Cabrillo College Linux Classes

DDNS

UNIX/Linux Network Administration

DDNS

Postby Wesley Jessup on Sun May 31, 2009 6:33 pm

1.) Using BIND 9's dnssec-keygen to create the key used between dhcpd and named for communication:

dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER

2.) /etc/dhcpd.conf config for ddns:

[root@nosmo root]# cat /etc/dhcpd.conf
ddns-update-style interim;
allow client-updates;        # DDNS: clients may submit their own forward updates
option time-offset -25200; #PDT
#
# Shire
#
subnet 172.30.4.0 netmask 255.255.255.0 {
    option routers 172.30.4.1;
    option subnet-mask 255.255.255.0;
    option domain-name "Shire";
    option domain-name-servers 172.30.4.107;

    range dynamic-bootp 172.30.4.150 172.30.4.199;
    default-lease-time 21600;
    max-lease-time 43200;
}

# DDNS: TSIG key shared with named (generated with dnssec-keygen above)
key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret IVPnmoTz49h6ENRV2eME7Q==;
};

# DDNS: forward and reverse zones dhcpd updates on the primary, signed with the key
zone SHIRE. {
    primary 172.30.4.107;
    key DHCP_UPDATER;
}

zone 4.30.172.in-addr.arpa. {
    primary 172.30.4.107;
    key DHCP_UPDATER;
}

3.) /etc/named.conf config for ddns:

[root@r1 ~]# cat /etc/named.conf
options {
    directory "/var/named";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

// DDNS: the same TSIG key as in dhcpd.conf; only updates signed with it are accepted
key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret IVPnmoTz49h6ENRV2eME7Q==;
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

zone "shire" IN {
    type master;
    file "db.shire";
    allow-update { key DHCP_UPDATER; };    // DDNS: dynamic updates from dhcpd, signed with the key
};

zone "4.30.172.in-addr.arpa" IN {
    type master;
    file "db.4.30.172";
    allow-update { key DHCP_UPDATER; };    // DDNS: dynamic updates from dhcpd, signed with the key
};

zone "rivendell" IN {
    type master;
    file "db.rivendell";
    allow-update { none; };
};

zone "2.168.192.in-addr.arpa" IN {
    type master;
    file "db.2.168.192";
    allow-update { none; };
};

zone "mordor" IN {
    type master;
    file "db.mordor";
    allow-update { none; };
};

zone "3.168.192.in-addr.arpa" IN {
    type master;
    file "db.3.168.192";
    allow-update { none; };
};

// A key file needs to be referenced for use by rndc
include "/etc/rndc.key";
Wesley Jessup
 
Posts: 40
Joined: Wed Sep 03, 2008 7:29 pm

DDNS (2)

Postby Wesley Jessup on Sun May 31, 2009 6:42 pm

1.) Iptables for ddns:
Same as for regular dns, though I thought I might have to open udp port 68.

[root@r1 ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

2.) SELinux settings and permissions for ddns:
Default SELinux settings, but not automatically set for files being updated by dhcpd (possibly because key encryption is being used?). Named must be able to create files in /var/named and must be able to write to the zones dhcpd is updating.
Note the .jnl files; I think they're for saving DNS information in the event the server fails.

[root@r1 ~]# ls -lZ /etc/named.conf
-rw-r----- root named /etc/named.conf
[root@r1 ~]# ls -ldZ /var/named
drwxrwx--- named named system_u:object_r:named_zone_t:s0 /var/named
[root@r1 ~]# ls -lZ /var/named/
drwxr-x--- root named root:object_r:named_zone_t:s0 chroot
drwxrwx--- named named system_u:object_r:named_cache_t:s0 data
-rw-r----- root named user_u:object_r:named_zone_t:s0 db.2.168.192
-rw-r----- root named user_u:object_r:named_zone_t:s0 db.3.168.192
-rw-r--r-- named named db.4.30.172
-rw-r--r-- named named db.4.30.172.jnl
-rw-r----- root named user_u:object_r:named_zone_t:s0 db.mordor
-rw-r----- root named user_u:object_r:named_zone_t:s0 db.rivendell
-rw-r--r-- named named db.shire
-rw-r--r-- named named db.shire.jnl
-rw-r----- root named system_u:object_r:named_zone_t:s0 localdomain.zone
-rw-r----- root named system_u:object_r:named_zone_t:s0 localhost.zone
-rw-r----- root named system_u:object_r:named_zone_t:s0 named.broadcast
-rw-r----- root named system_u:object_r:named_conf_t:s0 named.ca
-rw-r----- root named system_u:object_r:named_zone_t:s0 named.ip6.local
-rw-r----- root named system_u:object_r:named_zone_t:s0 named.local
-rw-r----- root named system_u:object_r:named_zone_t:s0 named.zero
drwxrwx--- named named system_u:object_r:named_cache_t:s0 slaves
Wesley Jessup
 
Posts: 40
Joined: Wed Sep 03, 2008 7:29 pm
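A small consistency check for the permission layout described in this post, added here as an example and not code from the thread or from BIND: it reads the zone stanzas from named.conf and an ls -l listing and reports zones whose allow-update setting does not match what the named user can actually write, plus a non-writable zone directory (which would block the .jnl journals). The conf excerpt and listing are constructed from the values posted above; SELinux contexts are parsed past but not evaluated.

```python
import re

# Constructed from the thread: the three zone stanzas that matter and the matching
# ls -l / ls -lZ lines ("." stands for /var/named itself).
NAMED_CONF = """
zone "shire" IN { type master; file "db.shire"; allow-update { key DHCP_UPDATER; }; };
zone "4.30.172.in-addr.arpa" IN { type master; file "db.4.30.172"; allow-update { key DHCP_UPDATER; }; };
zone "rivendell" IN { type master; file "db.rivendell"; allow-update { none; }; };
"""
LISTING = """
drwxrwx--- named named system_u:object_r:named_zone_t:s0 .
-rw-r----- root named user_u:object_r:named_zone_t:s0 db.rivendell
-rw-r--r-- named named db.4.30.172
-rw-r--r-- named named db.shire
"""
ZONE_RE = re.compile(r'zone\s+"([^"]+)".*?file\s+"([^"]+)".*?allow-update\s*\{([^}]*)\}', re.S)

def parse_zones(conf):
    """zone name -> (zone file, allow-update body without ';' and surrounding space)."""
    return {z: (f, body.replace(";", "").strip()) for z, f, body in ZONE_RE.findall(conf)}

def parse_listing(text):
    """file name -> (mode, owner, group); an SELinux context column, if present, is skipped."""
    entries = {}
    for line in text.strip().splitlines():
        fields = line.split()
        entries[fields[-1]] = (fields[0], fields[1], fields[2])
    return entries

def writable_by(mode, owner, group, user="named"):
    """May `user` write this entry: as owner, via the group bit, or because it is world-writable?"""
    return (owner == user and mode[2] == "w") or (group == user and mode[5] == "w") or mode[8] == "w"

def audit(conf, listing_text):
    """Least-privilege findings for the DDNS layout; an empty list means it is consistent."""
    entries, findings = parse_listing(listing_text), []
    if not writable_by(*entries["."]):
        findings.append("zone directory is not writable by named, so journal (.jnl) files cannot be created")
    for zone, (path, update) in parse_zones(conf).items():
        if path not in entries:
            findings.append(f"{zone}: zone file {path} is missing from the listing")
            continue
        dynamic, can_write = update != "none", writable_by(*entries[path])
        if dynamic and not can_write:
            findings.append(f"{zone}: allow-update is set but {path} is not writable by named")
        if not dynamic and can_write:
            findings.append(f"{zone}: allow-update is none but {path} is writable by named")
    return findings

if __name__ == "__main__":
    print(audit(NAMED_CONF, LISTING) or "layout consistent with named.conf")
```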

DDNS - An interesting error message

Postby Wesley Jessup on Sun May 31, 2009 6:51 pm

1.) Dhcpd error message upon an attempt to update forward and reverse lookup zones:

[root@nosmo root]# tail -f /var/log/messages
<output omitted>
May 29 23:48:28 nosmo dhcpd: DHCPDISCOVER from 00:0c:29:0f:4c:2d (kate) via eth1
May 29 23:48:29 nosmo dhcpd: DHCPOFFER on 172.30.4.196 to 00:0c:29:0f:4c:2d (kate) via eth1
May 29 23:48:29 nosmo dhcpd: if IN A kate.Shire domain doesn't exist add 10800 IN A kate.Shire 172.30.4.196 add 10800 IN TXT kate.Shire "00a8453d419f5338f6d5c0c6a98f150867": clock skew too great.
May 29 23:48:29 nosmo dhcpd: DHCPREQUEST for 172.30.4.196 (172.30.4.1) from 00:0c:29:0f:4c:2d (kate) via eth1
May 29 23:48:29 nosmo dhcpd: DHCPACK on 172.30.4.196 to 00:0c:29:0f:4c:2d (kate) via eth1
<output omitted>

2.) Named error message upon an attempt by dhcpd to update forward and reverse lookup zones:

[root@r1 ~]# tail -f /var/log/messages
<output omitted>
May 27 20:37:33 r1 named[6005]: client 172.30.4.1#32769: request has invalid signature: TSIG DHCP_UPDATER: tsig verify failure (BADTIME)

Date/time stamps for nosmo and Celebrian (r1):
[root@r1 ~]# date
Wed May 27 20:56:22 PDT 2009

[root@nosmo root]# date
Sat May 30 00:04:39 PDT 2009

Yes, a bit skewed.
Wesley Jessup
 
Posts: 40
Joined: Wed Sep 03, 2008 7:29 pm

DDNS - Reconciled error message and results

Postby Wesley Jessup on Sun May 31, 2009 7:43 pm

1.)
Use vmware-toolbox on Celebrian (r1) to sync it with host OS.
Use date command on nosmo to configure date to within 5 minutes of Celebrian.

2.) Dhcpd messages, showing DORA and dhcpd updating forward and reverse lookup zones:

[root@nosmo root]# tail -f /var/log/messages
<output omitted>
May 30 22:46:37 nosmo dhcpd: DHCPDISCOVER from 00:0c:29:0f:4c:2d (kate) via eth1
May 30 22:46:38 nosmo dhcpd: DHCPOFFER on 172.30.4.196 to 00:0c:29:0f:4c:2d (kate) via eth1
May 30 22:46:38 nosmo dhcpd: if IN A kate.Shire domain doesn't exist add 10800 IN A kate.Shire 172.30.4.196 add 10800 IN TXT kate.Shire "00a8453d419f5338f6d5c0c6a98f150867": success.
May 30 22:46:38 nosmo dhcpd: delete IN PTR 196.4.30.172.in-addr.arpa. add 10800 IN PTR 196.4.30.172.in-addr.arpa. kate.Shire: success.
May 30 22:46:38 nosmo dhcpd: DHCPREQUEST for 172.30.4.196 (172.30.4.1) from 00:0c:29:0f:4c:2d (kate) via eth1
May 30 22:46:38 nosmo dhcpd: DHCPACK on 172.30.4.196 to 00:0c:29:0f:4c:2d (kate) via eth1

Dhcpd is adding an A record for kate.shire, as well as some text. I think the text, "00a8453d419f5338f6d5c0c6a98f150867", may be used as a unique identifier to avoid possible confusion if there are multiple entities updating the same record in the same zone file.

3.) Named messages, showing dhcpd updating forward and reverse lookup zones:

[root@r1 ~]# tail -f /var/log/messages
<output omitted>
May 30 22:46:56 r1 named[6005]: client 172.30.4.1#32769: updating zone 'shire/IN': adding an RR at 'kate.SHIRE' A
May 30 22:46:56 r1 named[6005]: client 172.30.4.1#32769: updating zone 'shire/IN': adding an RR at 'kate.SHIRE' TXT
May 30 22:46:56 r1 named[6005]: journal file db.shire.jnl does not exist, creating it
May 30 22:46:56 r1 named[6005]: client 172.30.4.1#32769: updating zone '4.30.172.in-addr.arpa/IN': deleting rrset at '196.4.30.172.in-addr.arpa' PTR
May 30 22:46:56 r1 named[6005]: client 172.30.4.1#32769: updating zone '4.30.172.in-addr.arpa/IN': adding an RR at '196.4.30.172.in-addr.arpa' PTR
May 30 22:46:56 r1 named[6005]: journal file db.4.30.172.jnl does not exist, creating it

Named updating zone files on behalf of 172.30.4.1 (nosmo, the dhcp server). Note the journal files (.jnl); this is why named has to have write permissions to /var/named.

4.) Forward and reverse lookup zones, after dhcpd updates them:
Unfortunately, posting seems to remove any tabs or spacing.
I've bolded in blue the changes made by named on behalf of dhcpd.

Forward lookup, after dhcpd updates it:
[root@r1 ~]# cat /var/named/db.shire
$ORIGIN .
$TTL 604800 ; 1 week
shire IN SOA r1.rivendell. root.rivendell. (
    2009040301 ; serial
    60 ; refresh (1 minute)
    15 ; retry (15 seconds)
    1209600 ; expire (2 weeks)
    300 ; minimum (5 minutes)
    )
    NS r1.rivendell.
$ORIGIN shire.
$TTL 10800 ; 3 hours (this TTL and the kate records were added by named on behalf of dhcpd)
kate A 172.30.4.196
    TXT "00a8453d419f5338f6d5c0c6a98f150867"
$TTL 604800 ; 1 week
localhost A 127.0.0.1
nosmo A 172.30.4.1
r1 A 172.30.4.107

Reverse lookup, after dhcpd updates it:
[root@r1 ~]# cat /var/named/db.4.30.172
$ORIGIN .
$TTL 86400 ; 1 day
4.30.172.in-addr.arpa IN SOA r1.rivendell. root.rivendell. (
    2007041401 ; serial
    28800 ; refresh (8 hours)
    14400 ; retry (4 hours)
    3600000 ; expire (5 weeks 6 days 16 hours)
    86400 ; minimum (1 day)
    )
    NS r1.rivendell.
$ORIGIN 4.30.172.in-addr.arpa.
1 PTR nosmo.shire.
107 PTR r1.shire.
$TTL 10800 ; 3 hours (this TTL and the PTR below were added by named on behalf of dhcpd)
196 PTR kate.Shire.
Wesley Jessup
 
Posts: 40
Joined: Wed Sep 03, 2008 7:29 pm
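To make the BADTIME failure in the previous post and the "within 5 minutes" fix in this one concrete, here is an added example (not from the thread or from BIND) of a simplified TSIG sign and verify: the HMAC-MD5 MAC covers the update plus the signer's time and a 300-second fudge, so named's clock must agree with dhcpd's within that window, and a wrong key fails earlier with BADSIG. The key is the lab key posted above, the update text is taken from the dhcpd log line, and the TSIG variables are reduced to time and fudge (the real record also covers key name, algorithm and other fields).

```python
import base64, hashlib, hmac, os, struct
from datetime import datetime, timezone

FUDGE = 300                 # TSIG fudge: BIND accepts time_signed within 5 minutes of its own clock
BADSIG, BADTIME = 16, 18    # RFC 2845 TSIG error codes returned to the updater
SECRET = "IVPnmoTz49h6ENRV2eME7Q=="   # the lab key DHCP_UPDATER from the thread

def gen_key(bits=128):
    """What dnssec-keygen -a HMAC-MD5 -b 128 produces: random bits, base64-encoded."""
    return base64.b64encode(os.urandom(bits // 8)).decode()

def tsig_mac(secret_b64, message, time_signed, fudge):
    # Simplified TSIG variables: only the 48-bit time signed and the 16-bit fudge are
    # covered here; real TSIG also hashes key name, class, TTL, algorithm name,
    # error and other-data (RFC 2845 section 3.4.2).
    variables = struct.pack(">QH", time_signed, fudge)[2:]
    return hmac.new(base64.b64decode(secret_b64), message + variables, hashlib.md5).digest()

def sign(secret_b64, message, now):
    """Updater side (dhcpd): sign the update with its own clock reading."""
    return {"time_signed": now, "fudge": FUDGE, "mac": tsig_mac(secret_b64, message, now, FUDGE)}

def verify(secret_b64, message, tsig, now):
    """Server side (named): None on success, else the TSIG error it would log."""
    expected = tsig_mac(secret_b64, message, tsig["time_signed"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return BADSIG       # wrong key or altered update: "tsig verify failure"
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return BADTIME      # key is right, but the clocks differ by more than the fudge
    return None

def epoch(date_output):
    """Seconds since the epoch from `date` output such as 'Sat May 30 00:04:39 PDT 2009'."""
    fields = date_output.split()
    naive = datetime.strptime(" ".join(fields[:4] + fields[5:]), "%a %b %d %H:%M:%S %Y")
    return int(naive.replace(tzinfo=timezone.utc).timestamp())   # both hosts are PDT, offsets cancel

if __name__ == "__main__":
    update = b"add 10800 IN A kate.Shire 172.30.4.196"        # the update dhcpd logged
    nosmo = epoch("Sat May 30 00:04:39 PDT 2009")             # dhcpd's clock when it signed
    r1 = epoch("Wed May 27 20:56:22 PDT 2009")                 # named's clock when it verified
    print("skewed:", verify(SECRET, update, sign(SECRET, update, nosmo), r1))    # 18 (BADTIME)
    print("synced:", verify(SECRET, update, sign(SECRET, update, r1), r1 + 120))  # None
```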

DDNS - SELinux returned

Postby Wesley Jessup on Sun May 31, 2009 9:44 pm

After rebooting all VMs, SELinux returned. The files previously thought to have no SELinux context now do. Fortunately, DDNS still works.

[root@r1 ~]# ls -lZ /etc/named.conf
-rw-r----- root named system_u:object_r:named_conf_t /etc/named.conf
[root@r1 ~]# ls -ldZ /var/named
drwxrwx--- named named system_u:object_r:named_zone_t /var/named
[root@r1 ~]# ls -lZ /var/named/
drwxr-x--- root named system_u:object_r:named_conf_t chroot
drwxrwx--- named named system_u:object_r:named_cache_t data
-rw-r----- root named user_u:object_r:named_zone_t db.2.168.192
-rw-r----- root named user_u:object_r:named_zone_t db.3.168.192
-rw-r--r-- named named system_u:object_r:named_zone_t db.4.30.172
-rw-r--r-- named named system_u:object_r:named_zone_t db.4.30.172.jnl
-rw-r----- root named user_u:object_r:named_zone_t db.mordor
-rw-r----- root named user_u:object_r:named_zone_t db.rivendell
-rw-r--r-- named named system_u:object_r:named_zone_t db.shire
-rw-r--r-- named named system_u:object_r:named_zone_t db.shire.jnl
-rw-r----- root named system_u:object_r:named_zone_t localdomain.zone
-rw-r----- root named system_u:object_r:named_zone_t localhost.zone
-rw-r----- root named system_u:object_r:named_zone_t named.broadcast
-rw-r----- root named system_u:object_r:named_conf_t named.ca
-rw-r----- root named system_u:object_r:named_zone_t named.ip6.local
-rw-r----- root named system_u:object_r:named_zone_t named.local
-rw-r----- root named system_u:object_r:named_zone_t named.zero
drwxrwx--- named named system_u:object_r:named_cache_t slaves
Wesley Jessup
 
Posts: 40
Joined: Wed Sep 03, 2008 7:29 pm

Re: DDNS

Postby Rich Simms on Mon Jun 01, 2009 6:11 am

Nice!

I take it you are using Red Hat 9 still on Nosmo (DHCP server) and CentOS 5.2 on R1 (DNS server)? BTW, this would make a GREAT addition to the student Howtos on the Resources page for the course!
Rich Simms
Site Admin
 
Posts: 640
Joined: Thu May 15, 2008 2:44 pm


CIS 192 - Spring 2009