Linux DHCP Server: Difference between revisions

From Braindisconnect
Latest revision as of 16:14, 25 February 2016

Errors

interface name too long

dhcpd -t /etc/dhcp/dhcpd.conf
 /etc/dhcp/dhcpd.conf: interface name too long (is 20)

This message has nothing to do with your dhcpd.conf file or its contents: dhcpd interprets the argument /etc/dhcp/dhcpd.conf as an interface name, and the 20 is the length of the string "/etc/dhcp/dhcpd.conf", not anything read from the file.

Add the -cf option so that the config file is actually tested, or just use dhcpd -t.

Correct Syntax

dhcpd -t -cf /etc/dhcp/dhcpd.conf

or

dhcpd -t


DHCP failing to start

Check your messages log:

tail -f /var/log/messages
 Mar 14 19:50:49 server dhcpd: No subnet declaration for eth1 (172.16.31.254).
 Mar 14 19:50:49 server dhcpd: ** Ignoring requests on eth1.  If this is not what
 Mar 14 19:50:49 server dhcpd:    you want, please write a subnet declaration
 Mar 14 19:50:49 server dhcpd:    in your dhcpd.conf file for the network segment
 Mar 14 19:50:49 server dhcpd:    to which interface eth1 is attached. **
 Mar 14 19:50:49 server dhcpd: 
 Mar 14 19:50:49 server dhcpd: 
 Mar 14 19:50:49 server dhcpd: Not configured to listen on any interfaces!

cat /etc/network/interfaces

~
# To Router Interface
auto eth1
iface eth1 inet static
       address 172.16.31.254
       netmask 255.255.255.0
       network 172.16.31.0
       broadcast 172.16.31.255

This issue arises because the interface dhcpd is set to listen on does not have its subnet defined in a subnet declaration in dhcpd.conf.

At the very least, declare the subnet even if you do not plan to serve DHCP on that particular subnet.

subnet 172.16.31.0 netmask 255.255.255.0 {
}

DHCP and DNS server

Provided by SaruWiki from the original author.

apt-get install isc-dhcp-server

Edited /etc/dhcp/dhcpd.conf. Tested the configuration with

dhcpd -t

(do not put anything behind the -t, it’ll get interpreted as an interface name)

Changed the log facility to local7; created empty log files

mkdir /var/log/dhcpd
touch /var/log/dhcpd/dhcpd.err
touch /var/log/dhcpd/dhcpd.info

Redirected local7 to these files in new log config file /etc/rsyslog.d/local7.conf

local7.err /var/log/dhcpd/dhcpd.err
local7.* -/var/log/dhcpd/dhcpd.info

Can’t remove dhcpd messages from syslogs without editing rsyslog.conf though…

Added local7.none to the line filling syslog, so it becomes

*.*;auth,authpriv,local7.none -/var/log/syslog

Also removing dhcp-messages from /var/log/messages in the same way

(is this smart??)


Installed Bind9 using the Debian instructions.

apt-get install bind9 bind9-doc dnsutils

(recommended but not installed: resolvconf, ufw, geoip-bin, rblcheck)


rndc-confgen > /etc/bind/rndc.conf

Copied the key part to ns.amber.lan.key; included that key in named.conf.local with its control statement. Secured the rndc.conf and ns.amber.lan.key files with user root:bind permission 640.


Set the named.conf.options sections for two acls (bogusnets and amberlan), specified interfaces, forwarders/forwarding, permissions based on acls.

Created file db.192.168.67 with the IP numbers/names of the fixed hosts;

created file db.amber.lan with the names/IP numbers of the fixed hosts. Referenced the zones in named.conf.local.

Made the /etc/bind directory writable for bind; made bind:bind the owner of the forward and reverse zone files.


To allow the DHCP server to securely update DNS, we’ll chdir into /tmp and create a new key:

cd /tmp
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ddns

This creates two files, Kddns.+157+31433.key and Kddns.+157+31433.private. The two files contain different pieces of text, but the same MD5 key – that’s what we’re after. We open one of the files, find the line that starts with “Key:” and copy the complete string that follows. We put it in file ddns.key with the following content:

key DDNS_UPDATE {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "<key>";
};


We install this file to the DHCP and DNS directories using

install -o root -g bind -m 0640 ddns.key /etc/bind/ddns.key
install -o root -g root -m 0640 ddns.key /etc/dhcp/ddns.key

Then remove the created files from /tmp (don’t leave keys like this lying around!)
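The extract, write, install and clean-up steps above, wrapped into checked shell functions. This is an added example, not code from the SaruWiki page; it assumes dnssec-keygen's .private file layout (the secret on a line starting with "Key:"), and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original page: the extract / write / install /
# clean-up steps for ddns.key as checked shell functions. Assumes dnssec-keygen's
# .private file layout (secret on a line starting "Key:"); function names are mine.

# Pull the base64 secret out of K*.private and verify it decodes to the expected
# byte count (the page's -b 512 gives 64 bytes), so a truncated copy is caught early.
extract_secret() {  # $1 = path to Kddns.+157+NNNNN.private, $2 = expected bytes
    secret=$(sed -n 's/^Key:[[:space:]]*//p' "$1")
    [ -n "$secret" ] || { echo "no Key: line in $1" >&2; return 1; }
    n=$(printf '%s' "$secret" | base64 -d 2>/dev/null | wc -c)
    [ "$((n))" -eq "$2" ] || { echo "secret decodes to $((n)) bytes, want $2" >&2; return 1; }
    printf '%s\n' "$secret"
}

# Write the key block under a private umask so it is never world-readable, not even
# before install(1) applies the final mode. HMAC-MD5 is kept because the page uses
# it; current BIND releases also accept hmac-sha256 for TSIG.
write_key_file() {  # $1 = secret, $2 = output path
    ( umask 077
      printf 'key DDNS_UPDATE {\n    algorithm HMAC-MD5.SIG-ALG.REG.INT;\n    secret "%s";\n};\n' \
          "$1" > "$2" )
}

# Install with mode 0640; ownership (root:bind for BIND, root:root for DHCP on the
# page) is only applied when running as root and the group exists.
install_key_file() {  # $1 = ddns.key, $2 = destination directory, $3 = group
    if [ "$(id -u)" -eq 0 ] && grep -q "^$3:" /etc/group; then
        install -o root -g "$3" -m 0640 "$1" "$2/ddns.key"
    else
        install -m 0640 "$1" "$2/ddns.key"
    fi
}

# The whole procedure: extract, write, install to both directories, then remove the
# scratch copies so no key material is left in /tmp.
deploy_ddns_key() {  # $1 = K*.private, $2 = bind dir, $3 = dhcp dir, $4 = scratch ddns.key
    secret=$(extract_secret "$1" 64) || return 1
    write_key_file "$secret" "$4" || return 1
    install_key_file "$4" "$2" bind || return 1
    install_key_file "$4" "$3" root || return 1
    rm -f "$4" "$1" "${1%.private}.key"
}
```

On the page's host the call is deploy_ddns_key /tmp/Kddns.+157+31433.private /etc/bind /etc/dhcp /tmp/ddns.key, run as root.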


We tell Bind to allow updates that are signed with this key by including in named.conf.local the line:

include "/etc/bind/ddns.key";

and put two allow-update lines in the forward and reverse zones:

allow-update { amberlan; key DDNS_UPDATE; };

The first term references the “amberlan” ACL, the second one the key.


We tell the DHCP daemon to send signed updates on behalf of all its clients: in dhcpd.conf we insert

ddns-updates on;
ddns-update-style interim;
ignore client-updates;
update-static-leases on;
include "/etc/bind/ddns.key";

Furthermore, we have to specify every zone which is to be updated, including the primary nameserver and the key with which to secure the updates:

zone amber.lan. {
     primary 127.0.0.1;
     key DDNS_UPDATE;
}
zone 67.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key DDNS_UPDATE;
}


Check the configs using

named-checkconf /etc/bind/named.conf
dhcpd -t


Dynamic updates appear in the bind directory in journal files (*.jnl). Sync these to the zone files using

rndc sync -clean