Alright! Today I’m posting about installing and configuring DHCP/Dynamic DNS for a local network. This installation will be running inside of a Xen virtual machine, but should work on any server. I will not be doing the chroot environment for the DNS server on this one; if you’re interested in that you can read about it on the Ubuntu help site. I’m skipping it because I think it’s a lot of effort to go through for a small home server that is running on a minimal virtual machine with only a base system, a firewall (actually a packet filter), a DHCP server and a DNS server. I also do not have anything on this network that I’m ultra afraid of losing; your needs may be different, and the chroot environment does add another layer of security. As with all of the examples in this series we need to log in and switch to root for this. If you are running this on a virtual machine there may be several options for logging in; I’m using SSH from my desktop, then sudo -i to switch to root.
First we’re going to need some software. These virtual machines seem to be bare minimum base systems, lacking even the ‘man’ command. I’m installing UFW for a firewall, the dhcp3 server, and the bind9 DNS server:
apt-get install ufw bind9 dhcp3-server
This will pull in everything you need to complete this walkthrough. NOTE: when this installs, the dhcp3 server will fail to start; this is only because it hasn’t been configured yet and is safe to ignore at this point.
UFW Firewall: I could be really wrong about this, but it seems to me that the forwarding rules I set up on the Xen Dom0 forward everything through to the DomU virtual machines, which is fine with me, as it seems that I can set up UFW on each DomU to allow different packets through to different virtual machines depending on what is needed for each. There may be a way to do this all from the Dom0, but I cannot find anything about how to do that, so I’m going with installing it on each DomU. The ports we need open on this one are: tcp/22 (SSH), tcp/53 and udp/53 (DNS), and udp/67 (DHCP). So, the commands we need to run are:
ufw default deny
ufw allow proto tcp from 192.168.1.0/24 to 192.168.1.xxx port 22
ufw allow proto tcp from 192.168.1.0/24 to 192.168.1.xxx port 53
ufw allow proto udp from 192.168.1.0/24 to 192.168.1.xxx port 53
ufw allow proto udp from 192.168.1.0/24 to 192.168.1.xxx port 67
ufw enable
That should take care of our filtering rules.
DNS Server: Using bind9 for this may be overkill for my little network, but it’s what I’ve learned to set up and it works, so that’s what I’m going with. I’ll be posting my config files, with some heavy commenting to explain the options I’ve put in them and the basic setup. There is tons of documentation at bind9.net for those who are interested in digging further into it.
First we need to stop the server with:
/etc/init.d/bind9 stop
Once the server is stopped we need to create a directory for the zone files. I put mine in /etc/bind/zones; just type:
mkdir /etc/bind/zones
Now we need to change some permissions so that DHCP can update these zones:
chgrp bind /etc/bind/zones && chmod g+w /etc/bind/zones
Now we can start editing the configuration files:
vim /etc/bind/named.conf.local
Here’s what mine looks like:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// need these controls for DDNS to work
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
// include the key file for DDNS authorization
include "/etc/bind/rndc.key";
// access control, limit queries to the local network
// and the localhost
acl "yourdomain.name" { 192.168.1.0/24; 127.0.0.1; };
// Local zones
zone "yourdomain.name" {
type master;
file "/var/lib/bind/zones/db.yourdomain.name";
allow-query { yourdomain.name; };
allow-update { key "rndc-key"; };
notify no;
};
zone "1.168.192.in-addr.arpa" {
type master;
file "/var/lib/bind/zones/db.192.168.1.rev-yourdomain.name";
allow-query { yourdomain.name; };
allow-update { key "rndc-key"; };
notify no;
};
[EDIT] After installing the ubuntu-standard package I had a problem. Apparently the AppArmor profile for named expects the updateable zone files to be in /var/lib/bind, or a sub-directory of it. I’ve changed the above configuration to reflect this expectation. If you have the zone files in a different location, such as /etc/bind/zones/, then AppArmor will not let the update happen. The easiest way to fix this is to stop bind:
/etc/init.d/bind9 stop
Then move the files. I copied mine first to make sure it was working before removing the old files:
cp -a /etc/bind/zones /var/lib/bind
Now change the config file to point to the new location as in the example above and restart bind with:
/etc/init.d/bind9 start
Make sure that it’s all working. I had one of my workstations renew its DHCP lease and then did:
grep named /var/log/syslog
Assuming that the updates worked and there are no AUDIT errors, it should be safe to delete the zones directory in /etc/bind:
rm -Rv /etc/bind/zones
Sorry for any confusion or problems if you happened to follow this walkthrough before I found this problem… [/EDIT]
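A quick way to catch this AppArmor problem before (and after) it bites is to check where every allow-update zone keeps its file, and to scan syslog for denials logged against the named profile. This is an added example, not part of the original post; the config snippet and the log lines are constructed, the audit line being modelled on the AppArmor message format, and the regexes assume each zone stanza closes with "};" at the start of a line, as in the config above.

```python
import re

# Constructed sample: the two zone stanzas from named.conf.local above, with the
# forward zone still under /etc/bind/zones (the layout the AppArmor profile rejects).
SAMPLE_NAMED_CONF = '''
zone "yourdomain.name" {
    type master;
    file "/etc/bind/zones/db.yourdomain.name";
    allow-update { key "rndc-key"; };
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/zones/db.192.168.1.rev-yourdomain.name";
    allow-update { key "rndc-key"; };
};
'''

# Constructed syslog lines; the audit line is modelled on the AppArmor denial format.
SAMPLE_SYSLOG = '''\
Jul 15 14:29:31 dns dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 via eth0
Jul 15 14:29:31 dns kernel: [ 9211.693833] audit(1216146571.970:7): type=1503 operation="inode_permission" requested_mask="rw::" denied_mask="w::" name="/etc/bind/zones/db.yourdomain.name.jnl" pid=3601 profile="/usr/sbin/named" namespace="default"
Jul 15 14:29:32 dns named[3601]: client 192.168.1.50#1234: update 'yourdomain.name/IN' denied
'''

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)  # stanza ends with "};" at line start
FILE_RE = re.compile(r'\bfile\s+"([^"]+)"')
DENY_RE = re.compile(r'denied_mask="([^"]*)".*?name="([^"]+)".*?profile="([^"]+)"')

def updatable_zones_outside(conf, allowed="/var/lib/bind"):
    """Return (zone, file) for every allow-update zone whose file is not under `allowed`."""
    bad = []
    for zone, body in ZONE_RE.findall(conf):
        if "allow-update" not in body:
            continue  # only dynamically updated zones write journals, so only they matter here
        m = FILE_RE.search(body)
        if m and not m.group(1).startswith(allowed.rstrip("/") + "/"):
            bad.append((zone, m.group(1)))
    return bad

def named_denials(log_text, profile="/usr/sbin/named"):
    """Return (file, denied_mask) for each AppArmor denial logged against `profile`."""
    hits = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m.group(3) == profile:
            hits.append((m.group(2), m.group(1)))
    return hits

if __name__ == "__main__":
    for zone, path in updatable_zones_outside(SAMPLE_NAMED_CONF):
        print(f"zone {zone}: {path} is outside /var/lib/bind, AppArmor will block journal writes")
    for path, mask in named_denials(SAMPLE_SYSLOG):
        print(f"AppArmor denied {mask!r} on {path}")
```

On a live box, feed it the real /etc/bind/named.conf.local and /var/log/syslog instead of the samples.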
Granted, I have changed some names and stuff; you will need to replace them with your own values where needed. Now change a couple of options:
vim /etc/bind/named.conf.options
I don’t need IPv6, so I commented out the option to listen on it. I also added my router to the forwarders list; this may work for you, or you may be better off adding the DNS servers your ISP provides for you. If you add more than one IP address here, separate them with a semicolon.
Now to create the zone files:
vim /etc/bind/zones/db.yourdomain.name
This will be the main zone for your domain. Mine looks like:
$ORIGIN .
$TTL 86400 ; 1 day
yourdomain.name IN SOA yourdomain.name. dns.yourdomain.name. (
    200807031 ; serial number (today's date appended with '1')
    10800 ; refresh (3 hours)
    3600 ; retry (1 hour)
    604800 ; expire (1 week)
    86400 ; minimum (1 day)
    )
    NS dns.yourdomain.name.
$ORIGIN yourdomain.name.
$TTL 86400 ; 1 day
; These are the servers set up in Xen, each has a TXT entry to describe it briefly
dns A 192.168.1.xxx
    TXT "Local name server with DHCP"
install A 192.168.1.xxx
    TXT "Local install and maintenance server"
lamp A 192.168.1.xxx
    TXT "Local web server for development"
ldap A 192.168.1.xxx
    TXT "Local authorization and file sharing server"
master A 192.168.1.xxx
    TXT "Local virtual machine host"
; This is another computer on the network that has been given a static ip by DHCP
; It must be manually set up here because DHCP does not register static addresses
dhcp-static-box A 192.168.1.xxx
    TXT "Static ip of another computer on the network"
; this is an example of a dynamically assigned ip address that has been inserted
; into DNS by DHCP. You do not want this entry when you first start...
; The TXT entry contains a hash that lets DHCP know that that entry is under its
; control.
$TTL 300 ; 5 minutes
dynamic-box A 192.168.1.xxx
    TXT "00c9ddc5928b204ea81d676dc93bc8f3ac"
Again, this has been commented for explanation and the names have been changed.
Create the reverse lookup zone with:
vim /etc/bind/zones/db.192.168.1.rev-yourdomain.name
Mine looks like:
$ORIGIN .
$TTL 86400 ; 1 day
1.168.192.in-addr.arpa IN SOA yourdomain.name. dns.yourdomain.name. (
    200807035 ; serial number (today's date appended with '1')
    28800 ; refresh (8 hours)
    14400 ; retry (4 hours)
    3024000 ; expire (5 weeks)
    86400 ; minimum (1 day)
    )
    NS dns.yourdomain.name.
$ORIGIN 1.168.192.in-addr.arpa.
; the xxx entries below represent the last octet of the ip address for that machine
; these first entries are manually entered pointers at the Xen machines set up in the
; forward zone for yourdomain.name...
$TTL 86400 ; 1 day
xxx PTR master.yourdomain.name.
xxx PTR dns.yourdomain.name.
xxx PTR ldap.yourdomain.name.
xxx PTR lamp.yourdomain.name.
xxx PTR install.yourdomain.name.
; the following is the reverse lookup pointer for the machine that gets a static address
; from dhcp, this has to be manually entered..
xxx PTR dhcp-static-box.yourdomain.name.
; this is an example of a dynamically updated entry, you will not have this one when
; you first start
$TTL 300 ; 5 minutes
xxx PTR dynamic-box.yourdomain.name.
Before you start the server again you need to check some stuff. The bind9 package comes with a couple of nifty programs for this. Run:
named-checkzone yourdomain.name /etc/bind/zones/db.yourdomain.name
Assuming there are no errors, or after fixing any errors, run it again for the reverse zone:
named-checkzone 1.168.192.in-addr.arpa /etc/bind/zones/db.192.168.1.rev-yourdomain.name
And finally, check the overall configuration with:
named-checkconf /etc/bind/named.conf
Assuming all is well, restart the server with:
/etc/init.d/bind9 start
DHCP Server: All we need to do here is edit the config file for the options we need, and then copy the keyfile into the DHCP directory with appropriate permissions. Edit:
vim /etc/dhcp3/dhcpd.conf
Mine looks like:
#
# Sample configuration file for ISC dhcpd for Debian
#
# Attention: If /etc/ltsp/dhcpd.conf exists, that will be used as
# configuration file instead of this file.
#
# $Id: dhcpd.conf,v 1.1.1.1 2002/05/21 00:07:44 peloy Exp $
#
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style interim;
ddns-domainname "yourdomain.name.";
ddns-rev-domainname "in-addr.arpa.";
ignore client-updates;
# include the key
include "/etc/dhcp3/rndc.key";
# option definitions common to all supported networks...
option domain-name "yourdomain.name";
option domain-name-servers dns.yourdomain.name;
option ntp-servers [ip of your ntp server];
option routers [ip of your router];
option ip-forwarding off;
default-lease-time 72000; # I have made these huge, I have a very small
max-lease-time 72001; # network and feel that this will be ok for me.
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# build a subnet
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.xxx 192.168.1.xxx; # start and end ip of desired range of dynamic ip addresses
option broadcast-address 192.168.1.255; # broadcast address for dhcp server
zone yourdomain.name. {
primary 192.168.1.xxx; # IP address of your DNS server
key "rndc-key";
}
zone 1.168.192.in-addr.arpa. {
primary 192.168.1.xxx; # IP address of your dns server
key "rndc-key";
}
}
# assign a static ip for another computer on the network
host dhcp-static-box { # hostname of static ip machine
hardware ethernet 00:0f:b5:81:b1:57; # mac address of static IP machine
fixed-address 192.168.1.5; # desired IP address of static IP machine
}
# A bunch of commented examples were cut off for brevity...
Again, I have changed some names and added some comments to explain things. If you need more information there is plenty of documentation at the bind9.net website.
Copy the needed key file from bind9 to allow dynamic updating:
cp /etc/bind/rndc.key /etc/dhcp3
Now restart the server:
/etc/init.d/dhcp3-server restart
Hopefully all goes well. Test by setting up a computer on your network to get DHCP, then use dig or nslookup to check that DNS has been updated correctly. Also try:
grep dhcp /var/log/syslog
grep dhcp /var/log/messages
grep named /var/log/syslog
If you are using a network syslog server you can do this on that or on the machine where this install is configured.
Some Notes: If you see a lot of errors about updating not working because permission is denied, you may have forgotten to cp the key to the dhcp3 directory, or the key is wrong. You can generate the key with rndc-confgen; there is a man page hosted at linux.die.net that has information on how to use this tool.
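Since a mismatched or mangled key is the usual cause of those permission-denied update errors, here is an added example (not from the original post) that writes a key clause in the same format bind9 and dhcpd include, parses one back, and compares the two copies. generate_rndc_key is a hypothetical stand-in for rndc-confgen; the key name "rndc-key" is the one used in the configs above, and the hmac-md5 default matches what rndc-confgen produced at the time.

```python
import base64
import binascii
import os
import re

# Matches the clause that rndc-confgen writes and both named.conf.local and dhcpd.conf include.
KEY_RE = re.compile(
    r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\};', re.S)

def generate_rndc_key(name="rndc-key", algorithm="hmac-md5", nbytes=16):
    """Return a key clause with a fresh random secret (stand-in for rndc-confgen, not the real tool).
    Newer BIND releases also accept stronger algorithms such as hmac-sha256."""
    secret = base64.b64encode(os.urandom(nbytes)).decode("ascii")
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'

def parse_key(text):
    """Return (name, algorithm, secret) from a key file, rejecting a secret that is not valid base64."""
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no key clause found")
    name, algorithm, secret = m.groups()
    try:
        base64.b64decode(secret, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"secret for {name} is not valid base64") from exc
    return name, algorithm, secret

def keys_match(bind_copy, dhcp_copy):
    """True when the /etc/bind and /etc/dhcp3 copies carry the same name, algorithm and secret."""
    return parse_key(bind_copy) == parse_key(dhcp_copy)

# Constructed copies: an intact pair, and a copy whose secret was truncated in transit.
BIND_COPY = generate_rndc_key()
DHCP_COPY = BIND_COPY
TRUNCATED_COPY = BIND_COPY.replace(parse_key(BIND_COPY)[2], parse_key(BIND_COPY)[2][:-5])

if __name__ == "__main__":
    print("intact pair matches:", keys_match(BIND_COPY, DHCP_COPY))
    try:
        keys_match(BIND_COPY, TRUNCATED_COPY)
    except ValueError as err:
        print("truncated copy rejected:", err)
```

On a real box, read /etc/bind/rndc.key and /etc/dhcp3/rndc.key into bind_copy and dhcp_copy; the key name must also equal the one referenced by the key "rndc-key" lines in dhcpd.conf.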
If you assign a static IP address to a host in the /etc/dhcp3/dhcpd.conf file then it will not get updated in DNS; to be able to locate it with DNS lookups you will need to enter the information manually.
Once dynamic updates are started you cannot edit the zone files without stopping the updating first. There is a way to do this without stopping the DNS server, but I can’t remember it right now; I usually just stop the server with /etc/init.d/bind9 stop before editing. If you are on a larger network you may not really want to do that…
If you do not want the DNS server to do caching then I believe you should be able to disable it by adding recursion no somewhere in /etc/bind/named.conf.options.
I think that does it for DHCP and Dynamic DNS. This setup is working for me, and I hope someone else may find it useful. I am considering adding a squid caching proxy server with dansguardian to this, but if I do, that will be a while down the road. Next I think I’m going to tackle OpenLDAP/Samba PDC for Linux and Windows clients with file and printer sharing thrown in. I know from previous experience that I’ll be working on that for a while…
One Comment
I’ve just edited this as there was a problem with the setup I used here and what apparmor expected. It seems that apparmor expects to see updatable zones in /var/lib/bind or a sub-directory. If the files are placed elsewhere then it causes problem. If this has happened to you then when you search the log files you will see something like:
Jul 15 14:29:31 dns kernel: [ 9211.693833] audit(1216146571.970:7): type=1503 operation="inode_permission" requested_mask="rw::" denied_mask="w::" name="/etc/bind/zones/db.yourdomain.name.jnl" pid=3601 profile="/usr/sbin/named" namespace="default"
The fix has been detailed above, but goes like this:
Stop bind:
Copy the zone directory to the location that apparmor expects:
Edit the named config files:
Change the file location to point at the proper place, eg: /etc/bind/zones needs to be /var/lib/bind/zones. There should be two entries to change, the domain zone, and the reverse lookup zone. Afterwards restart bind:
Assuming that this fixes the problem it should be safe to remove the old zone directory in /etc/bind/
Sorry if this has caused any problems…