Linux DHCP Server
Latest revision as of 15:14, 25 February 2016
Errors
interface name too long
dhcpd -t /etc/dhcp/dhcpd.conf
/etc/dhcp/dhcpd.conf: interface name too long (is 20)
This message has nothing to do with your dhcpd.conf file or configuration.
The error is because dhcpd is interpreting the /etc/dhcp/dhcpd.conf as an interface.
The 20 is the character count of "/etc/dhcp/dhcpd.conf" and not the file contents.
Add -cf in front of the path so the file is actually tested, or just run dhcpd -t, which tests the compiled-in default /etc/dhcp/dhcpd.conf.
Correct Syntax
dhcpd -t -cf /etc/dhcp/dhcpd.conf
or
dhcpd -t
DHCP failing to start
Check your messages log:
tail -f /var/log/messages
Mar 14 19:50:49 server dhcpd: No subnet declaration for eth1 (172.16.31.254).
Mar 14 19:50:49 server dhcpd: ** Ignoring requests on eth1. If this is not what
Mar 14 19:50:49 server dhcpd: you want, please write a subnet declaration
Mar 14 19:50:49 server dhcpd: in your dhcpd.conf file for the network segment
Mar 14 19:50:49 server dhcpd: to which interface eth1 is attached. **
Mar 14 19:50:49 server dhcpd:
Mar 14 19:50:49 server dhcpd:
Mar 14 19:50:49 server dhcpd: Not configured to listen on any interfaces!
cat /etc/network/interfaces
# To Router Interface
auto eth1
iface eth1 inet static
    address 172.16.31.254
    netmask 255.255.255.0
    network 172.16.31.0
    broadcast 172.16.31.255
This happens because the interface dhcpd is supposed to listen on does not have its subnet declared in dhcpd.conf. dhcpd only serves interfaces whose network appears in a subnet declaration, and when no interface matches it refuses to start at all.
At the very least declare the subnet, even if you do not plan to hand out leases on it: an empty declaration with no range makes dhcpd listen on that interface without offering any addresses there.
subnet 172.16.31.0 netmask 255.255.255.0 { }
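As an added example (not from the original page), here is a POSIX shell check for the cause of the error above: it reads an /etc/network/interfaces-style file, computes the network of every static interface, and reports any interface that has no matching subnet declaration in a dhcpd.conf, printing the line to add. The interfaces file and dhcpd.conf at the bottom are constructed to reproduce the eth1 case from the log; the function names are mine, and both files are taken as parameters so the check can run against copies before you touch the real configuration.

```shell
#!/bin/sh
# Added example (not from the original page): find interfaces that dhcpd will
# ignore because dhcpd.conf has no subnet declaration covering them.
# Arguments are file paths, so it can run against copies; the sample files at
# the bottom are constructed to reproduce the eth1 case from the log above.

# Network address of IPv4 $1 under dotted-quad netmask $2, e.g.
# net_addr 172.16.31.254 255.255.255.0 -> 172.16.31.0
net_addr() {
    oldifs=$IFS
    IFS=.
    set -- $1 $2            # $1..$4 = address octets, $5..$8 = mask octets
    IFS=$oldifs
    printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}

# Print "name address netmask" for each "iface X inet static" stanza in $1.
static_ifaces() {
    awk '
        $1 == "iface"                                   { name = ""; addr = ""; mask = "" }
        $1 == "iface" && $3 == "inet" && $4 == "static" { name = $2 }
        $1 == "address" && name != ""                   { addr = $2; sub(/\/.*/, "", addr) }
        $1 == "netmask" && name != ""                   { mask = $2 }
        addr != "" && mask != "" { print name, addr, mask; name = ""; addr = ""; mask = "" }
    ' "$1"
}

# For every static interface in $1 (interfaces file) with no matching
# "subnet NET netmask MASK" declaration in $2 (dhcpd.conf), print the
# declaration that would make dhcpd listen there.
missing_subnets() {
    static_ifaces "$1" | while read -r name addr mask; do
        net=$(net_addr "$addr" "$mask")
        enet=$(printf '%s' "$net" | sed 's/\./\\./g')     # escape dots for the regex
        emask=$(printf '%s' "$mask" | sed 's/\./\\./g')
        grep -Eq "^[[:space:]]*subnet[[:space:]]+$enet[[:space:]]+netmask[[:space:]]+$emask([[:space:]]|\{)" "$2" \
            || echo "subnet $net netmask $mask { }   # $name ($addr)"
    done
}

# Return 0 if every static interface is covered, 1 (printing the fix) otherwise.
check_subnets() {
    out=$(missing_subnets "$1" "$2")
    [ -z "$out" ] && return 0
    echo "dhcpd would ignore these interfaces; add to $2:"
    printf '%s\n' "$out"
    return 1
}

# --- demo on constructed files ---
demo=$(mktemp -d)
cat > "$demo/interfaces" <<'EOF'
auto lo
iface lo inet loopback

# To Router Interface
auto eth1
iface eth1 inet static
    address 172.16.31.254
    netmask 255.255.255.0

auto eth0
iface eth0 inet static
    address 192.168.67.1
    netmask 255.255.255.0
EOF
cat > "$demo/dhcpd.conf" <<'EOF'
subnet 192.168.67.0 netmask 255.255.255.0 {
    range 192.168.67.100 192.168.67.200;
}
EOF
check_subnets "$demo/interfaces" "$demo/dhcpd.conf"   # reports eth1, not eth0
rm -rf "$demo"
```

Run it against the live files with check_subnets /etc/network/interfaces /etc/dhcp/dhcpd.conf before restarting dhcpd; a non-zero exit means the daemon would log the "No subnet declaration" warning for the listed interfaces.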
DHCP and DNS server
Provided by SaruWiki from the original author.
apt-get install isc-dhcp-server
Edited /etc/dhcp/dhcpd.conf. Tested the configuration with
dhcpd -t
(do not put anything behind the -t, it’ll get interpreted as an interface name)
Changed the log facility to local7 (log-facility local7; in dhcpd.conf); created empty log files
mkdir /var/log/dhcpd
touch /var/log/dhcpd/dhcpd.err
touch /var/log/dhcpd/dhcpd.info
Redirected local7 to these files in a new log config file /etc/rsyslog.d/local7.conf
local7.err /var/log/dhcpd/dhcpd.err
local7.* -/var/log/dhcpd/dhcpd.info
Can’t remove dhcpd messages from syslogs without editing rsyslog.conf though…
Added local7.none to the line filling syslog, so it becomes
*.*;auth,authpriv,local7.none -/var/log/syslog
Also removing dhcp messages from /var/log/messages in the same way.
Whether that is wise depends on what else reads the main syslog: the lease events (time, IP, MAC, hostname) are exactly what you need to attribute an address to a machine during an incident, so if you split them out, make sure /var/log/dhcpd is rotated, retained and shipped to the same place as /var/log/syslog.
Installed Bind9 using the Debian instructions.
apt-get install bind9 bind9-doc dnsutils
(recommended but not installed: resolvconf, ufw, geoip-bin, rblcheck)
rndc-confgen > /etc/bind/rndc.conf
Copied the key part to ns.amber.lan.key; included that key in named.conf.local with its control statement. Secured the rndc.conf and ns.amber.lan.key files with user root:bind permission 640.
Set the named.conf.options sections for two acls (bogusnets and amberlan), specified interfaces, forwarders/forwarding, permissions based on acls.
Created file db.192.168.67 with the IP numbers/names of the fixed hosts;
created file db.amber.lan with the names/IP numbers of the fixed hosts. Referenced the zones in named.conf.local.
Made the /etc/bind directory writable for bind; made bind:bind the owner of the forward and reverse zone files. (BIND has to write the zone files and their journals for dynamic updates. Debian intends /etc/bind to stay root-owned and provides /var/lib/bind, already writable by bind, for zones the daemon must write; keeping the dynamic zones there avoids letting the daemon write into its own configuration directory.)
To allow the DHCP server to securely update DNS, we'll chdir into /tmp and create a new key:
cd /tmp
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ddns
(HMAC-MD5 is what the original uses. Both BIND and dhcpd also accept hmac-sha256, and on BIND 9.13 and later dnssec-keygen no longer generates HMAC keys at all; there use tsig-keygen -a hmac-sha256 ddns, which prints the finished key stanza directly.)
This creates two files, Kddns.+157+31433.key and Kddns.+157+31433.private (157 is the HMAC-MD5 algorithm number; the key tag, 31433 here, differs on every run). The two files contain different pieces of text but the same base64 secret, and that secret is what we're after. We open one of the files, find the line that starts with “Key:” and copy the complete string that follows. We put it in file ddns.key with the following content:
key DDNS_UPDATE {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "<key>";
};
We install this file to the DHCP and DNS directories using
install -o root -g bind -m 0640 ddns.key /etc/bind/ddns.key
install -o root -g root -m 0640 ddns.key /etc/dhcp/ddns.key
Then remove the created files from /tmp (don’t leave keys like this lying around!)
We tell Bind to allow updates that are signed with this key by including in named.conf.local the line:
include "/etc/bind/ddns.key";
and put two allow-update lines in the forward and reverse zones:
allow-update { amberlan; key DDNS_UPDATE; };
The first term references the “amberlan” ACL, the second one the key. Be aware that an address-match list matches on any of its elements, so this line also accepts unsigned updates from every host in amberlan. If the key is meant to be the only way to change the zone, use allow-update { key DDNS_UPDATE; }; without the ACL (or switch to update-policy to restrict which records the key may touch).
We tell the DHCP daemon to send signed updates on behalf of all its clients: in dhcpd.conf we insert
ddns-updates on;
ddns-update-style interim;
ignore client-updates;
update-static-leases on;
include "/etc/bind/ddns.key";
Note that this includes the /etc/bind copy, which works because dhcpd reads its configuration as root. The copy installed to /etc/dhcp/ddns.key above is the one dhcpd.conf would normally include, so either point the include there or skip installing the second copy.
Furthermore, we have to specify every zone which is to be updated, including the primary nameserver and the key with which to secure the updates:
zone amber.lan. {
    primary 127.0.0.1;
    key DDNS_UPDATE;
}
zone 67.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key DDNS_UPDATE;
}
Check the configs using
named-checkconf /etc/bind/named.conf
dhcpd -t
Dynamic updates appear in the bind directory in journal files (*.jnl). Sync these to the zone files using
rndc sync -clean
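An added example, not part of the original page, that carries out the key steps above as a script: generate the secret, build the key stanza both daemons read, install it 0640 for each of them and clean up, with two checks the page implies but does not script: that neither copy is world-readable, and that BIND and dhcpd hold byte-identical copies. It defaults to hmac-sha256 rather than the page's HMAC-MD5 (both daemons accept it; pass hmac-md5 if you must match an old peer). The function names, the 32-byte secret length, and the use of openssl rand in place of dnssec-keygen or tsig-keygen are my choices; the demo at the end writes into throwaway directories, and run as root with /etc/bind and /etc/dhcp as arguments it installs for real.

```shell
#!/bin/sh
# Added example (not from the original page): provision the TSIG key shared
# by BIND and dhcpd. The secret is never world-readable, both copies are
# installed 0640, and two post-install checks are run. Run as root with
# /etc/bind and /etc/dhcp to install for real; the demo uses throwaway dirs.

# Random base64 secret of $1 bytes (openssl if present, else /dev/urandom).
gen_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 "$1"
    else
        head -c "$1" /dev/urandom | base64 | tr -d '\n'
    fi
}

# Base64 alphabet only, and at least $2 bytes once decoded.
check_secret() {
    secret=$1
    [ -n "$secret" ] || return 1
    [ "$(printf '%s' "$secret" | tr -d 'A-Za-z0-9+/=' | wc -c)" -eq 0 ] || return 1
    pad=$(printf '%s' "$secret" | tr -cd '=' | wc -c)
    [ $(( (${#secret} - $pad) * 3 / 4 )) -ge "$2" ]
}

# The "key" stanza; named.conf and dhcpd.conf both read this syntax.
tsig_key_stanza() {
    printf 'key %s {\n    algorithm %s;\n    secret "%s";\n};\n' "$1" "$2" "$3"
}

# install(1) with the page's 0640 root:<group>; ownership only when root.
install_key() {
    if [ "$(id -u)" -eq 0 ]; then
        install -o root -g "$3" -m 0640 "$1" "$2"
    else
        echo "note: not root, $2 installed 0640 without changing owner/group" >&2
        install -m 0640 "$1" "$2"
    fi
}

# 0 only if $1 is a regular file with no permission bits for "other".
# Parses ls -l so it works with GNU and BSD userland alike.
check_key_perms() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    case $perms in
        -??????---) return 0 ;;
        *) echo "warning: $1 is readable by others ($perms)" >&2; return 1 ;;
    esac
}

# Both daemons must hold byte-identical copies; if they drift, every signed
# update is refused and BIND logs a TSIG verify failure.
check_same_key() {
    cmp -s "$1" "$2"
}

# provision_key NAME ALGORITHM BIND_DIR DHCP_DIR BIND_GROUP
provision_key() {
    secret=$(gen_secret 32)
    check_secret "$secret" 32 || { echo "secret generation failed" >&2; return 1; }
    umask 077                               # private from the first byte, unlike a file in /tmp
    work=$(mktemp -d)
    tsig_key_stanza "$1" "$2" "$secret" > "$work/ddns.key"
    install_key "$work/ddns.key" "$3/ddns.key" "$5" &&
        install_key "$work/ddns.key" "$4/ddns.key" root
    rc=$?
    rm -rf "$work"                          # nothing left behind
    [ "$rc" -eq 0 ] || return 1
    check_key_perms "$3/ddns.key" && check_key_perms "$4/ddns.key" &&
        check_same_key "$3/ddns.key" "$4/ddns.key"
}

# --- demo in throwaway directories ---
demo=$(mktemp -d)
mkdir "$demo/bind" "$demo/dhcp"
provision_key DDNS_UPDATE hmac-sha256 "$demo/bind" "$demo/dhcp" "$(id -gn)" &&
    sed 's/secret ".*"/secret "<redacted>"/' "$demo/bind/ddns.key"
rm -rf "$demo"
```

After a real install, named.conf.local and dhcpd.conf each include their own copy (include "/etc/bind/ddns.key"; and include "/etc/dhcp/ddns.key"; respectively), and check_same_key is the thing to rerun whenever one side is rotated: a mismatch does not fail loudly on the dhcpd side, it just stops updates from landing.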