StefanoLaguardia.eu

[Linux server] How to update DNS entries from DHCP to BIND9

After talking about this topic with a friend last week, I decided to start running a local DNS server in my home network. The goals of the server are: first, to have my own local domain and, second, to use it as a DNS cache. This way I can reach my local servers/devices using their assigned names in the domain, and I have a local cache that very quickly resolves the names of the sites I use most often. Of course I have a local GNU/Linux server that will be used for this, and I used BIND9 to set up the DNS server.

The Web is full of articles on how to set up BIND9 on different GNU/Linux distributions, so I will not cover this topic at all. What, on the contrary, I found a little more complicated to do (not too much to be honest, but still worth talking about) is how to have a DHCP server running on different hardware update the DNS entries every time a new device asks for an IP. In my network the DHCP server runs on a PfSense firewall that is of course installed on dedicated hardware. I will then cover the configuration of both PfSense, to forward updates to BIND9, and the DNS server, to accept the updates. Let's jump straight to the configuration part.

We will start preparing the configuration on BIND9. So, connect to the GNU/Linux server CLI and run the following command:

# rndc-confgen -a

This will create a key file in the directory /etc/bind/ that you have to use to validate updates coming from the DHCP server. The file created (rndc.key) is a simple text file like the following:

key "rndc-key" {
algorithm hmac-md5;
secret "This_Is_Your_Secret";
};

By default the secret is already filled in with a random base64 value. After that, just change the owner, group and permissions of the rndc.key file:

# chown root:bind /etc/bind/rndc.key
# chmod 640 /etc/bind/rndc.key

It's now time to modify the BIND9 files to allow updates from devices that use the key we just created. To do that, edit the file /etc/bind/named.conf.local and add the following line at the very beginning of it:

include "/etc/bind/rndc.key";

In the same file, go to the zone configurations and add the allow-update line (the fourth line below) to each zone you want to allow to be updated:

zone "YOURZONE.local" {
type master;
file "/etc/bind/forward.YOURZONE";
allow-update { <ip_of_your_DHCP_server>; key rndc-key; };
};

It is very important that you add the IP of the DHCP server, in my case and in this example PfSense, that will be allowed. Keep in mind that BIND evaluates allow-update as a match list: an update is accepted when it matches either entry, so the address entry on its own lets unsigned updates through from that IP, while the key entry accepts a correctly signed update from any address. On BIND9 we are ready. Let's restart it:

# service bind9 restart

We are now ready to jump to PfSense to finish the configuration. After you log in to the web interface, go to Services –> DHCP Server. In the DNS Server tab, add the IP of your BIND9 server as the first line. In the second and following rows you can add external servers or, if you have one, the IP of the secondary DNS server:

[Image: Configure PfSense DHCP Server]

Next, scroll down on the same page to the Dynamic DNS section and tick the option Enable registration of DHCP client names in DNS. This is where you add the details of your DNS zone as well as the key used to update BIND9. Of course it is fundamental that you add the name of the key you created (we called it rndc-key) as well as the full secret:

[Image: DNS update]

The last step is to save the options in PfSense. Now the dynamic update should work. Every time a new device asks the DHCP server for an IP, PfSense assigns it and informs BIND9 of the device name together with the newly assigned IP. We can double check that this is happening in the BIND9 logs:

named[5802]: client <your_PfSenseIP> #46591: updating zone '<your_zone.local>/IN': adding an RR at 'NewDevice.zeno.local' A
named[5802]: client <your_PfSenseIP> #46591: updating zone '<your_zone.local>/IN': adding an RR at 'NewDevice.zeno.local' TXT
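Since allow-update accepts anything that matches either the address or the key, it is worth watching these log lines for updates that do not come from the DHCP server or that touch a zone you did not open. The following is an added example (not part of the original post or of BIND) that parses the "updating zone" lines in the format shown above and flags the unexpected ones; the log lines, the 192.0.2.x addresses and the zone names are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample log in the format shown in the post.
# Addresses, zones and hostnames are placeholders, not real values.
SAMPLE_LOG = """\
named[5802]: client 192.0.2.1#46591: updating zone 'home.local/IN': adding an RR at 'NewDevice.home.local' A
named[5802]: client 192.0.2.1#46591: updating zone 'home.local/IN': adding an RR at 'NewDevice.home.local' TXT
named[5802]: client 192.0.2.1#46602: updating zone 'home.local/IN': deleting rrset at 'OldDevice.home.local' A
named[5802]: client 192.0.2.77#51000: updating zone 'home.local/IN': adding an RR at 'rogue.home.local' A
named[5802]: client 192.0.2.1#46610: updating zone 'other.local/IN': adding an RR at 'x.other.local' A
"""

# One regex for the "updating zone" message: client address and port,
# zone, the action text, the owner name and (optionally) the record type.
UPDATE_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[^#\s]+)#(?P<port>\d+): "
    r"updating zone '(?P<zone>[^/']+)/IN': "
    r"(?P<action>[^']+?) '(?P<name>[^']+)'(?: (?P<rtype>\S+))?"
)


def parse_updates(log_text):
    """Return one dict per dynamic-update line; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = UPDATE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def audit_updates(events, dhcp_server_ip, allowed_zones):
    """Flag updates from a client other than the DHCP server, or to a zone
    that was not opened for updates. Returns (alerts, updates per client)."""
    alerts = []
    per_client = Counter()
    for ev in events:
        per_client[ev["ip"]] += 1
        what = f"{ev['action']} {ev['name']} {ev['rtype'] or ''}".strip()
        if ev["ip"] != dhcp_server_ip:
            alerts.append(f"update from unexpected client {ev['ip']}: {what}")
        elif ev["zone"] not in allowed_zones:
            alerts.append(f"update to unexpected zone {ev['zone']} from {ev['ip']}: {what}")
    return alerts, per_client


if __name__ == "__main__":
    found, counts = audit_updates(parse_updates(SAMPLE_LOG), "192.0.2.1", {"home.local"})
    print("\n".join(found) or "no unexpected updates")
    print(dict(counts))
```

Point it at your own named log and replace the address and zone set with the DHCP server IP and the zones you listed in named.conf.local.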

Of course, from now on you can also reach the device above directly by its name instead of its IP.
