Difference between revisions of "How to setup Local Authoritative DNS"

From LinuxMCE
Jump to: navigation, search
(Installation)
Line 28: Line 28:
 
   sudo cp -arp /etc/dhcp3/* /etc/dhcp3.new
 
   sudo cp -arp /etc/dhcp3/* /etc/dhcp3.new
  
Also create a new resolve.conf file:
+
Also create a new resolv.conf file:
  
 
   sudo touch /etc/resolv.conf.new
 
   sudo touch /etc/resolv.conf.new
Line 120: Line 120:
 
   sudo mv /etc/dhcp3 /etc/dhcp3.original
 
   sudo mv /etc/dhcp3 /etc/dhcp3.original
 
   sudo mv /etc/dhcp3.new /etc/dhcp3
 
   sudo mv /etc/dhcp3.new /etc/dhcp3
   sudo mv /etc/resolve.conf /etc/resolve.conf.original
+
   sudo mv /etc/resolv.conf /etc/resolv.conf.original
   sudo mv /etc/resolve.conf.new /etc/resolve.conf
+
   sudo mv /etc/resolv.conf.new /etc/resolv.conf
  
 
Finally restart the bind and dhcpd services:
 
Finally restart the bind and dhcpd services:

Revision as of 03:59, 14 August 2012

How to setup Local Authoritative DNS

I was wanting an authoritative name server for my local intranet. I also wanted any dynamic IP's to be visible to the name server. The name server included with linuxmce is configured as a recursive name server. Here's the changes I did to configure my core's name server to be authoritative and support dynamic IPs. Note, the machines on my intranet are private, i.e., not known to the outside world.

 3 Feb 2008 - Developed and tested on LinuxMCE 0710 Beta 3 amd64.

I named my intranet "wright.local". Using a "local" top level domain (TLD) is recommended for private intranets. Some may prefer to use "lan". You do not want to use any of the standard TLDs like "com", "net", "org",...

I used the core's default intranet addresses, 192.168.80.0/24 with the core at 192.168.80.1.

I've attempted to verbosely document each config file. :)

The directions for adapting the config files are included in the named.conf file.

Installation

If you want to try this, I would suggest building the config in new directories then swapping with the originals when you are ready (I had a little mess when my core hung and I had to restart with only half the configs ready) :)

So start with creating two directories:

 sudo mkdir /etc/bind.new
 sudo mkdir /etc/dhcp3.new

Now copy the contents of the original directories:

 sudo cp -arp /etc/bind/* /etc/bind.new
 sudo cp -arp /etc/dhcp3/* /etc/dhcp3.new

Also create a new resolv.conf file:

 sudo touch /etc/resolv.conf.new

You will be creating or editing the following config files in these new directories:

 /etc/bind.new/named.conf
 /etc/bind.new/named.conf.options
 /etc/bind.new/logging.conf
 /etc/bind.new/rndc.conf
 /etc/bind.new/rndc.key
 /etc/bind.new/db.wright.local.zone
 /etc/bind.new/db.wright.local.rev
 /etc/dhcp3.new/dhcpd.conf
 /etc/resolv.conf.new

The full text of the files you will be editing is at the foot of this page. The original author named his network "wright"; you should replace all instances of "wright" with the name of your network.

Notes on Editing Files

rndc.key and dhcpd.conf key values

To create a key for use in rndc.key and dhcpd.conf:

 sudo dnssec-keygen -a HMAC-MD5 -b 256 -n user rndc

Now get the key from the private file:

 sudo cat Krndc.*.private
 Private-key-format: v1.2
 Algorithm: 157 (HMAC_MD5)
 Key: 3+GnSWV5FKxcUu57k7QFxbpvv/xr4fXj2wBVGtdGifI=
 Bits: AAA=

Now cut the key which is to the right of "Key: " and paste where needed (replace "<paste your key here>" with the key in the config files). So an example using the above key would look like:

 key "linuxmce-dhcp" {
       algorithm	hmac-md5;
       secret		"<paste your key here>";
 };

becomes:

 key "linuxmce-dhcp" {
       algorithm	hmac-md5;
       secret		"3+GnSWV5FKxcUu57k7QFxbpvv/xr4fXj2wBVGtdGifI=";
 };

Check directory ownership

Make the logging directory:

 sudo mkdir /var/log/named
 sudo chown bind:bind /var/log/named
 sudo chmod 755 /var/log/named

Setting default domain

You probably ought to check and change the defaultdomain:

 domainname

will probably show

 pluto

if so, then set it by:

 sudo domainname yourdomain.local

where "yourdomain.local" is your domain.  :-)

File Permissions

Change all the file permissions per instructions in named.conf:

  File permissions:
 //    /etc/bind/named.conf   root:root   644
 //    /etc/bind/rndc.key     root:bind   640
 //    /etc/bind/rndc.conf    root:root   600
 //    /etc/resolv.conf       root:root   644
 //    /etc/bind              root:bind   775, chmod g+s => drwxrwsr-x
 //    /etc/dhcp3             root:root   755
 //    /etc/dhcp3/dhcpd.conf  root:root   644
 //

Double check. Everything

Double check everything. Roll Eyes

Wrapping up

When and if you are feeling lucky, rename the original directories and then rename the new directories to take their place:

 sudo mv /etc/bind /etc/bind.original
 sudo mv /etc/bind.new /etc/bind
 sudo mv /etc/dhcp3 /etc/dhcp3.original
 sudo mv /etc/dhcp3.new /etc/dhcp3
 sudo mv /etc/resolv.conf /etc/resolv.conf.original
 sudo mv /etc/resolv.conf.new /etc/resolv.conf

Finally restart the bind and dhcpd services:

 sudo rndc reload
 sudo /etc/init.d/dhcp3-server restart

Check the syslog for any errors:

 grep named /var/log/syslog
 grep dhcpd /var/log/syslog

Config Files

/etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// This configuration supports an authoritative local zone (wright.local on
// 192.168.80.0/24) and allows DHCP to update the local zone.  
// To customize to your setup:
// 1) replace "wright.local" with your internal domain name.
// 2) edit db.wright.local.zone and db.wright.local.rev and replace
//    my static names/addresses with your network's static names/addresses.
//    Make sure to increment the serial number of any file edited.  
//    Note, format of serial number is:  YYYYMMDDNN where YYYY is year, 
//    MM is month, DD is day, NN is update number for that day (i.e., 01, 
//    02, 03,...)
// 3) rename db.wright.local.zone to match your domain name.
// 4) rename db.wright.local.rev to match your domain name.
// 5) If you changed the internal network IP from the LinuxMCE default of
//    192.168.80.0/24, then replace "192.168.80" with your network
//    ip and replace it's reverse "80.168.192" wity your network ip's
//    reverse.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
//
// references:
// http://www.arda.homeunix.net/dnssetup.html
// http://www.madboa.com/geek/soho-bind/
//
// notes:
// 1) The following command should be ran about twice a year to keep
//    the root servers current:
//      dig @a.root-servers.net . ns > /etc/bin/db.root
//    Root name servers don’t change very often so updating this file more 
//    than twice a year is probably overkill. Frequent updates also put undo 
//    load on the root name servers; they have enough to do as it is.
//
// 2) File permissions:
//    /etc/bind/named.conf   root:root   644
//    /etc/bind/rndc.key     root:bind   640
//    /etc/bind/rndc.conf    root:root   600
//    /etc/resolv.conf       root:root   644
//    /etc/bind              root:bind   775, chmod g+s => drwxrwsr-x
//    /etc/dhcp3             root:root   755
//    /etc/dhcp3/dhcpd.conf  root:root   644
//
// Manually Updating Zone Files
// 1. Use rndc to stop BIND.
//      sudo rndc stop
// 2. Remove any .jnl files from the zone file directory.
//      sudo rm /etc/bind/*.jnl
// 3. Edit the zone files as necessary. Make sure to increment the serial 
//    number of any file edited.  Note, format of serial number is:
//    YYYYMMDDNN where YYYY is year, MM is month, DD is day, NN is update
//    number for that day (i.e., 01, 02, 03,...)
// 4. Start BIND using its startup script. 
//      sudo /etc/init.d/bind9 start


// secret must be the same as in /etc/bind/rndc.conf
include "/etc/bind/rndc.key";

// access control list used to limit queries to local net
acl "internal-net" { 192.168.80/24; 127.0.0.1; };

controls {
    inet 127.0.0.1 allow { any; } keys { "rndc-key"; };
};

include "/etc/bind/named.conf.options";

// The single dot (.) is the root of all DNS namespace, so
// this zone tells named where to start looking for any
// name on the Internet
zone "." IN {
	type hint;
	file "/etc/bind/db.root";
};

// local intranet zones and reverse zones
// intranet is wright.local and 192.168.80.0/24
// the DHCP servers is on linuxmce-dhcp
// an optional second nameserver would be on linuxmce-ns2
	
zone "wright.local" IN {
	type master;
	file "/etc/bind/db.wright.local.zone";
	// both allow-update and update-policy can enable DHCP updates,
	// but update-policy allows more control over what kinds of 
	// updates DHCP can perform on a zone.
	// allow-update { none; };
	update-policy { grant linuxmce-dhcp subdomain wright.local. A TXT; };
	// allow-transfer { key "linuxmce-ns2"; };
	// notify on zone transfers
	notify yes;
};
	
zone "80.168.192.in-addr.arpa" IN {
	type master;
	file "/etc/bind/db.wright.local.rev";
	// allow-update { none; };
	update-policy { grant linuxmce-dhcp subdomain 80.168.192.in-addr.arpa. PTR TXT; };
	// allow-transfer { key "linuxmce-ns2"; };
	notify yes;
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912 (http://www.ietf.org/rfc/rfc1912.txt)

// Where the localhost hostname is defined
zone "localhost" IN {
	// a master type means that this server needn't look
	// anywhere else for information; the localhost buck
	// stops here.
	type master;
	file "/etc/bind/db.local";
	// don't allow dynamic DNS clients to update info
	// about the localhost zone
	allow-update { none; };
};
	
// Where the 127.0.0.0 network is defined
zone "127.in-addr.arpa" IN {
	type master;
	file "/etc/bind/db.127";
	allow-update { none; };
};
	
zone "0.in-addr.arpa" IN {
	type master;
	file "/etc/bind/db.0";
	allow-update { none; };
};
	
zone "255.in-addr.arpa" IN {
	type master;
	file "/etc/bind/db.255";
	allow-update { none; };
};
	

// Include logging config file
include "/etc/bind/logging.conf";

// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };

// From the release notes:
//  Because many of our users are uncomfortable receiving undelegated answers
//  from root or top level domains, other than a few for whom that behaviour
//  has been trusted and expected for quite some length of time, we have now
//  introduced the "root-delegations-only" feature which applies delegation-only
//  logic to all top level domains, and to the root domain.  An exception list
//  should be specified, including "MUSEUM" and "DE", and any other top level
//  domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };

include "/etc/bind/named.conf.local";

/etc/bind/named.conf.options

options {
	// tell named where to find files mentioned below
	directory "/var/cache/bind";

	// file that contains the process id when bind is running
	pid-file "/var/run/bind/run/named.pid";

	// enable statistics
	statistics-file "/var/named/named.stats";
	zone-statistics yes;

	dump-file "/var/named/named.dump";

	// If there is a firewall between you and nameservers you want
	// to talk to, you might need to uncomment the query-source
	// directive below.  Previous versions of BIND always asked
	// questions using port 53, but BIND 8.1 and later use an unprivileged
	// port by default.
	// query-source address * port 53;

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	// The forwarders option tells BIND to not use iterative queries itself 
	// for information it doesn’t already know about but to forward a 
	// recursive query to the name servers specified instead.
	include "/etc/bind/named.conf.forwarders";

	// conform to RFC1035
	auth-nxdomain no;

	// on a multi-homed host, you might want to tell named
	// to listen for queries only on certain interfaces
	listen-on-v6 { any; };
	listen-on { "internal-net"; };

	// to allow only specific hosts to use the DNS server:
	allow-query { "internal-net"; };

	// sets BIND’s default behaviour to refuse all zone transfers. 
	// Without setting this option, anyone can transfer any zone.
	allow-transfer { none; };

	// do not generate notify messages for all zones on a restart.
	// override for authorative zones
	notify no;
};

/etc/bind/logging.conf

logging {

	channel default_file {
		file "/var/log/named/default.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel general_file {
		file "/var/log/named/general.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel database_file {
		file "/var/log/named/database.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel security_file {
		file "/var/log/named/security.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel config_file {
		file "/var/log/named/config.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel resolver_file {
		file "/var/log/named/resolver.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel xfer-in_file {
		file "/var/log/named/xfer-in.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel xfer-out_file {
		file "/var/log/named/xfer-out.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel notify_file {
		file "/var/log/named/notify.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel client_file {
		file "/var/log/named/client.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel unmatched_file {
		file "/var/log/named/unmatched.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel queries_file {
		file "/var/log/named/queries.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel network_file {
		file "/var/log/named/network.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel update_file {
		file "/var/log/named/update.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel dispatch_file {
		file "/var/log/named/dispatch.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel dnssec_file {
		file "/var/log/named/dnssec.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};
	channel lame-servers_file {
		file "/var/log/named/lame-servers.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
		};


	category lame-servers {
		lame-servers_file;
		};
	category dnssec {
		dnssec_file;
		};
	category dispatch {
		dispatch_file;
		};
	category update {
		update_file;
		};
	category network {
		network_file;
		};
	category queries {
		queries_file;
		};
	category unmatched {
		unmatched_file;
		};
	category client {
		client_file;
		};
	category notify {
		notify_file;
		};
	category xfer-out {
		xfer-out_file;
		};
	category xfer-in {
		xfer-in_file;
		};
	category resolver {
		resolver_file;
		};
	category config {
		config_file;
		};
	category security {
		security_file;
		};
	category database {
		database_file;
		};
	category general {
		general_file;
		};
	category default {
		default_file;
		};
};

/etc/bind/rndc.conf

options {
	default-server  localhost;
	default-key     "rndc-key";
	default-port 953;
};

server localhost {
	key     "rndc-key";
};

key "rndc-key" {
	algorithm       hmac-md5;
	secret		"<paste your key here>";
};

/etc/bind/rndc.key

key "rndc-key" {
        algorithm	hmac-md5;
        secret		"<paste your key here>";
};

key "linuxmce-dhcp" {
        algorithm	hmac-md5;
        secret		"<paste your key here>";
};

key "linuxmce-ns2" {
        algorithm	hmac-md5;
        secret		"<paste your key here>";
};

/etc/bind/db.wright.local.zone

;
; BIND data file for wright.local
; ref. http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-bind-zone.html
;
$TTL 86400 ; time to live : 86400s = 1 day
; Start Of Authority record, proclaims important authoritative information 
; about a namespace to the nameserver.
@               IN SOA  dcerouter.wright.local        roy@wright.org (
                2008013101      ;serial (YYYYMMDDNN where N = 01,02,03,...)
                10800           ;refresh (3 hours)
                7200            ;retry (2 hours)
                36000000        ;expire (10,000 hours = 416 2/3 days)
                86400)          ;default minimum ttl
;
; NameServer record, which announces the authoritative nameservers for a particular zone.
;
                IN NS   dcerouter.wright.local.
;
; Address records specify an IP address to assign to a name
;
dcerouter       IN A            192.168.80.1
thenameofamachine     IN A            192.168.80.21
thenameofanothermachine  IN A		192.168.80.20
;
; Canonical name records, maps one name to another. 
;
linuxmce        IN CNAME        dcerouter

/etc/bind/db.wright.local.rev


;
; BIND reverse data file for wright.local
; ref. http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-bind-zone.html
;
$ORIGIN 80.168.192.in-addr.arpa.
$TTL 86400 ; time to live : 86400s = 1 day
; Start Of Authority record, proclaims important authoritative information 
; about a namespace to the nameserver.
@               IN SOA  dcerouter.wright.local        roy@wright.org (
                2008013101      ;serial (YYYYMMDDNN where N = 01,02,03,...)
                10800           ;refresh (3 hours)
                7200            ;retry (2 hours)
                36000000        ;expire (10,000 hours = 416 2/3 days)
                86400)          ;default minimum ttl
;
; NameServer record, which announces the authoritative nameservers for a particular zone.
;
                IN NS   dcerouter.wright.local.
;
; PTR — PoinTeR record, designed to point to another part of the namespace.
;
1               IN PTR  dcerouter.wright.local.
21              IN PTR  dad-kubuntu.wright.local.
20		IN PTR	royw-gentoo.wright.local.

/etc/dhcp3/dhcpd.conf

option domain-name-servers 192.168.80.1;
authoritative;

option routers 192.168.80.1;
option subnet-mask 255.255.255.0;

# lease IPs for 1 day, maximum 1 week
default-lease-time 86400;
max-lease-time 604800;

# dynamic DNS updates
ddns-updates on;
ddns-update-style interim;
ddns-domainname "wright.local.";
ddns-rev-domainname "in-addr.arpa.";
ddns-ttl 14400;

# don't let clients modify their own A records
ignore client-updates;

key "linuxmce-dhcp" {
	algorithm       hmac-md5;
	secret		"<paste your key here>";
};

zone wright.local {
	primary 192.168.80.1;
	key "linuxmce-dhcp";
}

zone 80.168.192.in-addr.arpa {
	primary 192.168.80.1;
	key "linuxmce-dhcp";
}


option space pxelinux;
option pxelinux.magic code 208 = string;
option pxelinux.configfile code 209 = text;
option pxelinux.pathprefix code 210 = text;
option pxelinux.reboottime code 211 = unsigned integer 32;

subnet 192.168.80.0 netmask 255.255.255.0 {
	next-server 192.168.80.1;
	filename "/tftpboot/pxelinux.0";
	option pxelinux.reboottime = 30;

	option domain-name "wright.local";
	option domain-name-servers 192.168.80.1;
	option routers 192.168.80.1;

	default-lease-time 86400;
	max-lease-time 604800;
	pool {
		 allow unknown-clients;
		 range 192.168.80.129 192.168.80.254; 
	}
}

# PXE booting machines
group {
	next-server 192.168.80.1;
	filename "/tftpboot/pxelinux.0";
	option pxelinux.reboottime = 30;

}

# regular machines
group {
}

# CORE (1) has bad mac address: 

/etc/resolv.conf

domain wright.local
nameserver localhost