General index of the series: Computer Networks for SMEs: Introduction
Hello friends! To follow this article correctly it is essential to read its predecessors:
They explain theoretical and practical concepts that we will not repeat here. This year we switch distribution to Debian 8.6 "Jessie", and we keep the same parameters that we used in BIND and Active Directory®.
- The procedure described in this post is also valid for CentOS 7; the configuration file /etc/dnsmasq.conf is the same. I state this because I consider it unnecessary to write a separate article on Dnsmasq and Active Directory® for CentOS. Fortunately, the directories for documentation and configuration are the same.
- Dnsmasq is the creation of Simon Kelley.
Limits on the use of Dnsmasq
Because of its importance we repeat the LIMITS section of the manual page (run man dnsmasq), which reads as follows:
LIMITS
- The default values for resource limits in dnsmasq are generally conservative, and appropriate for embedded router-type devices with slow processors and limited memory. On more capable hardware it is possible to increase the limits and serve many more clients. The following applies to dnsmasq-2.37: earlier versions did not scale as well.
- Dnsmasq is capable of handling DNS and DHCP for at least one thousand (1,000) clients. The DHCP lease times should not be very short (less than one hour). The value of --dns-forward-max can be increased: start with it equal to the number of clients and increase it if DNS seems slow. Note that DNS performance also depends on the performance of the upstream nameservers. The size of the DNS cache may be increased: the hard limit is 10,000 names and the default (150) is very low. Sending SIGUSR1 to dnsmasq makes it log information which is useful for tuning the cache size. See the NOTES section for details.
- The built-in TFTP server is capable of many simultaneous file transfers: the absolute limit is related to the number of file-handles allowed to a process and the ability of the select() system call to cope with large numbers of file handles. If the limit is set too high using --tftp-max it will be scaled down and the actual limit logged at start-up. Note that more transfers are possible when the same file is being sent than when each transfer sends a different file.
- It is possible to use dnsmasq to block Web advertising by using a list of known banner-ad servers, all resolving to 127.0.0.1 or 0.0.0.0, in /etc/hosts or in an additional hosts file. The list can be very long: dnsmasq has been tested successfully with one million names. A file of that size needs a 1GHz processor and about 60MB of RAM.
Let's install and configure Jessie and Dnsmasq
We start from a new, clean installation of a server based on Debian 8 "Jessie", that is, the operating system without a graphical interface or any other package installed. The network parameters are the same as those used in the article BIND and Active Directory®:

Domain name:  mordor.fan
LAN Network:  10.10.10.0/24

Servers (with Windows OS)   IP Address    Purpose
----------------------------------------------------------------------
sauron.mordor.fan.          10.10.10.3    Active Directory® 2008 R2
mamba.mordor.fan.           10.10.10.4    Windows File Server
dns.mordor.fan.             10.10.10.5    Dnsmasq Server on Jessie
darklord.mordor.fan.        10.10.10.6    Proxy, gateway and firewall on Kerio
troll.mordor.fan.           10.10.10.7    Blog based on ... can't remember
shadowftp.mordor.fan.       10.10.10.8    FTP server
blackelf.mordor.fan.        10.10.10.9    Full e-mail service
blackspider.mordor.fan.     10.10.10.10   WWW service
palantir.mordor.fan.        10.10.10.11   Chat on Openfire for Windows

Real           CNAME
-----------------------------
sauron         ad-dc
mamba          fileserver
darklord       proxyweb
troll          blog
shadowftp      ftpserver
blackelf       mail
blackspider    www
palantir       openfire
Initial dns.mordor.fan server settings
root@dns:~# nano /etc/hostname
dns

root@dns:~# nano /etc/hosts
127.0.0.1       localhost
10.10.10.5      dns.mordor.fan  dns

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

root@dns:~# nano /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
    address 10.10.10.5
    netmask 255.255.255.0
    network 10.10.10.0
    broadcast 10.10.10.255
    gateway 10.10.10.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 127.0.0.1
    dns-search mordor.fan
Let's install Dnsmasq and htop
root@dns:~# aptitude install dnsmasq htop
After installing the htop package we can check the CPU and memory consumption of the machine. It was consuming only about 71 megabytes of RAM. If we want to lower consumption even more, we can install the package ssmtp -a simple MTA- which in turn purges the exim4 package that Debian always installs by default and that we really do not need for the use we will give this server:
root@dns:~# aptitude install ssmtp
root@dns:~# aptitude purge ~c
root@dns:~# aptitude clean
root@dns:~# aptitude autoclean
root@dns:~# systemctl reboot
After restarting the machine, the consumption is as follows:
Low, right? Let's move on.
Let's tell Dnsmasq to also consult Microsoft® DNS
To test the possible Dnsmasq configurations on the dns.mordor.fan machine, we must include a statement telling it to consult the Microsoft DNS of the server sauron.mordor.fan. We can do this either by including the directive server=/mordor.fan/10.10.10.3 in the file dnsmasq.conf -as we will see later- or by adding the line nameserver 10.10.10.3 to the file /etc/resolv.conf. Since we have not yet configured Dnsmasq according to our needs, we choose the second way:
root@dns:~# nano /etc/resolv.conf
domain mordor.fan
nameserver 127.0.0.1
nameserver 10.10.10.3
We can now resolve DNS queries
With the default Dnsmasq configuration provided by its main file /etc/dnsmasq.conf, and with what is declared in the /etc/resolv.conf file of the server «dns» itself, any client connected to the LAN -that has declared dns.mordor.fan as its DNS server- can resolve DNS queries at the expense of Microsoft® DNS, for now…
- It is very important to check the response speed of Dnsmasq in its role as Forwarder, obtained by merely including the IP 10.10.10.3 in its /etc/resolv.conf file.
From my administrative workstation, which supports all the paraphernalia from which I write, I run:
buzz@sysadmin:~$ cat /etc/resolv.conf
# Generated by NetworkManager
domain mordor.fan
nameserver 10.10.10.5

buzz@sysadmin:~$ nslookup
> dns
Server:     10.10.10.5
Address:    10.10.10.5#53

Name:   dns.mordor.fan
Address: 10.10.10.5
> sauron
Server:     10.10.10.5
Address:    10.10.10.5#53

Non-authoritative answer:
Name:   sauron.mordor.fan
Address: 10.10.10.3
> 03296249-82a1-49aa-a4f0-28900f5d256b._msdcs.mordor.fan
Server:     10.10.10.5
Address:    10.10.10.5#53

03296249-82a1-49aa-a4f0-28900f5d256b._msdcs.mordor.fan  canonical name = sauron.mordor.fan.
Name:   sauron.mordor.fan
Address: 10.10.10.3
> 10.10.10.3
Server:     127.0.0.1
Address:    127.0.0.1#53

3.10.10.10.in-addr.arpa name = sauron.mordor.fan.
> 10.10.10.9
Server:     127.0.0.1
Address:    127.0.0.1#53

9.10.10.10.in-addr.arpa name = blackelf.mordor.fan.
> 10.10.10.5
Server:     127.0.0.1
Address:    127.0.0.1#53

5.10.10.10.in-addr.arpa name = dns.mordor.fan.
> mail
Server:     10.10.10.5
Address:    10.10.10.5#53

Non-authoritative answer:
mail.mordor.fan canonical name = blackelf.mordor.fan.
Name:   blackelf.mordor.fan
Address: 10.10.10.9
> exit

buzz@sysadmin:~$
Let's take a closer look at the following aspects:
- dns.mordor.fan directly answers the DNS queries it can resolve according to its current Dnsmasq configuration. If it cannot resolve them, it works as a Forwarder and asks IP 10.10.10.3 whether it can answer the query. When asked for the IP of the host «dns», it answers directly. When Dnsmasq is asked who «sauron» is, it forwards to 10.10.10.3 -it cannot answer directly because we have not registered it yet- which returns a correct Non-Authoritative Answer.
- When asked who «03296249-82a1-49aa-a4f0-28900f5d256b._msdcs.mordor.fan» is, it forwards again, and this time receives an Authoritative Answer from Microsoft® DNS.
- The high response speed of Dnsmasq for any type of query.
It's the small details that make something great ;-).
Fundamental differences between Dnsmasq and BIND integrated with an Active Directory®
Let's run a couple of DNS queries for the SOA and NS records of the domain mordor.fan against each of the nameservers involved:
buzz@sysadmin:~$ host -t SOA mordor.fan 10.10.10.3
Using domain server:
Name: 10.10.10.3
Address: 10.10.10.3#53
Aliases:

mordor.fan has SOA record sauron.mordor.fan. hostmaster.mordor.fan. 56 900 600 86400 3600

buzz@sysadmin:~$ host -t SOA mordor.fan 10.10.10.5
Using domain server:
Name: 10.10.10.5
Address: 10.10.10.5#53
Aliases:

mordor.fan has SOA record sauron.mordor.fan. hostmaster.mordor.fan. 56 900 600 86400 3600

buzz@sysadmin:~$ host -t NS mordor.fan 10.10.10.5
Using domain server:
Name: 10.10.10.5
Address: 10.10.10.5#53
Aliases:

mordor.fan name server sauron.mordor.fan.

buzz@sysadmin:~$ host -t NS mordor.fan 10.10.10.3
Using domain server:
Name: 10.10.10.3
Address: 10.10.10.3#53
Aliases:

mordor.fan name server sauron.mordor.fan.
The answers are identical -which is logical- because sauron.mordor.fan. always answers a DNS query about the SOA or NS records, even though it looks as if dns.mordor.fan. answers. This, however, differs from what we saw in the article BIND and Active Directory®, where we had completely removed the Microsoft® DNS functionality. In that article BIND answered ALL DNS queries about the Domain Namespace mordor.fan, because we configured it that way, and because BIND does answer SOA and NS queries, in addition to supporting the Master-Slave scheme, Zone Transfers, etc.; it is therefore a more complete -and more complex- DNS server.
Perhaps those are the main differences between the Dnsmasq DNS and BIND... but BIND -there can always be one or more buts- does not have a DHCP server that integrates seamlessly with a DNS server in a single daemon, without the need for TSIG keys, configuration files, zone databases, etc., as we have seen in previous articles.
- I think that by now, Dear Readers will have realized that I neither hate BIND nor prefer Dnsmasq over BIND. Future discussions about it are a total waste of time, since it has a lot to do with needs, demands, tastes, preferences and... each solution has its charm ;-).
- In similar scenarios, everyone installs and configures the software of their choice, the one they know best, and everything works as expected.
Advantages of the combination Dnsmasq + Active Directory®
With this combination we have the complete range of answers to DNS queries and an efficient means of leasing IP addresses on our SME LAN. As we will see later, it works correctly whether or not a computer is joined to the Microsoft® Active Directory® Domain Controller. In addition, we have a DNS server and a DNS Forwarder par excellence, plus a very fast DHCP server. And all with little demand on resources. Do you want more?
Is Dnsmasq + BIND possible?
Definitely yes, although I recommend installing them on different machines so that there are no collisions on the much-loved port 53 of the DNS service. Maybe we'll see something about it when we get to the Samba 4-based AD-DC. Who knows?
Tips about Dnsmasq
- The essential working files for Dnsmasq to provide DHCP and DNS services on a LAN are: /etc/dnsmasq.conf, /etc/hosts, /var/lib/misc/dnsmasq.leases, and /etc/resolv.conf. The file dnsmasq.leases is created when the first IP address is leased.
- Another working file you can use is /etc/ethers. If such a file exists, the directive read-ethers declared in the configuration file tells Dnsmasq to read it. It is very useful when we need to relate MAC addresses to host names for certain purposes.
- The DNS service can be completely disabled with the directive port=0 in dnsmasq.conf.
- The DHCP service can be disabled for one or more network interfaces with the directives -one per line- no-dhcp-interface=eth0, no-dhcp-interface=eth1, and so on. Very useful when we face a machine with 2 -or more- network interfaces and want the DHCP service to be provided on only one of them, or on none. Of course, if we disable DHCP on all interfaces, only the DNS service will be left running. If we disable both services, then why do we need Dnsmasq? 😉
- To declare other Domain Name Servers that are NOT public or external to the LAN -as in the case of Microsoft DNS- we use the directive server=/domain-name/DNS-server-IP in the file /etc/dnsmasq.conf. Example: server=/mordor.fan/10.10.10.3.
- To tell Dnsmasq that queries about local domains are answered only from the file /etc/hosts or through its DHCP, we add the directive local=/localnet/ to its main configuration file. Example: local=/mordor.fan/.
- To correctly configure the file /etc/resolv.conf -the resolver- we suggest reading its manual with the command man resolv.conf. If you install Debian 8.6 "Jessie" you will find that it is well written in Spanish.
- Dnsmasq does not use zone files to answer forward or reverse queries.
- To learn the meaning of each «special» field used in the declaration of an SRV Resource Record, consult BIND and Active Directory®. The syntax of SRV records in the file /etc/dnsmasq.conf is:
srv-host=<_service>.<_protocol>.<domain>,<target host>,<port>,<priority>,<weight>
Readers who want to know more should carefully read the original /etc/dnsmasq.conf file or the documents in the directory /usr/share/doc/dnsmasq-base.
root@dns:~# ls -l /usr/share/doc/dnsmasq-base/
total 128
-rw-r--r-- 1 root root   883 May  5  2015 copyright
-rw-r--r-- 1 root root 36261 May  5  2015 changelog.archive.gz
-rw-r--r-- 1 root root 11297 May  5  2015 changelog.Debian.gz
-rw-r--r-- 1 root root 26014 May  5  2015 changelog.gz
-rw-r--r-- 1 root root  2084 May  5  2015 DBus-interface.gz
-rw-r--r-- 1 root root  4297 May  5  2015 doc.html
drwxr-xr-x 2 root root  4096 Feb 19 17:52 examples
-rw-r--r-- 1 root root  9721 May  5  2015 FAQ.gz
-rw-r--r-- 1 root root  4180 May  5  2015 README.Debian
-rw-r--r-- 1 root root 12019 May  5  2015 setup.html
Let's configure Dnsmasq and the Resolver
We will take as an initial guide -changing the names and so on, of course- the configuration file used in the article «Dnsmasq on CentOS 7.3».
Let's not forget the next step:
[root@dns ~]# mv /etc/dnsmasq.conf /etc/dnsmasq.conf.original
Fixed IP addresses
The addresses of the servers or machines that require a fixed IP -both IPv4 and IPv6- are declared in the file /etc/hosts:
[root@dns ~]# nano /etc/hosts
127.0.0.1       localhost

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# Servers and computers with fixed IPs.
10.10.10.1      sysadmin.mordor.fan
10.10.10.3      sauron.mordor.fan
10.10.10.4      mamba.mordor.fan
10.10.10.5      dns.mordor.fan
10.10.10.6      darklord.mordor.fan
10.10.10.7      troll.mordor.fan
10.10.10.8      shadowftp.mordor.fan
10.10.10.9      blackelf.mordor.fan
10.10.10.10     blackspider.mordor.fan
10.10.10.11     palantir.mordor.fan
Let's create the /etc/dnsmasq.conf file
[root@dns ~]# nano /etc/dnsmasq.conf
#------------------------------------------------------------------
# GENERAL OPTIONS
#------------------------------------------------------------------
domain-needed        # Do not forward names without the domain part
bogus-priv           # Do not forward addresses in unrouted space
expand-hosts         # Automatically add the domain to plain host names
interface=eth0       # Interface. BEWARE of the interface
#except-interface=eth1   # DO NOT listen on this NIC
strict-order         # Query the servers in the order listed in /etc/resolv.conf

# Include many more configuration options through a file,
# or by placing additional configuration files in a directory
#conf-file=/etc/dnsmasq.more.conf
conf-dir=/etc/dnsmasq.d

# Relating to the Domain Name
domain=mordor.fan    # Domain Name

# The time server is 10.10.10.1
address=/time.windows.com/10.10.10.1

# Sends an empty WPAD option. Required for Windows 7 and later
# clients to behave properly ;-)
dhcp-option=252,"\n"

# File where we declare the HOSTS that will be "banned"
addn-hosts=/etc/banner_add_hosts

# Consult the Microsoft® DNS server "sauron" if we let it run
server=/mordor.fan/10.10.10.3

# Queries about local domains will be answered
# from /etc/hosts or through DHCP
local=/mordor.fan/

# Queries about PTR or Reverse records will be answered
# by the servers "dns" and "sauron", in that order
server=/10.10.10.in-addr.arpa/10.10.10.5
server=/10.10.10.in-addr.arpa/10.10.10.3

#------------------------------------------------------------------
# CNAME, MX, TXT RECORDS
#------------------------------------------------------------------
# This type of record requires an entry in the /etc/hosts file
# e.g.: 10.10.10.7 troll.mordor.fan troll
# cname=ALIAS,REAL_NAME
cname=ad-dc.mordor.fan,sauron.mordor.fan
cname=fileserver.mordor.fan,mamba.mordor.fan
cname=proxyweb.mordor.fan,darklord.mordor.fan
cname=blog.mordor.fan,troll.mordor.fan
cname=ftpserver.mordor.fan,shadowftp.mordor.fan
cname=mail.mordor.fan,blackelf.mordor.fan
cname=www.mordor.fan,blackspider.mordor.fan
cname=openfire.mordor.fan,palantir.mordor.fan

# MX RECORDS
# Returns an MX record named "mordor.fan" pointing to
# the host blackelf.mordor.fan with priority 10
mx-host=mordor.fan,mail.mordor.fan,10
# The default target for MX records created with
# the localmx option will be:
mx-target=mail.mordor.fan
# Returns an MX record pointing to mx-target for ALL local machines
localmx

# TXT records

dhcp-lease-max=222   # Maximum number of addresses to lease;
                     # the default is 150

# IPv6 Range
#dhcp-range=1234::,ra-only

# Options for the RANGE
dhcp-option=1,255.255.255.0     # NETMASK
dhcp-option=3,10.10.10.253      # ROUTER GATEWAY
dhcp-option=6,10.10.10.5        # DNS Servers
dhcp-option=15,mordor.fan       # DNS Domain Name
dhcp-option=19,1                # ip-forwarding ON
dhcp-option=28,10.10.10.255     # BROADCAST
dhcp-option=42,10.10.10.1       # NTP
#dhcp-option=40,MORDOR          # NIS Domain Name
#dhcp-option=41,10.10.10.3      # NIS Server
#dhcp-option=44,10.10.10.3      # WINS
#dhcp-option=45,10.10.10.3      # NetBIOS datagrams
#dhcp-option=73,10.10.10.3      # Finger Server
#dhcp-option=46,8               # NetBIOS node type
dhcp-authoritative              # Authoritative DHCP in the subnet

#------------------------------------------------------------------
# LOGGING   tail -f /var/log/syslog   or   journalctl -f
#------------------------------------------------------------------
log-queries

#------------------------------------------------------------------
# A and SRV records corresponding to Active Directory
#------------------------------------------------------------------
# A records
address=/gc._msdcs.mordor.fan/10.10.10.3
address=/DomainDnsZones.mordor.fan/10.10.10.3
address=/ForestDnsZones.mordor.fan/10.10.10.3
# Microsoft DNS Zone CNAME record _msdcs.mordor.fan
cname=03296249-82a1-49aa-a4f0-28900f5d256b._msdcs.mordor.fan,sauron.mordor.fan
# SRV records
# srv-host=<_service>.<_protocol>.<domain>,<target host>,<port>,<priority>,<weight>
# Global Catalog
# Microsoft DNS zone _msdcs.mordor.fan
srv-host=_ldap._tcp.gc._msdcs.mordor.fan,sauron.mordor.fan,3268,0,0
srv-host=_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.mordor.fan,sauron.mordor.fan,3268,0,0
# Microsoft DNS zone mordor.fan
srv-host=_gc._tcp.mordor.fan,sauron.mordor.fan,3268,0,0
srv-host=_gc._tcp.Default-First-Site-Name._sites.mordor.fan,sauron.mordor.fan,3268,0,0
# Modified and private LDAP of an Active Directory
# Microsoft DNS zone _msdcs.mordor.fan
srv-host=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mordor.fan,sauron.mordor.fan,389,0,0
srv-host=_ldap._tcp.dc._msdcs.mordor.fan,sauron.mordor.fan,389,0,0
srv-host=_ldap._tcp.18d3360d-8fdb-40cf-a678-d7c420b6d775.domains._msdcs.mordor.fan,sauron.mordor.fan,389,0,0
srv-host=_ldap._tcp.pdc._msdcs.mordor.fan,sauron.mordor.fan,389,0,0
# Microsoft DNS zone mordor.fan
srv-host=_ldap._tcp.mordor.fan,sauron.mordor.fan,389,0,0
srv-host=_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.mordor.fan,sauron.mordor.fan,389,0,0
srv-host=_ldap._tcp.DomainDnsZones.mordor.fan,sauron.mordor.fan,389,0,0
srv-host=_ldap._tcp.Default-First-Site-Name._sites.mordor.fan,sauron.mordor.fan,389,0,0
srv-host=_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.mordor.fan,sauron.mordor.fan,389,0,0
srv-host=_ldap._tcp.ForestDnsZones.mordor.fan,sauron.mordor.fan,389,0,0
#
# KERBEROS modified and private from an Active Directory
srv-host=_kerberos._tcp.Default-First-Site-Name._sites.mordor.fan,sauron.mordor.fan,88,0,0
srv-host=_kerberos._tcp.mordor.fan,sauron.mordor.fan,88,0,0
srv-host=_kpasswd._tcp.mordor.fan,sauron.mordor.fan,464,0,0
srv-host=_kerberos._udp.mordor.fan,sauron.mordor.fan,88,0,0
srv-host=_kpasswd._udp.mordor.fan,sauron.mordor.fan,464,0,0
# END of the /etc/dnsmasq.conf file
#------------------------------------------------------------------
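Every A, CNAME and SRV record above is typed by hand, so a single wrong port or a forgotten _msdcs name silently breaks domain-controller discovery for the clients. The following script is an added example, not part of the article nor of dnsmasq: it parses the cname=, address= and srv-host= directives together with the fixed-IP block of /etc/hosts and reports targets that never receive an address, ports that contradict the service name, and required SRV names that are missing. The sample configuration and hosts data are constructed from a subset of the records above, with one deliberate typo (port 3389) and one omitted record; the service-to-port table and the required-record list are taken from the records the article itself declares.

```python
"""Cross-check the hand-written Active Directory records in /etc/dnsmasq.conf.

Constructed example, not part of the article or of dnsmasq. It parses the
cname=, address= and srv-host= lines together with the fixed-IP block of
/etc/hosts, then reports SRV/CNAME targets that never get an address, SRV
ports that do not match the service name, and the SRV names a domain
controller publishes that the file forgot.
"""

# Constructed sample: a subset of the article's configuration, plus one
# deliberate typo (port 3389 instead of 389) and one omitted record.
SAMPLE_CONF = """\
domain=mordor.fan
server=/mordor.fan/10.10.10.3
local=/mordor.fan/
cname=ad-dc.mordor.fan,sauron.mordor.fan
cname=mail.mordor.fan,blackelf.mordor.fan
address=/gc._msdcs.mordor.fan/10.10.10.3
srv-host=_ldap._tcp.mordor.fan,sauron.mordor.fan,389,0,0
srv-host=_ldap._tcp.dc._msdcs.mordor.fan,sauron.mordor.fan,389,0,0
srv-host=_ldap._tcp.gc._msdcs.mordor.fan,sauron.mordor.fan,3268,0,0
srv-host=_ldap._tcp.ForestDnsZones.mordor.fan,sauron.mordor.fan,3389,0,0
srv-host=_gc._tcp.mordor.fan,sauron.mordor.fan,3268,0,0
srv-host=_kerberos._tcp.mordor.fan,sauron.mordor.fan,88,0,0
srv-host=_kerberos._udp.mordor.fan,sauron.mordor.fan,88,0,0
srv-host=_kpasswd._tcp.mordor.fan,sauron.mordor.fan,464,0,0
srv-host=_kpasswd._udp.mordor.fan,sauron.mordor.fan,464,0,0
"""

# Constructed sample of the fixed-IP block in /etc/hosts (blackelf left out on purpose).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.10.10.3  sauron.mordor.fan
10.10.10.5  dns.mordor.fan
"""

# Port each service uses, as in the article's records.
SERVICE_PORTS = {"_ldap._tcp": 389, "_gc._tcp": 3268, "_kerberos._tcp": 88,
                 "_kerberos._udp": 88, "_kpasswd._tcp": 464, "_kpasswd._udp": 464}

# SRV names (relative to the domain) that the article's configuration publishes
# and that a client needs in order to locate a domain controller.
REQUIRED_SRV = ["_ldap._tcp.{d}", "_ldap._tcp.dc._msdcs.{d}", "_ldap._tcp.pdc._msdcs.{d}",
                "_ldap._tcp.gc._msdcs.{d}", "_gc._tcp.{d}", "_kerberos._tcp.{d}",
                "_kerberos._udp.{d}", "_kpasswd._tcp.{d}", "_kpasswd._udp.{d}"]


def parse_conf(text):
    """Collect the record-defining directives; every other directive is ignored."""
    conf = {"domain": None, "cname": {}, "address": {}, "srv": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "domain":
            conf["domain"] = value
        elif key == "cname":
            alias, target = (part.strip() for part in value.split(",", 1))
            conf["cname"][alias] = target
        elif key == "address":
            _, name, ip = value.split("/")
            conf["address"][name] = ip
        elif key == "srv-host":
            name, target, port = [part.strip() for part in value.split(",")][:3]
            conf["srv"].append((name, target, int(port)))
    return conf


def parse_hosts(text):
    """Map every hostname in a hosts-style file to its address."""
    hosts = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            hosts[name] = fields[0]
    return hosts


def expected_port(srv_name):
    """Port implied by the service prefix; LDAP under gc._msdcs is the Global Catalog."""
    service = ".".join(srv_name.split(".")[:2])
    if service == "_ldap._tcp" and ".gc._msdcs." in srv_name:
        return 3268
    return SERVICE_PORTS.get(service)


def check(conf_text, hosts_text):
    """Return the three kinds of findings as lists (empty lists mean a clean file)."""
    conf, hosts = parse_conf(conf_text), parse_hosts(hosts_text)
    known = set(hosts) | set(conf["address"]) | set(conf["cname"])
    targets = list(conf["cname"].values()) + [t for _, t, _ in conf["srv"]]
    present = {name for name, _, _ in conf["srv"]}
    required = [r.format(d=conf["domain"]) for r in REQUIRED_SRV]
    return {
        "unresolved_targets": sorted({t for t in targets if t not in known}),
        "bad_ports": [(n, p, expected_port(n)) for n, _, p in conf["srv"]
                      if expected_port(n) not in (None, p)],
        "missing_srv": [r for r in required if r not in present],
    }


if __name__ == "__main__":
    for kind, items in check(SAMPLE_CONF, SAMPLE_HOSTS).items():
        print(kind, items)
```

Run it against the real files with check(open("/etc/dnsmasq.conf").read(), open("/etc/hosts").read()) after dnsmasq --test reports a syntax check OK: the syntax check only proves the file parses, not that the records make sense together.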
Let's create the /etc/banner_add_hosts file
[root@dns ~]# nano /etc/banner_add_hosts
127.0.0.1 windowsupdate.com
127.0.0.1 ctldl.windowsupdate.com
127.0.0.1 ocsp.verisign.com
127.0.0.1 csc3-2010-crl.verisign.com
127.0.0.1 www.msftncsi.com
127.0.0.1 ipv6.msftncsi.com
127.0.0.1 teredo.ipv6.microsoft.com
127.0.0.1 ds.download.windowsupdate.com
127.0.0.1 download.microsoft.com
127.0.0.1 fe2.update.microsoft.com
127.0.0.1 crl.microsoft.com
127.0.0.1 www.download.windowsupdate.com
127.0.0.1 win8.ipv6.microsoft.com
127.0.0.1 spynet.microsoft.com
127.0.0.1 spynet1.microsoft.com
127.0.0.1 spynet2.microsoft.com
127.0.0.1 spynet3.microsoft.com
127.0.0.1 spynet4.microsoft.com
127.0.0.1 spynet5.microsoft.com
127.0.0.1 office15client.microsoft.com
127.0.0.1 addons.mozilla.org
127.0.0.1 crl.verisign.com

[root@dns ~]# dnsmasq --test
dnsmasq: syntax check OK.
[root@dns ~]# systemctl restart dnsmasq.service
[root@dns ~]# systemctl status dnsmasq.service
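A list loaded through addn-hosts= is ordinary host data for Dnsmasq: a typo in the address column turns a sink into a redirect, and an entry that falls under the LAN's own domain quietly overrides a real host or a cname= from dnsmasq.conf. Note also that the list above sinks windowsupdate.com and the CRL/OCSP hosts, so clients using this resolver will not reach Windows Update or certificate revocation checks; that is the author's intent, but worth knowing. The following audit script is an added example, not part of the article nor of dnsmasq; its sample blocklist is constructed and contains three deliberate mistakes.

```python
"""Audit a hosts-style blocklist loaded through dnsmasq's addn-hosts= directive.

Constructed example, not from the article or from dnsmasq. It checks that every
entry sinks to a loopback or unspecified address, that no name is listed twice,
and that no entry falls inside the LAN's own domain, where it would shadow a
real host from /etc/hosts or a cname= declared in dnsmasq.conf.
"""
import ipaddress

# Sink addresses the article uses (127.0.0.1); 0.0.0.0 is the other common choice.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Constructed sample; the last three lines are deliberate mistakes.
SAMPLE_BLOCKLIST = """\
127.0.0.1 windowsupdate.com
127.0.0.1 ctldl.windowsupdate.com
0.0.0.0   spynet2.microsoft.com
127.0.0.1 addons.mozilla.org
127.0.0.1 addons.mozilla.org        # duplicate entry
10.10.10.9 spynet3.microsoft.com    # not a sink: would send the traffic to blackelf
127.0.0.1 mail.mordor.fan           # shadows the LAN's own cname
"""


def parse_hosts_lines(text):
    """Yield (line_no, address, [names]) for every non-comment, non-empty line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield line_no, fields[0], fields[1:]


def is_sink(address):
    """True for addresses that lead nowhere: loopback or the unspecified address."""
    if address in SINK_ADDRESSES:
        return True
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def audit_blocklist(text, local_domain):
    """Return findings keyed by kind; each finding carries the offending line number."""
    findings = {"bad_sink": [], "duplicates": [], "shadows_local": []}
    seen = set()
    suffix = "." + local_domain.lower().strip(".")
    for line_no, address, names in parse_hosts_lines(text):
        sink = is_sink(address)
        for name in names:
            name = name.lower().rstrip(".")
            if not sink:
                findings["bad_sink"].append((line_no, address, name))
            if name in seen:
                findings["duplicates"].append((line_no, name))
            seen.add(name)
            if name.endswith(suffix) or name == suffix[1:]:
                findings["shadows_local"].append((line_no, name))
    return findings


if __name__ == "__main__":
    for kind, items in audit_blocklist(SAMPLE_BLOCKLIST, "mordor.fan").items():
        print(kind, items)
```

Against the real file, audit_blocklist(open("/etc/banner_add_hosts").read(), "mordor.fan") should return three empty lists before you restart dnsmasq.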
Let's modify the file /etc/resolv.conf - Resolver
root@dns:~# nano /etc/resolv.conf
domain mordor.fan
search mordor.fan
Why don't we declare the usual lines in the resolv.conf file? Because we declare the following directives in dnsmasq.conf:
# Consult the Microsoft® DNS server "sauron" if we let it run
server=/mordor.fan/10.10.10.3

# Queries about local domains will be answered
# from /etc/hosts or through DHCP
local=/mordor.fan/

# Queries about PTR or Reverse records will be answered
# by the servers "dns" and "sauron", in that order
server=/10.10.10.in-addr.arpa/10.10.10.5
server=/10.10.10.in-addr.arpa/10.10.10.3
Queries from sysadmin.mordor.fan
The /etc/resolv.conf file of this machine is:
buzz@sysadmin:~$ cat /etc/resolv.conf
# Generated by NetworkManager
search mordor.fan
nameserver 10.10.10.5

buzz@sysadmin:~$ host -t A spynet4.microsoft.com
spynet4.microsoft.com has address 127.0.0.1

buzz@sysadmin:~$ host -t A www.download.windowsupdate.com
www.download.windowsupdate.com has address 127.0.0.1

buzz@sysadmin:~$ dig dns
buzz@sysadmin:~$ dig dns.mordor.fan
;; QUESTION SECTION:
;dns.mordor.fan.                IN      A

;; ANSWER SECTION:
dns.mordor.fan.         0       IN      A       10.10.10.5

buzz@sysadmin:~$ host -t SRV _ldap._tcp.gc._msdcs
buzz@sysadmin:~$ host -t SRV _ldap._tcp.gc._msdcs.mordor.fan
_ldap._tcp.gc._msdcs.mordor.fan has SRV record 0 0 3268 sauron.mordor.fan.

buzz@sysadmin:~$ dig _ldap._tcp.gc._msdcs.mordor.fan
;; QUESTION SECTION:
;_ldap._tcp.gc._msdcs.mordor.fan. IN    A

;; ANSWER SECTION:
_ldap._tcp.gc._msdcs.mordor.fan. 0 IN   A       10.10.10.3

buzz@sysadmin:~$ dig mordor.fan axfr
buzz@sysadmin:~$ dig 10.10.10.in-addr.arpa axfr
And so on, for as many queries as we need.
Dnsmasq + Active Directory® + Microsoft® Windows Clients
Renaming a Microsoft® Windows Client
Leased IP address of seven.mordor.fan:
root@dns:~# cat /var/lib/misc/dnsmasq.leases
1488006009 00:0c:29:d6:14:36 10.10.10.115 seven 01:00:0c:29:d6:14:36
Let's rename «seven» -which is not joined to the Active Directory Domain- to «eucaliptus». After the change and the restart we check:
root@dns:~# cat /var/lib/misc/dnsmasq.leases
1488006633 00:0c:29:d6:14:36 10.10.10.115 eucaliptus 01:00:0c:29:d6:14:36
The history of the change can be seen from «sysadmin»:
buzz@sysadmin:~$ host -t A seven
seven.mordor.fan has address 10.10.10.115
After the name change:
buzz@sysadmin:~$ host -t A seven
Host seven has no A record

buzz@sysadmin:~$ host -t A eucaliptus
eucaliptus.mordor.fan has address 10.10.10.115
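As the two lease lines show, Dnsmasq publishes whatever hostname a client sends in its DHCP request, so a client that is not joined to the domain can change its DNS name simply by renaming itself, and the old name disappears. The leases file is the only place that records this, which makes a periodic comparison of two snapshots a cheap way to see which MAC addresses changed name, appeared or disappeared. The script below is an added example, not part of the article nor of dnsmasq; the lease lines are constructed (the first of each snapshot is the article's own lease) in the format the article shows: expiry epoch, MAC, IP, hostname (or *), client-id (or *).

```python
"""Compare two snapshots of /var/lib/misc/dnsmasq.leases and report which
MAC addresses changed hostname, appeared, moved to another IP or disappeared.

Constructed example, not from the article or from dnsmasq. The lease format is
the one the article shows: <expiry epoch> <MAC> <IP> <hostname|*> <client-id|*>.
"""

# Constructed snapshots; the first line of each is the article's own lease.
BEFORE = """\
1488006009 00:0c:29:d6:14:36 10.10.10.115 seven 01:00:0c:29:d6:14:36
1488006100 00:0c:29:aa:bb:cc 10.10.10.120 printer *
1488005000 00:0c:29:77:88:99 10.10.10.130 oldbox *
"""
AFTER = """\
1488006633 00:0c:29:d6:14:36 10.10.10.115 eucaliptus 01:00:0c:29:d6:14:36
1488006700 00:0c:29:aa:bb:cc 10.10.10.120 printer *
1488006800 00:0c:29:11:22:33 10.10.10.121 laptop 01:00:0c:29:11:22:33
"""


def parse_leases(text):
    """Map MAC -> lease fields; a hostname of '*' means the client sent none."""
    leases = {}
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 4:
            continue
        expiry, mac, ip, name = fields[:4]
        leases[mac.lower()] = {"expiry": int(expiry), "ip": ip,
                               "name": None if name == "*" else name}
    return leases


def diff_leases(before_text, after_text):
    """Return (event, mac, old_name, new_name, ip) tuples, newest snapshot first."""
    old, new = parse_leases(before_text), parse_leases(after_text)
    events = []
    for mac, lease in new.items():
        if mac not in old:
            events.append(("new", mac, None, lease["name"], lease["ip"]))
        elif old[mac]["name"] != lease["name"]:
            events.append(("renamed", mac, old[mac]["name"], lease["name"], lease["ip"]))
        elif old[mac]["ip"] != lease["ip"]:
            events.append(("moved", mac, lease["name"], lease["name"], lease["ip"]))
    for mac, lease in old.items():
        if mac not in new:
            events.append(("gone", mac, lease["name"], None, lease["ip"]))
    return events


def renamed_macs(events):
    """Only the MACs that changed hostname: the ones worth a second look."""
    return [event[1] for event in events if event[0] == "renamed"]


if __name__ == "__main__":
    for event in diff_leases(BEFORE, AFTER):
        print(*event)
```

In production, keep a copy of the leases file from the previous run (cp /var/lib/misc/dnsmasq.leases /var/tmp/leases.prev) and feed both files to diff_leases from cron; with log-dhcp added to dnsmasq.conf the same renames also appear in syslog as they happen.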
Queries from the client eucaliptus.mordor.fan
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\buzz>nslookup
Default Server:  dns.mordor.fan
Address:  10.10.10.5

> sauron
Server:  dns.mordor.fan
Address:  10.10.10.5

Name:    sauron.mordor.fan
Address:  10.10.10.3

> mordor.fan
Server:  dns.mordor.fan
Address:  10.10.10.5

Name:    mordor.fan
Address:  10.10.10.3

> eucaliptus
Server:  dns.mordor.fan
Address:  10.10.10.5

Name:    eucaliptus.mordor.fan
Address:  10.10.10.115

> 03296249-82a1-49aa-a4f0-28900f5d256b._msdcs.mordor.fan
Server:  dns.mordor.fan
Address:  10.10.10.5

Name:    sauron.mordor.fan
Address:  10.10.10.3
Aliases:  03296249-82a1-49aa-a4f0-28900f5d256b._msdcs.mordor.fan

> set type=SRV
> _kerberos._udp.mordor.fan
Server:  dns.mordor.fan
Address:  10.10.10.5

_kerberos._udp.mordor.fan       SRV service location:
          priority       = 0
          weight         = 0
          port           = 88
          svr hostname   = sauron.mordor.fan
sauron.mordor.fan       internet address = 10.10.10.3

> _ldap._tcp.18d3360d-8fdb-40cf-a678-d7c420b6d775.domains._msdcs.mordor.fan
Server:  dns.mordor.fan
Address:  10.10.10.5

_ldap._tcp.18d3360d-8fdb-40cf-a678-d7c420b6d775.domains._msdcs.mordor.fan       SRV service location:
          priority       = 0
          weight         = 0
          port           = 389
          svr hostname   = sauron.mordor.fan
sauron.mordor.fan       internet address = 10.10.10.3

> exit

C:\Users\buzz>
Windows clients registration in Microsoft® DNS
Windows Clients Not Joined to the Active Directory® Domain
We must check whether the IP addresses that the various Windows clients lease from Dnsmasq are correctly registered in Microsoft® DNS. The way we enable Dynamic Updates in the Microsoft® DNS zones of the Active Directory® influences this. We start from the default Microsoft DNS configuration, which allows only Secure Dynamic Updates (Dynamic updates -> Secure only) in each of its zones.
Note that the client with the current FQDN eucaliptus.mordor.fan is NOT joined to the Active Directory domain (or to a Samba4 AD-DC), and is an exception to the Microsoft rule that «Only clients registered in My Domain will have permission, through My Update Mechanism -which only I know- to register in My DNS». Good thing the Samba4 AD-DC teaches us something about it.
eucaliptus.mordor.fan leased IP 10.10.10.115:
buzz@sysadmin:~$ host -t A eucaliptus
eucaliptus.mordor.fan has address 10.10.10.115
Let's rename it to «caoba», restart Windows 7, and see what happens when we ask for the names «eucaliptus» and «caoba» from each DNS, first Microsoft DNS and then Dnsmasq:
buzz@sysadmin:~$ host -t A eucaliptus.mordor.fan 10.10.10.3
Using domain server:
Name: 10.10.10.3
Address: 10.10.10.3#53
Aliases:

Host eucaliptus.mordor.fan not found: 3(NXDOMAIN)

buzz@sysadmin:~$ host -t A caoba.mordor.fan 10.10.10.3
Using domain server:
Name: 10.10.10.3
Address: 10.10.10.3#53
Aliases:

Host caoba.mordor.fan not found: 3(NXDOMAIN)

buzz@sysadmin:~$ host -t A eucaliptus.mordor.fan 10.10.10.5
Using domain server:
Name: 10.10.10.5
Address: 10.10.10.5#53
Aliases:

Host eucaliptus.mordor.fan not found: 3(NXDOMAIN)

buzz@sysadmin:~$ host -t A caoba.mordor.fan 10.10.10.5
Using domain server:
Name: 10.10.10.5
Address: 10.10.10.5#53
Aliases:

caoba.mordor.fan has address 10.10.10.115
We can rename the Windows 7 client that is NOT joined to the Active Directory® domain mordor.fan as many times as we like; Microsoft® DNS never learns about those changes, nor that such a client exists. Is that only because we selected Dynamic updates -> Secure only in each zone of the Microsoft DNS?
For Mr. Microsoft® DNS to learn about the changes, we must select Dynamic updates -> Nonsecure and secure. This option, Dear Readers, is a significant weakening of the security of any self-respecting Domain Name Server, be it Microsoft® or UNIX®/Linux. Microsoft® DNS warns about it because in the end it is nothing more than a modified and privatized BIND offering us «Security through Obscurity». Otherwise, why would it recommend backing up all the DNS settings and records of your Microsoft® DNS in its famous Registry when implementing an Active Directory®? In addition to allowing non-secure updates in Microsoft® DNS, the following modification is required in the Windows 7 client's network card configuration:
Let's check:
buzz@sysadmin:~$ host -t A caoba.mordor.fan 10.10.10.3
Using domain server:
Name: 10.10.10.3
Address: 10.10.10.3#53
Aliases:

caoba.mordor.fan has address 10.10.10.115

buzz@sysadmin:~$ host 10.10.10.115 10.10.10.3
Using domain server:
Name: 10.10.10.3
Address: 10.10.10.3#53
Aliases:

115.10.10.10.in-addr.arpa domain name pointer caoba.mordor.fan.

buzz@sysadmin:~$ host -t A caoba 10.10.10.5
Using domain server:
Name: 10.10.10.5
Address: 10.10.10.5#53
Aliases:

caoba.mordor.fan has address 10.10.10.115

buzz@sysadmin:~$ host 10.10.10.115 10.10.10.5
Using domain server:
Name: 10.10.10.5
Address: 10.10.10.5#53
Aliases:

115.10.10.10.in-addr.arpa domain name pointer caoba.mordor.fan.
Now they agree. What nice synchronism for two DNS servers that are not synchronized by any means, right?
Windows Clients Joined to Active Directory® Domain
Let's join the client caoba.mordor.fan to the Domain, but not before undoing the modification we made to its network card configuration, if at some point we made it to verify the point of the previous chapter. Also delete the entry for «caoba» in Microsoft® DNS, and return Dynamic Updates to their starting point of «Secure only». It is also a good idea to restart the Microsoft® DNS service.
After joining the Domain, and despite all our efforts, the client «caoba» is not registered in Microsoft® DNS. We even declared -temporarily- in dnsmasq.conf that the first DNS server is 10.10.10.3.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\saruman>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : CAOBA
   Primary Dns Suffix  . . . . . . . : mordor.fan
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mordor.fan

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : mordor.fan
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-D6-14-36
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::352a:b954:7eba:963e%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.10.115(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, February 25, 2017 8:19:05 AM
   Lease Expires . . . . . . . . . . : Saturday, February 25, 2017 4:20:36 PM
   Default Gateway . . . . . . . . . : 10.10.10.253
   DHCP Server . . . . . . . . . . . : 10.10.10.5
   DHCPv6 IAID . . . . . . . . . . . : 251661353
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-3B-69-81-00-0C-29-D6-14-36
   DNS Servers . . . . . . . . . . . : 10.10.10.3
                                       10.10.10.5
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.mordor.fan:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : mordor.fan
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\saruman>
buzz@sysadmin:~$ host -t A caoba.mordor.fan 10.10.10.3
Using domain server:
Name: 10.10.10.3
Address: 10.10.10.3#53
Aliases:

Host caoba.mordor.fan not found: 3(NXDOMAIN)
buzz@sysadmin:~$ host -t A caoba.mordor.fan
caoba.mordor.fan has address 10.10.10.115
- The only way to get the client «caoba» registered in Microsoft® DNS is to modify its network card as indicated in the previous image, that is, explicitly stating that the DNS suffix for the connection is mordor.fan, that the connection's address is registered in DNS, and that the declared DNS suffix is used when registering the connection.
buzz@sysadmin:~$ host -t A caoba.mordor.fan 10.10.10.3
Using domain server:
Name: 10.10.10.3
Address: 10.10.10.3#53
Aliases:

caoba.mordor.fan has address 10.10.10.115
buzz@sysadmin:~$ host -t A caoba.mordor.fan
caoba.mordor.fan has address 10.10.10.115
Let's change the name from «caoba» to «cedro»
buzz@sysadmin:~$ host -t A caoba.mordor.fan 10.10.10.3
Using domain server:
Name: 10.10.10.3
Address: 10.10.10.3#53
Aliases:

Host caoba.mordor.fan not found: 3(NXDOMAIN)
buzz@sysadmin:~$ host -t A cedro.mordor.fan 10.10.10.3
Using domain server:
Name: 10.10.10.3
Address: 10.10.10.3#53
Aliases:

cedro.mordor.fan has address 10.10.10.115
buzz@sysadmin:~$ host -t A caoba.mordor.fan 10.10.10.5
Using domain server:
Name: 10.10.10.5
Address: 10.10.10.5#53
Aliases:

Host caoba.mordor.fan not found: 3(NXDOMAIN)
buzz@sysadmin:~$ host -t A cedro.mordor.fan 10.10.10.5
Using domain server:
Name: 10.10.10.5
Address: 10.10.10.5#53
Aliases:

cedro.mordor.fan has address 10.10.10.115
And everything is normal, the way Microsoft® clients and Microsoft® DNS like things to be.
Let's work with Microsoft® DHCP and Microsoft® DNS
Dear Readers, this chapter is outside the scope of a blog dedicated to Free Software. See the Microsoft® help. You don't believe it? 😉
Conclusions
There are several ways to operate Microsoft® DNS when we make it coexist with Dnsmasq in an SME network. Among them we will mention only the following:
- Completely stop the Microsoft® DNS service on the computer where it is running, then set the service startup to Disabled. Uncheck, in the network card configuration of each Microsoft® client, the option to Register this connection's address in DNS. Remove the directive server=/mordor.fan/10.10.10.3 from the file /etc/dnsmasq.conf. Notes:
  - Even if queries for the SOA and NS records are not answered, the network will work correctly, as will joining the different clients -Microsoft® and Linux- to the Active Directory® Domain.
  - It has the advantage that in the SME LAN there will be only one Domain Name Server -the big boss- and it will be Dnsmasq. ;-). Moreover, the possibility of inconsistencies between the DNS records stored in Microsoft® DNS and those available through Dnsmasq is eliminated.
- Leave Microsoft® DNS running to answer only DNS queries for SOA and NS records. Notes:
  - Modify the network card configuration of each Windows client, unchecking the option to Register this connection's address in DNS.
  - We think that this solution is a waste of resources.
- Configure the services as we have seen throughout the article, which is a solution more to the liking of the Microsoft® philosophy -not the FreeBSD / Linux one- OK?
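The cross-checks the article runs by hand with host against 10.10.10.3 and 10.10.10.5, scripted so that the inconsistencies between Microsoft® DNS and Dnsmasq mentioned in the Conclusions show up at a glance. This is an added example, not code from the original article; it assumes the host utility (bind9-host on Debian) is installed, and the server addresses and host names are the ones used in the article.

```sh
#!/bin/sh
# Added example (not part of the original article): compare what two DNS
# servers answer for the same names, e.g. Dnsmasq (10.10.10.5) and
# Microsoft DNS (10.10.10.3), and flag the records that disagree.
# Assumes the `host` utility is installed.

# Reduce the output of `host -t A NAME SERVER` to one token:
# the IPv4 address, NXDOMAIN, or NOANSWER (timeout, SERVFAIL, ...).
parse_host_answer() {
    printf '%s\n' "$1" | awk '
        /has address/ { print $NF; found = 1; exit }
        /NXDOMAIN/    { print "NXDOMAIN"; found = 1; exit }
        END           { if (!found) print "NOANSWER" }'
}

# Classify a pair of answers. Always exits 0; the verdict is the output.
verdict() { # verdict ANSWER_FROM_SERVER1 ANSWER_FROM_SERVER2
    if [ "$1" = "$2" ]; then
        printf 'CONSISTENT %s\n' "$1"
    else
        printf 'INCONSISTENT %s vs %s\n' "$1" "$2"
    fi
}

# Query one server (2 s timeout) and reduce its reply to a token.
lookup() { # lookup NAME SERVER
    parse_host_answer "$(host -W 2 -t A "$1" "$2" 2>&1)"
}

# Compare two servers for every name read from stdin, one per line, e.g.
#   printf 'caoba.mordor.fan\ncedro.mordor.fan\n' | compare_servers 10.10.10.5 10.10.10.3
compare_servers() { # compare_servers SERVER1 SERVER2
    while read -r name; do
        [ -n "$name" ] || continue
        printf '%-30s %s\n' "$name" \
            "$(verdict "$(lookup "$name" "$1")" "$(lookup "$name" "$2")")"
    done
}

# Stand-alone use: ./dnscheck.sh SERVER1 SERVER2 < names.txt
if [ "$#" -eq 2 ]; then
    compare_servers "$1" "$2"
fi
```

A name that is CONSISTENT on both servers, or NXDOMAIN on both after a rename, is the "all normal" state shown above; an INCONSISTENT line is a stale or missing registration worth fixing before clients start resolving it differently depending on which server answers first.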
Summary
- The Microsoft® DNS proposal is very closed. It leaves no room for other solutions that are not in accordance with its hermetic philosophy.
- Mother Nature teaches us that we exist in a diverse universe. The normal thing is to have a mixed LAN, moving towards Free Software, and rich in life and variety.
- It seems that for Microsoft®, clients that do not Join Its Philosophy are Outcasts, and therefore it need not bother to take them into consideration.
- How difficult it is to work with Proprietary Software! I'd rather spend a bit of work setting up Free Software and be truly Free, damn it!
"The Best Criterion of Truth is Practice."
Great article you have written, Federico!
Tremendous article my dear. And the summary is the best XD
Balances;
I don't think I have seen a more complete and detailed guide for sysadmins on the internet (in the Spanish language); the work you are doing in Networks for SMEs deserves to be framed.
Although the work is arduous and reaching that level of detail is a matter of many hours, I believe that you are creating a reference point that, as it becomes known, will be used by a large number of SysAdmins who find in your articles, teacher, the key to many of the activities they face every day.
As for dnsmasq and active directory, I think I have never had the opportunity to work with both, but in my laboratory, in the absence of a windows client, everything seems to have gone fine, and no wonder with this excellent step by step.
I rescue your phrase «How difficult it is to work with Proprietary Software! I'd rather spend a bit of work configuring Free Software and be truly Free, damn it!»… Let's say that the bit of work spent configuring free software is being overcome over time, mostly thanks to documentation like yours and from many other people, and also with the constant humanization of free software.
Congratulations FIco… We move on.
Zodiac: Your words are an incentive to keep writing. Don't doubt it, many good hours sitting down are necessary to write a modest article like this one.
Julio León: Greetings to you too, dear Julio. Hopefully, you continue with us on the path of knowing a little more about Free Software.
Lagarto: The days and hours spent are well worth it when I read comments like the ones in this post. They are the best reward for our work. I passed the link to the article to Simon Kelley himself and he was kind enough to reply to me.
I want to take advantage of this space to say that in the DNS and DHCP issue we start - by strategy - from the complex to the easy. Dnsmasq is a very valid solution for SME Networks, and it is much easier to implement than the BIND + Isc-Dhcp-Server duo. The subject may seem a bit technical to many readers. With time and practice they will realize that this is not the case. It is well worth studying the Principles of an Infrastructure Server, a title that would encompass the 6 articles written about DNS and DHCP services, without forgetting NTP.
Congratulations to all… We move on!
Thanks Federico for another great article with tremendous detail and extensive theory about Dnsmasq, a tool that we already see is extremely useful for sysadmins.
GREAT, everything related to the insertion in your /etc/dnsmasq.conf configuration file of the Microsoft DNS Zone "_msdcs.mordor.fan" by means of its SRV records for the services _gc, _ldap, _kerberos and _kpasswd, with the goal of using Microsoft DNS (the "server=/mordor.fan/10.10.10.3" statement) in addition to Dnsmasq (the "local=/mordor.fan/" statement) to resolve DNS queries.
GREAT too is the example developed showing that, for Microsoft DNS to register Windows clients with IP changes on the LAN, you have to select in the DNS configuration the "Dynamic updates" as "Nonsecure and secure", and what that implies for the security of any self-respecting Domain Name Server, be it Microsoft or UNIX / Linux. Besides the modification in the configuration of the Windows client network card being necessary.
It's just that with each new post you raise the bar! Eagerly awaiting the next articles!
Thank you very much for your evaluation and comment, IWO. In every article I publish, I always wait for your opinion, as it is supported by your occupation, knowledge and practice. Congratulations IWO. We will see you in the next article
Very good job, as always posting these gems for sysadmins. Thanks a thousand!
Give Microsoft's DNS a chance, you haven't even let it show off. We do not know if it is still alive or even if it has any shame left. Excellent article.
A jewel like no other, saved in favorites for consultation. Excellent article.
Thank you HO2Gi for your assessment. I recommend you -and in general to EVERYONE- visit https://blog.desdelinux.net/redes-computadoras-las-pymes-introduccion/. It was edited again with an index of all the published posts and the topics to be discussed. Greetings and continue with us.
Excellent document like the one available in https://blog.desdelinux.net/bind-active-directory/
I just want to make a recommendation, and please take it as constructive criticism: to exemplify the configuration, it would have been better if, instead of using the 10.10.10.0/24 network, you had used one where each block has different numbers, such as the 192.168.1.0/24 network.
This would make clearer the points where the network addresses go in reverse, such as when you have to add values of the ".in-addr.arpa" type.
Thank you for sharing so much good quality knowledge.
Best regards.