Changing IPs
network:
  BULLDOG   linux firewall, router, dhcp server
  DOLPHINS  linux web, email, hidden master dns server
  BABA      solaris dns, ntp, ftp, ssh server
  various wired and wireless clients
current internet connection: [2009.01.21]
DSL (3.0mb download / 768kb upload) provided by Verizon
IP address (static) = 68.162.87.191
We are switching over to a....
new internet connection:
FiOS (20mb download / 5mb upload) provided by Verizon
5 static IP addresses =
  96.245.72.58
  96.245.72.59  baba: dns
  96.245.72.60  grasshopper: www, email, hidden dns master
  96.245.72.61
  96.245.72.62
default gateway = 96.245.72.1
subnet mask = 255.255.255.0 = /24
DNS primary server = 71.242.0.12
DNS secondary server = 71.250.0.12
1. Modify our DNS configuration so that the “replies” it issues have a shorter-than-normal expiration.
We do not want external systems to cache our DNS data for an extended time, as it will soon be invalid!
<expiry reduced from 4 weeks “4W” to 1 day “1D”, done on 2009.01.21>
2. Modify the firewall rules to allow DOLPHINS to answer DNS queries while we shut down DNS on BABA <2009.01.29>
add 2 new rules on DOLPHINS INPUT to allow port 53 queries from external sources over udp & tcp
add 2 rules on BULLDOG PREROUTING to route port 53 queries from external sources over udp & tcp to DOLPHINS
add 2 rules on BULLDOG FORWARD to forward port 53 traffic from external sources over udp & tcp to DOLPHINS
old BULLDOG PREROUTING rules stopped/preempted at 1225K / 59M (udp) & 95 / 3960 (tcp)
old BULLDOG FORWARD rules stopped/preempted at 1236K / 61M (udp) & 0 / 0 (tcp)
Using the FiOS connection, we can test that DOLPHINS is replying to DNS queries using NSLOOKUP or DIG.
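The six rules of step 2, written out as iptables commands. This is an added example, not the rule set from the original notes: the notes state only the intent (port 53 over udp and tcp, from external sources, to DOLPHINS). The interface names EXT_IF/eth0 are assumptions, and DOLPHINS' internal address 192.168.0.8 is taken from the port-80 counter notes further down this page. The rules are inserted at position 1 so they preempt the older rules that still point at BABA, which matches the notes' observation that the old rules' counters stopped growing. Setting IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original notes: the six rules of step 2 as
# iptables commands. Interface names are assumptions; DOLPHINS' internal
# address 192.168.0.8 comes from the counter notes later on this page.
# Set IPT=echo to preview the commands without applying them.
IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-eth0}            # assumed: BULLDOG's internet-facing interface
DOLPHINS=${DOLPHINS:-192.168.0.8} # DOLPHINS on the internal LAN

# On BULLDOG: rewrite inbound port-53 traffic to DOLPHINS and let it through.
# "-I ... 1" inserts at the top of each chain so these rules take precedence
# over the older BABA rules below them.
bulldog_dns_rules() {
  for proto in udp tcp; do
    $IPT -t nat -I PREROUTING 1 -i "$EXT_IF" -p "$proto" --dport 53 \
      -j DNAT --to-destination "$DOLPHINS"
    # FORWARD sees the packet after DNAT, so match on DOLPHINS as destination
    $IPT -I FORWARD 1 -i "$EXT_IF" -p "$proto" -d "$DOLPHINS" --dport 53 -j ACCEPT
  done
}

# On DOLPHINS: accept the forwarded queries on the local nameserver.
dolphins_dns_rules() {
  for proto in udp tcp; do
    $IPT -I INPUT 1 -p "$proto" --dport 53 -j ACCEPT
  done
}

# Counters to watch afterwards, to compare with the figures in the notes:
#   iptables -t nat -vnL PREROUTING --line-numbers
#   iptables -vnL FORWARD --line-numbers
```

Run bulldog_dns_rules on BULLDOG and dolphins_dns_rules on DOLPHINS; with `IPT=echo` first, the printed lines can be checked against the intended rule set before anything touches the live chains.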
3. Configure BABA's 2 interfaces for zone transfers, and add BABA to the FiOS network.
Create NEW DOLPHINS to replace DOLPHINS -> faster, more RAM, 4x hard disk-mirrored
install latest version of Fedora Core Linux = version 10 -> install everything minus XEN, XENNER, KVM, wireless, CD&DVD recording
configure NIC, apache, sendmail, DNS
copy all user files
After NEW DOLPHINS has replaced DOLPHINS on the DSL network, add 2nd NIC & RAM? to DOLPHINS
Load Fedora Core 10 onto DOLPHINS. Load everything. Use DOLPHINS to temporarily replace BULLDOG.
Load Fedora Core 10 onto BULLDOG. Utilize the 2nd hard disk already in BULLDOG to create an 18gb mirror.
Use BULLDOG as the FiOS router. Configure the Actiontec.
move DOLPHINS to FiOS
disconnect DSL
DOLPHINS becomes the spare machine. Make DOLPHINS dual-bootable with Windows 2003 Server.
2. Create new network using FiOS and a spare 5-port ethernet switch.
Configure FiOS router for Static IP NAT.
Devise new IP addressing scheme:
  baba         DNS, SSH     96.245.72.59
  dolphins     HTTP, SMTP   96.245.72.60
  grasshopper  DHCP, NAT    96.245.72.61
3. Log in to the domain name registry service that is used to manage the domains (Dotster, Go-Daddy, etc...), and change the IP addresses of the DNS servers for all of our domains.
<it is a good idea to try one first>
4.
1.
I am serving my own DNS, using BIND on Solaris 10 (primary DNS server) &
Linux 2.6.26 (hidden master DNS server).
In the external zone files, the currently configured record “expiration”
value is 4 weeks.
There are many external zone files. They are all configured the same.
Here is an example. We are logged in to the Linux DNS master server:
[root@dolphins gt3rs]#
[root@dolphins gt3rs]# pwd
/var/named/gt3rs
[root@dolphins gt3rs]# cat gt3rsregistry.external
;
; external zone file for gt3rsregistry.com.
;
$TTL 2D
@ IN SOA baba.billhance.com. dnsadmin.billhance.com. (
2008063001 ; serial number
8H ; refresh frequency
2H ; retry frequency
4W ; expiry period
3D ) ; minimum TTL
; IN NS dolphins.billhance.com. ; hidden master nameserver
IN NS baba.billhance.com. ; slave nameserver
IN MX 10 dolphins.billhance.com. ; mail server
;
; host addresses
;
baba IN A 68.162.87.191
IN LOC 39 54 18.412 N 75 23 20.726 W 85m
dolphins IN A 68.162.87.191
IN LOC 39 54 18.412 N 75 23 20.726 W 85m
babaftp IN A 68.162.87.191
IN LOC 39 54 18.412 N 75 23 20.726 W 85m
;
; aliases
;
ftp IN CNAME babaftp
mail IN CNAME dolphins
www IN CNAME dolphins
clock IN CNAME baba
[root@dolphins gt3rs]#
[root@dolphins gt3rs]#
Here is the corresponding file. Now we are logged in to the Solaris 10 slave
DNS server:
#
# pwd
/var/named/gt3rs
#
# cat gt3rsregistry.external
$ORIGIN .
$TTL 172800 ; 2 days
gt3rsregistry.com IN SOA baba.billhance.com. dnsadmin.billhance.com. (
2008063001 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
2419200 ; expire (4 weeks)
259200 ; minimum (3 days)
)
NS baba.billhance.com.
MX 10 dolphins.billhance.com.
$ORIGIN gt3rsregistry.com.
baba A 68.162.87.191
LOC 39 54 18.412 N 75 23 20.726 W 85.00m 1m 10000m 10m
babaftp A 68.162.87.191
LOC 39 54 18.412 N 75 23 20.726 W 85.00m 1m 10000m 10m
clock CNAME baba
dolphins A 68.162.87.191
LOC 39 54 18.412 N 75 23 20.726 W 85.00m 1m 10000m 10m
ftp CNAME babaftp
mail CNAME dolphins
www CNAME dolphins
#
#
The first step is to reduce the expiry period from 4 weeks
“4W” to something much shorter, such as 1 day “1D”.
Edit every domain's external zone file on the master server. Change 4W to 1D,
and update each zone file serial number.
Here is the above zone file, after the required changes have been made. We are
logged on to the master server, where we made the changes.
[root@dolphins gt3rs]#
[root@dolphins gt3rs]# cat gt3rsregistry.external
;
; external zone file for gt3rsregistry.com.
;
$TTL 2D
@ IN SOA baba.billhance.com. dnsadmin.billhance.com. (
2009012101 ; serial number
8H ; refresh frequency
2H ; retry frequency
1D ; expiry period
3D ) ; minimum TTL
; IN NS dolphins.billhance.com. ; hidden master nameserver
IN NS baba.billhance.com. ; slave nameserver
IN MX 10 dolphins.billhance.com. ; mail server
;
; host addresses
;
baba IN A 68.162.87.191
IN LOC 39 54 18.412 N 75 23 20.726 W 85m
dolphins IN A 68.162.87.191
IN LOC 39 54 18.412 N 75 23 20.726 W 85m
babaftp IN A 68.162.87.191
IN LOC 39 54 18.412 N 75 23 20.726 W 85m
;
; aliases
;
ftp IN CNAME babaftp
mail IN CNAME dolphins
www IN CNAME dolphins
clock IN CNAME baba
[root@dolphins gt3rs]#
The slave DNS server answers the queries. The master DNS server simply transfers
zone files to the slave.
Here is the corresponding file, after it has been updated by the master server. Now we are logged in to the Solaris 10 slave server:
#
# cat gt3rsregistry.external
$ORIGIN .
$TTL 172800 ; 2 days
gt3rsregistry.com IN SOA baba.billhance.com. dnsadmin.billhance.com. (
2009012101 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
86400 ; expire (1 day)
259200 ; minimum (3 days)
)
NS baba.billhance.com.
MX 10 dolphins.billhance.com.
$ORIGIN gt3rsregistry.com.
baba A 68.162.87.191
LOC 39 54 18.412 N 75 23 20.726 W 85.00m 1m 10000m 10m
babaftp A 68.162.87.191
LOC 39 54 18.412 N 75 23 20.726 W 85.00m 1m 10000m 10m
clock CNAME baba
dolphins A 68.162.87.191
LOC 39 54 18.412 N 75 23 20.726 W 85.00m 1m 10000m 10m
ftp CNAME babaftp
mail CNAME dolphins
www CNAME dolphins
#
#
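Step 1 has to be repeated for every external zone file, and the serial must be bumped each time or the slave never picks the change up. As an added example (not part of the original notes), here is a small POSIX shell checker that verifies both conditions on a zone file before it is published. It generalizes beyond the single zone shown above: it accepts the master's BIND unit-suffixed form ("4W", "1D") as well as the numeric seconds in the slave's transferred copy, since both spellings appear on this page. The function names (ttl_to_seconds, soa_fields, check_zone, write_zone_samples) are my own, and the two sample zone files are constructed, trimmed from the before/after listings above. One caveat worth knowing when reading the notes: the SOA expiry field bounds how long the slave (BABA) keeps answering for the zone after it can no longer reach the master; the time external resolvers cache individual answers is the $TTL value (2D here).

```shell
#!/bin/sh
# Added example, not from the original notes: check that a zone file's SOA
# expiry is at or below a limit (default 1 day = 86400 s, as in step 1) and
# that its serial was bumped past the previously published one.

# Convert a BIND time value to seconds: W, D, H, M suffixes or bare seconds.
ttl_to_seconds() {
  n=${1%[wWdDhHmMsS]}     # numeric part
  u=${1#"$n"}             # unit suffix, possibly empty
  case "$u" in
    [wW]) echo $((n * 604800)) ;;
    [dD]) echo $((n * 86400)) ;;
    [hH]) echo $((n * 3600)) ;;
    [mM]) echo $((n * 60)) ;;
    *)    echo "$n" ;;
  esac
}

# Print "serial refresh retry expire minimum" from a zone file. Comments are
# stripped and the file joined onto one line so a parenthesised SOA works.
soa_fields() {
  sed 's/;.*//' "$1" | tr '\n' ' ' | awk '{
    for (i = 1; i <= NF; i++) if ($i == "SOA") {
      k = i + 3                  # skip mname and rname
      if ($k == "(") k++         # optional opening parenthesis
      print $k, $(k+1), $(k+2), $(k+3), $(k+4)
      exit
    }
  }'
}

# usage: check_zone FILE OLD_SERIAL [MAX_EXPIRE_SECONDS]
# Returns 0 when the zone is safe to publish, 1 with a reason otherwise.
check_zone() {
  fields=$(soa_fields "$1")
  serial=$(echo "$fields" | awk '{print $1}')
  if [ -z "$serial" ]; then echo "$1: no SOA record found"; return 1; fi
  expire=$(ttl_to_seconds "$(echo "$fields" | awk '{print $4}')")
  max=${3:-86400}
  if [ "$serial" -le "$2" ]; then
    echo "$1: serial $serial was not bumped past $2"; return 1
  fi
  if [ "$expire" -gt "$max" ]; then
    echo "$1: expiry ${expire}s exceeds ${max}s"; return 1
  fi
  echo "$1: ok (serial $serial, expiry ${expire}s)"
}

# Constructed samples, trimmed from the page's before (master) and after
# (slave) zone files.  usage: write_zone_samples DIR
write_zone_samples() {
  cat > "$1/before.zone" <<'EOF'
$TTL 2D
@ IN SOA baba.billhance.com. dnsadmin.billhance.com. (
        2008063001 ; serial number
        8H ; refresh frequency
        2H ; retry frequency
        4W ; expiry period
        3D ) ; minimum TTL
   IN NS baba.billhance.com.
www IN A 68.162.87.191
EOF
  cat > "$1/after.zone" <<'EOF'
$ORIGIN .
$TTL 172800 ; 2 days
gt3rsregistry.com IN SOA baba.billhance.com. dnsadmin.billhance.com. (
        2009012101 ; serial
        28800 ; refresh (8 hours)
        7200 ; retry (2 hours)
        86400 ; expire (1 day)
        259200 ; minimum (3 days)
        )
        NS baba.billhance.com.
EOF
}
```

Typical use on the master is `for z in /var/named/*/*.external; do check_zone "$z" "$(previous_serial)"; done` with the old serials recorded before editing; a zone that still says 4W, or whose serial was forgotten, is reported and should not be reloaded.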
2.
before turning off DNS on BABA
from a laptop PC on the internal network
C:\>nslookup
Default Server: baba.billhance.com
Address: 192.168.0.4
> www.joe.com
any random website will work
Server: baba.billhance.com
Address: 192.168.0.4
Non-authoritative answer:
Name: www.joe.com
Address: 216.142.204.50
> exit
C:\>
C:\>
after turning off DNS on BABA (“svcadm disable network/dns/server” in Solaris 10)...
C:\>
C:\>nslookup
*** Can't find server name for address 192.168.0.4: No response from server
Default Server: UnKnown
Address: 192.168.0.4
>
> exit
C:\>
C:\>
3.
4.
5.
6.
private network   address range                       hosts
10.0.0.0/8        10.0.0.0    -> 10.255.255.255      16,777,216
172.16.0.0/12     172.16.0.0  -> 172.31.255.255       1,048,576
192.168.0.0/16    192.168.0.0 -> 192.168.255.255         65,536
BULLDOG
Before changing the routing for DOLPHINS www, 2009.02.18:
  FORWARD rule 6       601K / 33M   -> 192.168.0.8:80
  PREROUTING rule 1    601K / 33M   -> dport 80
After changing the routing to GRASSHOPPER, 2009.02.19:
  FORWARD rule 6       602K / 33M
  FORWARD rule 11      4653 / 254K  -> 192.168.0.14:80
  PREROUTING rule 2    601K / 33M
  PREROUTING rule 1    3254 / 176K  -> dport 80

GRASSHOPPER
Before changing the routing on BULLDOG above; the Apache server running, 2009.02.18:
  INPUT rule 2    27144 / 2257K  RELATED,ESTABLISHED
  INPUT rule 4      270 / 12960  --dport 80 NEW
Now directing incoming www connections to GRASSHOPPER, 2009.02.19:
  INPUT rule 2     219K / 29M    RELATED,ESTABLISHED
  INPUT rule 4     3929 / 207K   --dport 80 NEW

DOLPHINS
After the rules changes, the only thing still being accessed via port 80 on DOLPHINS is SQUIRRELMAIL, 2009.02.19.
The counters for DOLPHINS port 80 should change minimally from the numbers below:
  INPUT rule 6     417K / 23M    --dport 80 NEW
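The counter comparisons above are done by eye. As an added example (not part of the original notes), here is a small shell helper that does the same comparison from two saved snapshots of `iptables -vnxL CHAIN --line-numbers` output, so the "old rule stopped, new rule took over" check can be repeated after each routing change. The function names (rule_pkts, rule_delta, write_counter_samples) are my own, and the two snapshot files are constructed, loosely modelled on the BULLDOG FORWARD figures above; the helper also covers the case the notes run into, a rule (number 11) that exists only in the later snapshot.

```shell
#!/bin/sh
# Added example, not from the original notes: compare a rule's packet counter
# between two saved snapshots of "iptables -t TABLE -vnxL CHAIN --line-numbers"
# (save one with: iptables -vnxL FORWARD --line-numbers > forward.before).

# Packet count of rule number N in a snapshot file; empty if the rule is absent.
rule_pkts() {   # usage: rule_pkts SNAPSHOT N
  awk -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# Packets gained by rule N between BEFORE and AFTER. A rule missing from one
# snapshot (for example, one added in between) counts as 0 there.
rule_delta() {  # usage: rule_delta BEFORE AFTER N
  b=$(rule_pkts "$1" "$3"); a=$(rule_pkts "$2" "$3")
  echo $(( ${a:-0} - ${b:-0} ))
}

# Constructed snapshots, modelled on the BULLDOG FORWARD figures in the notes.
write_counter_samples() {  # usage: write_counter_samples DIR
  cat > "$1/forward.before" <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1236000   61000000 ACCEPT  udp  --  eth0   eth1    0.0.0.0/0            192.168.0.8          udp dpt:53
6        601000    33000000 ACCEPT  tcp  --  eth0   eth1    0.0.0.0/0            192.168.0.8          tcp dpt:80
EOF
  cat > "$1/forward.after" <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1236000   61000000 ACCEPT  udp  --  eth0   eth1    0.0.0.0/0            192.168.0.8          udp dpt:53
6        602000    33100000 ACCEPT  tcp  --  eth0   eth1    0.0.0.0/0            192.168.0.8          tcp dpt:80
11       4653      254000   ACCEPT  tcp  --  eth0   eth1    0.0.0.0/0            192.168.0.14         tcp dpt:80
EOF
}
```

After a change like the one above, a small delta on the old rule (here rule 6, about 1000 packets) alongside a growing delta on the new one (rule 11) confirms the redirect took effect; a large delta on the old rule means some traffic is still matching it and the rule order should be rechecked.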