Linux DHCP Server
Latest revision as of 15:14, 25 February 2016
Errors
interface name too long
dhcpd -t /etc/dhcp/dhcpd.conf
/etc/dhcp/dhcpd.conf: interface name too long (is 20)
This message has nothing to do with your dhcpd.conf file or configuration.
The error is because dhcpd treats every bare command-line argument as an interface name, so it is interpreting /etc/dhcp/dhcpd.conf as an interface.
The 20 is the character count of "/etc/dhcp/dhcpd.conf" (more than the 15 characters Linux allows for an interface name), not anything in the file contents.
Pass the file with -cf so that the config file is actually tested, or just use dhcpd -t, which tests the default /etc/dhcp/dhcpd.conf.
Correct Syntax
dhcpd -t -cf /etc/dhcp/dhcpd.conf
or
dhcpd -t
DHCP failing to start
Check your messages log:
tail -f /var/log/messages
Mar 14 19:50:49 server dhcpd: No subnet declaration for eth1 (172.16.31.254).
Mar 14 19:50:49 server dhcpd: ** Ignoring requests on eth1. If this is not what
Mar 14 19:50:49 server dhcpd:    you want, please write a subnet declaration
Mar 14 19:50:49 server dhcpd:    in your dhcpd.conf file for the network segment
Mar 14 19:50:49 server dhcpd:    to which interface eth1 is attached. **
Mar 14 19:50:49 server dhcpd:
Mar 14 19:50:49 server dhcpd:
Mar 14 19:50:49 server dhcpd: Not configured to listen on any interfaces!
cat /etc/network/interfaces
# To Router Interface
auto eth1
iface eth1 inet static
    address 172.16.31.254
    netmask 255.255.255.0
    network 172.16.31.0
    broadcast 172.16.31.255
This happens because the interface dhcpd is supposed to listen on does not have its subnet defined in a subnet declaration in dhcpd.conf; dhcpd ignores such interfaces and, when none are left, refuses to start.
At the very least declare the subnet, even if you do not plan on serving DHCP to that particular segment. An empty declaration makes dhcpd listen on the interface without handing out dynamic leases there:
subnet 172.16.31.0 netmask 255.255.255.0 {
}
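The check described above can be automated before restarting dhcpd. The script below is an added example and not part of the original page: it reads an ifupdown-style interfaces file, works out the network of every static IPv4 interface (both "address/netmask" and "address a.b.c.d/NN" forms), and reports the ones that have no matching subnet declaration in dhcpd.conf. The function names and the two constructed sample files are mine; they mirror the eth1 stanza and log lines shown above.

```shell
#!/bin/sh
# Added example, not from the original page: list interfaces that carry a
# static IPv4 address but have no "subnet NET netmask MASK {" declaration in
# dhcpd.conf. dhcpd ignores such interfaces and, if none remain, exits with
# "Not configured to listen on any interfaces!" as in the log above.

# Dotted quad -> integer (no validation; input comes from our own config files).
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> dotted netmask, for "address a.b.c.d/NN" stanzas.
prefix2mask() {
    int2ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Print "iface network netmask" for every "iface X inet static" stanza.
static_networks() {   # static_networks INTERFACES_FILE
    awk '
        /^[[:space:]]*iface[[:space:]]/ { cur = ($3 == "inet" && $4 == "static") ? $2 : "" }
        cur != "" && $1 == "address"   { addr[cur] = $2 }
        cur != "" && $1 == "netmask"   { mask[cur] = $2 }
        END { for (i in addr) print i, addr[i], ((i in mask) ? mask[i] : "-") }
    ' "$1" | while read -r iface addr mask; do
        case $addr in
            */*) mask=$(prefix2mask "${addr#*/}"); addr=${addr%/*} ;;
        esac
        if [ "$mask" = "-" ]; then continue; fi      # no usable netmask: skip
        net=$(int2ip $(( $(ip2int "$addr") & $(ip2int "$mask") )))
        echo "$iface $net $mask"
    done
}

# Print interfaces whose network has no subnet declaration in dhcpd.conf.
missing_subnets() {   # missing_subnets INTERFACES_FILE DHCPD_CONF
    static_networks "$1" | while read -r iface net mask; do
        n=$(printf '%s' "$net" | sed 's/\./\\./g')     # escape dots for grep -E
        m=$(printf '%s' "$mask" | sed 's/\./\\./g')
        grep -Eq "^[[:space:]]*subnet[[:space:]]+$n[[:space:]]+netmask[[:space:]]+$m([[:space:]]|[{])" "$2" \
            || echo "$iface $net $mask"
    done
}

# Constructed sample input modelled on the page: eth1 as in the log above and
# a dhcpd.conf that only declares the 192.168.67.0/24 network.
TMP=$(mktemp -d)
cat > "$TMP/interfaces" <<'EOF'
auto lo
iface lo inet loopback

# To Router Interface
auto eth1
iface eth1 inet static
    address 172.16.31.254
    netmask 255.255.255.0
    network 172.16.31.0
    broadcast 172.16.31.255

auto eth0
iface eth0 inet static
    address 192.168.67.1/24
EOF
cat > "$TMP/dhcpd.conf" <<'EOF'
ddns-update-style interim;
subnet 192.168.67.0 netmask 255.255.255.0 {
    range 192.168.67.100 192.168.67.200;
}
EOF

missing_subnets "$TMP/interfaces" "$TMP/dhcpd.conf"
# prints: eth1 172.16.31.0 255.255.255.0
```

Each line printed is an interface that will trigger the "No subnet declaration" message; add an empty subnet block for it (as above) or stop dhcpd from binding to that interface (on Debian, INTERFACES in /etc/default/isc-dhcp-server) before restarting.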
DHCP and DNS server
Provided by SaruWiki (https://www.saruman.biz/saruwiki/index.php/Main_Page) from the original author.
apt-get install isc-dhcp-server
Edited /etc/dhcp/dhcpd.conf. Tested the configuration with
dhcpd -t
(do not put anything behind the -t, it'll get interpreted as an interface name; use -cf FILE if you need to test a file other than the default)
Changed the log facility to local7 (log-facility local7; in dhcpd.conf); created empty log files
mkdir /var/log/dhcpd
touch /var/log/dhcpd/dhcpd.err
touch /var/log/dhcpd/dhcpd.info
Redirected local7 to these files in new log config file /etc/rsyslog.d/local7.conf
local7.err    /var/log/dhcpd/dhcpd.err
local7.*      -/var/log/dhcpd/dhcpd.info
Can’t remove dhcpd messages from syslogs without editing rsyslog.conf though…
Added local7.none to the line filling syslog, so it becomes
*.*;auth,authpriv,local7.none -/var/log/syslog
Also removing dhcp-messages from /var/log/messages in the same way
(is this smart??)
Installed Bind9 using the Debian instructions.
apt-get install bind9 bind9-doc dnsutils
(recommended but not installed: resolvconf, ufw, geoip-bin, rblcheck)
rndc-confgen > /etc/bind/rndc.conf
Copied the key part to ns.amber.lan.key; included that key in named.conf.local with its control statement. Secured the rndc.conf and ns.amber.lan.key files with user root:bind permission 640.
Set the named.conf.options sections for two acls (bogusnets and amberlan), specified interfaces, forwarders/forwarding, permissions based on acls.
Created file db.192.168.67 with the IP numbers/names of the fixed hosts;
created file db.amber.lan with the names/IP numbers of the fixed hosts. Referenced the zones in named.conf.local.
Made the /etc/bind directory writable for bind; made bind:bind the owner of the forward and reverse zone files. (On Debian and Ubuntu with AppArmor enabled, the named profile only allows reads under /etc/bind and expects dynamically updated zones under /var/lib/bind, which is already writable for bind; putting the two zone files there instead avoids loosening /etc/bind.)
To allow the DHCP server to securely update DNS, we'll chdir into /tmp and create a new key:
cd /tmp
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ddns
This creates two files, Kddns.+157+31433.key and Kddns.+157+31433.private. The two files contain different pieces of text, but the same HMAC-MD5 secret, which is what we're after. We open one of the files, find the line that starts with "Key:" and copy the complete string that follows. We put it in file ddns.key with the following content:
key DDNS_UPDATE {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "<key>";
};
Note that HMAC-MD5 is obsolete and BIND 9.13 and later no longer generate HMAC keys with dnssec-keygen. On a current system run tsig-keygen -a hmac-sha256 DDNS_UPDATE instead; it prints a ready-made key clause, and both named and dhcpd accept algorithm hmac-sha256; in ddns.key.
We install this file to the DHCP and DNS directories using
install -o root -g bind -m 0640 ddns.key /etc/bind/ddns.key
install -o root -g root -m 0640 ddns.key /etc/dhcp/ddns.key
Then remove the created files, including the ddns.key working copy, from /tmp (don't leave keys like this lying around!)
We tell Bind to allow updates that are signed with this key by including in named.conf.local the line:
include "/etc/bind/ddns.key";
and put two allow-update lines in the forward and reverse zones:
allow-update { amberlan; key DDNS_UPDATE; };
The first term references the "amberlan" ACL, the second one the key. Be aware that an address match list grants on the first matching element, so with the ACL in the list any host whose address is in amberlan can push unsigned updates and the key buys nothing for those hosts. If only dhcpd (and you, with the key) should change these zones, use allow-update { key DDNS_UPDATE; }; and leave the ACL out.
We tell the DHCP daemon to send signed updates on behalf of all its clients: in dhcpd.conf we insert
ddns-updates on;
ddns-update-style interim;
ignore client-updates;
update-static-leases on;
include "/etc/dhcp/ddns.key";
(ISC DHCP 4.3 and later also accept ddns-update-style standard;, the newer style; interim still works. The include must point at the copy in /etc/dhcp, since dhcpd runs as root:root and cannot read the root:bind file in /etc/bind.)
Furthermore, we have to specify every zone which is to be updated, including the primary nameserver and the key with which to secure the updates:
zone amber.lan. {
    primary 127.0.0.1;
    key DDNS_UPDATE;
}
zone 67.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key DDNS_UPDATE;
}
Check the configs using
named-checkconf /etc/bind/named.conf
dhcpd -t
Dynamic updates appear in the bind directory in journal files (*.jnl). Sync these to the zone files using
rndc sync -clean
If you ever edit a dynamically updated zone file by hand, run rndc freeze <zone> first and rndc thaw <zone> afterwards, otherwise the journal and the file diverge and named refuses to load the zone.
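Two parts of the DDNS setup above are worth scripting: producing the key file in the shape tsig-keygen prints, but with hmac-sha256 instead of HMAC-MD5, and checking named.conf for allow-update lists that would accept an unsigned update. The script below is an added example, not code from the original page or from SaruWiki. The key name DDNS_UPDATE, the zone names and the amberlan ACL are the page's; the helper names and the constructed named.conf fragment are mine, and the secret comes from /dev/urandom so the script runs without BIND installed.

```shell
#!/bin/sh
# Added example, not from the original page or SaruWiki.
# make_tsig_key prints a key clause in the format that tsig-keygen emits,
# using hmac-sha256; audit_allow_update lists every zone whose allow-update
# list contains something other than "key NAME" (or "none"), i.e. a zone
# that accepts updates that are not TSIG-signed.

# make_tsig_key NAME: 256-bit secret, base64 encoded, in the key clause shape
# that both named.conf and dhcpd.conf accept.
make_tsig_key() {
    secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    printf 'key %s {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' "$1" "$secret"
}

# audit_allow_update NAMED_CONF: print "zone: ..." for each allow-update
# member that is not a key. Address match lists grant on the first matching
# element, so an address, an ACL name or "any" lets the hosts it matches push
# unsigned updates and the key is bypassed for them. update-policy statements
# are not examined here; allow-update-forwarding is deliberately ignored.
audit_allow_update() {
    awk '
        /^[[:space:]]*zone[[:space:]]+"/ {
            match($0, /"[^"]+"/); zone = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /allow-update[[:space:]]*[{]/ {
            list = $0
            sub(/.*allow-update[[:space:]]*[{]/, "", list)   # keep the {...} body
            sub(/[}].*/, "", list)
            n = split(list, el, ";")
            for (i = 1; i <= n; i++) {
                e = el[i]
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", e)
                gsub("\"", "", e)                            # key "NAME" == key NAME
                if (e == "" || e == "none" || e ~ /^key[[:space:]]+[A-Za-z0-9_.-]+$/) continue
                printf "%s: allow-update accepts unsigned updates from %s\n", zone, e
            }
        }
    ' "$1"
}

# Constructed named.conf fragment mirroring the page's amber.lan setup: the
# forward zone carries the page's "amberlan; key DDNS_UPDATE;" list, the
# reverse zone the key-only form recommended above.
TMP=$(mktemp -d)
cat > "$TMP/named.conf" <<'EOF'
acl amberlan { 192.168.67.0/24; 127.0.0.1; };
include "/etc/bind/ddns.key";
zone "amber.lan" {
    type master;
    file "/var/lib/bind/db.amber.lan";
    allow-update { amberlan; key DDNS_UPDATE; };
};
zone "67.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.192.168.67";
    allow-update { key DDNS_UPDATE; };
};
EOF

make_tsig_key DDNS_UPDATE > "$TMP/ddns.key"   # install to /etc/bind and /etc/dhcp as on the page
audit_allow_update "$TMP/named.conf"
# prints: amber.lan: allow-update accepts unsigned updates from amberlan
```

Run the audit against the real /etc/bind/named.conf (named-checkconf -p prints the fully resolved configuration, includes and all, and is a convenient input); an empty result means every dynamic zone requires a TSIG signature.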