
HET306 UNIX for Telecommunications

Configuring DHCP and DNS Services with Unix

Outline
DHCP
  Dynamic Host Configuration Protocol
  Allows hosts to request (via broadcast) host information
  Server will respond with network configuration information
    Primarily for IP address/gateway/subnet mask AND DNS server information
    Also can provide other information, e.g. Time Server, Proxy

DNS
  Domain Name System
  Allows forward (name to IP address) and reverse (IP address to name) resolution
  Standard hierarchical system which distributes ownership and responsibility of network domains

Combining DHCP and DNS
  Why would we do this?
HET306 Slide Set 11 Configuring DHCP and DNS Services jbut@swin.edu.au

DHCP
Protocol is standard; what about the implementation?
  ISC (Internet Software Consortium) DHCP Server version 3
  http://www.isc.org/products/DHCP

FreeBSD Install
  cd /usr/ports/net/isc-dhcp3-server
  make && make install

Configuration File Location
  /usr/local/etc/dhcpd.conf

DHCP Configuration
Configuration File
/usr/local/etc/dhcpd.conf

Two Sections: Global and Lease/Group Configuration Options
Global Options
  Options/settings common to all leases
  Default lease timeout values
  Details of DNS server to communicate with

Lease/Group Options
  Ranges of IP addresses to assign
  Specific options override globals for this group of leases

DHCP Configuration
Common Global Options
  option domain-name "company.com";
  option domain-name-servers list_of_dns_servers;
  option routers default_gateway;
  default-lease-time seconds;
  max-lease-time seconds;
  authoritative;

Many other options are available; DHCP is flexible

Common Lease/Group Options
  subnet a.b.c.d netmask e.f.g.h {
      range a.b.c.x1 a.b.c.x2;
      option any_local_options;
  }

Assigns a free IP address in the specified range to a querying host
Assigns the specified subnet mask


DHCP Configuration
Assigning Static IP Addresses
  host host_name {
      hardware ethernet 00:01:02:03:04:05;
      fixed-address a.b.c.d;
      option host-name "advertised_name";
  }

host_name is for labelling purposes
A host with the specified MAC address is always assigned the fixed-address IP address
A host requesting a lease and advertising itself as advertised_name is always assigned the fixed-address IP address
Advertised names must be configured in the OS of the requesting workstation
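As an added example (not from the slides), a Python check over a dhcpd.conf fragment written in the style above: it flags a fixed-address that falls inside a dynamic range and a MAC address declared in two host stanzas, two mistakes that can hand the same address or lease to two machines. SAMPLE_CONF and the regular expressions are constructed here and only cover the range and host statements shown on this page.

```python
import ipaddress
import re

# Constructed dhcpd.conf fragment in the style of the slides; the third
# host deliberately reuses a MAC and sits inside the dynamic range.
SAMPLE_CONF = """
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.200;
    option routers 192.168.0.1;
}
host printer { hardware ethernet 00:01:02:03:04:05; fixed-address 192.168.0.10; }
host nas     { hardware ethernet 00:01:02:03:04:06; fixed-address 192.168.0.11; }
host laptop  { hardware ethernet 00:01:02:03:04:05; fixed-address 192.168.0.150; }
"""

RANGE_RE = re.compile(r"range\s+([^;\s]+)\s+([^;\s]+)\s*;")
HOST_RE = re.compile(r"host\s+(\S+)\s*\{[^}]*?hardware\s+ethernet\s+([0-9A-Fa-f:]+)\s*;"
                     r"[^}]*?fixed-address\s+([^;\s]+)\s*;", re.S)

def dynamic_ranges(conf):
    """Return (first, last) address pairs of every range statement."""
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b))
            for a, b in RANGE_RE.findall(conf)]

def static_hosts(conf):
    """Return (label, mac, fixed-address) for every host stanza."""
    return [(name, mac.lower(), ipaddress.ip_address(ip))
            for name, mac, ip in HOST_RE.findall(conf)]

def check_conf(conf):
    """Report fixed addresses inside a dynamic pool and MACs declared twice.

    Either mistake can hand the same address or lease to two machines, which
    also corrupts the name/address mapping dhcpd later pushes into DNS."""
    problems, owners = [], {}
    ranges = dynamic_ranges(conf)
    for name, mac, ip in static_hosts(conf):
        for lo, hi in ranges:
            if lo <= ip <= hi:
                problems.append(f"{name}: fixed-address {ip} lies inside range {lo}-{hi}")
        if mac in owners:
            problems.append(f"{name}: MAC {mac} already used by host {owners[mac]}")
        owners.setdefault(mac, name)
    return problems

if __name__ == "__main__":
    print("\n".join(check_conf(SAMPLE_CONF)) or "no problems found")
```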

Running DHCP
To autostart at boot we edit /etc/rc.conf
  dhcpd_enable="YES"
  dhcpd_ifaces="if0 if1"

Will ensure that at system boot
  dhcpd will be started
  Listening for DHCP lease requests on the specified network interfaces

Daemon started by /usr/local/etc/rc.d/isc-dhcpd.sh
  Only if dhcpd_enable is set

Lease Database
  Assigned leases are stored in a simple text file /var/db/dhcpd.leases
  This allows dhcpd to remember what leases have been assigned after a restart
  Database stores when leases expire
  Periodically the file will be re-created to remove expired leases and ensure it doesn't get too big


DNS
Many products available
You already know about BIND (Berkeley Internet Name Daemon)
  http://www.isc.org/products/BIND/bind9.html
  April 2005 figures: 72.5% of all DNS servers run BIND*

FreeBSD Install
  /usr/ports/net/bind9

* http://mydns.bboy.net/survey/

DNS Configuration
Configuration File
  /etc/named/named.conf

Two Sections: Global and Zone Configuration Options
Global Options
  Specify system behaviour
  Upstream DNS servers
  Location of other database files

Zone Options
  Definition of domain names AND files storing the database
  Database files storing resolution information


DNS Configuration
Common Global Options
  options {
      version "information";                 // response string for version queries
      directory "/location/of/database/files";
      listen-on { a.b.c.d; 127.0.0.1; };
      forward only;
      forwarders { a.b.c.d; e.f.g.h; };
      allow-query { a.b.c.d/24; localhost; };
      pid-file "/var/run/named/named.pid";
  };

Many other options are available

Common Zone Options
  zone "domain.hello." {
      type master;
      notify no;
      file "database.filename";
  };

Specifies which database file contains either the forward or reverse resolution information for the specified zone
Reverse zone names always take the form 0.168.192.in-addr.arpa (means 192.168.0.*)

Forward Zone Files
Specifies forward (name -> IP Address) resolutions for a domain
Trailing periods important
Fields
  Domain Name: example.org.
  Email of administrator (replace @ with .): admin.example.org.
  Name Server for Domain: ns1.example.org
  Serial Number: used for versioning
  Timeouts: specified in seconds

Record Types
  NS    Name Server
  A     Standard IPv4 Address for name
  CNAME This name resolves to the same address as the provided other name
  MX    This host is responsible for handling mail for this domain. Priority number specifies the order in which to use multiple mail servers

  example.org.  IN SOA ns1.example.org. admin.example.org. (
                  2006051501 ; Serial
                  10800      ; Refresh
                  3600       ; Retry
                  604800     ; Expire
                  86400 )    ; Minimum TTL
                IN NS    ns1.example.org.
  host1         IN A     192.168.0.1
  host2         IN A     192.168.0.2
  ns1           IN A     192.168.0.3
  www           IN CNAME host1
                IN MX 10 host2


Reverse Zone Files
Specifies reverse (IP Address -> name) resolutions for a domain
Trailing periods important
Fields
  Same as for forward resolution

  0.168.192.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. (
                  2006051501 ; Serial
                  10800      ; Refresh
                  3600       ; Retry
                  604800     ; Expire
                  86400 )    ; Minimum TTL
          IN NS  ns1.example.org.
  1       IN PTR host1.example.org.
  2       IN PTR host2.example.org.
  3       IN PTR ns1.example.org.

Record Types
  PTR   This address resolves to the following name


Running DNS
To autostart at boot we edit /etc/rc.conf
  named_enable="YES"

Will ensure that at system boot
  named will be started

Daemon started by /etc/rc.d/named.sh
  Only if named_enable is set


Dynamic DNS Updates
DHCP allocates IP addresses to hosts
As a new IP address is allocated
  We would like to update the DNS server such that the new host resolves to that IP address

We need to configure dhcpd and bind to work together
  dhcpd must be able to (securely) connect to the bind server
  bind must be able to accept changes to the database from the remote dhcpd server

So how do we do it?

Dynamic DNS Updates
To enable communications
  named.conf must be configured to allow connections for update purposes
  Want to only allow connections from the system running dhcpd
  Want to only allow connections from a user who knows a secret key to encrypt communications

Encryption
  Primarily for authentication of who can update the database
  Not so much to protect the database: anyone can query the DNS server after an update

Dynamic DNS Updates Key
Generating the update key
  dnssec-keygen -a HMAC-MD5 -b 128 -n USER DDNS-KEY

This will generate two files
  The portion of the key you need is within both files

The key is used to
  Secure communications between dhcpd and named
  Ensure that only a registered dhcpd application can effect changes to the DNS database

For more info on generating keys see:
  man dhcpd.conf


dhcpd.conf Settings
Have to specify the key in the configuration file
  ddns-update-style interim;   # dhcpd 3 needs an explicit update style before it sends any update
  key "KEY-NAME" {
      algorithm HMAC-MD5;
      secret "AbCdEfGhIj*WhAtEvEr==";
  };

Then tell dhcpd which zones it should try to dynamically update
  zone zone_name {
      primary dns_ip_address;
      key KEY-NAME;
  }


Update Behaviour
DHCP Server
  zone_name must match the corresponding authoritative zones in the DNS server
  When an address is assigned in one of the matching zones, dhcpd will contact the DNS server with information about the hostname of the machine assigned the lease and its corresponding IP address

DNS Server
  bind must be listening for update connections on dns_ip_address
  bind must be configured with a matching key
  Via secure update, the DNS server will add an entry to resolve the specified IP address and name

named.conf Settings
Have to specify the key in the configuration file (same format as dhcpd.conf)
  key "KEY-NAME" {
      algorithm HMAC-MD5;
      secret "AbCdEfGhIj*WhAtEvEr==";
  };

Configure which interfaces and which key must be used to connect to the DNS server control channel; allows updates
  controls {
      inet 127.0.0.1 allow { localhost; } keys { KEY-NAME; };
  };
  This allows connections on localhost and only from localhost; assumes the DHCP and DNS servers are running on the same machine

Configure zone information to allow updates given a correct key
  zone "domain.hello." {
      type master;
      notify no;
      file "database.filename";
      allow-update { key KEY-NAME; };
  };

Should specify both forward and reverse zones as updateable


Dynamic DNS Updates
End results
  A workstation/PC is turned on
  Sends its hostname and requests an IP address from the DHCP server
  DHCP server sends back an IP lease
  DHCP server contacts the DNS server with the hostname and allocated IP address
  DNS server updates the mapping between the specified hostname and IP address

Any requests to the DNS server for that particular hostname will result in the correct IP address being resolved
Any reverse resolution requests for the IP address will resolve to the machine that currently holds that lease
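An added example (not from the slides or ISC's code) modelling the exchange above in Python: a stand-in dhcpd signs an "add/delete hostname ip" message with the shared HMAC-MD5 secret, a stand-in named verifies the tag before touching its forward and reverse zones, and an update with the wrong secret or for an address outside the configured reverse zone is refused. SECRET, reverse_zone, NameServer and dhcpd_lease are constructed names; the message format is invented for illustration, not the real DNS UPDATE/TSIG wire format.

```python
import hmac
import ipaddress

# Constructed placeholder secret in the form both config files carry; a real one
# comes from dnssec-keygen and is never hard-coded like this.
SECRET = b"AbCdEfGhIj*WhAtEvEr=="

def reverse_zone(network):
    """'192.168.0.0/24' -> '0.168.192.in-addr.arpa.' (the slide's naming rule)."""
    net = ipaddress.ip_network(network)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def sign(secret, message):
    """HMAC-MD5 tag over the update text, the algorithm named in the key stanza."""
    return hmac.new(secret, message.encode(), "md5").hexdigest()

class NameServer:
    """Stand-in for named with one updatable forward zone and its reverse zone."""
    def __init__(self, forward, network, secret):
        self.forward, self.reverse, self.secret = forward, reverse_zone(network), secret
        self.a, self.ptr, self.rejected = {}, {}, 0

    def update(self, message, tag):
        """Apply 'add|delete <hostname> <ip>' only if the tag verifies: the key
        authenticates the sender, it hides nothing, and anyone may query afterwards."""
        if not hmac.compare_digest(sign(self.secret, message), tag):
            self.rejected += 1
            return False
        action, host, ip = message.split()
        fqdn = f"{host}.{self.forward}"
        rev = ipaddress.ip_address(ip).reverse_pointer + "."
        if not rev.endswith("." + self.reverse):   # zone_name must match
            self.rejected += 1
            return False
        if action == "add":
            self.a[fqdn], self.ptr[rev] = ip, fqdn
        else:
            self.a.pop(fqdn, None); self.ptr.pop(rev, None)
        return True

def dhcpd_lease(dns, secret, hostname, ip, action="add"):
    """What dhcpd does after handing out (or releasing) a lease for hostname."""
    message = f"{action} {hostname} {ip}"
    return dns.update(message, sign(secret, message))

def demo():
    dns = NameServer("example.org.", "192.168.0.0/24", SECRET)
    ok = dhcpd_lease(dns, SECRET, "pc42", "192.168.0.150")
    bad = dhcpd_lease(dns, b"wrong-secret", "evil", "192.168.0.151")
    return ok, bad, dns.a, dns.ptr, dns.rejected
```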
