Index
- Introduction.
- Network IP plan.
- Host server network.
- DHCP client daemon.
- Configure the DNS server.
- Configure the DHCP server.
- Testing client configuration.
Changelog:
- 15-Jan-2012: small fix to /etc/dhcpd.conf.
- 29-Dec-2011: reverted to the original named database path.
- 03-Dec-2011: management workstation uses a fixed IP via DHCP.
- 26-Oct-2011: added udev rules, improved dnssec-keygen command.
- 17-Aug-2011: updated DHCP client daemon.
- 10-Aug-2011: added DHCP client daemon.
- 09-Jun-2011: initial release.
Introduction.
Our new home server has two network cards: eth0 is a 1 GB interface which we will use for our client computers, and eth1 is a 100 MB interface which will be connected to our ADSL or Cable modem. That modem uses DHCP, so we don't need a static configuration for that card. Then we will configure DNS and DHCP for our client computers so that they are automatically configured and registered.
Network IP plan.
We need a plan. We will allocate a private (RFC 1918) range of 8 networks and use one of them. The whole block is 10.126.160.0/21. This is on purpose: it makes expanding the network and routing easy when you later connect several home networks together using VPN links. The unused networks are reserved for a future DMZ and virtual connections. The range is more or less randomly chosen, but we deliberately stay away from the popular 192.168.* and low 10.* ranges because they are heavily used in public access points. If you use such a common range you can run into trouble when you access your home network over a VPN from a public network that uses the same range as this server. Choosing this one makes that chance a lot smaller.
| IPv4 | Remark |
|---|---|
| 10.126.160.0/24 | Workstations LAN |
| 10.126.161.0/24 | Spare |
| 10.126.162.0/24 | Spare |
| 10.126.163.0/24 | Spare |
| 10.126.164.0/24 | Spare |
| 10.126.165.0/24 | Spare |
| 10.126.166.0/24 | Spare |
| 10.126.167.0/24 | Spare |
Home server network.
DNS and DHCP are installed on the home server for the local network computers. These services configure the client computers so that they get their IPv4 address, the nameserver address, routing and timeserver information, and are registered in DNS. Our server will be called homsrv.wpl.ym, which is completely fake but does just what it must do. The top level domain ym is invented and doesn't exist in the real world.
Make sure the following packages are installed: bind, dhcp, dnsutils, inetutils, iproute2, iptables, iputils and net-tools. Just run "pacman -S --needed bind dhcp dnsutils inetutils iproute2 iptables iputils net-tools" as root to get them installed.
Since we have two Ethernet cards in our server, there is a chance that the order in which they are detected changes with each system boot, which makes the eth0 and eth1 names swap. To prevent this, create a udev rule file /etc/udev/rules.d/10-network.rules like this (use the MAC addresses of your own cards):
SUBSYSTEM=="net", ATTR{address}=="00:1f:c6:b5:6e:ef", NAME="eth0"
SUBSYSTEM=="net", ATTR{address}=="4c:00:10:50:f5:31", NAME="eth1"
Next edit the network interfaces in /etc/rc.conf like this:
#
# HOSTNAME: Hostname of machine. Should also be put in /etc/hosts
#
HOSTNAME="homsrv"

# Static IP
eth0="eth0 10.126.160.253 netmask 255.255.255.0 broadcast 10.126.160.255"
eth1="dhcp"   # ADSL or Cable
INTERFACES=(eth0 eth1)

# Routes to start at boot-up (in this order)
# Declare each route then list in ROUTES
#   - prefix an entry in ROUTES with a ! to disable it
#
gateway="default gw 192.168.0.1"
ROUTES=(!gateway)
Edit /etc/hosts like this:
#
# /etc/hosts: static lookup table for host names
#
#<ip-address>   <hostname.domain.org>   <hostname>
127.0.0.1       localhost.localdomain   localhost
#::1            localhost.localdomain   localhost
10.126.160.253  homsrv.wpl.ym           homsrv
Now reboot and the network should be configured and the computer should be named homsrv in the wpl.ym domain.
DHCP client daemon.
If you need to use DHCP to get an IP address from your ISP, you need to make some changes to the dhcpcd parameters. Edit /etc/conf.d/dhcpcd like this:
#
# Arguments to be passed to the DHCP client daemon
#
DHCPCD_ARGS="-d -q -C resolv.conf"
These options do the following: -d enables debug logging to syslog, -q makes the client quiet, and -C resolv.conf prevents /etc/resolv.conf from being overwritten every time we get a new IP address.
FIXME: problems if the ISP drops the link, comes back and wants a different IP address.
Configure the DNS server.
We are going to use the BIND nameserver together with the DHCP server, both written by the ISC. We will make it so that the DHCP server updates the DNS server as soon as a client PC is given a fresh IP address. There is an easier program (dnsmasq) for this, but we will do a lot more in the future and want to be prepared for those needs.
The configuration uses two views so that internal network clients get different answers from this DNS server than external (Internet) clients. The external view will be used for IPv6, but it is already visible here.
Now we are ready to set up named. First we need to create a secret key that will be shared between the DNS and DHCP servers:
[root@homsrv ~]# cd /var/named
[root@homsrv named]# dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 128 \
-n USER DHCP_UPDATER
Kdhcp_updater.+157+47641
[root@homsrv named]# ls -la
total 32
drwxr-x--- 3 named named 4096 Jun 4 21:15 .
drwxr-xr-x 15 root root 4096 Jun 4 19:51 ..
drwxr-xr-x 2 named named 4096 Jun 4 20:00 int
-rw------- 1 root root 54 Jun 4 21:15 Kdhcp_updater.+157+47641.key
-rw------- 1 root root 165 Jun 4 21:15 Kdhcp_updater.+157+47641.private
[root@homsrv named]# cat Kdhcp_updater.+157+47641.key
DHCP_UPDATER. IN KEY 0 3 157 XCe+CXl7kQBi762sjpjymg==
[root@homsrv named]#
Edit /etc/named.conf:
#
# /etc/named.conf on homsrv.wpl.ym
#
options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    datasize default;
    listen-on {
        10.126.160.253;
        10.126.161.2;
        127.0.0.1;
    };
    notify no;
    interface-interval 10;
    recursive-clients 200;
    tcp-clients 10;
    files 4096;
};

#
# Internal DNS, this is used by the internal servers
# and workstations. The LAN is updated by the DHCP servers.
#
view "internal" {
    match-clients {
        10.0.0.0/8;
        127.0.0.1;
    };
    auth-nxdomain yes;
    max-cache-size 16M;

    key "dhcp_updater" {
        algorithm HMAC-MD5;
        secret "XCe+CXl7kQBi762sjpjymg==";
    };

    # Your ISP's nameservers
    forwarders {
        195.241.77.51;
        195.241.77.52;
    };

    #
    # localhost
    #
    zone "localhost" IN {
        type master;
        file "int/db.localhost";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "int/db.0.0.127";
        allow-update { none; };
    };

    #
    # Internal network
    #
    zone "wpl.ym" IN {
        type master;
        file "int/db.wpl.ym";
        allow-update { key "dhcp_updater"; };
        allow-transfer { none; };
    };
    zone "160.126.10.in-addr.arpa" IN {
        type master;
        file "int/db.160.126.10";
        allow-update { key "dhcp_updater"; };
        allow-transfer { none; };
    };
};

#
# External view, used by the Internet. Most important is the
# reverse IPv6 mapping that you can set with the SixXS subnet
# configuration screen.
#
# Normal forward IPv4 and IPv6 is most likely set in the DNS
# that belongs to your domain (wpl.uk in this case).
#
view "external" {
    match-clients { any; };
    recursion no;
    # No zones yet
};
Edit /var/named/int/db.0.0.127
$TTL 86400
@       IN SOA localhost. root.localhost. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS  localhost.
1       IN PTR localhost.
Edit /var/named/int/db.160.126.10
$ORIGIN .
$TTL 86400      ; 1 day
160.126.10.in-addr.arpa IN SOA homsrv.wpl.ym. hostmaster.wpl.ym. (
                2011020634 ; serial
                28800      ; refresh (8 hours)
                14400      ; retry (4 hours)
                3600000    ; expire (5 weeks 6 days 16 hours)
                86400      ; minimum (1 day)
                )
        NS ns1.wpl.ym.
$ORIGIN 160.126.10.in-addr.arpa.
253     PTR homsrv.wpl.ym.
5       PTR mgmtws.wpl.ym.
Edit /var/named/int/db.localhost
$TTL 86400
$ORIGIN localhost.
@       IN SOA @ root (
                2010121601 ; serial (d. adams)
                3H         ; refresh
                15M        ; retry
                1W         ; expiry
                1D )       ; minimum
        IN NS @
        IN A  127.0.0.1
Edit /var/named/int/db.wpl.ym. There are also host records for the nameserver ns1.wpl.ym and mail server mail.wpl.ym. These are needed to make our fake domain complete.
$ORIGIN .
$TTL 86400      ; 1 day
wpl.ym  IN SOA homsrv.wpl.ym. hostmaster.wpl.ym. (
                2011020700 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
        NS ns1.wpl.ym.
        A  10.126.160.253
        MX 10 mail.wpl.ym.
$ORIGIN wpl.ym.
homsrv  A 10.126.160.253
mail    A 10.126.160.253
mgmtws  A 10.126.160.5
ns1     A 10.126.160.253
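The forward and reverse zone files must agree: every A record in db.wpl.ym needs a PTR in db.160.126.10, and every PTR must point back at a name that owns that address, otherwise the DHCP-driven updates later on will build on inconsistent data. The checker below is an added example (not code from the original page); it parses abridged, constructed copies of the two zone files, honouring $ORIGIN and relative names the way BIND does, and lists each mismatch.

```python
# Added example (not the page's code): forward/reverse zone consistency check.
# The zone texts are abridged, constructed copies of db.wpl.ym and db.160.126.10.
import ipaddress

FORWARD_ZONE = """$ORIGIN .
wpl.ym  IN SOA homsrv.wpl.ym. hostmaster.wpl.ym. 2011020700 10800 900 604800 86400
        A 10.126.160.253
$ORIGIN wpl.ym.
homsrv  A 10.126.160.253
mgmtws  A 10.126.160.5
ns1     A 10.126.160.253
"""
REVERSE_ZONE = """$ORIGIN 160.126.10.in-addr.arpa.
@       IN SOA homsrv.wpl.ym. hostmaster.wpl.ym. 2011020634 28800 14400 3600000 86400
253     PTR homsrv.wpl.ym.
5       PTR mgmtws.wpl.ym.
"""

def _fqdn(name, origin):
    """Absolute form of an owner or target name relative to the current $ORIGIN."""
    if name == "@" or name.endswith("."):
        return origin if name == "@" else name
    return name + "." if origin == "." else f"{name}.{origin}"

def parse_zone(text, rrtype):
    """Map owner FQDN -> list of rdata for records of the given type."""
    origin, owner, records = ".", None, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # drop comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        if not line.strip() or line.startswith("$"):   # blank lines and directives
            continue
        fields = line.split()
        if not line[0].isspace():                      # owner name present on this line
            owner, fields = _fqdn(fields[0], origin), fields[1:]
        while fields and (fields[0].isdigit() or fields[0] == "IN"):
            fields.pop(0)                              # optional TTL and class
        if fields[:1] == [rrtype]:
            rdata = fields[1] if rrtype == "A" else _fqdn(fields[1], origin)
            records.setdefault(owner, []).append(rdata)
    return records

def check_consistency(forward_text, reverse_text):
    """Return mismatch descriptions; an empty list means the two zones agree."""
    a_recs, ptr_recs = parse_zone(forward_text, "A"), parse_zone(reverse_text, "PTR")
    problems = [f"no PTR for {ip} ({owner})" for owner, ips in a_recs.items()
                for ip in ips if ipaddress.ip_address(ip).reverse_pointer + "." not in ptr_recs]
    for rev, targets in ptr_recs.items():
        ip = ".".join(reversed(rev[:-len(".in-addr.arpa.")].split(".")))
        problems += [f"PTR {rev} -> {t} but {t} has no A {ip}" for t in targets if ip not in a_recs.get(t, [])]
    return problems
```

Several names sharing one address (homsrv, mail, ns1 and the apex all on .253) is fine; only one of them needs to be the PTR target.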
Now start the server and test it:
[root@homsrv ~]# /etc/rc.d/named start
:: Starting BIND   [DONE]
[root@homsrv ~]# host ns1.wpl.ym localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:

ns1.wpl.ym has address 10.126.160.253
[root@homsrv ~]# host 10.126.160.253 localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:

253.160.126.10.in-addr.arpa domain name pointer homsrv.wpl.ym.
[root@homsrv ~]# host www.google.com localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:

www.google.com is an alias for www.l.google.com.
www.l.google.com has address 74.125.79.147
www.l.google.com has address 74.125.79.99
www.l.google.com has address 74.125.79.104
[root@homsrv ~]#
We forced the host command to use our localhost nameserver so that we can test whether it works. Edit /etc/resolv.conf like this:
search wpl.ym
nameserver 10.126.160.253
Now you should be able to do all tests above without the localhost on the command line.
Configure the DHCP server.
Here we configure the DHCP server for IPv4 only. Adding IPv6 is for another story. Edit /etc/dhcpd.conf:
# /etc/dhcpd.conf
authoritative;

#
# Updates
#
ddns-update-style interim;
ddns-updates on;
ddns-domainname "wpl.ym";
ddns-rev-domainname "in-addr.arpa";
allow client-updates;
# To work around a bug where IPv4 and IPv6 updates conflict.
update-conflict-detection false;
# Adds a lot more DNS updates.
update-optimization false;

key "dhcp_updater" {
    algorithm HMAC-MD5;
    secret XCe+CXl7kQBi762sjpjymg==;
}
zone wpl.ym. {
    primary 10.126.160.253;
    key "dhcp_updater";
}
zone 160.126.10.in-addr.arpa. {
    primary 10.126.160.253;
    key "dhcp_updater";
}

#
# Default 30 minutes, max 2 hours.
#
default-lease-time 1800;
max-lease-time 7200;
log-facility local7;

subnet 10.126.160.0 netmask 255.255.255.0 {
    authoritative;
    range 10.126.160.100 10.126.160.199;
    option domain-name "wpl.ym";
    option routers 10.126.160.253;
    option broadcast-address 10.126.160.255;
    option domain-name-servers 10.126.160.253;
    option subnet-mask 255.255.255.0;
    option netbios-name-servers 10.126.160.253;
    option netbios-dd-server 10.126.160.253;
    option netbios-node-type 8;
    option time-servers 10.126.160.253;
    option ntp-servers 10.126.160.253;
    # Workaround for Windows Vista and 7, this allows these to get
    # the offered IP address.
    always-broadcast on;
}

# Management workstation, a fixed address.
host mgmtws {
    hardware ethernet 08:00:27:d0:de:af;
    fixed-address 10.126.160.5;
}
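A fixed-address host that falls inside the dynamic range, or a routers or domain-name-servers option that is not in the subnet, quietly breaks this setup (duplicate addresses or clients that cannot reach the gateway). The following is an added example, not code from the page: it parses an abridged, constructed copy of the dhcpd.conf above and reports those misconfigurations; parse_dhcpd and check_dhcpd are names chosen here.

```python
# Added example (not the page's code): sanity checks for the dhcpd.conf above.
# DHCPD_CONF is an abridged, constructed copy of that file.
import ipaddress
import re

DHCPD_CONF = """subnet 10.126.160.0 netmask 255.255.255.0 {
    range 10.126.160.100 10.126.160.199;
    option routers 10.126.160.253;
    option domain-name-servers 10.126.160.253;
}
host mgmtws {
    hardware ethernet 08:00:27:d0:de:af;
    fixed-address 10.126.160.5;
}
"""

def parse_dhcpd(text):
    """Extract each subnet's network, dynamic range and server options, plus host fixed addresses."""
    subnets, hosts = [], {}
    for m in re.finditer(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", text, re.S):
        body = m.group(3)
        rng = re.search(r"range\s+(\S+)\s+(\S+);", body)
        subnets.append({
            "net": ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
            "range": tuple(ipaddress.ip_address(a) for a in rng.groups()) if rng else None,
            "servers": [ipaddress.ip_address(a) for a in
                        re.findall(r"option (?:routers|domain-name-servers)\s+([\d.]+);", body)],
        })
    for m in re.finditer(r"\bhost\s+(\S+)\s*\{(.*?)\}", text, re.S):
        fa = re.search(r"fixed-address\s+([\d.]+);", m.group(2))
        if fa:
            hosts[m.group(1)] = ipaddress.ip_address(fa.group(1))
    return subnets, hosts

def check_dhcpd(text):
    """Return findings; an empty list means pool, server options and fixed hosts are coherent."""
    subnets, hosts = parse_dhcpd(text)
    findings = []
    for s in subnets:
        net, rng = s["net"], s["range"]
        if rng and not (rng[0] in net and rng[1] in net and rng[0] <= rng[1]):
            findings.append(f"range {rng[0]}-{rng[1]} not inside {net}")
        findings += [f"server {a} outside {net}" for a in s["servers"] if a not in net]
        for name, addr in hosts.items():        # a static lease inside the pool invites duplicates
            if rng and rng[0] <= addr <= rng[1]:
                findings.append(f"host {name} fixed-address {addr} collides with dynamic range {rng[0]}-{rng[1]}")
    for name, addr in hosts.items():
        if not any(addr in s["net"] for s in subnets):
            findings.append(f"host {name} fixed-address {addr} matches no declared subnet")
    return findings
```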
Then /etc/conf.d/dhcp:
#
# Arguments to be passed to the DHCP server daemon
#
# ipv4 runtime parameters
DHCP4_ARGS="-q -cf /etc/dhcpd.conf eth0"
# ipv6 runtime parameters
DHCP6_ARGS="-q -cf /etc/dhcpd6.conf eth0"
Now start the server:
[root@homsrv ~]# /etc/rc.d/dhcp4 start
:: Starting DHCPv4 Server   [DONE]
[root@homsrv ~]#
Testing the client configuration.
Now when you plug a computer into the eth0 network, it should get an IPv4 address and the other information from our home server. If that works, this part is ok, but you won't be able to connect to the Internet yet. This is because our home server doesn't forward network traffic yet and does not do Network Address Translation (NAT); that is for the next article.
Do not forget to add dhcp4 to the DAEMONS=() line in /etc/rc.conf so that it now looks like:
DAEMONS=(syslog-ng network netfs named sshd crond dhcp4 @mdadm)
