Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] Automatically Updating named (bind9) with local address translations
  • From: "J J" <c_peto@xxxxxxxxxxx>
  • Date: Sun, 14 Sep 2003 10:49:33 +0000
  • Message-id: <Sea2-F3825FXmgoV3dU00006b65@xxxxxxxxxxx>
Yes, this isn't too hard.

(I used to run a configuration almost exactly like the one you describe. The differences were trivial - masquerading instead of proxy and SuSEfirewall instead of SuSEfirewall2.)

The first thing you need to do after installing BIND9 is set it to run automatically, configure it to forward DNS requests to your ISP's DNS servers and set the dhcp daemon so that clients query your gateway's server instead of the ISP's DNSes. You said that was "easy" so I won't go on about it here; tell me if you have any problems with that! :)

You'll need to create "zone definition" files for the computers on your local network and refer to them in /etc/named.conf. Taking the example of my network, which is running on 192.168.0.0 subnet mask 255.255.255.0...

You'll probably already have the following entries in named.conf:

zone "localhost" in {
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
    type master;
    file "127.0.0.zone";
};

Copy these entries to create new entries for your subnet, e.g.

zone "bookman-headoffice.co.uk" in {
    type master;
    file "bookman-headoffice.zone";
    allow-update { 192.168.0/24; 127/8; };
};

zone "0.168.192.in-addr.arpa" in {
    type master;
    file "192.168.0.zone";
    allow-update { 192.168.0/24; 127/8; };
};

Note the extra clause in each entry? That's the critical bit. It allows the dhcp server to update the DNS server.

In the DNS directory (I think /var/lib/named for the SuSE 8.2 BIND9 package), copy the zone definition files for localhost as a template for your new zone definition files.

For example:

$ORIGIN co.uk.
bookman-headoffice 172800 IN SOA localhost. root.localhost. (
                   20021086 10800 900 604800 86400 ) ;Cl=3
                   172800 IN NS localhost. ;Cl=3
                   172800 IN MX 10 gateway.bookman-headoffice.co.uk. ;Cl=3
                   172800 IN A 192.168.0.127 ;Cl=3

$ORIGIN bookman-headoffice.co.uk.

host1 172800 IN A 192.168.0.127 ;Cl=3

It's going to be too complex for me to explain zone definition files on this mailing list but the documentation with BIND9 seems good (I use BIND8 in production) and the example files look good. You won't need to put in all the host definitions, of course, because we're hoping that dhcp will do that for you!

Next set the dhcpd.conf file to trigger these automatic updates:

ddns-update-style interim;

And you should be away. When the dhcp server grants a lease it should also update the DNS server with the hostname that the client gives it.

I couldn't get M$ clients to update the DNS server themselves - probably some proprietary protocol stuff - but setting them all with useful hostnames and all to get their IP address from my SuSE 7.2 gateway got round the problem, as I've described.

Hope this helps. Tell me if you succeed!

Carl
(aka. "JJ")

From: "Philip B Cook" <philipbcook@xxxxxxxxxxxx>
To: <suse-security@xxxxxxxx>
Subject: [suse-security] Automatically Updating named (bind9) with local address translations
Date: Sat, 13 Sep 2003 17:00:40 +0100

I am successfully using SuSE Linux as a gateway, router and http proxy.

I am connected to the internet via a Cable Modem. The Linux machine is running Squid, SuSEfirewall2, dhcpcd and Samba (smbd and nmbd).

My local machines get their IP addresses from the dhcpcd server; these are allocated dynamically. DHCPCD tells each machine to use the Cable Company's two DNS servers for name resolution. I would like to use named (BIND9) to provide a local cache of internet addresses, which is easy, but how can I also provide name resolution for each of the local machines from BIND9 without having to use static IP addresses on my local network or use fixed addressing for each MAC address in DHCPD?

Once a local machine gets an IP address from DHCPCD, can this information be given to BIND9 so that it will do local lookups as well as caching internet addresses? Can this be done by either the server or the hosts?

Thanks ...

Philip
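A complete pair of configuration fragments for the setup JJ describes, added here as an example and taken from neither message. The allow-update clauses in the reply admit any host on 192.168.0/24, and a source address on a LAN is not an identity, so the update path is better tied to a TSIG key that only dhcpd and named share; that is what the fragments below do. The domain and file names are borrowed from the reply, the key name DHCP_UPDATER and the secret are placeholders, and the gateway address 192.168.0.1 and lease range are assumed.

```conf
# --- /etc/named.conf (BIND 9) ---
# Added example; key name and secret are placeholders.
# Generate a real secret with "tsig-keygen DHCP_UPDATER" on current BIND,
# or "dnssec-keygen -a HMAC-MD5 -b 128 -n HOST DHCP_UPDATER" on releases of the SuSE 8.2 era.
key "DHCP_UPDATER" {
    algorithm hmac-md5;     # accepted by every ISC DHCP release; use hmac-sha256 where both daemons support it
    secret "REPLACE_WITH_BASE64_SECRET==";
};

zone "bookman-headoffice.co.uk" in {
    type master;
    file "dyn/bookman-headoffice.zone";   # named must be able to write here: it keeps a .jnl journal beside the zone file
    allow-update { key "DHCP_UPDATER"; }; # a key, not an address range, authorises updates
};

zone "0.168.192.in-addr.arpa" in {
    type master;
    file "dyn/192.168.0.zone";
    allow-update { key "DHCP_UPDATER"; };
};

# --- /etc/dhcpd.conf (ISC DHCP) ---
ddns-update-style interim;
ddns-domainname "bookman-headoffice.co.uk.";
ddns-rev-domainname "in-addr.arpa.";
ignore client-updates;      # the server writes both A and PTR records; clients cannot register names of their own choosing

key DHCP_UPDATER {
    algorithm hmac-md5;
    secret "REPLACE_WITH_BASE64_SECRET==";   # identical to the secret in named.conf
}

zone bookman-headoffice.co.uk. {
    primary 127.0.0.1;      # named on this gateway
    key DHCP_UPDATER;
}

zone 0.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.200;            # assumed lease range
    option domain-name "bookman-headoffice.co.uk";
    option domain-name-servers 192.168.0.1;       # the gateway's own named rather than the ISP's resolvers
}
```

With both daemons restarted, a successful lease shows up as an "updating zone" entry in named's log and as a .jnl file next to each zone file, and dig @127.0.0.1 host1.bookman-headoffice.co.uk returns the leased address. Because the key is the only thing allow-update accepts, a host on the LAN that forges a packet from a permitted address gains nothing, which is the gap the address-based ACL in the reply leaves open; ignore client-updates also covers the Windows clients JJ mentions, since the server simply records the hostname each client supplies in its lease request.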