 
> files. And some guys (I cannot understand why) don't like vi as an 
> administration tool.
> We're looking for a web-based admin tool to manage our zone files on two 
> Bind DNS (master, slave) servers. If at all possible, this tool should support 
> zone-based admin rights for external customers.
> 
> What kind of tool do you use? Webmin? Plesk? vi?
> 
> I found a lot of outdated and unmaintained tools, quite frustrating.



Hi,

we use NicTool (http://www.nictool.com, 
https://github.com/msimerson/NicTool/releases).
Though, its web interface is currently not public-facing.

The only thing it doesn’t do right now is DNSSEC.
Also, its privilege-system granularity stops at the zone level.
So, you can assign the rights for a complete forward- or reverse-zone, but not 
for a single IP of a reverse-zone.

The web interface itself is usable, but lacks i18n.

People can still shoot themselves in the foot - but the tool does a lot of 
checks in advance.


The cool thing is, it supports all kinds of DNS-servers, not just bind.



Rainer


[swinog] Strange Messages on Linux

2016-02-06 Threads Roger



Hi Swinogers
Since a few weeks I see the following messages
on a server in Europe:
kernel:nf_ct_sip: dropping packetIN=eth0 OUT=
MAC=00:23:54:d7:7c:12:80:71:1f:e2:71:81:08:00 SRC=191.189.9.153
DST=62.75.177.146 LEN=513 TOS=0x00 PREC=0x00 TTL=115 ID=27879 PROTO=UDP
SPT=29012 DPT=5060 LEN=493

There are various IPs causing this problem.
In common: all IPs causing those messages are originating from a CGN
gateway.
The example above is a Brazilian cable provider.

Clients behind those networks complain about sometimes getting dropped
calls or one-way speech, and in some cases not being able to register some
SIP devices while others work, mostly at times when the kernel drops packets.

Does someone have any idea what is causing this? And why the hell an
invalid MAC address could make it so far?







Re: [swinog] DNS Admin tool

2016-02-06 Threads Stanislav Sinyagin
Second that, and... Have a look at incognito.com Name Commander. It's a
commercial tool that governs BIND servers.

Another option would be to outsource the whole DNS service to a team which
knows what they're doing :)
On 6 Feb 2016 20:19, "Per Jessen" wrote:

> Kägi Adrian wrote:
>
> > Hi Swinog
> > I guess all of us are in touch with administrating DNS servers. And I guess
> > Bind will be a popular one. In our situation, different admins with
> > different skills make changes on zone files. And some guys (I cannot
> > understand why),
>
> Anyone who has not managed to work with vi, should not be let near a
> nameserver.
>
>
>
> --
> Per Jessen, Zürich (4.8°C)
> http://www.dns24.ch/ - your free DNS host, made in Switzerland.
>
>
>


Re: [swinog] Strange Messages on Linux

2016-02-06 Threads Jeroen Massar
On 2016-02-06 16:45, Roger wrote:
> 
> 
> Hi Swinogers
> Since a few weeks I see the following messages
> on a server in Europe:
> kernel:nf_ct_sip: dropping packetIN=eth0 OUT=
> MAC=00:23:54:d7:7c:12:80:71:1f:e2:71:81:08:00 SRC=191.189.9.153
> DST=62.75.177.146 LEN=513 TOS=0x00 PREC=0x00 TTL=115 ID=27879 PROTO=UDP
> SPT=29012 DPT=5060 LEN=493
>
> There are various IPs causing this problem.
> In common: all IPs causing those messages are originating from a CGN
> gateway.
> The example above is a Brazilian cable provider.
> 
> Clients behind those networks complain about sometimes getting dropped
> calls or one-way speech, and in some cases not being able to register some
> SIP devices while others work, mostly at times when the kernel drops packets.

SIP requires state, well, the RTP part of a SIP call requires state.

Some device is dropping state somewhere for you.

Welcome to the wonderful world of forced NAT.

Did you deploy IPv6 already? It is 2016, aka 201_IPv6_


> Does someone have any idea what is causing this? And why the hell an
> invalid MAC address could make it so far?

Linux tends to show all the MAC addresses in a stack of packets, e.g. 802.1Q

00:23:54:d7:7c:12 is likely the switch you are connected to.

00:23:54 ASUSTek COMPUTER INC -- the VM bridge you are using?

80:71:1f:e2:71:81
80:71:1f Juniper Networks -- your actual router

08:00 just shows it is IPv4.

Greets,
 Jeroen
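To make Jeroen's reading of the MAC= field repeatable, here is an added Python example that is not from either mail: it parses netfilter LOG lines of the kind Roger posted, splits MAC= into destination MAC, source MAC and EtherType in the order the kernel writes the raw link-layer header, keeps the two LEN= values apart (IP total length and UDP length), and counts drops per source plus exact repeats of the same source/port/IP-ID, which is one way to put a number on the "doubled packets" Roger mentions. The first log line is the one from the thread; the other two lines and the tiny OUI table (its two entries are the vendors Jeroen named) are constructed for this example, and a real tool would load the IEEE OUI registry instead.

```python
import re
from collections import Counter

# First line is the one from Roger's mail; the other two are constructed for this example.
SAMPLE_LOG = [
    "kernel:nf_ct_sip: dropping packetIN=eth0 OUT= "
    "MAC=00:23:54:d7:7c:12:80:71:1f:e2:71:81:08:00 SRC=191.189.9.153 "
    "DST=62.75.177.146 LEN=513 TOS=0x00 PREC=0x00 TTL=115 ID=27879 PROTO=UDP "
    "SPT=29012 DPT=5060 LEN=493",
    # constructed: the identical datagram logged a second time (a "doubled packet")
    "kernel:nf_ct_sip: dropping packetIN=eth0 OUT= "
    "MAC=00:23:54:d7:7c:12:80:71:1f:e2:71:81:08:00 SRC=191.189.9.153 "
    "DST=62.75.177.146 LEN=513 TOS=0x00 PREC=0x00 TTL=115 ID=27879 PROTO=UDP "
    "SPT=29012 DPT=5060 LEN=493",
    # constructed: a different source (RFC 5737 documentation address), new IP ID
    "kernel:nf_ct_sip: dropping packetIN=eth0 OUT= "
    "MAC=00:23:54:d7:7c:12:80:71:1f:e2:71:81:08:00 SRC=198.51.100.7 "
    "DST=62.75.177.146 LEN=420 TOS=0x00 PREC=0x00 TTL=52 ID=1001 PROTO=UDP "
    "SPT=5060 DPT=5060 LEN=400",
]

# Tiny OUI table holding only the two vendors named in the thread (assumption for
# the example); a real deployment would load the IEEE OUI registry.
OUI_VENDORS = {"00:23:54": "ASUSTek COMPUTER INC", "80:71:1f": "Juniper Networks"}

KV_RE = re.compile(r"(\w+)=(\S*)")


def split_mac_field(mac_field):
    """Split the 14-octet MAC= value into (dst_mac, src_mac, ethertype).

    netfilter logs the raw Ethernet header: destination MAC, source MAC, then the
    two-byte EtherType, which is why the value looks like an over-long MAC address.
    """
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 octets (dst MAC, src MAC, EtherType)")
    dst = ":".join(octets[0:6])
    src = ":".join(octets[6:12])
    ethertype = int("".join(octets[12:14]), 16)
    return dst, src, ethertype


def oui_vendor(mac):
    """Look up the vendor of the first three octets (the OUI)."""
    return OUI_VENDORS.get(mac[:8].lower(), "unknown OUI")


def parse_nf_log(line):
    """Parse one netfilter LOG line into a dict; return None for unrelated lines."""
    idx = line.find("IN=")
    if idx < 0:
        return None
    prefix = line[:idx].split("kernel:", 1)[-1].strip()
    fields = {}
    for key, value in KV_RE.findall(line[idx:]):
        # LEN appears twice: IP total length first, then the UDP/TCP length after PROTO.
        fields[key if key not in fields else key + "_L4"] = value
    dst_mac = src_mac = ethertype = None
    if fields.get("MAC"):  # locally generated packets carry no MAC= field
        dst_mac, src_mac, ethertype = split_mac_field(fields["MAC"])

    def as_int(key):
        return int(fields[key]) if key in fields else None

    return {
        "prefix": prefix,
        "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
        "dst_mac": dst_mac, "src_mac": src_mac, "ethertype": ethertype,
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "ip_len": as_int("LEN"), "ttl": as_int("TTL"), "ip_id": as_int("ID"),
        "proto": fields.get("PROTO"),
        "spt": as_int("SPT"), "dpt": as_int("DPT"), "l4_len": as_int("LEN_L4"),
    }


def summarize(lines):
    """Count drops per source and exact repeats of (source, sport, IP ID).

    The same IP ID from the same source and port is a heuristic for a datagram
    delivered twice; a genuine SIP retransmission normally carries a fresh IP ID.
    """
    events = [e for e in map(parse_nf_log, lines) if e]
    per_source = Counter(e["src"] for e in events)
    repeats = Counter((e["src"], e["spt"], e["ip_id"]) for e in events)
    duplicates = {key: n for key, n in repeats.items() if n > 1}
    return {"events": len(events), "per_source": per_source, "duplicates": duplicates}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse_nf_log(line)
        print(f"{e['src']}:{e['spt']} -> {e['dst']}:{e['dpt']} id={e['ip_id']} "
              f"from {e['src_mac']} ({oui_vendor(e['src_mac'])}) "
              f"to {e['dst_mac']} ({oui_vendor(e['dst_mac'])}) "
              f"ethertype=0x{e['ethertype']:04x}")
    print(summarize(SAMPLE_LOG))
```

Feeding a day of such lines through summarize() and comparing the per-source counts against the CGN address pools the affected customers sit behind is the cheap first step before asking the CGN operator for captures on their side, which Jeroen's second mail names as the only way to see what actually happens inside the box.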


