20/06/13

Running BIND9 and ISC-DHCP - Bigdinosaur Blog

Bigdinosaur Blog
Tales of hacking and stomping on things.
Running BIND9 and ISC-DHCP


21 January 2012 | Comments

Most people use a NAT router at home for connecting to the Internet, and most consumer-grade NAT routers offer some limited version of DHCP for automatically handing out IP addresses to desktops, laptops, game consoles and smartphones, and some limited version of DNS for making sure all the devices on the network know what all the other devices are called. However, the feature set and functionality of these cut-down DHCP and DNS instances are almost always too limited to handle more than the simplest of network designs; sometimes, you need to be able to do more. For example, if you wanted to set up a separate DHCP zone for handing out addresses to untrusted wireless clients versus trusted clients, or if you wanted to do something more awesome like implement the Upside-Down-Ternet, you'd need something a lot more configurable than the little NAT router's applications. There are lots of options, but it's easiest to just pull out the big guns and set up BIND9, the current version of the DNS software that powers the Internet, along with the ISC's DHCP server.

DNS and DHCP are like peas and carrots, as the saying goes: DHCP hands out the addresses, but doesn't communicate to other network hosts who has what address; DNS knows how to correlate names to addresses but doesn't hand out addresses itself. In this post, we'll set up DNS and DHCP on Ubuntu, and then configure them to work together.

(NB. This blog entry ended up being bloody huge, because I don't just list the configuration options to set but rather go into detail on what each one does. I'd intended to bang the post out in a single evening, but instead it's taken a couple of hours over three days to complete. I hope it is informative and helpful!)

This tutorial has been done more than once, to be sure. You can search around and find tons of other write-ups about deploying DNS and DHCP and getting them to update each other. However, no single tutorial worked for me; so, this is a write-up of everything I had to do to get the end-to-end solution working.

Prerequisites
First, the necessary installations. Both BIND9 and DHCP are available in handy-dandy prepackaged form if you're running Ubuntu or another Debian-based distro:

```
$ sudo aptitude install bind9 isc-dhcp-server
```

In versions of Ubuntu prior to 11.04, the DHCP server package was simply called dhcp3-server; the 11.04 and later repositories have the updated isc-dhcp-server package in its place (which is version 4, though why they didn't just call it dhcp4-server is beyond me). If you're running DHCP and DNS on your NAT router, now would be a good time to disable them. How to do this varies depending on the type of router, but if you're willing to set up your own DHCP and DNS services on a Linux server, you can probably figure it out.

DNS configuration
BIND9 is a Unixy beast: it's a powerful but cryptic application with a rich and potentially complex configuration. Still, all we're going to do is set up three simple zones (that is, three separate administrative blocks) and add a few options so that servers on your LAN can use the DNS server, so the resultant set of config files won't be too bad at all. The configuration for the DHCP server will be a lot more complex, so we'll save it for last.

When installed from a package, the configuration files for BIND9 are located in /etc/bind. The main configuration file is named.conf (that's name-d, as in the daemon controlling the naming service, not named as in the past-tense verb), which really just functions as a container and references the other three configuration files. Default contents of /etc/bind/named.conf:
```
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
```

As the file says in the comments, this isn't the place to do any actual work. We need to dive into named.conf.local and named.conf.options. First, the options. I've modified my named.conf.options file so that it looks like this:

/etc/bind/named.conf.options
```
options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
        allow-query {
                10.10.10/24;
                127.0.0.1;
        };
        allow-transfer {
                10.10.10/24;
                127.0.0.1;
        };
};
```

The forwarders section contains servers that the DNS server will check if it doesn't have a record of the host you're trying to reach. Since the DNS server won't have a record of anything outside of your LAN, you'll need to put your ISP's or some other entity's DNS server IP addresses here. The two I have listed belong to Google. Your DNS server will eventually build up a good cache of sites you visit regularly, but it will still often need to query external name servers.

The allow-query line contains the subnet(s) and netmask(s) that are allowed to send DNS queries to the server. You obviously want to constrain this to your local LAN. The allow-transfer segment lists which subnets and netmasks are allowed to get copies of the DNS server's zone data. Best to set this to the local LAN as well. It's not something you'll need to worry about unless you're running multiple DNS servers, though.

Next, we have to decide what zones we need. I'll be defining three DNS zones for my LAN. The first will be a forward lookup zone for my LAN's main network segment, which the DNS server will use to correlate host names to IP addresses. However, in order to do the opposite and correlate IP addresses to names, a separate zone must be created, called a reverse lookup zone. Finally, I'll also create a special zone for *.facebook.com, which will prevent any hosts using this DNS server from resolving any Facebook IP addresses, because I don't use Facebook and I dislike the load delays its bugs and banners introduce into web pages.

Dynamic updating: DNS


Before we add those zones into the configuration file, though, we have to also do some cryptographic voodoo. This whole exercise of building zones is kind of pointless without dynamic updating; that is, without the ability of the DHCP server to update the DNS zones with the addresses it hands out and the host names those addresses are assigned to. So, we need to generate a cryptographic key (a shared secret) which the DNS and DHCP servers both have access to. To do this, run the following command:

```
/usr/sbin/rndc-confgen -a
```

This will create a file named rndc.key, whose contents will look something like this:

rndc.key

```
key "rndc-key" {
        algorithm hmac-md5;
        secret "HFQYu0RsxJ/DJb3dyZQNQ==";
};
```

Creating DNS zones


Copy this file to the clipboard, as we're now ready to configure our DNS zones, and the very first thing to put into the config file will be the contents of rndc.key. Open up named.conf.local for editing and make it look like this:

/etc/bind/named.conf.local

```
key "rndc-key" {
        algorithm hmac-md5;
        secret "HFQYu0RsxJ/DJb3dyZQNQ==";
};

zone "bigdinosaur.org" {
        type master;
        file "/var/lib/bind/bigdinosaur.org.hosts";
        allow-update { key rndc-key; };
};

zone "10.10.10.in-addr.arpa" {
        type master;
        file "/var/lib/bind/10.10.10.rev";
        allow-update { key rndc-key; };
};

zone "facebook.com" {
        type master;
        file "/var/lib/bind/dummy-block";
};
```


This defines the three zones we need. The first zone is my forward lookup zone for Bigdinosaur.org, and the entry tells the DNS server that the IP addresses for all host names ending in bigdinosaur.org can be found in the file /var/lib/bind/bigdinosaur.org.hosts. The second zone is the reverse lookup zone for the 10.10.10.0/24 RFC 1918 netblock, and tells the DNS server that the host names for all IP addresses between 10.10.10.0 and 10.10.10.255 can be found in the file /var/lib/bind/10.10.10.rev. The third zone is for *.facebook.com, and tells the DNS server that any hostnames ending in facebook.com can be found in /var/lib/bind/dummy-block.

Dynamic updates of the forward and reverse zones are controlled by the allow-update line. This line says that a DHCP server which presents a key matching the one defined by the key section is allowed to make modifications to that zone. Here, we're allowing the DHCP server (which we'll also configure with the same key) to update the Bigdinosaur.org forward lookup zone and also the 10.10.10.0/24 reverse lookup zone. We don't need the server to be able to update the dummy Facebook zone, since we won't be assigning out any DHCP addresses to that zone.

Alternately, instead of cutting and pasting in the contents of rndc.key, you can simply add an include line for it, like this:

```
include "/etc/bind/rndc.key";
```

The generated key file is automatically set to be owned by and only readable by the bind user, so using an include statement instead of actually having the key block in named.conf.local is more secure. However, this is just a home DNS server, so it's not really necessary.

DNS zone population


Now that the zones have been created, we'll need to populate them with basic data, as well as the IP addresses and network names of any statically-addressed hosts on the network. Don't worry about filling in the names for any DHCP-assigned hosts, as the dynamic update setting we've just finished with will take care of allowing DHCP to add in its own hosts without you having to deal with it. The first file we need to modify is the forward lookup zone definition, which we defined a moment ago to be /var/lib/bind/bigdinosaur.org.hosts:

/var/lib/bind/bigdinosaur.org.hosts

```
; This line indicates that the object we're configuring below (in this case,
; bigdinosaur.org) has its origin at the "." domain. "." is the root domain
; from which all the TLDs branch.
$ORIGIN .

; Next line defines the DNS time-to-live setting
$TTL 907200     ; 1 week 3 days 12 hours

; The next set of lines are the "Start of Authority" record and define important
; info about the domain. In my case, we're defining bigdinosaur.org and saying
; that dnsserver.bigdinosaur.org is its source host, and webmaster@bigdinosaur.org
; is the domain maintainer. For the email address, we use a dot instead of an @.
; The lines after that define the zone serial number, which is used to keep track
; of when the zone file was modified, and then some interval definitions which
; you can leave as default.
bigdinosaur.org         IN SOA  dnsserver.bigdinosaur.org. webmaster.bigdinosaur.org. (
                                1263527838 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                38400      ; minimum (10 hours 40 minutes)
                                )

; Next, we define the hosts necessary to make the domain function. First, we add
; an "NS Record" to define the domain's name server...
                        NS      dnsserver.bigdinosaur.org.

; ...then an "A Record" for the domain server's IP address...
                        A       10.10.10.10

; ...and finally "MX Records" so that email for the domain's email addresses
; goes to the right place. Since my domain is registered through Google Apps,
; this info was all provided by Google.
                        MX      10 aspmx.l.google.com.
                        MX      20 alt1.aspmx.l.google.com.
                        MX      20 alt2.aspmx.l.google.com.
                        MX      30 aspmx2.googlemail.com.
                        MX      30 aspmx3.googlemail.com.
                        MX      30 aspmx4.googlemail.com.
                        MX      30 aspmx5.googlemail.com.
;
; NOTE THE TRAILING PERIODS. THEY ARE EXTREMELY IMPORTANT.
;
;
; Now we're ready to begin adding hosts, but first we need another origin
; statement to indicate that the hosts added below originate not from ".", like
; the domain itself; rather, they originate from "bigdinosaur.org".
;
$ORIGIN bigdinosaur.org.
;
; Again, NOTE THE TRAILING PERIOD.
; Now we add A records for the non-DHCP hosts in the domain:
server_1                A       10.10.10.21
server_2                A       10.10.10.22
server_3                A       10.10.10.23
...
```

As indicated above, the first part of the file defines basic info about the zone, and the second part defines the hosts. Each statically-addressed host gets an A record so that the server knows how to correlate its name with its IP address.

Now that the forward zone is built, we need to build the reverse zone, so that we can correlate IP addresses back to names, just like a reverse phonebook. The reverse zone we defined earlier is located at /var/lib/bind/10.10.10.rev, and should look something like this:

/var/lib/bind/10.10.10.rev

```
; Again, we have an origin record and a TTL entry...
$ORIGIN .
$TTL 907200     ; 1 week 3 days 12 hours

; ...but note the name of the reverse domain: "10.10.10.in-addr.arpa". This is a
; special name format used only by reverse lookup domains.
10.10.10.in-addr.arpa   IN SOA  dnsserver.bigdinosaur.org. webmaster.bigdinosaur.org. (
                                1263187356 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                38400      ; minimum (10 hours 40 minutes)
                                )
                        NS      dnsserver.bigdinosaur.org.
;
; Just like above, we now set our origin away from "." to the actual domain name,
; which is "10.10.10.in-addr.arpa", and then we add records. However, this time,
; we're adding "PTR records", or pointer records.
$ORIGIN 10.10.10.in-addr.arpa.
21                      PTR     server_1.bigdinosaur.org.
22                      PTR     server_2.bigdinosaur.org.
23                      PTR     server_3.bigdinosaur.org.
...
```
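The reverse zone above is easy to get wrong by hand because the octets of the network are written backwards and every PTR target needs its trailing period; the 10.10.10.0/24 example hides the reversal because all its octets are equal. The following Python script is an added example, not code from the original post: it derives the in-addr.arpa zone name and the PTR owner names for a /8, /16 or /24 and renders a zone file laid out like the one above (dnsserver/webmaster/example.org names and the serial are constructed for the example).

```python
import ipaddress


def reverse_zone_name(cidr):
    """in-addr.arpa zone name (with trailing dot) for an IPv4 /8, /16 or /24.

    The network octets are emitted in reverse order, e.g. 192.168.1.0/24
    becomes 1.168.192.in-addr.arpa. (the 10.10.10.0/24 case looks unchanged).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned IPv4 reverse zones (/8, /16, /24) are handled here")
    kept = net.prefixlen // 8                        # octets that belong to the zone name
    octets = str(net.network_address).split(".")[:kept]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_owner(ip, cidr):
    """Owner name of ip's PTR record, relative to $ORIGIN <reverse zone>."""
    net = ipaddress.ip_network(cidr, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is outside {cidr}")
    kept = net.prefixlen // 8
    host_octets = str(addr).split(".")[kept:]        # the octets not covered by the zone
    return ".".join(reversed(host_octets))           # "21" for a /24, "9.5" for a /16


def fqdn(name):
    """Make a name absolute: the trailing period the tutorial warns about."""
    return name if name.endswith(".") else name + "."


def build_reverse_zone(cidr, hosts, ns, contact, serial, ttl=907200):
    """Render a reverse zone file in the layout of /var/lib/bind/10.10.10.rev.

    hosts maps IP address -> host name; ns and contact are the SOA MNAME/RNAME.
    Timers are the ones used in the tutorial's zone files.
    """
    zone = reverse_zone_name(cidr)
    lines = [
        "$ORIGIN .",
        f"$TTL {ttl}",
        f"{zone.rstrip('.'):<32}IN SOA  {fqdn(ns)} {fqdn(contact)} (",
        f"{'':<32}{serial} ; serial",
        f"{'':<32}10800 ; refresh (3 hours)",
        f"{'':<32}3600 ; retry (1 hour)",
        f"{'':<32}604800 ; expire (1 week)",
        f"{'':<32}38400 ; minimum (10 hours 40 minutes)",
        f"{'':<32})",
        f"{'':<32}NS      {fqdn(ns)}",
        f"$ORIGIN {zone}",
    ]
    for ip in sorted(hosts, key=ipaddress.ip_address):
        lines.append(f"{ptr_owner(ip, cidr):<8}PTR     {fqdn(hosts[ip])}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: a /24 whose reversal is visible, and a mix of names
    # with and without the trailing period.
    sample_hosts = {"192.168.1.22": "server_2.example.org",
                    "192.168.1.21": "server_1.example.org."}
    print(build_reverse_zone("192.168.1.0/24", sample_hosts,
                             "dnsserver.example.org", "webmaster.example.org", 2012012101))
```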

The thing to notice about the reverse zone is the name of the domain we're working with: 10.10.10.in-addr.arpa. The .arpa domain is a legacy domain from the early days of the Internet; in-addr.arpa is used as the domain for reverse lookups for historical reasons, because DNS reverse lookups use a method codified back when .arpa was actually a working domain.

The very last zone to define is our dummy zone, which we use to blackhole all Facebook.com DNS lookups. This file is defined at /var/lib/bind/dummy-block:

/var/lib/bind/dummy-block

```
$TTL 24h

@   IN SOA  dnsserver.bigdinosaur.org. webmaster.bigdinosaur.org. (
            2003052800 86400 300 604800 3600 )

@   IN NS   dnsserver.bigdinosaur.org.
@   IN A    127.0.0.1
*   IN A    127.0.0.1
```

This file's structure is much simpler and adds an A record to return an IP address of 127.0.0.1 for all host name lookups it services. To make all of our changes in all of the above files active, restart the DNS service with sudo /etc/init.d/bind9 restart.

Configuring DHCP
Our DHCP configuration touches only one file, but has a big chunk of options we need to set for dynamic updating to work; additionally, there are some decisions to be made about how and to which hosts addresses should be distributed. We'll be modifying /etc/dhcp/dhcpd.conf, which contains all the configuration settings for the DHCP server. The file is organized into four sections: configuration directives, the DNS zones we're allowed to update, the DHCP scope definition and scope-specific configuration directives, and DHCP groups; we'll tackle them one at a time.

A cautionary note: pay extremely close attention to syntax, especially punctuation. Many of the options, particularly in the second, third, and fourth sections, are very similar to some of the lines from the DNS configuration, but very similar is not exactly alike. Cut and paste with caution: when I was originally setting this all up, I ran into a problem which had me banging my head against the wall for almost a full hour, and which all ended up coming back to a single misplaced period. Don't be me: carefully double-check your syntax!

Global options
Here's the option block in my dhcpd.conf:

/etc/dhcp/dhcpd.conf

```
ddns-updates on;
ddns-update-style interim;
update-static-leases on;
authoritative;
key rndc-key { algorithm hmac-md5; secret HFQYu0RsxJ/DJb3dyZQNQ==; }
allow unknown-clients;
use-host-decl-names on;
default-lease-time 1814400;   # 21 days
max-lease-time 1814400;       # 21 days
log-facility local7;
```

And, line by line, here's what we're doing:

ddns-updates on;
    This line enables global dynamic updating. You can also set this per-scope, in case you wanted some scopes to be able to do updating and not others, but since in this example we'll only configure one scope, we can make the option global.

ddns-update-style interim;
    Sets the style of dynamic updating. It can be interim, which is what we want; off, which disables dynamic updating; or ad-hoc, which refers to a deprecated dynamic update style and shouldn't be used.

update-static-leases on;
    Tells the DHCP server to do DNS updates even for clients with static leases; that is, clients who receive a DHCP address that you specifically assign them based on MAC address. We're going to define a few static leases further down, and this option is useful in that it saves you from having to manually update DNS entries for those clients if you ever want to change their addresses.

authoritative;
    Tells the DHCP server that it is to act as the one true DHCP server for the scopes it's configured to understand, by sending out DHCPNAK (DHCP no-acknowledge) packets to misconfigured DHCP clients. You always want authoritative set if this is your only DHCP server; without it, the server won't tell misconfigured clients that they're misconfigured, and some clients might not get IP addresses immediately on requesting them.

key rndc-key
    Here's where we put the key we generated during the DNS configuration section earlier. This sets rndc-key as a key variable so that when we define our DHCP scope (or scopes), we can reference just the name of the key instead of having to have the whole thing in each scope statement.

allow unknown-clients;
    Tells the DHCP server to assign addresses to clients without static host declarations, which is almost certainly something you want to do. Otherwise, only clients you've manually given addresses to later in the file will get DHCP assignments.

use-host-decl-names on;
    Tells the DHCP server to tell static-mapped clients what their hostname is via the hostname option inside the DHCP response. This is a legacy option that I've left on because in some cases it can simplify your DHCP server configuration; most clients ignore the hostname option entirely.

default-lease-time and max-lease-time
    Set how long the DHCP leases are good for. This is the maximum time a client will go before it asks for a new address. This option can be set longer or shorter to taste; for a small home LAN, it doesn't make much difference what it's set to.

log-facility local7;
    Sets debug logging. We want this at least at first because it will help identify any DHCP config problems. After things are verified good, we can scale this back to local2.

DNS zones
The next section of the file defines the DNS forward and reverse zones inside of which our DHCP server will be operating, as well as the key that we'll have to use to do dynamic updating in those zones. Here we'll be using the information we established earlier in the DNS configuration portion of this entry.

/etc/dhcp/dhcpd.conf (cont)

```
...
# Bigdino DNS zones
zone bigdinosaur.org. {
        primary localhost;  # This server is the primary DNS server for the zone
        key rndc-key;       # Use the key we defined earlier for dynamic updates
}
zone 10.10.10.in-addr.arpa. {
        primary localhost;  # This server is the primary DNS server for the zone
        key rndc-key;       # Use the key we defined earlier for dynamic updates
}
```
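Since a mismatched secret or a single missing period in these zone statements is exactly the kind of failure the cautionary note above describes, here is an added Python checker, not part of the original post, that parses the key and zone statements out of both files and reports where they disagree. The two sample configurations are constructed for the example with a placeholder secret, and the parser handles only the syntax shown on this page, not the full BIND or dhcpd grammar.

```python
import base64
import binascii
import re

# Patterns for the statements used in this tutorial (quotes are optional so the
# same pattern reads BIND's  key "rndc-key" { ... };  and dhcpd's  key rndc-key { ... }).
KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w.-]+)\s*;'
                    r'\s*secret\s+"?([^";\s]+)"?\s*;\s*\}')
ZONE_RE = re.compile(r'\bzone\s+"?([^"\s{]+)"?\s*\{')
ZONE_KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*;')


def strip_comments(text):
    """Drop '#' and '//' line comments (naive: a '//' inside a quoted value would be cut too)."""
    return re.sub(r'(#|//).*', '', text)


def block_at(text, open_idx):
    """Text between the '{' at open_idx and its matching '}' (nested braces allowed)."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces")


def parse_key(text):
    m = KEY_RE.search(text)
    return None if m is None else {"name": m.group(1), "algorithm": m.group(2), "secret": m.group(3)}


def parse_zones(text):
    """zone name -> body, for both  zone "x" {  (BIND) and  zone x. {  (dhcpd)."""
    return {m.group(1): block_at(text, m.end() - 1) for m in ZONE_RE.finditer(text)}


def allow_update_keys(zone_body):
    keys = set()
    for inner in re.findall(r'allow-update\s*\{([^}]*)\}', zone_body):
        keys.update(ZONE_KEY_RE.findall(inner))
    return keys


def check_ddns_config(named_local, dhcpd_conf):
    """Return a list of problems; an empty list means the two files agree."""
    named_local, dhcpd_conf = strip_comments(named_local), strip_comments(dhcpd_conf)
    problems = []
    bind_key, dhcp_key = parse_key(named_local), parse_key(dhcpd_conf)
    if bind_key is None:
        problems.append("no key statement in named.conf.local")
    if dhcp_key is None:
        problems.append("no key statement in dhcpd.conf")
    if problems:
        return problems
    if bind_key["name"] != dhcp_key["name"]:
        problems.append(f"key name differs: {bind_key['name']!r} vs {dhcp_key['name']!r}")
    if bind_key["algorithm"].lower() != dhcp_key["algorithm"].lower():
        problems.append("key algorithm differs between the two files")
    if bind_key["secret"] != dhcp_key["secret"]:
        problems.append("key secret differs between named.conf.local and dhcpd.conf")
    for label, key in (("named.conf.local", bind_key), ("dhcpd.conf", dhcp_key)):
        try:
            base64.b64decode(key["secret"], validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"secret in {label} is not valid base64")
    # Every zone dhcpd will update must be absolute (trailing dot), reference the
    # shared key, and be a BIND zone whose allow-update lists that key.
    bind_zones = {name: allow_update_keys(body) for name, body in parse_zones(named_local).items()}
    for name, body in parse_zones(dhcpd_conf).items():
        if not name.endswith("."):
            problems.append(f"dhcpd zone {name!r} is missing its trailing dot")
        m = ZONE_KEY_RE.search(body)
        zone_key = m.group(1) if m else None
        if zone_key != dhcp_key["name"]:
            problems.append(f"dhcpd zone {name!r} uses key {zone_key!r}, expected {dhcp_key['name']!r}")
        if zone_key not in bind_zones.get(name.rstrip("."), set()):
            problems.append(f"BIND zone {name.rstrip('.')!r} does not allow-update with key {zone_key!r}")
    return problems


# Constructed samples; the secret is a placeholder, not a real key.
GOOD_NAMED = '''
key "rndc-key" {
        algorithm hmac-md5;
        secret "REPLACE+WITH+REAL+SECRET";   // placeholder
};
zone "bigdinosaur.org" {
        type master;
        file "/var/lib/bind/bigdinosaur.org.hosts";
        allow-update { key rndc-key; };
};
zone "10.10.10.in-addr.arpa" {
        type master;
        file "/var/lib/bind/10.10.10.rev";
        allow-update { key rndc-key; };
};
'''
GOOD_DHCPD = '''
ddns-update-style interim;
key rndc-key { algorithm hmac-md5; secret REPLACE+WITH+REAL+SECRET; }
zone bigdinosaur.org. {
        primary localhost;  # This server is the primary DNS server for the zone
        key rndc-key;
}
zone 10.10.10.in-addr.arpa. {
        primary localhost;
        key rndc-key;
}
'''
BAD_DHCPD = '''
key rndc-key { algorithm hmac-md5; secret REPLACE+WITH+OTHER+KEY12; }
zone 10.10.10.in-addr.arpa {
        primary localhost;
        key rndc-key;
}
'''
```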

DHCP scope
Now we define our DHCP scope. A scope in DHCP terminology is a chunk of your network which will be assigned dynamic IP addresses and DHCP configuration options out of the same bucket. If you had two different blocks of network addresses, say, one for wireless clients and one for wired, you'd build two scopes. Here, we're only going to construct one, and set some scope-specific configuration options on it:

/etc/dhcp/dhcpd.conf (cont)

```
...
# Bigdino LAN scope
subnet 10.10.10.0 netmask 255.255.255.0 {
        range 10.10.10.200 10.10.10.250;
        option subnet-mask 255.255.255.0;
        option routers 10.10.10.1;
        option domain-name-servers 10.10.10.3;
        option domain-name "bigdinosaur.org";
        ddns-domainname "bigdinosaur.org.";
        ddns-rev-domainname "in-addr.arpa.";
}
```

The scope declaration begins with the address pool and subnet mask inside of which all DHCP-able addresses are located (the subnet line), and then defines a specific range of dynamic addresses it is allowed to hand out. Note that my range is included in, but doesn't take up all of, the declared subnet; the range setting defines the addresses that will be handed out to unknown clients, like your buddy's iPhone when he comes over. In the final section of the config file we're going to define some static hosts, and those hosts will get addresses inside the scope, but outside of the unknown-client range.

The lines beginning with option control information sent out inside the initial DHCP responses from the server to clients. In order, I'm defining the subnet mask clients get, the network gateway (router) they get, the DNS server they get, and the domain name suffix they are told to apply to their hostnames. Finally, the last two lines tell the DHCP server which DNS forward and reverse zone names to update when clients get addresses. One thing to note is that the ddns-rev-domainname is simply set to in-addr.arpa. instead of the full name of the reverse zone; this is okay, because the DHCP server is smart enough to figure out what the reverse zone's full name is based on the addresses it's handing out.

Static hosts
The last section is where we define our static DHCP hosts. This is different from hosts with true static IP addresses, because static IP addresses are set on the client side, whereas statically-assigned DHCP addresses are set here, in the server's configuration file. Statically-assigned DHCP addresses are handy if you want some hosts to always have the same IP address, but don't want to have to sit down at each host and enter its address information manually. Plus, if the name of the DNS server or any of the domain info ever changes, you can update it at the DHCP server instead of having to track down each of the hosts. I statically assign all of my LAN hosts, and then leave the DHCP server to hand out addresses from its pool to other unknown devices (buddies' laptops and phones when they come over, mainly).

/etc/dhcp/dhcpd.conf (cont)

```
# Bigdinosaur.org group
group {
        # Host number one
        host firstlanhost.bigdinosaur.org {
                hardware ethernet 00:00:00:00:00:01;
                fixed-address 10.10.10.101;
                ddns-hostname "firstlanhost";
        }
        # Host number two
        host secondlanhost.bigdinosaur.org {
                hardware ethernet 00:00:00:00:00:02;
                fixed-address 10.10.10.102;
                ddns-hostname "secondlanhost";
        }
        # Host number three
        host thirdlanhost.bigdinosaur.org {
                hardware ethernet 00:00:00:00:00:03;
                fixed-address 10.10.10.103;
                ddns-hostname "thirdlanhost";
        }
        ...
}
```

The host declarations are pretty easy to follow: you define the fully-qualified domain name of the host, followed by the MAC address (which is how the DHCP server identifies the host), the address you want the host to receive, and the name that the DHCP server will use in its dynamic update call back to the DNS server.

Bringing it all together


After a whole lot of configuration work, we're ready to try it out. Bounce both the DNS and DHCP services:

```
$ sudo /etc/init.d/bind9 restart
$ sudo /etc/init.d/isc-dhcp-server restart
```

Then, have one of your LAN boxes try to grab an IP address. Tail the syslog file to watch the process as it moves along:

```
$ tail -f /var/log/syslog
Jan 21 12:14:35 dnsserver dhcpd: DHCPREQUEST for 10.211.55.4 from 00:1c:42:0f:bc:a4 via eth0: wrong network.
Jan 21 12:14:35 dnsserver dhcpd: DHCPNAK on 10.211.55.4 to 00:1c:42:0f:bc:a4 via eth0
Jan 21 12:14:35 dnsserver dhcpd: DHCPDISCOVER from 00:1c:42:0f:bc:a4 via eth0
Jan 21 12:14:35 dnsserver dhcpd: DHCPOFFER on 10.10.10.234 to 00:1c:42:0f:bc:a4 (oneiricvm-vm) via eth0
Jan 21 12:14:35 dnsserver named[1567]: client 127.0.0.1#43995: signer "rndc-key" approved
Jan 21 12:14:35 dnsserver named[1567]: client 127.0.0.1#43995: updating zone 'bigdinosaur.org/IN': adding an RR at 'oneiricvm-vm.bigd
Jan 21 12:14:35 dnsserver named[1567]: client 127.0.0.1#43995: updating zone 'bigdinosaur.org/IN': adding an RR at 'oneiricvm-vm.bigd
Jan 21 12:14:36 dnsserver dhcpd: Added new forward map from oneiricvm-vm.bigdinosaur.org. to 10.10.10.234
Jan 21 12:14:36 dnsserver named[1567]: client 127.0.0.1#52501: signer "rndc-key" approved
Jan 21 12:14:36 dnsserver named[1567]: client 127.0.0.1#52501: updating zone '10.10.10.in-addr.arpa/IN': deleting rrset at '234.10.10
Jan 21 12:14:36 dnsserver named[1567]: client 127.0.0.1#52501: updating zone '10.10.10.in-addr.arpa/IN': adding an RR at '234.10.10.1
Jan 21 12:14:36 dnsserver dhcpd: added reverse map from 234.10.10.10.in-addr.arpa. to oneiricvm-vm.bigdinosaur.org.
Jan 21 12:14:36 dnsserver dhcpd: DHCPREQUEST for 10.10.10.234 (10.10.10.3) from 00:1c:42:0f:bc:a4 (oneiricvm-vm) via eth0
Jan 21 12:14:36 dnsserver dhcpd: DHCPACK on 10.10.10.234 to 00:1c:42:0f:bc:a4 (oneiricvm-vm) via eth0
```

I started up a new Ubuntu virtual machine with its networking set to bridged so that it would behave like a real LAN host. The VM had previously been set to shared networking, meaning Parallels (the VM software I'm using) used NAT behind my host computer's LAN IP address. So the first thing that happens here is that the virtual machine requests the old NATed address Parallels had been giving it. But our DHCP server knows it's authoritative and can say no, so it replies with a DHCPNAK packet, telling the client that the address it's requesting is invalid for this network. Without the authoritative directive we set above, the client would sit there and stubbornly re-request its old address until its DHCP lease expired, which could take days or months. Next, having been told its address is invalid, the client sends out a DHCPDISCOVER packet, which the DHCP server sees and answers with a DHCPOFFER of an IP address out of its range of assignable addresses. The next step is where the work we did above with dynamic updating will either succeed or fail. The DHCP server reaches out to the DNS server (referred to in the log as named, the name server daemon) and presents its credentials in the form of our rndc-key crypto hash. The DNS server finds it valid and approves, and then makes two changes to the Bigdinosaur.org forward lookup zone: it adds an A record for oneiricvm-vm.bigdinosaur.org, and then it adds a TXT record right below it. The A record is used for forward DNS lookups, and the TXT record contains a signature from the DHCP server so that both the DNS and DHCP servers know the DHCP server was responsible for creating this entry. The DHCP server won't modify A records that lack a corresponding TXT record with its signature. The DHCP server then acknowledges in the log that it has successfully added records for our VM to the forward lookup zone. Then the reverse map is added.
Once again, the DNS server validates the DHCP server's update key; the DHCP server then locates the previous PTR record for that IP address, deletes it, adds a new PTR record for our VM, and acknowledges that it has made the change. With that work completed, and the client having been told via DHCPOFFER that it's allowed to request a valid address, the client sends a formal DHCPREQUEST packet asking to be assigned the address. At the very last step, the DHCP server acknowledges the address's assignment to the VM with a DHCPACK packet. We've done it! The listing will look a little different for static-mapped hosts or for hosts that are merely refreshing their leases, but at every step you should see this interplay between the DNS and DHCP servers in the log.
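As an added example (not code from the original post), here is a small Python audit of the interplay just described: it reads dhcpd/named syslog lines, pairs every DHCPACK with the forward and reverse update messages for that address, and flags leases whose dynamic update never completed, including the SERVFAIL and "signer denied" failures that readers report in the comments. The log excerpt, hostnames, MAC addresses and IPs below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog excerpt modelled on the dhcpd/named interplay
# described above: one lease that gets both DDNS records, then one whose
# forward update is refused. Hostnames, MACs and addresses are made up.
SAMPLE_LOG = """\
Jan 21 12:14:35 dnsserver dhcpd: DHCPDISCOVER from 00:1c:42:0f:bc:a4 via eth0
Jan 21 12:14:36 dnsserver dhcpd: DHCPOFFER on 10.10.10.234 to 00:1c:42:0f:bc:a4 (oneiricvm-vm) via eth0
Jan 21 12:14:36 dnsserver dhcpd: Added new forward map from oneiricvm-vm.bigdinosaur.org. to 10.10.10.234
Jan 21 12:14:36 dnsserver dhcpd: added reverse map from 234.10.10.10.in-addr.arpa. to oneiricvm-vm.bigdinosaur.org.
Jan 21 12:14:36 dnsserver dhcpd: DHCPREQUEST for 10.10.10.234 (10.10.10.3) from 00:1c:42:0f:bc:a4 (oneiricvm-vm) via eth0
Jan 21 12:14:36 dnsserver dhcpd: DHCPACK on 10.10.10.234 to 00:1c:42:0f:bc:a4 (oneiricvm-vm) via eth0
Jan 21 12:20:01 dnsserver named[1234]: client 10.10.10.3#51452: signer "rndc-key" denied
Jan 21 12:20:01 dnsserver dhcpd: Unable to add forward map from laptop.bigdinosaur.org. to 10.10.10.51: SERVFAIL
Jan 21 12:20:01 dnsserver dhcpd: DHCPACK on 10.10.10.51 to 00:1c:42:aa:bb:cc (laptop) via eth0
"""

ACK_RE = re.compile(r"dhcpd: DHCPACK on (\S+) to (\S+)")
FWD_OK_RE = re.compile(r"dhcpd: Added new forward map from (\S+) to (\S+)")
REV_OK_RE = re.compile(r"dhcpd: added reverse map from (\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\. to (\S+)")
FWD_FAIL_RE = re.compile(r"dhcpd: Unable to add forward map from (\S+) to (\S+): (\S+)")
DENIED_RE = re.compile(r'named\[\d+\]: client (\S+): signer "([^"]+)" denied')

def audit_ddns(log_text):
    """Pair every DHCPACK with the DDNS outcome logged for that address.

    Returns (leases, key_errors). leases maps IP -> {mac, forward, reverse, errors};
    key_errors holds named's refusals of the update key, which name no lease.
    """
    leases = defaultdict(lambda: {"mac": None, "forward": None, "reverse": None, "errors": []})
    key_errors = []
    for line in log_text.splitlines():
        if m := ACK_RE.search(line):
            leases[m.group(1)]["mac"] = m.group(2)
        elif m := FWD_OK_RE.search(line):
            leases[m.group(2)]["forward"] = m.group(1)
        elif m := REV_OK_RE.search(line):
            # the PTR owner name lists the octets reversed; turn it back into the IP
            leases[".".join(m.group(4, 3, 2, 1))]["reverse"] = m.group(5)
        elif m := FWD_FAIL_RE.search(line):
            leases[m.group(2)]["errors"].append(f"forward map for {m.group(1)}: {m.group(3)}")
        elif m := DENIED_RE.search(line):
            key_errors.append(f"{m.group(1)} tried to update with key {m.group(2)!r} and was denied")
    return dict(leases), key_errors

def incomplete_leases(leases):
    """IPs that were ACKed but never got both their forward (A/TXT) and reverse (PTR) records."""
    return sorted(ip for ip, l in leases.items() if l["mac"] and not (l["forward"] and l["reverse"]))
```

Run against a real /var/log/syslog, any IP listed by incomplete_leases is a host that got an address but will not resolve by name, and a non-empty key_errors list means the key in dhcpd.conf does not match what named was configured to accept.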

Summarizing

This has been a ridiculously long entry, but it has also given me an excellent opportunity to refresh my own memory of exactly what I did when I set this all up on my LAN last year. The key points to making the DNS and DHCP servers work together are the several dynamic update settings and the generation and exchange of the rndc key; all the other options can be tweaked to fit your own LAN.

Posted by Lee, 21 January 2012, in Ubuntu

Comments
Charles (5 months ago):
Thanks for such a complete and descriptive tutorial. Helped me set up everything as I wanted in one afternoon. My only comment is that your choice of local IP subnet (10.10.10.0) hides the fact that the 10.10.10.in-addr.arpa. is actually reversed.

Gordon Zaft (a day ago):
This is a great tutorial. You're missing a semicolon after this line, though: include "/etc/bind/rndc.key"

Curtis (a month ago):
This guide has filled many blanks for me. THANK YOU

ingo kueper (3 months ago):
This is an excellent guide. Easy to follow and structured. Thank you for your work!

nizx (5 months ago):
I love your guides and hope you can assist. After doing all the steps to the letter I ran into this problem: when restarting both services, the syslog prints dhcpd: Unable to add forward map from xxxx.mydomain.com. to 192.168.1.51: SERVFAIL

Any clues on how to work this out?

nizx (5 months ago), replying to nizx:
I actually solved it. The problem was in my zones file: when starting bind it reported an error related to dnsserver not having an A or AAAA record. I just manually added one and it worked like a charm. Great guide, thanks a lot for all your help.

Jimmy Ljungberg (7 months ago):
Thank you for writing such a detailed and informative tutorial.

zzeroo (7 months ago):
Absolutely great article!

Doublez13 (a year ago):
Hey, I wanted to thank you so much for this tutorial. I've been through like a million of these that have gotten me nowhere. Is there a specific reason why the zone files have to be in the var/lib/bind directory? I followed your tutorial almost exactly, but placed my zone files in the /etc/bind/ directory, and the DHCP4 and BIND9 would not sync. As soon as I moved them they started syncing up.

zzeroo (6 months ago), replying to Doublez13:
Hey Doublez13, you can put your zone files at any place you want, I like /etc/bind as well. But if you do so be sure that bind has write permission to that directory. I had to `chmod g+w /etc/bind` on my debian wheezy installation. Look at /var/log/syslog, there must be a hint :)

Patrick (a year ago):
Thanks for a brilliant article, very helpful; however, even after following it to the letter, I still get a 'signer "rndc-key" denied' which so far I have been unable to explain. Any hint appreciated!!!

Lee (Mod, a year ago), replying to Patrick:
If you're storing your key in a separate file and then referencing that file, check to make sure you don't have a permissions issue. If bind9 & dhcp are running with separate service accounts, both of those service accounts will need to be able to read the file, if you're using the same file for both. If you're not storing your key separately and instead you're including it in the conf files, then I'd check for typos. Make sure you're not missing a semicolon or a quote anywhere!

Samuel Kroslak (a year ago):
missing semicolon after "ddns-hostname "firstlanhost"" :) (just half-joking) awesome guide, I'm just digging into my LAN to set it up

Lee (Mod, a year ago), replying to Samuel Kroslak:
Whoops! When I was replacing my actual hostnames with those placeholders, apparently I deleted too much. Fixed :) Glad the guide was helpful. Took to small amount of head-on-desk frustration when I first got things set up, and so I wanted to make sure I had it all written down just in case I ever need to do it again! Cheers :)



About Me
My name is Lee and this is my blog. I frequently talk about poking around with Ubuntu Server and Nginx, and I play too much Minecraft. E-mail me at lee@bigdinosaur.org with questions or comments.


Copyright 2013 Bigdinosaur.org. Some rights reserved - Powered by Octopress on Nginx
