Configuring an Ubuntu (Debian) Server for DNS, DHCP, and WINS

I recently set up an Ubuntu home server and some of the things I wanted to run on it were a DNS server, a DHCP server, and a WINS server (for my Windows computer).

DNS Server

The DNS server is the service that resolves names to IP addresses.

Install Necessary Software

root@ubuntu0001:~# apt-get install bind9 dnsutils

Caching Nameserver

The caching feature of the DNS server keeps the answers to previous lookups, so repeated lookups are answered on the local network instead of travelling to an external source each time; lookups it cannot answer itself are sent to the forwarders listed. This configuration is made in the /etc/bind/named.conf.options file. The configuration below has both OpenDNS and Google Public DNS entered, but only the OpenDNS servers active. To switch, the desired servers should be uncommented and the service restarted.

root@ubuntu0001:~# cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        forwarders {
                // Google Public DNS
                //8.8.8.8;
                //8.8.4.4;

                // OpenDNS
                208.67.222.222;
                208.67.220.220;
        };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Primary Master

The primary master makes the DNS server the authoritative source for its zones. This configuration is made in the /etc/bind/named.conf.local file.

include

The include configuration makes the DNS server aware of the key. This key was generated and provided by the Ubuntu install.

controls

The controls directive tells the DNS server that it can be controlled by other services on the loopback interface that are aware of the key. This will be the DHCP server.

zones

The purpose of the zone definitions should be fairly self-explanatory. The file directive tells the server where to find the zone data file, and allow-update allows the zone to be updated by any service that presents the key, in accordance with the controls configuration.

root@ubuntu0001:~# cat /etc/bind/named.conf.local
include "/etc/bind/rndc.key";

controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

zone "home.lan" {
        type master;
        file "/var/lib/bind/db.home.lan";
        allow-update { key "rndc-key"; };
};

zone "5.168.192.in-addr.arpa" {
        type master;
        file "/var/lib/bind/db.5.168.192";
        allow-update { key "rndc-key"; };
};

Zones

The actual zones themselves must be defined after the configurations have been made. Make sure these files are owned by bind:bind.

root@ubuntu0001:~# cat /var/lib/bind/db.home.lan
$ORIGIN .
$TTL 604800	; 1 week
home.lan		IN SOA	ubuntu0001.home.lan. root.home.lan. (
				205        ; serial
				604800     ; refresh (1 week)
				86400      ; retry (1 day)
				2419200    ; expire (4 weeks)
				604800     ; minimum (1 week)
				)
			NS	ubuntu0001.home.lan.
			A	192.168.5.100
$ORIGIN home.lan.
modem			A	192.168.5.1
router			A	192.168.5.50
ubuntu0001		A	192.168.5.100

root@ubuntu0001:~# cat /var/lib/bind/db.5.168.192
$ORIGIN .
$TTL 604800	; 1 week
5.168.192.in-addr.arpa	IN SOA	ubuntu0001.home.lan. root.home.lan. (
				150        ; serial
				604800     ; refresh (1 week)
				86400      ; retry (1 day)
				2419200    ; expire (4 weeks)
				604800     ; minimum (1 week)
				)
			NS	ubuntu0001.home.lan.
1			PTR	modem.home.lan.
100			PTR	ubuntu0001.home.lan.
50			PTR	router.home.lan.
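As a check on the two zone files above (an added example, not part of the original post): the script below parses both files and reports any A record whose address has no PTR, and any PTR that points at a name which does not own that address, which is exactly the drift that creeps in once DHCP starts updating both zones. The zone texts are constructed, condensed copies of the ones shown.

```python
# Constructed, condensed copies of the page's two zone files (the SOA timers moved onto one line).
FORWARD = """$ORIGIN .
home.lan IN SOA ubuntu0001.home.lan. root.home.lan. (
    205 604800 86400 2419200 604800 )
    A 192.168.5.100
$ORIGIN home.lan.
modem A 192.168.5.1
router A 192.168.5.50
ubuntu0001 A 192.168.5.100
"""
REVERSE = """$ORIGIN 5.168.192.in-addr.arpa.
1 PTR modem.home.lan.
100 PTR ubuntu0001.home.lan.
50 PTR router.home.lan.
"""

def parse_zone(text):
    """Yield (owner_fqdn, rtype, rdata) for the A and PTR records of a BIND zone file."""
    origin, owner, depth = ".", "@", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()                # strip ';' comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        if not line.strip() or line.startswith("$"):
            continue
        inside, depth = depth > 0, depth + line.count("(") - line.count(")")
        if inside:                                          # still inside the SOA "( ... )" block
            continue
        tokens = line.split()
        if not raw[0].isspace():                            # owner given; otherwise inherit the last one
            owner = tokens.pop(0)
        fqdn = origin if owner == "@" else owner if owner.endswith(".") else owner + "." + origin.lstrip(".")
        for rtype in ("A", "PTR"):
            if rtype in tokens:
                yield fqdn, rtype, tokens[tokens.index(rtype) + 1]

def check_consistency(forward_text, reverse_text):
    """Return problems: every A address needs a PTR, and every PTR must name a host owning that address."""
    names_for_ip = {}
    for name, _, ip in parse_zone(forward_text):
        names_for_ip.setdefault(ip, set()).add(name)
    ptr = {name: target for name, _, target in parse_zone(reverse_text)}
    problems = [f"no PTR for {ip} ({', '.join(sorted(names))})" for ip, names in names_for_ip.items()
                if ".".join(reversed(ip.split("."))) + ".in-addr.arpa." not in ptr]
    for rev, target in ptr.items():
        ip = ".".join(reversed(rev[: -len(".in-addr.arpa.")].split(".")))
        if target not in names_for_ip.get(ip, ()):
            problems.append(f"PTR {rev} -> {target}, but {target} has no A record for {ip}")
    return problems
```

Running check_consistency(FORWARD, REVERSE) on the page's records returns an empty list; feed it the real files from /var/lib/bind to check a live server.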

Restart

After all the configurations have been made, the DNS server should be restarted.

root@ubuntu0001:~# service bind9 restart

Test

The dig command can be used to test the DNS server. The output shows which server answered the lookup, which should be the local server.

root@ubuntu0001:~# dig google.com

DHCP Server

The DHCP service is the service that distributes IPs and other information to hosts on the network.

Install Necessary Software

root@ubuntu0001:~# apt-get install isc-dhcp-server

Listening Interface

The initial startup should fail. This is because the listening interface has not been configured. This is done in the /etc/default/isc-dhcp-server file.

root@ubuntu0001:~# cat /etc/default/isc-dhcp-server 
INTERFACES="eth0"

Configuration

The remaining configuration is done in the /etc/dhcp/dhcpd.conf file. Some of the main configurations are mentioned below.

ddns

These configuration options determine how the DHCP server updates the DNS server.

include

This configuration makes the DHCP server aware of the key. This is the same key that the DNS server was made aware of.

option

These are optional parameters that are sent to DHCP clients.

subnet and zone

The zones are defined for a given subnet. Within the zones, the key configuration tells the DHCP server which key to use when updating the DNS server.

root@server:~# cat /etc/dhcp/dhcpd.conf
ddns-update-style interim;
include "/etc/bind/rndc.key";
zone home.lan {
	primary 192.168.5.100;
	key "rndc-key";
}
ddns-domainname "home.lan";
ddns-rev-domainname "in-addr.arpa.";
option domain-name "home.lan";
option domain-name-servers 192.168.5.100;
option routers 192.168.5.1;
option broadcast-address 192.168.5.255;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;
subnet 192.168.5.0 netmask 255.255.255.0 {
	range 192.168.5.101 192.168.5.200;
	zone 5.168.192.in-addr.arpa. {
		primary 192.168.5.100;
		key "rndc-key";
	}
	zone home.lan. {
		primary 192.168.5.100;
		key "rndc-key";
	}
}
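The following is an added example, not from the original post, that reads the dhcpd.conf above and checks the things that most often go wrong with this setup: a dynamic range outside the subnet, gateway or DNS options outside it, a statically addressed host (the page's modem, router and server) sitting inside the pool, and zone blocks whose primary or key differ from the DNS server and the rndc key. STATIC_HOSTS and key_name are assumptions taken from the page's forward zone and rndc.key name.

```python
import ipaddress
import re

# Constructed, condensed copy of the page's dhcpd.conf (only the parts the checks look at).
DHCPD_CONF = """option domain-name "home.lan";
option domain-name-servers 192.168.5.100;
option routers 192.168.5.1;
option broadcast-address 192.168.5.255;
subnet 192.168.5.0 netmask 255.255.255.0 {
	range 192.168.5.101 192.168.5.200;
	zone 5.168.192.in-addr.arpa. {
		primary 192.168.5.100;
		key "rndc-key";
	}
	zone home.lan. {
		primary 192.168.5.100;
		key "rndc-key";
	}
}
"""
# Hosts with fixed addresses in the page's forward zone (assumption: they never take a DHCP lease).
STATIC_HOSTS = {"modem": "192.168.5.1", "router": "192.168.5.50", "ubuntu0001": "192.168.5.100"}

def parse_dhcpd(text):
    """Extract the subnet, dynamic range, option values and DDNS zone blocks from dhcpd.conf."""
    net_m = re.search(r"subnet (\S+) netmask (\S+) \{", text)
    net = ipaddress.ip_network(f"{net_m[1]}/{net_m[2]}")
    lo, hi = (ipaddress.ip_address(a) for a in re.search(r"range (\S+) (\S+);", text).groups())
    opts = dict(re.findall(r"option (\S+) ([^;]+);", text))
    zones = re.findall(r'zone (\S+) \{\s*primary (\S+);\s*key "([^"]+)";', text)
    return net, lo, hi, opts, zones

def check_dhcpd(text, static_hosts, key_name="rndc-key"):
    """Return a list of misconfigurations; an empty list means every check passed."""
    net, lo, hi, opts, zones = parse_dhcpd(text)
    problems = []
    if lo not in net or hi not in net or lo > hi:
        problems.append(f"range {lo}-{hi} does not lie inside {net}")
    for opt in ("routers", "domain-name-servers", "broadcast-address"):
        if ipaddress.ip_address(opts[opt]) not in net:
            problems.append(f"option {opt} {opts[opt]} is outside {net}")
    for host, ip in static_hosts.items():          # a pool address that is also static would collide
        if lo <= ipaddress.ip_address(ip) <= hi:
            problems.append(f"static host {host} ({ip}) sits inside the dynamic pool {lo}-{hi}")
    for zone, primary, key in zones:               # DDNS updates must go to our DNS server with our key
        if primary != opts["domain-name-servers"] or key != key_name:
            problems.append(f"zone {zone}: primary {primary} / key {key} do not match the DNS server or key")
    return problems
```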

Restart

root@server:~# service isc-dhcp-server restart

Samba Server

Samba is the service that communicates with Windows networks; its WINS component provides NetBIOS name resolution for the Windows computer.

Install Necessary Software

root@ubuntu0001:~# apt-get install samba

Configuration

Configuring the WINS server is fairly simple. Without going through the other configuration options (configuring shares, security, etc.), this only involves three changes to the [global] section: wins support, dns proxy and name resolve order.

root@ubuntu0001:~# cat /etc/samba/smb.conf
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   wins support = yes
   dns proxy = yes
   name resolve order = lmhosts host wins bcast
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes
[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

Restart

root@ubuntu0001:/etc/samba# service smbd restart
root@ubuntu0001:/etc/samba# service nmbd restart

14 responses to “Configuring an Ubuntu (Debian) Server for DNS, DHCP, and WINS”

      • Ubuntu version is 12.04.1

        I temporarily set permissions to rw-rw-rw-

        /etc/apparmor.d/local/usr.sbin.dhcpd contains:
        # Site-specific additions and overrides for usr.sbin.dhcpd.
        # For more details, please see /etc/apparmor.d/local/README.
        /etc/bind/ r,
        /etc/bind/** r,

      • root:root

        I rebooted the machine; I now get a different error message, so it looks like the rndc.key problem is solved.

        I will let you know my final result.

      • It took me 2 hours but I finally got it to work.

        bind tries to create journal files (.jnl) in /etc/bind but got permission errors. Whatever permissions I set on /etc/bind, I couldn’t fix this. Yes, bind is running as user bind.
        To fix it I updated named.conf.local.
        For zone eom.nl I added the line:
        journal "/var/lib/bind/db.eom.nl.jnl";
        For zone 10.in-addr.arpa I added the line:
        journal "/var/lib/bind/db.10.jnl";
        Then it only worked for dynamic IPs.
        To get it to work for static DHCP-assigned IP addresses I had to add the following line to dhcpd.conf:

        update-static-leases on;

        Now all works. Thanks.

      • Oh, and I had messages in /var/log/syslog like:

        error (chase DS servers) resolving 'twimg.com/DS/IN': 194.109.104.104#53
        named[1239]: error (insecurity proof failed) resolving 'com/NS/IN': 194.109.104.104#53

        Turns out that the default installation of bind has the following line in /etc/bind/named.conf.options:
        dnssec-validation auto;

        I commented that out and the errors disappeared.

    • One more thing, I got errors in /var/log/kernel.log, like:

      Jan 17 20:10:47 mail02 kernel: [278877.050968] type=1400 audit(1358449847.706:1015): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/sbin/named" name="/etc/bind/tmp-bkM6MWpxdc" pid=11795 comm="named" requested_mask="c" denied_mask="c" fsuid=126 ouid=126

      Following http://ubuntuforums.org/showthread.php?t=1658873, I moved my own zone files from /etc/bind to /var/lib/bind and modified /etc/bind/named.conf.local to reflect the file move, and the errors were gone. Maybe if I had placed my zone files there from the start I would have had no or fewer errors…

  1. I did all this again on another server and found that the problem with:

    Can’t open /etc/bind/rndc.key: Permission denied

    is solved by:

    1. adding the following lines to /etc/apparmor.d/local/usr.sbin.dhcpd:
    /etc/bind/ r,
    /etc/bind/** r,

    and

    2. changing the group for /etc/bind/rndc.key to “dhcpd”

    -Bart

    • Yeah, I think that should work. If you look in the AppArmor profile though, it seems like the Ubuntu guys wanted that stuff to go in /var, which is why I did it the way I did.
