Topic: HOWTO local authoritative dns with dhcp updates

royw

HOWTO local authoritative dns with dhcp updates
« on: February 03, 2008, 11:29:28 pm »
Howdy,

I was wanting an authoritative name server for my local intranet.  I also wanted any dynamic IP's to be visible to the name server.  The name server included with linuxmce is configured as a recursive name server.  Here's the changes I did to configure my core's name server to be authoritative and support dynamic IPs.  Note, the machines on my intranet are private, i.e., not known to the outside world.

I named my intranet "wright.local".  Using a "local" top level domain (TLD) is recommended for private intranets.  Some may prefer to use "lan".  You do not want to use any of the standard TLDs like "com", "net", "org",...

I used the core's default intranet addresses, 192.168.80.0/24 with the core at 192.168.80.1.

I've attempted to verbosely document each config file.  :)

The directions for adapting the config files are included in the named.conf file.

If you want to try this, I would suggest building the config in new directories then swapping with the originals when you are ready (I had a little mess when my core hung and I had to restart with only half the configs ready  :) ).

So start with creating two directories:
Code: [Select]
  sudo mkdir /etc/bind.new
  sudo mkdir /etc/dhcp3.new

Now copy the contents of the original directories:
Code: [Select]
  sudo cp -arp /etc/bind/* /etc/bind.new
  sudo cp -arp /etc/dhcp3/* /etc/dhcp3.new

Also create a new resolv.conf file:
Code: [Select]
  sudo touch /etc/resolv.conf.new

Then add/change the config files below. 

To create a key for use in rndc.key and dhcpd.conf:
Code: [Select]
  sudo dnssec-keygen -a HMAC-MD5 -b 256 -n user rndc

Now get the key from the private file:
Code: [Select]
  sudo cat Krndc.*.private
  Private-key-format: v1.2
  Algorithm: 157 (HMAC_MD5)
  Key: 3+GnSWV5FKxcUu57k7QFxbpvv/xr4fXj2wBVGtdGifI=
  Bits: AAA=

Now cut the key, which is to the right of "Key: ", and paste it where needed (replace "<paste your key here>" with the key in the config files).  So an example using the above key would look like:
Code: [Select]
key "linuxmce-dhcp" {
        algorithm hmac-md5;
        secret "<paste your key here>";
};

becomes:
Code: [Select]
key "linuxmce-dhcp" {
        algorithm hmac-md5;
        secret "3+GnSWV5FKxcUu57k7QFxbpvv/xr4fXj2wBVGtdGifI=";
};

Make the logging directory:
Code: [Select]
  sudo mkdir /var/log/named
  sudo chown bind:bind /var/log/named
  sudo chmod 755 /var/log/named

Change all the file permissions per instructions in named.conf. 

Double check everything.   ::)

Then when you are feeling lucky, rename the original directories and then rename the new directories to take their place:
Code: [Select]
  sudo mv /etc/bind /etc/bind.original
  sudo mv /etc/bind.new /etc/bind
  sudo mv /etc/dhcp3 /etc/dhcp3.original
  sudo mv /etc/dhcp3.new /etc/dhcp3
  sudo mv /etc/resolv.conf /etc/resolv.conf.original
  sudo mv /etc/resolv.conf.new /etc/resolv.conf

Finally restart the bind and dhcpd services:
Code: [Select]
  # a full restart is needed: the running named still holds the old rndc key,
  # so "rndc reload" signed with the freshly generated key would be rejected
  sudo /etc/init.d/bind9 restart
  sudo /etc/init.d/dhcp3-server restart

Check the syslog for any errors:
Code: [Select]
  grep named /var/log/syslog
  grep dhcpd /var/log/syslog

Here's the config files.

/etc/bind/named.conf
Code: [Select]
// This is the primary configuration file for the BIND DNS server named.
//
// This configuration supports an authoritative local zone (wright.local on
// 192.168.80.0/24) and allows DHCP to update the local zone.
// To customize to your setup:
// 1) replace "wright.local" with your internal domain name.
// 2) edit db.wright.local.zone and db.wright.local.rev and replace
//    my static names/addresses with your network's static names/addresses.
//    Make sure to increment the serial number of any file edited.
//    Note, format of serial number is:  YYYYMMDDNN where YYYY is year,
//    MM is month, DD is day, NN is update number for that day (i.e., 01,
//    02, 03,...)
// 3) rename db.wright.local.zone to match your domain name.
// 4) rename db.wright.local.rev to match your domain name.
// 5) If you changed the internal network IP from the LinuxMCE default of
//    192.168.80.0/24, then replace "192.168.80" with your network
//    ip and replace its reverse "80.168.192" with your network ip's
//    reverse.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
//
// references:
// http://www.arda.homeunix.net/dnssetup.html
// http://www.madboa.com/geek/soho-bind/
//
// notes:
// 1) The following command should be run about twice a year to keep
//    the root servers current:
//      dig @a.root-servers.net . ns > /etc/bind/db.root
//    Root name servers don't change very often so updating this file more
//    than twice a year is probably overkill. Frequent updates also put undue
//    load on the root name servers; they have enough to do as it is.
//
// 2) File permissions:
//    /etc/bind/named.conf   root:root   644
//    /etc/bind/rndc.key     root:bind   640
//    /etc/bind/rndc.conf    root:root   600
//    /etc/resolv.conf       root:root   644
//    /etc/bind              root:bind   775, chmod g+s => drwxrwsr-x
//    /etc/dhcp3             root:root   755
//    /etc/dhcp3/dhcpd.conf  root:root   644
//
// Manually Updating Zone Files
// 1. Use rndc to stop BIND.
//      sudo rndc stop
// 2. Remove any .jnl files from the zone file directory.
//      sudo rm /etc/bind/*.jnl
// 3. Edit the zone files as necessary. Make sure to increment the serial
//    number of any file edited.  Note, format of serial number is:
//    YYYYMMDDNN where YYYY is year, MM is month, DD is day, NN is update
//    number for that day (i.e., 01, 02, 03,...)
// 4. Start BIND using its startup script.
//      sudo /etc/init.d/bind9 start


// secret must be the same as in /etc/bind/rndc.conf
include "/etc/bind/rndc.key";

// access control list used to limit queries to local net
acl "internal-net" { 192.168.80/24; 127.0.0.1; };

controls {
    inet 127.0.0.1 allow { any; } keys { "rndc-key"; };
};

include "/etc/bind/named.conf.options";

// The single dot (.) is the root of all DNS namespace, so
// this zone tells named where to start looking for any
// name on the Internet
zone "." IN {
    type hint;
    file "/etc/bind/db.root";
};

// local intranet zones and reverse zones
// intranet is wright.local and 192.168.80.0/24
// the DHCP server is on linuxmce-dhcp
// an optional second nameserver would be on linuxmce-ns2

zone "wright.local" IN {
    type master;
    file "/etc/bind/db.wright.local.zone";
    // both allow-update and update-policy can enable DHCP updates,
    // but update-policy allows more control over what kinds of
    // updates DHCP can perform on a zone.
    // allow-update { none; };
    update-policy { grant linuxmce-dhcp subdomain wright.local. A TXT; };
    // allow-transfer { key "linuxmce-ns2"; };
    // notify on zone transfers
    notify yes;
};

zone "80.168.192.in-addr.arpa" IN {
    type master;
    file "/etc/bind/db.wright.local.rev";
    // allow-update { none; };
    update-policy { grant linuxmce-dhcp subdomain 80.168.192.in-addr.arpa. PTR TXT; };
    // allow-transfer { key "linuxmce-ns2"; };
    notify yes;
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912 (http://www.ietf.org/rfc/rfc1912.txt)

// Where the localhost hostname is defined
zone "localhost" IN {
    // a master type means that this server needn't look
    // anywhere else for information; the localhost buck
    // stops here.
    type master;
    file "/etc/bind/db.local";
    // don't allow dynamic DNS clients to update info
    // about the localhost zone
    allow-update { none; };
};

// Where the 127.0.0.0 network is defined
zone "127.in-addr.arpa" IN {
    type master;
    file "/etc/bind/db.127";
    allow-update { none; };
};

zone "0.in-addr.arpa" IN {
    type master;
    file "/etc/bind/db.0";
    allow-update { none; };
};

zone "255.in-addr.arpa" IN {
    type master;
    file "/etc/bind/db.255";
    allow-update { none; };
};


// Include logging config file
include "/etc/bind/logging.conf";

// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };

// From the release notes:
//  Because many of our users are uncomfortable receiving undelegated answers
//  from root or top level domains, other than a few for whom that behaviour
//  has been trusted and expected for quite some length of time, we have now
//  introduced the "root-delegations-only" feature which applies delegation-only
//  logic to all top level domains, and to the root domain.  An exception list
//  should be specified, including "MUSEUM" and "DE", and any other top level
//  domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };

include "/etc/bind/named.conf.local";

/etc/bind/named.conf.options
Code: [Select]
options {
    // tell named where to find files mentioned below
    directory "/var/cache/bind";

    // file that contains the process id when bind is running
    pid-file "/var/run/bind/run/named.pid";

    // enable statistics
    statistics-file "/var/named/named.stats";
    zone-statistics yes;

    dump-file "/var/named/named.dump";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below.  Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.
    // query-source address * port 53;

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // The forwarders option tells BIND to not use iterative queries itself
    // for information it doesn't already know about but to forward a
    // recursive query to the name servers specified instead.
    include "/etc/bind/named.conf.forwarders";

    // conform to RFC1035
    auth-nxdomain no;

    // on a multi-homed host, you might want to tell named
    // to listen for queries only on certain interfaces
    listen-on-v6 { any; };
    listen-on { "internal-net"; };

    // to allow only specific hosts to use the DNS server:
    allow-query { "internal-net"; };

    // sets BIND's default behaviour to refuse all zone transfers.
    // Without setting this option, anyone can transfer any zone.
    allow-transfer { none; };

    // do not generate notify messages for all zones on a restart.
    // override for authoritative zones
    notify no;
};

/etc/bind/logging.conf
Code: [Select]
logging {

    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel general_file {
        file "/var/log/named/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel database_file {
        file "/var/log/named/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel config_file {
        file "/var/log/named/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-out_file {
        file "/var/log/named/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel notify_file {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel client_file {
        file "/var/log/named/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel unmatched_file {
        file "/var/log/named/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel network_file {
        file "/var/log/named/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel update_file {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dispatch_file {
        file "/var/log/named/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dnssec_file {
        file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel lame-servers_file {
        file "/var/log/named/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };


    category lame-servers { lame-servers_file; };
    category dnssec       { dnssec_file; };
    category dispatch     { dispatch_file; };
    category update       { update_file; };
    category network      { network_file; };
    category queries      { queries_file; };
    category unmatched    { unmatched_file; };
    category client       { client_file; };
    category notify       { notify_file; };
    category xfer-out     { xfer-out_file; };
    category xfer-in      { xfer-in_file; };
    category resolver     { resolver_file; };
    category config       { config_file; };
    category security     { security_file; };
    category database     { database_file; };
    category general      { general_file; };
    category default      { default_file; };
};

/etc/bind/rndc.conf
Code: [Select]
options {
    default-server  localhost;
    default-key     "rndc-key";
    default-port    953;
};

server localhost {
    key     "rndc-key";
};

key "rndc-key" {
    algorithm       hmac-md5;
    secret "<paste your key here>";
};

/etc/bind/rndc.key
Code: [Select]
key "rndc-key" {
        algorithm hmac-md5;
        secret "<paste your key here>";
};

key "linuxmce-dhcp" {
        algorithm hmac-md5;
        secret "<paste your key here>";
};

key "linuxmce-ns2" {
        algorithm hmac-md5;
        secret "<paste your key here>";
};

/etc/bind/db.wright.local.zone
Code: [Select]
;
; BIND data file for wright.local
; ref. http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-bind-zone.html
;
$TTL 86400 ; time to live : 86400s = 1 day
; Start Of Authority record, proclaims important authoritative information
; about a namespace to the nameserver.
@               IN SOA  dcerouter.wright.local.       roy.wright.org. (
                2008013101      ;serial (YYYYMMDDNN where N = 01,02,03,...)
                10800           ;refresh (3 hours)
                7200            ;retry (2 hours)
                36000000        ;expire (10,000 hours = 416 2/3 days)
                86400)          ;default minimum ttl
;
; NameServer record, which announces the authoritative nameservers for a particular zone.
;
                IN NS   dcerouter.wright.local.
;
; Address records specify an IP address to assign to a name
;
dcerouter       IN A            192.168.80.1
dad-kubuntu     IN A            192.168.80.21
royw-gentoo     IN A            192.168.80.20
;
; Canonical name records, maps one name to another.
;
linuxmce        IN CNAME        dcerouter

/etc/bind/db.wright.local.rev
Code: [Select]
;
; BIND reverse data file for wright.local
; ref. http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-bind-zone.html
;
$ORIGIN 80.168.192.in-addr.arpa.
$TTL 86400 ; time to live : 86400s = 1 day
; Start Of Authority record, proclaims important authoritative information
; about a namespace to the nameserver.
@               IN SOA  dcerouter.wright.local.       roy.wright.org. (
                2008013101      ;serial (YYYYMMDDNN where N = 01,02,03,...)
                10800           ;refresh (3 hours)
                7200            ;retry (2 hours)
                36000000        ;expire (10,000 hours = 416 2/3 days)
                86400)          ;default minimum ttl
;
; NameServer record, which announces the authoritative nameservers for a particular zone.
;
                IN NS   dcerouter.wright.local.
;
; PTR — PoinTeR record, designed to point to another part of the namespace.
;
1               IN PTR  dcerouter.wright.local.
21              IN PTR  dad-kubuntu.wright.local.
20              IN PTR  royw-gentoo.wright.local.

/etc/dhcp3/dhcpd.conf
Code: [Select]
option domain-name-servers 192.168.80.1;
authoritative;

option routers 192.168.80.1;
option subnet-mask 255.255.255.0;

# lease IPs for 1 day, maximum 1 week
default-lease-time 86400;
max-lease-time 604800;

# dynamic DNS updates
ddns-updates on;
ddns-update-style interim;
ddns-domainname "wright.local.";
ddns-rev-domainname "in-addr.arpa.";
ddns-ttl 14400;

# don't let clients modify their own A records
ignore client-updates;

key "linuxmce-dhcp" {
    algorithm       hmac-md5;
    secret "<paste your key here>";
};

zone wright.local {
    primary 192.168.80.1;
    key "linuxmce-dhcp";
}

zone 80.168.192.in-addr.arpa {
    primary 192.168.80.1;
    key "linuxmce-dhcp";
}


option space pxelinux;
option pxelinux.magic code 208 = string;
option pxelinux.configfile code 209 = text;
option pxelinux.pathprefix code 210 = text;
option pxelinux.reboottime code 211 = unsigned integer 32;

subnet 192.168.80.0 netmask 255.255.255.0 {
    next-server 192.168.80.1;
    filename "/tftpboot/pxelinux.0";
    option pxelinux.reboottime = 30;

    option domain-name "wright.local";
    option domain-name-servers 192.168.80.1;
    option routers 192.168.80.1;

    default-lease-time 86400;
    max-lease-time 604800;
    pool {
        allow unknown-clients;
        range 192.168.80.129 192.168.80.254;
    }
}

# PXE booting machines
group {
    next-server 192.168.80.1;
    filename "/tftpboot/pxelinux.0";
    option pxelinux.reboottime = 30;
}

# regular machines
group {
}

# CORE (1) has bad mac address:


/etc/resolv.conf
Code: [Select]
domain wright.local
# resolv.conf only accepts IP addresses; a hostname such as "localhost" is ignored
nameserver 127.0.0.1

I'm not sure where to go from here.  Is there enough desire to make this a feature in LinuxMCE?  If so, how?

Have fun,
Roy
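
A pre-cutover check for the files above, added here as an example and not part of Roy's post or of LinuxMCE: before swapping the new directories into place, it parses the `key { ... }` blocks, flags a `<paste your key here>` placeholder that was never replaced or a secret that is not 256 bits of base64 (the size the `dnssec-keygen -b 256` command produces), confirms that the key named in `update-policy` is defined with the same secret in dhcpd.conf (a mismatch is the usual reason dhcpd's updates are refused), checks that each serial follows YYYYMMDDNN, and cross-checks the static A and PTR records. The sample configs embedded below are constructed to mirror the post's files; `DHCP_SECRET` is the post's own example key, `RNDC_SECRET` is generated locally, and all function names are mine.

```python
"""Pre-cutover consistency checks for a BIND + ISC DHCP dynamic-update setup.
Added example, not the original post's code. Sample configs are constructed."""
import base64
import re
from datetime import datetime

PLACEHOLDER = "<paste your key here>"
KEY_BLOCK = re.compile(
    r'key\s+"?([\w-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]*)"\s*;\s*\}', re.S)
GRANT_RE = re.compile(r'update-policy\s*\{\s*grant\s+([\w-]+)')
SERIAL_RE = re.compile(r'^\s*(\d{10})\s*;\s*serial', re.M | re.I)
A_RE = re.compile(r'^([\w-]+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)', re.M)
PTR_RE = re.compile(r'^(\d+)\s+IN\s+PTR\s+(\S+)\.\s*$', re.M)


def parse_keys(text):
    """Map key name -> (algorithm, secret) for every key { ... } block in text."""
    return {m.group(1): (m.group(2).lower(), m.group(3)) for m in KEY_BLOCK.finditer(text)}


def check_secret(secret, bits=256):
    """A TSIG secret must be real base64 of the size dnssec-keygen -b <bits> emits."""
    if secret == PLACEHOLDER:
        return "placeholder secret was never replaced"
    try:
        raw = base64.b64decode(secret, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "secret is not valid base64"
    if len(raw) * 8 != bits:
        return f"secret is {len(raw) * 8} bits, expected {bits}"
    return None


def check_serial(zone_text):
    """The serial must follow the YYYYMMDDNN convention named.conf's comments require."""
    m = SERIAL_RE.search(zone_text)
    if not m:
        return "no serial found"
    try:
        datetime.strptime(m.group(1)[:8], "%Y%m%d")
    except ValueError:
        return f"serial {m.group(1)} is not YYYYMMDDNN"
    return None


def check_a_ptr(fwd, rev, domain, prefix):
    """Every static A record needs a matching PTR in the reverse zone, and vice versa."""
    a = {f"{name}.{domain}": ip for name, ip in A_RE.findall(fwd)}
    ptr = {f"{prefix}.{last}": fqdn for last, fqdn in PTR_RE.findall(rev)}
    problems = [f"{fqdn} -> {ip} has no matching PTR" for fqdn, ip in a.items() if ptr.get(ip) != fqdn]
    problems += [f"{ip} -> {fqdn} has no matching A" for ip, fqdn in ptr.items() if a.get(fqdn) != ip]
    return problems


def run_checks(named_conf, dhcpd_conf, fwd_zone, rev_zone, domain, prefix):
    """Return a list of readable problems; an empty list means the swap is safe."""
    problems = []
    named_keys, dhcpd_keys = parse_keys(named_conf), parse_keys(dhcpd_conf)
    for src, keys in (("named", named_keys), ("dhcpd", dhcpd_keys)):
        for name, (_alg, secret) in keys.items():
            err = check_secret(secret)
            if err:
                problems.append(f"{src} key {name}: {err}")
    # The key granted in update-policy must exist on both sides with the same
    # algorithm and secret; otherwise named refuses every update dhcpd sends.
    for key in GRANT_RE.findall(named_conf):
        if key not in named_keys or key not in dhcpd_keys:
            problems.append(f"update key {key} is not defined in both named.conf and dhcpd.conf")
        elif named_keys[key] != dhcpd_keys[key]:
            problems.append(f"update key {key}: algorithm/secret differ between named and dhcpd")
    for label, zone in (("forward", fwd_zone), ("reverse", rev_zone)):
        err = check_serial(zone)
        if err:
            problems.append(f"{label} zone: {err}")
    return problems + check_a_ptr(fwd_zone, rev_zone, domain, prefix)


# Constructed samples mirroring the post's files. DHCP_SECRET is the post's example key;
# RNDC_SECRET is generated here so the block is self-contained.
DHCP_SECRET = "3+GnSWV5FKxcUu57k7QFxbpvv/xr4fXj2wBVGtdGifI="
RNDC_SECRET = base64.b64encode(bytes(range(32))).decode()
NAMED_CONF = f'''
key "rndc-key" {{ algorithm hmac-md5; secret "{RNDC_SECRET}"; }};
key "linuxmce-dhcp" {{ algorithm hmac-md5; secret "{DHCP_SECRET}"; }};
zone "wright.local" IN {{
    type master;
    update-policy {{ grant linuxmce-dhcp subdomain wright.local. A TXT; }};
}};
'''
DHCPD_GOOD = f'key "linuxmce-dhcp" {{ algorithm hmac-md5; secret "{DHCP_SECRET}"; }};'
DHCPD_BAD = 'key "linuxmce-dhcp" { algorithm hmac-md5; secret "<paste your key here>"; };'
FWD_ZONE = '''
@  IN SOA dcerouter.wright.local. roy.wright.org. (
        2008013101 ; serial
        10800 7200 36000000 86400 )
dcerouter   IN A 192.168.80.1
dad-kubuntu IN A 192.168.80.21
royw-gentoo IN A 192.168.80.20
'''
REV_ZONE = '''
@  IN SOA dcerouter.wright.local. roy.wright.org. (
        2008013101 ; serial
        10800 7200 36000000 86400 )
1  IN PTR dcerouter.wright.local.
21 IN PTR dad-kubuntu.wright.local.
'''

if __name__ == "__main__":
    for label, dhcpd in (("good", DHCPD_GOOD), ("bad", DHCPD_BAD)):
        print(label, run_checks(NAMED_CONF, dhcpd, FWD_ZONE, REV_ZONE, "wright.local", "192.168.80"))
```

Run it against the real files by reading `/etc/bind.new/rndc.key` plus `named.conf`, `/etc/dhcp3.new/dhcpd.conf` and the two zone files into the corresponding arguments; the "good" sample still reports the missing PTR for royw-gentoo, which is exactly the kind of slip that makes reverse lookups fail after the swap.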

Matthew

Re: HOWTO local authoritative dns with dhcp updates
« Reply #1 on: February 04, 2008, 03:09:29 am »
This config is really handy. Do you want to make a wiki article out of it, and maybe link it from Network Settings and DHCP articles?

royw

Re: HOWTO local authoritative dns with dhcp updates
« Reply #2 on: February 04, 2008, 03:43:24 am »

PeteK

Re: HOWTO local authoritative dns with dhcp updates
« Reply #3 on: March 12, 2008, 05:27:23 pm »
Gang--

I'm a little behind on my networking knowledge, so excuse my questions if they're lame, but I've got a couple of Windows PCs on my network getting their IPs from the core's DHCP server.  The Windows PCs are configured on the linuxmce workgroup.  Currently, while the core seems to always be visible to the Windows PCs, I've got intermittent problems resolving names from one Windows PC to another.  Modifying the hosts file on the Windows PCs corrects it, but it's obviously a pain to maintain, especially as I play with LMCE and reinstall it.

Could this modification help to correct the name resolution issues I'm having or am I barking up the wrong tree?

royw

Re: HOWTO local authoritative dns with dhcp updates
« Reply #4 on: March 12, 2008, 11:25:06 pm »
Yes for IP name resolution.  CIFS/SMB I haven't tried as I run a mostly Windows-free home (sewing machine s/w requires Windows and I haven't moved it to a VM yet) so haven't looked at WINS under LMCE.

IIRC, Windows boxes normally use WINS to find each other, so a simpler solution might be to configure one of the Windows boxes as a WINS server or configure a Samba server to be a WINS server.  I haven't looked at LMCE's default Samba config so don't know if it is supposed to be a WINS server or not.

HTH,
Roy.

1audio

Re: HOWTO local authoritative dns with dhcp updates
« Reply #5 on: March 17, 2008, 08:18:41 am »
I find this interesting but I lack the fundamental knowledge to appreciate it. Why would I want an authoritative name server? (It sounds pretty pompous but so does a lot of networking jargon.)

I'm having a problem with intermittent DNS resolution and I'm not sure where the problem is. I think it's a Comcast issue but I have not found a good way to test or confirm. Would this improve the DNS issues somehow?

royw

Re: HOWTO local authoritative dns with dhcp updates
« Reply #6 on: March 17, 2008, 07:31:38 pm »
Say you are running several computers in your home LAN or have frequent visitors.  Say some have static IPs and some have dynamic IPs.  Now say you want to be able to access each computer by name.  You have a few options.  You can:
* manually maintain each computer's host file
* use zero-conf
* use WINS
* use DNS

Personally, when the number of computers in the home LAN gets up to 5 or more, I find manually maintaining the host files starts to become tedious.  Zero-conf is one major security flaw IMO, so forget that.  WINS requires either a Windows server OS or Samba.  As I run a mostly Windows-free home LAN, I prefer DNS.

Since the LMCE core is a 24/7 box and already is the DHCP server, it is a natural to be the DNS server for the home LAN.

I agree on the jargon.  :)  In this case all it really means is a DNS server for your home LAN.  The names of your home computers are not visible from outside of your home LAN.

Resolving names outside of your home LAN is a totally different issue.  Basically by default LMCE just passes any DNS lookup request from a machine on your local LAN to your ISP's DNS server.  Intermittent lookup problems are usually transport problems.  You might want to verify that the DNS server IPs are correct and current, then maybe swap the primary and secondaries.  If you have a router between your LMCE and internet connection and the router uses a dynamic IP from your ISP, you may want to force a release/renew of the IP.

HTH,
Roy