Okay... so I made some changes, and let it run for a few days to see if there were any hiccups. So far so good (except for a tiny problem I will detail at the end).
I thought I'd share my experience, and configuration, in case someone else ever has this headache:
First, some perspective: attached to this post, see the file "jonesNet.png." The two servers named "Tigger" and "Pooh" (yes, I have small children) were the www and email servers respectively, while "minister" is the utility server that provides DNS, DHCP, RADIUS authentication, etc.
My DNS server is behind a firewall with the rest of the network. So, while it is configured as authoritative, it is only authoritative for the computers on my LAN. The outside world does not see behind the firewall.
--Though, formerly, I had a DNS provider that pointed all www and email traffic to the WAN interface of my firewall. As that is no longer necessary, those holes have been plugged. And if you want my www presence, it is handled by the hosting company's DNS server.
NOW, switching from Comcast business Internet service to TDS Telecom (fiber to the curb) meant no more static IP (it's a residential account), but it's cheap enough that it plus offsite hosting was still less overall than Comcast.
HOWEVER...what to do about the network, and DNS server?
In the end, the changes were minor, and this is what they look like:
/etc/bind/named.conf (-rw-r--r-- 1 bind:bind)
-----------------------------------------------------
Code:
key "rndc-key" {
algorithm hmac-md5;
secret "mysupersecretkeyhere";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
/etc/bind/named.conf.local (-rw-r--r-- 1 bind:bind)
-----------------------------------------------------------
Code:
// Secret key used for DHCP updates (a single "/" is not a comment in named.conf;
// it must be "//", "#" or "/* ... */")
key DHCP_UPDATER {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
# Important: Replace this key with your generated key.
# Also note that the key should be surrounded by quotes,
# and the same name, algorithm and secret must appear in dhcpd.conf.
secret "mysupersecretkeyhere";
};
//
// Do any local configuration here
//
zone "familynetwork.us" {
type master;
file "/var/lib/bind/db.familynetwork.us";
allow-update { key DHCP_UPDATER; };
allow-query { any; };
};
zone "29.168.192.in-addr.arpa" {
type master;
file "/var/lib/bind/db.29";
allow-update { key DHCP_UPDATER; };
allow-query { any; };
};
The db file (below) was where I made the bulk of the changes. Note how just adding the offsite IP address was sufficient. AND there've been no timeouts.
/var/lib/bind/db.familynetwork.us (-rw-r--r-- 1 bind:bind)
--------------------------------------------------------------------
Code:
$ORIGIN .
$TTL 604800 ; 1 week
familynetwork.us IN SOA minister.familynetwork.us. ron.familynetwork.us. (
20140134 ; serial
604800 ; refresh (1 week)
86400 ; retry (1 day)
2419200 ; expire (4 weeks)
604800 ; minimum (1 week)
)
NS minister.familynetwork.us.
A <routable offsite IP>
MX 0 familynetwork.us.
$ORIGIN familynetwork.us.
$TTL 10800 ; 3 hours
android-d1d889b1bf83e4b1 A 192.168.29.129
TXT "311a26c3432b6d74fee5fe0170284383c9"
$TTL 604800 ; 1 week
APJones1 A 192.168.29.3
APJones2 A 192.168.29.5
cpanel A <routable offsite IP>
firewall A 192.168.29.1
$TTL 10800 ; 3 hours
Iffound58181299 A 192.168.29.128
TXT "31ba5038574666be3cdf9ca1742b8ac3ec"
$TTL 604800 ; 1 week
localhost A 127.0.0.1
minister A 192.168.29.2
webmail A <routable offsite IP>
whm A <routable offsite IP>
www CNAME familynetwork.us.
If I run the "dig" command from my desktop, to get more information about the domain (remember, I'm asking my own DNS server, to tell me about my domain)...
dig familynetwork.us returns:
Code:
; <<>> DiG 9.8.1-P1 <<>> familynetwork.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55402
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;familynetwork.us. IN A
;; ANSWER SECTION:
familynetwork.us. 604800 IN A <routable offsite IP>
;; AUTHORITY SECTION:
familynetwork.us. 604800 IN NS minister.familynetwork.us.
;; ADDITIONAL SECTION:
minister.familynetwork.us. 604800 IN A 192.168.29.2
;; Query time: 2 msec
;; SERVER: 192.168.29.2#53(192.168.29.2)
;; WHEN: Wed Jan 29 15:38:57 2014
;; MSG SIZE rcvd: 87
THE ONLY PROBLEM I have is that the dhcp daemon now no longer updates the zone file. I know this because when I ping another computer on the network by name, I get the "ping: unknown host <hostname>" response.
I suspect it is a file permission/ownership issue (the 'supersecretkey' is in all the right spots), but I have not yet been able to find out how to troubleshoot the problem.
/etc/dhcp/dhcpd.conf (-rw-r----- 1 dhcpd:dhcpd)
---------------------------------------------------------
Code:
# DHCP.conf for familynetwork.us
#
#
ddns-update-style interim;
ignore client-updates;
ddns-domainname "familynetwork.us.";
ddns-rev-domainname "in-addr.arpa.";
# option definitions common to all
default-lease-time 86400;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.29.255;
option routers 192.168.29.1;
option ntp-servers 192.168.29.2;
option domain-name-servers 192.168.29.2;
option domain-name "familynetwork.us";
# This is the official DHCP server for familynetwork.us
authoritative;
# used to send dhcp log messages
log-facility local7;
key DHCP_UPDATER {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret "mysupersecretkeyhere";
};
zone familynetwork.us. {
primary 127.0.0.1;
key DHCP_UPDATER;
}
zone 29.168.192.in-addr.arpa. {
primary 127.0.0.1;
key DHCP_UPDATER;
}
allow unknown-clients;
subnet 192.168.29.0 netmask 255.255.255.0 {
range 192.168.29.100 192.168.29.150;
}
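Added example, not part of the original post: before chasing file permissions, the first thing to rule out when dhcpd stops updating a zone is that the TSIG key dhcpd signs with is not byte-for-byte the key named expects. The script below parses the `key` stanzas out of a named.conf.local and a dhcpd.conf, normalises the two spellings of the HMAC-MD5 algorithm that BIND and dhcpd accept (`hmac-md5` and `HMAC-MD5.SIG-ALG.REG.INT`), and reports a key name, algorithm or secret that differs between the two files, or a secret that is not valid base64. The config snippets embedded in it are constructed to mirror the post's files; the trailing space in the second dhcpd snippet is a deliberate, typical copy-paste mistake. Key names and the `compare_keys` function are this example's own, not anything from the post.

```python
"""Cross-check the TSIG key stanzas that BIND (named.conf.local) and ISC dhcpd
(dhcpd.conf) must agree on before dhcpd's dynamic DNS updates can succeed.

Added example, not code from the original post.  The config snippets at the
bottom are constructed to mirror the post's files.
"""
import base64
import binascii
import re

# BIND accepts the short and the long (DNS-name) spelling of each TSIG
# algorithm; dhcpd.conf usually carries the long one.  Normalise both so a
# spelling difference is not reported as a mismatch.
_ALGORITHM_ALIASES = {
    "hmac-md5": "hmac-md5",
    "hmac-md5.sig-alg.reg.int": "hmac-md5",
    "hmac-sha1": "hmac-sha1",
    "hmac-sha256": "hmac-sha256",
    "hmac-sha512": "hmac-sha512",
}

# `key NAME { algorithm ...; secret "..."; };` in either file.  The regex does
# not match `key NAME;` references inside zone or allow-update blocks.
_KEY_STANZA = re.compile(
    r'\bkey\s+"?(?P<name>[A-Za-z0-9_.-]+)"?\s*\{(?P<body>.*?)\}\s*;?', re.DOTALL
)
_ALGO = re.compile(r"algorithm\s+([A-Za-z0-9_.-]+)\s*;")
_SECRET = re.compile(r'secret\s+"([^"]*)"\s*;')
# Both daemons accept //, # and /* */ comments; strip them before parsing.
_COMMENT = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.DOTALL)


def parse_keys(config_text):
    """Return {key_name: (normalised_algorithm, secret)} for every key stanza.

    TSIG key names are DNS names and compare case-insensitively, so they are
    lower-cased here.  Stanzas missing an algorithm or secret are skipped.
    """
    text = _COMMENT.sub("", config_text)
    keys = {}
    for stanza in _KEY_STANZA.finditer(text):
        algo = _ALGO.search(stanza.group("body"))
        secret = _SECRET.search(stanza.group("body"))
        if not algo or not secret:
            continue
        spelled = algo.group(1).lower()
        keys[stanza.group("name").lower()] = (
            _ALGORITHM_ALIASES.get(spelled, spelled),
            secret.group(1),
        )
    return keys


def secret_is_base64(secret):
    """named rejects a TSIG secret that is not valid base64 (a stray space or
    quote pasted into the string is enough)."""
    try:
        base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def compare_keys(named_conf, dhcpd_conf):
    """Return a list of problems; an empty list means every key dhcpd declares
    matches named's definition of it."""
    named_keys = parse_keys(named_conf)
    problems = []
    for name, (algo, secret) in parse_keys(dhcpd_conf).items():
        if name not in named_keys:
            problems.append(f"{name}: declared in dhcpd.conf but not in named.conf")
            continue
        named_algo, named_secret = named_keys[name]
        if algo != named_algo:
            problems.append(f"{name}: algorithm {algo} (dhcpd) != {named_algo} (named)")
        if secret != named_secret:
            problems.append(f"{name}: secret differs between dhcpd.conf and named.conf")
        for label, value in (("named", named_secret), ("dhcpd", secret)):
            if not secret_is_base64(value):
                problems.append(f"{name}: secret in {label} config is not valid base64")
    return problems


# Constructed snippets modelled on the post's named.conf.local and dhcpd.conf.
NAMED_CONF_OK = """
// Secret key used for DHCP updates
key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret "mysupersecretkeyhere";
};
zone "familynetwork.us" {
    type master;
    file "/var/lib/bind/db.familynetwork.us";
    allow-update { key DHCP_UPDATER; };
};
"""

DHCPD_CONF_OK = """
key DHCP_UPDATER {
    algorithm hmac-md5;   # short spelling of the same algorithm
    secret "mysupersecretkeyhere";
};
zone familynetwork.us. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}
"""

# Same file, but the secret was pasted with a trailing space: named then
# refuses every signed update from dhcpd as a TSIG verify failure.
DHCPD_CONF_BAD = DHCPD_CONF_OK.replace('"mysupersecretkeyhere"', '"mysupersecretkeyhere "')

if __name__ == "__main__":
    for label, dhcpd in (("good", DHCPD_CONF_OK), ("bad", DHCPD_CONF_BAD)):
        print(label, "->", compare_keys(NAMED_CONF_OK, dhcpd) or "keys agree")
```

Run it against the real files with `compare_keys(open("/etc/bind/named.conf.local").read(), open("/etc/dhcp/dhcpd.conf").read())`. If the keys agree, the next check is a manual signed update with `nsupdate -k` using the same key, which separates a TSIG or `allow-update` problem from a zone-file or journal permission problem, and then named's log, which records both denied updates and TSIG verification failures.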