Legal Notices
Read this page to ascertain important legal information and warnings.
Copyright
Copyright 2000-2008, BlueCat Networks (USA) Inc. All rights reserved. Company names and/or data used in screens and sample output are fictitious, unless otherwise stated.
Trademarks
BlueCat Networks, the BlueCat Networks logo, Adonis, the Adonis logo, Meridius, the Meridius logo, Proteus, and the Proteus logo are trademarks of BlueCat Networks (USA) Inc. Java and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. Linux is a registered trademark of Linus Torvalds. Windows is a registered trademark of Microsoft Corporation. Intel and Pentium are registered trademarks of Intel Corporation. RPD is a trademark of Commtouch Software Ltd. All other product and company names are registered trademarks or trademarks of their respective holders.
Export Warning
This is a Class A product. In a domestic environment, this product may cause radio interference, in which case you may be required to take appropriate measures.
FCC Compliance
This equipment generates, uses, and may emit radio frequency energy. This equipment has been type tested and found to comply with the limits for a Class A digital device pursuant to part 15 of FCC rules that are designed to provide reasonable protection against such radio frequency interference. Operation of this equipment in a residential area may cause interference that may require you to take reasonable measures to correct at your expense. Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.
Disclaimer
Read this guide before installing or using the product. For more information, see other relevant documents in the distribution. Failure to follow the prescribed instructions will void the product warranty. BlueCat Networks (USA) Inc. (BlueCat) has granted you the right to use this manual. BlueCat believes the information it furnishes to be accurate and reliable, but BlueCat assumes no responsibility for, or arising out of, your use of the manual except to the extent expressly set out in the end-user agreement (EUA) associated with the product. No license is granted by implication or otherwise under any patent, copyright or other intellectual property right of BlueCat Networks (USA) Inc. except as specifically described in the above noted EUA. BlueCat Networks (USA) Inc. reserves the right to change specifications at any time without notice.
Contents
Preface ..... 9
Chapter 1: Introduction
DNS and DHCP ..... 11
Adonis Overview ..... 11
How is Adonis Organized? ..... 11
Two Consoles: Two Tasks ..... 12
Project Files ..... 12
Deployment ..... 12
Security ..... 12
IPv6 Support ..... 12
Advanced Implementations ..... 13
Adonis and Proteus IPAM ..... 13
Version 5.5
Setting up an Initial DNS Service ..... 73
Selecting a DNS Network Architecture ..... 73
Opening and Saving Files ..... 84
Checking Files Into and Out Of an Adonis Server ..... 85
Modifying File Location Settings ..... 88
Editing a Project File ..... 88
Adding Servers ..... 89
Checking and Correcting a File ..... 90
Checking the Data ..... 91
Modifying Data Check Issue Settings ..... 91
Deploying the Project File ..... 92
Importing a Project ..... 96
Importing from a Previous Version ..... 96
Integrating Active Directory ..... 130
Enabling Active Directory Support ..... 130
Windows Active Directory Synchronization ..... 131
Checking the Data ..... 132
Data Check ..... 132
Using the DNS Fixup Wizard ..... 132
Live Data Check ..... 135
The Whois Lookup Tool ..... 136
DNS Configuration Statistics ..... 139
Transaction Signatures ..... 140
DNS Queries ..... 144
Using BIND Views ..... 144
Managing Access Control Lists ..... 146
Query Logging ..... 148
DNS and IPv6 ..... 151
AAAA Records ..... 151
Reverse Lookup ..... 152
NS Records ..... 153
Mixed Environments ..... 153
Recommended Topologies ..... 215
Setting Up DHCP Failover ..... 218
Configuring DHCP Failover on a Pool ..... 219
Modifying Settings for a Failover Pool ..... 220
Index ..... 245
Preface
Welcome to the Adonis Administration Guide. This guide explains how to add an Adonis appliance to your network and how to administer it on an ongoing basis.
References
Working with a DNS/DHCP system requires in-depth knowledge of many subject areas, including DNS, DHCP, and general networking. The following references are provided for readers who require more background knowledge before working with Adonis:
The DHCP Handbook by Ralph Droms and Ted Lemon, SAMS Publishing, ISBN 0-67232-327-3
Pro DNS and BIND by Ron Aitchison, Apress, ISBN 1-59059-494-0
DNS and BIND by Paul Albitz and Cricket Liu, O'Reilly Media, ISBN 0-596-00158-4
The Internet Systems Consortium website (www.isc.org). This site also hosts the BIND FAQ at www.isc.org/sw/bind.
Typographic Conventions
This guide uses the following conventions:
Bold Bold blue Command line options and user input to be typed. Button names, fields, tabs, and icons in the user interface. Cross references and hypertext links within the document. Hypertext links to external URL entries. Source code examples and terminal output. Variables in code examples.
Normal Italic
New terms being defined. Emphasis within a concept description. Dialog box, window, and screen names. This icon appears alongside a Caution. Cautions usually appear where performing an action may be dangerous to the user or to the equipment, or where data may be corrupted or incomplete if the caution is not observed. This icon appears alongside a Note. Notes give additional detail about the material presented in concepts and procedures. This icon appears alongside a Tip. Tips are similar to Notes and suggest alternative ways to accomplish a task or provide ideas for using the product in the most effective way.
Chapter 1
Introduction
The Internet has grown to the point where it is indispensable. During this period of growth another phenomenon has occurred: Internet Protocol (IP)-based networks supplanted almost all other ISO layer 3 networking technologies. However, increased complexity and security issues can threaten the viability of these technologies and their use within critical corporate infrastructures. These networks were often constructed on an ad hoc basis, and further management and planning are required to manage and secure them properly. The Internet and other IP-based networks depend on the idea of a unique IP address to route data between network clients. These addresses are organized into smaller blocks or subnets as a means of delegating maintenance to different organizations.
Adonis Overview
Adonis is an appliance server. It is designed to be intuitive, even for users who have very little background knowledge, but it also contains the advanced tools and settings required by DNS and DHCP experts. Adonis is the logical next generation of DNS/DHCP service provision. It is designed on a secure hardware platform, with a firewall-grade operating system. Updates to the software and operating system are completely automated and encrypted thanks to the known hardware and software combinations implicit with appliances.
The Adonis appliance operates with very few open ports; it includes an encrypted control port for connecting it to the Management Console on the administrator's PC. Ports are opened only if they are required for the project being deployed on the appliance. Operating behind this dynamically configured packet-filtering firewall, the Adonis appliance is well suited to network conditions anywhere, including hostile environments such as DMZs or the Internet. The BlueCat Networks Linux-based operating system is stripped down to its essential code, so the kernel does not load new modules during runtime. The DNS daemon (service) also runs in a chroot jailed environment to prevent the server from being compromised in the highly unlikely event that the service is breached.
Project Files
Adonis stores configurations in project files (file extension .dns) that contain all the settings the appliance needs. The Management Console uses project files to reload the server and service settings saved from a previous session.
Deployment
Adonis separates the design phase of DNS and DHCP rollouts from the actual production environment. You can design and test several different network models before going live. Because deployment is available on an ad hoc basis, configuration changes have minimum impact on service availability.
Security
The Adonis appliance is extremely safe and is designed to operate in the most exposed network environments. For information about specific Adonis appliance safety measures, see Appliance Management on page 35.
IPv6 Support
Adonis includes support for IPv6 addresses. IPv6 is designed to replace IPv4 by conserving its proven and established mechanisms, discarding its known limitations, and extending its scalability and flexibility. IPv6 is designed to handle the growth rate of the Internet while providing reliable service. In most cases, Adonis accepts IPv6 input in the same places as it accepts IPv4 input. Where the two types of address work slightly differently, these differences are noted in the documentation.
Advanced Implementations
Adonis is easily configured through the Management and Administration Consoles, but some advanced configurations require expert advice. BlueCat Networks support and professional services personnel are trained to analyze these situations and provide resources for customers. For more information about these services, ask your BlueCat Networks account manager. BlueCat Networks provides online and on-site training resources. Pre-defined courses can be arranged in certain major cities, or at your location. Professional Services provide advanced network analysis, design, and configuration both remotely and on-site. These resources and services should be considered in addition to the information provided in this guide. White papers and other materials are available to registered users through the Resource Center on our public web site (http://www.bluecatnetworks.com). Registration is free, and access is immediate. These white papers discuss topics that are beyond the scope of this document, such as high availability and VoIP.
Chapter 2
Administration Console
The Adonis Administration Console controls the functionality of your appliance. This chapter includes the following topics: Using the Adonis Administration Console on page 15 introduces the Administration Console. Main Mode on page 16 describes Main mode commands. Configuration Mode on page 16 describes Configuration mode commands.
Main Mode
When you log in to the Administration Console, you are in main mode by default. Main mode does not allow you to change many settings, so you are confined to viewing existing settings. Where you can change settings the changes take effect immediately; you can undo them only by changing the setting again.
The following list shows the full set of help possibilities:
help
help configure
help configure object
help sample
help command
Configuration Mode
Configuration mode allows you to change Adonis settings. Adonis does not apply your changes immediately, but it keeps track of them, so you can save them or discard them later. This provides a level of safety because it prevents you making inappropriate changes accidentally. Saving a setting modifies the operational state of the appliance to reflect the changes.
Configuration mode includes several separate functions:
Network configuration
Query logging configuration
Routing table configuration
Time zone configuration
NTP configuration
SNMP configuration
Syslog configuration
Anycast configuration
Each configuration function allows you to make changes only to a specific area.
Mode Help on page 16). In addition, there are help pages for specific configuration functions.
To get general help on configuration, type help configure, and then press Enter. To get help about a specific configuration function, type help configure object, and then press Enter.
You can use the up and down arrow keys to scroll through the commands you typed previously. This feature is useful when you need to repeat previous commands.
Chapter 3
Management Console
The Adonis Management Console is a client-side Java GUI application that serves as a front-end for the appliance. There is some crossover with the Administration Console because it includes some configuration functions and the Management Console contains some real-time controls for the appliance. This places the controls that you may need for any given task in the appropriate interface when you need them. This chapter includes the following topics: Getting Started on page 19 gives an overview of the Management Console. User Management and Access Control on page 23 discusses users and user access control. Configuring External Authenticators on page 29 discusses external authenticators.
Getting Started
You use the Management Console to create and deploy DNS and DHCP configurations.
You can find this executable in the home directory of the user who installed the Management Console. You can create a symbolic link or application launcher for the executable in the location of your choice.
The Toolbar
The toolbar gives you quick access to commonly used functions. The tools are organized into functional groups from left to right:
New File, Open, Save: These tools allow you to work with the Management Console files stored on your local machine.
Undo, Redo: These tools undo or redo your recent changes. Adonis maintains undo information for the actions you performed since you opened or saved the current file.
Search, Replace: These tools access the search and replacement features. Use these to navigate within a configuration or to quickly propagate a modification throughout it.
Cut, Copy, Paste: These tools cut, copy, and paste certain types of items in the tree-view and detail panes.
Rename, Delete: These tools allow you to rename and delete certain types of objects in the tree-view and detail panes.
Move Up, Move Down: These tools move certain types of objects in the tree-view pane up or down relative to their siblings in the hierarchy.
Check Data, Live Data Check: These tools access the DNS error-checking functions.
Deploy, Server Control: These allow the Management Console to connect to the Adonis appliance to distribute project file changes, gather server data, and perform server commands.
Some tabs have specific toolbars or other custom buttons. These buttons perform tasks related specifically to objects displayed in the current tab. For example, the Resource Records tab for a master DNS zone has a toolbar with a button for each type of record you can add. For more information about Resource Records, see Resource Records on page 101.
To go to an object:
1 On the toolbar click Search. The Data Navigator dialog box opens.
2 Select the Go To tab, and then type the name of the object you want to locate in the Go To field.
3 Click Go. Go To locates the object, and then the Data Navigator dialog box closes.
2 In the Search field, type the name of the object you want to find, and then click Search.
You can search for whole words, abbreviations, file name extensions, or numbers. The search tool is not case-sensitive and returns all types of objects that meet the search criteria.
3 To search only the DNS or DHCP service, click the Target down arrow, and then select the service you want to search from the drop-down list.
4 To restrict your search to specific object types, click (...). The Select Target Objects dialog box appears.
The Select Target Objects dialog box contains checkboxes for DNS or DHCP objects, depending on the service you chose in step 3.
5 Select the checkboxes for the objects you want to search, and then click OK.
6 In the Data Navigator dialog box click Search. Objects that match the search criteria appear in the results table.
7 Double-click one of the objects in the table: the object is selected in the tree-view pane.
8 Click Close.
2 Type the name of the object you want to find in the Find What field, and then click Find.
You can use whole words, abbreviations, or numbers, but not file extensions or wildcards. To make the find tool case-sensitive select the Case Sensitive checkbox.
3 To find an object by IP address, click the Type down arrow, and then select IP from the drop-down list.
4 To replace an object name or IP address, type the new information in the Replace With field, and then click Replace.
If you do not want to replace every object you found, clear the appropriate checkboxes in the Replace column.
5 Click Close.
security, the administration and deployment passwords are still required to make changes to the appliance, but changes can be made to the project file (.dns) without a password. Some network policies require that users be authenticated centrally by a single system. Adonis project file users can be authenticated either by Adonis or by an external authentication server on the network. For more information, see Configuring External Authenticators on page 29.
Managing Users
You can set and enforce user and group level access control over the project file at the server, view, and zone levels, as well as individual DNS and DHCP service levels.
2 Type the new administrator password in the Password and Re-enter Password fields. 3 Click OK. The User Management dialog box appears.
4 To enable user level access control for the project file, select the Enable user level access checkbox.
If you do not enable this feature, authentication and user management are not performed when this file is accessed.
After you enable user level access control, you are prompted to enter a user name (Administrator) and password when you close the User Management dialog box.
2 Type values in the User Name, Full Name, and Adonis Password fields. Confirm the password, and then select the applicable user options.
A user who can deploy configurations can change server settings directly, as opposed to adding changes to a project file.
User cannot change password: only an Administrator can change the user's login password.
Password must be changed next login: the current Adonis password is valid only for this login; the user must change the password.
User disabled: the user cannot log in to Adonis.
User can deploy configuration: the user has permission to deploy project files to Adonis.
Full Access: creates an Administrator user who can access the Administration menu and change any detail in the project file.
The name of the new user appears in the list on the Users and Groups tab.
3 Click OK.
Group Accounts
Group accounts make administration easier. By collecting individual users into groups you can assign the same access rights to all members in the group.
2 Type a name for the new group. To add members to the group click Add, and then select the new group members from the Users List dialog box.
3 Click OK.
2 The Change Password dialog box opens. Type the old password, the new password, and then type the new password again to confirm.
3 Click OK.
Access Control
Access rights control access to the project file. A newly created user or group has no access rights to any object within a project file. Before users can perform any actions you must assign access rights to the appropriate user or group account. You can modify the user permissions for system objects that reside within servers, views, and zones. This is a two-stage process:
adding a list of users or groups for each type of object
modifying the user permissions for each type of object
The Access Inherited From field does not appear for server objects. Views and zones always reside within server objects.
2 To add users or groups, click Add. The Add User or Group dialog box opens.
3 Select a user (or group), and then click OK. The Access Control dialog box displays the added user and the user's access rights.
4 To see the access rights available for any sub-level of the current object, click the down arrow to the right of the Filter drop-down list. The drop-down list changes depending on which object you chose in the tree-view pane. For example, the Server object shows the complete list:
All
DHCP Group
DHCP Service
DHCP Shared Network
DHCP Subnet
DHCPv6 Service
DNS Service
Master Zone
Name Server
View
5 In the Enable column of the Access Rights area, modify the rights granted to this user (or group) by selecting the appropriate checkboxes for the access rights you want to modify.
6 In the Permission column, click in one of the rows, and then select the level of access control for each kind of object from the drop-down list: Hide, Read-Only, Change, or Full.
7 Click OK.
You can replicate the attributes of parent objects to child objects by right-clicking the appropriate object in the Access Right column, and then selecting Replicate To Child Attributes.
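The access-rights model described above (no rights until granted, rights on a server or view applying to the views and zones inside it, and Replicate To Child Attributes pushing a parent's entries down) is easy to get wrong when reasoning about what a user can actually touch. The following is an added illustration written for this guide, not Adonis code: it models Server > View > Zone objects, the four permission levels, and a lookup that also reports where a right was inherited from, which is the information the Access Inherited From field shows. The resolution order (explicit entry on the object, otherwise the nearest ancestor's entry, otherwise Hide) and the sample object names are assumptions made for the example.

```python
"""Hierarchical access rights for project-file objects, modelled on the
Access Control dialog: objects nest Server > View > Zone, a principal with
no entry has no access (treated here as Hide), an entry on a parent applies
to its children until a child sets its own, and Replicate To Child
Attributes pushes a parent's entries down the tree.
Added example, not Adonis code; the resolution order is an assumption."""
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Permission(IntEnum):
    """The four levels offered in the Permission column, ordered by power."""
    HIDE = 0
    READ_ONLY = 1
    CHANGE = 2
    FULL = 3


class ProjectObject:
    def __init__(self, name: str, kind: str, parent: Optional["ProjectObject"] = None):
        self.name = name
        self.kind = kind            # e.g. "Server", "View", "Master Zone"
        self.parent = parent
        self.children: List["ProjectObject"] = []
        self.acl: Dict[str, Permission] = {}   # principal (user or group) -> Permission
        if parent is not None:
            parent.children.append(self)

    def grant(self, principal: str, perm: Permission) -> None:
        self.acl[principal] = perm

    def effective_permission(self, principal: str) -> Tuple[Permission, Optional["ProjectObject"]]:
        """Return the permission that applies here and the ancestor it was
        inherited from (None when the entry is explicit here or absent).
        Walks toward the Server object, which has no parent to inherit from."""
        node = self
        while node is not None:
            if principal in node.acl:
                source = None if node is self else node
                return node.acl[principal], source
            node = node.parent
        return Permission.HIDE, None   # new users and groups start with no rights

    def replicate_to_children(self) -> None:
        """Replicate To Child Attributes: copy this object's entries to every
        descendant, overriding whatever the descendants had set themselves."""
        for child in self.children:
            child.acl.update(self.acl)
            child.replicate_to_children()


def can(principal: str, obj: ProjectObject, action: str) -> bool:
    """action is 'view' (needs Read-Only), 'edit' (Change) or 'manage' (Full)."""
    required = {"view": Permission.READ_ONLY,
                "edit": Permission.CHANGE,
                "manage": Permission.FULL}[action]
    perm, _ = obj.effective_permission(principal)
    return perm >= required


def build_sample_tree() -> Tuple[ProjectObject, ProjectObject, ProjectObject]:
    """Constructed sample hierarchy (object names are illustrative)."""
    server = ProjectObject("ns1", "Server")
    view = ProjectObject("internal", "View", server)
    zone = ProjectObject("corp.example", "Master Zone", view)
    return server, view, zone


if __name__ == "__main__":
    server, view, zone = build_sample_tree()
    server.grant("dns-ops", Permission.CHANGE)       # group may edit everything on ns1...
    zone.grant("dns-ops", Permission.READ_ONLY)      # ...except this zone, which is read-only
    for obj in (server, view, zone):
        perm, source = obj.effective_permission("dns-ops")
        origin = f"inherited from {source.kind} {source.name}" if source else "explicit"
        print(f"{obj.kind} {obj.name}: {perm.name} ({origin})")
    print("auditor can view zone:", can("auditor", zone, "view"))  # no entry anywhere -> False
```

The point worth checking in a real project file is the last step of the sample: calling Replicate To Child Attributes on the server silently overwrites the narrower Read-Only entry that was set on the zone, so a right tightened on a child should be re-checked after any replication from its parent.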
authenticate them through an organization's existing LDAP, RADIUS, or Kerberos/Active Directory servers. Although users do not normally require a user account to log in to Adonis, when the user management sub-system is enabled they are prompted for a user name and password when opening project files. When you are creating or editing a user, you can switch authentication methods between the internal Adonis system and external systems by selecting an external authenticator. To access an external authentication server, the details of the connection to this server are consolidated in an Adonis authenticator object. You can add authenticators as part of the user management subsystem (File > User Management). When you enable user management the Authenticators tab appears in the User Management dialog box.
Enabling user management requires a login for all future sessions using this configuration in the Management Console.
If the authenticator information that is displayed does not appear to be current, you can update it by restarting the Management Console.
To add an authenticator:
1 Right-click in the empty region of the Authenticators tab, and then select New. The Add Authenticator dialog box opens. 2 Use the Add Authenticator dialog box to add authenticator objects for servers running LDAP, Radius, or Kerberos/Active Directory authentication.
The fields that appear in the Add Authenticator dialog box differ for each of the available external authentication servers.
Kerberos Authenticators
A Kerberos server issues a temporary permission ticket to an authenticated user. This ticket is authenticated and distributed using a Key Distribution Center (KDC). Kerberos authentication is also used for authentication in Microsoft Active Directory environments. For more information on integrating Adonis into Microsoft Active Directory environments, see Active Directory Integration on page 231.
Name: The name of this Kerberos authenticator object within Adonis.
Host: The host name or IP address of the Kerberos server that you are contacting to authenticate Adonis users.
Realm: The realm represents the administrative domain for the Kerberos server. This must be typed in ALL CAPS.
KDC: The host name or IP address of the Kerberos Key Distribution Center.
2 To ensure that the authenticator is configured properly, click Test Authenticator. This checks whether a socket connection to the server can be formed. It returns a pop-up with status information on the authenticator connection.
3 To create this Kerberos authenticator object, click OK.
RADIUS Authenticators
RADIUS authentication is used in many embedded systems, including routers. It is often found running on servers as the default authentication system for networks. Adonis supports RADIUS authentication through the creation of a RADIUS authenticator object.
Name: The name of this Radius authenticator object within Adonis.
Host: The host name or IP address of the Radius server.
Shared Secret: The shared secret between the client and the server, passed as a text string. This value needs to be obtained from your Radius server configuration.
Auth Port: The port used when authenticating users, usually 1812. This port should not be changed unless your implementation requires another port to be supported. The port must be set properly here in order for the Adonis firewall to be reconfigured.
Acct Port: The port used for Radius accounting, usually 1813. This port should not be changed unless your implementation requires another port to be supported. The port must be set properly here in order for the Adonis firewall to be reconfigured.
Method: Select either the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP), depending on which authentication method this server is accepting.
2 To ensure that the authenticator is configured properly, click Test Authenticator. This checks whether a socket connection to the server can be formed. It returns a pop-up with status information on the authenticator connection.
3 To create this Radius authenticator object, click OK.
LDAP Authenticators
Lightweight Directory Access Protocol (LDAP) directories are server services used to store user information centrally, thereby providing a single log-on for a network.
Name: The name of this LDAP authenticator object within Adonis.
Host: The host name or IP address of the LDAP server.
Port: The TCP port used for communication between Adonis and the LDAP server.
Search Base: The location within the LDAP directory structure where the search for authenticating users begins.
2 To ensure that the authenticator is configured properly, click Test Authenticator. This checks whether a socket connection to the server can be formed. It returns a pop-up with status information on the authenticator connection.
3 To create this LDAP authenticator object, click OK.
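For all three authenticator types, Test Authenticator is described as checking only whether a socket connection to the server can be formed. The following added example, written for this guide and not part of Adonis, performs the same kind of reachability probe against the Host and Port of a Kerberos, RADIUS, or LDAP authenticator object and shows what such a check does and does not tell you. The Authenticator record, the constructed loopback listener that stands in for a KDC or directory host, and the names used are assumptions made for the illustration.

```python
"""Added example (not Adonis code) of the reachability check that the
Test Authenticator button is described as performing: can a socket
connection to the configured server be formed? The Authenticator fields
follow the dialogs above; the loopback stand-in listener and the sample
names are assumptions made for the illustration."""
import socket
import threading
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Authenticator:
    name: str
    kind: str          # "kerberos", "radius" or "ldap"
    host: str
    port: int


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """Return (True, '') when a TCP connection completes, else (False, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, ""
    except OSError as exc:          # refused, unreachable, timed out, name lookup failure
        return False, str(exc) or exc.__class__.__name__


def probe_authenticator(auth: Authenticator) -> dict:
    """Produce the kind of status a test pop-up would show. reachable is
    True/False for the TCP services (Kerberos KDC, LDAP) and None for RADIUS,
    which speaks UDP on its Auth/Acct ports: a TCP connect proves nothing
    there, so it is reported as not tested rather than as a spurious failure."""
    if auth.kind == "radius":
        return {"name": auth.name, "reachable": None,
                "detail": "RADIUS uses UDP; reachability and the shared secret "
                          "can only be confirmed with a real Access-Request"}
    ok, reason = tcp_reachable(auth.host, auth.port)
    return {"name": auth.name, "reachable": ok, "detail": reason}


def start_local_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a KDC or LDAP host: a TCP listener on loopback
    that accepts and immediately closes connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:         # listener closed
                break
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def unused_tcp_port() -> int:
    """A loopback port nobody is listening on, to exercise the failure path."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    for auth in (Authenticator("lab-kdc", "kerberos", "127.0.0.1", port),
                 Authenticator("lab-ldap", "ldap", "127.0.0.1", unused_tcp_port()),
                 Authenticator("lab-radius", "radius", "127.0.0.1", 1812)):
        print(probe_authenticator(auth))
    srv.close()
```

A successful probe confirms only that the host answers on that port and that the path through the appliance firewall is open; it says nothing about the Realm, Search Base, or Shared Secret, which are exercised only by a real authentication attempt, so a green test result should be followed by a login with a known-good account before external authentication is relied on.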
Chapter 4
Appliance Management
Adonis delivers reliable and secure DNS and DHCP. It can reside within any part of a network, including DMZs close to the Internet where security threats are greatest. A packet-filtering/stateful-inspection firewall protects the appliance from inbound threats from the network. Adonis is designed on a secure hardware platform with a hardened Linux-based operating system that does not load kernel modules while it is running, and runs BIND in a jailed environment. All of these precautions mean that Adonis operates wherever it is needed, rather than needing to be hidden in a secure portion of the network. This chapter includes the following topics:
Setting Default Appliance Options on page 35 explains how to set appliance options.
Appliance Authentication Management on page 38 describes Adonis security measures.
Management Console Server Controls on page 54 describes functions you can perform through the Management Console.
Deploying a Project on page 56 describes the process of deploying a project file.
General Options
These settings control the global behaviors of the Management Console.
2 To display the splash screen each time you launch the Management Console, select the Show splash screen on startup checkbox.
3 To check the project file for errors and logical inconsistencies before it is deployed, select the Set auto data check before deployment checkbox.
4 To create an extra copy of the project file each time it is saved, select the Backup files before saving (.bak extension) checkbox.
Backup files let you revert to an earlier version of the file. Backups have the same name as the project file, but use the extension .bak. To keep several iterations, manually archive the files using different names.
5 To autosave a project file when it is being checked in or out of the appliance, select the Auto save local copy for check in/out checkbox.
6 To maintain reverse pointers globally, select the Maintain reverse lookup record checkbox. You can override this option for individual host records.
7 To add a trailing dot to MX, CNAME, and NS records so that they are fully qualified within the domain, select the Auto add trailing dot for MX, CNAME, and NS records checkbox.
8 To select the number of project files that appear in the Welcome dialog box, use the arrows next to the Number of Recent Files list. This value also affects the number of files listed in the Recent Files section of the File menu.
The value is 5 by default, but you can use any number between 1 and 20.
9 Click OK.
Product Updates
These settings control the update behavior for the Adonis appliance.
2 By default, Update Server is set to Use Default. To specify a different server, select Specify Address, and then type the URL of the server. To use a specific file, select Specify File, click Browse, navigate to the file you want to use, and then click Open.
This is generally not necessary, because updates are downloaded directly from the BlueCat Networks website.
3 Click OK.
2 If you want Adonis to use a proxy during the update process, select the Use proxy for web connections checkbox, and then provide the following information:
Proxy Type: HTTP or SOCKS
Proxy Server: the Fully Qualified Domain Name (FQDN) of the proxy server
Proxy Port: the port number for the proxy server within your network
3 If the proxy requires authentication, select the Proxy requires authentication checkbox, and then type the user name and password for the proxy in the corresponding fields.
4 Click OK.
2 To add a certificate to the list, click Add. The Connect To Server dialog box opens.
3 Choose a server from the drop-down list, type the password, and then click OK.
If you select the Remember password checkbox you do not need to type a password every time you connect to the server.
4 To delete a certificate, select it and then click Remove. The certificate is removed from the list in the Certificate Browser dialog box. 5 To change a certificate, click Change. The Connect To Server dialog box opens and connects to retrieve the modified certificate for this server. Changing a certificate is similar to adding one. 6 When you are finished, click Close.
3 Click the path beside Certificates. The Select Directory dialog box opens. Use it to select another location or define a new folder.
4 Click OK. If secure communication between the client and the appliance is not possible, you may need to repopulate the keystore on the appliance and subsequently re-install server certificates on client workstations. For example, communication may be affected if problems occurred during deployment. It might be necessary to delete any installed keystore files on the client machine as well as the certificate keystore (cert.ks) on the appliance. To repopulate the keystore on the appliance, restart the command server. For more information, contact BlueCat Technical Support at: clientcare@bluecatnetworks.com.
Passwords
Passwords are managed from the Management Console and from the Administration Console. You can set the administration password to any value, and you can reset the deployment password to its factory-set value using the Administration Console.
LCD
The Liquid Crystal Display (LCD) on the front panel of the Adonis appliance gives you quick access to important settings (for example, the appliance's IP address) without setting up an SSH connection. You can enable and disable the LCD in main mode. To enable the LCD, type enable lcd, and then press Enter. To disable the LCD, type disable lcd, and then press Enter.
To view the network settings for a specific interface, open network configuration mode, type show network interface interface (where interface is the name of the interface), and then press Enter.
To delete a network interface completely, type del interface, where interface is the name of the interface such as eth1. To access network configuration mode, type configure network, and then press Enter.
To set the IP address, subnet mask, or gateway individually, type set network interface setting address, where setting is ip, netmask, or gateway, and address is the appropriate address or mask, and then press Enter. For example:
:configure:network>set eth0 ip 192.168.127.2
:configure:network>set eth0 netmask 255.255.255.0
:configure:network>set eth0 gateway 192.168.127.1
To access time zone configuration mode, type configure timezone, and then press Enter.
2 Select an area from the numbered list, and then press Enter:
1 Africa
2 America
3 US time zones
4 Canada time zones
5 Asia
6 Atlantic Ocean
7 Australia
8 Europe
9 Indian Ocean
10 Pacific Ocean
11 Use System V style time zones
12 None of the above
3 If you chose an option from 1 to 10, select a city or zone from the numbered list, and then press Enter. The options change depending on the area you chose in the previous step.
4 If you chose option 11, select one of the 13 System V time zones.
5 If you chose option 12, select one of the 35 possible time zones, based on Greenwich Mean Time (GMT).
2 At the :adonis> prompt, type configure ntp, and then press Enter.
3 At the :configure:ntp:> prompt, type add server, and then press Enter.
4 Type appropriate answers to the questions that appear on the screen, and then type save:
autokey: type Y for NTP authentication using the Autokey protocol
version: the version to use for outgoing NTP packets (4 is the default)
burst: send a burst of 8 packets instead of one packet
prefer: mark the reference clock as preferred, so this host is chosen for synchronization
minpoll: the minimum polling interval for the reference clock
maxpoll: the maximum polling interval for the reference clock
The new server is added to the top of the list and is queried first. Adonis contacts the servers starting at the top of the list and continues until it receives a response. As long as the NTP server allows the Adonis server to be an NTP client, time is synchronized each time the Adonis server boots.
To delete an NTP server from the list, type del server address, where address is the IP address of the NTP server.
To display the list of NTP servers, open configure ntp mode, and then type show server.
When Adonis is managed by Proteus, the Proteus IP address is automatically added to the top of the list. For these Adonis appliances, time is synchronized upon deployment and upon every reboot.
NTP Servers
The Adonis NTP service sets its own time through NTP: the Adonis server acts as a client of other NTP servers. NTP servers can be added to the list that is queried. Typing show ntp-server in main mode displays the list of NTP servers, for example:
:adonis>show ntp-server
server 127.0.0.1 autokey burst version 3 prefer
server 0.north-america.pool.ntp.org
server 0.europe.pool.ntp.org
server 127.127.1.0
NTP Logs
You can specify a custom location for logging the NTP service. In configuration mode, type the command set logconfig and specify an absolute path for the log including the log file name. To display the log location type the command show logconfig.
To access routing table configuration mode, type configure routetable, and then press Enter.
Destination     Gateway         Genmask         Flags  Metric  Ref  Use
192.168.1.0     0.0.0.0         255.255.255.0   U      0       0    0
0.0.0.0         192.168.1.1     0.0.0.0         UG     0       0    0

The first line states that all requests for hosts in the 192.168.1.0/24 network should be routed directly to the host, and therefore do not require a gateway. This is possible because these hosts are on the same subnet as the Adonis appliance. The second line states that all other requests should be directed to the router at 192.168.1.1. The columns contain the following information:
Destination: The destination subnet or host of a packet.
Gateway: The gateway through which to route a packet.
Genmask: The bits of the packet's intended destination that must match the value in the Destination column.
Flags: The flag value indicates the type of route:
R: a reinstated route for dynamic routing.
M: a modified route, probably modified using the mod option.
C: a route from the kernel routing cache.
U: the route is up.
G: a gateway route.
I: an internal route using the loopback interface for other than loopback purposes.
!: datagrams to this route are rejected.
Metric: The distance to the target destination, usually measured in hops.
Ref: The number of references to this route by other systems.
Use: The count of lookups for the route (the number of times it has been looked up by IP).
Iface: The network interface that routes the packets.
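As an added example (not part of the Adonis documentation or software), the following Python parses a routing table in the format shown above, decodes the Flags column using the meanings just listed, and resolves a destination by longest-prefix match, which is the rule behind "hosts on the same subnet go direct, everything else goes to the router". The table text, the rejected 10.99.0.0/16 route and the interface name eth0 are constructed for illustration.

```python
"""Parse a Linux-style routing table and resolve the next hop for a destination.

Added example, not BlueCat code. Flag letters follow the column description
above (U up, G gateway, R reinstate, M modified, C cache, I internal, ! reject).
"""
import ipaddress

FLAG_MEANINGS = {
    "U": "up",
    "G": "gateway",
    "R": "reinstate (dynamic routing)",
    "M": "modified (mod option)",
    "C": "kernel routing cache",
    "I": "internal (loopback for non-loopback use)",
    "!": "reject",
}

# Constructed sample: the two routes the text describes plus a reject route,
# in the layout printed by `route -n` (reject routes show "-" for gateway/iface).
SAMPLE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.99.0.0       -               255.255.0.0     !     0      -        0 -
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_table(text: str) -> list:
    """Return one dict per route row; header and title lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = parts
        routes.append({
            "network": ipaddress.IPv4Network((dest, mask)),
            "gateway": None if gw in ("0.0.0.0", "-") else ipaddress.IPv4Address(gw),
            "flags": set(flags),
            "flag_text": ", ".join(FLAG_MEANINGS.get(f, "?") for f in flags),
            "metric": int(metric),
            "iface": None if iface == "-" else iface,
        })
    return routes


def lookup(routes: list, destination: str):
    """Longest-prefix match; on equal prefix length the lower metric wins.
    Returns None when no route (not even a default) covers the address."""
    ip = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if ip in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))


def next_hop(routes: list, destination: str) -> str:
    """Human-readable forwarding decision for a destination address."""
    route = lookup(routes, destination)
    if route is None:
        return "no route"
    if "!" in route["flags"]:
        return "rejected"            # the ! flag: datagrams to this route are dropped
    if route["gateway"] is None:
        return "direct"              # same subnet as the appliance, no gateway needed
    return str(route["gateway"])


if __name__ == "__main__":
    table = parse_route_table(SAMPLE_TABLE)
    for dst in ("192.168.1.50", "8.8.8.8", "10.99.3.4"):
        print(dst, "->", next_hop(table, dst))
```

For XHA pairs, run the same parser over both nodes' tables and diff the results; the requirement that both routing tables be identical is easy to verify mechanically this way.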
Adding Routes
Although Adonis maintains the routing table, you may want to add a permanent route to the table to improve the routing efficiency.
Deleting Routes
If you no longer require a route, you can delete it by specifying its address, netmask, and gateway.
To delete a route:
1 Type del routetable, and then press Enter.
2 Type the destination address for the route, and then press Enter.
3 Type the netmask for the route (the netmask determining the subnet that a packet must match), and then press Enter.
4 Type the IP address of the gateway for the route, and then press Enter.
For XHA, the routing table must be set identically on both Adonis nodes through their respective Administration Consoles.
Configuring Anycast
Anycast is a technique for assigning a common IP address to multiple servers that provide the same service; it allows load balancing and redundancy. A client sending to that IP address is routed to the nearest server in routing terms, here as determined by Open Shortest Path First (OSPF). Anycast is useful for large DNS deployments that handle a high volume of requests. For example, the DNS root servers use Anycast to distribute their service throughout the world: although most root servers are nominally located in the United States, most of the physical machines are located elsewhere and share a U.S.-registered IP address. Adonis uses the Zebra routing daemon to advertise Anycast addresses to the appropriate routers.
Command Server
The command server allows the Management Console to communicate with the appliance. It is an agent program that provides communication and reporting between the appliance and the Management Console, and implements the server control and deployment commands issued by the Management Console. When you make major changes to the appliance, for example, changes in the Administration Console, you may need to restart the command server. To start the command server, type start commandserver, and then press Enter. To stop the command server, type stop commandserver, and then press Enter. To restart the command server, type restart commandserver, and then press Enter. To check whether the command server is running, type isrunning commandserver, and then press Enter.
XHA
To check whether this unit is a member of a high-availability cluster, use the command isrunning xha. The answer shows you whether or not the XHA heartbeat is present; if it is this appliance is a member of an XHA pair. For more information, see Crossover High Availability (XHA) on page 201.
Firewalls
Adonis includes a powerful firewall to protect your DNS and DHCP services against malicious network traffic. The firewall is usually running, but you can disable it for diagnostic purposes. You can also view the current status and settings of the firewall.
Adonis rejects ICMP packets, including pings, while the firewall is in place. A failed ping therefore does not by itself mean the appliance is down; test a TCP service port, such as 22 or 10042, instead.
Firewall Requirements
Adonis uses the ports shown in the following table:

Port #           Protocol  Notes                   Purpose                                                 In/Out         Required?
22               TCP       SSH2 (secure shell)     SSH/SCP connectivity to appliances                      Bidirectional  Optional
53               TCP/UDP   DNS                     DNS server                                              Bidirectional  Optional
67               UDP       DHCP                    DHCP server                                             In             Optional
68               UDP       DHCP                    DHCP server                                             Out            Optional
69               UDP       TFTP                    TFTP service for file transfer                          Bidirectional  Optional
80               TCP       MAC Authentication      MAC Authentication portal                               Bidirectional  Optional
88               TCP/UDP   Kerberos                Kerberos/Active Directory authentication                Bidirectional  Optional
123              UDP       NTP                     Network Time (client) (in from user ports)              In             Optional
123, 1023-65535  UDP       NTP                     Network Time (client)                                   Out            Optional
161              UDP       SNMP Polling            SNMP management                                         Bidirectional  Optional
162              UDP       SNMP Traps              SNMP management                                         Out            Optional
389              TCP/UDP   LDAP                    LDAP authentication                                     Bidirectional  Optional
443              TCP       MAC Authentication      MAC Authentication portal                               Bidirectional  Optional
647/847          TCP       DHCP Failover           DHCP Failover communication ports                       Bidirectional  Optional
694              UDP       XHA                     XHA state information (heartbeat)                       Bidirectional  Optional
1812             TCP/UDP   Radius                  Radius authentication                                   Bidirectional  Optional
10042            TCP       Adonis Management Port  Secure management / connectivity to Proteus appliances  Bidirectional  Required
10044            UDP       XHA                     File and state synchronization                          Bidirectional  Optional
10045            TCP/UDP   Notification Port       Adonis to Proteus notification (DDNS, IP leases, etc.)  Bidirectional  Required
10046            UDP       XHA                     XHA File Sync port                                      Bidirectional  Optional
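The port table is also a checklist: anything listening on the appliance that is neither a required port nor an optional service you have deliberately enabled is unexpected exposure. The following added Python (not BlueCat code) encodes the table as data and audits a constructed scan result against it. The service keys ("ssh", "dns", and so on), the sample scan result and the illustrative iptables rules are assumptions for the example, not the appliance's actual rule set.

```python
"""Audit observed listeners on an Adonis appliance against its documented port table.

Added example, not BlueCat code. The table rows are transcribed from the
documentation; service keys are invented labels. Outbound-only rows (DHCP
client 68, NTP client source ports, SNMP traps 162) can never be listeners,
so they are excluded from the allowed set.
"""

# (ports, protocols, service key, direction, required)
ADONIS_PORTS = [
    ((22,),      ("tcp",),       "ssh",           "bidirectional", False),
    ((53,),      ("tcp", "udp"), "dns",           "bidirectional", False),
    ((67,),      ("udp",),       "dhcp",          "in",            False),
    ((68,),      ("udp",),       "dhcp",          "out",           False),
    ((69,),      ("udp",),       "tftp",          "bidirectional", False),
    ((80,),      ("tcp",),       "mac-auth",      "bidirectional", False),
    ((88,),      ("tcp", "udp"), "kerberos",      "bidirectional", False),
    ((123,),     ("udp",),       "ntp",           "in",            False),
    ((161,),     ("udp",),       "snmp",          "bidirectional", False),
    ((162,),     ("udp",),       "snmp-traps",    "out",           False),
    ((389,),     ("tcp", "udp"), "ldap",          "bidirectional", False),
    ((443,),     ("tcp",),       "mac-auth",      "bidirectional", False),
    ((647, 847), ("tcp",),       "dhcp-failover", "bidirectional", False),
    ((694,),     ("udp",),       "xha",           "bidirectional", False),
    ((1812,),    ("tcp", "udp"), "radius",        "bidirectional", False),
    ((10042,),   ("tcp",),       "management",    "bidirectional", True),
    ((10044,),   ("udp",),       "xha",           "bidirectional", False),
    ((10045,),   ("tcp", "udp"), "notification",  "bidirectional", True),
    ((10046,),   ("udp",),       "xha",           "bidirectional", False),
]


def allowed_listeners(enabled_services) -> set:
    """(port, proto) pairs that may legitimately listen: required rows plus enabled optional ones."""
    allowed = set()
    for ports, protos, service, direction, required in ADONIS_PORTS:
        if direction == "out":
            continue
        if required or service in enabled_services:
            for port in ports:
                for proto in protos:
                    allowed.add((port, proto))
    return allowed


def audit_exposure(observed, enabled_services):
    """Return (unexpected, missing): listeners outside policy, and required ports not seen."""
    allowed = allowed_listeners(enabled_services)
    required = allowed_listeners(set())
    observed = set(observed)
    return sorted(observed - allowed), sorted(required - observed)


def iptables_rules(enabled_services) -> list:
    """Illustrative default-deny input chain matching the allowed set (not the Adonis ruleset).
    No ICMP accept rule, mirroring the appliance's behaviour of rejecting pings."""
    rules = [
        "-P INPUT DROP",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for port, proto in sorted(allowed_listeners(enabled_services)):
        rules.append(f"-A INPUT -p {proto} --dport {port} -m state --state NEW -j ACCEPT")
    return rules


# Constructed scan result for a DNS-only appliance with SSH enabled (not real data).
SAMPLE_OBSERVED = {
    (22, "tcp"), (53, "tcp"), (53, "udp"), (161, "udp"), (10042, "tcp"), (10045, "tcp"),
}

if __name__ == "__main__":
    unexpected, missing = audit_exposure(SAMPLE_OBSERVED, {"ssh", "dns"})
    print("unexpected listeners:", unexpected)   # SNMP is listening but was never enabled
    print("required but missing:", missing)      # 10045/udp not answering
    print("\n".join(iptables_rules({"ssh", "dns"})))
```

Feed it the (port, protocol) pairs from an authenticated scan of the appliance; a non-empty "unexpected" list means a service is exposed that the deployment did not ask for, and a non-empty "missing" list explains why Proteus management or notification might be failing.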
To enable the firewall, type enable firewall, and then press Enter. To disable the firewall, type disable firewall, and then press Enter. To see the current port protection settings used by the firewall, type show firewall, and then press Enter. To scroll down, press Enter.
To exit the firewall viewer, press Q. To enable or disable the firewall on startup, use the command enable startup firewall or disable startup firewall.
The firewall can also be enabled or disabled using the checkbox on the Security and Admin Settings tab for the server in the Management Console.
SSH
Secure Shell (SSH) version 2 allows a client to communicate with the appliance and access the Administration Console remotely. You can enable or disable SSH access to Adonis. By default, Adonis ships with SSH disabled for security purposes. To enable SSH, type enable ssh, and then press Enter. To disable SSH, type disable ssh, and then press Enter.
Startup Services
Certain services can be set to start up or not start up the next time the appliance is rebooted. To enable a startup service, type enable startup service, and then press Enter, where service is firewall, ntp, ntp-server, or snmp.
SNMP requires you to enter the IP address of an SNMP controller.
To disable a startup service, type disable startup service, and then press Enter, where service is firewall, ntp, snmp or anycast. To check the status of a startup service. type isenabled startup service, and then press Enter, where service is firewall, ntp, snmp or anycast.
Network Services
These network services are controlled, and to some extent configured, from the Administration Console in Adonis.
BIND/DNS
Adonis uses the Berkeley Internet Name Domain (BIND) software to provide its DNS service. The BIND executable is called named, the name daemon. This service can be managed from the main mode of the Administration Console. To start BIND, type start bind, and then press Enter. To stop BIND, type stop bind, and then press Enter. To restart BIND, type restart bind, and then press Enter. To view statistics on the DNS service, type show status bind, and then press Enter. To check whether BIND is running, type isrunning bind, and then press Enter.
DHCP/DHCPv6
Adonis uses the ISC DHCP server to provide its DHCP service. The executable file for ISC DHCP is called the DHCP daemon or dhcpd. To manage the IPv6 DHCP service on Adonis, use dhcpv6 instead of dhcp as a token. To start DHCP, type start dhcp, and then press Enter. To stop DHCP, type stop dhcp, and then press Enter. To restart DHCP, type restart dhcp, and then press Enter. To check whether DHCP is running, type isrunning dhcp, and then press Enter.
TFTP
Adonis provides a TFTP service to store extra files for configuration and firmware management for certain client devices. The TFTP service is set up using the Management Console, but the TFTP service itself can be managed from the Administration Console. To start the TFTP service, type start tftp, and then press Enter. To stop the TFTP service, type stop tftp, and then press Enter. To restart the TFTP service, type restart tftp, and then press Enter. To check whether the TFTP service is running, type isrunning tftp, and then press Enter.
2 Select the server, type the password, and then select the appropriate actions.
3 To perform the selected action, click Execute.
4 To see the full range of options, scroll through the Action list:
Server Version Query: retrieves the server version number.
High Availability Status Query: retrieves the status of the XHA system on this Adonis.
Set HA Failure Detection Time: the time interval before a failover occurs.
Perform HA Failover: forces an HA failover on the selected Adonis appliance.
Detect Servers Appliance Type: checks which type of Adonis appliance is installed.
Restart Server: reboots the operating system and services on the selected appliance.
Shutdown Server: physically powers off the appliance.
Change Deployment Password: allows an administrator to change the deployment password.
Restart Named: restarts the named daemon (DNS service).
Stop Named: stops the named daemon.
Start Named: starts the named daemon.
Restart DHCP: restarts the dhcp daemon.
Stop DHCP: stops the dhcp daemon.
Start DHCP: starts the dhcp daemon.
Enable Firewall: re-enables the firewall after debugging or connectivity testing.
Disable Firewall: disables the firewall for debugging purposes or connectivity testing. The firewall is automatically re-enabled when you restart the server.
Enable Query Logging: enables the server's DNS query logging feature.
Enable SSH: enables Secure Shell (SSH) version 2.
Disable SSH: disables Secure Shell (SSH) version 2.
Disable Query Logging: disables the server's DNS query logging feature.
Query DHCP Failover State: if an Adonis is a DHCP failover peer, this command determines whether it is in the normal, communication-interrupted, or partner-down state.
Start DHCP Failover Monitor: starts the server's DHCP failover monitor (fomon) service.
Stop DHCP Failover Monitor: stops the server's DHCP failover monitor service.
Set DHCP Failover State: forces an Adonis that is a DHCP failover peer into the normal, communication-interrupted, or partner-down state.
Start Adonis Mirage Adapter: starts the Mirage Adapter service.
Stop Adonis Mirage Adapter: stops the Mirage Adapter service.
Start DHCPv6: enables support for IPv6 within the DHCP service.
Restart DHCPv6: restarts support for IPv6 within the DHCP service.
Stop DHCPv6: disables support for IPv6 within the DHCP service.
Deploying a Project
When you are satisfied with a project file, you can deploy it to the appropriate appliances and activate your DNS and DHCP services. For more information about file checking, see Checking and Correcting a File on page 90. For more information about deployment, see Deploying the Project File on page 92.
2 Select the server from the drop-down list, and then type its administration password. 3 From the Log Type drop-down list, specify the log you want to view:
Command Server
DNS
System
Update
DHCP
4 Specify how much of the log you want to see by selecting a value from the Nr. of lines drop-down list.
5 Click View Log. The View Log dialog box opens showing the specified text from the log file.
6 Use the icons to save or explore the data:
Copy to Clipboard: copies the log text so you can paste it into another application.
Save to File: saves the log file so you can open it in another program, for example, a spreadsheet or word processor.
Reload Log File: reloads the current log file.
Select Log File: opens the View Log Files dialog box so you can select another log file.
Search: opens a dialog box that prompts you to search the log file for specific text.
Go To: opens a dialog box that prompts you to type a line number in the log file.
7 Click Close.
Adonis automatically enables system log redirection if you have created any configuration statements. In configuration mode, you can configure the system log service daemon to have multiple redirection destinations and redirection selectors.
Viewing Logs
Adonis keeps several logs that you can view for debugging purposes:
commandserver is the command server log. It contains information on commands that have been sent from the Management Console.
bind contains information related to the DNS service.
syslog is the general system log file.
update contains information about server updates.
Enabling SNMP
You enable SNMP from the main mode of the Administration Console. To enable the SNMP service type enable snmp, and then press Enter. Type the address of an SNMP manager that is responsible for monitoring Adonis. After you change SNMP settings on Adonis you may need to restart the service by disabling it, and then enabling it again. To disable the SNMP service type disable snmp, and then press Enter. To see the configuration for the SNMP service on Adonis, type show snmp, and then press Enter.
Configuring SNMP
You configure SNMP from the configuration mode of the Administration Console. To enter this mode, type the command configure snmp. In SNMP configuration mode you can use all of the commands listed below. Changes you make in configuration mode do not become active until you have saved or updated them.
2 Type set password password, and then press Enter.
3 To display the username, type show username, and then press Enter.
4 To display the password, type show password, and then press Enter.
Polling
Adonis SNMP service periodically polls inside the appliance for new values for each of its SNMP objects based on a polling period setting. When the polling period interval elapses, SNMP gathers information about the state of the appliance, and then updates the SNMP objects whose values have changed. For SNMPv3 traps, if an objects new value triggers a trap threshold, then a trap for that object is sent to the SNMP trap server.
4 Type the security level that the Adonis appliance uses for the version 3 protocol. Choices are 1 for noAuthNoPriv, 2 for authNoPriv, and 3 for authPriv. Only authPriv (3) both authenticates and encrypts trap traffic; noAuthNoPriv sends traps unauthenticated and in the clear.
5 Type the name for the trap server user.
6 Type either 1 (for MD5) or 2 (for SHA) as the authentication type to use.
7 Type an authentication passphrase. This is your SNMPv3 password.
8 Type a privacy passphrase. This is the key used to encrypt SNMPv3 traffic, the second level of protection available in SNMPv3.
9 Type a context, if one has been provided. This enables a limited view of the available trap objects.
10 To display the settings you have configured for the trap server, type show trap.
11 If you are satisfied with the trap settings, type save, and then press Enter.
System Name
You can obtain the SNMP name variable from the SNMP service. This is set to the DNS address of the appliance and the SNMP service using an FQDN. To set the system name on Adonis, type the command set sysname sysname where sysname is the FQDN for the appliance. To see the system name type the command show sysname.
SNMP Object                  Description
dnsStatsSuccess              Number of successful queries made to the server since the DNS daemon was started
dnsStatsReferral             Number of queries that resulted in referral responses since the DNS daemon was started
dnsStatsNXRRSet              Number of queries that resulted in a non-existent record set since the DNS daemon was started
dnsStatsNXDomain             Number of queries that resulted in non-existent domain responses since the DNS daemon was started
dnsStatsRecursion            Number of queries that required the server to perform recursive lookups since the DNS daemon was started
dnsStatsFailure              Number of failed queries that did not result in a non-existent domain or record set since the DNS daemon was started

DHCP Objects

SNMP Object                  Description
dhcpDaemonRunning
                             The IP address the DHCP Alerts SNMP trap is sent to
dhcpLeaseTable               Current lease table
                             Information about a particular DHCP lease
                             IP address of the lease
                             Start time of the lease
                             End time of the lease
                             Timestamp of the lease
                             The state of this lease
SNMP Object                  Description
dhcpLeaseHardwareAddress     The hardware address (MAC address) of this lease
dhcpLeaseHostname            The client hostname of this lease
dhcpSubnetTable              Current subnet table
dhcpSubnetEntry              Information about a particular DHCP subnet
dhcpSubnetIP                 IP address of the subnet
dhcpSubnetMask               IP mask of the subnet
dhcpSubnetSize               Size of the subnet
dhcpSubnetUsed               The number of used IPs in the subnet
dhcpSubnetAlert              Alert level in the subnet
dhcpPoolTable                Current pool table
dhcpPoolEntry                Information about a particular DHCP pool
dhcpPoolSubnetIP             Subnet IP address of the pool
dhcpPoolStartIP              Start IP address of the pool
dhcpPoolEndIP                End IP address of the pool
dhcpPoolSize                 The size of the pool
dhcpPoolUsed                 The number of used IPs in the pool
dhcpPoolAlert                The alert level of the pool
dhcpDefaultLeaseTime         Default lease time in configuration
dhcpMinLeaseTime             Minimum lease time in configuration
dhcpFixedIPTable             Current DHCP subnet tables in configuration
dhcpFixedIPEntry             Information about a particular DHCP subnet
DhcpFixedIPEntry             One of the current fixed IP addresses in the DHCP configuration

Adonis Appliance Objects

SNMP Object                  Description
haServiceRunning
haServiceNodeType            Type of high availability node: 0 - HA not running, 1 - Active Node, 2 - Passive Node
commandServerDaemonRunning   Current running state of the command server daemon: 0 - Not running, 1 - Running
Adonis Traps
The ADONIS-DNS-MIB.txt file also contains trap objects. The Adonis-specific traps fall into four groups: DNS, DHCP, XHA, and command server. Each of these groups can trap various parameters on the Adonis appliance.
The DNS trap group includes both a daemon trap with attributes and a statistics trap with attributes. The daemon trap is called dnsDaemonRunning. It has the following attributes:
dnsDaemonZoneTransfersInProgress
dnsDaemonZoneTransfersDeferred
dnsDaemonSOAQueriesInProgress
dnsDaemonQueryLoggingState
dnsDaemonNumberOfZones
dnsDaemonDebugLevel
The DNS statistics trap is called dnsStatsSuccess. It has the following attributes:
dnsStatsReferral
dnsStatsNXRRSet
dnsStatsNXDomain
dnsStatsRecursion
dnsStatsFailure
The DHCP trap group includes information about the DHCP daemon and the leases table. The trap dhcpDaemonRunning indicates whether the DHCP daemon is running on Adonis. The trap dhcpLeaseTable passes DHCP statistics, including lease information.
XHA monitoring uses two traps. The haServiceRunning trap is sent if the XHA service stops running. It has an attribute of haServiceNodeType to describe the node sending the trap. There is also a trapHAServiceFailOver trap that indicates when an XHA failover has occurred.
The Adonis command server includes a trap called commandServerDaemonRunning that shows whether the command server is running. It also includes a trap for command server notifications called trapCommandServerDaemon.
Updating Adonis
You can update Adonis in one of two ways: online from the BlueCat Networks website, or manually.
Online Updates
The Management Console and appliance are updated regularly to add new features, resolve known issues, and generally enhance product quality. These updates are hosted online at the BlueCat Networks website.
If your organization uses a proxy server for connections to the Web, it should be configured on Adonis before proceeding with updating the software. For more information, see Specifying Proxy Settings on page 37.
You can find the current Management Console version by clicking Help > About. The version of each server can be found using a server version query as described in Management Console Server Controls on page 54. To check for updates (including operating system and application upgrades), follow the procedure described below. If updates are available, the Update Wizard guides you through the installation process.
3 The Server Connection page appears. For each server that you want to update, select the Connect checkbox, type the server password, and then click Next.
The Update Wizard returns a list of servers that you can update. 4 To update a server, select the appropriate Update checkbox (selected by default) and then click Next.
Servers are rebooted one at a time after the update finishes. Ensure that any servers that received updates of any kind remain selected.
5 Select the action you want to perform on any server selected on the previous screen, and then click Next.
7 The downloaded updates are sent to the servers that require them. Click Next.
8 To apply the server updates, each server must be rebooted sequentially. Click Start Reboot Sequence. Each server in the list reboots and starts its services before the next one reboots.
9 After the update is installed, click Next. 10 To execute the client update (if any) or to finish, click Finish.
If you need to update a client, save your files and accept the installation.
The Management Console Install Wizard guides you through the same installation process used when the program was originally installed. During this process you are asked to determine the local storage path and the menu location for the Management Console. The wizard suggests default settings, but these may differ from your current settings.
Manual Updates
To update Adonis manually you must first obtain a copy of the update.jar file from BlueCat Networks, and then place this file in the root of the c: drive on the workstation running the Management Console. Adonis uses this file to update the Management Console and the server.
Chapter 5
Project Files
Adonis works within a client-server architecture that allows you to configure multiple servers from a single client interface and store this configuration in a project file. Project files define most of the functionality for the DNS, DHCP, and TFTP services that Adonis supplies. The project file does not contain the controls for the appliance itself: these are found in the Administration Console and the Management Console. Additionally, project files also define the server architecture for high availability configurations such as XHA and DHCP Failover.
This chapter includes the following topics:
Creating a New Project File on page 71 describes how to use the New Project Wizard. DNS and DHCP services are created initially in a new project file and TFTP services are added later.
Opening and Saving Files on page 84 describes how to open and save local files, as well as check files in and out of an appliance. Both project and certificate files can also be stored in a custom location.
Editing a Project File on page 88 describes how to edit a project file to modify the DNS and DHCP service configurations before they are redeployed.
Checking and Correcting a File on page 90 describes the tools you use to verify the structure and syntax of a project file. Projects can be checked locally in the Management Console before deployment, and can also be verified live on the network and/or the Internet. The settings for the data check can also be modified in the Management Console.
Deploying the Project File on page 92 describes how to deploy your project during testing or production. Deploying a project configures and restarts network services on the appliance.
Importing a Project on page 96 describes how to import project files created with a previous version of Adonis.
Many of the procedures described in this section apply when adding servers to an existing project and when adding services to an existing server. The process is the same in all of these situations.
Version 5.5
71
For more information about editing project files to update and modify DNS, DHCP, and TFTP services, see Adding Servers on page 89, Adonis DNS on page 97, and Adonis DHCP on page 155.
To select an appliance:
1 On the File menu select New. The New Project Wizard opens.
2 Click Next. The Configuration Setup page appears.
3 Select an appliance type from the Appliance Type drop-down list. Your selection must match the type of appliance you purchased.
Adonis 1750, 1000, 750, XMB: These appliances each support one DNS service and one DHCP service.
Adonis 500: This model supports only the DHCP service.
Adonis 250: This model runs a restricted DNS server that can have only stub zones, forwarding zones, and a caching zone.
4 If you selected Adonis 1750, 1000, 750, or XMB, select the checkboxes to configure the services you want to run on the server.
5 Click Next.
roles on the network. This step does not appear for the Adonis 500, Adonis 250, or for a server being set up to provide only DHCP.
1 Select a DNS network architecture. To scroll through the options, click the right and left arrows in the upper-right corner of the Select Architecture page.
2 Select an appropriate architecture, and then click Next. The following topics describe the types of architecture available.
Single Name Server: Also known as a master-only architecture, this is useful if your company has a limited budget or you have a company intranet readily available. It is a simple architecture: an in-house DNS solution that is affordable for a small network. However, this architecture is not recommended for the enterprise or for the Internet, as security is a concern because all clients connect to the master server and there is no redundancy.
Advantages:
Simple configuration for an in-house DNS solution.
Affordable for small networks.
Disadvantages:
All clients connect to the master server, creating security concerns.
No redundancy: if your server is down, you do not have DNS service.
Front-End Master with Slave(s): A typical master/slave setup assumes that a company has one master server and one or more slaves in a flat arrangement. These components are structured horizontally across the network rather than vertically, allowing queries to be load-balanced across multiple servers.
Advantages:
Redundant DNS configuration. The slave servers are kept consistent with the master server.
The load can be distributed among the master and its slaves.
Disadvantages:
The master is not protected from the outside world.
Not recommended for external DNS because the NS record can be viewed.
In this scenario, if the master or a slave fails, one of the remaining servers accepts its load and carries on. If the master server fails, you can promote a slave to become the master until you can bring the master back online. This is a redundant DNS architecture because slave servers are kept consistent with the master server and the load is distributed among the master and its slaves. However, the master is not protected from the outside world. Consequently, this architecture is not recommended for Internet DNS.
Front-End Slaves with Hidden Master: This architecture allows you to place the master server behind a firewall and hide it. In addition to increased security, the load can be distributed among the slaves. It does require at least 3 servers (2 slaves and 1 master) and may require networking expertise, especially if the slaves are on different networks.
Advantages:
If a failure causes the master to go down, there is little loss of service to external clients because they do not query it directly.
Performance on a master server increases, especially when performing zone transfers for a large number of zones.
Disadvantages:
Needs at least 3 servers (two slaves and a master) to provide the necessary redundancy.
May need networking expertise if the slaves are on a different network.
The increased security of this architecture makes it the best solution for Internet DNS. This architecture features an option in the Add Slave Servers page to designate a slave (secondary) server as the master server for SOA records. Setting a slave as the primary server (instead of the master server) for SOA records avoids exposing the hidden master's IP address, because other name servers query the designated SOA Primary Server instead of the hidden master.
DNS Caching Server: Caching servers decrease the time needed for name lookups by retrieving and caching other servers' DNS information. This type of server performs the lookup, and then stores the result in memory for a pre-determined time. At the end of this time, the information is deleted unless a query comes in before the time is up, in which case the information is refreshed.
Advantages:
A caching server can reduce the time needed for name lookups.
Can stand alone, or can forward unresolved queries to another name server.
Windows Active Directory: This architecture enables the appliance to host DNS services for a Windows Active Directory environment. Select this configuration if your appliances are participating in an Active Directory infrastructure.
Advantages:
Configures the server to operate within the Windows Active Directory environment.
Custom Configuration: This architecture allows you to define name server parameters and the form of your network. It is useful for networks that do not fit into any of the more traditional network architectures, or those that involve a more complex architecture with many servers.
Add each slave using the following information:
Name: a meaningful name (FQDN) for each slave server (for example, ns2.example.com).
IP address: the IP address for each slave server (for example, 192.168.127.3).
If you are using the Front-End Slaves with Hidden Master architecture, you can select a slave server to act as the start of authority (SOA). This server plays the role on behalf of the hidden master so that none of the slaves carries a direct reference to the master for any required functionality.
Click Add, and then enter the IP address for one of your domain controllers.
Repeat the above procedure for all required domain controllers, click Next, and then click Finish.
Configuring DHCP
If you are using a multi-server architecture, you must choose one server to host the initial DHCP service for this project.
3 Type the information for the new DHCP server, and then click Next. The Get DHCP Group Information page appears.
4 Type a group name for the DHCP service, and then click Next. The Get DHCP Subnet Information page appears.
5 Select either the Network or Subnet option. If you select Network, type the network identifier using Classless Inter-Domain Routing (CIDR) notation, for example 192.25.200.0/24. If you select Subnet, type the network identifier (for example 192.25.200.0) in the Subnet field and the subnet mask (for example 255.255.255.0) in the Mask field.
Optionally, you can select the Add the DHCP subnet to a new shared network checkbox. Type the name of a shared network in the Shared Network field that appears beneath the checkbox.
You can create a subnet range or a pool range: you cannot create both. Because pools offer additional functionality, we recommend pools and pool ranges instead of subnet ranges.
7 To add a subnet range or a DHCP pool, click Add. The Add Address Range dialog box appears.
8 Type the IP address at the start and at the end of the range. To add an exclusion range within the range you are creating, right-click the Exclude Ranges area of the Add Address Range dialog box, and then select New Exclude Range from the context menu. Type the IP addresses at the beginning and end of the exclusion range, and then click OK.
9 In the Add Address Range dialog box, click OK to add the range.
To create a pool:
1 In the Add DHCP Subnet/Pool Ranges dialog box select the Create a new pool for the DHCP subnet checkbox. The pool ranges area appears in the dialog box.
2 Click Add, and then type the beginning and end addresses.
3 Click Next, and then click Finish. The DHCP service appears in the directory tree under the selected server at the same level as the DNS service for the server.
Like the DNS service, the DHCP configuration can be checked for errors before deployment. In some cases, the errors may simply be informational.
The Management Console creates a new project file using the settings you have specified. No changes are made to the appliances at this point. The appliance configurations and services are updated and restarted when you deploy the project.
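The following Python is an added example, not code from the Adonis guide. It models the inputs of the DHCP subnet and range steps above: it shows that the Network (CIDR) entry and the Subnet plus Mask entry describe the same network, and it reproduces the kind of pre-deployment check the Management Console runs on address ranges (ranges and exclusions must lie inside the subnet, and exclusions shrink the leasable pool). The subnet 192.25.200.0/24 is taken from the guide; the range and exclusion values are constructed.

```python
"""
Added example (not code from the Adonis guide): models the DHCP subnet
wizard inputs.  Network (CIDR) and Subnet + Mask describe the same network,
and every address range and exclusion range must lie inside that subnet.
Sample range and exclusion values are constructed; only 192.25.200.0/24
comes from the guide.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# (first address, last address), both inclusive, as typed into the
# Add Address Range dialog box.
RangeText = Tuple[str, str]


def subnet_from_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Build the network from the Network field, e.g. '192.25.200.0/24'."""
    return ipaddress.ip_network(cidr, strict=True)


def subnet_from_mask(network_id: str, mask: str) -> ipaddress.IPv4Network:
    """Build the network from the Subnet and Mask fields."""
    return ipaddress.ip_network(f"{network_id}/{mask}", strict=True)


@dataclass
class AddressRange:
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    excludes: List["AddressRange"] = field(default_factory=list)

    @classmethod
    def parse(cls, rng: RangeText, excludes=()) -> "AddressRange":
        """Parse the dialog-box text (and any exclusion ranges) into addresses."""
        first, last = (ipaddress.ip_address(a) for a in rng)
        return cls(first, last, [cls.parse(e) for e in excludes])

    def contains(self, other: "AddressRange") -> bool:
        return self.start <= other.start and other.end <= self.end


def check_range(subnet: ipaddress.IPv4Network, rng: AddressRange) -> List[str]:
    """Return the problems found; an empty list means the range is usable."""
    problems = []
    if rng.start > rng.end:
        problems.append(f"start {rng.start} is after end {rng.end}")
    if rng.start not in subnet or rng.end not in subnet:
        problems.append(f"{rng.start}-{rng.end} is not inside {subnet}")
    elif rng.start == subnet.network_address or rng.end == subnet.broadcast_address:
        problems.append("range includes the network or broadcast address")
    for ex in rng.excludes:
        if ex.start > ex.end:
            problems.append(f"exclusion start {ex.start} is after end {ex.end}")
        elif not rng.contains(ex):
            problems.append(f"exclusion {ex.start}-{ex.end} is outside the range")
    return problems


def leasable_count(rng: AddressRange) -> int:
    """Number of addresses the DHCP server may hand out from this range.

    Exclusions are assumed not to overlap each other (the dialog box lets
    you carve separate holes out of a single range).
    """
    total = int(rng.end) - int(rng.start) + 1
    for ex in rng.excludes:
        total -= int(ex.end) - int(ex.start) + 1
    return total


if __name__ == "__main__":
    subnet = subnet_from_cidr("192.25.200.0/24")
    pool = AddressRange.parse(("192.25.200.10", "192.25.200.100"),
                              [("192.25.200.50", "192.25.200.59")])
    print(check_range(subnet, pool), leasable_count(pool))
```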
Networked storage is useful for ensuring that the file is always backed up to a central location. In many environments, this can be achieved by storing the file on a network drive that is backed up centrally. To open a file, from the File menu, select Open. Select the .dns project file as you would any other type of file. To save a file, from the File menu, select Save or Save As. Save the project file as you would any other type of file.
Before checking the project file in or out, you can view the log of all check-in/check-out server activity by clicking View Log. This log indicates who has checked the project file in or out of the appliance.
4 After you deploy the project, select Check-In from the File menu. The Check-In dialog box appears.
5 Type a comment describing the changes you have made to the file, and then click Check-In. Adonis performs an SSL handshake to ensure that you have the correct credentials to check in the project. The current project is checked in and overwrites any existing file on the appliance.
After you check in a project, it disappears from the Management Console. This is very important: it is impossible to deploy a project file after you check it in. You can force a check-in, if necessary. If another administrator has the configuration file checked out and you need to check in a different version, select the Force check-in (break existing lock) checkbox. You need to be particularly careful when forcing a check-in. Are you absolutely sure your changes are more important than somebody else's?
2 Type the server IP address in the Server field (if necessary).
3 Type your deployment password in the Password field (if necessary).
4 Click Check-Out. Adonis performs an SSL handshake, and then removes the project from the server and displays it in the Management Console.
The name of the file that you have checked out is always the name listed after the IP address of the server itself. If you need to check out a file, but it is locked, select Force check-out (break existing lock). However, before you do this, make sure another administrator is not currently using the file.
3 Click Check-Out to get a local copy of the project and lock it.
4 Make the necessary configuration changes, and then deploy the project to activate your changes immediately.
If you do not want to activate the changes, you can check the project back in, and deploy it later.
5 When deployment is complete, select Check-In from the File menu to place the project file back on the appliance.
6 When the project has been checked back in to the server, the session is complete and you can close the Management Console.
End the session by checking the project file back in to the server to make it available for future management sessions.
2 Click in the Project Files or Certificates box to display the Select Directory dialog box and browse to the new location. Alternatively, you can type the directory name manually.
3 Click Select, and then click OK.
Adding Servers
Adding a server or service to an existing project file is similar to defining the server for a new project file.
If you want to create a DHCP service, follow the steps in Configuring DHCP on page 81 now or after you have configured the DNS server.
6 Click Next.
7 Type the appropriate server information. This screen shows different fields, depending on the options you selected in the previous screen.
8 Because you are creating a new server in an existing project, select Master, Master Hidden, Slave, or Caching as the type of server.
9 If you are creating a slave server, select its corresponding master from the Master Server list.
10 Type an FQDN in the Server Name field: do not use a relative name for this server. This FQDN creates a forward zone in a default DNS view based on the name you specify, containing a name server record and a glue record for this server. The server name is also used to populate the Start of Authority (SOA) record for the zone. If you use an FQDN for a DHCP-only server name, it is automatically added into any new DNS service you add later.
11 Type an IPv4 or IPv6 address in the IP Address field. This creates a corresponding reverse DNS zone that contains a name server record for this server.
12 In the Contact e-mail field, type an e-mail address. Do not use periods in the part before the @ sign.
13 In the Phone Number field, type a phone number (use hyphens as separators). This field is optional.
14 In the Mobile Number field, type a mobile phone number. This field is optional.
15 In the Dept./Division field, type a department or division. This field is optional.
16 Click Next.
17 Click Finish.
2 Use this list to review issues that exist in your project file. The Type column identifies three types of issues:
Errors: serious problems that interfere with the correct operation of the server
Warnings: less serious problems that still require your attention
Information: items of interest that do not affect deployment
3 Double-click an issue. The left and right panes display the location of the issue within the project file and the setting that needs to be modified (you can also select the issue, and then click Go to...).
4 To see an explanation of the issue, click Explain.
5 Make the modifications necessary to resolve the issue.
6 Repeat the previous steps to continue checking your data until the Management Console reports that there are no problems with your project file.
Click Re-check to run the data check again. Click Explain to see an explanation for the issue you selected.
2 To change a setting, select the severity for an issue, and then select the desired severity level to be reported from the corresponding drop-down list.
3 Click OK.
2 Click Next. The Server Connection dialog box opens.
3 Select the checkbox for each server you want to deploy, and then type the password.
4 Click Next.
5 After the connection is made, the following screen appears.
6 When the connection is established, click Next. The Select Action dialog box appears.
7 Select one of the following actions:
Do Nothing: No processing is required.
Update Client: Transfer data from the server to the client. This uses configuration data from the server to rebuild the configuration file on the client.
Refresh Client: Transfer dynamic updates from the server to the client so that the client has a snapshot of the running services and information about the current state of dynamic objects such as DHCP leases, DDNS entries, and MAC Authentication status.
Update Server: Transfer data from the client to the server. Once you have finished making changes to a configuration file, use this option to transfer it to an Adonis appliance and start the services.
Update Server (Force): Normally, updating a server involves making iterative changes to the configuration files. Use this option if an appliance has been upgraded or is in an indeterminate functional state. The force option completely rewrites all of the configuration files on the appliance.
8 To continue the deployment and display a status screen, click Next.
Importing a Project
There are several ways to import existing data into the Management Console. You can import data from a previous version of the Management Console, import an external DNS or DHCP configuration (for example, a BIND 9 configuration), or perform a live zone transfer. This section covers importing a project file created with an earlier version of the Management Console. Imports from external sources are discussed in Migration Tools on page 223.
2 Type the password for each server, and then click Detect Type. Closing the detection screen without detecting the appliance type sets the type to Adonis 1000 by default. If the appliance type is set to Adonis 1000 and the appliance itself is a different type, the configuration cannot be deployed. If the appliance type is not detected, a warning message appears when you start deploying the project. All appliances must be detected before the project can be deployed.
If the appliance type is not being successfully detected, try using the Detect Appliance Type function from the Server Control menu.
Chapter 6
Adonis DNS
DNS is a wide-ranging topic and a detailed explanation is beyond the scope of this administration guide. Server configuration and administration is intuitive with Adonis, and the critical topics are covered.
This chapter includes the following topics:
Adonis DNS Implementation on page 97 describes the Adonis-specific implementation of DNS services.
DNS Services on page 98 explains how DNS services are controllable through the Administration Console.
Managing Servers and Zones on page 104 describes how DNS zones and sub-zones form the hierarchical structure of the DNS system.
Resource Records on page 101 describes how resource records define the characteristics of the individual hosts that are referred to in a DNS zone.
Managing Resource Records on page 117 describes how resource records can change dramatically and how to manage those changes using the tools provided with Adonis.
servers containing undelegated zone data of no interest. Root delegation only is a server option enabled directly from the Management Console. It is used to enforce delegation-only for top-level domains (TLD) and root zones, with the option to add specific domains to exclude or to load the default list.
Enable/Disable Resource Records: When a zone is disabled, the Management Console selectively disables dependent records outside the zone without manual intervention by the administrator. This is similar to the enable/disable zone feature, but on a per-record basis.
Auto Generate: Auto generate can be used where a BIND $GENERATE statement is employed. It creates a series of resource records differing only by an iterator (for easily generating the record sets required to support sub-/24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA delegation). The process of automatically generating resource records creates a single host entry in the project file. When synchronized, Adonis creates the actual records on the server.
Configuration Migration: Existing DNS configurations can be migrated with the Management Console, eliminating tedious recreation and re-entering of zone data. Migration imports DNS files created with both current and earlier releases of the BIND software (including versions 4.x, 8.x, and 9.x). Microsoft Windows DNS configurations can be extracted with the Adonis Extraction Tool. After importing the configuration into the Management Console, check for previous errors and perform data validation using Data Checker, and the Live Data Check and Validation tools.
Automatic Serial Number Generation: The Start of Authority (SOA) resource record for a zone identifies which primary master name server is authoritative (the best source of information) for the zone. SOA records contain important settings for refreshing the data in the zone. One of these settings is the serial number, a unique identifying number that applies to all data in the zone. This option is set by default to auto, enabling a special algorithm to determine the correct setting.
Configuration Statistics: Generate a statistical summary of your DNS configuration using the Management Console. Statistics on the number of servers, zones, and addresses provide useful data on the size of your network infrastructure.
Supported DNS RFCs: Adonis is fully compliant with the following DNS RFCs: 1034, 1035, 1995, 1996, 2136, 2317, 2782.
DNS Services
Adonis uses ISC BIND to provide its DNS service. Normally, this service is configured in a text editor. Adonis provides graphical configuration of this network service. You can create a DNS service in three different ways:
Creating a new project file is described in Creating a New Project File on page 71.
Creating a DNS service on an existing server is described in Editing a Project File on page 88.
Creating a new server in an existing project file is described in Adding Servers on page 89.
To check whether BIND is running, type isrunning bind, and then press Enter.
3 Using the Display drop-down list in the Version Information section, select the version information to display when a version query is issued to the server.
4 Choose from the following options to specify the response given to a server version query:
[Disabled]: Send no response.
Adonis Server: Send the version of the appliance.
[BIND Version]: Send the version of BIND that is running on the appliance.
Custom Text: Send a customized text response.
5 If you select Custom Text, click Browse, and then type the version text in the Edit Version Text dialog box.
3 To change a server option, double-click it. A dialog box appears to allow you to make changes to that particular option. For some options, deselect the Use default checkbox to enable the other options in the dialog box.
4 Make the necessary changes, using Add, Edit, Remove, Move Up, and Move Down on the dialog boxes to open additional dialog boxes, where applicable.
For numeric options, you can type a number in the available field. For yes/no options, you can select yes, no, or default. For the transfer-format option, select one-answer, many-answers or default. For some options, the Add and Edit dialog boxes include an Exclude option which, when selected, indicates that the address should be ignored. This lets you add an entire subnet, and exclude individual IP addresses.
5 Click OK.
Options configured at the views level are inherited by all zones within that view and take precedence over the options configured at the DNS service level. Options configured at the zones level only affect the zone itself and take precedence over the options configured at both the DNS service level and the views level.
Resource Records
You create Resource Records on the Resource Records tab in the detail pane. The Resource Records toolbar appears when you select a zone and includes tools that allow you to create the following types of record:
New Host Record (A): A host record resolves a Fully Qualified Domain Name (FQDN) to an IP address for a device. A host record requires a name and an IP address (multiple addresses may exist for the same device). You can set the TTL for this record to override the value assigned in the SOA record.
New Quad-A Record (AAAA): You can use host records in Adonis to indicate IPv6 hosts by including an IPv6 address rather than an IPv4 address in the record. Using the AAAA host record format, several names can refer to a single address. This can be done with multiple host records rather than using a CNAME or Alias record. Also, a single name can refer to several different addresses. When multiple host records are associated this way, they should be listed together, as BIND processes them in a round-robin fashion when responding to queries. IPv4 and IPv6 addresses can be mixed within the same zone.
New Alias Record (CNAME): This is a Canonical Name record, used to specify an alias for a host name. The Alias record type only requires a name to be supplied. You can set the TTL for this record to an override value.
New Name Server Record (NS): Name Server records are always used in conjunction with a host record, also known as a glue record. The NS record refers to the DNS name for the server that hosts this zone. With DNS delegation a subzone can be hosted on any server, so these records are essential in answering DNS queries and making the system work. This NS record is qualified within the same zone by a host record that points to the actual IP address of the server. Along with the SOA record for the zone, this defines the server that has been delegated the hosting for this zone.
New Mail Exchanger Record (MX): A Mail Exchanger record designates the host name and preference value for a mail server or exchanger for this zone as defined in RFC 974. An MX record requires a name and a priority value (an integer value). Priorities with lower values are chosen first in assessing delivery options. You can set the TTL for this record to an override value.
New Service Record (SRV): Service records define services that are available within the zone, such as LDAP. A Service record requires a name by which it is known within Adonis. You can set the TTL for this record to an override value.
Options     Description
Priority    The lowest value has greatest precedence. This is an integer.
Port        The port on which the service is available.
Weight      If two services within Adonis have equal priority, the weight value is checked. If the weight for one object is higher than another, the one with the higher weight has its resource records returned first. This is an integer.
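The following Python is an added example, not code from the Adonis guide or from BIND. It implements the client-side ordering that RFC 2782 prescribes for the Priority and Weight values in the table above: targets are grouped by priority (lowest first), within one priority a weighted random choice decides which target is tried first, and weight-0 targets are chosen only when nothing else is left. The LDAP record values are constructed for illustration.

```python
"""
Added example (not code from the Adonis guide or from BIND): RFC 2782
target selection for SRV records.  Records are grouped by Priority, and
within a priority the Weight steers a running-sum random choice.
Sample record values are constructed.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def order_targets(records: List[SrvRecord],
                  seed: Optional[int] = None) -> List[SrvRecord]:
    """Return the records in the order a client should try them."""
    rng = random.Random(seed)
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        # RFC 2782: weight-0 entries go to the front of the list so the
        # running-sum selection below only picks them when the random
        # number is 0 (or when nothing weighted is left).
        group.sort(key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)  # inclusive at both ends
            running = 0
            for idx, rec in enumerate(group):
                running += rec.weight
                if running >= pick:
                    ordered.append(group.pop(idx))
                    break
    return ordered


def first_target_frequency(records: List[SrvRecord], trials: int = 2000,
                           seed: int = 42) -> Dict[str, float]:
    """Fraction of trials in which each target was tried first.

    With weights 60 and 20 at the same priority, the heavier target should
    come first about 61/81 (roughly 75%) of the time.
    """
    seeds = random.Random(seed)
    counts: Dict[str, int] = {}
    for _ in range(trials):
        first = order_targets(records, seed=seeds.randrange(1 << 30))[0].target
        counts[first] = counts.get(first, 0) + 1
    return {t: c / trials for t, c in counts.items()}


if __name__ == "__main__":
    # Constructed _ldap._tcp records: two weighted primaries and a backup.
    ldap = [SrvRecord(10, 60, 389, "ldap1.example.com"),
            SrvRecord(10, 20, 389, "ldap2.example.com"),
            SrvRecord(20, 0, 389, "ldap-backup.example.com")]
    print([r.target for r in order_targets(ldap, seed=1)])
    print(first_target_frequency(ldap))
```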
New Pointer Record (PTR): Pointer records are used to resolve IP addresses to FQDNs. They can be thought of as the opposite of a host record. Within an in-addr.arpa zone, PTR records associate an IP address with DNS information. For more information, see Reverse DNS on page 123.
New Text Record (TXT): Text records can be used to associate arbitrary text with a host name. They include Name and Text fields, and support record types such as those used in Sender Policy Framework (SPF) email validation. You can set the TTL for this record to an override value.
New Naming Authority Record (NAPTR): NAPTR records are used to specify settings for applications such as VoIP. They are used in Adonis to populate ENUM zones. For more information, see ENUM and VoIP on page 123.
New Custom Resource Record: Create custom resource records.
Type: This field appears in the New Other dialog box. For more information, see Custom Resource Records on page 102.
Text: Shows descriptive text. This field appears in the New Text dialog box.
Weight: This value controls the distribution of load balancing for a service running on multiple servers. It accepts values between 0 and 65535. Higher values are used more often than lower values. A value of zero indicates load balancing does not occur. This field appears in the New Service dialog box.
Adding Zones
You can add the following zone types:
Master Zones (see Adding a Master Zone on page 105)
Slave Zones (see Adding a Slave Zone on page 106)
Cache Zones (see Adding a Cache Zone on page 108)
Forwarding Zones (see Adding a Forwarding Zone on page 109)
Stub Zones (see Adding a Stub Zone on page 110)
Delegation Only Zones (see Adding a Delegation Only Zone on page 110)
2 In the Name field type the name of the zone, and then click OK.
To apply a template to the new zone, select the Apply Template checkbox. This checkbox and the associated drop-down list are inactive until you create at least one zone template.
2 From the Zone Type drop-down list, select Reverse Zone.
To apply a template to the new zone, select the Apply Template checkbox. This checkbox and the associated drop-down list are inactive until you create at least one zone template.
3 Specify the zone parameters using one of these options:
By Address Type
in-addr.arpa notation
4 If you choose By Address Type, select one of the following classes from the Size Type drop-down list:
Class A
Class B
Class C
Class C (subnet)
If you select Class C (subnet), you must also indicate the Zone Format, Start Offset, Size, and Separator.
5 Complete the Partial Address field, and then click OK.
6 If you choose in-addr.arpa notation, type the zone address, and then click OK.
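The following Python is an added example, not code from the Adonis guide or from BIND. It builds the record set that a Class C (subnet) reverse zone implies under RFC 2317 (Classless IN-ADDR.ARPA delegation): from the parent /24 and the Start Offset, Size and Separator values of step 4 it derives the classless sub-zone name and the records the parent in-addr.arpa zone needs, namely NS records delegating the sub-zone and one CNAME per address, which is what the guide's Auto Generate feature (a BIND $GENERATE statement) expands to. The network 192.25.200.0/24 is taken from the guide; the name server names and the two separator conventions are assumptions.

```python
"""
Added example (not code from the Adonis guide or from BIND): RFC 2317
classless reverse delegation for a Class C (subnet) zone.  Produces the
sub-zone name and the NS + CNAME records for the parent /24 zone.
192.25.200.0/24 comes from the guide; the name servers are constructed.
"""
import ipaddress
from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner name, type, rdata), all absolute


def reverse_name(network: str) -> str:
    """'192.25.200.0/24' -> '200.25.192.in-addr.arpa'."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("only IPv4 /24 parent zones are handled here")
    o1, o2, o3, _ = str(net.network_address).split(".")
    return f"{o3}.{o2}.{o1}.in-addr.arpa"


def subzone_name(parent: str, start: int, size: int, separator: str) -> str:
    """Name of the classless sub-zone below the parent.

    Separator '/' gives the label 'start/prefix-length' (the RFC 2317
    example style); '-' gives 'start-end'.  Size must be a power of two and
    the start offset must be aligned to it, otherwise the block is not a
    valid CIDR sub-block of the /24 and the delegation would be wrong.
    """
    if size <= 0 or size > 256 or size & (size - 1):
        raise ValueError("size must be a power of two no larger than 256")
    if start % size or start + size > 256:
        raise ValueError("start offset must be aligned to size and fit in the /24")
    prefix_len = 32 - (size.bit_length() - 1)
    if separator == "/":
        label = f"{start}/{prefix_len}"
    elif separator == "-":
        label = f"{start}-{start + size - 1}"
    else:
        raise ValueError("separator must be '/' or '-'")
    return f"{label}.{parent}"


def delegation_records(network: str, start: int, size: int, separator: str,
                       nameservers: List[str]) -> List[Record]:
    """Records to add to the parent /24 zone for one classless delegation."""
    parent = reverse_name(network)
    sub = subzone_name(parent, start, size, separator)
    records: List[Record] = [(f"{sub}.", "NS", ns.rstrip(".") + ".")
                             for ns in nameservers]
    # The $GENERATE-style part: each address label in the parent becomes an
    # alias for the same label inside the delegated sub-zone, e.g.
    # 10.200.25.192.in-addr.arpa. CNAME 10.0/26.200.25.192.in-addr.arpa.
    for host in range(start, start + size):
        records.append((f"{host}.{parent}.", "CNAME", f"{host}.{sub}."))
    return records


def zone_file_lines(records: List[Record]) -> List[str]:
    """Render records in master-file syntax for the parent zone."""
    return [f"{owner}\tIN\t{rtype}\t{rdata}" for owner, rtype, rdata in records]


if __name__ == "__main__":
    recs = delegation_records("192.25.200.0/24", 0, 64, "/", ["ns1.example.com"])
    for line in zone_file_lines(recs)[:4]:
        print(line)
```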
2 Specify the zone name using one of these options:
Choose Master: Use this option if the master zone that this slave mirrors resides within the same Adonis configuration (which it should). Click the field for this option to display the Select Master Zone dialog box and select a zone to associate with the slave zone.
Provide Master: Use this option if the master zone does not reside within the same Adonis configuration and a remote server is being referenced. Enter a zone name in the Name field and the IP address for the server containing the master zone in the IP Address field.
3 Modify the allow transfer and notify options on the master to include this slave.
When these options are set to yes (default) and a query is being answered from authoritative data, the additional data section of the reply is completed using data for this alias record from other authoritative zones. If only additional-from-cache is set to yes, then the server provides the extra data if it is available within its cache. All other combinations generate a REFUSED response to the query. This option is used at the service and views levels.
auth-nxdomain: If this option is set to yes, the name server can answer authoritatively when returning an nxdomain (domain does not exist) response. If it is set to no, the server cannot answer authoritatively.
Recursive DNS
Recursive DNS is necessary for answering queries that are not within a zone for which the DNS server is authoritative. A query can automatically be sent to another name server through the use of a forwarder or stub zone, but often recursive DNS is used to refer to a non-authoritative DNS server taking responsibility for a query. The caching DNS server uses iterative queries to all of the required DNS servers starting at the root zone, then to a top-level domain server and so on, until it has a final answer for the client or resolver. This section describes the zone types and DNS options related to recursive DNS.
To use this option, select the Use Custom Root Servers checkbox.
When you provide new zone information, the new zone appears beneath the name of the view or zone in the tree-view pane of the Management Console.
max-cache-size: This option uses an unsigned 16-bit integer value to define the maximum size for the DNS cache in bytes. This option is used at the service and views levels.
max-cache-ttl: This option defines the upper limit in seconds of the Time to Live (TTL) for cached records. The default setting is 604800 seconds (one week). This option is used at the service and views levels.
max-ncache-ttl: This option limits the TTL in seconds for cached negative records. The default setting is 10800 seconds (three hours). This option is used at the service and views levels.
root-delegation-only: This option enables the enforcement of delegation-only in TLD and root zones, with an optional exclude list. This option is used at the service level.
Sort List: This creates a list of IP addresses that the server uses to sort the results of a name lookup. If a query generates multiple addresses, the resolver refers to the sort list and tries the items in the list. This option is used at the service and views levels.
cleaning-interval: This is the interval in minutes at which the server checks for, and removes, expired resource records from the cache (default is 60 minutes). This option is used at the service and views levels.
lame-ttl: This option specifies the time interval in seconds during which the server avoids requesting data from a remote server that is listed as authoritative but is not responding authoritatively. The default value for this option is 600 seconds. This option is used at the service level.
2 Specify the zone name using one of these options:
Choose Master: Use this option if the master zone resides on an Adonis appliance. Click the field to the right of this option to open the Select Master Zone dialog box and select a zone.
Provide Master: Use this option if the master zone does not reside on an Adonis appliance, or if you are referencing a remote server. Type the Name and IP Address of the master zone in the available fields.
Chapter 6: Adonis DNS
Forwarding zones require recursion to be enabled. You must set the Allow Recursion option for the view or DNS service to Yes. Two DNS options apply directly to forwarders.
Forwarding: This is a list of the IP addresses of servers that are designated as forwarders. Off-site queries requiring recursive resolution are sent to these forwarders, thereby helping to efficiently manage traffic on your network. These addresses are listed in order of preference. This option is used at all levels.
Forwarding Mode: This option indicates whether requests are forwarded only to the forwarders, or are forwarded there first and, if not answered, are answered by this server. This option is used at the DNS service level.
2 Specify the zone name using one of these options:
Choose Master: Use this option if the master zone resides on an Adonis appliance. Click the field to the right of this option to open the Select Master Zone dialog box and select a zone.
Provide Master: Use this option if the master zone does not reside on an Adonis appliance, or if you are referencing a remote server. Type the Name and IP Address of the master zone in the available fields.
2 Type the zone name in the Name field, and then click OK.
Renaming Zones
To rename a zone:
1 In the tree-view pane, right-click the zone that you want to rename, and then select Rename from the context menu. The Rename Zone dialog box opens.
2 Type the new name in the Zone Name field.
3 To allow Adonis to update all your resource records within this zone and reflect the change, select the Rename all sub-zones checkbox.
4 Click OK. The dialog box closes and the new name is displayed in the tree-view pane.
Refreshing Zones
If you are using DDNS to update master DNS zones automatically (for example, to keep up-to-date with your DHCP service), the changes take place on the Adonis server, but not in the Management Console.
2 Type the server password.
3 Click OK. This updates the entries in the Management Console. After you have refreshed a zone, the connection to the server stays open. If you need to refresh the same zone again or another zone, click Refresh from Server.
Deleting Zones
To delete a zone:
1 In the tree-view pane, right-click the zone that you want to delete, and then select Delete from the context menu.
If you accidentally delete a zone, from the Edit menu, select Undo. This function can be used to step back through multiple changes in the console.
Disabling Zones
You can create live configurations and serve DNS data only for zones that are fully prepared (for example, all web, email, and database servers are online and ready for production). When you disable a zone, Adonis automatically disables all resource records associated with that zone. For more information, see Editing and Deleting Resource Records on page 121.
To disable a zone:
1 In the tree-view pane of the Management Console, right-click the zone you want to disable.
2 Select Disable Zone from the context menu. The zone is now disabled.
To enable a disabled zone, right-click the zone and then select Enable Zone.
3 To change a setting, double-click the option. An option-specific dialog box opens. Use it to make changes for that particular option. For some options, you must clear the Use default checkbox first to enable the other options in the dialog box.
4 Make the necessary changes using Add, Edit, Remove, Move Up, and Move Down. Additional dialog boxes may open, depending on the option you select.
For most options, the Add and Edit dialog boxes have an Exclude checkbox, which indicates that the address should be ignored. You can then add an entire subnet and exclude individual IP addresses.
5 Click OK.
2 Clear the Default Settings checkbox, and then type new values in the fields you want to change:
Primary Server: The name of the primary master name server for the zone.
Contact e-mail: The zone administrator's e-mail address.
Serial #: A unique identifying number that applies to all data in the zone. The serial number is set to auto because Adonis uses a special algorithm to determine the correct setting; you cannot change it.
Refresh Interval: The time period in seconds after which slaves for the zone check to make sure the zone data is up-to-date. The default setting is 10800 seconds (three hours).
Retry Interval: The time period in seconds after which slaves try to reconnect to the master name server if the attempt made after the refresh interval failed. The default setting is 3600 seconds (one hour).
Expiry Time: The time period in seconds after which slaves that have failed to connect with the master name server stop providing information about the zone. After the time has passed, the resource records for the zone are considered too old to be useful. The default setting is 604800 seconds (one week).
Minimum TTL: The minimum duration in seconds that a caching server stores zone data before discarding it and acquiring updated data. The default setting is 86400 seconds (one day).
Default TTL: The default duration in seconds that the master name server caches zone data before discarding it and acquiring updated data. The default setting is 3600 seconds (one hour).
3 Select the time values you want to use from the drop-down lists, and then click OK.
4 To see your edited values, click a master zone, and then select its Start of Authority tab.
2 To modify a setting, click the field you want to edit. A dialog box opens for you to make the necessary changes.
3 Type a new value, and then select a time unit from the drop-down list.
4 To return a setting to its default value, select the Use Default Setting checkbox.
5 Click OK.
Zone Templates
Adonis supports the use of zone templates for creating zones. A template is a generic zone with settings that can be applied to a new or existing zone. Records in the template are automatically added to the zone, as are configuration settings. Records added to the template are updated in each linked zone whenever they are updated in the template. However, template configuration settings are not updated in a zone once that zone has been updated from the template. Manually editing a record or setting in a zone linked to a template breaks the link between that record or setting in the template and the zone.
Records in a particular zone that came from a template are no longer updated from the template after they have been updated once in that zone.
3 In the detail pane, click the Template tab.
4 Click the Link To: field. The Select Zone Template dialog box opens.
5 Select a template from the list, and then click OK.
To unlink a zone template:
1 In the tree-view pane of the Management Console, highlight the zone you want to unlink.
2 In the detail pane, click the Template tab.
3 Click the Link To: field. The Select Zone Template dialog box opens.
4 Select the Unlink zone from template option, and then click OK.
Access Controls
These options control whether transfers take place, and which servers are notified of changes to master zones.
Allow Transfer: This option prevents zone transfers between Adonis and any IP addresses except those specified in the option. As a zone option, it restricts transfers of one particular zone. As a server option, it restricts all zone transfers and is set by default to allow only your slave servers to transfer zones (you can expand this permissions list). The list for a particular zone overrides the list for the corresponding server. This option is used at all levels.
notify: This option indicates whether or not zone transfers from the primary master to the slaves occur immediately after zone updates on the master. The default setting is yes, which helps to avoid lengthy propagation times. This option is used at all levels.
Notify List: This option is a list of IP addresses that receive zone transfers from the primary master immediately after zones are updated on the master. For servers, the default list includes the IP addresses of all name servers that you have set up within the Management Console. This option is used at all levels.
Transfer Controls
These options control the relevant time intervals, format, number of connections, and dial-up properties associated with zone transfers.
max-transfer-idle-in: This option is only applicable to master servers. It is the maximum time in minutes that an inbound zone transfer remains idle without timing out. The default for both servers and zones is 60 minutes. This option is used at all levels.
max-transfer-idle-out: This option is only applicable to master servers. It is the maximum time in minutes that an outbound zone transfer remains idle without timing out. The default for both servers and zones is 60 minutes. This option is used at all levels.
max-transfer-time-in: This option is the maximum time in minutes allowed for a single inbound zone transfer connection to a slave server. The default for both servers and zones is 120 minutes. This option is used at all levels.
max-transfer-time-out: This option is the maximum time in minutes allowed for a single outbound zone transfer connection to a slave server. The default for both servers and zones is 120 minutes. This option is used at all levels.
transfer-format: This option controls whether the format of zone transfers from the master to the slaves is one-answer, which carries only one resource record in each DNS message, or many-answers, which carries as many resource records as possible in each DNS message. The default setting is many-answers. This option is used at the service and views levels.
transfers-in: This option limits the total number of inbound zone transfers from all remote servers that the local name server requests at any one time. The default setting is 10 transfers. Increasing this setting may speed up the convergence of slave zones, but it may also increase the load on the local system. This option is used at the service level.
transfers-out: This option limits the total number of concurrent outbound zone transfers per master server to all remote servers. The default value is 10. This option is used at the service level.
transfers-per-ns: Used by slave servers, this option limits the total number of inbound zone transfers from any single remote name server that this server requests at any one time. The default is 10 transfers. This option is used at the service level.
dialup: This option marks whether or not zone transfers occur as if they are across a dial-on-demand dialup link. For servers, this option refers to all of the server's zones. The setting for a particular zone overrides the setting for the corresponding server. The default for both servers and zones is no. This option is used at all levels.
heartbeat-interval: This option indicates the frequency in minutes at which the name server brings up its dial-on-demand connection for all zones marked as dialup (default is 60 minutes). This is a service level option.
3 In the Start and End fields, type the values to start and stop numbering your records.
4 In the Step field, type the increment that you want to use between iterations.
5 In the Name field, type the name for your auto-generated records. Type the dollar symbol ($) as a place-holder for the generated number. For example, if the Start value is set at 5, the End value is 25, the Step value is 5, and the Name value is mytest$, Adonis auto-generates the following incremental records:
mytest5
mytest10
mytest15
mytest20
mytest25
6 From the Type list, select a type of record (Alias, Host, Name Server, or Pointer).
7 In the Host field, type the IP address for the first auto-generated record, using $ as the place-holder for the auto-generated integer. The following list shows the auto-generated record addresses:
172.16.0.5
172.16.0.10
172.16.0.15
172.16.0.20
172.16.0.25
8 Click OK. The auto-generated records appear in the detail pane of the Management Console. These records are created on the appliance when you deploy the project file and it synchronizes with the server.
2 On the Resource Records toolbar, click Generate Records Incrementally. The Generate Records Incrementally dialog box opens.
3 In the Start and End fields, type a value for the start and end numbers of your records.
4 In the Step field, type the increment that you want to use between iterations. For example, type 1 if you want to step up one at a time.
5 In the Name field, type a name for your incremental records. Type the dollar symbol ($) as a place-holder for the generated number. For example, if the Start value is 5, the End value is 25, the Step is 5, and the Name is mytest$, Adonis generates the following incremental records:
mytest5
mytest10
mytest15
mytest20
mytest25
6 From the Type list, select a type of record (Alias, Host, Name Server, or Pointer).
7 In the Host field, type the name or IP address of the host with which the records are to be associated: for Alias, Name Server, and Pointer records, type the host name; for Host records, type the host IP address.
To create and maintain reverse address pointers for host records, select the Add reverse entries checkbox. This checkbox is not active until you select Host as the record type.
8 To prevent a record from being created if one already exists, select the Prevent duplicate records checkbox.
9 Click OK. The list of incremental records appears in the detail pane.
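The record expansion that both Generate Records Incrementally procedures above describe, as an added example in Python (not Adonis code): it fills the $ placeholder in the Name and Host fields for each step, honours the Prevent duplicate records and Add reverse entries checkboxes, and rejects a generated Host address that is not valid. The record types and field names come from the dialog; the function and class names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Record types offered by the Generate Records Incrementally dialog.
RECORD_TYPES = {"Alias", "Host", "Name Server", "Pointer"}


@dataclass(frozen=True)
class GeneratedRecord:
    name: str
    rtype: str
    host: str  # IP address for Host records, a host name for the other types


def fill_placeholder(template: str, n: int) -> str:
    """Replace every '$' in the template with the generated integer."""
    return template.replace("$", str(n))


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an address, e.g. 5.0.16.172.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def generate_incremental(
    start: int,
    end: int,
    step: int,
    name_template: str,
    rtype: str,
    host_template: str,
    add_reverse: bool = False,
    prevent_duplicates: bool = False,
    existing_names: Iterable[str] = (),
) -> List[GeneratedRecord]:
    """Expand Start/End/Step into records the way the dialog's fields describe."""
    if step <= 0:
        raise ValueError("Step must be a positive integer")
    if rtype not in RECORD_TYPES:
        raise ValueError(f"unsupported record type {rtype!r}")
    if "$" not in name_template:
        raise ValueError("Name needs a $ placeholder, otherwise every record gets the same name")

    # DNS names are case-insensitive, so duplicates are detected on the lowercased name.
    seen = {n.lower() for n in existing_names}
    records: List[GeneratedRecord] = []
    for n in range(start, end + 1, step):
        name = fill_placeholder(name_template, n)
        host = fill_placeholder(host_template, n)
        if rtype == "Host":
            # Reject a generated address that runs past the octet range (e.g. 172.16.0.260).
            ipaddress.ip_address(host)
        if prevent_duplicates:
            if name.lower() in seen:
                continue
            seen.add(name.lower())
        records.append(GeneratedRecord(name, rtype, host))
        if add_reverse and rtype == "Host":
            # The Add reverse entries checkbox: a PTR record pointing back at the host name.
            records.append(GeneratedRecord(reverse_name(host), "Pointer", name))
    return records


if __name__ == "__main__":
    # The example values from the procedure: mytest5 .. mytest25 at 172.16.0.5 .. 172.16.0.25.
    for rec in generate_incremental(5, 25, 5, "mytest$", "Host", "172.16.0.$", add_reverse=True):
        print(rec)
```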
Chapter 7
Advanced DNS
Adonis has advanced DNS capabilities that can support complicated network topologies. This chapter includes the following topics:
Reverse DNS on page 123 discusses Reverse DNS as an integral part of modern dynamic networks.
Dynamic DNS on page 128 explains how Dynamic DNS can update reverse DNS zones with information about dynamic network clients.
Integrating Active Directory on page 130 contains information about integrating Microsoft Active Directory (AD) with Adonis.
Checking the Data on page 132 discusses the tools available to check the integrity and efficiency of the DNS data in a project file.
Transaction Signatures on page 140 introduces Transaction Signatures (TSIG) and how they provide a certificate-based authentication system for DNS and DDNS from DHCP servers. This enables trusted transfers and modifications of DNS information. Adonis appliances use TSIGs to protect all transfers between them.
DNS Queries on page 144 describes how Adonis can control access for DNS queries and deliver a customized response using DNS Views. Sophisticated query logging capabilities also provide Adonis with in-depth DNS tracking and auditing.
DNS and IPv6 on page 151 describes how to use DNS in an IPv6 environment with Adonis.
Reverse DNS
Reverse DNS is used to translate IP addresses into DNS names. It is a critical component in dynamic networks to ensure proper routing. The zones used to store this information contain special records (for example, PTR and NAPTR records) that are designed to provide reverse DNS information for a given address. Reverse DNS is an essential component of the Microsoft Active Directory service, and it provides the DNS functionality necessary to operate VoIP packet-based telephony. Reverse DNS is often populated using DDNS in conjunction with a DHCP server. For more information, see Dynamic DNS on page 128. Some ISPs delegate the responsibility for maintaining reverse DNS to their clients. For more information, see Delegating Subnets on page 126.
devices as defined in RFC 3401. Reverse DNS is used to discover the relevant information for a device based on its phone number alone, and NAPTR records are used to represent this information. ENUM zones, also known as in-addr.arpa zones or e.164 zones, provide VoIP functionality within a DNS server. ENUM zones contain special sub-zones called prefixes that represent telephone exchanges and can contain the records for the actual devices. Within the prefixes, the last four digits of the phone number after the exchange are the only ones entered for the record. The structure of the zones and prefixes dictates the exchange and area code for this number.
Provisioning a VoIP service requires many systems, including DNS to manage the phone numbers associated with client end points. Adonis uses a reverse DNS zone to create the ENUM structure for each desired area code. This reverse zone is populated with sub-zones that represent all of the required telephone exchanges. Finally, NAPTR records are added to represent the individual VoIP devices.
The naming convention for the ENUM and prefix zones involves reversing the digits and placing a dot between each digit. Thus, for the phone number 1-416-555-1212, the ENUM zone is 6.1.4.1, and the prefix zone is 5.5.5. This could also be represented with a 1 zone for the country code with a 6.1.4 ENUM zone beneath it, depending on your requirements. When you add the ENUM zone, a reverse master zone is added with the button highlighted for the in-addr.arpa notation option. The following figure shows an ENUM zone within the Management Console.
2 Type information in the following fields:
Name: The name for the record.
Order: Specifies the order in which NAPTR records are read, with the lowest value being selected first.
Preference: Determines the order in which NAPTR records with the same Order should be processed. It functions similarly to the preference field in an MX record.
Flags: Values 0-9 and a-z can be used as flags to control aspects of the rewriting and interpretation of the fields in the NAPTR record. Because different replacements and interpretations can be required when using NAPTR records, these flags can be useful in dictating behaviors for the host VoIP application.
Service: The service that this NAPTR record uses. The available service types are described in the IANA ENUM Service definition, available from IANA. A client attempts to match against this service type.
Regular Expression: Regular Expressions or URIs are strings that are used in the Dynamic Delegation Discovery System as described in RFC 3401.
Replacement: If the regular expression statement is being used as a simple replacement, this field can provide a domain name. Returning both fields is considered an error, so simple replacement using the regular expression field is the only case where this field should be used.
TTL: This is a standard Time To Live value for this record.
Comment: Type any comments that should be associated with this record.
3 Click OK.
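The naming convention and the NAPTR field rules described above, as an added example in Python (not Adonis code): it derives the ENUM zone, prefix zone and record label for a phone number, builds a NAPTR record that refuses to carry both a Regular Expression and a Replacement, and orders records by Order and Preference. The e164.arpa suffix and the 1/3/3 digit split are assumptions, not something the page specifies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: the public ENUM tree suffix; Adonis builds its own reverse zone per area code.
ENUM_SUFFIX = "e164.arpa"


def e164_digits(number: str) -> str:
    """Strip separators from a phone number, keeping only its digits."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError(f"no digits in {number!r}")
    return digits


def reversed_labels(digits: str) -> str:
    """Reverse the digits and put a dot between each one: '1416' -> '6.1.4.1'."""
    return ".".join(reversed(digits))


def enum_structure(number: str, country_len: int = 1, area_len: int = 3,
                   exchange_len: int = 3, suffix: str = ENUM_SUFFIX) -> Dict[str, str]:
    """Split a number into the ENUM zone, the prefix (exchange) zone and the record label.

    The split lengths are assumptions for North American numbers; ENUM itself does not fix them.
    """
    d = e164_digits(number)
    country_area = d[: country_len + area_len]
    exchange = d[country_len + area_len: country_len + area_len + exchange_len]
    subscriber = d[country_len + area_len + exchange_len:]
    if not subscriber:
        raise ValueError("number is too short for the requested zone split")
    enum_zone = reversed_labels(country_area)
    prefix_zone = reversed_labels(exchange)
    record_label = reversed_labels(subscriber)
    return {
        "enum_zone": enum_zone,
        "prefix_zone": prefix_zone,
        "record_label": record_label,
        # The full owner name is simply the whole number reversed beneath the suffix.
        "owner": f"{record_label}.{prefix_zone}.{enum_zone}.{suffix}",
    }


@dataclass(frozen=True)
class Naptr:
    """The fields of the NAPTR dialog, validated the way the field descriptions require."""
    name: str
    order: int
    preference: int
    flags: str
    service: str
    regexp: str = ""
    replacement: str = ""
    ttl: int = 3600

    def __post_init__(self) -> None:
        for value, label in ((self.order, "Order"), (self.preference, "Preference")):
            if not 0 <= value <= 65535:
                raise ValueError(f"{label} must be a 16-bit unsigned integer")
        if not re.fullmatch(r"[0-9A-Za-z]*", self.flags):
            raise ValueError("Flags may only contain 0-9 and a-z")
        if self.regexp and self.replacement:
            raise ValueError("Regular Expression and Replacement must not both be set")

    def presentation(self) -> str:
        """Zone-file form; an empty Replacement is written as the root label '.'."""
        repl = self.replacement or "."
        return (f'{self.name} {self.ttl} IN NAPTR {self.order} {self.preference} '
                f'"{self.flags}" "{self.service}" "{self.regexp}" {repl}')


def evaluation_order(records: List[Naptr]) -> List[Naptr]:
    """Lowest Order first; Preference breaks ties, like the MX preference field."""
    return sorted(records, key=lambda r: (r.order, r.preference))


if __name__ == "__main__":
    s = enum_structure("1-416-555-1212")
    print(s)
    # Constructed SIP URI for the device; the regexp is the common "rewrite everything" form.
    rec = Naptr(s["record_label"], 100, 10, "u", "E2U+sip", regexp="!^.*$!sip:info@example.com!")
    print(rec.presentation())
```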
Delegating Subnets
The Subnet Delegation Wizard enables the management of a block of addresses for delegation to another reverse DNS server. This is useful, for example, where an ISP wants to delegate management of an organization's reverse DNS resolution to that organization. The ISP delegates a block of addresses and the organization maintains all of the reverse PTR records for the subnet. When DNS changes occur, they can be managed by the organization instead of the ISP. This feature also enables organizations to manage their own DNS architecture and security. For more information, see Adding a Master Zone on page 105.
4 Specify the offset from the beginning of the zone for the subnet that is delegated, choose the CIDR notation to indicate the proper size for the subnet, select a separator, and then click Next.
5 Click Add, and then type the name server address in the New Delegate dialog box.
6 Click Next, and then click Finish. On the Resource Records tab Adonis adds an auto-generated Alias record and Name Server records.
To edit a delegation:
1 On the Resource Records tab, double-click the Name Server record for the delegated server. The Name Server dialog box appears.
2 Edit the Name and Host information, and then type a TTL and an optional comment.
3 Click OK.
To delete a delegation:
1 On the Resource Records tab, right-click the record for the delegated server.
2 From the context menu, select Delete.
Dynamic DNS
Dynamic DNS (DDNS) is the system by which updates to DHCP address assignments are reflected in the DNS records for these hosts. DDNS is an essential part of reverse DNS. It also plays a critical role in Microsoft's Active Directory technology, because Active Directory looks up dynamically configured hosts using reverse DNS. DDNS enables a DNS server to accept updates regarding the IP addresses of dynamic IP or DHCP clients. Every time a dynamic client changes its IP address, the DNS server receives an update, and the DNS server associates this IP address with a DNS name for the client. Dynamic data for an address is maintained if the DDNS Updates option is deployed in the DHCP range that contains that address. Any records that are generated dynamically are clearly marked as such when looking at the records for this zone. Dynamic updates are always deployed immediately to the Adonis server where they were generated.
DNS on the internal side often allows dynamic updates to the DNS server. DDNS allows hosts to update zone data dynamically. This process makes administration easier, especially with internal DNS, where it is common for a large number of internal hosts to be represented as records in the DNS database. Dynamic DNS eliminates the need to enter large numbers of records manually: using dynamic updates, authorized users, or the DHCP servers themselves, can add, delete, and change records on the fly. However, making use of DDNS does have the potential to open your network to certain vulnerabilities. In the wrong hands, dynamic updates can allow a user to dynamically update records on an organization's DNS server with bogus information. As such, dynamic updates should be restricted as much as possible. Best practice dictates ensuring that the DHCP servers are the only source of dynamic updates to records on the DNS server. This can be further secured using TSIG keys on the DHCP server. The Allow Dynamic Updates DNS option should be employed to create an Access Control List (ACL) for each dynamically updated zone. Only addresses matched on this list are allowed to send updates to the server for that zone.
Allow Update Forwarding: This option lets you specify which hosts are allowed to submit DDNS updates to slave zones to be forwarded to the master. The default is none, which means that no update forwarding occurs. Specifying values other than none is counterproductive unless required with Active Directory, because the responsibility for update access control must rest with the master, not the slaves.
Enabling the update forwarding feature on a slave could expose master servers to cache poisoning attacks by relying on an insecure slave IP address-based access control. This option is used at the service and views levels.
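An added example in Python (not Adonis code) of the Allow Dynamic Updates ACL described above, using the Exclude checkbox semantics from the Options tab: an entire subnet is allowed and individual addresses within it are excluded. The network addresses and zone name are constructed; the first-match rule, and the caveat that an exclude must precede the subnet it narrows, follow BIND address match list behaviour, which the page does not spell out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class AclEntry:
    network: Network
    exclude: bool = False  # the Exclude checkbox in the Add/Edit dialog


def entry(spec: str, exclude: bool = False) -> AclEntry:
    """Build an entry from '10.20.0.0/24' or a single address such as '10.20.0.250'."""
    return AclEntry(ipaddress.ip_network(spec, strict=False), exclude)


def build_acl(allowed: Iterable[str], excluded: Iterable[str] = ()) -> List[AclEntry]:
    """Order excluded addresses before the subnets they are carved out of.

    Matching is first-hit (as in a BIND address match list), so an exclude that
    comes after a subnet containing it would never be reached.
    """
    return [entry(s, exclude=True) for s in excluded] + [entry(s) for s in allowed]


def is_allowed(acl: List[AclEntry], source: str) -> bool:
    """First matching entry decides; an address matching nothing is denied."""
    addr = ipaddress.ip_address(source)
    for e in acl:
        if addr.version == e.network.version and addr in e.network:
            return not e.exclude
    return False


def check_update(acl: List[AclEntry], source: str, zone: str) -> str:
    """Decision the DNS server makes for a dynamic update arriving from `source`."""
    verdict = "accepted" if is_allowed(acl, source) else "refused"
    return f"update to {zone} from {source}: {verdict}"


if __name__ == "__main__":
    # Constructed example: the DHCP servers' subnet is allowed, one host in it is excluded.
    dhcp_acl = build_acl(["10.20.0.0/24"], excluded=["10.20.0.250"])
    for src in ("10.20.0.5", "10.20.0.250", "192.0.2.7"):
        print(check_update(dhcp_acl, src, "example.com"))
```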
Configuring DDNS
DDNS works by notifying a name server of any changes to a hosts IP address. This is useful when you are using DHCP to lease IP addresses dynamically. To set the IP address of the name server to which you want to send updates, type this command set name-server address, and then press Enter, replacing address with the appropriate address. To view the current address of the DDNS name server, type show name-server, and then press Enter.
On an XHA cluster, both Adonis nodes should be set to the same name server through their respective consoles.
In network configuration mode you can manage other DDNS settings and the name server: To set the DDNS name server, domain, or search suffix, use the following commands:
set ddns name-server data
set ddns domain data
set ddns search data
where name-server, domain or search is used as the parameter being set, and data is the data to populate the domain or search setting. To delete these settings, use del instead of set in the command. To display all of the DDNS settings use show ddns in network configuration mode.
Integrating Active Directory
3 Click Next. The Add Domain Controllers page appears.
4 To add the IP addresses of each of your Active Directory domain controllers, click Add. The Add Active Domain Controller dialog box opens.
5 Type the IP address of the Active Directory domain controller, and then click OK.
6 Repeat steps 4 and 5 until you have added all the Active Directory domain controllers.
7 Click Next, and then click Finish. Your zone icon changes to red, showing that you have enabled Active Directory.
An ACL is automatically created for your Active Directory domain controller(s). It is also added to the Allow Transfer and Allow Update options, which you can view by clicking the Options tab of the zone.
The Active Directory synchronization procedure may take hours, depending on the replication schedule of your Active Directory domain controllers. To shorten the synchronization time, type the following command at the command prompt on your Active Directory domain controller:
C:\>IPCONFIG /registerdns
After synchronization takes place, _SRV (service records) are displayed in the Active Directory zone in the Management Console. Service records have the following format:
An alternate synchronization method is to restart the Active Directory service on the Windows servers using the Net stop netlogon and Net start netlogon commands.
Data Check
Before transferring the project file to the appliance, you should perform a data check on the information. This procedure takes a few minutes, but it saves you time in the long run because it allows you to resolve issues in advance. If you have imported a project, this step is strongly recommended. For more information, see Checking the Data on page 91. You can customize data check rules for an Adonis project. For more information, see Modifying File
Checking the Data
2 Click Next. The Choose Action page appears.
3 Select one of these options:
Auto Match Resource Records: In an imported project file, this synchronizes all records in the zone with any correlated records and creates the required glue records.
Auto Create PTR Records: Creates the PTR records required for matching host records in a zone.
Add Delegation Records To Parent Zones: Ensures that all required NS records for a given zone exist in the Adonis project.
Delete Orphan PTR Records: Deletes PTR records that do not have a matching forward DNS entry.
4 Click Next. The Select Name Server, View, and Zone page appears.
5 Select the server from the Name Server drop-down list.
6 If this server has BIND views implemented, select a view from the View drop-down list.
7 To select the master zone, select the Select Zone checkbox. If this checkbox is clear, all zones for the view in question are selected.
8 Click Select master zone... and then select a zone in the Select Zone dialog box.
9 Click Next. The Inspecting Resource Records For Fixup page appears.
10 After viewing the results, click Next, and then click Finish.
2 From the Name Server drop-down list, select the server that you want to check.
3 From the View drop-down list, select the view that you want to check.
4 Click an option to specify the location from which you want to resolve issues:
Name Server: The name server itself that you previously specified.
Another Server: A different name server with another IP address or host name that you must specify in the available field.
5 If you want recursion, select the Allow recursion checkbox.
6 To perform recursive queries when recursion is not enabled on the server, select the Perform recursive queries when recursion is not available checkbox. The client performs recursive queries when checking data.
7 Select the communication method from the Communication Method list. The options are UDP (Datagram) or TCP (Socket).
8 Click Check.
The data check begins and displays a progress bar to show you the status as it processes the queries. When the data check is complete, the Live Data Check Results dialog box appears.
9 Correct any outstanding errors.
10 When you are finished reviewing the results, click Close.
2 In the Domain field, type the name of the domain you want to examine, and then click Look Up. A list of results appears in the Whois Lookup dialog box.
3 To select a Whois server to perform the lookup, click [...]. The Whois Servers List dialog box appears.
4 To add a server to a domain, select the domain, and then click Add. The New Server dialog box opens.
5 Type the FQDN of the server you want to add, select the appropriate server port from the drop-down list, and then click OK.
6 To edit a server, select it, and then click Edit. The Edit Server dialog box opens.
7 Edit the server name or change the server port, and then click OK.
8 To restore default values, click Restore Defaults. The Restore Defaults dialog box opens.
9 Select the appropriate option, and then click OK.
2 In the left pane, select from the following choices:
Summary: View a summary of all servers in the project file.
Server name: View a summary of the statistics for a particular server.
3 In the right pane, scroll through the list to see the details.
4 Click Close.
Transaction Signatures
By default, Adonis uses Transaction Signatures (TSIGs) to authenticate systems such as DHCP servers initiating DDNS updates and other DNS servers participating in zone transfers. When more than one Adonis appliance is deployed on a network, a shared secret TSIG key is configured on both appliances to secure all transfers of DNS information between them. A custom TSIG key can also be configured between the Adonis appliance and another kind of DNS or DHCP (DDNS) server. The DNS service on Adonis computes a hash value to determine if the TSIG key that the other machine is passing with the DNS information is authentic.
TSIG uses a shared secret and a one-way hash function to certify the data source and integrity for every zone transfer or dynamic update. This is much more secure than an ACL, because the data source is more difficult to spoof and the data integrity is also assured. This system works by including a special type of resource record with every transfer. The TSIG resource record contains a special hashed signature and it is never cached by either server. This signature is created through a one-way hash function, ensuring that it accurately represents the original data without revealing the original data. This hash function has two inputs:
the data being transferred
the shared secret key (TSIG)
Thus, the receiving server can ensure that the correct shared secret is present and that the data has not been modified in transit. If either of these conditions fails, the transfer or update is rejected.
Because TSIG is based on a shared secret rather than public key cryptography, there is an issue about transporting the key to all of the servers that need it. Any time that the key is exposed during transfer is an opportunity for it to be compromised. Traditionally, these keys are transported using secure email, SSH, or by courier.
The Management Console handles all of these details on behalf of users, ensuring that keys are securely deployed to the required appliances during project file deployment. When configuring keys for additional servers, alternative methods must be employed. The additional key is securely deployed to Adonis, but must be manually configured on the other server. The default TSIG configuration set up when the Adonis appliance is deployed should ensure the appropriate level of security for most situations. However, the following situations exist where additional TSIGs besides the defaults may be required:
Adonis acting as a master DNS server for a remote DNS slave server
Adonis acting as a slave to a remote DNS master server
Restricting DDNS updates between two Adonis appliances, or between Adonis and a remote server
In all three of these TSIG implementation situations, the DNS allow transfer option is implemented and the TSIG keys are used to validate the transfer. Because allow transfer accepts a TSIG key as a valid condition to check against, a server presenting the correct TSIG is allowed to perform a transfer of DNS information, whether it be a zone transfer or a DDNS update.
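A simplified model of the TSIG check described above, as an added example in Python (not Adonis or BIND code): the MAC is computed over the two inputs the text names, the transferred data and the shared secret, and the receiver rejects a wrong key, altered data or a stale signature. The key name, fudge window and message layout are assumptions; real TSIG (RFC 2845) covers the whole DNS message together with its TSIG variables.

```python
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

FUDGE_SECONDS = 300  # assumed clock-skew window, like BIND's TSIG fudge value


@dataclass(frozen=True)
class Signature:
    """What travels with the transfer or update, standing in for the TSIG record."""
    key_name: str
    time_signed: int
    mac: bytes


def generate_secret(nbytes: int = 32) -> str:
    """What the Generate button stands for: a random shared secret, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def _to_be_signed(key_name: str, time_signed: int, data: bytes) -> bytes:
    # Simplified layout (assumption): real TSIG hashes the whole DNS message plus the
    # TSIG variables (key name, algorithm, time signed, fudge). Key names are case-insensitive.
    return f"{key_name.lower()}|{time_signed}|".encode() + data


def sign(key_name: str, secret_b64: str, data: bytes, now: int) -> Signature:
    """Sender side: one-way hash (HMAC-SHA256) over the data and the shared secret."""
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, _to_be_signed(key_name, now, data), hashlib.sha256).digest()
    return Signature(key_name, now, mac)


def verify(key_name: str, secret_b64: str, data: bytes, sig: Signature, now: int) -> bool:
    """Receiver side: recompute the MAC. A wrong key, altered data or a stale
    signature all fail, so the transfer or update would be rejected."""
    if sig.key_name.lower() != key_name.lower():
        return False  # signed with a key this server does not hold
    if abs(now - sig.time_signed) > FUDGE_SECONDS:
        return False  # outside the fudge window: an old message being replayed
    key = base64.b64decode(secret_b64)
    expected = hmac.new(key, _to_be_signed(key_name, sig.time_signed, data), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, sig.mac)


if __name__ == "__main__":
    # Constructed zone data standing in for the content of a transfer.
    secret = generate_secret()
    zone_data = b"example.com. 3600 IN A 192.0.2.10\n"
    sig = sign("adonis-transfer", secret, zone_data, int(time.time()))
    print("genuine:", verify("adonis-transfer", secret, zone_data, sig, int(time.time())))
    print("altered:", verify("adonis-transfer", secret, zone_data + b"tampered", sig, int(time.time())))
```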
140
Version 5.5
Transaction Signatures
To configure TSIGs when using Adonis with a non-Adonis DNS slave server:
1 In the tree-view pane select your master DNS service, and then click the Security tab.
2 Right-click in the Keys section. On the context menu, select New. The New Key dialog box appears.
3 To generate a transfer key, type a name for the new key, click Generate, and then click OK.
If a key is currently in use on the DNS slave, you can type it into this field. Alternatively, you can use the drop-down list to select Link to Another.
4 If you select the Link to Another option from the drop-down list, browse and select the transfer key from the Select key dialog box. The available keys are any TSIGs explicitly configured on another server within the same project file. Click OK.
5 To add a remote (slave) server, right-click the Remote Servers area, and then select New. The New Remote Server dialog box opens.
6 Type the IP address of the remote server, or select Item from the drop-down list.
7 If you selected Item, click [...]. The Select Remote Server dialog box opens.
8 Locate the remote server, select it, and then click OK.
9 In the New Remote Server dialog box select the key you want to use, and then click OK.
After you have set up TSIG, you must configure the Adonis master server or zone to use the key to authenticate all zone transfers and updates.
2 Select the Options tab, and then double-click the Allow Transfer option. The Allow Transfer dialog box appears.
3 Clear the Use default checkbox, and then click Add. The Add dialog box appears.
4 From the drop-down list select the key, or the IP address of the slave server that contains the key. Click OK.
5 Double-click the Notify List option, and then add the IP address of the remote slave server.
6 Double-click the notify option, and then select Yes (default).
7 Set up the Allow Transfer option on the remote slave server to permit transfers from the Adonis master.
The options described in Dynamic DNS on page 128 should be implemented on both the Adonis DNS master and on the remote DHCP server. If all of the required options are configured and the key is configured on both sides, DDNS updates from the remote DHCP server are protected by TSIG.
DNS Queries
This section describes the tools available in Adonis DNS to restrict queries, deliver selective responses, and log all of this on the appliance for later reference.
Matching Order
The most important consideration when setting up views is the matching order for the views. Views are matched against an ACL of client addresses. If the client's address matches an ACL entry, then that client is granted access to a view. This process grants a client access to the first view that is a match for the client address. Thus, if the first view listed matches any address, all other views are ignored. This could present challenges to the desired view design. Also, if many clients are being matched against a large number of views, processing considerations come into play. When designing the matching order for views you should ensure that the desired logic is achieved in the client matching, and then adjust the order such that each client is tested against the fewest possible number of view ACLs. Refining the matching order in this way ensures that the system operates as efficiently as possible. Views can be reordered using the up and down buttons in the Management Console. For more information, see Queries and the DNS Service on page 148.
3 Type a name for the view and specify a Published Address. This is the address that a client uses to resolve authority records for master and slave zones for this view.
4 Click OK. The Match Clients page appears. Use this screen to add, edit or remove addresses served by this view.
5 On the Match Clients page, click Add. The Add dialog box appears.
6 From the drop-down list select one of the following options:
IP or Block: Select this item to match clients by address.
ACL: Select which pre-configured ACL you want to match against.
Item: Click [...] to browse to the item within the main Adonis interface that should be matched against.
7 Click OK.
8 To edit an address, click Edit, and then type the information in the Edit dialog box.
9 To remove an address, select it, and then click Remove.
10 To update your project file click Next, and then Finish.
You can use ACLs while setting server options or zone options. The Management Console makes it easy to create new ACLs for your network, including populating these lists with IP addresses, and then editing them later to satisfy your network's changing requirements. ACLs consist of two elements, the list itself and the IP addresses that make up the list. ACLs are given a name that is used as a unique identifier.
3 Type a name in the Name field, and then click Add. The Add dialog box opens.
4 Type the IP address for the ACL, or click the down arrow and then select an Item or ACL from the drop-down list.
5 Click OK. The ACLs appear in the detail pane of the Management Console.
4 Select an IP address, and then click Edit. The Edit dialog box opens.
5 To delete an ACL, right-click it, and then click Delete, or press the Delete key on your keyboard.
If you delete an ACL accidentally, click Undo. Alternatively, you can select Undo from the Edit menu.
Query Logging
Adonis includes a powerful query logging feature that creates detailed DNS logs according to the settings that you specify. Although you must configure query logging in configuration mode, you can view query logs in normal mode.
Query Logging is a powerful feature that can create large logs that require a log management strategy.
To access query logging configuration mode, type configure querylogging, and then press Enter.
Adding a Channel
When you create a channel, you must specify a name, a file path, the maximum number of versions of the file to create, a file size, a severity level, and a message category. You must also specify whether the query logging system should mark each entry with its time, severity, and category.
To add a channel:
1 Type add querylogging channel, and then press Enter.
2 Type a channel name. If your name includes spaces, place quotation marks around it, and then press Enter.
3 Type the absolute path for the log file (for example, /var/log/named/mynamed.log), and then press Enter.
4 Type a value that defines the maximum number of log file versions to create (by appending a number to the input file starting with 0). The maximum is 99. Press Enter.
5 Type the number of bytes to allocate to the log file (1024 = 1kB, 1048576 = 1MB). Press Enter.
6 Type a value for the severity level, as defined in the following table, and then press Enter.
Severity levels are cascaded, so each severity level includes all the messages from the previous severity levels.
Value: 1, 2, 3, 4, 5, 6, 7
7 To include a time stamp, severity stamp, or category stamp on each message, type 0. To exclude these stamps, type 1. Press Enter.
8 Type a value for a message category, as described in the following table, and then press Enter.
Value  Category      Description
1      database      Name server database messages
2      security      Requests that are approved or denied
3      config        Parsing and processing of the configuration file
4      resolver      Name resolution (including recursive lookups)
5      xfer-in       Details about the zone transfers received by the server
6      xfer-out      Details about the zone transfers sent by the server
7      notify        NOTIFY operations
8      client        Client requests
9      network       Network operations
10     update        DDNS transactions
11     queries       Query transactions
12     dispatch      Incoming packets dispatched to the server modules
13     dnssec        Processing of DNSSEC and TSIG protocols
14     lame-servers  Lame server, for example when the NS record for a domain specifies a server that is not authoritative for the domain
15     general       Default category
16     default       Logs values not defined in category statements
Deleting a Channel
To delete a channel:
1 Type del querylogging channel, and then press Enter.
2 Type a channel name. If your name includes spaces, place quotation marks around it. Press Enter.
3 Type the name of the channel you want to delete, and then press Enter.
AAAA Records
The AAAA record maps a domain name to a 128-bit IPv6 address. The address is presented in eight 16-bit blocks in hexadecimal notation, separated by colons. For example:
2001:0DB8:0000:0000:0202:B3FF:FE1E:8329
To make the notation simpler, you can delete leading zeros (zeros before any other digit) in a 16-bit block. For example, the block 0202 may be written as simply 202. The next line shows a simplified form of the previous example:
2001:DB8:0:0:202:B3FF:FE1E:8329
To further simplify notation, you can use a double colon to replace single or consecutive blocks with a value of 0. For example, the two blocks between DB8 and 202:
2001:DB8::202:B3FF:FE1E:8329
However, in addresses that contain two or more non-consecutive zero blocks, you can replace only one with the double colon; otherwise the notation is ambiguous. In the following example, the first 0 block is separated from the other two by 56. This means that you can use a double colon to replace either this block or the two consecutive 0 blocks after 56, but not both. For example:
2001:DB8:0:56:0:0:EF12:1234
may be presented as
2001:DB8::56:0:0:EF12:1234
or
2001:DB8:0:56::EF12:1234
2 Click New Quad-A Record in the toolbar on the Resource Records tab. The New Quad-A dialog box appears.
3 In the Name field, type the host name.
4 In the Address field, type the address using the notation guidelines above.
5 Select the Maintain reverse lookup record checkbox.
If you do not select this checkbox, you must create the reverse lookup pointer record manually; this is very tedious in IPv6.
Reverse Lookup
The reverse lookup domain for IPv6 is ip6.arpa. Pointer records are written with the hexadecimal digits of the address in reverse order and separated by a period. For example, the address 4321:0:1:2:3:4:567:89ab might have this pointer record in the ip6.arpa zone: b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4. The Management Console usually maintains reverse lookup records automatically.
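The notation rules from AAAA Records and the ip6.arpa pointer-name rule above, carried out in code. This is an added example, not BlueCat's code; it implements the rules by hand (leading-zero removal, one double colon for the longest run of zero blocks, rejection of a second double colon as ambiguous) and cross-checks the result against Python's standard ipaddress module. The addresses exercised are the ones quoted in the text.

```python
"""IPv6 AAAA text forms and ip6.arpa reverse names (added example, not BlueCat code)."""
import ipaddress
import string


def expand(address):
    """Return the full eight-block form with leading zeros restored (upper-case hex)."""
    if address.count("::") > 1:
        raise ValueError("more than one '::' is ambiguous: " + address)
    if "::" in address:
        head, tail = address.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one block: " + address)
        blocks = left + ["0"] * missing + right
    else:
        blocks = address.split(":")
    if len(blocks) != 8:
        raise ValueError("expected 8 blocks: " + address)
    out = []
    for block in blocks:
        if not 1 <= len(block) <= 4 or not all(c in string.hexdigits for c in block):
            raise ValueError("bad block %r in %s" % (block, address))
        out.append(block.upper().zfill(4))
    return ":".join(out)


def compress(address):
    """Drop leading zeros in each block and replace the longest run of zero blocks
    with '::' (the first run wins a tie).  Only one run is ever replaced, which is
    what keeps the result unambiguous."""
    blocks = [b.lstrip("0") or "0" for b in expand(address).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] == "0":
            j = i
            while j < 8 and blocks[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len == 0:
        return ":".join(blocks)
    left = ":".join(blocks[:best_start])
    right = ":".join(blocks[best_start + best_len:])
    return left + "::" + right


def reverse_name(address):
    """Pointer name: every hex digit of the expanded address, reversed, dot-separated,
    under ip6.arpa."""
    digits = expand(address).replace(":", "").lower()
    return ".".join(reversed(digits)) + ".ip6.arpa"


def agrees_with_stdlib(address):
    """Sanity check: the hand-written forms denote the same address as ipaddress sees."""
    reference = ipaddress.IPv6Address(address)
    return (ipaddress.IPv6Address(expand(address)) == reference
            and ipaddress.IPv6Address(compress(address)) == reference)
```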
2 In the Resource Records toolbar click New Pointer Record. The New Pointer dialog box opens.
3 In the Name field, type the reverse lookup address in the format described above.
4 In the Host field, type the host name.
5 Optionally, edit the Time to Live or type a comment.
6 Click OK.
NS Records
NS records behave exactly the same in IPv6 as they do in IPv4. The record only needs to contain the name of the server that is authoritative for the zone (for example, ns1 in the example.com zone).
Mixed Environments
Mixed IPv4 and IPv6 environments are fully supported. A single host can have both an IPv4 address and one or more IPv6 addresses. In this case, you can create an A record and one or more AAAA records for the host.
Chapter 8
Adonis DHCP
Adonis DHCP (Dynamic Host Configuration Protocol) securely supports many different types of network clients with advanced network configuration options. This chapter contains topics useful for designing, building, and managing DHCP implementations, even in the largest networks. This chapter is supplemented by white papers available on the BlueCat Networks web site, especially with respect to DHCP VoIP support and integration. This chapter includes the following topics:
Background on page 155 describes the DHCP protocol and its role in the network.
Adonis DHCP Implementation on page 156 describes the implementation specifics of Adonis DHCP.
Setting up DHCP services requires an existing DHCP server. To create a DHCP server, see Configuring DHCP on page 89.
on page 172 describes the different kinds of settings tabs for DHCP services.
DHCP Client Options on page 165 describes DHCP client options that can provide advanced configurations to client devices.
DHCP Advanced Options on page 171 explains how DHCP advanced options control the behavior of DHCP clients and servers.
Background
To be a member of a TCP/IP network, a client requires configuration of network settings, including a valid IP address. DHCP automates and centralizes your TCP/IP network configuration for client computers. The Adonis appliance can dynamically allocate IP addresses for hosts on your network from a pool of available addresses. New hosts, or frequently relocated hosts, can automatically acquire new IP addresses for a limited time period through a process known as leasing an IP address. DHCP services are available with all Adonis appliances except the Adonis 250 appliance. On all of these appliances, the Adonis DHCP service runs the ISC DHCP server. DHCP is also important for assigning parameters such as default gateway, DNS servers, and several other parameters. DHCP networks are divided by groups, shared networks that share physical hardware, and subnets. DHCP server level configurations include various client and advanced options. A DHCP server can communicate with a DNS server and a failover peer, and can be configured to receive communications with an OMAPI (Open Mobile Application Processor Interface) client.
Setting up DHCP services requires an existing DHCP server. To create a DHCP server, see Configuring DHCP on page 89.
Typically, relay agents are configured on router or switch interfaces. The Adonis 1750, 1000, 750, XMB and 500 servers can also perform as relay agents, if required. However, an appliance cannot be both a DHCP server and a relay agent at the same time.
2 Specify the DHCP relay address, and then click OK.
3 On the General tab in the details pane, select the Append Agent Information checkbox to have the relay agent append an agent option field to each DHCP request before forwarding the request to the server.
Option 82
Adonis includes support for DHCP option 82, which allows you to see DHCP relay agent information in the lease viewer. A router or switch configured to support DHCP Relay Information (a Relay Agent) allows communication between a DHCP client and a DHCP server on different subnets. No specific DHCP options are required to configure a DHCP Relay Agent; however, the benefit of option 82 is that it allows a DHCP server to receive DHCP client information from a specially configured Relay Agent.
An Adonis DHCP server that does not have option 82 configured ignores Option 82 fields.
You can also use option 82 to configure an Adonis DHCP server to limit the number of IP leases handed out to a specific subnet. For example, when a DHCP client located on a remote subnet issues a DHCPDISCOVER request for a new IP address, a Relay Agent forwards information about the subnet in the form of a circuit ID to the Adonis DHCP server. You can configure this circuit ID to use a DHCP Class to limit the number of assigned leases. The Adonis Lease Viewer displays both Circuit ID and Remote ID parameters for DHCP allocations. For more information, see DHCP Lease Viewer on page 196.
Some options such as OMAPI port, shared secret key information, and failover peer servers are configured only at the DHCP service level. Client or custom options set at this level are inherited by all declarations set at lower levels unless overridden. Vendor profiles are also set at the DHCP service level.
DHCP Groups
You can declare groups to provide a common scope for hosts with the same parameters. At least one group declaration is mandatory for a DHCP service. A group provides a common scope for whatever is declared within it. You can use groups in different ways:
You can declare a group to represent each physical location for an organization.
You can declare a group to provide a common scope for hosts requiring the same network configuration parameters on the same or different subnets.
Declaring Groups
To declare a host group for the DHCP service:
1 In the tree-view pane of the Management Console right-click the DHCP service, and then select New Group.
2 Type a name for the new group, and then click OK.
3 Select the group in the tree-view pane, and then set the client and advanced options for the group using the tabs in the detail pane.
Subnets
Subnets let you divide the local network into several parts and logically separate it in a way that makes sense and makes packet routing more efficient. A DHCP server needs to know about all network segments, or subnets, so that it can properly respond to address requests on those segments. For each subnet, there must be a subnet declaration on the server, even if the given subnet has no dynamically allocated addresses.
After you have declared a subnet, you can create a range of IP addresses to serve DHCP clients. Exclusion ranges can be set within a single subnet range to reserve addresses for statically-addressed clients. Both client and advanced options can be set at the subnet level.
Declaring Subnets
You can use any name for a subnet, although it is best to use a descriptive name. For example, the name might refer to a department or a location within a building. Address ranges are used to specify the addresses available on this subnet.
2 Name the subnet and specify the network with CIDR notation, or by using a network and subnet address combination. Click OK.
Classless Inter Domain Routing (CIDR) is a method for assigning IP addresses without using the standard IP address classes like Class A, Class B, or Class C.
3 To specify an address range, right-click the Range section of the General tab of the new subnet, select New Address Range, and then specify the range limits.
4 Click OK.
5 Set the client and advanced options for the subnet using the tabs in the detail pane.
You can copy a row of information from one subnet to another. For example, you can copy a DHCP host entry from one subnet to another.
Shared Networks
Shared networks can be declared when IP subnets share the same physical network. Like a subnet declaration, the shared-network declaration describes a network segment. However, it is used when more than one logical subnet is located on the same physical network segment. This is helpful because all hosts on a shared network receive link-layer broadcasts sent by other hosts. Therefore, hosts that require different DHCP options can still reside on the same segment and communicate using ARP broadcasts, rather than using routed packets. Options set at this level are inherited by all member subnets.
2 Type a name for the new shared network, and then click OK.
3 Set the client and advanced options for the shared network.
Shared networks are used to inform the DHCP service that the subnets declared are connected to the same network segment.
Pools
You can declare unique IP address pools at the shared network and subnet levels. These are the pools from which addresses are allocated to clients. They also provide a rich level of configuration options. Often, a pool range is configured in favor of a subnet range because you can configure the permit lists and class memberships for pools. Pool ranges can be used in place of subnet ranges. Pools are also required when using DHCP failover between two servers. Pools can be defined at the shared network or subnet level. On the shared network level, the pools must be within the range of a previously declared subnet within the same shared network.
Permit Lists
Address allocation within pools can be controlled using permit lists. Permit lists govern whether a client is able to receive a DHCP configuration and address from the pool. You can set allow or deny flags to differentiate between clients based on any of the following criteria:
all clients
dynamic bootp clients
known/unknown clients
known/unknown status
For example, permit lists can be set up so that only clients with host declarations (known clients) receive an IP address. All others are denied an IP address. To configure this, unknown clients are set to deny and all others are set to allow. Pools can also be configured to allocate addresses based on whether the client is a bootp client or not.
Declaring Pools
Declaring pools requires you to set the client and advanced options for the pool. For more information, see Required DHCP Service Options on page 129 and Optional DHCP Service Options on page 129.
To declare a pool:
1 In the tree-view pane of the Management Console, right-click the relevant subnet. On the context menu, select New > Pool. The New Pool dialog box opens.
2 Type a name for the new pool, and then specify its address range.
3 Click OK. The new pool appears in the detail pane.
4 To edit the address range, double-click the pool. The Edit Address Range dialog box opens.
5 To add a new address range to the pool, right-click the pool, and then select New Address Range from the context menu. The New Address Range dialog box opens.
6 Type the address range you want to add, and then click OK.
7 On the Flags tab click the relevant row of the Value column, and then use the drop-down list to select whether to allow or deny the following options:
All Clients: Determines allocation from the pool to all clients.
Dynamic Bootp Clients: Determines allocation from the pool to any bootp client.
Known Clients: Determines allocation from the pool to any client that has a (known) host declaration.
A client is known if it has a host declaration in any scope, not just the current scope.
Unknown Clients: Determines allocation from the pool to any (unknown) client that has no host declaration.
8 On the Members tab, select the checkbox in the Include column of any relevant class that you created at the DHCP service level.
9 To allow access to the pool to be differentiated by class membership, click the Access column.
10 From the drop-down list select whether to allow or deny allocation from this pool to any client that is a member of the named class.
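The pool decision described in Permit Lists and in steps 7 to 10 above, together with the option 82 circuit-ID class lease limit from the Option 82 section, as an added example that is not BlueCat's or ISC's code. It applies the ISC dhcpd rule the Adonis service runs on (a client matching any deny entry is refused; when allow entries exist the client must match one; a pool with no entries admits everyone) and adds a per-class lease limit. Pool names, class names, circuit IDs and MAC addresses are constructed.

```python
"""Pool permit-list evaluation with class lease limits (added example, not BlueCat/ISC code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FLAGS = ("all clients", "dynamic bootp clients", "known clients", "unknown clients")


@dataclass
class DhcpClass:
    name: str
    circuit_id: str                      # option 82 circuit ID that selects this class
    lease_limit: Optional[int] = None    # maximum concurrent leases for members
    active_leases: int = 0


@dataclass
class Pool:
    name: str
    flags: Dict[str, str] = field(default_factory=dict)          # Flags tab: flag -> allow/deny
    member_access: Dict[str, str] = field(default_factory=dict)  # Members tab: class -> allow/deny


@dataclass
class Client:
    mac: str
    known: bool                          # has a host declaration in any scope
    bootp: bool = False                  # BOOTP request (no DHCP message type)
    circuit_id: Optional[str] = None     # relayed by the agent as option 82


def client_classes(client: Client, classes: List[DhcpClass]) -> List[DhcpClass]:
    """Classes the client belongs to, selected here by its option 82 circuit ID."""
    return [c for c in classes if client.circuit_id is not None and c.circuit_id == client.circuit_id]


def matches(entry: str, client: Client, classes: List[DhcpClass]) -> bool:
    """Does a permit-list entry (one of FLAGS or a class name) apply to this client?"""
    if entry == "all clients":
        return True
    if entry == "dynamic bootp clients":
        return client.bootp
    if entry == "known clients":
        return client.known
    if entry == "unknown clients":
        return not client.known
    return any(c.name == entry for c in client_classes(client, classes))


def pool_permits(pool: Pool, client: Client, classes: List[DhcpClass]) -> Tuple[bool, str]:
    """Return (permitted, reason) for allocating an address from pool to client."""
    entries = list(pool.flags.items()) + list(pool.member_access.items())
    denies = [e for e, v in entries if v == "deny"]
    allows = [e for e, v in entries if v == "allow"]
    for entry in denies:                       # any matching deny wins
        if matches(entry, client, classes):
            return False, "denied by '%s'" % entry
    if allows and not any(matches(e, client, classes) for e in allows):
        return False, "no allow entry matches"
    for cls in client_classes(client, classes):  # option 82 style lease cap
        if cls.lease_limit is not None and cls.active_leases >= cls.lease_limit:
            return False, "class '%s' lease limit reached" % cls.name
    return True, "permitted"
```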
Hosts
Hosts can be declared at the DHCP service, group, shared network, and subnet levels, provided that a host name is never duplicated within a single DHCP service. The host declaration provides a way for a DHCP server to identify a specific DHCP client.
There are three main reasons to use a host declaration:
Assigning a static IP address to a client. This acts like a reservation to ensure that the client gets a specific IP address and no other host can get that address.
Declaring a client as known. A client with a host declaration is considered known, whereas a client without a host declaration is considered unknown. This can control the way addresses are handed out when used in conjunction with a permit list.
Assigning specific options to a particular host. For example, a host can be assigned the address of a specific DNS server.
Declaring Hosts
Declaring a host involves selecting the relevant DHCP level. You must provide a name for the host, specify its hardware address, and the type of interface in use (Ethernet, Token Ring, or FDDI). You can also specify a fixed IP address and add a comment if you want to. For more information, see Required DHCP Service Options on page 129, Optional DHCP Service Options on page 129, and Declaring Classes on page 176.
To declare a host:
1 In the tree-view pane of the Management Console select the relevant DHCP service, group, shared network, or subnet for the host declaration.
2 Click the Hosts tab in the detail pane.
3 Right-click in the detail pane, and then select New from the context menu. The New Host dialog box appears.
4 Type a name in the Host Name field, and then type a 48-bit hexadecimal address in the Hardware field.
5 Select the appropriate type of interface (Ethernet, Token Ring, or FDDI) from the drop-down list, and then click OK. The new host name and MAC address appear in the detail pane of the Management Console.
6 In the detail pane, double-click the new host. The Edit Host Details dialog box appears.
7 On the General tab, you can specify the DDNS Host Name, and the Site Option Space (if any). The DDNS Host Name parameter lets you set a different hostname in dynamic DNS. By default, DHCP uses the supplied hostname of the client computer when it updates dynamic DNS. The Site Option Space parameter specifies options above 128, which are intended for site-specific uses but are sometimes used by vendors of embedded hardware that contain DHCP clients.
8 On the Flags tab you can set each of the following parameters to allow, deny or ignore:
booting: Determines whether the DHCP server responds to queries from the client. If it is disabled, the client cannot get an address from the DHCP server. Booting is allowed by default.
bootp: Determines whether the DHCP server responds to bootp queries. Bootp queries are allowed by default.
client-updates: Determines whether the DHCP server honors the client's intention to update its A record. It is only relevant when doing interim DNS updates. Updates are allowed by default.
declines: Determines whether the DHCP server honors DHCPDECLINE messages. If set to deny or ignore in a scope, the DHCP server does not respond to DHCPDECLINE messages. This situation occurs where the client has determined through other means that the network address being offered is already in use. Declines are allowed by default.
duplicates: If the DHCP server receives a request from a client that matches the MAC address of a host declaration, any other leases matching the MAC address should be discarded by the server, even if the UID is not the same. (This is a violation of the DHCP protocol, but it can prevent clients whose identifiers change regularly from holding many leases at the same time.) Duplicates are allowed by default.
9 On the Fixed Address tab you can specify a fixed address for the host, if you did not include one in step 4. This is similar to using an address reservation applied only to a single host.
You can also add a comment, or edit an existing comment in the Edit Fixed Address dialog box.
10 On the Client Options tab, set the appropriate DHCP Client options. Options defined at the host level apply only to that host.
11 On the Advanced Options tab, set the appropriate Advanced DHCP options. Options defined at the host level apply only to that host.
Subnet Mask
The subnet mask specifies the network in which a particular address resides by stipulating the portions of the IP address that represent the network and the host identifiers. RFC 950, Internet Standard Subnetting Procedure defines this system.
Servers
These options define some of the servers that clients can reference:
Time Servers (4): Option code 4 indicates RFC 868 time servers that are available to a client. The data consists of one or more IP addresses.
IEN Name Servers (5): Option code 5 is used to specify IEN name servers; these are not the same as BIND name servers.
Log Servers (7): Option code 7 specifies a log server for the client to use. It is a UDP log server identified with an IPv4 address. This option can be a list of IPv4 addresses, with the first address entered taking precedence.
Cookie Servers (8): Option code 8 refers to Quote of the Day servers as described in RFC 865. They are specified with IPv4 addresses.
LPR Servers (9): Option code 9 is a list of line printer servers as defined in RFC 1179. They are defined using a list of IPv4 addresses and are matched in the order specified.
Impress Servers (10): Option code 10 is a list of Imagen Impress servers. They are defined using a list of IPv4 addresses and are matched in the order specified.
Resource Location Servers (11): Option code 11 is a list of resource location server addresses for the client to use on the local network as specified in RFC 887. They are defined using a list of IPv4 addresses and are matched in the order specified.
Client-side
These options configure functionality on the DHCP client:
Time Offset (2): Option code 2 specifies the time offset from GMT for the DHCP client. This offset is expressed in seconds, with a negative value representing locations west of Greenwich. Thus Eastern Standard Time, which is 5 hours behind Greenwich Mean Time, could be expressed as -18000.
Host Name (12): Option code 12 specifies a host name for the client. This can be qualified with the local domain name.
Boot Size (13): Option code 13 describes the size of the boot file image for the client, expressed as a number of 512-byte segments.
Merit Dump File (14): Option code 14 is the complete path and file name of the server to which the client dumps its core image in the event that the client crashes.
Domain Name (15): Option code 15 specifies the domain name for the client system.
Swap Server (16): Option code 16 specifies a swap server for the client.
Root Path (17): Option code 17 specifies the path as a text value. A root disk contains the essential startup files for the client system in several schemes, including NFS.
Extensions Path (18): Option code 18 specifies the path to a file as a text value. The file contains options or vendor-specific configuration settings to be used in DHCP device configuration.
IP Forwarding
These options deal specifically with IP Forwarding:
IP Forwarding (19): Option code 19 is a Boolean value. It indicates whether a client with more than one network interface should forward packets between its interfaces.
Non-Local Source Routing (20): Option code 20 is a Boolean value. It indicates whether a client should forward packets from a non-local source.
Policy Filter Masks (21): Option code 21 is a list of one or more addresses and submasks used with IP forwarding. If this option is specified, a forwarded packet goes to one of these addresses as its next hop or else the packet is dropped.
Packets
These options define the client's packet handling:
Max Datagram Reassembly (22): Option code 22 is an unsigned 16-bit integer value. It specifies the maximum size of datagrams that the client should be prepared to reassemble. The minimum legal value is 576 and the maximum should not exceed the limits of the 16-bit integer (65535).
Default IP TTL (23): Option code 23 specifies the Time-To-Live (TTL) value that clients should specify for outgoing packets. This is expressed as an unsigned 16-bit integer with a value between 1 and 255.
Path MTU Aging Timeout (24): Option code 24 specifies the aging timeout for PMTU values in seconds as an unsigned 32-bit integer. For more information about PMTU, refer to RFC 1191.
Interface-Specific Options
The following DHCP options are applied to a specific interface on the client. Therefore, it is possible for a client device containing multiple interfaces to have different values for these options for each interface:
Interface MTU (26): Option code 26 specifies the Maximum Transfer Unit (MTU) size for packets being sent from a specific interface. This is specified as an unsigned 16-bit integer value.
All Subnets Local (27): Option code 27 indicates whether all local subnets have the same MTU as the network to which the client is attached. This is specified using a Boolean value.
Perform Mask Discovery (29): Option code 29 is a Boolean value that indicates whether an ICMP address mask request message is sent to the gateway to receive a subnet mask. This process is explained in RFC 950.
Mask Supplier (30): Option code 30 is a Boolean value that indicates whether or not a client responds to subnet mask requests using ICMP. This process is explained in RFC 950.
Router Discovery (31): Option code 31 is a Boolean value that indicates whether the client performs Router Discovery as explained in RFC 1256. A router can be specified with DHCP option 32.
Router Solicitation Address (32): Option code 32 is an address used in conjunction with DHCP Option 31. It specifies a particular router with an IPv4 address. This address is used by the client when submitting router discovery messages in accordance with RFC 1256.
Static Routes (33): Option code 33 is a list of static routes for the client to store in its routing cache. The first address specified is the destination address; the second address is the router for that address. The route 0.0.0.0 is an illegal entry for this option.
Version 5.5
167
H-node
NetBIOS Scope ID (47): Option code 47 is text that specifies the NetBIOS Scope ID for a client.
These options are X-Windows specific:
X-Window Font Servers (48): Option code 48 is a list of X-Window font servers (RFC 1198). They are specified in order of preference using IPv4 addresses.
X-Window Display Manager (49): Option code 49 is a list of X-Window Display Manager servers (RFC 1198) available to the client. It is specified using IPv4 addresses in order of preference.
This option identifies a client uniquely:
DHCP Client Identifier (61): Option code 61 is a unique identifier used to specify individual DHCP clients. This value should be unique for all clients on a network and is defined in RFC 2132.
These options identify NIS services:
NIS+ Domain (64): Option code 64 is a text value that identifies, using the ASCII character set, the name of the NIS+ domain to which the client belongs.
NIS+ Servers (65): Option code 65 is a list of NIS+ servers specified using IPv4 addresses in order of preference.
These options configure clients requiring advanced information, such as Preboot eXecution Environment (PXE) clients:
TFTP Server Name (66): Option code 66 identifies, using a text field for input, the name of a TFTP server.
Boot File Name (67): Option code 67 identifies, using a text field for input, the name of the boot file for this client.
This option configures Mobile IP home agents:
Mobile IP Home Agent (68): Option code 68 is a list of the Mobile IP home agents available to the client. They are specified using IPv4 addresses in order of preference.
These options configure commonly used Internet services:
SMTP Server (69): Option code 69 is a list of the Simple Mail Transfer Protocol (SMTP) servers available to the client. They are specified using IPv4 addresses in order of preference.
POP3 Server (70): Option code 70 is a list of the POP servers available to the client. They are specified using IPv4 addresses in order of preference.
NNTP Server (71): Option code 71 is a list of the Network News Transfer Protocol (NNTP) servers available to the client. They are specified using IPv4 addresses in order of preference.
WWW Server (72): Option code 72 is a list of the World Wide Web (WWW) servers available to the client. They are specified using IPv4 addresses in order of preference.
Finger Server (73): Option code 73 is a list of the Finger servers available to the client. They are specified using IPv4 addresses in order of preference.
IRC Server (74): Option code 74 is a list of the IRC servers available to the client. They are specified using IPv4 addresses in order of preference.
These options configure StreetTalk services:
StreetTalk Server (75): Option code 75 is a list of the StreetTalk servers available to the client. They are specified using IPv4 addresses in order of preference.
StreetTalk Directory Assistance Server (76): Option code 76 is a list of the StreetTalk Directory Assistance servers available to the client. They are specified using IPv4 addresses in order of preference.
These options configure SLP services:
SLP Directory Agent (78): Option code 78 (RFC 2610) is a list of the SLP Directory Agents available to the client. They are specified using IPv4 addresses in order of preference. If the checkbox is selected, the client must not use either active or passive multicast discovery of directory agents. This option also requires the use of DHCP option 79, SLP Service Scope.
SLP Service Scope (79): Option code 79 is a list of the SLP scopes that a client is configured to use. If the checkbox is selected, the client's static SLP Service Scope settings are overridden by the settings specified by this option.
Cable modems generally require an advanced configuration in order to participate effectively in authentication and billing schemes. CableLabs modems are configured with this option:
CableLabs (122): This option is used to configure cable modems and media terminal adapters according to the PacketCable security standard. More information can be found in that standard, or in RFC 3495. The following fields are available to customize this option:
Field: Description
primary-address: The IPv4 address of the primary DHCP server from which this client is allowed to accept DHCP offer messages.
secondary-address: The IPv4 address of the secondary DHCP server from which this client is allowed to accept DHCP offer messages.
provisioning-address: The address or FQDN of the provisioning server that this modem or MTA may contact.
as-req_as-rep-backoff-and-retry: Requests to the Kerberos Authentication Server or the Ticket Granting Server are managed by the values in this option.
ap-req_ap-rep-backoff-and-retry: This option controls the timeout and retry values for Kerberos authentication headers.
kerberos-realm-name: This field lists the Kerberos realm that should be used to authenticate against. Realm names are always specified in capitals, and in this instance must be specified in domain style as described in RFC 1510.
granting-server-utilization: Check this box if the option should use a Ticket Granting Ticket when obtaining service from a PacketCable application server.
provisioning-timer: This option accepts an integer value between 0 and 255 defining the timeout in seconds that the provisioning process has to complete.
Trivial File Transfer Protocol (TFTP) service is commonly configured to enable DHCP clients to download a complex configuration. TFTP service is configured with this option:
TFTP Server Address (150): Option code 150 is the IPv4 address of the TFTP server that the client uses. Some devices, such as certain VoIP phones, download their initial configuration from a TFTP server. This option is not yet in an RFC, but was most recently proposed in the Internet draft "VoIP Configuration Server Address Option" on November 16, 2007.
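The option formats described above (16-bit integers, booleans, single and listed IPv4 addresses, address pairs for static routes, ASCII text) all sit on DHCP's code/length/data wire encoding. As an added example that is not part of this manual or of Adonis, the following Python encodes and decodes a subset of those options with the rules stated above (minimum of 576 for option 22, no 0.0.0.0 destination in option 33) and rejects a declared option length that runs past the end of the buffer; the option name strings are assumptions.

```python
import ipaddress
import struct

# Option code -> (name, wire type), following this page's descriptions. Added
# example, not Adonis or ISC DHCP code; the name strings are assumptions.
OPTION_SPECS = {
    22: ("max-dgram-reassembly", "uint16"),
    26: ("interface-mtu", "uint16"),
    27: ("all-subnets-local", "bool"),
    32: ("router-solicitation-address", "ip"),
    33: ("static-routes", "route-list"),
    66: ("tftp-server-name", "text"),
    69: ("smtp-server", "ip-list"),
}
_UNIT = {"ip": 4, "ip-list": 4, "route-list": 8}   # octets per element

def _packed(text):
    return ipaddress.IPv4Address(text).packed

def _encode_value(code, wire_type, value):
    if wire_type == "uint16":
        if not 0 <= value <= 0xFFFF:
            raise ValueError(f"option {code}: {value} does not fit 16 bits")
        if code == 22 and value < 576:          # minimum legal reassembly size
            raise ValueError("option 22: minimum legal value is 576")
        return struct.pack("!H", value)
    if wire_type == "bool":
        return b"\x01" if value else b"\x00"
    if wire_type == "ip":
        return _packed(value)
    if wire_type == "ip-list":
        return b"".join(_packed(a) for a in value)
    if wire_type == "route-list":               # (destination, router) pairs
        if any(dest == "0.0.0.0" for dest, _ in value):
            raise ValueError("option 33: 0.0.0.0 is an illegal route entry")
        return b"".join(_packed(dest) + _packed(router) for dest, router in value)
    return value.encode("ascii")                # text

def encode_option(code, value):
    """Return the code/length/data bytes for one option, validating the value."""
    name, wire_type = OPTION_SPECS[code]
    data = _encode_value(code, wire_type, value)
    if not 1 <= len(data) <= 255:               # the length field is one octet
        raise ValueError(f"option {code} ({name}): illegal length {len(data)}")
    return bytes([code, len(data)]) + data

def _decode_value(code, wire_type, data):
    if wire_type == "uint16":
        if len(data) != 2:
            raise ValueError(f"option {code}: bad length {len(data)}")
        return struct.unpack("!H", data)[0]
    if wire_type == "bool":
        if data not in (b"\x00", b"\x01"):
            raise ValueError(f"option {code}: boolean must be one octet, 0 or 1")
        return data == b"\x01"
    if wire_type in _UNIT:
        unit = _UNIT[wire_type]
        if len(data) % unit or (wire_type == "ip" and len(data) != 4):
            raise ValueError(f"option {code}: length {len(data)} is not a multiple of {unit}")
        addrs = [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, len(data), 4)]
        if wire_type == "ip":
            return addrs[0]
        if wire_type == "ip-list":
            return addrs
        routes = list(zip(addrs[0::2], addrs[1::2]))
        if any(dest == "0.0.0.0" for dest, _ in routes):
            raise ValueError("option 33: 0.0.0.0 is an illegal route entry")
        return routes
    return data.decode("ascii")

def decode_options(blob):
    """Parse (code, length, data) items up to the 0xFF end marker; pad octets are
    skipped, unknown codes are kept raw, and an over-long length is rejected."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != 0xFF:
        code = blob[i]
        if code == 0x00:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code}: truncated header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:                 # never read a short option silently
            raise ValueError(f"option {code}: length {length} runs past end of buffer")
        i += 2 + length
        if code in OPTION_SPECS:
            name, wire_type = OPTION_SPECS[code]
            opts[name] = _decode_value(code, wire_type, data)
        else:
            opts[f"option-{code}"] = bytes(data)
    return opts

def option_error(code, value):
    try:
        encode_option(code, value)
    except (KeyError, ValueError) as exc:
        return str(exc)
    return None
```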
Option / Explanation
(The option-name column of this table is only partly legible in this extract; entries without a leading name show the explanation only.)
Indicates whether the DHCP server should always broadcast its responses. You should restrict the use of this feature to as few clients as possible.
Indicates whether to send RFC 1048 options to BOOTP clients that expect RFC 1048-style responses.
Indicates whether the DHCP server is authoritative and should send DHCPNAK messages based on client requests. In a subnet that has only one choice of DHCP server, you should enable this option. However, on networks where clients can expect to interact with multiple DHCP servers, enabling this option may create loops that prevent clients from obtaining an address.
Client Updates: Indicates whether client updates should be used to maintain DDNS records for this client. If this checkbox is selected when the option is added, the client updates its own DNS record on the server. If the option is added without the checkbox selected, the DHCP server performs the update. This option is required for DDNS.
Specifies the domain name that is appended to this client's hostname to form the FQDN. This is also the name of the zone that is updated with this client's record.
Specifies the hostname that should be used for DDNS updates for this client. If no value is specified, the zone creates a name for the records.
Specifies the reverse domain name that is appended to this client's hostname to form a reverse record. By default this value is in-addr.arpa, but you can override it here.
DDNS TTL: Specifies the default time-to-live for DDNS records, in seconds (between 0 and 4,294,967,295).
DDNS Updates: Indicates whether the server should attempt a DDNS update when the lease is confirmed.
Default Lease Time: Specifies the duration of the lease that the DHCP server assigns unless the client that requests the lease wants a specific expiration time.
Dynamic bootp Lease Length: Specifies the length of the leases the server assigns to dynamic BOOTP clients.
Filename: Specifies the file name of the initial boot file to be loaded by a client. Many clients first try to contact the specified TFTP server. If they cannot download the file from there, they connect to the DHCP server and then attempt to download the file by FTP.
Enables DHCP to look up the FQDN corresponding to each address in the lease pool, and uses that name for the DHCP hostname option.
Maximum Lease Time: Specifies the maximum lease time for address leases within the scope on which the option is set. The value must be equal to or greater than the current Default Lease Time value.
Minimum Lease Time: Specifies the minimum lease time for address leases within the scope on which the option is set. The value must be equal to or lower than both the current Default Lease Time and Maximum Lease Time values.
Specifies the minimum amount of time (seconds) for the DHCP server to respond to a client's request for a new lease.
Specifies the host address of the server from which the client attempts to load an initial boot file.
Determines whether the DHCP server sends an ICMP echo request to probe the availability of an IP address before the address is offered to a DHCP client.
Specifies the IP address of the DHCP server that is reachable by all clients. This option is useful where a physical network interface has more than one IP address. If the address used by default is not appropriate for some or all clients served by that interface, this option can substitute the appropriate address.
Specifies the name of the server from which the client is booting.
Specifies the option space name used to indicate the site-local options for the client.
Indicates whether relay agent information (option 82) is saved for use when renewing an address. If these options are not saved, no relay agent information is included in the client's DHCP renewal request.
Specifies whether the server should perform a DNS update every time the client renews its lease, or only when it appears to be necessary.
Specifies whether the server should perform DNS updates for clients even if those clients are being assigned their IP address using a fixed-address statement.
Determines whether the IP address of the client's own lease is assigned as the router value for the client, instead of the value specified in the routers option. This is useful for networks that use an ARP proxy on the local router, because the clients can ARP every address lookup.
NOTE: This is not a recommended option for most configurations, because it does not work with many DHCP clients.
Several options are available at both the DHCP service level and for various objects below this level. The most local instance of any option is the option that is used in the configuration. The following procedure refers to the DHCP service itself. However, other DHCP objects can be configured using many of the same techniques.
8 Click the Advanced Options tab, and then set the DHCP advanced options.
9 Add any Vendor Options that are required.
10 Add any Custom Options that are required.
11 Save your project.
Chapter 9: Adonis Advanced DHCP
This chapter includes the following topics:
Custom Client Configurations on page 175 describes the classes and vendor profiles used to identify devices so that they can receive appropriate configuration information from the DHCP server.
DHCP Custom Options on page 181 describes DHCP custom options that provide support for nonstandard or manufacturer-specific DHCP options.
TFTP Service on page 182 introduces TFTP, which provides complex network configuration files to clients.
DDNS and Zones on page 183 describes how DDNS updates the DNS service with information about DHCP clients.
Network Access Control on page 184 explains security issues and network access before clients receive a dynamic configuration and an IP address.
DHCP/TFTP Service Control on page 195 describes the controls over these services, including a section on OMAPI.
DHCP Lease Viewer on page 196 describes how the DHCP Lease Viewer can provide a real-time view of the DHCP service and how it can be used to control leases in real time.
DHCP Failover on page 197 introduces the concepts of DHCP failover.
DHCPv6 on page 197 describes how Adonis provides dynamic network configuration with support for DHCPv6.
Classes
Classes are a means of grouping clients based on the information that they need to receive from the DHCP service. Unlike subnets that group clients based on their IP addresses, DHCP classes group clients based on information that the client sends about itself. For example, a client can identify itself as a printer or a VoIP handset during communications with the DHCP server.
Declaring Classes
Class declarations are created on the server, and clients can identify themselves as belonging to a particular class. The DHCP server can then assign common configuration options that apply only to clients from that class. For example, members of a class representing the engineering department can be allowed an IP address from a particular pool, while members of a class representing the sales department are denied addresses from that pool. Based on the class membership, the client can be allowed or denied an IP address and associated network settings. For example, in addition to being assigned an IP address, a VoIP phone can be allocated the IP address of a TFTP server. A client may be a member of several classes, but the first match creates most of the client settings, while further matches may override some client options for more specific cases. Subclasses represent a subset of their parent class, and their settings only modify the settings for the parent class. User class options allow the user or administrator to conform with the configuration requirements of the class to which the client belongs.
2 Type a name for the class, and then click OK. The new class appears in the tree-view pane of the Management Console below the DHCP service.
3 Select the Conditions tab, right-click on the empty area, and then select New Condition.
4 Select one of the following conditions:
Match: Specifies a condition that the client must match completely. For example, you could configure a class to match a computer's 48-bit hardware MAC address.
Match if: Allows you to define a wider set of conditions using elements such as wildcards. For example, you can create a match-if statement using the first 24 bits of a MAC address. Any client that matches this condition matches the class. Match-if statements are a key component of DHCP Option 82.
Spawn with: A spawning class automatically produces subclasses based on information sent by a client. The Spawn with condition allows you to create lease-limited classes instantly, for example in a cable-modem environment in which a client requires additional IP addresses. The client's cable modem is represented as a circuit-id. A service provider can create a class that uses the Spawn with condition to provide the additional IP addresses. The Spawn with class works with the Lease limit condition. In the Select Option dialog box, select one of the client options that must evaluate to a non-null value, and then click OK.
Lease limit: DHCP limits the number of class members that can hold an address lease at any one time. This limit applies to all addresses that the DHCP server allocates in the class, not just the addresses on a specific network segment.
5 To set the Client Options for the class, double-click an option value, and then select new values in the dialog box that appears.
6 To set the Advanced Options for the class double-click an option value, and then select new values in the dialog box that appears.
Subclasses
A subclass has the same name as a parent class, but it has a specific submatch expression that examines criteria to match clients more specifically. A spawning class is a class that automatically generates subclasses based on the options that the client sends. Subclasses are very useful for adding extra options to a specific subset of your DHCP clients.
Declaring Subclasses
To declare a subclass:
1 In the tree-view pane right-click the class to which you want to add a subclass. From the context menu, select New Subclass. The New Subclass dialog box appears.
2 Type a name for the subclass, and then type the class data as a text string enclosed in quotation marks, or as a list of bytes in hexadecimal format separated by colons. Click OK.
3 Set the Client Options and Advanced Options for the subclass by double-clicking an option, and then selecting new values in the dialog box that appears.
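To see how the Match, Match if, Spawn with and Lease limit conditions and the subclass data described above combine when a request is evaluated, here is an added Python simulation (not Adonis or ISC DHCP code). The class names, option names and client data are constructed; the semantics follow the descriptions on this page: the first match supplies the base settings, later matches override, subclass data is compared as quoted text or hex bytes, a spawning class creates a subclass from a non-null client option, and a lease limit is counted per class (per spawned subclass).

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Client:
    """What the server sees: the hardware address plus the options the client
    sent about itself (constructed sample data)."""
    mac: str
    options: dict = field(default_factory=dict)

@dataclass
class DhcpClass:
    name: str
    match_if: Optional[Callable[[Client], bool]] = None   # "Match if" condition
    match: Optional[Callable[[Client], object]] = None    # "Match" data, compared to subclass data
    spawn_with: Optional[str] = None                      # "Spawn with": option naming an auto subclass
    lease_limit: Optional[int] = None                     # "Lease limit" (per spawned subclass)
    client_options: dict = field(default_factory=dict)
    subclasses: dict = field(default_factory=dict)        # submatch data -> option overrides
    leases: dict = field(default_factory=dict)            # subclass key -> MACs holding a lease

    def membership(self, client):
        """Return (is_member, subclass_key); the key is None for the class itself."""
        if self.spawn_with is not None:
            value = client.options.get(self.spawn_with)
            if value is None:                 # option must evaluate to a non-null value
                return False, None
            self.subclasses.setdefault(value, {})   # spawn the subclass on first sight
            return True, value
        if self.match is not None:
            value = self.match(client)
            return (True, value) if value in self.subclasses else (False, None)
        member = self.match_if is not None and bool(self.match_if(client))
        return member, None

def assign(classes, client):
    """Evaluate classes in order. Returns (allowed, options, [(class, subclass key)]);
    a class whose lease limit is already reached yields no address at all."""
    options, matched = {}, []
    for cls in classes:
        member, key = cls.membership(client)
        if not member:
            continue
        holders = cls.leases.setdefault(key, set())
        if (cls.lease_limit is not None and client.mac not in holders
                and len(holders) >= cls.lease_limit):
            return False, {}, matched + [(cls.name, key)]
        holders.add(client.mac)
        options.update(cls.client_options)
        options.update(cls.subclasses.get(key, {}))   # subclass settings modify the parent's
        matched.append((cls.name, key))
    return True, options, matched

def _mac_bytes(client):
    return bytes.fromhex(client.mac.replace(":", ""))

def build_sample_classes():
    """Constructed classes mirroring the four condition types described above."""
    return [
        # Match if: the first 24 bits (OUI) of the hardware address.
        DhcpClass("acme-oui", match_if=lambda c: _mac_bytes(c)[:3] == bytes.fromhex("001122"),
                  client_options={"domain-name": "lab.example.net"}),
        # Match if: the vendor class identifier string sent by the client.
        DhcpClass("voip-phones",
                  match_if=lambda c: c.options.get("vendor-class-identifier", "").startswith("SIP-Phone"),
                  client_options={"tftp-server-name": "tftp.lab.example.net"}),
        # Match: the full 48-bit MAC; members are declared as subclasses with hex byte data.
        DhcpClass("engineering", match=_mac_bytes,
                  subclasses={bytes.fromhex("001122334455"): {"domain-name": "eng.example.net"}}),
        # Spawn with the relay agent circuit-id; each spawned subclass gets at most two leases.
        DhcpClass("cable-modems", spawn_with="agent.circuit-id", lease_limit=2,
                  client_options={"default-lease-time": 300}),
    ]
```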
Vendor Profiles
Vendor profiles are a necessary part of the evolution of DHCP. Adonis implements vendor profiles so devices can set up non-standard parameters, including the settings needed to enable devices such as VoIP handsets and to provide them with IP-layer options and resources. Vendor profiles also help to account for roaming networks and rich media services. Adonis examines a client's vendor-class-identifier (option 60) to determine whether the client should be configured with a vendor profile and its associated options. Option 43, vendor-specific information, can also be used to convey option information that is outside of the standards track. Vendor profiles are created first at the DHCP service level and then implemented at the service, group, or subnet level. You can select a predefined class or create a new custom class.
<option id="34" name="NewTFlags" type="number" comment=""/>
<option id="35" name="AltAuth" type="ip" comment="Alternate set of Sun Ray server IP addresses"/>
<option id="36" name="BarrierLevel" type="number" comment="Barrier level firmware download"/>
</vendor_options>
The following example shows how the XML encoded options appear in the Management Console.
5 To select a predefined class, click the (...) button, and then navigate to the XML file that contains the vendor profile information.
6 Click OK.
7 To create a custom class, select the Custom option, type a name in the Vendor Name field, and then type a Vendor Class Identifier that matches the one provided by clients during DHCP discovery.
8 Click OK. After you have assigned a name and identifier to your custom vendor profile, you must populate the profile with attributes.
You must assign a value for every attribute you have created.
These are the options that are assigned to clients:
Name: a descriptive name for the attribute.
ID: the numerical ID for the attribute.
Type: the format of the attribute. Use one of the following types:
IP: a single IP address.
IP_List: a list of IP addresses separated by commas.
Number (Unsigned 8): a number between 0 and 255.
Number (Unsigned 16): a number between 0 and 65,535.
Number (Unsigned 32): a number between 0 and 4,294,967,295.
Text: an NVT ASCII string, which must be enclosed in double quotation marks ("").
Raw: an NVT ASCII string enclosed in double quotation marks, or a series of octets specified in hexadecimal, separated by colons.
Comment: an optional comment regarding the attribute.
2 Right-click in one of the rows under Attributes, and then select New Attribute from the context menu. The New Attribute dialog box appears.
4 From the drop-down list, select the Type, and then type a comment (optional).
5 Click OK. The new attribute appears in the Edit Vendor Option Class dialog box.
5 Select the option type from the Type drop-down list, and then click OK. The new custom option appears in the list of client options in the DHCP configuration wherever client options can be assigned.
TFTP Service
Adonis can provide TFTP service on the appliance for clients who need to download a configuration or boot file. This is useful for organizations that run certain VoIP systems and cable modems because these devices often need to obtain their startup configuration as a file from a TFTP server.
3 Click Manage TFTP Files. The TFTP Server Control dialog box appears.
4 Select the server from the drop-down list, type the password, and then click OK. The TFTP Server Files dialog box opens.
After you log in, the service is inspected and the Management Console populates the File List On Server field from the actual service.
5 To refresh the File List On Server field, click Refresh.
6 To select files, use the (...) button next to the Upload File field.
7 To upload the selected files that appear in the list, click Upload.
8 To download the selected files, click Download.
9 Click Close.
Adding Zones
You can add zones at the DHCP server level and at the group level.
2 Type a name for the zone, and then type the primary address for the server that hosts this zone.
3 Click the browse button to open a browse dialog box. Select a portion of the DNS structure for linking the zone name.
4 If the zone should be part of a DNS configuration, select Link to Another from the drop-down list.
5 Click OK.
If you are using TSIG, on the General tab select the key to associate with the zone (recommended).
2 Click Next. The MAC Address Filtering page appears.
3 Select Enable MAC Address Filtering, and then click Next. The Server Action page appears.
4 Select one or more servers to perform filtering, type a password for each, and then click Next. A Status column indicates whether or not the action was successful.
5 Click Next. The Finish page appears, indicating that the wizard has completed its operations. Click Finish.
2 Select the MAC filter server from the drop-down menu, type the administrator password for the server, and then click OK.
3 The MAC Address Filter dialog box opens. This shows the Deny Filter list stored on the server.
4 To add an address, right-click an empty part of the Deny Filter list, and then click Add MAC Address. The Add MAC Address dialog box opens. Type the MAC address and add a comment, if desired.
5 Type the 48-bit address you want to deny in the MAC Address field. You can type the address using any of the following formats:
123456123456 (no delimiters)
12:34:56:12:34:56 (colon delimiters)
12-34-56-12-34-56 (hyphen delimiters)
Use the Comment field for related or explanatory notes that appear in the MAC Address Filter window.
6 To export the Deny Filter list, right-click an empty area of the list, and then select Export Deny List. A Save dialog box opens and prompts you to save the list as a comma-delimited MAC address CSV file.
7 To import a list, click Import MAC Addresses. The MAC Address Import dialog box opens.
The imported list should be a comma-separated value (CSV) file of MAC addresses. Type the path to the file in the Import File field or use the adjacent [...] button to locate the file. You can ignore all duplicates or overwrite them by using the toolbar buttons.
8 On the toolbar, click Import List. When you are finished importing files, click OK.
9 To save changes, click Commit Changes on the MAC Address Filter toolbar.
The MAC filtering system operates at the server level and uses a static list of addresses that must be modified by the administrator. This makes the MAC filtering system very secure, but it does not provide the opportunity to manage MAC-based access dynamically or at the pool level rather than at the server level. There is an alternative system called MAC authentication that addresses both of these issues, but it requires an additional open port on the Adonis appliance.
MAC filtering does not take effect on the server until the MAC filtering configuration has been deployed to the appliance.
MAC Authentication
DHCP MAC authentication gives administrators a system that can add MAC addresses dynamically instead of loading them as a list. MAC authentication is applied at the pool level rather than at the server level, giving more precise control of the parts of the DHCP configuration that have access to MAC-based security. MAC authentication requires a web server on the Adonis server to facilitate the dynamic validation of addresses. This may increase security concerns for some administrators. Networks can opt for a MAC-based security system without the use of a web server through the use of MAC address filtering. However, MAC filtering is limited to denying access for specific IP addresses (essentially, a list of banned addresses). The MAC authentication system uses the ability of DHCP pools to differentiate between known and unknown clients to decide whether to respond to a client request. A known client has a host entry on all of the subnets where MAC authentication is in operation.
If a client is unknown, an address (with a short lease time) is issued from an unknown-users pool, and a DNS entry is configured on the client to redirect all DNS queries back to the master MAC authentication server. When the client reaches the master server, a web page appears and prompts for a network username and password. These can be authenticated against a Radius, LDAP, or Kerberos (Active Directory) server.
If the user is authenticated successfully against the external authentication server, the MAC address of the user's computer is registered as a known host with all of the MAC-authenticated subnets. Because the lease time is short, the user's computer soon requests renewal of its IP address, but instead receives a less restricted IP address from the known-users pool. In this way, MAC addresses are added dynamically using the most up-to-date user information possible: the primary user authentication system for the network itself.
The General tab contains several settings for configuring the web portal for unauthenticated users. The HTTP Connection Data area is used to set up the portal and the Web Data area is used to customize its look and feel.
2 Type the shared secret, and then click OK.
3 Click the empty field to the right of Login Session Time. The Login Session Time dialog box appears.
4 To change the session time, clear the Use Default Setting checkbox, and then type in the value you want to use. Select the appropriate time interval from the drop-down list.
MAD Settings
Default Authorization Time: This is the amount of time that the user's MAC address remains on the MAD list before the user needs to re-authenticate through the web portal.
Shared Secret String: This value is used as a password for the MAD service.
2 To change the authorization time, clear the Use Default Setting checkbox, and then type in the value you want to use. Select the appropriate time interval from the drop-down list.
3 Click the empty field to the right of Shared Secret String. The MAD Shared Secret dialog box appears.
Web Data
You can use default values for the following parameters, or select customized ones.
Welcome Message: To display a greeting on the portal, click this field, and then type your message in the Welcome Message dialog box. Your message can include up to 150 characters, but it is better to keep the message brief.
Logo File: To specify a custom logo for the portal, click this field, and then navigate to the logo you want to use. This should be a graphic file, such as a jpg, gif, or png.
EULA File: To specify an EULA file for the portal, click this field, and then navigate to the file you want to use. HTML is the recommended format, but you can use txt files too.
SSL Certificate: To select an SSL certificate, click this field, and then navigate to the certificate you want to use.
MAD Servers
The MAD Servers tab allows you to add servers to the MAD service for this configuration. After you have added servers you can create MAC Authentication Pools on their subnets.
2 Select the server's IP Address from the drop-down list.
3 Type the MAD port (default is 1067), and then click OK. The Adonis you chose as the MAD server maintains the master lists of MAC addresses for authentication.
Authenticators
Authenticators for the MAD service are set up in exactly the same way as those used for user management. For more information, see Configuring External Authenticators on page 29.
2 In the New Authenticator dialog box, specify the following values:
Name: The name of the authenticator object within Adonis.
Host: The host name or IP address of the server that you are contacting to authenticate Adonis users.
Type: The type of authenticator object you want to use.
Priority: The lower this value, the more priority an authenticator has in the MAD service.
The dialog box contents change if you select a Radius or LDAP authenticator type. Make sure you type all the required information for the authenticator you intend to use.
3 To ensure that the authenticator is configured properly, click Test Authenticator. This checks to see if a socket connection to the server can be formed. It returns a pop-up with status information on the authenticator connection. 4 To create this authenticator object, click OK.
2 The primary pool is the address pool from which known users receive their addresses. Consider naming the pool to reflect this using the Name field.
3 Use the Start Offset and End Offset fields for entering a range of addresses on the subnet to which this pool applies.
4 The Default Lease Time should be set to the standard default lease time for the network. In this case, it has been set to 172800 seconds (2 days).
5 Use the Temporary Pool area to issue addresses to unknown clients. Type a name for the pool that reflects this in the Name field.
6 Use the Start Offset and End Offset fields to specify only a range of IP addresses that is sufficient to service unknown clients waiting to authenticate and receive a fully functional DHCP configuration.
7 The lease time should be set very short, such as 300 seconds (5 minutes). This enables the client machine to keep its limited IP address long enough to authenticate through the MAC authentication portal, but it is short enough that the client receives a full network configuration shortly after being authenticated.
8 To finalize this part of the MAC authentication setup, click OK.
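The deny-filter import described earlier (three MAC address formats, ignore-or-overwrite duplicate handling) and the MAC authentication flow above (a temporary pool with a short lease and DNS pointed at the portal, then a known-host lease once the user authenticates) can be exercised together. This added Python model is not Adonis code: the address ranges, the 172800 and 300 second lease times, the portal and DNS addresses and the credential store are constructed sample values, and the credential check stands in for the external Radius, LDAP or Kerberos authenticator.

```python
import csv
import hmac
import io
import re
from dataclasses import dataclass, field

# Exactly the three formats the deny filter accepts: no delimiters, colons, or hyphens.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{12}|(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|(?:[0-9a-f]{2}-){5}[0-9a-f]{2})$", re.I)

def normalize_mac(text):
    """Canonical lowercase colon form, or ValueError for anything that is not a 48-bit address."""
    text = text.strip()
    if not _MAC_RE.match(text):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    digits = re.sub(r"[:-]", "", text).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def import_deny_list(deny, csv_text, on_duplicate="ignore"):
    """Merge 'mac,comment' CSV rows into a deny list (dict mac -> comment).
    Duplicates are ignored or overwritten as selected; a malformed row aborts the import."""
    if on_duplicate not in ("ignore", "overwrite"):
        raise ValueError("on_duplicate must be 'ignore' or 'overwrite'")
    merged = dict(deny)
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue
        mac = normalize_mac(row[0])
        if mac in merged and on_duplicate == "ignore":
            continue
        merged[mac] = row[1].strip() if len(row) > 1 else ""
    return merged

@dataclass
class Pool:
    name: str
    free: list            # constructed address range, handed out in order
    lease_time: int       # seconds

    def allocate(self):
        return self.free.pop(0) if self.free else None

@dataclass
class MacAuthServer:
    """Known hosts get the primary pool; unknown clients get a short temporary lease whose
    DNS setting points at the portal until they authenticate and become known hosts."""
    primary: Pool
    temporary: Pool
    portal_ip: str
    dns_servers: list
    credentials: dict     # constructed stand-in for the external authenticator
    deny: dict = field(default_factory=dict)
    known_hosts: set = field(default_factory=set)

    def offer(self, mac):
        mac = normalize_mac(mac)
        if mac in self.deny:                     # MAC filtering: the server does not respond
            return None
        if mac in self.known_hosts:
            return {"address": self.primary.allocate(), "lease": self.primary.lease_time,
                    "dns": list(self.dns_servers)}
        return {"address": self.temporary.allocate(), "lease": self.temporary.lease_time,
                "dns": [self.portal_ip]}         # every DNS query lands on the portal

    def authenticate(self, mac, username, password):
        expected = self.credentials.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return False
        self.known_hosts.add(normalize_mac(mac))  # registered on the MAC-authenticated subnets
        return True

def build_sample_server():
    """Constructed configuration following the pool settings in the steps above."""
    return MacAuthServer(
        primary=Pool("known-users", [f"192.0.2.{i}" for i in range(10, 20)], 172800),
        temporary=Pool("unknown-users", [f"192.0.2.{i}" for i in range(200, 204)], 300),
        portal_ip="192.0.2.2",
        dns_servers=["192.0.2.3"],
        credentials={"alice": "correct horse"},
        deny=import_deny_list({}, "123456ABCDEF,stolen laptop\n"),
    )
```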
Allow View: This view is set up similarly to a typical DNS service. It does not need an ACL, but you can create one if necessary. To create an ACL for this view, follow the method described for the Deny View.
The Allow View entry should appear below the Deny View entry on the ACL match list. If this is the case it should not represent a serious security issue.
ACLs are discussed in Managing Access Control Lists on page 146. Because pool ranges can contain any range of IP addresses, the addresses can be entered into the ACL individually or using a combination of Classless Inter-Domain Routing (CIDR) notation and individual addresses. The CIDR notation can generally encompass most of the required addresses, and you can modify the others individually. A root (.) zone must also be created with an A (host) record that uses the wildcard (*) to match all queries and send them to the Adonis IP address on which the MAC authentication portal is running.
OMAPI
Open Mobile Application Programming Interface (OMAPI) is a communications mechanism that lets a user make changes to an ISC DHCP server without needing to stop and restart the server. To control the server using OMAPI, the server must be configured to accept OMAPI connections. Adonis is configured to accept OMAPI connections by default and is secured with a secret key similar to a TSIG key. Only a client that shares the key can make changes to the server using OMAPI. By default, the OMAPI port is 7911. However, the secret key and port number can be changed from the Administration Console. The settings for the port and the key are on the General tab for the DHCP service on each appliance. The port and key are both set here. After you deploy the project you can modify the firewall and connect to the OMAPI shell using a terminal.
The Lease Viewer displays leases for specific (/16 and smaller) blocks of IP addresses, as well as lease details in both graphical and tabular formats.
You can use the icon on the Lease Viewer to refresh the data.
Releasing a lease for an IP address means that the address becomes available for re-use. However, the user's workstation may attempt to renew the lease before the lease period actually ends. In this case, the previous end date for the lease period is no longer valid and the lease is renewed. Another possibility in freeing a lease is that the address could be over-allocated by being reassigned while it is still assigned to the original user. Freeing an IP address from the server does not immediately affect the IP address used by the client.
3 To refresh the Lease Viewer with the latest data from the server, click Refresh.
4 Right-click an active lease to display a context menu with commands that let you release it or view its properties.
Releasing an IP address lease here does not immediately affect a user's network configuration. The user may still renew the lease before it runs out, or another user could be assigned this address, and a conflict could occur.
DHCP Failover
Traditional DHCP high availability has been handled by a practice called scope splitting. Scope splitting splits the pool of IP addresses between two DHCP servers. If one server fails, clients cannot renew their lease and are required to obtain a new IP address from the secondary peer server. Adonis DHCP failover uses ad hoc updates through proprietary send and receive channels. This ensures high availability of DHCP services. DHCP failover does not require any additional IP resources, and existing leases continue to exist, even in the event of a total hardware failure on one server. For detailed information on Adonis DHCP failover, see Adonis DHCP Failover on page 210.
DHCPv6
Although an inexperienced user can easily create and configure a DHCPv6 service, understanding the mechanisms of DHCPv6 and stateless auto configuration requires advanced knowledge of networking concepts. If you simply want to create a DHCPv6 service and configure it, skip directly to Creating a DHCPv6 Service on page 198 and Configuring a DHCPv6 Service on page 199.
Overview of DHCPv6
The Adonis DHCPv6 service supports only stateless IPv6 auto configuration. This means that it can configure hosts that already have an address with lists of DNS servers, but it cannot assign addresses. In DHCPv6, the server responds to Information Request messages containing an Option Request option. It sends back a Reply message with the appropriate information.
IPv6 Prefixes
IPv6 prefixes define networks and subnets in IPv6, and are used for matching clients in DHCPv6. Their notation is very similar to CIDR notation. That is, an address followed by the number of significant bits, separated by a slash. For example: 2001:DB8:0:56::/64
The first portion of the prefix is a valid IPv6 address with the long string of trailing zeros replaced by a double colon (for more information on IPv6 notation, see AAAA Records on page 151). Just as in CIDR notation, this prefix matches all clients whose addresses begin with 2001:DB8:0000:0056.
4 Right-click the network interface, and then click New > Network. The New DHCPv6 Network dialog box appears.
5 Type a name and a valid IPv6 prefix for the new network, and then click OK.
Chapter 10
High Availability
Adonis features two types of redundancy, Crossover High Availability (XHA) and DHCP failover. These systems are independent, but they can be used together to provide different benefits:
- XHA uses server clustering to link two Adonis appliances together and provide highly available DNS service. Users see a single server running a single copy of each service.
- DHCP failover links two DHCP services together on two separate servers to ensure that a secondary DHCP service (on another server) manages existing leases and responds to new requests if the primary service fails.
This chapter includes the following topics:
- Crossover High Availability (XHA) on page 201 describes DNS high availability and Adonis.
- Adonis DHCP Failover on page 210 describes how Adonis DHCP failover uses ad-hoc updates through proprietary send and receive channels.
Prerequisites
Before creating your XHA cluster, ensure that the following conditions are met:
- Two Adonis appliances are powered up, each configured with an IP address on the same subnet, and are connected to the network.
- The latest Management Console is installed and available.
- Deployment passwords are available for both nodes that are to be part of the XHA cluster.
- Three IP addresses (on the same subnet) are allocated per XHA cluster: one physical address for each Adonis node, and one for the virtual IP address used for responding to DNS queries.
- The eth0 adapter on both Adonis servers should be explicitly set to 100Mbps Full Duplex as described in Configuring Network Settings on page 43. Auto negotiation to 100Mbps Full Duplex is not adequate for this requirement and may cause inadvertent failover incidents between the two nodes. These appliances must be on the same subnet, because routing the heartbeat is not supported.
- The switch ports to which the Adonis appliances are connected must also be explicitly set to 100Mbps, full-duplex. The Spanning Tree option on the switch containing these ports must also be set to PORTFAST.
The speed and duplex settings on the appliances and the switch are extremely important. Do not forget to set them. Do not try to configure half-duplex communication. If you try to configure half-duplex, Adonis prevents you from saving the setting and an error message appears. For more information about duplex settings contact BlueCat Networks at: http://www.bluecatnetworks.com/clientsupport/self-service/
Both Adonis appliances must be able to ping their Ping Node (usually set to the address of the default gateway or a server) at all times. The appliance performs this test to ensure that it is live on the subnet and is not experiencing a local network failure. Remove old certificates and set the time on the appliances so it does not vary by more than 40 seconds. Use NTP to control the time on both appliances for this reason.
5 In the High Availability Wizard, select the server that you just created, and then click Next. The Get Node Information page opens.
The Node 1 and Node 2 IP addresses must correspond to the physical IP addresses assigned to the appliances in Step 1 above. These addresses must be different from the virtual IP address of the XHA cluster.
6 Type the IP addresses and passwords for each of the individual appliance nodes.
7 Type the virtual IP address for the cluster. Click Next. The Set HA Common Data page opens.
8 Set the Common HA configuration password used to manage the new XHA cluster.
9 In the Ping Address field, type a ping address on the same subnet. Both appliances need to be able to ping this address and receive a response or the cluster cannot function properly.
10 In the Failure Detection Time field, type the number of seconds a node in the cluster should wait without receiving a heartbeat before assuming that its peer node has failed.
11 Click Next. The XHA cluster is created and the Wizard indicates when the process is complete.
It can be useful during this process to monitor the contents of the /var/log/ha-log file to observe the status of the XHA services on both appliances. The main service and system status for the appliance is still found in /var/log/syslog.
12 Click Next, and then click Finish. When the XHA cluster configuration is complete, the server icon in the Management Console changes to show the new XHA cluster. Wait three to four minutes for the Adonis servers to finish the configuration. After this time, you should be able to query the cluster for information.
At this point, you are managing the XHA cluster as a single entity, although the XHA cluster has two physical nodes. Running the High Availability Wizard again lets you either repair the XHA cluster or break it to return to a single server configuration.
5 The wizard diagnoses both nodes of the cluster; after it has finished, click Next.
6 The Diagnostic Results page appears showing you any problems that exist in your HA cluster.
3 Select Repair High Availability, and then click Next. The Get Node Information page appears.
4 Type and confirm the passwords for the two nodes, and then click Next. The Get HA Common Data page appears.
5 Type and confirm the XHA cluster password, ping address and dead time, and then click Next. The Repair HA Cluster page appears showing the wizard's progress in connecting and repairing the cluster.
6 When this process finishes, click Next and then click Finish. Your configuration now shows a single server, using the virtual IP address of the XHA cluster as its physical address. This is not the physical IP address for either appliance in the former cluster. The second appliance does not appear as a server in the project because it was providing the same services as the new single server.
Manual Failover
You can perform a Manual XHA Failover from the Server Control dialog box described in Management
2 Select the Perform HA Failover option, and then click Execute.
3 Click OK.
4 To verify that the nodes have reversed, select Server Control, and then select High Availability Status Query. The Action Results dialog box appears.
5 When you are satisfied that the nodes have reversed, perform another manual failover to reset them to their original status.
To perform a manual failover, you must select the active node.
A Companion to XHA
One member of a failover pair may lose contact with its partner for reasons such as a network failure, a failure of one of the servers, or a planned outage. DHCP failover is configurable on a per-pool level. This allows you to have very complex configurations, such as a single secondary DHCP server acting as the backup for multiple primary DHCP servers, or several DHCP pools backed up to different DHCP servers. Adonis supports failover in an active-active or active-passive configuration. In an active-active configuration, both the primary and secondary servers answer requests for the specified IP addresses. The DHCP requests must reach both servers for failover to work during normal operation.
Terms vs Times
Most people think about time and DHCP as periods of time rather than points in time. DHCP failover requires that administrators be mindful of both terms and absolute times in order to manage two servers that are synchronized closely. DHCP failover servers are synchronized using Network Time Protocol (NTP). This allows both servers to use an absolute time reference that is external to each of them. DHCP failover servers communicate using several types of messages, but from the initial CONNECT message between them, absolute time is constantly referenced. The only way to try to anticipate what the other server might be doing with a lease is to reference the lease periods against absolute time. By knowing the exact start time of a state, one server can anticipate when the other performs certain actions. To synchronize leases, Adonis DHCP servers configured for failover communicate through a persistent TCP connection on ports 647 and 847.
Start Time of State (STOS): This is the absolute time stamp that indicates when a server or address entered a particular state.
Desired Lease Time (DLT): The Desired Lease Time is the period of time for which a client typically requests a lease on this network. This is the standard DHCP lease time that would always be given out if this server were operating in a standalone configuration rather than in failover mode.
Maximum Client Lead Time (MCLT): The MCLT is the maximum amount of time for which a server in communication-interrupted or partner-down state issues a lease. This is also the amount of time that it takes a server in the communication-interrupted state to recover its leases before entering the partner-down state. This short lease time aids in re-synchronizing the servers, both during initialization and after a failover incident. However, very short lease times may create a great deal of traffic when the server is operating without its peer.
Because the DHCP failover mechanism relies on the MCLT being safer to use than the DLT, the MCLT value must always be lower than the DLT value for any given failover pool.
Potential Lease Expiry Time: This is an absolute point in time at which a DHCP server believes that a particular lease on its partner server expires. This value helps servers in partner-down state to calculate when it is safe to use the other server's leases.
Max Response Delay: This value is set in the Adonis interface, and indicates the amount of time a client must attempt contact with its primary DHCP server before the secondary offers a lease. The secs field in the DHCP request provides the value (in seconds) that is checked against the Max Response Delay. A non-zero value in this field indicates that this is not a first attempt, and if the value passes the delay threshold indicated by Max Response Delay, then the other server responds to the client anyway.
Three Rules
The only way a pair of DHCP failover servers can anticipate each other's behavior during communication outages is by referencing absolute time against a known set of behaviors. To implement this strategy all DHCP failover servers follow three important rules:
1 All of the available addresses are divided between the two servers as free and backup addresses. In the ISC implementation these are always balanced so that 50% of the addresses are generally allocated to each server at any given time.
2 A DHCP failover server can generally only extend an address lease for a limited time beyond the expiry time known to its peer. This is the MCLT, and is usually not longer than an hour.
3 Addresses cannot be re-issued to clients unless both servers agree that the previous client is no longer using the address. The exception to this rule is the partner-down state.
DHCP failover servers must be synchronized using NTP.
allocation. Seven different address binding states are used to indicate these properties for an address binding.
State       Description
ACTIVE      These addresses are in use by clients.
FREE        These addresses can be leased by the primary server.
BACKUP      These addresses can be leased by the secondary server.
EXPIRED     This address lease has expired and is not yet available for allocation.
RELEASED    This address lease has been released by a client, but is not yet available for allocation.
RESET       This address lease has been reset by an administrator, but is not yet available for allocation.
ABANDONED   This address has created a conflict and it is no longer being used by either server.
Server States
DHCP failover servers operate within server states that tell the DHCP failover server how to interact or not interact with its peer server. These states are used to manage normal server operations, and to manage operations when the two servers cannot communicate. Based on its state a server can anticipate the actions or lack of actions that its peer may have for any operation and operate in a way that respects these constraints.
Normal State
This is the standard operational state for DHCP failover servers. In this state, both servers can communicate with each other. They use POOLREQ messages to ensure that as all leases are returned to the primary server, half of the addresses are sent to the secondary server as backup addresses and half become free addresses on the primary server.
Communication-Interrupted State
In this state, the servers can no longer communicate with each other. However, in this state neither server is aware of the state of its peer. Therefore, all operations must assume that the other DHCP server could also be live and issuing address leases. Once a server has entered the communication-interrupted state, it changes the way that it assigns address leases. Clients initially attempting to renew existing leases receive a new lease for the remainder of their regular lease time with the MCLT value added. Subsequent leases are only handed out for MCLT and clients are never given a lease renewal, instead, they always receive a lease for a new address. If a client releases an address lease manually, then that address is abandoned until Normal state is again achieved.
The disadvantage of the communication-interrupted state is immediately apparent. If clients are given short lease times and their leases are not renewed, then the address pool might quickly become depleted, not to mention the increased level of network traffic. However, if one of the servers knew that its partner was down, it could operate in a much more efficient manner and more gracefully supply service in the absence of its partner.
Partner-Down State
When a DHCP failover server is informed that its peer is down it can allocate IP addresses in a much different way than when it was in the communication-interrupted state. This server becomes the primary server, whether or not it was the primary before its peer went offline. It continues to hand out leases for MCLT, but renews the leases. This server also reclaims all of the expired, reset, and released leases and is able to use the entire free address pool for allocations. When its partner comes back online, this server reverts to leases for the normal DLT and remains the primary server. Transition to the partner-down state is controlled by the Adonis Failover Monitor. The Failover Monitor monitors both of the DHCP failover servers, and when an outage occurs, puts the server into partner-down state.
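The lease lengths described under Three Rules, the communication-interrupted state and the partner-down state can be tried out with the following Python model. It is an added example, not Adonis or ISC DHCP code: a single failover peer with an NTP-style integer clock that grants DLT-long leases in normal state, extends an existing lease once by MCLT beyond the expiry its peer already knows (rule 2) and then only hands out MCLT-long leases on fresh addresses while communication is interrupted, and honours renewals again (still MCLT-long) once it is in partner-down state. The DLT and MCLT values, the address pool and the client identifiers are constructed for the example; the MCLT-below-DLT check mirrors the requirement stated above.

```python
from dataclasses import dataclass
from enum import Enum


class ServerState(Enum):
    NORMAL = "normal"
    COMMUNICATIONS_INTERRUPTED = "communications-interrupted"
    PARTNER_DOWN = "partner-down"


@dataclass
class FailoverParams:
    dlt: int   # Desired Lease Time in seconds
    mclt: int  # Maximum Client Lead Time in seconds

    def __post_init__(self):
        # The guide requires the MCLT to be lower than the DLT for any failover pool.
        if not 0 < self.mclt < self.dlt:
            raise ValueError("MCLT must be positive and lower than DLT")


@dataclass
class Lease:
    address: str
    expiry: int                      # absolute time (seconds) the peer is assumed to know
    extended_in_outage: bool = False  # set once rule 2's single MCLT extension is used


class FailoverServer:
    """Toy model of one failover peer; 'now' values are seconds on an NTP-synced clock."""

    def __init__(self, params, free_addresses):
        self.params = params
        self.state = ServerState.NORMAL
        self.free = list(free_addresses)  # constructed pool, not a real allocation
        self.leases = {}                  # client id -> Lease

    def request(self, client, now):
        lease = self.leases.get(client)
        if self.state is ServerState.NORMAL:
            # Full DLT, renewing in place or taking a free address.
            if lease is None:
                lease = Lease(self.free.pop(0), now)
                self.leases[client] = lease
            lease.expiry = now + self.params.dlt
            return lease
        if self.state is ServerState.COMMUNICATIONS_INTERRUPTED:
            if lease is not None and not lease.extended_in_outage and lease.expiry > now:
                # First renewal during the outage: remainder of the regular lease plus MCLT,
                # i.e. never more than MCLT beyond the expiry the peer knows (rule 2).
                lease.expiry = lease.expiry + self.params.mclt
                lease.extended_in_outage = True
                return lease
            # Afterwards there are no renewals: a fresh address, for MCLT only.
            lease = Lease(self.free.pop(0), now + self.params.mclt, extended_in_outage=True)
            self.leases[client] = lease
            return lease
        if self.state is ServerState.PARTNER_DOWN:
            # Leases stay MCLT-long, but renewals are honoured and the whole pool is usable.
            if lease is None:
                lease = Lease(self.free.pop(0), now)
                self.leases[client] = lease
            lease.expiry = now + self.params.mclt
            return lease
        raise ValueError("unknown server state")


if __name__ == "__main__":
    params = FailoverParams(dlt=172800, mclt=3600)
    server = FailoverServer(params, ["10.0.0.10", "10.0.0.11", "10.0.0.12"])
    print(server.request("client-a", 1000))
    server.state = ServerState.COMMUNICATIONS_INTERRUPTED
    print(server.request("client-a", 2000))
    print(server.request("client-a", 3000))
```

Walking the model through the states shows why the guide calls the communication-interrupted state wasteful: the second request during the outage consumes a second address for the same client, whereas in partner-down state the same client keeps renewing its one address.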
Recovery State
If a server has come online for the first time and has no address database, or is recovering and has a peer in the partner-down state, recovery state is used to synchronize the databases on the two servers. The recovery state is used when a failover peer believes itself to be out of synch with its partner. The partner server could be in a state of either communications-interrupted or partner-down. The server in recovery mode stops issuing addresses (if it was) and then requests either a partial or full update of the DHCP lease database from its peer. When it has completely synchronized the database with its peer, it moves into recovery-wait state. Alternatively, if no new leases have been granted, both servers immediately return to the normal state, bypassing the recovery-wait period.
Recovery-Wait State
The recovery-wait state is used as a safe period to ensure that all leases granted by the server in partner-down state are in a known state before the newly recovered server also begins issuing addresses. The recovering server waits for the MCLT period to expire after it has recovered and before it returns to normal state and begins issuing addresses.
Potential-Conflict State
If the recovering server discovers that its peer went into partner-down state while it was still handing out leases, the server goes into potential-conflict state and tells its peer to also enter this state. The primary server sends an update request to the secondary server for all unacknowledged updates. The secondary server responds with these updates and indicates when this operation is completed. The secondary server then sends an update request to the primary server for all unacknowledged updates. The primary server responds with these updates and indicates when this operation is completed. Both servers then move back into the normal state. The potential-conflict state can occur because of a communication break longer than the MCLT, when a server recovers but cannot communicate with its peer, or if one of the servers is placed in partner-down state through the OMAPI shell while its peer is in communication-interrupted state. DHCP failover servers do not issue client leases in this server state. However, this state does not generally persist for a long period of time.
Failover Monitor
To manage the interactions between Adonis DHCP failover servers, BlueCat Networks developed a Failover Monitor (FOMON) that monitors the failover server states and places a server into partner-down state if required. The Failover Monitor is implemented as a daemon that resides on Adonis and runs whenever DHCP failover is active on Adonis. The shell script that controls the Failover Monitor is located in /usr/local/bluecat/ and is called fomon.sh. This script accepts the command-line arguments restart and status. The SafePeriodTimeout value controls the time interval between polling attempts. If you change these values, you must restart the fomon.sh script from the command line with the command:
/usr/local/bluecat/fomon.sh restart
recovery-wait state for the MCLT period. After MCLT is passed, both servers return to the normal operational state.
Recommended Topologies
The example below shows the use of the DHCP Helper on a router to pass DHCP requests to a DHCP server on another segment. DHCP Helpers are used on the router to forward broadcast DHCP messages to the server on the other side of the router. However, activating the DHCP Helper for the clients that are on the same subnet as the secondary server can cause errors by creating a loop in the router. Consult your router documentation before activating this feature on any ports.
DHCP failover is recommended for one-to-one, many-to-many or one-to-many configurations. In any case, the DHCP failover servers do not support crossover configurations. This means that two servers cannot be each other's secondary failover server. A failover server cannot be a primary and a backup server for the same set of pools. This creates a non-functional configuration. With three or more servers, there are two standard approaches to setting up DHCP failover without creating a crossover configuration. The first example uses a round-robin style topology to avoid crossovers. Because none of the servers acts as both a primary and secondary peer for any other server, this does not create a crossover.
A one-to-many topology involves using a single secondary server to service several primary servers. The primary servers in this example have a load balance split of 255 so that they hand out all leases in the normal state, despite having only half of the addresses available. The secondary server maintains the other half of the addresses for each primary server and uses these addresses in the case of an outage on one of the primary servers. Because of the inefficient use of available addresses with this configuration, this is not recommended. The round-robin topology listed above is generally a better option. However, the one-to-many topology may be a better choice for some networks.
2 On the General tab, right-click in the empty list area below Failover Peers, and then click New. The New Failover Peer dialog box opens.
4 Select a backup (secondary) server from the Peer Server drop-down list.
Only servers configured in the Management Console are available as DHCP failover peer servers.
5 Type the Max Response Delay, usually recommended to be between 30 and 180 seconds. This is the amount of time that a server waits without communication before it assumes that its peer is down. This setting should be set high enough to avoid failover incidents due to common network lag or very short outages.
6 Type a value for MCLT, for example, 3600 seconds.
7 Type a value for the Load Balance Split.
8 Type the Load Balance Override. This is the amount of time during which a server allows a client request to go unanswered by its peer before responding, despite the client being assigned to service from the peer.
9 Click OK.
3 From the drop-down menu, select a DHCP failover peer as the secondary for this pool.
4 Click OK. Adonis creates the DHCP failover pool on the secondary server automatically (see the red ellipse in the following figure).
5 Repeat the above steps for each pool that requires the redundancy of DHCP failover.
2 On the General tab under Failover Peers, double-click the primary failover server. The Edit Failover Peer dialog box opens.
3 Edit the Failover Peer setting on the primary failover server to none.
4 Change the Failover Peer setting back to show the correct failover peer. Re-instating this selection allows the server to re-synchronize the settings for its failover pool.
Chapter 11
Migration Tools
This chapter describes the tools provided to help you migrate from external data sources to your Adonis DNS/DHCP Appliance. This chapter contains the following topics:
- Importing External Configurations on page 223 explains the process.
- Using a Live Zone Transfer on page 225 explains how to import data through a zone transfer.
- Importing an Existing DNS Configuration on page 227 explains how to import a DNS configuration.
- Importing an Existing DHCP Configuration on page 229 explains how to import a DHCP configuration.
2 Click Next. The Select Location page appears. From the drop-down list, select the type of file you want to import, and then use the (...) button to navigate to the file.
3 Click Next. The Select Destination page appears.
4 To import the file to a new name server, select the New Server option, and then type the server name, IP address, and contact e-mail information.
5 To import the file to an existing server or view, select the Existing Server option, and then select the server or view from the drop-down list.
6 Click Next, and then click Finish.
2 From the Tools menu, select Live Zone Import. The Live Zone Import Wizard opens. Click Next.
3 Type the settings for the DNS server that contains the desired zone, the port on the DNS server, and the name of the zone. Click Next.
4 Select the server and the zone to which you want to transfer the live zone data.
5 Click Next. The Perform Live Zone Import page appears showing status information as the live zone import takes place. A message appears showing whether or not the transfer was successful.
6 When the transfer is complete, click Next, and then click Finish.
Named.conf
You must prepare named.conf files before you import them. Using a text editor, try to eliminate the following potential errors before you attempt to import a named.conf file:
- Syntax errors: specifically end braces and semi-colons.
- Option definitions: remove all option declarations (especially global ones), except match-clients for views. These are not imported, so you do not lose anything.
- Other BIND syntax: try to interpret the errors that are thrown to the import log and clean the file accordingly.
ACLs
You must define ACLs in a view before you import them. This is because the import tool loads only the ACLs that are implemented in the BIND configuration. The import tool loads zones and views in different ways and it does not load any zone options, so even if an ACL is implemented within a zone option, the import tool does not consider it to be implemented. The following example creates three different ACLs:
# The client was implementing these three acls in zone options in their named.conf.
acl firstacl { 198.168.3.46; 198.168.3.56; };
acl secondacl { 10.10.200.0/22; };
acl thirdacl { 69.2.124.11; 64.52.36.0/25; };
To load a named.conf file that consists of ACLs and zones, you must create an empty view that implements all of the ACLs that need to be imported in a match-clients option statement. The following example is a BIND 9 configuration which initially contained only ACLs and zones. The default view has been added to ensure that the ACLs are imported.
# This view doesn't contain the zones, it just implements the acls so that they can be imported.
view "default" {
    match-clients { firstacl; secondacl; thirdacl; };
};
# These zones implement the ACLs, but the import engine does not pick it up.
zone "example1.com" {
    type master;
    file "example1.zone";
    allow-query { firstacl; };
};
zone "example2.com" {
    type master;
    file "example2.zone";
    allow-query { secondacl; };
};
zone "example3.com" {
    type master;
    file "example3.zone";
    allow-query { thirdacl; };
};
The view that implements the ACLs does not need to contain the zones. You may use any name, but if you choose default the zones appear in the default view in Adonis, whether or not they are contained in that view, and the ACLs are applied to the default view. The company's previous functionality for the ACLs using zone options can be re-created after the import. To do this, use a different view name to implement the imported ACLs, and then apply the ACLs to the zones in the default view. The zones can be automatically imported into default if they are not contained within a view.
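The preparation described in Named.conf and ACLs above (drop the global options block, make sure every acl is referenced by some view's match-clients so the importer picks it up) can be checked mechanically before the import. The following Python is an added example, not part of the guide or of the Adonis import tool: it strips comments and the top-level options block, lists the acl statements that no match-clients references, and appends a holding view for them. The sample configuration is constructed from the three-ACL example above, and the view name acl-import is an arbitrary choice.

```python
import re

ACL_RE = re.compile(r'\bacl\s+"?([\w-]+)"?\s*\{')
MATCH_CLIENTS_RE = re.compile(r'match-clients\s*\{([^}]*)\}')
OPTIONS_RE = re.compile(r'^[ \t]*options\s*\{', re.M)


def strip_comments(text):
    """Drop '#' and '//' comments so braces inside them cannot confuse the scan."""
    return re.sub(r'(?m)(#|//).*$', '', text)


def block_end(text, open_idx):
    """Index just past the '};' that closes the brace at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                end = i + 1
                if text[end:end + 1] == ';':
                    end += 1
                return end
    raise ValueError("unbalanced braces in named.conf")


def strip_top_level_options(text):
    """Remove the global options { ... }; block, which the importer ignores anyway."""
    m = OPTIONS_RE.search(text)
    if m is None:
        return text
    return text[:m.start()] + text[block_end(text, m.end() - 1):]


def acl_names(text):
    return ACL_RE.findall(text)


def acls_in_match_clients(text):
    """Every token referenced by any match-clients statement in the file."""
    names = set()
    for m in MATCH_CLIENTS_RE.finditer(text):
        for token in m.group(1).split(';'):
            token = token.strip().strip('"')
            if token:
                names.add(token)
    return names


def missing_acls(text):
    """ACLs defined in the file but not referenced by any view's match-clients."""
    referenced = acls_in_match_clients(text)
    return [n for n in acl_names(text) if n not in referenced]


def prepare_named_conf(text, view_name="acl-import"):
    text = strip_comments(text)
    text = strip_top_level_options(text)
    missing = missing_acls(text)
    if missing:
        clients = " ".join(n + ";" for n in missing)
        text = text.rstrip() + '\n\nview "%s" {\n    match-clients { %s };\n};\n' % (view_name, clients)
    return text


# Constructed input modelled on the guide's three-ACL example (not a real customer file).
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";   // global options: dropped before import
    recursion no;
};
acl firstacl { 198.168.3.46; 198.168.3.56; };
acl secondacl { 10.10.200.0/22; };
acl thirdacl { 69.2.124.11; 64.52.36.0/25; };
zone "example1.com" { type master; file "example1.zone"; allow-query { firstacl; }; };
zone "example2.com" { type master; file "example2.zone"; allow-query { secondacl; }; };
zone "example3.com" { type master; file "example3.zone"; allow-query { thirdacl; }; };
"""

if __name__ == "__main__":
    print(prepare_named_conf(SAMPLE_NAMED_CONF))
```

Running missing_acls on the raw file reports all three ACLs, because they are only used in zone allow-query options; after prepare_named_conf the holding view references them and the report is empty. Use a view name other than default if you intend to re-apply the ACLs to zones in the default view after the import, as the text recommends.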
Chapter 12
Microsoft Active Directory (AD) is based on well-known network services such as Lightweight Directory Access Protocol (LDAP) and Kerberos. AD was first available in Windows 2000 Server and uses DNS for its location mechanism. DNS has grown to become not only the cornerstone of the Internet, but crucial for connecting Windows clients to their domain controllers. This section explains how AD uses DNS and how Adonis appliances integrate into this environment. Adonis appliances are easy to integrate and they provide a robust, secure, and highly maintainable DNS management platform.
When examining these records in the Microsoft DNS server, you may think that this data must reside in sub zones of the parent domain. This is not necessarily the case, because DDNS updates have no way of creating additional zones. The records are simply added as resource records with label separators (".") into the parent domain's zone file. Notice that some record names contain underscore ("_") characters. This is common practice in Microsoft development tools and was borrowed for the DNS naming technique for AD. The following table lists the naming conventions used in the records:
DNS Label   Description
_ldap       LDAP service
_tcp        Service uses TCP connections
_udp        Service uses UDP connections
_kerberos   Record contains information about a Kerberos Key Distribution Center (KDC)
_msdcs      Service is running on a Domain Controller
_kpasswd    Kerberos Password Change service
_gc         Global Catalog service
_sites      Record contains information about a specific site
dc          Domain Controller (DC)
gc          Global Catalog (GC)
A registered DNS record can contain one or more of the above names to describe a service that can be queried. For example, the following record locates an LDAP service on server1.bluecatnetworks.com in the bluecatnetworks.com domain:
_ldap._tcp.bluecatnetworks.com SRV 0 0 389 server1.bluecatnetworks.com
An alternative form of this record that indicates that the LDAP service is on a DC has the following syntax:
_ldap._tcp.dc._msdcs.bluecatnetworks.com SRV 0 0 389 server1.bluecatnetworks.com
For a detailed list of these records, see Active Directory DNS Records on page 235.
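The two records above can be decoded with the label table. The following Python is an added example (not from the guide): it parses a zone-file style SRV line, splits the owner name beneath a given domain into its AD labels, decodes each label using the table, and flags records a defender would want to look at twice, that is unknown labels and a well-known AD service advertised on an unexpected port. The site-specific form (<SiteName>._sites...) follows the usual AD layout and is an assumption, as are the well-known ports, which come from the IANA assignments rather than from the guide; the records in the test are the two given above plus constructed ones.

```python
import re

# Meaning of each label, from the table in the text (_udp written with its underscore).
LABEL_MEANINGS = {
    "_ldap": "LDAP service",
    "_tcp": "service uses TCP connections",
    "_udp": "service uses UDP connections",
    "_kerberos": "Kerberos Key Distribution Center (KDC)",
    "_msdcs": "service is running on a Domain Controller",
    "_kpasswd": "Kerberos Password Change service",
    "_gc": "Global Catalog service",
    "_sites": "record is specific to a site",
    "dc": "Domain Controller (DC)",
    "gc": "Global Catalog (GC)",
}

# Well-known ports for the AD services (IANA assignments, an assumption not stated in the guide).
EXPECTED_PORTS = {"_ldap": 389, "_kerberos": 88, "_kpasswd": 464, "_gc": 3268}

SRV_RE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+'
    r'(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$'
)


def parse_srv(line):
    """Parse one zone-file style SRV record (optional TTL and class) into its fields."""
    m = SRV_RE.match(line.strip())
    if m is None:
        raise ValueError("not an SRV record: %r" % line)
    rec = m.groupdict()
    for key in ("priority", "weight", "port"):
        rec[key] = int(rec[key])
    rec["owner"] = rec["owner"].rstrip(".")
    rec["target"] = rec["target"].rstrip(".")
    return rec


def decode_owner(owner, domain):
    """Split an AD SRV owner name under `domain` into the labels the table describes."""
    suffix = "." + domain
    if not owner.endswith(suffix):
        raise ValueError("%s is not under %s" % (owner, domain))
    labels = owner[: -len(suffix)].split(".")
    info = {
        "labels": labels,
        "service": labels[0],
        "protocol": labels[1],
        "on_dc": "dc" in labels[2:] and "_msdcs" in labels[2:],
        "site": None,
        "meanings": [LABEL_MEANINGS.get(label, "unknown label") for label in labels],
    }
    # Site-specific form: the site name precedes _sites (AD convention, assumed here).
    if "_sites" in labels:
        info["site"] = labels[labels.index("_sites") - 1]
    return info


def audit_srv(line, domain):
    """Findings worth a look: labels outside the table and services on unexpected ports."""
    rec = parse_srv(line)
    info = decode_owner(rec["owner"], domain)
    findings = []
    for label, meaning in zip(info["labels"], info["meanings"]):
        if meaning == "unknown label" and label != info["site"]:
            findings.append("unknown label %s" % label)
    expected = EXPECTED_PORTS.get(info["service"])
    if expected is not None and rec["port"] != expected:
        findings.append("%s advertised on port %d, expected %d"
                        % (info["service"], rec["port"], expected))
    return findings


if __name__ == "__main__":
    line = "_ldap._tcp.dc._msdcs.bluecatnetworks.com SRV 0 0 389 server1.bluecatnetworks.com"
    print(decode_owner(parse_srv(line)["owner"], "bluecatnetworks.com"))
```

Because AD clients locate their domain controllers purely through these records, a periodic audit of the _msdcs names in the zone (unexpected targets, ports or labels) is a cheap way to notice tampering with the DNS data that the next section's replication choices are meant to protect.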
Windows 2000 networks also allow clients to register their own Address (A) and Pointer (PTR) records with their DNS server. In most cases, organizations use DHCP servers that can perform the registration directly with the DNS server (this is a more secure method). However, if desired, clients can still register themselves directly with the DNS server by allowing those specific clients to make dynamic updates.
DNS Replication
There are two approaches to DNS record replication: Master-Slave and Master-Master.

Master-Slave. This is the recommended method for managing DNS. The current industry standard (outlined in RFC 1034 and RFC 1035) states that a secondary (slave) zone replicates its contents by zone transfer from a primary (master) zone on a given internal network. The Master-Slave architecture works on Windows, UNIX, and other operating systems. The following table lists the pros and cons of a Master-Slave replication system:

Master-Slave Replication System

Pros
    An industry standard method for maintaining zone data.
    The master always contains the most up-to-date information.
    A central repository for zone data.
    It does not require other services to replicate data.

Cons
    Changes must be made on the master server before they appear on the other servers.
    After the master is updated, a small delay exists before the update reaches the slaves (at most the zone's refresh interval, or less when NOTIFY is used).
    It requires a recent version of the BIND software to take advantage of update forwarding.
Master-Master. The recommended Microsoft architecture for AD specifies that the DNS servers should reside on the DCs, with the zone data stored in the directory and replicated by AD (LDAP) replication, eliminating the need to perform zone transfers. The following table lists the pros and cons of the Master-Master method of replication:

Master-Master Replication System

Pros
    A central repository for all zone data.
    Editing the DNS on one server replicates to all others.
    Saves bandwidth and processing power by using the existing LDAP replication to replicate DNS data.

Cons
    Microsoft-only implementation.
    Zone serial numbers can be inconsistent in SOA data across servers, so a standard slave cannot tell which copy is newest.
    Non-standard architecture, not favoured in heterogeneous environments.
    Relies on LDAP for replication, which may not be acceptable for external zone data.

Because Adonis uses the BIND 9.x name server software, its architectures are Master-Slave based.
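A practical way to observe the propagation delay and the serial-number problem from the two tables above is to compare the SOA serial that each server reports. The following Python code is an added example, not part of the Adonis manual: given the master's serial and the serials read from each slave, it uses the RFC 1982 serial arithmetic that BIND itself uses (the serial is a 32-bit counter that wraps) to report which slaves are still behind the master and which hold a serial the master never issued, a state a slave can never reconcile and which usually means the zone was edited on the wrong server. The server names and serials are constructed for the example; in practice you would collect them with dig +short SOA <zone> @<server> from each server.

```python
"""Compare SOA serials between a master and its slaves (RFC 1982 arithmetic).

Added example, not code from the Adonis manual. Serials, server names and the
master value below are constructed for illustration.
"""

MODULUS = 1 << 32   # SOA serial is an unsigned 32-bit counter
HALF = 1 << 31


def serial_lt(a, b):
    """RFC 1982: is serial a older than serial b, allowing for wrap-around?"""
    a %= MODULUS
    b %= MODULUS
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def serial_state(master, slave):
    """Return 'current', 'behind' or 'ahead' for one slave's serial."""
    if slave == master:
        return "current"
    return "behind" if serial_lt(slave, master) else "ahead"


def replication_report(master_serial, slave_serials):
    """Group slaves by state: {'current': [...], 'behind': [...], 'ahead': [...]}.

    'behind' slaves are waiting for a transfer (or have missed a NOTIFY);
    'ahead' slaves carry a serial the master never issued and will refuse
    every transfer until the master's serial is bumped past theirs."""
    groups = {"current": [], "behind": [], "ahead": []}
    for server, serial in slave_serials.items():
        groups[serial_state(master_serial, serial)].append(server)
    return {state: sorted(servers) for state, servers in groups.items()}


# Constructed sample: serials as they might be read from each server.
MASTER_SERIAL = 2008031205
SLAVE_SERIALS = {
    "ns2.bluecatnetworks.com": 2008031205,  # in sync with the master
    "ns3.bluecatnetworks.com": 2008031203,  # transfer still pending
    "ns4.bluecatnetworks.com": 2008031207,  # edited locally; master will never catch up
}

if __name__ == "__main__":
    for state, servers in replication_report(MASTER_SERIAL, SLAVE_SERIALS).items():
        print(f"{state:8s} {', '.join(servers) or '-'}")
```

A slave that stays in the "behind" group for longer than the zone's refresh interval, or any slave in the "ahead" group, is a replication fault worth investigating rather than the expected short delay.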
Active Directory DNS Records

SRV Records
_ldap._tcp.<DomainName>
    SRV record that identifies an LDAP server in the domain named by <DomainName>. The LDAP server is not necessarily a Domain Controller (DC). This record is registered by all DCs. For example:
    _ldap._tcp.bluecatnetworks.com

_ldap._tcp.<SiteName>._sites.<DomainName>
    Enables a client to find an LDAP server in the site named by <SiteName> within the domain named by <DomainName>. This record is registered by all DCs. For example:
    _ldap._tcp.richmondhill._sites.bluecatnetworks.com

_ldap._tcp.dc._msdcs.<DomainName>
    Used by clients to locate a DC in the domain named by <DomainName>. This record is registered by all DCs. For example:
    _ldap._tcp.dc._msdcs.bluecatnetworks.com

_ldap._tcp.<SiteName>._sites.dc._msdcs.<DomainName>
    Enables a client to locate a DC for the site and domain named by <SiteName> and <DomainName> respectively. For example:
    _ldap._tcp.richmondhill._sites.dc._msdcs.bluecatnetworks.com

_ldap._tcp.pdc._msdcs.<DomainName>
    Enables a client to locate the Primary Domain Controller (PDC) for the domain named by <DomainName>. This record is registered only by the PDC of the domain. For example:
    _ldap._tcp.pdc._msdcs.bluecatnetworks.com

_ldap._tcp.gc._msdcs.<ForestName>
    Enables a client to find a Global Catalog (GC) for the forest named by <ForestName>. This record lives under the forest root domain rather than under each child domain, and only DCs that host the GC register it. For example:
    _ldap._tcp.gc._msdcs.bluecatnetworks.com

_ldap._tcp.<SiteName>._sites.gc._msdcs.<ForestName>
    Enables a client to find a GC in the site named by <SiteName> for the forest named by <ForestName>. Only an LDAP server responsible for the GC registers this record. For example:
    _ldap._tcp.richmondhill._sites.gc._msdcs.bluecatnetworks.com

_gc._tcp.<ForestName>
    Enables a client to locate a GC for the forest named by <ForestName>. Only an LDAP server responsible for the GC registers this record. The LDAP server is not necessarily a DC. For example:
    _gc._tcp.bluecatnetworks.com

_gc._tcp.<SiteName>._sites.<ForestName>
    Enables a client to find a GC for the site and forest named by <SiteName> and <ForestName> respectively. Only an LDAP server responsible for the GC registers this record. For example:
    _gc._tcp.richmondhill._sites.bluecatnetworks.com

_ldap._tcp.<DomainGuid>.domains._msdcs.<ForestName>
    Used by clients to find a DC given the domain GUID <DomainGuid> in the forest named by <ForestName>. This lookup can be used to reach a DC after the domain name has changed. It is used infrequently and does not work if <ForestName> itself has been changed. For example:
    _ldap._tcp.01693484-b5c4-4b31-8608-80e77ccc78b8.domains._msdcs.bluecatnetworks.com

_kerberos._tcp.<DomainName>
    Enables a client to find a Kerberos Key Distribution Center (KDC) for the domain named by <DomainName>. This record is registered by all DCs providing the Kerberos service. The service is an RFC 1510 (Kerberos 5) KDC, and the server is not necessarily a DC. For example:
    _kerberos._tcp.bluecatnetworks.com

_kerberos._udp.<DomainName>
    Enables a client to find a Kerberos KDC for the domain named by <DomainName> over UDP. This record is registered by all DCs providing the Kerberos service. The service is an RFC 1510 (Kerberos 5) KDC, and the server is not necessarily a DC. For example:
    _kerberos._udp.bluecatnetworks.com

_kerberos._tcp.<SiteName>._sites.<DomainName>
    Enables a client to locate a server running the Kerberos KDC for the site and domain named by <SiteName> and <DomainName> respectively. The server is not necessarily a DC. For example:
    _kerberos._tcp.richmondhill._sites.bluecatnetworks.com

_kerberos._tcp.<SiteName>._sites.dc._msdcs.<DomainName>
    Used by clients to locate the DC running a Kerberos KDC for the site and domain named by <SiteName> and <DomainName> respectively. For example:
    _kerberos._tcp.richmondhill._sites.dc._msdcs.bluecatnetworks.com

_kpasswd._tcp.<DomainName>
    Enables a client to find a Kerberos Password Change Server for the domain named by <DomainName>. The server is not necessarily a DC. All DCs running the Kerberos KDC register this record. For example:
    _kpasswd._tcp.bluecatnetworks.com

_kpasswd._udp.<DomainName>
    Enables a client to find a Kerberos Password Change Server for the domain named by <DomainName> over UDP. The server is not necessarily a DC. All DCs running the Kerberos KDC register this record. For example:
    _kpasswd._udp.bluecatnetworks.com

A Records

<ServerName>.<DomainName>
    The host named by <ServerName> is registered in the domain named by <DomainName>. The SRV and CNAME records above refer to this name, so a client follows their referral to this A record; a service record whose target has no A record is useless to clients. For example:
    dc1.bluecatnetworks.com

gc._msdcs.<ForestName>
    Enables a client to find a GC for the forest named by <ForestName>. This record is the referral target of the GC SRV records. For example:
    gc._msdcs.bluecatnetworks.com

CNAME Records

<DSAGuid>._msdcs.<ForestName>
    Enables a client to locate any DC in the forest named by <ForestName> by the GUID of its directory service agent (DSA) object; the alias points at the DC's host name. For example:
    01693484-b5c4-4b31-8608-80e77ccc78b8._msdcs.bluecatnetworks.com
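The templates above can be expanded mechanically, which is a useful check after a DC has been added to a zone that Adonis serves: every name the DC should have registered must exist and must point at that DC. The following Python code is an added example and is not part of the Adonis manual. expected_records builds the full set of names for one DC from the templates (the PDC-only and GC-only records are included only when the corresponding flags are set; the forest root is used for the GC, domain-GUID and DSA-GUID names), and missing_for_dc compares that set against zone text, counting an SRV or CNAME as present only if one of its targets is the DC's own host name, since another DC's registration does not serve this one. The host name, site, GUIDs and zone contents are constructed for the example.

```python
"""Expand the AD record templates for one DC and check a zone for them.

Added example, not code from the Adonis manual. The DC description, GUIDs
and the sample zone below are constructed for illustration.
"""
import re

RR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.*)$", re.I)


def expected_records(domain, forest, site, host, dsa_guid, domain_guid,
                     is_pdc=False, is_gc=False):
    """Return {(name, type): target} for every record this DC must register.

    target is the DC's host name for SRV and CNAME records (the record must
    point at this DC) and None for A records (presence is enough)."""
    fqdn = f"{host}.{domain}"
    srv = [
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.{site}._sites.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_ldap._tcp.{domain_guid}.domains._msdcs.{forest}",
        f"_kerberos._tcp.{domain}",
        f"_kerberos._udp.{domain}",
        f"_kerberos._tcp.{site}._sites.{domain}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_kpasswd._udp.{domain}",
    ]
    if is_pdc:                       # registered only by the PDC of the domain
        srv.append(f"_ldap._tcp.pdc._msdcs.{domain}")
    if is_gc:                        # registered only by DCs that host the GC
        srv += [
            f"_ldap._tcp.gc._msdcs.{forest}",
            f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}",
            f"_gc._tcp.{forest}",
            f"_gc._tcp.{site}._sites.{forest}",
        ]
    expected = {(name, "SRV"): fqdn for name in srv}
    expected[(fqdn, "A")] = None
    if is_gc:
        expected[(f"gc._msdcs.{forest}", "A")] = None
    expected[(f"{dsa_guid}._msdcs.{forest}", "CNAME")] = fqdn
    return {(n.lower(), t): v for (n, t), v in expected.items()}


def parse_zone(zone_text):
    """Return {(owner, type): set of last rdata field} for each record line.

    The last rdata field is the target for SRV/CNAME and the address for A,
    which is all this check needs; comments and directives are skipped."""
    records = {}
    for line in zone_text.splitlines():
        m = RR_LINE.match(line.split(";")[0].strip())
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        key = (owner.rstrip(".").lower(), rtype.upper())
        records.setdefault(key, set()).add(rdata.split()[-1].rstrip(".").lower())
    return records


def missing_for_dc(expected, zone_text):
    """Sorted 'name TYPE' entries the zone lacks or that do not point at this DC."""
    zone = parse_zone(zone_text)
    missing = []
    for (name, rtype), target in expected.items():
        present = zone.get((name, rtype), set())
        if not present or (target is not None and target.lower() not in present):
            missing.append(f"{name} {rtype}")
    return sorted(missing)


# Constructed description of one DC (not PDC, not GC); forest root = domain.
DC1 = dict(domain="bluecatnetworks.com", forest="bluecatnetworks.com",
           site="richmondhill", host="dc1",
           dsa_guid="9f8e7d6c-5b4a-4321-8765-0fedcba98765",
           domain_guid="5d4e9c2a-1b3f-4c6d-8e7f-0a1b2c3d4e5f")

# Constructed zone: _kpasswd._udp is absent and _kerberos._udp points at dc2 only.
SAMPLE_ZONE = """\
_ldap._tcp.bluecatnetworks.com. IN SRV 0 100 389 dc1.bluecatnetworks.com.
_ldap._tcp.richmondhill._sites.bluecatnetworks.com. IN SRV 0 100 389 dc1.bluecatnetworks.com.
_ldap._tcp.dc._msdcs.bluecatnetworks.com. IN SRV 0 100 389 dc1.bluecatnetworks.com.
_ldap._tcp.richmondhill._sites.dc._msdcs.bluecatnetworks.com. IN SRV 0 100 389 dc1.bluecatnetworks.com.
_ldap._tcp.5d4e9c2a-1b3f-4c6d-8e7f-0a1b2c3d4e5f.domains._msdcs.bluecatnetworks.com. IN SRV 0 100 389 dc1.bluecatnetworks.com.
_kerberos._tcp.bluecatnetworks.com. IN SRV 0 100 88 dc1.bluecatnetworks.com.
_kerberos._udp.bluecatnetworks.com. IN SRV 0 100 88 dc2.bluecatnetworks.com.
_kerberos._tcp.richmondhill._sites.bluecatnetworks.com. IN SRV 0 100 88 dc1.bluecatnetworks.com.
_kerberos._tcp.richmondhill._sites.dc._msdcs.bluecatnetworks.com. IN SRV 0 100 88 dc1.bluecatnetworks.com.
_kpasswd._tcp.bluecatnetworks.com. IN SRV 0 100 464 dc1.bluecatnetworks.com.
dc1.bluecatnetworks.com. IN A 192.0.2.10
9f8e7d6c-5b4a-4321-8765-0fedcba98765._msdcs.bluecatnetworks.com. IN CNAME dc1.bluecatnetworks.com.
"""

if __name__ == "__main__":
    for entry in missing_for_dc(expected_records(**DC1), SAMPLE_ZONE):
        print("missing or not pointing at dc1:", entry)
```

Feed the script the zone text exported from Adonis for the domain and the _msdcs names, once per DC, and the output is the list of registrations that DC still has to make before clients in its site can locate it for every service.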
Appendix A
The process includes four stages:
1 enabling SSH communication between Adonis and Mirage
2 configuring AMA
3 configuring Mirage
4 controlling the AMA daemon
This procedure creates two new files in the working directory: identity.ppk (the private key) and identity.ppk.pub (the public key). Protect identity.ppk as you would a password; anyone who can read it can open the same SSH session to Mirage that AMA uses.
The following values are required when you configure AMA:

Field               Description
External Authority  The external authority name that Mirage uses for the adapter; the steps below use DHCPServer_Adapter.
SSH Cmd User        AMA uses Secure Shell (SSH) to communicate with Mirage. This is the user name for SSH.
SSH Cmd Password    This is the password for SSH.
Quarantine zone     The name that defines a quarantine zone when you configure Mirage. You can create multiple zones.
2 Scroll through the Action list, select the Start Adonis Mirage Adapter option, and then click Execute. The Mirage Adapter Data dialog box appears.
3 Type the Default Zone name.
4 Type DHCPServer_Adapter for the External Authority.
5 Type the SSH Cmd User name and SSH Cmd Password.
6 To create a quarantine zone, right-click in the white area, and then click New. The New Quarantine Zone dialog box appears.
7 Type the name of the zone, and then click OK.
8 Click OK.
The next stage is to configure Mirage to send notifications.
Configuring Mirage
To configure Mirage you must use the Mirage Operations Console. This process involves creating an external authority, creating a profile group and profiles, and configuring three zones.
These instructions are provided for convenience only. For more information about configuring Mirage, consult the official Mirage documentation, or visit the Mirage Networks website at http://www.miragenetworks.com.
2 Type DHCPServer_Authentication_Passed as the profile name.
3 Type a description of the profile.
4 Click Finish.
5 Add the following Include Condition to the profile:
    enable Device session Authenticated (dhcpserver_adapter) is TRUE.
Configuring Zones
The final stage is to configure the following zones, which Mirage creates by default. The following table shows you how to configure them:

Unknown Devices
    Description: Initial zone to which all IPs are sent on entering the network. Because both dynamic and static IPs are sent to this zone, it is recommended that this zone have full access to the network. If a static IP enters the network, it sits in this zone for a short time before it is sent to the Quarantined Zone; during that window the host has whatever access this zone grants.
    Profile: Include: Unknown Devices

Authenticated hosts
    Description: Zone to which all authenticated hosts are sent.

Quarantined Zone
    Description: Zone to which all non-authenticated hosts are sent.
    Profile: Exclude: DHCPServer_Authentication_Passed
For more information about configuring zones, refer to the Mirage documentation.
2 Type !/usr/local/bluecat/ama parameter, where parameter is one of the following:

Parameter            Description
-f syslog facility   AMA uses the system log. You can specify a syslog facility instead of the default (daemon). The valid facilities are local0, local1, local2, local3, local4, local5, local6 and local7.
-p syslog priority   You can specify a system log priority. The valid priorities, from highest to lowest, are emerg, alert, crit, err, warning, notice, info and debug. AMA logs messages with a priority greater than or equal to the setting. The default priority is notice.
-t                   Normally, AMA runs as a daemon. The trace switch makes it run as a normal foreground process and write its log output to the console.
-v                   Show AMA's version.
-h                   Show AMA's usage.
Index

A
A records ... 101
AAAA records ... 101, 151
access control ... 25
    configuring ... 23
Access Control Lists
    definitions for importing ... 228
    managing ... 146
Active Directory
    A records ... 237
    CNAME records ... 237
    creating DNS architecture ... 77
    DNS overview ... 231
    DNS Records ... 235
    DNS replication ... 234
    domain controllers ... 80, 231
    Dynamic DNS (DDNS) ... 128
    Dynamic Domain Controller registration ... 232
    integration ... 231-235
    integration with Adonis ... 130
    Primary Domain Controller ... 110
    record naming conventions ... 232
    SRV records ... 236
    synchronization ... 131
    Wizard ... 130, 233
Administration Console ... 15
    command history ... 18
    command server ... 51
    configuration mode ... 16
    configuring Anycast ... 50
    DHCP service control ... 195
    Help ... 16
    logs ... 57, 58
    MAC authentication ... 195
    main mode ... 16
    reboot ... 42
    restart BIND ... 98
    server controls ... 42
    service control ... 51
    setting the time ... 44
    shutdown ... 42
    start BIND ... 98
    stop BIND ... 98
    TFTP service control ... 196
    time zone ... 45
administration password ... 41
Adonis
    Administration Console ... 15
    authenticator management ... 38
    caching server ... 76
    controlling from Proteus ... 13
    deployment overview ... 12
    Detect Server Appliance Type ... 55
    Disable Query Logging ... 55
    DNS implementation ... 97
    Enable Query Logging ... 55
    Extraction Tool ... 98
    failover ... 210
    hostname ... 44
    IPv6 support ... 12
    LCD ... 42
    Management Console ... 19
    manual updates ... 69
    Mirage Adapter (AMA) ... 239
    organization ... 11
    ping node ... 202
    ports ... 210
    project files, overview ... 12
    proxy settings ... 37
    reboot ... 42
    resetting from Proteus control ... 41
    setting the time ... 44
    shutdown ... 42
    supported DNS RFCs ... 98
    traps ... 64
    updating ... 36
    using external authenticators ... 29
Agent ID ... 197
allow query ... 148
AMA
    configuring ... 240
    MAC authentication ... 239
Anycast ... 50
authenticators ... 192
    external ... 29
    Kerberos ... 30
    LDAP ... 32
    management ... 38
    Radius ... 31
authoritative DNS
    delegation ... 104
    servers ... 107
auto generate, BIND $GENERATE statement ... 98
auto-generation
    resource records ... 118
automatic serial number generation ... 98
auto-negotiated settings ... 44

B
BIND ... 210
    DNS service control ... 98
    matching order ... 144
    restarting ... 98
    start ... 53
    stop ... 53
    views feature ... 97, 144
blackhole query ... 148

C
cache size ... 109
cache zone ... 108
cert.ks files ... 40
certificate keystore ... 40
certificates
    deleting ... 39
    managing ... 38-41
CIDR ... 195
Circuit ID ... 197
Classless Inter-Domain Routing ... 195
CNAME records ... 101
command history, viewing ... 18
configuration mode
    Help ... 17
configurations
    deploying ... 92
    front-end master ... 75
    front-end slaves ... 75
    hidden master ... 75
    master-only ... 74
    migration ... 98
    reviewing changes ... 18
    saving ... 18
    settings ... 16
crossover high availability, see XHA

D
data checker ... 132, 135
    settings ... 91
    severity level ... 91
Data Navigator ... 22
DDI ... 102
DDNS
    configuring ... 130
    DHCP service options ... 129
    DNS options ... 129
    IP address ... 128
    transaction signatures ... 140
default gateway ... 165
delegation ... 104
delegation-only zone ... 97, 110
deploy project file ... 92
deployment password ... 41
Deployment Wizard ... 92
DHCP
    adding MAC authentication ... 190
    address binding states ... 212
    classes ... 175
    common objects ... 159
    communication-interrupted state ... 212
    configuring ... 81
    custom client configurations ... 175
    custom options ... 181
    DDNS service options ... 129
    declarations ... 158
    DHCP lease viewer ... 156
    DHCPv6 interface scope ... 198
    DHCPv6 network scope ... 198
    DHCPv6 service, creating ... 198
    Duplicate Address Detection (DAD) ... 198
    failover ... 197, 210
    failover on a pool ... 219
    failover pool settings ... 220
    failover, setting up ... 218
    files, dhcpd.conf ... 156
    files, subnet.csv ... 156
    files, dhcpd.leases ... 156
    groups ... 159
    hosts, declaring ... 162
    interface scope, DHCPv6 ... 198
    IP layer parameters ... 165
    IPv6 multicast groups ... 198
    IPv6 service control ... 195
    IPv6, stateless autoconfiguration ... 197
    lease viewer ... 196
    MAC authentication ... 188
    master server, defining ... 78
    multicast groups, IPv6 ... 198
    Neighbour Solicitation message ... 198
    network scope, DHCPv6 ... 198
    Network Time Protocol ... 210
    normal state ... 212
    option codes ... 165
    overview ... 11, 155
    partner-down state ... 213
    permit lists ... 161
    potential-conflict state ... 213
    preferred address ... 198
    recovery state ... 213
    recovery-wait state ... 213
    relay agents ... 157
    Router Advertisement message ... 198
    Router Solicitation message ... 198
    scope ... 158
    scope splitting ... 197, 210
    server states ... 212
    service scope, DHCPv6 ... 198
    shared networks ... 160, 161
    start ... 54
    state, communication-interrupted ... 212
    state, normal ... 212
    state, partner-down ... 213
    state, potential-conflict ... 213
    state, recovery ... 213
    state, recovery-wait ... 213
    stateless IPv6 autoconfiguration ... 197
    stop ... 54
    subclass ... 177
    subnet mask ... 165
    subnets ... 159
    tentative address ... 198
    transaction signatures ... 140
    vendor profiles ... 178
    zone ... 183
DHCPv6
    introduction ... 197
    service scope ... 198
    service, configuring ... 199
disable zones ... 97
disaster recovery ... 201
DNAME records ... 102
DNS
    Active Directory records ... 235
    Adonis implementation ... 97
    authoritative servers ... 104, 107
    available options ... 100
    BIND views ... 97
    blackhole ... 148
    cache cleaning interval ... 109
    cache size ... 109
    caching options ... 108
    caching servers ... 76
    DDNS options ... 129
    DDNS overview ... 128
    delegation ... 104
    DNS service level ... 100
    external ... 104
    initial service ... 73
    internal ... 104
    IPv6 ... 151
    MAC authentication ... 194
    migrating configurations ... 98
    network architecture, selecting ... 73
    overview ... 11
    queries ... 148
    record types ... 102
    records, Active Directory ... 235
    recursive ... 108
    redundant configuration ... 75
    replication under Active Directory ... 234
    reverse DNS ... 123, 183
    service options ... 100
    SOA, defining ... 113
    sort list ... 109
    supported RFCs ... 98
    transaction signatures ... 140
    transaction signatures for remote slave ... 140
    TTL upper limit ... 109
    VoIP functionality ... 124
    zone ... 183
    zone options ... 112
    zone refresh ... 111
    zone, deleting ... 112
    zone, disabling ... 112
    zone, enabling ... 112
    zone, renaming ... 111
DNS Fixup Wizard ... 132
domain controllers ... 236
    finding nearest ... 231
    identifying ... 80
    registration ... 232
domain name ... 136, 236
duplex setting ... 43, 44, 202
Duplicate Address Detection ... 198
Dynamic DDNS, see DDNS

E
e.164 zones ... 124
enable zones ... 97
ENUM
    prefixes ... 124
    used for VoIP ... 124
    zones ... 124
eth0 adapter ... 202
external authenticators ... 29
external configurations, importing ... 223
external DNS ... 104

F
failover ... 197
    manual ... 208
    monitoring ... 213
    pool settings ... 220
    setting up ... 218
    states ... 212
Failover Monitor ... 213, 214
file locations, modifying ... 88
files
    cert.ks ... 40
    dhcpd ... 195
    dhcpd.conf ... 229
    fomon.sh ... 214
    named.conf ... 228
firewall
    disabling ... 51
    enabling ... 51
    ports and settings ... 51
    status ... 51
flags
    NAPTR records ... 125
FOMON, see Failover Monitor
forward master zone ... 105
forwarding zone ... 109
front panel LCD ... 42
full duplex ... 202

G
gateway ... 43, 48, 49, 165
    address setting ... 43
global catalog ... 236
global options ... 100
groups ... 159

H
heartbeat ... 51, 201
Help
    Administration Console ... 16
    configuration mode ... 17
    main mode ... 16
High Availability Wizard ... 201
HINFO records ... 102
hostname ... 44

I
Import Wizard ... 224
importing named.conf files ... 228
in-addr.arpa zones ... 124
incremental resource records ... 119
Information Sheet
    unique password ... 15
inheritance, options ... 100
interface scope, DHCPv6 ... 198
internal DNS ... 104
IP address
    DDNS ... 128
    setting ... 43
IPAM appliance ... 13
IPv6
    AAAA records ... 151
    address, creating ... 151
    creating reverse lookup address ... 152
    DHCPv6 service, configuring ... 199
    DHCPv6 service, creating ... 198
    DNS ... 151
    mixed IPv4/IPv6 environments ... 153
    Neighbour Discovery ... 198
    NS records ... 153
    prefixes ... 197
    reverse lookup ... 152
    stateless autoconfiguration ... 197
IPv6 support ... 12
ISDN record ... 102

K
Kerberos
    Key Distribution Centre ... 30, 236, 237
    password change server ... 237
Kerberos authenticator ... 30, 236
keystore ... 40
    default location ... 38

L
LCD
    disable ... 42
    enable ... 42
LDAP authenticator ... 32, 130, 236
Lease Viewer ... 196
level, setting DNS options ... 100
live data check ... 135
Live Zone Import Wizard ... 225
load balance ... 212
logging queries ... 149
logs
    redirecting ... 57
    system ... 56
    viewing ... 58
logs files
    check in/out ... 87

M
MAC Address Filtering ... 184
MAC authentication ... 192, 193, 194
    adding to DHCP ... 190
    AMA ... 239
    dynamic instead of static ... 188
    menu ... 195
    overview ... 156
    pools ... 193
MAD Servers ... 192
Mail Exchanger (MX) record ... 101
main mode
    Help ... 16
Management Console ... 19
    accessing ... 19
    configurations ... 98
    creating transaction signatures ... 140
    default options ... 35
    detail pane ... 21
    Detect Server Appliance Type ... 55
    DNS service options ... 100
    migration ... 98
    navigating ... 20
    new groups, adding ... 26
    new users, adding ... 25
    resource records, disabling ... 98
    resource records, enabling ... 98
    root delegation only ... 98
    search and replace ... 23
    server controls ... 54
    toolbar ... 20
    tree-view pane ... 21
    user management ... 25
    version ... 65
    Whois lookup tool ... 136
    zone template ... 115
manual failover ... 208
manual updates ... 69
master zone ... 105
    start of authority ... 114
master-only architecture ... 74
Mirage
    configuring ... 242
    Post-Admission NAC Appliance ... 239
    zones ... 243
multicast groups, DHCPv6 ... 198

N
NAC, see Network Access Control
Name Server (NS) records ... 101
Naming Authority (NAPTR) record ... 102
naming conventions
    Active Directory ... 232
NAPTR records
    flags ... 125
Network Access Control ... 184
network interface
    settings ... 43
network scope, DHCPv6 ... 198
Network Time Protocol ... 44, 46, 210
New Project Wizard ... 71
New View Wizard ... 145
New Zone Wizard ... 104
NTP ... 46, 210

O
Object Management API, see OMAPI
objects
    replace ... 22
    search ... 22
OMAPI
    DHCP potential conflict state ... 213
    DHCP server configurations ... 155
    overview ... 196
    port ... 173
option codes ... 165
options
    inheritance ... 100
    levels ... 100
    precedence of setting ... 100
OSPF ... 50

P
password
    administration ... 41
    deployment ... 41
    Information Sheet ... 15
    Kerberos ... 237
peer server ... 210
permit lists ... 161
ping node ... 202
Pointer (PTR) record ... 102
pools ... 161
ports
    Adonis, encrypted control ... 12
    for MAC authentication ... 188
    OMAPI ... 173, 196
    proxy settings ... 38
    TCP ... 33
Primary Domain Controller ... 110
product updates ... 36
profile group ... 242
project files
    add server ... 89
    check in/check out ... 85
    correcting ... 90
    creating ... 71
    data check ... 91, 132
    deploying ... 92
    importing ... 96
    saving on the workstation ... 84
    storing on the appliance ... 84
Proteus control of Adonis ... 41
proxy settings ... 37

R
Radius authenticator ... 31
reboot, start services ... 53
records
    A ... 101
    A6 ... 151
    AAAA ... 101, 151
    alias (CNAME) ... 101
    DNAME ... 102
    DNS ... 102
    HINFO ... 102
    ISDN ... 102
    Mail Exchanger (MX) ... 101
    Name Server (NS) ... 101
    Naming Authority (NAPTR) ... 102
    Pointer (PTR) ... 102
    quad-A ... 101, 151
    RP ... 102
    RT ... 102
    Service (SRV) ... 101, 236
    Text (TXT) ... 102
    TSIG ... 140
recursive clients ... 148
recursive DNS ... 108
recursive queries ... 97, 108
regular expressions
    dynamic delegation discovery ... 125
resource records
    adding ... 118
    auto-generation ... 118
    deleting ... 121
    disabling ... 98, 121
    editing ... 121
    enabling ... 98, 121
    fields ... 103
    generating incrementally ... 119
    managing ... 117
    serial number generation ... 98
    SOA ... 98
reverse DNS ... 123, 183
reverse lookup
152 reverse master zone ............................. 105 reviewing configuration changes ............... 18
Q
quad-A records .............................101, 151 queries cache zone ...................................108 DNS service options .........................148 logging ......................................... 55 recursive ................................. 97, 108 query logging disable ......................................... 55 enable.......................................... 55 message category ...........................150 severity level.................................149 query logs adding a channel ............................149 configuring ...................................149 deleting a channel ..........................151 viewing........................................149
Version 5.5
251
Index RFCs, Adonis compliance................... 98, 165 root delegation only .............................. 98 Router Advertisement message ................198 Router Solicitation message ....................198 routing table adding routes ................................. 49 deleting routes ............................... 49 flags ............................................ 49 gateway ........................................ 49 genmask ....................................... 49 overview ....................................... 48 RP records .........................................102 RT records .........................................102 master zone.................................. 114 zone serial numbers ........................ 235 software updates..............................36, 69 speed setting ..................................43, 44 split setting ....................................... 212 ssh ............................................. 53, 240 disable ......................................... 53 enable.......................................... 53 Start of Authority, see SOA startup services ................................... 53 stateless IPv6 autoconfiguration............... 197 statistics configuration ................................. 98 stub zone .......................................... 110 Subnet Delegation Wizard ...................... 126 subnet mask ...................................... 165 subnet mask setting .............................. 43 subnets ............................................ 159 system logs......................................... 56
S
saving configuration settings .................... 18 scope splitting ..............................197, 210 search and replace................................ 23 search objects ..................................... 22 secure option appliance.......................... 15 server states ......................................212 server version ...................................... 99 servers managing .....................................104 master.................................... 75, 105 slave ................................. 75, 79, 105 zone transfer options ................. 116117 Service (SRV) record .......................101, 236 service scope, DHCPv6 ..........................198 services, start on reboot ......................... 53 setting DNS service options .....................100 setting IP address ................................. 43 shared secret .....................................140 single name server ................................ 74 slave zone .........................................106 SNMP configuring .................................... 59 polled objects................................. 62 SOA defining .......................................113 defining for a zone ..........................113
T
TCP ........................................... 148, 210 clients......................................... 148 port............................................. 33 templates, zone .................................. 115 Text (TXT) record ................................ 102 TFTP restart ........................................ 196 service ........................................ 182 service control............................... 196 start ...................................... 54, 196 stop....................................... 54, 196 time zone, setting ................................ 45 transaction signatures overriding default........................... 144 remote DDNS................................. 143 remote master DNS ......................... 143 remote slave DNS ........................... 140 shared secret ................................ 140 usage .......................................... 140
252
Version 5.5
Index transfer key, generating ........................141 trap server ......................................... 59 troubleshooting.................................... 56 TSIG resource record ............................140 TSIG, see transaction signatures Update ......................................... 65
X
XHA.................................................. 51 BIND views ................................... 210 cluster, breaking ............................ 208 cluster, creating ............................ 202 cluster, diagnosing.......................... 204 cluster, repairing............................ 205 cluster, updating ............................ 209 heartbeat..................................... 201 NTP synchronisation ......................... 46 overview...................................... 201 prerequisites ................................. 202 recommended topologies .................. 215 setup procedures.......................202204
U
Update Wizard ..................................... 65 updating software................................. 36 updating the product ............................. 69 user management ................................. 23
V
vendor profiles ...................................178 version client version ................................. 65 version 2 Secure Socket Shell ................... 53 viewing logs ................................... 56, 58 viewing the routing table ........................ 48 VoIP.................................................124 ENUM zones ..................................124 vendor profiles...............................178
Z
Zebra................................................ 50 zones adding......................................... 104 cache.......................................... 108 DDNS .......................................... 183 delegation-only......................... 97, 110 deleting....................................... 112 disabling ................................. 97, 112 e.164 .......................................... 124 enabling ................................. 97, 112 ENUM .......................................... 124 forward master .............................. 105 forwarding.................................... 109 in-addr.arpa ................................. 124 managing ..................................... 104 master ........................................ 105 Mirage......................................... 243 refresh ........................................ 111 renaming ..................................... 111 resource records ............................ 118 reverse master .............................. 105 setting options............................... 112 slave, adding................................. 106 slave, update forwarding .................. 129 start of authority............................ 114 Start of Authority (SOA).................... 113 stub............................................ 110
W
Whois lookup tool ................................136 Windows 2000 DHCP dump file.................230 Windows Active Directory, see Active Directory Windows Server...................................130 Wizard Active Directory .......................130, 233 Deployment ................................... 92 DNS Fixup .....................................132 High Availability .............................201 Import .........................................224 Live Zone Import ............................225 Management Console Install ................ 68 New Project ................................... 71 New View .....................................145 New Zone .....................................104 Subnet Delegation...........................126
Version 5.5
253
Index templates.....................................115
254
Version 5.5
For safe operating procedures, ensure compliance with the guidelines below.
CAUTION
Do not remove the cover from the appliance. The cover is to be removed only by qualified personnel. There are no serviceable parts provided inside.
CAUTION
Electrostatic Discharge (ESD) precautions are required before handling the appliance. Wear a wrist strap with an appropriate ground connection.
CAUTION
To prevent the unit from overheating, never install the appliance in an enclosed rack or room that is not properly ventilated or cooled. For proper air flow, keep the front and back sides of the appliance clear of obstructions and away from the exhaust of other equipment.
CAUTION
There is danger of an explosion if the battery is replaced incorrectly. Replace only with the same or equivalent type recommended by the appliance manufacturer. Contact technical support if you need to replace a battery.
CAUTION
Before servicing, power off the appliance by using the rear panel switch. If the appliance does not have an On/Off switch, then unplug the power cord.
CAUTION
Failure to properly ground the appliance, either by circumventing the 3-wire grounding-type plug or by using a power outlet that is improperly grounded, can create a potentially hazardous electrical situation.
FCC Notice
This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions:
1. This device may not cause harmful interference, and
2. This device must accept any interference received, including interference that may cause undesired operation.
No Telecommunications Network Voltage (TNV)-connected PCBs shall be installed.
Warning
This is a Class A product. In a domestic environment, the product may cause radio interference in which case the user may be required to take adequate measures.
© 2008. All rights reserved.
BlueCat Networks (USA), Inc.
www.bluecatnetworks.com
Toll Free: 1.866.895.6931
Document #: AG_5.5
Published in Canada