DHCP / DNS Server (dnsmasq)
My home network is quite limited (two to three workstations, plus android phones, android tablet, an ipad mini, an HP networked printer / scanner, a raspberry pi controlling the water sprinklers in the garden, a smarttv...), so instead of setting up a complete bind / dhcp solution, I prefer a simpler dnsmasq setup.
On CentOS is simple, just:
sudo yum install dnsmasq dnsmasq-utils
I add the following configuration in /etc/dnsmasq.d/main.conf
#Centos 7 Changed the interface naming
interface=enp2s0
domain-needed
bogus-priv
server=/local.lan/0.0.0.0
local=/local.lan/
expand-hosts
domain=local.lan
resolv-file=/etc/resolv.conf.dnsmasq
# These are arbitrary
dhcp-range=xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,12h
dhcp-host=00:00:00:00:00:00,HPxxxx,xxx.xxx.xxx.xxx # Printer
# dhcp router option
dhcp-option=option:router,xxx.xxx.xxx.xxx
dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
dhcp-option=45,0.0.0.0 # netbios datagram distribution server
dhcp-option=46,8 # netbios node type
dhcp-option=vendor:MSFT,2,1i
dhcp-authoritative
#I check with logging everything is working ok
log-queries
log-dhcp
What I am saying here:
- the interface dnsmasq will bind on is enp2s0 (beware the network interface name changing) - interface
- no DNS request will be forwarded if plain name or non routed address space - domain-needed / bogus-priv (docs say that these option make me a better netizen...)
- The name server for "local.lan" (internal domain) will be 0.0.0.0 (this server) - server
- The "local.lan" will be answered through /etc/hosts or dhcp leases - local
- A domain will be added to simple entries in a /etc/hosts file - expand-hosts
- The local domain (domain dhcp option) and name of the domain for the previous option - domain
- The DNS to forward requests to are in an external file, not in the resolv conf - resolv-file
Remaining options enable the dhcp server (dhcp-range), set a specific address for the netwok printer (dhcp-host), and set some options for the network.
Additional DNS / DHCP information
For my purposes, the little server should resolve names in the network as well. This works, but to resolve self, I've found that /etc/hosts it's not enough. I have to put 127.0.0.1 as the first nameserver, so for my setup I modify the /etc/sysconfig/network-scripts/ifcfg-enp2s0 with the following option:
- DNS1=127.0.0.1
This is because at boot (or network restart) settings inside this file will replace what is in the /etc/resolv.conf file.Please remind that my setup is for a small server with fixed IP address (configured as such during installation).
In the external file (option resolv-file above) the format will be the same of the /etc/resolv.conf file, in my case:
nameserver 8.8.8.8
nameserver 8.8.4.4
Yes, so now you know - I use Google's DNSs....
After that sudo systemctl enable dnsmasq and sudo systemctl start dnsmasq.
After that sudo systemctl enable dnsmasq and sudo systemctl start dnsmasq.
ToDo
DNS Security Extension (DNSSEC) should be an add on in network security, and good practice - current version of dnsmasq in CentOS is 2.66, last stable version is 2.72, first version with DNSSEC is 2.69. When setup is complete, I will explore the option to create an updated package. This will add dependencies on nettle and gmp libraries, both of them are already in the repositories.
The Firewall (firewalld)
Among other things, CentOS 7, or better, RH 7 changed the firewall. While it would be easier to scale back to IPTables, I see the rationale in FirewallD - updating rules while not dropping connections. Not exactly my use case, but still an interesting direction.
Keeping up with firewalld what I did was:
Additionally, just to be coherent with NetworkManager settings, I add the following line to the /etc/sysconfig/network-scripts/ifcfg-enp2s0:
That's it.
Keeping up with firewalld what I did was:
sudo firewall-cmd --set-default-zone=home
sudo firewall-cmd --permanent --zone=home --add-service=dns
sudo firewall-cmd --permanent --zone=home --add-service=dhcp
sudo firewall-cmd --permanent --add-interface=enp2s0
sudo firewall-cmd --reload
Additionally, just to be coherent with NetworkManager settings, I add the following line to the /etc/sysconfig/network-scripts/ifcfg-enp2s0:
- ZONE=home
That's it.
References
https://wiki.archlinux.org/index.php/Dnsmasq
https://fedoraproject.org/wiki/FirewallD
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html
https://fedoraproject.org/wiki/Systemd
https://fedoraproject.org/wiki/FirewallD
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html
https://fedoraproject.org/wiki/Systemd
No comments:
Post a Comment