11 - configuring dhcp and dns services with unix

7/29/2019 11 - Configuring DHCP and DNS Services With Unix

1/20

HET306 UNIX for

Telecommunications

Configuring DHCP andDNS Services with Unix


2/20

HET306 Slide Set 11 Configuring DHCP and DNS Services

[email protected]

Outline DHCP

Dynamic Host Configuration Protocol Allows hosts to request (via broadcast) host information

Server will respond with network configuration information

Primarily for IP address/gateway/subnet mask AND DNSserver information

Also can provide other information eg. Time Server Proxy

DNS Domain Name System

Allows forward (name to IP address) and reverse (IPaddress to name) resolution

Standard Hierarchical system which distributes ownership

and responsibility of network domains Combining DHCP and DNS

Why would we do this?


3/20


[email protected]

DHCP

Protocol is Standard what about

implementation

ISC (Internet Software Consortium) DHCP

Server version 3

http://www.isc.org/products/DHCP FreeBSD Install

cd /usr/ports/net/isc-dhcp3-server

make && make install

Configuration File Location /usr/local/etc/dhcpd.conf
http://www.isc.org/products/DHCPhttp://www.isc.org/products/DHCP


4/20


[email protected]

DHCP Configuration Configuration File

/usr/local/etc/dhcpd.conf

Two Sections Global and Lease/Group

Configuration Options

Global Options

Options/Settings common to all leases

Default lease timeout values

Details of DNS Server to communicate with

Lease/Group Options

Ranges of IP Addresses to assign

Specific options override globals for this group of

leases


5/20


6/20


[email protected]

DHCP Configuration Assigning Static IP Addresses

host host_name {

hardware ethernet 00:01:02:03:04:05;

fixed-address a.b.c.d;

option host-name advertised name;

};

host_name for labelling purposes

A host with the specified MAC address is always assignedfixed-address IP address

A host requesting a lease and advertising itself asadvertised name is always assigned

fixed-addressIP

address

Advertised names must be configured in the OS of the

requesting workstation


7/20


[email protected]

Running DHCP TO autostart at we edit /etc/rc.conf

dhcpd_enable=YESdhcpd_ifaces=if0 if1

Will ensure that at system boot dhcpdwill be started Listening for DHCP Lease request on the specified network

interfaces

Daemon started by /usr/local/etc/rc.d/isc-dhcpd.sh Only ifdhcpd_enable is set Lease Database

Assigned leases are stored in a simple text file/var/db/dhcpd.leases

This allows dhcpdto remember what leases have been assignedafter a restart

Database stores when leases expire

Periodically file will be re-created to remove expired leases andensure it doesnt get too big


8/20


[email protected]

DNS

Many products available

You already know about BIND Berkeley

Internet Name Daemon

http://www.isc.org/products/BIND/bind9.html

April 2005 figures 72.5% of all DNS servers runBIND*

Free BSD Install

/usr/ports/net/bind9

* http://mydns.bboy.net/survey/
http://www.isc.org/products/BIND/bind9.htmlhttp://mydns.bboy.net/survey/http://mydns.bboy.net/survey/http://www.isc.org/products/BIND/bind9.html


9/20


[email protected]

DNS Configuration Configuration File

/etc/named/named.conf

Two Sections Global and Zone Configuration

Options

Global Options

Specify system behaviour

Upstream DNS Servers

Location of other database files

Zone Options

Definition of domain names AND files storing the database Database files storing resolution information


10/20


[email protected]

DNS Configuration Common Global Options

options {

version Response string for Versioninformation;directory /location/of/database/files;listen-on { a.b.c.d; 127.0.0.1; };forward only;forwarders { a.b.c.d; e.f.g.h; };allow-query { a.b.c.d/24; localhost; };

pid-file /var/run/named/named.pid;};

Many other options are available

Common Zone Optionszone domain.hello. {

type master;notify no;file database.filename;

};

Specifies which database file contains either the forward or reverseresolution information for the specified zone

Reverse zone names always 0.168.192.in-addr.arpa (means 192.168.0.*)


11/20


[email protected]

Forward Zone Files Specifies forward (name -> IP

Address) resolutions for a domain

Trailing periods important Fields

Domain Name example.org.

Email of administrator (replace @with .) admin.example.org.

Name Server for Domainns1.example.org

Serial Number Used forversioning

Timeouts specified in seconds

Record Types NS Name Server

A Standard IPv4 Address forname

CNAME This name resolves tothe same address as the providedother name

MX This host is responsible forhandling mail for this domain.Priority number specifies order touse multiple mail servers

example.org. IN SOAns1.example.org.

admin.example.org. (2006051501 ; Serial10800 ; Refresh3600 ; Retry604800 ; Expire86400 ; Minimum TTL

)

IN NSns1.example.org.

host1 A 192.168.0.1host2 A 192.168.0.2

ns1 A 192.168.0.3www CNAME host1IN MX 10 host2


12/20


[email protected]

Reverse Zone Files Specifies reverse (IP

Address -> name)resolutions for adomain

Trailing periodsimportant

Fields Same as for forwardresolution

Record Types PTR This address

resolves to the followingname

0.168.19.in-addr.arpa. IN SOAns1.example.org.

admin.example.org. (2006051501 ; Serial10800 ; Refresh3600 ; Retry604800 ; Expire86400 ; Minimum TTL

)

IN NSns1.example.org.

1 PTR host1.example.org.2 PTR host2.example.org.

3 PTR ns1.example.org.


13/20


[email protected]

Running DNS TO autostart at we edit /etc/rc.conf

named_enable=YES

Will ensure that at system boot

namedwill be started

Daemon started by /etc/rc.d/named.sh Only ifnamed_enable is set


14/20


[email protected]

Dynamic DNS Updates DHCP allocates IP addresses to hosts

As a new IP address is allocated We would like to update the DNS server such

that the new host resolves to that IP address

We need to configure dhcpdandbindtowork together dhcpdmust be able to (securely) connect to thebindserver

bindmust be able to accept changes to

database from remote dhcpdserver So how do we do it??


15/20


[email protected]

Dynamic DNS Updates To enable communications

named.conf must be configured to allowconnections for update purposes

Want to only allow connections from the systemrunning dhcpd

Want to only allow connections from a user whoknows a secret key to encrypt communications

Encryption Primarily for authentication of who can update

database Not so much to protect database anyone can

query the DNS server after an update


16/20


[email protected]

Dynamic DNS Updates Key Generating the update key

dnssec-keygen a HMAC-MD5 b 128 n USER DDNS-KEY

This will generate two files

The portion of the key you need is within both files

The key is used to

Secure communications between dhcpdand named Ensure that only a registered dhcpdapplication can affect

changes to the DNS database

For more info on generating keys see:

man dhcpd.conf


17/20


[email protected]

dhcpd.conf Settings Have to specify the key in the configuration file

key "KEY-NAME" {

algorithm HMAC-MD5;

secret AbCdEfGhIj*WhAtEvEr==";

};

Then tell dhcpdwhich zones it should try todynamically updatezone zone_name

primary dns_ip_address;

key KEY-NAME;}


18/20


[email protected]

Update Behaviour DHCP Server

zone_name must match corresponding authoritative zonesin DNS server

When an address is assigned to one of the matchingzones, dhcpdwill contact DNS server with informationabout the hostname of the machine assigned the lease and

its corresponding IP Address

DNS Server

bindmust be listening for update connections ondns_ip_address

bindmust be configured with a matching key Via secure update, DNS server will add an entry to resolve

the specified IP Address and Name


19/20


[email protected]

named.conf Settings Have to specify the key in the configuration file same format as

dhcpd.conf

key "KEY-NAME" {algorithm HMAC-MD5;secret AbCdEfGhIj*WhAtEvEr==";

};

Configure which interfaces and which key must be used to connect to the DNSServer control channel allows updatescontrols {

inet 127.0.0.1 allow { localhost; } keys { KEY-NAME; };} This allows connections on localhost and only from localhost assumes DHCP and

DNS server running on same machine

Configure zone information to allow updates given a correct keyzone domain.hello. {

type master;notify no;

file database.filename;allow-update { key KEY-NAME; };

};

Should specify both forward and reverse zones as updateable


20/20


[email protected]

Dynamic DNS Updates End results

A workstation/PC is turned on Sends its hostname and requests an IP address from the

DHCP server

DHCP server sends back an IP lease

DHCP server contacts the DNS server with the hostnameand allocated IP address

DNS server updates the mapping between the specifiedhostname and IP address

Any requests to the DNS server for that particularhostname will result in the correct IP address beingresolved

Any reverse resolution requests for the IP addresswill resolve to the machine that currently holds thatlease

11 - configuring dhcp and dns services with unix

Documents