Sunday, January 11, 2015

Upgrading to CentOS 7 - Part Two

DHCP / DNS Server (dnsmasq)

My home network is quite small (two to three workstations, plus Android phones, an Android tablet, an iPad mini, an HP networked printer / scanner, a Raspberry Pi controlling the water sprinklers in the garden, a smart TV...), so instead of setting up a complete bind / dhcp solution, I prefer a simpler dnsmasq setup.
On CentOS this is simple, just:
sudo yum install dnsmasq dnsmasq-utils

I add the following configuration in /etc/dnsmasq.d/main.conf:

 #Centos 7 Changed the interface naming
 interface=enp2s0
 domain-needed
 bogus-priv
 server=/local.lan/0.0.0.0
 local=/local.lan/
 expand-hosts
 domain=local.lan
 resolv-file=/etc/resolv.conf.dnsmasq

 # These are arbitrary
 dhcp-range=xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,12h
 dhcp-host=00:00:00:00:00:00,HPxxxx,xxx.xxx.xxx.xxx # Printer
 # dhcp router option
 dhcp-option=option:router,xxx.xxx.xxx.xxx

 dhcp-option=44,0.0.0.0   # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
 dhcp-option=45,0.0.0.0   # netbios datagram distribution server
 dhcp-option=46,8         # netbios node type
 dhcp-option=vendor:MSFT,2,1i
 dhcp-authoritative
 # I check with logging that everything is working ok
 log-queries
 log-dhcp

What I am saying here:
  • the interface dnsmasq will bind to is enp2s0 (beware: the network interface name changed) - interface
  • no DNS request will be forwarded for a plain name (without dots) or for reverse lookups of non-routed address space - domain-needed / bogus-priv (the docs say these options make me a better netizen...)
  • the name server for "local.lan" (the internal domain) is 0.0.0.0 (this server) - server
  • "local.lan" is answered from /etc/hosts or the DHCP leases, never forwarded - local
  • the domain is appended to plain entries in /etc/hosts - expand-hosts
  • the local domain (the domain DHCP option) and the domain name used by the previous option - domain
  • the DNS servers to forward requests to are listed in an external file, not in resolv.conf - resolv-file
The remaining options enable the DHCP server (dhcp-range), assign a fixed address to the network printer (dhcp-host), and set some options for the network.

Additional DNS / DHCP information

For my purposes, the little server should resolve names in the network as well. This works, but to resolve itself, I've found that /etc/hosts is not enough. I have to put 127.0.0.1 as the first nameserver, so for my setup I modify /etc/sysconfig/network-scripts/ifcfg-enp2s0 with the following option:
  • DNS1=127.0.0.1
This is because at boot (or network restart) the settings inside this file replace what is in /etc/resolv.conf. Please note that my setup is for a small server with a fixed IP address (configured as such during installation).
In the external file (the resolv-file option above) the format is the same as /etc/resolv.conf, in my case:
 nameserver 8.8.8.8
 nameserver 8.8.4.4

Yes, so now you know - I use Google's DNS servers....
After that, run sudo systemctl enable dnsmasq and sudo systemctl start dnsmasq.
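As an added check (this script is my example, not part of the original post or of dnsmasq): a small POSIX shell linter that parses a dnsmasq configuration and reports whether the hardening options discussed above are present, run here against constructed copies of the post's config. bind-interfaces is a standard dnsmasq option the post does not use, and the 192.0.2.x addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a linter for the dnsmasq settings
# above. It applies dnsmasq's comment rule ("#" after whitespace ends the line).
# Return 0 if the file passes, 1 otherwise; findings are printed.
check_dnsmasq_conf() {
    opts=$(sed -e 's/[[:space:]]#.*$//' -e '/^[[:space:]]*#/d' \
               -e 's/^[[:space:]]*//' -e '/^[[:space:]]*$/d' "$1")
    rc=0
    has() { printf '%s\n' "$opts" | grep -q "$1"; }
    # Without interface= dnsmasq answers on every interface, not just the LAN.
    has '^interface=' || { echo "FAIL: no interface= line"; rc=1; }
    # interface= alone still binds 0.0.0.0 and filters; bind-interfaces binds only that one.
    has '^bind-interfaces$' || echo "WARN: consider adding bind-interfaces"
    # Never forward plain hostnames or RFC 1918 reverse lookups upstream.
    has '^domain-needed$' || { echo "FAIL: domain-needed missing"; rc=1; }
    has '^bogus-priv$' || { echo "FAIL: bogus-priv missing"; rc=1; }
    # Upstreams go in a separate file; with DNS1=127.0.0.1, /etc/resolv.conf points at ourselves.
    rf=$(printf '%s\n' "$opts" | sed -n 's/^resolv-file=//p')
    case "$rf" in
        "") echo "FAIL: resolv-file= missing"; rc=1 ;;
        /etc/resolv.conf) echo "FAIL: resolv-file points at /etc/resolv.conf"; rc=1 ;;
    esac
    # The only DHCP server on the LAN should also claim authority for its range.
    if has '^dhcp-range='; then
        has '^dhcp-authoritative$' || { echo "FAIL: dhcp-authoritative missing"; rc=1; }
    fi
    return $rc
}
# Constructed copy of the post's config; 192.0.2.x are placeholder addresses.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
#Centos 7 changed the interface naming
interface=enp2s0
domain-needed
bogus-priv
resolv-file=/etc/resolv.conf.dnsmasq # upstream servers only
dhcp-range=192.0.2.50,192.0.2.150,12h
dhcp-host=00:00:00:00:00:00,HPxxxx,192.0.2.10 # Printer
dhcp-authoritative
EOF
# Constructed weakened variant: forwards plain names and reads /etc/resolv.conf.
cat > "$BAD_CONF" <<'EOF'
interface=enp2s0
bogus-priv
resolv-file=/etc/resolv.conf
dhcp-range=192.0.2.50,192.0.2.150,12h
EOF
check_dnsmasq_conf "$GOOD_CONF" && echo "post config: passes"
check_dnsmasq_conf "$BAD_CONF" || echo "weakened config: rejected"
```

Run it against the real file with check_dnsmasq_conf /etc/dnsmasq.d/main.conf before restarting the service; dnsmasq --test still has the final word on syntax.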

ToDo

DNS Security Extensions (DNSSEC) should be an add-on to network security, and good practice - the current version of dnsmasq in CentOS is 2.66, the last stable version is 2.72, and the first version with DNSSEC is 2.69. When the setup is complete, I will explore the option of creating an updated package. This will add dependencies on the nettle and gmp libraries, both of which are already in the repositories.

The Firewall (firewalld)

Among other things, CentOS 7, or rather RHEL 7, changed the firewall. While it would be easier to fall back to iptables, I see the rationale in firewalld: updating rules without dropping connections. Not exactly my use case, but still an interesting direction.
Keeping up with firewalld, what I did was:
sudo firewall-cmd --set-default-zone=home
sudo firewall-cmd --permanent --zone=home --add-service=dns
sudo firewall-cmd --permanent --zone=home --add-service=dhcp
sudo firewall-cmd --permanent --add-interface=enp2s0
sudo firewall-cmd --reload
I change the default zone to home (my server won't go anywhere), and add the dns and dhcp services to that zone.
Additionally, just to be consistent with the NetworkManager settings, I add the following line to /etc/sysconfig/network-scripts/ifcfg-enp2s0:

  • ZONE=home

That's it.
