I need to dynamically add/remove (virtual) hosts on my company's network. I cannot use static IPs because they may conflict with the IPs that DHCP hands out to my colleagues' PCs. I also do not have the rights to update the corporate DNS.
I will install my own DNS (a Bind server) which will contain the names of my machines and will forward all requests for unknown names to the corporate DNS.
Bind configuration
This targets the Debian distribution, as Debian stores the Bind configuration files in /etc/bind instead of /etc/ like many other distributions.
- Install the bind9 package.
- Comment out the zone "." section in /etc/bind/named.conf. We are on a corporate network and we do not have access to the root DNSs.
- Create a new root zone like this:

    zone "." {
        type forward;
        forwarders { 10.1.1.100; 10.1.1.101; };
    };

  where 10.1.1.100 and 10.1.1.101 are the corporate DNS IPs. I don't know if this should be set in named.conf or named.conf.local. I don't even know if it matters.
- Create the key which will be used to update the DNS from the client PCs. Assuming your e-mail address is admin@nospam.com, this looks like this:

    $ dnssec-keygen -a HMAC-MD5 -b 512 -n USER admin.nospam.com.

- Now create your zone in named.conf.local:

    key xrunhprof.corp. {
        algorithm hmac-md5;
        secret "hJUw1ggZk5d7yIVVt67qCNxlk2Wn8SAg0/6fuyCspcdEUuz1zumrfzYC Xb1B1i3nUwLXPCOXx8F2aVT0oB99xA==";
    };

    zone "xrunhprof.corp" {
        type master;
        file "/var/cache/bind/db.xrunhprof";
        allow-update { key xrunhprof.corp.; };
    };

  The secret key can be found in the .key file created with dnssec-keygen.
- Create an empty zone file in /var/cache/bind/db.xrunhprof:

    $TTL 86400
    @   IN  SOA 10.1.10.145. xrunhprof.wordpress.com. (
                2008102201  ; serial number YYMMDDNN
                28800       ; Refresh
                7200        ; Retry
                864000      ; Expire
                86400 )     ; Min TTL
        NS  10.1.10.145.
    $ORIGIN xrunhprof.corp.

  10.1.10.145 is the IP of the host running the Bind server.
- Restart Bind to take the changes into account.
Client configuration
The client needs to update its DNS entries each time it makes a DHCP request. Here is a script to do such an update:

    #! /bin/sh
    # The interface name is passed as $1 by ifup.d-style hooks; skip the loopback interface.
    if [ "x$1" != "xlo" ]; then
        unset LANG
        # /bin/sh (dash) does not set HOSTNAME the way bash does; fall back to hostname(1).
        HOSTNAME=${HOSTNAME:-$(hostname)}
        # Extract the IPv4 address of eth0 from the ifconfig output.
        IP=$(/sbin/ifconfig eth0 | sed -n 's/.*inet *addr:\([0-9\.]*\).*/\1/p')
        # Replace this host's A record, signing the update with the dnssec-keygen private key
        # that sits next to the script.
        nsupdate -k "$(dirname "$0")/Kxrunhprof.corp.+157+05662.private" << _ACEOF
    server 10.1.10.145
    zone xrunhprof.corp
    update delete $HOSTNAME. A
    update add $HOSTNAME. 86400 A $IP
    show
    send
    _ACEOF
    fi
This script needs to be in the same directory as the .private and .key files created with dnssec-keygen.
On Debian this script can be called with a post-up directive in /etc/network/interfaces. On Red Hat-like distributions (I tested with Mandriva) it can be placed in /etc/sysconfig/network-scripts/ifup.d/. In both cases do not forget to chmod +x the script.
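A variant of the client-side update, written as an added example rather than taken from the post. It keeps the post's server address (10.1.10.145) and zone (xrunhprof.corp) but assumes iproute2's ip(8) instead of ifconfig, a per-host key file named after the short hostname next to the script (a naming convention assumed here, not the post's), and that the interface name arrives either as $1 (ifup.d-style hooks) or in the IFACE variable that Debian's ifupdown exports to post-up commands. The point it adds is the failure mode the post's script does not handle: when the interface has no IPv4 address yet (lease not obtained, interface down), the script refuses to send an update instead of adding an A record with an empty value.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: iproute2 installed,
# key file <short-hostname>.key in the script's directory, and the server/zone
# values from the post.
SERVER=10.1.10.145
ZONE=xrunhprof.corp

# valid_ipv4 IP: true only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    addr=$1
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# iface_ipv4 DEV: first IPv4 address configured on DEV, empty if there is none.
iface_ipv4() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n 1
}

# update_batch HOST IP: the nsupdate commands that replace HOST's A record.
# Kept as a function returning text so it can be inspected before it is sent.
update_batch() {
    printf 'server %s\nzone %s\nupdate delete %s.%s. A\nupdate add %s.%s. 86400 A %s\nsend\n' \
        "$SERVER" "$ZONE" "$1" "$ZONE" "$1" "$ZONE" "$2"
}

# register DEV KEYFILE: send the update only when DEV actually has a usable
# IPv4 address; otherwise log and return non-zero so the hook fails visibly.
register() {
    dev=$1
    keyfile=$2
    host=$(hostname -s)
    addr=$(iface_ipv4 "$dev")
    if ! valid_ipv4 "$addr"; then
        echo "register: no IPv4 address on $dev, not updating $host.$ZONE." >&2
        return 1
    fi
    update_batch "$host" "$addr" | nsupdate -k "$keyfile"
}

# Entry point for the network hook: $1 from ifup.d-style scripts, IFACE from
# Debian ifupdown. Nothing is registered for loopback or when no interface is given.
case "${IFACE:-$1}" in
    lo|"") ;;
    *) register "${IFACE:-$1}" "$(dirname "$0")/$(hostname -s).key" ;;
esac
```

Because the update text is built by update_batch and only piped to nsupdate inside register, a constructed hostname and address can be checked without touching the network, which is how the validation below is exercised.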
Conclusion
I'm a total novice in Bind and DNS, so this how-to may contain errors. For example, I guess the update access control of my Bind server is a big security hole, as any client can update the entry of any other client.
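The hole described above comes from the zone's allow-update clause: every client holds the same key, and that key may rewrite any name in the zone. The usual fix in Bind is one TSIG key per host plus an update-policy "self" rule, so a key named pc-alice.xrunhprof.corp. can only change the A record of pc-alice.xrunhprof.corp. and nothing else. The generator below is an added example, not the post's configuration: it reuses the post's zone name and zone file path, switches to hmac-sha256 (HMAC-MD5 is no longer recommended for TSIG), and produces the secrets itself from /dev/urandom instead of with dnssec-keygen or tsig-keygen so that it runs on a machine without Bind installed. The per-host .key files it writes are in the key-clause format that nsupdate -k accepts directly.

```shell
#!/bin/sh
# Added example, not from the original post: one TSIG key per client host and an
# update-policy that restricts each key to the record carrying its own name.
# Assumptions: zone name and zone file from the post; hmac-sha256 keys; secrets
# generated locally rather than with dnssec-keygen/tsig-keygen.
ZONE="xrunhprof.corp"
ZONEFILE="/var/cache/bind/db.xrunhprof"

# new_tsig_secret: 32 random bytes as a single line of base64 (a 256-bit HMAC key).
new_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# key_stanza HOST SECRET: a key clause whose name is the FQDN that HOST is
# allowed to update. The name is what the "self" rule below matches on.
key_stanza() {
    printf 'key "%s.%s." {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' \
        "$1" "$ZONE" "$2"
}

# zone_stanza: the master zone with update-policy instead of allow-update.
# "grant * self": any key may update only the name equal to its own key name,
# and only A records. The name field is ignored for the self rule type; the key
# name alone decides which record may change.
zone_stanza() {
    cat <<EOF
zone "$ZONE" {
    type master;
    file "$ZONEFILE";
    update-policy {
        grant * self $ZONE. A;
    };
};
EOF
}

# gen_config OUTDIR HOST...: writes OUTDIR/named.conf.local (all keys plus the
# zone) and one OUTDIR/HOST.key per host. Each HOST.key is to be copied to that
# host only; the server-side file is the only place all secrets exist together.
gen_config() {
    outdir=$1
    shift
    mkdir -p "$outdir"
    : > "$outdir/named.conf.local"
    for host in "$@"; do
        secret=$(new_tsig_secret)
        key_stanza "$host" "$secret" >> "$outdir/named.conf.local"
        key_stanza "$host" "$secret" > "$outdir/$host.key"
        chmod 600 "$outdir/$host.key"
    done
    zone_stanza >> "$outdir/named.conf.local"
}

# Example run (constructed hostnames): gen_config ./tsig-out pc-alice pc-bob
```

With this in place the client script on pc-alice signs with pc-alice.key and updates pc-alice.xrunhprof.corp.; an attempt by that same key to update pc-bob.xrunhprof.corp. is refused by the server, which is the behaviour the shared-key setup could not give.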