Skip to main content

Dynamic DNS with BIND and ISC-DHCP

I personally prefer to work with hostnames instead of ip-addresses. If you have anything like freeipa or active directory, it will do that for you by registering the client you added to your realm to the managed dns and edit the records dynamically. We can achieve the same goal with just bind and isc-dhcp. I'll use a raspberry pi with raspbian 9 for this setup.

So here is a quick tutorial on how to configure the isc-dhcp-server to dynamically update bind.

First set a static ip to your server.
 [archy@ddns ~]$ sudo vim /etc/network/interfaces  
 # interfaces(5) file used by ifup(8) and ifdown(8)  
 # Please note that this file is written to be used with dhcpcd  
 # For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'  

 # Include files from /etc/network/interfaces.d:  
 source-directory /etc/network/interfaces.d  

 auto eth0  
 iface eth0 inet static  
  address 172.31.30.5    
  network 172.31.30.0  
  broadcast 172.31.30.255  
  netmask 255.255.255.0  
  gateway 172.31.30.1  
  dns-nameservers 127.0.0.1  
Restart the networking.service to make the service reread the configuration.
 [archy@ddns ~]$ sudo systemctl restart networking.service  
Next you'll need to install the necessary packages
 [archy@ddns~]$ sudo apt-get -y install bind9 isc-dhcp-server  
I'll start with the bind9-config first. Start by editing the /etc/bind/named.conf.options-file
Note that I'm concentrating on IPv4 for this post.
 [archy@ddns ~]$ sudo vim /etc/bind/named.conf.options  
This is what my named.conf.options-file looks like
 acl localnet {  
  //localhost  
  127.0.0.1;  
  //local IPv4 LAN  
  172.31.30.0/24;  
 };  
   
 options {  
  directory "/var/cache/bind";  

  // If there is a firewall between you and nameservers you want  
  // to talk to, you may need to fix the firewall to allow multiple  
  // ports to talk. See http://www.kb.cert.org/vuls/id/800113  

  // If your ISP provided one or more IP addresses for stable  
  // nameservers, you probably want to use them as forwarders.  
  // Uncomment the following block, and insert the addresses replacing  
  // the all-0's placeholder.  

  forwarders {  
  208.67.220.220;  
  208.67.222.222;  
  };  
   
  allow-query {  
  localnet;  
  };  
   
  allow-query-cache {  
  localnet;  
  };  

  recursion yes;  

  allow-recursion {  
  localnet;  
  };  

  allow-transfer {  
  localnet;  
  };  

  //========================================================================  
  // If BIND logs error messages about the root key being expired,  
  // you will need to update your keys. See https://www.isc.org/bind-keys  
  //========================================================================  
  dnssec-enable no;  
  // dnssec-validation auto;  

  auth-nxdomain no;  # conform to RFC1035  
  listen-on-v6 { any; };  
 };  
Before we can continue configuring the dns, we'll have to create a rndc-key which is internally used for authentication. You can create a key by running the following command
 [archy@ddns ~]$ sudo rndc-confgen -a -b 512  
the keyfile should look something like this
 key "rndc-key" {  
     algorithm hmac-md5;  
     secret "VelhSlByBRfitjxhgp7LZEmUHD7cNoS6xcn9UIZRRyofPKfoA3qt/zzYW0J6IlK4eAMJSeQc97m2lZqFeyjVRQ==";  
 };  
Next up, the /etc/bind/named.conf.local-file. In this file, we'll be defining the zones which are going to be hosted by this dns'.
 [archy@ddns ~]$ sudo vim /etc/bind/named.conf.local  
This is what my named.conf.local-file looks like
 //  
 // Do any local configuration here  
 //  
   
 // Consider adding the 1918 zones here, if they are not used in your  
 // organization  
 //include "/etc/bind/zones.rfc1918";  
   
 // enter your key here  
 key "rndc-key" {  
     algorithm hmac-md5;  
     secret "VelhSlByBRfitjxhgp7LZEmUHD7cNoS6xcn9UIZRRyofPKfoA3qt/zzYW0J6IlK4eAMJSeQc97m2lZqFeyjVRQ==";  
 };  
   
 zone "archyslife.lab" {  
  type master;  
  file "/var/lib/bind/archyslife.lab.zone";  
  allow-update { key rndc-key; };  
 };  
   
 zone "03.31.172.in-addr.arpa" {  
  type master;  
  file "/var/lib/bind/30.31.172.in-addr.arpa.zone";  
  allow-update { key rndc-key; };  
 };  
You can configure dummy-zones that will not be resolved if you'd like to block / redirect traffic.
A dummy-zone would look something like this
 zone "example.com" {  
     type master;  
     file "/var/lib/bind/restricted-domains";  
 };  
With the configuration set, it's time to write the zone-files. As you can see, I've just setup 2 zones in my named.conf.local "archyslife.lab" and the corresponding reverse-zone "30.31.172.in-addr.arpa".
 [archy@ddns ~]$ sudo vim /var/lib/bind/archyslife.lab.zone  
 $ORIGIN archyslife.lab.  
 $TTL 604800 ; 1 week  
 @ IN SOA ddns.archyslife.lab. dnsadmin.archyslife.lab. (  
   2018021364 ; serial  
   28800   ; refresh (8 hours)  
   3600    ; retry (1 hour)  
   302400   ; expire (3 days 12 hours)  
   43200   ; minimum (12 hours)  
   )  
   NS ddns.archyslife.lab.  
 ddns  A 172.31.30.5  
 gw              A   172.31.30.1  
 ; you can just keep adding more static entries here  
Now add the reverse-zone
 [archy@ddns ~]$ sudo vim /var/lib/bind/30.31.172.in-addr.arpa.zone  
 $TTL 604800 ; 1 week  
 @ IN SOA ddns.archyslife.lab. dnsadmin.archyslife.lab. (  
   2018021408 ; serial  
   28800   ; refresh (8 hours)  
   3600    ; retry (1 hour)  
   302400   ; expire (3 days 12 hours)  
   43200   ; minimum (12 hours)  
   )  
   NS   ddns.archyslife.lab.  
 5  PTR   ddns.archyslife.lab.  ;NOTE the "." at the end of the hostname!!!  
 1  PTR   gw.archyslife.lab.  
Make sure the files all have the right permissions for bind to access them.
 [archy@ddns ~]$ sudo chown bind:bind /var/lib/bind/*.zone  
 [archy@ddns ~]$ sudo chmod 664 /var/lib/bind/*.zone  
I'd recommend you check your conf and zones with the bind-provided helper-programs.

Checking your configuration
 [archy@ddns ~]$ sudo named-checkconf  
Checking your zones
 [archy@ddns ~]$ sudo named-checkzone /var/lib/bind/archyslife.lab.zone  
 [archy@ddns ~]$ sudo named-checkzone /var/lib/bind/30.31.172.in-addr.arpa.zone  
If the output does not show any errors or nothing at all, you can restart and enable the bind.service
 [archy@ddns ~]$ sudo systemctl restart bind9.service  
 [archy@ddns ~]$ sudo systemctl enable bind9.service  
That completes the dns-setup. Now let's configure the DHCP-Part.

As mentioned earlier, bind uses a rndc.key to authenticate internally. We have to give that key to the dhcp-server. For convenience, I like to copy that key to the dhcp-folder.
 [archy@ddns ~]$ sudo mkdir /etc/dhcp/rndc-keys/  
 [archy@ddns ~]$ sudo cp /etc/bind/rndc.key /etc/dhcp/rndc-keys/rndc.key  
In my case, I only want the dhcpd to listen to the eth0 interface.
 [archy@ddns ~]$ sudo vim /etc/default/isc-dhcp-server  
 # On what interfaces should the DHCP server (dhcpd) serve DHCP requests?  
 # Separate multiple interfaces with spaces, e.g. "eth0 eth1".  
 #INTERFACESv6=""  
 INTERFACESv4="eth0"  
Now let's get to the actual configuration of the dhcp-server.
 [archy@ddns ~]$ sudo vim /etc/dhcp/dhcpd.conf  
This is what my dhcpd.conf-file looks like
 # my config for ddns  
 ddns-updates on;  
 ddns-update-style standard;  
 authoritative;  
   
 include "/etc/dhcp/rndc-keys/rndc.key";  
   
 allow unknown-clients;  
 default-lease-time 7200;  
 max-lease-time 28800;  
 log-facility local7;  
   
 zone archyslife.lab. {  
  primary 172.31.30.5;  
  key rndc-key;  
 }  
   
 zone 30.31.172.in-addr.arpa. {  
  primary 172.31.30.5;  
  key rndc-key;  
 }  
   
 subnet 172.31.30.0 netmask 255.255.255.0 {  
  range 172.31.30.100 172.31.30.199;  
  option subnet-mask 255.255.255.0;  
  option domain-name-servers 172.31.30.5, 172.31.30.1;  
  option domain-name "archyslife.lab";  
  option routers 172.31.30.1;  
  option broadcast-address 172.31.30.255;  
 }  
Now you can restart and enable the dhcp-server to make it read the configuration and start at boot.
 [archy@ddns ~]$ sudo systemctl restart isc-dhcp-server.service  
 [archy@ddns ~]$ sudo systemctl enable isc-dhcp-server.service  
The configuration itself is done. If you are having trouble, try checking the services with systemd
 [archy@ddns ~]$ sudo systemctl status bind9.service  
 [archy@ddns ~]$ sudo systemctl status isc-dhcp-server.service  
or check the syslog for errors or problems
 [archy@dns ~]$ sudo tail -f /var/log/syslog  
If everything went well, you can check the leases by running
 [archy@ddns ~]$ dhcp-lease-list  
and try to resolv one of the hosts which is listed there. Reverse lookup also works with this configuration!

and in the syslog you should see something like this when a new dhcp-client joins the network
 Feb 14 03:23:49 ddns dhcpd[583]: DHCPDISCOVER from 00:0c:29:f4:b0:c7 via eth0  
 Feb 14 03:23:50 ddns dhcpd[583]: DHCPOFFER on 172.31.30.127 to 00:0c:29:f4:b0:c7 (castle-bravo) via eth0  
 Feb 14 03:23:50 ddns named[536]: client 172.31.30.5#20327/key rndc-key: signer "rndc-key" approved  
 Feb 14 03:23:50 ddns named[536]: client 172.31.30.5#20327/key rndc-key: updating zone 'archyslife.lab/IN': adding an RR at 'castle-bravo.archyslife.lab' A 172.31.30.127  
 Feb 14 03:23:50 ddns named[536]: client 172.31.30.5#20327/key rndc-key: updating zone 'archyslife.lab/IN': adding an RR at 'castle-bravo.archyslife.lab' DHCID AAABBCUo11rQ8ThEL97lxqkkq9FarJ7js2K1WdrrfwpKlhY=  
 Feb 14 03:23:50 ddns dhcpd[583]: DHCPREQUEST for 172.31.30.127 (172.31.30.5) from 00:0c:29:f4:b0:c7 (castle-bravo) via eth0  
 Feb 14 03:23:50 ddns dhcpd[583]: DHCPACK on 172.31.30.127 to 00:0c:29:f4:b0:c7 (castle-bravo) via eth0  
 Feb 14 03:23:51 ddns dhcpd[583]: Added new forward map from castle-bravo.archyslife.lab to 172.31.30.127  
 Feb 14 03:23:51 ddns named[536]: client 172.31.30.5#20327/key rndc-key: signer "rndc-key" approved  
 Feb 14 03:23:51 ddns named[536]: client 172.31.30.5#20327/key rndc-key: updating zone '30.31.172.in-addr.arpa/IN': deleting rrset at '127.30.31.172.in-addr.arpa' PTR  
 Feb 14 03:23:51 ddns named[536]: client 172.31.30.5#20327/key rndc-key: updating zone '30.31.172.in-addr.arpa/IN': adding an RR at '127.30.31.172.in-addr.arpa' PTR castle-bravo.archyslife.lab.  
 Feb 14 03:23:52 ddns dhcpd[583]: Added reverse map from 127.30.31.172.in-addr.arpa to castle-bravo.archyslife.lab  

Comments

Popular posts from this blog

LACP-Teaming on CentOS 7 / RHEL 7

What is teaming? Teaming or LACP (802.3ad) is a technique used to bond together multiple interfaces to achieve higher combined bandwith. NOTE: every clients speed can only be as high as the single link speed of one of the members. That means, if the interfaces I use in the bond have 1 Gigabit, every client will only have a maximum speed of 1 Gigabit. The advantage of teaming is, that it can handle multiple connections with 1 Gigabit. How many connections depends on the amount of your network cards. I'm using 2 network cards for this team on my server. That means I can handle 2 Gigabit connections at full rate on my server provided the rest of the hardware can deliver that speed. There also exists 'Bonding' in the Linux world. They both do the same in theory but  for a detailed comparison check out this  article about teaming in RHEL7 . To create a teaming-interface, we will first have to remove all the interface configurations we've done on the (soon to be) sla...

Push logs and data into elasticsearch - Part 2 Mikrotik Logs

This is only about the setup of different logging, one being done with Filebeat and the other being done with sending logging to a dedicated port opened in Logstash using the TCP / UDP Inputs. Prerequesites: You'll need a working Elasticsearch Cluster with Logstash and Kibana. Start by getting the Log Data you want to structure parsed correctly. Mikrotik Logs are a bit difficult since they show you Data in the interface which is already enriched with Time / Date. That means a message that the remote logging will send to Logstash will look like this: firewall,info forward: in:lan out:wan, src-mac aa:bb:cc:dd:ee:ff, proto UDP, 172.31.100.154:57061->109.164.113.231:443, len 76 You can check them in the grok debugger and create your own filters and mapping. The following is my example which might not fit your needs. Here are some custom patterns I wrote for my pattern matching: MIKROTIK_DATE \b(?:jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|jun(?:e)?|jul(?...

FreeIPA - Integrating your DHCPD dynamic Updates into IPA

I recently went over my network configuration and noticed that the dhcp-leases were not pushed into the IPA-DNS yet. So I thought, why not do it now. The setup is very similar to setting it up on a single bind instance not managed by IPA (I've already written a guide about this here ). My setup is done with the following hosts: ipa01.archyslife.lan - 172.31.0.1 inf01.archyslife.lan - 172.31.0.5 First of all, create a rndc-key: [archy@ipa01 ~]$ sudo rndc-confgen -a -b 512 This will create the following file '/etc/rndc-key' [archy@ipa01 ~]$ sudo cat /etc/rndc.key key "rndc-key" { algorithm hmac-md5; secret "secret_key_here=="; }; We also need to make named aware of the rndc-key and allow our remote dhcp server to write dns entries: [archy@ipa01 ~]$ sudo vim /etc/named.conf ... include "/etc/rndc-key"; controls { inet 172.31.0.1 port 953 allow { 172.31.0.5; } keys ...

SSSD - Debugging PAM permission denied

Sometimes there's weird errors in IT that occur on random chance. I've had such an encounter with SSSD in combination with IPA(+AD-Trust) recently, where only sometimes, a connection to one of the IPA-Servers would fail with this error: Jul 13 13:36:42 ipa02.archyslife.lan sshd[3478]: pam_sss(sshd:account): Access denied for user runner: 4 (System error) Jul 13 13:36:42 ipa02.archyslife.lan sshd[3478]: fatal: Access denied for user runner by PAM account configuration [preauth] In my case, it was only happening sometimes when running a basic system setup role using ansible on every host in the entire environment. This way, there was no consistent pattern besides being the same host every time if it failed. First up, add the 'debug_level=X' to every section required in the /etc/sssd/sssd.conf where X is a number from 1 to 10 with 10 being the most verbose. Afterward, restart sssd and check the logs for any obvious problems. 1) If you are using local users, check the...