Last weekend, I was finally able to dedicate some free time to play a little bit with the Raspberry Pi again, so I decided to plug it into my TV and try RISC OS Open using the prebuilt RISC OS Pi (RC14) SD card image.
In fact, I already had a brief encounter with RISC OS running on Acorn hardware (most likely a Risc PC) a while ago at a French demoparty in the late nineties. I’m not sure how popular those machines were in the UK, but in France, it was as exotic as it can get.
Here is a screenshot showing the desktop running a few applications : BBC Basic, StrongEd text editor, and the NetSurf Web browser pointed at my ASCii and ANSi Gallery :
This capture was taken using Snapper and converted from sprite to PNG using ConvImgs.
As a rule of thumb, an application server should never face the Internet directly, unless of course Nginx (or OpenResty) is itself the application server. This is not only for performance reasons, which are not much of a concern anymore with modern runtimes such as Go or Node, but mostly for flexibility and security reasons.
Here are some key points to consider :
Nginx is by now a proven and battle-tested HTTP server
This allows keeping the application as simple as possible : Nginx will handle logging, compression, SSL, and so on
In case the application server goes down, Nginx will still serve a 50x page so visitors know that something is wrong
Nginx has built-in load-balancing features, it also allows running several application servers on the same IP address
Nginx has built-in caching features (with on-disk persistence)
Nginx has rich rate-limiting features, which are especially useful for APIs
Nginx helps protect against some DoS attacks (such as low-bandwidth application-layer attacks)
Lastly, one aspect which tends to be forgotten these days is the importance of server logs. While in some cases it might be an acceptable solution to use Google Analytics or Piwik, for measuring API traffic there is no better option than server logs. For a modern real-time log analyzer, I heartily recommend GoAccess.
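To make the points above concrete, here is an added example (not from the post) written as a POSIX shell script: it refuses any upstream that is not bound to loopback, which is the "application server never faces the Internet directly" rule, and renders an Nginx configuration fragment for the http context that covers what the list asks Nginx to take over: logging, TLS termination, compression, a static 50x page for when the application is down, load balancing across several local backends, on-disk caching, rate limiting, and slow-client timeouts. Hostnames, ports, certificate paths, cache and zone sizes are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not the post's own code: render a reverse-proxy nginx.conf
# fragment in front of loopback-only application servers.
# All names, ports, paths and sizes below are assumptions for illustration.

# Returns 0 only when an application server's listen address is loopback
# (or a unix socket), i.e. the application itself does not face the Internet.
app_listen_is_local() {
    case "$1" in
        127.*:*|\[::1\]:*|localhost:*|unix:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print an http-context nginx.conf fragment for the given upstream addresses
# (space separated). Fails instead of rendering a non-loopback upstream.
render_proxy_conf() {
    upstreams=$1
    for u in $upstreams; do
        app_listen_is_local "$u" || { echo "refusing non-loopback upstream: $u" >&2; return 1; }
    done
    cat <<EOF
upstream app {
$(for u in $upstreams; do printf '    server %s;\n' "$u"; done)
}

# Rate limiting: 10 requests/s per client IP, 10 MB shared zone (assumed sizing)
limit_req_zone \$binary_remote_addr zone=api:10m rate=10r/s;

# On-disk cache for upstream responses (assumed path and sizes)
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=appcache:10m max_size=1g inactive=60m;

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/certs/example.com.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key; # placeholder path

    # Logging and compression handled here, not in the application
    access_log /var/log/nginx/example.com.log combined;
    gzip on;

    # Slow-client (low-bandwidth application layer) protection
    client_body_timeout 10s;
    client_header_timeout 10s;

    # Served from disk when every upstream is down, so visitors see a 50x page
    error_page 502 503 504 /50x.html;
    location = /50x.html { root /usr/share/nginx/html; }

    location / {
        limit_req zone=api burst=20 nodelay;
        proxy_cache appcache;
        proxy_cache_valid 200 10m;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_read_timeout 30s;
        proxy_pass http://app;
    }
}
EOF
}

# Usage: render into a file included from the http block, then `nginx -t`.
if [ "${1:-}" = render ]; then
    render_proxy_conf "127.0.0.1:8080 127.0.0.1:8081"
fi
```

The loopback check is the part worth keeping even if the rest of the fragment is adapted: the rest of the list (caching, rate limits, the 50x page) only protects the application if nothing can reach it around Nginx.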
Given NetBSD's focus on portability, it’s only logical that pkgsrc is also available on systems other than NetBSD, including Darwin (Mac OS X). Here are some notes showing how to bootstrap pkgsrc in unprivileged mode, which means that everything can easily be installed in the user's home directory.
Before starting, we need to install Xcode Command Line Tools to get a working compiler.
Fetching and extracting the latest pkgsrc stable release
This will create a ~/pkgsrc directory :
tar xfz pkgsrc.txz
Launching the bootstrap script and setting the ABI to 64-bit :
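The whole procedure as a script, added here as an example rather than taken from the post: it checks that a compiler is present, fetches the tarball, verifies it against a SHA-512 digest before extracting it (the post does not do this; it is the step I would not skip for a source tree that builds everything you install afterwards), and runs the bootstrap in unprivileged mode with a 64-bit ABI. The `--unprivileged`, `--abi` and `--prefix` options are real bootstrap options; the download URL and digest are placeholders to be taken from the pkgsrc release you actually use, and the install prefix `$HOME/pkg` is an assumption.

```shell
#!/bin/sh
# Added example, not the post's own commands: fetch, verify and bootstrap
# pkgsrc in unprivileged mode on a Mac (or any system with a C compiler).
# PKGSRC_URL and PKGSRC_SHA512 are placeholders: take the real values from
# the pkgsrc release announcement or the NetBSD mirror you use.
PKGSRC_URL="${PKGSRC_URL:-https://PLACEHOLDER.example/pkgsrc.txz}"
PKGSRC_SHA512="${PKGSRC_SHA512:-PLACEHOLDER_DIGEST}"
PKGSRC_PREFIX="${PKGSRC_PREFIX:-$HOME/pkg}"   # assumed install prefix

# SHA-512 hex digest of a file, using whichever tool the host has
# (sha512sum on most Linux systems, shasum on macOS).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# Returns 0 only if the file's digest equals the expected one (hex, any case).
verify_sha512() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha512_of "$1")
    [ "$actual" = "$expected" ]
}

# A working compiler: on macOS this means the Xcode Command Line Tools
# (installed with `xcode-select --install`).
have_compiler() {
    command -v cc >/dev/null 2>&1
}

# PATH entries for an unprivileged installation under the given prefix.
pkgsrc_path() {
    printf '%s/bin:%s/sbin' "$1" "$1"
}

bootstrap_pkgsrc() {
    have_compiler || { echo "no C compiler found: install Xcode Command Line Tools first" >&2; return 1; }
    curl -fsSLo pkgsrc.txz "$PKGSRC_URL"
    verify_sha512 pkgsrc.txz "$PKGSRC_SHA512" || { echo "checksum mismatch, aborting" >&2; return 1; }
    tar xfz pkgsrc.txz   # creates ./pkgsrc, as in the post
    # Unprivileged mode: no root, everything goes under the prefix
    (cd pkgsrc/bootstrap && ./bootstrap --unprivileged --abi 64 --prefix "$PKGSRC_PREFIX")
    echo "add to your shell profile: export PATH=$(pkgsrc_path "$PKGSRC_PREFIX"):\$PATH"
}

# Usage: sh bootstrap-pkgsrc.sh run   (after setting PKGSRC_URL and PKGSRC_SHA512)
if [ "${1:-}" = run ]; then
    bootstrap_pkgsrc
fi
```

Once bootstrapped, the binaries live under the prefix, so the PATH line printed at the end is what makes `pkgin` or `bmake` from the user's tree take precedence over whatever Homebrew or the system provides.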
After using Fink in 2009 on my Mac mini, and then Homebrew since late 2011 on my MacBook Pro, it’s nice to explore alternatives, especially since they are not mutually exclusive. It’s in fact a nice idea to combine pkgsrc and Homebrew to get the best of both worlds and access to even more packages.
Lastly, for a comprehensive searchable database of packages, please check the excellent pkgsrc.se.
As an experiment, I’ve been using fpdns (version 0.10.0 on FreeBSD/amd64) to fingerprint DNS servers authoritative for the top 1 million domains (according to Alexa).
At first, I had plans to use adnshost to resolve name servers first and then feed the resolved list to fpdns, in order to speed things up and avoid fingerprinting the same host several times. Unfortunately, it seems adnshost doesn’t work that well on large batches and I experienced numerous timeouts and crashes.
Extracting a list of domains from the CSV file
As the fingerprinting process will require resolving name servers for each domain in the list, I will be using a local Unbound instance in order to avoid hitting my ISP name servers too aggressively.
Configuring the system to use Unbound as local resolver
After adding our local resolver to resolv.conf :
echo "nameserver 127.0.0.1" > /etc/resolv.conf
We can verify that we are indeed using our Unbound instance :
Fingerprinting using fpdns
Here is a list of fpdns options we will be using :
I used awk here instead of cut as the latter doesn’t allow using more than one character as a delimiter.
Here are the results :
6 sheerdns [Old Rules]
2 3Com Office Connect Remote [Old Rules]
57 DJ Bernstein TinyDNS 1.04 [Old Rules]
5199 DJ Bernstein TinyDNS 1.05 [Old Rules]
13 Dan Kaminsky nomde DNS tunnel [Old Rules]
3 Fasthosts Envisage DNS server [Old Rules]
2 Meilof Veeningen Posadis [Old Rules]
2 Men & Mice QuickDNS for MacOS Classic [Old Rules]
4 Michael Tokarev rbldnsd [Old Rules]
29 Microsoft ? [Old Rules]
387 Microsoft Windows DNS 2000 [New Rules]
50 Microsoft Windows DNS 2000 [Old Rules]
88 Microsoft Windows DNS 2003 R2 [New Rules]
6373 Microsoft Windows DNS 2003 [New Rules]
87 Microsoft Windows DNS 2003 [Old Rules]
1278 Microsoft Windows DNS 2008 R2 [New Rules]
25 Microsoft Windows DNS 2008 [New Rules]
2 Microsoft Windows DNS NT4 [Old Rules]
12 NLnetLabs NSD 1.0 alpha [Old Rules]
12046 NLnetLabs NSD 3.1.0 -- 3.2.8 [New Rules]
6 NLnetLabs Unbound 1.4.10 -- 1.4.12 [New Rules]
220751 No match found
25 Simon Kelley dnsmasq [Old Rules]
18 Sourceforge JDNSS [Old Rules]
1 TZO Tzolkin DNS [Old Rules]
4863 Unlogic Eagle DNS 1.0 -- 1.0.1 [New Rules]
88 Unlogic Eagle DNS 1.1.1 [New Rules]
18 ValidStream ValidDNS [Old Rules]
1 WinGate Wingate DNS [Old Rules]
1 XBILL jnamed (dnsjava) [Old Rules]
40 Yutaka Sato DeleGate DNS [Old Rules]
13 javaprofessionals javadns/jdns [Old Rules]
As is often the case with this kind of experiment, the results can’t really be used to produce reliable statistics : apparently, BIND has totally disappeared from the Internet ;)
However, I believe the process is still useful and demonstrates how easy it can be to quickly produce DNS surveys using simple UNIX tools.
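The survey pipeline described in this post, as an added example (not the post's own commands) with each stage in its own shell function so the text-processing parts can be checked offline on constructed data: extracting the domain column from the CSV, a minimal Unbound configuration for the local resolver, the fpdns run, the awk split on the multi-character "): " separator, the `uniq -c` summary, and one extra step the post's conclusion calls for, the share of "No match found" answers, which is what decides whether the distribution means anything. Assumptions: the CSV uses the Alexa "rank,domain" layout, fpdns is 0.10.x with its `-D` (treat each input as a domain and fingerprint its name servers) and `-F` (read hosts from a file) options, fpdns prints one `fingerprint (host, ip): version` line per server, and the unbound.conf path is whatever your system uses.

```shell
#!/bin/sh
# Added example, not the post's own commands: DNS fingerprinting survey
# pipeline with constructed sample data so it runs without network access.
# fpdns option names and output format are assumed from fpdns 0.10.x.

# Stage 1: domain column of a "rank,domain" CSV on stdin (drops CR and blanks).
extract_domains() {
    cut -d, -f2 | tr -d '\r' | grep -v '^$'
}

# Stage 2: minimal unbound.conf for a loopback-only caching resolver, so the
# survey does not hammer the ISP's name servers. Install at your system's
# unbound.conf path (assumed), then point resolv.conf at 127.0.0.1.
render_unbound_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    verbosity: 1
EOF
}

# Stage 3: fingerprint the name servers of every domain in a file
# (needs network; not exercised by the sample below).
run_fpdns() {
    fpdns -D -F "$1"
}

# Stage 4: keep only the fingerprint after the "): " separator. cut(1)
# cannot split on a multi-character delimiter, hence awk, as in the post;
# the bracket expression keeps the ')' literal in the regex.
fingerprint_field() {
    awk -F'[)]: ' '{print $2}'
}

# Count fingerprints, most common first.
summarize_fpdns() {
    fingerprint_field | sort | uniq -c | sort -rn
}

# Percentage of servers fpdns could not classify. A large value means the
# table above describes the fingerprint database, not the server population.
unmatched_percent() {
    fingerprint_field | awk '
        /^No match found/ { unmatched++ }
        { total++ }
        END { if (total == 0) print 0; else printf "%d\n", 100 * unmatched / total }'
}

# Constructed sample data (not real survey output).
SAMPLE_CSV='1,example.com
2,example.net
3,example.org
'
SAMPLE_FPDNS='fingerprint (ns1.example.com, 192.0.2.1): NLnetLabs NSD 3.1.0 -- 3.2.8 [New Rules]
fingerprint (ns2.example.com, 192.0.2.2): NLnetLabs NSD 3.1.0 -- 3.2.8 [New Rules]
fingerprint (ns1.example.net, 192.0.2.3): No match found
fingerprint (ns1.example.org, 192.0.2.4): DJ Bernstein TinyDNS 1.05 [Old Rules]
'

# Usage: sh dns-survey.sh demo   (real run: extract_domains < top-1m.csv > domains.txt;
# run_fpdns domains.txt > results.txt; summarize_fpdns < results.txt)
if [ "${1:-}" = demo ]; then
    printf '%s' "$SAMPLE_CSV" | extract_domains
    printf '%s' "$SAMPLE_FPDNS" | summarize_fpdns
    printf '%s' "$SAMPLE_FPDNS" | unmatched_percent
fi
```

On the sample, `summarize_fpdns` ranks NSD first with a count of 2 and `unmatched_percent` reports 25; on the post's real run the same figure is what shows the BIND "disappearance" for what it is, a fingerprint database that does not recognise most of what it saw.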