Linux DHCP Server

From Braindisconnect
Revision as of 15:14, 25 February 2016 by Jbutler (talk | contribs) (→‎DHCP and DNS server)

Errors

interface name too long

dhcpd -t /etc/dhcp/dhcpd.conf
 /etc/dhcp/dhcpd.conf: interface name too long (is 20)

This message has nothing to do with your dhcpd.conf file or configuration.
The error is because dhcpd is interpreting the /etc/dhcp/dhcpd.conf as an interface.
The 20 is the character count of "/etc/dhcp/dhcpd.conf" and not the file contents.

Add -cf before the path so that the config file is actually the one being tested, or just run dhcpd -t on its own.

Correct Syntax

dhcpd -t -cf /etc/dhcp/dhcpd.conf

or

dhcpd -t


DHCP failing to start

Check your messages log:

tail -f /var/log/messages
 Mar 14 19:50:49 server dhcpd: No subnet declaration for eth1 (172.16.31.254).
 Mar 14 19:50:49 server dhcpd: ** Ignoring requests on eth1.  If this is not what
 Mar 14 19:50:49 server dhcpd:    you want, please write a subnet declaration
 Mar 14 19:50:49 server dhcpd:    in your dhcpd.conf file for the network segment
 Mar 14 19:50:49 server dhcpd:    to which interface eth1 is attached. **
 Mar 14 19:50:49 server dhcpd: 
 Mar 14 19:50:49 server dhcpd: 
 Mar 14 19:50:49 server dhcpd: Not configured to listen on any interfaces!

cat /etc/network/interfaces

# To Router Interface
auto eth1
iface eth1 inet static
       address 172.16.31.254
       netmask 255.255.255.0
       network 172.16.31.0
       broadcast 172.16.31.255

This happens because the interface dhcpd is listening on has no subnet declaration in dhcpd.conf matching its network.

At the very least declare the subnet even if you do not plan on serving DHCP to that particular subnet.

subnet 172.16.31.0 netmask 255.255.255.0 {
}
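As an added example, not taken from the wiki page, the following Python script performs the same check dhcpd makes when it logs "No subnet declaration": it takes the server's interface addresses and the text of dhcpd.conf, works out which interface networks have no matching subnet declaration (commented-out blocks are ignored), and prints the minimal empty declaration recommended above for each one. The interface table and the dhcpd.conf fragment are constructed sample data; on a live system you would fill the table from the output of ip -o -4 addr and read /etc/dhcp/dhcpd.conf.

```python
import ipaddress
import re

# Constructed sample (not real output): interface -> address/prefix as `ip -o -4 addr` would report it.
SAMPLE_INTERFACES = {
    "eth0": "192.168.67.254/24",
    "eth1": "172.16.31.254/24",
}

# Constructed dhcpd.conf fragment that declares only the first subnet.
SAMPLE_DHCPD_CONF = """\
# lease defaults
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.67.0 netmask 255.255.255.0 {
    range 192.168.67.100 192.168.67.200;
    option routers 192.168.67.254;
}
"""

SUBNET_RE = re.compile(
    r"^\s*subnet\s+(\d+\.\d+\.\d+\.\d+)\s+netmask\s+(\d+\.\d+\.\d+\.\d+)\s*\{",
    re.MULTILINE,
)


def strip_comments(text):
    """Drop '#' comments so a commented-out subnet block is not counted as declared."""
    return re.sub(r"#.*", "", text)


def declared_subnets(conf_text):
    """All networks with a 'subnet X netmask Y {' declaration in dhcpd.conf."""
    return {
        ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for addr, mask in SUBNET_RE.findall(strip_comments(conf_text))
    }


def undeclared_interfaces(interfaces, conf_text):
    """Interfaces whose network has no declaration; dhcpd ignores them and, if none remain, refuses to start."""
    declared = declared_subnets(conf_text)
    return {
        name: ipaddress.ip_interface(cidr).network
        for name, cidr in interfaces.items()
        if ipaddress.ip_interface(cidr).network not in declared
    }


def empty_declaration(network):
    """The minimal declaration the page recommends: declare the subnet without serving leases on it."""
    net = ipaddress.ip_network(str(network), strict=False)
    return f"subnet {net.network_address} netmask {net.netmask} {{\n}}\n"


def report(interfaces=SAMPLE_INTERFACES, conf_text=SAMPLE_DHCPD_CONF):
    """One message per undeclared interface, mirroring dhcpd's 'No subnet declaration for ...' log line."""
    return [
        f"No subnet declaration for {name} ({net}); add at least:\n{empty_declaration(net)}"
        for name, net in sorted(undeclared_interfaces(interfaces, conf_text).items())
    ]


if __name__ == "__main__":
    print("\n".join(report()) or "every interface has a subnet declaration")
```

Run as-is it reports eth1 and prints the empty subnet block for 172.16.31.0/24; appending that block to the sample configuration makes the report empty, which is the state in which dhcpd starts.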

DHCP and DNS server

Provided by SaruWiki from the original author.

apt-get install isc-dhcp-server

Edited /etc/dhcp/dhcpd.conf. Tested the configuration with

dhcpd -t

(do not put anything behind the -t, it’ll get interpreted as an interface name)

Changed the log facility to local7; created empty log files

mkdir /var/log/dhcpd
touch /var/log/dhcpd/dhcpd.err
touch /var/log/dhcpd/dhcpd.info

Redirected local7 to these files in new log config file /etc/rsyslog.d/local7.conf

local7.err /var/log/dhcpd/dhcpd.err
local7.* -/var/log/dhcpd/dhcpd.info

Can’t remove dhcpd messages from syslogs without editing rsyslog.conf though…

Added local7.none to the line filling syslog, so it becomes

*.*;auth,authpriv,local7.none -/var/log/syslog

Also removing dhcp-messages from /var/log/messages in the same way

(is this smart??)


Installed Bind9 using the Debian instructions.

apt-get install bind9 bind9-doc dnsutils

(recommended but not installed: resolvconf, ufw, geoip-bin, rblcheck)


rndc-confgen > /etc/bind/rndc.conf

Copied the key part to ns.amber.lan.key; included that key in named.conf.local with its control statement. Secured the rndc.conf and ns.amber.lan.key files with user root:bind permission 640.


Set the named.conf.options sections for two acls (bogusnets and amberlan), specified interfaces, forwarders/forwarding, permissions based on acls.

Created file db.192.168.67 with the IP numbers/names of the fixed hosts;

created file db.amber.lan with the names/IP numbers of the fixed hosts. Referenced the zones in named.conf.local.

Made the /etc/bind directory writable for bind; made bind:bind the owner of the forward and reverse zone files.


To allow the DHCP server to securely update DNS, we'll chdir into /tmp and create a new key:

cd /tmp
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST ddns

This creates two files, Kddns.+157+31433.key and Kddns.+157+31433.private. The two files contain different pieces of text, but the same HMAC-MD5 secret – that's what we're after. We open one of the files, find the line that starts with "Key:" and copy the complete string that follows. We put it in a file ddns.key with the following content:

key DDNS_UPDATE {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "<key>";
};


We install this file to the DHCP and DNS directories using

install -o root -g bind -m 0640 ddns.key /etc/bind/ddns.key
install -o root -g root -m 0640 ddns.key /etc/dhcp/ddns.key

Then remove the created files from /tmp (don’t leave keys like this lying around!)


We tell Bind to allow updates that are signed with this key by including in named.conf.local the line:

include "/etc/bind/ddns.key";

and put two allow-update lines in the forward and reverse zones:

allow-update { amberlan; key DDNS_UPDATE; };

The first term references the “amberlan” ACL, the second one the key.


We tell the DHCP daemon to send signed updates on behalf of all its clients: in dhcpd.conf we insert

ddns-updates on;
ddns-update-style interim;
ignore client-updates;
update-static-leases on;
include "/etc/bind/ddns.key";

Furthermore, we have to specify every zone which is to be updated, including the primary nameserver and the key with which to secure the updates:

zone amber.lan. {
    primary 127.0.0.1;
    key DDNS_UPDATE;
}
zone 67.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key DDNS_UPDATE;
}
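The key, zone and permission steps above, as one added Python example that is not part of the page or of ISC's tools: it generates a TSIG secret of the same size as the page's dnssec-keygen -b 512 call, renders the shared key stanza that both named.conf.local and dhcpd.conf include, derives the reverse zone name from the LAN prefix, renders the matching allow-update zone statement for named and the zone statement for dhcpd from one zone list, and writes every file with mode 0640 from the moment it is created, as the install -m 0640 lines do. The algorithm defaults to hmac-sha256, which is what BIND's tsig-keygen emits today and which both named and dhcpd accept; pass algorithm="HMAC-MD5.SIG-ALG.REG.INT" to reproduce the page's file exactly. The names amber.lan, 192.168.67.0/24, amberlan and DDNS_UPDATE come from the page; write_example_tree and the temporary directory it writes into are assumptions so the example runs offline instead of touching /etc.

```python
import base64
import ipaddress
import os
import re
import secrets
import tempfile

# Names taken from the page; the zone list below is constructed for the example.
KEY_NAME = "DDNS_UPDATE"
ACL_NAME = "amberlan"
FORWARD_ZONE = "amber.lan"
LAN = "192.168.67.0/24"


def generate_tsig_secret(bits=512):
    """Random base64 TSIG secret; 512 bits matches the page's dnssec-keygen -b 512."""
    if bits % 8:
        raise ValueError("bits must be a multiple of 8")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


def render_key_stanza(secret, name=KEY_NAME, algorithm="hmac-sha256"):
    """The key {} stanza; the same file is included by named.conf.local and dhcpd.conf."""
    return f'key {name} {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};\n'


KEY_RE = re.compile(r'key\s+(\S+)\s*\{\s*algorithm\s+([\w.\-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;')


def parse_key_stanza(text):
    """Read a key stanza back and check the secret is valid base64; returns name, algorithm, secret length."""
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no key stanza found")
    name, algorithm, secret = m.groups()
    raw = base64.b64decode(secret, validate=True)
    return {"name": name, "algorithm": algorithm, "secret_bytes": len(raw)}


def reverse_zone(network):
    """in-addr.arpa zone for a /8, /16 or /24 network, e.g. 192.168.67.0/24 -> 67.168.192.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only classful IPv4 reverse zones are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def render_bind_zone(zone, zone_file, acl=ACL_NAME, key_name=KEY_NAME):
    """named.conf.local zone with the page's two-term allow-update: the ACL first, then the key."""
    return (
        f'zone "{zone}" {{\n    type master;\n    file "{zone_file}";\n'
        f"    allow-update {{ {acl}; key {key_name}; }};\n}};\n"
    )


def render_dhcpd_zone(zone, key_name=KEY_NAME, primary="127.0.0.1"):
    """dhcpd.conf zone statement: trailing dot on the zone name, no ';' after the closing brace."""
    return f"zone {zone}. {{\n    primary {primary};\n    key {key_name};\n}}\n"


def install_file(text, path, mode=0o640):
    """Create the file with the restrictive mode up front (no world-readable window), as install -m 0640 does."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)  # umask can only remove bits from os.open's mode; force the exact mode
    return oct(os.stat(path).st_mode & 0o777)


def write_example_tree(root=None, algorithm="hmac-sha256"):
    """Write ddns.key plus named and dhcpd fragments under root (a temp dir by default); returns path -> mode."""
    root = root or tempfile.mkdtemp(prefix="ddns-example-")  # assumption: stands in for /etc
    secret = generate_tsig_secret()
    key_text = render_key_stanza(secret, algorithm=algorithm)
    rev = reverse_zone(LAN)
    named = (
        f'include "{root}/bind/ddns.key";\n'
        + render_bind_zone(FORWARD_ZONE, f"/etc/bind/db.{FORWARD_ZONE}")
        + render_bind_zone(rev, "/etc/bind/db.192.168.67")
    )
    dhcpd = (
        "ddns-updates on;\nddns-update-style interim;\nignore client-updates;\n"
        f'update-static-leases on;\ninclude "{root}/bind/ddns.key";\n'
        + render_dhcpd_zone(FORWARD_ZONE)
        + render_dhcpd_zone(rev)
    )
    os.makedirs(f"{root}/bind", exist_ok=True)
    os.makedirs(f"{root}/dhcp", exist_ok=True)
    targets = {
        f"{root}/bind/ddns.key": key_text,
        f"{root}/dhcp/ddns.key": key_text,
        f"{root}/bind/named.conf.local": named,
        f"{root}/dhcp/dhcpd.conf": dhcpd,
    }
    return {path: install_file(text, path) for path, text in targets.items()}


if __name__ == "__main__":
    for path, mode in write_example_tree().items():
        print(mode, path)
```

Because one function renders the key stanza for both daemons, the algorithm and secret cannot drift apart between /etc/bind and /etc/dhcp, which is the usual cause of updates being refused with a BADKEY or BADSIG response; parse_key_stanza is the check to run on the installed file before restarting either daemon.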


Check the configs using

named-checkconf /etc/bind/named.conf
dhcpd -t


Dynamic updates appear in the bind directory in journal files (*.jnl). Sync these to the zone files using

rndc sync -clean