| blob | f64a677159c81ee98fbe0bbe3f5b29c4603ebebb |
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3 <chapter id="DNSDHCP">
4 <chapterinfo>
5 &author.jht;
6 </chapterinfo>
8 <title>DNS and DHCP Configuration Guide</title>
10 <sect1>
11 <title>Features and Benefits</title>
13 <para>
14 <indexterm><primary>Dynamic Host Configuration Protocol</primary><see>DHCP</see></indexterm>
15 <indexterm><primary>Domain Name System</primary><see>DNS</see></indexterm>
16 There are few subjects in the UNIX world that might raise as much contention as
17 Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP).
18 Not all opinions held for or against particular implementations of DNS and DHCP
19 are valid.
20 </para>
22 <para>
23 We live in a modern age where many information technology users demand mobility
24 and freedom. Microsoft Windows users in particular expect to be able to plug their
25 notebook computer into a network port and have things <quote>just work.</quote>
26 </para>
28 <para>
29 <indexterm><primary>ADS</primary></indexterm>
30 UNIX administrators have a point. Many of the normative practices in the Microsoft
31 Windows world at best border on bad practice from a security perspective.
32 Microsoft Windows networking protocols allow workstations to arbitrarily register
33 themselves on a network. Windows 2000 Active Directory registers entries in the DNS namespace
34 that are equally perplexing to UNIX administrators. Welcome to the new world!
35 </para>
38 <para>
39 <indexterm><primary>ISC</primary><secondary>DNS</secondary></indexterm>
40 <indexterm><primary>ISC</primary><secondary>DHCP</secondary></indexterm>
41 <indexterm><primary>Dynamic DNS</primary><see>DDNS</see></indexterm>
42 The purpose of this chapter is to demonstrate the configuration of the Internet
43 Software Consortium (ISC) DNS and DHCP servers to provide dynamic services that are
44 compatible with their equivalents in the Microsoft Windows 2000 Server products.
45 </para>
47 <para>
48 This chapter provides no more than a working example of configuration files for both DNS and DHCP servers. The
49 examples used match configuration examples used elsewhere in this document.
50 </para>
52 <para>
53 <indexterm><primary>DNS</primary></indexterm>
54 <indexterm><primary>DHCP</primary></indexterm>
55 <indexterm><primary>BIND9.NET</primary></indexterm>
56 This chapter explicitly does not provide a tutorial, nor does it pretend to be a reference guide on DNS and
57 DHCP, as this is well beyond the scope and intent of this document as a whole. Anyone who wants more detailed
58 reference materials on DNS or DHCP should visit the ISC Web site at <ulink noescape="1"
59 url="http://www.isc.org"> http://www.isc.org</ulink>. Those wanting a written text might also be interested
60 in the O'Reilly publications on DNS, see the <ulink
61 url="http://www.oreilly.com/catalog/dns/index.htm">O'Reilly</ulink> web site, and the <ulink
62 url="http://www.bind9.net/books-dhcp">BIND9.NET</ulink> web site for details.
63 The books are:
64 </para>
66 <orderedlist>
67 <listitem><para>DNS and BIND, By Cricket Liu, Paul Albitz, ISBN: 1-56592-010-4</para></listitem>
68 <listitem><para>DNS & Bind Cookbook, By Cricket Liu, ISBN: 0-596-00410-9</para></listitem>
69 <listitem><para>The DHCP Handbook (2nd Edition), By: Ralph Droms, Ted Lemon, ISBN 0-672-32327-3</para></listitem>
70 </orderedlist>
72 </sect1>
74 <sect1>
75 <title>Example Configuration</title>
77 <para>
78 <indexterm><primary>WINS</primary></indexterm>
79 <indexterm><primary>DNS</primary></indexterm>
80 The DNS is to the Internet what water is to life. Nearly all information resources (host names) are resolved
81 to their Internet protocol (IP) addresses through DNS. Windows networking tried hard to avoid the
82 complexities of DNS, but alas, DNS won. <indexterm><primary>WINS</primary></indexterm> The alternative to
83 DNS, the Windows Internet Name Service (WINS) &smbmdash; an artifact of NetBIOS networking over the TCP/IP
84 protocols &smbmdash; has demonstrated scalability problems as well as a flat, nonhierarchical namespace that
85 became unmanageable as the size and complexity of information technology networks grew.
86 </para>
88 <para>
89 <indexterm><primary>RFC 1001</primary></indexterm>
90 <indexterm><primary>RFC 1002</primary></indexterm>
91 WINS is a Microsoft implementation of the RFC1001/1002 NetBIOS Name Service (NBNS).
92 It allows NetBIOS clients (like Microsoft Windows machines) to register an arbitrary
93 machine name that the administrator or user has chosen together with the IP
94 address that the machine has been given. Through the use of WINS, network client machines
95 could resolve machine names to their IP address.
96 </para>
98 <para>
99 The demand for an alternative to the limitations of NetBIOS networking finally drove
100 Microsoft to use DNS and Active Directory. Microsoft's new implementation attempts
101 to use DNS in a manner similar to the way that WINS is used for NetBIOS networking.
102 Both WINS and Microsoft DNS rely on dynamic name registration.
103 </para>
105 <para>
106 Microsoft Windows clients can perform dynamic name registration to the DNS server
107 on startup. Alternatively, where DHCP is used to assign workstation IP addresses,
108 it is possible to register hostnames and their IP address by the DHCP server as
109 soon as a client acknowledges an IP address lease. Finally, Microsoft DNS can resolve
110 hostnames via Microsoft WINS.
111 </para>
113 <para>
114 The following configurations demonstrate a simple, insecure dynamic DNS server and
115 a simple DHCP server that matches the DNS configuration.
116 </para>
118 <sect2>
119 <title>Dynamic DNS</title>
121 <para>
122 <indexterm><primary>DNS</primary><secondary>Dynamic</secondary></indexterm>
123 The example DNS configuration is for a private network in the IP address
124 space for network 192.168.1.0/24. The private class network address space
125 is set forth in RFC1918.
126 </para>
129 <para>
130 <indexterm><primary>BIND</primary></indexterm>
131 It is assumed that this network will be situated behind a secure firewall.
132 The files that follow work with ISC BIND version 9. BIND is the Berkeley
133 Internet Name Daemon.
134 </para>
136 <para>
137 The master configuration file <filename>/etc/named.conf</filename>
138 determines the location of all further configuration files used.
139 The location and name of this file is specified in the startup script
140 that is part of the operating system.
141 <programlisting>
142 # Quenya.Org configuration file
144 acl mynet {
145 192.168.1.0/24;
146 127.0.0.1;
147 };
149 options {
151 directory "/var/named";
152 listen-on-v6 { any; };
153 notify no;
154 forward first;
155 forwarders {
156 192.168.1.1;
157 };
158 auth-nxdomain yes;
159 multiple-cnames yes;
160 listen-on {
161 mynet;
162 };
163 };
165 # The following three zone definitions do not need any modification.
166 # The first one defines localhost while the second defines the
167 # reverse lookup for localhost. The last zone "." is the
168 # definition of the root name servers.
170 zone "localhost" in {
171 type master;
172 file "localhost.zone";
173 };
175 zone "0.0.127.in-addr.arpa" in {
176 type master;
177 file "127.0.0.zone";
178 };
180 zone "." in {
181 type hint;
182 file "root.hint";
183 };
185 # You can insert further zone records for your own domains below.
187 zone "quenya.org" {
188 type master;
189 file "/var/named/quenya.org.hosts";
190 allow-query {
191 mynet;
192 };
193 allow-transfer {
194 mynet;
195 };
196 allow-update {
197 mynet;
198 };
199 };
201 zone "1.168.192.in-addr.arpa" {
202 type master;
203 file "/var/named/192.168.1.0.rev";
204 allow-query {
205 mynet;
206 };
207 allow-transfer {
208 mynet;
209 };
210 allow-update {
211 mynet;
212 };
213 };
214 </programlisting>
215 </para>
217 <para>
218 The following files are all located in the directory <filename>/var/named</filename>.
219 This is the <filename>/var/named/localhost.zone</filename> file:
220 <programlisting>
221 $TTL 1W
222 @ IN SOA @ root (
223 42 ; serial (d. adams)
224 2D ; refresh
225 4H ; retry
226 6W ; expiry
227 1W ) ; minimum
229 IN NS @
230 IN A 127.0.0.1
231 </programlisting>
232 </para>
234 <para>
235 The <filename>/var/named/127.0.0.zone</filename> file:
236 <programlisting>
237 $TTL 1W
238 @ IN SOA localhost. root.localhost. (
239 42 ; serial (d. adams)
240 2D ; refresh
241 4H ; retry
242 6W ; expiry
243 1W ) ; minimum
245 IN NS localhost.
246 1 IN PTR localhost.
247 </programlisting>
248 </para>
250 <para>
251 The <filename>/var/named/quenya.org.host</filename> file:
252 <programlisting>
253 $ORIGIN .
254 $TTL 38400 ; 10 hours 40 minutes
255 quenya.org IN SOA marvel.quenya.org. root.quenya.org. (
256 2003021832 ; serial
257 10800 ; refresh (3 hours)
258 3600 ; retry (1 hour)
259 604800 ; expire (1 week)
260 38400 ; minimum (10 hours 40 minutes)
261 )
262 NS marvel.quenya.org.
263 MX 10 mail.quenya.org.
264 $ORIGIN quenya.org.
265 frodo A 192.168.1.1
266 marvel A 192.168.1.2
267 ;
268 mail CNAME marvel
269 www CNAME marvel
270 </programlisting>
271 </para>
273 <para>
274 The <filename>/var/named/192.168.1.0.rev</filename> file:
275 <programlisting>
276 $ORIGIN .
277 $TTL 38400 ; 10 hours 40 minutes
278 1.168.192.in-addr.arpa IN SOA marvel.quenya.org. root.quenya.org. (
279 2003021824 ; serial
280 10800 ; refresh (3 hours)
281 3600 ; retry (1 hour)
282 604800 ; expire (1 week)
283 38400 ; minimum (10 hours 40 minutes)
284 )
285 NS marvel.quenya.org.
286 $ORIGIN 1.168.192.in-addr.arpa.
287 1 PTR frodo.quenya.org.
288 2 PTR marvel.quenya.org.
289 </programlisting>
290 </para>
292 <para>
293 <indexterm><primary>BIND</primary></indexterm>
294 <indexterm><primary>dynamic registration files</primary></indexterm>
295 The configuration files shown here were copied from a fully working system. All dynamically registered
296 entries have been removed. In addition to these files, BIND version 9 will
297 create for each of the dynamic registration files a file that has a
298 <filename>.jnl</filename> extension. Do not edit or tamper with the configuration
299 files or with the <filename>.jnl</filename> files that are created.
300 </para>
302 </sect2>
304 <sect2 id="DHCP">
305 <title>DHCP Server</title>
307 <para>
308 The following file is used with the ISC DHCP Server version 3.
309 The file is located in <filename>/etc/dhcpd.conf</filename>:
310 </para>
312 <para>
313 <programlisting>
314 ddns-updates on;
315 ddns-domainname "quenya.org";
316 option ntp-servers 192.168.1.2;
317 ddns-update-style ad-hoc;
318 allow unknown-clients;
319 default-lease-time 86400;
320 max-lease-time 172800;
322 option domain-name "quenya.org";
323 option domain-name-servers 192.168.1.2;
324 option netbios-name-servers 192.168.1.2;
325 option netbios-dd-server 192.168.1.2;
326 option netbios-node-type 8;
328 subnet 192.168.1.0 netmask 255.255.255.0 {
329 range dynamic-bootp 192.168.1.60 192.168.1.254;
330 option subnet-mask 255.255.255.0;
331 option routers 192.168.1.2;
332 allow unknown-clients;
333 }
334 </programlisting>
335 </para>
337 <para>
338 In this example, IP addresses between 192.168.1.1 and 192.168.1.59 are
339 reserved for fixed-address (commonly called <constant>hard-wired</constant>) IP addresses. The
340 addresses between 192.168.1.60 and 192.168.1.254 are allocated for dynamic use.
341 </para>
343 </sect2>
345 </sect1>
346 </chapter>