Hurricane Electric's IPv6 Tunnel Broker Forums

IPv6 Certification Program Topics => General Discussion => Topic started by: UltraZero on June 12, 2011, 06:50:17 PM

Title: Cert continuation
Post by: UltraZero on June 12, 2011, 06:50:17 PM
Well, I am back on track with the cert. I have a question.

When moving from Explorer to Enthusiast, and ongoing, I see a DNS server is needed.

What would you suggest be the best platform when it comes to creating one.

There is some form of DNS on the Cisco IOS.  Not sure how extensive it is.
There is also a DNS server under Microsoft Windows Server XXX.  Not sure I want to use.
There is also a DNS server in Redhat Linux Enterprise and Ubuntu Server.

Anyone know which would be the best.

Also keep in mind, I guess from Enthusiast to Admin, it looks like I need a mail transfer agent; for Professional I need reverse DNS; and for Guru, I need to use AAAA records.

I would imagine all would work under Linux, but my experience with setting up DNS and a mail server was when Linux first came out.  Remember back when you had to compile the operating system with the features you wanted and it took an hour to compile??  So, that being said.

I want my Sage T-Shirt

What say you.   ;D ;D

Thanks
Title: Re: Cert continuation
Post by: cholzhauer on June 12, 2011, 06:56:19 PM
You should use whatever you're more comfortable with.  I did the whole thing on freebsd, but aside from ios, any of the os's you listed would work fine
Title: Re: Cert continuation
Post by: croikle on June 12, 2011, 07:05:35 PM
It's possible to make the last couple of tests quite simple if you use dns.he.net to host your DNS, though I'm sure it's not that bad to do it yourself.
Title: Re: Cert continuation
Post by: UltraZero on June 12, 2011, 07:14:29 PM
Is it possible to have the router perform the whole thing??
Title: Re: Cert continuation
Post by: broquea on June 12, 2011, 07:16:46 PM
enth = AAAA + HTTP
admin = MX + SMTP
prof = MX's IPv6 address having PTR
guru = AAAA + DNS software listening on IPv6
Title: Re: Cert continuation
Post by: UltraZero on June 12, 2011, 07:17:04 PM
Downloading Ubuntu and just finished installing Redhat.

I don't think at this point it really matters.  I don't really know any of the above. I'm always game, though, to try anything.  (well... Something about eating live large hissing cockroaches is out of the question...)

LOL..
Title: Re: Cert continuation
Post by: UltraZero on June 12, 2011, 07:18:09 PM
Is it  possible that a Cisco router can perform the tasks at hand??

thanks
Title: Re: Cert continuation
Post by: cholzhauer on June 12, 2011, 07:25:23 PM
AFAIK IOS can't do email or DNS.
Title: Re: Cert continuation
Post by: UltraZero on June 12, 2011, 07:59:49 PM
Bummer...

Oh well.  I guess Linux it is. 

Now... What flavor... Hmmmm.......  too many freebies to choose from.

I guess it's going to be Ubuntu or Redhat..


Thanks much..

Off to installations we go...

Title: Re: Cert continuation
Post by: lynxus on June 15, 2011, 01:28:44 AM
Yeah, that's correct, the router can't do either service.

I'd recommend Red Hat / Fedora. But whatever you're most comfortable with..

I'd also suggest the following software:

BIND for DNS.
Qmail or Exim ( probably Exim ) for email.

If you understand the above software then you're more than good for any job ( as the majority of people in Linux will use this software )
Title: Re: Cert continuation
Post by: johnpoz on June 15, 2011, 09:37:24 AM
As mentioned, any Linux distro could do your DNS or email.. But if you're more familiar with Windows then sure, you could use that as well.

BIND runs on Windows just fine - so you could use that as DNS.  Or if you have Windows Server then yeah, you could use Windows DNS.  Not really a fan, BIND is a much better option IMHO.  But it works and could get you past the tests.

As to email server, a free one you could use on windows to just get past the test is http://www.hmailserver.com/
Title: Re: Cert continuation
Post by: Quill on June 16, 2011, 02:45:10 AM
You could also use Apache James (http://james.apache.org/) as a mail server for Windows. Very simple to set-up.
Title: Re: Cert continuation
Post by: UltraZero on June 16, 2011, 12:20:59 PM
Thanks much for the info.

I haven't done DNS since the early 90s when BIND was in versions 4.x, I think. I actually was able to recover some copies of my old configs.  (Could not believe my floppy diskettes were readable from back then.)

Anyway.  My problem now is this.

Can someone tell me how many files are generally used for a Simple DNS config for what we are doing with IPv6?? 

I, being Rip Van Winkle, have found things have changed.
I was going to run an older version of Red Hat, but the software seems to have security issues.  So, I blew the Red Hat box away and installed Ubuntu 11.04.  This version of Linux at least seems to be running a more current version of BIND and Sendmail.  BIND installed no problem and I think Sendmail did as well.  (No GUI, X Windows, but was able to install it.)

Now that at least the machine is online and with IPv4 and IPv6 addresses on it, I need to start the configuration of BIND.

I am trying to figure out if BIND 9.x has basically 2 files or 3.

I think there is still a named file and at least 1 .db file.

Please let me know or if anyone has some examples, I would appreciate it.

I don't want a direct answer as I don't mind having to figure it out, but, I would not mind some guidance in the right direction.

Thanks much..
Title: Re: Cert continuation
Post by: pcreager on June 16, 2011, 09:25:53 PM
At the very minimum, BIND needs just two files: named.conf and a zone file for your domain.  

When I installed BIND 9.7.1-P2 on Ubuntu, the build gave me 4 conf files (main file + 3 include files) plus 4 or 5 sample db files (zone files).  You don't have to use any of the extras if you don't want to.
Title: Re: Cert continuation
Post by: mikesampson on June 17, 2011, 12:12:29 AM
I have used BIND and PowerDNS in the past; however, I recently set up DNS for my local LAN and went with Unbound. A single <30 line config handled everything, including IPv4/6 LAN clients and forwarding Google requests to HE's whitelisted name servers.
Title: Re: Cert continuation
Post by: UltraZero on June 17, 2011, 12:24:42 PM
WOW...

HOLY CRAP BATMAN......

sorry for shouting.  I hope I didn't hurt your ear drums.
I already have created 17 config files and that is just the IPv4 side.
I knew some day having way too many segments would bite me in the butt.

Tell me there is a better way to consolidate reverse zone files.
And is there a way to consolidate IPv4 and IPv6 in BIND 9???

This would be nice.  Maybe in the long run, it's easier to read when each segment is
broken down per file..
Title: Re: Cert continuation
Post by: johnpoz on June 17, 2011, 01:54:11 PM
You clearly do not need to set up all your segments to pass the IPv6 cert tests.  I'm at a loss as to what you're trying to accomplish?  You only need to set up DNS for 1 domain and your IPv6 segment if you want to pass your cert tests.

This would be your conf file, and 2 zone files.

Are you moving your whole network's DNS to BIND to pass some cert tests here on HE?

BTW -- I did not have to do anything on my local dns to get through the tests.  I just created a subdomain on my webhosts dns (which does dns for my public domains) and pointed the NS records to HE dns.  This is all that is required, you can then create your AAAA records and PTRs on their servers.

You actually have no need to actually run your own on your own network.
Title: Re: Cert continuation
Post by: UltraZero on June 17, 2011, 05:17:39 PM
Well, I guess since this is a test (practice) I understand what you are saying, but, I kinda feel in the real world, the He.net type setup might not be there and knowing both sides makes me a more rounded person.  Even if I don't actually finish it this way, at least I have some knowledge of dealing with it. 

As to what I need to setup??  My network is a practice lab.  So, screwing it up is always an option (Except when my wife wants to use her computer and I have totally isolated her to a local segment)
(LOL)   ;D ;D or when a heavy gaming session is going on..  LOL

Most people have 1 segment which is why I think most people are able to finish the test rapidly.  No subnets to worry about, no additional routes, less ACLs to worry about and not routing protocols.   I have all that in place as well.

Re what I am doing.  I am only setting up a few segments.

Something the average bear will never experience is I actually caught a person with an IP address (from China) trying to hack into my router.  Bonehead was actually trying to run a dictionary brute force attack on my router.  My passwords are longer than normal.  He's not going to get in anytime soon.  This happened when I was changing the configs on the router so I didn't have an ACL up at the time.  Most people at home won't get to experience that.  Not to mention, I had another person try to crash my webserver from Russia. I blocked the whole IP range.  (based on the IP addresses)

Anyway...  back to the task at hand.

Is there a way to consolidate the reverse address zone files so as to consolidate the IPv4 and IPv6 segments?

Thanks
Title: Re: Cert continuation
Post by: UltraZero on June 17, 2011, 05:50:57 PM
O.K.  After thinking about this. 

Lets ask this question.

Need I create a full DNS meaning,  and I think this is what you were saying.

Instead of me creating an IPv4 and IPv6 configs, maybe I should just create an IPv6 only.

Is that what you were basically saying about trying to chop a tree down with the blunt side of the axe??  Why keep beating at it when a chain saw or dynamite is available??

LOL... ;D ;D
Title: Re: Cert continuation
Post by: kamratanders on June 17, 2011, 07:33:42 PM
You don't need to separate them. Just make sure your zonefile has an AAAA record for IPv6.

In bind:
$ORIGIN example.com.
test           IN A IPv4-Address here
               IN AAAA  IPv6-Address here
Title: Re: Cert continuation
Post by: johnpoz on June 17, 2011, 07:54:47 PM
Ok I am even more confused now, you have 17 segments on your home/lab network?  WTF???

And hey, if you want to get into BIND for your local DNS, more power to you. I run it as a secondary server on my local network as well.. But I have been using the Unbound package on pfSense for a while because it pretty much rocks, if he would just finish the IPv6 portion of it so I don't have to edit the unbound.inc file ;)

Are you going to be using your /48 to route multiple /64's on your network?  If so great - more power to you, I just don't see the need to play with that, ie I think 1 /64 has enough addresses to do me ;)  Could prob give every atom of paint in my computer room its own IP with a /64 ;) hehehe

As to your hacking experiences?  Again, not getting it, sorry; my SSH gets brute-force attempts multiple times a day..  It's noise you see on the net..  That's why you set up public key auth only, and set up fail2ban.  And yeah, all kinds of worms will hit any webserver, again just noise!

As to consolidation..  Um, not sure I am understanding your ?, if you have a 192.168.1.0/24 it would need its own zone file.   If you have 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 etc.. you could put them all in the zone file for 192.168.0.0/16 if you wanted.  But you're not going to be able to combine IPv4 and IPv6 zones, no.
Title: Re: Cert continuation
Post by: UltraZero on June 18, 2011, 12:20:37 PM
17 segments??  Well... There are a few..

After thinking about it, I am only going to setup 2 or 3.  Just wanted to work with more than 1.  I figure if I want to do them all, I can perform that later.

Multiple /64s.  Yes.  I actually wish the distribution of IPv6 numbers were a lot fewer numbers for nodes.  I feel with the amount of wasted numbers that are being given out, we will at some point see the same problem as with IPv4, and that is we will run out of numbers.  Yes.  I know the 340 undecillion is a crazy large number, but with millions of IP addresses given out at a shot to some person like me who wants to play, it's crazy.  A million here, a billion there.  It all adds up.   Anyway.. (theory of mine)

I don't claim any glory for being hacked.  I also know companies get hacked all the time. I just don't think the average home user has it happen to them because the average user has 1 segment, a couple of PCs, and each workstation has firewall software and a hardware firewall.  Most ISPs don't allow ftp/http/smtp to occur.   I was an admin many years ago and I never saw this.  I was pretty much a server guy with Novell, Windows NT 3.5 and Windows NT 4.0.  No hackers tried to get into our network as per the NOC I talked to on a daily basis.   Funny though, I had more processing power back then, more backup capacity, and a faster network than the 2 billion dollar company I worked for.  Go figure.  I used to run a Bulletin Board with a bunch of workstations.  That's how I got into it.  I used to own a 100 user license of Novell to support my Bulletin Board.  (OK> ) Don't get me started...

LOL..

Consolidation.   I was referring to consolidating zone information in a .db file.  Can I consolidate segments (example) 10.10.0.0 with 10.10.40.0 with 10.10.100.0 in one zone file and not have to break the segments out per zone file?  I have only seen sample files and read the BIND 9 docs which reference 1 segment.  (I don't like docs that don't give examples of real world situations, always a single sided example and not a company's example.)

As for the IPv6 zone information, is it not possible to insert an A record for a nameserver and underneath that line insert an AAAA record for the same system without having to create a separate AAAA zone record?

If not, I take it that also means I need a separate reverse zone file to boot..

Thanks
Title: Re: Cert continuation
Post by: UltraZero on June 18, 2011, 12:33:19 PM
Did I see 2 posts..

One person said I can combine them and one person said I can't???

thanks


Johnpoz - If  you think I am crazy, go onto Youtube and type in home data center..

It's amazing what some folks have in their homes.  

I don't have anything near what some folks have.   I've talked to a person who has 30 servers in his home.  He had to install a new service panel to bring in more cooling capacity.   I've known people who used to have T1s in their house.

You would be amazed   :o at what people have in their homes in the San Jose hills.  I used to work at a computer store in San Jose and I've had customers like Compaq executives and corporate executives who lived in the San Jose hills.  They don't play when it comes to having a connection to the net.  Our little DSL or cable modems can't compare to a person sitting on a T3 at home.   I wish I could afford it.  I'd certainly have one.  Heck, I'd have an OC192 if I could pay for it.  ::)  (1/2 a million dollars per month to have..  Could I use it??)

Hmm.  I'd have one heck of a website and one heck of a game server farm..  I think I'd have to create a mini co-location in my house to help pay for it.   LOL...  If I had it, HE could hook me up..

;D ;D  LOL...
Title: Re: Cert continuation
Post by: pcreager on June 18, 2011, 01:22:20 PM
I'm not clear what you're talking about, but the term "network segment" just means a section of a LAN.  What does that have to do with DNS?  It sounds like your concern is the reverse zones; you mentioned you're using 10.x RFC 1918 space.  Reverse DNS for IPv4 goes by classful addressing.  The 10.x RFC 1918 space is a class A (10.0.0.0/8). 

If that's not enough of a clue, since the address space you are using is class A, the answer is: Yes you can do all of the 10.x network using just one single reverse zone.
Title: Re: Cert continuation
Post by: johnpoz on June 18, 2011, 02:26:04 PM
^ exactly..

As to your IPv6 reverse working, does HE allow you to point to your own dns for the /64 they give you?  Or do you have to use theirs - when I did the test I just used their dns.

"As for the IPv6 zone information, It is not possible to insert A record for a nameserver and
underneath that line insert an AAAA record for the same system without having to create a seperate
AAAA zone record?"

what IPv6 zone??  The only time there would be an IPv6 zone is for reverse zone.  Forward zones would be based on the name, and have NOTHING to do with IPv6, other then maybe your AAAA record if you want to look at it that way.

Yes if you want a A record and AAAA record you would need to create both records in the zone file for your domain.
Title: Re: Cert continuation
Post by: UltraZero on June 18, 2011, 05:30:29 PM
Re segments, sorry, maybe the term subnet is a better word.  Also, I used IPv4 because I wanted to see if those who worked with IPv4 DNS could answer whether the two, IPv4 and IPv6, could coexist in the same config files (zone files and config files).  Looks like in a generic installation of BIND 9 under Ubuntu 11.04, there is an entry for IPv6 in the named.conf.local file for reverse lookup.  IPv4 is also in the same location.  That is why I was asking..

From what I was told when I emailed HE.net, the task was to create one's own DNS server and not use theirs.  Theirs is there to use, but they would prefer you to use your own, which is what I am trying to do.

I figured if I had to set this up with a company that didn't have HE.net, I would have more of a hands on experience seeing I have not set up DNS since the early 90s.  You know, back when there were 2 internets?  (most people don't know that)  Funny enough, I have the DNS and BIND book which is revision 1, which doesn't discuss IPv6.
Title: Re: Cert continuation
Post by: pcreager on June 18, 2011, 06:05:51 PM
For reverse DNS, no you cannot combine IPv4 and IPv6.  The address formats are completely different, which you learn by going through this program.  An IPv4 reverse zone is separate from an IPv6 reverse zone.

For forward DNS, yes you can combine IPv4 and IPv6.  One forward zone can have both A and AAAA records, no problem.  Hope that helps.
Title: Re: Cert continuation
Post by: pcreager on June 18, 2011, 06:09:02 PM
Here's an example from my own domain.  I have one zone file for my forward zone (pcv6.net), and it contains the following records:

pcv6.net.      IN   A         75.51.146.71
pcv6.net.      IN   AAAA   2001:470:1F04:1AF2::2

Title: Re: Cert continuation
Post by: johnpoz on June 18, 2011, 10:55:26 PM
Yeah, I just looked on my tunnel, and yup, you can delegate rDNS for your tunnel network.  But to be honest it does not matter which DNS answers it.. Even if you use HE DNS, you still have to go in and create the zone, and the records.

The tests are not meant to test your DNS setup skills; the test is to verify that you understand the principles and know how to accomplish what is required.

If you're doing IPv6 with some other company, then they would have to delegate the reverse zones to you, or enter in the records you need; normally the end user does not have control of the reverse zone.  This is normally handled by the ISP.  HE giving you the ability to delegate to your own DNS is great, and also allowing you to use their DNS is also great!!

But the test is more in testing your ability to understand the principles and make it happen; it does not matter if you serve it up on your own DNS, or some other service.. You could just as easily delegate the zone to dnsmadeeasy.  I run a reverse zone for a public /16 using them, I get 10 million requests a month for $60 a year -- there is no way I could run my own servers for anywhere close to that cost ;)

It's great you set up DNS back in the 90s; it hasn't changed much ;)  an A record is still an A record, a PTR record is still a PTR record.. Sure, AAAA are new, but that's about it ;)
Title: Re: Cert continuation
Post by: UltraZero on June 19, 2011, 01:29:14 PM
Exactly what I thought you could do. 

Now..

Can this be done..

pcv6.net.      IN   A         75.51.146.71/24
pcv12.net.     IN   A         75.71.100.100/24               ;numbers are just made up
pcv6.net.      IN   AAAA   2001:470:1F04:1AF2::2
pcv12.net.     IN   AAAA   2001:470:1f04:1AC2::64      ;numbers are just made up

The question is that the two different IPv4 and IPv6 numbers are on different segments (subnets) and I was wondering if having different subnets affects the outcome of what is placed in a zone file, or do you need to break the zone files down by subnets.

Example:  a company has 200 different networks.  Would there need to be 200 different zone files, or can all info be placed in 1 file for ease of management?  (IPv4 and IPv6)

Thanks
Title: Re: Cert continuation
Post by: UltraZero on June 19, 2011, 01:46:27 PM
Johnpoz - I forgot it.. That's the problem.

Looks familiar, but, looks are deceiving.

I agree.  the DNS part (other than understanding the entries) is not part of what we are here for.

I guess since I have been out of this industry, I tend to want to act like a sponge and try to learn all aspects of a task in order to get my skills back to current.  I'm sure many folks have done this over and over and I think that's cool. I wish i were in that position. 

So as far as what I gather..

In the zone file, combinations of IPv4 and IPv6 are OK.
In a reverse zone, IPv4 and IPv6 are kept in separate files.    Yes??
Title: Re: Cert continuation
Post by: pcreager on June 19, 2011, 08:35:59 PM
Quote from: UltraZero on June 19, 2011, 01:29:14 PM
Can this be done..
pcv6.net.      IN   A         75.51.146.71/24
pcv12.net.     IN   A         75.71.100.100/24               ;numbers are just made up
pcv6.net.      IN   AAAA   2001:470:1F04:1AF2::2
pcv12.net.     IN   AAAA   2001:470:1f04:1AC2::64      ;numbers are just made up
No, but not for the reason you think.  You seem to be hung up on segments - a forward zone file can have any number of IPv4 and IPv6 address spaces.  But a zone file containing records for a different domain will do nothing; it will ignore those extraneous entries.

So you can have this:
pcv6.net.      IN   A         75.51.146.71
pcv6.net.      IN   A         75.71.100.100
pcv6.net.      IN   AAAA   2001:470:1f04:1AF2::2
pcv6.net.      IN   AAAA   2607:f388:2:6000:ee:d2:e6:c0     

But you can't have this:
pcv6.net.      IN   A         75.51.146.71
pcv7.net.      IN   A         75.71.100.100
pcv8.net.      IN   AAAA   2001:470:1f04:1AF2::2
pcv12.net.      IN   AAAA   2607:f388:2:6000:ee:d2:e6:c0
Title: Re: Cert continuation
Post by: UltraZero on June 20, 2011, 11:37:33 AM
So.   You can have different IP/ipv6 addresses referenced by  the same zone, but,  you can not have
different zones referencing different IP addresses??

Title: Re: Cert continuation
Post by: pcreager on June 20, 2011, 12:17:07 PM
Not quite - the addresses have nothing to do with it.

If my zone is xyz.com, then the only records I can have in the zone file for xyz.com are xyz.com records.

abc.xyz.com - good
abc.notmydomain.com - not good

This is straight DNS.  Since you have that O'Reilly book, check Chapter 2.    ;)
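The two rules pcreager states above, that one forward zone carries both A and AAAA records but only for names under its own apex, and that IPv4 and IPv6 reverse zones are always separate files, can be checked mechanically. This is an added example, not code from the thread or from BIND; the zone name, the 10.10.x.0 subnets and the 2001:db8::/32 addresses are constructed sample data.

```python
"""Forward vs. reverse zone layout for mixed IPv4/IPv6 records (constructed example)."""
import ipaddress
from collections import defaultdict

# Constructed sample: hosts on three RFC 1918 subnets, matching IPv6
# documentation-prefix addresses, and one name that belongs to another zone.
ZONE = "example.com"
SAMPLE_RECORDS = [
    ("ns1.example.com", "10.10.0.5"),
    ("ns1.example.com", "2001:db8:1::5"),
    ("test.example.com", "10.10.40.5"),
    ("test.example.com", "2001:db8:1:40::5"),
    ("mail.example.com", "10.10.100.5"),
    ("mail.example.com", "2001:db8:1:100::5"),
    ("www.notmydomain.com", "192.0.2.10"),   # not under example.com
]


def in_zone(owner, zone):
    """True if the owner name is the zone apex or lies below it."""
    o, z = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return o == z or o.endswith("." + z)


def build_forward_zone(zone, records):
    """One forward zone holds both A and AAAA records for any number of
    subnets; names outside the zone are reported rather than silently ignored."""
    lines = [f"$ORIGIN {zone}."]
    rejected = []
    for owner, addr in records:
        if not in_zone(owner, zone):
            rejected.append((owner, addr))
            continue
        ip = ipaddress.ip_address(addr)
        rtype = "A" if ip.version == 4 else "AAAA"
        lines.append(f"{owner.rstrip('.')}.\tIN\t{rtype}\t{ip.compressed}")
    return lines, rejected


def reverse_zone_name(net):
    """Name of the in-addr.arpa / ip6.arpa zone covering `net`.
    IPv4 reverse zones cut on octet boundaries, IPv6 on nibble boundaries."""
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zone needs an octet-aligned prefix")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zone needs a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def build_reverse_zones(records, v4_prefix_len=8, v6_prefix_len=64):
    """Group PTR records by the reverse zone that would serve them.
    IPv4 and IPv6 never share a zone (in-addr.arpa vs ip6.arpa); a wide
    prefix such as 10/8 collapses several IPv4 subnets into one zone."""
    zones = defaultdict(list)
    for owner, addr in records:
        ip = ipaddress.ip_address(addr)
        plen = v4_prefix_len if ip.version == 4 else v6_prefix_len
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        zones[reverse_zone_name(net)].append(
            f"{ip.reverse_pointer}.\tIN\tPTR\t{owner.rstrip('.')}.")
    return dict(zones)


if __name__ == "__main__":
    fwd, bad = build_forward_zone(ZONE, SAMPLE_RECORDS)
    print("\n".join(fwd))
    print("; rejected (wrong zone):", bad)
    accepted = [r for r in SAMPLE_RECORDS if in_zone(r[0], ZONE)]
    for name, ptrs in build_reverse_zones(accepted).items():
        print(f"\n; zone {name}")
        print("\n".join(ptrs))
```

Running it prints one forward zone with six records, one 10.in-addr.arpa zone holding all three IPv4 PTRs, and three separate /64 ip6.arpa zones; passing v6_prefix_len=48 merges the IPv6 side into a single zone, while v4_prefix_len=24 splits the IPv4 side into one zone per subnet.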
Title: Re: Cert continuation
Post by: UltraZero on June 20, 2011, 06:49:34 PM
O.K.  Maybe I'm totally wording this all wrong...  I'm sorry.


I understand you, but I guess I'm not relaying what I mean back.

sorry.  

Hmm.  

Lets try again.

So you can have this:
pcv6.net.      IN   A         75.51.146.71
pcv6.net.      IN   A         75.71.100.100
pcv6.net.      IN   AAAA   2001:470:1f04:1AF2::2
pcv6.net.      IN   AAAA   2607:f388:2:6000:ee:d2:e6:c0    

Above all are in the same domain so all is good.

But you can't have this:
pcv6.net.      IN   A         75.51.146.71
pcv7.net.      IN   A         75.71.100.100
pcv8.net.      IN   AAAA   2001:470:1f04:1AF2::2
pcv12.net.      IN   AAAA   2607:f388:2:6000:ee:d2:e6:c0

Above.  Multiple domains and this won't work.  Need 4 different zones, correct??  IP/IPv6 addresses have nothing to do with this per se..

Title: Re: Cert continuation
Post by: UltraZero on June 20, 2011, 07:07:13 PM
quick question.

On the DNS website, there are three sections.

New domain - this is straightforward.

Slave - Error - "At least one master must resolve to a valid IPv4 address."  Any idea what the message means?

Reverse - haven't gotten to this yet.

I would appreciate your comments.
Title: Re: Cert continuation
Post by: johnpoz on June 20, 2011, 08:00:56 PM
Seems pretty straightforward to me: at least 1 nameserver for your domain needs to be reachable via IPv4.

What forward domain are you trying to use?  From a whois for this domain, what nameservers do they point to?  ns1.yourdomain.tld for example.. Does this NS have a normal A record, ie can you reach it via IPv4, or do you only have an AAAA for it, ie IPv6?

Title: Re: Cert continuation
Post by: UltraZero on June 22, 2011, 08:30:55 AM
Hi. 

All straightened out.  Too many service providers were in the mix. I had to consolidate my
internet providers.

Thought about it,  Had too many systems in the mix.

Made some changes/eliminations (made things simple)

Called HE to confirm, had a short conversation.  Thanks HE.

All is well.

Almost like scuba diving in Hawaii and being about 130 feet down.  Crystal clear all around, but looking for the right direction can totally be a mystery..

;D ;D
Title: Re: Cert continuation
Post by: chandro on June 23, 2011, 09:00:38 AM
pcreager

Scuba diving, I like it! I'm advanced :D
Title: Re: Cert continuation
Post by: UltraZero on June 23, 2011, 11:30:18 AM
I was at Black Rock one time trying to take a picture of the long eel.  There were so many people I couldn't get the shot.  So, I had the bright idea to invert myself over all the other people in order to get the shot of this long massive eel.  When I took the picture, I was actually head to head in between two other people.  Wish someone had taken the picture of us.  (LOL)

Never got to do any cave diving... I wish I could play in the world's deepest swimming pool..

Yesss We are talking about Scuba Certifications.

Still Certs right?????

LOL>.