DHCP / DNS Setup

Outdated

I have moved my DNS and DHCP servers to Docker, Docker-DNS Server. I am still using ISC_Bind9, but am now using ISC_Kea for DHCP as ISC_Bind is no longer supported as of 2022.

Further to this, I am now looking at backups for both these services on my local area network. Whilst these services worked reliably well, whenever I shut down the router with the DNS/DHCP servers my LAN would stop working. Hence the need for a back-up DNS.

These notes still have some utility. I will presumably archive (tl;dr; roll-up) eventually.

Actually the router that I was running these services on was totally lost when upgrading from Debian 11 to Debian 12, circa June 2023, so I had to rebuild it from scratch using these various notes.

This setup was primarily written in 2017 and is based upon ISC Bind9 and ISC DHCP, which are the main internet backbone software used for DNS and DHCP.

(2022) ISC has newer DHCP software called Kea that is designed to replace ISC DHCP. Kea was primarily developed around 2014-2020. They are also currently developing a monitor for Kea and Bind9 called Stork. A future plan would be to review and replace ISC DHCP with Kea and also implement Stork.

Main references used (2017)

DNS Setup

First install, or ensure already installed, the DNS server software: sudo apt install bind9

Next check the named.conf configuration file, less /etc/bind/named.conf. This can remain as default, as shown below; however the configuration files referenced therein will need to be set up. First copy the existing files to default backups:

  • sudo cp /etc/bind/named.conf.options /etc/bind/default.named.conf.options
  • sudo cp /etc/bind/named.conf.local /etc/bind/default.named.conf.local
  • sudo cp /etc/bind/named.conf.default-zones /etc/bind/default.named.conf.default-zones

Bind9 Control Nomenclature

There are a number of “names” that are used with bind9 DNS.

  • “bind9” is the DNS software, also known as isc_bind9; systemctl on some Linux distributions refers to the service as bind9.service.
  • “named” is the normal name of the isc-bind9 binary that is called to start the application.
  • “rndc” is an application used to control a running bind9 instance, e.g. rndc reload to reload the configuration.

Setting Bind9 to IPv4 Mode

Edit /etc/default/bind9 (sudo vim /etc/default/bind9) or /etc/default/named (sudo vim /etc/default/named) and set the following parameter: OPTIONS="-u bind -4"

named.conf

The /etc/bind/named.conf file is not changed and should look as below.

named.conf

Next modify the named.conf.options configuration file, sudo vim /etc/bind/named.conf.options, as noted below.

named.conf.options

The forwarders section contains the DNS servers to be queried if this DNS server does not have the record. I had been using OpenDNS to allow some free security screening, IP 208.67.222.222 and 208.67.220.220, but I have stopped using these. IP 9.9.9.9, Quad9, provides some protection against bad web sites; similarly 1.1.1.1 and 1.0.0.1 from Cloudflare. Another common option is to use Google DNS at 8.8.8.8 and 8.8.4.4. I avoid using Google products as there is something unclean about free services that extract value by tracking you.

rndc-key

Next create the rndc key file using sudo /usr/sbin/rndc-confgen -a; note that this command can take quite some time (a number of minutes) to complete. The command produces the key file /etc/bind/rndc.key.

rndc.key

Configure the DNS zones: sudo vim /etc/bind/named.conf.local

named.conf.local

lookup zone definition file

Modify the forward lookup zone definition file: sudo vim /var/lib/bind/db.kptree.net

db.kptree.net

Note: To allow all LAN traffic to flow correctly to the HTML server, and be reverse proxied to the sub-domain servers, the DNS origin and all sub-domains must point to the main HTML server.

define reverse zone

Define the reverse zone: sudo vim /var/lib/bind/db.168.192

db.168.192

If any of the above files are changed, the serial number should be incremented before restarting the DNS service, sudo systemctl restart bind9. A common technique is to use the date followed by a small single- or double-digit number, e.g. 2017072101.

The configuration file can be tested with:

  • sudo named-checkconf /etc/bind/named.conf

The zone files checked with:

  • sudo named-checkzone 168.192.in-addr.arpa /var/lib/bind/db.168.192 for the reverse zone file.
    • It is important that the first parameter, 168.192.in-addr.arpa, matches the reverse zone name used in the SOA record. Subsequent $origin statements can be for lower address ranges, e.g. $origin 1.168.192.in-addr.arpa.
    • Again note the trailing full stop after the origin address.
  • sudo named-checkzone kptree.net /var/lib/bind/db.kptree.net for the forward zone file.

If not using IPv6, bind may still look for IPv6 addresses, unnecessarily filling up log files. To prevent this, perform the following:

  • sudo vim /etc/default/bind9
  • add -4 to the OPTIONS line: OPTIONS="-u bind -4"
  • Also ensure listen-on-v6 { any; }; is commented out in /etc/bind/named.conf.options (sudo vim /etc/bind/named.conf.options)

Fixing BIND's "journal out of sync with zone" error

This is almost always caused by manually editing the zone file, which causes it to become out of sync with the automatic DHCP updates. The solution is to:

  • Stop bind9 (sudo systemctl stop bind9)
  • Delete the problem zone's journal file, ending in .jnl. It can be found in the same directory as the zone files (/var/lib/bind/)
  • Then start bind9 (sudo systemctl start bind9)

Before performing a manual update on a zone file, use rndc freeze before editing and rndc thaw after. See man rndc for information on this command.
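The serial bump and the freeze/edit/thaw sequence above are easy to get wrong by hand (a forgotten increment, or a thaw that never happens after a bad edit, which is what produces the journal error). The script below is an added example, not part of these notes or of BIND itself. It assumes the serial sits on its own line followed by a "; Serial" comment, as in a classic zone file layout, and that rndc and named-checkzone are on the path; the constructed sample zone in the usage is not the real db.kptree.net.

```shell
#!/bin/sh
# next_serial CURRENT TODAY: print the next SOA serial using the YYYYMMDDnn
# convention from the notes. Falls back to CURRENT+1 when today's first slot
# would not be larger (several edits in one day, or a serial that is not date based).
next_serial() {
    current=$1
    today=$2
    candidate="${today}01"
    if [ "$candidate" -gt "$current" ]; then
        echo "$candidate"
    else
        echo $((current + 1))
    fi
}

# bump_zone_serial FILE TODAY: rewrite the serial in FILE in place and print the
# new value. Assumption: the serial is alone on a line that ends in "; Serial".
bump_zone_serial() {
    file=$1
    today=$2
    current=$(awk '/^[[:space:]]*[0-9]+[[:space:]]*;[[:space:]]*[Ss]erial/ { print $1; exit }' "$file")
    if [ -z "$current" ]; then
        echo "no '; Serial' line found in $file" >&2
        return 1
    fi
    newserial=$(next_serial "$current" "$today")
    awk -v old="$current" -v repl="$newserial" '
        !done && $1 == old && /;[[:space:]]*[Ss]erial/ { sub(old, repl); done = 1 }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$newserial"
}

# safe_zone_update ZONE FILE: freeze / edit / check / thaw, with the serial bump
# as the edit. The zone is never left frozen, and a bad edit is rolled back so
# the DHCP dynamic updates resume against a file that still loads.
safe_zone_update() {
    zone=$1
    file=$2
    rndc freeze "$zone" || return 1        # stop dynamic updates, flush the .jnl into the file
    cp "$file" "$file.bak"
    if bump_zone_serial "$file" "$(date +%Y%m%d)" >/dev/null \
        && named-checkzone "$zone" "$file" >/dev/null; then
        rndc thaw "$zone"                  # reload the edited file, resume dynamic updates
        echo "$zone reloaded with serial $(awk '/;[[:space:]]*[Ss]erial/ { print $1; exit }' "$file")"
    else
        mv "$file.bak" "$file"             # roll back, then thaw so DHCP updates are not blocked
        rndc thaw "$zone"
        echo "edit rejected for $zone, original file restored" >&2
        return 1
    fi
}

# Usage: sh zone-edit.sh kptree.net /var/lib/bind/db.kptree.net
if [ $# -eq 2 ]; then
    safe_zone_update "$1" "$2"
fi
```

Running it with no arguments only defines the functions, so it can be sourced from other scripts; bump_zone_serial on its own is enough for a zone that has no dynamic updates, while safe_zone_update is the version to use on the DHCP-updated zones.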

Split Horizon DNS

Split horizon DNS, or split DNS, allows a DNS query to be answered differently depending upon the source of the query. It is usually used for internal services that cannot be reached off the LAN.

I am not sure how split DNS addresses the use of SSL-certificated domain names, based upon the external web address, on local-address hosts without some form of hairpin NAT or similar occurring. Think about it: the IP address of the local server does not match the domain certificate's IP address.

hairpin_nat is used to allow services provided by hosts on the internal network, which are reached externally via NAT, also to be reached by internal clients behind the NAT. Split DNS is not a direct replacement for this functionality.

Some external resources:

Other Bind9 Stuff

DHCP Setup

First install, or ensure already installed, the ISC DHCP server software: sudo apt install isc-dhcp-server

Next edit the DHCP configuration file: sudo vim /etc/dhcp/dhcpd.conf

dhcpd.conf

The configuration file can be tested with: sudo dhcpd -t

Restart the DHCP and DNS servers to pick up the latest configuration changes. DNS: sudo systemctl restart bind9; DHCP: sudo systemctl restart isc-dhcp-server.

To see active leases use command sudo dhcp-lease-list.

ISC stopped supporting the ISC DHCP client and relay as of 2022 and has indicated that it plans to eventually stop support of the server as well. They seem to recommend migration to ISC Kea, the ISC DHCP replacement.

isc-dhcp-server defaults file

The isc-dhcp-server defaults file is /etc/default/isc-dhcp-server (sudo vim /etc/default/isc-dhcp-server). Ensure the interface(s) on which the DHCP server is to serve requests are listed, for example:

  • INTERFACESv4="br0"
  • INTERFACESv6="br0"

isc-dhcp-server log file comments

Unfortunately the log/journal for isc-dhcp-server contains the following message for each system interface that is not assigned in /etc/default/isc-dhcp-server. This is a warning, not an error, and as such it can generally be ignored.
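A quick sanity check that ties the defaults file to the warnings above: parse INTERFACESv4/INTERFACESv6, confirm each named interface actually exists (a typo there means dhcpd silently serves nothing on that segment), and list the interfaces that are present but unassigned, which are exactly the ones the journal warns about. This is an added example, not part of these notes or of the isc-dhcp-server package; it assumes the file uses the INTERFACESv4="br0 eth1" quoting shown above and that the iproute2 ip command is available.

```shell
#!/bin/sh
# dhcp_interfaces FILE: print the interface names from INTERFACESv4/INTERFACESv6
# in an /etc/default/isc-dhcp-server style file, one per line, deduplicated.
# Commented-out lines are ignored because the pattern requires the key at line start.
dhcp_interfaces() {
    sed -n 's/^[[:space:]]*INTERFACESv[46]=//p' "$1" \
        | tr -d '"' | tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Thin wrappers around ip(8) so the checks can be tested with canned data.
interface_exists() { ip link show dev "$1" >/dev/null 2>&1; }
list_interfaces() { ip -o link show | awk -F': ' '{ print $2 }' | sed 's/@.*//'; }

# check_dhcp_interfaces FILE: verify every configured interface exists on this host.
# Returns the number of missing interfaces, so 0 means the defaults file is sane.
check_dhcp_interfaces() {
    missing=0
    for ifname in $(dhcp_interfaces "$1"); do
        if interface_exists "$ifname"; then
            echo "ok       $ifname"
        else
            echo "MISSING  $ifname (dhcpd will have nothing to listen on here)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# unassigned_interfaces FILE: interfaces present on the host (other than lo) that
# the defaults file does not mention; each of these produces the warning in the log.
unassigned_interfaces() {
    configured=" $(dhcp_interfaces "$1" | tr '\n' ' ')"
    for ifname in $(list_interfaces); do
        [ "$ifname" = lo ] && continue
        case "$configured" in
            *" $ifname "*) ;;
            *) echo "$ifname" ;;
        esac
    done
}

# Usage: sh dhcp-ifcheck.sh /etc/default/isc-dhcp-server
if [ $# -eq 1 ]; then
    check_dhcp_interfaces "$1"
    echo "present but not assigned (expect a warning for each):"
    unassigned_interfaces "$1"
fi
```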

Example isc-dhcp-server warning

ipv6

radvd

IPv6 requires router advertisements to operate correctly. In Linux the radvd program performs this function and can be set up independently or alongside DHCP. The radvd daemon provides basic advertisement functionality; DHCPv6 can provide additional functionality.

  • sudo apt install radvd
  • sudo vim /etc/radvd.conf
    • radvd.conf
  • sudo systemctl status radvd.service
    • /lib/systemd/system/radvd.service

DNS Check Commands

local dns nameserver

The local name resolver configuration can be seen in /etc/resolv.conf. Usually this cannot be effectively edited directly, as it is controlled by other parts of the system that will write over it.

dig

  • dig bing.com: this will provide the name resolution information for this site.
  • dig @1.1.1.1 wiki.kptree.net will check name resolution at the specified resolver. This can help determine name propagation.
  • dig mail.kptree.net will return mail server information.
  • dig @9.9.9.9 mail.kptree.net will return mail server information at the specified resolver.
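Checking propagation by hand means running the @resolver form of dig several times and eyeballing the answers. The script below is an added example, not part of these notes or of the bind9 tools: it queries each resolver given on the command line for the A records of a name and reports whether the answer sets agree. It assumes dig is installed; the query function is kept separate so it can be swapped for canned data when testing offline, and the resolvers in the usage line are the ones mentioned in these notes.

```shell
#!/bin/sh
# a_records_from_dig: read dig output (full or +noall +answer form) on stdin and
# print just the A-record addresses, sorted, so two answer sets compare as text.
a_records_from_dig() {
    awk '$3 == "IN" && $4 == "A" { print $5 }' | sort -u
}

# resolve_a NAME RESOLVER: one live query with short timeouts so a dead resolver
# does not stall the whole comparison.
resolve_a() {
    dig "@$2" "$1" A +noall +answer +time=3 +tries=1 | a_records_from_dig
}

# check_propagation NAME RESOLVER...: query each resolver and report whether all
# of them return the same set of A records. Returns 0 when consistent, 1 otherwise.
check_propagation() {
    name=$1
    shift
    reference=""
    first=1
    consistent=0
    for resolver in "$@"; do
        answers=$(resolve_a "$name" "$resolver" | tr '\n' ' ')
        [ -n "$answers" ] || answers="(no answer)"
        printf '%-16s %s\n' "$resolver" "$answers"
        if [ "$first" -eq 1 ]; then
            reference=$answers
            first=0
        elif [ "$answers" != "$reference" ]; then
            consistent=1
        fi
    done
    if [ "$consistent" -eq 0 ]; then
        echo "$name: consistent across $# resolvers"
    else
        echo "$name: INCONSISTENT (still propagating, or a stale cache somewhere)"
    fi
    return "$consistent"
}

# Usage: sh propagation.sh wiki.kptree.net 9.9.9.9 1.1.1.1 8.8.8.8
if [ $# -ge 2 ]; then
    check_propagation "$@"
fi
```

Adding the LAN's own resolver to the list is a cheap way to spot the split-horizon case: an internal answer that differs from every public one is expected, while public resolvers disagreeing among themselves is a propagation problem.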

host

  • host mail.kptree.net
  • host kptree.net

nslookup

  • nslookup wiki.kptree.net
  • nslookup -type=mx mail.kptree.net for mail server information
  • nslookup -type=mx -debug mail.kptree.net for more verbose output

secure DNS

  • echo | openssl s_client -connect '9.9.9.9:853' 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 to query the current SPKI pin for Quad9
    • This also seems to work for other DNS resolvers: 1.1.1.1 (Cloudflare), 8.8.8.8 (Google)
Last modified: 2024-06-23 09:58

Except where otherwise noted, content on this wiki is licensed under CC Attribution-Share Alike 4.0 International.