By pressing down a special key, it plays a little melody

Here are some of the fun exciting behaviors in store if you try to configure CentOS 7 or RedHat 7 as a combined DNS and DHCP server with dynamic DNS updates for a local network.  These notes are for an ipv4 network only; ipv6 is left as an exercise for the reader.

CentOS goes to some effort to silently but sincerely prevent you from doing this in the name of “security”.

You’ll want to do a fresh install and update of CentOS 7 and select Domain name server as the installation option.

Install some packages:

yum install bind-chroot bind dhcp

The key files you’ll be editing are /etc/rndc.conf, /etc/named.conf, /etc/rndc.keys, and /etc/dhcp/dhcpd.conf .

Follow Steven Carr’s advice on setting up more sane named logging. 

The zone files, normally stored in /var/named, are not given sufficient permissions to be read and written by the named process.  Move them to /var/named/dynamic.  Permissions, generally, are a bitch with this whole setup — expect that other files in /var/named may need to be chown’d to root.named and chmod’ed to 660 or 664.

SELinux silently prevents a lot of things that named and dhcpd want to do to maintain those zone files.  Convince it that this is OK by adding the following to /etc/sysconfig/named:

ENABLE_ZONE_WRITE=yes 

Also run this command as well:

setsebool named_write_master_zones on

You will find that named and dhcpd don’t start automatically at boot time when installed.  You’ll have to teach CentOS 7 to do this yourself.  Use systemctl enable to do this.

You can generate a secret key by running rndc-confgen.  The output will give you a hint as to what to put into rndc.conf as well as named.conf.

The secret key, usually stored in rndc.key, wants to be stored in several places, at least in /etc/rndc.key and /etc/rndc.conf and /etc/named.conf and /etc/dhcp/dhcpd.conf.  There is no public/private key exchange in named if you are just running a local DNS server; it’s all just one pre-shared secret key, which is neat.

nsupdate is your friend.  If you can’t manually get named to update by using this command to get to control port 953, do an experiment to see if you can add and delete records via the rndc interface by running rndc and issuing commands something like this:

update add dumb.yourdomain 900 IN A 10.1.1.1
debug on
show 
send

If you can’t do this yourself, then dhcpd won’t be any luckier; don’t bother trying to make dhcpd happy until named is properly responding to requests to update the zone files.

CentOS firewalls off all the relevant ports against you.  You’ll have to open these yourself.  

For setting up a dhcp server:

firewall-cmd --add-port=67/udp --zone=public --permanent
firewall-cmd --add-port=68/udp --zone=public --permanent

For setting up the dns sever:

firewall-cmd --add-port=53/tcp --zone=public --permanent