Configuring Dynamic DNS & DHCP on Debian Stable

Posted by ajt on Tue 31 Jan 2006 at 08:37

For the average home computer user there is no need to install a complex package such as the Internet Software Consortium's BIND DNS or DHCP server, since there are far simpler, lower-resource tools available, for example dnsmasq. For those who wish to learn how to use ISC's BIND and DHCP, for example as a learning exercise, this is how I got it all to work in Debian Sarge, the current stable version of Debian GNU/Linux.

This short article was prompted by my question on the Debian-Administration forum site, where I was able to get some answers to the issues I faced and I did promise to post a solution if I got one.

Installation of Packages

The versions of the ISC BIND DNS and DHCP servers installed by default in Debian stable are the older ones, which will not actually work together. If you have either server installed you need to remove it and install the newer version of each package. The newer versions are available in the Debian stable archive, so you do not need a back-port from testing.

[user@box ~]$ sudo aptitude remove bind dhcp
[user@box ~]$ sudo aptitude install bind9 dhcp3-server

Let aptitude or apt-get figure out and resolve any dependencies. You will get a set of basic configuration files and start scripts all created for you in the usual Debian way.

To set up DNS you need to define your zones in the normal BIND9 format. BIND9 does have a reputation for being complex, but you can find help in the man pages, which are complete if very long, and there are good books to help you get through it (see below). Setting up the DHCP server is by comparison much simpler; set it up as you need.

The hard bit is getting the two to talk to each other, as this is less well documented and the documentation that does exist contradicts itself. It was my difficulty in getting the DHCP server to automatically update the DNS server that led me to ask a question on the D-A.org web site. Though I got no perfect answer, I was able to piece together enough to produce this working solution.

Configuring BIND9

/etc/bind/named.conf

You need to tell BIND that it is okay to allow other applications to update it. I added the following to my BIND9 configuration; everything else was left as stock Debian. My DHCP server and DNS server are on the same box, so here I am only allowing localhost to connect. The key named "rndc-key" lives in the file rndc.key and holds a shared secret, so that BIND9 knows that it is an approved application sending instructions. (Strictly, this controls statement governs the rndc command channel; it is the allow-update clause in each zone, below, that authorises dynamic updates signed with that key.)

controls {
        inet 127.0.0.1 allow {localhost; } keys { "rndc-key"; };
};

/etc/bind/named.conf.local

Here are my local zone details, suitably modified. This is where I let BIND know which zones it may update; in my case I only have one domain (and its reverse zone) to deal with. I am also loading the shared secret key at this stage. You can see I am using a private IP address range.

// Add local zone definitions here.
zone "network.athome" {
        type master;
        file "/etc/bind/db.network";
        allow-update { key "rndc-key"; };
        notify yes;
};

zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192.168.0";
        allow-update { key "rndc-key"; };
        notify yes;
};

include "/etc/bind/rndc.key";

/etc/bind/rndc.key

The secret key is created with a tool (rndc-confgen; see the comments below). If your DHCP and DNS servers are on separate machines you need to copy the file between them or arrange for one machine to remotely access the file system of the other. Treat the file like a password: anyone who can read it can push updates into every zone that accepts this key, so keep it readable only by root and the two daemons.

key "rndc-key" {
        algorithm       hmac-md5;
        secret          "lgkbhjhtthgtlghtl6567==";
};

db files

Set up your zone databases as normal. You do not need to do anything fancy.

Configuring DHCP3 Server

By default the ISC DHCP3 server shipped in Debian Sarge does not do dynamic DNS updates; you simply need to enable them. Below are the options I selected for my system.

/etc/dhcp3/dhcpd.conf

You have to turn on updating with the ddns-update-style interim option. I have ignore client-updates because Windows machines try to set their FQDN, not just their hostname, which causes problems. I have included the key so the two server daemons can trust each other.

# Basic stuff to name the server and switch on updating
server-identifier           server;
ddns-updates                on;
ddns-update-style           interim;
ddns-domainname             "network.athome.";
ddns-rev-domainname         "in-addr.arpa.";
ignore                      client-updates;

# This is the key so that DHCP can authenticate itself to BIND9
include                     "/etc/bind/rndc.key";

# This is the communication zone
zone network.athome. {
    primary 127.0.0.1;
    key rndc-key;
}

# Normal DHCP stuff
option domain-name              "network.athome.";
option domain-name-servers      192.168.0.60, 192.168.0.1;
option ntp-servers              192.168.0.60;
option ip-forwarding            off;

default-lease-time              600;
max-lease-time                  7200;
authoritative;

log-facility local7;

subnet 192.168.0.0 netmask 255.255.255.0 {
    range                       192.168.0.100 192.168.0.200;
    option broadcast-address    192.168.0.255;
    option routers              192.168.0.1;
    allow                       unknown-clients;

    zone    0.168.192.in-addr.arpa. {
            primary 192.168.0.60;
            key             "rndc-key";
    }

    zone    localdomain. {
            primary 192.168.0.60;
            key             "rndc-key";
    }
}
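The three files above have to agree on the zone names and on the key name before a single update will be accepted. As an added example (not code from the article or from ISC), the following Python script cross-checks named.conf.local, rndc.key and dhcpd.conf passed in as text; the samples embedded in it are constructed to mirror the configuration above, and it also catches the two pitfalls raised in the comments below (a key name that differs between the files, and ddns-update-style declared inside a subnet block).

```python
"""Cross-check the DDNS trust settings shared by BIND9 and the ISC DHCP server.
Added example, not part of the article or of either ISC project: given the three
files as text it reports a dhcpd zone whose key the matching BIND zone's
allow-update does not accept, a key no key block defines, and a
ddns-update-style that is not at global scope."""
import re

COMMENT_RE = re.compile(r"(#|//).*$", re.M)
ZONE_RE = re.compile(r'\bzone\s+"?([A-Za-z0-9.\-]+?)\.?"?\s*(?:IN\s*)?\{')
KEY_DEF_RE = re.compile(r'\bkey\s+"?([\w.\-]+?)"?\s*\{')  # key NAME { ... }
KEY_USE_RE = re.compile(r'\bkey\s+"?([\w.\-]+?)"?\s*;')   # key NAME;


def blocks(text, pattern):
    """Yield (name, body) for each `<keyword> NAME {...}`, tracking nested braces."""
    text = COMMENT_RE.sub("", text)
    for m in pattern.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).lower(), text[m.end():i - 1]


def bind_update_keys(named_conf):
    """Map each BIND zone to the key names its allow-update clause accepts."""
    keys = {}
    for zone, body in blocks(named_conf, ZONE_RE):
        au = re.search(r"allow-update\s*\{([^}]*)\}", body)
        keys[zone] = {k.lower() for k in KEY_USE_RE.findall(au.group(1))} if au else set()
    return keys


def dhcpd_zone_keys(dhcpd_conf):
    """Map each zone dhcpd declares to the key it signs updates with (None if absent)."""
    return {zone: (m.group(1).lower() if (m := KEY_USE_RE.search(body)) else None)
            for zone, body in blocks(dhcpd_conf, ZONE_RE)}


def ddns_style_is_global(dhcpd_conf):
    """True only if ddns-update-style appears outside every { } block."""
    text = COMMENT_RE.sub("", dhcpd_conf)
    return any(text[:m.start()].count("{") == text[:m.start()].count("}")
               for m in re.finditer(r"\bddns-update-style\b", text))


def audit(named_conf, key_file, dhcpd_conf):
    """Return human-readable findings; an empty list means the three files agree."""
    findings, bind_keys = [], bind_update_keys(named_conf)
    defined = {name for name, _ in blocks(key_file, KEY_DEF_RE)}
    for zone, key in dhcpd_zone_keys(dhcpd_conf).items():
        if key is None:
            findings.append(f"{zone}: dhcpd zone has no key, its updates would be unsigned")
        elif key not in defined:
            findings.append(f"{zone}: key {key} is not defined in the shared key file")
        if zone not in bind_keys:
            findings.append(f"{zone}: BIND has no zone of that name")
        elif key not in bind_keys[zone]:
            findings.append(f"{zone}: dhcpd signs with {key} but BIND accepts {sorted(bind_keys[zone])}")
    if not ddns_style_is_global(dhcpd_conf):
        findings.append("ddns-update-style is missing or not at global scope")
    return findings


# Constructed samples mirroring the article's setup (not the author's real files).
NAMED_CONF = """
zone "network.athome" { type master; file "/etc/bind/db.network"; allow-update { key "rndc-key"; }; };
zone "0.168.192.in-addr.arpa" { type master; file "/etc/bind/db.192.168.0"; allow-update { key "rndc-key"; }; };
"""
RNDC_KEY = 'key "rndc-key" { algorithm hmac-md5; secret "placeholder=="; };'
DHCPD_CONF = """
ddns-update-style interim;          # must sit here, not inside the subnet block
include "/etc/bind/rndc.key";
zone network.athome. { primary 127.0.0.1; key rndc-key; }
subnet 192.168.0.0 netmask 255.255.255.0 {
    zone 0.168.192.in-addr.arpa. { primary 192.168.0.60; key "rndc-key"; }
    zone localdomain. { primary 192.168.0.60; key "rndc-key"; }
}
"""
```

Run against the samples, `audit()` reports only that the `localdomain.` zone declared in dhcpd.conf has no counterpart in BIND, which is harmless while nothing is registered under it but worth knowing about.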

Posted by oxtan (80.126.xx.xx) on Thu 2 Feb 2006 at 12:58
[ View Weblogs ]
great article! Thanks, I'll try it when I get a spare moment at home.

One question though:

you write:


/etc/bind/rndc.key

The secret key is created with a tool.



Sorry for missing the obvious part: which tool?


[ Parent | Reply to this comment ]

Posted by oxtan (80.126.xx.xx) on Thu 2 Feb 2006 at 13:04
[ View Weblogs ]
ok, rtfm 1st :)


$ apropos rndc
rndc (8) - name server control utility
rndc-confgen (8) - rndc key generation tool
rndc.conf (5) - rndc configuration file


so I'll guess it's rndc-confgen, then.

[ Parent | Reply to this comment ]

Posted by Anonymous (200.87.xx.xx) on Tue 8 Apr 2008 at 20:46
a little tutorial on how to configure DHCP

[ Parent | Reply to this comment ]

Posted by ajt (204.193.xx.xx) on Thu 2 Feb 2006 at 13:36
[ View Weblogs ]
Fair comment...

--
"It's Not Magic, It's Work"
Adam

[ Parent | Reply to this comment ]

Posted by GoodTimes (146.180.xx.xx) on Thu 2 Feb 2006 at 14:31
[ View Weblogs ]
This is a very good article, i've been wanting to set this up as a learning experience in my home network for some time.

I'm sure this question is answered once I get this set up. But what happens with a static ip address i'm assigning through dhcp? Does it get the hostname from the dhcp config and then use that to update dns? Or am I missing the point?

aaron



Through correctness comes ease
-Chiun
-The Destroyer series

[ Parent | Reply to this comment ]

Posted by ajt (84.12.xx.xx) on Thu 2 Feb 2006 at 18:53
[ View Weblogs ]
Static though DHCP? Do you mean a DHCP Reservation?

My static machines retain their hostname and fully qualified domain name as they ignore DHCP totally. They have static entries in my DNS.

My work machine has a work hostname and FQDN. Work's machine is not in my DNS, so it uses DHCP and it retains its hostname, but is placed in the domain of the DHCP server, not work's. Once it's in my domain, DNS knows where it is and I can access it via its hostname or FQDN.

Does this help?

--
"It's Not Magic, It's Work"
Adam

[ Parent | Reply to this comment ]

Posted by GoodTimes (146.180.xx.xx) on Fri 3 Feb 2006 at 15:24
[ View Weblogs ]
yes, i mean a static reservation

what i do is i have all my machines set to get their info through dhcp. Some of these machines i want on fixed ip addresses (various reasons) but I want them getting their information from dhcp, but i want to make sure that it won't hurt anything. The more I think about it, the more it seems like I would just leave my static configurations the way they are, and just new machines (laptops) that come in and out of my network would possibly change ip address. But where does the hostname come from? I'd assume the hostname configured on the client.

For example

machine with a hostname of foo contacts dhcp for the athome.network domain, this then gives it ip address ...100 and then there is a dynamic dns entry for foo.athome.network

aaron



Through correctness comes ease
-Chiun
-The Destroyer series

[ Parent | Reply to this comment ]

Posted by GoodTimes (69.17.xx.xx) on Sun 26 Feb 2006 at 06:20
[ View Weblogs ]
So, i finally got around to doing this

I had a few issues that were eventually resolved simply, but were a bit tedious to track down, since "no one is having this problem but me!"

I had setup everything like the article says (i made some typos, but we don't have to cover that) but things weren't working and i couldn't find what I didn't do right.

to debug the problem

I edited /etc/default/bind9 so that options read

OPTIONS="-u bind -g -d 20"

and then restarted bind9 in a window

and in another window i stopped the /etc/init.d/dhcpd3-server and ran the command

dhcpd3 -d -f 2>&1 | tee dhcp3.log

and in another window, i did a

tail -f /var/log/daemon.log

this way, from a test machine, i could renew my lease, and see what happened between the daemons

But every time i'd try and renew a lease on a test machine, i'd get the message


named[30593]: client 127.0.0.1#49087: request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)

so, i looked around for rndc information and came across the rndc-confgen program

running it, it gave me a config for a /etc/rndc.conf file and a new /etc/bind/rndc.key file

i made sure that the /etc/rndc.conf file's key and what was in /etc/bind/rndc.key matched

so, that took care of that message, but then i started getting the messages

named[30901]: db.rdu90.com.jnl: create: permission denied

<mistake>
Ok, so i'm about to make my big mistake here. What happened was, I saw that my /etc/bind directory was owned by smmsp, which had to have been done by the package management system, and so i didn't want to mess with that. So, I figured i'd provide a couple of 0 length .jnl files and chown them to bind. Then it could do what it needed...right?
</mistake>

so, i execute

touch db.mydomain.com.nl
touch db.192.168.1.jnl

and chown them both to bind

at this point i begin seeing the following messages

client 127.0.0.1#49097: updating zone 'your.domain/IN': error: journal open failed: no more

dhcpd dhcpd: Unable to add forward map from
host.yourdomain.com to ##.##.##.##: timed out

/etc/bind/named.conf:59: couldn't install keys for command channel 127.0.0.1#953: permission denied
/etc/bind/named.conf:59: couldn't add command channel 127.0.0.1#953: permission denied

at this point, i figured since the /etc/bind directory was group 'bind', i'd just give the group write permissions (i am loathe to change perms on directories apt controls since this might get changed back during an upgrade)

and everything started working perfectly

this site helped a lot

http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html

that explained to me what the log messages meant

what i'd like to know is if there's someplace else i should have these journal files being written as i don't know if bind should be able to write to that directory

i'm very happy with having this done overall, i've wanted to do it for years actually. thank you for this article.

aaron

Through correctness comes ease
-Chiun
-The Destroyer series

[ Parent | Reply to this comment ]
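The debugging session above shows how much of the diagnosis comes from reading named's and dhcpd's syslog output. As an added example (not the commenter's code, and not an ISC tool), the following Python script classifies those messages into root causes with the remedy the thread arrived at; the sample log lines are constructed to match the shapes quoted above, with invented host name, pids and ports.

```python
"""Triage named/dhcpd syslog lines from a failing DDNS setup into root causes.
Added example, not from the comment above or from ISC: the patterns are the
messages quoted in that comment, the sample lines are constructed (host, pids
and names invented) and the remedies are what the thread arrived at."""
import re
from collections import Counter

SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# (category, pattern over the message part, remedy); first matching rule wins.
RULES = [
    ("tsig-badkey",
     re.compile(r"TSIG (?P<key>\S+): tsig verify failure \(BADKEY\)"),
     "dhcpd and named hold different secrets under this key name; generate one "
     "key with rndc-confgen and install the identical rndc.key on both sides"),
    ("journal-create",
     re.compile(r"(?P<file>\S+\.jnl): create: permission denied"),
     "named cannot create the journal beside the zone file; keep dynamic zones "
     "under /var/cache/bind (or point the zone's journal statement there)"),
    ("journal-open",
     re.compile(r"updating zone '(?P<zone>[^']+)': error: journal open failed"),
     "a journal exists but is not one named wrote (e.g. a hand-made empty file); "
     "remove it and let named create its own"),
    ("dhcpd-timeout",
     re.compile(r"Unable to add (?P<dir>forward|reverse) map from (?P<name>\S+) to"),
     "dhcpd gave up waiting for named; fix the named-side error logged before this"),
    ("control-channel",
     re.compile(r"couldn't (?:install keys for|add) command channel (?P<addr>\S+): permission denied"),
     "named (running as the bind user) could not set up the rndc channel; check "
     "that user's read access to the key file and to /etc/bind"),
]


def triage(lines):
    """Parse syslog lines; return one dict per recognised failure, in log order."""
    findings = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line we understand
        for category, pattern, remedy in RULES:
            hit = pattern.search(m["msg"])
            if hit:
                findings.append({"program": m["prog"], "pid": m["pid"], "category": category,
                                 "fields": hit.groupdict(), "remedy": remedy})
                break
    return findings


def summarize(findings):
    """Count findings per category so the most frequent failure is tackled first."""
    return Counter(f["category"] for f in findings)


SAMPLE_LOG = [  # constructed lines in the shape of those quoted in the comment above
    "Feb 26 05:50:01 ns named[30593]: client 127.0.0.1#49087: request has invalid "
    "signature: TSIG rndc-key: tsig verify failure (BADKEY)",
    "Feb 26 05:52:10 ns dhcpd: Unable to add forward map from test.network.athome "
    "to 192.168.0.101: timed out",
    "Feb 26 05:58:44 ns named[30901]: db.network.jnl: create: permission denied",
    "Feb 26 06:01:02 ns named[30901]: client 127.0.0.1#49097: updating zone "
    "'network.athome/IN': error: journal open failed",
    "Feb 26 06:02:15 ns named[30950]: /etc/bind/named.conf:59: couldn't add command "
    "channel 127.0.0.1#953: permission denied",
    "Feb 26 06:03:00 ns dhcpd: DHCPACK on 192.168.0.101 to 00:11:22:33:44:55 via eth0",
]
```

Feed `triage()` the output of `tail -f /var/log/daemon.log` (one string per line) and read the `remedy` of the first finding: the dhcpd timeout is always a symptom of whichever named error precedes it.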

Posted by Anonymous (187.101.xx.xx) on Wed 14 Mar 2012 at 15:47
I think the best method is include the line "journal" in your zone config:

zone "db.rdu90.com" IN {
... //others zone options
journal "/var/cache/bind/db.rdu90.com.jnl";
};

[ Parent | Reply to this comment ]

Posted by Anonymous (94.240.xx.xx) on Mon 24 May 2010 at 10:39
Try
update-static-leases on;
in your dhcpd.conf

Tomek

[ Parent | Reply to this comment ]

Posted by Anonymous (213.146.xx.xx) on Thu 2 Feb 2006 at 16:34
Dude, you have no idea how much this helps, after struggling for two days this is a great help!

Not for sounding too lazy, but you wouldn't have a simple Bind9 setup article too? I am writing a script to install a domain controller with Samba, bind, dhcp and squid. Got most of the rest figured out but this bind thingy is giving me the runaround :-(

[ Parent | Reply to this comment ]

Posted by ajt (84.12.xx.xx) on Thu 2 Feb 2006 at 19:05
[ View Weblogs ]
I slogged through the O'Reilly book on DNS and BIND to get mine working back in the days of version 4. I then upgraded to 8, which took some messing, and most recently to 9 - which was painless.

BIND is dead easy for a simple network, I've got 6 machines with static addresses, a work notebook on DHCP and a variable number of guests also on DHCP. I have only one server and a handful of aliases for Apache and that's it.

It all starts to get messy when you several domains/sub-domains and email routing can make it all awfully complex. For a simple home network the O'Reilly book and the man page should be all you need.

I could write up a noddy BIND9, but I suspect that there are several out there already.

However I'll see if I can get round to a BIND9 how-to...

--
"It's Not Magic, It's Work"
Adam

[ Parent | Reply to this comment ]

Posted by Anonymous (196.25.xx.xx) on Thu 2 Feb 2006 at 19:46
You mention at the start that it was a learning exercise. With that in mind, why in your zone definitions did you opt for the (slightly deprecated) "allow-update" rather than the newer and finer grained "update-policy"?

Just wondering really...

[ Parent | Reply to this comment ]

Posted by ajt (84.12.xx.xx) on Thu 2 Feb 2006 at 22:47
[ View Weblogs ]
I tried several things, which didn't work. This does work which why I'm using it, I am however willing to accept that it may be improved.

I've already exchanged emails with the a few people and I plan to improve the article if I can. Any helpful input will be accepted - "patches are welcome".

--
"It's Not Magic, It's Work"
Adam

[ Parent | Reply to this comment ]

Posted by pgquiles (62.15.xx.xx) on Sat 4 Feb 2006 at 18:14
I'm a Debian guy but today I was configuring a CentOS machine and I went crazy about this line in dhcpd.conf:

allow-update { key "rndc-key"; };

It's worth to note in RedHat-based distributions you must write:

allow-update { key "rndckey"; };

(notice the lack of the hyphen)

[ Parent | Reply to this comment ]

Posted by Anonymous (82.70.xx.xx) on Wed 22 Feb 2006 at 11:26
Hey thanks... that was a great article. I've been wondering how to do that for a while now.
One thing I noticed on both debian and Ubuntu:
Ensure that your /etc/bind directory is writable for bind (chown bind:bind /etc/bind). Otherwise you will get an error in your logs telling you that bind is unable to create a journal file. By default the /etc/bind directory is owned by root and is not writable by bind.

Thanks again.

[ Parent | Reply to this comment ]

Posted by Anonymous (84.42.xx.xx) on Sun 23 Apr 2006 at 21:13
Yeah, its very good, thanks. I've had a lot of problems but now its OK, thanks
http://www.make4u.cz

[ Parent | Reply to this comment ]

Posted by Anonymous (88.2.xx.xx) on Tue 15 Apr 2008 at 14:48
"Ensure that your /etc/bind directory is writable for bind"

Don't do that; instead point the dynamically updatable zone files at /var/cache/bind/, which is already writable by bind.

On a side note I'd prefer all dynamic updates going into a subdomain (like dyn.example.com) in order to "sandbox" mistakes or hack attempts from the "main server's" domains.

[ Parent | Reply to this comment ]

Posted by Anonymous (201.248.xx.xx) on Thu 24 Aug 2006 at 03:49
Who is 192.168.0.60? I understand that all is in the box 192.168.1.1

Thanks for your paper.
Later,
MS

[ Parent | Reply to this comment ]

Posted by ajt (204.193.xx.xx) on Thu 24 Aug 2006 at 09:01
[ View Weblogs ]
In this case 192.168.0.1 is my router and 192.168.0.60 is the DNS, NTP DHCP server.

--
"It's Not Magic, It's Work"
Adam

[ Parent | Reply to this comment ]

Posted by Anonymous (82.240.xx.xx) on Tue 29 May 2007 at 10:37
Be sure to "chmod g+w /etc/bind", otherwise bind will not be able to write the journal files.

[ Parent | Reply to this comment ]

Posted by Anonymous (207.27.xx.xx) on Tue 7 Aug 2007 at 06:14
Ditto to the above. I spent hours trying to get DDNS to work on a FreeBSD system; finally I did a 'chown bind /etc/namedb' AND 'chown bind /etc/namedb/master' (FreeBSD uses /etc/namedb instead of /etc/bind, and stores all the zone info in /etc/namedb/master.)

Moral of the story: if things don't seem to be working, make sure bind can write to BOTH the main bind/namedb folder, and to any folders within it.

[ Parent | Reply to this comment ]

Posted by Anonymous (159.162.xx.xx) on Mon 8 Oct 2007 at 09:32
Great article.

I wanted this problem solved the other way around, which means having the client in dns, and using dhcp for giving the ip. With a record in dns, all you need is the client mac, and this in the dhcp server conf:

host hostname {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address hostname.homedomain;
}

This can be mixed with the ordinary dhcp setup which you describe. Why use this setup? Well, you don't allow unknown mac's on your LAN and you don't risk having two clients using the same name (which has happened on a windows system at my work). If you want to move your LAN to another IP - say from 192.168.X.X to 10.10.X.X - you just have a zone file to adjust.
I use this on my linux wlan AP as well, using the mac in firewall rules and in dhcpd.

Regards,

Hans Einar Gautun

[ Parent | Reply to this comment ]

Posted by razametal (200.93.xx.xx) on Fri 27 Jun 2008 at 01:19
I want the same configuration.


How can I update the dns for the fixed address declared under "host machinename" ?

[ Parent | Reply to this comment ]

Posted by Anonymous (194.106.xx.xx) on Sat 3 Nov 2007 at 00:11
Great article! I just did the same on Ubuntu Gutsy Gibbon and it worked like a charm. Thanks a lot for this!

[ Parent | Reply to this comment ]

Posted by Anonymous (194.106.xx.xx) on Sat 3 Nov 2007 at 16:25
If anybody is interested, I just finished writing a step by step procedure of how to set up the DNS and DHCP servers on Ubuntu Gutsy server edition. The DNS stuff was taken from the O'Reilly book and the DHCP stuff from this article. Don't hesitate to comment and point out mistakes. Here is the link:

http://brunogirin.blogspot.com/2007/11/dhcp-and-dynamic-dns-on-ubuntu-server.html

Bruno

[ Parent | Reply to this comment ]

Posted by Anonymous (84.87.xx.xx) on Mon 7 Jan 2008 at 23:49
It took me some time to find out why ddns was not working on my system. Ultimately I found that "ddns-update-style interim" must be declared GLOBALLY in dhcpd.conf. Initially, I had declared it locally within the subnet declaration, but this is NOT adequate: a global definition is required.

[ Parent | Reply to this comment ]

Posted by Anonymous (82.240.xx.xx) on Tue 8 Jan 2008 at 16:24
In dhcpd.conf, you must not enclose the secret key with " ", otherwise you will get weird base64 error messages.

So you have to do like this:

key "mykey" {
algorithm hmac-md5;
secret XXXXXXXXXXX...;
};


[ Parent | Reply to this comment ]

Posted by Anonymous (83.125.xx.xx) on Wed 16 Jul 2008 at 15:25
Thanks for all comments. This helped us a lot, even on OpenBSD (which brought up the same problems :-)

[ Parent | Reply to this comment ]

Posted by Anonymous (201.210.xx.xx) on Wed 23 Nov 2011 at 02:42
hello friends,

i have a problem. I have a server DNS BIND and DHCP. The records are updated dynamically. When i create a static record for example mihost.dominio.com and a workstation gets an ip address through DHCP and the machine has the same fqdn (mihost.dominio.com) the new record is updated and the old static record is rewritten. CAN I PROTECT MY STATIC RECORDS???? I DONT WANT MY STATIC RECORDS TO BE REWRITTEN.

[ Parent | Reply to this comment ]

Posted by ajt (204.193.xx.xx) on Wed 23 Nov 2011 at 08:27
[ View Weblogs ]

If you have your ranges set correctly: non-overlapping, there is no reason why dynamic records should update your static records.

--
"It's Not Magic, It's Work"
Adam

[ Parent | Reply to this comment ]

Posted by deb (82.157.xx.xx) on Sat 24 Nov 2012 at 17:35
Nice tutorial.
I've noticed there are tons of examples on this but none of them seem to work on my environment.
Maybe anyone can enlighten my problem.

What I've got:
Squeeze with dhcp3 (stable) and bind9 on static ip 192.168.2.1.
All work well, other debian servers (having the same domain) in the lan get an ip.
On the dns server i can add A records using nsupdate (also visible in syslog).
However, the dhcp daemon does not issue requests to update my zone (at least I don't see any in syslog, and nslookup on their hostnames fails).

This is my dhcpd.conf configuration:
server-identifier dns.home.i;
ddns-updates on;
ddns-update-style interim;

ddns-domainname "home.i.";
ddns-rev-domainname "in-addr.arpa.";
ignore client-updates;

# This is the key so that DHCP can authenticate it's self to BIND9
include "/etc/bind/rndc.key";

# This is the communication zone
zone home.i. {
primary 127.0.0.1;
key rndc-key;
}

# Normal DHCP stuff
option domain-name "home.i.";
option domain-name-servers 192.168.2.1;
option ntp-servers 192.168.2.1;
option ip-forwarding off;

default-lease-time 600;
max-lease-time 7200;
authoritative;

log-facility local7;

subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.100 192.168.2.200;
option broadcast-address 192.168.2.255;
option routers 192.168.2.1;
allow unknown-clients;

zone 2.168.192.in-addr.arpa. {
primary 192.168.2.1;
key "rndc-key";
}

zone home.i. {
primary 192.168.2.1;
key "rndc-key";
}
}

Been at it for days now and it is breaking my head.
Anyone?

[ Parent | Reply to this comment ]
