Comment: Migrated to Confluence 5.3

...

File: /etc/dhcpd.conf

  authoritative;              # No other DHCP servers on this subnet
 ddns-update-style interim;  # Supported update method - see man dhcpd.conf
# ddns-update-style ad-hoc;  # Add this instead of "interim" if not using ddns
 ignore client-updates;      # Overwrite client configured FQHNs
 ddns-domainname "domain.com.";
# NOTE(review): the rest of this page serves "example.com" (option domain-name
# below, zone "example.com" in named.conf). "domain.com" here and in the zone
# statement below looks like a leftover; the ddns-domainname and the forward
# zone have to match the zone named accepts updates for, otherwise a named that
# does not serve that zone refuses the forward updates.
 ddns-rev-domainname "in-addr.arpa.";



# TSIG key dhcpd presents to named for dynamic updates. It is stored in clear
# text here, so keep /etc/dhcpd.conf readable only by root (and the account
# dhcpd runs as): anyone who can read it can rewrite both zones with signed
# updates. The same key is also the rndc control key (controls { ... keys
# { rndckey; }; } in named.conf), so a compromised DHCP server can drive rndc
# as well; a separate key used only for updates would be tighter.
 key rndckey {               # Key for DNS updates
    algorithm hmac-md5;      # weakest TSIG algorithm; prefer hmac-sha256 if both
                             # dhcpd and named support it - change it here and in
                             # /etc/rndc.key together, the two must match exactly
    secret "JIjUPfT2GZZ172o5IdcK1Q=="; # Same as used for bind - see /etc/rndc.key
                             # (published example value - generate a fresh one,
                             # never reuse this string)
 };

 zone domain.com. {          # Forward zone to be updated
    primary 127.0.0.1;       # send updates to the local named
    key rndckey;             # sign them with the key above
 }

 zone 5.168.192.in-addr.arpa. { # Backward zone to be updated
    primary 127.0.0.1;
    key rndckey;
 }

subnet 192.168.5.0 netmask 255.255.255.0 {

  range                         192.168.5.200 192.168.5.250;
  default-lease-time            21600;
  max-lease-time                43200;

  option routers                192.168.5.1;   # Default gateway
  option subnet-mask            255.255.255.0;
  option domain-name            "example.com";
  option domain-name-servers    192.168.5.145; # loopback address does not work here

#  option nis-domain            "example.com";

  option time-offset            -18000;        # Eastern Standard Time
  option tftp-server-name       "sipx.example.com";  # required for phones to pickup profiles

  option ntp-servers            192.168.5.145;
# option netbios-name-servers   192.168.5.145;
# option netbios-node-type      8; # try WINS servers first, broadcast if necessary

# Example for resource reservations:
#       host xyz {
#               ddns-hostname "host.example.com";  # use for hosts that do not send a hostname
#               hardware ethernet 12:34:56:78:AB:CD;
#               fixed-address 192.168.5.x;
#       }
}

...

File: Generated /etc/rndc.key file

  key "rndckey" {
        algorithm hmac-md5;              // weakest TSIG algorithm; hmac-sha256 is preferable
                                         // if both named and dhcpd support it
        secret "JIjUPfT2GZZ172o5IdcK1Q=="; // published example value - generate a fresh
                                         // secret and keep it identical in dhcpd.conf
 }; 
// This file is included by named.conf and carries the control/update secret:
// keep it readable only by root and the named user.

...


// rndc control channel: loopback only, and only for a client presenting rndckey.
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
// rndckey is also the key dhcpd uses for dynamic updates, so the DHCP host
// effectively holds the rndc control key as well; a second key used only for
// updates would limit what a compromised dhcpd could do.
include "/etc/rndc.key";

The following options section and two zone definitions were added manually:


// named.conf accepts only one options statement: any further option, such as
// the allow-transfer restriction added later on this page, has to be merged
// into this block rather than added as a second options { }.
options {
    directory "/var/named";                            // base for relative file names (zone files, log file)
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
};


zone "example.com" IN {


    type master;
    file "example.com.zone";            // relative to the options "directory"
    allow-update { key "rndckey"; };    // only updates signed with rndckey (i.e. from dhcpd) may change the zone
    notify yes;
};


zone "5.168.192.in-addr.arpa" {


    type master;
    file "192.168.5.zone";              // relative to the options "directory"
    allow-update { key "rndckey"; };    // only updates signed with rndckey (i.e. from dhcpd) may change the zone
    notify yes;
};

Optional: DNS Security

...

File: Additions to /etc/named.conf

  // prevent zone transfers:
 options {
    allow-transfer {none;};   // merge into the existing options { } block - named.conf
                              // accepts a single options statement, not a second one
 };

 // restrict access:
 acl "trusted-subnet" {192.168.5.0/24; }; 
 // NOTE(review): an acl only takes effect where it is referenced; none of the
 // snippets on this page use it yet (e.g. allow-query { trusted-subnet; }; or
 // allow-recursion { trusted-subnet; }; inside options).

...


;
; Reverse zone file for domain.com
; NOTE(review): this zone (5.168.192.in-addr.arpa) holds example.com hosts per the
; dhcpd.conf and named.conf on this page - "domain.com" looks like a leftover
;



$TTL 3D
@ IN SOA ns1.example.com. root.example.com. (
    200602132 ; serial# - increase on every hand edit; named bumps it itself on dynamic
              ; updates, so hand edits of a dynamic zone need rndc freeze / thaw around them
    3600 ; refresh, seconds
    3600 ; retry, seconds
    3600 ; expire, seconds - NOTE(review): a secondary discards the zone after only
         ; one hour of failed refreshes; the usual guidance is weeks, not hours
    3600 ) ; minimum TTL, seconds



NS ns1.example.com. ; Inet Address of nameserver
; NOTE(review): this line must start with whitespace so the owner is inherited
; from the SOA's @; printed at column 0 as here, "NS" would be read as an owner name
;
1 1      PTR localhost.          ; NOTE(review): 1 = 192.168.5.1, the router per dhcpd.conf,
                                 ; not localhost; the second "1" parses as a 1-second TTL
145 145  PTR sipx.example.com.   ; the second "145" likewise parses as the TTL - check intended



; Don't specify any reverse pointer records for addresses in the
; DHCP range. Dynamic updates will define those as necessary.

...

File: /etc/sysconfig/named


# This line needs to be added
# (dynamic updates need named to write zone and journal files inside the chroot;
#  this setting lets the init script make the zone directory writable - verify
#  against your distribution's init script)
 ENABLE_ZONE_WRITE=yes
# This line enables the chroot and was configured automatically when installing the chroot jail
# (named.conf paths such as /etc/rndc.key and the zone/log files then resolve under it)
 ROOTDIR=/var/named/chroot  

...

File: /etc/named.conf or /var/named/chroot/etc/named.conf


 // add the following section. A log file "dns-security.log" will be created
 // in the named directory
 logging {
    category dnssec   { security_log; };   // DNSSEC and TSIG processing (covers the signed updates)
    category update   { security_log; };   // dynamic updates, accepted and refused
    category security { security_log; };   // approval and denial of requests

    channel security_log {
        file "dns-security.log" versions 5 size 20m;   // relative to the options "directory"
            // every time the log grows over 20 Mbyte, it will
            // backup and rollover. Maximum 5 backups will be kept.
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
 };   

...