DNS Spoofing with PowerDNS - dns

I want to modify the DNS query answer that PowerDNS returns by replacing the IP of the domain with the IP of a static page. I know the place to do this modification is in the startDoResolve function in pdns_recursor.cc. However I am having trouble figuring out where exactly the IP gets inserted into the response packet. Anyone having experience working with PowerDNS who can help me out with this?

It seems you are using PowerDNS Recursor.
The standard way of doing this is via the Lua extensions.
Depending on the criteria for when you want to spoof, you probably want to use one of the query interceptor functions specified in the Lua scripting documentation.
You may also be interested in the spoofing capabilities mentioned in the dnsdist Packet Policies documentation. For example: addAction(domain, SpoofAction({IP[,…]}))
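To make concrete where the address actually sits in the wire-format packet (the question asks where startDoResolve inserts it), here is an added Python example, not PowerDNS code and not the page's own: it walks a DNS response and overwrites the 4-byte RDATA of every A record owned by one name. This is, in effect, the operation the recursor's query interceptor functions perform for you when you return a spoofed answer from Lua. The sample response, names and addresses are constructed; the builder assumes a single-question response whose answer owner names are compression pointers back to the question, which is what real resolvers emit.

```python
from __future__ import annotations

import ipaddress
import struct


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # a 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _read_name(msg: bytes, off: int) -> str:
    """Decode a name, following compression pointers (RFC 1035 section 4.1.4)."""
    labels, hops = [], 0
    while True:
        length = msg[off]
        if length == 0:
            break
        if length & 0xC0 == 0xC0:
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii").lower())
        off += 1 + length
    return ".".join(labels) + "."


def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def _answers(msg: bytes):
    """Yield (owner, rtype, rclass, ttl, rdata_offset, rdlength) for each answer RR."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                                         # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4               # skip QNAME, QTYPE, QCLASS
    for _ in range(ancount):
        owner = _read_name(msg, off)
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        yield owner, rtype, rclass, ttl, off + 10, rdlen
        off += 10 + rdlen


def build_a_response(qname: str, ips: list[str], txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard (NOERROR, RA) response with one A RR per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    rrs = b"".join(
        struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
        for ip in ips                                                # 0xC00C -> pointer to QNAME at offset 12
    )
    return header + question + rrs


def spoof_a_records(response: bytes, target: str, spoof_ip: str) -> bytes:
    """Return a copy of `response` with every A RDATA owned by `target` replaced by `spoof_ip`."""
    target = target.rstrip(".").lower() + "."
    new_rdata = ipaddress.IPv4Address(spoof_ip).packed
    out = bytearray(response)
    for owner, rtype, rclass, _ttl, rdata_off, rdlen in _answers(response):
        if rtype == 1 and rclass == 1 and rdlen == 4 and owner == target:
            out[rdata_off:rdata_off + 4] = new_rdata   # the address lives only in these 4 bytes
    return bytes(out)


def answer_a_records(response: bytes) -> list[tuple[str, str]]:
    """List (owner, dotted-quad) for every A record in the answer section."""
    return [
        (owner, str(ipaddress.IPv4Address(response[o:o + n])))
        for owner, rtype, rclass, _ttl, o, n in _answers(response)
        if rtype == 1 and rclass == 1
    ]


if __name__ == "__main__":
    original = build_a_response("www.example.com", ["198.51.100.7", "198.51.100.8"])
    print(answer_a_records(spoof_a_records(original, "www.example.com", "192.0.2.10")))
```

Because only RDATA is touched, the packet length, header counts and compression pointers stay valid. Note that a DNSSEC-validating client will reject the rewritten answer, since the RRSIG no longer covers the new RDATA; this is exactly the case DNSSEC exists to catch, so expect breakage for signed zones.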

Related

Is it possible to make fail2ban ignore google?

I need to use fail2ban due to many attack attempts on my server; I also have filters that I had to activate/create to block attack attempts.
But now I'm pretty sure that some Google IPs end up in the jail of my fail2ban...
I added some IPs to the ignoreip directive in the jail.local file, but they are only the ones that I managed to identify as real Google IPs in my access.log (I also have many fake Googles).
It would be nice to be able to give fail2ban a list of IPs to ignore, but Google does not release its IP list; Google says: https://support.google.com/webmasters/answer/80553?hl=en
So the question is: is it possible to do a reverse DNS lookup to understand if an IP belongs to Google and tell fail2ban to ignore it?
Can it be done via fail2ban? Do you need an external script? Could it be too heavy, long and tiring for the server?
Yes, you can identify Google bots using a reverse IP lookup.
All crawler bots will end with xxxxxx.google.com or xxxxxxx.googlebot.com,
e.g. crawl-203-208-60-1.googlebot.com.
But it is not possible to identify them in fail2ban; you can whitelist the IP address once you know it is a Googlebot.
There are many ways to perform a reverse IP lookup.
You can use Python, Ruby or bash to find out. Check the following article:
http://searchsignals.com/tutorials/reverse-dns-lookup/
There are websites that can do a reverse IP lookup for you:
https://dnschecker.org/reverse-dns.php
http://reverseip.domaintools.com/
If you can code in Python, you can easily dump reverse IP data to a file from a list of IP addresses.
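A reverse lookup on its own is not enough: anyone who controls the reverse zone for their own address space can publish a PTR that ends in googlebot.com. The check has to be forward-confirmed, i.e. resolve the PTR hostname back and require that the original IP is among its addresses. The following is an added Python example of that check, not the page's or fail2ban's code, with the resolver functions injectable so it can run against the constructed tables at the bottom (which use documentation address ranges) instead of live DNS. The crawler suffix list and the ignoreip rendering are assumptions.

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable

# Hostname suffixes for Google's crawlers, as the answer above describes (assumption: this list is complete).
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")

ReverseLookup = Callable[[str], str]              # ip -> PTR hostname, raises OSError if none
ForwardLookup = Callable[[str], Iterable[str]]    # hostname -> addresses, raises OSError if none


def system_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def system_forward(hostname: str) -> list[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_verified_googlebot(ip: str, reverse: ReverseLookup = system_reverse,
                          forward: ForwardLookup = system_forward) -> bool:
    """Forward-confirmed reverse DNS: the PTR must be under a crawler domain AND resolve back to `ip`."""
    addr = ipaddress.ip_address(ip)               # ValueError on junk pulled from a log line
    try:
        hostname = reverse(str(addr)).rstrip(".").lower()
    except OSError:
        return False                              # no PTR at all
    if not hostname.endswith(CRAWLER_SUFFIXES):
        return False
    try:
        forward_addrs = {ipaddress.ip_address(a) for a in forward(hostname)}
    except OSError:
        return False
    # Anyone can set a PTR on their own space; only the real owner can make the forward lookup match.
    return addr in forward_addrs


def verified_crawlers(candidate_ips: Iterable[str], reverse: ReverseLookup = system_reverse,
                      forward: ForwardLookup = system_forward) -> list[str]:
    """Filter candidate IPs (e.g. extracted from access.log) down to the ones that pass the check."""
    passed = []
    for ip in candidate_ips:
        try:
            if is_verified_googlebot(ip, reverse, forward):
                passed.append(ip)
        except ValueError:
            continue                              # not an IP address; skip it
    return passed


def ignoreip_line(ips: Iterable[str], always: tuple[str, ...] = ("127.0.0.1/8",)) -> str:
    """Render a fail2ban `ignoreip =` directive for jail.local."""
    return "ignoreip = " + " ".join(list(always) + list(ips))


# Constructed lookup tables standing in for real DNS (documentation ranges, not real Google addresses).
FAKE_PTR = {
    "192.0.2.1": "crawl-192-0-2-1.googlebot.com.",     # genuine: the forward lookup confirms it
    "203.0.113.5": "crawl-192-0-2-1.googlebot.com.",   # forged PTR: the forward lookup does not
    "198.51.100.9": "host.example.net.",               # ordinary host, not a crawler
}
FAKE_FORWARD = {
    "crawl-192-0-2-1.googlebot.com": ["192.0.2.1"],
    "host.example.net": ["198.51.100.9"],
}


def fake_reverse(ip: str) -> str:
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise socket.herror(1, "Unknown host") from None


def fake_forward(hostname: str) -> list[str]:
    try:
        return FAKE_FORWARD[hostname]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known") from None


if __name__ == "__main__":
    good = verified_crawlers(["192.0.2.1", "203.0.113.5", "198.51.100.9"], fake_reverse, fake_forward)
    print(ignoreip_line(good))
```

Run the verification offline on the IPs fail2ban has already banned (or on the access.log candidates) rather than inline in a filter, and feed the result into ignoreip or an unban; two DNS lookups per banned address is cheap, but doing them on every log line is not.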
Google does have a page about verifying Googlebot addresses by doing a reverse lookup on the IP address and verifying that it comes from a specific hostname (you'd then get the IP of that host, to double-check it comes back to the appropriate source IP).
There are also DNS TXT records that specify IP ranges for SPF (email), Google Compute Cloud, and the wider set of Google IP addresses (many of which would be in use by GCP users' VMs and other services).
dig @8.8.8.8 +short TXT _spf.google.com
dig @8.8.8.8 +short TXT _cloud-netblocks.google.com
dig @8.8.8.8 +short TXT _cloud-netblocks.googleusercontent.com
The first query will return something like this:
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
And you would then parse it to get the IP address ranges, or do a sub-query on the include:_netblocks.google.com etc to get other sets.
The information in these records is not fixed, and can change regularly. (AWS publishes a JSON file with several updates per week, for example.)
I'm working on a system to automatically detect 'lying user-agents', with these, and some other techniques.
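Parsing the SPF chain the answer above describes means following each include: term recursively and collecting the ip4:/ip6: networks. Here is an added Python example of that expansion, not the page's code: the TXT lookup is injected, so the constructed table below (the record names are the ones quoted above, but their contents are made up with documentation ranges) stands in for dig, and the include-loop guard and the RFC 7208 limit of 10 lookups keep a broken or hostile record from sending the script into a loop.

```python
from __future__ import annotations

import ipaddress
from typing import Callable, Iterable

TxtLookup = Callable[[str], Iterable[str]]   # name -> TXT strings as dig +short prints them (quoted)

MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4: at most 10 include/redirect/a/mx/ptr/exists lookups


def _spf_record(name: str, txt_lookup: TxtLookup) -> str | None:
    """Return the one TXT string at `name` that starts with v=spf1, ignoring unrelated TXT data."""
    for txt in txt_lookup(name):
        value = txt.strip().strip('"')
        if value.lower().startswith("v=spf1"):
            return value
    return None


def expand_spf(name: str, txt_lookup: TxtLookup, _state: dict | None = None) -> list:
    """Recursively expand include:/redirect= terms into the ip4:/ip6: networks they reference."""
    state = _state if _state is not None else {"seen": set(), "lookups": 0}
    name = name.rstrip(".").lower()
    if name in state["seen"]:
        return []                                  # include loop: already expanded
    state["seen"].add(name)
    record = _spf_record(name, txt_lookup)
    if record is None:
        raise ValueError(f"no SPF record at {name}")
    networks = []
    for term in record.split()[1:]:                # skip the v=spf1 version tag
        term = term.lstrip("+")                    # '+' (pass) is the default qualifier
        if term.startswith(("ip4:", "ip6:")):
            networks.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith(("include:", "redirect=")):
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                raise ValueError("SPF lookup limit exceeded; record is invalid")
            networks.extend(expand_spf(term.split(":", 1)[-1].split("=", 1)[-1], txt_lookup, state))
        # a / mx / ptr / exists terms and the final ~all / -all carry no literal ranges: skipped here.
    return networks


def ip_in_networks(ip: str, networks: Iterable) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)


# Constructed TXT data in dig +short form; the names come from the answer above, the contents do not.
FAKE_TXT = {
    "_spf.google.com": ['"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"'],
    "_netblocks.google.com": ['"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all"'],
    "_netblocks2.google.com": ['"v=spf1 ip6:2001:db8::/32 ~all"', '"some unrelated TXT string"'],
    "_loop.example": ['"v=spf1 include:_loop.example ip4:203.0.113.0/24 -all"'],
}


def fake_txt_lookup(name: str) -> list[str]:
    return FAKE_TXT.get(name.rstrip(".").lower(), [])


if __name__ == "__main__":
    nets = expand_spf("_spf.google.com", fake_txt_lookup)
    print([str(n) for n in nets], ip_in_networks("192.0.2.77", nets))
```

Two cautions before pasting the result into ignoreip: the ranges change, so regenerate them on a schedule rather than once, and, as the answer notes, the cloud netblocks are shared with arbitrary GCP tenants, so whitelisting them wholesale exempts anyone renting a VM there. For the crawler case the forward-confirmed reverse lookup is the narrower check.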

Hiding IP (SRV record?)

I am using AMP (McMyAdmin3) as the control panel for my Minecraft servers, and the servers are located at a secret address, except my BungeeCord (a proxy so multiple Minecraft servers can be connected), of course. Now I am trying to have a control panel for my admins, but I want them not to see the IP.
I was thinking of an SRV record, but I am not sure if this even CAN work or HOW it even works.
(Well I have an idea of how it works but I don't know if I am correct)
So I have pointed my domain 'manage.mydomain.com' to the IP I want, I put cloudflare protection on it, so if they resolve the IP, they cannot see the real IP. However, with this done they cannot type in the URL bar 'manage.mydomain.com:[port]' because cloudflare does not allow you to do that, because of the protection. So I tried setting up an SRV record like this:
_mcmyadmin._tcp.manage POINTS TO SRV 0 0 [port] manage.mydomain.com
I have waited for 2 days now, and it still does not work, so I am sure that is not the case.
Is there any way to make this work? Or is it not even possible with domain stuff :p
Or is there another way to fix this?
Kind regards,
Runefist
DNS is the public phone book of the internet. Its purpose is to take a domain name and map it to an IP Address. It is simply not possible to put anything in DNS and keep it secret.
When you put an address into your browser the first thing it does is find out the IP address associated with it.
In order to use a SRV record the application that uses it needs to be written to use them. Unless you are writing the frontend yourself, there are very few applications that will use SRV records. You can't just put data in there and expect it to be used.
If your intention here is to provide extra security to your servers, this isn't going to do you a lot of good. If you look at your server logs you are already being probed just by being online. The addition of a domain name won't do much to change that.
You will be far better off understanding and hardening the security of your server than hiding it and hoping that nobody finds it, because it is almost guaranteed that they will if they have the inclination to do so.
Minecraft SRV records are _minecraft._tcp; you can't change the service name or the client won't be able to resolve it.
That being said, Michael B is right, what you're doing is implementing security by obscurity (which, as we all know, is no security). Instead, you should be using iptables to block all IPs except for the bungee from being able to reach the backend.

Block Google Analytics during local testing for static site development without IP ranges (especially on Mobile devices)

I've searched around on SO, and found a few questions that ask about this, but most of the answers that I've come across all seem to suggest either filtering via IP range or introducing conditional code to the engine powering the site; neither of these options is viable for me. If this does turn out to be a duplicate where there is an answer that fits my use case, then I apologize in advance, but I just can't seem to find anything.
My original method of filtering myself out from Google Analytics was to simply redirect requests to google-analytics.com and the https version of GA to localhost in my hosts file. This works just fine on my desktop, but it is useless when testing on mobile devices like an iPhone (unless somebody knows how to finagle the iPhone's hosts file without jailbreaking).
My setup for local testing is to use pow with .dev domains for the local project directories, and then when I need to see the development version of sites on mobile devices I use Xip.io in conjunction with Adobe Shadow.
I can't filter by IP range because I frequently work from home, and my ISP doesn't provide static addresses for residential accounts.
I tried to set up a Custom exclude filter in my Google Analytics profile to filter out traffic originating from these domains, but they either don't work or I have a really bad misunderstanding of how the Exclude filters work (which is entirely possible). I have Custom Filters set up to Exclude based on the Hostname, matching the patterns \.dev and .*xip\.io/.* but these filters do absolutely nothing. I believe this is because this filter is, technically, looking for the hostname of the originating domain and not the hostname being requested, but I'm really not sure because the language is vague and differs depending on which help document you're looking at.
Short of manually removing the GA tracking codes from the site during local dev then going back and adding them back in, does anybody have any suggestions or can anybody tell me what I'm doing wrong with my Exclude filters?
I've been using a variation on the analytics tracking code to prevent page views from being tracked on our staging server -- something like:
if (!/\.dev|xip\.io/.test(window.location.hostname)) _gaq.push(['_trackPageview']);
Alternatively, you could apply this to the _setAccount call. If you do this and look at the tracking requests, the web property ID shows up as 'UA-XXXXX-X'.
You could rely on
window['ga-disable-UA-XXXXXX-Y'] = true;
where UA-XXXXXX-Y is the account ID. (details here).
For example, create a page or webserver directive that sets a cookie (a page reserved for developers to be excluded from GA), and in your code that loads GA:
if (hasDeveloperCookie()) {
window['ga-disable-UA-XXXXXX-Y'] = true;
}

Subdomains and DNS

I currently have my own domain name and dedicated server and I offer different packages to my clients. What I want to be able to do is have them sign up with my website and create a package automatically that they can access via their username as a subdomain e.g.
http://yourusername.mywebsite.com
I currently have DNS entries set up for various subdomains with real information for my website e.g.
Name Type IP Address
# A 1.2.3.4
bugs A 1.2.3.4
support A 1.2.3.4
However, if a new customer signs up at the moment I have to go and manually create an entry for them with their username in it.
I'm sure I've seen websites that manage to do this automatically, does anyone have any ideas how, or any other methods that I should be using?
Thanks,
Mark
Since you apparently do not control the name servers, your choices are quite limited. One possibility is to use a wildcard DNS record:
* A 192.0.2.1
where the star will match every name. Not ideal (nonexistent domains will also appear).
The details depend on which DNS server you're using.
One approach is to have some code that opens the DNS zone file and adds the desired records. On Linux with BIND, you will then need to signal the server to get it to re-read the zone file.
With Simple DNS Plus, you can easily add such a DNS record through the included HTTP API. For example:
http://127.0.0.1:8053/updatehost?host=yourusername.mywebsite.com&data=1.2.3.4
Since you apparently do not control the name servers, your choices are quite limited. Nevertheless, every serious DNS hoster provides you with an API (see for instance Slicehost's API). So you may use this API and write a small program to update the DNS data.
(Footnote: handling paying customers when you do not even control the name servers seems... bad.)

Dynamically add subdomains?

I was wondering if it's possible to dynamically add subdomains that point to dynamic IP addresses, and how I would go about doing that? In other words, "how is dyndns/no-ip implemented" :-)? (The part I don't get is adding/changing the DNS entries... I understand how the client sends a packet every few minutes -___-). I can tell all my users to just use DynDNS/No-IP, of course, but having it integrated with the application would be much cooler.
Thanks,
Robert
To be able to directly update/control where a domain/subdomain resolves to, you must have your own name server. When you register a domain under a TLD (for example, .com), that TLD has a nameserver. Anytime a client needs to look up the IP to something.com, they ask the .com nameserver where to find the nameserver for something. That nameserver in turn returns data about the domain or subdomain.
When you register a domain at a place like GoDaddy or Network Solutions, and you use their online tools to point your various subdomains to IP addresses, you are creating entries on their nameserver. When a client requests your domain, the root nameserver tells them to check with GoDaddy's nameserver. If you look through the configuration options of your registrar, you'll generally find a place to specify your own nameserver instead of entering domain IPs. Setting that will tell the chain of nameservers to defer resolution of your subdomains to that nameserver. Obviously at that point, having direct control over the mechanism of name-address resolution, you can do whatever you like.
Here's one list of open-source name servers. There are many others, ranging from free OSS to custom, proprietary and very expensive. Technically you could also write your own, as BIND is a public, standard format.
As you've partially said, the way DynDNS and other dynamic IP services work is that they update their server's DNS records based on a heartbeat from a client every few minutes.
The trick is that they use extremely short TTL times so that caches for the record expire very quickly and need to re-query the DynDNS server (which makes dynamic IP changes propagate quickly).
If you wanted to implement this, either find a DNS host that offers an API, or programmatically update the DNS on your own server with a short TTL.
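Both the per-customer subdomain question above and this DynDNS question come down to the same mechanism: a program that writes records into a zone you control and bumps the SOA serial so the server picks up the change. The following is an added Python example of that core, not any hoster's API and not the page's code. It validates the sign-up name as a DNS label (so a customer cannot register `www` or `support` and shadow the site's existing records, and a name with odd characters cannot corrupt the zone file), gives each dynamic record a short TTL, requires a per-record secret on heartbeat updates so one customer cannot repoint another's name, and renders a BIND-style zone file. The origin, name-server names, reserved-label list, SOA timers and the 60-second TTL are assumptions.

```python
from __future__ import annotations

import hmac
import ipaddress
import re
import secrets
from dataclasses import dataclass, field

# RFC 1123 hostname label: 1-63 chars of letters, digits and hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# Labels customers must not take: the site's own names from the question plus common infrastructure names (assumption).
RESERVED_LABELS = {"www", "bugs", "support", "mail", "ns1", "ns2", "admin", "api"}


@dataclass
class DynamicRecord:
    label: str
    address: str
    secret: str          # per-record update token handed to the client once at sign-up
    ttl: int


@dataclass
class DynamicZone:
    origin: str                                   # e.g. "mywebsite.com."
    primary_ns: str                               # e.g. "ns1.mywebsite.com."
    hostmaster: str                               # e.g. "hostmaster.mywebsite.com."
    static_records: dict[str, str] = field(default_factory=dict)   # label -> IPv4 for fixed hosts
    serial: int = 1
    default_ttl: int = 3600
    dynamic_ttl: int = 60                         # short, so a changed address stops being cached quickly
    records: dict[str, DynamicRecord] = field(default_factory=dict)

    @staticmethod
    def validate_label(username: str) -> str:
        label = username.strip().lower()
        if not LABEL_RE.fullmatch(label):
            raise ValueError(f"invalid label: {username!r}")
        if label in RESERVED_LABELS:
            raise ValueError(f"reserved label: {label}")
        return label

    def register(self, username: str, ip: str) -> DynamicRecord:
        """Create <username>.<origin> pointing at `ip`; returns the record including its update secret."""
        label = self.validate_label(username)
        if label in self.records or label in self.static_records:
            raise ValueError(f"label already taken: {label}")
        addr = str(ipaddress.IPv4Address(ip))
        rec = DynamicRecord(label, addr, secrets.token_urlsafe(24), self.dynamic_ttl)
        self.records[label] = rec
        self.serial += 1
        return rec

    def heartbeat(self, label: str, secret: str, ip: str) -> bool:
        """Client check-in. Returns True if the address changed (zone needs reloading)."""
        rec = self.records.get(label)
        if rec is None or not hmac.compare_digest(rec.secret, secret):
            raise PermissionError("unknown label or bad secret")
        addr = str(ipaddress.IPv4Address(ip))
        if addr == rec.address:
            return False                          # unchanged: no serial bump, no reload
        rec.address = addr
        self.serial += 1
        return True

    def zone_file(self) -> str:
        """Render the zone in BIND master-file syntax; write it out and reload when it changes."""
        lines = [
            f"$ORIGIN {self.origin}",
            f"$TTL {self.default_ttl}",
            f"@ IN SOA {self.primary_ns} {self.hostmaster} ( {self.serial} 3600 900 604800 {self.dynamic_ttl} )",
            f"@ IN NS {self.primary_ns}",
        ]
        for label, ip in sorted(self.static_records.items()):
            lines.append(f"{label} IN A {ip}")
        for label, rec in sorted(self.records.items()):
            lines.append(f"{label} {rec.ttl} IN A {rec.address}")
        return "\n".join(lines) + "\n"


if __name__ == "__main__":
    zone = DynamicZone("mywebsite.com.", "ns1.mywebsite.com.", "hostmaster.mywebsite.com.",
                       {"www": "1.2.3.4", "bugs": "1.2.3.4", "support": "1.2.3.4"})
    rec = zone.register("Alice", "203.0.113.10")          # constructed sign-up
    zone.heartbeat(rec.label, rec.secret, "203.0.113.11")  # constructed client check-in from a new address
    print(zone.zone_file())
```

The serial only moves when something actually changed, which keeps secondaries from transferring on every heartbeat; a client that checks in every few minutes with the same address costs nothing beyond the secret comparison. If the name server is remote, replace zone_file() with the hoster's API call but keep the validation and the secret check in front of it.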

Resources