Configuring Dynamic DNS & DHCP on Debian Stable
Posted by ajt on Tue 31 Jan 2006 at 08:37
For the average home computer user there is no need to install a complex package such as the Internet Software Consortium's BIND DNS or DHCP server, since there are far simpler lower resource tools to use, for example dnsmasq. For those who you wish to learn how to use ISC's BIND and DHCP, for example as a learning exercise, this is how I got it all to work in Debian Sarge, the current stable version of Debian GNU/Linux.
This short article was prompted by my question on the Debian-Administration forum site, where I was able to get some answers to the issues I faced and I did promise to post a solution if I got one.
Installation of Packages
The version of ISC BIND DNS and DHCP servers installed by default in Debian stable are the older versions, which will not actually work together. If you have either server installed you need to remove it and upgrade to the newer version of each package. The newer versions are available in the Debian stable archive so you do not need a back-port from testing.
[user@box ~]$ sudo aptitude remove bind dhcp [user@box ~]$ sudo aptitude install bind9 dhcp3-server
Let aptitude or apt-get figure out and resolve
any dependencies. You will get a set of basic configuration files and
start scripts all created for you in the usual Debian way.
To set-up DNS you need to set your domain rules as per normal
BIND9 format. BIND9 does have a reputation for being complex
but you can find help in the man pages which are
complete, if very long, and there are good books to help you get
through (see below). Setting up the DHCP server is by comparison
much simpler; set that up as you need.
The hard bit is getting the two to talk to each other, as this is less well documented and the documentation that does exist does contradict itself. It was my difficulties with getting the DHCP server to automatically update the DNS server that lead me ask a question on the D-A.org web site. Though I got no perfect answer, I was able to piece together enough to generate this working solution.
Configuring BIND9
/etc/bind/named.conf
You need to tell BIND that it is okay to allow other applications
to update it. I added the following to my BIND9 configuration,
everything else was left as stock Debian. My DHCP server and
DNS server are on the box, so here I am only allowing localhost
to perform the update. The file rndc-key is a file
containing a shared secret, so that BIND9 knows that it is an
approved application sending instructions.
controls {
inet 127.0.0.1 allow {localhost; } keys { "rndc-key"; };
};
/etc/bind/named.conf.local
Here is my local zone details, suitably modified. Here I let BIND know which domains it can update; in my case I only have one domain to deal with. I am also loading in the shared secret key in at this stage. You can see I am using a private IP address range.
// Add local zone definitions here.
zone "network.athome" {
type master;
file "/etc/bind/db.network";
allow-update { key "rndc-key"; };
notify yes;
};
zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168.0";
allow-update { key "rndc-key"; };
notify yes;
};
include "/etc/bind/rndc.key";
/etc/bind/rndc.key
The secret key is created with a tool. If your DHCP and DNS servers are on separate machines you need to copy the file between them or arrange for one machine to remotely access the file system of the other.
key "rndc-key" {
algorithm hmac-md5;
secret "lgkbhjhtthgtlghtl6567==";
};
db files
Set up your zone databases as normal. You do not need to do anything fancy.
Configuring DHCP3 Server
By default the ISC DHCP3 server shipped in Debian Sarge does not do dynamic DNS update. You simply need to enable it. Below are the options I selected for my system.
/etc/dhcp3/dhcpd.conf
You have to turn on the updating with the
ddns-update-style interim
command. I have client-updates ignore as Windows
machines try to set their FQDN, not just their
hostname, which causes problems. I have included the key so the
two server daemons can trust each other.
# Basic stuff to name the server and switch on updating
server-identifier server;
ddns-updates on;
ddns-update-style interim;
ddns-domainname "network.athome.";
ddns-rev-domainname "in-addr.arpa.";
ignore client-updates;
# This is the key so that DHCP can authenticate it's self to BIND9
include "/etc/bind/rndc.key";
# This is the communication zone
zone network.athome. {
primary 127.0.0.1;
key rndc-key;
}
# Normal DHCP stuff
option domain-name "network.athome.";
option domain-name-servers 192.168.0.60, 192.168.0.1;
option ntp-servers 192.168.0.60;
option ip-forwarding off;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.200;
option broadcast-address 192.168.0.255;
option routers 192.168.0.1;
allow unknown-clients;
zone 0.168.192.in-addr.arpa. {
primary 192.168.0.60;
key "rndc-key";
}
zone localdomain. {
primary 192.168.0.60;
key "rndc-key";
}
}
- Version 1.00 / January 2006
- See the following:
- As ever, many thanks to the many people who have helped, in particular V. E. Kerguelen
One question though:
you write:
/etc/bind/rndc.key
The secret key is created with a tool.
Sorry for missing the obvious part: which tool?
[ Parent | Reply to this comment ]
$ apropos rndc
rndc (8) - name server control utility
rndc-confgen (8) - rndc key generation tool
rndc.conf (5) - rndc configuration file
so I'll guess it's rndc-confgen, then.
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
--
"It's Not Magic, It's Work"
Adam
[ Parent | Reply to this comment ]
I'm sure this question is answered once I get this set up. But what happens with a static ip address i'm assigning through dhcp? Does it get the hostname from the dhcp config and then use that to update dns? Or am I missing the point?
aaron
Through correctness comes ease
-Chiun
-The Destroyer series
[ Parent | Reply to this comment ]
My static machines retain their hostname and fully qualified domain name as they ignore DHCP totally. They have static enteries in my DNS.
My work machine has a work hostname and FQDN. Work's machine is not in my DNS, so it uses DHCP and it retains it's hostname, but is placed in the domain of the DHCP server, not work's. Once it's in my domain, DNS know where it is and I can access it via it's hostname or FQDN.
Does this help?
--
"It's Not Magic, It's Work"
Adam
[ Parent | Reply to this comment ]
what i do is i have all my machines set to get their info thorugh dhcp. Some of these machines i want on fixed ip addresses (various reasons) but I want them getting their information from dhcp, but i want to make sure that it won't hurt anything. The more I think about it, the more it seems like I would just leave my static configurations the way they are, and just new machines (laptops) that come in and out of my network would possibly change ip address. But where does the hostname come from? I'd assume the hostname configured on the client.
For example
machine with a hostname of foo contacts dhcp for the athome.network domain, this then gives it ip address ...100 and then there is a dynamic dns entry for foo.athome.network
aaron
Through correctness comes ease
-Chiun
-The Destroyer series
[ Parent | Reply to this comment ]
I had a few issues that were eventually resolved simply, but were a bit tedious to track down, since "no one is having this problem but me!"
I had setup everything like the article says (i made some typos, but we don't have to cover that) but things weren't working and i couldn't find what I didn't do right.
to debug the problem
I edited /etc/default/bind9 so that options read
OPTIONS="-u bind -g -d 20"
and then restarted bind9 in a window
and in another window i stopped the /etc/init.d/dhcpd3-server and ran the command
dhcpd3 -d -f 2>&1 | tee dhcp3.log
and in another window, i did a
tail -f /var/log/daemon.log
this way, from a test machine, i could renew my lease, and see what happened between the daemons
But everytime i'd try and renew a lease on a test machine, i'd get the message
named[30593]: client 127.0.0.1#49087: request has invalid signature: TSIG rndc-key: tsig verify failure (BADKEY)
so, i looked around for rndc information and came across the rndc-confgen program
running it, it gave me a config for a /etc/rndc.conf file and a new /etc/bind/rndc.key file
i made sure that the /etc/rndc.conf file's key and what was in /etc/bind/rndc.key matched
so, that took care of that message, but then i started getting the messages
named[30901]: db.rdu90.com.jnl: create: permission denied
<mistake>
Ok, so i'm about to make my big mistake here. What happened was, I saw that my /etc/bind directory was owned by smmsp, which had to have been done by the package management system, and so i didn't want to mess with that. So, I figured i'd provde a couple of 0 length .jnl files and chown them to bind. Then it could do what it needed...right?
</mistake>
so, i execute
touch db.mydomain.com.nl
touch db.192.168.1.jnl
and chown them both to bind
at this point i begin seeing the following messages
client 127.0.0.1#49097: updating zone 'your.domain/IN': error: journal open failed: no more
dhcpd dhcpd: Unable to add forward map from
host.yourdomain.com to ##.##.##.##: timed out
/etc/bind/named.conf:59: couldn't install keys for command channel 127.0.0.1#953: permission denied
/etc/bind/named.conf:59: couldn't add command channel 127.0.0.1#953: permission denied
at this point, i figured since the /etc/bind directory was group 'bind', i'd just give the group write permissions (i am loathe to change perms on directories apt controls since this might get changed back during an upgrade)
and everything started working perfectly
this site helped a lot
http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html
that explained to me what the log messages meant
what i'd like to know is if there's someplace else i should have these journal files being written as i don't know if bind should be able to write to that directory
i'm very happy with having this done overall, i've wanted to do it for years actually. thank you for this article.
aaron
Through correctness comes ease
-Chiun
-The Destroyer series
[ Parent | Reply to this comment ]
Not for sounding too lazy, but you wouldn't have a simple Bind9 setup article too? I am writing a script to install a domain controller with Samba, bind, dhcp and squid. Got most of the rest figured out but this bind thingy is giving me the runaround :-(
[ Parent | Reply to this comment ]
BIND is dead easy for a simple network, I've got 6 machines with static addresses, a work notebook on DHCP and a variable number of guests also on DHCP. I have only one server and a handful of aliases for Apache and that's it.
It all starts to get messy when you several domains/sub-domains and email routing can make it all awfully complex. For a simple home network the O'Reilly book and the man page should be all you need.
I could write up a noddy BIND9, but I suspect that there are several out there already.
However I'll see if I can get round to a BIND9 how-to...
--
"It's Not Magic, It's Work"
Adam
[ Parent | Reply to this comment ]
Just wondering really...
[ Parent | Reply to this comment ]
I've already exchanged emails with the a few people and I plan to improve the article if I can. Any helpful input will be accepted - "patches are welcome".
--
"It's Not Magic, It's Work"
Adam
[ Parent | Reply to this comment ]
allow-update { key "rndc-key"; };
It's worth to note in RedHat-based distributions you must write:
allow-update { key "rndckey"; };
(notice the lack of the hyphen)
[ Parent | Reply to this comment ]
One thing I noticed on both debian and Ubuntu:
Ensure that your /etc/bind directory is writable for bind (chown bind:bind /etc/bind). Otherwise you will get an error in your logs telling you that bind is unable to create a journal file. By default the /etc/bind directory is owned by root and is not writable by bind.
Thanks again.
[ Parent | Reply to this comment ]
Don't do that; point instead the dinamically updatable zone files within /var/cache/bind/ which already is writable by bind.
On a side note I'd prefer all dynamic updates going into a subdomain (like dyn.example.com) in order to "sandbox" mistakes or hack attempts from the "main server's" domains.
[ Parent | Reply to this comment ]
Thanks for your paper.
Later,
MS
[ Parent | Reply to this comment ]
--
"It's Not Magic, It's Work"
Adam
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
Moral of the story: if things don't seem to be working, make sure bind can write to BOTH the main bind/namedb folder, and to any folders within it.
[ Parent | Reply to this comment ]
I wanted this problem solved the other way around, wich means have the client in dns, and use dhcp for giving the ip. With a record in dns, all you need is the client mac, and this in dchp server conf:
host hostname {
hardware ethernet XX:XX:XX:XX:XX:XX;
fixed-address hostname.homedomain;
}
This can be mixed with ordinary dhcp setup wich you describe. Why use this setup? Well, you don't allow unknown mac's on your LAN and you don't risk having two clients using the same name (which has happen on a windows system at my work). If you want to move your LAN to another IP - say from 192.168.X.X to 10.10.X.X - you just have a zone file to adjust.
I use this on my linux wlan AP as well, using the mac in firewalls rules and in dchpd.
Regards,
Hans Einar Gautun
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
http://brunogirin.blogspot.com/2007/11/dhcp-and-dynamic-dns-on-ub untu-server.html
Bruno
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
So you have to do like this:
key "mykey" {
algorithm hmac-md5;
secret XXXXXXXXXXX...;
};
[ Parent | Reply to this comment ]