[Workshop] Safe web browsing for children on a school network: configuring BIND9 RPZ

To force Google SafeSearch or YouTube Restricted Mode on the computers students use on campus, you need DNS CNAME overrides.
Below we build a student-only DNS server from scratch as a demonstration.

Test environment

Install BIND

sudo apt-get update
sudo apt-get install bind9

( If you installed from CD, remember to comment out the cdrom line in /etc/apt/sources.list )

Configure BIND

Change to the BIND configuration directory

cd /etc/bind

Edit named.conf.options and add the response-policy line inside the options block

sudo vi named.conf.options
options {
        directory "/var/cache/bind";
        response-policy { zone "rpz"; };
        // ... remaining options unchanged
};

Create zone.rpz

sudo vi zone.rpz
zone "rpz" IN {
 type master;
 file "/etc/bind/db.rpz.zone";
 allow-query {none;};
};

Edit named.conf.local so that zone.rpz is included

sudo vi named.conf.local
// (earlier lines omitted)
//include "/etc/bind/zones.rfc1918";
include "/etc/bind/zone.rpz";

Create db.rpz.zone

sudo vi db.rpz.zone
$TTL 1H
$ORIGIN rpz.
@   IN  SOA localhost. nobody.localhost (
            2015103102
            1h
            15m
            30d
            2h )
            NS localhost.

; google safe search
www.google.com          IN CNAME forcesafesearch.google.com.
www.google.com.tw       IN CNAME forcesafesearch.google.com.

Basic BIND operations

Start the service

sudo systemctl start bind9

Stop the service

sudo systemctl stop bind9

or use sudo rndc stop

Restart the service (or reload the configuration with rndc)

sudo systemctl restart bind9

sudo rndc reload

Check the config file

named-checkconf -z /etc/bind/named.conf

Check the zone db file

named-checkzone -d rpz db.rpz.zone

BIND is enabled by default right after installation.
Once the config files are edited and pass both checks, a restart is all it takes.

YouTube Restricted (safe) search

Following Google's official instructions, Restricted Mode can be forced on,
which filters out most sensitive content.

; youtube safe search
www.youtube.com         IN CNAME restrict.youtube.com.
m.youtube.com           IN CNAME restrict.youtube.com.
youtubei.googleapis.com IN CNAME restrict.youtube.com.
www.youtube-nocookie.com    IN CNAME restrict.youtube.com.

IP blocking rules

The policy trigger (the left-hand name) has the form prefix.a4.a3.a2.a1.rpz-ip (no trailing dot, since it is relative to $ORIGIN rpz.)

For example, to block the IP 12.23.34.45 and have it return NXDOMAIN, write this in db.rpz.zone:

32.45.34.23.12.rpz-ip    IN CNAME .

To block 12.23.34.* (the /24 network) and have it return NXDOMAIN, write:

24.0.34.23.12.rpz-ip    IN CNAME .
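The rpz-ip encoding and the CNAME records above are easy to get wrong by hand (octet order, host bits left in a network trigger, a missing trailing dot on the CNAME target). The script below is an added example, not one of the post's own GitHub files: it encodes and decodes rpz-ip triggers and renders a db.rpz.zone in the layout used above from a constructed subset of the safe-search names. SAFE_SEARCH, BLOCKED_NETWORKS and the serial passed in are assumptions for the example.

```python
import ipaddress

# Constructed sample policy (a subset of the post's lists): safe-search CNAME
# redirects, keyed by owner name relative to "$ORIGIN rpz." (so no trailing dot).
SAFE_SEARCH = {
    "www.google.com": "forcesafesearch.google.com.",
    "www.google.com.tw": "forcesafesearch.google.com.",
    "www.youtube.com": "restrict.youtube.com.",
    "m.youtube.com": "restrict.youtube.com.",
}
# Constructed sample IPv4 ranges that should get NXDOMAIN ("CNAME ." in RPZ).
BLOCKED_NETWORKS = ["12.23.34.45/32", "12.23.34.0/24"]


def rpz_ip_trigger(cidr: str) -> str:
    """Encode an IPv4 network as prefix.a4.a3.a2.a1.rpz-ip, relative to $ORIGIN rpz.
    Host bits are cleared (12.23.34.45/24 -> 24.0.34.23.12.rpz-ip): the trigger names
    the network address. A bare address is treated as a /32."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False masks host bits
    if net.version != 4:
        raise ValueError("this example only encodes IPv4 triggers")
    reversed_octets = str(net.network_address).split(".")[::-1]
    return f"{net.prefixlen}.{'.'.join(reversed_octets)}.rpz-ip"


def decode_rpz_ip_trigger(trigger: str) -> str:
    """Inverse of rpz_ip_trigger, for auditing a hand-written db.rpz.zone.
    Rejects a trigger whose host bits are set (e.g. 24.45.34.23.12.rpz-ip)."""
    labels = trigger.rstrip(".").split(".")
    if len(labels) != 6 or labels[-1] != "rpz-ip":
        raise ValueError(f"not an IPv4 rpz-ip trigger: {trigger}")
    network = ".".join(labels[1:5][::-1]) + "/" + labels[0]
    return str(ipaddress.ip_network(network))  # strict: host bits must be zero


def rpz_zone(serial: int, redirects=SAFE_SEARCH, blocked=BLOCKED_NETWORKS) -> str:
    """Render db.rpz.zone in the layout used above: SOA, NS, then policy records."""
    lines = [
        "$TTL 1H",
        "$ORIGIN rpz.",
        f"@   IN  SOA localhost. nobody.localhost ( {serial} 1h 15m 30d 2h )",
        "            NS localhost.",
        "",
        "; safe-search redirects (QNAME triggers)",
    ]
    for name, target in sorted(redirects.items()):
        if not target.endswith("."):  # otherwise BIND appends rpz. to the target
            raise ValueError(f"CNAME target must be fully qualified: {target}")
        lines.append(f"{name:<28} IN CNAME {target}")
    lines.append("; NXDOMAIN for blocked address ranges (IP triggers)")
    lines += [f"{rpz_ip_trigger(cidr):<28} IN CNAME ." for cidr in blocked]
    return "\n".join(lines) + "\n"
```

Write the output of rpz_zone() to /etc/bind/db.rpz.zone and run named-checkzone on it as in the steps above before reloading.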

Examples

The config files from this post are all on GitHub; grab them if you need them.

Google ccTLD issue

If the Google section is to be watertight, every Google ccTLD subdomain has to be included:

www.google.com       IN CNAME forcesafesearch.google.com.
www.google.ad        IN CNAME forcesafesearch.google.com.
www.google.ae        IN CNAME forcesafesearch.google.com.
www.google.com.af    IN CNAME forcesafesearch.google.com.
www.google.com.ag    IN CNAME forcesafesearch.google.com.
www.google.com.ai    IN CNAME forcesafesearch.google.com.
www.google.al        IN CNAME forcesafesearch.google.com.
www.google.am        IN CNAME forcesafesearch.google.com.
www.google.co.ao     IN CNAME forcesafesearch.google.com.
www.google.com.ar    IN CNAME forcesafesearch.google.com.
www.google.as        IN CNAME forcesafesearch.google.com.
www.google.at        IN CNAME forcesafesearch.google.com.
www.google.com.au    IN CNAME forcesafesearch.google.com.
www.google.az        IN CNAME forcesafesearch.google.com.
www.google.ba        IN CNAME forcesafesearch.google.com.
www.google.com.bd    IN CNAME forcesafesearch.google.com.
www.google.be        IN CNAME forcesafesearch.google.com.
www.google.bf        IN CNAME forcesafesearch.google.com.
www.google.bg        IN CNAME forcesafesearch.google.com.
www.google.com.bh    IN CNAME forcesafesearch.google.com.
www.google.bi        IN CNAME forcesafesearch.google.com.
www.google.bj        IN CNAME forcesafesearch.google.com.
www.google.com.bn    IN CNAME forcesafesearch.google.com.
www.google.com.bo    IN CNAME forcesafesearch.google.com.
www.google.com.br    IN CNAME forcesafesearch.google.com.
www.google.bs        IN CNAME forcesafesearch.google.com.
www.google.bt        IN CNAME forcesafesearch.google.com.
www.google.co.bw     IN CNAME forcesafesearch.google.com.
www.google.by        IN CNAME forcesafesearch.google.com.
www.google.com.bz    IN CNAME forcesafesearch.google.com.
www.google.ca        IN CNAME forcesafesearch.google.com.
www.google.cd        IN CNAME forcesafesearch.google.com.
www.google.cf        IN CNAME forcesafesearch.google.com.
www.google.cg        IN CNAME forcesafesearch.google.com.
www.google.ch        IN CNAME forcesafesearch.google.com.
www.google.ci        IN CNAME forcesafesearch.google.com.
www.google.co.ck     IN CNAME forcesafesearch.google.com.
www.google.cl        IN CNAME forcesafesearch.google.com.
www.google.cm        IN CNAME forcesafesearch.google.com.
www.google.cn        IN CNAME forcesafesearch.google.com.
www.google.com.co    IN CNAME forcesafesearch.google.com.
www.google.co.cr     IN CNAME forcesafesearch.google.com.
www.google.com.cu    IN CNAME forcesafesearch.google.com.
www.google.cv        IN CNAME forcesafesearch.google.com.
www.google.com.cy    IN CNAME forcesafesearch.google.com.
www.google.cz        IN CNAME forcesafesearch.google.com.
www.google.de        IN CNAME forcesafesearch.google.com.
www.google.dj        IN CNAME forcesafesearch.google.com.
www.google.dk        IN CNAME forcesafesearch.google.com.
www.google.dm        IN CNAME forcesafesearch.google.com.
www.google.com.do    IN CNAME forcesafesearch.google.com.
www.google.dz        IN CNAME forcesafesearch.google.com.
www.google.com.ec    IN CNAME forcesafesearch.google.com.
www.google.ee        IN CNAME forcesafesearch.google.com.
www.google.com.eg    IN CNAME forcesafesearch.google.com.
www.google.es        IN CNAME forcesafesearch.google.com.
www.google.com.et    IN CNAME forcesafesearch.google.com.
www.google.fi        IN CNAME forcesafesearch.google.com.
www.google.com.fj    IN CNAME forcesafesearch.google.com.
www.google.fm        IN CNAME forcesafesearch.google.com.
www.google.fr        IN CNAME forcesafesearch.google.com.
www.google.ga        IN CNAME forcesafesearch.google.com.
www.google.ge        IN CNAME forcesafesearch.google.com.
www.google.gg        IN CNAME forcesafesearch.google.com.
www.google.com.gh    IN CNAME forcesafesearch.google.com.
www.google.com.gi    IN CNAME forcesafesearch.google.com.
www.google.gl        IN CNAME forcesafesearch.google.com.
www.google.gm        IN CNAME forcesafesearch.google.com.
www.google.gp        IN CNAME forcesafesearch.google.com.
www.google.gr        IN CNAME forcesafesearch.google.com.
www.google.com.gt    IN CNAME forcesafesearch.google.com.
www.google.gy        IN CNAME forcesafesearch.google.com.
www.google.com.hk    IN CNAME forcesafesearch.google.com.
www.google.hn        IN CNAME forcesafesearch.google.com.
www.google.hr        IN CNAME forcesafesearch.google.com.
www.google.ht        IN CNAME forcesafesearch.google.com.
www.google.hu        IN CNAME forcesafesearch.google.com.
www.google.co.id     IN CNAME forcesafesearch.google.com.
www.google.ie        IN CNAME forcesafesearch.google.com.
www.google.co.il     IN CNAME forcesafesearch.google.com.
www.google.im        IN CNAME forcesafesearch.google.com.
www.google.co.in     IN CNAME forcesafesearch.google.com.
www.google.iq        IN CNAME forcesafesearch.google.com.
www.google.is        IN CNAME forcesafesearch.google.com.
www.google.it        IN CNAME forcesafesearch.google.com.
www.google.je        IN CNAME forcesafesearch.google.com.
www.google.com.jm    IN CNAME forcesafesearch.google.com.
www.google.jo        IN CNAME forcesafesearch.google.com.
www.google.co.jp     IN CNAME forcesafesearch.google.com.
www.google.co.ke     IN CNAME forcesafesearch.google.com.
www.google.com.kh    IN CNAME forcesafesearch.google.com.
www.google.ki        IN CNAME forcesafesearch.google.com.
www.google.kg        IN CNAME forcesafesearch.google.com.
www.google.co.kr     IN CNAME forcesafesearch.google.com.
www.google.com.kw    IN CNAME forcesafesearch.google.com.
www.google.kz        IN CNAME forcesafesearch.google.com.
www.google.la        IN CNAME forcesafesearch.google.com.
www.google.com.lb    IN CNAME forcesafesearch.google.com.
www.google.li        IN CNAME forcesafesearch.google.com.
www.google.lk        IN CNAME forcesafesearch.google.com.
www.google.co.ls     IN CNAME forcesafesearch.google.com.
www.google.lt        IN CNAME forcesafesearch.google.com.
www.google.lu        IN CNAME forcesafesearch.google.com.
www.google.lv        IN CNAME forcesafesearch.google.com.
www.google.com.ly    IN CNAME forcesafesearch.google.com.
www.google.co.ma     IN CNAME forcesafesearch.google.com.
www.google.md        IN CNAME forcesafesearch.google.com.
www.google.me        IN CNAME forcesafesearch.google.com.
www.google.mg        IN CNAME forcesafesearch.google.com.
www.google.mk        IN CNAME forcesafesearch.google.com.
www.google.ml        IN CNAME forcesafesearch.google.com.
www.google.com.mm    IN CNAME forcesafesearch.google.com.
www.google.mn        IN CNAME forcesafesearch.google.com.
www.google.ms        IN CNAME forcesafesearch.google.com.
www.google.com.mt    IN CNAME forcesafesearch.google.com.
www.google.mu        IN CNAME forcesafesearch.google.com.
www.google.mv        IN CNAME forcesafesearch.google.com.
www.google.mw        IN CNAME forcesafesearch.google.com.
www.google.com.mx    IN CNAME forcesafesearch.google.com.
www.google.com.my    IN CNAME forcesafesearch.google.com.
www.google.co.mz     IN CNAME forcesafesearch.google.com.
www.google.com.na    IN CNAME forcesafesearch.google.com.
www.google.com.nf    IN CNAME forcesafesearch.google.com.
www.google.com.ng    IN CNAME forcesafesearch.google.com.
www.google.com.ni    IN CNAME forcesafesearch.google.com.
www.google.ne        IN CNAME forcesafesearch.google.com.
www.google.nl        IN CNAME forcesafesearch.google.com.
www.google.no        IN CNAME forcesafesearch.google.com.
www.google.com.np    IN CNAME forcesafesearch.google.com.
www.google.nr        IN CNAME forcesafesearch.google.com.
www.google.nu        IN CNAME forcesafesearch.google.com.
www.google.co.nz     IN CNAME forcesafesearch.google.com.
www.google.com.om    IN CNAME forcesafesearch.google.com.
www.google.com.pa    IN CNAME forcesafesearch.google.com.
www.google.com.pe    IN CNAME forcesafesearch.google.com.
www.google.com.pg    IN CNAME forcesafesearch.google.com.
www.google.com.ph    IN CNAME forcesafesearch.google.com.
www.google.com.pk    IN CNAME forcesafesearch.google.com.
www.google.pl        IN CNAME forcesafesearch.google.com.
www.google.pn        IN CNAME forcesafesearch.google.com.
www.google.com.pr    IN CNAME forcesafesearch.google.com.
www.google.ps        IN CNAME forcesafesearch.google.com.
www.google.pt        IN CNAME forcesafesearch.google.com.
www.google.com.py    IN CNAME forcesafesearch.google.com.
www.google.com.qa    IN CNAME forcesafesearch.google.com.
www.google.ro        IN CNAME forcesafesearch.google.com.
www.google.ru        IN CNAME forcesafesearch.google.com.
www.google.rw        IN CNAME forcesafesearch.google.com.
www.google.com.sa    IN CNAME forcesafesearch.google.com.
www.google.com.sb    IN CNAME forcesafesearch.google.com.
www.google.sc        IN CNAME forcesafesearch.google.com.
www.google.se        IN CNAME forcesafesearch.google.com.
www.google.com.sg    IN CNAME forcesafesearch.google.com.
www.google.sh        IN CNAME forcesafesearch.google.com.
www.google.si        IN CNAME forcesafesearch.google.com.
www.google.sk        IN CNAME forcesafesearch.google.com.
www.google.com.sl    IN CNAME forcesafesearch.google.com.
www.google.sn        IN CNAME forcesafesearch.google.com.
www.google.so        IN CNAME forcesafesearch.google.com.
www.google.sm        IN CNAME forcesafesearch.google.com.
www.google.sr        IN CNAME forcesafesearch.google.com.
www.google.st        IN CNAME forcesafesearch.google.com.
www.google.com.sv    IN CNAME forcesafesearch.google.com.
www.google.td        IN CNAME forcesafesearch.google.com.
www.google.tg        IN CNAME forcesafesearch.google.com.
www.google.co.th     IN CNAME forcesafesearch.google.com.
www.google.com.tj    IN CNAME forcesafesearch.google.com.
www.google.tk        IN CNAME forcesafesearch.google.com.
www.google.tl        IN CNAME forcesafesearch.google.com.
www.google.tm        IN CNAME forcesafesearch.google.com.
www.google.tn        IN CNAME forcesafesearch.google.com.
www.google.to        IN CNAME forcesafesearch.google.com.
www.google.com.tr    IN CNAME forcesafesearch.google.com.
www.google.tt        IN CNAME forcesafesearch.google.com.
www.google.com.tw    IN CNAME forcesafesearch.google.com.
www.google.co.tz     IN CNAME forcesafesearch.google.com.
www.google.com.ua    IN CNAME forcesafesearch.google.com.
www.google.co.ug     IN CNAME forcesafesearch.google.com.
www.google.co.uk     IN CNAME forcesafesearch.google.com.
www.google.com.uy    IN CNAME forcesafesearch.google.com.
www.google.co.uz     IN CNAME forcesafesearch.google.com.
www.google.com.vc    IN CNAME forcesafesearch.google.com.
www.google.co.ve     IN CNAME forcesafesearch.google.com.
www.google.vg        IN CNAME forcesafesearch.google.com.
www.google.co.vi     IN CNAME forcesafesearch.google.com.
www.google.com.vn    IN CNAME forcesafesearch.google.com.
www.google.vu        IN CNAME forcesafesearch.google.com.
www.google.ws        IN CNAME forcesafesearch.google.com.
www.google.rs        IN CNAME forcesafesearch.google.com.
www.google.co.za     IN CNAME forcesafesearch.google.com.
www.google.co.zm     IN CNAME forcesafesearch.google.com.
www.google.co.zw     IN CNAME forcesafesearch.google.com.
www.google.cat       IN CNAME forcesafesearch.google.com.

Common errors

IPv6 lookup errors

Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:200:5f::f#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:303:a27::2:30#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:abc::35#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:def::53#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:7cc::1#53

The simple fix is to force BIND to run in IPv4-only mode.
Edit /lib/systemd/system/bind9.service (note that a package upgrade can overwrite this file; on Debian the same flags can go into OPTIONS in /etc/default/bind9, which the unit reads):

(earlier lines omitted)
[Service]
ExecStart=/usr/sbin/named -f -4 -u bind
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop

Then reload systemd and restart BIND:

systemctl daemon-reload
systemctl restart bind9

RRSIG problems

If the system clock is wrong, DNSSEC signature validation can fail:

Nov 12 02:44:57 tt named[2114]: validating @0x7f317c044810: . NS: no valid signature found
Nov 12 02:44:57 tt named[2114]: error (no valid RRSIG) resolving './NS/IN': 123.234.123.234#53
Nov 12 02:44:57 tt named[2114]: validating @0x7f317c044810: . NS: verify failed due to bad signature (keyid=62530): RRSIG validity period has not begun

Fix: correct the time.
Two steps:

  • Check the time zone setting

    dpkg-reconfigure tzdata

  • Sync the clock over the network

    sudo apt-get install ntpdate
    ntpdate clock.stdtime.gov.tw

error (no valid DS) problem

Turn off DNSSEC validation. This removes DNSSEC protection for every client of this resolver, so only do it after the clock fix above has been ruled out.
Edit /etc/bind/named.conf.options:

//dnssec-validation auto;
dnssec-validation no;

ref:
http://www.cwssoft.com/?p=1577
https://support.google.com/websearch/answer/186669
https://www.nic.ad.jp/ja/materials/iw/2011/proceedings/d1/d1-07.pdf
http://dnsops.jp/event/20130718/20130718-kume-jipo-blocking-kume-1.pdf

[debian] Piles of "mpt raid status change on" mails

Running Debian in a VM, I keep getting mpt-status RAID status mails.
Very annoying.

>N  1 root@ggggg  Tue Sep 01 14:37   20/684   info: mpt raid status change on 
 N  2 root@ggggg  Tue Sep 01 16:37   20/684   info: mpt raid status change on 
 N  3 root@ggggg  Tue Sep 01 18:37   20/684   info: mpt raid status change on 
 N  4 root@ggggg  Tue Sep 01 20:37   20/684   info: mpt raid status change on 

This seems to be RAID monitoring that isn't actually used, so let's just disable it.
Since this is Debian Jessie running systemd,
it has to be handled with systemctl.

First check the status

systemctl status mpt-statusd.service

Sure enough, it's running.
Stop it right away

systemctl stop mpt-statusd.service

Don't start it at boot

systemctl disable mpt-statusd.service

Done.

A few small issues after upgrading Apache to 2.4

After upgrading Debian to Jessie, Apache was upgraded to 2.4 along with it.
The old configuration doesn't follow the new version's rules, so a few things need fixing.

a2ensite error

$ sudo a2ensite blog

ERROR: Site blog does not exist!

This is because the site config file must now have the .conf extension:

mv /etc/apache2/sites-available/blog /etc/apache2/sites-available/blog.conf

Startup blows up

$ sudo service apache2 start
Job for apache2.service failed. See 'systemctl status apache2.service' and 'journalctl -xn' for details.

Then go look for the problem

sudo systemctl status apache2.service
● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2)
   Active: failed (Result: exit-code) since Mon 2015-04-27 14:49:01 CST; 2min 59s ago
  Process: 13061 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
  Process: 10368 ExecReload=/etc/init.d/apache2 reload (code=exited, status=0/SUCCESS)
  Process: 13114 ExecStart=/etc/init.d/apache2 start (code=exited, status=1/FAILURE)

Apr 27 14:49:01 de apache2[13114]: Starting web server: apache2 failed!
Apr 27 14:49:01 de apache2[13114]: The apache2 configtest failed. ... (warning).
Apr 27 14:49:01 de apache2[13114]: Output of config test was:
Apr 27 14:49:01 de apache2[13114]: AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/blog.conf:
Apr 27 14:49:01 de apache2[13114]: Either all Options must start with + or -, or no Option may.
Apr 27 14:49:01 de apache2[13114]: Action 'configtest' failed.
Apr 27 14:49:01 de apache2[13114]: The Apache error log may have more information.
Apr 27 14:49:01 de systemd[1]: apache2.service: control process exited, code=exited status=1
Apr 27 14:49:01 de systemd[1]: Failed to start LSB: Apache2 web server.
Apr 27 14:49:01 de systemd[1]: Unit apache2.service entered failed state.

Fix: put + or - in front of every value after Options in the config file

Options +FollowSymLinks -Indexes

Permissions blow up too

It finally starts, but every page comes back Forbidden

Back to the log

You don't have permission to access / on this server.
[Mon Apr 27 14:40:44.662774 2015] [authz_core:error] [pid 12400] [client 192.168.1.199:50394] 
AH01630: client denied by server configuration: /home/web/htdocs/index.php

Because my DocumentRoot is not under /var/www/html,
it blew up.
The fix is to add Require all granted inside the Directory section,
for example:

<Directory />
 Options +FollowSymLinks -Indexes
 Require all granted
</Directory>

Restart again and it works.

The Apache 2.4 documentation puts it this way:

2.2 configuration:

Order allow,deny
Allow from all

2.4 configuration:

Require all granted
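The three problems in this post (mixed +/- Options, 2.2-style Order/Allow directives, and a Directory section with no Require under 2.4's default deny) can all be caught before restarting Apache. The checker below is an added example, not part of the post: its SAMPLE_CONF is a constructed file resembling the broken blog.conf, and it also flags Require all granted on <Directory /> as wider than the DocumentRoot needs.

```python
import re

# Constructed sample site file resembling a pre-2.4 blog.conf (not the author's real file).
SAMPLE_CONF = """\
<VirtualHost *:80>
    DocumentRoot /home/web/htdocs
    <Directory />
        Options FollowSymLinks -Indexes
        Require all granted
    </Directory>
    <Directory /home/web/htdocs>
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
"""

DIRECTORY_OPEN = re.compile(r'<Directory\s+"?([^\s">]+)"?\s*>', re.I)
LEGACY_ACCESS = re.compile(r"^(Order|Allow|Deny|Satisfy)\b", re.I)  # mod_access_compat only

def options_mixed(args):
    """True when an Options line mixes +/- values with bare ones (AH00526)."""
    signed = [a.startswith(("+", "-")) for a in args]
    return any(signed) and not all(signed)

def lint(conf: str) -> list:
    """Return (line_number, message) pairs for the 2.4 migration problems above."""
    findings, stack = [], []  # stack entries: [open_line, path, has_require, has_legacy]
    for num, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = DIRECTORY_OPEN.match(line)
        if opened:
            stack.append([num, opened.group(1), False, False])
            continue
        if line.lower() == "</directory>" and stack:
            open_line, path, has_require, has_legacy = stack.pop()
            if not (has_require or has_legacy):  # inherits 2.4's default "Require all denied"
                findings.append((open_line, f"<Directory {path}> has no Require: 2.4 denies by default"))
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "options" and options_mixed(tokens[1:]):
            findings.append((num, "AH00526: Either all Options must start with + or -, or no Option may."))
        elif LEGACY_ACCESS.match(line):
            if stack:
                stack[-1][3] = True
            findings.append((num, f"{tokens[0]}: 2.2-style access control, replace with a Require directive"))
        elif directive == "require" and stack:
            stack[-1][2] = True
            if stack[-1][1] == "/" and " ".join(tokens[1:]).lower() == "all granted":
                findings.append((num, "Require all granted on <Directory />: scope it to the DocumentRoot instead"))
    return findings
```

Run lint() over the text of each file in sites-enabled before apachectl configtest; it only understands the directives shown here, so a clean result does not replace the real configtest.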