KEA DHCP DDNS Netzwerk und Serveradministration: Unterschied zwischen den Versionen
| (15 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
| − | =Auf unserem Nameserver= | + | =Dynamic DNS mit Kea und BIND9= |
| + | |||
| + | ==Technischer Ablauf (Theorie)== | ||
| + | ;1. DHCP-Request | ||
| + | *Der Client sendet beim Request seinen Hostnamen (Option 12). | ||
| + | *Kea-DHCP4 weist eine IP zu und prüft die DDNS-Konfiguration. | ||
| + | |||
| + | ;2. NCR (Name Change Request) | ||
| + | *Kea-DHCP4 generiert eine Update-Anfrage. | ||
| + | *Durch "ddns-qualifying-suffix" wird aus dem Hostnamen "client" der FQDN "client.it213.int". | ||
| + | *Diese Anfrage geht intern an den Kea-DDNS-Daemon (Port 53001). | ||
| + | |||
| + | ;3. TSIG-Signierung | ||
| + | *Der Kea-DDNS-Daemon nimmt das Paket entgegen. | ||
| + | *Er nutzt den "it213.key" (HMAC-SHA256), um die Anfrage kryptografisch zu signieren. | ||
| + | *Dies stellt sicher, dass nur autorisierte Dienste den DNS-Server manipulieren dürfen. | ||
| + | |||
| + | ;4. DNS-Update (BIND9) | ||
| + | *BIND9 (10.88.213.21) empfängt das signierte Paket. | ||
| + | *Dank "allow-update" wird die Signatur akzeptiert. | ||
| + | *BIND schreibt den A-Record (Forward) und den PTR-Record (Reverse) in die Zonen-Dateien. | ||
| + | |||
| + | ;Wichtiger Hinweis | ||
| + | *Der DHCP-Server schreibt NICHT direkt in den DNS, sondern delegiert dies an den Kea-DDNS-Daemon. | ||
| + | |||
| + | ==Auf unserem Nameserver (10.88.213.21)== | ||
;Key erzeugen | ;Key erzeugen | ||
*cd /etc/bind | *cd /etc/bind | ||
| − | *tsig-keygen -a HMAC-SHA256 it213.key >> | + | *tsig-keygen -a HMAC-SHA256 it213.key >> /etc/bind/named.conf.local |
| − | ; | + | |
| + | ;Zonen und Key konfigurieren | ||
*cat /etc/bind/named.conf.local | *cat /etc/bind/named.conf.local | ||
| − | + | <syntaxhighlight lang="text"> | |
| − | + | key "it213.key" { | |
algorithm hmac-sha256; | algorithm hmac-sha256; | ||
secret "Y8zioRKf3L0lWlhZ5FReSdegcnWVD53IIqT9PPle5cU="; | secret "Y8zioRKf3L0lWlhZ5FReSdegcnWVD53IIqT9PPle5cU="; | ||
| − | + | }; | |
| − | + | ||
| − | + | zone "it213.int" { | |
type master; | type master; | ||
file "/var/cache/bind/it213.int"; | file "/var/cache/bind/it213.int"; | ||
allow-update { key "it213.key"; }; | allow-update { key "it213.key"; }; | ||
| − | + | }; | |
| − | + | ||
| − | + | zone "213.88.10.in-addr.arpa" { | |
type master; | type master; | ||
file "/var/cache/bind/213.88.10.in-addr.arpa"; | file "/var/cache/bind/213.88.10.in-addr.arpa"; | ||
allow-update { key "it213.key"; }; | allow-update { key "it213.key"; }; | ||
| − | + | }; | |
| − | + | zone "213.26.172.in-addr.arpa" { | |
type master; | type master; | ||
file "/var/cache/bind/213.26.172.in-addr.arpa"; | file "/var/cache/bind/213.26.172.in-addr.arpa"; | ||
allow-update { key "it213.key"; }; | allow-update { key "it213.key"; }; | ||
| − | + | }; | |
| + | </syntaxhighlight> | ||
| + | |||
| + | ;Nameserver neustarten | ||
| + | *systemctl restart named | ||
| + | |||
| + | ==Auf dem Kea Server== | ||
| + | ;Installation DDNS-Server | ||
| + | *sudo apt update | ||
| + | *sudo apt install kea-dhcp-ddns-server | ||
| + | |||
| + | ;kea-dhcp4.conf anpassen | ||
| + | *cat /etc/kea/kea-dhcp4.conf | ||
| + | <syntaxhighlight lang="json"> | ||
| + | { | ||
| + | "Dhcp4": { | ||
| + | "interfaces-config": { | ||
| + | "interfaces": [ "enp0s3" ] | ||
| + | }, | ||
| + | "control-socket": { | ||
| + | "socket-type": "unix", | ||
| + | "socket-name": "/run/kea/kea4-ctrl-socket" | ||
| + | }, | ||
| + | "lease-database": { | ||
| + | "type": "memfile", | ||
| + | "persist": true, | ||
| + | "name": "/var/lib/kea/kea-leases4.csv" | ||
| + | }, | ||
| + | "dhcp-ddns": { | ||
| + | "enable-updates": true, | ||
| + | "server-ip": "127.0.0.1", | ||
| + | "server-port": 53001 | ||
| + | }, | ||
| + | "ddns-send-updates": true, | ||
| + | "ddns-override-no-update": true, | ||
| + | "ddns-override-client-update": true, | ||
| + | "ddns-update-on-renew": true, | ||
| + | "ddns-qualifying-suffix": "it213.int", | ||
| + | "valid-lifetime": 7200, | ||
| + | "option-data": [ | ||
| + | { "name": "domain-name-servers", "data": "10.88.213.21" }, | ||
| + | { "name": "domain-name", "data": "it213.int" }, | ||
| + | { "name": "domain-search", "data": "it213.int" } | ||
| + | ], | ||
| + | "subnet4": [ | ||
| + | { | ||
| + | "id": 1, | ||
| + | "subnet": "172.26.213.0/24", | ||
| + | "pools": [ { "pool": "172.26.213.100 - 172.26.213.200" } ], | ||
| + | "option-data": [ { "name": "routers", "data": "172.26.213.1" } ], | ||
| + | "reservations": [ | ||
| + | { | ||
| + | "hw-address": "08:00:27:5d:76:5d", | ||
| + | "ip-address": "172.26.213.99", | ||
| + | "hostname": "client" | ||
| + | } | ||
| + | ] | ||
| + | }, | ||
| + | { | ||
| + | "id": 2, | ||
| + | "subnet": "10.88.213.0/24", | ||
| + | "pools": [ { "pool": "10.88.213.50 - 10.88.213.100" } ], | ||
| + | "option-data": [ { "name": "routers", "data": "10.88.213.1" } ] | ||
| + | }, | ||
| + | { | ||
| + | "id": 3, | ||
| + | "subnet": "10.213.1.0/24", | ||
| + | "pools": [ { "pool": "10.213.1.50 - 10.213.1.100" } ], | ||
| + | "option-data": [ { "name": "routers", "data": "10.213.1.1" } ] | ||
| + | } | ||
| + | ], | ||
| + | "loggers": [ | ||
| + | { | ||
| + | "name": "kea-dhcp4", | ||
| + | "output_options": [ { "output": "/var/log/kea/kea-dhcp4.log" } ], | ||
| + | "severity": "INFO" | ||
| + | } | ||
| + | ] | ||
| + | } | ||
| + | } | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ;kea-dhcp-ddns.conf erstellen | ||
| + | *cat /etc/kea/kea-dhcp-ddns.conf | ||
| + | <syntaxhighlight lang="json"> | ||
| + | { | ||
| + | "DhcpDdns": { | ||
| + | "ip-address": "127.0.0.1", | ||
| + | "port": 53001, | ||
| + | "control-socket": { | ||
| + | "socket-type": "unix", | ||
| + | "socket-name": "/run/kea/kea-ddns-ctrl-socket" | ||
| + | }, | ||
| + | "tsig-keys": [ | ||
| + | { | ||
| + | "name": "it213.key", | ||
| + | "algorithm": "HMAC-SHA256", | ||
| + | "secret": "Y8zioRKf3L0lWlhZ5FReSdegcnWVD53IIqT9PPle5cU=" | ||
| + | } | ||
| + | ], | ||
| + | "forward-ddns": { | ||
| + | "ddns-domains": [ | ||
| + | { | ||
| + | "name": "it213.int.", | ||
| + | "key-name": "it213.key", | ||
| + | "dns-servers": [ { "ip-address": "10.88.213.21" } ] | ||
| + | } | ||
| + | ] | ||
| + | }, | ||
| + | "reverse-ddns": { | ||
| + | "ddns-domains": [ | ||
| + | { | ||
| + | "name": "213.88.10.in-addr.arpa.", | ||
| + | "key-name": "it213.key", | ||
| + | "dns-servers": [ { "ip-address": "10.88.213.21" } ] | ||
| + | }, | ||
| + | { | ||
| + | "name": "213.26.172.in-addr.arpa.", | ||
| + | "key-name": "it213.key", | ||
| + | "dns-servers": [ { "ip-address": "10.88.213.21" } ] | ||
| + | } | ||
| + | ] | ||
| + | }, | ||
| + | "loggers": [ | ||
| + | { | ||
| + | "name": "kea-dhcp-ddns", | ||
| + | "output_options": [ { "output": "/var/log/kea/kea-ddns.log" } ], | ||
| + | "severity": "INFO" | ||
| + | } | ||
| + | ] | ||
| + | } | ||
| + | } | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ==Restart und Debuggen== | ||
| + | ;Dienste-Management | ||
| + | *systemctl restart kea-dhcp4-server kea-dhcp-ddns-server | ||
| + | |||
| + | ;Debugging-Hinweise | ||
| + | *'''Logs prüfen:''' tail -f /var/log/kea/kea-ddns.log | ||
| + | *'''Eintrag prüfen:''' dig @10.88.213.21 client.it213.int | ||
| + | *'''AppArmor:''' Falls Dateien nicht geöffnet werden können, Profile unter /etc/apparmor.d/disable/ prüfen. | ||
| + | *'''Schreibrechte:''' BIND benötigt Schreibrechte für /var/cache/bind/ für die .jnl Dateien. | ||
| + | *'''Wartung:''' Nach dem Debugging Log-Level von DEBUG auf INFO zurückstellen. | ||
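Review bot: The TSIG secret is published in clear text on the new side, once in the BIND `key "it213.key"` block and again under `tsig-keys` in kea-dhcp-ddns.conf; since `allow-update` trusts whoever holds that key, anyone who can read this page can send accepted updates to all three zones. Replace both occurrences with a placeholder such as `secret "<TSIG-SECRET>";` / `"secret": "<TSIG-SECRET>"` and, because this value is already exposed, regenerate the key with tsig-keygen on the real servers. A sentence noting that /etc/bind/named.conf.local and /etc/kea/kea-dhcp-ddns.conf now hold key material and should be readable only by the daemon accounts would also help. Subnet id 3 (10.213.1.0/24) has no matching reverse zone in named.conf.local nor in `reverse-ddns`, so PTR updates for leases from that pool have nowhere to go; either add `1.213.10.in-addr.arpa` on both sides or state that reverse DNS is intentionally not provided there. The AppArmor hint in the debugging section reads as "check whether the profile is disabled"; saying that the named profile should be adjusted for the zone directory rather than disabled would avoid weakening BIND's confinement.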
Aktuelle Version vom 31. März 2026, 14:09 Uhr
Dynamic DNS mit Kea und BIND9
Technischer Ablauf (Theorie)
- 1. DHCP-Request
- Der Client sendet beim Request seinen Hostnamen (Option 12).
- Kea-DHCP4 weist eine IP zu und prüft die DDNS-Konfiguration.
- 2. NCR (Name Change Request)
- Kea-DHCP4 generiert eine Update-Anfrage.
- Durch "ddns-qualifying-suffix" wird aus dem Hostnamen "client" der FQDN "client.it213.int".
- Diese Anfrage geht intern an den Kea-DDNS-Daemon (Port 53001).
- 3. TSIG-Signierung
- Der Kea-DDNS-Daemon nimmt das Paket entgegen.
- Er nutzt den "it213.key" (HMAC-SHA256), um die Anfrage kryptografisch zu signieren.
- Dies stellt sicher, dass nur Dienste, die diesen Schlüssel besitzen, Updates an den DNS-Server senden dürfen.
- 4. DNS-Update (BIND9)
- BIND9 (10.88.213.21) empfängt das signierte Paket.
- Dank der Direktive "allow-update" mit dem Schlüssel it213.key wird das damit signierte Update akzeptiert.
- BIND schreibt den A-Record (Forward) und den PTR-Record (Reverse) in die Zonen-Dateien.
- Wichtiger Hinweis
- Der DHCP-Server schreibt NICHT direkt in den DNS, sondern delegiert dies an den Kea-DDNS-Daemon.
Auf unserem Nameserver (10.88.213.21)
- Key erzeugen
- cd /etc/bind
- tsig-keygen -a HMAC-SHA256 it213.key >> /etc/bind/named.conf.local
- Zonen und Key konfigurieren
- cat /etc/bind/named.conf.local
// TSIG key shared with the Kea DDNS daemon; name, algorithm and secret must
// match the "tsig-keys" entry in /etc/kea/kea-dhcp-ddns.conf.
key "it213.key" {
algorithm hmac-sha256;
// NOTE(review): this secret is reproduced verbatim on a wiki page; regenerate
// it with tsig-keygen before using this configuration on a real server.
secret "Y8zioRKf3L0lWlhZ5FReSdegcnWVD53IIqT9PPle5cU=";
};
// Forward zone; only updates signed with it213.key are accepted.
zone "it213.int" {
type master;
file "/var/cache/bind/it213.int";
allow-update { key "it213.key"; };
};
// Reverse zone for 10.88.213.0/24 (Kea subnet id 2).
zone "213.88.10.in-addr.arpa" {
type master;
file "/var/cache/bind/213.88.10.in-addr.arpa";
allow-update { key "it213.key"; };
};
// Reverse zone for 172.26.213.0/24 (Kea subnet id 1).
// NOTE(review): no reverse zone for 10.213.1.0/24 (Kea subnet id 3) is defined
// here or in the Kea "reverse-ddns" section; confirm whether that is intended.
zone "213.26.172.in-addr.arpa" {
type master;
file "/var/cache/bind/213.26.172.in-addr.arpa";
allow-update { key "it213.key"; };
};
- Nameserver neustarten
- systemctl restart named
Auf dem Kea Server
- Installation DDNS-Server
- sudo apt update
- sudo apt install kea-dhcp-ddns-server
- kea-dhcp4.conf anpassen
- cat /etc/kea/kea-dhcp4.conf
{
"Dhcp4": {
"interfaces-config": {
"interfaces": [ "enp0s3" ]
},
"control-socket": {
"socket-type": "unix",
"socket-name": "/run/kea/kea4-ctrl-socket"
},
"lease-database": {
"type": "memfile",
"persist": true,
"name": "/var/lib/kea/kea-leases4.csv"
},
"dhcp-ddns": {
"enable-updates": true,
"server-ip": "127.0.0.1",
"server-port": 53001
},
"ddns-send-updates": true,
"ddns-override-no-update": true,
"ddns-override-client-update": true,
"ddns-update-on-renew": true,
"ddns-qualifying-suffix": "it213.int",
"valid-lifetime": 7200,
"option-data": [
{ "name": "domain-name-servers", "data": "10.88.213.21" },
{ "name": "domain-name", "data": "it213.int" },
{ "name": "domain-search", "data": "it213.int" }
],
"subnet4": [
{
"id": 1,
"subnet": "172.26.213.0/24",
"pools": [ { "pool": "172.26.213.100 - 172.26.213.200" } ],
"option-data": [ { "name": "routers", "data": "172.26.213.1" } ],
"reservations": [
{
"hw-address": "08:00:27:5d:76:5d",
"ip-address": "172.26.213.99",
"hostname": "client"
}
]
},
{
"id": 2,
"subnet": "10.88.213.0/24",
"pools": [ { "pool": "10.88.213.50 - 10.88.213.100" } ],
"option-data": [ { "name": "routers", "data": "10.88.213.1" } ]
},
{
"id": 3,
"subnet": "10.213.1.0/24",
"pools": [ { "pool": "10.213.1.50 - 10.213.1.100" } ],
"option-data": [ { "name": "routers", "data": "10.213.1.1" } ]
}
],
"loggers": [
{
"name": "kea-dhcp4",
"output_options": [ { "output": "/var/log/kea/kea-dhcp4.log" } ],
"severity": "INFO"
}
]
}
}
- kea-dhcp-ddns.conf erstellen
- cat /etc/kea/kea-dhcp-ddns.conf
{
"DhcpDdns": {
"ip-address": "127.0.0.1",
"port": 53001,
"control-socket": {
"socket-type": "unix",
"socket-name": "/run/kea/kea-ddns-ctrl-socket"
},
"tsig-keys": [
{
"name": "it213.key",
"algorithm": "HMAC-SHA256",
"secret": "Y8zioRKf3L0lWlhZ5FReSdegcnWVD53IIqT9PPle5cU="
}
],
"forward-ddns": {
"ddns-domains": [
{
"name": "it213.int.",
"key-name": "it213.key",
"dns-servers": [ { "ip-address": "10.88.213.21" } ]
}
]
},
"reverse-ddns": {
"ddns-domains": [
{
"name": "213.88.10.in-addr.arpa.",
"key-name": "it213.key",
"dns-servers": [ { "ip-address": "10.88.213.21" } ]
},
{
"name": "213.26.172.in-addr.arpa.",
"key-name": "it213.key",
"dns-servers": [ { "ip-address": "10.88.213.21" } ]
}
]
},
"loggers": [
{
"name": "kea-dhcp-ddns",
"output_options": [ { "output": "/var/log/kea/kea-ddns.log" } ],
"severity": "INFO"
}
]
}
}
Restart und Debuggen
- Dienste-Management
- systemctl restart kea-dhcp4-server kea-dhcp-ddns-server
- Debugging-Hinweise
- Logs prüfen: tail -f /var/log/kea/kea-ddns.log
- Eintrag prüfen: dig @10.88.213.21 client.it213.int
- AppArmor: Falls Dateien nicht geöffnet werden können, prüfen, ob ein AppArmor-Profil den Zugriff blockiert (deaktivierte Profile liegen als Symlinks unter /etc/apparmor.d/disable/).
- Schreibrechte: BIND benötigt Schreibrechte auf /var/cache/bind/, da dort bei dynamischen Updates die .jnl-Journaldateien angelegt werden.
- Wartung: Nach dem Debugging Log-Level von DEBUG auf INFO zurückstellen.