...
Note: SELinux has to be turned off for sipX. Disabling SELinux removes the Fedora security policy for every service on the host, not only for the named DNS server, so named loses its confinement. You should therefore run named in a chroot jail (we do this in a second step below) so that a compromised named process cannot reach the rest of the file system; see named(8) for chroot operation.
You should not use the domain name "example.com" for a real installation: it is a reserved example name (RFC 2606) that you cannot own, and it appears in this document only as a placeholder. Register a real domain name instead; many ISPs and DNS providers can help you set this up.
...
Make sure the host on which you plan to install the DHCP and DNS servers has a fixed IP address as well as a properly assigned host and domain name. In this example we use example.com as a placeholder for the domain name (replace every occurrence, in dhcpd.conf and named.conf alike, with your registered domain; the names must match in both files) and sipx for the hostname.
...
File: /etc/dhcpd.conf
Code Block |
---|
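authoritative;                       # This is the only DHCP server on this subnet
ddns-update-style interim;           # Dynamic DNS update method - see man dhcpd.conf
# ddns-update-style none;            # Use this instead of "interim" if you do NOT want dynamic DNS updates
#                                    # ("ad-hoc" is a deprecated update style, not a way to turn DDNS off)
ignore client-updates;               # Ignore the FQDN sent by clients; the server owns the DNS records
ddns-domainname "example.com.";      # Placeholder: use your registered domain. Must match the forward
                                     # zone below AND the zone defined in named.conf
ddns-rev-domainname "in-addr.arpa.";
key rndckey {                        # TSIG key used to sign the DNS updates sent to named
    # Generate your own secret (rndc-confgen -a does this for /etc/rndc.key); never copy the
    # secret printed in this document - anyone who can read it can rewrite your zones.
    # hmac-md5 is kept here only because the generated /etc/rndc.key uses it; if your BIND and
    # dhcpd versions support hmac-sha256, use that on BOTH sides instead.
    # Reusing the rndc control key also gives this DHCP server full rndc control over named;
    # a separate, update-only key is the safer choice when you can manage two keys.
    algorithm hmac-md5;
    secret "JIjUPfT2GZZ172o5IdcK1Q==";  # Must be identical to the secret in /etc/rndc.key
};
zone example.com. {                  # Forward zone to be updated - same name as in named.conf
    primary 127.0.0.1;               # named runs on this host, so the loopback address is fine here
    key rndckey;
}
zone 5.168.192.in-addr.arpa. {       # Reverse zone for 192.168.5.0/24
    primary 127.0.0.1;
    key rndckey;
}
subnet 192.168.5.0 netmask 255.255.255.0 {
    range 192.168.5.200 192.168.5.250;
    default-lease-time 21600;        # 6 hours
    max-lease-time 43200;            # 12 hours
    option routers 192.168.5.1;      # Default gateway
    option subnet-mask 255.255.255.0;
    option domain-name "example.com";          # Same placeholder as ddns-domainname above
    option domain-name-servers 192.168.5.145;  # Clients need the real address; the loopback address does not work here
    # option nis-domain "example.com";
    option time-offset -18000;       # Eastern Standard Time (UTC-5); adjust to your time zone
    option tftp-server-name "sipx.example.com";  # Required for the phones to pick up their profiles
    option ntp-servers 192.168.5.145;
    # option netbios-name-servers 192.168.5.145;
    # option netbios-node-type 8;    # Try WINS servers first, broadcast if necessary
    # Example for address reservations:
    # host xyz {
    #     ddns-hostname "host.example.com";   # Use for hosts that do not send a hostname
    #     hardware ethernet 12:34:56:78:AB:CD;
    #     fixed-address 192.168.5.x;
    # }
}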
|
...
File: Generated /etc/rndc.key file
Code Block |
---|
// Control-channel key generated by rndc-confgen -a (Fedora does this when named is installed).
// Do NOT reuse the secret shown in this document - generate your own; whoever holds this
// secret can control named through rndc and, with the dhcpd.conf above, rewrite the zones.
// Keep this file readable only by root and the named user.
key "rndckey" {
    // hmac-md5 is what the generator produced; prefer hmac-sha256 on both sides if your
    // BIND and dhcpd versions support it.
    algorithm hmac-md5;
    // Must be byte-identical to the secret in the "key rndckey" section of /etc/dhcpd.conf.
    secret "JIjUPfT2GZZ172o5IdcK1Q==";
};
...
Panel |
---|
controls { |
The following options section and two zone definitions were added manually:
Panel |
---|
options { |
Panel |
---|
zone "example.com" IN { |
Panel |
type master; |
Panel |
---|
zone "5.168.192.in-addr.arpa" { |
Panel |
type master; |
Optional: DNS Security
...
File: Additions to /etc/named.conf
Code Block |
---|
// prevent zone transfers:
// NOTE: named.conf allows only ONE options statement. Merge the allow-transfer line into
// the options { ... } block that already exists in this file (see the section added above);
// adding a second options block is a syntax error and named will refuse to start.
options {
// Nobody may AXFR/IXFR the zones. If you later run a secondary server, relax this to
// that server's address or, better, a TSIG key.
allow-transfer {none;};
};
// restrict access:
// Defining an acl does nothing by itself - it only takes effect where it is referenced,
// e.g. in allow-query / allow-recursion in the options block, or in allow-update of a zone.
// The zones dhcpd updates also need an allow-update that is restricted to the TSIG key
// (not shown here); do not allow updates by address alone.
acl "trusted-subnet" {192.168.5.0/24; };
...
Panel |
---|
; |
...
File: /etc/sysconfig/named
Code Block |
---|
# This line needs to be added
# NOTE(review): presumably lets named (re)write its zone and journal files for the
# dynamic updates coming from dhcpd - check what the named init script of your Fedora
# release does with this variable.
ENABLE_ZONE_WRITE=yes
# This line enables the chroot and was configured automatically when installing the chroot jail
# With ROOTDIR set, the configuration named actually reads is /var/named/chroot/etc/named.conf,
# and every path in it (directory, zone files, log files) is relative to the chroot.
ROOTDIR=/var/named/chroot
...
File: /etc/named.conf (or /var/named/chroot/etc/named.conf when named runs in the chroot jail)
Code Block |
---|
// Add the following section. named writes "dns-security.log" into its working
// directory (the "directory" option - inside the chroot when ROOTDIR is set), so
// that directory must be writable by the named user.
// named accepts only a single logging statement: if the file already contains one,
// put the channel and the three categories inside it instead of adding a second block.
logging {
    // Rotating log file: rolls over every time it exceeds 20 MB, keeping the
    // 5 most recent backups.
    channel security_log {
        file "dns-security.log" versions 5 size 20m;
        severity info;          // log messages of severity info and above
        print-time yes;         // timestamp every entry
        print-category yes;     // show which category (dnssec/update/security) it came from
        print-severity yes;
    };
    // Route DNSSEC, dynamic-update and access-control (security) events to that channel.
    category dnssec   { security_log; };
    category update   { security_log; };
    category security { security_log; };
};
...