bert hubert ahupowerdns

Get your own restricted shell!

$ grep restricted /etc/passwd
restricted:x:1001:1001:bert hubert,,,:/home/restricted:/home/ahu/git/secfilter/shwrap

$ cat shwrap
#!/bin/sh
/home/ahu/git/secfilter/secfilt --no-outbound-network=1 /bin/bash
ahupowerdns / gist:6595302
Last active December 23, 2015 06:39
powerdns repository idea
We often get requests for a PowerDNS package repository to ease updating. This is our idea on how we'll implement this.
There will be a repository that always gives you
1) auth and recursor from the tip of master or other branches ("scary-master", "scary-oneshot")
2) auth and recursor from 3.3.x, where we promise that updates within 3.3.x will never break ("auth-3.3, recursor-3.5")
3) auth and recursor "highest released version" ("auth-release", "recursor-release")
So to upgrade to a newer version, either:
1) just update and get whatever pain we want to inflict on you
2) update and get something that Should Just Work
1: blogspot.com
2: test.blogspot.com
3: blogspot.co.uk
Now we get a lookup for zzz.blogspot.com: is it on the list? A binary search ends up between entries 2 and 3, with no exact hit. So how do we decide whether zzz.blogspot.com is covered by the list?
Walk backwards until an entry matches? When do we stop?
This setup only works if we do 4 lookups, one each for zzz.blogspot.com., blogspot.com., com. and the root (.), which is exactly what we don't want.
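The suffix-matching problem above, as an added example that is not part of the gist: the per-label lookup the text wants to avoid, beside a trie keyed on reversed labels that answers in a single right-to-left walk. The blocklist entries and query names are constructed.

```python
# Suffix matching for a DNS blocklist (added example; names below are constructed).
# A sorted list plus binary search cannot answer "is some parent of qname listed?"
# without extra walking; a trie keyed on reversed labels answers in one pass.

def labels(name):
    """Split a DNS name into lowercase labels; a trailing dot is ignored."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]

def naive_check(blocklist, qname):
    """One hash lookup per level: zzz.blogspot.com, blogspot.com, com.
    Returns the first listed parent found, or None."""
    ls = labels(qname)
    for i in range(len(ls)):
        candidate = ".".join(ls[i:])
        if candidate in blocklist:
            return candidate
    return None

class SuffixSet:
    """Trie over reversed labels: root -> 'com' -> 'blogspot' -> ..."""
    END = None  # marker key: the path to this node is a listed suffix

    def __init__(self, names=()):
        self.root = {}
        for n in names:
            self.add(n)

    def add(self, name):
        node = self.root
        for l in reversed(labels(name)):
            node = node.setdefault(l, {})
        node[self.END] = ".".join(labels(name))

    def check(self, qname):
        """Walk qname's labels right to left once; return the most specific
        listed suffix covering qname (the name itself counts), or None."""
        node, best = self.root, None
        for l in reversed(labels(qname)):
            node = node.get(l)
            if node is None:
                break
            if self.END in node:
                best = node[self.END]
        return best
```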
adservers=newDS()
adservers:add(dofile("blocklist.lua"))  -- blocklist.lua returns a Lua table of domain names to block
function preresolve(dq)
  -- only act on A/AAAA queries for names at or under a listed suffix
  if(not adservers:check(dq.qname) or (dq.qtype ~= pdns.A and dq.qtype ~= pdns.AAAA)) then
    return false
  end
  -- synthesise a negative answer: an SOA in the authority section plus NXDOMAIN
  -- (the gist preview is cut off after the SOA content; the closing lines below are assumed)
  dq:addRecord(pdns.SOA,
    "fake."..dq.qname:toString().." fake."..dq.qname:toString().." 1 7200 900 1209600 86400",
    pdns.place.AUTHORITY)
  dq.rcode = pdns.NXDOMAIN
  return true
end
# generate filtercustomers.lua: a Lua table listing every 10.1.x.y .. 10.10.x.y address
# (bash, for the {a..b} brace expansion; a trailing comma is legal in a Lua table)
(echo return{;
for z in {1..10}
do for a in {1..255}
do for b in {1..255}
do echo \"10.$z.$a.$b\",
done ; done; done
echo } ) > filtercustomers.lua
addLocal("0.0.0.0")                 -- dnsdist listens on all addresses
newServer("192.168.5.123:5300")     -- backend recursor
addAction(AllRule(), MacAddrAction(65001))  -- tag every query with the client MAC in EDNS option 65001
-- using LuaAction, the MAC address could be hashed or truncated, for increased privacy
filter={}
filter["192.168.5.24"]={["b8:27:eb:0c:88:27"]=1, ["00:0d:b9:36:6f:79"]= 1}
filter["10.0.0.1"]={["06:31:25:7a:84:6b"]=1}
-- note that the filtering could be more than binary, but specify lots of categories
-- see https://i.imgur.com/wGwNHl7.png for inspiration
baddomains=newDS()
baddomains:add("xxx")   -- suffix set: matches every name under the xxx TLD
pi@raspberrypi ~ $ /sbin/ifconfig eth0 | head -1
eth0 Link encap:Ethernet HWaddr b8:27:eb:0c:88:27
pi@raspberrypi ~ $ dig www.ds9a.xxx @192.168.5.24 +short
blockingserver.powerdns.com.
ahu@ahucer:~$ /sbin/ifconfig eth0 | head -1
eth0 Link encap:Ethernet HWaddr 90:fb:e9:3b:61:dc
ahu@ahucer:~$ dig www.ds9a.xxx @192.168.5.24
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10412
# sqlite3 /etc/powerdns/powerdns.sqlite3 < /usr/share/doc/pdns-backend-sqlite3/schema.sqlite3.sql
# pdns.conf: a minimal master authoritative server on the sqlite3 backend
local-address=0.0.0.0
launch=gsqlite3
gsqlite3-database=/etc/powerdns/powerdns.sqlite3
master
daemon
guardian