Journey to new DNS servers

Photo by Taylor Vick on Unsplash

I have been managing my own DNS servers for a long time now, most of the time using ISPConfig to manage two to three BIND instances. It has been fun, but I got tired of ISPConfig’s limitations in some areas, and I want to define the servers myself.

I have tried this before, several times, but I made the mistake so many others have made: trying to solve everything in one shot. As I have learned from my paid work, that isn’t worth the time. So I am going on a new journey to build my own infrastructure, one piece at a time, starting with my self-hosted DNS servers.

It might take time, and I am aware that sometimes there will be days or weeks between steps of progress, but it is a journey of learning and sharing. So let’s begin.

My considerations

  1. Quick response
  2. Quick refresh (of changes)
  3. Support many resource record types and security measures
  4. Ability to support DDNS
  5. Active maintainers

Quick response

If I am in the US and the server is in Europe, a 100ms response time in the server itself is really slow. The server must respond very quickly to each request.

Quick refresh

When a change is introduced, taking 60 seconds to apply it is slow: think of APIs that update DNS records for verification purposes and need to move to the next step within that timeframe. So my goal is for record changes to take effect within 20 seconds.

Support many RR types and security

I expect the server to support most of the RR types, namely:

  • DNAME
  • Implement some ANAME behavior (like CNAME, but usable at the apex of the domain)
  • CAA

It should fully support DNSSEC with the latest practices.

Active maintainers

The program I will choose should be actively maintained, otherwise any bug report, feature request or merge request might just remain in limbo, and I will either have to fork it or move to another solution.

Options

  • BIND 9 (9.16.n for now, it has ESV)
  • PowerDNS

These are the only two left after filtering the commonly available options, given that I already use IPv6 for both serving and records, use wildcard records, and want DNSSEC.

I’ll state the obvious: I need the software to be free and open source, tested, and to run smoothly on a Linux server (I can manage with BSD if that becomes a requirement).

Other options

  • Develop my own server

Well, a lovely idea; I always like to consider it in every project, but it isn’t on the table for now. Sorry, me.

But, as a consolation, I will be working on all the integration and admin interfaces, and at the slightest hint of trouble using the available solutions I’ll just write my own.

That’s it for now, hitting the road for new DNS servers.

Run tcpdump for a given time using timeout

Lately I needed to run tcpdump on several servers for a given time, and then download the pcap files, all in a programmatic way.

So I got to know the useful timeout command, simple and straightforward.

timeout 120s tcpdump -s 0 -A dst port 80

Remember that if you are not running as root and are using sudo, you need to put sudo before the timeout command, so that timeout can actually send the SIGTERM without getting Permission denied.

sudo timeout 120s tcpdump -s 0 -A dst port 80
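As an added example (not from the post), here is a small wrapper around the command above that makes the deadline usable from a script: timeout exits with status 124 when it had to stop the command, and since tcpdump never exits on its own, 124 is the expected result of every capture, while any other non-zero status (bad filter expression, no permission to capture) is a real failure. The capture_http function and the output file path are assumptions for illustration.

```shell
# Added example: run a command under a deadline and treat the deadline itself
# as success, so a scripted capture can tell "stopped on time" from "failed".
run_for() {
    deadline=$1; shift
    timeout "$deadline" "$@"
    status=$?
    case $status in
        0|124) return 0 ;;   # finished on its own, or stopped by the deadline
        *) echo "command failed with status $status" >&2; return "$status" ;;
    esac
}

# Hypothetical wrapper around the post's command: capture port-80 traffic for
# N seconds into a pcap file (-w) instead of printing packets with -A, so the
# file can be downloaded afterwards. When not running as root, invoke the
# whole script under sudo so timeout is allowed to signal tcpdump.
capture_http() {
    seconds=$1; outfile=$2
    run_for "${seconds}s" tcpdump -s 0 -w "$outfile" dst port 80
}
```

Called as `capture_http 120 /tmp/http.pcap`, the function returns 0 once the 120 seconds are up and the pcap file is complete, which is the point at which a collection script can fetch it.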

If you want to learn more about timeout:
https://explainshell.com/explain?cmd=timeout+120s+tcpdump+-s+0+-A+dst+port+80

nginx dynamic settings – part 2

In my previous post on nginx dynamic settings, I gave an example of using variables in the index directive to serve a dynamic main file. This time I want to talk about the try_files directive.

In the official examples, linked above, there is one showing how to provide a default placeholder image, which is nice and useful for hard-set configurations. Most of the other examples are around internal rewrites to language interpreters.

Now, say you host a Drupal or WordPress multi-site and want to provide different favicon.ico or robots.txt files per domain; this can come in handy. Here is an example:

location /favicon.ico {
    # leading slash: the name is appended to root as-is, without a separator
    try_files /$http_host.favicon.ico /favicon.ico =404;
    log_not_found off;
    access_log off;
}

This way you can provide a default file for all, and specify a unique one for some.

Notice that for favicon.ico this doesn’t really cover it, since themes provide “shortcut icon” tags that override the default favicon. But for robots.txt this is very useful.

How to set dynamic nginx settings using variables

Looking through solutions on the internet, I found that for nginx there are plenty of solutions for dynamic root directories, headers and environment variables out there.

Today I was asked about using the same application directory with various cached index files, where the choice is based on the domain accessed.

The previous solution was to create separate root directories with copies of the same system, which is wrong: just a waste of deployment time and configuration.

A more elegant solution is to use the $http_host variable and define a dynamic index file, like this:

index index.$http_host.php index.php index.html;

Now, be aware that this might not always be the best solution. Also, most of the time this will not be the specific setting or variable you need, but the idea is there.
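As an added example covering both nginx posts above (the per-host try_files and the per-host index), here is one server block that combines the two ideas, written for this page rather than taken from either post. It uses $host instead of $http_host: the Host header is sent by the client and $http_host is its raw value, port included, so a request for example.com:8080 would look for a different file, whereas $host is lowercased with any port removed and falls back to the server_name. The catch-all default server means that only names listed under server_name ever reach the file lookups. The hostnames and paths are assumptions.

```nginx
# Added example; hostnames and paths are illustrative.
# Catch-all: requests whose Host header matches no server_name end here,
# so only the names listed in the real server block reach try_files/index.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name example.com www.example.com example.org;
    root /var/www/multisite;

    # per-host index file, falling back to the shared ones
    index index.$host.php index.php index.html;

    # per-host robots.txt: /var/www/multisite/example.org.robots.txt when
    # present, otherwise the shared robots.txt, otherwise 404
    location = /robots.txt {
        try_files /$host.robots.txt /robots.txt =404;
        log_not_found off;
        access_log off;
    }

    location = /favicon.ico {
        try_files /$host.favicon.ico /favicon.ico =404;
        log_not_found off;
        access_log off;
    }
}
```

The `=` in `location = /robots.txt` makes the match exact, so the per-host lookup is only done for that one path and every other request goes through the normal handlers.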

Short variable swap in PHP > 5.4.x

Following David Walsh’s great old post Tweet for Code #2, here is a PHP adaptation of this JavaScript var-swap tweet:

$b = [$a, $a = $b][0];

Works on PHP 5.4 and up.

I know this is not very practical for daily work, but it can come in handy in a job interview.

♦ ♦ ♦

[Update: June 16, 2016]

In PHP 7.1.x it will finally be possible to use a cleaner swap shorthand:

[$a, $b] = [$b, $a];

[/Update]

Gitlab / Github set custom branch as default

When using Gitlab / Github for development with large development groups, with or without a branch per feature, you probably want to use a development branch, and setting it as the default is a good idea, so that a new clone automatically starts on the development branch.

Keep in mind that deploying will now require -b master in the clone command (unless you are using tags, which is really a better idea; but, to be fair, in old installations you can’t clone into tags, so you can… no, just upgrade).

I attached screenshots from both Gitlab and Github’s settings page, just change the “Default branch”.

Gitlab:

Github:

Bash A to Z and 0 to 9

When you run a bash command, e.g. grep, and you need to take the letters A to Z and the digits 0 to 9 into account, you can use the following syntax:

for i in {{a..z},{A..Z},{0..9}}; do echo $i; done

From here you can take it further.

It came in handy when I was searching for a value in the session directory and grep could not accept the * value because there were too many files, so I ran this:

for i in {{a..z},{0..9}}; do grep "something" sess_$i*; done

And I got my results as expected.
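As an added example (not from the post), here is the same per-prefix search as a bash function that runs over a constructed session directory, plus the caveat the loop above hides: when no file matches sess_$i*, the glob is passed to grep literally and grep complains about a missing file, so the function discards those errors. A second function shows the way past the "too many files" limit that does not depend on a prefix scheme at all: find streams the names to xargs, which sizes each grep invocation to fit the argument limit. The file names, contents and function names are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example: search a large session directory one filename prefix at a
# time, so no single grep call gets more arguments than the kernel allows.
[ -n "$BASH_VERSION" ] || exec bash "$0" "$@"   # brace expansion needs bash

# Constructed sample directory with names of the form sess_<prefix><rest>.
make_sample_dir() {
    local dir
    dir=$(mktemp -d)
    printf 'user=alice\n' > "$dir/sess_a1f3"
    printf 'user=bob\n'   > "$dir/sess_b77c"
    printf 'user=alice\n' > "$dir/sess_9k2q"
    printf 'nothing\n'    > "$dir/sess_Zz00"
    printf '%s' "$dir"
}

# Count files in $1 named sess_<c>* (c in a-z, A-Z, 0-9) that contain $2.
# Each prefix gives grep a short argument list; 2>/dev/null hides the
# "No such file" error for prefixes with no files, where the glob stays literal.
count_matches() {
    local dir=$1 pattern=$2 total=0 c n
    for c in {{a..z},{A..Z},{0..9}}; do
        n=$(grep -l -- "$pattern" "$dir"/sess_"$c"* 2>/dev/null | wc -l)
        total=$((total + n))
    done
    echo "$total"
}

# Same search without brace expansion: find lists the names, xargs batches
# them to fit the argument limit, so this scales past any prefix scheme.
count_matches_find() {
    local n
    n=$(find "$1" -maxdepth 1 -name 'sess_*' -print0 | xargs -0 grep -l -- "$2" | wc -l)
    echo $((n))
}
```

For a one-off search the prefix loop from the post is fine; for anything scripted, the find/xargs form is the one to keep, since it also copes with a single prefix that still holds too many files.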

Installing ODBTP on Linux with PHP 5.4

Hi,

Lately I have had several opportunities to try to install the ODBTP library. At first I was working on new systems, so when I hit errors simply doing pecl install odbtp, I tried installing from source; after hitting errors during the make command, I came to my senses and managed just fine with the basic MSSQL library in PHP.

Then a few weeks ago I needed to upgrade an existing system that relied on ODBTP with tight coupling, so I had no choice but to find a way past the errors.

After research on the Internet I came to a solution, but had no time to document the final one, until today, when I installed a test zone on a separate system and only vaguely remembered what I had been looking for.

Follow the instructions here, except for this: after moving the php/ext content, patch the php_odbtp.c file using the attached file.

Sources:

This patch was checked on Gentoo Linux, Ubuntu Server 12.04.1 and Linux Mint 14; the only variable, as far as I could gather from the complaints, is the PHP version.

Apache and mime types

A few days ago I started a project of upgrading a CRM system written in PHP.

Now, the current server is running Apache 1.3.33 and PHP 5.1.6. Old, right? And, hold on, the server has a dual-core x86 CPU and 4Gb of memory, which holds up for day-to-day use but starts to squeak every now and then.

The new server has 8 cores and 8Gb of memory (which can be upgraded, since it is a virtual machine), a 64-bit Gentoo Linux installed, and it runs Apache 2.2.24 with PHP 5.4.13 as a module and is constantly updated.

I thought the PHP syntax and function changes would be a pain; apparently that was nothing. The Apache upgrade, and unplanned configuration in the PHP code and file naming, made the transfer more difficult.

The problem was that one specific file, a JS dictionary file named dict.hebrew.utf-8.js, was being served with the encoding iso-8859-8 (Visual Hebrew), which made all the content look like gibberish. Funny, huh?

Searching the web, I tried simply setting AddDefaultCharset UTF-8, but that did nothing, so I looked at my wall, saw the page saying RTFM, and so I did…

http://httpd.apache.org/docs/2.2/mod/mod_mime.html

Then it hit me: AddCharset iso-8859-8 .hebrew is set before AddCharset UTF-8 .utf8 .utf-8 (I added the last extension for compatibility), so I commented out the utf8 line and copied it to be the first AddCharset line, and voilà, that did it.

So, to conclude my messy post… Remember Remember

  • First come first served
  • Name static files with language or encoding names thoughtfully
  • Try and read what the plans are for the technologies you are using for the system you are building
  • If your system has some hiccups, try to RTFM
  • The fifth of November

Yehuda