Dynamic DHCP update to DNS

Dark_Helmet · 12-31-2011, 01:38 AM

Ok, I've thrown everything at this, and I cannot get my Ubuntu 10.04 server to handle dynamic DNS updates from DHCP. The IP lease itself is fine. It's only the DNS update.

Unfortunately, that's worse than where I used to be. In earlier attempts to get it working, I saw error messages about dynamic updates timing out. But now, I get nothing at all.

The last try for dynamic updates gave these messages from the DHCP server's syslog:

Code:

Dec 30 23:16:07 dhcp01 dhcpd: DHCPDISCOVER from 08:00:27:f8:82:a0 via eth0
Dec 30 23:16:08 dhcp01 dhcpd: DHCPOFFER on 10.1.1.100 to 08:00:27:f8:82:a0 via eth0
Dec 30 23:16:08 dhcp01 dhcpd: DHCPREQUEST for 10.1.1.100 (10.1.1.21) from 08:00:27:f8:82:a0 via eth0
Dec 30 23:16:08 dhcp01 dhcpd: DHCPACK on 10.1.1.100 to 08:00:27:f8:82:a0 via eth0
Dec 30 23:16:08 dhcp01 dhcpd: DHCPREQUEST for 10.1.1.100 (10.1.1.21) from 08:00:27:f8:82:a0 via eth0
Dec 30 23:16:08 dhcp01 dhcpd: DHCPACK on 10.1.1.100 to 08:00:27:f8:82:a0 via eth0

The MAC address is from a virtual machine setup with a bridged adapter to my physical DNS server.

A sample message from an earlier run where the dynamic update error appeared:

Code:

Dec 30 19:59:45 dhcp01 dhcpd: Unable to add forward map from workstation01.mydomain.lan to 10.1.1.100: timed out

Again, I'm not getting that far anymore.

I've got to be close. I just need someone smarter than me to please look over my configs. It could be anything--something incredibly stupid like a missing semicolon or huge, like a fundamental issue I just don't understand.

I'm posting stripped down configs. "Stripped down" meaning that I sent them through sed to delete comments and blank lines. I'll add some breaks manually for readability...

FYI:

10.1.1.21 is my static-ip, combined dhcp and dns server. Don't ask why I put it at .21 (as opposed to .1), because I don't remember. Alcohol may have been involved.

The config files are below. Please let me know if there's any other information (e.g. directory/file permissions) to help get this solved.

I truly appreciate all help on this problem. It's been driving me nuts.

My /etc/dhcp3/dhcpd.conf

Code:

option domain-name-servers 10.1.1.21;
option routers 10.1.1.21;
option subnet-mask 255.255.255.0;

ddns-updates on;
ddns-update-style interim;
ddns-domainname "mydomain.lan";
ddns-rev-domainname "1.1.10.in-addr.arpa";
ddns-ttl 14400;
ignore-client-updates;

key "dhcp-key" {
    algorithm		HMAC-MD5;
    secret		"<shhh! it's a secret>";
}

zone mydomain.lan. {
     primary   10.1.1.21;
     key       "dhcp-key";
}

zone 1.1.10.in-addr.arpa. {
     primary	10.1.1.21;
     key	"dhcp-key";
}

default-lease-time 86400;
max-lease-time 604800;
authoritative;
log-facility local7;

subnet 10.1.1.0 netmask 255.255.255.0 {
       option domain-name "mydomain.lan";
       option domain-name-servers 10.1.1.21;
       option routers 10.1.1.21;
       default-lease-time 86400;
       max-lease-time 604800;
       pool {
       	    allow unknown-clients;
	    range 10.1.1.100 10.1.1.200;
       }
}

Ubuntu spreads the bind config files to the four corners...

/etc/bind/named.conf

Code:

include "/etc/bind/rndc.key";
acl "internal-net" { 10.1/16; 127.0.0/24; };

controls {
	 inet 127.0.0.1 allow { any; } keys { "dhcp-key"; };
};

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/logging.conf";

/etc/bind/rndc.key

Code:

key "dhcp-key" {
    algorithm		HMAC-MD5;
    secret		"<shhh! it's a secret>";
};

NOTE: the values for the secret field in rndc.key and dhcpd.conf match. I have checked that more times than I can count.

/etc/bind/named.conf.options

Code:

options {
	directory "/var/cache/bind";
	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };
	statistics-file "/var/run/named/named.stats";
	zone-statistics yes;
	dump-file "/var/run/named/named.dump";
	listen-on { "internal-net"; };
	allow-query { "internal-net"; };
	allow-transfer { none; };
	allow-recursion { "internal-net"; };
        allow-update { "internal-net"; };
	notify no;
};

/etc/bind/named.conf.local:

Code:

zone "mydomain.lan" IN {
   type master;
   file "/etc/bind/db.mydomain.lan";
   allow-update { key "dhcp-key"; };
};

zone "1.1.10.in-addr.arpa" IN {
   type master;
   file "/etc/bind/db.mydomain.lan.reverse";
   allow-update { key "dhcp-key"; };
};

/etc/bind/named.conf.default-zones:

Code:

zone "." {
	type hint;
	file "/etc/bind/db.root";
};
zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

I'm omitting /etc/bind/logging.conf because it's really long and really has nothing but logging directives (I promise). I'll post it if anyone really, really needs to see it.

/etc/bind/db.mydomain.lan:

Code:

$TTL	3H
@	IN	SOA	ns.mydomain.lan. root.digitaltechlaw.com. (
		     2011123025
			     3H
			     1H
			     1W
			     1H )
	IN	NS		ns.mydomain.lan.
	IN	MX	10	mail.mydomain.lan.
mail		IN	A		10.1.1.21
ns		IN	A		10.1.1.21

/etc/bind/db.mydomain.lan.reverse:

Code:

$TTL	3H
@	IN	SOA	ns.mydomain.lan. root.digitaltechlaw.com. (
		     2011123025
			     3H
			     1H
			     1W
			     1H )
	IN	NS	ns.mydomain.lan.
21	IN	PTR	ns.mydomain.lan.

lithos · 12-31-2011, 05:06 AM

Hi,

It would be nice if you wrote what is the role of your server.
For ex.
- your server is a DNS server for your local LAN and it's connected to a DSL line with dyn. IP
- your server is a domain server for i.e. yourdomain.com which you want to host at home with dyn.IP DSL connection
- ...

you name it.

then it might be easier to help you.

good luck

Dark_Helmet · 12-31-2011, 12:46 PM

I thought I had.

The server is a combined DNS-DHCP server with a static IP within my local LAN space. It provides IPs and name resolution for the internal LAN only ("mydomain.lan" - it really is mydomain.lan--that's not a clever substitution for a ".com" TLD). The DNS server allows recursion for DNS lookups to external sites for internal clients only.

This is for my local LAN only. There will never, ever be any visitors from "foreign" domains requesting an IP. The only dynamic DNS updates will be to my internal server.

Dark_Helmet · 12-31-2011, 07:04 PM

Virtual machines are great. I set up a virtual environment to mimic my physical setup and tried a few things.

I switched to debian squeeze (6.0.3) for the server. I will include the commands as a walkthrough for anyone that needs it (i.e. copy-paste the commands directly into a root terminal). If you want something different, you'll need to update the commands. Or, at least, edit the necessary files before starting up the servers.

The environment it provides:

Internal network: 10.2.2.0/24
IP pool range: 10.2.2.50 to 10.2.2.254
Domain name: mydomain.lan
Name server address: (fixed) 10.2.2.1

PLEASE NOTE: I just ran the below commands on a clean, base install of Debian in a virtual machine. They worked on the Debian virtual machine without a problem. I also created an Ubuntu 10.04 virtual machine and tried to resolve my issues from there. It took more futzing with the Ubuntu machine to get working. After a day or two, I will come back and do a clean run through on both virtual machines to make sure that I did not leave out any steps.

Starting from a base Debian 6.0.3 install, configure your one of your network interfaces to use static IP (10.2.2.1), open a terminal, switch to root, and:

(1) Install the DHCP server
PLEASE NOTE: This step may end with a "failed!" when trying to start up the server. Don't worry about that.
PLEASE NOTE: If you are an Ubuntu user, you need to install dhcp3-server instead of isc-dhcp-server

Code:

/usr/bin/apt-get install isc-dhcp-server

(2) Install the DNS server (and associated packages)

Code:

/usr/bin/apt-get install bind9 bind9-doc bind9utils

(3) Generate a key to secure your updates

Code:

/usr/sbin/dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/urandom -n USER DHCP_UPDATER

(4) Take the contents of the generated key and place it in a key file shared between DHCP and DNS

Code:

update_key=$( /bin/sed -n 's@^Key:[[:space:]]\+\(.*\)$@\1@ ; 3p' K*.private )
/bin/cat << EOF > /etc/bind/DHCP_UPDATER.key
key DHCP_UPDATER {
  algorithm hmac-md5;
  secret "${update_key}";
};
EOF

(5) Allow user bind to write to /etc/bind -- needed for zone journal files (*.jnl)
PLEASE NOTE: If you are an Ubuntu user, you do not need use any of the three commands below IF you do not want to modify the default apparmor profiles for bind. See note in step 6.

Code:

/bin/chown root:bind /etc/bind
/bin/chmod 775 /etc/bind
/bin/chmod g+s /etc/bind

(6) Backup the original named.conf.local and replace it with a custom config
PLEASE NOTE: If you are an Ubuntu user, Ubuntu expects your DNS server to store data (including dynamic update journals) in /var/lib/bind. Ubuntu has configured apparmor to deny read and write access to the bind user to /etc/bind. If you do not want to modify apparmor profiles, you must change the file paths for db.mydomain.lan and db.2.2.10.in-addr.arpa below to use /var/lib/bind/ instead of /etc/bind/ (e.g. 'file "/var/lib/bind/db.mydomain.lan";' instead of 'file "/etc/bind/db.mydomain.lan";'). Also for Ubuntu, in case you feel like being tricky and trying to soft link from /var/lib/bind back to the zone files in /etc/bind, the links will be replaced with normal files after the DNS server pushes through the first set of journal changes to the zone files.

Code:

/bin/cp /etc/bind/named.conf.local{,.original_install}
/bin/cat << EOF > /etc/bind/named.conf.local
include "/etc/bind/DHCP_UPDATER.key";

zone "mydomain.lan" {
   type master;
   file "/etc/bind/db.mydomain.lan";
   allow-update { key DHCP_UPDATER; };
};

zone "2.2.10.in-addr.arpa" {
   type master;
   file "/etc/bind/db.2.2.10.in-addr.arpa";
   allow-update { key DHCP_UPDATER; };
};
EOF

(7) Create the reverse zone file 2.2.10.in-addr.arpa
PLEASE NOTE: If you are an Ubuntu user and do not wish to modify apparmor profiles, you must change the path to /etc/bind/db.2.2.10.in-addr.arpa (as described in the note above for step 6).

Code:

/bin/cat << EOF > /etc/bind/db.2.2.10.in-addr.arpa
\$TTL 604800     ; 1 week
@     IN     SOA  ns.mydomain.lan. root.mydomain.lan. (
                             2009010702  ; serial
                                  86400  ; refresh (1 day)
                                  14400  ; retry (4 hours)
                                1204800  ; expire (1 week 6 days 22 hours 40 minutes)
                                 604800  ; minimum (1 week)
                             )

               NS      ns.mydomain.lan.
 
1              PTR     ns.mydomain.lan.
EOF

(8) Create the forward zone file for mydomain.lan
PLEASE NOTE: If you are an Ubuntu user and do not wish to modify apparmor profiles, you must change the path to /etc/bind/db.mydomain.lan (as described in the note above for step 6).

Code:

/bin/cat << EOF > /etc/bind/db.mydomain.lan
\$TTL 604800	; 1 week
@    IN     SOA ns.mydomain.lan. root.mydomain.lan. (
                             2003071701  ; serial
                                  86400  ; refresh (1 day)
                                  14400  ; retry (4 hours)
                                1204800  ; expire (1 week 6 days 22 hours 40 minutes)
                                 604800  ; minimum (1 week)
                             )
                NS              ns.mydomain.lan.
;
ns              A       10.2.2.1
EOF

(9) Back up the original dhcpd.conf and replace it with a custom config
PLEASE NOTE: There is a client_template section that needs to be filled out for each client that connects or the dynamic update may not work because dhcpd may not have a hostname to use for the update. There are more advanced ways to handle this, but I did not look into them much.

Code:

/bin/cp /etc/dhcp/dhcpd.conf{,/original_install}
/bin/cat << EOF > /etc/dhcp/dhcpd.conf
authoritative;

option domain-name "mydomain.lan";
option domain-name-servers 10.2.2.1;
option routers 10.2.2.1;
option subnet-mask 255.255.255.0;
option broadcast-address 10.2.2.255;

ddns-updates on;
ddns-update-style interim;
ddns-domainname "mydomain.lan";
ddns-rev-domainname "in-addr.arpa";

ignore client-updates;
 
default-lease-time 86400;
max-lease-time 86400;
 
log-facility local7;
 
key DHCP_UPDATER {
  algorithm hmac-md5;
  secret "${update_key}";
};

zone mydomain.lan. {
  primary ns.mydomain.lan;
  key DHCP_UPDATER;
}

zone 2.2.10.in-addr.arpa. {
  primary ns.mydomain.lan;
  key DHCP_UPDATER;
}

subnet 10.2.2.0 netmask 255.255.255.0 {
  range 10.2.2.50 10.2.2.254;

#  host client_template {
#    hardware ethernet XX:XX:XX:XX:XX:XX;
#    option host-name "clientYY";
#    ddns-hostname "clientYY";
#  }
}
EOF

(10) Make sure that resolv.conf is set up to use the local DNS
PLEASE NOTE: If your machine has two or more network cards and one or more of them run a dhcp client, then your resolv.conf file will change each and every time the dhclient leases an IP. I leave it to you to figure out how to work around that (because I don't have a good answer).

Code:

/bin/cat << EOF > /etc/resolv.conf
domain mydomain.lan
search mydomain.lan
nameserver 127.0.0.1
EOF

(11) Start the servers
PLEASE NOTE: The restart for isc-dhcp-server may begin with a "failed!" when trying to shut down the server if you received the "failed!" message when installing the server at the very beginning of these commands.
PLEASE NOTE: If you are an Ubuntu user, your DHCP server startup script is /etc/init.d/dhcp3-server instead of /etc/init.d/isd-dhcp-server.

Code:

/etc/init.d/bind9 restart
/etc/init.d/isc-dhcp-server restart

If everything goes well, when a client requests an IP address via DHCP, /var/syslog should contain something like the following:

Code:

Dec 31 17:12:10 dnsdhcp1 dhcpd: DHCPDISCOVER from 08:00:27:94:a3:f7 via eth1
Dec 31 17:12:11 dnsdhcp1 dhcpd: DHCPOFFER on 10.2.2.50 to 08:00:27:94:a3:f7 via eth1
Dec 31 17:12:11 dnsdhcp1 named[2723]: client 10.2.2.1#57971: signer "updatekey" approved
Dec 31 17:12:11 dnsdhcp1 named[2723]: client 10.2.2.1#57971: updating zone 'mydomain.lan/IN': adding an RR at 'debclient.mydomain.lan' A
Dec 31 17:12:11 dnsdhcp1 named[2723]: client 10.2.2.1#57971: updating zone 'mydomain.lan/IN': adding an RR at 'debclient.mydomain.lan' TXT
Dec 31 17:12:11 dnsdhcp1 dhcpd: Added new forward map from debclient.mydomain.lan to 10.2.2.50
Dec 31 17:12:11 dnsdhcp1 named[2723]: client 10.2.2.1#45304: signer "updatekey" approved
Dec 31 17:12:11 dnsdhcp1 named[2723]: client 10.2.2.1#45304: updating zone '2.2.10.in-addr.arpa/IN': deleting rrset at '50.2.2.10.2.2.10.in-addr.arpa' PTR
Dec 31 17:12:11 dnsdhcp1 named[2723]: client 10.2.2.1#45304: updating zone '2.2.10.in-addr.arpa/IN': adding an RR at '50.2.2.10.2.2.10.in-addr.arpa' PTR
Dec 31 17:12:11 dnsdhcp1 dhcpd: added reverse map from 50.2.2.10.2.2.10.in-addr.arpa to debclient.mydomain.lan
Dec 31 17:12:11 dnsdhcp1 dhcpd: DHCPREQUEST for 10.2.2.50 (10.2.2.1) from 08:00:27:94:a3:f7 via eth1
Dec 31 17:12:11 dnsdhcp1 dhcpd: DHCPACK on 10.2.2.50 to 08:00:27:94:a3:f7 via eth1

lithos · 01-06-2012, 10:06 AM

Great you could solve it,
could you Mark the thread as solved (look at my signature) if you have been successful, for other people that may come to this thread for a solution.