ping or curl invalid domains redirects to local server on Linux - linux

When I try to ping or retrieve an invalid domain, I get redirected to the default domain on my local server.
Example:
Trying to ping www.invaliddomainnameexample.com from my server s1.mylocaldomain.com:
~: ping www.invaliddomainnameexample.com
PING www.invaliddomainnameexample.com.mylocaldomain.com (67.877.87.128) 56(84) bytes of data.
64 bytes from mylocaldomain.com (67.877.87.128): icmp_seq=1 ttl=64 time=0.040 ms
64 bytes from mylocaldomain.com (67.877.87.128): icmp_seq=2 ttl=64 time=0.039 ms
Or using curl:
~: curl -I www.invaliddomainnameexample.com
HTTP/1.1 301 Moved Permanently
Date: Mon, 26 Nov 2012 16:09:57 GMT
Content-Type: text/html
Content-Length: 223
Connection: keep-alive
Keep-Alive: timeout=10
Location: http://mylocaldomain.com/
My resolv.conf:
~: cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4

Could it be that your /etc/resolv.conf also contains a
search mylocaldomain.com
statement and there's a "*" DNS A RR for your domain?
Because then the search list is applied, the * record matches, and voilà!
Try ping www.invaliddomainnameexample.com. with a dot appended to mark the name as a FQDN, which prevents the search list from being applied.
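The search-list mechanism the answer describes, as an added example that is not part of the original post: a small simulation of how a glibc stub resolver turns a typed name into the ordered list of queries it actually sends. The resolv.conf text is constructed (the post's two nameservers plus the search line the answer suspects); ndots defaults to 1 as documented in resolv.conf(5). It shows that www.invaliddomainnameexample.com is first tried as typed, and only after that comes back NXDOMAIN is www.invaliddomainnameexample.com.mylocaldomain.com. tried, which is exactly the name a *.mylocaldomain.com A record answers; the trailing-dot form never reaches the search list at all.

```python
"""Added example (not from the post): simulate how a glibc stub resolver
applies the resolv.conf search list to a name typed by the user."""
import re

# Constructed resolv.conf: the two nameservers from the post plus the
# search line the answer suspects is present.
SAMPLE_RESOLV_CONF = """\
search mylocaldomain.com
nameserver 8.8.8.8
nameserver 8.8.4.4
"""


def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf contents."""
    search, ndots = [], 1                      # glibc defaults
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        key, *args = line.split()
        if key in ('search', 'domain'):        # mutually exclusive; last one wins
            search = args
        elif key == 'options':
            for opt in args:
                m = re.fullmatch(r'ndots:(\d+)', opt)
                if m:
                    ndots = min(int(m.group(1)), 15)   # glibc caps ndots at 15
    return search, ndots


def query_candidates(name, search, ndots=1):
    """Return the absolute names the resolver tries, in order; it stops at the
    first one that does not come back NXDOMAIN."""
    if name.endswith('.'):
        return [name]                          # explicit FQDN: no search list
    as_is = name + '.'
    suffixed = [f"{name}.{s.rstrip('.')}." for s in search]
    if name.count('.') >= ndots:
        return [as_is] + suffixed              # try as typed, then each suffix
    return suffixed + [as_is]                  # short name: suffixes first


if __name__ == '__main__':
    search, ndots = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for n in ('www.invaliddomainnameexample.com',
              'www.invaliddomainnameexample.com.', 's1'):
        print(n, '->', ' then '.join(query_candidates(n, search, ndots)))
```

Two practical notes. dig does not apply the search list unless given +search, so "dig works but ping and curl don't" is itself a strong hint that the search list is involved. And the combination of a wildcard A record with a search domain means every mistyped external name from a host inside that domain lands on the wildcard target with a foreign Host header, which is what the Nginx catch-all in the next answer is about.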

It looks like the only way to fix this is to disallow unknown hosts from being processed by the HTTP server, though I did that only for local IPs.
I use Nginx, so the config would be:
    # list of server and local IPs
    geo $local {
        default 0;
        34.56.23.0/21 1;
        127.0.0.1/32 1;
    }
    # Deny access to any other host
    server {
        listen 80 default_server;
        server_name _;
        if ( $local = 1 ) {
            return 405;
        }
        rewrite ^(.*) http://mylocaldomain.com$1 permanent;
    }

Related

Bind9 Response Policy Zone (RPZ) does not work on clients - Ignore: this is my first post and it is off topic, sorry

On my single DNS server, bind9 (version 9.11.5-P4-5.1), I have configured a Response Policy Zone (RPZ) to block certain domains. The IP of the DNS server is 192.168.1.5.
Now I will put the relevant parts of the configuration from the different files and commands:
On the server:
In /etc/bind/named.conf.options
    acl trusted {
        localhost;       # this server
        192.168.1.0/24;  # my net
    }
Also
// Only allows trusted client to use the service
allow-query { trusted; };
    forwarders {
        The IP of NS1 of ISP#1;
        The IP of NS2 of ISP#1;
        The IP of NS1 of ISP#2;
        The IP of NS2 of ISP#2;
        8.8.8.8;
        8.8.4.4;
        1.1.1.1;
    };
And also
// For Ad-Blocking/Blacklisting/Whitelisting
    response-policy {
        zone "rpz.blacklist";
        zone "office.local" policy passthru;
        zone "1.168.192.in-addr.arpa" policy passthru;
    };
In /etc/bind/named.conf.local
    zone "rpz.blacklist" {
        type master;
        file "/etc/bind/zones/rpz.blacklist.db";
        allow-query { trusted; };
        allow-transfer { localhost; };
    };
And finally in /etc/bind/zones/rpz.blacklist.db
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400
@ IN SOA localhost. root.localhost. (
        1        ; Serial
        604800   ; Refresh
        86400    ; Retry
        2419200  ; Expire
        86400 )  ; Negative Cache TTL
;
@ IN NS localhost.
;.:#====================#:.
; Blacklist Domains
;.:#====================#:.
ads2000.hw.net IN A 127.0.0.1
There are more domains but I leave one only for the example.
The commands [named-checkconf] and [named-checkconf "rpz.blacklist" /etc/bind/zones/rpz.blacklist.db] return OK, and the service starts successfully.
Now if I ping ads2000.hw.net from the same server, it works fine:
ping -c 5 ads2000.hw.net
PING ads2000.hw.net (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.037 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.037 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.201 ms
64 bytes from localhost (127.0.0.1): icmp_seq=5 ttl=64 time=0.034 ms
--- ads2000.hw.net ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 105ms
rtt min/avg/max/mdev = 0.034/0.069/0.201/0.066ms
Now if I do it from a Linux client, it does not:
ping -c 5 ads2000.hw.net
PING ads2000.hw.net (65.8.181.28) 56(84) bytes of data.
64 bytes from server-65-8-181-28.mia3.r.cloudfront.net (65.8.181.28): icmp_seq=1 ttl=246 time=131 ms
64 bytes from server-65-8-181-28.mia3.r.cloudfront.net (65.8.181.28): icmp_seq=2 ttl=246 time=131 ms
64 bytes from server-65-8-181-28.mia3.r.cloudfront.net (65.8.181.28): icmp_seq=3 ttl=246 time=131 ms
64 bytes from server-65-8-181-28.mia3.r.cloudfront.net (65.8.181.28): icmp_seq=4 ttl=246 time=131 ms
64 bytes from server-65-8-181-28.mia3.r.cloudfront.net (65.8.181.28): icmp_seq=5 ttl=246 time=131 ms
These are the DNS settings on that computer:
cat /etc/resolv.conf
## Generated by NetworkManager
domain office.local
search office.local
nameserver 192.168.1.5
nameserver 1.1.1.1
nameserver 8.8.8.8
Now if I do it from a Windows client, it does not work either:
ping ads2000.hw.net
Ping ads2000.hw.net [65.8.181.28] with 32 bytes of data:
Response from 65.8.181.28: bytes=32 time=131ms TTL=246
Response from 65.8.181.28: bytes=32 time=131ms TTL=246
Response from 65.8.181.28: bytes=32 time=131ms TTL=246
Response from 65.8.181.28: bytes=32 time=131ms TTL=246
Ping statistics for 65.8.181.28:
Packets: sent = 4, received = 4, lost = 0
(0% lost),
Approximate round trip times in milliseconds:
Minimum = 131ms, Maximum = 131ms, Average = 131ms
These are the DNS settings on that computer:
Ethernet Ethernet Adapter:
Specific DNS suffix for the connection. . : office.local
DNS servers. . . . . . . . . . . . . . : 192.168.1.5
1.1.1.1
8.8.8.8
If I remove the servers "1.1.1.1" and "8.8.8.8" from the clients, it works, but then I lose Internet access (I cannot resolve names from Internet domains from the clients).
What am I doing wrong?
I thank you in advance for your help.
PS: Sorry for my bad English.
Try:
sudo systemd-resolve --flush-caches
sudo systemctl restart systemd-resolved
In case it didn't help, please add the output of:
dig hw.net

unable to ping with hostname from same machine in linux

I set up 2 CentOS 7 machines (A & B) with hostnames and static IP addresses. I logged into machine A, then tried to ping the hostname of machine A; it pings. I logged into machine B, then tried to ping the hostname of machine B, but it does not ping. Not sure whether any configuration is missing.
Below is the output from machine A:
[rmdev01@inches-rmdev01 ~]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
<ip address> inches-rmdev01.aaitg.com
[rmdev01@inches-rmdev01 ~]$ cat /etc/hostname
inches-rmdev01
[rmdev01@inches-rmdev01 ~]$ ping inches-rmdev01
PING inches-rmdev01 (<ip address>) 56(84) bytes of data.
64 bytes from inches-rmdev01.aaitg.com (<ip address>): icmp_seq=1 ttl=64 time=0.034 ms
64 bytes from inches-rmdev01.aaitg.com (<ip address>): icmp_seq=2 ttl=64 time=0.082 ms
64 bytes from inches-rmdev01.aaitg.com (<ip address>): icmp_seq=3 ttl=64 time=0.050 ms
64 bytes from inches-rmdev01.aaitg.com (<ip address>): icmp_seq=4 ttl=64 time=0.050 ms
Below is the output from machine B:
[rmtest01@inches-rmtest01 ~]$ cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
<ip address> inches-rmtest01.aaitg.com
[rmtest01@inches-rmtest01 ~]$ cat /etc/hostname
inches-rmtest01
[rmtest01@inches-rmtest01 ~]$ ping inches-rmtest01
ping: unknown host inches-rmtest01
From machine A:
[rmdev01@inches-rmdev01 ~]$ hostname
inches-rmdev01
[rmdev01@inches-rmdev01 ~]$ hostname -f
inches-rmdev01
From machine B:
[rmtest01@inches-rmtest01 ~]$ hostname
inches-rmtest01
[rmtest01@inches-rmtest01 ~]$ hostname -f
inches-rmtest01.aaitg.com
You should modify /etc/hosts and add the short hostname to the last line, like this:
...
<ip address> inches-rmtest01.aaitg.com inches-rmtest01
Or you have to set the search domain to aaitg.com by modifying /etc/resolv.conf.

using grep to get IP and Port out of a banner

I have a list of banners which are in this format:
Hostname: []
IP: xxx.xxx.xxx.xxx
Port: xx
HTTP/1.0 301 Moved Permanently
Location: /login.html
Content-Type: text/html
Device-Access-Level: 255
Content-Length: 3066
Cache-Control: max-age=7200, must-revalidate
I have used the following grep statement to grab the IP:
grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"
What do I have to add to the statement in order to also grab the port (while still getting the IP)?
Thank you for the answers!
Why not use awk?
awk '/IP:/ {ip=$2} /Port:/ {print ip,$2}' file
When it finds a line with IP:, it stores the IP in the variable ip.
When it finds Port:, it prints the ip and the port number.
Example:
cat file
Hostname: []
IP: 163.248.1.20
Port: 843
HTTP/1.0 301 Moved Permanently
Location: /login.html
Content-Type: text/html
Device-Access-Level: 255
Content-Length: 3066
Cache-Control: max-age=7200, must-revalidat
awk '/IP:/ {ip=$2} /Port:/ {print ip,$2}' file
163.248.1.20 843
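The same extraction done as a small parser instead of a one-line regex, as an added example that is not from the question or the answer. It goes beyond the awk line in two ways: it handles several banners in one file (records are assumed to start at a Hostname: line, which the question's single sample does not confirm) and it validates what it finds, since the [0-9]{1,3} pattern in the question happily matches 300.1.2.3 and a Port: value over 65535. The banner text below is constructed from the format shown above.

```python
"""Added example (not from the post): parse 'Hostname / IP / Port / HTTP
headers' banner records into structured rows, validating IP and port."""
import ipaddress

# Constructed input: the record from the answer, one with an out-of-range
# octet (rejected), and one more valid device banner.
SAMPLE_BANNERS = """\
Hostname: []
IP: 163.248.1.20
Port: 843
HTTP/1.0 301 Moved Permanently
Location: /login.html
Content-Type: text/html
Device-Access-Level: 255
Content-Length: 3066
Cache-Control: max-age=7200, must-revalidate
Hostname: []
IP: 300.1.2.3
Port: 80
HTTP/1.0 200 OK
Content-Type: text/html
Hostname: cam.example
IP: 198.51.100.7
Port: 8080
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="device"
"""


def split_records(text):
    """Yield one banner (a list of lines) per block starting at 'Hostname:'."""
    block = []
    for line in text.splitlines():
        if line.startswith('Hostname:') and block:
            yield block
            block = []
        block.append(line)
    if block:
        yield block


def parse_banner(lines):
    """Return {hostname, ip, port, status, headers} or None if the record is invalid."""
    rec = {'hostname': None, 'ip': None, 'port': None, 'status': None, 'headers': {}}
    for line in lines:
        if line.startswith('Hostname:'):
            rec['hostname'] = line.split(':', 1)[1].strip()
        elif line.startswith('IP:'):
            value = line.split(':', 1)[1].strip()
            try:
                # Rejects 300.1.2.3, which the question's regex accepts; IPv6 is fine too.
                rec['ip'] = str(ipaddress.ip_address(value))
            except ValueError:
                return None
        elif line.startswith('Port:'):
            value = line.split(':', 1)[1].strip()
            if not value.isdigit() or not 1 <= int(value) <= 65535:
                return None
            rec['port'] = int(value)
        elif line.startswith('HTTP/'):
            rec['status'] = line.strip()          # response status line
        elif ':' in line:
            key, val = line.split(':', 1)         # any remaining header line
            rec['headers'][key.strip()] = val.strip()
    if rec['ip'] is None or rec['port'] is None:
        return None
    return rec


def extract_endpoints(text):
    """Return [(ip, port), ...] for every valid banner in the text."""
    out = []
    for lines in split_records(text):
        rec = parse_banner(lines)
        if rec is not None:
            out.append((rec['ip'], rec['port']))
    return out


if __name__ == '__main__':
    for ip, port in extract_endpoints(SAMPLE_BANNERS):
        print(ip, port)
```

Keeping the status line and headers around (rather than only ip and port) is what makes the output useful for triage later, for example selecting every device whose banner carries Device-Access-Level: 255.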

How to parse in linux sniffer results on the fly?

I want to sort and calculate how many files (3 types) clients downloaded from my server.
I installed tshark and ran the following command, which should capture GET requests:
./tshark 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -R'http.request.method == "GET"'
So the sniffer starts to work and every second I get a new row; here is a result:
0.000000 144.137.136.253 -> 192.168.4.7 HTTP GET /pids/QE13_593706_0.bin HTTP/1.1
8.330354 1.1.1.1 -> 2.2.2.2 HTTP GET /pids/QE13_302506_0.bin HTTP/1.1
17.231572 1.1.1.2 -> 2.2.2.2 HTTP GET /pids/QE13_382506_0.bin HTTP/1.0
18.906712 1.1.1.3 -> 2.2.2.2 HTTP GET /pids/QE13_182406_0.bin HTTP/1.1
19.485199 1.1.1.4 -> 2.2.2.2 HTTP GET /pids/QE13_302006_0.bin HTTP/1.1
21.618113 1.1.1.5 -> 2.2.2.2 HTTP GET /pids/QE13_312106_0.bin HTTP/1.1
30.951197 1.1.1.6 -> 2.2.2.2 HTTP GET /nginx_status HTTP/1.1
31.056364 1.1.1.7 -> 2.2.2.2 HTTP GET /nginx_status HTTP/1.1
37.578005 1.1.1.8 -> 2.2.2.2 HTTP GET /pids/QE13_332006_0.bin HTTP/1.1
40.132006 1.1.1.9 -> 2.2.2.2 HTTP GET /pids/PE_332006.bin HTTP/1.1
40.407742 1.1.2.1 -> 2.2.2.2 HTTP GET /pids/QE13_452906_0.bin HTTP/1.1
What do I need to do to store the result type and count, like /pids/*****.bin, in another file?
I'm not strong in Linux, but I'm sure it can be done with 1-3 rows of script.
Maybe with awk, but I don't know what the technique is to read the result of the sniffer.
Thank you,
Can't you just grep the log file of your web server?
Anyway, to extract the lines of captured HTTP traffic relating to your server files, just try:
./tshark 'tcp port 80 and \
(((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' \
-R'http.request.method == "GET"' | \
egrep "HTTP GET /pids/.*.bin"
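For the counting step the question actually asks about, an added example that is not from the question or the answer: it reads tshark's default one-line summary from stdin and tallies /pids/*.bin requests per client, per file and per file "type". The sample lines are the ones shown in the question. Grouping types by the prefix before the first underscore (QE13, PE) is an assumption, since the question does not say how its three types are named.

```python
"""Added example (not from the post): count /pids/*.bin downloads from
tshark's one-line 'time src -> dst HTTP GET /path HTTP/1.x' output."""
import re
import sys
from collections import Counter

# Sample input: the capture lines shown in the question.
SAMPLE_LINES = """\
0.000000 144.137.136.253 -> 192.168.4.7 HTTP GET /pids/QE13_593706_0.bin HTTP/1.1
8.330354 1.1.1.1 -> 2.2.2.2 HTTP GET /pids/QE13_302506_0.bin HTTP/1.1
17.231572 1.1.1.2 -> 2.2.2.2 HTTP GET /pids/QE13_382506_0.bin HTTP/1.0
18.906712 1.1.1.3 -> 2.2.2.2 HTTP GET /pids/QE13_182406_0.bin HTTP/1.1
19.485199 1.1.1.4 -> 2.2.2.2 HTTP GET /pids/QE13_302006_0.bin HTTP/1.1
21.618113 1.1.1.5 -> 2.2.2.2 HTTP GET /pids/QE13_312106_0.bin HTTP/1.1
30.951197 1.1.1.6 -> 2.2.2.2 HTTP GET /nginx_status HTTP/1.1
31.056364 1.1.1.7 -> 2.2.2.2 HTTP GET /nginx_status HTTP/1.1
37.578005 1.1.1.8 -> 2.2.2.2 HTTP GET /pids/QE13_332006_0.bin HTTP/1.1
40.132006 1.1.1.9 -> 2.2.2.2 HTTP GET /pids/PE_332006.bin HTTP/1.1
40.407742 1.1.2.1 -> 2.2.2.2 HTTP GET /pids/QE13_452906_0.bin HTTP/1.1
"""

LINE_RE = re.compile(
    r'^\s*(?P<ts>\d+\.\d+)\s+(?P<src>[0-9a-fA-F.:]+)\s+->\s+(?P<dst>[0-9a-fA-F.:]+)\s+'
    r'HTTP\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/(?P<ver>\d\.\d)\s*$')
# Only the downloads we care about; query strings and sub-directories are excluded.
PIDS_RE = re.compile(r'^/pids/(?P<name>[^/?]+\.bin)$')


def parse_line(line):
    """Return the fields of one tshark summary line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def file_type(name):
    """Assumption: the 'type' is the prefix before the first underscore (QE13, PE)."""
    return name.split('_', 1)[0]


def summarise(lines):
    """Return (per_client, per_file, per_type) Counters for /pids/*.bin GETs."""
    per_client, per_file, per_type = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'GET':
            continue
        m = PIDS_RE.match(rec['path'])
        if m is None:
            continue                      # e.g. /nginx_status probes are skipped
        name = m.group('name')
        per_client[rec['src']] += 1
        per_file[name] += 1
        per_type[file_type(name)] += 1
    return per_client, per_file, per_type


if __name__ == '__main__':
    # Usage: tshark ... | python3 count_downloads.py   (reads stdin line by line)
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES.splitlines()
    for title, counter in zip(('clients', 'files', 'types'), summarise(source)):
        print(f'== {title} ==')
        for key, n in counter.most_common():
            print(f'{n:6d}  {key}')
```

Two caveats on the capture side. On current tshark releases the -R read filter only works together with -2 (two-pass mode); -Y is the display filter to use for a live capture. And the default summary column layout is not a stable interface, so for anything long-lived ask tshark for exactly the columns the counter needs, e.g. -T fields -e ip.src -e http.request.uri, and adapt LINE_RE accordingly. As the answer notes, the web server's access log already records all of this without sniffing.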

My DNS works when I do a "dig @mynameserver hostname" but not when I do a "dig hostname"

My nameserver isn't working properly, and I can't figure out why.
When I do a 'whois cfconsulting.ca', it shows the correct nameservers, with ns1.signupsystems.com being the primary. If you do a "dig @ns1.signupsystems.com cfconsulting.ca" you get the right IP.
But if you just do an 'nslookup cfconsulting.ca', it fails.
I'm baffled.
You probably don't have the appropriate server in /etc/resolv.conf if you're using a UNIX (as opposed to a Windows) system. There are numerous ports of Dig to Windows; if using Windows please RTFM (or, if needed, UTSL) to see how they get their default servers.
You may wish to read the report:
http://www.dnsvalidation.com/reports/4d2458e07d79ee0c8b00000a
Your secondary nameserver (ns2.signupsystems.com) is not responding to DNS queries for the domain cfconsulting.ca. It may be a nameserver misconfiguration (check the zone configuration and ACLs) or a firewall issue (allow UDP packets to port 53):
[vitalie@silver ~]$ dig @ns2.signupsystems.com cfconsulting.ca
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> @ns2.signupsystems.com cfconsulting.ca
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
The nameserver itself seems to be online; ns2.signupsystems.com is responding to ping requests:
[vitalie@silver ~]$ ping -c 3 ns2.signupsystems.com
PING ns2.signupsystems.com (69.31.163.69) 56(84) bytes of data.
64 bytes from 69.31.163.69: icmp_seq=1 ttl=53 time=222 ms
64 bytes from 69.31.163.69: icmp_seq=2 ttl=53 time=218 ms
64 bytes from 69.31.163.69: icmp_seq=3 ttl=53 time=212 ms
--- ns2.signupsystems.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 212.463/217.812/222.049/4.028 ms
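Two of the posts above come down to the same check: ask each nameserver directly for one name and compare what comes back. In the RPZ question, every resolver a client lists (192.168.1.5, 1.1.1.1, 8.8.8.8) should be asked for ads2000.hw.net to see which of them hands out the unfiltered CloudFront address, since a client with more than one nameserver can and will get answers from any of them. In the dig question, each delegated nameserver should be asked for cfconsulting.ca to find the one that times out. The following is an added example serving both, not code from either post: a stdlib-only DNS client that builds the query packet by hand and decodes A records, rcodes, name compression and timeouts, which is all the check needs (no TCP fallback, no DNSSEC). The transport is injectable so the decoding can be exercised offline; the default sends one UDP datagram to port 53.

```python
"""Added example (not from either post): ask each nameserver directly for
one name and report what each returns. Stdlib only."""
import random
import socket
import struct

RCODES = {0: 'NOERROR', 1: 'FORMERR', 2: 'SERVFAIL', 3: 'NXDOMAIN', 5: 'REFUSED'}


def encode_name(name):
    """DNS wire encoding of a dotted name (trailing dot optional)."""
    out = b''
    for label in name.rstrip('.').split('.'):
        if not 0 < len(label) < 64:
            raise ValueError('bad label: %r' % label)
        out += bytes([len(label)]) + label.encode('ascii')
    return out + b'\x00'


def build_query(name, qid, rd=True):
    """A/IN query. rd=True for a recursive resolver, rd=False for an authoritative server."""
    header = struct.pack('!HHHHHH', qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack('!HH', 1, 1)


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack('!H', msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError('compression pointer loop')
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels) + '.', (off if end is None else end)


def parse_response(msg, expect_qid):
    """Return {'rcode': str, 'answers': [IPv4, ...]}; rejects a mismatched transaction id."""
    qid, flags, qd, an, _ns, _ar = struct.unpack('!HHHHHH', msg[:12])
    if qid != expect_qid:
        raise ValueError('transaction id mismatch')
    off = 12
    for _ in range(qd):                           # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                              # other record types are skipped
    return {'rcode': RCODES.get(flags & 0xF, str(flags & 0xF)), 'answers': answers}


def udp_send(server, packet, timeout=2.0):
    """Default transport: one UDP datagram to port 53; server may be an IP or a hostname."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recv(4096)


def check_servers(servers, name, expected=None, rd=True, send=udp_send):
    """Query every server for `name`. Returns {server: result}: rcode and answers,
    plus 'ok' when `expected` answers are given, or 'error' on timeout/garbage."""
    results = {}
    for server in servers:
        qid = random.randrange(1, 0xFFFF)
        try:
            reply = parse_response(send(server, build_query(name, qid, rd)), qid)
        except (OSError, ValueError) as exc:      # socket.timeout is an OSError
            results[server] = {'error': type(exc).__name__}
            continue
        if expected is not None:
            reply['ok'] = set(reply['answers']) == set(expected)
        results[server] = reply
    return results


if __name__ == '__main__':
    import sys
    # e.g. python3 dnscheck.py 192.168.1.5,1.1.1.1,8.8.8.8 ads2000.hw.net 127.0.0.1
    #      python3 dnscheck.py ns1.signupsystems.com,ns2.signupsystems.com cfconsulting.ca --auth
    servers, name = sys.argv[1].split(','), sys.argv[2]
    auth = '--auth' in sys.argv
    expected = [a for a in sys.argv[3:] if a != '--auth'] or None
    for server, res in check_servers(servers, name, expected, rd=not auth).items():
        print(server, res)
```

For the RPZ case the interesting output is any listed resolver whose result has ok: False: that is the server the client is free to fall back to (or, on Windows, to prefer after one slow answer), and the fix is to give clients only the filtering resolver and let it forward upstream, rather than listing public resolvers beside it. For the delegation case, an 'error': 'TimeoutError' entry for one NS with a clean answer from the other is the same symptom the dig output above shows, and points at port 53/UDP being blocked or the zone not being served on that host.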

Resources