Dynamic DNS in the Lab

Posted by Brad on Sat 28 July 2018

I've gone through a number of provisioning methods in the lab. Foreman/Katello is nice but a bit overkill for my needs. I also tried using ansible to generate kickstart files, but that was a little too clunky. So lately I've just been using a basic VM template and manually allocating and assigning IPs/hostnames in dns. Well, I've been trying to figure out how to streamline this. Initially, I was thinking of having a script or ansible update the zone files on the dns server. Then I wondered if terraform could do it, and sure enough it can. But this only solved half the problem; I still needed a method to assign IPs. I don't have (or need) a fancy IPAM tool, but I do have a nice OPNsense firewall that can do dhcp. Even better, the OPNsense dhcp server can do dynamic dns as well, so I don't even need to worry about terraform. So here's how I configured dynamic dns in my lab to further streamline VM provisioning.

Configuring the DNS Server

I'm using a basic setup of BIND on CentOS 7 for my dns server, and won't cover that here. To start we'll need a secret key to allow updates. Most will recommend using dnssec-keygen, but that isn't really necessary (the TSIG secret is just base64 of whatever bytes you choose), and OPNsense didn't like the key when I used it, so instead I ran echo random_string | openssl enc -a to get a base64-encoded string. Now that we have that we can add the key and the new dynamic zone to /etc/named.conf:

// TSIG key shared with the OPNsense dhcp server; the secret must match on both sides
key my.key {
        algorithm hmac-md5;
        secret "cmFuZG9tX3N0cmluZwo=";
};
// only updates signed with my.key are accepted for this zone
zone "myzone.lab" IN {
        type master;
        file "myzone.lab";
        allow-update { key "my.key"; };
};

Now we need to create the zone file. In my case I copied one of my others as a template, but some of this may not be necessary. In /var/named/myzone.lab:

$ORIGIN myzone.lab.
$TTL 300        ; 5 minutes
; the owner name needs the trailing dot (or "@"); a relative "myzone.lab"
; would be read as myzone.lab.myzone.lab. and the zone would fail to load
myzone.lab.       IN SOA  dns1.my.lab. hostmaster.my.lab. (
                                2018072800 ; serial
                                21600      ; refresh (6 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                300        ; minimum (5 minutes)
                                )
                        NS      dns1.my.lab.

During initial testing I came across an interesting security feature. In addition to updating the zone file itself, named also creates .jnl journal files to store changes temporarily. The named user doesn't have write access to /var/named by default, so it'll spit out the somewhat cryptic create: permission denied in /var/log/messages after having accepted the secret key from the client. The usual fix on CentOS is to keep dynamic zone files in /var/named/dynamic/, which the bind package creates writable by named, and point the file directive there rather than opening up /var/named itself.

Configure the Firewall

The OPNsense configuration is even easier. Simply go to the dhcp configuration for the interface you want to enable it on and fill in the dynamic dns settings matching what we did above and save the changes.

Testing it Out

Configure a client for dhcp and tail /var/log/messages on the dns server and you'll see it process the update. You should then see the new record appear in the zone file and be able to query it.
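If you'd rather check the update path before involving dhcp at all, the following added example (my own, not part of the original post) sends a TSIG-signed update with nsupdate and verifies it with dig. It assumes the server dns1.my.lab, the key name and secret from named.conf above, and a constructed test record; the key is written to a temporary file so the secret never appears in the process list.

```shell
#!/bin/sh
# Added example: exercise allow-update from a Linux host with bind-utils
# (nsupdate, dig), independent of the OPNsense dhcp server.
DNS_SERVER="dns1.my.lab"
ZONE="myzone.lab"
KEY_NAME="my.key"
KEY_SECRET="cmFuZG9tX3N0cmluZwo="   # must match the key stanza in named.conf
TEST_HOST="ddns-test"               # constructed test record, not from the post
TEST_IP="10.0.0.250"                # constructed
TTL=300

# Build the nsupdate batch for one A record. "update delete" first makes the
# script idempotent; trailing dots keep every name absolute.
render_nsupdate_script() {
    host=$1; ip=$2; op=${3:-add}
    printf 'server %s\n' "$DNS_SERVER"
    printf 'zone %s.\n' "$ZONE"
    printf 'update delete %s.%s. A\n' "$host" "$ZONE"
    if [ "$op" = add ]; then
        printf 'update add %s.%s. %s A %s\n' "$host" "$ZONE" "$TTL" "$ip"
    fi
    printf 'send\n'
}

# Same key stanza as named.conf, in the format nsupdate -k expects.
write_keyfile() {
    printf 'key "%s" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' \
        "$KEY_NAME" "$KEY_SECRET"
}

# Sign and send the update; the key file lives only for the call.
send_update() {
    kf=$(mktemp) || return 1
    write_keyfile > "$kf" && chmod 600 "$kf"
    render_nsupdate_script "$@" | nsupdate -k "$kf"; rc=$?
    rm -f "$kf"; return $rc
}

# Ask the authoritative server directly, bypassing any resolver cache.
lookup() { dig +short @"$DNS_SERVER" "$1.$ZONE" A; }

# Round trip: add, verify, clean up. Run as: sh ddns-check.sh run
if [ "${1:-}" = run ]; then
    send_update "$TEST_HOST" "$TEST_IP" add || exit 1
    got=$(lookup "$TEST_HOST")
    [ "$got" = "$TEST_IP" ] || { echo "expected $TEST_IP, got '$got'" >&2; exit 1; }
    echo "dynamic update accepted: $TEST_HOST.$ZONE -> $got"
    send_update "$TEST_HOST" "" delete
fi
```

A rejected key shows up as a TSIG/BADKEY refusal from nsupdate, and the permission problem from the previous section shows up on the server side only, so keep /var/log/messages open on dns1 while you run it.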

Conclusion

You can see now we've eliminated several manual steps: the need to pick an IP address, update the dns zone, and configure the IP on the new server. The last piece of the puzzle will be getting vCenter to set the hostname when I deploy the template, but this is enough for one day.

tags: dns, opnsense