Strange DNS queries when Google Chrom(ium) is running

August 10th, 2011

I noticed something strange lately: when Google Chrom(ium) 12.0.742.112 (90304) is running on my up-to-date Ubuntu 11.04, it always sends out DNS queries at a 10 second interval, similar to these:

09:28:54.892711 IP linux.home.lan.52626 > ipv4gw.home.lan.domain: 55443+ AAAA? www.google.com. (32)
09:28:54.899660 IP linux.home.lan.33455 > ipv4gw.home.lan.domain: 13122+ PTR? 1.1.168.192.in-addr.arpa. (42)
09:28:54.900955 IP ipv4gw.home.lan.domain > linux.home.lan.33455: 13122* 1/0/0 PTR ipv4gw.home.lan. (74)
09:28:54.901153 IP linux.home.lan.50369 > ipv4gw.home.lan.domain: 21436+ PTR? 229.1.168.192.in-addr.arpa. (44)
09:28:54.902997 IP ipv4gw.home.lan.domain > linux.home.lan.50369: 21436* 1/0/0 PTR linux.home.lan. (75)
09:28:54.944839 IP ipv4gw.home.lan.domain > linux.home.lan.52626: 55443 1/0/0 CNAME www.l.google.com. (52)
09:28:54.945042 IP linux.home.lan.41788 > ipv4gw.home.lan.domain: 60563+ A? www.google.com. (32)
09:28:55.003016 IP ipv4gw.home.lan.domain > linux.home.lan.41788: 60563 3/0/0 CNAME www.l.google.com., A 209.85.143.99, A 209.85.143.104 (84)

09:28:55.894074 IP linux.home.lan.52008 > ipv4gw.home.lan.domain: 29437+ AAAA? mmxavuhjug.home.lan. (40)
09:28:55.894357 IP linux.home.lan.35436 > ipv4gw.home.lan.domain: 521+ AAAA? vhskgbyarv.home.lan. (40)
09:28:55.894595 IP linux.home.lan.45136 > ipv4gw.home.lan.domain: 53766+ AAAA? ksufeyycxa.home.lan. (40)
09:28:55.895823 IP ipv4gw.home.lan.domain > linux.home.lan.52008: 29437 NXDomain 0/0/0 (40)
09:28:55.895963 IP linux.home.lan.36059 > ipv4gw.home.lan.domain: 12946+ A? mmxavuhjug.home.lan. (40)
09:28:55.897602 IP ipv4gw.home.lan.domain > linux.home.lan.35436: 521 NXDomain 0/0/0 (40)
09:28:55.897676 IP ipv4gw.home.lan.domain > linux.home.lan.45136: 53766 NXDomain 0/0/0 (40)
09:28:55.897765 IP linux.home.lan.44839 > ipv4gw.home.lan.domain: 64206+ A? ksufeyycxa.home.lan. (40)
09:28:55.897835 IP linux.home.lan.41554 > ipv4gw.home.lan.domain: 45782+ A? vhskgbyarv.home.lan. (40)
09:28:55.899852 IP ipv4gw.home.lan.domain > linux.home.lan.36059: 12946 NXDomain 0/0/0 (40)
09:28:55.899993 IP ipv4gw.home.lan.domain > linux.home.lan.44839: 64206 NXDomain 0/0/0 (40)
09:28:55.900277 IP linux.home.lan.37840 > ipv4gw.home.lan.domain: 24605+ AAAA? ksufeyycxa.home.lan. (40)
09:28:55.900530 IP linux.home.lan.38511 > ipv4gw.home.lan.domain: 59521+ AAAA? mmxavuhjug.home.lan. (40)
09:28:55.902077 IP ipv4gw.home.lan.domain > linux.home.lan.41554: 45782 NXDomain 0/0/0 (40)
09:28:55.902148 IP ipv4gw.home.lan.domain > linux.home.lan.37840: 24605 NXDomain 0/0/0 (40)
09:28:55.902503 IP linux.home.lan.36729 > ipv4gw.home.lan.domain: 26133+ AAAA? vhskgbyarv.home.lan. (40)
09:28:55.902630 IP linux.home.lan.37400 > ipv4gw.home.lan.domain: 39639+ A? ksufeyycxa.home.lan. (40)
09:28:55.904271 IP ipv4gw.home.lan.domain > linux.home.lan.38511: 59521 NXDomain 0/0/0 (40)
09:28:55.904344 IP ipv4gw.home.lan.domain > linux.home.lan.36729: 26133 NXDomain 0/0/0 (40)
09:28:55.904469 IP linux.home.lan.38786 > ipv4gw.home.lan.domain: 4130+ A? mmxavuhjug.home.lan. (40)
09:28:55.904570 IP linux.home.lan.42703 > ipv4gw.home.lan.domain: 52825+ A? vhskgbyarv.home.lan. (40)
09:28:55.906403 IP ipv4gw.home.lan.domain > linux.home.lan.37400: 39639 NXDomain 0/0/0 (40)
09:28:55.906547 IP ipv4gw.home.lan.domain > linux.home.lan.38786: 4130 NXDomain 0/0/0 (40)
09:28:55.907959 IP ipv4gw.home.lan.domain > linux.home.lan.42703: 52825 NXDomain 0/0/0 (40)

I had a play to see what is causing this, and I figured out that it is definitely Chrome. I closed all the tabs, and it was still happening. The queries are always different; they never repeat themselves. I wonder what would happen if one of these resolved to an actual internal IP…
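A way to pick this pattern out of a tcpdump capture, as an added example that is not part of the original post. Bursts of lookups for random single-label names under the local search domain are what Chrome's intranet redirect detector sends to check whether the resolver answers nonexistent names honestly with NXDOMAIN or rewrites them; from the defender's side the interesting case is therefore a probe-looking name that comes back with a positive answer, which points at something in the resolver path rewriting responses. The script pairs each query with its reply by client port and transaction id, treats a single label of 7 to 15 lowercase letters directly under the search domain as probe-looking (a heuristic chosen here; the captured labels are all 10 letters), clusters such lookups that fall within one second, and reports clusters of three or more distinct names together with any name in the cluster that resolved. The sample input reuses lines from the capture above and adds constructed lines: a lone typo lookup (printre.home.lan) to show that a single NXDOMAIN is not reported, and a second burst where one name gets a constructed 192.0.2.10 answer. The search domain home.lan is taken from the capture.

```python
import re

# Sample input: lines reused from the capture in the post, plus constructed lines
# (the lone "printre" typo lookup and the second burst with a 192.0.2.10 answer).
SAMPLE = """\
09:28:54.892711 IP linux.home.lan.52626 > ipv4gw.home.lan.domain: 55443+ AAAA? www.google.com. (32)
09:28:54.899660 IP linux.home.lan.33455 > ipv4gw.home.lan.domain: 13122+ PTR? 1.1.168.192.in-addr.arpa. (42)
09:28:54.900955 IP ipv4gw.home.lan.domain > linux.home.lan.33455: 13122* 1/0/0 PTR ipv4gw.home.lan. (74)
09:28:54.944839 IP ipv4gw.home.lan.domain > linux.home.lan.52626: 55443 1/0/0 CNAME www.l.google.com. (52)
09:28:55.894074 IP linux.home.lan.52008 > ipv4gw.home.lan.domain: 29437+ AAAA? mmxavuhjug.home.lan. (40)
09:28:55.894357 IP linux.home.lan.35436 > ipv4gw.home.lan.domain: 521+ AAAA? vhskgbyarv.home.lan. (40)
09:28:55.894595 IP linux.home.lan.45136 > ipv4gw.home.lan.domain: 53766+ AAAA? ksufeyycxa.home.lan. (40)
09:28:55.895823 IP ipv4gw.home.lan.domain > linux.home.lan.52008: 29437 NXDomain 0/0/0 (40)
09:28:55.897602 IP ipv4gw.home.lan.domain > linux.home.lan.35436: 521 NXDomain 0/0/0 (40)
09:28:55.897676 IP ipv4gw.home.lan.domain > linux.home.lan.45136: 53766 NXDomain 0/0/0 (40)
09:29:10.100000 IP linux.home.lan.40001 > ipv4gw.home.lan.domain: 777+ A? printre.home.lan. (38)
09:29:10.102000 IP ipv4gw.home.lan.domain > linux.home.lan.40001: 777 NXDomain 0/0/0 (38)
09:29:20.000100 IP linux.home.lan.40010 > ipv4gw.home.lan.domain: 901+ A? qwpzlxkcfa.home.lan. (40)
09:29:20.000200 IP linux.home.lan.40011 > ipv4gw.home.lan.domain: 902+ A? rtyhbnmvcx.home.lan. (40)
09:29:20.000300 IP linux.home.lan.40012 > ipv4gw.home.lan.domain: 903+ A? zxcvbnmasd.home.lan. (40)
09:29:20.002000 IP ipv4gw.home.lan.domain > linux.home.lan.40010: 901 NXDomain 0/0/0 (40)
09:29:20.002100 IP ipv4gw.home.lan.domain > linux.home.lan.40011: 902 NXDomain 0/0/0 (40)
09:29:20.002200 IP ipv4gw.home.lan.domain > linux.home.lan.40012: 903 1/0/0 A 192.0.2.10 (56)
"""

# Query line: "<ts> IP <client>.<port> > <resolver>.domain: <txid>+ <TYPE>? <name>. (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>\d+) > \S+\.domain: "
    r"(?P<txid>\d+)\+ (?P<qtype>[A-Z]+)\? (?P<name>\S+)\. \(\d+\)$"
)
# Reply line: "<ts> IP <resolver>.domain > <client>.<port>: <txid>[*] [NXDomain] a/b/c ..."
RESP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \S+\.domain > \S+?\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\*? (?P<nx>NXDomain )?\d+/\d+/\d+"
)
LABEL_RE = re.compile(r"^[a-z]{7,15}$")  # heuristic shape of a probe label


def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Pair every query with its reply by (client port, transaction id); entries sorted by time."""
    queries, replies = {}, {}
    for line in text.splitlines():
        q, r = QUERY_RE.match(line.strip()), RESP_RE.match(line.strip())
        if q:
            queries[(q["sport"], q["txid"])] = q
        elif r:
            replies[(r["dport"], r["txid"])] = r
    entries = []
    for key, q in queries.items():
        r = replies.get(key)
        rcode = "NOREPLY" if r is None else ("NXDOMAIN" if r["nx"] else "NOERROR")
        entries.append({"ts": to_seconds(q["ts"]), "name": q["name"], "qtype": q["qtype"], "rcode": rcode})
    return sorted(entries, key=lambda e: e["ts"])


def looks_like_probe(name, search_domain):
    """A single label of 7-15 lowercase letters directly under the search domain."""
    suffix = "." + search_domain
    return name.endswith(suffix) and bool(LABEL_RE.match(name[: -len(suffix)]))


def detect_probe_bursts(text, search_domain, window=1.0, min_names=3):
    """Cluster probe-looking lookups within `window` seconds; report clusters with at least
    `min_names` distinct names and list any name in the cluster that got a positive answer."""
    probes = [e for e in parse_capture(text) if looks_like_probe(e["name"], search_domain)]
    bursts, cluster = [], []
    for e in probes + [None]:  # None is a sentinel that flushes the last cluster
        if cluster and (e is None or e["ts"] - cluster[0]["ts"] > window):
            names = sorted({c["name"] for c in cluster})
            if len(names) >= min_names:
                bursts.append({
                    "start": cluster[0]["ts"],
                    "names": names,
                    "resolved": sorted({c["name"] for c in cluster if c["rcode"] == "NOERROR"}),
                })
            cluster = []
        if e is not None:
            cluster.append(e)
    return bursts


if __name__ == "__main__":
    for b in detect_probe_bursts(SAMPLE, "home.lan"):
        status = ("answered positively: " + ", ".join(b["resolved"])) if b["resolved"] else "all NXDOMAIN"
        print("burst at %.3f s: %s (%s)" % (b["start"], ", ".join(b["names"]), status))
```

Run on the sample, the first burst is reported with every name NXDOMAIN (the expected outcome on a resolver that does not rewrite answers), the lone printre lookup is dropped, and the second burst is reported with zxcvbnmasd.home.lan listed as resolved.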

Categories: Security

How do I test my IPv6 capable mailserver?

August 9th, 2011

Just a quick tip: You have Postfix running and want to enable IPv6 for your email as well? After quite some playing around I finally got it right:

inet_interfaces = 127.0.0.1, 94.229.77.82, 2a01:348:6:315::2, ::1
inet_protocols = ipv4, ipv6

This makes Postfix listen only where you actually need it to – I don't like daemons listening on interfaces where they are not serving any requests.
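A consistency check for this pair of settings, added here as an example; it is not from the post and not part of Postfix. It parses a main.cf fragment, classifies each inet_interfaces entry by address family with Python's ipaddress module, and reports when inet_protocols does not cover a family that inet_interfaces binds, when inet_interfaces = all is used (which binds every address on the host, the opposite of what the post wants), or when an entry is not an address literal. The two fragments embedded below are constructed: the first repeats the post's settings, the second shows the mismatch where inet_protocols was left at ipv4.

```python
import ipaddress
import re

# Constructed main.cf fragments: the post's working settings, and a mismatched variant.
MAIN_CF_GOOD = """\
inet_interfaces = 127.0.0.1, 94.229.77.82, 2a01:348:6:315::2, ::1
inet_protocols = ipv4, ipv6
"""
MAIN_CF_BAD = """\
inet_interfaces = 127.0.0.1, 94.229.77.82, 2a01:348:6:315::2, ::1
inet_protocols = ipv4
"""


def parse_main_cf(text):
    """Minimal 'key = value' parser; ignores comments and blank lines."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def check_listeners(text):
    """Return findings about inet_interfaces versus inet_protocols (empty list means consistent)."""
    params = parse_main_cf(text)
    interfaces = split_list(params.get("inet_interfaces", "all"))
    protocols = set(split_list(params.get("inet_protocols", "all")))
    if "all" in protocols:
        protocols = {"ipv4", "ipv6"}
    if interfaces == ["all"]:
        return ["inet_interfaces = all binds every address on the host; list the addresses that actually serve mail"]
    if interfaces == ["loopback-only"]:
        return []
    findings, families = [], set()
    for item in interfaces:
        try:
            families.add("ipv6" if ipaddress.ip_address(item).version == 6 else "ipv4")
        except ValueError:
            findings.append("%s is not an IP address literal; use explicit addresses so the bound set is unambiguous" % item)
    for family in sorted(families - protocols):
        findings.append("inet_interfaces binds %s addresses but inet_protocols = %s does not enable %s"
                        % (family, ", ".join(sorted(protocols)), family))
    return findings


if __name__ == "__main__":
    for label, cf in (("good", MAIN_CF_GOOD), ("bad", MAIN_CF_BAD)):
        print(label, check_listeners(cf) or ["consistent"])
```

The check only reads the configuration; after a change, the listening sockets themselves are what to confirm on the host.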

How do I test IPv6 enabled mail?

Just go here and off you go. Don't forget to put some fancy text in there that you can show off with… *g

Categories: IPv6

Nginx, PHP-FPM and APC – and your server will love you

August 9th, 2011

I have to admit, I really loved Apache with ModSecurity (with the CoreRuleSet); it gave me “peace at night”. But then I noticed that this actually eats quite a lot of memory… and as a heavy TinyTinyRSS user I noticed that TTRSS is sometimes quite sluggish loading articles. So I had another look at Nginx. I did have a look at it in the past, but I gave up on it, as the provided version from Debian Lenny didn't support IPv6; the version for Squeeze does, though.

So initially I installed Nginx with PHP-FASTCGI. It was good, fast, and the memory problems were sorted. The sluggishness with TTRSS was solved as well. (Now, after some weeks running it, I still notice “phew, memory isn't used at all, how does this work actually?”.)

(Preface: I won't be posting configuration details on here, just my experience and some pointers. I don't like repetition, and with the search engine of your choice speckled with some common “sysadmin sense” you will find what you need.)

I already found some hints that PHP-FPM is much better than PHP-FASTCGI. (I was surprised that this was not good enough.) And so I recently came across dotdeb.org (again), which gives you the ability

  1. to install a more recent Nginx than the Debian Squeeze one
  2. to update PHP to 5.3.6
  3. to install PHP-FPM

which is even better. I also enabled APC as a PHP opcode cache, which helps further. (I actually configured the latter so that it writes a logfile (I still want to know when something goes wrong), but the actual service is not restarted; just the new logfile is opened. You can do this by sending SIGUSR1 to the php5-fpm master process. This doesn't empty the cache. At the time of writing I have 473362 hits vs. 656 misses (99.9% / 0.1%); I wonder when I will have 100%.)

Tests and results

Did I do some tests to show you some fancy numbers which prove that this is faster? I am sorry, but I have to disappoint you.

I can give you some hard facts:

  1. The system never ran out of memory with Nginx, and it has now been running for maybe 5+ weeks.
  2. The sluggishness with TTRSS is gone (i.e. browsing quickly through different RSS articles is much faster; TTRSS loads the article every time, and if I did this fast enough, TTRSS was locked up for some time, as Apache didn't deliver the actual article fast enough). On a subjective note: it is definitely faster.

I am happy with my choice. Anything on the internet should be kept up to date anyway – despite the fact that you are running ModSec.

And it is faster and uses less memory – what more does a sysadmin want?

PS: I forgot: the next step is enabling the Caching plugin in Nginx; this should speed it up even further. When you are serving a lot of static objects, like pictures, Varnish is your friend and is very easy to configure.

Post-PS: WordPress optimizations are the next thing! CDN – here I come!

Categories: New technology

Extending the wireless range of a WRT54GL with Solwise powerline adapters and another WRT54GL

July 24th, 2011

I just fixed a quite common problem that most of us have at home – the wireless signal is not that great in other places in the house. I wanted to do two things initially:

  1. Use Solwise powerline adapters; I don't want to drill through walls to install long ethernet cables. (A friend of mine pointed me in that direction.)
  2. Use a second Linksys (now Cisco) WRT54GL, as I definitely want to run OpenWRT on it.

Item 1 doesn't need further explanation, I suppose. In regard to item 2, I just love OpenWRT: it is slick, fast, easy to configure, very minimalistic; in short, it does its job perfectly fine.

Solwise powerline adapters

I had somewhat mixed feelings about whether these would work fine, whether I would get decent throughput without errors and such. Now they are here, installed, and work perfectly fine…

  1. They come preconfigured with a common Private Network Name. I didn't really like that, so I randomized it, which was really easy to do: press “Connect” for 10s on one unit, then “Connect” for 2s on the other unit.
  2. The connection rate was initially only “good” over a longer distance; when I had them in the same room the connection rate was “best”, as they shared the same electrical circuit. After some time (hours) the connection rate is now “best” even over the longer distance, which is very good.
  3. They introduce a latency of 3 to 4 ms…

Using a second WRT54GL to extend wireless

So initially I went with the most obvious setup: WRT54GL number 2 (W2) is connected via its WAN port to a LAN port on WRT54GL number 1 (W1). This gave me various headaches: a different network behind W2 and as such a separate DNS namespace, so I would have to query both routers to get the IP of a connected client. There are various other hacks to get around this issue, but none of them was good enough.

Then I figured out, on the second thread of this post, that it is actually very easy to achieve what I want to have:
  1. Connect W2 and W1 via LAN ports on each side.
  2. Configure the LAN interface of W2 as a normal client in the LAN of W1 – I used a static IP in this case.
  3. No need to configure the WAN interface on W2 – just leave it unconfigured.
  4. Disable DHCP on W2 – /etc/init.d/dnsmasq stop && /etc/init.d/dnsmasq disable
  5. To enable “roaming”, just put the same wireless configuration on W2 as on W1. It is not really roaming, as you need to reconnect the client when you want to connect to the other one. At least it works perfectly when one wireless signal goes away: the client automatically reconnects to the other one (as long as automatic reconnection is enabled).
  6. Make sure the firewall is also disabled on W2 – /etc/init.d/firewall stop && /etc/init.d/firewall disable
  7. Reboot W2.

After this you have only one network, where a single DHCP and DNS service is doing its thing.
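A script that audits a W2 configuration against the steps above, added here as an example; it is not from the post and not an OpenWRT tool. It reads the UCI files as text with a small parser and reports deviations from the list: LAN not static or not inside W1's subnet, a WAN section that has been given a protocol after all, wireless settings that differ from W1 (so a client that drops off one AP can reconnect to the other with the same credentials), and dnsmasq or firewall still enabled at boot. All inputs are constructed: W1's subnet, the SSID and key, W2's address, and the set of init scripts still enabled on W2 (in practice that set is what /etc/rc.d lists, since /etc/init.d/<name> disable removes the symlink there). The ifname values eth0.0/eth0.1 and the broadcom radio type are typical of a WRT54GL on OpenWRT but are assumed here, not taken from the post.

```python
import ipaddress
import re

# Constructed inputs: W1's LAN subnet and wireless settings, W2's UCI files after the steps,
# and the init scripts still enabled at boot on W2 (what `ls /etc/rc.d` would list).
W1_SUBNET = "192.168.1.0/24"
W1_WIRELESS = {"mode": "ap", "network": "lan", "ssid": "home-wlan",
               "encryption": "psk2", "key": "correct horse battery staple"}

W2_NETWORK = """\
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.0'
    option proto 'static'
    option ipaddr '192.168.1.2'
    option netmask '255.255.255.0'
    option gateway '192.168.1.1'
    option dns '192.168.1.1'

config interface 'wan'
    option ifname 'eth0.1'
"""
W2_WIRELESS = """\
config wifi-device 'radio0'
    option type 'broadcom'
    option channel '6'

config wifi-iface
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'home-wlan'
    option encryption 'psk2'
    option key 'correct horse battery staple'
"""
W2_ENABLED = {"network", "dropbear", "boot", "done"}

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
OPTION_RE = re.compile(r"^option\s+(\S+)\s+'([^']*)'$")


def parse_uci(text):
    """Return [(type, name_or_None, {option: value})] for one UCI config file."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        sec, opt = SECTION_RE.match(line), OPTION_RE.match(line)
        if sec:
            sections.append((sec.group(1), sec.group(2), {}))
        elif opt and sections:
            sections[-1][2][opt.group(1)] = opt.group(2)
    return sections


def section(sections, stype, name=None):
    """First section of the given type (and name, if given), or None."""
    return next((opts for t, n, opts in sections if t == stype and (name is None or n == name)), None)


def check_dumb_ap(network_text, wireless_text, enabled_services, w1_subnet, w1_wireless):
    """Audit W2 against the steps: static LAN address inside W1's subnet, WAN left unconfigured,
    wireless identical to W1 and bridged into lan, dnsmasq and firewall not started at boot."""
    findings = []
    net = parse_uci(network_text)
    lan = section(net, "interface", "lan") or {}
    if lan.get("proto") != "static":
        findings.append("lan: proto is not 'static'")
    try:
        if ipaddress.ip_address(lan.get("ipaddr", "")) not in ipaddress.ip_network(w1_subnet):
            findings.append("lan: ipaddr %s is outside W1's subnet %s" % (lan["ipaddr"], w1_subnet))
    except ValueError:
        findings.append("lan: ipaddr missing or invalid")
    wan = section(net, "interface", "wan") or {}
    if wan.get("proto") not in (None, "none"):
        findings.append("wan: should stay unconfigured but has proto '%s'" % wan["proto"])
    iface = section(parse_uci(wireless_text), "wifi-iface") or {}
    for key, want in w1_wireless.items():
        if iface.get(key) != want:
            findings.append("wireless: %s differs from W1 (got %r)" % (key, iface.get(key)))
    for svc in sorted({"dnsmasq", "firewall"} & set(enabled_services)):
        findings.append("%s is still enabled at boot; run /etc/init.d/%s disable" % (svc, svc))
    return findings


if __name__ == "__main__":
    print(check_dumb_ap(W2_NETWORK, W2_WIRELESS, W2_ENABLED, W1_SUBNET, W1_WIRELESS)
          or ["W2 matches the dumb-AP checklist"])
```

The wireless comparison deliberately includes the key, because a W2 with the same SSID but a different key is exactly the setup where clients fail to reconnect after one signal drops.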

Tests

I have not really done any speed tests, or checked whether the Solwise powerline adapters are really doing what they promise. The reason is quite simple: I got 200Mbps Solwise adapters and none of my machines has a Gbit NIC in it, so… *g I mentioned earlier that the Solwise introduce 3 to 4 ms latency between directly connected devices. That's good enough for me; I am not a gamer and don't crave zero latency.

I actually just tried a speed test, but the problem is that on both ends there are WRT54GLs, i.e. embedded devices, and the speed I got was just about 4Mbps.

PS: One thing to note: just when I started writing this article I reinstalled W2, i.e. plugged everything into the power socket again. The connection rate was shown as “good” the whole time, and just now it has gone to “best”. The speed between the routers has not improved.

PPS: I completely forgot – IPv6 just works with this setup as well… *g

Categories: New technology

Maybe yet another #BSidesLondon and a big London security conference this autumn #infosec

April 29th, 2011

Alec Muffett mentions in his article “The Security Backlog” that there may be another B-Sides later in the year, and we can expect a big London security conference this autumn.

Thanks for linking, Alec.

Categories: Events