Arvy's questions

I had a DNS record (ex: test.example.com) pointing to a single IP:

test.example.com IN A 192.0.2.1

Working fine. Now I have +30 IPs answering for it, example:

teste.example.com IN A 192.0.2.1
teste.example.com IN A 192.0.2.2
(...)
teste.example.com IN A 192.0.2.31

And now it's unstable ("can't find host" errors). Using dig I got a warning "Truncated, retrying in TCP mode". After some Google searches, I found out that a multi-IP query must have no more than 512 bytes to guarantee that UDP will be used, and avoid an extra query (or problems with no-tcp dns clients or providers, old dns sw, etc).

So, how can I know how many v4 IPs can I have in a single dns entry to guarantee a maximum of 512 bytes UDP answer?

or

Is it possible to configure ISC Bind to return only one IP in a multi-IP query? I know that the IP can be cycled with rrset-order { order cyclic; };.

Like:

> test.example.com
Server: x.x.x.x
Address: x.x.x.x:53

Name: test.example.com
Address: 192.0.2.6

so, only one of them? Thanks.

I want to protect all Wordpress admin interfaces (wp-login.php/wp-admin) in my server. To do this, I want to create a global config in Apache, asking for a fixed user/password (HTTP basic authentication), before reach the real WordPress login page. This will avoid overload PHP from password scan bots.

<FilesMatch "wp-login.php">
 AuthUserFile /etc/wordpress.passwd
 AuthName "TYPE USER wp AND PASSWORD wp"
 AuthType Basic
 require valid-user
</FilesMatch>

Works, any file named wp-login.php will ask for the password.

But when I run in a Wordpress site, its .htaccess has some kind of "priority" over the global config. When I access wp-login.php I just receive a 404 error. If I remove/rename .htaccess, FilesMatch works, but I lost the "path mask" feature, that is necessary.

Wordpress .htaccess is:

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

I'm looking for a way to FilesMatch directive has priority over the .htaccess (Rewrite module): ask for the password, not rewrite the URL (giving 404).

Any ideas?

I'm having problems using a VPN connection on Ubuntu, as a client. Works well on Windows. Ubuntu does not receive the route table...

Scenario:

Server: Centos 7 with Strongswan (Ipsec, IKEv2)

Static IP set to 10.0.77.1

/etc/sysconfig/network-scripts/ifcfg-eth0:0

DEVICE=eth0:0
BOOTPROTO=static
IPADDR=10.0.77.1
NETMASK=255.255.255.0

VPN config - ipsec.conf (only the main piece):

auto=add
compress=yes
type=tunnel
keyexchange=ikev2
ike=...
esp=...
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
[email protected]
leftcert=fullchain.pem
leftsendcert=always
leftsubnet=10.0.77.0/24
leftsourceip=10.0.77.1/32
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.0.77.2-10.0.77.9
rightdns=10.0.77.1
rightsendcert=never
eap_identity=%identity

So, the server is 10.0.77.1 and clients will receive an IP between 10.0.77.2 and 10.0.77.9 (same subnet).

Client: Windows 10

Native client, connects and pings 10.0.77.1 fine.

Route table:

      10.0.0.0        255.0.0.0      10.0.77.17     26
    10.0.77.17  255.255.255.255      10.0.77.17    281
10.255.255.255  255.255.255.255      10.0.77.17    281

Client: Ubuntu 20.04 with Strongswan installed

Can connect normally, but cannot ping 10.0.77.1 and has no route entries to 10.*

Any ideas? Thanks a lot.

Update

No related to route table. Thanks to @ecdsa: ip route list table 220

Solution

I realized that the problem was related to the server firewall. A single iptables rule fixed the problem:

iptables -I INPUT -m policy --pol ipsec --dir in -j ACCEPT