{"id":43,"date":"2023-07-11T21:25:59","date_gmt":"2023-07-11T21:25:59","guid":{"rendered":"http:\/\/thejonas.net\/?page_id=43"},"modified":"2023-07-13T20:32:47","modified_gmt":"2023-07-14T03:32:47","slug":"dns-and-dhcp","status":"publish","type":"page","link":"https:\/\/www.thejonas.net\/?page_id=43","title":{"rendered":"DNS and DHCP"},"content":{"rendered":"\n

DNS DHCP<\/h1>\n\n\n\n

DNS: with Bind9 \/ DHCP \u201cUbuntu 14.04 and *Ubuntu 18.04<\/em> LTS\u201d<\/em><\/strong><\/h1>\n\n\n\n
    \n
  • Domain info<\/li>\n\n\n\n
  • server hostname: dcsrv<\/strong><\/li>\n\n\n\n
  • search-domain abc.lan<\/strong><\/li>\n\n\n\n
  • Domain Realm mydc<\/strong>\u201cfor the next tutorial setting up samba4\u201d<\/em><\/li>\n<\/ul>\n\n\n\n
    Edit host file: nano \/etc\/hosts\/\n127.0.0.1 localhost\n127.0.0.1 dcsrv.adc.lan dcsrv\n10.0.2.99 ns.abc.lan ns\n10.0.2.99 mydc.acb.lan mydc<\/strong><\/pre>\n\n\n\n
     Setup static IP:  \/etc\/network\/interfaces<\/p>\n\n\n\n
    auto eth0\niface eth0 inet static\n   address 10.1.200.3\n   gateway 10.1.200.1\n   netmask 255.255.255.0\n   dns-nameservers  8.8.8.8<\/pre>\n\n\n\n
    Update your system, then reboot.<\/p>\n\n\n\n
    sudo apt-get update\nsudo apt-get dist-upgrade\nsudo reboot\n<\/strong><\/pre>\n\n\n\n
    Install Bind9 and DHCP.<\/p>\n\n\n\n
    sudo apt-get install isc-dhcp-server bind9<\/strong><\/pre>\n\n\n\n
     Configuring DNS<\/h2>\n\n\n\n
    sudo nano \/etc\/bind\/named.conf.options\n<\/strong> \nacl internals {<\/strong><\/em><\/pre>\n\n\n\n
        localhost;\n    localnets;\n};<\/strong><\/em>\n \noptions {\n   directory \"\/var\/cache\/bind\";\n \n   \/\/ If there is a firewall between you and nameservers you want\n   \/\/ to talk to, you may need to fix the firewall to allow multiple\n   \/\/ ports to talk.  See http:\/\/www.kb.cert.org\/vuls\/id\/800113\n \n   \/\/ If your ISP provided one or more IP addresses for stable\n   \/\/ nameservers, you probably want to use them as forwarders.\n   \/\/ Uncomment the following block, and insert the addresses replacing\n   \/\/ the all-0's placeholder.\n \n   forwarders {\n       \/\/ DNS to the internet you could also add the DNS servers from your ISP\n       8.8.8.8;\n   };<\/strong>\n   allow-query {\n      internals;\n   };\n   \/\/ restrict recursion\n   allow-recursion {\n      internals;\n   };\n   allow-transfer {\n      internals;\n   };\n   \/\/========================================================================\n   \/\/ If BIND logs error messages about the root key being expired,\n   \/\/ you will need to update your keys.  See https:\/\/www.isc.org\/bind-keys\n   \/\/========================================================================\n   \/\/ turn off zone encryption. The auto flag still generates warnings in the log file\n   dnssec-enable no;<\/strong>\n   \/\/ dnssec-validation auto;\n \n   listen-on-v6 { any; };\n   auth-nxdomain no;    # conform to RFC1035\n};<\/strong><\/pre>\n\n\n\n
    The installation process creates the crypto file needed when the new DHCP server communicates with the DNS server. The command below creates a file \/etc\/bind\/rndc.key<\/strong> which replaces the file generated by the install process.<\/p>\n\n\n\n
    To view current rndc-key file created during the install:\nnano \/etc\/bind\/rndc.key<\/strong>\nExample of rndc-key below:\n<\/pre>\n\n\n\n
    key \"rndc-key\" {\n  algorithm hmac-md5;\n  secret \"wrhfunsh45k\/wodkqtfhsnv==\";\n};<\/pre>\n\n\n\n
    Recommend to change key using this command:\nsudo<\/strong> \/usr\/sbin\/rndc-confgen -a<\/strong><\/pre>\n\n\n\n
    Set permissions on key to keep it safe.<\/p>\n\n\n\n
    sudo chown root:bind \/etc\/bind\/rndc.key\nsudo chmod 640 \/etc\/bind\/rndc.key<\/strong><\/pre>\n\n\n\n
    Adding DNS Zones<\/h2>\n\n\n\n
    sudo nano \/etc\/bind\/named.conf.local<\/pre>\n\n\n\n
    \/\/\n\/\/ Do any local configuration here\n\/\/\ninclude \"\/etc\/bind\/rndc.key\";\n \nzone \"abc.lan\" {\n     type master;\n     file \"\/var\/lib\/bind\/abc.lan.zone\";\n     allow-update { key rndc-key; };\n};\n \n\nzone \"2.0.10.in-addr.arpa\" {\n     type master;\n     file \"\/var\/lib\/bind\/abc.lan.rev.zone\";\n     allow-update { key rndc-key; };\n};<\/strong>\n \n\/\/ Consider adding the 1918 zones here, if they are not used in your\n\/\/ organization\n\/\/include \"\/etc\/bind\/zones.rfc1918\";<\/pre>\n\n\n\n
    sudo nano \/var\/lib\/bind\/abc.lan.zone<\/strong><\/pre>\n\n\n\n
    $ORIGIN .\n$TTL 907200\t; 1 week 3 days 12 hours\nabc.lan\t\tIN SOA\tns.abc.lan. admin.abc.lan. (\n\t\t\t\t2014071403 ; serial\n\t\t\t\t28800      ; refresh (8 hours)\n\t\t\t\t3600       ; retry (1 hour)\n\t\t\t\t604800     ; expire (1 week)\n\t\t\t\t38400      ; minimum (10 hours 40 minutes)\n\t\t\t\t)\n\t\t\tNS\tns.abc.lan.\n$ORIGIN abc.lan.\nrouter01\t\tA\t10.0.2.1\nns                      A       10.0.2.99\ndnsserver               CNAME   ns\nmydc                    CNAME   ns<\/pre>\n\n\n\n
    Reverse lookup zone:<\/p>\n\n\n\n
    sudo nano \/var\/lib\/bind\/abc.lan.rev.zone<\/strong><\/pre>\n\n\n\n
    $ORIGIN .\n$TTL 907200\t; 1 week 3 days 12 hours\n2.0.10.in-addr.arpa IN SOA\tns.abc.lan. admin.abc.lan. (\n\t\t\t\t2014071402 ; serial\n\t\t\t\t28800      ; refresh (8 hours)\n\t\t\t\t604800     ; retry (1 week)\n\t\t\t\t604800     ; expire (1 week)\n\t\t\t\t86400      ; minimum (1 day)\n\t\t\t\t)\n\t\t\tNS\tns.abc.lan.\n$ORIGIN 2.0.10.in-addr.arpa.\n1\t\t\tPTR\trouter01.abc.lan.\n3                                            <\/strong> PTR     mydc.abc.lan\n3                       PTR     dnsserver.abc.lan\n                        PTR     abc.lan<\/pre>\n\n\n\n
    Change the permissions on the two new zone files that were created.<\/p>\n\n\n\n
    sudo chown root:bind \/var\/lib\/bind\/*zone<\/strong><\/pre>\n\n\n\n
    sudo service bind9 restart<\/strong><\/pre>\n\n\n\n
    DHCP Configuration<\/p>\n\n\n\n
    sudo nano \/etc\/dhcp\/dhcpd.conf\nRemove your current information in the dhcp.conf and add the\ninformation below; then modify to your needs.<\/pre>\n\n\n\n
    ddns-updates on;\nddns-update-style interim;\nupdate-static-leases on;\nauthoritative;\ninclude \"\/etc\/dhcp\/ddns-keys\/rndc.key\";\nallow unknown-clients;\nuse-host-decl-names on;\ndefault-lease-time 86400; #24  hours\nmax-lease-time 86400; #21 hours\nlog-facility local7;\n \n# abd.lan DNS zones\nzone abc.lan.<\/strong> {\n  primary 127.0.0.1; # This server is the primary DNS server for the zone\n  key rndc-key;       # Use the key we defined earlier for dynamic updates\n}<\/em>\nzone 2.0.10.in-addr.arpa. {\n  primary 127.0.0.1; # This server is the primary reverse DNS server for the zone\n  key rndc-key;       # Use the key we defined earlier for dynamic updates\n}<\/em><\/strong>\n \n# abc.lan LAN range\nsubnet 10.0.2.0 netmask 255.255.255.0<\/strong><\/em> {\n  range 10.0.2.100 10.0.2.200;\n  option subnet-mask 255.255.255.0;\n  option routers 10.0.2.1;\n  option domain-name-servers 10.0.2.99;\n  option domain-name \"abc.lan\";\n  ddns-domainname \"abc.lan.\";\n  ddns-rev-domainname \"2.0.10.in-addr.arpa.\";\n<\/strong><\/em>}<\/strong>\n \n<\/pre>\n\n\n\n
    Apply these commands to create some links and set permissions:<\/p>\n\n\n\n
    sudo ln \/etc\/bind\/rndc.key \/etc\/dhcp\/ddns-keys\/rndc.key\nsudo ls -l \/etc\/dhcp\/ddns-keys\/rndc.key\nsudo chown root:bind \/etc\/dhcp\/ddns-keys\/rndc.key<\/strong><\/pre>\n\n\n\n