DNS and DHCP


scienzia (Programmer), Feb 21, 2002
Hi,

I manage a LAN with Windows clients and a Linux box that is the gateway to the internet, the firewall and the DHCP server, and that runs named.
I would like to update my DNS inside my LAN from dhcpd.
I saw some examples about this, but they all talk about a domain name (usually "example.com"...). I don't have a domain in my LAN; what should I put instead of "example.com"?

Would this DNS updating make my LAN faster?

Thanks in advance
 
If you tell your named that the specific domain "marypoppins" is to be answered for your internal network IPs only, then you can potentially use that for internal DNS.

Yes, I'm aware of Dynamic DNS tools to complement DHCP environments... never used one.

 
Domain Name System (or Service, or Server): an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they're easier to remember. It has nothing to do with DHCP, or with making your LAN faster. DHCP assigns IP addresses dynamically for your LAN.

The named program maintains a list of domain names and the corresponding IP addresses all over the world. You have to have a domain. There are many root servers all over the world with this info, which is propagated throughout the ISPs and name servers.
 
You have to have a domain.

Not true. You can set up named to respond to requests for entirely fictional domains, illegal top-level domains (i.e. .xyz), etc.

You dare not expose the responses to a public network, but it is entirely legal to configure your named to respond only to private network IPs with a fictional DNS structure.

Whether this is the best way to solve this issue is another question.

DNS is also linked to DHCP in this issue's context, although the question is more linked to the traditional use of WINS instead of pure DNS as we traditionally think of it.

 
By "making the LAN faster" I meant that when someone tries to find a PC on the LAN, it immediately finds its IP, so the network might look faster; I'm not talking about bandwidth.

My domain shouldn't be visible outside my LAN; I don't own a domain.
I'm doing this only for internal purposes.

These are my config files:

Code:
# dhcpd.conf
# DHCPDARGS=eth1 is not a dhcpd.conf directive (it belongs in
# /etc/sysconfig/dhcpd, where the init script reads it) and would
# only make dhcpd refuse to parse this file, so it is left out.
server-identifier firewall.mmm;
authoritative;

ddns-update-style interim;
ddns-updates on;

# Name, algorithm and secret must match the key block in named.conf
# exactly. The secret has to be base64: "aaa" is not a valid base64
# string (not padded to a multiple of four characters), so generate
# a real one and paste the same value into both files.
key "DHCP_UPDATER" {
	algorithm HMAC-MD5.SIG-ALG.REG.INT;
	secret "aaa";
};

default-lease-time 600;
max-lease-time 7200;

option subnet-mask 255.255.255.0;
option routers 192.168.0.254;
# A second domain-name-servers statement does not add a server, it
# replaces the first. Only the internal named knows the "mmm" zone
# (it recurses to the root servers for everything else), so hand the
# clients that server alone; an external resolver in the list would
# let clients bypass the internal zone.
option domain-name-servers 192.168.0.254;
# dhcpd appends this to the client's hostname to build the FQDN it
# registers; without a domain-name (or ddns-domainname) there is no
# FQDN and no update is sent.
option domain-name "mmm";

zone mmm. {
	primary 192.168.0.254;
	key "DHCP_UPDATER";
}

zone 0.168.192.in-addr.arpa. {
	primary 192.168.0.254;
	key "DHCP_UPDATER";
}

subnet 192.168.0.0 netmask 255.255.255.0 {
	range 192.168.0.100 192.168.0.199;
}
Code:
// named.conf
// generated by named-bootconf.pl
acl "home" { 192.168.0.0/24; 127.0.0.1; };

// Same name, algorithm and base64 secret as the key block in dhcpd.conf.
key "DHCP_UPDATER" {
	algorithm HMAC-MD5.SIG-ALG.REG.INT;
	secret "aaa";
};

options {
	// named must be able to write here: a dynamically updated zone
	// keeps a .jnl journal next to its zone file.
	directory "/var/named";
	allow-query { "home"; };
	allow-recursion { "home"; };
	// These zones are never served outside the LAN, so nobody
	// needs zone transfers.
	allow-transfer { none; };
};

controls {
	// The control channel listens on 127.0.0.1 only, so the
	// 192.168.0.254 entry in allow is never matched. Reusing the
	// DHCP update key here means anyone holding that key can drive
	// rndc as well; a separate rndc key is the safer choice.
	inet 127.0.0.1 port 953
		allow { 127.0.0.1; 192.168.0.254; } keys { "DHCP_UPDATER"; };
};

zone "mmm" {
	type master;
	notify no;
	file "mmm";
	allow-update { key "DHCP_UPDATER"; };
};

zone "0.168.192.in-addr.arpa" {
	type master;
	file "named.lan";
	notify no;
	allow-update { key "DHCP_UPDATER"; };
};

zone "0.0.127.in-addr.arpa" {
	type master;
	file "named.local";
	notify no;
};

zone "." IN {
	type hint;
	file "named.ca";
};

Are these ok?

Thanks in advance.
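The two files above have to agree on several things before any update goes through: the key name, algorithm and secret must be identical in both, the secret must be valid base64, every zone dhcpd tries to update must carry an allow-update for that key in named.conf, dhcpd needs a domain-name (or ddns-domainname) to build a FQDN from, a repeated domain-name-servers option silently overrides the earlier one, and DHCPDARGS does not belong in dhcpd.conf at all. The following checker is an added example written for this page; it is not from the thread, from ISC dhcpd or from BIND. It is regex-based and assumes configs of the simple shape posted above (it is not a full parser for either format), and it runs on a constructed, shortened copy of the two configs with their problems left in (the reverse zone in the named.conf sample deliberately has no allow-update):

```python
"""Added example: cross-check a dhcpd.conf / named.conf pair for DDNS mismatches.
Regex based; assumes configs shaped like the ones in the thread, not a full parser."""
import base64
import re

# Constructed, shortened copy of the dhcpd.conf from the post, problems left in.
DHCPD_CONF = """
DHCPDARGS=eth1;
ddns-update-style interim;
ddns-updates on;
key "DHCP_UPDATER" { algorithm HMAC-MD5.SIG-ALG.REG.INT; secret "aaa"; };
option domain-name-servers 192.168.0.254;
option domain-name-servers 212.216.112.112;
zone mmm. { primary 192.168.0.254; key "DHCP_UPDATER"; }
zone 0.168.192.in-addr.arpa. { primary 192.168.0.254; key "DHCP_UPDATER"; }
subnet 192.168.0.0 netmask 255.255.255.0 { range 192.168.0.100 192.168.0.199; }
"""

# Constructed, shortened named.conf; the reverse zone lacks allow-update on purpose.
NAMED_CONF = """
acl "home" { 192.168.0.0/24; 127.0.0.1; };
key "DHCP_UPDATER" { algorithm hmac-md5; secret "aaa"; };   // alias of the name above
options { directory "/var/named"; allow-query { "home"; }; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "DHCP_UPDATER"; }; };
zone "mmm" { type master; file "mmm"; allow-update { key "DHCP_UPDATER"; }; };
zone "0.168.192.in-addr.arpa" { type master; file "named.lan"; };
zone "." IN { type hint; file "named.ca"; };
"""

ALG_ALIASES = {"hmac-md5.sig-alg.reg.int": "hmac-md5"}  # BIND treats these as one algorithm


def strip_comments(text):
    return re.sub(r"(#|//).*", "", text)  # both files allow # and // line comments


def canon_alg(alg):
    alg = alg.lower().rstrip(".")
    return ALG_ALIASES.get(alg, alg)


def valid_base64(secret):
    # TSIG secrets are base64; "aaa" fails because it is not padded to 4 characters.
    try:
        base64.b64decode(secret, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return len(secret) > 0 and len(secret) % 4 == 0


def blocks(text, keyword):
    """[(name, body)] for each `keyword [name] { ... }`, matching nested braces."""
    found = []
    for m in re.finditer(r'\b%s\s+"?([^"\s{]*)"?\s*\{' % keyword, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        found.append((m.group(1).rstrip(".").lower(), text[m.end():i - 1]))
    return found


def keys(text):
    """key name -> (canonical algorithm, secret) from every key {} block."""
    out = {}
    for name, body in blocks(text, "key"):
        alg = re.search(r"algorithm\s+([^;\s]+)\s*;", body)
        sec = re.search(r'secret\s+"([^"]*)"\s*;', body)
        out[name] = (canon_alg(alg.group(1)) if alg else None, sec.group(1) if sec else None)
    return out


def key_refs(body):  # key names written as `key NAME;` in a zone or allow-update body
    return {k.lower() for k in re.findall(r'\bkey\s+"?([^";\s]+)"?\s*;', body)}


def lint(dhcpd_text, named_text):
    """Return findings as 'CODE: message' strings; an empty list means the pair agrees."""
    d, n = strip_comments(dhcpd_text), strip_comments(named_text)
    f = []
    if re.search(r"^\s*DHCPDARGS", d, re.M):
        f.append("DHCPDARGS: not a dhcpd.conf directive, it belongs in /etc/sysconfig/dhcpd")
    if not re.search(r'(option\s+domain-name|ddns-domainname)\s+"', d):
        f.append("NO-DOMAIN: no domain-name/ddns-domainname, so dhcpd has no FQDN to register")
    if len(re.findall(r"option\s+domain-name-servers\b", d)) > 1:
        f.append("DNS-DUP: option domain-name-servers repeated; only the last one takes effect")
    dk, nk = keys(d), keys(n)
    for name, (alg, sec) in dk.items():
        if name not in nk:
            f.append(f"KEY-MISSING: key {name} is not defined in named.conf")
            continue
        if alg != nk[name][0]:
            f.append(f"KEY-ALG: algorithm for {name} differs between the two files")
        if sec != nk[name][1]:
            f.append(f"KEY-SECRET: secret for {name} differs between the two files")
        if not valid_base64(sec or ""):
            f.append(f"KEY-BASE64: secret for {name} is not valid base64")
    allowed = {name: key_refs("".join(re.findall(r"allow-update\s*\{([^}]*)\}", body)))
               for name, body in blocks(n, "zone")}
    for zone, body in blocks(d, "zone"):
        for k in key_refs(body) - allowed.get(zone, set()):
            f.append(f"ZONE-UPDATE: named.conf zone {zone} has no allow-update for key {k}")
    for names in re.findall(r"controls\s*\{.*?keys\s*\{([^}]*)\}", n, re.S):
        for k in re.findall(r'"?([^";\s]+)"?\s*;', names):
            if k.lower() in dk:
                f.append(f"KEY-REUSE: DDNS key {k} also authorises rndc via controls")
    return f


if __name__ == "__main__":
    for finding in lint(DHCPD_CONF, NAMED_CONF):
        print(finding)
```

Run as a script it lists one finding per problem in the sample pair; an empty result means the two files agree on the points checked. It does not verify that named can write its journal into the zone directory or that the TSIG signature verifies on the wire; for that, an update sent with nsupdate -k using the same key file against the running server is the definitive test.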
 
Yecchh. I hate the 'secure DNS' crypto stuff. Slower and unwieldy.
Just keep up to date and allow queries that allow AXFR and recursive querying to trusted hosts. Then lock TCP transfers via iptables to these same hosts. You are safe if you keep updated and have a clue.

 
I already configured iptables properly so that there is no entrance from outside.
I am working to make my LAN faster, and it would be nice to let my DHCP server resolve LAN PC names (and it doesn't work with those scripts...).

"I hate the 'secure DNS' crypto stuff."

you mean the keys, right?

Do you think there is something else wrong or to be added in the config files?
 
Your DHCP server has to support dynamic updates as well.
Using the ISC dhcpd, the line:
Code:
ddns-update-style ad-hoc;
does the trick for my home network, but for some (Win32) clients the parameters need to be tuned or completely altered (FreeBSD).

My complaints were about the BIND 9.x security features, which complicate things in a way that should not be necessary IMO, except for large public facilities (ISPs, etc.) where I can see the benefit.
 