howtos:bind-dhcpd-apparmor

Last revision
howtos:bind-dhcpd-apparmor [02/12/2018 21:34] – created - external edit 127.0.0.1

This is an addition to [[bind-apparmor]] and will automatically update bind when dhcp leases have been given out.

First check apparmor; mine looks like this:

<file>
# Last Modified: Mon Oct  6 20:46:31 2008
#include <tunables/global>
/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/nis>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  /usr/sbin/named mr,
  /var/lib/named/dev/random r,
  /var/lib/named/etc/127.0.0 r,
  /var/lib/named/etc/bind/named.conf r,
  /var/lib/named/etc/bind/named.conf.local r,
  /var/lib/named/etc/bind/rndc.key r,
  /var/lib/named/etc/localhost r,
  /var/lib/named/etc/localtime r,
  /var/lib/named/etc/named.run a,
  /var/lib/named/etc/root.hints r,
  # zone files plus the .jnl journals that named creates when it accepts dynamic updates
  /var/lib/named/etc/sites/domingo.dk/** rw,
  /var/lib/named/etc/named.run rw,
  /var/lib/named/var/run/named.pid w,
}
</file>
It can be a real pain in the b*d, but every time you make changes to your bind configuration (adding files and such), apparmor will block read/write access and prevent bind from working. Fortunately apparmor logs what it has blocked, so you can update your profile and reload it.

Next, generate a shared secret (a TSIG key) for communication between dhcpd and bind:
<code>
sudo dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
</code>

Grab the key from the file:
<code>
sudo cat Kdhcp_updater.*.private | grep Key
</code>

The output will be something like this:
<code>
Key: 9B7OkWhzwA+QZMenKqChVw==
</code>

Now edit /etc/bind/named.conf.local, insert the key, and allow dhcp to update the zones:

<file>
key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;

    # Important: Replace this key with your generated key.
    # Also note that the key should be surrounded by quotes.
    secret "9B7OkWhzwA+QZMenKqChVw==";
};

zone "domingo.dk" IN {
    type master;
    file "sites/domingo.dk/forward.zone";
    allow-transfer { 127.0.0.1; };
    allow-update { key DHCP_UPDATER; };    # This gives dhcp the update capabilities on the zone
    allow-query { any; };
    zone-statistics yes;
    notify no;
    also-notify {  };
};

zone "1.16.172.in-addr.arpa" {
    type master;
    file "sites/domingo.dk/reverse.zone";
    allow-transfer { 127.0.0.1; };
    allow-update { key DHCP_UPDATER; };    # This gives dhcp the update capabilities on the reverse zone
    allow-query { any; };
    zone-statistics yes;
    notify no;
    also-notify {  };
};

</file>

Open the dhcp server config file:
<code>
sudo nano /etc/dhcp3/dhcpd.conf
</code>

<file>
ddns-update-style interim;
ignore client-updates;      # The server performs the forward DNS update itself and ignores clients asking to do their own
ddns-domainname "domingo.dk.";
ddns-rev-domainname "in-addr.arpa.";

one-lease-per-client false;
allow bootp;
option T150 code 150 = string;

default-lease-time 600;
max-lease-time 7200;

log-facility local7;

key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;

    # Important: Replace this key with your generated key.
    # Also note that the key should be surrounded by quotes.
    secret "9B7OkWhzwA+QZMenKqChVw==";
};

zone domingo.dk. {
  primary 127.0.0.1;
  key DHCP_UPDATER;
}

zone 1.16.172.in-addr.arpa. {
  primary 127.0.0.1;
  key DHCP_UPDATER;
}

subnet 172.16.1.0 netmask 255.255.255.0 {
    interface eth0;
    range 172.16.1.100 172.16.1.200;
    default-lease-time 6000;
    max-lease-time 7200;
    option domain-name "domingo.dk";
    option subnet-mask 255.255.255.0;
    option routers 172.16.1.1;
    option domain-name-servers 172.16.1.1, 193.162.153.164, 194.239.134.83;
    option time-offset -3600;
    option ntp-servers dk.pool.ntp.org;
}
</file>
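Before bouncing the services it pays to check that the two files agree: a key name, algorithm or secret that differs between named.conf.local and dhcpd.conf is the usual reason named rejects the update as a TSIG verify failure, and a zone name that differs (dhcpd wants the trailing dot) sends the update to a zone named does not serve. The following Python script is an added example, not code from the original howto. It generates a secret of the same shape as the dnssec-keygen command above (16 random bytes, base64 encoded) and checks the key stanzas and zone/allow-update pairs of two config texts against each other; the embedded configs are constructed from the fragments in this howto with a run-time secret, not real deployment data. Newer BIND releases generate TSIG keys with tsig-keygen rather than dnssec-keygen, and HMAC-SHA256 is the algorithm recommended today; the check itself does not care which algorithm is used as long as both sides name the same one.

```python
import base64
import re
import secrets

# Added example, not part of the original howto: generate a TSIG secret of the
# same shape as `dnssec-keygen -a HMAC-MD5 -b 128` (16 random bytes, base64)
# and check that named.conf.local and dhcpd.conf agree on key name, algorithm,
# secret and the zones the key may update.

KEY_RE = re.compile(r'key\s+"?([\w.-]+)"?\s*\{(.*?)\};', re.S)
ALG_RE = re.compile(r'algorithm\s+([\w.-]+)\s*;')
SECRET_RE = re.compile(r'secret\s+"([^"]+)"\s*;')
NAMED_ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{')
ALLOW_UPDATE_RE = re.compile(r'allow-update\s*\{\s*key\s+([\w.-]+)\s*;')
DHCPD_ZONE_RE = re.compile(r'zone\s+([\w.-]+)\s*\{([^}]*)\}')

def generate_tsig_secret(bits=128):
    """Base64 secret with `bits` of entropy (128 bits -> 24 characters)."""
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode()

def parse_keys(conf):
    """Map key name -> (algorithm, secret) for every key {} stanza in conf."""
    keys = {}
    for name, body in KEY_RE.findall(conf):
        alg, sec = ALG_RE.search(body), SECRET_RE.search(body)
        if alg and sec:
            keys[name] = (alg.group(1).lower(), sec.group(1))
    return keys

def named_update_keys(conf):
    """Map zone (with trailing dot) -> key named accepts in allow-update, or None."""
    zones = {}
    starts = [(m.start(), m.group(1)) for m in NAMED_ZONE_RE.finditer(conf)]
    for i, (pos, zone) in enumerate(starts):
        end = starts[i + 1][0] if i + 1 < len(starts) else len(conf)
        m = ALLOW_UPDATE_RE.search(conf, pos, end)   # only look inside this zone stanza
        zones[zone.rstrip(".") + "."] = m.group(1) if m else None
    return zones

def dhcpd_zone_keys(conf):
    """Map zone (with trailing dot) -> key dhcpd signs its updates with, or None."""
    zones = {}
    for zone, body in DHCPD_ZONE_RE.findall(conf):
        m = re.search(r'key\s+([\w.-]+)\s*;', body)
        zones[zone.rstrip(".") + "."] = m.group(1) if m else None
    return zones

def check_ddns_config(named_conf, dhcpd_conf):
    """Return a list of problems; an empty list means the two configs agree."""
    problems = []
    named_keys, dhcpd_keys = parse_keys(named_conf), parse_keys(dhcpd_conf)
    for name, (alg, sec) in dhcpd_keys.items():
        if name not in named_keys:
            problems.append(f"key {name}: defined in dhcpd.conf but not in named.conf.local")
            continue
        n_alg, n_sec = named_keys[name]
        # BIND accepts both "hmac-md5" and "hmac-md5.sig-alg.reg.int"; compare the base name.
        if n_alg.split(".")[0] != alg.split(".")[0]:
            problems.append(f"key {name}: algorithm differs ({n_alg} vs {alg})")
        if n_sec != sec:
            problems.append(f"key {name}: secret differs between named and dhcpd")
    named_zones = named_update_keys(named_conf)
    for zone, key in dhcpd_zone_keys(dhcpd_conf).items():
        if zone not in named_zones:
            problems.append(f"zone {zone}: dhcpd updates it but named has no such zone")
        elif named_zones[zone] != key:
            problems.append(f"zone {zone}: named allows key {named_zones[zone]}, dhcpd uses {key}")
    return problems

# Constructed sample configs, trimmed from the fragments in this howto; the
# secret is generated at run time and is not a real deployment key.
SAMPLE_SECRET = generate_tsig_secret()
NAMED_CONF = f'''
key DHCP_UPDATER {{
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "{SAMPLE_SECRET}";
}};
zone "domingo.dk" IN {{
    type master;
    file "sites/domingo.dk/forward.zone";
    allow-transfer {{ 127.0.0.1; }};
    allow-update {{ key DHCP_UPDATER; }};
}};
'''
DHCPD_CONF = f'''
key DHCP_UPDATER {{
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "{SAMPLE_SECRET}";
}};
zone domingo.dk. {{
    primary 127.0.0.1;
    key DHCP_UPDATER;
}}
'''
# A dhcpd.conf whose operator pasted a different secret than named has.
DHCPD_CONF_BAD = DHCPD_CONF.replace(SAMPLE_SECRET, generate_tsig_secret())
```

Run `check_ddns_config` on the real files (read them as text) before restarting; the matching pair above yields an empty list, while `DHCPD_CONF_BAD` yields one complaint about the secret. The comparison is deliberately textual and does not try to fully parse either format, so it catches the copy-and-paste mistakes this howto is about rather than every possible syntax error.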

Now bounce the bind and dhcp services:
<code>
sudo /etc/init.d/bind9 restart
sudo /etc/init.d/dhcp3-server restart
</code>

Now, whenever a new lease is handed out, the DNS records should be updated accordingly.

If you grind to a halt somewhere in the process, a good place to look is the syslog:
<code>
tail -f /var/log/syslog
</code>
I don't know why, but I constantly end up being blocked by apparmor. So start by looking for apparmor errors in the syslog when you run into trouble.
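The apparmor lines in syslog already name the profile, the path and the access that was refused, so the missing profile rule can be derived from them rather than guessed. The following Python script is an added example and not part of the original howto: it picks the AppArmor denials for named out of syslog text and turns them into candidate profile rules, merging several denials on the same path into one line. It assumes the kernel's key="value" audit format; current kernels tag denials with `apparmor="DENIED"`, while the 2008-era kernels this howto was written on used `type=1503` lines with the same fields, and both are accepted. The sample log lines are constructed, not captured from a real host.

```python
import re
from collections import defaultdict

# Added example, not part of the original howto: turn AppArmor denials for
# named into candidate profile rules so the gap can be reviewed before the
# profile is edited and reloaded. Assumes the key="value" audit line format
# (apparmor="DENIED" on current kernels, type=1503 on the 2008-era ones).

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# denied_mask letters -> permission letters used in profile rules
# (c = create and d = delete both need write access).
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "m": "m", "l": "l", "x": "ix"}

def parse_denial(line):
    """Return the key=value fields of an AppArmor denial line, or None."""
    if 'apparmor="DENIED"' not in line and "type=1503" not in line:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def render_perms(perms):
    """Order permission letters the way profiles write them; 'w' already implies 'a'."""
    if "w" in perms:
        perms = perms - {"a"}
    letters = [p for p in "rwakml" if p in perms]
    if "ix" in perms:
        letters.append("ix")
    return "".join(letters)

def rules_from_log(lines, profile_filter=None):
    """Map profile -> de-duplicated candidate rules, merging masks per path."""
    caps = defaultdict(list)      # profile -> [capability names]
    files = defaultdict(dict)     # profile -> {path: set of permission letters}
    for line in lines:
        f = parse_denial(line)
        if not f:
            continue
        profile = f.get("profile", "?")
        if profile_filter and profile != profile_filter:
            continue
        if f.get("operation") == "capable" and "capname" in f:
            if f["capname"] not in caps[profile]:
                caps[profile].append(f["capname"])
        elif "name" in f and "denied_mask" in f:
            files[profile].setdefault(f["name"], set()).update(
                MASK_TO_PERM[c] for c in f["denied_mask"] if c in MASK_TO_PERM)
    out = {}
    for profile in list(caps) + [p for p in files if p not in caps]:
        rules = [f"capability {c}," for c in caps[profile]]
        rules += [f"{path} {render_perms(p)}," for path, p in files[profile].items()]
        out[profile] = rules
    return out

# Constructed syslog lines in the format described above; not captured from a real host.
SAMPLE_SYSLOG = [
    'Feb 12 21:34:01 ns kernel: [  812.401] audit: type=1400 audit(1518471241.100:31): '
    'apparmor="DENIED" operation="open" profile="/usr/sbin/named" '
    'name="/var/lib/named/etc/sites/domingo.dk/forward.zone.jnl" pid=1234 comm="named" '
    'requested_mask="wc" denied_mask="wc" fsuid=104 ouid=104',
    'Feb 12 21:34:01 ns kernel: [  812.402] audit: type=1400 audit(1518471241.101:32): '
    'apparmor="DENIED" operation="open" profile="/usr/sbin/named" '
    'name="/var/lib/named/etc/sites/domingo.dk/forward.zone.jnl" pid=1234 comm="named" '
    'requested_mask="r" denied_mask="r" fsuid=104 ouid=104',
    'Feb 12 21:34:02 ns kernel: [  812.410] audit: type=1400 audit(1518471241.200:33): '
    'apparmor="DENIED" operation="capable" profile="/usr/sbin/named" pid=1234 '
    'comm="named" capability=24  capname="sys_resource"',
    'Feb 12 21:34:02 ns dhcpd: DHCPACK on 172.16.1.100 to 00:11:22:33:44:55 via eth0',
]

if __name__ == "__main__":
    for profile, rules in rules_from_log(SAMPLE_SYSLOG).items():
        print(f"{profile} {{")
        for rule in rules:
            print(f"  {rule}")
        print("}")
```

Each suggested line is a starting point for review, not something to paste blindly: the `.jnl` path in the sample is the journal named creates beside a zone file when it accepts a dynamic update, which is exactly why the profile at the top of this page grants `/var/lib/named/etc/sites/domingo.dk/** rw`, and the narrowest path that covers what the daemon really needs is preferable to a wide glob. After editing the profile, reload it with `sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.named` (that file name is the usual Ubuntu one and is an assumption here, not something this howto states).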

//Source: http://lani78.wordpress.com/2008/08/12/dhcp-server-update-dns-records///
howtos/bind-dhcpd-apparmor.txt · Last modified: 16/02/2023 07:04 by domingo