AS112 Setup with Ubuntu Server and NSD

An AS112 Setup with Linux Ubuntu Server and NSD

In this page we describe an AS112 server setup with Linux Ubuntu Server, the NSD name server daemon, and the Quagga routing software.

Server installation

1. Requirements

To install the Ubuntu system you will need the following:

  • The Ubuntu 6.06 LTS Server installation CD, available here: http://www.ubuntu.com/download
  • One of these supported architectures: Intel x86, AMD64, UltraSPARC T1 and PowerPC
  • An internet connection

Recommended minimum requirements for the server edition: 64 megabytes of RAM and 500 megabytes of hard drive space.

2. Installation

In the first step the installer checks the installation CD and your hardware, and configures the network with DHCP if there is a DHCP server on the network. Then you have to partition your hard disk: select the drive, create the partitions and write the changes to disk. In particular, our AS112 instance uses the following layout:

Filesystem            Size  Used Avail Use% Mounted on
/dev/sda2             1.8G  192M  1.5G  12% /
/dev/sda1              89M   23M   61M  28% /boot
/dev/sdb2              15G  1.4G   13G  10% /data
/dev/sda7             2.1G  124M  1.9G   7% /home
/dev/sda6             897M   19M  831M   3% /tmp
/dev/sda3             4.6G  408M  4.0G  10% /usr
/dev/sda5             7.4G  366M  6.7G   6% /var

When the installer has finished you have to reboot the system.

3. Configuration

After the installation you have to configure the base system and install the AS112 components.

Install the SSH server. Ubuntu does not install OpenSSH by default, so run:

noc@as112:~$ sudo apt-get install ssh openssh-server

Configure the interface aliases for the anycast addresses by editing /etc/network/interfaces. Once they are up, ifconfig shows the unicast address on eth0 and the three AS112 anycast addresses on the aliases eth0:0, eth0:1 and eth0:2:

eth0      Link encap:Ethernet  HWaddr 00:D0:A8:00:65:68  
          inet addr: address  Bcast: broadcast  Mask: mask
          inet6 addr: fe80::2d0:a8ff:fe00:6568/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:533742372 errors:0 dropped:0 overruns:0 frame:0
          TX packets:464584645 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1129765850 (1.0 GiB)  TX bytes:2127926434 (1.9 GiB)

eth0:0    Link encap:Ethernet  HWaddr 00:D0:A8:00:65:68  
          inet addr:192.175.48.1  Bcast:192.175.48.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:1    Link encap:Ethernet  HWaddr 00:D0:A8:00:65:68  
          inet addr:192.175.48.6  Bcast:192.175.48.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:2    Link encap:Ethernet  HWaddr 00:D0:A8:00:65:68  
          inet addr:192.175.48.42  Bcast:192.175.48.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
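The /etc/network/interfaces stanzas that produce the aliases above, added here as an example and not taken from the page. The unicast address, netmask and gateway of eth0 are placeholders to be filled in; the alias addresses and the /24 netmask are those of the listing.

```text
# /etc/network/interfaces (Ubuntu 6.06, ifupdown)
auto lo
iface lo inet loopback

# unicast address, used for management and for the BGP sessions
auto eth0
iface eth0 inet static
    address [your unicast address]
    netmask [your netmask]
    gateway [your gateway]

# AS112 anycast service addresses (prisoner, blackhole-1, blackhole-2)
auto eth0:0
iface eth0:0 inet static
    address 192.175.48.1
    netmask 255.255.255.0

auto eth0:1
iface eth0:1 inet static
    address 192.175.48.6
    netmask 255.255.255.0

auto eth0:2
iface eth0:2 inet static
    address 192.175.48.42
    netmask 255.255.255.0
```

Bring the aliases up with sudo ifup eth0:0 eth0:1 eth0:2 and check them with ifconfig -a. Because the aliases carry a /24 netmask, the kernel also gets a connected route for 192.175.48.0/24 on eth0, which is the prefix the BGP configuration announces.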


Now you have to configure the firewall. Ubuntu installs iptables by default. An example ruleset for the INPUT chain, as displayed by iptables -L, is shown below:

target prot opt source   destination         
ACCEPT all -- anywhere anywhere            
ACCEPT icmp -- anywhere anywhere icmp any 
ACCEPT tcp -- anywhere anywhere tcp dpt:domain flags:FIN,SYN,RST,ACK/SYN 
ACCEPT udp -- anywhere anywhere udp dpt:domain 
ACCEPT tcp -- anywhere anywhere tcp dpt:169 flags:FIN,SYN,RST,ACK/SYN 
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED 
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable 
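A script that regenerates the INPUT chain listed above, added here as an example and not taken from the page. It prints the iptables commands so they can be reviewed (or diffed against the running ruleset) before being applied. The listing's first catch-all ACCEPT is assumed to be the loopback rule, the tcp/169 service is kept as shown, and the neighbour addresses in PEERS are placeholders. One thing the listing does not do is accept inbound BGP (tcp/179) from the transit peers: with only the RELATED,ESTABLISHED rule the session can be established from this host but never by the peer, so the script adds that rule, restricted to the peers' addresses.

```shell
#!/bin/sh
# as112-fw.sh: regenerate the INPUT chain listed above (added example, not the page's script).
# Assumptions: the listing's first catch-all ACCEPT is the loopback rule, PEERS holds the
# BGP neighbours' addresses (documentation addresses here, replace them), and MGMT_PORT is
# the tcp/169 service the listing accepts.
set -eu

PEERS="${PEERS:-192.0.2.1 192.0.2.2}"
MGMT_PORT="${MGMT_PORT:-169}"

# Print the rules instead of applying them, so they can be reviewed or diffed first.
gen_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 53 --syn -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport $MGMT_PORT --syn -j ACCEPT
EOF
    # BGP: only the configured transit neighbours may open a session to tcp/179;
    # without this rule the session can only be established from our side.
    for peer in $PEERS; do
        echo "iptables -A INPUT -p tcp -s $peer --dport 179 --syn -j ACCEPT"
    done
    cat <<EOF
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Number of -A rules generated; a quick sanity check before applying.
rule_count() { gen_rules | grep -c '^iptables -A'; }

case "${1:-print}" in
    print) gen_rules ;;
    apply) gen_rules | sh -e ;;          # as root: sudo ./as112-fw.sh apply
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to see the rules, compare them with iptables -L -n, then apply them as root. The --syn match is what iptables -L displays as flags:FIN,SYN,RST,ACK/SYN in the listing.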

Now you have to install the Quagga routing suite, NSD and the Apache daemon (used for the web statistics). Run:

noc@as112:~$ sudo apt-get install quagga nsd apache

The system installation and base configuration is now complete. See the next sections for configuring the Quagga routing suite and NSD.

Routing daemon (Quagga) setup

Information about the Quagga software routing suite can be found on the Quagga project web site.

Basically, Quagga's architecture is made of several modules. The fundamental one is the zebra daemon, which takes care of updating the kernel routing tables with the information retrieved by the protocol-specific routing daemons; at the moment Quagga supports RIP, OSPF and BGP via the ripd, ospfd and bgpd daemons.

In order to run our AS112 instance, we just need zebra and bgpd daemons.

Zebra configuration

Zebra configuration is straightforward: we just need to declare our public interface:

!
log file /var/log/quagga/zebra.log
log stdout
log record-priority
service password-encryption
!
interface eth0
 ip address [your ip address here]
!

BGPD configuration

The BGP process can be easily configured by specifying the network we are serving (i.e. 192.175.48.0/24), the transit neighbours and some simple route maps:

hostname as112
log file /var/log/quagga/bgpd.log
!
router bgp 112
 bgp router-id 192.175.48.254
 network 192.175.48.0/24
 neighbor transit-peers peer-group
 neighbor transit-peers route-map AS112_OUT out
 neighbor [a_neighbour_here] remote-as [a_remote_as_here]
 neighbor [a_neighbour_here] peer-group transit-peers
 neighbor [another_neighbour_here] remote-as [another_remote_as_here]
 neighbor [another_neighbour_here] peer-group transit-peers
!
ip prefix-list as112 seq 5 permit 192.175.48.0/24
ip prefix-list as112 seq 10 deny 0.0.0.0/0 le 32
!
ip as-path access-list AS112 permit ^$
!
route-map AS112_OUT permit 10
 match ip address prefix-list as112
 match as-path AS112
!

In this case we defined a peer-group (transit-peers) in order to apply the same routing policy to all peers belonging to that group. The AS112_OUT route map lets through only 192.175.48.0/24 and only with an empty AS path, i.e. the prefix originated locally by this node; anything learned from one transit peer is therefore never re-announced to another, and no other prefix can leak out of the node by mistake.

Name server (NSD) setup

NSD is an authoritative-only, high-performance, simple and open source name server. Source tarballs can be downloaded from NLnet Labs.

NSD is straightforward to use and its configuration is quite simple. NSD pre-compiles all zones into a single binary database file, which is loaded into memory at program startup, thus giving fast response times. Whenever you add or change a zone you have to recompile the database and reload the server (nsdc rebuild, then nsdc reload); editing a zone file alone changes nothing in the running server.

Compiling and installing

We begin by extracting the sources into a directory:

noc@as112:~/download$ tar xvfz nsd-3.0.6.tar.gz

In order to run an AS112 server we do not need any particular configure option, so we can just run:

noc@as112:~/download$ cd nsd-3.0.6 && ./configure && make && sudo make install

Note that with the default prefix a source build installs under /usr/local and, unless told otherwise with --with-configdir=/etc/nsd, looks for its configuration under /usr/local/etc/nsd rather than at the /etc/nsd/nsd.conf path used below.

Configuring the server

NSD configuration resides in /etc/nsd/nsd.conf, let's see some important parameters:

server:
        # uncomment to specify specific interfaces to bind (default all).
        ip-address: 192.175.48.1
        ip-address: 192.175.48.6
        ip-address: 192.175.48.42

        # enable debug mode for nsd, does not fork daemon process.
        # (debug mode disables slave zone functionalities)
        # debug-mode: no

        # listen only on IPv4 connections
        ip4-only: yes

        # listen only on IPv6 connections
        # ip6-only: no

        # the database to use
        database: "/path/to/nsd/nsd.db"

        # identify the server (CH TXT ID.SERVER entry).
        identity: "your_server_identity"

        # log messages to file. Default to stderr and syslog.
        logfile: "/path/to/nsd/log/nsd.log"

        # Number of NSD servers to fork.
        server-count: 1

        # Maximum number of concurrent TCP connections per server.
        # tcp-count: 10

        # File to store pid for nsd in.
        pidfile: "/path/to/nsd/nsd.pid"

        # port to answer queries on. default is 53.
        # port: 53

        # statistics are produced every number of seconds.
        # statistics: 3600
        # Run NSD in a chroot-jail.
        # make sure to have pidfile and database reachable from there.
        chroot: "/path/to/nsd"

        # After binding socket, drop user privileges.
        # can be a username, id or id.gid.
        username: nsd

        # The directory for zonefile: files.
        zonesdir: "/path/to/nsd/zones"

        # The file where incoming zone transfers are stored.
        # run nsd-patch to update zone files, then you can safely delete it.
        difffile: "/path/to/nsd/ixfr.db"

        # The file where secondary zone refresh and expire timeouts are kept.
        # If you delete this file, all secondary zones are forced to be
        # 'refreshing' (as if nsd got a notify).
        xfrdfile: "/path/to/nsd/xfrd.state"

        # Number of seconds between reloads triggered by xfrd.
        # xfrd-reload-timeout: 10

        # Verbosity level.
        # verbosity: 0

It is very important that you list each and every IP address you want the server to bind to (the configuration above shows the three AS112 anycast addresses). Otherwise NSD binds to the wildcard address and may answer a query sent to an anycast address with a reply sourced from the unicast address; resolvers discard replies that do not come from the address they queried, so the node silently stops working for those clients.
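The announcement policy in the BGP section and the binding caveat above have a practical consequence: the node should announce 192.175.48.0/24 only while NSD answers correctly on every anycast address, and a reply sourced from the unicast address is a failure in its own right (dig discards a reply from an unexpected source address and reports a timeout, just as a resolver would). The following watchdog is an added example, not part of the page or of the AS112 project: it queries each anycast address for an RFC 1918 PTR, expects NXDOMAIN with the prisoner.iana.org SOA in the authority section, and stops bgpd (so the transit peers withdraw the prefix) on the first failure, restarting it once all probes pass again. It assumes dig (dnsutils) is installed, that Quagga is controlled through the Debian/Ubuntu init script /etc/init.d/quagga, which accepts a daemon name as its second argument, and that it is run from cron.

```shell
#!/bin/sh
# as112-watchdog.sh: withdraw the AS112 prefix while NSD is not answering properly.
# Added example, not part of the page. Assumes dig is installed and Quagga is
# controlled via the Debian/Ubuntu init script, which takes a daemon name.
set -u

ANYCAST="192.175.48.1 192.175.48.6 192.175.48.42"
PROBE_NAME="1.2.3.10.in-addr.arpa"          # an RFC 1918 PTR; AS112 must answer NXDOMAIN
QUAGGA_INIT="${QUAGGA_INIT:-/etc/init.d/quagga}"

# check_reply DIG_OUTPUT: succeeds only for an NXDOMAIN whose authority section
# carries the AS112 SOA, proving the answer came from the blackhole zone.
# No "status:" header (a timeout, including the one dig reports after
# discarding a reply from an unexpected source address) counts as a failure.
check_reply() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    [ "${status:-TIMEOUT}" = "NXDOMAIN" ] || return 1
    printf '%s\n' "$1" | grep -Eq 'IN[[:space:]]+SOA[[:space:]]+prisoner\.iana\.org\.'
}

# probe IP: query one anycast address directly and validate the reply.
probe() {
    out=$(dig +tries=1 +time=2 @"$1" "$PROBE_NAME" PTR 2>&1) || true
    check_reply "$out"
}

all_healthy() {
    for ip in $ANYCAST; do
        probe "$ip" || { echo "probe failed on $ip" >&2; return 1; }
    done
}

bgpd_running() { pgrep -x bgpd >/dev/null; }

main() {
    if all_healthy; then
        if ! bgpd_running; then
            echo "NSD healthy again, re-announcing 192.175.48.0/24" >&2
            "$QUAGGA_INIT" start bgpd
        fi
    elif bgpd_running; then
        echo "NSD unhealthy, withdrawing 192.175.48.0/24" >&2
        "$QUAGGA_INIT" stop bgpd
    fi
}

if [ "${1:-}" = "run" ]; then main; fi
```

Install it as /usr/local/sbin/as112-watchdog.sh and add a root crontab entry such as * * * * * /usr/local/sbin/as112-watchdog.sh run. The reply validation lives in check_reply so it can be exercised offline against captured dig output; a node that keeps announcing the prefix while its name server is broken blackholes the RFC 1918 reverse queries of everyone routed to it, which is worse than not being there at all.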

You can choose to run NSD in a chroot jail (the chroot: setting above); in that case make sure that every file named in the configuration, including the database, pidfile, logfile, difffile, xfrdfile and zonesdir, lives under the chroot directory and is therefore reachable from inside the jail.

The next step is to tell NSD which zones to serve and where to find the zone data:

zone:
        name: "localhost"
        zonefile: "localhost.zone"
zone:
        name: "0.0.127.in-addr.arpa"
        zonefile: "0.0.127.zone"
zone:
        name: "10.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "16.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "17.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "18.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "19.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "20.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "21.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "22.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "23.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "24.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "25.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "26.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "27.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "28.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "29.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "30.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "31.172.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "168.192.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "254.169.in-addr.arpa"
        zonefile: "RFC-1918.zone"
zone:
        name: "hostname.as112.net"
        zonefile: "hostname.as112.net.zone"

We use the same zone file for every RFC 1918 range, plus a zone file for hostname.as112.net and two for the localhost and 127.0.0.0/24 zones.

Basically, the file RFC-1918.zone contains no records apart from the SOA and the NS set, so every PTR query for these ranges is answered with NXDOMAIN:

$TTL 300
@ IN SOA prisoner.iana.org. hostmaster.root-servers.org. (
                                2007092600 ; serial
                                30m
                                15m
                                1w
                                1w )
        NS blackhole-1.iana.org.
        NS blackhole-2.iana.org.

The zone file for hostname.as112.net is:

$TTL 300
@ IN SOA your.name.server. your.server.contact. (
                2007092600 ; serial
                        1H ; refresh
                        10M ; retry
                        4w2d ; expiry
                        15S ) ; minimum

        TXT "Your info here ..."
        TXT "multiple lines are allowed."

        NS blackhole-1.iana.org.
        NS blackhole-2.iana.org.
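Editing a zone in practice, as an added example that is not part of the page: bump the SOA serial, check the configuration, recompile nsd.db and reload the server, which is the recompile step the NSD introduction above asks for. It assumes the YYYYMMDDnn serial convention of the zone files above, with the serial on a line of its own followed by "; serial", GNU sed, and the NSD 3 tools nsd-checkconf and nsdc in the path; ZONESDIR must match the zonesdir: setting in nsd.conf.

```shell
#!/bin/sh
# nsd-zone-update.sh: bump a zone's SOA serial, then rebuild and reload NSD 3.
# Added example, not part of the page. Assumes the YYYYMMDDnn serial style used
# in the zone files above, GNU sed, and the NSD 3 tools nsdc and nsd-checkconf.
set -eu

ZONESDIR="${ZONESDIR:-/path/to/nsd/zones}"   # must match zonesdir: in nsd.conf

# next_serial OLD TODAY: prints the new serial.
# Same day: increment the two-digit counter. New day: TODAY00. If the old serial
# is already ahead of today (wrong clock, hand edit) just add one, so the serial
# never moves backwards and the change is never mistaken for an older version.
next_serial() {
    old=$1; today=$2
    case "$old" in
        "$today"[0-9][0-9]) echo $((old + 1)) ;;
        *) if [ "$old" -lt "${today}00" ]; then echo "${today}00"; else echo $((old + 1)); fi ;;
    esac
}

# current_serial FILE: prints the number on the "<serial> ; serial" line.
current_serial() {
    sed -n 's/^[[:space:]]*\([0-9]\{1,10\}\)[[:space:]]*;[[:space:]]*serial.*/\1/p' "$1" | head -n 1
}

# bump_serial FILE [TODAY]: rewrites the serial line in place, prints the new serial.
bump_serial() {
    file=$1; today=${2:-$(date +%Y%m%d)}
    old=$(current_serial "$file")
    [ -n "$old" ] || { echo "no '; serial' line found in $file" >&2; return 1; }
    new=$(next_serial "$old" "$today")
    sed -i "s/^\([[:space:]]*\)$old\([[:space:]]*;[[:space:]]*serial\)/\1$new\2/" "$file"
    echo "$new"
}

# update_zone ZONEFILE: the full procedure, to be run as root after editing the file.
update_zone() {
    bump_serial "$ZONESDIR/$1" >/dev/null
    nsd-checkconf /etc/nsd/nsd.conf     # syntax check before touching the database
    nsdc rebuild                        # zonec: recompile every zone into nsd.db
    nsdc reload                         # make the running server pick up the new database
}

if [ "${1:-}" = "update" ]; then update_zone "$2"; fi
```

For example, after changing the TXT records of the hostname.as112.net zone run sudo ./nsd-zone-update.sh update hostname.as112.net.zone. Adding a new zone follows the same path: add the zone: block to nsd.conf, drop the file into zonesdir, then check, rebuild and reload.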

server status

 NSD server is running

 BGP daemon is not running

01:26:52 up 55 days, 10:03, 0 users, load average: 0.00, 0.00, 0.00
