Chapter 4

Running DHCP and DNS

IN THIS CHAPTER

  • Dealing with DHCP

  • Running a DNS server

  • Understanding BIND configuration files

One of the main reasons why many network administrators add Linux servers to their networks is to run Internet services, such as DHCP and DNS. These services were originally developed for the Unix environment, so they tend to run better under Linux than they do under Windows.

Well, that’s the theory, at least. The most recent versions of Windows are probably just as good at running these services as Linux. Still, if you prefer to set up these services on a Linux server, this chapter is for you.

Running a DHCP Server

DHCP is the TCP/IP protocol that automatically assigns IP addresses to hosts as they come on the network. (DHCP stands for Dynamic Host Configuration Protocol, but that won’t be on the test.) For a very small network (say, fewer than ten hosts), you don’t really need DHCP: You can just configure each computer to have a static IP address. For larger networks, however, DHCP is almost a must. Without DHCP, you have to manually plan your entire IP address scheme and manually configure every computer with its IP information. Then, if a critical address — such as your Internet gateway router or your DNS server address — changes, you have to manually update each computer on the network. As you can imagine, DHCP can save you a lot of time.

Tip Even for small networks, however, DHCP can be a timesaver. For example, suppose that you have a notebook computer that you take back and forth between your home and office. If you don’t set up a DHCP server at home, you have to change the computer’s static IP address each time you move the computer. With DHCP, the computer can change IP addresses automatically.

Tip For the complete lowdown on DHCP, please read Book 2, Chapter 5. In the following sections, I show you how to install and configure a DHCP server on a current Fedora Linux release; the dnf and systemctl commands used here work the same on any recent Fedora version.

Installing DHCP

You can quickly find out whether the ISC DHCP server is installed on your system by entering the following command from a shell prompt (on Fedora the server lives in the dhcp-server package; the dhcp-client package is only the client side):

sudo dnf install dhcp-server

If DHCP has already been installed, the dnf command will let you know that the package is already installed and that it has nothing to do. Otherwise, the dnf command will ask your permission to install the package:

Total download size: 2.7 M
Installed size: 8.7 M
Is this ok [y/N]:

Enter y to proceed with the installation. After a few moments, dnf will announce that the installation is complete.

Configuring DHCP

You configure DHCP settings through a file called dhcpd.conf that lives in the /etc/dhcp directory. Fedora provides you with a sample configuration file located at the following path:

/usr/share/doc/dhcp-server/dhcpd.conf.example

Open this file in vi to review it. Listing 4-1 shows a portion of the sample configuration file. Note that the exact contents of this file vary from release to release. For brevity, I've omitted portions of the configuration file that are for less common DHCP situations.

LISTING 4-1 The Example dhcpd.conf File

# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks…
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# This is a very basic subnet declaration.

subnet 10.254.239.0 netmask 255.255.255.224 {
    range 10.254.239.10 10.254.239.20;
    option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
}

The following paragraphs describe some of the key points of this file:

  • option domain-name: This line provides the domain name that clients use as their DNS search suffix.
  • option domain-name-servers: This line provides the names or IP addresses of your DNS servers. Prefer IP addresses: dhcpd resolves any names in this file once, at startup, and clients need DHCP to work before they can reach DNS at all.
  • subnet: This line specifies a subnet that's managed by this DHCP server. Following the subnet ID and netmask is an opening brace; everything between it and the matching closing brace belongs to this subnet. If your DHCP server hands out configuration for two or more subnets, add a subnet block for each of them.
  • range: This line specifies the range of addresses that the DHCP server will assign dynamically for this subnet. The range must lie inside the subnet; dhcpd refuses to start if it doesn't.
  • option routers: This line provides the IP address of the default gateway. The sample file uses host names here; on a real network, give the gateway's IP address, for the same reason as with the DNS servers.
  • default-lease-time: This line determines the default lease time in seconds. The default in the example file (600 seconds, or 10 minutes) is far too short for anything other than a testing situation. More common settings are:
    • 86400 (1 day)
    • 604800 (7 days)
    • 2592000 (30 days)
  • max-lease-time: This line sets the longest lease a client may ask for; a client that requests more gets a lease clamped to this value.
  • host: A host block (omitted from the trimmed listing above) specifies a reservation. It names the client's MAC address (hardware ethernet) and the fixed IP address that client always receives (fixed-address).
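Here is a complete dhcpd.conf that puts the pieces above together for the 10.0.0.0/24 network used by the zone file later in this chapter. This is an added example, not the Fedora sample file; the gateway address, the dynamic range, and the MAC address of the fs01 reservation are assumptions made up for illustration.

```conf
# /etc/dhcp/dhcpd.conf (added example; addresses and the MAC are made up)

# This is the only DHCP server on the LAN, so let it answer DHCPNAK when a
# client asks to renew an address it knows nothing about. Leave this out
# only if another server owns the subnet.
authoritative;

option domain-name "lowewriter.com";
# IP addresses rather than names: dhcpd resolves names in this file once at
# startup, and clients cannot reach DNS until DHCP has worked.
option domain-name-servers 10.0.0.30;

default-lease-time 86400;    # 1 day
max-lease-time 604800;       # a client may ask for up to 7 days

subnet 10.0.0.0 netmask 255.255.255.0 {
    # Dynamic pool. Servers (10.0.0.1-99) and reservations stay outside it.
    range 10.0.0.100 10.0.0.199;
    option routers 10.0.0.1;
    option broadcast-address 10.0.0.255;
}

# Reservation: the file server always gets the same address, matched on its
# MAC address. The address lies outside the dynamic range above.
host fs01 {
    hardware ethernet 00:11:22:33:44:55;   # assumed MAC address
    fixed-address 10.0.0.40;
}
```

Check the file before touching the running service: dhcpd -t -cf /etc/dhcp/dhcpd.conf parses it and exits non-zero with a line number on any error, and a range outside its subnet is reported at the same point. Bear in mind that MAC-based reservations are a convenience, not access control: any host can present that MAC address and be handed the reserved IP.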

Starting DHCP

After you set up the configuration file, check it before starting the service:

dhcpd -t -cf /etc/dhcp/dhcpd.conf

The -t switch parses the file and exits without serving anything, reporting the line number of any error. Then start DHCP by opening a terminal window or virtual console and entering the following command:

systemctl start dhcpd

If the service fails to start, systemctl tells you only that it failed; the reason is in the journal. Run systemctl status dhcpd or journalctl -u dhcpd to see dhcpd's own error message, edit the file to correct the error, and then start the DHCP service again.

You should also restart the service whenever you make a change to the configuration file. To restart DHCP, enter this command:

systemctl restart dhcpd

To automatically start DHCP whenever you start the computer, enable its unit (the chkconfig command of older Fedora releases has been replaced by systemctl):

systemctl enable dhcpd

You can combine both steps with systemctl enable --now dhcpd. The server must also be able to receive clients' broadcast requests on UDP port 67, so on Fedora's default firewall run firewall-cmd --permanent --add-service=dhcp followed by firewall-cmd --reload.

Running a DNS Server

Linux comes with BIND, the best DNS server that money can buy. BIND is an extremely powerful program. Some people make entire careers of setting up and configuring BIND. In these few short pages, I just touch on the very basics of setting up a DNS server on your network.

Tip You can find plenty of details about DNS in Book 2, Chapter 6. Please review that chapter before playing with BIND on your Linux system.

Installing BIND

You can quickly find out whether BIND is installed on your system by entering the following command from a shell prompt:

sudo dnf install bind

If BIND has already been installed, the dnf command will let you know that the package is already installed and that it has nothing to do. Otherwise, the dnf command will ask your permission to install the package. Enter y to install the package.

After BIND has been installed, you can start its service (which is called named) by entering this command:

systemctl start named

You can also go to Cockpit to start the service.

Editing BIND configuration files

Like most things Linux, BIND is configured by editing configuration files. These files live in one of two places: /etc or /var/named. The following sections describe the most important configuration files.

named.conf

This file, found in the /etc directory, is the basic BIND configuration file. This file contains global properties and links to the other configuration files.

Listing 4-2 shows a typical named.conf file.

LISTING 4-2 The named.conf File

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND
// named(8) DNS server as a caching only nameserver (as a
// localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named
// configuration files.
//

options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { localhost; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT
       enable recursion.
     - If you are building a RECURSIVE (caching) DNS server,
       you need to enable recursion.
     - If your recursive DNS server has a public IP address,
       you MUST enable access control to limit queries to your
       legitimate users. Failing to do so will cause your
       server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would
       greatly reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    managed-keys-directory "/var/named/dynamic";
    geoip-directory "/usr/share/GeoIP";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Each zone statement names the file that holds one zone for which the server is responsible. As shipped, named.conf itself contains only one: the root hint zone, which named uses to reach the Internet's root servers for any lookup not covered by a zone of your own. (The include of named.rfc1912.zones at the end adds the localhost and loopback reverse zones.) The root zone is defined by the following lines:

zone "." IN {
type hint;
file "named.ca";
};

In the first line (zone), a single period is used as the domain name. The second line indicates that the zone type is hint, which means that the zone will refer to the DNS root servers. Finally, the third line provides the name of the file that identifies the root servers. We'll look at this file in a moment. But first, I want to show you how to edit this file to include your own zones.

To do that, you could add more zone statements directly to named.conf. I prefer to define my own zones in a separate file and pull it in with an include statement, which keeps local changes apart from the file the bind package maintains. You can name the file anything you want, but named.custom is a common choice. Simply add the following line to the end of the named.conf file (note the lowercase include, matching the two include statements already there):

include "/etc/named.custom";

Then, you can create this file in the /etc directory and add a zone statement for your domain's zone.

Here’s an example of a zone statement to create a new zone named lowewriter.com:

zone "lowewriter.com" IN {
    type master;
    file "lowewriter.com.zone";
};

Note that this zone specifies the type as master, which means that this server is authoritative for the zone. (BIND 9.16 and later spell this type primary; master is still accepted.) Then, the file option provides the name of the zone file that actually defines the zone. The name is relative to the directory option in named.conf, so this file (lowewriter.com.zone) resides in /var/named. You'll learn how to create it later in this chapter, in the section "Zone files." One thing to keep in mind: the stock options block in Listing 4-2 listens only on 127.0.0.1 and allows queries only from localhost, so other hosts on your network cannot reach this zone until you widen listen-on and allow-query. But first, let's take a look at the named.ca file.
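The stock named.conf is a localhost-only resolver, and the comment block in Listing 4-2 warns what happens if you simply open it up. The following named.conf and named.custom fragments are an added example, not the Fedora file or anything from the book: they show the quick-and-wrong change beside a version that serves the lowewriter.com zone to the LAN while keeping recursion private. The 10.0.0.0/24 network and the server address 10.0.0.30 are assumptions that match the zone file later in the chapter.

```conf
// /etc/named.conf (added example; 10.0.0.0/24 and 10.0.0.30 are assumptions)

// WEAK: the quickest way to make the server reachable from the LAN, and also
// the recipe for the open resolver the comment block warns about.
//   listen-on port 53 { any; };
//   allow-query { any; };
//   recursion yes;

// CORRECTED: name who is "inside" once, and refer to it below.
acl "internal" {
    127.0.0.1;
    ::1;
    10.0.0.0/24;
};

options {
    listen-on port 53 { 127.0.0.1; 10.0.0.30; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";

    // Nothing in this zone is routable from the Internet, so nobody outside
    // needs to query it. If you ever must publish a zone, widen allow-query
    // in that zone statement and leave the recursion settings alone.
    allow-query { internal; };

    // Recursion and the cache are for the LAN only. This, not allow-query,
    // is what keeps the server out of amplification attacks.
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };

    dnssec-validation yes;

    // Don't advertise the BIND version to anyone who asks.
    version "none";
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.custom";

// ---- /etc/named.custom ----
zone "lowewriter.com" IN {
    type primary;                  // "master" before BIND 9.16
    file "lowewriter.com.zone";
    allow-transfer { none; };      // or the addresses of your secondaries
    allow-update { none; };        // no dynamic updates from the LAN
};
```

named-checkconf /etc/named.conf parses the result (add -z to also load every zone it references) and exits non-zero with a line number on error. After a restart, dig @10.0.0.30 lowewriter.com NS from another LAN host should answer, and the same query from outside the acl should be refused. The firewall needs DNS opened as well: firewall-cmd --permanent --add-service=dns, then firewall-cmd --reload.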

named.ca

The named.ca file, located in the /var/named directory, lists the names and addresses of the Internet's root servers. It's a fascinating file to look at because it helps to unveil the mystery of how the Internet really works. You shouldn’t change it, however, unless, of course, you happen to be the administrator of one of the Internet’s root servers — in which case, I hope you’re not reading this book to learn how BIND works.

Listing 4-3 shows a typical named.ca file; it is simply the saved output of a dig query for the root NS records, which is why it looks the way it does. The exact contents of this file vary from release to release.

LISTING 4-3 A Sample named.ca File

; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net. 518400 IN A 198.41.0.4
b.root-servers.net. 518400 IN A 199.9.14.201
c.root-servers.net. 518400 IN A 192.33.4.12
d.root-servers.net. 518400 IN A 199.7.91.13
e.root-servers.net. 518400 IN A 192.203.230.10
f.root-servers.net. 518400 IN A 192.5.5.241
g.root-servers.net. 518400 IN A 192.112.36.4
h.root-servers.net. 518400 IN A 198.97.190.53
i.root-servers.net. 518400 IN A 192.36.148.17
j.root-servers.net. 518400 IN A 192.58.128.30
k.root-servers.net. 518400 IN A 193.0.14.129
l.root-servers.net. 518400 IN A 199.7.83.42
m.root-servers.net. 518400 IN A 202.12.27.33
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 518400 IN AAAA 2001:500:200::b
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
h.root-servers.net. 518400 IN AAAA 2001:500:1::53
i.root-servers.net. 518400 IN AAAA 2001:7fe::53
j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 518400 IN AAAA 2001:7fd::1
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
m.root-servers.net. 518400 IN AAAA 2001:dc3::35

;; Query time: 24 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Apr 05 15:57:34 CEST 2018
;; MSG SIZE rcvd: 811

Tip InterNIC publishes the current root hints at https://www.internic.net/domain/named.root, and Fedora's bind package installs a current copy as /var/named/named.ca. A slightly stale file is rarely fatal: named uses the hints only to find one root server at startup and then fetches the live list from it (a step called priming), and recent BIND releases carry a built-in copy as a fallback. Still, every once in a while the list changes, so check now and then that your file matches the published one.

Zone files

Each zone for which your DNS server is authoritative should have a zone file, conventionally named domain.zone and located in the /var/named directory. The name of this file must match the filename you specified in either the named.conf file or in a file such as named.custom, which you included in the named.conf file.

Here's a typical zone file, named lowewriter.com.zone. The name server given in the SOA and NS records is dns01.lowewriter.com, which the zone itself defines with the dns01 A record; naming the server under the mDNS .local domain instead would leave resolvers with no way to look it up.

$TTL 86400
@       IN  SOA  dns01.lowewriter.com. root.lowewriter.com. (
                 20201004   ;Serial (must increase on every change)
                 3600       ;Refresh
                 1800       ;Retry
                 604800     ;Expire
                 86400 )    ;Minimum TTL (negative-caching TTL)
@       IN  NS   dns01.lowewriter.com.
@       IN  A    10.0.0.30
dns01   IN  A    10.0.0.30
fs01    IN  A    10.0.0.40
mail    IN  A    10.0.0.20

Table 4-1 lists the most common types of records that appear in zone files. For a complete description of each of these record types, see Book 2, Chapter 6.
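The zone file above uses only SOA, NS, and A records. The following pair of files is an added example (not from the book) that exercises the rest of Table 4-1: an MX and a CNAME in the forward zone, and a reverse zone with PTR records so that lookups of 10.0.0.x answer with names. The www alias and the hostmaster mailbox are assumptions; everything else reuses the chapter's hosts and addresses.

```conf
; /var/named/lowewriter.com.zone (added example; www and hostmaster are assumed)
$TTL 86400
$ORIGIN lowewriter.com.
@       IN  SOA   dns01.lowewriter.com. hostmaster.lowewriter.com. (
                  2020100401 ; Serial: YYYYMMDDnn, bump on every edit
                  3600       ; Refresh
                  1800       ; Retry
                  604800     ; Expire
                  86400 )    ; Negative-caching TTL
        IN  NS    dns01.lowewriter.com.
        IN  MX    10 mail.lowewriter.com.   ; lowest preference is tried first
        IN  A     10.0.0.30
dns01   IN  A     10.0.0.30
fs01    IN  A     10.0.0.40
mail    IN  A     10.0.0.20
www     IN  CNAME fs01.lowewriter.com.     ; alias; MX and NS must never point at a CNAME

; /var/named/10.0.0.rev, declared in /etc/named.custom as
;   zone "0.0.10.in-addr.arpa" IN { type primary; file "10.0.0.rev"; };
$TTL 86400
$ORIGIN 0.0.10.in-addr.arpa.
@       IN  SOA   dns01.lowewriter.com. hostmaster.lowewriter.com. (
                  2020100401 3600 1800 604800 86400 )
        IN  NS    dns01.lowewriter.com.
20      IN  PTR   mail.lowewriter.com.     ; 10.0.0.20
30      IN  PTR   dns01.lowewriter.com.    ; 10.0.0.30
40      IN  PTR   fs01.lowewriter.com.     ; 10.0.0.40
```

Validate each file before loading it: named-checkzone lowewriter.com /var/named/lowewriter.com.zone and named-checkzone 0.0.10.in-addr.arpa /var/named/10.0.0.rev. Once named has reloaded, dig -x 10.0.0.40 @10.0.0.30 should return fs01.lowewriter.com, and dig lowewriter.com MX @10.0.0.30 the mail host. Reverse records matter to more than tidiness: mail servers and log analysis both distrust addresses whose PTR and A records disagree.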

Restarting BIND

Whenever you change a BIND configuration file, named must re-read it. Check the files first: named-checkconf /etc/named.conf parses the configuration (add -z to also load every zone it references), and named-checkzone lowewriter.com /var/named/lowewriter.com.zone checks a single zone file. Both exit non-zero with a line-numbered message on error, which beats finding out from a service that won't start. Then reload:

rndc reload

rndc reload re-reads named.conf and the zone files without throwing away the resolver cache, and rndc reload lowewriter.com reloads just one zone. A full restart also works:

systemctl restart named

Remember that secondaries only pick up a changed zone when its SOA serial has gone up; if you edit a zone file and forget to bump the serial, named logs a "zone serial unchanged" warning on reload.

You can also restart the named service in Cockpit; just summon the Services page, locate the named service, and restart it.
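The step most often forgotten between editing a zone file and reloading is bumping the SOA serial. The script below is an added example, not part of the book or of BIND: it reads the serial from a zone file laid out like lowewriter.com.zone (the serial on its own line followed by a ;Serial comment), computes the next value in the YYYYMMDDnn convention, writes it back, validates the zone with named-checkzone, and reloads only that zone with rndc. The zone name, file path, and the reload argument are assumptions for the usage line at the bottom.

```sh
#!/bin/sh
# Added example (not from the book or the bind package): bump a zone's SOA
# serial, validate the zone, and reload only that zone with rndc.
# Assumes the serial sits on its own line followed by ";Serial", as in the
# chapter's lowewriter.com.zone, and GNU sed (Fedora) for sed -i.
set -eu

# get_serial FILE -> prints the serial found on the first ";Serial" line
get_serial() {
    sed -n 's/^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;[[:space:]]*[Ss]erial.*/\1/p' "$1" | head -n 1
}

# bump_serial CURRENT TODAY -> prints the next serial in YYYYMMDDnn form.
# If TODAY (as YYYYMMDD) is newer than the date part of CURRENT, restart at
# TODAY00; otherwise add one. RFC 1982 serial arithmetic treats an increase
# of 2^31 or more as going backwards, so refuse anything that large.
bump_serial() {
    current=$1
    today=$2
    candidate=$((today * 100))
    if [ "$candidate" -gt "$current" ]; then
        new=$candidate
    else
        new=$((current + 1))
    fi
    if [ $((new - current)) -ge 2147483648 ] || [ "$new" -gt 4294967295 ]; then
        echo "serial $current -> $new exceeds RFC 1982 limits" >&2
        return 1
    fi
    echo "$new"
}

# set_serial FILE NEW -> rewrites the number on the ";Serial" line in place
set_serial() {
    sed -i "s/^\([[:space:]]*\)[0-9][0-9]*\([[:space:]]*;[[:space:]]*[Ss]erial\)/\1$2\2/" "$1"
}

# reload_zone ZONE FILE -> bump, check, and reload one zone. named-checkzone
# rejects a broken file before rndc ever sees it; set -e stops us there.
reload_zone() {
    zone=$1
    file=$2
    old=$(get_serial "$file")
    new=$(bump_serial "$old" "$(date +%Y%m%d)")
    set_serial "$file" "$new"
    named-checkzone "$zone" "$file"
    rndc reload "$zone"
    echo "$zone: serial $old -> $new"
}

# Usage (as root, assumed invocation):
#   sh bump-zone.sh reload lowewriter.com /var/named/lowewriter.com.zone
if [ "${1:-}" = "reload" ]; then
    reload_zone "$2" "$3"
fi
```

Run it only after editing the zone data; it bumps the serial unconditionally, and a serial that has grown past today's YYYYMMDD00 simply keeps counting up, which is correct but worth knowing when you read the number later.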

TABLE 4-1 Common Resource Record Types

Type    Name                 Description
SOA     Start Of Authority   Identifies a zone and provides settings for the zone such as the serial number (often derived from the date), the refresh, retry, and expiration intervals, and the negative-caching TTL (the field historically called minimum)
NS      Name Server          Identifies a name server that is authoritative for the zone
A       Address              Maps a fully qualified domain name to an IPv4 address (AAAA does the same for IPv6)
CNAME   Canonical Name       Creates an alias for a fully qualified domain name
MX      Mail Exchange        Identifies a mail server for a domain, with a preference value; the lowest preference is tried first
PTR     Pointer              Maps an IP address to a fully qualified domain name for reverse lookups
