DNS/DHCP server

From Egbert's Wiki

Standalone server

At first one of the WYSE terminals was set up as the DNS/DHCP server. Later the services were also installed on the main server, which became the master. The DHCP server on the WYSE was switched off and the DNS server on it was turned into a slave (secondary) of the master.

Packages needed

For DNS the bind9 package is needed; for DHCP install dhcp3-server, both with the standard command 'sudo aptitude install <package>'. For IPv6 address assignment wide-dhcp6-server was installed with 'sudo aptitude install wide-dhcp6-server'. This server hands out DNS server addresses and more readable host addresses to IPv6 clients.

DNS master server config

The DNS server configuration resides in /etc/bind. All locally added zones should go into 'named.conf.local'. The static zone files are also in this directory. REMARK: dynamic zones (updated by the DHCP server) are placed in /var/lib/bind, because that directory is writable by the bind user so permissions can be tuned more tightly, and the default AppArmor profile already allows writes there. This is a 'split-horizon' DNS server (two views, internal and external); the external view also supplies zone data to a public DNS server, ns.hobby.nl, which is the name server the world sees. Because this server is not itself listed in the public delegation, this setup is called a 'hidden master'.

Named.conf is very simple:

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

// NOTE(review): include order matters to named. named.conf.options (second
// include) references the ACL "trusted_networks", but that ACL is defined
// in named.conf.local, which is included after it. named requires an acl to
// be defined before it is referenced, so as shown 'named-checkconf' would
// reject this file -- move the acl statements into a file that is included
// before named.conf.options (or to the top of named.conf.options) and
// re-check with 'named-checkconf'.
include "/etc/bind/named.conf.logging";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
// The Debian default zones (localhost, 127.in-addr.arpa, ...) are not
// loaded. Presumably deliberate: named.conf.local defines views, and named
// does not allow zones outside a view once views are in use, so those zones
// would have to be added inside the "internal" view instead.
//include "/etc/bind/named.conf.default-zones";

named.conf.logging defines the log channels (file, rotation, severity) and which logging category is routed to which channel:

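// Log channels and category routing for named.
//
// Every file channel keeps 4 rotated copies of at most 10 MB each, so the
// whole set stays under ~200 MB. /var/log/named must be writable by the
// bind user (and allowed by the AppArmor profile -- the Debian default
// profile permits /var/log/named/**).
//
// Fix vs. the previous version: the "update" category was sent to null even
// though update_channel was defined for it. Dynamic DNS updates (here: the
// DHCP server rewriting A/PTR/TXT records with dhcp-key) are exactly the
// events you want an audit trail for, so they are now written to
// /var/log/named/update.log. If the BIND version in use supports it, the
// "update-security" category (approval/denial of update requests) is worth
// routing to the same channel.
logging {

        // Approved/denied requests, TSIG failures, ACL rejections.
        channel security_channel {
                file "/var/log/named/security.log" versions 4 size 10m;
                print-category yes;
                print-severity yes;
                print-time yes;
                severity info;
        };

        // Catch-all for every category not listed below.
        channel default_channel {
                file "/var/log/named/default.log" versions 4 size 10m;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        // Zone transfers this server receives (slave zones, if any).
        channel xfer-in_channel {
                file "/var/log/named/xfer-in.log" versions 4 size 10m;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        // Zone transfers this server serves (to the slaves and the hidden
        // master's public secondary).
        channel xfer-out_channel {
                file "/var/log/named/xfer-out.log" versions 4 size 10m;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        // Dynamic updates (DDNS from dhcpd).
        channel update_channel {
                file "/var/log/named/update.log" versions 4 size 10m;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        // NOTIFY messages sent to also-notify targets.
        channel notify_channel {
                file "/var/log/named/notify.log" versions 4 size 10m;
                severity info;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

        // Per-query log. Note this records every client query (privacy-
        // sensitive and high volume); the 4 x 10m rotation bounds the disk
        // use but means only the most recent queries are retained.
        channel "querylog" {
                file "/var/log/named/query.log" versions 4 size 10m;
                print-time yes;
        };

        category queries { querylog; };
        category security { security_channel; };
        category default { default_channel; };
        category xfer-in { xfer-in_channel; };
        category xfer-out { xfer-out_channel; };
        category notify { notify_channel; };
        // Was "null" -- see header comment.
        category update { update_channel; };
        // Lame delegations elsewhere on the Internet are noise for a
        // resolver; discard them.
        category lame-servers { null; };
        category edns-disabled { default_channel; };
        category "delegation-only" { "null" ; };

};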

The global options are defined in 'named.conf.options'. The forwarders are the OpenDNS resolvers; the per-view access settings below override the global allow-query/allow-transfer/notify values.

// Global options. The access-control settings here (allow-query,
// allow-transfer, notify) are only defaults; both views in
// named.conf.local override them.
options {
        directory "/var/cache/bind/";
        pid-file "/var/run/named/named.pid";
        dump-file "/var/cache/bind/named.dump";
        // Bind only to local IPv4 addresses that fall inside the
        // trusted_networks ACL (the loopback and the RFC1918 LANs).
        // NOTE(review): trusted_networks is defined in named.conf.local,
        // which named.conf includes AFTER this file; named needs the acl
        // defined before it is referenced, so the acl must be moved ahead
        // of this file for the config to load.
        listen-on { trusted_networks; };
        allow-query { trusted_networks; };
        // Default-deny transfers; each view re-opens them for its own peers.
        allow-transfer { none; };
        notify no;

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // OpenDNS, reached over plain (unauthenticated) UDP/TCP 53. No
        // "forward only" is set, so named falls back to the root hints in
        // the internal view if the forwarders do not answer. No
        // dnssec-validation statement is shown, so whether answers are
        // validated depends on the BIND version's default.
        forwarders {
                208.67.222.222;
                208.67.220.220;
        };

        auth-nxdomain no;    # conform to RFC1035
        // NOTE(review): listens on every IPv6 address, unlike the IPv4
        // listener above. As shown, trusted_networks contains only IPv4
        // prefixes, so an IPv6 client matches neither view and is refused;
        // add the local IPv6 prefix to the ACL if v6 clients should be
        // served, or restrict this to the wanted addresses.
        listen-on-v6 { any; };
        transfer-format many-answers;
};

The named.conf.local config file on the master

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization.

//include "/etc/bind/zones.rfc1918";
// TSIG secrets. Both files hold shared keys: keep them root:bind 0640 so
// only named can read them. dhcp.key must contain the same secret as the
// key "dhcp-key" block in dhcpd.conf.
include "/etc/bind/rndc.key";
include "/etc/bind/dhcp.key";

// NOTE(review): named requires these acls to be defined before they are
// referenced. named.conf.options (included before this file) already uses
// trusted_networks, so these four statements need to move to a file that
// is included first.
acl "trusted_networks"  { 127.0.0.1; 192.168.178.0/24; 192.168.10.0/24; 192.168.20.0/24; 192.168.30.0/24; };
// The public secondary (ns.hobby.nl) that pulls the external view's zones.
acl "hobbynet"          { 212.72.224.8; 212.72.224.9; };
// gisnet and sidn are defined but not referenced anywhere in the config
// shown on this page.
acl "gisnet"            { 213.154.241.137; };
acl "sidn"              { 193.176.144.128/28; };

// rndc control channel. Bound to loopback only, so despite the wider allow
// list only local processes that hold rndc-key can reach it.
controls {
        inet 127.0.0.1 port 953
        allow { trusted_networks; } keys { "rndc-key"; };
};

// Views are matched in order, first match wins: a client from
// trusted_networks always lands here and never sees the "external" view.
view "internal" IN {

        match-clients { trusted_networks; };
        allow-query { trusted_networks; };
        // NOTE(review): every host on the LANs may AXFR the internal zones
        // (full host inventory). The only slaves named below are
        // 192.168.10.40 and .41; consider narrowing allow-transfer to them.
        allow-transfer { trusted_networks; };
        recursion yes;
        notify explicit;
        also-notify { 192.168.10.40; 192.168.10.41; };

        zone "." {
                type hint;
                file "/etc/bind/db.root";
        };

        // Dynamic zone, updated by dhcpd; lives in /var/lib/bind because
        // named must be able to write the journal next to it.
        zone "vandenbussche.nl" {
                type master;
                file "/var/lib/bind/db.vandenbussche.nl";
                // dhcp-key may add/delete A and TXT records for ANY name
                // under the zone, including names of statically configured
                // hosts. A client that announces a hostname like "www"
                // could therefore claim that name; with dhcpd's "interim"
                // update style the TXT ownership record and the
                // "name not in use" prerequisite are what stop an existing
                // A record from being overwritten -- verify this holds for
                // the dhcpd version in use.
                update-policy { grant dhcp-key subdomain vandenbussche.nl. A TXT; };
        };
        zone "roebus.nl" {
                type master;
                file "/etc/bind/db.roebus.nl";
        };
        zone "scouthout.nl" {
                type master;
                file "/etc/bind/db.scouthout.nl";
        };
        zone "178.168.192.in-addr.arpa" {
                type master;
                file "/etc/bind/db.192.168.178";
        };
        // Dynamic reverse zone for the DHCP subnet, same key as above.
        zone "10.168.192.in-addr.arpa" {
                type master;
                file "/var/lib/bind/db.192.168.10";
                update-policy { grant dhcp-key subdomain 10.168.192.in-addr.arpa. PTR TXT; };
        };
        zone "20.168.192.in-addr.arpa" {
                type master;
                file "/etc/bind/db.192.168.20";
        };
        zone "0.1.0.0.0.4.7.1.8.8.8.0.1.0.0.2.ip6.arpa" {
                type master;
                file "/etc/bind/db.2001.888.1740.10";
        };
};

// Hidden-master view: the public data that ns.hobby.nl transfers. No
// recursion, no root hints -- it only answers for its own zones.
view "external" IN {

        // trusted_networks here is effectively dead: such clients already
        // matched "internal" above. If LAN hosts need to query or test the
        // external data, they must be excluded from the internal view
        // (e.g. with "!" in its match-clients) or select this view by key.
        match-clients  { hobbynet; trusted_networks; };
        allow-transfer { hobbynet; trusted_networks; };
        allow-query { hobbynet; trusted_networks; };
        recursion no;
        notify explicit;
        // NOTE(review): 192.168.10.40/.41 are notified from this view too,
        // but when they come to transfer they match "internal" and will
        // receive the internal copy of the zone, not this one -- unless
        // they authenticate with a TSIG key that is used to steer them
        // here. Confirm which copy those slaves actually hold.
        also-notify { 212.72.224.8; 192.168.10.40; 192.168.10.41; };

        zone "vandenbussche.nl" {
                type master;
                file "/etc/bind/db.vandenbussche.nl.external";
        };
        zone "roebus.nl" {
                type master;
                file "/etc/bind/db.roebus.nl.external";
        };
        zone "scouthout.nl" {
                type master;
                file "/etc/bind/db.scouthout.nl.external";
        };
        // Public-only zone; it has no internal counterpart.
        zone "scoutingschipluiden.nl" {
                type master;
                file "/etc/bind/db.scoutingschipluiden.nl.external";
        };
};

DHCP part

The DHCP server is configured to issue fixed addresses to known hosts (by MAC address). Unknown hosts get an address from a pool, and those leases are registered in DNS by the DHCP server through dynamic updates signed with the shared 'dhcp-key'.

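# dhcpd.conf for the 192.168.10.0/24 LAN. dhcpd performs the DNS updates
# itself (client FQDN requests are ignored), signed with dhcp-key, against
# the BIND master at 192.168.10.42.
#
# Fixes vs. the previous version:
#  - the broadcast address read 192.166.10.255 (wrong second octet) -- it is
#    192.168.10.255 for this subnet;
#  - "DHCPD_INTERFACE = ..." is not dhcpd.conf syntax (dhcpd would fail to
#    parse it); the interface list belongs in /etc/default/dhcp3-server as
#    INTERFACES="eth0".

# "interim" is the pre-4.3 DDNS style; ISC DHCP 4.3+ replaces it with
# "standard" (DHCID instead of TXT ownership records). If you switch, the
# BIND update-policy for dhcp-key must also grant DHCID, otherwise updates
# are refused.
ddns-update-style interim;
max-lease-time 86400;
default-lease-time 14400;
ddns-ttl 14400;
allow booting;
allow bootp;

# Your dhcp server is not master on your network !
#not authoritative;
# Your dhcpd server is master on your network !
authoritative;
#not authoritative;

#Interface where dhcpd is active
# NOTE: set this in /etc/default/dhcp3-server, not here:
#   INTERFACES="eth0"
#DHCPD_INTERFACE = "eth0";

# Hosts with a fixed-address entry below. As shown no pool references this
# class ("allow members of ..."), so it does not affect allocation; the
# per-class settings still apply to matching clients.
class "known" {
        match hardware;
        one-lease-per-client on;
        ignore client-updates;
}

# TAG: COMPUTER_LIST_BEGIN
host canonps {
    hardware ethernet 00:11:e5:00:2d:3f;
    fixed-address 192.168.10.9;}
host egbert{
    hardware ethernet 00:50:da:41:4d:1c;
    fixed-address 192.168.10.13;}
host d600{
    hardware ethernet 00:0f:1f:a8:f8:b9;
    fixed-address 192.168.10.14;}
host lacie{
    hardware ethernet 00:d0:4b:86:d2:60;
    fixed-address 192.168.10.18;}
host lanserver{
    hardware ethernet 00:02:2a:e1:a6:88;
    fixed-address 192.168.10.19;}
host tiptel{
    hardware ethernet 00:15:65:10:a4:cd;
    fixed-address 192.168.10.60;}
host roel{
    hardware ethernet 00:24:8c:8f:7b:40;
    fixed-address 192.168.10.20;}
host roellaptop{
    hardware ethernet 00:19:7e:be:d6:ba;
    fixed-address 192.168.10.21;}
host roelnetbook{
    hardware ethernet 00:23:4d:05:dc:68;
    fixed-address 192.168.10.22;}
host roeltv{
    hardware ethernet 00:13:D4:B7:28:D5;
    fixed-address 192.168.10.23;}
host roelnas{
    hardware ethernet 00:14:FD:10:93:C8;
    fixed-address 192.168.10.26;}
host roelserver{
    hardware ethernet 00:11:85:10:a3:89;
    fixed-address 192.168.10.27;}
host roelxbox{
    hardware ethernet 00:17:fa:1f:17:a9;
    fixed-address 192.168.10.28;}
host riespc{
    hardware ethernet 00:21:85:1e:f0:b7;
    fixed-address 192.168.10.31;}
host wii{
    hardware ethernet 00:1a:e9:a8:11:5c;
    fixed-address 192.168.10.33;}
# TAG: COMPUTER_LIST_END

subnet 192.168.10.0 netmask 255.255.255.0 {
        # Pool for unknown clients; fixed-address hosts are outside it.
        range 192.168.10.180 192.168.10.199;
        # Clients may not update DNS themselves; dhcpd does it for them.
        ignore client-updates;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.10.255;
        option routers 192.168.10.1;
        option domain-name "vandenbussche.nl";
        option domain-name-servers 192.168.10.42, 192.168.10.41;
        option ntp-servers 192.168.10.42;
        option netbios-scope "";
        # 8 = h-node (WINS first, then broadcast).
        option netbios-node-type 8;
        option netbios-name-servers 192.168.10.42, 192.168.10.41;
        option netbios-dd-server 192.168.10.42;
        ddns-updates on;
        ddns-domainname "vandenbussche.nl";
        ddns-rev-domainname "in-addr.arpa.";
        # PXE: any host on this subnet may network-boot from the TFTP
        # server at .42 (this is intended for this LAN).
        next-server 192.168.10.42;
        filename "pxelinux.0";

        # Shared secret; must be identical to /etc/bind/dhcp.key on the
        # BIND master. hmac-md5 is what both sides are configured for;
        # hmac-sha256 is the better choice where the installed dhcpd and
        # BIND versions support it (change both sides together).
        key "dhcp-key" {
                algorithm hmac-md5;
                secret "**********************";
        };

        zone vandenbussche.nl {
                primary 192.168.10.42;
                key "dhcp-key";
        }
        zone 10.168.192.in-addr.arpa {
                primary 192.168.10.42;
                key "dhcp-key";
        }
}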