Docker - DHCP Server

Back  
 Next

This is an old revision of the document!


Back  
 Next

Docker - DHCP Server

Since mid 2023 I have been running a Docker ISC Kea Image using base Docker Alpine Linux images, with S6 init system. (ISC Kea is a modern replacement for their DHCP.) The main DHCP server runs on my main server and I have an automatic fall over back up on my separate Linux router. I basically followed the Kea template Home Network of a Power User. I was never quite sure I had the automatic fall over back-up working. On 2023-01-02 I modified a configuration file on the primary server with a syntax error, 8 days later I notice millions of lines of errors on my log files. Sure enough the backup had simply been working. I fixed up the simple syntax error and the primary server took back over. Everything basically worked as expected.

ISC also has a project for a simple GUI interface primarily for Kea and basic for Bind9. There is apparently no Alpine package yet for Stork.

ISC-Kea seems to be provided in a number of packages

PackageDescriptiionComment
isc-kea-adminThis package provides backend database initialization and migration scripts and a DHCP benchmark tool. If you are not using a database backend, you may not need this.Not using a database backend at this time
isc-kea-commonCommon libraries for the ISC Kea DHCP server. Install this.Need this.
isc-kea-ctrl-agentThis package provides the REST API service agent for Kea DHCP.?
isc-kea-devDevelopment headers for ISC Kea DHCP server. Install if you plan to create any custom Kea hooks.Probably do not need.
isc-kea-dhcp4-serverDHCPv4 server.Need this.
isc-kea-dhcp6-serverDHCPv6 server.Do not need at this time.
isc-kea-dhcp-ddns-serverDDNS server.Need this.
isc-kea-docKea documentation. Highly recommended.On a Docker container?
isc-kea-hook-flex-optionFlexible Options hook.What is this?
isc-kea-hook-haHigh Availability hook.What is this?
isc-kea-hook-lease-cmdsLease Commands hook.What is this?
isc-kea-hook-mysql-cbMySQL Configuration Backend.Dont need this at this time.
isc-kea-hook-pgsql-cbPostgreSQL Configuration Backend.Dont need this.
isc-kea-hook-stat-cmdsStatistics Commands hook.?
isc-kea-httpThis package is essential, install it.It is essential…
isc-kea-perfdhcpOptional. Includes a DHCP performance testing tool from ISC.?
isc-kea-shellText client for Kea DHCP Control Agent.?

Network Ports

From IANA Service Name and Transport Protocol Port online Number Registry:

bootps    67   {tcp, udp}       Bootstrap Protocol Server (DHCP)
bootpc    68   {tcp, udp}       Bootstrap Protocol Client (DHCP)

The Kea Control Agent uses port 8000 by default, but that value can be manually defined in its configuration file. (Usually located at /etc/kea/kea-ctrl-agent.conf.) This port needs to be open and accessible on every server that hosts a Kea DHCP service and a Kea Control Agent.

Docker Network Type

This is a good case where the Docker network type needs to be set to host. The DHCP server needs to be directly on the host to function.

DHCP testing

sudo nmap --script broadcast-dhcp-discover will test the DHCP servers on the same network.

Reference

main dhcp4

  • kea-dhcp4 -t /app/dhcpv4.conf to test the kea-dhcp4 configuration files /app/dhcpv4.conf
  • kea-dhcp4 -c /app/dhcpv4.conf to start kea dhcp4 using configuration file /app/dhcpv4.conf

Use of symlink, TL;DR;

  • kea-dhcp4 -c /app/dhcpv4_plus.conf to start kea dhcp4 using configuration file /app/dhcpv4_plus.conf. This configuration file is designed to work with the kea control agent setup. Where as the basic configuration /app/dhcpv4_basic.conf is not.

ctrl-agent -t /app/kea-ctrl-agent.conf

  • kea-ctrl-agent -t /app/kea-ctrl-agent.conf to test the kea-cont-agent configuration file /app/kea-ctrl-agent.conf
  • kea-ctrl-agent -c /app/kea-ctrl-agent.conf to start the kea-cont-agent configuration file /app/kea-ctrl-agent.conf

Kea logging

I have stored log files in the .config directory that is a Docker mounted volume for persistence and easy external viewing outside container. The following logs files can be seen.

  • .config/log/kea-dhcp4-commands.log
  • .config/log/kea-dhcp4-dhcpsrv.log
  • .config/log/kea-dhcp4-leases.log
  • .config/log/kea-dhcp4.log
  • .config/log/kea-dhcp4-ha-hooks.log

Kea Miscellaneous

  • docker attach kptr-kea-1 to attach to running container
  • kea-dhcp4 -v To check running version

DNSSEC

My local DNS server is a recursive caching type only. It take local (LAN) DNS queries and answers directly for any LAN name resolution, checks the cache for any external name resolution and then if not found locally or in cache checks the specified external DNS servers to resolve names. My DNS server is not setup as a public DNS server and is not publicly accessible. Hence DNSSEC is not relevant for this local DNS server query validation.

For external name resolution Bind9 basically now defaults to automatic use of DNSSEC. This can be validated with (How To Test A Recursive Server) using:

  • dig @192.168.1.14 ftp.isc.org. A +dnssec +multiline, the query return flag ad indicates the DNS answer returned a validated answer.
  • dig @192.168.1.2 ftp.isc.org. A +dnssec +multiline

Equally important the following commands helps confirm that invalid DNS queries have failed and do not rerun invalid IP address, which would be security risk. If dig @192.168.1.14 www.dnssec-failed.org A receives status: SERVFAIL then dig @192.168.1.14 www.dnssec-failed.org A +cd will disable DNSSEC and return the IP address showing that the SERVFAIL occurred due to DNSSEC failure.

Basic Bind9 DNSSEC configuration options

  • The option (in /etc/bind/named.conf.options) dnssec-enable yes; is no longer valid and use will cause configuration error. DO NOT USE! DNSSEC is enabled by default.
  • The option dnssec-validation is set default to auto. The other setting options are yes and no. No action is required, if the option is not specified in the configuration file it is set to auto by default.

So I do not need to do any configuration for DNSSEC to function on external queries.

reference

DNS over TLS (DoT)

References

/app/www/public/data/attic/docker_notes/docker-dhcp.1721535524.txt.gz · Last modified: 2024-07-21 Sun wk29 12:18
CC Attribution-Share Alike 4.0 International Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International