The Gate/Migrating away from dnsmasq

From Hackerspace Brussels

This is historical and not accurate anymore

Replace it with what?

The well-known trio: bind, ISC DHCPd and tftpd-hpa

Why?

dnsmasq is a nice all-in-one solution for embedded devices and simple networks. However, our network is growing and getting more complex.

  • We have:
    • several subnets with IPv6
    • access to the dn42 network
    • netboot
  • We want:
    • full public DNS for our IPv6 hosts
    • Fully working reverse DNS records
    • Secondary DNS for our space
    • DNS records with reverse on dn42
    • to get rid of stupid and useless DNS-level censorship from our ISP.

dnsmasq cannot be set up to query the root nameservers directly, and advanced setups quickly get nasty. It has to go, for the sake of freedom of speech and maintainability.

Getting started

Stop dnsmasq. It is bound to many sockets (DNS, DHCP and TFTP) that would interfere with the migration.

# /etc/init.d/dnsmasq stop

Copy the config file to a safe place. You may need it as a reference if you already have a complex setup that you need to adapt. Now remove dnsmasq and install the bind, ISC DHCPd and tftpd-hpa packages:

# apt-get remove --purge dnsmasq
# apt-get install bind9 isc-dhcp-server tftpd-hpa sipcalc

During installation of the tftp daemon, it will ask you for the directory where your boot files are installed. Once you have answered the question, that's already 1 out of 3 packages set up and out of the way.

The bind9 DNS server is quite open by default: it will happily resolve any query it receives, from anywhere. We'll lock it down later. At the moment it is fully operational and will directly query the root nameservers. That's 2 out of 3 set up.
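The lock-down itself is not shown on this page, so here is an illustration of what it amounts to on a Debian-style install, where these statements live in /etc/bind/named.conf.options. This is an added example, not the wiki's own configuration: the "lan" prefix is taken from the DHCP section below and the other subnets are assumed to be added by hand. Recursion is restricted to the listed networks while queries for the zones the server is authoritative for stay public (the page wants public DNS for the IPv6 hosts), so the resolver cannot be used from the Internet as an open recursive server.

```conf
// Networks allowed to use this server as a recursive resolver.
acl "lan" {
    127.0.0.0/8;
    172.22.33.128/25;   // subnet from the DHCP section; add the other subnets here
};

options {
    // keep the directory/dnssec lines from the distribution default here

    recursion yes;
    allow-recursion { lan; };     // only our networks may recurse
    allow-query-cache { lan; };   // only our networks may read cached answers
    allow-query { any; };         // authoritative zones remain publicly queryable
};
```

After editing, `named-checkconf` validates the syntax before a reload; a query for an outside name from an address outside the "lan" ACL should then be refused, while a query for a zone the server hosts still gets an answer.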

The DHCP server

These are the options that must be activated:

ddns-update-style none;
# Those two lines are equivalent to the enable-tftp option of dnsmasq
allow booting;
allow bootp;
default-lease-time 2400;
max-lease-time 7200;
authoritative;
log-facility local7;

# subnet declaration: equivalent to the following option in dnsmasq:
# dhcp-range=br0,172.22.33.130,172.22.33.220,255.255.255.128,4h
subnet 172.22.33.128 netmask 255.255.255.128 {
    range 172.22.33.130 172.22.33.220;
    option routers 172.22.33.129;
    option domain-name-servers 172.22.33.129;
    # Equivalent to the dhcp-boot option of dnsmasq
    filename "pxelinux.0";
    next-server 172.22.33.129;
}

# Fixed IP address for a host. Equivalent dnsmasq option below:
# dhcp-host=00:30:18:a4:13:7f,172.22.33.254,wanderingstar_eth0
host wanderingstar_eth0 {
    hardware ethernet 00:30:18:a4:13:7f;
    fixed-address 172.22.33.254;
}

... (add more entries here)
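Because the old dnsmasq.conf was kept as a reference, the mapping the section above does by hand can be scripted for a setup with many subnets and fixed hosts. The converter below is an added example, not part of the original page or of any of the three packages. It handles dhcp-range=, dhcp-host= and dhcp-boot= lines (the sample dnsmasq.conf inside it is constructed to mirror the directives quoted above), converts lease times such as "4h" into seconds, and refuses a dhcp-range without a netmask instead of guessing the subnet. It assumes, as dnsmasq does by default, that the DHCP server's own address is advertised as router and DNS server, so that address is passed in as server_ip.

```python
"""Convert dnsmasq DHCP directives into ISC dhcpd.conf stanzas (added example)."""
import ipaddress
import re

# Constructed sample dnsmasq.conf, mirroring the directives quoted on the page.
SAMPLE_DNSMASQ_CONF = """\
interface=br0
enable-tftp
dhcp-boot=pxelinux.0,,172.22.33.129
dhcp-range=br0,172.22.33.130,172.22.33.220,255.255.255.128,4h
dhcp-host=00:30:18:a4:13:7f,172.22.33.254,wanderingstar_eth0
"""

_LEASE_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
_LEASE_RE = re.compile(r"\d+[smhdw]?|infinite", re.I)


def _is_ipv4(field):
    try:
        ipaddress.IPv4Address(field)
        return True
    except ValueError:
        return False


def lease_to_seconds(value):
    """dnsmasq lease times ('4h', '90m', '3600', 'infinite') -> seconds, or None."""
    value = value.strip().lower()
    if value == "infinite":
        return None
    m = re.fullmatch(r"(\d+)([smhdw]?)", value)
    if not m:
        raise ValueError(f"unrecognised lease time: {value!r}")
    return int(m.group(1)) * _LEASE_UNITS[m.group(2)]


def parse_dnsmasq(text):
    """Pick out dhcp-range=, dhcp-host= and dhcp-boot=; every other line is ignored."""
    conf = {"ranges": [], "hosts": [], "boot": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        key, sep, val = line.partition("=")
        if not sep:
            continue
        fields = [f.strip() for f in val.split(",")]
        if key == "dhcp-range":
            if not _is_ipv4(fields[0]):                # optional leading interface/tag
                fields = fields[1:]
            start, end, rest = fields[0], fields[1], fields[2:]
            masks = [f for f in rest if _is_ipv4(f)]   # netmask (and maybe broadcast)
            lease = rest[-1] if rest and _LEASE_RE.fullmatch(rest[-1]) else None
            conf["ranges"].append((start, end, masks[0] if masks else None, lease))
        elif key == "dhcp-host":
            mac = next((f for f in fields if _MAC_RE.fullmatch(f)), None)
            ip = next((f for f in fields if _is_ipv4(f)), None)
            if mac is None or ip is None:              # client-id/tag forms: do by hand
                continue
            name = next((f for f in fields if f not in (mac, ip)
                         and not _LEASE_RE.fullmatch(f)), None)
            conf["hosts"].append((mac, ip, name))
        elif key == "dhcp-boot":                       # filename[,servername[,address]]
            conf["boot"] = (fields[0], fields[2] if len(fields) > 2 and fields[2] else None)
    return conf


def to_dhcpd_conf(conf, server_ip):
    """Render dhcpd.conf stanzas. server_ip is the address dnsmasq answered on; dnsmasq
    advertises itself as router and DNS server, so the same address is used here (assumed)."""
    out = []
    for start, end, netmask, lease in conf["ranges"]:
        if netmask is None:
            raise ValueError(f"dhcp-range {start}-{end}: add the netmask, dhcpd needs the subnet")
        net = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
        out += [f"subnet {net.network_address} netmask {net.netmask} {{",
                f"    range {start} {end};",
                f"    option routers {server_ip};",
                f"    option domain-name-servers {server_ip};"]
        secs = lease_to_seconds(lease) if lease else None
        if secs is not None:
            out += [f"    default-lease-time {secs};", f"    max-lease-time {secs};"]
        elif lease:
            out.append("    # dnsmasq lease was 'infinite': choose lease times by hand")
        if conf["boot"]:                               # dhcp-boot -> filename/next-server
            filename, next_server = conf["boot"]
            out += [f'    filename "{filename}";', f"    next-server {next_server or server_ip};"]
        out += ["}", ""]
    for mac, ip, name in conf["hosts"]:                # dhcp-host -> host block
        label = name or "host-" + mac.replace(":", "")
        out += [f"host {label} {{",
                f"    hardware ethernet {mac};",
                f"    fixed-address {ip};",
                "}", ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(to_dhcpd_conf(parse_dnsmasq(SAMPLE_DNSMASQ_CONF), "172.22.33.129"))
```

Run it against the saved dnsmasq.conf, paste the output under the global options of /etc/dhcp/dhcpd.conf and check it with `dhcpd -t` before starting the new server; the entries it skips (dhcp-host lines keyed on client-id or tags rather than a MAC address) still have to be written by hand.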