
DNS updated via DHCP: BIND9 and ISC-DHCP on Linux

Linux: Debian stable (version 7, "wheezy", at the time of writing — package names, tool versions and init commands may differ on later releases)

Packages:

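# Install the name server and the DHCP server.
# (The original line repeated "install", which apt-get would treat as a package name.)
apt-get install bind9 isc-dhcp-server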

Create the TSIG key the DHCP server will use to sign its dynamic updates to the DNS zones. This example reuses BIND's rndc control key, which means the DHCP side can also issue rndc commands with it; a dedicated update key generated with ddns-confgen is the least-privilege option.

# Writes /etc/bind/rndc.key. By default named also uses this key to authenticate the
# rndc control channel (rndc stop / flush / reload ...), so handing it to dhcpd gives the
# DHCP host that power too. Least-privilege alternative: a key used only for updates, e.g.
#   ddns-confgen -a hmac-sha256 -k ddns-key
# and reference that key (instead of rndc.key) in named.conf and dhcpd.conf.
# rndc-confgen defaults to hmac-md5; prefer a SHA-2 HMAC where both ends support it.
/usr/sbin/rndc-confgen -a

This will create /etc/bind/rndc.key, whose contents will look something like this (the secret below is only an example — use the one generated on your own server, never one copied from a web page, and keep the file readable only by root and the bind user):

// Example only: your rndc-confgen run produces a different secret, and one published on
// a web page must never be reused. This key also authenticates the rndc control channel,
// so keep the file readable only by root and the bind user.
// hmac-md5 is rndc-confgen's default; prefer hmac-sha256 when both named and dhcpd
// support it (both ends must be configured with the same algorithm).
key "rndc-key" {
algorithm hmac-md5;
secret "+zZSeeetHWFdNwECit1Ktw==";
};

BIND configuration

Configuration files:

 

/etc/hosts

127.0.0.1 localhost
# This server's own name and address; keep it identical to the dns A record and the
# SOA/NS names used in the zone files, otherwise the server refers to itself by a name
# that does not resolve.
10.0.60.60 dns.lab.loc dns

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

 

/etc/bind/named.conf.local

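// Do any local configuration here
// Consider adding the 1918 zones here, if they are not used in your organization
include "/etc/bind/zones.rfc1918";

// TSIG key shared with dhcpd. This is the rndc control key, so whoever holds it can
// also drive rndc; a key dedicated to updates (ddns-confgen) is preferable.
include "/etc/bind/rndc.key";

// NOTE(review): named writes a journal (<zonefile>.jnl) next to a dynamically updated
// zone file, and on Debian /etc/bind is not writable by the bind user. If updates fail
// with "journal open failed: permission denied", keep these two zone files under
// /var/lib/bind/ instead and adjust the paths below.

zone "lab.loc" {
type master;
file "/etc/bind/db.lab.loc";
// update-policy instead of allow-update: allow-update lets the key rewrite any
// record in the zone, including SOA, NS and MX. This grant limits it to the address
// (A) and lease-identity (TXT, used by dhcpd's "interim" style) records of hosts
// below the apex; the apex itself is not matched by the wildcard.
// Add AAAA to the type list if dhcpd6 registers IPv6 leases.
update-policy {
grant rndc-key wildcard *.lab.loc. A TXT;
};
};

zone "60.0.10.in-addr.arpa" {
type master;
file "/etc/bind/db.10.0.60";
// Same idea for the reverse zone: the key may only touch PTR records.
update-policy {
grant rndc-key wildcard *.60.0.10.in-addr.arpa. PTR;
};
};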

 

/etc/bind/named.conf.options

(sets up the external forwarders and restricts which clients may query, recurse through and transfer zones from this server)

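// Clients allowed to query this server (and therefore to recurse through it).
// Defined once so the options below cannot drift apart.
acl "lab-clients" {
10.0.60.0/24;
127.0.0.1;
::1; // listen-on-v6 is enabled below, so let the local IPv6 loopback in as well
};

options {
directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113

// Upstream resolvers that queries for other zones are forwarded to. Without
// "forward only;" named falls back to full recursion if they do not answer.
// NOTE(review): with dnssec-validation enabled the forwarders must pass the DO bit
// and RRSIGs through, otherwise lookups in signed zones SERVFAIL; check with
// `dig +dnssec` against this server.
forwarders {
208.67.222.222;
208.67.220.220;
8.8.8.8;
8.8.4.4;
};

//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;

auth-nxdomain no; # conform to RFC1035

// allow-recursion is spelled out rather than left to its default (derived from
// allow-query) so the intent is explicit.
allow-query { lab-clients; };
allow-recursion { lab-clients; };

// A zone transfer hands out the complete host list. No secondary is configured
// (dns2 is commented out in the zone files), so refuse transfers; when a secondary
// is added, list only its address here rather than the whole LAN.
allow-transfer { none; };

listen-on-v6 { any; };
};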

 

/etc/bind/db.lab.loc

$ORIGIN lab.loc.
$TTL 24h        ; default TTL for every record below that carries none of its own

; SOA: this server is the authority for lab.loc. Fields: primary name server, then the
; administrator mailbox with '@' written as '.' (root@lab.loc).
; dhcpd's dynamic updates rewrite this file, so edit it by hand only after
; "rndc freeze lab.loc", raise the serial, then "rndc thaw lab.loc".
@         IN  SOA   dns.lab.loc. root.lab.loc. (
                    2014032109 ; serial, YYYYMMDDNN - increase on every manual change
                    10800      ; refresh: 3 hours
                    1800       ; retry: 30 minutes
                    604800     ; expire: 1 week
                    38400      ; minimum / negative-cache TTL: 10 h 40 min
                    )

; Apex records: authoritative name server(s), the zone's own address, mail exchanger.
@         IN  NS    dns.lab.loc.
;@        IN  NS    dns2.lab.loc.
@         IN  A     10.0.60.60
;@        IN  A     10.0.60.61
@         IN  MX 10 dns.lab.loc.

; Statically managed hosts (the same machines are fixed-address entries in dhcpd.conf;
; keep name and address identical in both places).
dns       IN  A     10.0.60.60
;dns2     IN  A     10.0.60.61

esxi01    IN  A     10.0.60.71
esxi02    IN  A     10.0.60.72
esxi03    IN  A     10.0.60.73

freenas   IN  A     10.0.60.80

; Aliases
mail      IN  CNAME dns
dnsmaster IN  CNAME dns
storage   IN  CNAME freenas

 

/etc/bind/db.10.0.60

; BIND reverse file for lab.loc
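; BIND reverse file for lab.loc (the 10.0.60.0/24 network)
$ORIGIN 60.0.10.in-addr.arpa.
$TTL 24h
; SOA. The primary name server field read "dsn.lab.loc." (typo) and now names the real
; primary, dns.lab.loc., so anything that locates the master through the SOA finds it.
; The serial was raised for that change; raise it again on every manual edit, and edit
; by hand only between "rndc freeze 60.0.10.in-addr.arpa" and "rndc thaw", because
; dhcpd's dynamic updates rewrite this file.
@ IN SOA dns.lab.loc. root.lab.loc. (
2014032105 ; serial number YYYYMMDDNN
10800 ; Refresh (3 hours)
3600 ; Retry (1 hour)
604800 ; Expire (1 week)
38400 ; Min TTL (10 hours 40 minutes)
)
IN NS dns.lab.loc.
; IN NS dns2.lab.loc.

;LIST OF HOSTS (reverse) - keep in step with the A records in db.lab.loc

60 IN PTR dns.lab.loc.

71 IN PTR esxi01.lab.loc.
72 IN PTR esxi02.lab.loc.
73 IN PTR esxi03.lab.loc.

80 IN PTR freenas.lab.loc.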

 

DHCP configuration

Here only one file has to be modified: dhcpd.conf

/etc/dhcp/dhcpd.conf

The key secret has to appear here in plain text, so dhcpd.conf (or a separate include file holding just the key statement) must be readable only by root and the account dhcpd runs as — on Debian the file is world-readable by default.

# DHCPD
# Dynamic DNS: register every lease in the forward and reverse zones with TSIG-signed
# updates, using the "interim" scheme (lease identity kept in a TXT record next to the A).
ddns-updates on;
ddns-update-style interim;
# Also register the fixed-address hosts declared further down. NOTE(review): those names
# are already static in the zone files; expect dhcpd to log that the existing records are
# not its own and leave them alone - confirm in syslog after the first lease.
update-static-leases on;
authoritative;
# Must match /etc/bind/rndc.key exactly (name, algorithm, secret). The secret is as
# sensitive as the rndc control key: on Debian dhcpd.conf is world-readable by default,
# so restrict it (mode 0640, owned by root and the account dhcpd runs as) or move this
# one statement into an include file with those permissions.
key rndc-key { algorithm hmac-md5; secret +zZSeeetHWFdNwECit1Ktw==;}
# Any MAC address may obtain a lease. Combined with DDNS, a client can register whatever
# hostname it sends (option 12) under lab.loc. To hand out server-chosen names instead,
# set in the subnet e.g.
#   ddns-hostname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
allow unknown-clients;
use-host-decl-names on;
default-lease-time 1814400; #21 days
max-lease-time 1814400; #21 days
log-facility local7;

# lab.loc DNS zones
# "primary localhost" sends the updates to the local named directly instead of
# looking the master up through the SOA record.
zone lab.loc. {
primary localhost; # This server is the primary DNS server for the zone
key rndc-key; # Use the key we defined earlier for dynamic updates
}
zone 60.0.10.in-addr.arpa. {
primary localhost; # This server is the primary DNS server for the zone
key rndc-key; # Use the key we defined earlier for dynamic updates
}

# lab.loc LAN scope
subnet 10.0.60.0 netmask 255.255.255.0 {
range 10.0.60.100 10.0.60.200;
option subnet-mask 255.255.255.0;
option routers 10.0.60.2;
option domain-name-servers 10.0.60.60;
option domain-name "lab.loc";
# Zones that leases from this scope are registered in; the trailing dots matter.
ddns-domainname "lab.loc.";
ddns-rev-domainname "in-addr.arpa.";
}

# lab.loc STATIC assigned group
# Fixed addresses keyed on MAC address. Because update-static-leases is on, dhcpd also
# tries to register these names; they are already present statically in db.lab.loc and
# db.10.0.60, so keep name and address identical in both places. NOTE(review): expect
# dhcpd to log that the existing records are not its own and skip them - verify in syslog.
group {
host freenas.lab.loc {
hardware ethernet 00:0c:29:18:af:b4;
fixed-address 10.0.60.80;
# Name registered in DNS; ddns-domainname from the subnet is appended.
ddns-hostname "freenas";
}
host esxi01.lab.loc {
hardware ethernet 00:0c:29:d4:14:ce;
fixed-address 10.0.60.71;
ddns-hostname "esxi01";
}
host esxi02.lab.loc {
hardware ethernet 00:0c:29:2c:30:fd;
fixed-address 10.0.60.72;
ddns-hostname "esxi02";
}
host esxi03.lab.loc {
hardware ethernet 00:0c:29:46:90:fd;
fixed-address 10.0.60.73;
ddns-hostname "esxi03";
}
}

 

Once everything is configured, restart BIND and the DHCP server (it is worth running named-checkconf, named-checkzone and dhcpd -t first, so that a typo does not take the resolver down):

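# Validate before restarting: a syntax error in named.conf, a zone file or dhcpd.conf
# would otherwise leave the resolver (and DHCP registration with it) down.
named-checkconf \
&& named-checkzone lab.loc /etc/bind/db.lab.loc \
&& named-checkzone 60.0.10.in-addr.arpa /etc/bind/db.10.0.60 \
&& dhcpd -t \
&& /etc/init.d/bind9 restart \
&& /etc/init.d/isc-dhcp-server restart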

 

Sources:

https://www.centos.org/docs/4/html/rhel-rg-en-4/s1-bind-zone.html