Month: September 2011

How to install the BIND DNS Server using Webmin, so Asterisk extensions (hopefully) will work even when your Internet connection fails

 

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.

If you run Asterisk you may have encountered this issue: Your Internet connection goes down, and so does your ability to call from extension to extension, even between extensions on your local network. This is a long-standing bug in Asterisk (exactly the sort of bug that drives people to try alternatives such as FreeSWITCH) but let’s say that for whatever reason you need to stick with Asterisk, so you’d like to find a way to make that bug go away.  Without going into all the technical details, the reason that calls fail is that Asterisk can’t access a DNS server.  I’ve read several reports that say the easiest solution is to install the BIND DNS server  on the same machine as your Asterisk server.  If you are also running Webmin on the server, installing and configuring BIND is a relative piece of cake.  So here’s how it’s done.  Please note that most of the images below can be enlarged by clicking on them, and that I have installed the StressFree theme in Webmin, so if it looks a little different from what you’re used to seeing, that’s probably why.

To start with, log into Webmin, click on “Servers”, then click on “BIND DNS Server” (if you don’t find it there, try looking in “Un-used Modules”):

Webmin Servers page — click on "BIND DNS Server"

Assuming you have not previously installed BIND, you’ll get a screen like this.  Just click where it says “Click here”:

Webmin BIND DNS Server error page — click where it says "Click here"

You will then see this screen come up as BIND is installed. Just let it run to completion and (assuming it installs successfully) click on “Return to BIND DNS Server” at the bottom of the page:

Webmin "Install Package" page — click on "Return to BIND DNS Server"

Next, because you don’t yet have an /etc/named.conf file, you’ll see this page.  Click the button for “Setup nameserver for internal non-internet use only” (don’t worry, we’ll fix it in the next steps), then click the bar that says “Create Primary Configuration File and Start Nameserver”:

Webmin — click "Setup nameserver for internal non-internet use only"

At this point BIND is installed and running, but it probably isn’t doing what you want it to, and your system isn’t using it. So the first thing we need to do is tell it where to go when it needs to do a DNS lookup. You should be seeing a page that looks like this — click on “Forwarding and Transfers”:

Webmin BIND DNS Server page — click on "Forwarding and Transfers"

When you get to the following screen, check “Yes” next to “Lookup directly if forwarders cannot?”  You also need to enter one or more addresses of DNS servers that BIND can access when it needs to pull a DNS record.  You might want to give some thought to which DNS servers you want to use, and in what order, before you start entering them. You can enter up to three IP addresses of DNS servers, and then click “Save”. This will throw you out to the previous screen, and if by some chance you want to enter even more DNS servers, you can click on “Forwarding and Transfers” again to come back and enter up to three more servers, until you are finished.  In this example, I have already entered the IP addresses of my router’s DNS Server as the top priority pick,  followed by two Google DNS Server addresses.

Webmin — BIND DNS Server — Forwarding and Transfers page

Once you have done this, you are through configuring BIND directly, but there are two more things we need to do. The first is to make sure that the BIND server starts each time we restart the machine. To do that, go to Webmin’s “System” page and then click on “Bootup and Shutdown”:

Webmin System page — click on "Bootup and Shutdown"

This is a long page so I’m not showing all of it — what you have to do is find the entry for named and check the box next to it:

Webmin Bootup and Shutdown page — check the box next to "named"

Then go to the bottom of the page and click “Start on Boot”:

Bottom of Webmin Bootup and Shutdown page — click "Start on Boot"

At this point BIND is running, and should be using the correct DNS servers, and is set to start at bootup, but your server still isn’t using it for its DNS queries. To get it to do that, go to Webmin’s “Networking” page and click on “Network Configuration”:

Webmin Networking page — click on "Network Configuration"

Once on the Network Configuration page, click on “Hostname and DNS Client”:

Webmin Network Configuration page — click on "Hostname and DNS Client"

Once on the Hostname and DNS Client page, what you need to do is make the first entry in the DNS Servers list 127.0.0.1. If you trust BIND to always be operating, that’s the only entry you need. I didn’t quite trust BIND that much (actually, what I didn’t trust was my ability to set this up correctly) so I set the DNS server in the router as the secondary DNS address. You could use any DNS server as the secondary, or you could choose to just enter the 127.0.0.1 address to use BIND and let it go at that. Personally, I feel a lot more comfortable having a “fallback” DNS. Don’t forget to click “Save” when you are finished making changes here:

Webmin Hostname and DNS Client page - 127.0.0.1 must be first DNS server

That’s all there is to it, as far as I know (if you think I’ve missed anything or done something wrong, the comment section is open!). If you’re like me, the next question you will have is, “How do I know it’s working?” And the easiest way to do that is to go to a Linux command prompt and “dig” some site you have not been to recently twice in a row. Here’s an example, using cnn.com — the part we are interested in is in red:

dig cnn.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> cnn.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8274
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 13, ADDITIONAL: 9

;; QUESTION SECTION:
;cnn.com.                       IN      A

;; ANSWER SECTION:
cnn.com.                287     IN      A       157.166.224.25
cnn.com.                287     IN      A       157.166.224.26
cnn.com.                287     IN      A       157.166.226.25
cnn.com.                287     IN      A       157.166.226.26
cnn.com.                287     IN      A       157.166.255.18
cnn.com.                287     IN      A       157.166.255.19

;; AUTHORITY SECTION:
.                       76691   IN      NS      i.root-servers.net.
.                       76691   IN      NS      j.root-servers.net.
.                       76691   IN      NS      k.root-servers.net.
.                       76691   IN      NS      l.root-servers.net.
.                       76691   IN      NS      m.root-servers.net.
.                       76691   IN      NS      a.root-servers.net.
.                       76691   IN      NS      b.root-servers.net.
.                       76691   IN      NS      c.root-servers.net.
.                       76691   IN      NS      d.root-servers.net.
.                       76691   IN      NS      e.root-servers.net.
.                       76691   IN      NS      f.root-servers.net.
.                       76691   IN      NS      g.root-servers.net.
.                       76691   IN      NS      h.root-servers.net.

;; ADDITIONAL SECTION:
b.root-servers.net.     386178  IN      A       192.228.79.201
d.root-servers.net.     402826  IN      A       128.8.10.90
d.root-servers.net.     230000  IN      AAAA    2001:500:2d::d
f.root-servers.net.     370827  IN      A       192.5.5.241
g.root-servers.net.     463754  IN      A       192.112.36.4
h.root-servers.net.     374116  IN      A       128.63.2.53
h.root-servers.net.     517382  IN      AAAA    2001:500:1::803f:235
j.root-servers.net.     185528  IN      A       192.58.128.30
j.root-servers.net.     578747  IN      AAAA    2001:503:c27::2:30

;; Query time: 26 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 16 12:45:41 2011
;; MSG SIZE  rcvd: 512

# dig cnn.com

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> cnn.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8277
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 13, ADDITIONAL: 9

;; QUESTION SECTION:
;cnn.com.                       IN      A

;; ANSWER SECTION:
cnn.com.                223     IN      A       157.166.255.19
cnn.com.                223     IN      A       157.166.224.25
cnn.com.                223     IN      A       157.166.224.26
cnn.com.                223     IN      A       157.166.226.25
cnn.com.                223     IN      A       157.166.226.26
cnn.com.                223     IN      A       157.166.255.18

;; AUTHORITY SECTION:
.                       76627   IN      NS      c.root-servers.net.
.                       76627   IN      NS      d.root-servers.net.
.                       76627   IN      NS      e.root-servers.net.
.                       76627   IN      NS      f.root-servers.net.
.                       76627   IN      NS      g.root-servers.net.
.                       76627   IN      NS      h.root-servers.net.
.                       76627   IN      NS      i.root-servers.net.
.                       76627   IN      NS      j.root-servers.net.
.                       76627   IN      NS      k.root-servers.net.
.                       76627   IN      NS      l.root-servers.net.
.                       76627   IN      NS      m.root-servers.net.
.                       76627   IN      NS      a.root-servers.net.
.                       76627   IN      NS      b.root-servers.net.

;; ADDITIONAL SECTION:
b.root-servers.net.     386114  IN      A       192.228.79.201
d.root-servers.net.     402762  IN      A       128.8.10.90
d.root-servers.net.     229936  IN      AAAA    2001:500:2d::d
f.root-servers.net.     370763  IN      A       192.5.5.241
g.root-servers.net.     463690  IN      A       192.112.36.4
h.root-servers.net.     374052  IN      A       128.63.2.53
h.root-servers.net.     517318  IN      AAAA    2001:500:1::803f:235
j.root-servers.net.     185464  IN      A       192.58.128.30
j.root-servers.net.     578683  IN      AAAA    2001:503:c27::2:30

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 16 12:46:45 2011
;; MSG SIZE  rcvd: 512

Notice how on the first run, it takes 26 msec to do the lookup, because BIND doesn’t have that address cached yet, whereas on the second run it only takes 1 msec to do the lookup!  Could that perhaps improve system performance?  I’ll bet it could! And the SERVER line tells us that it is indeed using our BIND server (127.0.0.1) – if it were using, say, our router’s DNS server then that line would show this:

;; SERVER: 192.168.0.1#53(192.168.0.1)

The idea here is that when your Internet connection takes a dive, Asterisk will still be finding a working DNS server and therefore won’t tank.  That, at least, is the theory I’ve seen on several web sites.  The ONLY thing I am showing here is how to set up BIND using Webmin, and I won’t even guarantee that I’m doing that 100% correctly.  I definitely do not guarantee that it will actually work as intended — you’ll have to test that yourself.  Doing a real test would mean disconnecting your cable or DSL modem, etc. from your router for several hours or days to see if the phones continue to work, and in most households or businesses that idea will go over like a lead balloon.  However, feel free to give it a good test if you like and report the results in the comments.

You may wonder why I selected “Setup nameserver for internal non-internet use only” in the fourth screenshot.  Obviously, that description is not entirely accurate.  The real difference is that if you select that instead of the default “Setup as an internet name server, and download root server information”, it won’t create a “root” DNS zone, which you simply don’t need for this application.  You can use the other option if you want to, but it will download additional information and increase the complexity of your setup.  Either way, you should be able to access the Internet, because we set up DNS forwarding.  If by some chance this BIND server is going to act as a nameserver for your entire network, and you don’t mind the additional traffic and complexity (and it’s the additional traffic that scares me the most, since I have no idea what it’s actually downloading nor how often it’s doing it), then by all means feel free to use the second option.  All I will say is that I used the first. and it works fine, and I’ve seen at least one instance where this same thing is set up using a method other than Webmin, and except for the order of statements it uses an /etc/named.conf file that is identical to what Webmin produces when configured as I have shown here (in other words, no “zones” at all).  I’m just waiting for some Linux purist to say this isn’t the “right” way to do this but keep the goal in mind here — all we are trying to do is work around a bug in Asterisk that should have been fixed years ago, not set up a DNS server to feed an entire subnet.  But again, you can feel free to use whichever of the options you like — it should work either way.

(By the way, if after reading the above you have “setup remorse” — you know, that feeling you get after you’ve installed something that you should have picked a different option — you can get a “do-over” by simply deleting or moving/renaming /etc/named.conf.  If you then exit Webmin’s BIND module and come back in, it should see that named.conf doesn’t exist and start you over at the fourth screen shown above.  Of course, you will lose anything you have already configured from within that module.  If you originally selected the option to download the root server information, I think that’s at least partly stored in the file /etc/db.cache, so you could move or remove that file to make sure it’s not used, however I’m not sure if any other files are or were also downloaded.  That particular file is very small so I’m not worried about that one per se, it’s just that the way things are worded on a couple of pages I read, I don’t know if that’s all it downloads, or if at some point in the middle of the night it rises up and tried to cache all the DNS information for the Internet, or just exactly what it does.  Sometimes I wish people would just give a sentence or two of additional information, so you have a better idea of what’s the right thing to do when you’re setting up something like this.)

Now, if you are a True Linux Geek who somehow stumbled across this article, and are disappointed that it isn’t much more complicated, I’ll refer you to this page.  If you can figure all THAT out, you should be getting paid the big bucks as the networking expert that you are! 🙂

A real help for Linux users with bad memories: Aliaser — take control of your aliases on Linux

 

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.
Tux, the Linux penguin
Image via Wikipedia

Here’s a program that may be useful for those of you who, like me, sometimes find ourselves at a Linux command prompt trying to recall the syntax of a command we use frequently (because, you know, it would never have occurred to the designers of Linux to actually implement commands with names that have a clear meaning in plain English):

Alias are a great tool to help increment your productivity on the terminal with bash (or any shell program you’re using), but usually we are too lazy to think at what are the most common, or long commands that we use frequently and prepare an alias for them.

And so someone has done a small piece of software to do this job: aliaser

Aliaser helps you identify frequently typed commands and creates bash aliases for them. Aliaser analyses your bash history and helps you identify commands that you use frequently.

Full article (with installation instructions) here.

One thing they forgot to mention is that once you’ve added an alias, it won’t actually be available for use until you log out and then log back in.  Also, you can delete the aliaser file and temporary directory from your /tmp directory once installation is complete.  If you ever want to uninstall aliaser, just remove the three lines added to your .bashrc file, remove the ~/.aliaser directory, and remove the /usr/bin/aliaser file.

One way I find this useful is to make commands I can’t remember into ones that that I can remember.  For example, I did this:

aliaser add processes “ps awx”

The Linux purists are probably rushing to comment that I just turned a six character command into a nine character one.  Yes, BUT, I can actually remember the word “processes”, whereas I cannot remember the options I need to use after “ps” to get the output I want. The designers of Linux seem to not realize that some of us users have really bad memories.  Another use for this is turning arcane Linux commands into the equivalent Windows commands that you’re familiar with.  You could do this:

aliaser add dir “ls -al”

So that when you type “dir”, you get a directory listing similar to what you are used to.

If you can’t even remember the aliases you’ve created (yeah, my memory really is that bad some days), just use aliaser show to see all the aliases you’ve added.

How to give a particular extension or group of extensions access to a specific trunk or group of trunks for outgoing calls in FreePBX

 

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.
Dial Patterns that will use this Route
Dial Patterns section of new FreePBX Outbound Route

I’m going to lift a bit of preliminary text from a page on the FreePBX site entitled “How to give a particular extension different or restricted trunk access for outgoing calls“:

IMPORTANT: When implementing any sort of restrictions on extensions, using the method described here or any other method, please be absolutely certain that you do not inadvertently restrict access to emergency services numbers (such as 911 in the U.S./Canada)!

There is a recurring question that comes up every so often, regarding how to give one particular extension (or a group of extensions) access to a different trunk for specific outgoing calls, or perhaps to restrict access to a particular trunk. Usually this involves an extension that is accessible to people that might want to make calls that cost money, and you don’t want them to do that. But there are many other reasons to route calls differently for different extensions, while still keeping all extensions on the same system so they can call each other.

Usually when someone asks about this, a common suggestion is to use the unsupported third-party Custom Contexts module. While this module is very versatile and lets you have a high degree of control over what each extension may access, there are at least two downsides. One is that it’s not part of the official distribution and therefore, a future upgrade of FreePBX might “break” it.

(This is probably less likely now, because it appears some of the FreePBX developers have taken an interest in maintaining it, but it’s still not beyond the realm of possibility.)

The other issue is that you have to go through and check (and maybe change) all the priority dropdowns if you add, remove, or move a route, and that can get to be a pain in the butt very quickly if you are in the habit modifying your routes with any frequency.

The problem with this page is that although it discusses several alternatives to using Custom Contexts (and you may wish to read it just to learn about those other possibilities), it is getting rather dated and therefore does not mention the use of the fourth field in Outbound Routes, a.k.a the “CallerID” field, which is by far the easiest way to implement this.

Let’s say you have an existing outbound route, over which your outbound calls normally travel, and it has a particular selection of trunks.  But you also have an extension, let’s say it’s extension 234, and you want it to use a different trunk or group of trunks.  In FreePBX 2.9 or later, all you have to do is this:

  • Go to the settings page for the Outbound Route that is currently used for outgoing calls.
  • At the bottom of the page, next to the “Submit Changes” button, there is a new “Duplicate Route” button.  Click on “Duplicate Route”.
  • Move the duplicated route to be higher in priority than the original route (it should appear just above the original route in the right-hand column).
  • Optionally rename the duplicated route to something more to your liking.
  • In the duplicated route, under “Dial Patterns that will use this Route“, add the extension number (or pattern matching a group of extensions) to the fourth (CallerID) field of EVERY dial pattern on the list.  Or, if using the Swiss Army Knife Module and you have checked the “Turn On Old (Pre 2.8) Dial Plan Textbox” checkbox (EDIT: or if you have FreePBX 12 or later, and under Settings | Advanced Settings, in the “GUI Behavior” section you have set Enable The Old Style FreePBX Dial Patterns Textarea to True), then add the extension number or pattern to the end of every existing pattern, separated by a forward slash.  As an example, an existing pattern of 1+NXXNXXXXXX would become 1+NXXNXXXXXX/234.  Again, you must do this to every pattern in the pattern list.
  • And finally, in the duplicated route, change the the “Trunk Sequence for Matched Routes” to include only those trunks that you want that extension or group of extensions to use.

If there are additional Outbound Routes for which you want to change the trunk selection for the same extension, repeat the above, starting with the other outbound route(s).  If you have additional extensions and you want one or more of them to have different trunk usage, repeat the above, using the different extension number(s) in the CallerID field and the different trunk selections.

If you want to block an extension’s ability to make toll calls, use the same procedure but only give them access to an ENUM trunk.  ENUM is pretty broken then days, it it would be rare for a call to actually complete, but if it does it’s not going to cost you anything.  This particular usage is discussed in more detail in “How to block a single extension’s ability to make outgoing toll calls in FreePBX“. (EDIT: In the most recent versions of FreePBX you can simply not select any trunks at all in the “Trunk Sequence for Matched Routes” section of the Outbound Route, and then optionally select a failure announcement or whatever treatment you want to give the call in the “Optional Destination on Congestion” section.)

And again, please note that you can use a single extension number OR a pattern in the CallerID field.  For example, if you had a pattern like 1NXXNXXXXXX, you could do something like:

  • 1NXXNXXXXXX/100 – match on the pattern only if the call is from extension 100
  • 1NXXNXXXXXX/2[45]X – match on the pattern only if the call is from an extension in the range 240-259
  • 1NXXNXXXXXX/3XX – match on the pattern only if the call is from an extension in the range 300-399

And if you wanted to allow the call only if it came from extension 100, 240-259, or an extension in the 300’s then you could use all three of the above rules in the same outbound route.

I will offer my opinion that using the Swiss Army Knife Module and checking “Turn On Old (Pre 2.8) Dial Plan Textbox” is the only way to go if you happen to have several hundred dial patterns!  Well, maybe not the only way (you could export a .CSV file, edit it, and import it back in), but definitely the easiest, because you can simply cut all the patterns from the textbox and paste them into a text editor, then use search-and-replace to add the extension numbers, then copy the changed patterns from the text editor and paste them back into the textbox in the Outbound Route.  If the search-and-replace function supports regex matching then it’s easy – set the find string to n and set the replace string to /234n (assuming 234 is the extension number you want to add), and replace all occurrences (be sure to check the first and last lines to make sure they look as they should, in case there was a missing or extra newline character somewhere).

EDIT: We have been informed that the old-style textboxes are once again available in FreePBX 12 and later. You have to click on the Settings tab, then Advanced Settings, then find the “GUI Behavior” section and change the Enable The Old Style FreePBX Dial Patterns Textarea setting to True.

Related Articles:

The Linux equivalent of Little Snitch, ZoneAlarm, and similar per-application firewalls?

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.

EDIT: This article is very old and outdated. For more current information, see OpenSnitch: The Little Snitch application like firewall tool for Linux.

If you are a Mac user, you’ve probably heard of Little Snitch.  It’s a commercial (as in, not free) program that lets you allow or deny connections to the Internet from individual applications.  One reason for using such a program is to detect software that should have no reason to connect to the Internet nevertheless attempting to do so.  For example, you download a free screensaver (dumb move to start with) and it sends all the personal information it can find on you to some group of hackers on the other side of the world.  A program like Little Snitch would let you know that the screensaver  is trying to connect to the Internet, and allow you to deny that connection.  In the Windows world, I believe that ZoneAlarm has a similar capability, and it’s also a commercial (as in, not free) program.

Leopard Flower personal firewall for Linux OS screenshot
Leopard Flower personal firewall for Linux OS screenshot

It appears that these is a similar program for Linux users, and it IS free!  It’s called Leopard Flower and it’s described as a “Personal firewall for Linux OS (based on libnetfilter_queue) which allows to allow or deny Internet access on a per-application basis rather than on a port/protocol basis.”

Looking at the screenshot it appears to have very much the same per-application blocking functionality you’d get in one of those other programs.  I have not personally tried it yet, but I wanted to create a post about it so if someday in the future I am trying to remember the name of this program, I’ll know where to find it (yes, this blog does sort of serve as my long-term memory!).  🙂

Since this article was originally published, I have been made aware of another similar application called Douane: Linux personal firewall with per application rule controls – here are a couple of screenshots:

Douane personal firewall for GNU/Linux screenshot
Douane personal firewall for GNU/Linux screenshot
Duane configurator screenshot
Duane configurator screenshot

The only downside to this one is that as of this writing the only available package is for Arch Linux but if you want to try to build it for a Ubuntu or Debian system, they provide a page showing the needed dependencies.

There is an older similar program called TuxGuardian but apparently is hasn’t been updated since 2006, so I have no idea if it will even work with current versions of Linux. And as for you Android users, try the NoRoot Firewall app.