Solved

Dynamic DNS on Fedora Core 5 with Bind9

Posted on 2006-06-15
Last Modified: 2013-12-16
Hi,

I have a private network at home with a Windows 2k3 server, XP workstation and a Linux server running FC5. The Linux box has 2 NICs (one for incoming DSL and one for internal LAN) and I use it for internal dns and firewall. The dns routes a dummy domain to the 2k3 server for development web stuff and everything else on to my ISP. Anyway, I have Active Directory installed on the 2k3 box and it has worked just fine updating the dns on the Linux box until shortly before I upgraded to FC5. Since it quit working before I actually did the upgrade, I'm guessing it was a patch or other update in either Windows 2k3 or BIND. I have no idea.

It's been awhile, but I'm almost certain that when I set it up the first time, the only thing I had to do was add
"allow-update { 192.168.0.2; };" to the named.conf file where the dummy domain is declared for Active Directory to be able to update dns. There is no firewall interference inside the LAN, so I'm sure that's not the issue. Is there something else I'm missing that has to be configured for ddns?

Thanks,

John
Question by:danburyit
LVL 22

Expert Comment

by:pjedmond
ID: 16912875
You need to add a little more to stipulate which domain the update is referring to :

zone "dummy.dom" IN {
  type slave;
  file "dummy.dom.zone";
  allow-update {192.168.0.2; };
};

As appropriate for your setup. Effectively, this means that this BIND server is a slave DNS server for dummy.dom, and 192.168.0.2 (your Win 2K3 server which controls dummy.dom) is allowed to update it.

Worth reading this:

http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-bind-namedconf.html

HTH:)
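The allow-update ACL in the zone statement above is the whole gate for dynamic updates, so it is worth auditing what each zone actually permits. The following script is an added example, not code from this thread or from BIND: it parses a constructed named.conf (zone and key names are hypothetical), classifies each allow-update element as address-based, key-based or "any", and flags allow-update on a slave zone, where updates belong at the master.

```python
# Audit allow-update ACLs in a named.conf. Added example, not code from the
# thread; the config below is constructed and the key name is hypothetical.
import re
# Constructed sample: the thread's address-based ACL, a TSIG-key ACL, and a
# slave zone carrying allow-update (updates belong at the master).
SAMPLE_NAMED_CONF = """
key "ad-update-key" { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64"; };
zone "dummy.dom" IN { type master; file "dummy.dom.zone";
    allow-update { 192.168.0.2; }; };           // source address only
zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone";
    allow-update { key "ad-update-key"; }; };   // signed updates only
zone "example.test" IN { type slave; masters { 192.168.0.2; };
    allow-update { any; }; };
"""
ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"(?:\s+IN)?\s*\{')
ADDR_RE = re.compile(r'^!?\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$')  # IPv4 or CIDR

def _block_body(text, start):  # text inside the brace block opening at text[start]
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def parse_zones(conf):
    """Map zone name -> {'type': str or None, 'allow_update': [ACL elements]}."""
    conf = re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*', '', conf, flags=re.S)  # drop comments
    zones = {}
    for m in ZONE_RE.finditer(conf):
        body = _block_body(conf, m.end() - 1)
        ztype = re.search(r'\btype\s+(\w+)\s*;', body)
        acl = re.search(r'\ballow-update\s*\{([^}]*)\}', body)
        elems = [e.strip() for e in acl.group(1).split(';') if e.strip()] if acl else []
        zones[m.group(1)] = {"type": ztype.group(1) if ztype else None, "allow_update": elems}
    return zones

def audit(conf):
    """Per zone, the reasons its allow-update ACL deserves a second look."""
    findings = {}
    for name, z in parse_zones(conf).items():
        issues = []
        if z["allow_update"] and z["type"] == "slave":
            issues.append("allow-update on a slave zone: updates belong at the master")
        for e in z["allow_update"]:
            if e == "any":
                issues.append("allow-update { any; }: any client can rewrite the zone")
            elif ADDR_RE.match(e):
                issues.append(f"address-only ACL {e}: unauthenticated source IP, prefer a TSIG key")
        findings[name] = issues
    return findings
```

Run `audit(open("/etc/named.conf").read())` against a real file; an empty list for a zone means its ACL is key-based (or it accepts no updates).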
LVL 1

Author Comment

by:danburyit
ID: 16913052
Well, yes, of course. I have the whole zone statement. The type is 'master' and I have the zone file in place and it's valid and everything. (I did mention that it was working before.) What I meant was, other than specifying the ip in the allow-update statement for the machine that wants to perform dns updates, is there some other configuration that I've missed that would explain why the 2k3 server is not able to update the dns? I'm hoping to rule out the possibility that the issue is a Linux one. (Then I can go ask questions on the Windows forum.)

Thanks again.
LVL 22

Expert Comment

by:pjedmond
ID: 16913565
Strictly speaking if the Win2K3 server is giving out, and allocating IPs to systems, then it is the master for the domain dummy.dom, and the linux BIND daemon is a slave for this domain. This will potentially cause confusion if the W2K3 server and the linux box are ever likely to be queried by the same client PC. However, if the linux system is the *only* DNS server that clients are aware of then this is not a problem.

What you now need to do is ensure that both the forward and reverse DNS information for dummy.dom is 'notified' to this server. To do that you need to right click on the SOA of the forward and reverse domains on the Win 2K3 DNS server, and select the zone transfers tab. There should be a notify button somewhere if I remember correctly, and you need to add your linux server to the list of servers to be notified.

HTH:)
LVL 22

Expert Comment

by:pjedmond
ID: 16913596
From what you've said, I'd say that the problem is with the Windows side....but then I'm biased!

logs in /var/log/named/ may provide you with further information as to what is going on, and whether any updated DNS information is being received.

HTH:)
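The named log is where this question gets answered: a run of "update ... denied" lines from the AD server means the request reached BIND and the allow-update ACL rejected it, while update attempts from any other client are something to look into. This is an added example, not code from the thread; the log lines are constructed to match BIND 9's "update '<zone>' denied" and "updating zone '<zone>'" messages, and 192.168.0.77 is a made-up unexpected client.

```python
# Triage dynamic-update lines from a BIND log. Added example, not code from
# the thread; the log below is constructed to match BIND 9's
# "update '<zone>' denied" and "updating zone '<zone>'" messages.
import re
from collections import Counter

# Constructed sample; 192.168.0.2 is the thread's AD server, .77 is not.
SAMPLE_LOG = """\
15-Jun-2006 09:10:01.123 update-security: client 192.168.0.2#1031: update 'dummy.dom/IN' denied
15-Jun-2006 09:10:01.456 update-security: client 192.168.0.2#1031: update '0.168.192.in-addr.arpa/IN' denied
15-Jun-2006 09:12:44.001 update: client 192.168.0.2#1032: updating zone 'dummy.dom/IN': adding an RR at '_ldap._tcp.dummy.dom' SRV
15-Jun-2006 09:15:02.777 update-security: client 192.168.0.77#4444: update 'dummy.dom/IN' denied
"""

# "/key <name>" appears when the update was TSIG-signed; absent for address-only ACLs.
UPDATE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+(?:/key (?P<key>\S+))?: "
    r"(?:update '(?P<denied>[^']+)' denied"
    r"|updating zone '(?P<ok>[^']+)': (?P<change>.+))")

def parse_updates(log):
    """One dict per update event: who, which zone, signing key, denied?, change."""
    events = []
    for line in log.splitlines():
        m = UPDATE_RE.search(line)
        if not m:
            continue
        zone = (m["denied"] or m["ok"]).split("/")[0]   # drop the '/IN' class suffix
        events.append({"ip": m["ip"], "key": m["key"], "zone": zone,
                       "denied": m["denied"] is not None, "change": m["change"]})
    return events

def summarize(log, expected_updaters):
    """Denied/approved counts per client, plus clients that should never update."""
    denied, approved = Counter(), Counter()
    for ev in parse_updates(log):
        (denied if ev["denied"] else approved)[ev["ip"]] += 1
    seen = set(denied) | set(approved)
    return {"denied_by_client": denied, "approved_by_client": approved,
            "unexpected_clients": sorted(seen - set(expected_updaters))}
```

Point it at the real file (for example the update and update-security channels under /var/log/named/) and pass the set of hosts that are supposed to send updates.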
LVL 1

Author Comment

by:danburyit
ID: 16913877
I will check the log file and see if there is any info there. But Windows is not running dns at all. The Linux machine is the only dns server on the LAN. Sorry if I didn't make that clear.
LVL 22

Expert Comment

by:pjedmond
ID: 16914215
OK - In which case, you are quite right for it to be a master domain:)

All you need to add then is 1 entry to the dummy.dom domain, and that's for the W2K3 server. In addition, you'd need to make an entry for the XP workstation.

But my next question, is why is this Dynamic DNS? What is allocating the IP address to the Server and XP workstation?

The fact you mentioned it was a server, I started 'assuming' - "I have Active Directory installed on the 2k3 box and it has worked just fine updating the dns on the Linux box".....What DNS is the 2K3 box updating on the Linux box? It can't update the Bind server, unless it is running DNS?

If the Win2K3 server is allocating a dynamic IP to the XP server, then it has to tell the FC5 Bind server, if that is going to be your only DNS server for the internal network....or is the W2K3 server IP dynamic?

I suggest that you decide on a fixed IP address for the W2K3 server and your XP Workstation, and add fixed entries to both the forward and reverse zone on your FC Bind server. Much simpler, and a lot more sane.

If that's not achieving what you are trying to do, then please explain more carefully what you need as an end result.

HTH:)
LVL 1

Author Comment

by:danburyit
ID: 16916092
OK, let me see if I can explain fully. Inside my LAN I have a w2k3 server with a static ip of 192.168.0.2 running IIS and Active Directory. I also have an XP workstation with a static ip. Out in front is my Linux server running FC5 (newly installed) and running BIND9 for dns and also running dhcp for the laptops that are occasionally plugged into the LAN. The Linux box also has two NICs, one with a static ip on the LAN side and the other is connected to the DSL modem and gets its ip from the ISP. Linux also provides my firewall and nat. The w2k3 server is running Active Directory with a few accounts set up for other people in the house to log in so they can use the computer and the internet and not muck up any of my stuff, and AD is what needs to update the dns server on the Linux box. I know it's overkill for three (sometimes four with the laptop) computers, but it's good practice. Also, I have web development projects that I work on that are hosted on the 2k3 server, visible only from inside the LAN, that I can browse from the XP machine because the Linux dns directs all the "dummy.com" traffic to the 2k3 server and all other internet traffic gets forwarded on through the ISP.

So the problem comes in where Active Directory needs a dns server to function. It has to be able to add several records to the zone file for various things. It worked just fine for over a year but lately I can't seem to get it going again. I could just set up the dns server on the 2k3 machine for Active Directory, but I'd rather not have to run two dns servers as I managed just fine with only one for so long.

Hope that helps.
LVL 22

Expert Comment

by:pjedmond
ID: 16916208
OK - making more sense.

In which case,  as previously suggested, add the fixed ips to the forward and reverse lookups.

...and at that stage, the network should be fine (not including the laptops that log in on an occasional basis).

Once we log in with a new laptop, then the linux server provides an IP address to it. Does it really need any active directory information? The only additional element is possibly related to allocation of a PC name, in which case, I'd probably not go about it this way, but perhaps identify the laptops by MAC address - I know that can be spoofed, but it only has an effect on the DNS name allocated.

e.g:

        # dhcpd.conf: fixed lease tied to the laptop's MAC address
        host laptop2 {
                hardware ethernet 08:00:2b:4c:a3:82;
                fixed-address 192.168.0.120;
        }

        host laptop1 {
                hardware ethernet 08:00:2b:4c:a4:17;
                fixed-address 192.168.0.121;
        }

etc

This is more than ample for a small number of laptops.

However, regardless of whether the DNS server is running, the only way that the W2K3 server can update any BIND data is using the aforementioned notification process which tells it to notify the Linux DNS server.

HTH:)
LVL 1

Author Comment

by:danburyit
ID: 16916543
"notification process"?
LVL 22

Expert Comment

by:pjedmond
ID: 16917061
From my post above:
---------8X---------
What you now need to do is ensure that both the forward and reverse DNS information for dummy.dom is 'notified' to this server. To do that you need to right click on the SOA of the forward and reverse domains on the Win 2K3 DNS server, and select the zone transfers tab. There should be a notify button somewhere if I remember correctly, and you need to add your linux server to the list of servers to be notified.
---------8X---------
LVL 22

Expert Comment

by:pjedmond
ID: 16917067
Unfortunately, I can't claim to be an expert on this:( due to the fact it is a particularly bizarre way of doing this, but if you previously had AD using a BIND server, then the only way that the DNS settings can be updated on the linux server is via a 'notify', and the only place that I know of one of those existing in a windows server is in the DNS server, so I suspect that it must be used even if the DNS server is not running?
LVL 1

Author Comment

by:danburyit
ID: 16917583
OK. Thanks for trying. I've been digging around and finding other people posting this same issue and I've seen no resolution yet. So it must be a tough one.
LVL 22

Expert Comment

by:pjedmond
ID: 16920433
I don't really think that it's likely to be that tough....it's more a case of the fact that it's not exactly a common problem that people would want to solve (and hence document). There are much easier ways of providing the services on an internal network than the setup that you have. Unfortunately for that type of thing, I'd probably need to set up a test config in order to analyse exactly what is happening. Sorry I couldn't be of more help.
LVL 1

Author Comment

by:danburyit
ID: 16968442
I agree it's not a problem that many people are likely to encounter, but after digging through some other forums I've found it's not completely unheard of. You probably won't see many people with a small LAN in their house who are having issues with this, but I did run across some posts from people in companies that have Windows LANs in their offices but use Linux or Unix for their DNS and run their Active Directory domain controllers off the non-Windows DNS servers. Unfortunately, I haven't yet found where anyone has solved their dilemma.
LVL 22

Expert Comment

by:pjedmond
ID: 16968523
Perhaps it really isn't that easy? If no-one appears to have solved this dilemma, perhaps it is because AD is fairly tightly knit. All the AD installations I've seen are using the DNS on the windows server (or another windows server on the domain), and if access is required to an external DNS server (only if the system for which information is required is not part of the domain...in which case it has no right to use the same Domain Name), then the request for info is forwarded via a DNS server within the domain.

(   (()
(`-' _\
 ''  ''

Accepted Solution

by:
ee_ai_construct earned 0 total points
ID: 17355643
PAQ / Refund
ee ai construct, community support moderator