Sean O'Neill's Weblog

Wednesday Aug 01, 2007

OpenDNS: SMF Setup for inadyn

A bit more on my efforts with OpenDNS for home use.

When I set up my OpenDNS account, I enabled statistics collection.  I'm curious to see what the stats look like.  [ I do have to say though the statistics aren't what I expected ... I know my traffic is greater than what I'm seeing ... may need to open a ticket with the OpenDNS support folks ... ] To utilize this service, OpenDNS has to keep track of my ISP-provided DHCP address.  To accomplish this, OpenDNS has its users use the inadyn DDNS client.

So I downloaded the v1.99 inadyn source tarball from OpenDNS and initially compiled it using gcc.  I immediately hit a SIGSEGV when testing it out.  Annoying ... I tried recompiling it with Sun's GCC for SPARC Systems ... still got a SIGSEGV.  Someone suggested I try using the Sun Studio Runtime Checker feature, so I did ... and the problem went away.  Not being a strong programmer and having more important things to do, I set up the SMF service to include the LD_FLAGS_32 variable as part of the startup initialization - no more SIGSEGV.  Interesting ... but still annoying.

This is my /etc/inadyn.conf file contents: 

--username <username>
--password <password>
--alias opendns
--secure
--background
--dyndns_server_name updates.opendns.com
--dyndns_server_url /account/ddns.php?
--verbose 0

Nothing really special here except to note that the --verbose flag is very nice for debugging inadyn when running it manually. 

Here is the inadyn SMF manifest I set up in /var/svc/manifest/application/inadyn.xml: 

<?xml version="1.0"?>
<!DOCTYPE service_bundle
  SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">

<service_bundle type='manifest' name='inadyn'>
  <service
    name='application/inadyn'
    type='service'
    version='1'>
    <create_default_instance enabled='false' />
    <single_instance />

    <dependency
      name='multi-user-server'
      grouping='optional_all'
      type='service'
      restart_on='none'>
        <service_fmri value='svc:/milestone/multi-user-server' />
    </dependency>
    <exec_method
      type='method'
      name='start'
      exec='/lib/svc/method/svc-inadyn %m'
      timeout_seconds='60'>
      <method_context>
        <method_credential user='nobody' />
      </method_context>
    </exec_method>

    <exec_method
      type='method'
      name='restart'
      exec='/lib/svc/method/svc-inadyn %m'
      timeout_seconds='60'>
      <method_context>
        <method_credential user='nobody' />
      </method_context>
    </exec_method>

    <exec_method
      type='method'
      name='stop'
      exec='/lib/svc/method/svc-inadyn %m'
      timeout_seconds='60' >
      <method_context>
        <method_credential user='nobody' />
      </method_context>
    </exec_method>

    <property_group name='startd' type='framework'>
      <propval name='duration' type='astring' value='contract' />
    </property_group>

  </service>
</service_bundle>

Here is the inadyn SMF method I created in /lib/svc/method/svc-inadyn.  [ The inclusion of the LD_FLAGS_32 variable is visible at the top of the script.  I have no clue at this point if this is necessary for other Solaris versions, just snv_67, or just me ... YMWPV ]

#!/sbin/sh
# Start/stop/restart the inadyn DDNS client under SMF
#
. /lib/svc/share/smf_include.sh

# LD_FLAGS_32 (preload watchmalloc) is only necessary on Solaris Nevada
# snv_67 currently; without it inadyn dies with a SIGSEGV.
#
LD_FLAGS_32='preload=watchmalloc.so.1'
export LD_FLAGS_32

LD_LIBRARY_PATH=/usr/lib:/opt/csw/lib
export LD_LIBRARY_PATH

case "$1" in
'start')
        # pgrep prints the matching PIDs; discard them, only the exit status matters
        if pgrep -x -u nobody inadyn >/dev/null; then
           echo "$0: inadyn is already running"
           exit 1
        fi

        /usr/local/bin/inadyn
        ;;
'restart')
        pkill -x -u nobody inadyn
        sleep 2
        /usr/local/bin/inadyn
        ;;
'stop')
        if pgrep -x -u nobody inadyn >/dev/null; then
           pkill -x -u nobody inadyn
        fi
        ;;
*)
        echo "Usage: $0 { start | restart | stop }"
        exit 1
        ;;
esac
exit $SMF_EXIT_OK

And finally, here are the simple steps I used to import the manifest and start up the inadyn service: 

# svccfg
svc:> validate /var/svc/manifest/application/inadyn.xml
svc:> import /var/svc/manifest/application/inadyn.xml
svc:> quit
# svcadm enable svc:/application/inadyn:default


And that's that.

Thursday Jul 26, 2007

OpenDNS - tweak for SunRay at Home Users

In my efforts with trying out OpenDNS, I discovered that my SunRay 2 (which is configured to connect to Sun's internal network) here at home suddenly stopped working.  After a little effort with Wireshark, I was able to determine that my introduction of OpenDNS into my internal network configuration was the problem.

The SunRay is configured to try a couple of different hostnames when it boots up.   The way that OpenDNS works is that if it can't satisfy a specific DNS query, it supplies an OpenDNS IP address, assuming the original request was for a web page (anyone from OpenDNS can reply correcting me obviously).  Assuming the requesting application is a web browser, the OpenDNS page shown gives suggested alternatives to what the user originally requested and some ads in the right frame of the page (this is how they make money and pay the bills).

The issue is that a SunRay needs to try *all* the hostnames it has configured in its PROM, in all the normal combinations that a DNS client will try when resolving a name.  But because OpenDNS replies with an A record on the first failure, the SunRay just locks up while initializing.

So how do I configure my /etc/named.conf file to disable the DNS forwarding configuration I have set up, for the .sun.com domain (with a little help from the OpenDNS support folks)?

Like this:

options {
        directory "/var/named";
        forwarders { 208.67.222.222; 208.67.220.220; };
        forward only;
};

zone "."                        { type hint;    file "db.cache"; };
zone "0.0.127.in-addr.arpa"     { type master;  file "db.127.0.0"; forwarders {}; };
zone "nonroutable.com"          { type master;  file "db.nonroutable"; forwarders {}; };
zone "0.168.192.in-addr.arpa"   { type master;  file "db.192.168.0"; forwarders {}; };
zone "sun.com"                  { type forward; forwarders {}; };

The additional zone entry is for the sun.com DNS domain.  Notice the "type" field for this zone is "forward" and it has the "forwarders {}" option like the others.  This disables DNS forwarding for that domain.  After resetting my named daemon and a power cycle on my SunRay 2, the SunRay booted up just fine and I got my Solaris login screen. 


Thursday Jul 12, 2007

OpenDNS - very kewl

I recently read an article in the New York Times about OpenDNS which describes its service as:

OpenDNS is a safer, faster, smarter and more reliable way to navigate the Internet.

Well, after reading the article in the New York Times I was intrigued to say the least, so I started snooping around the OpenDNS web page and got MORE intrigued. One reason I got more and more interested is the services they offer for blocking less-than-savory web sites. What I liked about these value-add services is the price is right ... it's free. It's interesting in that they have it set up where you can block various sites based on categories of adult themes: bikini vs nudity vs pornographic etc. while using nothing more than DNS. So nothing to download and install on your home machines. I have enough of a selection of machines at home (FreeBSD, Solaris, Mac OS X, and Windows XP) that anything requiring installing a client on each machine type would instantly kill my interest in the service.

( While being very interested in this DNS service technically, in the end, my true motivation is that I have kids getting onto the Internet more these days and I'm looking to avoid for as long as I can the inevitable "Daddy, what are they doing ?!?!?!?!?" .... notice I said "inevitable" )

So I took the plunge and I signed up for an account. You have to sign up for an account to activate the adult theme blocking service. Again ... signup is free in case you missed that part above.

One challenge I had is I have a DNS server set up here at home for my internal network of machines - it's a Solaris Nevada machine no less (snv_67 currently). So how to set up my DNS server so it's still authoritative for my internal domain and then push queries out to OpenDNS for DNS query resolution?  The answer = Sun's employee subscription to Safari Books Online -> DNS and BIND, 5th Edition -> Section 10.5 Forwarding.  Man, do I love that Safari subscription ...

I tweaked my /etc/named.conf file to look like the following:

options {
directory "/var/named";
forwarders { 208.67.222.222; 208.67.220.220; };
forward only;
};

zone "." { type hint; file "db.cache"; };
zone "0.0.127.in-addr.arpa" { type master; file "db.127.0.0"; forwarders {}; };
zone "nonroutable.com" { type master; file "db.nonroutable"; forwarders {}; };
zone "0.168.192.in-addr.arpa" { type master; file "db.192.168.0"; forwarders {}; };

So the interesting parts are the "forwarders", "forward only", and "forwarders {}" directives. The "forwarders" directive tells BIND to forward all queries needing external resolution to the specified DNS servers (these being the OpenDNS servers). The "forward only" directive means rely on the forwarders for everything, i.e., never ask any other DNS servers for query resolution. The reason for this is I don't want the DNS cache on my name server polluted with anything that's not from OpenDNS. For each of my master authoritative zones, the empty "forwarders {}" disables DNS forwarding for that zone and lets my DNS server act as the authoritative DNS server it should be for each master zone file.

Next issue: how do I get my DHCP clients the benefits of OpenDNS now that I've set up my OpenDNS account and tweaked my DNS server?  Simple: update the DHCP configuration on my LinkSys WRT54G to put my DNS server first in the DNS server list, followed by the same two OpenDNS IPs seen in my /etc/named.conf file above.

OpenDNS also supports DDNS for ISPs like mine that provide DHCP to your internet router.  Unfortunately, my WRT54G only supports DDNS to DynDNS.org and TZO.com.  I can't tweak it to support another DDNS service.  This is important because to get the benefits of the adult site filtering from OpenDNS, they have to know the source IP address your DNS queries are coming from.  If/when the IP provided by your ISP changes, and without DDNS letting OpenDNS know your IP address has changed, you lose your adult filtering services from OpenDNS until you log into your OpenDNS account and tweak your account configuration.  Not sure how to resolve this just yet.
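The per-zone "forwarders {}" override explained here (and the "sun.com" forward zone in the post above it) is easy to miss in a larger named.conf: a zone that lacks it silently inherits the global forwarders, so its queries leave the box. The following Python script is an added example and is not from the original post or from BIND; it parses a named.conf fragment with the same structure as the one above (a constructed copy, plus a hypothetical "example.net" master zone that forgets the override) and reports, for each zone, which forwarders a query under that zone would actually go to.

```python
import re

# Constructed sample: the post's named.conf plus one hypothetical zone
# ("example.net") that omits the empty forwarders {} override.
SAMPLE_NAMED_CONF = """
options {
        directory "/var/named";
        forwarders { 208.67.222.222; 208.67.220.220; };
        forward only;
};

zone "."                        { type hint;    file "db.cache"; };
zone "0.0.127.in-addr.arpa"     { type master;  file "db.127.0.0"; forwarders {}; };
zone "nonroutable.com"          { type master;  file "db.nonroutable"; forwarders {}; };
zone "0.168.192.in-addr.arpa"   { type master;  file "db.192.168.0"; forwarders {}; };
zone "sun.com"                  { type forward; forwarders {}; };
zone "example.net"              { type master;  file "db.example"; };
"""


def _strip_comments(text):
    """Remove /* */, // and # comments so they cannot confuse the parser."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _brace_block(text, open_idx):
    """Return the text between text[open_idx] == '{' and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def _forwarders_in(body):
    """Forwarders declared in a block, or None if the block declares none.
    An explicit 'forwarders {};' yields [] (forwarding disabled)."""
    m = re.search(r"\bforwarders\s*\{([^}]*)\}", body)
    if m is None:
        return None
    return [a for a in re.split(r"[;\s]+", m.group(1)) if a]


def audit_forwarding(conf_text):
    """Map each zone name to its type and the forwarders queries under it
    would actually use: a zone with no forwarders statement inherits the
    options-level list; an explicit empty list turns forwarding off."""
    text = _strip_comments(conf_text)
    opt = re.search(r"\boptions\s*(?=\{)", text)
    opt_body = _brace_block(text, opt.end()) if opt else ""
    global_fwd = _forwarders_in(opt_body) or []
    forward_only = re.search(r"\bforward\s+only\s*;", opt_body) is not None

    zones = {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"(?:\s+[A-Za-z]+)?\s*(?=\{)', text):
        body = _brace_block(text, m.end())
        ztype = re.search(r"\btype\s+(\w+)\s*;", body)
        zone_fwd = _forwarders_in(body)
        zones[m.group(1)] = {
            "type": ztype.group(1) if ztype else "unknown",
            "forwarders": list(global_fwd) if zone_fwd is None else zone_fwd,
            "forward_only": forward_only,
        }
    return zones


def zones_still_forwarded(conf_text):
    """Zones whose queries would leave the box. The hint zone "." is expected
    here; an authoritative zone in this list is a missing 'forwarders {};'."""
    audit = audit_forwarding(conf_text)
    return sorted(name for name, z in audit.items() if z["forwarders"])


if __name__ == "__main__":
    for name, z in audit_forwarding(SAMPLE_NAMED_CONF).items():
        where = ", ".join(z["forwarders"]) or "(forwarding disabled)"
        print(f"{name:28} type={z['type']:8} forwarders={where}")
    print("zones forwarded to OpenDNS:", zones_still_forwarded(SAMPLE_NAMED_CONF))
```

Run against the sample, the hint zone "." and the hypothetical "example.net" zone come back as forwarded to the two OpenDNS addresses, while every zone carrying "forwarders {}" (including the "sun.com" forward zone) reports forwarding disabled. The brace-matching helper exists because the options block nests a "forwarders { ... };" statement, so a naive regex up to the first "};" would stop short.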