This is NOT a detailed step-by-step guide on how to do this; it’s just a rough sketch, mainly intended for my future self so that I can reference it if I ever need to set this up again. If you found this by searching Google or similar, there are more useful sites out there, and I’ll name a couple that I found useful at the bottom of this post.

So,  I have 2 network cards,  eth0 and eth1.  eth0 is on 192.168.1.x where my DSL router lives and eth1 is on 192.168.100.x and is for whatever I want to sit behind the router. I typically have my gateway’s eth0 at 192.168.1.1 and eth1 192.168.100.254.

You’ll need a TSIG key for the DHCP→DNS updates (it’s generated with dnssec-keygen, hence the name): run “dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpupdate” and you get 2 files; the secret is in the .key file, so use that wherever I talk about a secret key.

Install the required packages: bind, bind-chroot, bind-utils and dhcp

Here are the config files that I use, slightly censored.

ifcfg-eth0

 # Outside-facing interface, toward the DSL router on 192.168.1.x. Static address;
 # PEERDNS=no keeps the network scripts from rewriting /etc/resolv.conf, which
 # must keep pointing at the LAN-side BIND configured further down.
 DEVICE=eth0
 BOOTPROTO=static
 DHCPCLASS=
 # MAC is censored here; use the card's real address (or drop HWADDR entirely).
 HWADDR=00:11:11:11:11:10
 IPADDR=192.168.1.1
 NETMASK=255.255.255.0
 ONBOOT=yes
 PEERDNS=no

ifcfg-eth1

 # Inside interface for the 192.168.100.x LAN that dhcpd and BIND serve.
 # DNS1 points at this box itself (the BIND listen address in named.conf).
 DEVICE=eth1
 BOOTPROTO=static
 DHCPCLASS=
 # MAC is censored here; use the card's real address (or drop HWADDR entirely).
 HWADDR=00:03:33:33:33:93
 IPADDR=192.168.100.254
 NETMASK=255.255.255.0
 DNS1=192.168.100.254
 ONBOOT=yes
 PEERDNS=no

dhcpd.conf

# dhcpd.conf for the 192.168.100.0/24 LAN on eth1: hands out leases and pushes an
# A and a PTR record for each lease into the BIND zones below via TSIG-signed
# dynamic updates.
authoritative;
ddns-updates on;
# "interim" is the update style this was written against; newer ISC DHCP
# releases replaced it with "standard" — check dhcpd.conf(5) for your version.
ddns-update-style interim;
ddns-rev-domainname "in-addr.arpa.";
option domain-name "domain.local"; # insert your own desired domain instead of domain.local
option domain-name-servers 192.168.100.254; # Gateway's IP
#option ntp-servers us.pool.ntp.org;
# The server does the DNS updates itself rather than honouring a client's
# request (fqdn option) to update its own records.
ignore client-updates;
# Also register hosts that get a fixed-address (like ex1 below).
update-static-leases on;
# The name of the host declaration is used as the client's hostname.
use-host-decl-names on;
default-lease-time 43200;
max-lease-time 43200;
# TSIG key shared with named.conf: name, algorithm and secret must match on both
# sides. hmac-md5 matches the dnssec-keygen command above; newer dhcpd/BIND
# releases also accept hmac-sha256 if the key is generated with that algorithm.
# Whoever holds this secret can rewrite the zones listed below, so keep this
# file root-readable or move the key stanza into an include'd file with tight
# permissions.
key dhcpupdate {
  algorithm hmac-md5;
  secret <insert your secret key here>;
}
# Forward and reverse zones to update; "primary" is the BIND listen address.
zone domain.local. {
  primary 192.168.100.254;
  key dhcpupdate;
}
zone 100.168.192.in-addr.arpa. {
  primary 192.168.100.254;
  key dhcpupdate;
}
subnet 192.168.100.0 netmask 255.255.255.0
{
  option routers 192.168.100.254;
  option subnet-mask 255.255.255.0;
  range 192.168.100.200 192.168.100.250; # I usually only have a limited range for dhcp hosts.
  # Example in case you want to set a fixed address for some hosts, useful for example if you
  # have a laptop that you want to always have the same address without setting the IP manually every time.
  host ex1 { 
    hardware ethernet 00:08:00:A6:71:00;
    fixed-address 192.168.100.100;
  }
}

named.conf

// named.conf: authoritative for domain.local and its reverse zone, recursive
// (forwarding) resolver for the LAN only. Nothing listens on eth0's address.
options {
 // Loopback and the LAN address only — not 192.168.1.1, so the DSL side
 // cannot query this server.
 listen-on port 53 { 127.0.0.1; 192.168.100.254;};
 listen-on-v6 port 53 { ::1; };
 directory       "/var/named";
 dump-file       "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 allow-query     { localhost; 192.168.100.0/24; };
 // There is no secondary in this setup, so this could be tightened to { none; }.
 allow-transfer  { localhost; 192.168.100.254; };
 forwarders      { 8.8.8.8; 8.8.4.4; }; # The "real" DNS you want to talk to,  this is usually your ISP's DNS servers but here I use Google's DNS servers.
 forward only;
 recursion yes;
//## DNSSEC validation is disabled below. Note that validation protects this
 //## resolver and every LAN client behind it from forged answers coming back
 //## through the forwarders; it is unrelated to whether the server is reachable
 //## from the Internet, so leaving it off is a trade-off rather than a non-issue.
 //## (The DLV lookaside registry referenced here has since been retired; in
 //## current BIND validation only needs the root trust anchor.)
 //      dnssec-enable yes;
 //      dnssec-validation yes;
 //      dnssec-lookaside auto;
        /* Path to ISC DLV key */
 //      bindkeys-file "/etc/named.iscdlv.key";
 };
logging {
 channel default_debug {
 file "data/named.run";
 severity dynamic;
 };
 };
// Same TSIG key as in dhcpd.conf (name, algorithm and secret must match).
// Anyone holding the secret can update the zones below, so keep this file
// root-readable or put the key stanza in an include'd file with tight permissions.
key dhcpupdate {
 algorithm hmac-md5;
 secret "<insert your secret key here>";
 };
// allow-update with a key accepts any update signed with that key, regardless
// of source address; the zone files are rewritten by named as updates arrive
// (hence the SELinux boolean at the end of the post).
zone "domain.local" {
 type master;
 file "master/domain.local";
 allow-update { key dhcpupdate; };
 };
zone "100.168.192.in-addr.arpa" {
 type master;
 file "master/domain.local-rev";
 allow-update { key dhcpupdate; };
 };
// Stock localhost/loopback zones shipped with the bind package.
include "/etc/named.rfc1912.zones";

master/domain.local

$ORIGIN .
; Forward zone for domain.local. named rewrites this file (and keeps a .jnl
; journal next to it) as dhcpd sends updates, which is why it needs write
; access to the "master" directory. Hand edits should go through nsupdate, or
; be made after "rndc freeze", or they will be lost.
 $TTL 43200      ; 12 hours
 domain.local            IN SOA  mygateway.domain.local. root.domain.local. (
 2012040241 ; serial    (named bumps this itself on every dynamic update)
 900        ; refresh (15 minutes)
 900        ; retry (15 minutes)
 604800     ; expire (1 week)
 3600       ; minimum (1 hour)
 )
 NS      mygateway.domain.local.
 $ORIGIN domain.local.
; The gateway itself; everything else is added dynamically by dhcpd.
 mygateway              A       192.168.100.254

master/domain.local-rev

$ORIGIN .
; Reverse zone for 192.168.100.0/24. Like the forward zone, this file is
; rewritten by named as dynamic updates arrive; edit via nsupdate or after
; "rndc freeze".
 $TTL 43200      ; 12 hours
 100.168.192.in-addr.arpa IN SOA mygateway.domain.local. root.domain.local. (
 2012040238 ; serial    (named bumps this itself on every dynamic update)
 900        ; refresh (15 minutes)
 900        ; retry (15 minutes)
 604800     ; expire (1 week)
 3600       ; minimum (1 hour)
 )
 NS      mygateway.domain.local.
 $ORIGIN 100.168.192.in-addr.arpa.
 $TTL 43200      ; 12 hours
; PTR for the gateway (192.168.100.254); the rest is added dynamically.
 254                     PTR     mygateway.domain.local.

/etc/dhcp/dhclient-enter-hooks (To prevent dhclient from updating resolv.conf)

#!/bin/sh
# Sourced by dhclient-script before it acts on a lease. dhclient-script calls
# make_resolv_conf to rewrite /etc/resolv.conf; redefining it as a no-op here
# keeps the gateway pointed at its own BIND instead of whatever the DSL side
# hands out.
make_resolv_conf() {
    return 0
}

/etc/resolv.conf

# The gateway resolves through its own BIND (LAN listen address). PEERDNS=no in
# the ifcfg files and the dhclient hook above keep this file from being
# overwritten.
nameserver 192.168.100.254
 search domain.local

iptables

# Generated by iptables-save v1.4.7 on Sat Jun 23 01:38:35 2012
# nat table: everything leaving via eth0 (toward the DSL router) is masqueraded
# behind eth0's address, so the 192.168.100.x hosts are hidden from that side.
 *nat
 :PREROUTING ACCEPT [209:23979]
 :POSTROUTING ACCEPT [26:2950]
 :OUTPUT ACCEPT [89:8677]
 -A POSTROUTING -o eth0 -j MASQUERADE
 COMMIT
 # Completed on Sat Jun 23 01:38:35 2012
 # Generated by iptables-save v1.4.7 on Sat Jun 23 01:38:35 2012
# filter table. NOTE: all three chain policies are ACCEPT, so every rule below
# only accepts traffic that would have been accepted anyway — nothing here drops
# anything. To actually enforce "LAN may initiate, outside may only reply" the
# policies need to be DROP (":INPUT DROP [0:0]", ":FORWARD DROP [0:0]"), at
# which point the RELATED,ESTABLISHED, lo and icmp rules below do the work.
 *filter
 :INPUT ACCEPT [23:4055]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [1201:165556]
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 # You would need to add some custom port rules here but I just allow everything from those two networks
 # This is a very BAD idea if this is a DMZ gateway where you DO NOT want to allow everything on eth0
 -A INPUT -s 192.168.1.0/24 -j ACCEPT
 -A INPUT -s 192.168.100.0/24 -j ACCEPT
# With the ACCEPT policy this pair is a no-op: new connections from eth0 into
# the LAN are accepted by the policy, not blocked by the first rule. It only
# becomes a restriction once FORWARD's policy is DROP.
 -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i eth1 -o eth0 -j ACCEPT
 COMMIT
 # Completed on Sat Jun 23 01:38:35 2012

iptables-config

# Remember to set those two to yes.  Leave the rest as they are unless you need something specific.
# With both set, the init script dumps the live ruleset back into the iptables
# file above on stop/restart, so change rules with the iptables command (or edit
# the file and then restart); edits made to the file while the service is
# running get overwritten.
IPTABLES_SAVE_ON_STOP="yes"
 IPTABLES_SAVE_ON_RESTART="yes"

Make sure “net.ipv4.ip_forward = 1” is in /etc/sysctl.conf

And if you’re using SELinux then run this

# Dynamic updates make named rewrite the zone files under /var/named/master,
# which SELinux blocks by default; -P makes the boolean survive a reboot.
setsebool -P named_write_master_zones 1

That’s all I can remember having changed. Reboot and see if everything works. If you run into problems then look at the log files and google the error… also remember to check whether SELinux is causing problems.

Sites I found useful while configuring my gateway.

http://www.semicomplete.com/articles/dynamic-dns-with-dhcp/

http://lani78.wordpress.com/2008/08/12/dhcp-server-update-dns-records/

http://www.debianadmin.com/howto-setup-dhcp-server-and-dynamic-dns-with-bind-in-debian.html

http://spin.atomicobject.com/2012/04/03/setting-up-bind9-and-dhcp3-on-ubuntu-with-dynamic-dns/

http://www.linuxquestions.org/questions/linux-server-73/dynamic-dhcp-update-to-dns-921318/

http://agix.com.au/blog/?p=2284

http://www.cyberciti.biz/faq/dhclient-etcresolvconf-hooks/
