mirror of https://git.dn42.dev/wiki/wiki.git synced 2024-11-27 11:23:37 +01:00

Rearrange stuff

Jon Lundy 2015-01-01 12:34:15 -07:00
parent 7f8596236e
commit 2c3ff41fed
9 changed files with 716 additions and 0 deletions


@ -0,0 +1,199 @@
# Internal services
You are asked to show some creativity in terms of network usage and content. ;)
More ideas inspiration is collected on another [page](/ideas).
[[_TOC_]]
## Internal SSL CA
Internal.dn42 is signed by an internally maintained CA that is only allowed to sign *.dn42 domains or 172.22.0.0/15 ip addresses. If you would like to trust the certificate import the following:
```
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
```
If you would like to have a certificate signed by this CA send a CSR to dn42@xuu.cc
## Network-related
* Polynome has some nice scripts and visualizations here: http://dataviz.polynome.dn42
* http://172.23.174.1
* See [[Looking Glasses]] for more network diagnostic tools
### DNS tunnel
This DNS tunnel service uses [Iodine](http://code.kryo.se/iodine/), and provides access to the dn42 network. Useful when you're on a shitty network (airport, train station) that still allows DNS.
Use the anycast DNS servers (172.22.0.53) inside your tunnel.
| Hostname / IP | Password |
|:------------------------------------------------- |:-------- |
| t.polyno.me (172.23.185.193) | dn42 |
### DNS Tools
This tool allows you to lookup your dn42 domain name and check to see if your name servers are all working and have the correct information.
Select "Disable Recursion" to check only entries found in the registry or leave it off to check all (both are useful tests).
Currently this system only supports IPv4.
http://mwd.dn42/dns.php
MWD will also provide a secondary DNS server and/or cacti monitoring of your devices. Just ask on IRC. More info: http://mwd.dn42
## IRC
| Hostname / IP | Remarks |
|:------------------------------------------------- |:--------- |
| irc://irc.hackint.dn42/dn42 (172.22.24.1) | DN42 |
| irc://irc.hackint.hack/dn42 (172.31.0.30) | ChaosVPN |
## Search engines
* [Web search engine](http://search.dn42) (172.23.184.1) - a few chosen HTTP domains are crawled (taken from the wiki). The previous method, "crawl everything available from the wiki", generated too much data because of FTPs.
* [YaCy search engine](http://yacy.dn42) - Indexing local nets
## Images and Media
| Hostname / IP | Remarks |
|:------------------------------------------------- |:-------------------------------------------------------- |
| http://img.dn42 | Imagehoster |
| http://chan.dn42 | DN42-Chan, an imageboard |
| http://media.dn42 | A Mediagoblin instance (Login: dn42:dn42dn42) |
| https://dev.0l.dn42/tvheadend/ | Digital Video Recorder (TVHeadend frontend) |
| ftp://dev.0l.dn42/Videos/Recordings/ | Digital Video Recorder (Recorded files) |
## Radio and Video Streaming
| Hostname / IP | Remarks |
|:------------------------------------------------- |:-------------------------------------------------------- |
| http://10.11.10.30:8000 | Freimusik |
| http://stream.laxu.dn42:8000 | [xenim Streams](http://streams.xenim.de) |
| http://sprawl.smrsh.dn42:8000/ | [smrsh radio](http://smrsh.net/radio) |
| http://10.112.0.6:8000/mpd.ogg, http://radio.ffhh:8000/mpd.ogg | Freifunk Hamburg radio, yeay 8bit music! |
| http://172.23.136.65:8000/ | haxMPD |
## File sharing
**FIXME**: Please add info about (approximate) bandwidth of the servers.
### FTP / HTTP
| Hostname / IP | Space | Speed | Remarks |
|:------------------------------------------------- |:----- |:----------- |:----------------------------------------------- |
| ftp://dev.0l.dn42 | 10 TB | max 5MBit/s | writable incoming |
| http://filer.nihilus.dn42, http://172.22.92.2 | | ~60kbps | mostly up |
| ftp://cochimetl.tim.dn42, nfs://cochimetl.tim.dn42/data/ftp | ~3TB | ~700kbps | |
| http://seafile.dn42 | | | Opensource Dropbox, yay! |
| http://files.feuerrot.dn42 | 6TB | 1Gbit | http, ftp, nfs, rsync |
| ftp://vsynology.dev.ffc (10.8.6.13) | 150G | 20Mbit/s | just drop your nzb/torrent file and be patient |
| http://filer1.grmml.dn42 (172.23.149.21) | 4TB | 200Mbit/s | download only |
| sftp://anonsftp:Iich0zieC3retaid@files.crest.dn42:2212/ | 12TB | 1Gb/s | incoming writable |
| http://172.23.136.33 | | 100Mbit/s | some mediafiles/software |
| http://files.martin89.dn42/ | | max 2Mbit/s | download only |
#### Down?
| Hostname / IP | Space | Speed | Remarks | Down Since |
|:------------------------------------------------- |:------ |:-------- |:------------------------------- |:---------- |
| http://turing.il.maxx.dn42, http://172.22.42.2 | ~6.5TB | ~400kbit | WebDAV enabled, up 24/7z | 01.01.2015 |
| ftp://descent.derf.dn42 (172.23.225.35) | 3TB | 60kbit/s | download only | 01.01.2015 |
## Proxies
See http://wiki.hamburg.ccc.de/ChaosVPN:Proxy
### Tor
| Hostname / IP | Bandwidth | Nickname |
| ------------------------------------------------- | ----------- | ------------ |
| socks5://lian.0l.dn42:9050 | 600 kb/s | [nulll](https://atlas.torproject.org/#details/84F41A116AD7F1E038781413E0B4ADE4494BA38A)
### Hochschulbibliothekszentrum des Landes Nordrhein-Westfalen
Bodems (AS76124) is announcing 193.30.112.0/24 via his DFN-Node, so you can access the "[Digibib](http://www.digibib.net/jumpto?LOCATION=Bi10&D_SERVICE=TEMPLATE&D_SUBSERVICE=DIGILINK_BROWSE&DP_FUNC=CategoryView&DP_FILTER=All&DP_CID=14211)" through DN42 with a valid IP. For some parts (like VDE norms) you will need Citrix Receiver.
## NTP
| Hostname / IP | Remarks |
|:------------------------------------------------- |:----------------------------------- |
| ntp.e-utp.dn42 (172.22.165.50) | Stratum 1, GPS+NMEA |
| ntp1.nixnodes.dn42 (172.22.177.123) | |
| ntp2.nixnodes.dn42 (172.22.177.124) | |
| ntp.martin89.dn42 | more than one A records/server |
## Crypto coins
| Hostname / IP | Remarks |
|:------------------------------------------------- |:----------------------------------- |
| bitcoin.e-utp.dn42 (172.22.165.50, 172.22.165.34) | 8333 for Bitcoin, 9333 for Litecoin |
## Gaming
| Hostname / IP | Game | Remarks |
|:------------------------------------------------- |:---------------------- |:-------------------------- |
| cs.nixnodes.dn42 (172.22.177.179) | Counter-Strike 1.6 | v48 Non-Steam [Deathmatch] |
## Misc
| Hostname / IP | Remarks |
| ------------------------------------------------- | ------------------------------------------------------------------------------ |
| http://nowhere.ws/dn42 | Some random stuff concerning dn42, packages for Debian, e.g. Quagga |
| https://paste.synhacx.dn42 | AES-encrypted pastebin-like ([zerobin](https://github.com/sebsauvage/ZeroBin)) |
| http://ip.synhacx.dn42 | Basic "whatismyip" service ([description](http://synhacx.dn42/showmyip)) |
| http://tor.mirror.martin89.dn42 | Tor Project Homepage mirror |
| http://tor.e-utp.dn42 | Tor Project Homepage mirror |
| http://freebsd.e-utp.dn42 | FreeBSD Homepage mirror |
| http://debian.mirror.martin89.dn42 | Debian Wheezy mirror |
| nntp://news.blacksheep.dn42 | Martin's newsgroup server (ping MB-DN42 for a rw account or a nntp/uucp feed) |
| mumble://shard.smrsh.dn42:64738 | [Mumble](http://mumble.sourceforge.net/) Voice Chat |
| http://wiki.dn42, http://internal.dn42 | This wiki! Web Hosted by [xuu](https://xuu.dn42). Git Repo hosted by welterde |
# Other networks
## Public Internet
* https://mirror.frubar.net 100MBit
* https://frucman.frubar.net
## AnoNet
A wiki page dedicated to the AnoNet Network: http://wiki.qontrol.nl/Anonet
## ChaosVPN
* Anybody can add services to this list, which will be monitored for uptime: http://10.100.44.1
* Check your IP and reverse lookup: [ifconfig.hack](http://ifconfig.hack)
* View of the network: http://vpnhub1-intern.hamburg.ccc.de/chaosvpn.png
* List of nodes: http://vpnhub1-intern.hamburg.ccc.de/chaosvpn.nodes.html
## Freifunk
### Augsburg
We have a plugin that enables us to announce services in the mesh. So instead of listing them here again just have a look at http://10.11.0.8/cgi-bin/luci/freifunk/services to see what we have to offer.
(Upload is not fast, most probably DSL speed only)
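Review bot: The "Internal SSL CA" section asks readers to import a root certificate but gives them nothing to verify it against, and it does not say how the "only allowed to sign *.dn42 domains or 172.22.0.0/15 ip addresses" restriction is enforced. Please add the certificate's fingerprint (ideally also published somewhere other than this wiki) and state whether the limit is an X.509 name constraint inside the certificate or only operator policy, since a root imported into a system trust store is otherwise trusted for every name. The CSR instruction ("send a CSR to dn42@xuu.cc") should also say how control of the requested name or address is checked before signing. Separately, the commit is titled as a rearrangement but shows 716 additions and 0 deletions; if this content was moved from existing pages, remove or redirect those pages in the same commit so the two copies do not drift apart.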


@ -0,0 +1,133 @@
# Forwarder setup
Configuration of common resolver softwares, to forward DNS queries for `.dn42` (and reverse DNS) to `172.22.0.53`.
## BIND
If you already run a local DNS server, you can tell it to query the dn42 anycast servers for the relevant domains
by adding the following to /etc/bind/named.conf.local
```
zone "dn42" {
type forward;
forwarders { 172.22.0.53; };
};
zone "22.172.in-addr.arpa" {
type forward;
forwarders { 172.22.0.53; };
};
zone "23.172.in-addr.arpa" {
type forward;
forwarders { 172.22.0.53; };
};
```
## dnsmasq
If you are running dnsmasq under openwrt, you just have to add
```
config dnsmasq
option boguspriv '0'
option rebind_protection '1'
list rebind_domain 'dn42'
list server '/dn42/172.22.0.53'
list server '/22.172.in-addr.arpa/172.22.0.53'
list server '/23.172.in-addr.arpa/172.22.0.53'
```
to `/etc/config/dhcp` and run `/etc/init.d/dnsmasq` restart. After that you are able to resolve `.dn42`
with the anycast DNS-Server, while your normal requests go to your standard DNS-resolver.
Attention: If you go with the default config you'll have to disable "boguspriv" in the first dnsmasq config section.
For normal dnsmasq use
```
server=/dn42/172.22.0.53
server=/22.172.in-addr.arpa/172.22.0.53
server=/23.172.in-addr.arpa/172.22.0.53
```
in `dnsmasq.conf`.
## PowerDNS recursor
Add this to /etc/powerdns/recursor.conf (at least in Debian)
```
dont-query=127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10
forward-zones= dn42=172.22.0.53,22.172.in-addr.arpa=172.22.0.53,23.172.in-addr.arpa=172.22.0.53
```
## MaraDNS
Put this in your mararc:
```
ipv4_alias["dn42_root"] = "172.22.0.53"
root_servers["dn42."] = "dn42_root"
root_servers["22.172.in-addr.arpa."] = "dn42_root"
root_servers["23.172.in-addr.arpa."] = "dn42_root"
```
## Unbound
`unbound.conf` for forwarding requests to `172.22.0.53`.
```
server:
domain-insecure: "dn42"
local-zone: "22.172.in-addr.arpa." nodefault
local-zone: "23.172.in-addr.arpa." nodefault
local-zone: "d.f.ip6.arpa." nodefault
forward-zone:
name: "dn42"
forward-addr: 172.22.0.53
forward-zone:
name: "22.172.in-addr.arpa"
forward-addr: 172.22.0.53
forward-zone:
name: "23.172.in-addr.arpa"
forward-addr: 172.22.0.53
forward-zone:
name: "d.f.ip6.arpa"
forward-addr: 172.22.0.53
```
## JunOS (SRX 12.1X46)
Should also work in 12.1X44 and 12.1X45. After making the changes below you may need to run:
```
restart named-service
```
Config (vlan.0 is presumed to be your LAN/Trust interface)
```
system {
services {
dns {
dns-proxy {
interface {
vlan.0;
}
default-domain dn42 {
forwarders {
172.22.0.53;
}
}
default-domain 22.172.in-addr.arpa {
forwarders {
172.22.0.53;
}
}
default-domain 23.172.in-addr.arpa {
forwarders {
172.22.0.53;
}
}
}
}
}
}
```
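Review bot: The three BIND forward zones set only `type forward;` and `forwarders { 172.22.0.53; };`, which leaves BIND on its default of `forward first`. When the anycast resolver does not answer, named then falls back to ordinary recursion and sends the `dn42` and `172.22/172.23` reverse lookups out to the public DNS hierarchy, leaking internal names and producing a misleading negative answer instead of a clear failure. Add `forward only;` to each zone. Smaller points: the Unbound example forwards `d.f.ip6.arpa` while none of the other resolvers do, so either add the IPv6 reverse zone everywhere or say why it is Unbound-only; `domain-insecure: "dn42"` and the PowerDNS `dont-query` line (whose listed ranges omit 172.16.0.0/12, presumably so that 172.22.0.53 can be queried) each deserve a one-line explanation; and in the dnsmasq text the closing backtick is misplaced, it should read `/etc/init.d/dnsmasq restart`.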

39
services/Services-DNS.md Normal file

@ -0,0 +1,39 @@
# DNS
*(tl;dr)* We have a TLD for dn42, which is `.dn42`. The anycast resolver for `.dn42` runs on `172.22.0.53`.
**DNS is build from [[whois database|Services Whois]]. So please edit your DNS-records there.**
## Using the DNS service
Below are several ways to use the `dn42` DNS service, from easiest to more challenging. The recommended method is the second one.
### Using the anycast resolver directly
Please be aware that this method sends **all** your DNS queries (e.g. `google.com`) to a random DNS server inside dn42. The server could fake the result and point you towards the russian mafia. They probably won't, but think about what you are doing. At the end of the day, your ISP could be evil as well, so it always boils down to a question of trust.
To do this, just use `172.22.0.53` as your resolver, for instance in `/etc/resolv.conf`.
### Forwarding `.dn42` queries to the anycast resolver
If you run your own resolver (`unbound`, `dnsmasq`, `bind`), you can configure it to forward dn42 queries to the anycast DNS resolver. See [[DNS forwarder configuration|Services DNS Configuration]].
### Recursive resolver
You may also want to configure your resolver to recursively resolve dn42 domains. For this, you need to find authoritative DNS servers for the `dn42` zone (and for the reverse zones). See [[Recursive DNS resolver]].
### Building the dn42 zones from the registry
Finally, you may want to host your own authoritative DNS server for the `dn42` zone and the reverse zones. The zone files are built from the monotone repository: scripts are provided in the repository itself.
## Register a `.dn42` domain name
The root zone for `dn42.` is built from the [[whois registry|Services Whois]]. If you want to register a domain name, you need to add it to the registry (of course, you also need one or two authoritative nameservers).
## DNS services for other networks
Other networks are interconnected with dn42 (ChaosVPN, Freifunk, etc). Some of them also provide DNS service, you can configure your resolver to use it. See [[External DNS]].
## Providing DNS service
See [[Providing Anycast DNS]].
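Review bot: In the "Using the DNS service" introduction, "The recommended method is the second one" depends on the subsections keeping their current order; name the method ("Forwarding `.dn42` queries to the anycast resolver") so the recommendation survives a reorder. The warning under "Using the anycast resolver directly" would be more useful if it ended by pointing at that forwarding section as the way to keep non-dn42 queries on the reader's usual resolver. "Building the dn42 zones from the registry" says the scripts are in the monotone repository but gives no path and no link to the Whois page that explains how to fetch it. Typo: "DNS is build from" should be "built".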


@ -0,0 +1,51 @@
# What's FreePhone?
Where's the point in using a phone flat just for a single person? !FreePhone is a project aimed to develop a VPN wide SIP phone service. Calling german landline is possible at the moment, as well as local participants (eg. maxx).
## How does this work?
### Public proxy
Set up your softphone or hardware implementation to use:
* SIP-Proxy/Proxy domain: maxx.spaceboyz.net (SRV-Record)
* Username/Account/Login: vpn
* Password: vpn
The proxy is strictly outbound, registration is impossible and unintended.
## Special needs
Just contact me if you like to use your SIP hardware (eg. Fritz!Box FON). You'll get a special account allowing registrations plus a local extension.
## Restrictions
* Any call under the terms of the flatrate is allowed, so to speak: no mobile phones or pr0n calls
* One call at a time for FreePhone users (stupid bandwidth restrictions :/).
* Internal calls are more or less unrestricted.
* alaw/ulaw are disallowed for bandwidth reasons
## Additional extensions
| **Extension** | **Target** |
|---|---|
| maxx | myself, almost anywhere wireless lan is availiable |
| grim | sometimes, sometimes not |
| equinox | i think nokia prevents but you may try |
| helios | did not connect for some time now |
If you like listening to german news, dial 787326353 (Vanity: STREAMDLF). Just contact me in case you want more.
## Configuration examples
Just look at the german version, you'll get the idea.
## What's next?
### Real dn42 phone system
If i'm bored some day i might implement the following:
* SIP extensions for every participant
* Voicemail
* Funny games
* FreePhone integration (maybe with redundancy)
* ...
If someone is willing to experiment we could try allowing reinvites. This way all SIP endpoints inside the VPN could connect their media streams directly, thus saving bandwidth and raising call quality.
## Latest changes
* G.729 now is the preferred codec because of bandwith issues
* My "Homezone" works perfectly, moving with me
* Phone #: +493727/959023
* Sipgate: 5884293
* SIP: maxx(at)maxx.spaceboyz.net
* Transcoding from/into G.729 works fine now, thanks to some precompiled versions for asterisk.
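Review bot: The "Public proxy" section publishes a shared login (`Username/Account/Login: vpn`, `Password: vpn`) for a proxy on a public hostname that can place calls to German landlines, but it does not say whether the proxy accepts connections only from dn42/VPN source addresses. State that restriction explicitly, because with a published password the source-address check is the only thing limiting who can place calls on this flat rate. The page is also written in the first person ("Just contact me", "myself") without naming the operator or giving a contact, "!FreePhone" still carries what looks like an escape character from the previous wiki syntax, and "Configuration examples" refers to a German version without linking it.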

18
services/Services-IRC.md Normal file

@ -0,0 +1,18 @@
# IRC
We have several [hackint](http://www.hackint.eu/)-IRC-Servers, reachable via internet, but also via dn42.
## irc.spaceboyz.net
* IPv6: 2001:8d8:81:5c0::1
* dn42: 172.22.24.1
* IPv4: 87.106.131.203
* Ports: 6666-6669 & SSL 6697,9999
## irc.chaostreff-dortmund.de
* irc.chaostreff-dortmund.de (195.160.168.7, 6666-6669 & ssl: 6697, 9999)
## lechuck.darmstadt.ccc.de
* lechuck.darmstadt.ccc.de (via dn42: 172.31.98.1)
Usage with SSL (6697/tcp) is preferred.
**Please join #dn42.**
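Review bot: "Usage with SSL (6697/tcp) is preferred" sits at the end of the `lechuck.darmstadt.ccc.de` section, so it reads as applying to that server only, and that server's entry lists no ports at all. Move the sentence up under the introduction and say which certificate clients should expect (a public CA, or the internal CA described on the internal services page), so readers can verify the server they reach on the dn42 address. The three server entries also use three different layouts; the bullet layout used for `irc.spaceboyz.net` is the clearest one to standardise on.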

13
services/Services-News.md Normal file

@ -0,0 +1,13 @@
# List of Usenet servers
| **Person** | **Status** | **Address** | **Posting** | **Newsgroups** | **Binaries** |
|----|----|----|----|----|----|
| welterde | _up_ | news.welterde.dn42 | _yes_ | Big 8, de.\*, alt.\* | _no_ |
| UFO | _up_ | core.ucis.dn42 | _yes_ | anonet, dn42 | _no_ |
| blacksheep | _up_ | news.blacksheep.dn42 | _ask_ | Big 8, de.\*, alt.\*, uk.\*, etc. | _no_ |
# List of Usenet WebFrontends
| **Person** | **Status** | **Address** | **Posting** | **Newsgroups** | **Binaries** |
|----|----|----|----|----|----|
| cronix | _down_ | news.crystalnet.dn42 | _yes_ | as requested | _no_ |
| UFO | _up_ | [UCIS.ano news](http://cgiproxy.ucis.dn42/nph-proxy.cgi/00/http/www.ucis.ano/news/) | _no_ | anonet, dn42 | _limited_ |
| SeekingFor | _up_ | [AnoNet News](http://cgiproxy.ucis.dn42/nph-proxy.cgi/00/http/news.sfor.ano/) | _yes_ | anonet, dn42 | _no_ |


@ -0,0 +1,111 @@
# Statistics
Please add your public statistics.
## Scripts
### Number of prefixes for collectd
#### collectd.conf
```
LoadPlugin exec
<Plugin exec>
Exec nobody "/etc/collectd/bgp_prefixes-quagga.sh"
</Plugin>
```
collectd refuses to exec scripts as root. On Debian vtysh is compiled with PAM support: adding nobody to the quaggavty group suffices.
#### bgp_prefixes-quagga.sh
```
#!/bin/bash
INTERVAL=10
HOSTNAME=dn42.hq.c3d2.de
while true; do
n4=$(vtysh -d bgpd -c "show ip bgp"|grep Total|sed -e 's/Total number of prefixes //')
n6=$(vtysh -d bgpd -c "show ipv6 bgp"|grep Total|sed -e 's/Total number of prefixes //')
echo "PUTVAL $HOSTNAME/quagga-bgpd/routes-IPv4 interval=$INTERVAL N:$n4"
echo "PUTVAL $HOSTNAME/quagga-bgpd/routes-IPv6 interval=$INTERVAL N:$n6"
sleep $INTERVAL
done
```
#### Number of prefixes per neighbour for bird
```
#!/bin/sh
#
# Collectd script for collecting the number of routes going through each
# BGP neighour. Works for bird.
#
# See https://dn42.net/Services-Statistics
INTERVAL=60
HOSTNAME=mydn42router
[ -n "$COLLECTD_HOSTNAME" ] && HOSTNAME="$COLLECTD_HOSTNAME"
while true
do
birdc 'show protocols "*"' | grep ' BGP' | cut -d ' ' -f 1 | while read neighbour
do
nbroutes=$(birdc "show route protocol $neighbour primary count" | grep -v 'BIRD' | cut -d ' ' -f 1)
echo "PUTVAL $HOSTNAME/bird-bgpd/routes-$neighbour interval=$INTERVAL N:$nbroutes"
done
# FIXME: we probably count non-BGP routes here
totalroutes=$(birdc "show route primary count" | grep -v 'BIRD' | cut -d ' ' -f 1)
echo "PUTVAL $HOSTNAME/bird-bgpd/routes-all interval=$INTERVAL N:$totalroutes"
sleep $INTERVAL
done
```
### munin plugin
* add the following to /etc/munin/plugin-conf.d/munin-node
```
[quagga_bgp]
user root
```
* place the script as quagga_bgp in /etc/munin/plugins
```
#!/bin/sh
#
#
# Munin Plugin to show quagga bgp4 routes
# Standard Config Section Begin ##
if [ "$1" = "autoconf" ]; then
echo yes
exit 0
fi
if [ "$1" = "config" ]; then
echo 'graph_title Quagga BGP4 Routes'
echo 'graph_args --base 1000 -l 0'
echo 'graph_scale yes'
echo 'graph_vlabel Received routes via BGP4'
echo 'graph_category Network'
echo 'bgproutes.label Routes'
echo 'graph_info Route information provided by quagga daemon via vtysh'
exit 0
fi
# Standard Config Section End ####
# Measure Section Begin ##########
data=($(vtysh -c "show ip bgp"|grep Total|cut -d" " -f5))
if [ "$data" = "" ]; then
echo bgproutes.value 0
else
echo bgproutes.value $data
fi
# Measure Section ##########
```
* restart munin-node
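Review bot: The munin plugin is configured with `user root` in `[quagga_bgp]`, yet the collectd section of the same page already notes that on Debian adding an unprivileged user to the `quaggavty` group is enough to run vtysh. Run the plugin as an unprivileged user in that group (munin's `user` and `group` settings) rather than as root. The plugin also declares `#!/bin/sh` but uses a bash array in `data=($(vtysh -c "show ip bgp"|grep Total|cut -d" " -f5))`, which fails where /bin/sh is not bash; drop the outer parentheses or change the shebang. In the bird script, `read neighbour` should be `read -r neighbour`, and the `FIXME` about counting non-BGP routes should be resolved or turned into a visible caveat in the prose. The heading "Number of prefixes per neighbour for bird" is at the same level as the file names of the quagga section although it starts a separate script; raise it one level.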


@ -0,0 +1,7 @@
# Virtual Machines
| Person | RAM | HDD | Net | CPU | Description |
|:------------- |:----- |:---- |:--------- |:-------- |:--------------------- |
| otih | | | | | KVM/OpenVZ (AS64608)
| siska | 384Mb | 40Gb | 10/10Mbit | 1x2.9Ghz | KVM/QEMU (VNC) (AS76103)
| thomasdotde | | | | | HyperV-Server
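Review bot: The three data rows of the table (`otih`, `siska`, `thomasdotde`) have no closing `|`, unlike the header and separator rows; add it so every renderer draws the last column. The page also gives no indication of how to request a VM or how to reach the people listed.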

145
services/Services-Whois.md Normal file

@ -0,0 +1,145 @@
# Whois registry
**aka** _The registry_ contains:
* AS numbers assignations
* Subnet assignations
* DNS root zone for `dn42.`
## Names and numbers
dn42 uses some names and numbers, which are declared in the registry. Whenever possible, we try to stick to names and numbers that do not conflict with the ICANN-net or other networks similar to dn42, for instance by using private numbers space.
### Address space
dn42 uses **172.22.0.0/15** for IPv4.
For IPv6, we use both ULA (that is, **fd00::/8**) and globally unique PI/PA address space of participants. ULA is prefered for various reasons, see the [FAQ](Frequently-Asked-Questions#What-about-IPv6-in-DN42?).
### AS numbers
Since June 2014, dn42 is using the **4242420000-4242429999** ASN range for allocations. This range is further subdivided:
* **4242420000-4242423999** for end-users allocations
* **4242424000-4242426999** reserved for future use
* **4242427000-4242429999** for sub-allocations
If you are running a project similar to dn42, please use another range of ASN. The "sub-allocations" range is meant for dn42 users willing to have administrative control over a small, consecutive range of ASN (e.g. to use them directly or to distribute them).
Note that currently, most AS are using one of the legacy ASN range (and will probably continue to do so, as renumbering is painful). See the [FAQ](Frequently-Asked-Questions#Why-are-you-using-ASN-in-the-76100-76199-range?) for a discussion on AS ranges.
### DNS zones
dn42 uses the `dn42.` TLD, which is not present in the root DNS zone of the ICANN-net. For details, see [DNS](Services-DNS).
Note that other TLDs should also be usable from dn42, most notably from Freifunk and ChaosVPN. A tentative list is available at [External DNS](External-DNS).
## Web interface
Nixnodes provides a nice web interface, that allows you to **add/edit records** easily. It is available at https://io.nixnodes.net/?registry. A full guide is available at [Getting started](Getting-started-with-dn42#Fill-in-the-registry).
### Authentication
To add or edit records with the web interface, authentication is done thanks to **maintainer objects**. Each maintainer object has a password associated to it.
The password are not stored in cleartext in the registry: a hash is computed from the password and the name of the maintainer object. To generate such a hash (e.g. in case you forgot your password), use https://io.nixnodes.net/nctlio.php?m=dnr&gen=mypassword&mnt=MYMAINTAINER-MNT
### Misc
A read-only interface is also available at http://ix.ucis.dn42/dn42/ ([public](http://ix.ucis.nl/dn42/) or 172.22.166.3). The used PHP scripts are available from UFO a.k.a. Ivo at request.
## DNS interface
There is also a DNS-based interface to query AS information from the registry. The DNS zone is `asn.dn42`. Example:
$ dig +short AS76103.asn.dn42 TXT
"76103 | DN42 | dn42 | | NIXNODES-IX - NixNodes CORE Network"
The Python code for generating the zone from the registry is available on the monotone repository.
The idea comes from the guys at cymru.com, who provide this service for the Internet (e.g. `AS1.asn.cymru.com`), see https://www.team-cymru.org/Services/ip-to-asn.html#dns
## Address space
There is nice 3djs visualisation showing current address space usage: http://dataviz.polynome.dn42/dn42-netblock-visu/registry.html ([public](http://109.24.208.244:8888/dn42-netblock-visu/registry.html) or 172.23.184.98). The input data is taken from the registry.
Another visualisation shows the prefixes seen by BGP: http://dataviz.polynome.dn42/dn42-netblock-visu/index.html ([public](http://109.24.208.244:8888/dn42-netblock-visu/index.html) or 172.23.184.98).
## Software
* [[lglass]] is a python implementation for working with the registry. It features a whois server, tools to manipulate the data (DNS zone generation, etc).
## Whois daemons
| **person** | **dns** | **ip** |
|------------|---------------------------|-----------------|
| welterde | thinkbase.srv.welterde.de | 46.4.248.201 |
| fritz | whois.fritz.dn42 | 172.22.119.139 |
| nixnodes | whois.nixnodes.dn42 | 172.22.177.77 |
### Usage
```sh
whois -h $host $query
```
### Using a whois config
```sh
$ cat /etc/whois.conf
\.dn42$ 172.22.177.77
\-DN42$ 172.22.177.77
# dn42 range 64512-65534
^as6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9]{2})|5([0-4][0-9]{2}|5([0-2][0-9]|3[0-4])))$ 172.22.177.77
# dn42 range 76100-76199
^as761[0-9][0-9]$ 172.22.177.77
# dn42 range 4242420000-4242429999
^as424242[0-9]{4}$ 172.22.177.77
# dn42 ipv4 address space
^172\.2[2-3]\.[0-9]{1,3}\.[0-9]{1,3}(/(1[56789]|2[0-9]|3[012]))?$ 172.22.177.77
# dn42 ula ipv6 address space
fd**:****:****:****:****:****:****:**** 172.22.177.77
```
You can then use whois without specifying the server. Works at least with Marco d'Itri's whois client.
### Running your own whoisd
```sh
cd /home/some/path/to/store/branch
sudo aptitude install ruby rubygems
sudo gem install netaddr
cd whoisd/ruby
sudo ruby whoisd.rb nobody
```
## Monotone
Monotone is an distributed revision control system. Monotone tracks revisions to files, groups sets of revisions into changesets, and tracks history across renames. The design principle is distributed operation making heavy use of cryptographic primitives to track file revisions (via the SHA-1 secure hash) and to authenticate user actions (via RSA cryptographic signatures). Each participant maintains their own revision history store in a local SQLite database. Monotone is especially strong in its support of a diverge/merge workflow, which it achieves in part by always allowing commit before merge. Revisions are exchanged using the custom netsync protocol which shares some conceptual ground with rsync and cvs.
* [Website](http://monotone.ca/)
* [Tutorial](http://monotone.ca/docs/Tutorial.html)
### Monotone servers
| Person | Address | Status |
|----------|----------------------------------------|--------|
| crest | mtn.crest.dn42 | UP |
| dracoling | dn42.smrsh.net (net.smrsh.dn42) | UP |
| siska | mtn.nixnodes.net / mtn.nixnodes.dn42 (172.22.177.77) | UP |
| xuu | mtn.xuu.dn42 (172.22.141.248) | UP |
| zorun | mtn.polyno.me / mtn.polynome.dn42 (172.23.184.71| UP |
### Monotone branches
* net.dn42.registry: Contains the registry and some related code
### Client setup
```sh
mtn genkey you@domain.tld
mtn pubkey you@domain.tld # send the output to some $monotone_server operator (do NOT send the keypair!)
mtn clone 'mtn://$monotone_server/?net.dn42.*' --branch net.dn42.registry
cd net.dn42.registry
$add_your_objects
mtn add --unknown
mtn ci -k you@domain.tld
mtn sync
```
### Server setup
Debian has a package "monotone-server", with config located in "/etc/monotone".
Pro-tip: monotone seems to use `SO_V6ONLY`, which is annoying. To bind to both IPv4 and IPv6, use `ADDRESS=":: --bind 0.0.0.0"` in `/etc/default/monotone`.
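Review bot: The "Authentication" section tells users to generate their maintainer hash by loading `https://io.nixnodes.net/nctlio.php?m=dnr&gen=mypassword&mnt=MYMAINTAINER-MNT`, which puts the cleartext password into a URL query string sent to a remote server, where it stays in browser history and typically in web server logs. Document the hash construction (the algorithm and how the password and maintainer name are combined) so it can be computed locally. Further down, "Running your own whoisd" starts the daemon with `sudo ruby whoisd.rb nobody`; say what the `nobody` argument does, presumably the user the daemon switches to after binding the port. In "Client setup", `mtn clone 'mtn://$monotone_server/?net.dn42.*'` is single-quoted, so `$monotone_server` is not expanded if a reader sets it as a shell variable. The zorun row of the "Monotone servers" table is missing the closing parenthesis after `172.23.184.71`, and the page has two headings named "Address space", which gives them colliding anchors.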