Difference between revisions of "How to setup Local Authoritative DNS"
Revision as of 23:29, 5 September 2008
How to setup Local Authoritative DNS
I wanted an authoritative name server for my local intranet, and I also wanted any dynamic IPs to be visible to the name server. The name server included with LinuxMCE is configured as a recursive name server. Here are the changes I made to configure my core's name server to be authoritative and to support dynamic IPs. Note that the machines on my intranet are private, i.e., not known to the outside world.
3 Feb 2008 - Developed and tested on LinuxMCE 0710 Beta 3 amd64.
I named my intranet "wright.local". Using a "local" top level domain (TLD) is recommended for private intranets. Some may prefer to use "lan". You do not want to use any of the standard TLDs like "com", "net", "org", and so on.
I used the core's default intranet addresses, 192.168.80.0/24 with the core at 192.168.80.1.
I've attempted to verbosely document each config file. :)
The directions for adapting the config files are included in the named.conf file.
Installation
If you want to try this, I suggest building the config in new directories and then swapping them with the originals when you are ready (I made a little mess when my core hung and I had to restart with only half the configs ready). :)
So start with creating two directories:
sudo mkdir /etc/bind.new
sudo mkdir /etc/dhcp3.new
Now copy the contents of the original directories:
sudo cp -arp /etc/bind/* /etc/bind.new
sudo cp -arp /etc/dhcp3/* /etc/dhcp3.new
Also create a new resolv.conf file:
sudo touch /etc/resolv.conf.new
You will be creating or editing the following config files in these new directories:
/etc/bind.new/named.conf
/etc/bind.new/named.conf.options
/etc/bind.new/logging.conf
/etc/bind.new/rndc.conf
/etc/bind.new/rndc.key
/etc/bind.new/db.wright.local.zone
/etc/bind.new/db.wright.local.rev
/etc/dhcp3.new/dhcpd.conf
/etc/resolv.conf
The full text of the files you will be editing is at the foot of this page. The original author named his network "wright"; you should replace all instances of "wright" with the name of your network.
Notes on Editing Files
rndc.key and dhcpd.conf key values
To create a key for use in rndc.key and dhcpd.conf:
sudo dnssec-keygen -a HMAC-MD5 -b 256 -n user rndc
Now get the key from the private file:
sudo cat Krndc.*.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: 3+GnSWV5FKxcUu57k7QFxbpvv/xr4fXj2wBVGtdGifI=
Bits: AAA=
Now copy the key, which is the text to the right of "Key: ", and paste it where needed (replace "<paste your key here>" with the key in the config files). An example using the above key would look like:
key "linuxmce-dhcp" { algorithm hmac-md5; secret "<paste your key here>"; };
becomes:
key "linuxmce-dhcp" { algorithm hmac-md5; secret "3+GnSWV5FKxcUu57k7QFxbpvv/xr4fXj2wBVGtdGifI="; };
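The copy-and-paste step above, scripted as an added example that is not part of the original page: it pulls the secret out of the dnssec-keygen private-key file, fills every placeholder in a config file, and refuses to finish if a placeholder survives. Function names and file locations are assumptions; the demo at the bottom works on constructed files in a scratch directory, not on /etc/bind.new.

```shell
#!/bin/sh
# Added example (not from the original page): take the secret from the
# dnssec-keygen private-key file and fill every "<paste your key here>"
# placeholder in a config file, refusing to finish if one survives.
set -eu
umask 077   # temporaries that hold the secret must not be world-readable

# Print the base64 secret that follows "Key: " in a Krndc.*.private file.
extract_key() {
    sed -n 's/^Key:[[:space:]]*//p' "$1" | head -n 1
}

# Replace every placeholder in $2 with the secret $1.  '|' is used as the
# sed delimiter because base64 secrets contain '/'.  Writing back with
# cat keeps the file's existing owner and mode (e.g. root:bind 640).
fill_key() {
    key=$1; cfg=$2
    tmp="$cfg.tmp"
    sed "s|<paste your key here>|$key|g" "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
    if grep -q '<paste your key here>' "$cfg"; then
        echo "placeholder still present in $cfg" >&2
        return 1
    fi
}

# Demo on constructed input (same key as the page's sample output).
demo_dir=$(mktemp -d)
printf '%s\n' 'Private-key-format: v1.2' 'Algorithm: 157 (HMAC_MD5)' \
    'Key: 3+GnSWV5FKxcUu57k7QFxbpvv/xr4fXj2wBVGtdGifI=' 'Bits: AAA=' \
    > "$demo_dir/Krndc.private"
printf '%s\n' 'key "linuxmce-dhcp" {' '  algorithm hmac-md5;' \
    '  secret "<paste your key here>";' '};' > "$demo_dir/rndc.key"
secret=$(extract_key "$demo_dir/Krndc.private")
fill_key "$secret" "$demo_dir/rndc.key"
cat "$demo_dir/rndc.key"
rm -rf "$demo_dir"
```

Run `named-checkconf /etc/bind.new/named.conf` after filling the keys and before swapping the directories, so a stray placeholder or typo is caught while the original config is still in place.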
Check directory ownership
Make the logging directory:
sudo mkdir /var/log/named
sudo chown bind:bind /var/log/named
sudo chmod 755 /var/log/named
You probably ought to check and change the default domain name:
domainname
will probably show
pluto
if so, then set it by:
sudo domainname yourdomain.local
where "yourdomain.local" is your domain. :-)
File Permissions
Change all the file permissions per instructions in named.conf.
Double check everything.
Wrapping up
When and if you are feeling lucky, rename the original directories and then rename the new directories to take their place:
sudo mv /etc/bind /etc/bind.original
sudo mv /etc/bind.new /etc/bind
sudo mv /etc/dhcp3 /etc/dhcp3.original
sudo mv /etc/dhcp3.new /etc/dhcp3
sudo mv /etc/resolv.conf /etc/resolv.conf.original
sudo mv /etc/resolv.conf.new /etc/resolv.conf
Finally restart the bind and dhcpd services:
sudo rndc reload
sudo /etc/init.d/dhcp3-server restart
Check the syslog for any errors:
grep named /var/log/syslog
grep dhcpd /var/log/syslog
Config Files
/etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// This configuration supports an authoritative local zone (wright.local on
// 192.168.80.0/24) and allows DHCP to update the local zone.
// To customize to your setup:
// 1) replace "wright.local" with your internal domain name.
// 2) edit db.wright.local.zone and db.wright.local.rev and replace
//    my static names/addresses with your network's static names/addresses.
//    Make sure to increment the serial number of any file edited.
//    Note, format of serial number is: YYYYMMDDNN where YYYY is year,
//    MM is month, DD is day, NN is update number for that day (i.e., 01,
//    02, 03,...)
// 3) rename db.wright.local.zone to match your domain name.
// 4) rename db.wright.local.rev to match your domain name.
// 5) If you changed the internal network IP from the LinuxMCE default of
//    192.168.80.0/24, then replace "192.168.80" with your network
//    ip and replace its reverse "80.168.192" with your network ip's
//    reverse.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
//
// references:
//   http://www.arda.homeunix.net/dnssetup.html
//   http://www.madboa.com/geek/soho-bind/
//
// notes:
// 1) The following command should be run about twice a year to keep
//    the root servers current (the file is the one named by the "." hint
//    zone below):
//      dig @a.root-servers.net . ns > /etc/bind/db.root
//    Root name servers don't change very often so updating this file more
//    than twice a year is probably overkill. Frequent updates also put undue
//    load on the root name servers; they have enough to do as it is.
// 2) File permissions:
//    /etc/bind/named.conf   root:root 644
//    /etc/bind/rndc.key     root:bind 640
//    /etc/bind/rndc.conf    root:root 600
//    /etc/resolv.conf       root:root 644
//    /etc/bind              root:bind 775, chmod g+s => drwxrwsr-x
//    /etc/dhcp3             root:root 755
//    /etc/dhcp3/dhcpd.conf  root:root 644
//
// Manually Updating Zone Files
// 1. Use rndc to stop BIND.
//      sudo rndc stop
// 2. Remove any .jnl files from the zone file directory.
//      sudo rm /etc/bind/*.jnl
// 3. Edit the zone files as necessary. Make sure to increment the serial
//    number of any file edited. Note, format of serial number is:
//    YYYYMMDDNN where YYYY is year, MM is month, DD is day, NN is update
//    number for that day (i.e., 01, 02, 03,...)
// 4. Start BIND using its startup script.
//      sudo /etc/init.d/bind9 start

// secret must be the same as in /etc/bind/rndc.conf
include "/etc/bind/rndc.key";

// access control list used to limit queries to local net
acl "internal-net" {
    192.168.80/24;
    127.0.0.1;
};

controls {
    inet 127.0.0.1 allow { any; } keys { "rndc-key"; };
};

include "/etc/bind/named.conf.options";

// The single dot (.) is the root of all DNS namespace, so
// this zone tells named where to start looking for any
// name on the Internet
zone "." IN {
    type hint;
    file "/etc/bind/db.root";
};

// local intranet zones and reverse zones
// intranet is wright.local and 192.168.80.0/24
// the DHCP server is on linuxmce-dhcp
// an optional second nameserver would be on linuxmce-ns2
zone "wright.local" IN {
    type master;
    file "/etc/bind/db.wright.local.zone";
    // both allow-update and update-policy can enable DHCP updates,
    // but update-policy allows more control over what kinds of
    // updates DHCP can perform on a zone.
    // allow-update { none; };
    update-policy { grant linuxmce-dhcp subdomain wright.local. A TXT; };
    // allow-transfer { key "linuxmce-ns2"; };
    // notify on zone transfers
    notify yes;
};

zone "80.168.192.in-addr.arpa" IN {
    type master;
    file "/etc/bind/db.wright.local.rev";
    // allow-update { none; };
    update-policy { grant linuxmce-dhcp subdomain 80.168.192.in-addr.arpa. PTR TXT; };
    // allow-transfer { key "linuxmce-ns2"; };
    notify yes;
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912 (http://www.ietf.org/rfc/rfc1912.txt)

// Where the localhost hostname is defined
zone "localhost" IN {
    // a master type means that this server needn't look
    // anywhere else for information; the localhost buck
    // stops here.
    type master;
    file "/etc/bind/db.local";
    // don't allow dynamic DNS clients to update info
    // about the localhost zone
    allow-update { none; };
};

// Where the 127.0.0.0 network is defined
zone "127.in-addr.arpa" IN {
    type master;
    file "/etc/bind/db.127";
    allow-update { none; };
};

zone "0.in-addr.arpa" IN {
    type master;
    file "/etc/bind/db.0";
    allow-update { none; };
};

zone "255.in-addr.arpa" IN {
    type master;
    file "/etc/bind/db.255";
    allow-update { none; };
};

// Include logging config file
include "/etc/bind/logging.conf";

// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };

// From the release notes:
// Because many of our users are uncomfortable receiving undelegated answers
// from root or top level domains, other than a few for whom that behaviour
// has been trusted and expected for quite some length of time, we have now
// introduced the "root-delegations-only" feature which applies delegation-only
// logic to all top level domains, and to the root domain. An exception list
// should be specified, including "MUSEUM" and "DE", and any other top level
// domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };

include "/etc/bind/named.conf.local";
/etc/bind/named.conf.options
options {
    // tell named where to find files mentioned below
    directory "/var/cache/bind";

    // file that contains the process id when bind is running
    pid-file "/var/run/bind/run/named.pid";

    // enable statistics
    statistics-file "/var/named/named.stats";
    zone-statistics yes;
    dump-file "/var/named/named.dump";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below. Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.
    // query-source address * port 53;

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.
    // The forwarders option tells BIND to not use iterative queries itself
    // for information it doesn't already know about but to forward a
    // recursive query to the name servers specified instead.
    include "/etc/bind/named.conf.forwarders";

    // conform to RFC1035
    auth-nxdomain no;

    // on a multi-homed host, you might want to tell named
    // to listen for queries only on certain interfaces
    listen-on-v6 { any; };
    listen-on { "internal-net"; };

    // to allow only specific hosts to use the DNS server:
    allow-query { "internal-net"; };

    // sets BIND's default behaviour to refuse all zone transfers.
    // Without setting this option, anyone can transfer any zone.
    allow-transfer { none; };

    // do not generate notify messages for all zones on a restart.
    // override for authoritative zones
    notify no;
};
/etc/bind/logging.conf
logging {
    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel general_file {
        file "/var/log/named/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel database_file {
        file "/var/log/named/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel config_file {
        file "/var/log/named/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-out_file {
        file "/var/log/named/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel notify_file {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel client_file {
        file "/var/log/named/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel unmatched_file {
        file "/var/log/named/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel network_file {
        file "/var/log/named/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel update_file {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dispatch_file {
        file "/var/log/named/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dnssec_file {
        file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel lame-servers_file {
        file "/var/log/named/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

    category lame-servers { lame-servers_file; };
    category dnssec { dnssec_file; };
    category dispatch { dispatch_file; };
    category update { update_file; };
    category network { network_file; };
    category queries { queries_file; };
    category unmatched { unmatched_file; };
    category client { client_file; };
    category notify { notify_file; };
    category xfer-out { xfer-out_file; };
    category xfer-in { xfer-in_file; };
    category resolver { resolver_file; };
    category config { config_file; };
    category security { security_file; };
    category database { database_file; };
    category general { general_file; };
    category default { default_file; };
};
/etc/bind/rndc.conf
options {
    default-server localhost;
    default-key "rndc-key";
    default-port 953;
};

server localhost {
    key "rndc-key";
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "<paste your key here>";
};
/etc/bind/rndc.key
key "rndc-key" {
    algorithm hmac-md5;
    secret "<paste your key here>";
};

key "linuxmce-dhcp" {
    algorithm hmac-md5;
    secret "<paste your key here>";
};

key "linuxmce-ns2" {
    algorithm hmac-md5;
    secret "<paste your key here>";
};
/etc/bind/db.wright.local.zone
;
; BIND data file for wright.local
; ref. http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-bind-zone.html
;
$TTL 86400      ; time to live : 86400s = 1 day
;
; Start Of Authority record, proclaims important authoritative information
; about a namespace to the nameserver.
; The primary server name and the contact are absolute names (trailing dot);
; the contact e-mail roy@wright.org is written with "." in place of "@".
@       IN SOA dcerouter.wright.local. roy.wright.org. (
                2008013101      ;serial (YYYYMMDDNN where N = 01,02,03,...)
                10800           ;refresh (3 hours)
                7200            ;retry (2 hours)
                36000000        ;expire (10,000 hours = 416 2/3 days)
                86400 )         ;default minimum ttl
;
; NameServer record, which announces the authoritative nameservers for a particular zone.
;
@       IN NS   dcerouter.wright.local.
;
; Address records specify an IP address to assign to a name
;
dcerouter       IN A    192.168.80.1
dad-kubuntu     IN A    192.168.80.21
royw-gentoo     IN A    192.168.80.20
;
; Canonical name records, maps one name to another.
;
linuxmce        IN CNAME dcerouter
/etc/bind/db.wright.local.rev
;
; BIND reverse data file for wright.local
; ref. http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-bind-zone.html
;
$ORIGIN 80.168.192.in-addr.arpa.
$TTL 86400      ; time to live : 86400s = 1 day
;
; Start Of Authority record, proclaims important authoritative information
; about a namespace to the nameserver.
; The primary server name and the contact are absolute names (trailing dot);
; the contact e-mail roy@wright.org is written with "." in place of "@".
@       IN SOA dcerouter.wright.local. roy.wright.org. (
                2008013101      ;serial (YYYYMMDDNN where N = 01,02,03,...)
                10800           ;refresh (3 hours)
                7200            ;retry (2 hours)
                36000000        ;expire (10,000 hours = 416 2/3 days)
                86400 )         ;default minimum ttl
;
; NameServer record, which announces the authoritative nameservers for a particular zone.
;
@       IN NS   dcerouter.wright.local.
;
; PTR (PoinTeR) record, designed to point to another part of the namespace.
;
1       IN PTR  dcerouter.wright.local.
21      IN PTR  dad-kubuntu.wright.local.
20      IN PTR  royw-gentoo.wright.local.
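The "increment the serial, YYYYMMDDNN" rule from named.conf and the manual zone-file update procedure, as an added example that is not part of the original page: it computes the next serial for both zone files and rewrites the SOA in place. Function names and the scratch file are assumptions; run it on the real files only after `rndc stop` and removing the .jnl files, as the named.conf comments describe.

```shell
#!/bin/sh
# Added example (not from the original page): compute the next YYYYMMDDNN
# serial and rewrite it in the SOA of a zone file laid out like
# db.wright.local.zone ("2008013101 ;serial ...").
set -eu

# next_serial CURRENT TODAY(YYYYMMDD): same day -> NN+1, new day -> NN=01.
# A serial must never go backwards, so a CURRENT dated later than TODAY
# (clock skew, a typo'd year) is still incremented rather than reset.
next_serial() {
    current=$1; today=$2
    if [ "$current" -lt "${today}00" ]; then
        echo "${today}01"
    elif [ $((current % 100)) -ge 99 ]; then
        echo "serial $current: no update numbers left for that day" >&2
        return 1
    else
        echo $((current + 1))
    fi
}

# bump_zone_serial FILE TODAY: replace the first "<10 digits> ;serial"
# occurrence in FILE and print the new serial.  Writing back through cat
# keeps the file's owner and mode.
bump_zone_serial() {
    zone=$1; today=$2
    cur=$(sed -n 's/.*\([0-9]\{10\}\)[[:space:]]*;[[:space:]]*serial.*/\1/p' "$zone" | head -n 1)
    [ -n "$cur" ] || { echo "no YYYYMMDDNN serial found in $zone" >&2; return 1; }
    new=$(next_serial "$cur" "$today")
    sed "s/$cur\([[:space:]]*;[[:space:]]*serial\)/$new\1/" "$zone" > "$zone.tmp"
    cat "$zone.tmp" > "$zone"
    rm -f "$zone.tmp"
    echo "$new"
}

# Demo on a constructed SOA in the page's layout.
demo=$(mktemp)
printf '%s\n' '@ IN SOA dcerouter.wright.local. roy.wright.org. (' \
    '        2008013101 ;serial (YYYYMMDDNN where N = 01,02,03,...)' \
    '        10800      ;refresh (3 hours)' > "$demo"
bump_zone_serial "$demo" "$(date +%Y%m%d)"
grep ';serial' "$demo"
rm -f "$demo"
```

Follow the edit with `named-checkzone wright.local /etc/bind/db.wright.local.zone` (and the same for the reverse zone) before starting BIND again, so a syntax slip is caught before the server loads the file.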
/etc/dhcp3/dhcpd.conf
option domain-name-servers 192.168.80.1;
authoritative;
option routers 192.168.80.1;
option subnet-mask 255.255.255.0;

# lease IPs for 1 day, maximum 1 week
default-lease-time 86400;
max-lease-time 604800;

# dynamic DNS updates
ddns-updates on;
ddns-update-style interim;
ddns-domainname "wright.local.";
ddns-rev-domainname "in-addr.arpa.";
ddns-ttl 14400;
# don't let clients modify their own A records
ignore client-updates;

key "linuxmce-dhcp" {
    algorithm hmac-md5;
    secret "<paste your key here>";
};

zone wright.local {
    primary 192.168.80.1;
    key "linuxmce-dhcp";
}

zone 80.168.192.in-addr.arpa {
    primary 192.168.80.1;
    key "linuxmce-dhcp";
}

option space pxelinux;
option pxelinux.magic code 208 = string;
option pxelinux.configfile code 209 = text;
option pxelinux.pathprefix code 210 = text;
option pxelinux.reboottime code 211 = unsigned integer 32;

subnet 192.168.80.0 netmask 255.255.255.0 {
    next-server 192.168.80.1;
    filename "/tftpboot/pxelinux.0";
    option pxelinux.reboottime = 30;
    option domain-name "wright.local";
    option domain-name-servers 192.168.80.1;
    option routers 192.168.80.1;
    default-lease-time 86400;
    max-lease-time 604800;
    pool {
        allow unknown-clients;
        range 192.168.80.129 192.168.80.254;
    }
}

# PXE booting machines
group {
    next-server 192.168.80.1;
    filename "/tftpboot/pxelinux.0";
    option pxelinux.reboottime = 30;
}

# regular machines
group {
}

# CORE (1) has bad mac address:
/etc/resolv.conf
domain wright.local
# the nameserver entry must be an IP address, not a host name
nameserver 127.0.0.1