#1
    Registered User (Devshed Newbie, 0 - 499 posts), Warren, Mi, joined Feb 2015

    Setting up internal DNS and DHCP server


    I am setting up a CentOS/BIND9/DHCP machine internally - inside my home office network.
    I want to
    1) Cache DNS queries
    2) When someone asks for something outside of the internal network (let's say yahoo.com), I want it to forward the request on to Google's DNS or my service provider's DNS. Assuming that info isn't already cached.
    3) I want most client machines to be DHCP clients and get all the info automatically from this DHCP server.
    4) When someone asks for something INSIDE my internal network, I want the DNS to resolve it.
    For instance, if someone pings another workstation by name, I want it to respond with the IP:
    $ ping somemachine
    ... but it does not work. Even if I use the FQDN:
    $ ping somemachine.office.mycompany.com
    ...it still does not work.

    I've got DNS happily doing 1 and 2, but not 3. What am I missing? Info on the webs point me to dyndns/ddns stuff, but I am starting to question if this is actually what I should be looking for. Dyndns/ddns may actually be for if I want the world to resolve an address to my dynamic ISP given IP, which is not something I need. Though there seems to also be reference to ddns being something to accomplish item 3. Maybe it does both.

    I posted earlier in this forum trying to resolve this from another angle, but I think maybe I did not word the problem correctly (based on lack of response and further trolling of the internets). So this is an attempt to frame the problem better. What is the secret to item 3? This seems like it should be an easy thing, but it continues to elude me.

    Anyway, here are all the relevant config files. Any help you can give me would be very appreciated. Even if it is as basic as "you don't want ddns, you want <blah>"

    Item 1: Contents of file test.bind.ddns (used for item 2)
    Code:
    server ns1.office.mycompany.com
    key rndc-key xxxxxxxxxxxxxxxxxxxxxx==
    zone office.mycompany.com.
    update add 55.4.168.192.in-addr.arpa. 600 IN PTR stinky.office.mycompany.com.
    send
    update add stinky.office.mycompany.com. 600 IN A 192.168.4.55
    send
    Item 2: output of $ nsupdate -d test.bind.ddns
    Code:
    Sending update to 192.168.4.25#53
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  12786
    ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;office.mycompany.com. IN    SOA
    
    ;; UPDATE SECTION:
    55.4.168.192.in-addr.arpa. 600  IN      PTR     stinky.office.mycompany.com.
    
    ;; TSIG PSEUDOSECTION:
    rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1424545073 300 16 xxxxxxxxxxxxxxxxxxxxxx== 12786 NOERROR 0
    
    
    Reply from update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOTZONE, id:  12786
    ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;office.mycompany.com. IN    SOA
    
    ;; TSIG PSEUDOSECTION:
    rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1424545073 300 16 xxxxxxxxxxxxxxxxxxxxxx== 12786 NOERROR 0
    
    Sending update to 192.168.4.25#53
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  25853
    ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;office.mycompany.com. IN    SOA
    
    ;; UPDATE SECTION:
    stinky.office.mycompany.com. 600 IN A 192.168.4.55
    
    ;; TSIG PSEUDOSECTION:
    rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1424545073 300 16 xxxxxxxxxxxxxxxxxxxxxx== 25853 NOERROR 0
    
    Reply from update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id:  25853
    ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;office.mycompany.com. IN    SOA
    
    ;; TSIG PSEUDOSECTION:
    rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1424545073 300 16 xxxxxxxxxxxxxxxxxxxxxx== 25853 NOERROR 0
    
    Sending update to 192.168.4.25#53
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  64801
    ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;office.mycompany.com. IN    SOA
    
    ;; TSIG PSEUDOSECTION:
    rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1424545073 300 16 xxxxxxxxxxxxxxxxxxxxxx== 64801 NOERROR 0
    
    Reply from update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  64801
    ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
    ;; ZONE SECTION:
    ;office.mycompany.com. IN    SOA
    
    ;; TSIG PSEUDOSECTION:
    rndc-key.               0       ANY     TSIG    hmac-md5.sig-alg.reg.int. 1424545073 300 16 xxxxxxxxxxxxxxxxxxxxxx== 64801 NOERROR 0
    Item 3: Contents of /etc/named.conf
    Code:
    options {
     directory "/var/named";
     recursion yes;
     allow-recursion { trusted; };
     listen-on { 192.168.4.25; };
     allow-query { 192.168.4/24; 127.0.0.1; };
     allow-transfer { 192.168.4/24; 127.0.0.1; };
     forwarders {
      8.8.8.8;
      8.8.4.4;
      };
     };
    
    key "rndc-key" {
     algorithm hmac-md5;
     secret "xxxxxxxxxxxxxxxxxxxxxx==";
     };
    
    acl "trusted" {
     192.168.4.0/24;
     };
    
    zone "." IN {
     type hint;
     file "named.ca";
     };
    
    # forward lookup
    zone "office.mycompany.com" {
     type master;
     file "/var/named/forward.office.mycompany.com";
     allow-update { key rndc-key; };
     };
    
    # reverse lookup
    zone "168.192.4.in-addr.arpa" {
     type master;
     file "/var/named/reverse.office.mycompany.com";
     allow-update { key rndc-key; };
     };
    Item 4: Content of /var/named/forward.office.mycompany.com
    Code:
     $TTL    604800
    @ IN SOA ns1.office.mycompany.com. tj.hooker.us. (
     2015022111     ; Serial YYYYMMDD1x
     604800         ; Refresh (1 week)
     86400          ; Retry (1 day)
     2419200        ; Expire (4 weeks)
     604800 )       ; Negative Cache TTL (1 week)
    ;
    
    ; name servers - NS records
     IN NS ns1.office.mycompany.com.
     IN NS ns2.office.mycompany.com.
    
    ; A records for name servers
    ns1.office.mycompany.com. IN A 192.168.4.25
    ns2.office.mycompany.com. IN A 192.168.4.26
    
    ; Other A records
    fileserver01.office.mycompany.com. IN A 192.168.4.14
    Item 5: Contents of /var/named/reverse.office.mycompany.com
    Code:
    $TTL 604800
    @ IN SOA office.mycompany.com. tj.hooker.us. (
     2015022101     ; Serial YYYYMMDD0x
     604800         ; Refresh (1 week)
     86400          ; Retry (1 day)
     2419200        ; Expire (4 weeks)
     604800 )       ; Negative Cache TTL (1 week)
    ;
    ; name servers
     IN NS ns1.office.mycompany.com.
     IN NS ns2.office.mycompany.com.
    
    ; PTR records
    25 IN PTR ns1.office.mycompany.com.
    26 IN PTR ns2.office.mycompany.com.
    14 IN PTR fileserver01.office.mycompany.com.
    Item 6: Contents of /etc/dhcp/dhcpd.conf
    Code:
    ddns-updates on;
    ddns-update-style interim;
    update-static-leases on; # allows dyn update of even reserved addresses
    option domain-name "office.mycompany.com"; #no trailing .
    ddns-domainname "office.mycompany.com."; #trailing .
    ddns-rev-domainname "in-addr.arpa."; # trailing .
    option domain-name-servers 192.168.4.25, 192.168.4.26;
    option time-offset -18000; # Eastern Std Time
    default-lease-time 259200; # 3 days
    max-lease-time 259200; # 3 days
    authoritative;
    key rndc-key { algorithm hmac-md5; secret xxxxxxxxxxxxxxxxxxxxxx==;}
    allow unknown-clients;
    use-host-decl-names on;
    
    zone 168.192.in-addr.arpa. {
            primary 192.168.4.25;
            key rndc-key;
            }
    zone office.mycompany.com. {
            primary 192.168.4.25;
            key rndc-key;
            }
    
    subnet 192.168.4.0 netmask 255.255.255.0 {
            range 192.168.4.50 192.168.4.200;
            option subnet-mask 255.255.255.0;
            # needed?       option broadcast-address 192.168.4.255;
            option routers 192.168.4.1;
            }
    
    group {
            # Host number one - doesn't really work, just for showzes
            host blackmamba.office.mycompany.com {
                    hardware ethernet 00:00:00:00:00:01;
                    fixed-address 192.168.4.17;
                    ddns-hostname "blackmamba";
                    }
            # Host 2,3,4,... here
            }
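As an added check (not code from the thread), the Python below derives the reverse zone name a subnet needs and flags update records that fall outside the zone named in the nsupdate script: in the debug output above, the PTR for 55.4.168.192.in-addr.arpa. was sent under zone office.mycompany.com., which is exactly what a NOTZONE reply signals, and the reverse zone name in named.conf does not match the one 192.168.4.0/24 needs. The sample script and zone names are constructed from the posted files, and the parser's assumption that a "zone" line stays in force for later "send"s is marked in the code.

```python
import ipaddress

# Constructed sample mirroring the test.bind.ddns posted above (server/key lines omitted).
SAMPLE_SCRIPT = """\
zone office.mycompany.com.
update add 55.4.168.192.in-addr.arpa. 600 IN PTR stinky.office.mycompany.com.
send
update add stinky.office.mycompany.com. 600 IN A 192.168.4.55
send
"""

def reverse_zone_for(cidr):
    """Reverse zone for an octet-aligned IPv4 network: 192.168.4.0/24 -> 4.168.192.in-addr.arpa"""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def in_zone(name, zone):
    """True if the owner name lies inside the zone (trailing dot and case ignored)."""
    n, z = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)

def parse_nsupdate(script):
    """Group each 'send' with its owner names; assumes a 'zone' line stays in force for later sends."""
    blocks, zone, owners = [], None, []
    for line in script.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "zone":
            zone = parts[1]
        elif parts[0] == "update" and len(parts) >= 3:
            owners.append(parts[2])
        elif parts[0] == "send":
            blocks.append((zone, owners))
            owners = []
    return blocks

def check_updates(script):
    """Owner names outside the zone named in their update; named answers NOTZONE for these."""
    return [f"{o} is outside zone {zone}" for zone, owners in parse_nsupdate(script)
            for o in owners if zone and not in_zone(o, zone)]

def reverse_zone_matches(zone_in_named_conf, subnet):
    """Does the named.conf reverse zone name match what the subnet actually needs?"""
    return zone_in_named_conf.rstrip(".").lower() == reverse_zone_for(subnet)
```

The SERVFAIL on the A record update is a separate failure that this check does not cover: it usually means named could not write the zone's journal, and on CentOS a dynamically updated zone file normally has to live in a directory named is allowed to write to, such as /var/named/dynamic.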
#2
    Registered User (Devshed Newbie, 0 - 499 posts), Warren, Mi, joined Feb 2015
    Or... I could simply ask what the bare minimum configuration is to set up Bind9 (internal, caching, dynamically updated from DHCP) and a DHCP server on a CentOS7 (or equiv) system. My setup (modified since above - it is in constant revision) can be thrown out. No security, nothing fancy, bare bones - that's all I need. I figure I can add features if need be later once I have a solid system. Or heck - point me at a reasonably priced appliance that does this. Or heck again - point me at a competent BINDer person who will contract this for a reasonable fee. Maybe Windows SBS 2011 is a good idea after all. I hate getting my butt whipped like this, but it's getting to cut my losses time - my family misses me.
    -Jeff
#3
    Grumpier old Moderator (Devshed Supreme Being, 6500+ posts), joined Jun 2003
    I don't use BIND, but for my own internal network I use dnsmasq on a CentOS 7 server for internal DNS and DHCP.

    ======
    Doug G
    ======
    "I've never been able to appreciate the sublime arrogance of folks who feel they were put on earth just to save other folks from themselves .." - Donald Hamilton
#4
    Registered User (Devshed Newbie, 0 - 499 posts), Warren, Mi, joined Feb 2015
    In retrospect I shouldn't have been using a flame thrower to light the candle when a match would have worked just fine.

    I'm still a little beat down that BIND eluded me for so long and I'm still no further with it. But on the other hand, your pointing me to the now extremely obvious solution of using dnsmasq has me up and running correctly within a matter of an hour. Thank you for your reply, DougG.
    -Jeff
