An AS112 Setup with Linux Ubuntu Server and NSD
In this page we describe an AS112 server setup with Linux Ubuntu Server, the NSD name server daemon and the Quagga routing software.
To install the Ubuntu system you will need the following:
- The Ubuntu 6.06 LTS Server installation CD, available here: http://www.ubuntu.com/download
- One of these supported architectures: Intel x86, AMD64, UltraSPARC T1 and PowerPC
- An internet connection
Recommended minimum requirements for the server edition: 64 megabytes of RAM and 500 megabytes of hard drive space. Note that Ubuntu 6.06 LTS is the release this page was written for; it has long since reached end of life and receives no security updates, so a new node should be built on a currently supported release.
At the first step of the installation, the installer checks the installation CD and your hardware and configures the network via DHCP if a DHCP server is present on the network. Then you have to partition your hard disk: select the drive, create the partitions and write the changes to disk. In particular, our AS112 instance has the following layout:
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2       1.8G  192M  1.5G  12% /
/dev/sda1        89M   23M   61M  28% /boot
/dev/sdb2        15G  1.4G   13G  10% /data
/dev/sda7       2.1G  124M  1.9G   7% /home
/dev/sda6       897M   19M  831M   3% /tmp
/dev/sda3       4.6G  408M  4.0G  10% /usr
/dev/sda5       7.4G  366M  6.7G   6% /var
After the installer finishes, reboot the system.
After the installation you have to configure the base system and install the AS112 components.
Install an SSH server. Ubuntu Server does not install OpenSSH by default. Run the command:
noc@as112:~$ sudo apt-get install ssh openssh-server
Since this host will be reachable from the whole Internet, restrict SSH access to your management hosts and prefer key-based authentication over passwords.
Configure the anycast addresses as aliases of the public interface by editing /etc/network/interfaces. Once configured, the interfaces look like this:
eth0      Link encap:Ethernet  HWaddr 00:D0:A8:00:65:68
          inet addr:[address]  Bcast:[broadcast]  Mask:[mask]
          inet6 addr: fe80::2d0:a8ff:fe00:6568/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:533742372 errors:0 dropped:0 overruns:0 frame:0
          TX packets:464584645 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1129765850 (1.0 GiB)  TX bytes:2127926434 (1.9 GiB)

eth0:0    Link encap:Ethernet  HWaddr 00:D0:A8:00:65:68
          inet addr:184.108.40.206  Bcast:220.127.116.11  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:1    Link encap:Ethernet  HWaddr 00:D0:A8:00:65:68
          inet addr:18.104.22.168  Bcast:22.214.171.124  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:2    Link encap:Ethernet  HWaddr 00:D0:A8:00:65:68
          inet addr:126.96.36.199  Bcast:188.8.131.52  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
Now you have to configure the firewall. Ubuntu installs iptables by default. An example ruleset (as shown by iptables -L) is below: it accepts DNS over UDP and TCP from anywhere, as an anycast service must, lets the BGP sessions (tcp/179) through to Quagga, accepts replies to established connections and rejects everything else. Restricting the BGP rule to the addresses of your peers is advisable.
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain flags:FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bgp flags:FIN,SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
Now you have to install the Quagga routing suite, the NSD DNS server and the Apache web server used to publish statistics. Run:
noc@as112:~$ sudo apt-get install quagga nsd apache
The base system installation and configuration is now complete. See the next sections for configuring the Quagga routing suite and NSD.
Routing daemon (Quagga) setup
Information about the Quagga routing suite can be found on the Quagga project website.
Quagga is made of several daemons. The fundamental one is zebra, which updates the kernel routing table with the routes learned by the protocol-specific daemons; Quagga supports RIP, OSPF and BGP via the ripd, ospfd and bgpd daemons.
In order to run our AS112 instance, we just need zebra and bgpd daemons.
Zebra configuration is straightforward; we just need to configure our public interface. Make sure the daemons' vty ports (2601 for zebra, 2605 for bgpd) are reachable only from localhost and protected by a password; the iptables policy above already rejects them from the outside.
!
log file /var/log/quagga/zebra.log
log stdout
log record-priority
service password-encryption
!
interface eth0
 ip address [your ip address here]
!
The BGP process can be easily configured by specifying the network we're serving (i.e. the AS112 anycast prefix, 184.108.40.206/24) and some simple route maps:
hostname as112
log file /var/log/quagga/bgpd.log
!
router bgp 112
 bgp router-id 220.127.116.11
 network 18.104.22.168/24
 neighbor transit-peers peer-group
 neighbor transit-peers route-map AS112_OUT out
 neighbor [a_neighbour_here] remote-as [a_remote_as_here]
 neighbor [a_neighbour_here] peer-group transit-peers
 neighbor [another_neighbour_here] remote-as [another_remote_as_here]
 neighbor [another_neighbour_here] peer-group transit-peers
!
ip prefix-list as112 seq 5 permit 22.214.171.124/24
ip prefix-list as112 seq 10 deny 0.0.0.0/0 le 32
!
ip as-path access-list AS112 permit ^$
!
route-map AS112_OUT permit 10
 match ip address prefix-list as112
 match as-path AS112
!
In this case we defined a peer-group (transit-peers) in order to apply the same routing policy to all peers belonging to that group. The outbound route-map AS112_OUT only lets the AS112 /24 through, and only when its AS path is empty (as-path ^$), i.e. when this node originated it; anything learned from one peer is therefore never re-announced to another, so the node cannot become transit for its peers.
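To make the export policy concrete, here is an added example (not code from the page, from Quagga or from the AS112 project) that evaluates the AS112_OUT route-map, its prefix-list and its as-path access-list with Quagga's matching rules against a few constructed candidate routes. It uses the real AS112 anycast prefix 192.175.48.0/24 from RFC 6304 in place of the page's placeholder, and the documentation ASNs 64496 and 64497 for the peers; the candidate routes are invented for the illustration.

```python
import ipaddress
import re

# Added example, not part of the page or of Quagga. It evaluates the page's
# AS112_OUT policy (prefix-list + as-path access-list) against candidate routes.
# 192.175.48.0/24 is the AS112 anycast prefix (RFC 6304); the peer ASNs below are
# documentation ASNs chosen for this example.

# Mirrors:  ip prefix-list as112 seq 5 permit 192.175.48.0/24
#           ip prefix-list as112 seq 10 deny 0.0.0.0/0 le 32
PREFIX_LIST_AS112 = [
    ("permit", "192.175.48.0/24", None, None),   # (action, prefix, ge, le)
    ("deny",   "0.0.0.0/0",       None, 32),
]

# Mirrors:  ip as-path access-list AS112 permit ^$
AS_PATH_LIST_AS112 = [("permit", r"^$")]


def prefix_entry_matches(entry, prefix):
    """One prefix-list entry with Quagga semantics: without ge/le the prefix must
    match exactly (same network, same length); 'le N' widens the length up to N."""
    _, net, ge, le = entry
    net = ipaddress.ip_network(net)
    if not prefix.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    if le is not None:
        high = le
    else:
        high = prefix.max_prefixlen if ge is not None else net.prefixlen
    return low <= prefix.prefixlen <= high


def prefix_list_permits(plist, prefix):
    """Entries are tried in sequence order, first match wins; an exhausted list
    is an implicit deny."""
    prefix = ipaddress.ip_network(prefix)
    for entry in plist:
        if prefix_entry_matches(entry, prefix):
            return entry[0] == "permit"
    return False


def as_path_list_permits(aslist, as_path):
    """Quagga matches the regex against the AS path rendered as a string, so
    '^$' matches only a locally originated route (empty path)."""
    rendered = " ".join(str(asn) for asn in as_path)
    for action, regex in aslist:
        if re.search(regex, rendered):
            return action == "permit"
    return False


def as112_out_permits(prefix, as_path):
    """route-map AS112_OUT permit 10: both match clauses must succeed."""
    return (prefix_list_permits(PREFIX_LIST_AS112, prefix)
            and as_path_list_permits(AS_PATH_LIST_AS112, as_path))


# Constructed candidate routes: (prefix, AS path as seen in this router's table).
CANDIDATE_ROUTES = [
    ("192.175.48.0/24", []),             # our AS112 prefix, locally originated
    ("192.175.48.0/24", [64496]),        # same prefix heard from a peer's AS112 node
    ("192.175.48.0/25", []),             # a more specific, not the allocated /24
    ("10.0.0.0/8", [64496, 64497]),      # a transit route learned from a peer
]


def exported_routes(routes=CANDIDATE_ROUTES):
    """Return the prefixes AS112_OUT would announce to the transit-peers group."""
    return [p for p, path in routes if as112_out_permits(p, path)]


if __name__ == "__main__":
    for p, path in CANDIDATE_ROUTES:
        print(f"{p:18} path={path!s:16} export={as112_out_permits(p, path)}")
```

Only the locally originated /24 passes: the same prefix heard from another AS112 node carries a non-empty AS path and fails ^$, the /25 fails the exact-length prefix match and falls through to the deny entry, and a route learned from one peer is never exported to the other.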
Name server (NSD) setup
NSD is an authoritative-only, high-performance, simple and open source name server developed by NLnet Labs. Source tarballs can be downloaded from the NSD website.
NSD is straightforward to use and its configuration is quite simple. NSD 3 pre-compiles all zones into a single binary database file that is loaded into memory at startup, which gives fast response times; the flip side is that whenever you add or change a zone you must recompile the database and restart the server (nsdc rebuild followed by nsdc restart), or NSD keeps serving the old data.
Compiling and installing
We begin by extracting the sources to a directory:
noc@as112:~/download$ tar xvfz nsd-3.0.6.tar.gz
Running an AS112 server needs no particular configure option, so we can just run:
noc@as112:~/download$ cd nsd-3.0.6; ./configure; make; sudo make install
Before extracting, verify the tarball against the checksum or PGP signature published next to it on the download site: this binary will answer queries from the whole Internet. Note also that a source build with the default prefix installs its configuration under /usr/local/etc/nsd, whereas the Ubuntu nsd package installed earlier uses /etc/nsd; pass --sysconfdir=/etc to ./configure, or keep only one of the two installs, so that a single nsd.conf is in use.
Configuring the server
NSD's configuration resides in /etc/nsd/nsd.conf (the path used by the Ubuntu package; a source build with the default prefix reads /usr/local/etc/nsd/nsd.conf instead). Let's look at some important parameters:
server:
	# uncomment to specify specific interfaces to bind (default all).
	ip-address: 126.96.36.199
	ip-address: 188.8.131.52
	ip-address: 184.108.40.206

	# enable debug mode for nsd, does not fork daemon process.
	# (debug mode disables slave zone functionalities)
	# debug-mode: no

	# listen only on IPv4 connections
	ip4-only: yes

	# listen only on IPv6 connections
	# ip6-only: no

	# the database to use
	database: "/path/to/nsd/nsd.db"

	# identify the server (CH TXT ID.SERVER entry).
	identity: "your_server_identity"

	# log messages to file. Default to stderr and syslog.
	logfile: "/path/to/nsd/log/nsd.log"

	# Number of NSD servers to fork.
	server-count: 1

	# Maximum number of concurrent TCP connections per server.
	# tcp-count: 10

	# File to store pid for nsd in.
	pidfile: "/path/to/nsd/nsd.pid"

	# port to answer queries on. default is 53.
	# port: 53

	# statistics are produced every number of seconds.
	# statistics: 3600

	# Run NSD in a chroot-jail.
	# make sure to have pidfile and database reachable from there.
	chroot: "/path/to/nsd"

	# After binding socket, drop user privileges.
	# can be a username, id or id.gid.
	username: nsd

	# The directory for zonefile: files.
	zonesdir: "/path/to/nsd/zones"

	# The file where incoming zone transfers are stored.
	# run nsd-patch to update zone files, then you can safely delete it.
	difffile: "/path/to/nsd/ixfr.db"

	# The file where secondary zone refresh and expire timeouts are kept.
	# If you delete this file, all secondary zones are forced to be
	# 'refreshing' (as if nsd got a notify).
	xfrdfile: "/path/to/nsd/xfrd.state"

	# Number of seconds between reloads triggered by xfrd.
	# xfrd-reload-timeout: 10

	# Verbosity level.
	# verbosity: 0
It is very important to list each and every IP address your server should bind to (the configuration above shows the three AS112 anycast addresses). Otherwise NSD binds to all interfaces, and its replies may leave with the interface's unicast address as source instead of the anycast address the query was sent to; resolvers discard a reply whose source does not match the server they queried, so the node silently stops working for those clients.
You can choose to run NSD in a chroot jail (the chroot: option above). In that case make sure every file named in the configuration (database, pidfile, logfile, zonesdir, difffile and xfrdfile) is reachable from inside the jail, and that username: drops privileges to an unprivileged account once the sockets are bound.
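The source-address problem is easy to reproduce without a second machine. The following added example (not code from the page or from NSD) runs a tiny one-shot UDP echo server on the loopback interface, once bound to 0.0.0.0 as an NSD without ip-address: lines would be and once bound to the specific address, and reports which source address the reply comes from. It assumes Linux, where all of 127.0.0.0/8 is local, so 127.0.0.2 stands in for an anycast address and 127.0.0.1 for the host's unicast address.

```python
import socket
import threading

# Added example, not part of the page or of NSD. It reproduces, on the loopback
# interface, the failure mode of a name server bound to all addresses.
# Assumptions: Linux, where the whole 127.0.0.0/8 is local, so 127.0.0.2 can play
# the anycast address while 127.0.0.1 plays the host's ordinary unicast address.
ANYCAST = "127.0.0.2"
TIMEOUT = 1.0


def _one_shot_echo(bind_addr):
    """Bind a UDP socket to bind_addr on an ephemeral port and echo a single
    datagram from a background thread. Returns (socket, port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((bind_addr, 0))
    srv.settimeout(TIMEOUT)

    def serve():
        try:
            data, peer = srv.recvfrom(512)
            srv.sendto(data, peer)      # the kernel chooses the source address
        except socket.timeout:
            pass

    t = threading.Thread(target=serve)
    t.start()
    return srv, srv.getsockname()[1], t


def reply_source(bind_addr):
    """Query the echo server at ANYCAST and return the address the reply came
    from. Bound to 0.0.0.0 the reply is sourced from the interface's primary
    address (127.0.0.1 here), not from ANYCAST."""
    srv, port, t = _one_shot_echo(bind_addr)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(TIMEOUT)
    try:
        cli.sendto(b"query", (ANYCAST, port))
        _, (src, _) = cli.recvfrom(512)
        return src
    finally:
        t.join()
        cli.close()
        srv.close()


def resolver_accepts_reply(bind_addr):
    """Same exchange, but the client behaves like a resolver: it connect()s to
    ANYCAST, so the kernel drops datagrams arriving from any other address, just
    as a resolver discards a reply whose source is not the server it queried.
    Returns True if a reply got through before the timeout."""
    srv, port, t = _one_shot_echo(bind_addr)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(TIMEOUT)
    cli.connect((ANYCAST, port))
    try:
        cli.send(b"query")
        cli.recv(512)
        return True
    except socket.timeout:
        return False
    finally:
        t.join()
        cli.close()
        srv.close()


if __name__ == "__main__":
    for bind_addr in ("0.0.0.0", ANYCAST):
        print(f"bound to {bind_addr:9} reply from {reply_source(bind_addr):9} "
              f"resolver accepts it: {resolver_accepts_reply(bind_addr)}")
```

With dig against a misconfigured node you see the same symptom as ";; reply from unexpected source: <unicast>#53, expected <anycast>#53" followed by a timeout; resolver_accepts_reply shows the reply being discarded the same way, while binding to the specific address makes it arrive from the address that was queried.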
The next step is to tell NSD which zones to serve and where to find the zone data:
zone:
	name: "localhost"
	zonefile: "localhost.zone"
zone:
	name: "0.0.127.in-addr.arpa"
	zonefile: "0.0.127.zone"
zone:
	name: "10.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "16.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "17.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "18.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "19.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "20.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "21.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "22.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "23.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "24.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "25.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "26.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "27.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "28.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "29.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "30.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "31.172.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "168.192.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "254.169.in-addr.arpa"
	zonefile: "RFC-1918.zone"
zone:
	name: "hostname.as112.net"
	zonefile: "hostname.as112.net.zone"
We use the same zone file for each RFC 1918 range and for the 169.254.0.0/16 link-local range, one zone file for hostname.as112.net, and two for the localhost and 0.0.127.in-addr.arpa zones.
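Typing twenty nearly identical stanzas by hand invites omissions (a zone: with no zonefile:, or one of the sixteen 172.16/12 zones left out), and NSD has no idea which zones an AS112 node is supposed to serve. The following added example (not part of the page or of NSD) generates the complete set of AS112 zone stanzas from the zone list in RFC 6304 and checks an existing nsd.conf for zones that are absent or lack a zone file. The sample configuration inside it is constructed for the illustration and deliberately incomplete; the localhost zones the page also serves are optional extras and are not checked.

```python
import re

# Added example, not part of the page or of NSD. It generates the AS112 zone
# stanzas for nsd.conf and checks an existing nsd.conf for gaps. The zone set is
# the one in RFC 6304: the RFC 1918 reverse zones, the 169.254/16 link-local
# reverse zone and hostname.as112.net.
REVERSE_ZONES = (
    ["10.in-addr.arpa"]
    + [f"{octet}.172.in-addr.arpa" for octet in range(16, 32)]
    + ["168.192.in-addr.arpa", "254.169.in-addr.arpa"]
)
AS112_ZONES = REVERSE_ZONES + ["hostname.as112.net"]


def generate_zone_stanzas(reverse_zonefile="RFC-1918.zone",
                          hostname_zonefile="hostname.as112.net.zone"):
    """Emit one zone: stanza per AS112 zone, all reverse zones sharing one file."""
    stanzas = [f'zone:\n\tname: "{z}"\n\tzonefile: "{reverse_zonefile}"'
               for z in REVERSE_ZONES]
    stanzas.append(f'zone:\n\tname: "hostname.as112.net"\n'
                   f'\tzonefile: "{hostname_zonefile}"')
    return "\n".join(stanzas) + "\n"


# 'key: value', 'key: "value"' or a bare 'key:' that opens a new stanza.
_KEY_VALUE = re.compile(r'^([\w-]+):\s*"?([^"]*?)"?\s*$')


def parse_zones(conf_text):
    """Return {zone name: zonefile or None} for every zone: stanza in nsd.conf
    text. Comments are stripped; a zone with no zonefile: line maps to None."""
    zones, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if value == "":                  # 'zone:' or 'server:' starts a stanza
            current = None
        elif key == "name":
            current = value
            zones.setdefault(current, None)
        elif key == "zonefile" and current is not None:
            zones[current] = value
    return zones


def check_as112_config(conf_text):
    """List what an AS112 node's nsd.conf is missing, in RFC 6304 order."""
    zones = parse_zones(conf_text)
    problems = []
    for z in AS112_ZONES:
        if z not in zones:
            problems.append(f"missing zone {z}")
        elif zones[z] is None:
            problems.append(f"zone {z} has no zonefile")
    return problems


# Constructed sample in the page's layout: 22.172 lacks its zonefile line and
# most of the 172.16/12 range is absent.
SAMPLE_CONF = '''
server:
    ip-address: 192.175.48.1    # example address only
    ip4-only: yes
zone:
    name: "localhost"
    zonefile: "localhost.zone"
zone:
    name: "10.in-addr.arpa"
    zonefile: "RFC-1918.zone"
zone:
    name: "16.172.in-addr.arpa"
    zonefile: "RFC-1918.zone"
zone:
    name: "22.172.in-addr.arpa"
zone:
    name: "168.192.in-addr.arpa"
    zonefile: "RFC-1918.zone"
zone:
    name: "254.169.in-addr.arpa"
    zonefile: "RFC-1918.zone"
zone:
    name: "hostname.as112.net"
    zonefile: "hostname.as112.net.zone"
'''

if __name__ == "__main__":
    for problem in check_as112_config(SAMPLE_CONF):
        print(problem)
    print(generate_zone_stanzas())
```

Run check_as112_config over your real nsd.conf before nsdc rebuild; a node missing one of the reverse zones still starts fine but returns REFUSED for that zone instead of the NXDOMAIN AS112 is meant to give.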
The RFC-1918.zone file contains only an SOA and the two NS records and no PTR records, so every query for a name under these zones is answered with NXDOMAIN, which is the whole purpose of AS112:
$TTL 300
@	IN	SOA	prisoner.iana.org. hostmaster.root-servers.org. (
			2007092600 ; serial
			30m 15m 1w 1w )
	NS	blackhole-1.iana.org.
	NS	blackhole-2.iana.org.
The zone file for hostname.as112.net is shown below. Its TXT records are what a remote user sees when querying hostname.as112.net to find out which AS112 node they are reaching, so put your operator and location information there:
$TTL 300
@	IN	SOA	your.name.server. your.server.contact. (
			2007092600 ; serial
			1H         ; refresh
			10M        ; retry
			4w2d       ; expiry
			15S )      ; minimum
	TXT	"Your info here ..."
	TXT	"multiple lines are allowed."
	NS	blackhole-1.iana.org.
	NS	blackhole-2.iana.org.