Thursday, December 16, 2010
How to edit Dynamic DNS zone
All changes made to a zone using dynamic update are stored in the zone's journal file. The zone file is updated every 15 min. The zone files of dynamic zones cannot normally be edited by hand because they are not guaranteed to contain the most recent dynamic changes (those are only in the journal file). Here are a few steps that let you edit entries in a dynamic DNS zone:
- Suspend updates to all dynamic zones (this also writes the pending journal changes into the zone file):
rndc freeze
- Edit the zone file (remember to increment the SOA serial).
- Enable updates to all dynamic zones and reload them:
rndc thaw
Debian DHCP server failover
Before we start I assume you followed the previous two posts: setup and dynamic-dns. Our primary DHCP server is located at 192.168.10.4 and the secondary at 192.168.10.5.
Primary DHCP Server
- You need to declare a failover section that identifies the primary DHCP server (file /etc/dhcp/dhcpd.conf):
failover peer "dhcp-failover" {
    primary;                      # declare this to be the primary server
    address 192.168.10.4;
    port 647;
    peer address 192.168.10.5;
    peer port 647;
    max-response-delay 30;
    max-unacked-updates 10;
    load balance max seconds 3;
    mclt 1800;
    split 128;
}
- The failover peer needs to be referenced by a concrete subnet pool:
subnet 192.168.10.0 netmask 255.255.255.0 {
    pool {
        # In order to turn off failover just comment out
        # the line below
        failover peer "dhcp-failover";
        range 192.168.10.41 192.168.10.254;
    }
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.10.255;
    option routers gw1.dev.local;
}
Secondary DHCP Server
- Failover secondary peer declaration (file /etc/dhcp/dhcpd.conf):
failover peer "dhcp-failover" {
    secondary;                    # declare this to be the secondary server
    address 192.168.10.5;
    port 647;
    peer address 192.168.10.4;
    peer port 647;
    max-response-delay 30;
    max-unacked-updates 10;
    load balance max seconds 3;
}
- The same subnet declaration, referencing the failover peer, goes on the secondary:
subnet 192.168.10.0 netmask 255.255.255.0 {
    pool {
        # In order to turn off failover just comment out
        # the line below
        failover peer "dhcp-failover";
        range 192.168.10.41 192.168.10.254;
    }
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.10.255;
    option routers gw1.dev.local;
}
Dynamic DNS update with DHCP on Debian
If you have many DHCP clients it is much more convenient to find them by name than to remember IP addresses. This is what dynamic DNS update with DHCP is for. I assume you followed the previous posts on the DNS and DHCP topics.
Configure DNS server
- We would like to accept only authorized (signed) updates, so let's generate a secret key:
dnssec-keygen -r /dev/urandom -a hmac-md5 -b 256 -n host key
cat Kkey.*.private
rm Kkey*
Here is sample output:
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: 9rHjOgEuZ8O8LpsoJcl4zORqbeOCaPc3WfYDd5Mq3FHI=
...
- Add the following (replace the md5 key with the one you generated) to a new file /etc/bind/dynamic-dns.key:
key DYNAMICDNS {
    algorithm hmac-md5;
    secret "9rHjOgEuZ8O8LpsoJcl4zORqbeOCaPc3WfYDd5Mq3FHI=";
};
- Secure the key file so that users outside the bind group cannot read it:
chmod o-r /etc/bind/dynamic-dns.key
- Ensure the bind group can write to the configuration directory, since named saves the zone journal files there during dynamic updates:
chmod -R g+w /etc/bind/
- Update the zone registration file to allow dynamic updates (file /etc/bind/named.conf.local):
include "/etc/bind/dynamic-dns.key";
zone "dev.local" IN {
    type master;
    file "/etc/bind/db.dev.local";
    allow-update { key DYNAMICDNS; };
};
zone "10.168.192.IN-ADDR.ARPA" IN {
    type master;
    file "/etc/bind/db.10.168.192";
    allow-update { key DYNAMICDNS; };
};
- Restart bind9.
Test DNS Settings
- Let's configure DNS for a new host test with IP 192.168.10.7:
root@ns1:/etc/bind# nsupdate
> server 127.0.0.1
> key DYNAMICDNS 9rHjOgEuZ8O8LpsoJcl4zORqbeOCaPc3WfYDd5Mq3FHI=
> zone dev.local
> update add test.dev.local. 600 IN A 192.168.10.7
> send
> zone 10.168.192.IN-ADDR.ARPA
> update add 7.10.168.192.in-addr.arpa 600 IN PTR test.dev.local.
> send
- And now verify:
user1@deby01:~$ host test
test.dev.local has address 192.168.10.7
user1@deby01:~$ host 192.168.10.7
7.10.168.192.in-addr.arpa domain name pointer test.dev.local.
Configure DHCP server
- Add the following (replace the md5 key with the one you generated) to a new file /etc/dhcp/dynamic-dns.key:
key DYNAMICDNS {
    algorithm hmac-md5;
    secret "9rHjOgEuZ8O8LpsoJcl4zORqbeOCaPc3WfYDd5Mq3FHI=";
};
- Create a new file /etc/dhcp/dhcpd.conf.local with the following content:
include "/etc/dhcp/dynamic-dns.key";
zone dev.local. {
    primary ns1.dev.local;
    key DYNAMICDNS;
}
zone 10.168.192.IN-ADDR.ARPA. {
    primary ns1.dev.local;
    key DYNAMICDNS;
}
- Open the file /etc/dhcp/dhcpd.conf and ensure it contains:
ddns-update-style interim;
include "/etc/dhcp/dhcpd.conf.local";
- Restart the DHCP server so our changes take effect:
/etc/init.d/isc-dhcp-server restart
Test DHCP server with Debian client
- First of all, in order to identify your Debian client by name you must ensure it sends its host name to the DHCP server. You can check this in the file /etc/dhcp/dhclient.conf:
send host-name "deby01";
- Assuming the DHCP client interface is eth1, here is the command to renew the IP address from the server:
dhclient -v eth1
Debian DHCP Server Setup
The Dynamic Host Configuration Protocol (DHCP) gives client machines "leases" for IP addresses and can automatically set their network configuration.
apt-get -y install rsyslog isc-dhcp-server
Before we start configuring the DHCP server let's set our requirements:
- Domain name: dev.local
- Network: 192.168.10.0/24
- DNS Servers: ns1.dev.local, ns2.dev.local
- Gateway: gw1.dev.local
- First 40 ip addresses are reserved for servers
- DHCP pool is 41 - 254
Server Configuration
- The server will be listening on the eth0 interface (file /etc/default/isc-dhcp-server):
# On what interfaces should the DHCP server (dhcpd)
# serve DHCP requests? Separate multiple interfaces
# with spaces, e.g. "eth0 eth1".
INTERFACES="eth0"
- Configure DHCP per our requirements (file /etc/dhcp/dhcpd.conf):
# The ddns-updates-style parameter controls whether or
# not the server will attempt to do a DNS update when
# a lease is confirmed. We default to the behavior of
# the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks
option domain-name "dev.local";
option domain-name-servers ns1.dev.local, ns2.dev.local;
option ip-forwarding off;

# This way you can specify multiple search domains.
# For Windows clients it doesn't work and needs to be
# set up manually
option domain-search "dev.local", "corp.local";

# Lease time is in seconds
default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for
# the local network, the authoritative directive should
# be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log
# file (you also have to hack syslog.conf to complete
# the redirection).
log-facility local7;

subnet 192.168.10.0 netmask 255.255.255.0 {
    pool {
        range 192.168.10.41 192.168.10.254;
    }
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.10.255;
    option routers gw1.dev.local;
}
How to test from Debian client
- You need a network interface configured for DHCP (file /etc/network/interfaces):
allow-hotplug eth0
iface eth0 inet dhcp
- Obtain an IP address and check it:
root@dh1:~# dhclient eth0 && ifconfig eth0 | grep inet
          inet addr:192.168.10.41 ...
- Try some lookups (notice the multiple DNS search domains; in order to use the host command you need to install the dnsutils package):
root@dh1:~# host ns1
ns1.dev.local has address 192.168.10.2
root@dh1:~# host mail
mail.corp.local has address 192.168.11.10
How to enable multi-domain search in Windows client
- Choose Advanced TCP/IP Settings
- In DNS tab choose "Append these DNS suffixes (in order)"
- Add as many domains to search as you need
- Try some lookups (notice the multiple DNS search domains):
C:\>nslookup ns1
...
C:\>nslookup mail
...
Wednesday, December 15, 2010
Debian Slave DNS Server Setup
The setup of a Slave (Secondary) DNS Server is pretty easy. You need to follow the two previous posts on setting up a simple DNS server and chrooting bind9.
Master (Primary) DNS Server
- Add the following to /etc/bind/named.conf.options:
dnssec-enable yes;
- Generate an HMAC-MD5 key:
dnssec-keygen -r /dev/urandom -a hmac-md5 \
  -b 256 -n host rndc ; cat Krndc.*.private \
  | grep Key ; rm Krndc*
Here is the output:
Key: 9EKQM+7+EnJzO7TWyayUf0vks4k+SZPf9DAs8fOeREM=
- Add the following (replace the md5 key with the one you generated) to a new file /etc/bind/transfer.key:
key TRANSFER {
    algorithm hmac-md5;
    secret "9EKQM+7+EnJzO7TWyayUf0vks4k+SZPf9DAs8fOeREM=";
};
- Secure the key file so that users outside the bind group cannot read it:
chmod o-r /etc/bind/transfer.key
- Add the following to a new file /etc/bind/named.conf.transfer:
include "/etc/bind/transfer.key";
// Slave IP Address
server 192.168.10.3 {
    keys { TRANSFER; };
};
- Add the following to the file /etc/bind/named.conf:
include "/etc/bind/named.conf.transfer";
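As an added example (not code from the post), a small Python helper for the key-file steps above: it turns the K*.private file that dnssec-keygen writes into the key statement, refuses a secret whose length does not match the requested -b value, and compares two copies of the key file, which covers both the TRANSFER key here and the DYNAMICDNS key in the dynamic DNS post. The algorithm-number table and the sample private file below are constructed for this example.

```python
import base64
import re

# dnssec-keygen algorithm numbers for HMAC keys (only the ones this helper accepts)
ALGORITHMS = {157: "hmac-md5", 161: "hmac-sha1", 163: "hmac-sha256"}

# Constructed: the K*.private file the posts cat after dnssec-keygen, with the
# TRANSFER secret shown in this post (the format lines come from the DDNS post).
PRIVATE_FILE = """Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: 9EKQM+7+EnJzO7TWyayUf0vks4k+SZPf9DAs8fOeREM=
"""

def key_statement(private_text, name, bits=256):
    """Build the key statement for named.conf / dhcpd.conf from a dnssec-keygen
    private file, refusing a secret whose length does not match the -b value."""
    fields = dict(re.findall(r"^([\w-]+):\s*(.+?)\s*$", private_text, re.M))
    algorithm = ALGORITHMS[int(fields["Algorithm"].split()[0])]
    secret = fields["Key"]
    if len(base64.b64decode(secret, validate=True)) * 8 != bits:
        raise ValueError(f"secret is not a {bits}-bit key")
    return f'key {name} {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'

def parse_key_statement(text):
    """Read name, algorithm and secret back out of a key statement (any whitespace)."""
    m = re.search(r'key\s+(\S+)\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;', text)
    if not m:
        raise ValueError("no key statement found")
    return {"name": m.group(1), "algorithm": m.group(2).lower(), "secret": m.group(3)}

def keys_match(file_a, file_b):
    """True when two copies of the key file (master and slave, or bind and dhcpd)
    carry the same name, algorithm and secret; a mismatch makes every signed
    transfer or update fail."""
    return parse_key_statement(file_a) == parse_key_statement(file_b)

STATEMENT = key_statement(PRIVATE_FILE, "TRANSFER")
print(STATEMENT, end="")
```

The key only authenticates the slave's transfers; to accept zone transfers solely from hosts that sign with it, add allow-transfer { key TRANSFER; }; to each master zone, otherwise the zone's allow-transfer setting decides who else may pull it.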
Slave (Secondary) DNS Server
- Add the following to /etc/bind/named.conf.options:
dnssec-enable yes;
- Add the following (replace the md5 key with the one you generated) to the file /etc/bind/transfer.key:
key TRANSFER {
    algorithm hmac-md5;
    secret "9EKQM+7+EnJzO7TWyayUf0vks4k+SZPf9DAs8fOeREM=";
};
- Secure the key file so that users outside the bind group cannot read it:
chmod o-r /etc/bind/transfer.key
- Add the following to the file /etc/bind/named.conf.transfer:
include "/etc/bind/transfer.key";
// Master IP Address
server 192.168.10.2 {
    keys { TRANSFER; };
};
- Add the following to the file /etc/bind/named.conf:
include "/etc/bind/named.conf.transfer";
- Specify the slave zones in the file /etc/bind/named.conf.local:
zone "dev.local" IN {
    type slave;
    file "/etc/bind/db.dev.local";
    masters { 192.168.10.2; };
    allow-notify { 192.168.10.2; };
};
zone "10.168.192.IN-ADDR.ARPA" IN {
    type slave;
    file "/etc/bind/db.10.168.192";
    masters { 192.168.10.2; };
    allow-notify { 192.168.10.2; };
};
- Copy the forwarders to the slave (file /etc/bind/named.conf.forward):
zone "corp.local" IN {
    type forward;
    forwarders { 192.168.11.2; 192.168.11.3; };
};
- Ensure bind:bind is the owner of the configuration so that named can write the zone files received from the master:
chown -R bind:bind /var/chroot/bind9/etc/*
- Make sure the clocks on both servers are synchronized, since the TSIG signatures on the transfers are time-stamped:
root@ns2:/etc/bind# apt-get install ntpdate
...
root@ns2:/etc/bind# ntpdate pool.ntp.org
Now you can restart bind9 on both servers and ensure that the slave received the zone files.
Troubleshooting
Have a look at the system log file (/var/log/syslog) for any errors reported by named. If you see something telling you "permission denied" while dumping a file, ensure bind:bind is the owner as follows:
chown -R bind:bind /var/chroot/bind9/etc/*
/etc/init.d/bind9 restart
ls -l /etc/bind/db.*
Debian LAN DNS setup
We are going to set up a LAN DNS server for the dev.local domain. I assume you already have a DNS server up and running; if not, please follow the previous post.
Configure Forward Lookup Zone
First of all let's start with the forward lookup zone (file /etc/bind/db.dev.local):
$TTL 2d
dev.local.  IN SOA  ns1.dev.local. hostmaster.dev.local. (
            2010122201 ; se = serial number
            6h         ; ref = refresh
            15m        ; ret = update retry
            3w         ; ex = expiry
            3h         ; min = minimum
            )
            IN NS    ns1.dev.local.
            IN NS    ns2.dev.local.
            IN MX    10 mail.dev.local.
            IN A     192.168.10.5
; hosts
gw1         IN A     192.168.10.1
ns1         IN A     192.168.10.2
ns2         IN A     192.168.10.3
mail        IN A     192.168.10.4
www         IN CNAME dev.local.
Configure Reverse Lookup Zone
Each forward lookup zone can have a reverse lookup zone; here is ours (file /etc/bind/db.10.168.192):
$ORIGIN .
$TTL 2d
10.168.192.IN-ADDR.ARPA IN SOA ns1.dev.local. hostmaster.dev.local. (
            2010122201 ; se = serial number
            6h         ; ref = refresh
            15m        ; ret = update retry
            3w         ; ex = expiry
            3h         ; min = minimum
            )
            IN NS    ns1.dev.local.
            IN NS    ns2.dev.local.
$ORIGIN 10.168.192.IN-ADDR.ARPA.
1           IN PTR   gw1.dev.local.
2           IN PTR   ns1.dev.local.
3           IN PTR   ns2.dev.local.
4           IN PTR   mail.dev.local.
5           IN PTR   www.dev.local.
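As an added example (not part of the post), a Python check that a forward and a reverse zone agree: every PTR must name a host that has an A record for that address, and every A record should have a PTR. Run on the two files above it flags 192.168.10.5, whose PTR points at www.dev.local., a CNAME, while the A record for that address belongs to dev.local. itself. The embedded zone text is a condensed copy of the files above, and the parser is a minimal one written for this example, not BIND's.

```python
# Constructed copies of the two zone files in this post (SOA condensed, a few rows omitted).
FORWARD = """dev.local. IN SOA ns1.dev.local. hostmaster.dev.local. (
    2010122201 6h 15m 3w 3h ) ; serial, refresh, retry, expiry, minimum
    IN NS ns1.dev.local.
    IN A 192.168.10.5
ns1 IN A 192.168.10.2
mail IN A 192.168.10.4
www IN CNAME dev.local.
"""
REVERSE = """$ORIGIN .
10.168.192.IN-ADDR.ARPA IN SOA ns1.dev.local. hostmaster.dev.local. (
    2010122201 6h 15m 3w 3h )
$ORIGIN 10.168.192.IN-ADDR.ARPA.
2 IN PTR ns1.dev.local.
4 IN PTR mail.dev.local.
5 IN PTR www.dev.local.
"""

def parse_zone(text, origin):
    """Return (owner, type, rdata) triples with absolute lowercase owners."""
    out, owner, buf, inherit = [], None, "", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not buf:
            inherit = raw[:1].isspace()              # leading blank: same owner as above
        buf = (buf + " " + line).strip()
        if not buf or buf.count("(") > buf.count(")"):
            continue                                 # blank, or SOA not closed yet
        toks, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if toks[0].startswith("$"):                  # $ORIGIN / $TTL directives
            origin = toks[1] if toks[0] == "$ORIGIN" else origin
            continue
        if not inherit:
            owner = toks.pop(0)
            owner = owner if owner.endswith(".") else owner + "." + origin.lstrip(".")
        while toks[0].isdigit() or toks[0].upper() == "IN":
            toks.pop(0)                              # optional TTL and class
        out.append((owner.lower(), toks[0].upper(), " ".join(toks[1:]).lower()))
    return out

def check_reverse(forward, reverse):
    """PTR targets must own an A record for that IP (not a CNAME); A records need a PTR."""
    a_by_ip = {}
    for owner, rtype, rdata in forward:
        if rtype == "A":
            a_by_ip.setdefault(rdata, set()).add(owner)
    cnames = {o: r for o, t, r in forward if t == "CNAME"}
    problems, seen = [], set()
    for owner, _, target in (r for r in reverse if r[1] == "PTR"):
        ip = ".".join(reversed(owner.rstrip(".").split(".")[:-2]))  # strip in-addr.arpa
        seen.add(ip)
        if target in cnames:
            problems.append(f"{ip} PTR {target} is a CNAME for {cnames[target]}, not a host")
        elif target not in a_by_ip.get(ip, ()):
            problems.append(f"{ip} PTR {target} but no A record {target} -> {ip}")
    problems += [f"{ip} has an A record but no PTR" for ip in a_by_ip if ip not in seen]
    return problems

PROBLEMS = check_reverse(parse_zone(FORWARD, "dev.local."), parse_zone(REVERSE, "."))
print("\n".join(PROBLEMS) or "forward and reverse zones agree")
```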
Add Zone to DNS server
Now that we have both forward and reverse DNS lookup zones for the dev.local domain, we need to let the DNS server know about them. All we need to do is add the following to /etc/bind/named.conf.local:
//
// Do any local configuration here
//
zone "dev.local" IN {
    type master;
    file "/etc/bind/db.dev.local";
};
zone "10.168.192.IN-ADDR.ARPA" IN {
    type master;
    file "/etc/bind/db.10.168.192";
};
// Consider adding the 1918 zones here, if they are not
// used in your organization
include "/etc/bind/zones.rfc1918";
Forwarding to other LAN DNS Servers
Let's set up DNS forwarding for the corp.local LAN domain, whose DNS servers are 192.168.11.2 and 192.168.11.3 (create a new file /etc/bind/named.conf.forward):
zone "corp.local" IN {
    type forward;
    forwarders { 192.168.11.2; 192.168.11.3; };
};
zone "11.168.192.IN-ADDR.ARPA" IN {
    type forward;
    forwarders { 192.168.11.2; 192.168.11.3; };
};
Let's include it in /etc/bind/named.conf:
include "/etc/bind/named.conf.forward";
We need to ask bind9 to reload the changes:
/etc/init.d/bind9 reload
Forwarding to ISP DNS Servers
You can speed up DNS queries by using the DNS servers supplied by your ISP (they are much closer to you than any others). When your DNS server cannot resolve a domain itself, instead of contacting the root servers it will contact the ISP's servers first. This can be configured in the /etc/bind/named.conf.options file:
// forwarders {
//     0.0.0.0;
// };
forwarders {
    192.168.123.123; # ns1.your-isp.net (placeholder, use your ISP's resolver)
    192.168.321.321; # ns2.your-isp.net (placeholder, use your ISP's resolver)
};
Client Configuration
Our DNS server for dev.local is up and running, so now it is time to configure the client machines to use it. Ensure the following is in /etc/resolv.conf:
search dev.local
nameserver 192.168.10.2
How to chroot bind9 in Debian
Here are a few simple steps to chroot bind9 on Debian squeeze.
#!/bin/bash
/etc/init.d/bind9 stop
mkdir -p /var/chroot/bind9/{etc,dev,var/cache/bind,var/run/bind/run}
chown -R bind:bind /var/chroot/bind9/var/*
mknod /var/chroot/bind9/dev/null c 1 3
mknod /var/chroot/bind9/dev/random c 1 8
chmod 666 /var/chroot/bind9/dev/{null,random}
mv /etc/bind /var/chroot/bind9/etc
ln -s /var/chroot/bind9/etc/bind /etc/bind
chown -R bind:bind /etc/bind/*
echo "\$AddUnixListenSocket /var/chroot/bind9/dev/log" > /etc/rsyslog.d/bind-chroot.conf
Switch bind9 to use the chroot (file /etc/default/bind9):
OPTIONS="-u bind -t /var/chroot/bind9"
Finally restart rsyslogd and start bind9:
/etc/init.d/rsyslog restart ; /etc/init.d/bind9 start
Debian simple DNS server setup
We are going to set up a simple Debian DNS server for local use, using bind9.
apt-get install -y rsyslog bind9 bind9-doc dnsutils
Once the server is installed, let our system know which DNS server to use (the one we just installed): ensure that 127.0.0.1 is the first nameserver in the list (file /etc/resolv.conf):
nameserver 127.0.0.1
In case you do not need the server to listen on IPv6, set the following option (file /etc/bind/named.conf.options):
listen-on-v6 { none; };
Restart the bind9 daemon:
/etc/init.d/bind9 restart
and verify with:
root@ns1:~# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.10.2:53         0.0.0.0:*               LISTEN      816/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      816/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      816/named
udp        0      0 192.168.10.2:53         0.0.0.0:*                           816/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           816/named
That's pretty much it; let's make sure it is working. The dig command comes with the dnsutils package we installed above, so here we go:
root@ns1:~# dig debian.org

; <<>> DiG 9.7.2-P3 <<>> debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64434
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             3600    IN      A       128.31.0.51
debian.org.             3600    IN      A       206.12.19.7

;; AUTHORITY SECTION:
debian.org.             28606   IN      NS      ns2.debian.org.
debian.org.             28606   IN      NS      ns4.debian.com.
debian.org.             28606   IN      NS      ns1.debian.org.

;; ADDITIONAL SECTION:
ns1.debian.org.         28606   IN      AAAA    2607:f8f0:610:4000:214:38ff:feee:b65a
ns4.debian.com.         28606   IN      A       194.177.211.209
ns4.debian.com.         28606   IN      AAAA    2001:648:2ffc:deb::10:10

;; Query time: 96 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 15 21:47:12 2010
;; MSG SIZE  rcvd: 196
Notice that the server that responded to our request was 127.0.0.1. Consider chrooting your DNS server; the details are in the post on chrooting bind9.
How to solve eth0 missing in VirtualBox
Suppose you set up a Linux virtual machine in VirtualBox, and once you clone its hard disk and attach it to a new virtual machine you notice that eth0 is not available. The problem is that the MAC address of the network adapter has changed (you created a new virtual machine), so the adapter has been given the next available name, e.g. eth1. What you need to do is open the file /etc/udev/rules.d/70-persistent-net.rules in your favorite editor, remove the line that currently uses eth0, and change the line with NAME="eth1" to NAME="eth0". Here is an example:
# PCI device 0x1022:0x2000 (pcnet32)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", \
ATTR{address}=="08:00:27:43:0b:0f", ATTR{dev_id}=="0x0", \
ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
Probably the simplest way to do this is to empty the file and let it be regenerated on the next boot:
echo > /etc/udev/rules.d/70-persistent-net.rules
reboot
How to disable ipv6 in Debian
Here are a few simple steps to disable IPv6 in Debian:
- Comment out anything related to IPv6 in /etc/hosts.
- SSH. Ensure AddressFamily inet is set in /etc/ssh/sshd_config. Restart ssh.
- BIND. Ensure listen-on-v6 { none; }; is set in /etc/bind/named.conf.options. Restart bind9.
- NTP. Ensure the -4 option is set in /etc/default/ntp (e.g. NTPD_OPTS='-4 -g'). Restart ntp.
- APACHE2. Ensure Listen 0.0.0.0:80 is set in the /etc/apache2/ports.conf file. Restart apache2.
- RPCBIND (rpc.statd, rpc.mountd). Comment out the appropriate entries in /etc/netconfig:
udp        tpi_clts      v     inet     udp     -       -
tcp        tpi_cots_ord  v     inet     tcp     -       -
#udp6      tpi_clts      v     inet6    udp     -       -
#tcp6      tpi_cots_ord  v     inet6    tcp     -       -
rawip      tpi_raw       -     inet     -       -       -
local      tpi_cots_ord  -     loopback -       -       -
unix       tpi_cots_ord  -     loopback -       -       -
- PostgreSQL 9. Ensure listen_addresses uses IPv4 only (file /etc/postgresql/9.1/main/postgresql.conf):
# - Connection Settings -
listen_addresses = '0.0.0.0'
Comment out the lines related to IPv6 (file /etc/postgresql/9.1/main/pg_hba.conf):
# IPv6 local connections:
#host    all    all    ::1/128    md5
Restart postgresql.
- Disable IPv6 in the kernel:
echo net.ipv6.conf.all.disable_ipv6=1 \
    > /etc/sysctl.d/disableipv6.conf
- Disable IPv6 in the kernel modules (file /etc/modprobe.d/aliases.conf):
# alias net-pf-10 ipv6
alias net-pf-10 off
alias ipv6 off
- After a reboot, verify that no service listens on an IPv6 address any more:
netstat -tunlp
Here is a sample output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.10.2:53         0.0.0.0:*               LISTEN      895/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      895/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      734/sshd
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      895/named
udp        0      0 192.168.10.2:53         0.0.0.0:*                           895/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           895/named
Tuesday, December 14, 2010
How to lock console in Debian
There is an easy way to lock your console session in Linux. Just install vlock:
apt-get install vlock
Once installed, issue the command vlock; here is what you will see:
This TTY is now locked.
Please press [ENTER] to unlock.