DNS DHCP
DNS with Bind9 / DHCP (Ubuntu 14.04 and Ubuntu 18.04 LTS)
- Domain info
- server hostname: dcsrv
- search domain: abc.lan
- domain realm: mydc (for the next tutorial, setting up Samba4)
Edit the hosts file: sudo nano /etc/hosts
127.0.0.1 localhost
127.0.0.1 dcsrv.abc.lan dcsrv
10.0.2.99 ns.abc.lan ns
10.0.2.99 mydc.abc.lan mydc
Set a static IP in /etc/network/interfaces (the rest of this tutorial assumes the server answers on 10.0.2.99, so adjust the address to match your network):
auto eth0
iface eth0 inet static
address 10.1.200.3
gateway 10.1.200.1
netmask 255.255.255.0
dns-nameservers 8.8.8.8
Update your system, then reboot:
sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot
Install Bind9 and the ISC DHCP server:
sudo apt-get install isc-dhcp-server bind9
Configuring DNS
sudo nano /etc/bind/named.conf.options
acl internals {
localhost;
localnets;
};
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
// DNS to the internet you could also add the DNS servers from your ISP
8.8.8.8;
};
allow-query {
internals;
};
// restrict recursion
allow-recursion {
internals;
};
allow-transfer {
internals;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
// turn off DNSSEC for this internal resolver. The "auto" validation flag still generates warnings in the log file
dnssec-enable no;
// dnssec-validation auto;
listen-on-v6 { any; };
auth-nxdomain no; # conform to RFC1035
};
The installation process creates the key file that the DHCP server will later use to authenticate its dynamic updates to the DNS server. The command below creates a new /etc/bind/rndc.key, replacing the file generated by the install process.
To view the rndc-key file created during the install: sudo nano /etc/bind/rndc.key
Example of an rndc-key file:
key "rndc-key" {
algorithm hmac-md5;
secret "wrhfunsh45k/wodkqtfhsnv==";
};
It is recommended to regenerate the key with this command: sudo /usr/sbin/rndc-confgen -a
Set permissions on the key to keep it safe:
sudo chown root:bind /etc/bind/rndc.key
sudo chmod 640 /etc/bind/rndc.key
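The key statement above is the only secret shared between dhcpd and named, so it is worth being able to generate one and to check that a hand-edited key file is sound. The script below is an added example, not code from the tutorial or from BIND: build_key_statement() writes the same `key "name" { algorithm ...; secret "..."; };` block that rndc-confgen -a produces, with a fresh random secret, and check_key_file() parses such a file and reports what would break or weaken the update channel: the legacy hmac-md5 algorithm, a secret that is not canonical base64 (mistyped or truncated), and a secret shorter than 16 bytes. The key name dhcp-update and the sample key texts are constructed for the example.

```python
"""Generate and sanity-check a BIND TSIG key file (added example)."""
import base64
import binascii
import re
import secrets

STRONG_ALGORITHMS = {"hmac-sha256", "hmac-sha384", "hmac-sha512"}
# Matches the statement layout written by rndc-confgen / tsig-keygen.
KEY_RE = re.compile(
    r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]*)"\s*;\s*\}\s*;'
)


def build_key_statement(name="rndc-key", algorithm="hmac-sha256", nbytes=32):
    """Return a named.conf 'key' statement with a random base64 secret."""
    if algorithm not in STRONG_ALGORITHMS:
        raise ValueError(f"refusing to generate a key with {algorithm}")
    secret = base64.b64encode(secrets.token_bytes(nbytes)).decode()
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'


def parse_key_file(text):
    """Extract name, algorithm and secret from the first key statement."""
    match = KEY_RE.search(text)
    if not match:
        raise ValueError("no 'key' statement found")
    name, algorithm, secret = match.groups()
    return {"name": name, "algorithm": algorithm.lower(), "secret": secret}


def check_key_file(text):
    """Return a list of (problem, detail) tuples; empty means the key is usable."""
    findings = []
    try:
        key = parse_key_file(text)
    except ValueError as exc:
        return [("unparseable", str(exc))]
    if key["algorithm"] == "hmac-md5":
        findings.append(("weak_algorithm", key["algorithm"]))
    elif key["algorithm"] not in STRONG_ALGORITHMS:
        findings.append(("unknown_algorithm", key["algorithm"]))
    try:
        raw = base64.b64decode(key["secret"], validate=True)
        # Round trip: a generated secret re-encodes to itself; anything else
        # has a wrong length or padding and was edited by hand.
        if base64.b64encode(raw).decode() != key["secret"]:
            raise binascii.Error("not canonical base64")
    except (binascii.Error, ValueError):
        findings.append(("bad_base64", key["secret"]))
        return findings
    if len(raw) < 16:
        findings.append(("short_secret", len(raw)))
    return findings


if __name__ == "__main__":
    statement = build_key_statement("dhcp-update")  # constructed key name
    print(statement, end="")
    print("findings:", check_key_file(statement) or "none")
```

If you generate a separate key this way, write it to its own file under /etc/dhcp/ddns-keys/ (path chosen for this example), reference that file from both named.conf.local and dhcpd.conf, and leave rndc.key to rndc: the rndc key also authenticates rndc control commands, so giving dhcpd a key of its own keeps a key held by the DHCP server from doing more than zone updates.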
Adding DNS Zones
sudo nano /etc/bind/named.conf.local
//
// Do any local configuration here
//
include "/etc/bind/rndc.key";
zone "abc.lan" {
type master;
file "/var/lib/bind/abc.lan.zone";
allow-update { key rndc-key; };
};
zone "2.0.10.in-addr.arpa" {
type master;
file "/var/lib/bind/abc.lan.rev.zone";
allow-update { key rndc-key; };
};
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
sudo nano /var/lib/bind/abc.lan.zone
$ORIGIN .
$TTL 907200 ; 1 week 3 days 12 hours
abc.lan IN SOA ns.abc.lan. admin.abc.lan. (
2014071403 ; serial
28800 ; refresh (8 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
38400 ; minimum (10 hours 40 minutes)
)
	NS ns.abc.lan.
$ORIGIN abc.lan.
router01 A 10.0.2.1
ns A 10.0.2.99
dnsserver CNAME ns
mydc CNAME ns
Reverse lookup zone:
sudo nano /var/lib/bind/abc.lan.rev.zone
$ORIGIN .
$TTL 907200 ; 1 week 3 days 12 hours
2.0.10.in-addr.arpa IN SOA ns.abc.lan. admin.abc.lan. (
2014071402 ; serial
28800 ; refresh (8 hours)
604800 ; retry (1 week)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
	NS ns.abc.lan.
$ORIGIN 2.0.10.in-addr.arpa.
1 PTR router01.abc.lan.
; 10.0.2.99 is the DNS server (ns); the names end with a dot so $ORIGIN is not appended
99 PTR mydc.abc.lan.
99 PTR dnsserver.abc.lan.
99 PTR abc.lan.
Change the permissions on the two new zone files that were created.
sudo chown root:bind /var/lib/bind/*zone
sudo service bind9 restart
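Hand-written zone files fail in two quiet ways: a name without its trailing dot gets $ORIGIN appended (mydc.abc.lan becomes mydc.abc.lan.2.0.10.in-addr.arpa.), and the forward and reverse zones drift apart. The script below is an added example, not part of the tutorial: a parser for the zone-file subset used above ($ORIGIN, $TTL, SOA with a parenthesised block, NS, A, CNAME, PTR) and a check_zones() function that reports multi-label targets lacking a trailing dot, A records with no PTR, and PTRs that do not point back at a name owning an A record for that address. The two zone texts are constructed samples modelled on the tutorial's zones; the reverse sample deliberately carries a missing dot and a PTR for the wrong address so the checks have something to find.

```python
"""Cross-check a BIND forward zone against its reverse zone (added example)."""

RR_TYPES = {"SOA", "NS", "A", "CNAME", "PTR"}
CLASSES = {"IN", "CH", "HS"}


def _logical_lines(text):
    """Strip ';' comments and fold '( ... )' continuations into one line."""
    lines, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            lines.append(" ".join(buf))
            buf, depth = [], 0
    return lines


def _qualify(name, origin):
    """Append $ORIGIN to a relative name, exactly as BIND does."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text):
    """Return records as dicts: owner, type, rdata, and (for name-valued
    types) the raw target as written plus the fully qualified target."""
    origin, owner, records = ".", None, []
    for line in _logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        # The owner is inherited when the line is indented or starts with a type/class.
        if line[0].isspace() or tokens[0] in RR_TYPES or tokens[0] in CLASSES:
            if owner is None:
                raise ValueError(f"record without an owner: {line.strip()}")
        else:
            owner = _qualify(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():   # optional TTL
            tokens.pop(0)
        if tokens and tokens[0] in CLASSES:  # optional class
            tokens.pop(0)
        rec = {"owner": owner, "type": tokens[0], "rdata": tokens[1:]}
        if rec["type"] in ("SOA", "NS", "CNAME", "PTR"):
            rec["raw_target"] = rec["rdata"][0]
            rec["target"] = _qualify(rec["raw_target"], origin)
        records.append(rec)
    return records


def _ptr_owner_to_ip(name):
    suffix = ".in-addr.arpa."
    if not name.endswith(suffix):
        raise ValueError(f"not an IPv4 reverse name: {name}")
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def check_zones(forward_text, reverse_text):
    """Return a list of finding tuples; an empty list means the zones agree."""
    fwd, rev = parse_zone(forward_text), parse_zone(reverse_text)
    findings = []
    # A multi-label target without a trailing dot is almost always a forgotten
    # dot: BIND silently appends $ORIGIN to it.
    for rec in fwd + rev:
        raw = rec.get("raw_target", "")
        if "." in raw and not raw.endswith("."):
            findings.append(("unqualified", rec["owner"], rec["type"], raw))
    # Every A record needs a PTR, and every PTR must point at a name that owns
    # an A record for that address (RFC 1912 wants the canonical name there,
    # so a PTR aimed at a CNAME alias is reported as dangling too).
    a_by_ip, ptr_by_ip = {}, {}
    for rec in fwd:
        if rec["type"] == "A":
            a_by_ip.setdefault(rec["rdata"][0], set()).add(rec["owner"])
    for rec in rev:
        if rec["type"] == "PTR":
            ptr_by_ip.setdefault(_ptr_owner_to_ip(rec["owner"]), set()).add(rec["target"])
    for ip, names in sorted(a_by_ip.items()):
        if ip not in ptr_by_ip:
            findings.append(("missing_ptr", ip, tuple(sorted(names))))
    for ip, targets in sorted(ptr_by_ip.items()):
        for target in sorted(targets):
            if target not in a_by_ip.get(ip, set()):
                findings.append(("dangling_ptr", ip, target))
    return findings


# Constructed samples modelled on the tutorial. The reverse zone has a PTR
# target without its dot and a PTR for 10.0.2.3, although ns is 10.0.2.99.
FORWARD_ZONE = """\
$ORIGIN .
$TTL 907200
abc.lan IN SOA ns.abc.lan. admin.abc.lan. (
    2014071403 ; serial
    28800 3600 604800 38400 )
    NS ns.abc.lan.
$ORIGIN abc.lan.
router01 A 10.0.2.1
ns A 10.0.2.99
dnsserver CNAME ns
mydc CNAME ns
"""
REVERSE_ZONE = """\
$ORIGIN .
$TTL 907200
2.0.10.in-addr.arpa IN SOA ns.abc.lan. admin.abc.lan. (
    2014071402 28800 604800 604800 86400 )
    NS ns.abc.lan.
$ORIGIN 2.0.10.in-addr.arpa.
1 PTR router01.abc.lan.
3 PTR mydc.abc.lan
"""
REVERSE_ZONE_FIXED = REVERSE_ZONE.replace("3 PTR mydc.abc.lan", "99 PTR ns.abc.lan.")

if __name__ == "__main__":
    for finding in check_zones(FORWARD_ZONE, REVERSE_ZONE):
        print(*finding)
    print("fixed:", check_zones(FORWARD_ZONE, REVERSE_ZONE_FIXED) or "no findings")
```

Run it against the real files (read /var/lib/bind/abc.lan.zone and abc.lan.rev.zone into the two arguments) before the bind9 restart; named-checkzone will catch syntax errors, but it accepts a forgotten trailing dot and a mismatched PTR as perfectly valid records, which is what this check is for.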
DHCP Configuration
sudo nano /etc/dhcp/dhcpd.conf
Remove the current contents of dhcpd.conf and add the configuration below, then modify it to your needs.
ddns-updates on;
ddns-update-style interim;
update-static-leases on;
authoritative;
include "/etc/dhcp/ddns-keys/rndc.key";
allow unknown-clients;
use-host-decl-names on;
default-lease-time 86400; # 24 hours
max-lease-time 86400; # 24 hours
log-facility local7;
# abc.lan DNS zones
zone abc.lan. {
primary 127.0.0.1; # This server is the primary DNS server for the zone
key rndc-key; # Use the key we defined earlier for dynamic updates
}
zone 2.0.10.in-addr.arpa. {
primary 127.0.0.1; # This server is the primary reverse DNS server for the zone
key rndc-key; # Use the key we defined earlier for dynamic updates
}
# abc.lan LAN range
subnet 10.0.2.0 netmask 255.255.255.0 {
range 10.0.2.100 10.0.2.200;
option subnet-mask 255.255.255.0;
option routers 10.0.2.1;
option domain-name-servers 10.0.2.99;
option domain-name "abc.lan";
ddns-domainname "abc.lan.";
ddns-rev-domainname "2.0.10.in-addr.arpa.";
}
Run these commands to link the key into the DHCP key directory and set its permissions:
sudo ln /etc/bind/rndc.key /etc/dhcp/ddns-keys/rndc.key
sudo ls -l /etc/dhcp/ddns-keys/rndc.key
sudo chown root:bind /etc/dhcp/ddns-keys/rndc.key
- Restart the services:
- sudo service bind9 restart
- sudo service isc-dhcp-server restart
Next, let’s build a Samba4 domain controller around the DNS/DHCP server.