Dynamic DNS with DHCP and BIND 9


Unfortunately, getting DHCP3 and BIND9 to work together is not quite as easy as it could or should be. I found it really difficult to find any decent examples, and the docs weren't much use: DHCP's man page fails to explicitly tell you about certain options, so you have to guess them from the text. I've put this here in the hope that it might be handy to some of you.

Config Files

The two main config files are dhcpd.conf and named.conf. Here they are:

# /etc/dhcp/dhcpd.conf
##################################################################

server-identifier 192.168.0.9;  # should be the IP address of the DHCP server
                                # (thanks to Aaron for pointing this out)
authoritative;

# This is the most important line. It specifies the method used to
# connect to the DNS server and update it.
ddns-update-style interim;

# This has to be the same key as is used in named.conf. hmac-md5 is
# what this setup uses; newer dhcpd and named also accept hmac-sha256.
key mykey {
    algorithm hmac-md5;
    secret "secret_md5_hash";
};

# This section describes which key to use in which zone.
zone example.com. {
    primary 192.168.0.9;
    key mykey;
}
zone 0.168.192.in-addr.arpa. {
    primary 192.168.0.9;
    key mykey;
}

# This section holds all the options for the subnet listed,
# including the range of addresses to lease out, gateways etc.
subnet 192.168.0.0 netmask 255.255.255.0 {
    # use these addresses:
    range 192.168.0.10 192.168.0.20;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option domain-name "example.com";
    one-lease-per-client on;
    default-lease-time 14400;
    max-lease-time 14401;
    option ip-forwarding off;
    option time-offset -18000;
    # set a few handy default options
    option routers 192.168.0.9;
    option domain-name-servers 192.168.0.9;
    option smtp-server 192.168.0.9;
    option netbios-name-servers 192.168.0.9;
}
##################################################################

//////////////////////////////////////////////////////////////////
// /etc/bind/named.conf
//////////////////////////////////////////////////////////////////

// First off is the key. To modify the running DNS server you need
// this, the same as in the dhcpd.conf file.
key mykey {
  algorithm hmac-md5;
  secret "secret_md5_hash";
};

// Next the access control section: we allow the 192.168.0.0-255
// subnet, and localhost.
acl "home" { 192.168.0.0/24; 127.0.0.1; };

// Some general options, including who to forward queries you can't
// resolve to (in this case they are claranet's DNS servers).
options {
  directory "/var/bind/";               // working directory
  pid-file "/var/run/named/named.pid";

  allow-query { "home"; };
  forwarders { 195.8.69.7; 195.8.69.12; };
};

// The control channel on port 953. rndc (the DNS control program)
// talks to named through this, authenticated with the same key; only
// localhost and the DHCP server's address may connect.
controls {
  inet 127.0.0.1 port 953
    allow { 127.0.0.1; 192.168.0.9; } keys { "mykey"; };
};

// And then you have pretty much standard zones, except for the
// fact that the key specified at the top is allowed to modify the
// domain zone and reverse zone at the bottom.
zone "0.0.127.in-addr.arpa" {
  type master;
  file "localhost.rev";
  notify no;
};
zone "example.com" {
  type master;
  notify no;
  file "/var/bind/example.com";
  allow-update { key mykey; };
};
zone "0.168.192.in-addr.arpa" {
  type master;
  notify no;
  file "/var/bind/example.com.rev";
  allow-update { key mykey; };
};
zone "." {
  type hint;
  file "named.ca";
};
//////////////////////////////////////////////////////////////////

You can generate the keys with dnssec-keygen, and you may well need to use rndc-confgen to generate the config for rndc, the DNS control program. Make sure you use the same HMAC-MD5 key in that as well.
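To see what that shared key actually protects, here is an added example (not the post's own code, nor ISC's) that builds the kind of DNS UPDATE dhcpd sends when it hands out a lease, signs it with a TSIG record, and then verifies it the way named does before it consults allow-update. It uses only the Python standard library; the key name, secret, hostname and timestamps are constructed placeholders, and the algorithm table covers the post's hmac-md5 as well as hmac-sha256.

```python
"""Build a TSIG-signed DNS UPDATE the way a DDNS client does, and verify it as named does."""
import base64
import hashlib
import hmac
import struct

# Constructed demo key with the same shape as the mykey/secret pair shared by
# dhcpd.conf and named.conf. A real secret comes from dnssec-keygen, not from here.
DEMO_KEY_NAME = "mykey"
DEMO_SECRET_B64 = base64.b64encode(b"constructed-demo-secret-32-bytes").decode()

# TSIG algorithm name on the wire -> hash function. hmac-md5 is what the post's configs use.
ALGORITHMS = {"hmac-md5": ("hmac-md5.sig-alg.reg.int", hashlib.md5),
              "hmac-sha256": ("hmac-sha256", hashlib.sha256)}

def encode_name(name):
    """Uncompressed DNS wire-format name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def skip_name(buf, pos):
    """Offset just past the wire-format name at pos (a compression pointer ends a name)."""
    while True:
        n = buf[pos]
        if n == 0:
            return pos + 1
        if (n & 0xC0) == 0xC0:
            return pos + 2
        pos += 1 + n

def build_update(zone, hostname, ip, ttl=300, msg_id=0x1234):
    """RFC 2136 UPDATE with one instruction: add an A record for hostname in zone."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)  # opcode 5, ZOCOUNT 1, UPCOUNT 1
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)       # type SOA, class IN
    rdata = bytes(int(o) for o in ip.split("."))
    add_rr = encode_name(hostname) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_sec + add_rr

def _tsig_vars(key_name, alg_wire, signed_at, fudge, error=0, other=b""):
    """The TSIG variables that the MAC covers besides the message (RFC 2845, 3.4.2)."""
    hi, lo = signed_at >> 32, signed_at & 0xFFFFFFFF
    return (encode_name(key_name) + struct.pack("!HI", 255, 0) + alg_wire  # class ANY, TTL 0
            + struct.pack("!HIHHH", hi, lo, fudge, error, len(other)) + other)

def tsig_sign(msg, key_name, secret_b64, algorithm, signed_at, fudge=300):
    """Append a TSIG RR to msg; the MAC covers the whole unsigned message plus the TSIG vars."""
    alg_name, digestmod = ALGORITHMS[algorithm]
    alg_wire = encode_name(alg_name)
    mac = hmac.new(base64.b64decode(secret_b64),
                   msg + _tsig_vars(key_name, alg_wire, signed_at, fudge), digestmod).digest()
    hi, lo = signed_at >> 32, signed_at & 0xFFFFFFFF
    rdata = (alg_wire + struct.pack("!HIHH", hi, lo, fudge, len(mac)) + mac
             + msg[0:2] + struct.pack("!HH", 0, 0))                  # original ID, error 0, no other data
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1                # the TSIG RR counts in ADCOUNT
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr

def tsig_verify(signed, key_name, secret_b64, algorithm, now):
    """True only if the trailing TSIG RR was made with this key and is within fudge of now."""
    _, digestmod = ALGORITHMS[algorithm]
    zo, pr, up, ad = struct.unpack("!HHHH", signed[4:12])
    pos = 12
    for _ in range(zo):                        # zone entries: name + type + class
        pos = skip_name(signed, pos) + 4
    for _ in range(pr + up + ad - 1):          # every RR before the TSIG
        pos = skip_name(signed, pos)
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    rdata = skip_name(signed, tsig_start) + 10
    if signed[tsig_start:rdata - 10] != encode_name(key_name):
        return False                           # unknown key name: named answers BADKEY
    alg_end = skip_name(signed, rdata)
    alg_wire = signed[rdata:alg_end]
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
    mac = signed[alg_end + 10:alg_end + 10 + mac_size]
    tail = alg_end + 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[tail:tail + 6])
    other = signed[tail + 6:tail + 6 + other_len]
    signed_at = (hi << 32) | lo
    if abs(now - signed_at) > fudge:
        return False                           # clock skew beyond fudge: BADTIME
    unsigned = signed[:10] + struct.pack("!H", ad - 1) + signed[12:tsig_start]
    expected = hmac.new(base64.b64decode(secret_b64),
                        unsigned + _tsig_vars(key_name, alg_wire, signed_at, fudge, error, other),
                        digestmod).digest()
    return hmac.compare_digest(mac, expected) and orig_id == struct.unpack("!H", unsigned[:2])[0]

if __name__ == "__main__":
    msg = build_update("example.com.", "laptop.example.com.", "192.168.0.12")
    signed = tsig_sign(msg, DEMO_KEY_NAME, DEMO_SECRET_B64, "hmac-sha256", signed_at=1700000000)
    print(len(signed), "bytes, verifies:", tsig_verify(signed, DEMO_KEY_NAME, DEMO_SECRET_B64, "hmac-sha256", 1700000100))
```

The cases worth trying by hand are the ones named rejects in practice: a different secret or key name, a modified address in the update, and a timestamp more than the fudge (300 s here) away from the server's clock. The last one is why clock skew between the DHCP and DNS hosts shows up as refused updates, and why the secret, key name and algorithm must be byte-for-byte identical in both files.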

Zone Files

Originally, I didn't include my zone files here, mainly due to a lack of understanding. I've now got the DNS and BIND O'Reilly book though, and have discovered that things are actually fairly simple.

Here is my home.hosts file.

;
; SOA: Start of authority record - this NS is the best source of info in this
; zone (See DNS and Bind book, ch 4.)
;
$ORIGIN .
$TTL 86400  ; 1 day
example.com.    IN SOA  example.com. nadir.example.com. (
                2000111383 ; serial
                10800      ; refresh (3 hours)
                3600       ; retry (1 hour)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
;
; Name servers: same domain name as origin. 
;
                IN NS   nadir.example.com.

;
; Name to address mappings follow. Address to name mappings can be found in
; home.hosts.rev
;
; Put any addresses you want fixed here. Dynamically set addresses will appear
; below.
; 
nadir.example.com.  IN A    192.168.0.254

Here is home.hosts.rev:

;
; SOA section: like above only maps addresses to names.
;
$ORIGIN .
$TTL 86400  ; 1 day
0.168.192.in-addr.arpa  IN SOA  example.com. nadir.example.com. (
                2000107274 ; serial
                28800      ; refresh (8 hours)
                14400      ; retry (4 hours)
                3024000    ; expire (5 weeks)
                86400      ; minimum (1 day)
                )
;
; Name Servers
;
            IN NS   nadir.example.com.

;
; Fixed addresses, followed by DDNS inserted mappings. 
;
254.0.168.192.in-addr.arpa. IN PTR nadir.example.com.

This setup works for me, and allows both forward and reverse lookups.

Troubleshooting

What to do if DNS fails to update:

  • Check that BIND has write permissions for the directory where you've put the zone files. On my box, that's /var/bind. (Thanks Alex!)
  • Make sure your DHCP client sends its hostname. Windows boxes do this anyway, but lots of Unix clients need to be told. So, for pump users, you need to run pump -h hostname. If you use dhclient, then make sure you have a line reading:
    send host-name "hostname";
    in your dhclient.conf.
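A third thing worth checking, as an added example that is not part of the original post: the two config files must agree on the key, and every zone dhcpd updates must be one that named.conf lets that key update. The script below is constructed for this purpose; it embeds trimmed copies of the post's two configs (with the post's placeholder secret), pulls the key and zone stanzas out of both, and reports a key defined in only one file, a secret or algorithm that differs, a dhcpd zone whose key is never defined, and a zone whose named.conf counterpart has no allow-update for that key.

```python
"""Cross-check the TSIG key and zone/key references shared by dhcpd.conf and named.conf."""
import re

# Constructed excerpts of the two config files from the post (comments and unrelated
# stanzas trimmed). The secret is the post's placeholder, not a real key.
DHCPD_CONF = """
ddns-update-style interim;
key mykey {
    algorithm hmac-md5;
    secret "secret_md5_hash";
};
zone example.com. {
    primary 192.168.0.9;
    key mykey;
}
zone 0.168.192.in-addr.arpa. {
    primary 192.168.0.9;
    key mykey;
}
"""

NAMED_CONF = """
key mykey {
  algorithm hmac-md5;
  secret "secret_md5_hash";
};
controls {
  inet 127.0.0.1 port 953 allow { 127.0.0.1; 192.168.0.9; } keys { "mykey"; };
};
zone "example.com" {
  type master;
  file "/var/bind/example.com";
  allow-update { key mykey; };
};
zone "0.168.192.in-addr.arpa" {
  type master;
  file "/var/bind/example.com.rev";
  allow-update { key mykey; };
};
"""

def blocks(text, keyword):
    """Yield (name, body) for each `keyword name { ... }` statement, matching nested braces.
    Trailing dots are stripped so dhcpd's `example.com.` matches named's "example.com"."""
    for m in re.finditer(r'\b%s\s+"?([^"\s{]+)"?\s*\{' % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).rstrip("."), text[m.end():i - 1]

def parse_key(body):
    """(algorithm, secret) from the inside of a key { } block."""
    alg = re.search(r"algorithm\s+([\w-]+)", body)
    secret = re.search(r'secret\s+"([^"]+)"', body)
    return (alg.group(1).lower() if alg else None, secret.group(1) if secret else None)

def check(dhcpd_conf, named_conf):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    dkeys = {n: parse_key(b) for n, b in blocks(dhcpd_conf, "key")}
    nkeys = {n: parse_key(b) for n, b in blocks(named_conf, "key")}
    for name, (alg, secret) in dkeys.items():
        if name not in nkeys:
            findings.append(f"key {name} is defined in dhcpd.conf but not in named.conf")
        elif nkeys[name] != (alg, secret):
            findings.append(f"key {name}: algorithm or secret differs between the two files")
        if alg == "hmac-md5":
            findings.append(f"key {name} uses hmac-md5; hmac-sha256 is the better choice "
                            "when both daemons support it")
    # Which key each named.conf zone accepts updates from (None = no allow-update at all).
    named_zones = {}
    for zone, body in blocks(named_conf, "zone"):
        m = re.search(r'allow-update\s*\{\s*key\s+"?([\w.-]+)"?\s*;', body)
        named_zones[zone] = m.group(1) if m else None
    for zone, body in blocks(dhcpd_conf, "zone"):
        m = re.search(r'\bkey\s+"?([\w.-]+)"?\s*;', body)
        ref = m.group(1) if m else None
        if ref not in dkeys:
            findings.append(f"dhcpd zone {zone} refers to key {ref}, which dhcpd.conf never defines")
        if zone not in named_zones:
            findings.append(f"dhcpd zone {zone} has no matching zone statement in named.conf")
        elif named_zones[zone] != ref:
            findings.append(f"named.conf zone {zone} does not allow-update with key {ref}")
    return findings

if __name__ == "__main__":
    for line in check(DHCPD_CONF, NAMED_CONF) or ["no findings"]:
        print(line)
```

Run against the post's own configs the only finding is the hmac-md5 note; swap the secret in one file, or drop an allow-update line, and the mismatch is reported by zone and key name, which is usually quicker than reading named's refused-update log line.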

Finally

I'm no expert, and I may well have done something very stupid, or missed something altogether. Please tell me if I have, and I'll tweak this. I used the domain example.com for security reasons, and because everyone else does. Have fun :-)
