The Hannibal project is centralized around an LDAP store, so why not put the DNS data into it as well? The option below describes a method to do this.
The backend authoritative nameserver for our project is Ldapdns. It’s fast, robust and secure. No LDAP-to-DNS conversion and no daemon restart is required after DNS changes. Note: Ldapdns only serves our local zone(s)! We also need a caching nameserver to allow clients to look up foreign zones. This is described below.
Install the software
apt-get install ldapdns
Configure /etc/ldapdns.conf
DNS="." IP="192.168.1.51" HOSTMASTER="root@intra.example.com" DEFAULT_REFRESH=86400 DEFAULT_RETRY=7200 DEFAULT_EXPIRE=604800 DEFAULT_MINIMUM=172800 LOG="syslog" LDAP_HOST="192.168.1.12" ROOT="/var/lib/ldapdns" LDAP_AUTH="anonymous" LDAP_AUTH_NAME="" LDAP_SUFFIX="ou=Domains,dc=intra,dc=example,dc=com " SCHEMA=cosine HANDLERS="128" THREADS="2" RUN_UID="$(id -u ldapdns)" RUN_GID="$(id -g ldapdns)"
In the chapter on installing the Fedora Directory Server we already mentioned the custom LDAP schema that is required for Ldapdns (63ldapdns.ldif). We assume you are using this schema.
Restart the ldapdns-server
/etc/init.d/ldapdns restart
Let’s load some DNS data for Ldapdns into the directory server. An example LDIF file is available at hannibal-dnsstuff.
/opt/fedora-ds/slapd-ldap/ldif2ldap "cn=Directory Manager" yourpassword /opt/hannibal-dnsstuff.ldif
To serve all other zones, i.e. the non-authoritative zones, a caching nameserver is used. There are two options:
Earlier on we documented how to create an LDAP backend for our local zone(s) using Ldapdns. In addition to an authoritative nameserver we also need a solution that allows our clients to look up foreign zones. This is called a caching nameserver.
Although from a technical point of view we prefer ‘Dnscache’, a utility that is part of the ‘Djbdns’ software stack, its license doesn’t allow binary distribution. For this reason we choose Bind as the caching nameserver. However, after describing Bind, we’ll also document how to create a caching nameserver using Djbdns!
First install the software
apt-get install bind9
Make Bind listen on a unique IP. Remember that you already have Ldapdns running!
Edit /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
listen-on { 192.168.1.11; };
auth-nxdomain no;
};
Next we’ll tell Bind to forward requests regarding our local zone(s) to Ldapdns. Edit the file /etc/bind/named.conf.local
zone "1.168.192.in-addr.arpa"{
type forward;
forwarders { 192.168.1.51; };
};
zone "intra.example.com"{
type forward;
forwarders { 192.168.1.51; };
};
After you’re done, reload Bind
/etc/init.d/bind9 force-reload
Now you can use the new caching nameserver on all clients. Configure /etc/resolv.conf like so:
search intra.example.com
nameserver 192.168.1.11
Alongside ldapdns we can use dnscache (part of djbdns) as the caching nameserver. In order to run dnscache we also need daemontools. Our project doesn’t support Dynamic DNS or DNSSEC. Due to licensing issues with djbdns and daemontools it’s not allowed to distribute binaries for these packages. However, Debian GNU/Linux provides the packages ‘daemontools-installer’ and ‘djbdns-installer’. If one follows the instructions after installing these packages, binary packages are created on the fly. As a result some additional packages will be installed on your system. For this reason we build the binaries on a separate development machine and copy the results to the production machine. You might want to read the Hannibal Development-server howto.
Logon to your development machine and build the daemontools and djbdns packages.
apt-get install daemontools-installer djbdns-installer
Follow the instructions during this process, transfer the binary packages to your DNS server, then issue:
dpkg -i daemontools_0.76-9_i386.deb djbdns_1.05-11_i386.deb # use the names of the .deb's you just created
Set up local dnscache:
mkdir /var/lib/svscan
dnscache-conf dnscache dnslog /var/lib/svscan/dnscache 192.168.1.11
ln -s /var/lib/svscan/dnscache /service
touch /var/lib/svscan/dnscache/root/ip/192.168.1
touch /var/lib/svscan/dnscache/root/ip/127.0.0.1
This generates a local cache. Clients on the 192.168.1.x network can use this dnscache. Next we’ll make dnscache forward queries for our local zone(s) to the ldapdns server. In this example dnscache listens on 192.168.1.11 while the ldapdns server listens on 192.168.1.51.
Create the file /var/lib/svscan/dnscache/root/servers/1.168.192.in-addr.arpa containing:
192.168.1.51
and the file /var/lib/svscan/dnscache/root/servers/intra.example.com containing:
192.168.1.51
Restart the dnscache
/etc/init.d/djbdns restart
Now you can use the new caching nameserver on all clients. Configure /etc/resolv.conf like so:
search intra.example.com
nameserver 192.168.1.11
The other option is to just use a standard primary/secondary DNS setup with ISC Bind and plain zone files.
/etc/bind/named.conf on the primary (ns1, 10.0.6.11):
options {
directory "/var/named";
allow-transfer{
127.0.0.1;
10.0.6.0/24;
};
listen-on{
127.0.0.1;
10.0.6.11;
};
recursion yes;
auth-nxdomain yes;
forwarders {
172.17.1.11;
172.17.1.31;
};
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
zone "hannibal.local"{
type master;
file "db.hannibal.local";
notify yes;
};
zone "6.0.10.in-addr.arpa" {
type master;
file "db.6.0.10.in-addr.arpa";
};
/var/named/db.hannibal.local:
$ORIGIN .
$TTL 7200 ; 2 hours
hannibal.local IN SOA ns1.hannibal.local. hostmaster.hannibal.local. (
        2007120102 ; serial
        14400 ; refresh (4 hours)
        1800 ; retry (30 minutes)
        1209600 ; expire (2 weeks)
        86400 ; minimum (1 day)
        )
        NS ns1.hannibal.local.
        NS ns2.hannibal.local.
        MX 10 mail.hannibal.local.
$ORIGIN hannibal.local.
localhost A 127.0.0.1
router A 10.0.6.1
        TXT "logical router"
dom0 A 10.0.6.3
ns1 A 10.0.6.11
        TXT "logical primary dns"
ns2 A 10.0.6.31 ; secondary; address matches the PTR record in the reverse zone
ns CNAME ns1.hannibal.local.
ldap1 A 10.0.6.12
        TXT "logical LDAP primary"
ldap CNAME ldap1.hannibal.local.
mail A 10.0.6.14
        TXT "logical smtp"
smtp CNAME mail.hannibal.local.
imap CNAME mail.hannibal.local.
/var/named/db.6.0.10.in-addr.arpa:
$TTL 7200
6.0.10.in-addr.arpa. IN SOA ns1.hannibal.local. hostmaster.hannibal.local. (
        2007120102 ; serial
        14400 ; refresh (4 hours)
        1800 ; retry (30 minutes)
        1209600 ; expire (2 weeks)
        86400 ; minimum (1 day)
        )
        NS ns1.hannibal.local.
        NS ns2.hannibal.local.
1 IN PTR router.hannibal.local.
3 IN PTR dom0.hannibal.local.
11 IN PTR ns1.hannibal.local.
12 IN PTR ldap1.hannibal.local.
14 IN PTR smtp.hannibal.local.
16 IN PTR fileserver.hannibal.local.
20 IN PTR www.hannibal.local.
31 IN PTR ns2.hannibal.local.
32 IN PTR ldap2.hannibal.local.
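The forward and reverse zone files above have to agree with each other, and the mismatches are easy to miss by eye. The following Python checker is an added example, not part of the Hannibal project: it parses zone text in the format of the two files above (handling $ORIGIN and inherited owner names, one record per line, no multi-line SOA) and reports A records without a matching PTR, PTR records that point at a CNAME, and PTR records with no A record. FORWARD and REVERSE are constructed excerpts of db.hannibal.local and db.6.0.10.in-addr.arpa.

```python
# Added example, not the Hannibal project's code: cross-check a BIND forward zone
# against its reverse zone. FORWARD/REVERSE are constructed excerpts of the page's files.
FORWARD = """\
$ORIGIN hannibal.local.
ns1     A 10.0.6.11
mail    A 10.0.6.14
smtp    CNAME mail.hannibal.local.
"""
REVERSE = """\
$ORIGIN 6.0.10.in-addr.arpa.
11 IN PTR ns1.hannibal.local.
14 IN PTR smtp.hannibal.local.
16 IN PTR fileserver.hannibal.local.
"""
TYPES = {"A", "CNAME", "PTR", "NS", "TXT", "MX", "SOA"}

def parse_zone(text):
    origin, owner, records = ".", None, []
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()              # strip comments
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.split()
        if not raw[0].isspace():                       # explicit owner, else inherit
            owner = tokens.pop(0)
            owner = owner if owner.endswith(".") else owner + "." + origin.lstrip(".")
        while tokens and tokens[0] not in TYPES:       # skip optional TTL / class
            tokens.pop(0)
        if tokens:
            records.append((owner, tokens[0], " ".join(tokens[1:])))
    return records

def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."   # 10.0.6.11 -> 11.6.0.10.

def check_consistency(fwd_text, rev_text):
    # A records lacking a matching PTR, PTRs aimed at a CNAME, PTRs without an A record
    fwd, rev = parse_zone(fwd_text), parse_zone(rev_text)
    a_by_ptr = {reverse_name(r): o for o, t, r in fwd if t == "A"}
    cnames = {o for o, t, _ in fwd if t == "CNAME"}
    ptrs = {o: r for o, t, r in rev if t == "PTR"}
    problems = [f"A {a} has no matching PTR at {p}" for p, a in a_by_ptr.items() if ptrs.get(p) != a]
    for p, target in ptrs.items():
        if target in cnames:
            problems.append(f"PTR {p} points at CNAME {target}")
        elif p not in a_by_ptr:
            problems.append(f"PTR {p} -> {target} has no A record")
    return sorted(problems)
```

Run against the full files above, the checker flags the PTR for 10.0.6.14 (it names the CNAME smtp rather than the A record mail) and the reverse entries that have no forward counterpart.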
/etc/bind/named.conf on the secondary (ns2, 10.0.6.31):
options {
directory "/var/named";
allow-transfer{
10.0.6.101;
10.0.6.0/24;
};
listen-on{
127.0.0.1;
10.0.6.31;
};
recursion yes;
auth-nxdomain yes;
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
zone "hannibal.local"{
type slave;
file "sec/db.hannibal.local";
masters { 10.0.6.11; };
allow-query { any; };
};
zone "6.0.10-in-addr.arpa"{
type slave;
file "sec/db.6.0.10-in-addr.arpa";
masters { 10.0.6.31; };
allow-query { any; };
};
For large networks it might be a good idea to store DHCP information in a central LDAP database. Brian Masney has written a patch that gives the ISC DHCP server an LDAP backend. You can find more information and download the patch at http://www.newwave.net/~masneyb/.
Download the sources of the ISC DHCP server at http://www.isc.org, apply the LDAP patch and then configure and compile the software or, even better, create binary packages for your GNU/Linux distribution of choice.
We built new Debian-packages (i386 platform only) based on the Debian Sarge source packages for the ISC DHCP-server.
Install the patched packages
dpkg -i dhcp3-common_3.0.4-1ldap_i386.deb dhcp3-server_3.0.4-1ldap_i386.deb
Add the interface to bind to in /etc/default/dhcp3-server
Install an LDAP-enabled /etc/dhcp3/dhcpd.conf
ldap-server "xenfds.intra.example.com";
ldap-port 389;
# We do an anonymous bind
# ldap-username "cn=directorymanagerloginname";
# ldap-password "mypassword";
ldap-base-dn "ou=DHCP,dc=intra,dc=example,dc=com";
ldap-method static;
ldap-debug-file "/var/log/dhcp-ldap-startup.log";
In the chapter on installing the Fedora Directory Server we already described the custom LDAP schema that is required for DHCP usage (64ldapdhcp.ldif).
A basic example to fill the DHCP part of the LDAP server is needed to get things going. You can save it e.g. as /opt/dhcp-ldap.ldif
dn: ou=DHCP,dc=intra,dc=example,dc=com
ou: DHCP
objectClass: top
objectClass: organizationalUnit
description: DHCP Servers

dn: cn=DHCP Config, ou=DHCP,dc=intra,dc=example,dc=com
cn: DHCP Config
objectClass: top
objectClass: dhcpService
dhcpPrimaryDN: cn=xendns, ou=DHCP,dc=intra,dc=example,dc=com
dhcpStatements: ddns-update-style none
dhcpStatements: get-lease-hostnames true
dhcpStatements: use-host-decl-names true

dn: cn=192.168.1.0, cn=DHCP Config, ou=DHCP,dc=intra,dc=example,dc=com
cn: 192.168.1.0
objectClass: top
objectClass: dhcpSubnet
objectClass: dhcpOptions
dhcpNetMask: 24
dhcpRange: 192.168.1.150 192.168.1.200
dhcpStatements: default-lease-time 600
dhcpStatements: max-lease-time 7200
dhcpOption: netbios-name-servers 192.168.1.16
dhcpOption: subnet-mask 255.255.255.0
dhcpOption: routers 192.168.1.1
dhcpOption: domain-name-servers 192.168.1.11
dhcpOption: domain-name "intra.example.com"

dn: cn=xendns, ou=DHCP,dc=intra,dc=example,dc=com
cn: xendns
objectClass: top
objectClass: dhcpServer
dhcpServiceDN: cn=DHCP Config, ou=DHCP,dc=intra,dc=example,dc=com

dn: cn=xenclient, cn=DHCP Config, ou=DHCP,dc=intra,dc=example,dc=com
cn: xenclient
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:16:3e:3d:eb:87
dhcpStatements: fixed-address 192.168.1.111
You can add the LDIF to the LDAP-database like so:
/opt/fedora-ds/slapd-xenfds/ldif2ldap "cn=Directory Manager" yourpassword /opt/dhcp-ldap.ldif
As an alternative you might use the available Perl script to convert your current dhcpd.conf to LDIF.
Finally start your DHCP server and you’re done. If any debugging is needed, start with the files /var/log/dhcp-ldap-startup.log and /var/log/daemon.log; Brian’s patch and the ISC server do have additional options.
Below is an example of dhcpd.conf for running a dhcp3-server without an LDAP backend.
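The LDIF above maps one-to-one onto dhcpd.conf syntax: `option x y` becomes `dhcpOption: x y`, any other statement becomes `dhcpStatements`, and a subnet block becomes a dhcpSubnet/dhcpOptions entry under the dhcpService. The Python below is an added example, not Brian Masney's conversion script and not the project's code; it performs that mapping for a plain dhcpd.conf in the style of the one later on this page, reusing the page's DNs and the server name xendns. Global `option` lines are placed on the dhcpService entry (the page's hand-written LDIF puts them on the subnet entry instead), and the embedded dhcpd.conf text is constructed.

```python
# Added example, not Brian Masney's conversion script and not the project's code:
# map the page's plain dhcpd.conf onto LDIF entries shaped like its dhcp-ldap.ldif.
import re
from ipaddress import IPv4Network

BASE_DN = "ou=DHCP,dc=intra,dc=example,dc=com"          # DNs as used on the page
SERVICE_DN = f"cn=DHCP Config, {BASE_DN}"
SERVER_DN = f"cn=xendns, {BASE_DN}"
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)

DHCPD_CONF = """\
ddns-update-style none;
option domain-name-servers 192.168.1.11, 192.168.1.31;
option routers 192.168.1.1;   # default gateway
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.150 192.168.1.200;
}
"""

def statements(body):
    # split into statements, dropping '#' comments and the trailing ';'
    return [s.strip() for s in re.sub(r"#.*", "", body).split(";") if s.strip()]

def to_attrs(body):
    # 'option x y' -> dhcpOption, 'range a b' -> dhcpRange, anything else -> dhcpStatements
    attrs = []
    for stmt in statements(body):
        kind, _, rest = stmt.partition(" ")
        if kind == "option":
            attrs.append(("dhcpOption", rest))
        elif kind == "range":
            attrs.append(("dhcpRange", rest))
        else:
            attrs.append(("dhcpStatements", stmt))
    return attrs

def dhcpd_to_ldif(conf):
    # dhcpService gets the global statements; each subnet block becomes a dhcpSubnet entry
    service = [("dn", SERVICE_DN), ("cn", "DHCP Config"), ("objectClass", "top"),
               ("objectClass", "dhcpService"), ("dhcpPrimaryDN", SERVER_DN)]
    service += to_attrs(SUBNET_RE.sub("", conf))
    server = [("dn", SERVER_DN), ("cn", "xendns"), ("objectClass", "top"),
              ("objectClass", "dhcpServer"), ("dhcpServiceDN", SERVICE_DN)]
    entries = [service, server]
    for net, mask, body in SUBNET_RE.findall(conf):
        prefix = IPv4Network(f"{net}/{mask}").prefixlen       # 255.255.255.0 -> 24
        entries.append([("dn", f"cn={net}, {SERVICE_DN}"), ("cn", net),
                        ("objectClass", "top"), ("objectClass", "dhcpSubnet"),
                        ("objectClass", "dhcpOptions"), ("dhcpNetMask", str(prefix))]
                       + to_attrs(body))
    return "\n\n".join("\n".join(f"{a}: {v}" for a, v in e) for e in entries) + "\n"
```

The output can be fed to ldif2ldap exactly like the hand-written file above; the ou=DHCP container entry is assumed to exist already.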
Remember, our project doesn’t support DDNS (yet).
Install the software
apt-get install dhcp3-server
Content of /etc/dhcp3/dhcpd.conf
allow booting;
allow bootp;
ddns-update-style none;
option domain-name "intra.example.com";
option domain-name-servers 192.168.1.11, 192.168.1.31;
option netbios-name-servers 192.168.1.16;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
default-lease-time 6000;
max-lease-time 72000;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.150 192.168.1.200;
}
In case of more than one NIC, or when using a Xen domU as the vehicle for your server, edit /etc/default/dhcp3-server
INTERFACES="eth1"
Start the DHCP-server
/etc/init.d/dhcp3-server start