Thursday, December 16, 2010

How to edit a Dynamic DNS zone

All changes made to a zone using dynamic update are stored in the zone's journal file. The zone file itself is updated every 15 min. The zone files of dynamic zones cannot normally be edited by hand because they are not guaranteed to contain the most recent dynamic changes (those are only in the journal file). Here are the few steps that let you edit entries in a dynamic DNS zone:
  1. Suspend updates to all dynamic zones.
    rndc freeze
    
  2. Edit the zone file
  3. Enable updates to all dynamic zones and reload them.
    rndc thaw
    
Read more about advanced dns features here.

Debian DHCP server failover

Before we start, I assume you followed the previous two posts: setup and dynamic-dns. Our primary DHCP server is located at 192.168.10.4 and the secondary at 192.168.10.5.

Primary DHCP Server

  1. You need to declare a failover section that identifies the primary DHCP server (file /etc/dhcp/dhcpd.conf):
    failover peer "dhcp-failover" {
      primary; # declare this to be the primary server
      address 192.168.10.4;
      port 647;
      peer address 192.168.10.5;
      peer port 647;
      max-response-delay 30;
      max-unacked-updates 10;
      load balance max seconds 3;
      mclt 1800;
      split 128;
    }
    
  2. The failover peer needs to be referenced from a concrete subnet pool:
    subnet 192.168.10.0 netmask 255.255.255.0 {
      pool {
        # In order to turn off failover just comment out
        # the line below
        failover peer "dhcp-failover";
        range 192.168.10.41 192.168.10.254;
      }
      option subnet-mask 255.255.255.0;
      option broadcast-address 192.168.10.255;
      option routers gw1.dev.local;
    }
    

Secondary DHCP Server

  1. Failover secondary peer declaration (file /etc/dhcp/dhcpd.conf):
    failover peer "dhcp-failover" {
      secondary; # declare this to be the secondary server
      address 192.168.10.5;
      port 647;
      peer address 192.168.10.4;
      peer port 647;
      max-response-delay 30;
      max-unacked-updates 10;
      load balance max seconds 3;
    }
    
  2. The same subnet declaration, referencing the failover peer:
    subnet 192.168.10.0 netmask 255.255.255.0 {
      pool {
        # In order to turn off failover just comment out
        # the line below
        failover peer "dhcp-failover";
        range 192.168.10.41 192.168.10.254;
      }
      option subnet-mask 255.255.255.0;
      option broadcast-address 192.168.10.255;
      option routers gw1.dev.local;
    }
    
That's pretty much all you need to do. Read more here.
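The two peer blocks above are mirror images of each other, and the mistakes that bite in practice are all about that symmetry: a peer address that does not match the other side's address, different ports, or mclt/split copied onto the secondary (where dhcpd rejects them). The script below is an added example, not part of this post or of ISC's tooling; it reads both dhcpd.conf files you pass in and reports any mismatch. Run it beside dhcpd -t -cf <file>, which checks syntax but cannot see the other server's file.

```shell
#!/bin/sh
# Consistency check for an ISC dhcpd failover pair. The two "failover peer"
# blocks must mirror each other (my address/port == the other side's peer
# address/port) and mclt/split may only appear on the primary.
# Added example, not from the post; file paths are whatever you pass in.
set -eu

# Value of one statement inside the "failover peer" declaration of a dhcpd.conf.
# Prints "yes" for bare flags (primary;/secondary;), nothing if absent.
fo_get() {                                  # $1 = config file, $2 = statement
    awk -v key="$2" '
        /^[[:space:]]*failover[[:space:]]+peer.*[{]/ { inblk = 1; next }
        inblk && /^[[:space:]]*}/                  { inblk = 0 }
        inblk {
            sub(/#.*/, ""); sub(/;.*/, "")                  # comments, terminator
            sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
            if ($0 == key)               { print "yes"; exit }
            if (index($0, key " ") == 1) { print substr($0, length(key) + 2); exit }
        }
    ' "$1"
}

# Print each mismatch; return 1 if any. $1 = primary conf, $2 = secondary conf
check_failover_pair() {
    p=$1; s=$2; rc=0
    [ "$(fo_get "$p" primary)" = yes ]   || { echo "primary: missing 'primary;'"; rc=1; }
    [ "$(fo_get "$s" secondary)" = yes ] || { echo "secondary: missing 'secondary;'"; rc=1; }
    for k in address port; do
        [ "$(fo_get "$p" $k)" = "$(fo_get "$s" "peer $k")" ] \
            || { echo "primary $k does not match secondary 'peer $k'"; rc=1; }
        [ "$(fo_get "$s" $k)" = "$(fo_get "$p" "peer $k")" ] \
            || { echo "secondary $k does not match primary 'peer $k'"; rc=1; }
    done
    for k in mclt split; do
        [ -n "$(fo_get "$p" $k)" ] || { echo "primary: missing $k"; rc=1; }
        [ -z "$(fo_get "$s" $k)" ] || { echo "secondary: $k belongs on the primary only"; rc=1; }
    done
    return $rc
}

# usage: check_failover_pair primary-dhcpd.conf secondary-dhcpd.conf
if [ $# -eq 2 ]; then
    check_failover_pair "$1" "$2"
fi
```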

Dynamic DNS update with DHCP on Debian

If you have many DHCP clients it is much more convenient to find them by name than to remember IP addresses. This is what dynamic DNS update with DHCP is for. I assume you followed the few previous posts on the DNS and DHCP topic.

Configure DNS server

  1. We would like to accept only authorized, signed updates, so let's generate a secret key:
    dnssec-keygen -r /dev/urandom -a hmac-md5 -b 256 -n host key
    cat Kkey.*.private
    rm Kkey*
    
    Here is sample output:
    Private-key-format: v1.3
    Algorithm: 157 (HMAC_MD5)
    Key: 9rHjOgEuZ8O8LpsoJcl4zORqbeOCaPc3WfYDd5Mq3FHI=
    ...
    
  2. Add the following (replace the key with the one you generated) to a new file /etc/bind/dynamic-dns.key:
    key DYNAMICDNS {
            algorithm hmac-md5;
            secret "9rHjOgEuZ8O8LpsoJcl4zORqbeOCaPc3WfYDd5Mq3FHI=";
    };
    
  3. Secure the key file:
    chmod o-r /etc/bind/dynamic-dns.key
    
  4. Ensure bind owns, and the bind group can write to, the configuration directory, since named saves journal files there during dynamic updates:
    chmod -R g+w /etc/bind/
    
  5. Update zone registration file to allow dynamic updates (file /etc/bind/named.conf.local):
    include "/etc/bind/dynamic-dns.key";
    
    zone "dev.local" IN {
           type master;
           file "/etc/bind/db.dev.local";
           allow-update { key DYNAMICDNS; };
    };
    
    zone "10.168.192.IN-ADDR.ARPA" IN {
           type master;
           file "/etc/bind/db.10.168.192";
           allow-update { key DYNAMICDNS; };
    };
    
  6. Restart bind9

Test DNS Settings

  1. Let's add DNS records for a new host, test, with IP 192.168.10.7:
    root@ns1:/etc/bind# nsupdate 
    > server 127.0.0.1
    > key DYNAMICDNS 9rHjOgEuZ8O8LpsoJcl4zORqbeOCaPc3WfYDd5Mq3FHI=
    > zone dev.local
    > update add test.dev.local. 600 IN A 192.168.10.7
    > send
    > zone 10.168.192.IN-ADDR.ARPA
    > update add 7.10.168.192.in-addr.arpa 600 IN PTR test.dev.local.
    > send
    
  2. And now verify:
    user1@deby01:~$ host test
    test.dev.local has address 192.168.10.7
    
    user1@deby01:~$ host 192.168.10.7
    7.10.168.192.in-addr.arpa domain name pointer test.dev.local.
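The interactive nsupdate session above is fine for a one-off test, but for registering hosts from scripts you want the same exchange without typing the secret: nsupdate -k reads the named.conf-style key statement from /etc/bind/dynamic-dns.key directly. The script below is an added example, not part of the original post; it assumes the key file, server address and zone names used in this series, derives the reverse zone and PTR owner from the address, and deletes any existing A/PTR for the name before adding, so re-registering a host replaces the records instead of accumulating them. The post's key uses hmac-md5; the script does not care which algorithm the key file declares.

```shell
#!/bin/sh
# Non-interactive version of the nsupdate session above: register (or remove)
# a host's A and PTR records in one go, signing with the TSIG key file instead
# of typing the secret. Added example, not from the post; it assumes the key
# file, server and zone names from this setup (/etc/bind/dynamic-dns.key,
# ns1 on 127.0.0.1, dev.local and 10.168.192.in-addr.arpa).
set -eu

KEYFILE=${KEYFILE:-/etc/bind/dynamic-dns.key}   # key statement file; nsupdate -k reads it
SERVER=${SERVER:-127.0.0.1}
FWD_ZONE=${FWD_ZONE:-dev.local}

ptr_name() {   # 192.168.10.7 -> 7.10.168.192.in-addr.arpa
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

rev_zone() {   # 192.168.10.7 -> 10.168.192.in-addr.arpa (the /24 reverse zone)
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Print the nsupdate batch. $1 = add|delete, $2 = short host name,
# $3 = IPv4 address, $4 = TTL (default 600). Existing records for the name
# and address are deleted first so a re-registration replaces, not accumulates.
build_update() {
    op=$1; fqdn="$2.$FWD_ZONE."; ip=$3; ttl=${4:-600}
    rev=$(ptr_name "$ip")
    printf 'server %s\n' "$SERVER"
    printf 'zone %s\n' "$FWD_ZONE"
    printf 'update delete %s A\n' "$fqdn"
    if [ "$op" = add ]; then printf 'update add %s %s IN A %s\n' "$fqdn" "$ttl" "$ip"; fi
    printf 'send\n'
    printf 'zone %s\n' "$(rev_zone "$ip")"
    printf 'update delete %s PTR\n' "$rev"
    if [ "$op" = add ]; then printf 'update add %s %s IN PTR %s\n' "$rev" "$ttl" "$fqdn"; fi
    printf 'send\n'
}

# Validate arguments, then send the batch signed with the key file.
ddns_register() {   # usage: ddns_register add|delete host ip [ttl]
    case $1 in add|delete) ;; *) echo "first argument must be add or delete" >&2; return 2 ;; esac
    [ -r "$KEYFILE" ] || { echo "cannot read $KEYFILE" >&2; return 2; }
    build_update "$@" | nsupdate -k "$KEYFILE"
}

if [ $# -ge 3 ]; then
    ddns_register "$@"
fi
```

Because the forward and reverse zones are sent as two separate batches (one "send" each, as in the session above), a failure on the reverse zone does not roll back the A record; check both with host afterwards, exactly as step 2 does.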
    

Configure DHCP server

  1. Add the following (replace the key with the one you generated) to a new file /etc/dhcp/dynamic-dns.key:
    key DYNAMICDNS {
            algorithm hmac-md5;
            secret "9rHjOgEuZ8O8LpsoJcl4zORqbeOCaPc3WfYDd5Mq3FHI=";
    };
    
  2. Create a new file /etc/dhcp/dhcpd.conf.local with the following content:
    include "/etc/dhcp/dynamic-dns.key";
    
    zone dev.local. {
            primary ns1.dev.local;
            key DYNAMICDNS;
    }
    
    zone 10.168.192.IN-ADDR.ARPA. {
            primary ns1.dev.local;
            key DYNAMICDNS;
    }
    
  3. Open file /etc/dhcp/dhcpd.conf and ensure:
    ddns-update-style interim;
    include "/etc/dhcp/dhcpd.conf.local";
    
  4. Restart the DHCP server so our changes take effect:
    /etc/init.d/isc-dhcp-server restart
    

Test DHCP server with Debian client

  1. First of all, in order to identify your Debian client by name you must ensure it sends its host name to the DHCP server. You can check this in file /etc/dhcp/dhclient.conf:
    send host-name "deby01";
    
  2. Assuming the DHCP client interface is eth1, here is the command to renew the IP address from the server:
    dhclient -v eth1
    

Debian DHCP Server Setup

Dynamic Host Configuration Protocol (DHCP) gives client machines "leases" for IP addresses and can automatically set their network configuration. Install the server with:
apt-get -y install rsyslog isc-dhcp-server
Before we start configuring the DHCP server, let's set our requirements:
  • Domain name: dev.local
  • Network: 192.168.10.0/24
  • DNS Servers: ns1.dev.local, ns2.dev.local
  • Gateway: gw1.dev.local
  • First 40 ip addresses are reserved for servers
  • DHCP pool is 41 - 254

Server Configuration

  1. The server will be listening on the eth0 interface (file /etc/default/isc-dhcp-server):
    # On what interfaces should the DHCP server (dhcpd) 
    # serve DHCP requests? Separate multiple interfaces 
    # with spaces, e.g. "eth0 eth1".
    INTERFACES="eth0"
    
  2. Configure DHCP per our requirements (file /etc/dhcp/dhcpd.conf):
    # The ddns-updates-style parameter controls whether or
    # not the server will attempt to do a DNS update when 
    # a lease is confirmed. We default to the behavior of 
    # the version 2 packages ('none', since DHCP v2 didn't
    # have support for DDNS.)
    ddns-update-style none;
    
    # option definitions common to all supported networks
    option domain-name "dev.local";
    option domain-name-servers ns1.dev.local, ns2.dev.local;
    option ip-forwarding off;
    
    # This way you can specify multiple search domains.
    # For Windows clients it doesn't work and need to be
    # setup manually
    option domain-search "dev.local", "corp.local";
    
    # Lease time is in seconds
    default-lease-time 600;
    max-lease-time 7200;
    
    # If this DHCP server is the official DHCP server for 
    # the local network, the authoritative directive should 
    # be uncommented.
    authoritative;
    
    # Use this to send dhcp log messages to a different log 
    # file (you also have to hack syslog.conf to complete 
    # the redirection).
    log-facility local7;
    
    subnet 192.168.10.0 netmask 255.255.255.0 {
      pool {
        range 192.168.10.41 192.168.10.254;
      }
      option subnet-mask 255.255.255.0;
      option broadcast-address 192.168.10.255;
      option routers gw1.dev.local;         
    }
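Once clients start taking addresses from the pool above, the server-side record of who holds what is /var/lib/dhcp/dhcpd.leases. It is appended to as leases change, so the same IP can appear several times and only the last block counts. The script below is an added example, not part of this post; it assumes Debian's default lease file path and shows the active leases (address, MAC, client-hostname), pool utilisation against the 41-254 range, and a lookup by host name. The lease data in the test is constructed.

```shell
#!/bin/sh
# Server-side view of who holds which address: summarise dhcpd.leases.
# Later blocks for the same IP supersede earlier ones (the file is append-only
# until dhcpd rewrites it), so the parser keeps the last record seen per IP.
# Added example, not from the post; the lease path is Debian's default.
set -eu

LEASES=${LEASES:-/var/lib/dhcp/dhcpd.leases}

# "ip mac hostname state" for every address in the wanted binding state.
lease_table() {                         # $1 = leases file, $2 = state (default active)
    awk -v want="${2:-active}" '
        $1 == "lease" && $3 == "{" { ip = $2; mac = "-"; host = "-"; state = "-"; next }
        ip == ""                   { next }              # outside a lease block
        $1 == "hardware" && $2 == "ethernet" { mac = $3;   sub(/;$/, "", mac) }
        $1 == "binding"  && $2 == "state"    { state = $3; sub(/;$/, "", state) }
        $1 == "client-hostname"              { host = $2;  gsub(/[";]/, "", host) }
        $1 == "}" { macs[ip] = mac; hosts[ip] = host; states[ip] = state; ip = "" }
        END { for (a in macs) if (states[a] == want) print a, macs[a], hosts[a], states[a] }
    ' "$1" | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# Active leases vs. pool size, e.g. "2/214". $1 = leases file, $2 = first, $3 = last host octet
pool_usage() {
    used=$(lease_table "$1" active | awk 'END { print NR }')
    echo "$used/$(( $3 - $2 + 1 ))"
}

# A host's current address by client-hostname (empty if none). $1 = leases, $2 = hostname
lease_of() {
    lease_table "$1" active | awk -v h="$2" '$3 == h { print $1 }'
}

# usage: lease_table /var/lib/dhcp/dhcpd.leases ; pool_usage /var/lib/dhcp/dhcpd.leases 41 254
if [ $# -ge 1 ]; then lease_table "$1" "${2:-active}"; fi
```

A client that never sends its host name (see the dhclient.conf note in the dynamic DNS post) shows up with "-" in the hostname column, which is usually the first sign that its dynamic DNS registration is not going to work either.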
    
    

How to test from Debian client

  1. You need a network interface configured for dhcp (file /etc/network/interfaces):
    allow-hotplug eth0
    iface eth0 inet dhcp
    
  2. Obtain an IP address and check it:
    root@dh1:~# dhclient eth0 && ifconfig eth0 | grep inet
              inet addr:192.168.10.41 ...
    
  3. Try some lookups (notice the multi-domain DNS search list; to use the host command you need to install the dnsutils package):
    root@dh1:~# host ns1
    ns1.dev.local has address 192.168.10.2
    
    root@dh1:~# host mail
    mail.corp.local has address 192.168.11.10
    

How to enable multi-domain search in Windows client

  1. Choose Advanced TCP/IP Settings
  2. In DNS tab choose "Append these DNS suffixes (in order)"
  3. Add as many domains to search as you need
  4. Try some lookups (notice multiple dns search list):
    C:\>nslookup ns1
    ...
    C:\>nslookup mail
    ...
    
Read more here.

Wednesday, December 15, 2010

Debian Slave DNS Server Setup

The setup of a slave (secondary) DNS server is pretty easy. You need to have followed the two previous posts on setting up a simple DNS server and chrooting bind9.

Master (Primary) DNS Server

  1. Add the following to /etc/bind/named.conf.options
    dnssec-enable yes;
    
  2. Generate an HMAC-MD5 key:
    dnssec-keygen -r /dev/urandom -a hmac-md5 \
     -b 256 -n host rndc ; cat Krndc.*.private \
     | grep Key ; rm Krndc*
    
    Here is the output:
    Key: 9EKQM+7+EnJzO7TWyayUf0vks4k+SZPf9DAs8fOeREM=
    
  3. Add the following (replace the key with the one you generated) to a new file /etc/bind/transfer.key:
    key TRANSFER {
            algorithm hmac-md5;
            secret "9EKQM+7+EnJzO7TWyayUf0vks4k+SZPf9DAs8fOeREM=";
    };
    
  4. Secure the key file:
    chmod o-r /etc/bind/transfer.key
    
  5. Add the following to a new file /etc/bind/named.conf.transfer
    include "/etc/bind/transfer.key";
    
    // Slave IP Address
    server 192.168.10.3 {
            keys { TRANSFER; };
    };
    
  6. Add the following to file /etc/bind/named.conf
    include "/etc/bind/named.conf.transfer";
    

Slave (Secondary) DNS Server

  1. Add the following to /etc/bind/named.conf.options
    dnssec-enable yes;
    
  2. Add the following (the same key as on the master) to file /etc/bind/transfer.key:
    key TRANSFER {
            algorithm hmac-md5;
            secret "9EKQM+7+EnJzO7TWyayUf0vks4k+SZPf9DAs8fOeREM=";
    };
    
  3. Secure the key file:
    chmod o-r /etc/bind/transfer.key
    
  4. Add the following to file /etc/bind/named.conf.transfer
    include "/etc/bind/transfer.key";
    
    // Master IP Address
    server 192.168.10.2 {
            keys { TRANSFER; };
    };
    
  5. Add the following to file /etc/bind/named.conf
    include "/etc/bind/named.conf.transfer";
    
  6. Specify slave zones in file /etc/bind/named.conf.local:
    zone "dev.local" IN {
           type slave;
           file "/etc/bind/db.dev.local";
           masters { 192.168.10.2; };
           allow-notify { 192.168.10.2; };
    };
    
    zone "10.168.192.IN-ADDR.ARPA" IN {
           type slave;
           file "/etc/bind/db.10.168.192";
           masters { 192.168.10.2; };
           allow-notify { 192.168.10.2; };
    };
    
  7. Copy forwards to slave (file /etc/bind/named.conf.forward):
    zone "corp.local" IN {
           type forward;
           forwarders { 192.168.11.2; 192.168.11.3; };
    };
    
  8. Ensure bind:bind is the owner of the configuration so it can update the files received from the master:
    chown -R bind:bind /var/chroot/bind9/etc/*
    
In order to keep both servers in sync, set up ntpdate (on the master and slave DNS servers):
root@ns2:/etc/bind# apt-get install ntpdate
...
root@ns2:/etc/bind# ntpdate pool.ntp.org
Now you can restart bind9 on both servers and ensure that the slave received the zone files.
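Two things are worth checking at this point, and neither is obvious from the syslog alone. First, the "server { keys { TRANSFER; }; }" statement only makes the slave sign its requests; the master's zone declarations in this series carry no allow-transfer statement, so unless options or each zone restricts transfers to the key (allow-transfer { key TRANSFER; };), the master still hands the full zone to any host that asks for it. Second, "received the zone files" means the SOA serial on the slave equals the one on the master. The script below is an added example, not from the post: it lists master zones that lack an allow-transfer restriction, compares serials on both servers with dig, and confirms that an unsigned AXFR is refused. It assumes dnsutils on the host you run it from and the ns1/ns2 addresses used in this series.

```shell
#!/bin/sh
# Checks for the master/slave pair: lint the master's zone declarations for a
# missing allow-transfer restriction, then compare SOA serials on both servers.
# Added example, not from the post; addresses default to ns1/ns2 from this series.
set -eu

MASTER=${MASTER:-192.168.10.2}
SLAVE=${SLAVE:-192.168.10.3}

# Master zones in a named.conf-style file that have no allow-transfer statement
# (a global allow-transfer in options {} would cover them; check that separately).
zones_without_allow_transfer() {            # $1 = config file
    awk '
        /^[[:space:]]*zone[[:space:]]+"/ {
            match($0, /"[^"]*"/); zone = substr($0, RSTART + 1, RLENGTH - 2)
            master = 0; restricted = 0
        }
        zone != "" && /type[[:space:]]+master/ { master = 1 }
        zone != "" && /allow-transfer/         { restricted = 1 }
        zone != "" && /^[[:space:]]*};/        { if (master && !restricted) print zone; zone = "" }
    ' "$1"
}

# Serial (third field) from a "dig +short <zone> SOA" answer on stdin.
serial_from_soa() { awk 'NF >= 3 { print $3; exit }'; }

soa_serial() {                              # $1 = server, $2 = zone; needs dig (dnsutils)
    dig +short "@$1" "$2" SOA | serial_from_soa
}

# Compare serials. $1 = master serial, $2 = slave serial; non-zero unless in sync
sync_status() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo "no SOA answer"; return 1; fi
    if [ "$1" -eq "$2" ]; then echo "in sync ($1)"
    elif [ "$2" -lt "$1" ]; then echo "slave behind ($2 < $1)"; return 1
    else echo "slave ahead ($2 > $1): edited by hand on the slave?"; return 1
    fi
}

check_sync() {                              # $1 = zone
    sync_status "$(soa_serial "$MASTER" "$1")" "$(soa_serial "$SLAVE" "$1")"
}

# From a machine other than the slave, an unsigned AXFR must be refused once
# allow-transfer is restricted to the key; dig reports "Transfer failed." then.
axfr_refused() {                            # $1 = server, $2 = zone
    dig "@$1" "$2" AXFR | grep -q 'Transfer failed'
}

# usage: check_sync dev.local ; axfr_refused 192.168.10.2 dev.local && echo refused
if [ $# -ge 1 ]; then check_sync "$1"; fi
```

"slave behind" right after a restart is normal until the refresh timer or a NOTIFY from the master kicks in; "slave behind" that persists usually means the transfer is being refused, which is exactly what the syslog hint in the troubleshooting section below will show.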

Troubleshooting

Have a look at the system log file (/var/log/syslog) for any errors reported by named. If you see "permission denied" while dumping a file, ensure bind:bind is the owner, as follows:
chown -R bind:bind /var/chroot/bind9/etc/*
/etc/init.d/bind9 restart
ls -l /etc/bind/db.*

Debian LAN DNS setup

We are going to set up a LAN DNS server for the dev.local domain. I assume you already have a DNS server up and running; if not, please follow the previous post here.

Configure Forward Lookup Zone

First of all, let's start with the forward lookup zone (file /etc/bind/db.dev.local):
$TTL 2d
dev.local.    IN     SOA     ns1.dev.local. hostmaster.dev.local. (
                             2010122201 ; se = serial number
                             6h         ; ref = refresh
                             15m        ; ret = update retry
                             3w         ; ex = expiry
                             3h         ; min = minimum
                             )
              IN     NS      ns1.dev.local.
              IN     NS      ns2.dev.local.
              IN     MX  10  mail.dev.local.
              IN     A       192.168.10.5
; hosts
gw1           IN     A       192.168.10.1
ns1           IN     A       192.168.10.2
ns2           IN     A       192.168.10.3
mail          IN     A       192.168.10.4
www           IN     CNAME   dev.local.

Configure Reverse Lookup Zone

Each forward lookup zone can have a reverse lookup zone; here is ours (file /etc/bind/db.10.168.192):
$ORIGIN .
$TTL 2d
10.168.192.IN-ADDR.ARPA      IN   SOA   ns1.dev.local. hostmaster.dev.local. (
                             2010122201 ; se = serial number
                             6h         ; ref = refresh
                             15m        ; ret = update retry
                             3w         ; ex = expiry
                             3h         ; min = minimum
                             )
              IN     NS      ns1.dev.local.
              IN     NS      ns2.dev.local.
$ORIGIN 10.168.192.IN-ADDR.ARPA.
1             IN     PTR     gw1.dev.local.
2             IN     PTR     ns1.dev.local.
3             IN     PTR     ns2.dev.local.
4             IN     PTR     mail.dev.local.
5             IN     PTR     www.dev.local.
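Forward and reverse zones drift apart easily because they are two hand-edited files, and a stale PTR is the classic cause of "host resolves but reverse lookup points somewhere else". The script below is an added example, not part of this post or of BIND: it parses the subset of zone-file syntax used in the two files above ($ORIGIN, $TTL, @, blank-owner continuation lines, ";" comments) and reports every A record without a matching PTR and every PTR whose target has no matching A record. Run on the two files above it reports the 192.168.10.5 pair, because the PTR names www.dev.local. while the A record for that address sits on the apex (www is a CNAME); whether that is what you want is a policy choice, but the check makes it visible. The zone data in the test is constructed.

```shell
#!/bin/sh
# Cross-check the forward zone against its reverse zone: every A record should
# have a PTR pointing back at the same name, and every PTR should name a host
# that owns that address. Added example, not from the post; it understands the
# zone-file subset used here ($ORIGIN, $TTL, @, blank-owner continuation
# lines, ';' comments) and nothing more.
set -eu

# Emit "name ip" for A records or "ip name" for PTR records, names lower-cased
# and fully qualified. $1 = zone file, $2 = A or PTR, $3 = zone origin
zone_records() {
    awk -v type="$2" -v origin="$3" '
        BEGIN { if (origin !~ /\.$/) origin = origin "." }
        function fq(n) {                                  # qualify a name
            if (n == "@") return origin
            if (n ~ /\.$/) return n
            return (origin == ".") ? n "." : n "." origin
        }
        function ptr_ip(n,   p, k, out) {                 # 7.10.168.192.in-addr.arpa. -> 192.168.10.7
            sub(/\.in-addr\.arpa\.$/, "", n)
            k = split(n, p, ".")
            out = p[k]; for (k--; k >= 1; k--) out = out "." p[k]
            return out
        }
        { sub(/;.*/, "") }                                # strip comments
        NF == 0 { next }
        $1 == "$ORIGIN" { origin = $2; next }
        /^\$/ { next }                                    # $TTL and friends
        {
            if ($0 ~ /^[[:space:]]/) first = 1            # blank owner: previous owner applies
            else { owner = fq($1); first = 2 }
            for (i = first; i < NF; i++)
                if ($i == type) {
                    if (type == "PTR") print ptr_ip(tolower(owner)), tolower(fq($(i + 1)))
                    else               print tolower(owner), $(i + 1)
                    break
                }
        }
    ' "$1"
}

# Print one line per inconsistency; return 1 if any were found.
# $1 = forward zone file, $2 = forward zone name, $3 = reverse zone file, $4 = reverse zone name
check_zones() {
    fwd=$(zone_records "$1" A "$2")
    rev=$(zone_records "$3" PTR "$4")
    report=$(
        printf '%s\n' "$fwd" | while read -r name ip; do
            [ -n "$ip" ] || continue
            printf '%s\n' "$rev" | grep -qxF "$ip $name" || echo "A $name -> $ip: no matching PTR"
        done
        printf '%s\n' "$rev" | while read -r ip name; do
            [ -n "$name" ] || continue
            printf '%s\n' "$fwd" | grep -qxF "$name $ip" || echo "PTR $ip -> $name: no matching A"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# usage: check_zones /etc/bind/db.dev.local dev.local /etc/bind/db.10.168.192 10.168.192.in-addr.arpa
if [ $# -eq 4 ]; then check_zones "$@"; fi
```

The exit status is non-zero when anything is reported, so the check can sit in front of the rndc reload in whatever script you use to push zone edits.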

Add Zone to DNS server

Now that we have both forward and reverse DNS lookup zones for the dev.local domain, we need to let the DNS server know about them. All we need to do is add the following to /etc/bind/named.conf.local:
//
// Do any local configuration here
//

zone "dev.local" IN {
       type master;
       file "/etc/bind/db.dev.local";
};

zone "10.168.192.IN-ADDR.ARPA" IN {
       type master;
       file "/etc/bind/db.10.168.192";
};

// Consider adding the 1918 zones here, if they are not 
// used in your organization
include "/etc/bind/zones.rfc1918";

Forwarding to other LAN DNS Servers

Let's set up DNS forwarding for the corp.local LAN domain, whose DNS server is on 192.168.11.2 (create a new file /etc/bind/named.conf.forward):
zone "corp.local" IN {
       type forward;
       forwarders { 192.168.11.2; 192.168.11.3; };
};
zone "11.168.192.IN-ADDR.ARPA" IN {
       type forward;
       forwarders { 192.168.11.2; 192.168.11.3; };
};
Let's include it in /etc/bind/named.conf:
include "/etc/bind/named.conf.forward";
We need to ask bind9 to reload the changes:
/etc/init.d/bind9 reload

Forwarding to ISP DNS Servers

You can optimize DNS queries by using the DNS servers supplied by your ISP (they are much closer to you than any others). When your DNS server cannot resolve a name itself, it will contact the ISP's servers first instead of the root servers. This is configured in the /etc/bind/named.conf.options file:
// forwarders {
//      0.0.0.0;
// };
forwarders {
        192.168.123.123;    # ns1.your-isp.net
        192.168.321.321;    # ns2.your-isp.net
};

Client Configuration

Our DNS server for dev.local is up and running, so now it is time to configure client machines to use it. Ensure the following in /etc/resolv.conf:
search dev.local
nameserver 192.168.10.2
Please read more here.

How to chroot bind9 in Debian

Here are a few simple steps to chroot bind9 in Debian squeeze.
#!/bin/bash
/etc/init.d/bind9 stop
# Directory tree named needs inside the jail
mkdir -p /var/chroot/bind9/{etc,dev,var/cache/bind,var/run/bind/run}
chown -R bind:bind /var/chroot/bind9/var/*
# Device nodes named uses; there is no /dev inside the jail otherwise
mknod /var/chroot/bind9/dev/null c 1 3
mknod /var/chroot/bind9/dev/random c 1 8
chmod 666 /var/chroot/bind9/dev/{null,random}
# Move the configuration into the jail and keep /etc/bind as a symlink to it
mv /etc/bind /var/chroot/bind9/etc
ln -s /var/chroot/bind9/etc/bind /etc/bind
chown -R bind:bind /etc/bind/*
# Let rsyslog listen on a socket inside the jail so named can still log
echo "\$AddUnixListenSocket /var/chroot/bind9/dev/log" > /etc/rsyslog.d/bind-chroot.conf
Switch bind9 to use the chroot (file /etc/default/bind9):
OPTIONS="-u bind -t /var/chroot/bind9"
Finally restart rsyslogd and start bind9.
/etc/init.d/rsyslog restart ; /etc/init.d/bind9 start
You can download script from here.
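A chroot that was set up but never verified gives a false sense of safety: if the OPTIONS line was mistyped or the symlink missed, named happily runs unjailed against the old tree. The script below is an added example, not part of this post or of the script above. It checks the directory layout and device nodes, the /etc/bind symlink, the -t option in /etc/default/bind9 and, reading /proc/<pid>/root, that the running named really has /var/chroot/bind9 as its root. It assumes the paths used above and needs root for the /proc check.

```shell
#!/bin/sh
# Verify the chroot built by the script above actually took effect: the
# directory layout and device nodes are in place, bind9 is started with -t,
# and the running named has /var/chroot/bind9 as its root. Added example, not
# from the post; run as root, paths default to the ones used above.
set -eu

CHROOT=${CHROOT:-/var/chroot/bind9}

# One line per problem with the chroot tree; prints nothing when it is complete.
check_chroot_layout() {                     # $1 = chroot directory
    root=$1
    for dir in etc/bind var/cache/bind var/run/bind/run; do
        [ -d "$root/$dir" ] || echo "missing directory $root/$dir"
    done
    for dev in dev/null dev/random; do
        [ -c "$root/$dev" ] || echo "$root/$dev is not a character device"
    done
}

# /etc/bind must be the symlink into the chroot, otherwise edits go to the wrong tree.
check_bind_symlink() {                      # $1 = chroot directory
    [ "$(readlink /etc/bind 2>/dev/null || true)" = "$1/etc/bind" ] \
        || echo "/etc/bind does not point at $1/etc/bind"
}

# /etc/default/bind9 must carry "-t <chroot>" in OPTIONS. $1 = defaults file, $2 = chroot
check_start_options() {
    grep -q "^OPTIONS=.*-t[[:space:]]*$2" "$1" 2>/dev/null || echo "$1: OPTIONS lacks -t $2"
}

# Ask the kernel where the running named is rooted (needs root to read /proc/<pid>/root).
check_named_root() {                        # $1 = chroot directory
    pid=$(pgrep -x named | head -n 1)
    [ -n "$pid" ] || { echo "named is not running"; return 1; }
    actual=$(readlink "/proc/$pid/root" || true)
    [ "$actual" = "$1" ] || { echo "named (pid $pid) runs with root '$actual', expected $1"; return 1; }
    echo "named (pid $pid) is chrooted to $1"
}

# usage: sh check-chroot.sh /var/chroot/bind9
if [ $# -ge 1 ]; then
    CHROOT=$1
    check_chroot_layout "$CHROOT"
    check_bind_symlink "$CHROOT"
    check_start_options /etc/default/bind9 "$CHROOT"
    check_named_root "$CHROOT"
fi
```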

Debian simple DNS server setup

We are going to set up a simple Debian DNS server for local use with bind9.
apt-get install -y rsyslog bind9 bind9-doc dnsutils
Once the server is installed, let the system know which DNS server to use (the one we just installed): ensure that 127.0.0.1 is the first nameserver in the list (file /etc/resolv.conf):
nameserver 127.0.0.1
In case you do not need the server to listen on IPv6, set the following option (file /etc/bind/named.conf.options):
listen-on-v6 { none; };
Restart bind9 daemon:
/etc/init.d/bind9 restart
and verify with:
root@ns1:~# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.10.2:53         0.0.0.0:*               LISTEN      816/named       
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      816/named       
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      816/named       
udp        0      0 192.168.10.2:53         0.0.0.0:*                           816/named       
udp        0      0 127.0.0.1:53            0.0.0.0:*                           816/named       
That's pretty much it; let's ensure it is working. The dig command comes with the dnsutils package (installed above), so here we go:
root@ns1:~# dig debian.org
; <<>> DiG 9.7.2-P3 <<>> debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64434
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;debian.org.   IN A

;; ANSWER SECTION:
debian.org.  3600 IN A 128.31.0.51
debian.org.  3600 IN A 206.12.19.7

;; AUTHORITY SECTION:
debian.org.  28606 IN NS ns2.debian.org.
debian.org.  28606 IN NS ns4.debian.com.
debian.org.  28606 IN NS ns1.debian.org.

;; ADDITIONAL SECTION:
ns1.debian.org.  28606 IN AAAA 2607:f8f0:610:4000:214:38ff:feee:b65a
ns4.debian.com.  28606 IN A 194.177.211.209
ns4.debian.com.  28606 IN AAAA 2001:648:2ffc:deb::10:10

;; Query time: 96 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 15 21:47:12 2010
;; MSG SIZE  rcvd: 196
Notice that the server that responded to our request was 127.0.0.1. Read more here and here. Consider chrooting your DNS server; details here.

How to solve eth0 missing in VirtualBox

Suppose you set up a Linux virtual machine in VirtualBox, clone its hard disk and attach it to a new virtual machine, and then notice that eth0 is not available. The problem is that the MAC address of the network adapter has changed (you created a new virtual machine), so the kernel registered the adapter under the next available name, e.g. eth1. All you need to do is open /etc/udev/rules.d/70-persistent-net.rules in your favorite editor, remove the line that currently uses eth0, and change the line with NAME="eth1" to NAME="eth0". Here is an example:
# PCI device 0x1022:0x2000 (pcnet32)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", \
ATTR{address}=="08:00:27:43:0b:0f", ATTR{dev_id}=="0x0", \
ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
Probably the simplest way to do this:
echo > /etc/udev/rules.d/70-persistent-net.rules
reboot

How to disable ipv6 in Debian

Here are simple steps to disable ipv6 in Debian:
  1. Comment out anything related to ipv6 in /etc/hosts
  2. SSH. Ensure AddressFamily inet is set in /etc/ssh/sshd_config. Restart ssh.
  3. BIND. Ensure listen-on-v6 { none; }; in /etc/bind/named.conf.options. Restart bind9.
  4. NTP. Ensure -4 option is set in /etc/default/ntp (e.g. NTPD_OPTS='-4 -g'). Restart ntp.
  5. APACHE2. Ensure Listen 0.0.0.0:80 in /etc/apache2/ports.conf file. Restart apache2.
  6. RPCBIND (rpc.statd, rpc.mountd). Comment out the appropriate entries in /etc/netconfig:
    udp        tpi_clts      v     inet     udp     - -
    tcp        tpi_cots_ord  v     inet     tcp     - -
    #udp6       tpi_clts      v     inet6    udp    - -
    #tcp6       tpi_cots_ord  v     inet6    tcp    - -
    rawip      tpi_raw       -     inet      -      - -
    local      tpi_cots_ord  -     loopback  -      - -
    unix       tpi_cots_ord  -     loopback  -      - -
    
  7. PostgreSQL 9. Ensure only IPv4 addresses are in listen_addresses (file /etc/postgresql/9.1/main/postgresql.conf):
    # - Connection Settings
    listen_addresses = '0.0.0.0'
    
    Comment out lines related to ipv6 (file /etc/postgresql/9.1/main/pg_hba.conf):
    # IPv6 local connections:
    #host  all     all     ::1/128   md5
    
    Restart postgresql.
  8. Disable ipv6 in kernel:
    echo net.ipv6.conf.all.disable_ipv6=1 \
    > /etc/sysctl.d/disableipv6.conf
    
  9. Disable ipv6 in kernel modules (file /etc/modprobe.d/aliases.conf):
    # alias net-pf-10 ipv6
    alias net-pf-10 off
    alias ipv6 off
    
The next time the system boots it will have IPv6 disabled. Let's verify it with:
netstat -tunlp
Here is a sample output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.10.2:53         0.0.0.0:*               LISTEN      895/named       
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      895/named       
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      734/sshd        
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      895/named       
udp        0      0 192.168.10.2:53         0.0.0.0:*                           895/named       
udp        0      0 127.0.0.1:53            0.0.0.0:*                           895/named         
Read more about ipv6 here.
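Both this post and the simple DNS server post use netstat -tunlp for the final check, and in both cases you are reading the listing for a specific answer: which addresses named is bound to (127.0.0.1 and the LAN address, not 0.0.0.0), and whether any tcp6/udp6 or ::-bound socket is left. The script below is an added example, not part of either post; it parses netstat output on stdin and answers those questions so the check can run unattended. It assumes the column layout of net-tools netstat as shown above (ss -tunlp prints different columns) and the sample in the test is constructed.

```shell
#!/bin/sh
# Read "netstat -tunlp" output (as shown in the simple DNS server post and in
# the IPv6 check above) and answer the two questions those listings are used
# for: on which addresses does a daemon listen, and is anything still bound to
# an IPv6 socket? Added example, not from the posts; the sample is constructed.
set -eu

# "proto local-address" for every listening socket of one program; stdin = netstat output
listeners_of() {                            # $1 = program name, e.g. named
    awk -v prog="$1" '$1 ~ /^(tcp|udp)6?$/ && $NF ~ ("/" prog "$") { print $1, $4 }'
}

# Sockets bound to IPv6 (tcp6/udp6 rows or :: addresses); empty once IPv6 is off
ipv6_listeners() {
    awk '$1 ~ /^(tcp|udp)6$/ || $4 ~ /^::/ { print $1, $4, $NF }'
}

# Succeeds only if the program binds specific addresses, never 0.0.0.0 or ::.
# The ns1 setup expects named on 127.0.0.1 and 192.168.10.2 only.
no_wildcard_bind() {                        # $1 = program name; stdin = netstat output
    listeners_of "$1" | awk '$2 ~ /^(0\.0\.0\.0|::):[0-9]+$/ { found = 1 } END { exit found }'
}

# usage: netstat -tunlp | listeners_of named
#        netstat -tunlp | no_wildcard_bind named && echo "named bound to specific addresses"
#        netstat -tunlp | ipv6_listeners            (no output expected after the steps above)
if [ $# -ge 1 ]; then listeners_of "$1"; fi
```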

Tuesday, December 14, 2010

How to lock console in Debian

There is an easy way to lock your console session in Linux. Just install vlock:
apt-get install vlock
Once installed, issue the command vlock; here is what you will see:
This TTY is now locked.

Please press [ENTER] to unlock.
Read more about vlock here.