Now, first things first; you need to run your own dns server. Secondly, the target must be using your dns server for lookups.

The first thing we need is the ip address to kittenwar.com. Thats easy. Its 64.111.96.38. I shouldn’t have even mentioned this part.

Secondly, we need to construct a zone declaration that will claim to be the master for anything. I used the following:

zone "." {
	type master;
	file "kittenwar/all.hosts";
	};

It worked great. See, in dns, all domains end with an usually implied “.”. (Its the one between the quotes) This dot represents the root nameservers and how they’re the start of the domain name system. I claim here to be the master authoritative namerserver for any domain ending in “.”. That is to say, all domains.

Next, is the actual redirection…trickery…dns spoofing…whatever. We now need to match all domains to have an A record of 64.111.96.38. Luckily, this is easy. I used the following:

$TTL	86400
@			IN	SOA	localhost. root.localhost. (
					      2		; Serial
					 604800		; Refresh
					  86400		; Retry
					2419200		; Expire
					  86400 )	; Negative Cache TTL
;
@			IN	NS	localhost.
@			IN	A	64.111.96.38
*			IN	A	64.111.96.38

Which also worked great. Most of that isn’t strictly necessary for a zone like this but, i already had that one mostly made. As you can see, we define “.” to have an A record for kittenwar as well as anything else “*”. Well thats great, your done, your target is now going to kittenwar.com and there’s nothing he can do, right? WRONG!! You still need to select that victim to be the one that feels your wrath.

This next step involves views. If your not using views, well, you should. The tricky thing about them is every zone *must* be in a view if even one is. So, remember that. Bind cries bloody tears of pain everytime you don’t. Sorry just wanted to make that point as graphic as possible. You can add them manually if you want. The way i did it, was with acl’s. I used the following:

acl kittened { 192.168.0.102; 192.168.0.110; };

This matches both my brother (192.168.0.102) and myself (192.168.0.110). I added myself so i could test that its working. I recommend doing this temporarily. Now, add the acl to any views that the hosts may already be matched by.

view "internal" {
    match-clients { !kittened; localnets; };
    recursion yes;
    include "/etc/bind/internal/internal.conf";
};

There i’ve removed the acl “kittened” and all its hosts from normal service because i’m going to add them to a completely separate view. Now, lets create that view. The syntax is fairly simple, really just copy and paste from above where necessary.

view "kittenwar" {
    match-clients { kittened; };
    recursion no;
    include "/etc/bind/kittenwar/kittenwar.conf";
};

And thats it. I turned off recursion for this view because its already authoritative for everything. You don’t need to. Give bind a good restart (it tends to like restarts better for changes like this) and try it out. Now any domain/website that the target attempts to visit will simply bring up the page kittenwar.com.

*Note. Operatings systems and browsers both tend to cache dns lookups. It may take some time for these to expire and the effects to be seen. For best results, have ssh access to the machine and clear the cache yourself/reboot the machine. Also, you can do this for any site for which visiting the ip address takes you to the site. Thats not always true, especially with shared hosting. If you have any questions at all, leave a comment.

*Note 2. When the target goes insane and begins chasing you around the house with a bloody chainsaw (why do the chainsaws always already have blood on them?). And it will happen. Its very easy to reverse this. Just remove the ip address from the acl declaration and restart bind. Then restart the machine/clear caches. Intense “The Shining” style killing urges should subside after a while. If it doesn’t, use your telepathic powers to summon the black guy to his death. Somehow thats relevant and everything ends with you living despite being a retarded 9 year old vs a madman with an axe.

I like managing a webserver. I like manually managing bind and apache from the command line. I like the sense of control i feel when i am able to make any changes i want any time i want. What i don’t like though, is email. Email is evil. Go ahead, take a look at the configuration files for sendmail sometime. Try postfix, not much better. I don’t want to do email but i want to get email. So what did i do? I went with google apps for your domain.

Google apps for your domain is a godsend. I make a few small changed to my dns, which i can easily do; specifying google as my mail exchanger (mx) and i’m done. Below i’ve included the records required for email.

@           IN    MX 1     aspmx.l.google.com.
@           IN    MX 5     alt1.aspmx.l.google.com.
@           IN    MX 5     alt2.aspmx.l.google.com.
@           IN    MX 10    ASPMX2.GOOGLEMAIL.COM.
@           IN    MX 10    ASPMX3.GOOGLEMAIL.COM.
@           IN    MX 10    ASPMX4.GOOGLEMAIL.COM.
@           IN    MX 10    ASPMX5.GOOGLEMAIL.COM.

Google handles all my email for me. I can use their nice, friendly-ish web interface to add up to 100 users for email. I can add mailing lists so that an email sent to, for example, lists@jessecole.org would go to whoever i added to that list. I can tie in my other domains with it so that jesse@jessecole.info works just as well as jesse@jessecole.org and it gets delivered to the same mailbox. On top of all of this, i get google’s fantastic! email filtering. I never get a single spam message through and very rarely do i see a false positive. Google even provides pop, smtp, and imap access to my email.

Another feature that isn’t talked about so much is google talk. Thats right, every user i make can log in to google talk with user@domain.com. The can also use any jabber client to log in. Also, i recently implemented XMPP server dialback as per section 14.4 of RFC 3920 allowing virtually all jabber clients to talk to anyone logged in. Ok, fine. All that is accurate but i just followed google’s instructions here. Incidently, its perfectly legal in dns-ese to paste the following into your zone file or include it globally.

_xmpp-server._tcp   IN SRV  5 0 5269 xmpp-server.l.google.com.
_xmpp-server._tcp   IN SRV 20 0 5269 xmpp-server1.l.google.com.
_xmpp-server._tcp   IN SRV 20 0 5269 xmpp-server2.l.google.com.
_xmpp-server._tcp   IN SRV 20 0 5269 xmpp-server3.l.google.com.
_xmpp-server._tcp   IN SRV 20 0 5269 xmpp-server4.l.google.com.

_jabber._tcp        IN SRV  5 0 5269 xmpp-server.l.google.com.
_jabber._tcp        IN SRV 20 0 5269 xmpp-server1.l.google.com.
_jabber._tcp        IN SRV 20 0 5269 xmpp-server2.l.google.com.
_jabber._tcp        IN SRV 20 0 5269 xmpp-server3.l.google.com.
_jabber._tcp        IN SRV 20 0 5269 xmpp-server4.l.google.com.

Fully qualified domain names are for quitters.

With google apps for your domain you get all this and all of the google apps. Thats right. Your <employee>@jessecole.org account also gets its own google docs, google calendar, google everything!. Its no wonder some businesses are using for their site. The best part about all of this is that its free! You can pay extra and get more users, features, support, etc. Not necessary. This is a great thing for little websites like me.

I hope you enjoyed my little post (post? this is an article!) on google apps. Please, leave me a comment if you liked it/disagree/hate me/whatever.

*Update* I am officially declaring the whitespace stripping in pre text a wordpress bug. I think i’ll actually file one later today. It won’t do it if you step just right through the posting process though so it should look good now.