Jul 232008
 

Sponsored Link

This tutorial will explain Howto setup DHCP Server and Dynamic DNS with BIND in Debian.

Preparing you system

First you need to install DHCP,BIND servers using the following command

#aptitude install dhcp3-server bind9

This will complete the installation.

This is the network configuration of our DHCP/DNS server we are using for our tutorial
Hostname : router.static.example.org
WAN interface (eth0) : 192.168.99.254 mask 255.255.255.0
LAN interface (eth1) : 172.30.200.254 mask 255.255.0.0
Default gateway : 192.168.99.1

First, we need to tell the DHCP server to only run on eth1 you need to edit the /etc/default/dhcp3-server file using the following command

#vi /etc/default/dhcp3-server

enter the following line save and exit file.

INTERFACES="eth1"

Configuring DHCP Server Configuration

/etc/dhcp3/dhcpd.conf :

This is the DHCP server configuration.

When a computer requests network information from the DHCP server, the DHCP will update the DNS zones

-- dyn.example.org : the zone that will map hostnames to IP address
-- 201.30.172.in-addr.arpa : the zone in charge of reverse lookups

ddns-domainname is the domain name that the DHCP server will try to update in the zone. For example if my computer is named mycomputer, it will try to upload the dyn.example.org zone with mycomputer.dyn.example.org.

That option is absolutely needed if you have several domains in the “option domain-name” field (the “search” domains that will be in /etc/resolv.conf), or it could try to add the hostname mycomputer.static.example.org to the dyn.example.org zone.

If you only have one domain in the “option domain-name” field, you can go without ddns-domainname as it will upload the zone with the domain specified there.

ddns-update-style interim;
include "/etc/bind/rndc.key";

zone dyn.example.org. {
primary 127.0.0.1;
key "rndc-key";
}

ddns-domainname "dyn.example.org";
option domain-name "static.example.org dyn.example.org";
option domain-name-servers 172.30.200.254;
option routers 172.30.200.254;
option broadcast-address 172.30.255.255;
option ntp-servers 172.30.200.254;

default-lease-time 86400;
max-lease-time 86400;

authoritative;

log-facility local7;

subnet 172.30.0.0 netmask 255.255.0.0 {

range 172.30.201.10 172.30.201.200;

# DNS zones to update
zone 201.30.172.in-addr.arpa. {
primary 172.30.200.254;
key "rndc-key";
}

zone dyn.example.org. {
primary 172.30.200.254;
key "rndc-key";
}
}

Bind Server Configuration
/etc/bind9/named.conf :

Make sure the file contains the following :

include "/etc/bind/named.conf.local";

You should not change that file, as you will specify your options in two other files.

/etc/bind9/named.conf.options :

Your options.

The zone files will be stored under /var/cache/bind/

The queries for unauthoritative domains will be forwarded to 192.168.99.1. You can put the DNS provided by your ISP there (or put the DNS from opendns.com)

options {
directory "/var/cache/bind";

query-source address * ;

forwarders {
192.168.99.1;
};

recursion yes;

version "REFUSED";

allow-recursion {
127.0.0.1;
192.168.99.0/24;
172.30.0.0/16;
};

allow-query {
127.0.0.1;
192.168.99.0/24;
172.30.0.0/16;
};

};

/etc/bind9/named.conf.local :

This will contain your zone declarations

### options #########

include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

### "static" zones #########

zone "static.example.org" {
type master;
file "db.static.example.org";
};

zone "200.30.172.in-addr.arpa" {
type master;
notify no;
file "db.172.30.200";
};

### dynamic zones (updated by DDNS) #########

zone "dyn.example.org" {
type master;
file "db.dyn.example.org";
allow-update { key "rndc-key"; };
};

zone "201.30.172.in-addr.arpa" {
type master;
notify no;
file "db.172.30.201";
allow-update { key "rndc-key"; };
};

Now let’s focus on DNS zones.

In this example we have several zones :

-- static.example.org : static zone (like servers with static IP’s)
-- dyn.example.org : dynamic zone, updated by DHCP when a computer gets an IP from it
-- 172.30.200 : static zone (servers, etc.), which is not updated by DDNS
-- 172.30.201 : dynamic zone, will contain information about machines using DHCP

My advise to split the static zones from the dynamic zones, DDNS has a tendency to mess up the zone files, which make them barely readable and manageable.

/var/cache/bind/db.172.30.200 :

$ORIGIN .
$TTL 86400	; 1 day
200.30.172.in-addr.arpa	IN SOA	static.example.org. postmaster.example.org. (
200806299  ; serial
28800      ; refresh (8 hours)
7200       ; retry (2 hours)
2419200    ; expire (4 weeks)
86400      ; minimum (1 day)
)
NS	ns.static.example.org.
$ORIGIN 200.30.172.in-addr.arpa.
253			IN PTR	server.static.example.org.
254			IN PTR	router.static.example.org.

/var/cache/bind/db.172.30.201 :

$ORIGIN .
$TTL 86400	; 1 day
201.30.172.in-addr.arpa	IN SOA	static.example.org. postmaster.example.org. (
200806327  ; serial
28800      ; refresh (8 hours)
7200       ; retry (2 hours)
2419200    ; expire (4 weeks)
86400      ; minimum (1 day)
)
NS	ns.static.example.org.
$ORIGIN 201.30.172.in-addr.arpa.

/var/cache/bind/db.static.example.org :

$ORIGIN .
$TTL 86400	; 1 day
static.example.org	IN SOA	ns.static.example.org. postmaster.example.org. (
200806327  ; serial
28800      ; refresh (8 hours)
7200       ; retry (2 hours)
2419200    ; expire (4 weeks)
86400      ; minimum (1 day)
)
NS	ns.static.example.org.
A	172.30.200.254
$ORIGIN static.example.org.
server			A	172.30.200.253
router			A	172.30.200.254
ns			A	172.30.200.254

ntp			CNAME	router.static.example.org.
smtp			CNAME	router.static.example.org.

/var/cache/bind/db.dyn.example.org

$ORIGIN .
$TTL 86400	; 1 day
dyn.example.org		IN SOA	ns.static.example.org. admin.example.org. (
200806341  ; serial
28800      ; refresh (8 hours)
7200       ; retry (2 hours)
2419200    ; expire (4 weeks)
86400      ; minimum (1 day)
)
NS	ns.dyn.example.org.
A	172.30.200.254
$ORIGIN dyn.example.org.

Now, make sure the zones will be writable by the user “bind” and restart the services :

# chown bind. /var/cache/bind/*

# /etc/init.d/bind restart

# /etc/init.d/dhcp3-server restart

On a computer on the network :

As root :

Edit /etc/dhcp3/dhclient.conf and set :
send host-name "mycomputer";

Now request an IP :
# dhclient eth0

Let’s imagine the computer has received the IP 172.30.201.200

You should see on the server’s syslog that the DNS zones have been updated.

-- mycomputer.dyn.example.org is now bound to 172.30.201.200
-- 172.30.201.200 will return mycomputer.dyn.example.org

From your computer, you should be able to verify the zones have been updated properly :

$ nslookup mycomputer
Server:		172.30.200.254
Address:	172.30.200.254#53

Name:	mycomputer.dyn.example.org
Address: 172.30.201.200
$ nslookup 172.30.201.200
Server:		172.30.200.254
Address:	172.30.200.254#53

200.201.30.172.in-addr.arpa	name = mycomputer.dyn.example.org.

You don’t need to type the whole mycomputer.dyn.example.org thing since it will lookup for either :
-- mycomputer.dyn.example.org
-- mycomputer.static.example.org if the previous wasn’t found
-- mycomputer if the previous two were not found

This actually means that if you lookup www.google.com, it would try to resolve www.google.com.dyn.example.org first, then www.google.com.static.example.org, and finally www.google.com

You can avoid those unnecessary lookups by adding a dot to the end of the hostname you are trying to resolve :

# nslookup www.google.com.

This is the purpose of the search domains in /etc/resolv.conf

Sponsored Link

 Posted by at 12:03 am

  19 Responses to “Howto setup DHCP Server and Dynamic DNS with BIND in Debian”

  1. query-source address * port 53;

    you should edit the article ASAP and add that they should remove this line…

    http://www.google.com/search?q=dns+poisoning+kaminsky&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

  2. or edit it, so it gets:
    query-source address *;

  3. @gp

    updated article

  4. dnsmasq is a much simpler solution for admins with small networks. It’s a combined DHCP/DNS server which automatically resolves queries for the hostnames of DHCP clients, has static DHCP/DNS entry support, etc.

    That said, I do have a large network with 2nd and 3rd-level domains and multiple offices, and we use BIND/DHCPD. Thanks for writing this!

  5. No mention of the fact that you need to have DHCP3-Server, not just plain old DHCPD, for this to work.

  6. hi, newbie here. i just installed ubuntu desktop in vmware and i am wondering if this tutorial will work with what i have. pls let me know so i can try it. thanks.

  7. nice tutorial, but i have a problem:
    sudo /etc/init.d/dhcp3-server restart
    sudo /etc/init.d/bind9 restart
    sudo rndc reload
    can’t open /etc/bind/rndc.key: Permission denied

  8. @Pastor_Ni, try logging in as root with
    su
    and then run
    rndc reload.

  9. Nice article. Helps a lot to someone who tries to integrate DHCP and DNS for getting hostnames to dynamic IP addresses

  10. in named.conf.local :
    include “/etc/bind/rndc.key”;
    should be :
    include “/etc/bind/rndc-key”;

    And also /etc/bind9 doesn’t exist, whether you need to create a smylink or use /etc/bind

    However, nice article.

  11. @pastor_ni: you have to make one last minor change to /etc/apparmor.d/usr.sbin.dhcpd3:

    /etc/bind/ rw,
    /etc/bind/** rw,

    This allows access to the rndc-key files.

    http://ubuntuforums.org/showthread.php?t=1198162

  12. Alex Dong

    I change a appamor profile and the error persist after reload apparmor profile, rndc.

    Sugestions?

  13. People

    After make a Alex dong talks, a change de onwer to dhcpd of rndc.key file and dhcp server start.

    tks a lot

  14. Hi buddy, also you can change the file permission with sudo chmod 644 rndc.key

    By yummy man!

  15. Hey all, i’ve been trying to get this working for several weeks without success. I do not know why it’s not working and haven’t found any log information about it. It has occurred to me that this whole process seems redundant to have the dpcp server tell the client to inform the dns server of it’s name. It would seem that it would be simpler to have the dhcp server inform the DNS server of the client hostname and the IP it just assigned. I understand dnsmasq preforms this in it’s function as dpcp/dns server, however I already have a full implementation of Bind9 and dhcp3-server. Is there anyway to configure dhcp3-server to inform Bind9 directly of name/ip assignments?

    I’d also to confirm that the dynamic DNS described in the article should work with windows clients set to “Register this connection’s address in DNS” and not just linux clients.

    thanks for the tutorial and any additional information will be appreciated.
    -Ryan

  16. I finally figured out what was wrong. you need the set the journal file for each of your dns zones in named.conf.local. add the line:
    journal “/var/lib/bind/example.com.jnl”; and it will start working.

    you also need to add the line:
    ddns-rev-domainname “in-addr.arpa.”;
    to your dhcpd.conf in order for it to update your reverse zones

    -Ryan

  17. Great Post, been looking for this for awhile!!

  18. Why, in the dhcpd.conf, you repeat the zone “dyn.example.com” two times (one with the 127.0.0.1 and another with 172.30.200.254)?

  19. The name of the file for telling the DHCP server to only run on eth1 you need to edit is the /etc/default/isc-dhcp-server file using the following command

    #vi /etc/default/isc-dhcp-server

    enter the following line save and exit file.

    INTERFACES=”eth1″

 Leave a Reply

(required)

(required)

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>