How to Configure a DNS/DHCP Server

inc
DNS Server

DNS/DHCP SERVER

sudo apt install dnsutils

DNSMASQ

TEST :

A records
dig +nocmd +noall +answer +multiline asterisk.uruk.kan a
TXT records
dig +nocmd +noall +answer +multiline asterisk.uruk.kan txt
/etc/dnsmasq.d/kvm-net
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
### DHCP SERVER CONFIG ###

domain=kalacmul.uruk.kan
interface=eno1
interface=vmbr0
no-dhcp-interface=eno1

dhcp-range=10.14.17.50,10.14.17.200,12h
dhcp-option=vmbr0,3,10.14.17.1
#dhcp-option=option:router,10.14.17.1
#dhcp-option=option:ntp-server,10.0.0.10
dhcp-option=option:dns-server,10.14.17.1,1.1.1.1,8.8.8.8
dhcp-option=option:netmask,255.255.255.0

# define statics
dhcp-host=f6:d4:f8:12:a3:f1,10.14.17.100
dhcp-authoritative

### DNS SERVER CONFIG ###

#strict-order
domain-needed
bogus-priv
#no-hosts
no-resolv
dns-forward-max=150
cache-size=1000
#no-negcache
neg-ttl=3600
#resolv-file=/etc/resolv.dnsmasq
#no-poll

# pools
conf-file=/etc/dnsmasq.d/kvm-banned-hosts.conf

conf-file=/etc/dnsmasq.d/kvm-allowed-hosts.conf

log-queries
log-dhcp
/etc/dnsmasq.d/kvm-allowed-hosts.conf
1
2
3
4
5
6
7
8
9
# asterisk,uruk.kan
address=/asterisk.uruk.kan/10.14.17.100
txt-record=asterisk.uruk.kan,"v=spf1 a -all"
cname=phone.uruk.kan,asterisk.uruk.kan

# mail,uruk.kan
address=/mail.uruk.kan/10.14.17.110
txt-record=mail.uruk.kan,"v=spf1 a -all"
cname=email.uruk.kan,mail.uruk.kan
/etc/dnsmasq.d/kvm-banned-hosts.conf
1
address=/caliente.mx/127.0.0.1
/etc/resolv.conf
1
2
3
nameserver 127.0.0.1
nameserver 1.1.1.3
nameserver 8.8.8.8
/etc/network/interfaces
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback


#### Configuration for VM as nat ####
#Uncomment when are in use :
allow-hotplug eno1
auto eno1
iface eno1 inet manual
        address 192.168.1.224
        netmask 255.255.255.0
        gateway 192.168.1.254
        ethernet-wol g
dns-search invalid


# cloudfare
#
#Malware Blocking Only
#Primary DNS: 1.1.1.2
#Secondary DNS: 1.0.0.2
#
#Malware and Adult Content
#Primary DNS: 1.1.1.3
#Secondary DNS: 1.0.0.3

# OpenDNS FamilyShield
# Preferred DNS Server: 208.67.222.123
# Alternate DNS Server: 208.67.220.123

#Norton ConnectSafe
#Security + Pornography + Non-Family Friendly
#Preferred DNS Server: 198.153.192.60
#Alternate DNS Server: 198.153.194.60

dns-nameservers 127.0.0.1 1.1.1.3 8.8.8.8
#up ip route replace 10.114.7.0/24 via 192.168.0.1 dev eno1


#Uncomment when are in use :
allow-hotplug vmbr0
auto vmbr0
iface vmbr0 inet static
        address 10.14.17.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
#    bridge_waitport 0
        bridge_fd 0

# up route add -net 10.0.3.0 netmask 255.255.0.0 gw 10.14.17.1
        up ip route add 10.14.17.0/24 via 10.14.17.1 dev vmbr0

  post-up echo 1 > /proc/sys/net/ipv4/ip_forward
  post-up iptables -t nat -A POSTROUTING -s '10.14.17.0/24' -o eno1 -j MASQUERADE
# NOTE ADD routes to ediq.mx
  post-up   iptables -t nat -A PREROUTING -i eno1 -p tcp --dport 4443 -j DNAT --to-destination 10.14.17.105:443
  post-down iptables -t nat -D POSTROUTING -s '10.14.17.0/24' -o eno1 -j MASQUERADE

#    post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
#    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
#

#
# Autostart Wifi Source
#

# allow-hotplug wlp3s0
# auto wlp3s0
iface wlp3s0 inet dhcp
iface wlp3s0 inet static
address 192.168.1.153
netmask 255.255.255.0
gateway 192.168.1.254
dns-search invalid
dns-nameservers 1.1.1.1 192.168.1.254
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
/etc/hosts/
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
127.0.0.1    localhost
192.168.1.224        kalacmul.uruk.kan       kalacmul

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

207.244.226.77 hypervisor
62.171.154.150 hypercloud
207.244.226.189 hypervpn


# Tunnel maps
10.44.45.1 tun45.baizabal.xyz
10.44.46.1 tun46.baizabal.xyz

#Integranas 192.168.20.168
187.190.252.166 integranas


#internal VM


10.14.17.100 asterisk.uruk.kan
10.14.17.110 mail.uruk.kan
# 10.14.17.105 bms
# 10.14.17.127 books


# Hypervisor trough tunnel
10.0.8.221 integramail
10.8.0.9 ironman
10.8.0.242 integraocs
/etc/hostname
1
kalacmul

CNAME

Source

You have to keep in mind, that the to be resolved hostname has to be added to the /etc/hosts file too E.g.: the right part in the hosts file:

CNAME Example
10.1.1.1 ip1.example.com

dnsmasq.conf entry: cname=cname.example.com,ip1.example.com

Test:

That’s all it takes ;-)
1
2
3
ping  cname.example.com
PING ip1.example.com (10.1.1.1) 56(84) bytes of data.
64 bytes from ip1.example.com (10.1.1.1): icmp_seq=1 ttl=64 time=0.063 ms

ISC-DHCP-SERVER

/etc/default/isc-dhcp-server
15
16
17
18
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#   Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4="eno1 vmbr0"
INTERFACESv6=""
/etc/dhcp/dhcpd.conf
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
option domain-name "Kalacmul.uruk";
option domain-name-servers 1.1.1.1, 8.8.8.8;


subnet 10.14.17.0 netmask 255.255.255.0 {
    range 10.14.17.100 10.14.17.200;
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.14.17.255;
    option routers 10.14.17.1;
    option domain-name-servers 1.1.1.1, 8.8.8.8 ;
}


default-lease-time 600;
max-lease-time 7200;

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

DHCP PROTOCOL

dnsmasq logs

for avaya example :

IP phone ack to dhcp
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
Oct 10 20:53:28 uxmal systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Oct 10 20:54:56 uxmal dnsmasq-dhcp[168841]: 3597900336 available DHCP range: 192.168.1.50 -- 192.168.1.200
Oct 10 20:54:56 uxmal dnsmasq-dhcp[168841]: 3597900336 client provides name: AVX51DA20
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 DHCPDISCOVER(enp1s5) 00:1b:4f:51:da:20
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 tags: enp1s5
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 DHCPOFFER(enp1s5) 192.168.1.54 00:1b:4f:51:da:20
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 requested options: 1:netmask, 28:broadcast, 3:router, 6:dns-server,
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 requested options: 15:domain-name, 42:ntp-server, 242
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 next server: 192.168.1.1
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 sent size:  1 option: 53 message-type  2
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 sent size:  4 option: 54 server-identifier  192.168.1.1
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 sent size:  4 option: 51 lease-time  12h
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 sent size:  4 option: 58 T1  6h
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 sent size:  4 option: 59 T2  10h30m
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 sent size:  4 option: 28 broadcast  192.168.1.255
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 sent size:  4 option:  3 router  192.168.1.1
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 sent size: 14 option: 15 domain-name  uxmal.uruk.kan
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 sent size: 12 option:  6 dns-server  192.168.1.1, 1.1.1.3, 8.8.8.8
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 sent size:  4 option: 42 ntp-server  173.212.200.183
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3597900336 sent size:  4 option:  1 netmask  255.255.255.0
Oct 10 20:54:59 uxmal dnsmasq-dhcp[168841]: 3140276212 available DHCP range: 192.168.1.50 -- 192.168.1.200

for cisco

Cisco
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 available DHCP range: 192.168.1.50 -- 192.168.1.200
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 vendor class: Cisco Systems, Inc. IP Phone CP-6941
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 client provides name: SEP1CE6C798A582
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 DHCPREQUEST(enp1s5) 192.168.1.147 1c:e6:c7:98:a5:82
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 tags: enp1s5
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 DHCPACK(enp1s5) 192.168.1.147 1c:e6:c7:98:a5:82 SEP1CE6C798A582
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 requested options: 1:netmask, 28:broadcast, 3:router, 6:dns-server,
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 requested options: 15:domain-name, 35:arp-timeout, 66:tftp-server,
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 requested options: 150:tftp-server-address
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 next server: 192.168.1.1
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 broadcast response
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 sent size:  1 option: 53 message-type  5
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 sent size:  4 option: 54 server-identifier  192.168.1.1
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 sent size:  4 option: 51 lease-time  12h
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 sent size:  4 option: 58 T1  6h
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 sent size:  4 option: 59 T2  10h30m
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 sent size:  8 option: 15 domain-name  uruk.kan
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 sent size: 12 option:  6 dns-server  192.168.1.1, 1.1.1.3, 8.8.8.8
Oct 11 16:39:51 uxmal dnsmasq-dhcp[650460]: 1979671737 sent size:  4 option:  1 netmask  255.255.255.0

Pretty Log dnsmasq

Log file can be parsed in real-time with tail+awk:

$ vi dnsmasq.awk

    #!/usr/bin/awk -f

    BEGIN {
      OFS = ",";
    }

    $5 == "query[A]" {
      time = mktime( \
        sprintf("%04d %02d %02d %s\n", \
          strftime("%Y", systime()), \
          (match("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3, \
          $2, \
          gensub(":", " ", "g", $3) \
        ) \
      );
      query = $6;
      host = $8;
      print time, host, query;
    }

$ chmod +x dnsmasq.awk

$ tail -f /tmp/dnsmasq.log | ./dnsmasq.awk

1468999090,192.168.1.100,google.com
1468999092,192.168.1.101,youtube.com
1468999095,192.168.1.102,facebook.com
1468999097,192.168.1.100,qa.sockets.stackexchange.com

More advanced method is sending log via filebeat to ELK in realtime.

Last update: Jan 03, 2025