HowTo Configure DHCP and DNS Servers



From SIPfoundry sipx, The Open Source SIP PBX for Linux - Calivia



HowTo Configure Linux DHCP and DNS Servers on the sipX Host

The sipX system needs properly configured DHCP and DNS servers to operate. If such servers do not already exist in your network, you might want to run them on the same host as the sipX system. This page describes how to set up Linux DHCP and DNS servers on the sipX host so that they provide the required services to your network. Note that only one DHCP server can be authoritative per LAN segment.

Adding a mail server required for voicemail notification by email is described on this page: Configure sendmail for Email Notification of Voicemail.

This page initially is intended for Red Hat / Fedora users. We might add info for other distros later.

Note: SELinux has to be turned off for sipX, which means that the Fedora security policy for the named DNS server is turned off as well. You should therefore run named in a chroot jail, which is done in a later step on this page. Refer to man named.

You should not use the domain name "example.com" - you should register a real domain name; there are many ISPs and DNS providers that can help you with setting this up.


DHCP Server Configuration

Make sure the host on which you plan to install the DHCP and DNS servers has a fixed IP address as well as a properly assigned host and domain name. In this example we use example.com for the domain name (all configuration files below use that name) and sipx for the hostname.


File: /etc/hosts
A host that was assigned a fixed IP address:
127.0.0.1 localhost.localdomain localhost
192.168.5.145 sipx.example.com sipx

Pick a suitable private address range for your internal LAN (if you are not sure which ranges are private, use 192.168.1.x with a netmask of 255.255.255.0).


Installing the DHCP Server

We need the ISC DHCP server version 3, which is the default on FC4:

yum install dhcp

Configuring the DHCP Server

We configure the DHCP server for dynamic updating of the DNS server. The DHCP server has the ability to dynamically update the Domain Name System, and within the configuration files you define how the updates are to be made. These updates are RFC 2136 compliant, so any DNS server supporting RFC 2136 should be able to accept updates from the DHCP server. The advantage of this scheme is that when a new host is connected and obtains its IP address, its name is automatically inserted into DNS. For security reasons a shared key is required for the communication between the DHCP and DNS servers: the DNS server accepts only updates signed with that key. Refer to "man dhcpd.conf" for more information.


File: /etc/dhcpd.conf
authoritative;                  # No other DHCP servers on this subnet
ddns-update-style interim;      # Supported update method - see man dhcpd.conf
ignore client-updates;          # The server performs the forward update itself and ignores client-requested FQHNs

key rndckey {                                   # Key for DNS updates
    algorithm hmac-md5;                         # Must be the same algorithm as in /etc/rndc.key
    secret "JIjUPfT2GZZ172o5IdcK1Q==";          # Same as used for bind - see /etc/rndc.key
};

zone example.com. {                             # Forward zone to be updated (must match the zone name in named.conf)
    primary 127.0.0.1;
    key rndckey;
}

zone 5.168.192.in-addr.arpa. {                  # Reverse zone to be updated
    primary 127.0.0.1;
    key rndckey;
}

subnet 192.168.5.0 netmask 255.255.255.0 {

    range 192.168.5.200 192.168.5.250;
    default-lease-time 21600;
    max-lease-time 43200;

    option routers 192.168.5.1;                 # Default gateway
    option subnet-mask 255.255.255.0;
    option domain-name "example.com";
    option domain-name-servers 192.168.5.145;   # loopback address does not work here

    # option nis-domain "example.com";

    option time-offset -18000;                  # Eastern Standard Time
    option tftp-server-name "sipx.example.com"; # required for phones to pick up profiles

    option ntp-servers 192.168.5.145;
    # option netbios-name-servers 192.168.5.145;
    # option netbios-node-type 8;               # try WINS servers first, broadcast if necessary

    # Example for resource reservations:
    # host xyz {
    #     ddns-hostname "xyz";                  # hostname only, the domain-name is appended; use for hosts that do not send a hostname
    #     hardware ethernet 12:34:56:78:AB:CD;
    #     fixed-address 192.168.5.x;
    # }
}

Note: The key and the key file /etc/rndc.key are first generated with the rndc-confgen -a command (see DNS server configuration below). The key block (name, algorithm and secret) then has to be copied manually into /etc/dhcpd.conf.

Note: For further information refer to man dhcpd.conf.


Starting the DHCP Server

/sbin/service dhcpd start

Add to runlevels: chkconfig --level 235 dhcpd on. The leases database is in the file /var/lib/dhcp/dhcpd.leases.


DNS Server Configuration

The Linux DNS Server is called bind or named; we need version 9. It should already be installed on your system, which can be verified using rpm -q bind.

The following files need to be configured:

  • /etc/named.conf
  • /var/named/example.com.zone
  • /var/named/192.168.5.zone
  • /etc/resolv.conf
  • /etc/sysconfig/named

Generate Key required to exchange updates between DHCP and DNS

The tool rndc-confgen, using the -a option, auto-generates the necessary key as well as the configuration required by bind. It generates the /etc/rndc.conf and /etc/rndc.key files. The key still needs to be inserted manually into the DHCP configuration file /etc/dhcpd.conf.

rndc-confgen -a


File: Generated /etc/rndc.key file
key "rndckey" {
    algorithm hmac-md5;
    secret "JIjUPfT2GZZ172o5IdcK1Q==";
};
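Because the key block has to be copied by hand, an added check (not part of the sipX page, of BIND or of dhcpd) that parses the key statement from both files and reports anything that would make named reject dhcpd's updates: a missing block, a different algorithm, a different secret, or a secret that is not valid base64 or is shorter than the digest of the chosen algorithm. The sample texts are the two key blocks shown on this page; generate_key writes a fresh block in the same syntax, defaulting to hmac-sha256 because that is what current rndc-confgen -a produces and hmac-md5 is deprecated in current BIND releases.

```python
import base64
import binascii
import os
import re

# `key NAME { algorithm X; secret "Y"; };` has the same shape in rndc.key/named.conf and in dhcpd.conf;
# the name may or may not be quoted, and either file may carry trailing '#' or '//' comments.
COMMENT = re.compile(r"(^|\s)(#|//).*$", re.MULTILINE)
KEY_BLOCK = re.compile(
    r'key\s+"?(?P<name>[\w.-]+)"?\s*\{\s*algorithm\s+(?P<alg>[\w-]+)\s*;\s*secret\s+"(?P<secret>[^"]+)"\s*;\s*\}',
    re.IGNORECASE)
# Digest length in bytes for each TSIG algorithm; a secret shorter than this weakens the HMAC.
DIGEST_LEN = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
              "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}

# The two key blocks as they appear on this page (rndc.key first, then the dhcpd.conf copy with its comments).
SAMPLE_RNDC_KEY = 'key "rndckey" {\n\talgorithm hmac-md5;\n\tsecret "JIjUPfT2GZZ172o5IdcK1Q==";\n};\n'
SAMPLE_DHCPD = ('key rndckey { # Key for DNS updates\nalgorithm hmac-md5;\n'
                'secret "JIjUPfT2GZZ172o5IdcK1Q=="; # Same as used for bind - see /etc/rndc.key\n};\n')


def parse_keys(text):
    """Return {key name: (algorithm, base64 secret)} for every key block in a config file's text."""
    clean = COMMENT.sub(r"\1", text)
    return {m["name"]: (m["alg"].lower(), m["secret"]) for m in KEY_BLOCK.finditer(clean)}


def check_shared_key(rndc_text, dhcpd_text, keyname="rndckey"):
    """Problems that would stop named accepting dhcpd's updates; an empty list means the key is usable."""
    problems = []
    bind_key = parse_keys(rndc_text).get(keyname)
    dhcp_key = parse_keys(dhcpd_text).get(keyname)
    if bind_key is None:
        problems.append(f"key {keyname} missing from rndc.key/named.conf")
    if dhcp_key is None:
        problems.append(f"key {keyname} missing from dhcpd.conf")
    if bind_key and dhcp_key:
        if bind_key[0] != dhcp_key[0]:
            problems.append(f"algorithm differs: named has {bind_key[0]}, dhcpd has {dhcp_key[0]}")
        if bind_key[1] != dhcp_key[1]:
            problems.append("secret differs between the two files")
    if bind_key:
        alg, secret = bind_key
        try:
            raw = base64.b64decode(secret, validate=True)
        except (binascii.Error, ValueError):
            problems.append("secret is not valid base64")
        else:
            if alg not in DIGEST_LEN:
                problems.append(f"unknown TSIG algorithm {alg}")
            elif len(raw) < DIGEST_LEN[alg]:
                problems.append(f"secret is only {len(raw)} bytes, shorter than the {alg} digest")
    return problems


def generate_key(name="rndckey", algorithm="hmac-sha256"):
    """A fresh key block in rndc.key syntax, with a random secret as long as the algorithm's digest."""
    secret = base64.b64encode(os.urandom(DIGEST_LEN[algorithm])).decode("ascii")
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'


if __name__ == "__main__":
    print(check_shared_key(SAMPLE_RNDC_KEY, SAMPLE_DHCPD) or "page key blocks agree")
    print(generate_key())
```

Run it with the real files (for example open("/etc/rndc.key").read() and open("/etc/dhcpd.conf").read()) after every key rotation; an empty result is the condition for the "signer approved" messages shown in the logging section later on this page.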

The /etc/named.conf File

The following two sections were added automatically when running the rndc-confgen -a command:

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
include "/etc/rndc.key";

The following two zone definitions were added manually:

zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { key "rndckey"; };
    notify yes;
};
zone "5.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.5.zone";
    allow-update { key "rndckey"; };
    notify yes;
};

Optional: DNS Security

There are many ways to restrict access to the DNS resources on your LAN. The following are some simple mechanisms.


File: Additions to /etc/named.conf
// restrict access: the acl has to be defined before it is used
acl "trusted-subnet" { 192.168.5.0/24; };

// put these inside the existing options { ... } block (named.conf allows only one):
options {
    allow-transfer { none; };                        // prevent zone transfers
    allow-query { localhost; "trusted-subnet"; };    // answer only this host and the LAN
};

The /var/named/example.com.zone File

;
; Zone file for example.com
;

$TTL 3D
@               IN SOA  ns1.example.com. root.example.com. (
                200602132   ; serial#
                3600        ; refresh, seconds
                3600        ; retry, seconds
                3600        ; expire, seconds
                3600 )      ; minimum TTL, seconds

                NS      ns1.example.com.    ; Inet Address of nameserver (leading whitespace: owner is still @)
example.com.    MX 10   mail                ; Primary Mail Exchanger
;
localhost       A       127.0.0.1
sipx            A       192.168.5.145       ; Record of class IN by default

_sip._udp       SRV     100 1 5060 sipx
_sip._tcp       SRV     200 1 5060 sipx
_sips._tcp      SRV     300 1 5060 sipx

ns1             A       192.168.5.145       ; NS and MX targets must be A records, not CNAMEs
mail            A       192.168.5.145

Note: If a name (hostname or domain name) ends with a period "." nothing is appended. If there is no trailing period, the domain name of the current zone is appended automatically.


The /var/named/192.168.5.zone File

;
; Reverse zone file for example.com
;

$TTL 3D
@               IN SOA  ns1.example.com. root.example.com. (
                200602132   ; serial#
                3600        ; refresh, seconds
                3600        ; retry, seconds
                3600        ; expire, seconds
                3600 )      ; minimum TTL, seconds

                NS      ns1.example.com.    ; Inet Address of nameserver (leading whitespace: owner is still @)
;
1               PTR     localhost.
145             PTR     sipx.example.com.

; Don't specify any reverse pointer records for addresses in the
; DHCP range. Dynamic updates will define those as necessary.

Change Zone File Ownership

In order for the named server to be able to update the zone files as it receives dynamic update requests from the DHCP server, it has to have write permission for all the zone files. If you created your zone files as root, change their ownership as follows:

cd /var/named
chown named:named *

Enable named to write Zone Files

If SELinux is disabled (required for sipX), then allow named to write its zone files and create files in its $ROOTDIR/var/named directory; this is necessary for dynamic updates (DDNS) and slave zone transfers.


File: /etc/sysconfig/named
# This line needs to be added 
ENABLE_ZONE_WRITE=yes
# This line enables the chroot and was configured automatically
ROOTDIR=/var/named/chroot

The /etc/resolv.conf File

search example.com
nameserver 127.0.0.1

Starting the DNS Server

/sbin/service named start

Add to runlevels: chkconfig --level 235 named on.


Important note: Editing the Zone files while dynamic updates are active

When dynamic update is enabled for a zone, the zone can no longer be manually edited as normal. Attempting to do so may work in some cases, but will usually result in a name server error.

The DNS server keeps a journal (.jnl) file of incoming updates. The file is not automatically synchronized with the zone file, but this can be forced with the "rndc stop" command. Extreme care has to be exercised when manually updating a zone subject to dynamic updates.

When using BIND 9.3 or later, the following procedure can be used instead, which does not require that named be stopped (later BIND versions also accept rndc thaw as the name of the last command):

  1. rndc freeze example.com
  2. edit the zone
  3. rndc unfreeze example.com

Remember to increment the serial number in the zone file as you make changes.
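An added helper for the edit step between freeze and unfreeze (not from the sipX page or from BIND): it increments the serial in a zone file of the shape shown above and checks the result with RFC 1982 serial arithmetic, so the new value is really "greater" even when the 32-bit counter wraps. The optional date-based form (YYYYMMDDnn) is a common convention, not something this page prescribes; the sample zone text is the header of the page's example.com zone.

```python
import re

SERIAL_MODULUS = 2 ** 32   # SOA serials are 32-bit and compared with RFC 1982 sequence arithmetic

# The serial is the first integer after the opening parenthesis of the SOA record, which is
# where both zone files on this page keep it (multi-line SOA, ';' comments after each value).
SOA_SERIAL = re.compile(r"(\bSOA\b[^(]*\(\s*(?:;[^\n]*\n\s*)*)(\d+)")

# Constructed sample: the SOA header of the page's example.com zone.
SAMPLE_ZONE = """\
$TTL 3D
@               IN SOA  ns1.example.com. root.example.com. (
                200602132   ; serial#
                3600        ; refresh, seconds
                3600        ; retry, seconds
                3600        ; expire, seconds
                3600 )      ; minimum TTL, seconds

                NS      ns1.example.com.
sipx            A       192.168.5.145
"""


def serial_newer(a, b):
    """RFC 1982: is serial a 'greater than' serial b? Handles wrap-around at 2^32."""
    if a == b:
        return False
    half = SERIAL_MODULUS // 2
    return (a > b and a - b < half) or (a < b and b - a > half)


def next_serial(old, today=None):
    """Next serial value. With today='YYYYMMDD' the YYYYMMDDnn convention is used when that is
    still an increase over the old value; otherwise (or with today=None) one is added, wrapping at 2^32."""
    candidate = (old + 1) % SERIAL_MODULUS
    if today is not None:
        day = int(today)
        dated = day * 100 if old // 100 != day else old + 1   # first edit of the day, or the next one
        if dated < SERIAL_MODULUS and serial_newer(dated, old):
            candidate = dated
    return candidate


def bump_serial(zone_text, today=None):
    """Return (new_zone_text, old_serial, new_serial); raises ValueError if there is no SOA serial."""
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    old = int(m.group(2))
    new = next_serial(old, today)
    assert serial_newer(new, old), "new serial would not be seen as an increase"
    return zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):], old, new


if __name__ == "__main__":
    text, old, new = bump_serial(SAMPLE_ZONE)
    print(f"serial {old} -> {new}")
    print(text)
```

Used on the real file it would be: read the zone file, call bump_serial on its text together with your edits, write it back, then rndc unfreeze; the assert inside bump_serial is the check that the secondary servers (and named itself) will treat the new serial as newer.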


Install the chroot Jail to run named in a Secure Environment

yum install bind-chroot

The bind-chroot RPM installs the necessary directory tree in /var/named/chroot and copies all the necessary configuration files from your existing non-chroot installation. The old files in /etc and /var/named are automatically replaced with symbolic links to the new locations.

Make sure that going forward you edit the configuration files in the chroot jail:

  • /etc/named.conf -> /var/named/chroot/etc/named.conf
  • /etc/rndc.conf -> /var/named/chroot/etc/rndc.conf
  • /etc/rndc.key -> /var/named/chroot/etc/rndc.key
  • /var/named/* -> /var/named/chroot/var/named/*

Starting named now should start it in the chroot environment. This can be verified by issuing ps aux | grep named. The named daemon should have been started with the -u and -t command line options (refer to man named).

The root directory (default: /var/named/chroot) is configured in the file /etc/sysconfig/named, also during the installation of the bind-chroot RPM.


Configuring DHCP Clients

For dynamic DNS updates to work, the DHCP client has to send its hostname to the DHCP server. Windows typically does this, but many Linux clients need to be told. If you use dhclient, make sure you have the following line in your /etc/dhclient-eth0.conf file (Ubuntu: this file is /etc/dhcp3/dhclient.conf; Debian Sarge: look in /etc/dhclient.conf). If the file does not exist, create it (e.g. on FC4). Enter only the hostname, not the FQHN, and don't forget the ";".


File: /etc/dhclient-eth0.conf
send host-name "hostname";

Diagnostics

There are various ways to troubleshoot DHCP and DNS servers. All of the tools below have good man pages.


Check Configuration

named-checkconf /etc/named.conf                          # add -t /var/named/chroot once named runs in the chroot jail
named-checkzone example.com /var/named/example.com.zone  # zone name first, then the zone file
named-checkzone 5.168.192.in-addr.arpa /var/named/192.168.5.zone

Logs

Syslog:

tail -f /var/log/messages

Turn on logging for the named daemon:


File: /etc/named.conf or /var/named/chroot/etc/named.conf
// add the following section. A log file "dns-security.log" will be created
// in the named directory
logging {
    channel security_log {
        file "dns-security.log" versions 5 size 20m;
        // every time the log grows over 20 Mbyte, it will
        // backup and rollover. Maximum 5 backups will be kept.
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };

    category dnssec { security_log; };
    category update { security_log; };
    category security { security_log; };
};

Note: With the logging section above, all messages of the dnssec, update and security categories are written to /var/named/chroot/var/named/dns-security.log and no longer appear in the syslog file; categories that are not listed keep going to syslog as before.
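To make use of that log, here is an added example (not from the sipX page or from BIND) that parses lines in the layout the channel above produces (date, time, category, severity, message) and counts, per client address, denied updates, denied zone transfers and approved update signers. The log lines are constructed, modelled on BIND's update and security category messages. On the page's network only the DHCP host 192.168.5.145 should ever sign updates, so any other client accumulating denied updates is something to look at.

```python
import re
from collections import Counter

# Line layout of the channel on the page (print-time, print-category and print-severity all yes):
#   <date> <time> <category>: <severity>: <message>
LOG_LINE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<category>\w+): (?P<severity>\w+): (?P<message>.*)$")
CLIENT = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)")

# Constructed sample of dns-security.log contents, modelled on BIND's update/security messages.
SAMPLE_LOG = """\
13-Feb-2006 10:15:02.113 update: info: client 192.168.5.145#32822: signer "rndckey" approved
13-Feb-2006 10:15:02.115 update: info: client 192.168.5.145#32822: updating zone 'example.com/IN': adding an RR at 'laptop.example.com' A
13-Feb-2006 10:16:40.002 security: error: client 192.168.5.77#3456: update 'example.com/IN' denied
13-Feb-2006 10:16:41.010 security: error: client 192.168.5.77#3457: update 'example.com/IN' denied
13-Feb-2006 10:16:42.020 security: error: client 192.168.5.77#3458: update '5.168.192.in-addr.arpa/IN' denied
13-Feb-2006 10:17:00.500 security: info: client 10.0.0.9#5353: zone transfer 'example.com/IN' denied
this line is not in the expected layout and is skipped
"""


def parse_log(text):
    """Yield one dict per well-formed line, with the client address pulled out of the message when present."""
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        c = CLIENT.search(rec["message"])
        rec["ip"] = c.group("ip") if c else None
        yield rec


def summarize(text):
    """Per-client counts of denied updates, denied zone transfers, and approved TSIG signers."""
    denied_updates, denied_transfers, approved = Counter(), Counter(), Counter()
    for rec in parse_log(text):
        msg = rec["message"]
        if msg.endswith("denied") and "zone transfer" in msg:
            denied_transfers[rec["ip"]] += 1
        elif msg.endswith("denied") and "update" in msg:
            denied_updates[rec["ip"]] += 1
        elif rec["category"] == "update" and "approved" in msg:
            approved[rec["ip"]] += 1
    return {"denied_updates": dict(denied_updates),
            "denied_transfers": dict(denied_transfers),
            "approved": dict(approved)}


def noisy_clients(text, threshold=3):
    """Clients whose denied-update count reaches the threshold; the DHCP host should never appear here."""
    counts = summarize(text)["denied_updates"]
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("clients to look at:", noisy_clients(SAMPLE_LOG))
```

Feed it the real file with open("/var/named/chroot/var/named/dns-security.log").read(); because the page's named.conf only allows updates signed with rndckey and refuses all zone transfers, every denied entry is either a misconfigured client or something probing the server.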


Controlling named

The name server control utility rndc is used to control named while it is running. Please refer to man rndc for further details.

rndc status    # confirm named answers on the control channel (rndc without arguments only prints its usage)
rndc reload    # reload configuration and zones

DNS Lookups

dig is a powerful utility to verify DNS settings. The query type "AXFR" initiates a zone transfer which, if allowed by the server, displays the currently active zone contents for easy verification (with the allow-transfer { none; } setting above it will be refused, so run it from the server itself only if you have allowed localhost).

dig -x 127.0.0.1          # reverse lookup
dig yahoo.com             # forward lookup through the local resolver
dig example.com AXFR      # zone transfer of the local zone

Other utilities include nslookup and host. Please refer to the respective man pages.

nslookup sipx.example.com
host sipx.example.com