%\documentclass[colorBG,slideColor,troispoints,pdf]{prosper}
\documentclass[colorBG,total,slideColor,pdf]{prosper}
%\documentclass[colorBG,slideColor,ps]{prosper}
\usepackage{alltt,key,xr,cols,rcs,acro,nick,%
  graphicx,varioref,explanation,booktabs,color}
\usepackage[nolineno,noindent]{lgrind}
\definecolor{green}{rgb}{0,1,0}
\RCS $Revision: 1.0 $
\renewcommand*{\bs}{\texttt{\char '134}} % Backslash `\'
\newcommand*{\labTitle}{DHCP and DNS}
\newcommand*{\subject}{Operating Systems and Systems Integration}
\newcommand*{\emphcolour}[1]{\emph{\red#1}}
\providecommand*{\RPM}{\acro{RPM}\xspace}
\providecommand*{\CD}{\acro{CD}\xspace}
\providecommand*{\IPC}{\acro{IPC}\xspace}
\providecommand*{\UID}{\acro{UID}\xspace}
\providecommand*{\GID}{\acro{GID}\xspace}
\providecommand*{\SMP}{\acro{SMP}\xspace}
\providecommand*{\API}{\acro{API}\xspace}
\title{DHCP and DNS}
\author{Nick Urbanik \texttt{}\\
  \footnotesize{}Copyright Conditions: GNU FDL (see \url{http://www.gnu.org/licenses/fdl.html})}
\institution{A computing department}
\slideCaption{OSSI---DHCP and DNS}
%%\Logo{\includegraphics[width=15mm]{ict-logo-smaller}}

\begin{document}
\maketitle

\begin{slide}{DHCP and DNS}
  \begin{center}
    \LARGE{}Dynamic Host Configuration Protocol (DHCP)\\
    and\\
    Domain Name System (DNS)\\
    Nick Urbanik\\
    Copyright Conditions: GNU FDL (see \url{http://www.gnu.org/licenses/fdl.html})
  \end{center}
  \begin{center}
    Organising computers in a large network
  \end{center}
  \begin{center}
    Reference books:
  \end{center}
  \begin{center}
    \textit{The DHCP Handbook}, Ralph Droms \& Ted Lemon, 2$^{\mathrm{nd}}$ edition
  \end{center}
  \begin{center}
    \textit{DNS and Bind}, Paul Albitz and Cricket Liu, 4$^{\mathrm{th}}$ edition
  \end{center}
\end{slide}

\begin{slide}{DHCP: Why?}
  \begin{itemize}
  \item Manually assigning IP addresses (the alternative to DHCP) causes:
    \begin{itemize}
    \item More work to set up
    \item Much more work to change
    \item IP address conflicts
    \item Unsatisfied users who configure their own machines to cause more conflicts
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{DHCP: Why not?}
  \begin{itemize}
  \item Last year, on many Tuesday afternoons, our laboratories were disrupted by ``network failure''
  \item This was caused by project students running DHCP servers on our network,
  \item \ldots{}and also by a small router running a DHCP server, accidentally plugged into our campus network
  \item Solution: when we detect this, run Ethereal listening on ports 67 and 68
  \item Identify the culprit, and turn off the rogue server
  \end{itemize}
\end{slide}

\begin{slide}{What can DHCP do?}
  \begin{itemize}
  \item Current standard DHCP servers can:
    \begin{itemize}
    \item Allocate all IP parameters
    \item Divide hosts into classes, based on many criteria, such as:
      \begin{itemize}
      \item Manufacturer
      \item Explicitly putting individual machines into different classes
      \item Whether the machine is registered
      \end{itemize}
    \item Offer different parameters to machines in different classes
    \item Dynamically update DNS servers
    \item Support a DHCP failover protocol
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{Internet Software Consortium: ISC DHCP}
  \begin{itemize}
  \item ISC makes \textit{reference implementations} of DNS and DHCP
  \item Available from \url{http://www.isc.org/}
  \item Implemented by people directly involved with the standardisation process
  \item Provide the most standards compliant, most feature-rich implementations
  \item ISC DHCP server is very robust
    \begin{itemize}
    \item Computer Centre in TY used MS DHCP on NT 4
    \item Crashed twice, with complete loss of the database containing the MAC addresses of all computers on campus
    \item Out of action for two days at a time, with long sessions of manually retyping all the data again
    \item Replaced with a system based on the ISC DHCP server on a 486
    \item Has worked well ever since (no down time)
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{Characteristics of DHCP}
  \begin{itemize}
  \item \emph{All} communication is initiated by the client
  \item Uses UDP on port 68 for the client, port 67 for the server
  \item One DHCP session has a common xid (``transaction ID'' in Ethereal), randomly selected by the client
  \item Uses \emph{unicast} when the client has an IP address [and the client is \emph{not} in the REBINDING state --- see later]; \emph{broadcast} otherwise
  \item Addresses are offered from
    \begin{itemize}
    \item \emph{address pools}, or
    \item Fixed addresses allocated to particular computers
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{Leases}
  \begin{itemize}
  \item Server offers an IP address and network parameters for a limited time (called a \emph{lease})
  \item In practice, leases may vary from 30 minutes to a week or so
  \item Short lease:
    \begin{itemize}
    \item Clients get updated parameters quickly
    \item Essential if there are more clients than addresses
    \item Requires more processing power on the server
    \end{itemize}
  \item Long lease:
    \begin{itemize}
    \item More reliable (clients may continue to operate for a week after the DHCP server fails)
    \item But it takes longer for all clients to get new settings if they change
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{(Some) Standards for DHCP}
  \begin{itemize}
  \item RFC 2131 --- Basic DHCP operation
    \begin{itemize}
    \item Excerpts from this appear in exams!
    \end{itemize}
  \item RFC 2132 --- DHCP options: a list of the kinds of things a client can ask a DHCP server for
  \item IETF Drafts:
    \begin{itemize}
    \item draft-ietf-dhc-authentication-14.txt
      \begin{itemize}
      \item Supports authentication between clients and servers
      \end{itemize}
    \item draft-ietf-dhc-dhcp-dns-12.txt
      \begin{itemize}
      \item Interaction between DHCP and DNS servers
      \end{itemize}
    \item draft-ietf-dhc-failover-07.txt
      \begin{itemize}
      \item Supports failover between 2 DHCP servers
      \end{itemize}
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{DHCP Messages 1}
  \begin{itemize}
  \item DHCPDISCOVER --- from client
    \begin{itemize}
    \item Client has no address, and is asking for a new one
    \end{itemize}
  \item DHCPOFFER --- from server
    \begin{itemize}
    \item Offer of an address and other parameters
    \end{itemize}
  \item DHCPREQUEST --- from client
    \begin{itemize}
    \item Client asks if it can use the offered address and parameters
    \end{itemize}
  \item DHCPACK --- from server
    \begin{itemize}
    \item Server says ``yes, go ahead, this address and these parameters are yours; the lease starts now.''
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{DHCP Messages 2}
  \begin{itemize}
  \item DHCPNAK --- from server
    \begin{itemize}
    \item ``No, you may not have that address; go to the INIT state''
    \end{itemize}
  \item DHCPDECLINE --- from client
    \begin{itemize}
    \item Client has detected that another machine is using the offered address, and tells the server about this problem
    \end{itemize}
  \item DHCPRELEASE --- from client
    \begin{itemize}
    \item Server expires the lease immediately
    \end{itemize}
  \item DHCPINFORM --- from client
    \begin{itemize}
    \item Client already has an IP address, but wants other network settings from the server
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{State Diagram for DHCP protocol}
  \begin{itemize}
  \item See page 34 of RFC 2131 for a more complete state diagram.
  \end{itemize}
\end{slide}

\begin{slide}{DHCP Client States 1}
  \begin{itemize}
  \item INIT (client is booting)
    \begin{itemize}
    \item No IP address yet.
    \item Next message from the client will be a broadcast DHCPDISCOVER.
    \end{itemize}
  \item INIT-REBOOT (has an unexpired lease)
    \begin{itemize}
    \item Has an IP address, but is not using it
    \item Client will next broadcast DHCPREQUEST
    \item Will move to the BOUND state if there is no response
    \end{itemize}
  \item SELECTING (has received at least one DHCPOFFER)
    \begin{itemize}
    \item Waiting for any other DHCPOFFERs
    \end{itemize}
  \item BOUND (client has an address)
    \begin{itemize}
    \item Initiated by the client receiving DHCPACK in reply to DHCPREQUEST
    \item Send no more messages until T1 (renewal time, configured in the client by the server)
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{DHCP Client States 2}
  \begin{itemize}
  \item RENEWING (client has reached \emph{renewal time} T1 in the BOUND state)
    \begin{itemize}
    \item Client \emph{unicasts} DHCPREQUEST to the server
    \item Server \emph{unicasts} DHCPACK to the client
    \item T1 = lease time / 2
    \end{itemize}
  \item REBINDING (client has reached \emph{rebinding time} T2 without a DHCPACK from the server)
    \begin{itemize}
    \item Client broadcasts DHCPREQUEST
    \item Client is looking for another server
    \item T2 = lease time * 7/8
    \end{itemize}
  \item If the lease expires, the client goes back to the INIT state
    \begin{itemize}
    \item Any network connections are lost---bad for users!! Don't let it happen to them!
    \end{itemize}
  \end{itemize}
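The slides describe finding rogue DHCP servers by watching UDP ports 67 and 68 in Ethereal. As an added example that is not part of the original slides, the following Python decodes DHCP messages (the BOOTP fixed fields plus the RFC 2132 options), reads the message type listed above from option 53, and flags any DHCPOFFER, DHCPACK or DHCPNAK whose server identifier (option 54) is not in an assumed allow-list of authorised servers. The packets, the authorised server address and the stray-router address are all constructed sample input.

```python
# Added example (not from the slides): decode DHCP messages as a capture on ports 67/68
# shows them and flag OFFER/ACK/NAK replies whose server-identifier is unauthorised.
import struct
from ipaddress import IPv4Address
COOKIE = b"\x63\x82\x53\x63"                   # RFC 2131 magic cookie after the 236-byte header
TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
         5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}

def parse_dhcp(pkt):
    """Return op, xid, yiaddr, chaddr and the RFC 2132 options of one UDP payload."""
    if len(pkt) < 240 or pkt[236:240] != COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", pkt[:8])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:      # option 255 ends the option list
        if pkt[i] == 0:                        # option 0 is a pad byte with no length
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": op, "xid": xid, "yiaddr": str(IPv4Address(pkt[16:20])),
            "chaddr": pkt[28:28 + hlen].hex(":"), "opts": opts}

def classify(pkt, authorised):
    """Return (message type, verdict): 'client', 'ok' or 'ROGUE <server-id>'."""
    m = parse_dhcp(pkt)
    mtype = TYPES.get(m["opts"].get(53, b"\0")[0], "UNKNOWN")
    if mtype not in ("DHCPOFFER", "DHCPACK", "DHCPNAK"):
        return mtype, "client"                 # only server replies are judged
    sid = m["opts"].get(54)                    # server identifier option
    server = str(IPv4Address(sid)) if sid else "no-server-identifier"
    return mtype, "ok" if server in authorised else "ROGUE " + server

def build_reply(mtype, xid, server_id, yiaddr="0.0.0.0"):
    """Constructed server reply (op=2) used as sample input; not a captured packet."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, xid, 0, 0, b"\0" * 4,
                        IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4)
    chaddr = bytes.fromhex("0008021d8772") + b"\0" * 10    # a MAC from the slides
    opts = bytes([53, 1, mtype, 54, 4]) + IPv4Address(server_id).packed + b"\xff"
    return fixed + chaddr + b"\0" * 192 + COOKIE + opts    # 192 = sname + file fields

def audit(packets, authorised):
    """[(xid, type, verdict)] for every server reply that is not from an authorised server."""
    rows = [(parse_dhcp(p)["xid"],) + classify(p, authorised) for p in packets]
    return [r for r in rows if r[2].startswith("ROGUE")]
AUTHORISED = {"172.19.64.52"}                  # assumed: the one legitimate DHCP server
SAMPLES = [build_reply(2, 0x3903F326, "172.19.64.52", "172.19.123.7"),  # genuine OFFER
           build_reply(6, 0x3903F326, "192.168.1.1")]                   # NAK from a stray router
```

A reply that carries no server identifier is reported as rogue too, since a conforming server always includes option 54 in OFFER, ACK and NAK.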
\end{slide}

\begin{slide}{Obtaining an initial configuration}
  \begin{itemize}
  \item The client is booting, with no IP lease
  \end{itemize}
\end{slide}

\begin{slide}{Confirming an IP Address when restarting}
  \begin{itemize}
  \item The client's lease has not expired
  \end{itemize}
\end{slide}

\begin{slide}{Extending a lease}
  \begin{itemize}
  \item Lease is extended at T1, before it expires
  \item Unicast, because the address is valid
    \begin{itemize}
    \item Only case of unicast in the DHCP protocol
    \end{itemize}
  \item T1 = leasetime/2
  \end{itemize}
\end{slide}

\begin{slide}{Moving a computer to a new subnet}
  \begin{itemize}
  \item Refuse the old address, issue a new one
  \end{itemize}
\end{slide}

\begin{slide}{Problems on the Network}
  \begin{itemize}
  \item Often a computer has a bad configuration
  \item Faulty hardware may also cause excessive resending of bad packets
  \item Less often, a person may be doing something naughty on purpose!
  \item Need some way to:
    \begin{itemize}
    \item Track the location of a computer on the network
    \item Determine if a computer is managed by the company or is a notebook brought in by a visitor
    \end{itemize}
  \item Want some way to register company machines
  \end{itemize}
\end{slide}

\begin{slide}{Ways of using DHCP}
  \begin{itemize}
  \item There are two fundamentally different ways of using DHCP
  \item Typified by the implementations in Campus, and in ICT (till yesterday)
    \begin{itemize}
    \item (both implemented by Nick!)
    \end{itemize}
  \item Fixed addresses for registered clients (Campus network)
  \item Dynamic addresses for all comers (ICT till recently)
  \item Better: can provide automatic registration for clients: see chapter 20 of \textit{The DHCP Handbook}
  \end{itemize}
\end{slide}

\begin{slide}{/etc/dhcpd.conf}
  \begin{itemize}
  \item This plain text configuration controls the behaviour of the ISC DHCP server
  \item ISC DHCP server supports conditional statements, switch statements, substring expressions
    \begin{itemize}
    \item Almost a complete programming language!
    \end{itemize}
  \end{itemize}
  \begin{itemize}
  \item This text file can be generated by software (Perl programs are often used)
  \end{itemize}
\end{slide}

\begin{slide}{dhcpd.leases}
  \begin{itemize}
  \item This plain text file is generated by the DHCP server
  \item Can be parsed by a Perl program
  \item Can be used to determine the MAC address of an unregistered computer
  \end{itemize}
\end{slide}

\begin{slide}{Advantage of text configuration}
  \begin{itemize}
  \item Text can be easily generated by a program
  \item Can be easily checked by a human
  \item Microsoft DHCP server configuration and lease information is in an undocumented binary format
    \begin{itemize}
    \item Reduces what can be done with it
    \item Makes it hard to enter large amounts of information about many computers
    \item Experience at Tsing Yi Computer Centre
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{host records with fixed address}
  \begin{itemize}
  \item Can specify a fixed address for particular hosts:
  \end{itemize}
\begin{alltt}
# Machine type = COMPAQ DESKPRO Laboratory = A204c
host a204c-03 \{
  hardware ethernet 00:01:03:44:1d:62;
  fixed-address 172.19.80.003;
\}
# Machine type = COMPAQ DESKPRO Laboratory = A204c
host a204c-04 \{
  hardware ethernet 00:01:03:45:2d:8f;
  fixed-address 172.19.80.004;
\}
\end{alltt}
  \begin{itemize}
  \item Can generate these with a Perl program
  \end{itemize}
\end{slide}

\begin{slide}{Method used by Computer Centre}
  \begin{itemize}
  \item Uses Samba, ISC DHCP
  \item Documented on our web site; see the link to ``DHCP and DNS System'': \url{http://nicku.org/snm/dhcp-dns-system/}
  \end{itemize}
\end{slide}

\begin{slide}{Older method used in ICT: free for all!}
  \begin{itemize}
  \item Each client is offered:
    \begin{itemize}
    \item An address in the range 172.19.123.1 to 172.19.127.200
    \item Netmask /18
    \item Default gateway 172.19.127.254
    \item Domain name tyict.vtc.edu.hk
    \item Name servers 172.19.64.52, 202.40.209.220
    \item WINS servers 192.168.68.240, 202.20.100.226
    \item NTP server ntp.tyict.vtc.edu.hk
    \item A lease of 2 hours (7200 seconds, i.e., 7200 / 3600 hours)
    \end{itemize}
  \item The DHCP server attempts to create a DNS record for the client
  \item A separate log file will be created (see man syslog)
  \end{itemize}
\end{slide}
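The dhcpd.leases and host-record slides above say that these files can be parsed and generated by a Perl program, and the registration application described later does exactly that: it looks up the MAC address behind an IP address in the leases file and adds a host record to /etc/dhcpd.conf. As an added example (in Python rather than Perl, and not code from the slides or from the Computer Centre system), the following parses a constructed dhcpd.leases fragment, finds the current MAC address for an IP address, renders the host declaration, and appends it to a dhcpd.conf text unless that MAC is already a known host.

```python
# Added example (not from the slides): find the MAC behind an IP address in dhcpd.leases
# and emit the host block the registration application adds to /etc/dhcpd.conf.
import re
from datetime import datetime
# Constructed leases fragment; later entries for the same IP supersede earlier ones.
SAMPLE_LEASES = """\
lease 172.19.120.17 {
  ends 2 2003/03/11 02:12:00;
  hardware ethernet 00:08:02:1c:1c:43;
}
lease 172.19.120.17 {
  ends 2 2003/03/11 02:13:00;
  hardware ethernet 00:08:02:1d:87:72;
}
"""
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(r"^\s*(hardware ethernet|ends)\s+(.*?);", re.M)
FMT = "%Y/%m/%d %H:%M:%S"

def parse_leases(text):
    """Map IP address -> its latest lease record (field -> value), as dhcpd reads the file."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        leases[ip] = {k: v.strip() for k, v in FIELD_RE.findall(body)}   # last one wins
    return leases

def mac_for_ip(leases, ip, now):
    """MAC currently leased to ip, or None if there is no lease or it ended before now."""
    rec = leases.get(ip, {})
    ends = rec.get("ends", "never")           # 'weekday yyyy/mm/dd hh:mm:ss' (UTC) or 'never'
    if "hardware ethernet" not in rec:
        return None
    if ends != "never" and datetime.strptime(ends[2:], FMT) < datetime.strptime(now, FMT):
        return None
    return rec["hardware ethernet"].lower()

def host_declaration(name, mac, fixed_address=None):
    """Render the dhcpd.conf host block that makes this MAC a known host."""
    lines = ["host %s {" % name, "  hardware ethernet %s;" % mac]
    if fixed_address:                          # registered hosts may get a fixed address
        lines.append("  fixed-address %s;" % fixed_address)
    return "\n".join(lines + ["}"])

def register(conf_text, leases, ip, name, now, fixed_address=None):
    """Return conf_text with a host block for the MAC behind ip appended, unless already known."""
    mac = mac_for_ip(leases, ip, now)
    if mac is None:
        raise LookupError("no current lease for %s" % ip)
    if re.search(r"hardware ethernet\s+%s\s*;" % re.escape(mac), conf_text, re.I):
        return conf_text                       # already a known host: do not add a duplicate
    return conf_text.rstrip("\n") + "\n" + host_declaration(name, mac, fixed_address) + "\n"
```

The `now` argument is a timestamp in the same `yyyy/mm/dd hh:mm:ss` form that dhcpd writes, so an expired lease is never used to register a machine that may since have been given a different address.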
\begin{slide}{Older method used in ICT: free for all!}
\begin{alltt}
authoritative;
log-facility local1;

option domain-name "tyict.vtc.edu.hk";
ddns-update-style interim;
option netbios-name-servers 192.168.68.240, 202.20.100.226;
option domain-name-servers 172.19.64.52, 202.40.209.220;
option ntp-servers ntp.tyict.vtc.edu.hk;
subnet 172.19.64.0 netmask 255.255.192.0 \{
  option routers 172.19.127.254;
  max-lease-time 7200;
  default-lease-time 7200;
  range 172.19.123.1 172.19.127.200;
\}
\end{alltt}
\end{slide}

\begin{slide}{Troubleshooting DHCP 1}
  \begin{itemize}
  \item Our major problem: unauthorised DHCP servers giving DHCPNAK to all requests
  \item Solution: use \textbf{ethereal} in promiscuous mode with the filter \textbf{port 67 or port 68}
  \item Examine the packets from the rogue server
  \item Use \textbf{xnmap} to gather more information about the rogue server
  \item Now go and talk with the person responsible
  \end{itemize}
\end{slide}

\begin{slide}{Troubleshooting DHCP 2}
  \begin{itemize}
  \item Other problems:
    \begin{itemize}
    \item Examine the dhcpd log using \texttt{tail -f}
      \begin{itemize}
      \item Shows all DHCP messages received and sent by the server
      \end{itemize}
    \item Examine the log on the client
    \item Use tcpdump or ethereal to collect data
      \begin{itemize}
      \item Analyse it in Ethereal
      \item Compare with the client state diagram
      \item Compare with normal, expected behaviour
      \end{itemize}
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{Automatic Client Registration}
  \begin{center}
    Making it easy for customers to register their computers
  \end{center}
  \begin{center}
    Avoiding manually misconfigured settings
  \end{center}
\end{slide}

\begin{slide}{Automatic Client Registration}
  \begin{itemize}
  \item It is good to be able to map IP addresses to particular computers (and users)
  \item Often computers cause trouble without the user being aware
    \begin{itemize}
    \item e.g., project students with rogue DHCP servers
    \end{itemize}
  \item Want convenience for user and sysadmin
  \item Can use the ISC DHCP server to implement such an automatic registration system.
  \end{itemize}
  \begin{itemize}
  \item Depends on dividing IP hosts into two \textit{classes}: known and unknown.
  \end{itemize}
\end{slide}

\begin{slide}{ISC DHCP host declarations}
  \begin{itemize}
  \item The file /etc/dhcpd.conf controls the behaviour of the ISC DHCP server
  \item It may be edited by external programs, and host statements may be added:
  \item Examples:
  \end{itemize}
\begin{alltt}
host a204-16 \{
  hardware ethernet 00:08:02:1d:87:72;
\}
host a204-17 \{
  hardware ethernet 00:08:02:1d:87:02;
\}
host a204-18 \{
  hardware ethernet 00:08:02:1c:1c:43;
\}
\end{alltt}
\end{slide}

\begin{slide}{Known and unknown hosts}
  \begin{itemize}
  \item A host is \textit{known} if it has a host declaration
  \end{itemize}
\begin{alltt}
subnet 172.19.64.0 netmask 255.255.192.0 \{
  option routers 172.19.127.254;

  # Unknown clients get this pool.
  pool \{
    option domain-name-servers bogus.tyict.vtc.edu.hk;
    max-lease-time 120;
    range 172.19.120.0 172.19.122.255;
    allow unknown clients;
  \}

  # Known clients get this pool.
\end{alltt}
\begin{alltt}
  pool \{
    option domain-name-servers ns.tyict.vtc.edu.hk;
    max-lease-time 28800;
    range 172.19.123.1 172.19.127.200;
    deny unknown clients;
  \}
\}
\end{alltt}
\end{slide}

\begin{slide}{Known and unknown hosts}
  \begin{itemize}
  \item So the hosts a204-16, a204-17 and a204-18 get full parameters
  \item Others (without a host declaration) get
    \begin{itemize}
    \item A short lease
    \item A bogus name server that redirects all web access to a registration server
    \end{itemize}
  \item Block the IP addresses of unknown hosts at the firewall
    \begin{itemize}
    \item They get no Internet access
    \item Users are motivated to register
    \end{itemize}
  \end{itemize}
\end{slide}

\begin{slide}{The registration server}
  \begin{itemize}
  \item All unregistered hosts get a ``bogus'' name server that maps all hostnames to itself
  \item The web browser will go to the registration application, no matter what URL is entered
  \item The registration application edits /etc/dhcpd.conf on the DHCP server
    \begin{itemize}
    \item Adds the host as a \textit{known host}
    \item Gets the information from the DHCP lease
    \end{itemize}
  \item User just needs to enter their user name and LDAP password
  \end{itemize}
\end{slide}

\begin{slide}{Registration Application}
  \begin{itemize}
  \item A web application
  \item User interface is very simple --- enter only:
    \begin{itemize}
    \item user name
    \item password
    \end{itemize}
  \item Application knows the IP address from the web server
  \item Looks up the MAC address from the DHCP leases file
  \item Edits /etc/dhcpd.conf, adds a host record
  \item Can assign a fixed or dynamic address
  \end{itemize}
\end{slide}

\begin{slide}{Registered computer}
  \begin{itemize}
  \item Now the client can either reboot, or wait 60 seconds to T1, and get a long term lease
  \item The machine becomes a ``known host''
  \item Client can now access the Internet conveniently
  \item Could extend this by adding the MAC address to the access control list of the appropriate port on the main switch
    \begin{itemize}
    \item Unregistered computers blocked by the switch
    \item Enforces limiting access to registered computers only
    \end{itemize}
  \end{itemize}
\end{slide}

\end{document}