DHCP and DNS
-
For games, just do this: check the game's port, then play with it in the firewall rules :D
OK, I'll try playing with the firewall rules later...
but it wouldn't hurt to be shown how to make firewall rules, would it... :D :D
since I've only just jumped into pfSense. Oh yeah, how do I use FreeDNS as the DNS in pfSense? People say it makes browsing faster.
I'm on Fastnet, with IP and DNS from DHCP.
Thanks -
Whoa, where are you actually located? If we're in Indonesia, why use FreeDNS/OpenDNS? Those are abroad, man, unless you're abroad yourself, i.e. not in Indonesia. Just test the DNS cache discussed above.. that's my suggestion, bro.
For FASTNET (Fast Media) I think it's pointless, bro; if we tweak it the result stays the same, because everything is already capped at the ISP.
As for Speedy, they don't cap anything at all.. right? :D
-
Oh, I see, bro....
So Speedy can still be tweaked... I do have a plan for two WANs for load balancing. I'll tinker with it again once I get Speedy.
Thanks for the input. -
but I heard on another forum that Speedy is installing a new speed limiter...
-
info:
pfSense 1.2.2 can't do traffic shaping with multi-WAN yet --> by default
you have to tweak it in Traffic Shaper -> Rules, only then does it work with multi-WAN
additional info:
high priority is not guaranteed if the queue sits at the very bottom...
-
$ top -n 20
last pid: 4725; load averages: 0.05, 0.10, 0.10 up 0+00:48:14 01:01:26
105 processes: 1 running, 104 sleeping
Mem: 109M Active, 36M Inact, 88M Wired, 44K Cache, 112M Buf, 1255M Free
Swap: 3072M Total, 3072M Free

PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
493 root 1 -8 0 139M 17564K piperd 0:08 0.88% php
476 root 1 4 0 143M 19692K accept 0:01 0.00% php
463 root 1 4 0 141M 17700K accept 0:01 0.00% php
447 root 1 4 0 141M 17700K accept 0:01 0.00% php
443 root 1 4 0 5132K 2900K kqread 0:00 0.00% lighttpd
508 nobody 1 44 0 3156K 2060K select 0:00 0.00% dnsmasq
1154 proxy 1 4 0 3328K 1284K sbwait 0:00 0.00% dnsserver
1155 proxy 1 4 0 3328K 1284K sbwait 0:00 0.00% dnsserver
751 root 1 8 20 3156K 784K nanslp 0:00 0.00% check_reload_status
1156 proxy 1 4 0 3328K 1284K sbwait 0:00 0.00% dnsserver
2410 root 1 8 20 3492K 1412K wait 0:00 0.00% sh
1157 proxy 1 4 0 3328K 1284K sbwait 0:00 0.00% dnsserver
1159 proxy 1 44 0 3328K 1276K select 0:00 0.00% pinger
1158 proxy 1 4 0 3328K 1284K sbwait 0:00 0.00% dnsserver
3993 root 1 44 0 4952K 2028K select 0:00 0.00% sftp-server
3992 root 1 8 0 3492K 1332K wait 0:00 0.00% sh
787 root 1 8 0 3516K 1472K wait 0:00 0.00% login
4116 root 1 8 0 3492K 1332K wait 0:00 0.00% sh
741 root 1 8 0 3492K 1384K wait 0:00 0.00% sh
3900 root 1 44 0 7780K 3304K select 0:00 0.00% sshd
So this is what it gives, sir..?
-
^^^
try changing the command to: ps -ax or ps -aux
-
Maybe for the DNS problem, using BIND9 seems good...
Please try:
- install/add the package
pkg_add -rv http://files.pfsense.org/packages/dns/bind9-9.3.2.1.tbz
or
pkg_add -rv http://files.pfsense.org/packages/dns/bind9-sdb-ldap-9.3.2.tbz
or
pkg_add -rv http://files.pfsense.org/packages/dns/bind9-dlz+postgres-9.3.2+0.7.0.tbz
- pick only one.
Here I use http://files.pfsense.org/packages/dns/bind9-dlz+postgres-9.3.2+0.7.0.tbz
- then delete the symlink /etc/resolv.conf --> it is regenerated at bootup
and create a new file /etc/resolv.conf containing
nameserver 127.0.0.1
nameserver xxx.xxx.xxx.xxx ---> your ISP's primary DNS
- and set the permissions of our newly created /etc/resolv.conf to 7555 so it is read-only and is not regenerated/deleted by the system at boot...
-
check the result:
$ dig -x facebook.com
; <<>> DiG 9.4.3-P2 <<>> -x facebook.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31969
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;com.facebook.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
in-addr.arpa. 343 IN SOA A.ROOT-SERVERS.NET. dns-ops.ARIN.NET. 2009111516 1800 900 691200 10800

;; Query time: 29 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 16 15:39:49 2009
;; MSG SIZE rcvd: 110

$ host -a 69.63.179.26
Trying "26.179.63.69.in-addr.arpa"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20103
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;26.179.63.69.in-addr.arpa. IN PTR

;; ANSWER SECTION:
26.179.63.69.in-addr.arpa. 2343 IN PTR mx.snc1.tfbnw.net.

Received 74 bytes from 127.0.0.1#53 in 0 ms
Please correct me.
-
bro, check with this command whether the daemon running is still dnsmasq or bind:
sockstat -4 -l | grep -i 53
the bind settings are in /etc/namedb/named.conf
-
Here it is, sir, oh yes:
nobody dnsmasq 515 3 udp4 :53 :
nobody dnsmasq 515 4 tcp4 :53 :
So what now, sir?
In the listing there is no file or folder /etc/namedb/named.conf
What needs to be set, sir?
What are the contents of that /etc/namedb/named.conf and its permissions?
And also, how do I stop dnsmasq so that only bind runs?
I'll wait, sir, hm... right now I have to go to class first...
-
If it's not there, try finding it with the command find / | grep named.conf
dnsmasq is responsive enough when used for a small network, but on a large network dnsmasq often stalls, even with cache-size raised up to 256Mb. When hammered by many clients a "dns attack" warning suddenly appears!!!! The solution is to use bind; add the options cache-data-size and max-cache-size to named.conf, 8-64 Mb is plenty and works great.
Running bind on pfSense is somewhat fiddly; a few extra scripts are needed so that bind/named keeps running after a reboot.
The steps are long, but the concept is like this:
1. create dnsmasq.conf at /usr/local/etc/dnsmasq.conf and do not use the option that enables DNS, only use the option that enables the DHCP server; please try to google dnsmasq
2. create an rc.conf script to start bind; please try to google bind/named for FreeBSD -
Hmmmm,,, failed again... failed again...
Instead it went into an error...
Restored factory default.............
please help, Om grage...
using bind...
I already copied http://www.freebsd.org/doc/en/books/handbook/network-dns.html but it just complained more.... I switched the bind to http://files.pfsense.org/packages/dns/bind9-9.3.2.1.tbz, troublesome...
-
http://howtoforge.com/installing-a-freebsd7.0-dns-server-with-bind
http://pbraun.nethence.com/doc/net/named.html
http://repo.fadhly.web.id/downloads/Tutorial/Konfigurasi%20DNS%20Server%20di%20FreeBSD.pdf
-
Come on, anyone who has successfully installed BIND, poooooost, :o :o :o
-
http://files.pfsense.org/packages/dns/bind9-9.3.2.1.tbz
hostname ns2.taqwa.local
added to /etc/defaults/rc.conf
hostname="ns2.taqwa.local" # Set this!
added to /etc/rc
# Start BIND
echo "Starting BIND..."
/usr/local/sbin/named
echo "done."
echo "Bootup complete"
Error when running /usr/local/sbin/named
/libexec/ld-elf.so.1: Shared object "libcrypto.so.4" not found, required by "named"
what?
/var/named/named.conf
forwarders { 127.0.0.1; 192.168.254.254; };
zone "taqwa.local" {
        type master;
        file "master/taqwa.local";
        allow-transfer { localhost; };
        allow-update { key rndc-key; };
};
zone "254.168.192.in-addr.arpa" {
        type master;
        file "master/taqwa.local.rev";
        allow-transfer { localhost; };
        allow-update { key rndc-key; };
};
/var/named/master/taqwa.local.rev
$TTL 3600
254.168.192.in-addr.arpa. IN SOA ns2.taqwa.local. root.taqwa.local. (
        1       ; Serial
        10800   ; Refresh
        3600    ; Retry
        604800  ; Expire
        86400 ) ; Minimum TTL
; DNS Servers
254.168.192.in-addr.arpa. IN NS ns2.taqwa.local.
; Computer IPs
100 IN PTR ns2.taqwa.local.
100 IN PTR www.taqwa.local.
-
heheh, the crypt library version doesn't match named
check which version of the crypto library you have:
ls /lib/libcrypt*
create links:
cd /lib
ln -s libcrypt.so.5 libcrypt.so.4
ln -s libcrypto.so.6 libcrypto.so.5
-
# cd /lib
# ln -s libcrypt.so.5 libcrypt.so.4
ln: libcrypt.so.4: File exists
# ln -s libcrypto.so.6 libcrypto.so.5
ln: libcrypto.so.5: File exists
#
-
hmm, it already exists but isn't recognized by named
looks like the bind you have is an old version (FreeBSD 7)
pfSense 1.2.3 uses FreeBSD 7.2
try reinstalling bind from here:
pkg_delete bind\*
pkg_add -rv http://dl2.foss-id.web.id/freebsd/ports/i386/packages-7.2-release/dns/bind96-9.6.0.1.tbz
rehash
-
:D :D :D the file is ancient....
-
Is my bind configuration above already complete, Om grage95?
-
One thing at a time: first, is the package right yet, then on to the config
-
Here are the settings, sir:
pkg_add -rv http://dl2.foss-id.web.id/freebsd/ports/i386/packages-7.2-release/dns/bind96-9.6.0.1.tbz
/etc/resolv.conf
domain taqwa.local
nameserver 127.0.0.1
nameserver 202.134.1.10
/var/named/master/taqwa.local
$TTL 3600
taqwa.local. IN SOA ns2.taqwa.local. root.taqwa.local. (
        1       ; Serial
        10800   ; Refresh
        3600    ; Retry
        604800  ; Expire
        86400 ) ; Minimum TTL
; DNS Servers
taqwa.local. IN NS ns2.taqwa.local.
; Computer names and records
ns2.taqwa.local. IN A 192.168.254.254
; Aliases
www IN CNAME ns2.taqwa.local.
; Mail MX Records
taqwa.local. IN MX 10 ns2.taqwa.local.
/var/named/master/taqwa.local.rev
$TTL 3600
254.168.192.in-addr.arpa. IN SOA ns2.taqwa.local. root.taqwa.local. (
        1       ; Serial
        10800   ; Refresh
        3600    ; Retry
        604800  ; Expire
        86400 ) ; Minimum TTL
; DNS Servers
254.168.192.in-addr.arpa. IN NS ns2.taqwa.local.
; Computer IPs
100 IN PTR ns2.taqwa.local.
100 IN PTR www.taqwa.local.
/usr/local/sbin/rndc-confgen -a
wrote key file "/usr/local/etc/rndc.key"
find / | grep rndc.key
/usr/local/etc/rndc.key
cat /usr/local/etc/rndc.key >> named.conf
/var/named/named.conf
forwarders { 127.0.0.1; };
zone "taqwa.local" {
        type master;
        file "master/taqwa.local";
        allow-transfer { localhost; };
        allow-update { key rndc-key; };
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "master/taqwa.local.rev";
        allow-transfer { localhost; };
        allow-update { key rndc-key; };
};
key "rndc-key" {
        algorithm hmac-md5;
        secret "JtU+O0PpufgIhsWdA3tSQA==";
};
reboot PF.........
# sockstat -4l | grep -i 53
nobody dnsmasq 480 3 udp4 :53 :
nobody dnsmasq 480 4 tcp4 :53 :
??? ???
-
create the file
/usr/local/etc/dnsmasq.conf
port=54
# increase DNS cache size
# cache-size=10000
expand-hosts
# Resolve(generated from WAN DHCP)
resolv-file=/etc/resolv.conf
#
# Extra : Blackhole DNS addresses. (NO blackholeDNS, comment next line)
# conf-file=/etc/blackhole.conf
#
#server=208.67.222.222
#server=208.67.220.220
# include another configuration
#conf-file=/etc/dnsmasq-adblock.conf
restart dnsmasq and start bind
named -4
then check with sockstat again
for the first stage: configure named as a cache only; the zones for your own domain can come later.
here is an example named.conf for cache only
acl "localnet" { 192.168.0.0/16; 10.0.0.0/8; localhost; };
options {
        // Relative to the chroot directory, if any
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        dump-file "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        allow-recursion { any; };
        //allow-query { any; };
        //allow-query-cache { any; };
        allow-query { localnet; };
        allow-query-cache { localnet; };
        minimal-responses yes;
        datasize 196M;
        max-cache-size 128M;
        listen-on { any; };
        //listen-on { 127.0.0.1; 192.168.2.1; };
        forward first;
        //forward only;
        //forwarders for porn blocking
        //forwarders { 203.34.118.12; 203.34.118.10; };
        //forwarders: Speedy DNS IPs
        forwarders { 203.130.196.6; 202.134.2.5; };
};
logging { category lame-servers { null; }; };
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
zone "localhost" {
        type master;
        file "master/localhost-forward.db";
};
zone "127.in-addr.arpa" {
        type master;
        file "master/localhost-reverse.db";
};
zone "." {
        type hint;
        file "named.root";
};
//include "master/hikmah-teknologi.zone";
//zone block
//include "master/zoneblock.zone";
key "rndc-key" {
        algorithm hmac-md5;
        secret "Kht7CoEd89/kbjno/KPFkA==";
};
-
after restarting dnsmasq through the Web GUI...
then...
# usr/local/sbin/named
usr/local/sbin/named -4
sockstat -4 -l |grep -i 53
#
empty, sir, nothing is running.....
-
so only named is left
check its log messages:
tail -f /var/log/messages
anything odd?
for the named.conf config, use one like the example I gave
put it in /var/named/etc/namedb/named.conf
check with sockstat and ps -ax
# sockstat -4 -l |grep -i 53
root named 66164 20 tcp4 192.168.1.12:53 :
root named 66164 21 tcp4 127.0.0.1:53 :
root named 66164 22 tcp4 127.0.0.1:953 :
root named 66164 512 udp4 192.168.1.12:53 :
root named 66164 513 udp4 127.0.0.1:53 :
# ps -ax |grep named
66164 ?? Is 0:00.04 named -4
# tail -f /var/log/messages
Nov 19 16:48:12 freebsd named[66164]: starting BIND 9.4.3-P2 -4
Nov 19 16:48:12 freebsd named[66164]: command channel listening on 127.0.0.1#953
Nov 19 16:48:12 freebsd named[66164]: running
-
zone "localhost" {
        type master;
        file "master/localhost-forward.db";
};
zone "127.in-addr.arpa" {
        type master;
        file "master/localhost-reverse.db";
};
What goes in the bold parts, sir?
-
their contents are in the master directory (by default)
/var/named/etc/namedb/master
http://src.gnu-darwin.org/src/etc/namedb/master/
-
named-checkconf
/usr/local/etc/named.conf:32: unknown option 'controls'
/usr/local/etc/named.conf:37: unknown option 'zone'
/usr/local/etc/named.conf:42: unknown option 'zone'
/usr/local/etc/named.conf:47: unknown option 'zone'
/usr/local/etc/named.conf:57: unknown option 'key'
/usr/local/etc/named.conf:61: '}' expected near end of file
-
try pasting here:
/usr/local/etc/named.conf
-
server ip 192.168.254.254
hostname ns2.taqwa.local
/usr/local/etc/named.conf
acl "localnet" {192.168.0.0/16;10.0.0.0/8; localhost;};
options {
// Relative to the chroot directory, if any
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
allow-recursion { any; };
//allow-query { any; };
//allow-query-cache { any; };
allow-query { localnet; };
allow-query-cache { localnet; };
minimal-responses yes;
datasize 196M;
max-cache-size 128M;
listen-on { any;};
//listen-on { 127.0.0.1; 192.168.2.1 };
forward first;
//forward only;
//forwarders for porn blocking
//forwarders {203.34.118.12; 203.34.118.10; };
//forwarders: Speedy DNS IPs
forwarders { 203.130.196.155; 202.134.1.10;};
//logging {category name-servers { null; }; };
controls { inet 127.0.0.1 port 953
allow { 127.0.0.1; };
keys { "rndc-key"; };
};
zone "localhost" {
type master;
file "master/localhost-forward.db";
};
zone "127.in-addr.arpa" {
type master;
file "master/localhost-reverse.db";
};
zone "." {
type hint;
file "named.root";
};
//include "master/hikmah-teknologi.zone";
//zone block
//include "master/zoneblock.zone";
key "rndc-key" {
algorithm hmac-md5;
secret "JtU+O0PpufgIhsWdA3tSQA==";
};
-
secret "JtU+O0PpufgIhsWdA3tSQA=="; <-- adjust this to the new key
};
the key must be adjusted:
cat /usr/local/etc/rndc.key >> named.conf
btw, is the default directory /usr/local/etc ???
while the option above says directory "/etc/namedb"; so which named.conf config is actually being used?
-
ok, but adjust the options according to the output of /usr/local/sbin/named-checkconf
by default bind runs chrooted for security, especially against ddos; the directory is at /var/named/etc/namedb
/usr/local/sbin/named-checkconf
/usr/local/etc/named.conf:61: '}' expected near end of file
looks like a closing }; was missed in the options section
it happened because the option
logging {category name-servers { null; }; };
was given //. If you don't want to use it, add }; below it
so it becomes
//logging {category name-servers { null; }; };
};
the correct one is lame-servers as in my example, not name-servers, why was it changed???
logging {category lame-servers { null; }; };
if that is given //
it means you want to log dns, and in my opinion that log is really not important; it adds load, even if only a little
lame-servers: Lame servers. Mis-configuration in the delegation of domains discovered by BIND 9 when trying to authoritative answers. If the volume of these messages is high many users elect to send them to the null channel e.g. category lame-servers {null;}; statement.
null: 'null' writes to /dev/null - the bit bucket, nowhere. It does not produce a log. From the grammar above 'file', 'syslog', 'stderr' and 'null' are mutually exclusive for a 'channel'.
http://www.zytrax.com/books/dns/ch7/logging.html
-
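The missing `};` diagnosed in the post above is exactly what named-checkconf reports as "'}' expected near end of file", and the `allow-recursion { any; };` line in both pasted configs deserves a second look on any box with a WAN interface, since a recursive resolver reachable by anyone is an open resolver that can be abused for amplification. Below is an added example, not code from this thread, from pfSense or from BIND: a small Python linter that strips BIND-style comments (//, # and /* */, leaving quoted strings alone), reports every block whose `{` is never closed together with the keyword that opened it, and flags allow-recursion / allow-query / allow-query-cache ACLs that contain `any`. The two sample configs are constructed for the example and modelled on the one pasted earlier; the rndc secret in them is a placeholder. A flagged ACL means "review", not necessarily "open resolver", because allow-query still gates what allow-recursion can expose.

```python
"""Lint a BIND named.conf for unbalanced braces and over-broad ACLs.

Added example for this thread; not code from pfSense, BIND or any poster.
Standard library only, runs offline on the embedded sample configs.
"""
import re
from dataclasses import dataclass


@dataclass
class Report:
    unclosed: list      # [(line_no, opener)] blocks whose '{' never closed
    extra_close: list   # [line_no] of a '}' that has no matching '{'
    broad_acl: list     # [(line_no, statement)] ACLs that contain 'any'


def strip_comments(text: str) -> str:
    """Drop //, # and /* */ comments, keeping newlines so line numbers stay
    valid and leaving quoted strings untouched (a secret may contain '/')."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            in_str = c != '"'
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif c == "#" or text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j                 # the newline itself is kept
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            end = n if j == -1 else j + 2
            out.append("\n" * text.count("\n", i, end))
            i = end
        else:
            out.append(c)
            i += 1
    return "".join(out)


def lint_named_conf(text: str) -> Report:
    clean = strip_comments(text)
    stack, extra = [], []
    for line_no, line in enumerate(clean.splitlines(), start=1):
        for m in re.finditer(r"[{}]", line):
            if m.group() == "{":
                # keyword that opened this block, e.g. 'options' or 'zone "."'
                opener = re.split(r"[;{}]", line[: m.start()])[-1].strip() or "<anonymous>"
                stack.append((line_no, opener))
            elif stack:
                stack.pop()
            else:
                extra.append(line_no)
    # recursion or queries allowed from 'any' make the resolver world-reachable
    broad = []
    acl_re = r"\b(allow-query-cache|allow-query|allow-recursion)\s*\{([^}]*)\}"
    for m in re.finditer(acl_re, clean):
        if re.search(r"\bany\b", m.group(2)):
            broad.append((clean.count("\n", 0, m.start()) + 1, m.group(1)))
    return Report(stack, extra, broad)


# Constructed sample modelled on the config pasted in this thread: the options
# block is never closed because the '};' after the forwarders line went
# missing when the logging statement was commented out.
BROKEN_CONF = '''\
acl "localnet" { 192.168.0.0/16; 10.0.0.0/8; localhost; };
options {
    directory "/etc/namedb";
    allow-recursion { any; };
    allow-query { localnet; };
    forwarders { 203.130.196.155; 202.134.1.10; };
    //logging { category lame-servers { null; }; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
zone "." { type hint; file "named.root"; };
key "rndc-key" { algorithm hmac-md5; secret "placeholder/key/not-real=="; };
'''

# Same file with options closed and logging moved to top level where it belongs.
FIXED_CONF = BROKEN_CONF.replace(
    "    //logging { category lame-servers { null; }; };\n",
    "};\nlogging { category lame-servers { null; }; };\n",
)


def main() -> None:
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        r = lint_named_conf(conf)
        print(f"[{name}] unclosed={r.unclosed} extra_close={r.extra_close} broad_acl={r.broad_acl}")


if __name__ == "__main__":
    main()
```

Run it against a real file with `lint_named_conf(open("/var/named/etc/namedb/named.conf").read())`; an `unclosed` entry names the block that named-checkconf would otherwise only report as a stray "unknown option" further down.
-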
Greeeat, but these files don't exist:
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
ugh... getting worse...
-
just change it to /var/run/named.id
comment these two out with //:
//dump-file "/var/dump/named_dump.db";
//statistics-file "/var/stats/named.stats";