Syed Jahanzaib Personal Blog to Share Knowledge !

September 27, 2018

DNSMASQ Short Notes to self

Filed under: Linux Related — Tags: , , , , — Syed Jahanzaib / Pinochio~:) @ 10:15 AM

dnsmasq.jpg

Dnsmasq is a lightweight, easy to configure DNS forwarder, designed to provide DNS (and optionally DHCP and TFTP) services to a small-scale network.

As compared to `​BIND`​, which is a bit complex to configure for beginners, `DNSMASQ` is very easy and requires minimum configuration. This post is just a reference guide for myself.


Install DNSMASQ in Ubuntu !

sudo apt-get install dnsmasq

After this edit /etc/dnsmasq.conf file ,  For Shorter version, I am pasting required important options only, (by removing all lines & using these one only …)

domain-needed
#IF you want to listen on multiple interface, add them (by duplicating following line)
interface=enp6s0
bogus-priv
strict-order
expand-hosts
cache-size=10000

After every change in the config, make sure to restart DNSMASQ service.

service dnsmasq restart


Forwarding Queries to Upstream DNS

By default, DNSMASQ forwards all requests which are not able to be resolved in /etc/hosts to the upstream DNS servers defined in /etc/resolve.conf like below

cat /etc/resolv.conf

nameserver 127.0.0.1
nameserver 8.8.8.8

Make Sure to setup 127.0.0.1 in your network adapter as well example

dns-nameservers 127.0.0.1 8.8.8.8



Add DNS Records (static dns entries if required for local servers like media sharing etc)

Adding customized domain entries, dns spoofing i guess. Add the records in /etc/hosts file

cat /etc/hosts

127.0.0.1 localhost
1.2.3.4 zaib.com

 


Restart DNSMASQ Service

After every change in the config, make sure to restart dnsmasq service.

service dnsmasq restart

Monitor DNS traffic

DSNTOP is your best friend. for full details read

http://dns.measurement-factory.com/tools/dnstop/dnstop.8.html


# ACL / Secure you DNS from open relay / flooding

To allow only specific ip series to query your dns server, you can use following bash script.

We have multiple ip pools, and we have made a small text file , we can small bash script to read from the file and add iptables rules accordingly

Sample of /temp/localips.txt

10.0.0.0/8
172.16.0.0/16
192.168.0.0/16

Now you can execute the bash script manually or add it in /etc/rc.local file to execute on every reboot.

cat /etc/fw.sh

#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Very Basic Level of Firewall to allow DNS only for some ip range
# Script by Syed Jahanzaib
# 26-SEP-2018
#set -x

# Setting various Variables

#Local IP files which contains ip/ranges
IPFILE="/temp/localip.txt"

#Destination Port we want to restrict
DPORT="53"

#Destination Port type we want to restrict
DPORT_TYPE1="udp"
DPORT_TYPE2="tcp"

# Flush all previous iptables Rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Allow localhost access to query DNS service
iptables -A INPUT -s 127.0.0.1 -p $DPORT_TYPE1 --dport $DPORT -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -p $DPORT_TYPE2 --dport $DPORT -j ACCEPT

# LOOP - Read from localip.txt file , and apply iptables rules
for IP in $(cat $IPFILE); do echo "Allowing $IP for $DPORT_TYPE1 $DPORT Server queries access ..."; iptables -A INPUT -s $IP -p $DPORT_TYPE1 --dport $DPORT -j ACCEPT; done
for IP in $(cat $IPFILE); do echo "Allowing $IP for $DPORT_TYPE2 $DPORT Server queries access ..."; iptables -A INPUT -s $IP -p $DPORT_TYPE2 --dport $DPORT -j ACCEPT; done

# DROP all other requests going to DNS service
iptables -A INPUT -p $DPORT_TYPE1 --dport $DPORT -j DROP
iptables -A INPUT -p $DPORT_TYPE1 --dport $DPORT -j DROP

# Script ends here
# Syed Jahanzaib

add this in /etc/rc.local so that it can run on every reboot!

Also note that if you have large ip pool, its better to use IPSET which is more efficient

SIMPLE QUEUE for traffic going to/from DNS Server

/queue simple
add max-limit=10M/10M name="NS1 DNS Traffic 10mb limit" target=X.X.X.X/32

NSLOOKUP with details on Windows BOX

nslookup -all - 8.8.8.8

Regard’s
Syed Jahanzaib

September 24, 2018

FREERADIUS WITH MIKROTIK – Part #20 – Enforcement of lowercase in username

Filed under: freeradius — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 9:43 AM

uppwer lower logo

FREERADIUS WITH MIKROTIK – Part #1 – General Tip’s Click here to read more on FR tutorials …


Disclaimer! This is important!

Every Network is different , so one solution cannot be applied to all. Therefore try to understand logic & create your own solution as per your network scenario. Just dont follow copy paste.

If anybody here thinks I am an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and always try to help others.

Regard’s
Syed Jahanzaib~


Scenario:

  • We have a generic FreeRADIUS Version 2.2.8 as a billing system in Ubuntu 16.04.3 LTS Server.
  • Freeradius is installed by apt-get default repository.
  • Mikrotik ver 6.43.x is being used as NAS.

Problem:

By default freeradius allows upper/lowercase in username, so If user configures  username in upper/lower mix case in his dialer/router then it will be logged same in RADACCT table. This is not a problem by design, but since we are using some external bash scripts to perform various operations like sending COA for bandwidth change on the fly/disconnection etc & the script is picking usernames from our user able which has all lowercase , the NAS does not recognize it for user who have uppercase defined.

Task:

We would like to restrict that all usernames must be entered in lowercase at user side , if not then reject the authentication to enforce our policy forcefully.

Solution:

Edit dialup.conf

nano /etc/freeradius/sql/mysql/dialup.conf

& search following … Comment below lines, this code allows upper/lower case in user names …

# The default queries are case insensitive. (for compatibility with
# older versions of FreeRADIUS)
authorize_check_query = "SELECT id, username, attribute, value, op \
FROM ${authcheck_table} \
WHERE username = '%{SQL-User-Name}' \
ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op \
FROM ${authreply_table} \
WHERE username = '%{SQL-User-Name}' \
ORDER BY id"

Now UN-COMMENT following …

# Use these for case sensitive usernames.
authorize_check_query = "SELECT id, username, attribute, value, op \
FROM ${authcheck_table} \
WHERE username = BINARY '%{SQL-User-Name}' \
ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op \
FROM ${authreply_table} \
WHERE username = BINARY '%{SQL-User-Name}' \
ORDER BY id"

So after editing it would be something like …

case sensitive.PNG

Now restart freeradius service one time

service freeradius restart

After this all users authentication with uppercase will be rejected by freeradius. Use it with caution !

This is all done by default in v3…
Alan DeKok.


 

September 7, 2018

COA with Radclient workaround for RM 4.1 with Mikrotik 6.4x

Filed under: freeradius, Mikrotik Related — Tags: , — Syed Jahanzaib / Pinochio~:) @ 1:12 PM

dealing-with-dynamic-change-2

Scenario:

  • Dmasoftlab Radius Manager 4.1 with multiple services. Some of services have dynamic dynamic bandwidth scheduling for day & night. Example some services have double up mode for day , some for evening, and some for night.
  • Mikrotik 6.42.7 server with hotspot or pppoe authentication services for LAN users

Problem:

DMA Radius Manager 4.1 ‘s API functionality is broken for Mikrotik RouterOS newer versions. The 4.1 code is relying on modifying dynamic queues which had worked on 5.x version (& in some 6.2x series as well e.g: v6.29) . Any circumstances where that was doable were bugs that MikroTik has since fixed. And relying on bugs is generally a bad practice. This can be solved by using CoA instead of modifying dynamic queues which I have used in this post.

It is highly recommended that you must upgrade radius manager to latest 4.2 version which works good with new ROS.


Workaround for RM 4.1:

If for some reasons you want to stick with 4.1 version for whatsoever reason, example 4.2 version have some strict licensing policies so if still wants to use ROS latest series like 6.42.7 (as of writing this post)  , , & if you still wants to avail dynamic bandwidth changes on the fly for particular services , you can schedule following script which will run on hourly basis and will send bandwidth change request to mikrotik according to the service time.



Limitations of the Script:

  • This is a lab testing version of the script. You must modify and tune it for production use. Example the script is doing lots of sql queries, you can minimize it by creating single combined query to fetch all data from the tables, and then read values in next cmd from local file which will be much faster then querying from MySQL.
  • The service must have single time schedule. example from 08:00:00 to 20:00:00 , Multiple times for single service is not supported.
  • The time must consists of single day, it cannot overlap to next day,
  • Script will run as per cron schedule , despite you have selected specific days or not.
  • In lab I have configured it to run every hour , It will query services and its associated users. If the Start time matches , it will send bandwidth change request to the NAS, and if end time matches it will send user original package values to NAS. You can overcome repeating issue by adding additional column in the respective table and update it every time script runs which will check if it have already sent or not.
  • You should disable echoing the outputs, it will save some resources.

the Scheduler!

Either use @hourly in CRONTAB or make separate file under /etc/crond

Create new file name bw in /etc/crond/ with following contents

touch /etc/cron.d/bw
nano /etc/cron.d/bw

& add following line in it,

1 * * * * root /temp/bw.sh

Save & Exit …


the Script!

mkdir /temp
touch /temp/bw.sh
chmod +x /temp/bw.sh
nano /temp/bw.sh

& add following …

WordPress is not letting full code pasting here dueto [ ] limitation. therefore I have copied to my google drive. You can see it here.

https://drive.google.com/drive/folders/1BRIvT6lr9s66nzPP2tRsBV6G-0YA-Zkw


Results:

radius bw poller result.PNG


### ./bw.sh

- Script Start Time - 10:23:39

- INFO: mysql service is accessible. Proceeding further ... OK
- INFO: radius database exist. Proceeding further ... OK
- INFO: Total number of services with Dynamic bandwidth enabled = 11 / No.s ... OK
- INFO: Total number of users with Dynamic bandwidth enabled = 2300 / No.s ...
- INFO: Checking for Dynamic Bandwidth Policies and implement change on the fly for online users , if any ...
- DOWNGRADE ** - XXX1 / 1Mb_day_2mb_night is eligible for DOWNGRADE but NOT online, Ignoring ...
- DOWNGRADE ** - XXX2 / 1Mb_day_2mb_night / 172.16.12.52 / 80702383 is online on NAS 10.0.0.100, and eligible for DOWNGRADE to 1024k/1024k

- DOWNGRADE ** - XXX3 / 1Mb_day_2mb_night is eligible for DOWNGRADE but NOT online,Ignoring...
- DOWNGRADE ** - XXX4 / 1Mb_day_2mb_night / 172.16.6.209 / 80702352 is online on NAS 10.0.0.100, and eligible for DOWNGRADE to 1024k/1024k
- DOWNGRADE ** - XXX5 / 1Mb_day_2mb_night is eligible for DOWNGRADE but NOT online, Ignoring ...
- DOWNGRADE ** - XXX6 / 1Mb_day_2mb_night is eligible for DOWNGRADE but NOT online, Ignoring ...
- DOWNGRADE ** - XXX7 / 1Mb_day_2mb_night is eligible for DOWNGRADE but NOT online, Ignoring ...
^C
- Script Ends Here
- EXITING peacefully ...
- Script Start Time - 10:23:39
- Script End Time - 10:23:40
- Total Number of users packages changed on NAS for UP-GRADE = 0
- Total Number of users packages changed on NAS for DOWN-GRADE = 4

Bandwidth poller script ended @ 10:23:40 ... Powered by SYED.JAHANZAIB

Regard’s
Syed Jahanzaib

%d bloggers like this: