HowTo Configure DHCP and DNS Servers
From SIPfoundry sipx, The Open Source SIP PBX for Linux - Calivia
The sipX system needs properly configured DHCP and DNS servers to operate. If such servers do not already exist in your network, you might want to run them on the same host as the sipX system. This page describes how to set up Linux DHCP and DNS servers on the sipX host that will provide the required services to your network. Note that only one DHCP server can be authoritative per LAN segment.
Adding a mail server required for voicemail notification by email is described on this page: Configure sendmail for Email Notification of Voicemail.
This page is initially intended for Red Hat / Fedora users. We might add info for other distros later.
Note: SELinux has to be turned off for sipX, which means that the Fedora security policy for the named DNS server is turned off as well. You therefore should run named in a chroot jail, which we will do in a second step. Refer to man named.
You should not use the domain name "example.com" - you should register a real domain name; there are many ISPs and DNS providers that can help you with setting this up.
DHCP Server Configuration
Make sure the host on which you plan to install DHCP and DNS servers has a fixed IP address as well as a properly assigned host and domain name. In this example we use domain.com for the domain name and sipx for the hostname.
File: /etc/hosts (a host that was assigned a fixed IP address)
Pick a suitable private address range for your internal LAN (if you don't know what they are, use 192.168.1.x and a netmask of 255.255.255.0).
Installing the DHCP Server
We need the ISC DHCP server version 3, which is the default on FC4:
yum install dhcp
Configuring the DHCP Server
We configure the DHCP server for dynamic updating of the DNS server. The DHCP server has the ability to dynamically update the Domain Name System; within the configuration files you can define how the Domain Name System should be updated. These updates are RFC 2136 compliant, so any DNS server supporting RFC 2136 should be able to accept updates from the DHCP server. The advantage of this scheme is that when a new host is connected and obtains its IP address, its name is automatically inserted into the DNS system. For security reasons a key is required to communicate between the DHCP and DNS servers. Refer to "man dhcpd.conf" for more information.
File: /etc/dhcpd.conf
authoritative; # No other DHCP servers on this subnet
Note: The key and the key file /etc/rndc.key are first generated with the rndc-confgen -a command (see DNS server configuration below). The key needs to be manually copied into the /etc/dhcpd.conf file.
Note: For further information refer to man dhcpd.conf.
Starting the DHCP Server
/sbin/service dhcpd start
Add to runlevels: chkconfig --levels 235 dhcpd on. The leases database is in the file /var/lib/dhcp/dhcpd.leases.
DNS Server Configuration
The Linux DNS Server is called bind or named; we need version 9. It should already be installed on your system, which can be verified using rpm -q bind.
The following files need to be configured:
- /etc/named.conf
- /var/named/example.com.zone
- /var/named/192.168.5.zone
- /etc/resolv.conf
- /etc/sysconfig/named
Generate Key required to exchange updates between DHCP and DNS
The tool rndc-confgen, using the -a option, can auto-generate the necessary key as well as the configuration required by bind. It generates the /etc/rndc.conf and /etc/rndc.key files. The key still needs to be manually inserted in the DHCP configuration file /etc/dhcpd.conf.
rndc-confgen -a
File: Generated /etc/rndc.key file
key "rndckey" {
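Because the same secret has to live in both /etc/rndc.key and /etc/dhcpd.conf, a wrong copy is the usual reason DDNS updates fail. The following Python is an added example, not code from the original page: it generates a secret the way rndc-confgen does (random bytes, base64), renders it in the BIND and in the dhcpd.conf syntax, and checks that two config texts really carry the same key. The dhcpd zone stanzas assume the DNS server listens on 127.0.0.1.

```python
import base64
import os
import re

# Added example, not from the original page. The secret is generated the way
# rndc-confgen does (random bytes, base64) and rendered in both syntaxes, so
# the copy into /etc/dhcpd.conf can be checked instead of eyeballed.

def generate_secret(nbytes=16):
    """Random 128-bit HMAC-MD5 secret, base64-encoded."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")

def bind_key_stanza(name, secret, algorithm="hmac-md5"):
    """Key statement as it appears in /etc/rndc.key (included by named.conf)."""
    return (f'key "{name}" {{\n\talgorithm {algorithm};\n'
            f'\tsecret "{secret}";\n}};\n')

def dhcpd_key_stanza(name, secret, algorithm="hmac-md5", dns="127.0.0.1"):
    """Same key in dhcpd.conf form, plus the zone stanzas that tell dhcpd where
    to send RFC 2136 updates (the DNS server address is an assumption)."""
    return (f'key {name} {{\n\talgorithm {algorithm};\n'
            f'\tsecret "{secret}";\n}};\n'
            f'zone example.com. {{ primary {dns}; key {name}; }}\n'
            f'zone 5.168.192.in-addr.arpa. {{ primary {dns}; key {name}; }}\n')

# Matches key "NAME" { ... secret "..."; } in either BIND or dhcpd syntax.
SECRET_RE = r'key\s+"?{name}"?\s*\{{[^}}]*?secret\s+"?([A-Za-z0-9+/=]+)"?\s*;'

def extract_secret(config_text, name):
    """Secret of key `name` from a BIND or dhcpd config text, or None."""
    m = re.search(SECRET_RE.format(name=re.escape(name)), config_text, re.S)
    return m.group(1) if m else None

def keys_in_sync(rndc_key_text, dhcpd_conf_text, name="rndckey"):
    """True only if both files define `name` with an identical secret."""
    a = extract_secret(rndc_key_text, name)
    return a is not None and a == extract_secret(dhcpd_conf_text, name)

if __name__ == "__main__":
    secret = generate_secret()
    print(bind_key_stanza("rndckey", secret))
    print(dhcpd_key_stanza("rndckey", secret))
    print("in sync:", keys_in_sync(bind_key_stanza("rndckey", secret),
                                   dhcpd_key_stanza("rndckey", secret)))
```

On a live host, read /etc/rndc.key and /etc/dhcpd.conf and pass their contents to keys_in_sync() before restarting either daemon.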
The /etc/named.conf File
The following two sections were added automatically when running the rndc-confgen -a command:
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
include "/etc/rndc.key";
The following two zone definitions were added manually:
zone "example.com" IN {
type master;
file "example.com.zone";
allow-update { key "rndckey"; };
notify yes;
};
zone "5.168.192.in-addr.arpa" {
type master;
file "192.168.5.zone";
allow-update { key "rndckey"; };
notify yes;
};
Optional: DNS Security
There are lots of options to secure access to the DNS resources on your LAN. The following provides some simple mechanisms.
File: Additions to /etc/named.conf
// prevent zone transfers:
The /var/named/example.com.zone File
;
; Zone file for domain.com
;
$TTL 3D
@ IN SOA ns1.example.com. root.example.com. (
200602132 ; serial#
3600 ; refresh, seconds
3600 ; retry, seconds
3600 ; expire, seconds
3600 ) ; minimum TTL, seconds
NS ns1.example.com. ; Inet Address of nameserver
example.com. MX 10 mail ; Primary Mail Exchanger
;
localhost A 127.0.0.1
sipx A 192.168.5.145 ; Record of class IN by default
_sip._udp SRV 100 1 5060 sipx
_sip._tcp SRV 200 1 5060 sipx
_sips._tcp SRV 300 1 5060 sipx
ns1 CNAME sipx
mail CNAME sipx
Note: If a name (hostname or domainname) is followed by a period "." nothing is appended. If there is no period, the domain name of the current context is automatically appended.
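To make the trailing-dot rule concrete and to catch a common zone-file mistake (an SRV or CNAME pointing at a name that has no A record, which silently breaks SIP service discovery), here is a small checker. It is an added example, not code from the original page; the sample zone is constructed from the forward zone above with one deliberately mistyped SRV target.

```python
import re
# Added example, not from the original page: a minimal reader for the zone file
# above that applies the trailing-dot rule ("@" is the origin, a name without a
# final "." gets the origin appended), then verifies that every NS, MX, SRV and
# CNAME target resolves to an A record (one CNAME hop is followed).
TYPES = {"SOA", "NS", "A", "MX", "SRV", "CNAME", "PTR"}
NAME_LAST = {"NS", "MX", "SRV", "CNAME", "PTR"}      # last rdata field is a name

def qualify(name, origin):
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return [(owner, rtype, rdata)] with every name fully qualified."""
    text = re.sub(r";[^\n]*", "", text)                        # strip comments
    text = re.sub(r"\([^)]*\)", lambda m: m.group(0).replace("\n", " "), text)
    owner, out = origin, []
    for line in text.splitlines():
        toks = [t for t in line.split() if t not in ("IN", "(", ")")]
        if not toks or toks[0].startswith("$"):                # blank or $TTL
            continue
        if not line[0].isspace():                              # explicit owner
            owner = qualify(toks.pop(0), origin)
        while toks and toks[0] not in TYPES:                   # optional TTL
            toks.pop(0)
        if toks:
            rdata = toks[1:]
            if toks[0] in NAME_LAST:
                rdata[-1] = qualify(rdata[-1], origin)
            out.append((owner, toks[0], rdata))
    return out

def dangling_targets(records):
    """Names referenced by NS/MX/SRV/CNAME records that have no A record."""
    a = {o for o, t, _ in records if t == "A"}
    cname = {o: r[0] for o, t, r in records if t == "CNAME"}
    return [f"{o} {t} -> {r[-1]}" for o, t, r in records
            if t in NAME_LAST and cname.get(r[-1], r[-1]) not in a]

# Constructed sample, trimmed from the forward zone above, plus one SRV record
# with a mistyped target so the check has something to report.
ZONE = """$TTL 3D
@ IN SOA ns1.example.com. root.example.com. ( 200602132 ; serial
    3600 3600 3600 3600 )
example.com. MX 10 mail
sipx A 192.168.5.145
_sip._udp SRV 100 1 5060 sipx
_sips._tcp SRV 300 1 5060 sipx-pbx
mail CNAME sipx
"""
def audit():
    return dangling_targets(parse_zone(ZONE, "example.com."))
```

Running audit() on the sample reports only the _sips._tcp record, whose target sipx-pbx.example.com. has neither an A nor a CNAME record.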
The /var/named/192.168.5.zone File
;
; Reverse zone file for domain.com
;
$TTL 3D
@ IN SOA ns1.example.com. root.example.com. (
200602132 ; serial#
3600 ; refresh, seconds
3600 ; retry, seconds
3600 ; expire, seconds
3600 ) ; minimum TTL, seconds
NS ns1.example.com. ; Inet Address of nameserver
;
1 PTR localhost.
145 PTR sipx.example.com.
; Don't specify any reverse pointer records for addresses in the
; DHCP range. Dynamic updates will define those as necessary.
Change Zone File Ownership
In order for the named server to be able to update the zone files as it receives dynamic update requests from the DHCP server, it has to have write permission for all the zone files. If you created your zone files as root, you have to change permissions as follows:
cd /var/named
chown named:named *
Enable named to write Zone Files
If SELinux is disabled (required for sipX), then allow named to write its zone files and create files in its $ROOTDIR/var/named directory; this is necessary for dynamic updates (DDNS) and slave zone transfers.
File: /etc/sysconfig/named
# This line needs to be added
The /etc/resolv.conf File
search example.com
nameserver 127.0.0.1
Starting the DNS Server
/sbin/service named start
Add to runlevels: chkconfig --levels 235 named on.
Important note: Editing the Zone files while dynamic updates are active
When dynamic update is enabled for a zone, the zone can no longer be manually edited as normal. Attempting to do so may work in some cases, but will usually result in a name server error. The DNS server keeps a journal (.jnl) file of incoming updates. The file is not automatically synchronized with the zone file, but this can be forced with the "rndc stop" command. Extreme care has to be exercised when manually updating a zone subject to dynamic updates. When using BIND 9.3 the following can be used, which does not require that named be stopped:
1. rndc freeze example.com
Remember to increment the serial number in the zone file as you make changes.
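The serial increment the note asks for, as an added example (not code from the original page): it rewrites the SOA serial in the YYYYMMDDnn convention and never lets the serial go backwards. The sample SOA is constructed to match the forward zone above; its serial 200602132 is below any date-based value, so the first bump moves it onto the date scheme.

```python
import re
from datetime import date

# Added example, not from the original page: bump the SOA serial of a zone file
# edited by hand. Serials follow YYYYMMDDnn; on the same day each bump adds one.
SOA_SERIAL = re.compile(r"\bSOA\b[^()]*\(\s*(\d+)")

def next_serial(current, yyyymmdd):
    """Today's date-based serial, or current + 1 if that is already ahead."""
    base = yyyymmdd * 100
    return base if current < base else current + 1

def bump_serial(zone_text, yyyymmdd=None):
    """Return (new_zone_text, new_serial); raises if no SOA serial is found."""
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    today = yyyymmdd or int(date.today().strftime("%Y%m%d"))
    new = next_serial(int(m.group(1)), today)
    return zone_text[:m.start(1)] + str(new) + zone_text[m.end(1):], new

# Constructed sample, matching the SOA of the forward zone above.
SAMPLE = """$TTL 3D
@ IN SOA ns1.example.com. root.example.com. (
200602132 ; serial#
3600 ; refresh, seconds
3600 ; retry, seconds
3600 ; expire, seconds
3600 ) ; minimum TTL, seconds
"""

if __name__ == "__main__":
    text, serial = bump_serial(SAMPLE)
    print(serial)
    print(text)
```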
Install the chroot Jail to run named in a Secure Environment
yum install bind-chroot
The bind-chroot RPM installs the necessary directory tree in /var/named/chroot and copies all the necessary configuration files from your existing non-chroot installation. The old files in /etc and /var/named are automatically replaced with symbolic links to the new locations.
Make sure that going forward you edit the configuration files in the chroot jail:
- /etc/named.conf -> /var/named/chroot/etc/named.conf
- /etc/rndc.conf -> /var/named/chroot/etc/rndc.conf
- /etc/rndc.key -> /var/named/chroot/etc/rndc.key
- /var/named/* -> /var/named/chroot/var/named/*
Starting named now should start it in the chroot environment. This can be verified by issuing ps aux | grep named. The named daemon should have been started with the -u and -t command line options (refer to man named).
The root directory (default: /var/named/chroot) was also configured in the file /etc/sysconfig/named during the installation of the named-chroot RPM.
Configuring DHCP Clients
For dynamic DNS updates to work, the DHCP client has to send its hostname to the DHCP server. Windows typically does this, but many Linux clients need to be told. If you use dhclient, make sure you have the following line in your /etc/dhclient-eth0.conf file (Ubuntu: this file is /etc/dhcp3/dhclient.conf; Debian Sarge: look in /etc/dhclient.conf). If the file does not exist, create it (e.g. on FC4). Only enter the hostname, not the fully qualified host name, and don't forget the ";".
File: /etc/dhclient-eth0.conf
send host-name "hostname";
Diagnostics
There are various ways to troubleshoot DHCP and DNS servers. All of the tools below have good man pages.
Check Configuration
named-checkconf
named-checkzone
Logs
Syslog:
tail -f /var/log/messages
Turn on logging for the named daemon:
File: /etc/named.conf or /var/named/chroot/etc/named.conf
// add the following section. A log file "dns-security.log" will be created
Note: If logging is turned on as shown above all log messages will be in /var/named/chroot/var/named/dns-security.log and no longer in the syslog file.
Controlling named
The name server control utility rndc is used to control named while it is running. Please refer to man rndc for further details.
rndc
rndc reload
DNS Lookups
dig is a powerful utility to verify DNS settings. The query type "AXFR" initiates a zone transfer which, if allowed, displays the currently active zone information for easy verification.
dig -x 127.0.0.1
dig yahoo.com
dig example.com AXFR
Other utilities include nslookup and host. Please refer to the respective man pages.
nslookup
host