DNS and DHCP services
1. Protocols
Adapt the firewalls!
1.1. NTP
Client/server: protect the server against connection attempts and configuration attempts
UDP 123
1.2. DNS
- UDP/TCP 53
- Check zone transfers
The chapters of the document may usefully be reread:
Deployments:
- Master/slave server for a zone
- Resolver (cache) server
- Forwarding (proxy) server
- Split server
- View-based server
1.3. DHCP
- UDP 67 (server) / UDP 68 (client)
Deployments:
- DHCP server
- DHCP relay
1.4. Neighbor Discovery (ND, ICMPv6)
1.5. DHCPv6
UDP 547 (server) / UDP 546 (client)
- Stateful
- Stateless
2. Software
Dnsmasq
RADVD
ISC-DHCP-Server
Bind9
3. Lab topology
4. Setting up srv01
4.1. Network configuration
For example, to change the hostname:
hostnamectl set-hostname srv01
systemctl restart systemd-hostnamed
systemctl status systemd-hostnamed
Changing the hostname breaks SELinux rules.
- The whole system can be relabelled by creating an empty file
.autorelabel
at the root of the filesystem and rebooting the machine.
# touch /.autorelabel
# reboot
Edit or create the file
/etc/sysconfig/network-scripts/ifcfg-eth0
to set the IP address of server srv01 and other parameters.
DEVICE=eth0
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
BOOTPROTO=static
HOSTNAME=srv01
IPADDR=192.168.22.1
NETMASK=255.255.255.0
GATEWAY=192.168.22.254
+++ IPv6 connectivity
Then shut down the virtual machine to edit the VM definition with virsh edit srv01
and replace the line <source bridge='virbr0'/>
with <source bridge='virbr1'/>.
After rebooting, the machine should have local and global connectivity:
- Interface
# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:ef:72:b6 brd ff:ff:ff:ff:ff:ff
inet 192.168.22.1/24 brd 192.168.22.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:feef:72b6/64 scope link
valid_lft forever preferred_lft forever
- Local connectivity
# ping -c 1 192.168.22.254
PING 192.168.22.254 (192.168.22.254) 56(84) bytes of data.
64 bytes from 192.168.22.254: icmp_seq=1 ttl=64 time=0.324 ms
--- 192.168.22.254 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.324/0.324/0.324/0.000 ms
- Global connectivity
# ping -c 1 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=127 time=47.7 ms
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 47.775/47.775/47.775/0.000 ms
- But name resolution is missing
# ping -c 1 www.google.com
ping: unknown host www.google.com
- Indeed, no name server is set in
/etc/resolv.conf
(otherwise the original entry must be changed temporarily to the value nameserver 8.8.8.8)
# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 8.8.8.8
- Minimal connectivity is now established
# ping -c 1 www.google.com
PING www.google.com (62.4.253.244) 56(84) bytes of data.
64 bytes from 244.253-4-62.akamai.com (62.4.253.244): icmp_seq=1 ttl=127 time=43.7 ms
--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 43.717/43.717/43.717/0.000 ms
4.2. DHCP service
# yum -y install dhcp
Create the file /etc/dhcp/dhcpd.conf
ddns-update-style none;
authoritative;
log-facility local7;
subnet 192.168.22.0 netmask 255.255.255.0 {
range 192.168.22.100 192.168.22.150;
option domain-name-servers 192.168.22.1;
option domain-name "domain.lan";
option routers 192.168.22.254;
option ntp-servers 192.168.22.1;
default-lease-time 86400;
max-lease-time 86400;
}
#host srv02 {
# hardware ethernet aa:bb:cc:dd:ee:ff;
# fixed-address 192.168.22.2;
#}
Enable and start the service
# systemctl enable dhcpd
# systemctl start dhcpd
Leases granted
# cat /var/lib/dhcpd/dhcpd.leases
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.2.5
lease 192.168.22.100 {
starts 3 2016/03/09 18:21:24;
ends 4 2016/03/10 18:21:24;
tstp 4 2016/03/10 18:21:24;
cltt 3 2016/03/09 18:21:24;
binding state active;
next binding state free;
rewind binding state free;
hardware ethernet 52:54:00:ef:05:b3;
client-hostname "wks41";
}
lease 192.168.22.101 {
starts 3 2016/03/09 18:32:01;
ends 4 2016/03/10 18:32:01;
tstp 4 2016/03/10 18:32:01;
cltt 3 2016/03/09 18:32:01;
binding state active;
next binding state free;
rewind binding state free;
hardware ethernet 52:54:00:ef:38:81;
client-hostname "srv02";
}
server-duid "\000\001\000\001\036s%\241RT\000\357r\266";
Log on CentOS / Debian (for reference)
journalctl -u dhcpd || journalctl -u isc-dhcp-server
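Added example, not part of the original lab: a small awk script that lists the active leases from a dhcpd.leases file in the format shown above. It matters for inventory and incident work that dhcpd appends a new record whenever a lease changes state and never rewrites in place, so the last record for an address is the authoritative one; the sample file is constructed from the two leases above plus one later record releasing 192.168.22.100.

```shell
#!/bin/sh
# Print the leases currently active in a dhcpd.leases file, one per line as
# "ip mac hostname". dhcpd appends a new record each time a lease changes and
# never edits in place, so the LAST record for an IP is the one that counts.
active_leases() {
    awk '
        /^lease / { ip = $2; mac = ""; host = "-"; state = "" }
        /^[[:space:]]*binding state/     { state = $3; sub(/;$/, "", state) }
        /^[[:space:]]*hardware ethernet/ { mac = $3; sub(/;$/, "", mac) }
        /^[[:space:]]*client-hostname/   { host = $2; gsub(/[";]/, "", host) }
        /^}/ && ip != "" {
            # a later "free" record supersedes an earlier "active" one
            if (state == "active") act[ip] = mac " " host; else delete act[ip]
            ip = ""
        }
        END { for (ip in act) print ip, act[ip] }
    ' "$1" | sort
}

# Constructed sample (not the live file): the two leases shown above, followed
# by a later record that releases 192.168.22.100, as dhcpd writes on release.
sample_leases() {
    cat > "$1" <<'EOF'
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.22.100 {
  starts 3 2016/03/09 18:21:24;
  ends 4 2016/03/10 18:21:24;
  binding state active;
  next binding state free;
  hardware ethernet 52:54:00:ef:05:b3;
  client-hostname "wks41";
}
lease 192.168.22.101 {
  starts 3 2016/03/09 18:32:01;
  ends 4 2016/03/10 18:32:01;
  binding state active;
  next binding state free;
  hardware ethernet 52:54:00:ef:38:81;
  client-hostname "srv02";
}
lease 192.168.22.100 {
  starts 3 2016/03/09 18:21:24;
  ends 3 2016/03/09 19:05:12;
  binding state free;
  hardware ethernet 52:54:00:ef:05:b3;
}
EOF
}

f=$(mktemp); sample_leases "$f"
active_leases "$f"      # prints only 192.168.22.101: wks41's lease was released
rm -f "$f"
```

On the server itself, run it as `active_leases /var/lib/dhcpd/dhcpd.leases`.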
4.3. DNS
Reading this document (in French), https://access.redhat.com/documentation/fr-FR/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-DNS_Servers.html, presents the principles of Bind9 configuration.
Installing Bind9
yum -y install bind bind-utils
DNS cache configuration
Edit the file /etc/named.conf
- Create an ACL
- Listen on the LAN
- Add forwarders
# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Additions are marked //!!!
//!!! Create the "trusted" ACL
acl trusted {
192.168.22.0/24; localhost;
};
options {
//!!! Listen on address 192.168.22.1
listen-on port 53 { 127.0.0.1; 192.168.22.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
//!!! Allow queries matching the "trusted" ACL
allow-query { trusted; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
//!!! Add public name servers (example)
forwarders { 8.8.8.8; 8.8.4.4; };
};
logging
{
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Enable and start the DNS service
# systemctl enable named
# systemctl start named
# systemctl status named
Any further change requires the named daemon to reload its configuration:
rndc reload
Add the local parameters as-is to /etc/resolv.conf
# echo "domain domain.lan" > /etc/resolv.conf
# echo "search domain.lan" >> /etc/resolv.conf
# echo "nameserver 127.0.0.1" >> /etc/resolv.conf
# cat /etc/resolv.conf
domain domain.lan
search domain.lan
nameserver 127.0.0.1
An update of the local resolution file /etc/hosts also seems advisable.
# echo "127.0.0.1 srv01 srv01.domain.lan" >> /etc/hosts
# echo "::1 srv01 srv01.domain.lan" >> /etc/hosts
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
127.0.0.1 srv01 srv01.domain.lan
::1 srv01 srv01.domain.lan
Diagnostics
# ss -antp | grep named
LISTEN 0 10 192.168.22.1:53 *:* users:(("named",pid=8864,fd=21))
LISTEN 0 10 127.0.0.1:53 *:* users:(("named",pid=8864,fd=20))
LISTEN 0 128 127.0.0.1:953 *:* users:(("named",pid=8864,fd=23))
LISTEN 0 10 ::1:53 :::* users:(("named",pid=8864,fd=22))
LISTEN 0 128 ::1:953 :::* users:(("named",pid=8864,fd=24))
# journalctl -e -u named
# dig +short @127.0.0.1 www.google.com
216.58.211.100
# dig +short @192.168.22.1 www.google.com
216.58.211.100
named-checkconf
named-checkzone [zone] [zone file path]
Test from wks41
[root@wks41 ~]# nslookup www.google.com
Server: 192.168.22.1
Address: 192.168.22.1#53
Non-authoritative answer:
Name: www.google.com
Address: 216.58.211.68
Hosting a local zone
Declare the zone files by appending these lines to the end of /etc/named.conf
zone "domain.lan" {
type master;
file "db.domain.lan";
#allow-update { key rndc-key; };
};
zone "22.168.192.in-addr.arpa" {
type master;
file "db.192.168.22";
#allow-update { key rndc-key; };
};
Adding the zone files
Edit a new file /var/named/db.domain.lan
$TTL 604800
@ IN SOA srv01.domain.lan. francois.domain.lan. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS srv01.domain.lan.
srv01 IN A 192.168.22.1
ns1 IN CNAME srv01
gw01 IN A 192.168.22.254 ; gateway, consistent with option routers and the reverse zone
Edit a new file /var/named/db.192.168.22
$TTL 604800
@ IN SOA srv01.domain.lan. francois.domain.lan. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS srv01.domain.lan. ; fully qualified: "srv01." alone would not name the server
1 IN PTR srv01.domain.lan.
254 IN PTR gw01.domain.lan. ; trailing dot required, otherwise the name is relative to the zone
Set the permissions
# chown named:named /var/named/db*
# ls -l /var/named/db*
-rw-r--r--. 1 named named 447 Mar 9 20:28 /var/named/db.192.168.22
-rw-r--r--. 1 named named 472 Mar 9 20:26 /var/named/db.domain.lan
Restart the service
# systemctl restart named
Check the zone configuration
# named-checkconf -z
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
zone domain.lan/IN: loaded serial 1
zone 22.168.192.in-addr.arpa/IN: loaded serial 1
Local and remote tests with dig srv01.domain.lan
Each time a zone file changes, the value of the serial field must be incremented.
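Added example, not part of the original lab: a helper that increments the serial of a zone file laid out like the ones above (a plain integer on the "N ; Serial" line), validates the candidate with named-checkzone when that tool is installed, and only then replaces the live file, keeping its named:named owner. The sample zone is a constructed copy of the forward zone above; the zone name argument is only used for the check.

```shell
#!/bin/sh
# bump_serial ZONEFILE ZONENAME : increment the SOA serial in place and print
# the new value. Returns 1 if no serial line is found or the zone fails to load.
bump_serial() {
    tmp=$(mktemp)
    # Increment the first "N ; Serial" line only; END fails if none was found.
    awk '!done && /;[[:space:]]*Serial/ { $1 = $1 + 1; done = 1 }
         { print }
         END { exit !done }' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Validate the candidate before it replaces the file named is serving.
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$2" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    # cat rather than mv: the zone file keeps its named:named owner and mode.
    cat "$tmp" > "$1"
    rm -f "$tmp"
    current_serial "$1"
}

current_serial() { awk '/;[[:space:]]*Serial/ { print $1; exit }' "$1"; }

# Constructed copy of the forward zone above, written to FILE.
sample_zone() {
    cat > "$1" <<'EOF'
$TTL 604800
@ IN SOA srv01.domain.lan. francois.domain.lan. (
        1 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
;
@ IN NS srv01.domain.lan.
srv01 IN A 192.168.22.1
EOF
}

z=$(mktemp); sample_zone "$z"
echo "serial before: $(current_serial "$z")"
echo "serial after:  $(bump_serial "$z" domain.lan)"
rm -f "$z"
```

After a successful bump on the real file, `rndc reload` as described above makes named serve the new serial.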
4.4. Chroot for Bind
Without SELinux, a chroot environment for Bind is perhaps recommended.
# yum install -y bind-chroot
# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
# systemctl disable named
# systemctl stop named
# systemctl enable named-chroot
Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.
# systemctl start named-chroot
# yum install -y tree
# tree /var/named/chroot/
/var/named/chroot/
├── dev
│ ├── null
│ ├── random
│ └── zero
├── etc
│ ├── localtime
│ ├── named
│ ├── named.conf
│ ├── named.iscdlv.key
│ ├── named.rfc1912.zones
│ ├── named.root.key
│ ├── pki
│ │ └── dnssec-keys
│ └── rndc.key
├── run
│ └── named
│ ├── named.pid
│ └── session.key
├── usr
│ └── lib64
│ └── bind
└── var
├── log
├── named
│ ├── chroot
│ │ ├── dev
│ │ │ ├── null
│ │ │ ├── random
│ │ │ └── zero
│ │ ├── etc
│ │ │ ├── localtime
│ │ │ ├── named
│ │ │ ├── named.conf
│ │ │ ├── named.iscdlv.key
│ │ │ ├── named.rfc1912.zones
│ │ │ ├── named.root.key
│ │ │ ├── pki
│ │ │ │ └── dnssec-keys
│ │ │ └── rndc.key
│ │ ├── run
│ │ │ └── named
│ │ ├── usr
│ │ │ └── lib64
│ │ │ └── bind
│ │ └── var
│ │ ├── log
│ │ ├── named
│ │ ├── run -> ../run
│ │ └── tmp
│ ├── data
│ │ └── named.run
│ ├── dynamic
│ │ ├── managed-keys.bind
│ │ └── managed-keys.bind.jnl
│ ├── named.ca
│ ├── named.empty
│ ├── named.localhost
│ ├── named.loopback
│ └── slaves
├── run -> ../run
└── tmp
34 directories, 27 files
4.5. Dynamic DHCP/DNS
- Name: srv01.domain.lan
- Type: Authoritative
- Forward lookup zone: domain.lan.
- Reverse lookup zone: 22.168.192.in-addr.arpa.
The file /etc/named.conf must be adapted
with the authentication key "rndc-key"
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Additions are marked //!!!
//!!! Create the "trusted" ACL
acl trusted {
192.168.22.0/24; localhost;
};
options {
//!!! Listen on address 192.168.22.1
listen-on port 53 { 127.0.0.1; 192.168.22.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
//!!! Allow queries matching the "trusted" ACL
allow-query { trusted; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
//!!! Add public name servers (example)
forwarders { 8.8.8.8; 8.8.4.4; };
//!!! restrict recursion
allow-recursion {
trusted;
};
allow-transfer {
trusted;
};
};
logging
{
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
//!!! adapted
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "domain.lan" {
type master;
file "db.domain.lan";
allow-update { key rndc-key; };
};
zone "22.168.192.in-addr.arpa" {
type master;
file "db.192.168.22";
allow-update { key rndc-key; };
};
//!!! Added
include "/etc/rndc.key";
But what is this key? Each installation has its own. Write it down carefully.
# cat /etc/rndc.key
key "rndc-key" {
algorithm hmac-md5;
secret "QD54SMYw8Zpthvk1e6oAoA==";
};
# ls -l /etc/rndc.key
-rw-r-----. 1 root named 77 Mar 9 19:55 /etc/rndc.key
SELinux forbids dynamic writing of the zone files
Configure SELinux accordingly
setsebool named_write_master_zones true
This key will be entered directly in the file /etc/dhcp/dhcpd.conf,
adapted here.
Make a backup and adapt the file:
cp /etc/dhcp/dhcpd.conf ~/dhcpd.conf.bak
# cat /etc/dhcp/dhcpd.conf
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.example
# see dhcpd.conf(5) man page
#
ddns-updates on;
ddns-update-style interim;
key "rndc-key" {
algorithm hmac-md5;
secret "QD54SMYw8Zpthvk1e6oAoA==";
};
#ddns-update-style none;
authoritative;
log-facility local7;
subnet 192.168.22.0 netmask 255.255.255.0 {
range 192.168.22.100 192.168.22.150;
option domain-name-servers 192.168.22.1;
option domain-name "domain.lan";
option routers 192.168.22.254;
option ntp-servers 192.168.22.1;
default-lease-time 86400;
max-lease-time 86400;
}
zone domain.lan {
primary srv01;
key rndc-key;
}
zone 22.168.192.in-addr.arpa {
primary srv01;
key rndc-key;
}
Set the owner and group named
on the directory /var/named
and restart both services
# chown -R named:named /var/named/
# systemctl restart named && systemctl restart dhcpd
After restarting wks41, check its name resolution
dig wks41
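Added example, not part of the original lab: a shell check for the three access-control statements this section adds to the options block (allow-query, allow-recursion, allow-transfer). The caching configuration of section 4.3 has only allow-query, while the adapted named.conf above restricts recursion and zone transfers to the "trusted" ACL; the script flags a missing statement or one set to "any". The sample configurations are constructed abbreviations, not the files from the page.

```shell
#!/bin/sh
# Audit the access controls in a named.conf: allow-query, allow-recursion and
# allow-transfer must be set inside options { } and must not contain "any".
# Prints one line per statement; returns 0 if all pass, 1 otherwise.
audit_named_conf() {
    rc=0
    # Flatten the options block onto one line, counting braces so that nested
    # "{ ... };" statements (listen-on, allow-recursion, ...) do not end it early.
    opts=$(awk '/^[[:space:]]*options[[:space:]]*[{]/ { inblk = 1 }
                inblk {
                    sub(/\/\/.*/, "")                 # drop // comments
                    printf "%s ", $0
                    depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
                    if (depth == 0) exit
                }' "$1")
    for stmt in allow-query allow-recursion allow-transfer; do
        body=$(printf '%s\n' "$opts" |
               sed -n "s/.*[[:space:]]$stmt[[:space:]]*{\([^}]*\)}.*/\1/p")
        case "$body" in
            "")    echo "MISSING: $stmt not set in options (named defaults apply)"; rc=1 ;;
            *any*) echo "WEAK: $stmt {$body} is open to every client"; rc=1 ;;
            *)     echo "ok: $stmt {$body}" ;;
        esac
    done
    return $rc
}

# Constructed samples (not from the page): "hardened" mirrors the adapted
# named.conf above; "weak" omits allow-recursion and opens zone transfers.
sample_conf() {   # sample_conf FILE hardened|weak
    case "$2" in
        hardened) extra='allow-recursion { trusted; }; allow-transfer { trusted; };' ;;
        *)        extra='allow-transfer { any; };' ;;
    esac
    cat > "$1" <<EOF
acl trusted { 192.168.22.0/24; localhost; };
options {
    listen-on port 53 { 127.0.0.1; 192.168.22.1; };
    allow-query { trusted; };
    recursion yes;
    forwarders { 8.8.8.8; 8.8.4.4; };
    $extra
};
EOF
}

for mode in hardened weak; do
    f=$(mktemp); sample_conf "$f" "$mode"
    echo "== $mode =="; audit_named_conf "$f"; echo "exit status: $?"
    rm -f "$f"
done
```

On srv01, `audit_named_conf /etc/named.conf` checks the live file; `named-checkconf` still has to pass first, since this script only inspects the options block.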
4.6. NTP, server side
Srv01 is also the NTP server for the network. NTP is a service that ought to be duplicated and that should have its own entry in the zone. One idea would be a round-robin name that spreads the synchronisation load across several servers.
Set and check the time zone
# timedatectl set-timezone Europe/Brussels
# timedatectl
Install and enable the local ntpd
# yum -y install ntp
# systemctl enable ntpd
# systemctl start ntpd
Examine the configuration file
[root@localhost user]# cat /etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
This file /etc/ntp.conf
should be adapted to accept synchronisations from the local network and to use the master servers:
server 0.be.pool.ntp.org iburst
server 1.be.pool.ntp.org iburst
server 2.be.pool.ntp.org iburst
server 3.be.pool.ntp.org iburst
restrict 192.168.22.0 mask 255.255.255.0 nomodify notrap
NTP status
# ntpq -p
Forced update
# systemctl stop ntpd
# ntpdate -u 0.be.pool.ntp.org
# systemctl start ntpd
4.7. NTP, client side
On the client side, for wks41 for example in our topology, it may be wise to enable the chrony daemon, which will synchronise in particular with srv01.
# yum -y install chrony
# cat /etc/chrony.conf
# systemctl enable chronyd
# systemctl start chronyd
# chronyc tracking
# chronyc sources -v
4.8. Firewall configuration
Firewalld:
# for i in dhcp dns ntp; do firewall-cmd --permanent --add-service $i; done
Iptables :
...