Make your DHCP server dynamically update your DNS records on Ubuntu Hardy Heron

Information
The steps in this post show how to configure the DHCP server to automatically update the DNS records when giving out a new lease to a client computer. All on the Ubuntu Hardy Heron server.

Before continuing
These steps assume that you already have a working copy of dhcp3-server and bind9 installed. If you don’t have that, I suggest that you first read my two other posts on how to install them:

Setting up a DNS for the local network on the Ubuntu Hardy Heron server
Setting up a DHCP server on Ubuntu Hardy Heron

Step by step instructions

1. Move the files to a directory that bind can write to

Apparently the Ubuntu server is installed with an AppArmor profile that prevents bind from writing to the /etc/bind directory. The default profile suggests that these files should be put in /var/lib/bind. If you have followed the steps in my previous post you might have your zone database files in /etc/bind/zones. We will start by copying the files so we have a backup remaining if anything goes wrong:

1.1 Copy the zone database files:

sudo cp /etc/bind/zones/* /var/lib/bind/

1.2 Change the owner and group of the files to bind, so that bind will have file permissions that allow it to write to the files:

sudo chown bind:bind /var/lib/bind/*

2. Create a secret shared between the DHCP server and the DNS

We don’t want just anybody to be able to update our DNS, so we need to create a secret, a key, that the DHCP server must know in order to be able to update the DNS.

2.1 Generate a new key:

sudo dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER

2.2 Show the generated key:

sudo cat Kdhcp_updater.*.private|grep Key

2.3 Now copy the key to the clipboard so that you can paste it into the configuration file later on.

3 Configure the DNS

We now need to add the key to the bind configuration and tell it which zones we want it to allow updates on. I’ve included the whole contents of my file here and marked the changes that I’ve made in bold.

3.1 Edit /etc/bind/named.conf.local:

sudo nano /etc/bind/named.conf.local

3.2 Changes are marked with bold:

# The secret key used for DHCP updates.
key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;

    # Important: Replace this key with your generated key.
    # Also note that the key should be surrounded by quotes.
    secret "asdasddsaasd/dsa==";
};

zone "home.lan" {
    type master;

    # Change the path of the database file to the writable copy in /var/lib/bind
    file "/var/lib/bind/home.lan.db";

    # Tell this zone that we will allow it to be updated from anyone
    # that knows the secret specified in the DHCP_UPDATER key.
    allow-update { key DHCP_UPDATER; };
};

zone "10.10.10.in-addr.arpa"  {
    type master;

    # Change the path of the database file to the writable copy in /var/lib/bind
    file "/var/lib/bind/rev.10.10.10.in-addr.arpa";

    # Tell this zone that we will allow it to be updated from anyone
    # that knows the secret specified in the DHCP_UPDATER key.
    allow-update { key DHCP_UPDATER; };
};

4 Configure the DHCP server to send updates to the DNS

4.1 Edit dhcpd.conf:

sudo nano  /etc/dhcp3/dhcpd.conf

4.2 Changes are marked with bold:

#
# Make sure to change the ddns update style to interim:
ddns-update-style interim;
ignore client-updates;      # Overwrite client configured FQDNs
ddns-domainname "home.lan.";
ddns-rev-domainname "in-addr.arpa.";

# option definitions common to all supported networks...
option domain-name "home.lan";
option domain-name-servers ubuntu.home.lan;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;

    # Important: Replace this key with your generated key.
    # Also note that the key should be surrounded by quotes.
    secret "asdasddsaasd/dsa==";
};

zone home.lan. {
  primary 127.0.0.1;
  key DHCP_UPDATER;
}

zone 10.10.10.in-addr.arpa. {
  primary 127.0.0.1;
  key DHCP_UPDATER;
}

# This is a very basic subnet declaration.
subnet 10.10.10.0 netmask 255.255.255.0 {
  range 10.10.10.100 10.10.10.200;
  option routers router.home.lan;
}

5 Tighten the permissions on the configuration files

The configuration files now contain our secret key. We should not let just anyone read our secret key, so let’s remove the general read rights from them:

sudo chmod o-r /etc/bind/named.conf.local
sudo chmod o-r /etc/dhcp3/dhcpd.conf 

We should now have a fully working dynamic DNS system for our local network. Let’s hold our thumbs and restart the services.

6 Restart the services to reload the configuration.

sudo /etc/init.d/bind9 restart
sudo /etc/init.d/dhcp3-server restart

7 Testing the setup

7.1 If you have an Ubuntu client that uses DHCP you can restart its network to make the DHCP-client request a new ip-address from the server:

sudo /etc/init.d/networking restart

7.2 You should now be able to look up your client computer in your DNS:

host lani-desktop

Result:
lani-desktop.home.lan has address 10.10.10.100

7.3 And the reverse should now also work for your client computer address:

host 10.10.10.100

Result:
100.10.10.10.in-addr.arpa domain name pointer lani-desktop.home.lan.

8 Cleanup

8.1 Remove the generated key files:

 sudo rm Kdhcp_updater.*

8.2 Remove the old zone db files:

sudo rm -R /etc/bind/zones

Done 🙂
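
Added example (not part of the original post): a POSIX shell check for the key handling in steps 2 to 5. It extracts the DHCP_UPDATER secret from both files, confirms that the two copies match and are not the sample value shown above, and reports any file that is still readable by others. The function names are made up for this example, and the parser assumes one statement per line, as in the listings above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
PLACEHOLDER='asdasddsaasd/dsa=='   # the sample secret printed in this guide

# Print the secret of key $2 found in config file $1 (nothing if absent).
# Assumes one statement per line, as in the listings above.
tsig_secret() {
    awk -v name="$2" '
        $1 == "key"              { k = $2; gsub(/[";{]/, "", k); in_key = (k == name) }
        in_key && $1 == "secret" { s = $2; gsub(/[";]/, "", s); print s; exit }
        in_key && /}/            { in_key = 0 }
    ' "$1"
}

# Succeed if "others" have read permission on file $1.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004)" ]
}

# audit_ddns_key NAMED_CONF DHCPD_CONF [KEY_NAME]; exit status 0 = all checks pass.
# The body runs in a subshell: variables stay local, "exit" only ends the function.
audit_ddns_key() (
    key=${3:-DHCP_UPDATER}
    rc=0
    dns_secret=$(tsig_secret "$1" "$key")
    dhcp_secret=$(tsig_secret "$2" "$key")
    if [ -z "$dns_secret" ] || [ -z "$dhcp_secret" ]; then
        echo "FAIL: key $key has no secret in at least one file"; rc=1
    elif [ "$dns_secret" != "$dhcp_secret" ]; then
        echo "FAIL: the two secrets differ, so BIND will refuse the updates"; rc=1
    elif [ "$dns_secret" = "$PLACEHOLDER" ]; then
        echo "FAIL: the sample secret from the guide is still in use"; rc=1
    fi
    for f in "$1" "$2"; do
        if world_readable "$f"; then
            echo "FAIL: $f is readable by every local user"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: key $key matches in both files and is not world-readable"
    exit "$rc"
)

# Demo on constructed files: dhcpd.conf is left at mode 644, so one finding is reported.
demo_ddns_audit() (
    d=$(mktemp -d) || exit 1
    printf 'key DHCP_UPDATER {\n    secret "%s";\n};\n' 'Q09OU1RSVUNURUQta2V5IQ==' \
        > "$d/named.conf.local"
    cp "$d/named.conf.local" "$d/dhcpd.conf"
    chmod 640 "$d/named.conf.local"
    chmod 644 "$d/dhcpd.conf"
    audit_ddns_key "$d/named.conf.local" "$d/dhcpd.conf"
    rc=$?
    rm -rf "$d"
    exit "$rc"
)
demo_ddns_audit || true
```

On the server itself the call would be `sudo sh -c '. ./audit.sh; audit_ddns_key /etc/bind/named.conf.local /etc/dhcp3/dhcpd.conf'`, where audit.sh is whatever file name you saved the functions under.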

Some “important” pointers

Database files being rewritten by bind
The dns database files are now being rewritten by the bind service. Some people have mentioned that they think that bind messes up these files so that they are impossible to maintain. I don’t think that they are that bad and personally I don’t have any problem editing them after bind has rewritten them. I’m not sure how often bind rewrites these files, but at least it seems to always happen when you stop the bind service. What I think is more important is to always stop the bind service before making any changes to the database files, otherwise they might be overwritten by bind.

Examples of how to stop and start the bind service:

sudo /etc/init.d/bind9 stop
sudo /etc/init.d/bind9 start

The only way that I can think of to avoid this problem is to split your domains into two sub domains, for example dyn.home.lan. and static.home.lan. You could then have the DHCP server only update the dyn.home.lan domain. But I didn’t want this, and I’m not going to update these files so often that it matters for me. Please let me know if you know of a better solution.

Key generation
When using dnssec-keygen to generate the secret key I passed it the parameter “-r /dev/urandom”. I’ve seen some pointers saying that this will generate a less secure key. But for me dnssec-keygen would just halt without that parameter. One other suggestion that I’ve seen is that you should switch to another terminal window on the server and run some commands that make some work on the server, to make it fill up the default /dev/random. I think that I would have done this if I were setting this up in a corporate environment. But for my own home network I really think that /dev/urandom will be sufficient.

Troubleshooting
There must be many more ways to troubleshoot any problems. But I managed to get it working by checking the system log for clues when a service didn’t start or when the DHCP server didn’t update the DNS records:

tail /var/log/syslog

That’s it!
I’ve really tried to make these steps as accurate as possible, following my own steps to get this to work. Please let me know if you think that I’ve missed something. Thank you.


Setting up a DHCP server on Ubuntu Hardy Heron

Update: There is now an updated version of this guide for Ubuntu 12.04: Setting up a DHCP server on Ubuntu 12.04 (Precise Pangolin) server.

This is my really short installation log of how I installed and configured a DHCP server on Ubuntu Hardy Heron.

1: Make sure that the latest version is installed:

sudo apt-get install dhcp3-server

Note: Don’t be alarmed if the startup fails; that’s because you haven’t configured it yet.

2.1: Edit the DHCP server configuration:

sudo nano /etc/dhcp3/dhcpd.conf 

2.2: The contents of my configuration file; for me the comments already in the file were what I needed to make the necessary changes:

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "home.lan";
option domain-name-servers ubuntu.home.lan;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# This is a very basic subnet declaration.
subnet 10.10.10.0 netmask 255.255.255.0 {
  range 10.10.10.100 10.10.10.200;
  option routers router.home.lan;
}

3: Start the DHCP server (it should now start without problems):

sudo /etc/init.d/dhcp3-server start

Done 🙂

Setting up a DNS for the local network on the Ubuntu Hardy Heron server

There is now an updated guide for Ubuntu 12.04: Setting up a DNS for the local network on the Ubuntu 12.04 (Precise Pangolin) server

Condensed version

This is my really condensed step by step procedure that I took to set up my local dns for our local network at home. It really isn’t more than just a shorter version of the great guides posted by Sam Davis:

BIND Caching Name Server Setup
BIND Master Server Setup

I really recommend that you read his two posts to get some more information, then you can check my pointers and maybe my configurations posted below if you want yet another example to look at.

Step by step instructions

1: Make sure that the latest version of bind9 is installed (that’s the dns-server software):
sudo apt-get install bind9

2.1: Configure the DNS to cache requests:
sudo nano /etc/bind/named.conf.options

2.2: Uncomment or add the forwarders section and replace the x’s with the IP addresses of the primary and secondary DNS servers of your ISP:

forwarders {
        x.x.x.x;
        x.x.x.x;
};

3.1: Make the server use its own DNS for lookups:
sudo nano /etc/resolv.conf

3.2: Change or add the nameserver directive to point to the local machine:
nameserver 127.0.0.1

3.3: You can also add a search directive, so that you don’t have to type the whole fully qualified domain name every time, just the computer name instead:
search home.lan

Note: This must also be done for other Ubuntu clients that use a static IP. But then it should point to the IP of the DNS server. If you have a DHCP server you should specify your DNS IP in its settings, as well as the search domain.

4.1: Define the zones for the local domain:
sudo nano /etc/bind/named.conf.local

4.2: Add a zone for the local domain:

zone "home.lan" IN {
    type master;
    file "/etc/bind/zones/home.lan.db";
};

4.3: Also add a zone for reverse dns lookups for the local network:

zone "10.10.10.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/rev.10.10.10.in-addr.arpa";
};

Note: Make sure that literal quotes are used, so that they are not converted if you copy and paste them to the terminal. You get literal quotes on a Swedish keyboard by pressing “Shift+2”, on an English keyboard it might be “Shift+,” ?

5: Create the zones directory:
sudo mkdir /etc/bind/zones

6.1: Configure the local domain:
sudo nano /etc/bind/zones/home.lan.db

6.2: My settings, change them to match your host names and ip-addresses:

; Use semicolons to add comments.
; Do NOT add empty lines.
; Host-to-IP Address DNS Pointers for home.lan
; Note: The extra "." at the end of addresses is important.
; The following parameters set when DNS records will expire, etc.
; Importantly, the serial number must always be iterated upward to prevent
; undesirable consequences. A good format to use is YYYYMMDDII where
; the II index is in case you make more than one change in the same day.
home.lan. IN SOA ubuntu.home.lan. hostmaster.home.lan. (
    2008080901 ; serial
    8H ; refresh
    4H ; retry
    4W ; expire
    1D ; minimum
)
; NS indicates that ubuntu is the name server on home.lan
; MX indicates that ubuntu is (also) the mail server on home.lan
home.lan. IN NS ubuntu.home.lan.
home.lan. IN MX 10 ubuntu.home.lan.
; Set the address for localhost.home.lan
localhost    IN A 127.0.0.1
; Set the hostnames in alphabetical order
print-srv    IN A 10.10.10.9
router       IN A 10.10.10.10
server       IN A 10.10.10.5
ubuntu       IN A 10.10.10.1
xbox         IN A 10.10.10.2

7.1: Create and edit the reverse lookup configuration file:
sudo nano /etc/bind/zones/rev.10.10.10.in-addr.arpa

7.2: My settings, the reverse of the above:

; IP Address-to-Host DNS Pointers for the 10.10.10.0 subnet
@ IN SOA ubuntu.home.lan. hostmaster.home.lan. (
    2008080901 ; serial
    8H ; refresh
    4H ; retry
    4W ; expire
    1D ; minimum
)
; define the authoritative name server
           IN NS ubuntu.home.lan.
; our hosts, in numeric order
1         IN PTR ubuntu.home.lan.
2         IN PTR xbox.home.lan.
5         IN PTR server.home.lan.
9         IN PTR print-srv.home.lan.
10        IN PTR router.home.lan.

8: Restart bind to use the new settings:
sudo /etc/init.d/bind9 restart

9: Test that the dns lookups work with the local server:
host ping.sunet.se

The response should be:
ping.sunet.se has address 192.36.125.18
ping.sunet.se has IPv6 address 2001:6b0:7::18

10: Test that all of your computers are listed with the following command:
host -l home.lan

The output should list all of your entered hosts:

home.lan name server ubuntu.home.lan.
localhost.home.lan has address 127.0.0.1
print-srv.home.lan has address 10.10.10.9
router.home.lan has address 10.10.10.10
server.home.lan has address 10.10.10.5
ubuntu.home.lan has address 10.10.10.1
xbox.home.lan has address 10.10.10.2

11: Test that the reverse lookup works:

 host 10.10.10.1

Response:
1.10.10.10.in-addr.arpa domain name pointer ubuntu.home.lan.

Final words
Do not forget to update the serial every time you make any changes to a zone file.

References:
BIND Caching Name Server Setup
BIND Master Server Setup

Generate a ssh key and disable password authentication on Ubuntu server

Update: There is now an updated version of this guide for Ubuntu 12.04: Generate a ssh key and disable password authentication on the Ubuntu 12.04 (Precise Pangolin) server

1. Generate the ssh key pair on the desktop computer:
ssh-keygen

2. Copy the public key to the server:
scp ~/.ssh/id_rsa.pub user@10.10.10.1:

3. Connect to the server:
ssh user@10.10.10.1

4. Append the public key to authorized_keys and remove the uploaded copy:
cat id_rsa.pub >> ~/.ssh/authorized_keys
rm id_rsa.pub

5. Edit the ssh server configuration to make sure that public key authentication is enabled (it should be enabled by default):
sudo nano /etc/ssh/sshd_config

5.1 These entries must be set to yes:
RSAAuthentication yes
PubkeyAuthentication yes

6. Reload the configuration:
sudo /etc/init.d/ssh reload

7. Disconnect from the server:
exit

8. Try connecting without the need to give the password to the ssh-client:
ssh user@10.10.10.1

You might need to give a password now to access your private key file, but you should not need to give the password to the ssh program.

9. Disable password authentication:
sudo nano /etc/ssh/sshd_config

9.1 The following settings should be set to no:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

9.2. Reload the configuration:
sudo /etc/init.d/ssh reload

10. Test that password authentication really is disabled:
10.1 Disconnect from the server:
exit

10.2 Rename your private key file:
mv ~/.ssh/id_rsa ~/.ssh/id_rsa.backup

10.3 Try to reconnect to the server:
ssh user@10.10.10.1

This should produce a permission denied message: “Permission denied (publickey).”

10.4 Restore your private key file:
mv ~/.ssh/id_rsa.backup ~/.ssh/id_rsa

Done 🙂
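
Added example, not part of the original post: steps 5.1 and 9.1 as a POSIX shell check that prints any setting whose effective value differs from what the guide sets, which catches a line that was edited but left commented out. It assumes OpenSSH's documented defaults for keywords missing from the file, and the function names are made up here.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the value sshd would use for keyword $2 in file $1, or default $3.
# sshd keeps the first value it reads for a keyword and matches keywords
# case-insensitively; lines after a Match line apply only conditionally.
sshd_effective() {
    awk -v want="$2" -v def="$3" '
        BEGIN                    { want = tolower(want) }
                                 { sub(/^[ \t]+/, "") }
        /^#/ || /^$/             { next }
                                 { split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == want    { print tolower(f[2]); found = 1; exit }
        END                      { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE; exit status 0 = the settings from 5.1 and 9.1 are in effect.
# Each table row is: keyword, assumed OpenSSH default, value the guide sets.
# RSAAuthentication is left out because it only applies to SSH protocol 1.
audit_sshd_config() (
    rc=0
    while read -r keyword default wanted; do
        got=$(sshd_effective "$1" "$keyword" "$default")
        if [ "$got" != "$wanted" ]; then
            echo "FAIL: $keyword is effectively '$got', the guide sets '$wanted'"
            rc=1
        fi
    done <<EOF
PubkeyAuthentication yes yes
PasswordAuthentication yes no
ChallengeResponseAuthentication yes no
UsePAM no no
EOF
    [ "$rc" -eq 0 ] && echo "OK: key-only login settings are in effect"
    exit "$rc"
)

# Demo on a constructed sshd_config: the PasswordAuthentication line is still
# commented out, so the default (yes) applies and the audit reports it.
demo_sshd_audit() (
    f=$(mktemp) || exit 1
    printf '%s\n' 'PubkeyAuthentication yes' '#PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' 'UsePAM no' > "$f"
    audit_sshd_config "$f"
    rc=$?
    rm -f "$f"
    exit "$rc"
)
demo_sshd_audit || true
```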


Reference

Debuntu

Change to static ip on the Ubuntu Hardy Heron server

There is now an updated guide for Ubuntu 12.04: Change to static ip on the Ubuntu 12.04 (Precise Pangolin) server

1.1: Edit /etc/network/interfaces:
sudo nano /etc/network/interfaces

1.2: Change from dhcp to static:

- iface eth0 inet dhcp
+ iface eth0 inet static
+        address 10.10.10.1
+        netmask 255.255.255.0
+        gateway 10.10.10.10
+        network 10.10.10.0
+        broadcast 10.10.10.255

2: Make sure that the name server is specified in ‘/etc/resolv.conf’:
nameserver 10.10.10.10

3: Uninstall the dhcp-client (otherwise it will overwrite your changes on the next renew cycle!):
sudo apt-get remove dhcp3-client

4: Restart the network to use the new settings:
sudo /etc/init.d/networking restart

Done 🙂

Automatically update Ubuntu Hardy Heron server with a ruby script

Needs

I wanted my newly installed Ubuntu server to check for updates every day and then automatically update itself if there were any new updates found. I searched the web trying to find an existing solution that would work out of the box for me. But I am of course very picky about what I want, so I could not find anything that met all my needs:

  • Automatically check for updates every day.
  • Automatically download and install any updates that were found.
  • Report both success and failures to my e-mail and show me in the subject if the update failed or succeeded.
  • Use an external smtp-server with authentication.

As I am also trying to learn the Ruby programming language, besides Linux, I decided to use it to create my update script.

Installing Ruby

Ruby is not installed by default on Hardy Heron but can easily be installed from the Ubuntu repositories:

sudo apt-get install ruby

The Script


#!/usr/bin/ruby
##### Information ##############################################
# DESC:	This is an update script for Ubuntu Hardy Heron 8.04.
#	It will fetch any available updates with aptitude and
#	install them. An e-mail with the result is then sent
#	using the configured smtp-server.
# AUTH:	Niklas "Lani" Lagergren
# REV.:	1.0 2008-08-06
#	* Initial release.
#
# COPY: No copyright claimed. No rights reserved. No warranty
#       given.
################################################################

##### Configurable mail server options: ########################
# These parameters need to be changed to match your environment
################################################################
@mail_server = 'your.mail-server.com'
@mail_port   = 25
@mail_domain = 'your.mail-domain.com'
@mail_user   = 'username'
@mail_pass   = 'password'
@mail_from   = 'from@your.mail-domain.com'
@mail_to     = 'to@somewhere.nil'

require 'net/smtp'

# Format date according to rfc 2822, example:
# Fri, 11 Jul 2008 09:13:20 +0200
def time_to_rfc2822(time)
  time.strftime('%a, %d %b %Y %H:%M:%S ') +
    if time.utc?
      '-0000'
    else
      off = time.utc_offset
      sign = off < 0 ? '-' : '+'
      format('%s%02d%02d', sign, *(off.abs / 60).divmod(60))
    end
end

# Send e-mail according to the configuration in the instance variables.
# The Message-Id uses a numeric timestamp, because the default Time string
# contains spaces, which are not allowed in a Message-Id.
def send_mail(subject, body)
  msg = "From: Ubuntu Server <#{@mail_from}>\r\n" +
    "To: Server Administrator <#{@mail_to}>\r\n" +
    "Subject: #{subject}\r\n" +
    "Date: #{time_to_rfc2822(Time.new)}\r\n" +
    "Message-Id: <#{Time.new.to_f}@#{@mail_domain}>\r\n" +
    "\r\n#{body}\r\n"

  Net::SMTP.start(@mail_server, @mail_port, @mail_domain, @mail_user,
                  @mail_pass) do |smtp|
    smtp.send_message msg, @mail_from, @mail_to
  end
end

# Run aptitude commands to update the system and capture its output.
puts 'Running aptitude...'
body = `aptitude update 2>&1`
body << `aptitude dist-upgrade -y 2>&1` if $? == 0
body << `aptitude clean 2>&1` if $? == 0

subject = "#{@mail_domain} update #{$? == 0 ? 'succeeded' : 'FAILED'} #{Time.new}"

puts 'Sending mail...'
send_mail subject, body
puts 'Mail sent.'

Set the script to run every day
Obviously you need to change the mail settings in the script as the comment suggests. Then save the script; I named it “autoupdate”. To run the script on a daily basis, copy it to “/etc/cron.daily”. And don’t forget to set execute permissions on the script (as I have the password stored in the file, I also removed all permissions from “others”):

sudo chmod 770 autoupdate

Test the script
The easiest way to test the script is of course to just execute it:
sudo ./autoupdate

If you really want to make sure that it will run in the same way as when executed by the cron job, you could run:

sudo run-parts /etc/cron.daily

Note that this will execute all scripts in the cron.daily folder. Another side note is that it probably won’t run with the same permissions as when executed from the cron job, and it will probably take a long time to execute.

Now check your mailbox or the log files for the result:

cat /var/log/aptitude

Hopefully someone out there can benefit from this script as it is, or if you’re like me; tweak it to suit your own needs 😉