[Workshop] Safe web browsing for children on campus: BIND9 RPZ setup

To force Google SafeSearch or YouTube Restricted Mode on the computers students use on campus,
you need the DNS CNAME trick.
Below I build a student-only DNS server from scratch as a demonstration.

Test environment

Install BIND

sudo apt-get update
sudo apt-get install bind9

( If you installed from a CD, remember to comment out the cdrom line in /etc/apt/sources.list )

Configure BIND

Change to the bind config directory

cd /etc/bind

Edit named.conf.options

sudo vi named.conf.options
options {
        directory "/var/cache/bind";
        response-policy { zone "rpz"; };
        // ... other options unchanged ...
};

Create zone.rpz

sudo vi zone.rpz
zone "rpz" IN {
 type master;
 file "/etc/bind/db.rpz.zone";
 allow-query {none;};
};

Edit named.conf.local so that the system picks up zone.rpz

sudo vi named.conf.local
// (earlier lines omitted)
//include "/etc/bind/zones.rfc1918";
include "/etc/bind/zone.rpz";

Create db.rpz.zone

sudo vi db.rpz.zone
$TTL 1H
$ORIGIN rpz.
@   IN  SOA localhost. nobody.localhost. (
            2015103102
            1h
            15m
            30d
            2h )
            NS localhost.

; google safe search
www.google.com          IN CNAME forcesafesearch.google.com.
www.google.com.tw       IN CNAME forcesafesearch.google.com.

Basic BIND operations

Start the service

sudo systemctl start bind9

Stop the service

sudo systemctl stop bind9

or use sudo rndc stop

Restart the service

sudo systemctl restart bind9

sudo rndc reload

Check the conf file

named-checkconf -z /etc/bind/named.conf

Check the zone db file

named-checkzone -d rpz db.rpz.zone

BIND is enabled by default right after installation.
Once the edited config files pass the checks, a restart is all it takes.

YouTube Restricted (safe) Mode

Following Google's official settings, Restricted Mode can be forced on,
which filters out most sensitive content.

; youtube safe search
www.youtube.com         IN CNAME restrict.youtube.com.
m.youtube.com           IN CNAME restrict.youtube.com.
youtubei.googleapis.com IN CNAME restrict.youtube.com.
www.youtube-nocookie.com    IN CNAME restrict.youtube.com.

IP blocking rules

The policy trigger (LH name) uses the form prefix.a4.a3.a2.a1.rpz-ip (octets reversed, no trailing dot)

For example, to block IP 12.23.34.45 and have it answer NXDOMAIN, db.rpz.zone needs:

32.45.34.23.12.rpz-ip    IN CNAME .

For example, to block 12.23.34.* and have it answer NXDOMAIN, db.rpz.zone needs:

24.45.34.23.12.rpz-ip    IN CNAME .
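The two record shapes above (a QNAME trigger that CNAMEs a search host to its safe-search alias, and an rpz-ip trigger that answers NXDOMAIN) are easy to get subtly wrong by hand: reversed octets, the prefix label, and above all the trailing dot on the CNAME target. The following Python helper is an added example, not one of the config files from this post's GitHub repo. It builds both record kinds, renders a db.rpz.zone in the same layout as the one above, and flags any CNAME target written without a trailing dot (such a target is relative to $ORIGIN, so forcesafesearch.google.com silently becomes forcesafesearch.google.com.rpz. and the redirect never resolves). The generator zeroes host bits of the network (12.23.34.45/24 and 12.23.34.0/24 both give 24.0.34.23.12.rpz-ip); the host lists in the __main__ block are constructed samples. Note that rpz-ip triggers match addresses in the answer section of responses, not the querying client's address.

```python
"""Generate the two kinds of BIND 9 RPZ record used in this post.

Added example, not the post's own config.  Builds QNAME triggers (search host
CNAMEd to its safe-search alias), rpz-ip triggers (answer address range ->
NXDOMAIN), renders a db.rpz.zone, and checks for CNAME targets missing the
trailing dot.
"""
import ipaddress
from typing import Iterable, List

# Targets taken from the post.
SAFE_SEARCH = "forcesafesearch.google.com."
YT_RESTRICT = "restrict.youtube.com."


def rpz_ip_name(cidr: str) -> str:
    """Owner name of an rpz-ip trigger: prefix.a4.a3.a2.a1.rpz-ip (no trailing dot).

    Host bits are zeroed (strict=False), so "12.23.34.45/24" and
    "12.23.34.0/24" both give "24.0.34.23.12.rpz-ip".
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example only builds IPv4 rpz-ip triggers")
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-ip"


def cname_record(owner: str, target: str) -> str:
    """One zone-file line; the target must be absolute (end with a dot)."""
    if not target.endswith("."):
        raise ValueError(f"CNAME target {target!r} must end with a dot")
    return f"{owner:<32}IN CNAME {target}"


def nxdomain_record(cidr: str) -> str:
    """rpz-ip trigger whose action is NXDOMAIN, i.e. CNAME to the root '.'."""
    return cname_record(rpz_ip_name(cidr), ".")


def build_zone(google_hosts: Iterable[str], youtube_hosts: Iterable[str],
               blocked_cidrs: Iterable[str], serial: str = "2015103102") -> str:
    """Render a complete db.rpz.zone in the same shape as the post's file."""
    lines = [
        "$TTL 1H",
        "$ORIGIN rpz.",
        f"@   IN  SOA localhost. nobody.localhost. ( {serial} 1h 15m 30d 2h )",
        "    IN  NS  localhost.",
        "",
        "; google safe search",
    ]
    lines += [cname_record(h, SAFE_SEARCH) for h in google_hosts]
    lines += ["", "; youtube safe search"]
    lines += [cname_record(h, YT_RESTRICT) for h in youtube_hosts]
    lines += ["", "; answer addresses forced to NXDOMAIN (rpz-ip triggers)"]
    lines += [nxdomain_record(c) for c in blocked_cidrs]
    return "\n".join(lines) + "\n"


def relative_cname_targets(zone_text: str) -> List[str]:
    """Owners whose CNAME target lacks a trailing dot.

    Such a target is relative to $ORIGIN and loads without error as
    '<target>.rpz.', which is a valid name that never resolves.
    """
    bad = []
    for raw in zone_text.splitlines():
        tokens = raw.split(";", 1)[0].split()   # drop comments, tokenize
        if "CNAME" not in tokens:
            continue
        owner, target = tokens[0], tokens[-1]
        if not target.endswith("."):
            bad.append(owner)
    return bad


if __name__ == "__main__":
    # Constructed sample inputs.
    zone = build_zone(["www.google.com", "www.google.com.tw"],
                      ["www.youtube.com", "m.youtube.com"],
                      ["12.23.34.45/32", "12.23.34.0/24"])
    print(zone)
    print("relative CNAME targets:", relative_cname_targets(zone))
```

Run it once against your real db.rpz.zone text (relative_cname_targets(open("db.rpz.zone").read())) before the named-checkzone step; named-checkzone accepts a relative target as a perfectly valid name, so this is the one mistake it will not catch for you.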

Examples

The config files from this post are on GitHub; grab them if you need them.

Google ccTLD problem

To make the Google part airtight, you have to include every one of the Google ccTLD subdomains:

www.google.com       IN CNAME forcesafesearch.google.com.
www.google.ad        IN CNAME forcesafesearch.google.com.
www.google.ae        IN CNAME forcesafesearch.google.com.
www.google.com.af    IN CNAME forcesafesearch.google.com.
www.google.com.ag    IN CNAME forcesafesearch.google.com.
www.google.com.ai    IN CNAME forcesafesearch.google.com.
www.google.al        IN CNAME forcesafesearch.google.com.
www.google.am        IN CNAME forcesafesearch.google.com.
www.google.co.ao     IN CNAME forcesafesearch.google.com.
www.google.com.ar    IN CNAME forcesafesearch.google.com.
www.google.as        IN CNAME forcesafesearch.google.com.
www.google.at        IN CNAME forcesafesearch.google.com.
www.google.com.au    IN CNAME forcesafesearch.google.com.
www.google.az        IN CNAME forcesafesearch.google.com.
www.google.ba        IN CNAME forcesafesearch.google.com.
www.google.com.bd    IN CNAME forcesafesearch.google.com.
www.google.be        IN CNAME forcesafesearch.google.com.
www.google.bf        IN CNAME forcesafesearch.google.com.
www.google.bg        IN CNAME forcesafesearch.google.com.
www.google.com.bh    IN CNAME forcesafesearch.google.com.
www.google.bi        IN CNAME forcesafesearch.google.com.
www.google.bj        IN CNAME forcesafesearch.google.com.
www.google.com.bn    IN CNAME forcesafesearch.google.com.
www.google.com.bo    IN CNAME forcesafesearch.google.com.
www.google.com.br    IN CNAME forcesafesearch.google.com.
www.google.bs        IN CNAME forcesafesearch.google.com.
www.google.bt        IN CNAME forcesafesearch.google.com.
www.google.co.bw     IN CNAME forcesafesearch.google.com.
www.google.by        IN CNAME forcesafesearch.google.com.
www.google.com.bz    IN CNAME forcesafesearch.google.com.
www.google.ca        IN CNAME forcesafesearch.google.com.
www.google.cd        IN CNAME forcesafesearch.google.com.
www.google.cf        IN CNAME forcesafesearch.google.com.
www.google.cg        IN CNAME forcesafesearch.google.com.
www.google.ch        IN CNAME forcesafesearch.google.com.
www.google.ci        IN CNAME forcesafesearch.google.com.
www.google.co.ck     IN CNAME forcesafesearch.google.com.
www.google.cl        IN CNAME forcesafesearch.google.com.
www.google.cm        IN CNAME forcesafesearch.google.com.
www.google.cn        IN CNAME forcesafesearch.google.com.
www.google.com.co    IN CNAME forcesafesearch.google.com.
www.google.co.cr     IN CNAME forcesafesearch.google.com.
www.google.com.cu    IN CNAME forcesafesearch.google.com.
www.google.cv        IN CNAME forcesafesearch.google.com.
www.google.com.cy    IN CNAME forcesafesearch.google.com.
www.google.cz        IN CNAME forcesafesearch.google.com.
www.google.de        IN CNAME forcesafesearch.google.com.
www.google.dj        IN CNAME forcesafesearch.google.com.
www.google.dk        IN CNAME forcesafesearch.google.com.
www.google.dm        IN CNAME forcesafesearch.google.com.
www.google.com.do    IN CNAME forcesafesearch.google.com.
www.google.dz        IN CNAME forcesafesearch.google.com.
www.google.com.ec    IN CNAME forcesafesearch.google.com.
www.google.ee        IN CNAME forcesafesearch.google.com.
www.google.com.eg    IN CNAME forcesafesearch.google.com.
www.google.es        IN CNAME forcesafesearch.google.com.
www.google.com.et    IN CNAME forcesafesearch.google.com.
www.google.fi        IN CNAME forcesafesearch.google.com.
www.google.com.fj    IN CNAME forcesafesearch.google.com.
www.google.fm        IN CNAME forcesafesearch.google.com.
www.google.fr        IN CNAME forcesafesearch.google.com.
www.google.ga        IN CNAME forcesafesearch.google.com.
www.google.ge        IN CNAME forcesafesearch.google.com.
www.google.gg        IN CNAME forcesafesearch.google.com.
www.google.com.gh    IN CNAME forcesafesearch.google.com.
www.google.com.gi    IN CNAME forcesafesearch.google.com.
www.google.gl        IN CNAME forcesafesearch.google.com.
www.google.gm        IN CNAME forcesafesearch.google.com.
www.google.gp        IN CNAME forcesafesearch.google.com.
www.google.gr        IN CNAME forcesafesearch.google.com.
www.google.com.gt    IN CNAME forcesafesearch.google.com.
www.google.gy        IN CNAME forcesafesearch.google.com.
www.google.com.hk    IN CNAME forcesafesearch.google.com.
www.google.hn        IN CNAME forcesafesearch.google.com.
www.google.hr        IN CNAME forcesafesearch.google.com.
www.google.ht        IN CNAME forcesafesearch.google.com.
www.google.hu        IN CNAME forcesafesearch.google.com.
www.google.co.id     IN CNAME forcesafesearch.google.com.
www.google.ie        IN CNAME forcesafesearch.google.com.
www.google.co.il     IN CNAME forcesafesearch.google.com.
www.google.im        IN CNAME forcesafesearch.google.com.
www.google.co.in     IN CNAME forcesafesearch.google.com.
www.google.iq        IN CNAME forcesafesearch.google.com.
www.google.is        IN CNAME forcesafesearch.google.com.
www.google.it        IN CNAME forcesafesearch.google.com.
www.google.je        IN CNAME forcesafesearch.google.com.
www.google.com.jm    IN CNAME forcesafesearch.google.com.
www.google.jo        IN CNAME forcesafesearch.google.com.
www.google.co.jp     IN CNAME forcesafesearch.google.com.
www.google.co.ke     IN CNAME forcesafesearch.google.com.
www.google.com.kh    IN CNAME forcesafesearch.google.com.
www.google.ki        IN CNAME forcesafesearch.google.com.
www.google.kg        IN CNAME forcesafesearch.google.com.
www.google.co.kr     IN CNAME forcesafesearch.google.com.
www.google.com.kw    IN CNAME forcesafesearch.google.com.
www.google.kz        IN CNAME forcesafesearch.google.com.
www.google.la        IN CNAME forcesafesearch.google.com.
www.google.com.lb    IN CNAME forcesafesearch.google.com.
www.google.li        IN CNAME forcesafesearch.google.com.
www.google.lk        IN CNAME forcesafesearch.google.com.
www.google.co.ls     IN CNAME forcesafesearch.google.com.
www.google.lt        IN CNAME forcesafesearch.google.com.
www.google.lu        IN CNAME forcesafesearch.google.com.
www.google.lv        IN CNAME forcesafesearch.google.com.
www.google.com.ly    IN CNAME forcesafesearch.google.com.
www.google.co.ma     IN CNAME forcesafesearch.google.com.
www.google.md        IN CNAME forcesafesearch.google.com.
www.google.me        IN CNAME forcesafesearch.google.com.
www.google.mg        IN CNAME forcesafesearch.google.com.
www.google.mk        IN CNAME forcesafesearch.google.com.
www.google.ml        IN CNAME forcesafesearch.google.com.
www.google.com.mm    IN CNAME forcesafesearch.google.com.
www.google.mn        IN CNAME forcesafesearch.google.com.
www.google.ms        IN CNAME forcesafesearch.google.com.
www.google.com.mt    IN CNAME forcesafesearch.google.com.
www.google.mu        IN CNAME forcesafesearch.google.com.
www.google.mv        IN CNAME forcesafesearch.google.com.
www.google.mw        IN CNAME forcesafesearch.google.com.
www.google.com.mx    IN CNAME forcesafesearch.google.com.
www.google.com.my    IN CNAME forcesafesearch.google.com.
www.google.co.mz     IN CNAME forcesafesearch.google.com.
www.google.com.na    IN CNAME forcesafesearch.google.com.
www.google.com.nf    IN CNAME forcesafesearch.google.com.
www.google.com.ng    IN CNAME forcesafesearch.google.com.
www.google.com.ni    IN CNAME forcesafesearch.google.com.
www.google.ne        IN CNAME forcesafesearch.google.com.
www.google.nl        IN CNAME forcesafesearch.google.com.
www.google.no        IN CNAME forcesafesearch.google.com.
www.google.com.np    IN CNAME forcesafesearch.google.com.
www.google.nr        IN CNAME forcesafesearch.google.com.
www.google.nu        IN CNAME forcesafesearch.google.com.
www.google.co.nz     IN CNAME forcesafesearch.google.com.
www.google.com.om    IN CNAME forcesafesearch.google.com.
www.google.com.pa    IN CNAME forcesafesearch.google.com.
www.google.com.pe    IN CNAME forcesafesearch.google.com.
www.google.com.pg    IN CNAME forcesafesearch.google.com.
www.google.com.ph    IN CNAME forcesafesearch.google.com.
www.google.com.pk    IN CNAME forcesafesearch.google.com.
www.google.pl        IN CNAME forcesafesearch.google.com.
www.google.pn        IN CNAME forcesafesearch.google.com.
www.google.com.pr    IN CNAME forcesafesearch.google.com.
www.google.ps        IN CNAME forcesafesearch.google.com.
www.google.pt        IN CNAME forcesafesearch.google.com.
www.google.com.py    IN CNAME forcesafesearch.google.com.
www.google.com.qa    IN CNAME forcesafesearch.google.com.
www.google.ro        IN CNAME forcesafesearch.google.com.
www.google.ru        IN CNAME forcesafesearch.google.com.
www.google.rw        IN CNAME forcesafesearch.google.com.
www.google.com.sa    IN CNAME forcesafesearch.google.com.
www.google.com.sb    IN CNAME forcesafesearch.google.com.
www.google.sc        IN CNAME forcesafesearch.google.com.
www.google.se        IN CNAME forcesafesearch.google.com.
www.google.com.sg    IN CNAME forcesafesearch.google.com.
www.google.sh        IN CNAME forcesafesearch.google.com.
www.google.si        IN CNAME forcesafesearch.google.com.
www.google.sk        IN CNAME forcesafesearch.google.com.
www.google.com.sl    IN CNAME forcesafesearch.google.com.
www.google.sn        IN CNAME forcesafesearch.google.com.
www.google.so        IN CNAME forcesafesearch.google.com.
www.google.sm        IN CNAME forcesafesearch.google.com.
www.google.sr        IN CNAME forcesafesearch.google.com.
www.google.st        IN CNAME forcesafesearch.google.com.
www.google.com.sv    IN CNAME forcesafesearch.google.com.
www.google.td        IN CNAME forcesafesearch.google.com.
www.google.tg        IN CNAME forcesafesearch.google.com.
www.google.co.th     IN CNAME forcesafesearch.google.com.
www.google.com.tj    IN CNAME forcesafesearch.google.com.
www.google.tk        IN CNAME forcesafesearch.google.com.
www.google.tl        IN CNAME forcesafesearch.google.com.
www.google.tm        IN CNAME forcesafesearch.google.com.
www.google.tn        IN CNAME forcesafesearch.google.com.
www.google.to        IN CNAME forcesafesearch.google.com.
www.google.com.tr    IN CNAME forcesafesearch.google.com.
www.google.tt        IN CNAME forcesafesearch.google.com.
www.google.com.tw    IN CNAME forcesafesearch.google.com.
www.google.co.tz     IN CNAME forcesafesearch.google.com.
www.google.com.ua    IN CNAME forcesafesearch.google.com.
www.google.co.ug     IN CNAME forcesafesearch.google.com.
www.google.co.uk     IN CNAME forcesafesearch.google.com.
www.google.com.uy    IN CNAME forcesafesearch.google.com.
www.google.co.uz     IN CNAME forcesafesearch.google.com.
www.google.com.vc    IN CNAME forcesafesearch.google.com.
www.google.co.ve     IN CNAME forcesafesearch.google.com.
www.google.vg        IN CNAME forcesafesearch.google.com.
www.google.co.vi     IN CNAME forcesafesearch.google.com.
www.google.com.vn    IN CNAME forcesafesearch.google.com.
www.google.vu        IN CNAME forcesafesearch.google.com.
www.google.ws        IN CNAME forcesafesearch.google.com.
www.google.rs        IN CNAME forcesafesearch.google.com.
www.google.co.za     IN CNAME forcesafesearch.google.com.
www.google.co.zm     IN CNAME forcesafesearch.google.com.
www.google.co.zw     IN CNAME forcesafesearch.google.com.
www.google.cat       IN CNAME forcesafesearch.google.com.

Common errors

IPv6 lookup errors

Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:200:5f::f#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:303:a27::2:30#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:abc::35#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:def::53#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:7cc::1#53

Just force bind to run in IPv4-only mode.
Edit /lib/systemd/system/bind9.service

(earlier lines omitted)
[Service]
ExecStart=/usr/sbin/named -f -4 -u bind
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop

then reload systemd and restart the service:

systemctl daemon-reload
systemctl restart bind9

RRSIG problem

If the system time is wrong, signature validation can fail:

Nov 12 02:44:57 tt named[2114]: validating @0x7f317c044810: . NS: no valid signature found
Nov 12 02:44:57 tt named[2114]: error (no valid RRSIG) resolving './NS/IN': 123.234.123.234#53
Nov 12 02:44:57 tt named[2114]: validating @0x7f317c044810: . NS: verify failed due to bad signature (keyid=62530): RRSIG validity period has not begun

Fix: correct the clock.
Two steps:

  • Check the timezone setting

    dpkg-reconfigure tzdata

  • Sync the time over the network

    sudo apt-get install ntpdate
    ntpdate clock.stdtime.gov.tw

error (no valid DS) problem

Turn off DNSSEC validation.
Edit /etc/bind/named.conf.options

//dnssec-validation auto;
dnssec-validation no;
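The three errors above (IPv6 unreachable, RRSIG validity / bad clock, no valid DS) each point at a different fix, and on a busy resolver they arrive interleaved. The following detector is an added example, not from the post: it classifies named log lines into those three buckets, returns the remedy the post gives for each, and counts them, so you can run it over /var/log/syslog or journalctl -u bind9 output and see which problem you actually have before touching any config. The sample log is constructed from the lines quoted above plus one made-up 'no valid DS' line and one unrelated line; the hostnames, addresses and timestamps in it are the post's or invented.

```python
"""Classify the named error lines shown in this post and map them to the fix.

Added example, not part of the post.  Feed it lines from syslog or
'journalctl -u bind9' and it reports which of the three problems occurred.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# (label, pattern, remedy as described in the post)
RULES = [
    ("ipv6_unreachable",
     re.compile(r"error \(network unreachable\) resolving '[^']*': (?P<addr>[^#\s]+)#\d+"),
     "no IPv6 route: run named with -4 (ExecStart=/usr/sbin/named -f -4 -u bind)"),
    ("rrsig_clock",
     re.compile(r"no valid signature found|error \(no valid RRSIG\)|"
                r"RRSIG validity period has not begun"),
     "system clock is wrong: dpkg-reconfigure tzdata, then ntpdate clock.stdtime.gov.tw"),
    ("no_valid_ds",
     re.compile(r"error \(no valid DS\)"),
     "DS chain does not validate: the post sets dnssec-validation no in named.conf.options"),
]
REMEDY: Dict[str, str] = {label: remedy for label, _, remedy in RULES}


def classify(line: str) -> Optional[str]:
    """Return the rule label for one log line, or None if it is none of the three."""
    for label, pattern, _ in RULES:
        m = pattern.search(line)
        if not m:
            continue
        # 'network unreachable' toward an IPv4 server is a different problem
        # than the missing-IPv6-route case the post describes, so skip it.
        if label == "ipv6_unreachable" and ":" not in m.group("addr"):
            continue
        return label
    return None


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count matching lines per label; unmatched lines are ignored."""
    return dict(Counter(label for label in map(classify, lines) if label))


def advise(lines: List[str]) -> List[str]:
    """Remedies for every problem class seen, in rule order."""
    seen = summarize(lines)
    return [f"{label} ({count}x): {REMEDY[label]}"
            for label, _, _ in RULES if (count := seen.get(label))]


# Constructed sample: the post's quoted lines, one invented 'no valid DS' line
# and one unrelated line.
SAMPLE_LOG = [
    "Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:200:5f::f#53",
    "Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:303:a27::2:30#53",
    "Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:abc::35#53",
    "Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:def::53#53",
    "Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:7cc::1#53",
    "Nov 12 02:44:57 tt named[2114]: validating @0x7f317c044810: . NS: no valid signature found",
    "Nov 12 02:44:57 tt named[2114]: error (no valid RRSIG) resolving './NS/IN': 123.234.123.234#53",
    "Nov 12 02:44:57 tt named[2114]: validating @0x7f317c044810: . NS: verify failed due to bad signature (keyid=62530): RRSIG validity period has not begun",
    "Nov 12 02:50:01 tt named[2114]: error (no valid DS) resolving 'example.test/A/IN': 192.0.2.53#53",
    "Nov 12 02:50:02 tt named[2114]: running",
]

if __name__ == "__main__":
    for item in advise(SAMPLE_LOG):
        print(item)
```

Check the rrsig_clock bucket first: when the clock is wrong, 'no valid DS' lines often appear as a side effect, and fixing the time removes them without turning validation off.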

References:
http://www.cwssoft.com/?p=1577
https://support.google.com/websearch/answer/186669
https://www.nic.ad.jp/ja/materials/iw/2011/proceedings/d1/d1-07.pdf
http://dnsops.jp/event/20130718/20130718-kume-jipo-blocking-kume-1.pdf

[ESXi] Growing a virtual disk

Warning:
Delete any snapshots before doing this,
otherwise the size mismatch between the snapshot and the base disk will wreck things.

Steps:

This needs the command line, so first enable sshd and open the firewall.

Connect to your ESXi server with vSphere Client

  • Configuration / Security Profile / Services / Properties... enable the SSH option
  • Configuration / Security Profile / Firewall / Properties... tick SSH Server

Then ssh in
and find where the vmdk you want to grow lives

# cd /vmfs/volumes/
# ls

Usually you'll see a pile of folders with encoded names plus datastore1; if you have iSCSI or other mounts there will be more.
I'll use datastore1 as the example.

# cd datastore1
# ls
# cd vm_win01 (this is your VM's name)
# ls

Inside you should find two vmdks, like vm_win01.vmdk and vm_win01-flat.vmdk
The one without flat is the descriptor file
The one with flat is the actual data file
You still operate on the vmdk without flat; the system handles the flat file on its own
Next, use the vmkfstools tool
Usage: vmkfstools -X --extendvirtualdisk newSize[kK|mM|gG]
( X is upper case )
The example below grows the disk to 200GB (remember, this is the final size after growing, not the amount added)

# vmkfstools -X 200g vm_win01.vmdk (not the flat one)

Once that's done, the VM disk is grown to the size you asked for.
You still have to make the guest OS take up the new space ( on Windows: Disk Management, Extend Volume ).

tmux powerline boot time not showing


Reinstalled my environment today and tmux + powerline showed:

ERROR:tmux:uptime:Exception while computing segment: 'module' object has no attribute 'BOOT_TIME'

Turns out psutil had been updated to version 3, and BOOT_TIME is only there in version 2.


The fix is simple: remove the new version and pin the old one.

sudo pip uninstall psutil
sudo pip install 'psutil==2.2.1'

Done.

[debian] A pile of "mpt raid status change on" mails

Running Debian in a VM, I keep getting mpt-status RAID status mails.
Annoying.

>N  1 root@ggggg  Tue Sep 01 14:37   20/684   info: mpt raid status change on 
 N  2 root@ggggg  Tue Sep 01 16:37   20/684   info: mpt raid status change on 
 N  3 root@ggggg  Tue Sep 01 18:37   20/684   info: mpt raid status change on 
 N  4 root@ggggg  Tue Sep 01 20:37   20/684   info: mpt raid status change on 

This seems to be RAID monitoring, and it doesn't seem to be in use, so I'll disable it.
This is Debian Jessie with systemd,
so it's handled with systemctl.

Check the status first

systemctl status mpt-statusd.service

Sure enough, it's running.
Stop it now

systemctl stop mpt-statusd.service

Don't start it at boot

systemctl disable mpt-statusd.service

Done.

portmaster re-install problem

The following actions will be taken if you choose to proceed:
Re-install db48-4.8.30.0_2
Re-install ruby20-2.0.0.645,1


portmaster -av | grep moved
===>>> The databases/db42 port moved to databases/db48
===>>> The databases/db42 port moved to databases/db48
===>>> The lang/ruby19 port moved to lang/ruby20
===>>> The lang/ruby19 port moved to lang/ruby20

portmaster -o databases/db48 databases/db42
portmaster -o lang/ruby20 lang/ruby19

sftp chroot

/etc/ssh/sshd_config

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem   sftp    internal-sftp

Match User user1,user2
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

Then use vipw to change the shell of user1 and user2 to /bin/false,
and make those users' home directories owned by root

chown root:root /home/user1
chown root:root /home/user2

Finally restart sshd
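The chown above is necessary but not sufficient: sshd refuses a ChrootDirectory unless every component of its path, from / down to the directory itself, is owned by root and is not group- or world-writable (the "bad ownership or modes for chroot directory component" error in the auth log). The following checker is an added example, not part of the post: it walks that chain with stat() and reports any component that would make sshd reject the chroot. The pure function takes (path, uid, mode) tuples so it can be exercised on constructed data; the wrapper gathers live data from the filesystem. The sample paths /home/user1 and /home/user2 are the ones from the post.

```python
"""Verify that an sftp ChrootDirectory meets sshd's ownership and mode rules.

Added example, not from the post.  sshd requires every path component from
'/' down to the chroot to be root-owned and not group/other-writable.
"""
import os
import stat
from typing import List, Sequence, Tuple

# (path, owner uid, permission bits) for one path component, root first.
Component = Tuple[str, int, int]


def chroot_path_problems(components: Sequence[Component]) -> List[str]:
    """Return one message per violation; an empty list means sshd will accept it."""
    problems = []
    for path, uid, mode in components:
        if uid != 0:
            problems.append(f"{path}: owned by uid {uid}, must be root")
        if mode & 0o022:
            problems.append(f"{path}: group/other writable (mode {mode & 0o777:04o})")
    return problems


def path_components(chroot: str) -> List[Component]:
    """Walk from the chroot up to '/' collecting live stat() data, root first."""
    out = []
    p = os.path.realpath(chroot)
    while True:
        st = os.stat(p)
        out.append((p, st.st_uid, stat.S_IMODE(st.st_mode)))
        parent = os.path.dirname(p)
        if parent == p:          # reached '/'
            break
        p = parent
    return list(reversed(out))


def inspect_chroot(chroot: str) -> List[str]:
    """Live check of a chroot directory on this host."""
    try:
        return chroot_path_problems(path_components(chroot))
    except FileNotFoundError as exc:
        return [f"{chroot}: {exc.strerror}"]


if __name__ == "__main__":
    import sys
    for home in sys.argv[1:] or ["/home/user1", "/home/user2"]:
        issues = inspect_chroot(home)
        print(home, "OK" if not issues else "\n  " + "\n  ".join(issues))
```

Because the home directory itself is now root-owned, the user cannot write at the top of the chroot; give them a user-owned subdirectory inside it (for example /home/user1/upload, chown user1:user1) for uploads, and run the checker again after any later permission change, since sshd only evaluates the chain at login time.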

Making an OSX Yosemite DVD iso image

A quick note

hdiutil attach /Applications/Install\ OS\ X\ Yosemite.app/Contents/SharedSupport/InstallESD.dmg -noverify -nobrowse -mountpoint /Volumes/install_app
hdiutil convert /Volumes/install_app/BaseSystem.dmg -format UDSP -o /tmp/Yosemite
hdiutil resize -size 8g /tmp/Yosemite.sparseimage
hdiutil attach /tmp/Yosemite.sparseimage -noverify -nobrowse -mountpoint /Volumes/install_build
rm /Volumes/install_build/System/Installation/Packages
cp -rp /Volumes/install_app/Packages /Volumes/install_build/System/Installation/
cp -rp /Volumes/install_app/BaseSystem.chunklist /Volumes/install_build
cp -rp /Volumes/install_app/BaseSystem.dmg /Volumes/install_build
hdiutil detach /Volumes/install_app
hdiutil detach /Volumes/install_build
hdiutil resize -size `hdiutil resize -limits /tmp/Yosemite.sparseimage | tail -n 1 | awk '{ print $1 }'`b /tmp/Yosemite.sparseimage
hdiutil convert /tmp/Yosemite.sparseimage -format UDTO -o /tmp/Yosemite
rm /tmp/Yosemite.sparseimage
mv /tmp/Yosemite.cdr ~/Desktop/Yosemite.iso

No more pressing reload: LiveReload

Having to hit reload every time I change a page is a real pain,
so let's install LiveReload.

Browser extension

Install the LiveReload extension for your browser.
Don't install it from the browser's official extension gallery; that may be an old version.

Sublime Text 3

Install with git inside the Packages folder

OSX

cd ~/Library/Application\ Support/Sublime\ Text\ 3/Packages/
rm -rf LiveReload
git clone -b devel https://github.com/dz0ny/LiveReload-sublimetext2.git LiveReload

Windows

git must be installed first (or download the files yourself and drop them into the Packages folder)

Run cmd

cd "C:\Users\使用者\AppData\Roaming\Sublime Text 3\Packages"
rd /s /q LiveReload
git clone -b devel https://github.com/dz0ny/LiveReload-sublimetext2.git LiveReload

Enable

If it doesn't hook up after installation:
open Sublime
cmd(ctrl)+shift+p
LiveReload: Enable/disable plugins
Enable – SimpleReload
and it should work

References
http://livereload.com/extensions/
https://github.com/dz0ny/LiveReload-sublimetext2
https://github.com/dz0ny/LiveReload-sublimetext2/issues/78