Table of Contents

, , , , , , , , , ,

DHCP / DNS Setup

Outdated

I have moved my DNS and DHCP servers to Docker, Docker-DNS Server. I am still using ISC_Bind9, but am now using ISC_Kea for DHCP as ISC_Bind is no longer supported as of 2022.

tl;dr;

Main references used (2017)

An interesting older resource is BigDinosaur Blog Running BIND9 and ISC-DHCP. Unfortunately, no longer readily available, Kill-9 Ubuntu 16.04 based Router, Part 2 - DHCP

Another reference is Lani's Weblog - Make your DHCP server dynamically update your DNS records on Ubuntu 12.04 (Precise Pangolin). Also dragon.org.uk DNS with bind9 and DHCP on Ubuntu 16.04.

DNS Setup

First install or ensure already installed the DNS server software: “sudo apt install bind9”

Next check the named.conf configuration file, “less /etc/bind/named.conf”. This can remain as default as below. However the configuration files noted there in will need to be set up. We will copy the existing files to default:

Bind9 Control Nomenclature

There are a number of “names” that are used with bind9 dns.

Setting Bind9 to IPv4 Mode

sudo vim /etc/default/bind9 or sudo vim /etc/default/named, set following parameter: OPTIONS=“-u bind -4”

named.conf

The /etc/bind/named.conf is not changed, and should look as below.

named.conf

Next modify the named.conf.options configuration file, sudo vim /etc/bind/named.conf.options, as noted below.

name.conf.options

The forwarders section contains the DNS servers to be checked if this DNS does not have the record. I have been using OpenDNS to allow some free security screening, IP 208.67.222.222 and 208.67.220.220. I have stop using these. IP 9.9.9.9, Quadnine provides some protection bad web sites. Similar for 1.1.1.1 and 1.0.0.1. from Another common option is to use Google DNS at 8.8.8.8 and 8.8.4.4. I avoid using Google products as there is something unclean about free services that extra value by tracking you.

rndc-key

Next create a cryptographic key file using sudo /usr/sbin/rndc-confgen -a, note that this command can take quite some time to complete, a number of minutes. The command produces a key file /etc/bind/rndc.key.

rndc.key

Configure the DNS zones sudo vim /etc/bind/named.conf.local

named.conf.local

lookup zone definition file

Modify the forward lookup zone definition file sudo vim /var/lib/bind/db.kptree.net

db.kptree.net

Note: To allow all LAN traffic to correctly flow to the html server and reverse proxy to sub-domain servers the DNS origin and all sub-domains must point to the main html server.

define reverse zone

Define the reverse zone, sudo vim /var/lib/bind/db.168.192

db.168.192

If and of the above files are changed the serial number should be incremented up before updating the the DNS service, “sudo systemctl restart bind9”. A common technique is to use the date followed by a small single or double digit number, e.g. 2017072101.

The configuration file can be tested with:

The zone files checked with:

If not using IPv6 bind may still look for IPv6 unnecessarily filling up log files. To prevent perform the following:

Fixing BIND's journal out of sync with zone error

Almost all ways caused by manually editing the zone file, which causes it to become out of sync with the automatic DHCP update. Solution is to:

Before performing a manual update on a zone file use rndc freeze before editing and rndc thaw after. See man rndc for information on his command.

Split Horizon DNS

Split horizon DNS or split DNS allows the DNS query to be treated differently depending upon the source of the query. It is is usually used for internal services that can not be reached off LAN.

I am not sure how split DNS addresses the use of SSL certificated domain names based upon external web address on local address hosts with outsome form of hairpin NAT or similar occurring. Think about it, the IP address on the local server does not match the domain certificate IP address.

hairpin_nat is used to allow services provided by hosts on the internal network to be reached externally via NAT also to be reached by internal clients behind a NAT. Split DNS is not a direct replacement of this functionality.

Some external resources:

Other Bind9 Stuff

Update Root hints Data File for Bind Named Server

Download latest bind9 root file to /etc/bind/db.root: sudo wget –user=ftp –password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /etc/bind/db.root

Reload rndc: sudo rndc reload

DHCP Setup

This section is outdated, ISC DHCP was replaced by ISC Kea, and ISC DHCP is no longer formally supported as of 2022.

Outdated tl;dr;

dhcp.conf

The configuration file can be tested with: sudo dhcpd -t

Restart the DHCP and DNS servers to update for latest configurations changes. DNS: sudo systemctl restart bind9 and DHCP: sudo systemctl restart isc-dhcp-server.

To see active leases use command sudo dhcp-lease-list.

ISC has stopped supporting ISC-DHCP client and relay versions as of 2022 and indicated that they plan to eventually stop support of server version. They seem to recommend migration to ISC-Kea, the ISC-DHCP replacement.

isc-dhcp-server defaults file

The default isc-dhcp-server configuration files is: sudo vim /etc/default/isc-dhcp-server. Ensure the interface(s) that the DHCP server is to server requests upon is indicated, for example:

isc-dhcp-server log file comments

Unfortunately the log / journal for isc-dhcp-server contains the following comment for each system interface that is not assigned in /etc/default/isc-dhcp-server. This is a warning, not an error! As such it can generally be ignored.

Example isc-dhcp-server warning

ipv6

radvd

ipv6 requires router advertisement to be functional to operate correctly. In Linux the radvd program performs this function and can be set up independently or with dhcp. The radvd daemon provides basic advertisement functionality, dhcp6 can give additional functionality.

DNS Check Commands

local dns nameserver

The local name resolver can be seen in /etc/resolv.conf. Usually this can not be effectively directly edited as it is controlled by other parts of the system that will wrote over it.

dig

host

nslookup

secure DNS