Configuration of DHCP and DNS Services on the sipXecs Host

The sipX system needs properly configured DHCP and DNS servers to operate. If such servers do not already exist in your network, you might want to run them on the same host as the sipx system. This page describes how to setup Linux DHCP and DNS servers on the sipX host that will provide the required services to your network. Note that only one DHCP server can be authoritative per LAN segment.

Adding a mail server required for voicemail notification by email is described on this page: Sendmail for Email Notification. Adding an NTP server for time synchronization is described on this page: NTP Server Configuration.

This page initially is intended for Red Hat / Fedora users. We might add info for other distros later.

Note: SELinux has to be turned off for sipX, which means that the Fedora security policy for the named DNS server is turned off as well. You therefore should run named in a chroot jail, which we will do in a second step. Refer to man named.

You should not use the domain name __"example.com"_ - you should register a real domain name; there are many ISPs and DNS providers that can help you with setting this up._

DHCP Server Configuration

Make sure the host on which you plan to install DHCP and DNS servers has a fixed IP address as well as a properly assigned host and domain name. In this example we use domain.com for the domain name and sipx for the hostname.

File: /etc/hosts

Pick a suitable private address range for your internal LAN (If you don't know what they are use 192.168.1.x and a netmask of 255.255.255.0).

Installing the DHCP Server

We need the ISC DHCP server version 3, which is the default on FC4:

Configuring the DHCP Server

We configure the DHCP server for dynamic updating with the DNS server. The DHCP server has the ability to dynamically update the Domain Name System. Within the configuration files, you can define how you want the Domain Name System to be updated. These updates are RFC 2136 compliant so any DNS server supporting RFC 2136 should be able to accept updates from the DHCP server. The advantage of this scheme is that if a new host is connected and obtains its IP address, its name is automatically inserted into the DNS system, For security reasons a key is required to communicate between the DHCP and DNS servers. Refer to "man dhcpd.conf" for more information.

File: /etc/dhcpd.conf

 authoritative;              # No other DHCP servers on this subnet
 ddns-update-style interim;  # Supported update method - see man dhcpd.conf
# ddns-update-style ad-hoc;  # Add this instead of "interim" if not using ddns
 ignore client-updates;      # Overwrite client configured FQHNs
 ddns-domainname "domain.com.";
 ddns-rev-domainname "in-addr.arpa.";



 key rndckey {               # Key for DNS updates
    algorithm hmac-md5;
    secret "JIjUPfT2GZZ172o5IdcK1Q=="; # Same as used for bind - see /etc/rndc.key
 };

 zone domain.com. {          # Forward zone to be updated
    primary 127.0.0.1;
    key rndckey;
 }

 zone 5.168.192.in-addr.arpa. { # Backward zone to be updated
    primary 127.0.0.1;
    key rndckey;
 }

subnet 192.168.5.0 netmask 255.255.255.0 {

  range                         192.168.5.200 192.168.5.250;
  default-lease-time            21600;
  max-lease-time                43200;

  option routers                192.168.5.1;   # Default gateway
  option subnet-mask            255.255.255.0;
  option domain-name            "example.com";
  option domain-name-servers    192.168.5.145; # loopback address does not work here

#  option nis-domain            "example.com";

  option time-offset            -18000;        # Eastern Standard Time
  option tftp-server-name       "sipx.example.com";  # required for phones to pickup profiles

  option ntp-servers            192.168.5.145;
# option netbios-name-servers   192.168.5.145;
# option netbios-node-type      8; # try WINS servers first, broadcast if necessary

# Example for resource reservations:
#       host xyz {
#               ddns-hostname "host.example.com";  # use for hosts that do not send a hostname
#               hardware ethernet 12:34:56:78:AB:CD;
#               fixed-address 192.168.5.x;
#       }
}

}}

Note: The key and the keyfile /etc/rndc.key is first generated with the rndc-confgen -a command (see DNS server configuration below). It needs to be manually copied into the /etc/dhcpd.conf file.

Note: For further information refer to man dhcpd.conf.

Starting the DHCP Server

Add to runlevels: chkconfig --levels 235 dhcpd on. The leases database is in the file /var/lib/dhcp/dhcpd.leases.

DNS Server Configuration

The Linux DNS Server is called bind or named; we need version 9. It should already be installed on your system, which can be verified using rpm -q bind.

The following files need to be configured:

• /etc/named.conf
• /var/named/example.com.zone
• /var/named/192.168.5.zone
• /etc/resolv.conf
• /etc/sysconfig/named

Generate Key required to exchange updates between DHCP and DNS

The tool rndc-confgen, using the -a option, can auto-generate the necessary keys as well as the configuration required by bind. It generates /etc/rndc.conf and /etc/rndc.key files. The key still needs to be manually inserted in the the DHCP configuration file /etc/dhcpd.conf.

File: Generated /etc/rndc.key file

 key "rndckey" {
        algorithm hmac-md5;
        secret "JIjUPfT2GZZ172o5IdcK1Q==";
 }; 

}}

The /etc/named.conf File

The following two sections were added automatically when running the rndc-confgen -a command:

The following options section and two zone definitions were added manually:

Optional: DNS Security

There are lots of options to secure access to the DNS resources on your LAN. The following provides some simple mechanisms.

File: Additions to /etc/named.conf

 // prevent zone transfers:
 options {
    allow-transfer {none;};
 };

 // restrict access:
 acl "trusted-subnet" {192.168.5.0/24; }; 

}}

The /var/named/example.com.zone File

Note: If a name (hostname or domainname) is followed by a period "." nothing is appended. If there is no period, the domain name of the current context is automatically appended.

The /var/named/192.168.5.zone File

Change Zone File Ownership

In order for the named server to be able to update the zone files as it receives dynamic update requests from the DHCP server, it has to have write permission for all the zone files. If you created your zone files as root, you have to change permissions as follows:

Enable named to write Zone Files

If SELinux is disabled (required for sipX), then allow named to write its zone files and create files in its $ROOTDIR/var/named directory; this is necessary for dynamic updates (DDNS) and slave zone transfers.

File: /etc/sysconfig/named

# This line needs to be added
 ENABLE_ZONE_WRITE=yes
# This line enables the chroot and was configured automatically when installing the chroot jail
 ROOTDIR=/var/named/chroot  

}}

The /etc/resolv.conf File

Starting the DNS Server

Add to runlevels: chkconfig --levels 235 named on.

Important: Editing the Zone files while dynamic updates are active
When dynamic update is enabled for a zone, the zone can no longer be manually edited as normal. Attempting to do so may work in some cases, but will usually result in a name server error.

The DNS server keeps a journal (.jnl) file of incoming updates. The file is not automatically syncronized with the zone file, but can be forced with the "rndc stop" command. Extreme care has to be exercised when manually updating a zone subject to dynamic updates.

When using BIND 9.3 the following can be used, which does not require that named be stopped:

Remember to increment the serial number in the zone file as you make changes.

Install the chroot Jail to run named in a Secure Environment

Note: The SELinux policy for bind under Fedora or Red Hat Linux is said to be more secure than running named in a chroot jail. Since sipX does not yet have an SELinux policy, we were able to turn it off and use a chroot jail instead as the next best solution.

The bind-chroot RPM installs the necessary directory tree in /var/named/chroot and copies all the necessary configuration files from your existing non-chroot installation. The old files in /etc and /var/named are automatically replaced with symbolic links to the new locations.

Make sure that going forward you edit the configuration files in the chroot jail:

• /etc/named.conf -> /var/named/chroot/etc/named.conf
• /etc/rndc.conf -> /var/named/chroot/etc/rndc.conf
• /etc/rndc.key -> /var/named/chroot/etc/rndc.key
  /var/named/ -> /var/named/chroot/var/named/*

Starting named now should start it in the chroot environment. This can be verified by issuing ps aux | grep named. The named daemon should have been started with the -u and -t command line options (refer to man named).

The root directory (default: /var/named/chroot) got configured in the file /etc/sysconfig/named also during the installation process of the named-chroot RPM.

Configuring DHCP Clients

For dynamic DNS updates to work, the DHCP client has to send its hostname to the DHCP server. Windows typically does this, but lots of linux clients need to be told. If you use dhclient, make sure you have the following line in your /etc/dhclient-eth0.conf file (Ubuntu: This file is in /etc/dhcp3/dhclient.conf. Debian Sarge: Look in /etc/dhclient.conf). If the file does not exist, create it (i.e FC4). Only enter the hostname and not the FQHN and don't forget the ";".

File: /etc/dhclient-eth0.conf

Troubleshooting DHCP

If your phones are unable to get an IP address inspite everything seems configured right, you can try the following. Using tcpdump on the machine on which the DHCP server runs, you can monitor the DHCP broadcast request and the answer from the server.

"-n" tells tcpdump to disable resolving addresses to names, and "-e" tells it to show the layer 2 headers. The port filters show any packets with a source or destination port of 67 and 68, which are the udp ports used for DHCP.

You can also run the DHCP server from the console instead of as a service. This way the DHCP server prints diagnostics and error messages to the console. The "-d" option produces more dubigging output.

Most often problems with DHCP relate to an incompatible Ethernet switch that is unable to auto-detect speed and mode (i.e. full duplex). If the link LEDs are all light, try replacing the switch.

Diagnostics

There are various ways how you can troubleshoot DHCP and DNS servers. All of the tools below have good man pages.

Check Configuration

named-checkzone

Logs

Syslog:

Turn on logging for the named daemon:

{{Box File| /etc/named.conf or /var/named/chroot/etc/named.conf|

 // add the following section. A log file "dns-security.log" will be created
 // in the named directory
 logging {
    category dnssec   { security_log; };
    category update   { security_log; };
    category security { security_log; };

    channel security_log {
        file "dns-security.log" versions 5 size 20m;
            // every time the log grows over 20 Mbyte, it will
            // backup and rollover. Maximum 5 backups will be kept.
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
 };   

Note: If logging is turned on as shown above all log messages will be in /var/named/chroot/var/named/dns-security.log and no longer in the syslog file.

Controlling named

The name server control utility rndc is used to control named while it is running. Please refer to man rndc for further details.

DNS Lookups

dig is a powerful utility to verify DNS settings. The option "AXFR" initiates a zone transfer that if allowed displays the currently active zone information for easy verification.

Other utilities include nslookup and host. Please refer to the respective man pages.

host