DHCP server and domain

fishkake · 04-13-2017, 09:55 AM

Hi all

I've been building a DHCP server and router using iptables and isc-dhcp-server on Debian 8. I'm definitely slowly getting there, but I've hit another snag regarding DNS/DHCP.

I own a domain, lets call it beans.com. I've not set it up properly yet and at the moment it resolves to, lets call it 5.5.5.5 for simplicity.

My dhcpd.conf file looks like this (with some of the commented lines removed):

Code:

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "beans.com";
option domain-name-servers 194.168.4.100,194.168.8.100;
# ^ Note - these are my ISPs DNS servers

default-lease-time 86400;
max-lease-time 604800;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

#subnet 10.152.187.0 netmask 255.255.255.0 {
#}

# This is a very basic subnet declaration.

subnet 192.168.27.0 netmask 255.255.255.0 {
  range 192.168.27.101 192.168.27.199;
  option routers 192.168.27.70;
}

This is handing out IP addresses perfectly. I have a windows machine called BEAR and another called TEST. Both are running on 192.168.100 addresses dished out by this DHCP.

When I ping ANY hostname from these PCs, it pings thing.beans.com which resolves to 5.5.5.5. Even if I ping a host which doesn't exist.

Ultimately I want to be able to ping server.beans.com and mail.beans.com and baked.beans.com from the web and hit different servers in my house. But I also want to be able to ping BEAR from TEST and have it resolve to 192.168.x.x.

I'm guessing I need my router/DHCP to also be a DNS server which resolves local addresses and forwards remote addresses. I'm looking up BIND now but if there's a simpler way of doing this or a problem with my DHCP setup, I'd appreciate your advice.

Thanks!

ferrari · 04-14-2017, 03:36 AM

For a small LAN environment consider using dnsmasq perhaps

https://wiki.debian.org/HowTo/dnsmasq

fishkake · 04-14-2017, 02:12 PM

I was gradually getting a bit lost in BIND. Hadn't heard of dnsmasq, my rampant googling was apparently not appropriately aimed. I will look in to it now, thank you!

lazydog · 04-14-2017, 03:50 PM

The reason that everything is resolving to 5.5.5.5 is because you have a wild card entry in your DNS zone file that points to 5.5.5.5 not because of DHCP. If you only want things to resolve that are real then you have to remove the wildcard from your DNS.

lazydog · 04-14-2017, 03:59 PM

You need to allow your DHCP server to update your DNS server with the names and IP Addresses of the systems it assigns IP's to so you can ping them internally.

Reaching your systems from the internet is another story and requires a lot more then just setting up DHCP and DNS. Now you need to protect everything andf you need to setup your IPTABLES accordingly.

fishkake · 04-15-2017, 11:47 AM

Quote:

Originally Posted by lazydog

Reaching your systems from the internet is another story and requires a lot more then just setting up DHCP and DNS. Now you need to protect everything andf you need to setup your IPTABLES accordingly.

This is what was slowly dawning on me, but what I think I needed to hear. :-)

I'm not sure I understad what you mean by a "zone file" as I don't yet have a DNS server, I just have a DHCP server which assigns the ISP server. But for now I think I'll set up a server to be accessed from the internet as beans.com and worry about stuff.beans.com later on.

Also regarding protection, this is noted - at the moment my "protection" is provided by having nothing on this network which is at all sensitive, but I am well aware that before anything goes live, so to speak, I need to worry about security.

Thanks for your help!

lazydog · 04-15-2017, 12:20 PM

If you have a domain then you have a zone file. Where ever your domain is registered is where your zone file is and they most likely setup a wildcard in there to point all unknowns to the same ip address. Since you own a domain you should have access to this domain on their dns server. Just log in and check.

Just because you are pointing your machines at your ISP's dns server if you are using your domain your ISP is going to query the site that is hosting your domain.

Quote:

But I also want to be able to ping BEAR from TEST and have it resolve to 192.168.x.x

You can set your public dns sever to resolve these names to a private IP Address so you can use your domain and still get to these servers internally. Now if you are going to use these servers on the public IP then you cannot setup the same name to point to both your public ip and your private ip.

If you do not plan on hosting your own public DNS server then dnsmasq might be the best option fo you.