BIND and DHCP – More of an adventure than it should be.

Running DNS and DHCP together should be easy.

It is in Windows, for instance. One would load the services, preferably on a domain controller, and everything works together. DHCP registers its leases in DNS. DNS provides what DHCP needs. All nice and neat. One doesn't even have to tell either service that the other exists; they figure it out.

Not so much on Linux. First off, they are completely separate services (BIND for DNS, ISC dhcpd for DHCP). I don't have a problem with that. The problem comes when trying to get them to work together, so that DHCP can update DNS with its lease information. There is a TSIG key to be shared between the two daemons, zone journal files (.jnl) that named must be able to write, plus SELinux and ordinary file-permission issues.

Once it works, it’s just fine. But getting it there can be interesting.

For instance, the named service entry in init.d reverses out a very important SELinux boolean. I set the variable by hand with setsebool -P named_write_master_zones 1, which allows named to write DNS entries in a master zone. That's pretty important to be able to do. Then I go to start named and the messages log tells me that named_write_master_zones was set to 0 by root! Huh? What's up with that? For some reason, the init.d entry always toggles the value. So I edited the init.d entry so that it always sets it to 1. This could cause other problems down the road if I ever turn this server into the secondary DNS server. I'll burn that bridge when I come to it.

There goes an hour of my life I’m not getting back.
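Here is what the finished wiring looks like once the adventure is over. This is an added example, not code from the original post: a script that writes the three things that have to agree (one TSIG key, the named zone stanzas that trust it, the dhcpd stanzas that use it) and then does the permission and SELinux chores. Zone names, addresses, paths, daemon user names and the SELinux handling are my assumptions for a CentOS/RHEL-style layout; run it under a temp prefix first and only with PREFIX=/ on the real box.

```shell
#!/bin/sh
# Added example (not the page's own code): the pieces that must agree for ISC dhcpd
# to update BIND over a shared TSIG key. Zone names, addresses, paths, user names
# and the SELinux handling are illustrative assumptions for a CentOS/RHEL layout.
set -eu

PREFIX="${PREFIX:-$(mktemp -d)}"   # dry-run under a temp dir; PREFIX=/ on the server
ZONE=example.internal
REV_ZONE=1.168.192.in-addr.arpa
KEY_NAME=dhcp_updater
NAMED_USER=named
DHCPD_USER=dhcpd
DYN_DIR=/var/named/dynamic         # where named may write zone files and their .jnl journals

# 1. One secret for both daemons (hmac-sha256 needs BIND 9.5+ and dhcpd 4.1+;
#    older packages only know hmac-md5).
make_secret() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

write_key_files() {                # $1 = base64 secret
    mkdir -p "$PREFIX/etc/named" "$PREFIX/etc/dhcp"
    cat > "$PREFIX/etc/named/$KEY_NAME.key" <<EOF
key "$KEY_NAME" {
    algorithm hmac-sha256;
    secret "$1";
};
EOF
    # dhcpd's key stanza has the same shape, so it can include a copy of the same file
    cp "$PREFIX/etc/named/$KEY_NAME.key" "$PREFIX/etc/dhcp/$KEY_NAME.key"
}

# 2. named: include the key and let only that key update the two zones.
#    "file" is relative to options { directory "/var/named"; }.
write_named_fragment() {
    cat > "$PREFIX/etc/named.conf.ddns" <<EOF
include "/etc/named/$KEY_NAME.key";

zone "$ZONE" IN {
    type master;
    file "dynamic/$ZONE.zone";
    allow-update { key "$KEY_NAME"; };
};

zone "$REV_ZONE" IN {
    type master;
    file "dynamic/$REV_ZONE.zone";
    allow-update { key "$KEY_NAME"; };
};
EOF
}

# 3. dhcpd: same key name, same zones; the server writes A and PTR records itself.
write_dhcpd_fragment() {
    cat > "$PREFIX/etc/dhcp/dhcpd.conf.ddns" <<EOF
ddns-update-style interim;
ddns-updates on;
ddns-domainname "$ZONE.";
ignore client-updates;
include "/etc/dhcp/$KEY_NAME.key";

zone $ZONE. {
    primary 127.0.0.1;
    key $KEY_NAME;
}

zone $REV_ZONE. {
    primary 127.0.0.1;
    key $KEY_NAME;
}
EOF
}

# 4. The part that eats the hour: the key readable only by its daemon, the dynamic
#    directory writable by named, and SELinux told that named may write zones.
apply_permissions() {
    chmod 640 "$PREFIX/etc/named/$KEY_NAME.key" "$PREFIX/etc/dhcp/$KEY_NAME.key"
    [ "$(id -u)" -eq 0 ] || return 0   # the rest needs root
    if id "$NAMED_USER" >/dev/null 2>&1; then
        chown root:"$NAMED_USER" "$PREFIX/etc/named/$KEY_NAME.key"
        mkdir -p "$PREFIX$DYN_DIR"
        chown "$NAMED_USER:$NAMED_USER" "$PREFIX$DYN_DIR"
    fi
    if id "$DHCPD_USER" >/dev/null 2>&1; then
        chown root:"$DHCPD_USER" "$PREFIX/etc/dhcp/$KEY_NAME.key"
    fi
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        # -P makes it survive reboots. RHEL/CentOS-era bind init scripts set this
        # boolean themselves from ENABLE_ZONE_WRITE in /etc/sysconfig/named (an
        # assumption about your package); check that before patching the init script.
        setsebool -P named_write_master_zones 1
    fi
}

SECRET=$(make_secret)
write_key_files "$SECRET"
write_named_fragment
write_dhcpd_fragment
apply_permissions
echo "wrote DDNS config under $PREFIX (one secret shared by named and dhcpd)"
```

The fragments are meant to be included from named.conf and dhcpd.conf rather than pasted, so the key file stays in one place with one owner. If the boolean keeps flipping back after a restart, look at what the init script reads before editing the script itself.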

FTP for Windows – FileZilla is the way to go.

Windows IIS comes with an FTP component. I wish it didn’t. Because it is there, one would be tempted to use it. Do not succumb to this temptation. Pain and misery will ensue.

First off, IIS FTP is painfully slow. You can actually feel it in your bones how slow it is if you have used anything else. Second, it is dangerous. Here is what I mean by that. IIS FTP uses real Windows accounts for authentication. It is possible to log in to FTP with the very same username and password you type at the logon screen of your domain-joined desktop or laptop, and plain FTP sends both across the wire in the clear.

This means that anyone who can reach the FTP port can use it to guess usernames and passwords that work all over YOUR network! Yikes. Even worse, the bad guys will go after your DOMAIN ADMINISTRATOR username and password. This is a search for the keys to the kingdom. It is possible to limit the exposure, but by default any user could at least be exposed as a valid username, even if that user can't log in to FTP.

There is hope here, in the form of FileZilla Server. It is fast, it uses its own list of users rather than the local computer's or the domain's, and you can set individual user directories with per-user rights. It's quite simple to set up and has a great Windows FTP client available. And it's free, but you can make a donation to the cause.
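If you are stuck with IIS FTP for a while, the one thing worth doing is watching its log for exactly the credential-guessing described above. The script below is an added example, not from the original post: it reads an IIS-style W3C FTP log and reports every client whose failed PASS commands (status 530) reach a threshold, together with how many different account names that client tried. The log lines are constructed, and the column layout (date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status) is what I assume from the #Fields header; check the header of your own log and adjust the field numbers.

```shell
#!/bin/sh
# Added example (not the page's own code): spotting a password-guessing run against
# IIS FTP in its W3C log. Sample lines are constructed; the field positions are an
# assumption taken from the #Fields header below.
set -eu
export LC_ALL=C

LOG="${LOG:-$(mktemp)}"
# Constructed sample: one client sweeps several domain names (530 = login failed,
# win32 status 1326 = bad username or password); another mistypes once, then logs in.
cat > "$LOG" <<'EOF'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2009-03-01 02:14:01 203.0.113.9 - [1]USER administrator 331 0
2009-03-01 02:14:01 203.0.113.9 administrator [1]PASS - 530 1326
2009-03-01 02:14:02 203.0.113.9 - [1]USER administrator 331 0
2009-03-01 02:14:02 203.0.113.9 administrator [1]PASS - 530 1326
2009-03-01 02:14:03 203.0.113.9 - [1]USER jsmith 331 0
2009-03-01 02:14:03 203.0.113.9 jsmith [1]PASS - 530 1326
2009-03-01 02:14:04 203.0.113.9 - [1]USER backup 331 0
2009-03-01 02:14:04 203.0.113.9 backup [1]PASS - 530 1326
2009-03-01 02:14:05 203.0.113.9 - [1]USER svc_sql 331 0
2009-03-01 02:14:05 203.0.113.9 svc_sql [1]PASS - 530 1326
2009-03-01 09:30:10 192.0.2.44 - [2]USER ftpuser 331 0
2009-03-01 09:30:10 192.0.2.44 ftpuser [2]PASS - 530 1326
2009-03-01 09:30:25 192.0.2.44 - [3]USER ftpuser 331 0
2009-03-01 09:30:25 192.0.2.44 ftpuser [3]PASS - 230 0
EOF

# Print "client-ip failed-logins distinct-usernames" for every client whose failed
# PASS commands reach the threshold. Many names from one client is a user-name
# sweep; many failures on one name is a password sweep. Either means someone is
# using your FTP port as an oracle for domain credentials.
ftp_bruteforce_report() {          # $1 = log file, $2 = failure threshold
    awk -v thr="$2" '
        /^#/ { next }                              # W3C header lines
        $5 ~ /PASS$/ && $7 == 530 {
            fail[$3]++
            if (!(($3, $4) in seen)) { seen[$3, $4] = 1; names[$3]++ }
        }
        END { for (ip in fail) if (fail[ip] >= thr) print ip, fail[ip], names[ip] }
    ' "$1" | sort
}

# The account names one client tried, to check against the real domain accounts.
ftp_names_tried() {                # $1 = log file, $2 = client ip
    awk -v ip="$2" '!/^#/ && $3 == ip && $5 ~ /PASS$/ && $7 == 530 { print $4 }' "$1" | sort -u
}

ftp_bruteforce_report "$LOG" 5
```

With the sample above the report names only 203.0.113.9, with 5 failures across 4 account names; the client that fumbled one password and then logged in stays below the threshold. The list of names tried is the part worth reading: every one that exists in the domain is a confirmation that the FTP port is doing the attacker's reconnaissance for them.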

vsftpd FTP server with MySQL Authentication

I like FTP servers. Everyone should have one or two. Don’t know why I like them so much. I just do. They make me feel all techie.

Given the choice, I will usually install vsftpd on a Linux box. Fast, secure and stable. One thing I don’t like to do is to create real Linux users just for those folks who are going to use FTP or HTTPS logins. It’s a pain and a security risk. I almost always use virtual users when I install FTP servers.

A virtual user in this case (as in most) is a username and password that a service (such as FTP) accepts but that does not exist as an account on the system. It lives only in a MySQL table. Even if the username and password are discovered, only the FTP service (or the specific other services you point at that table) is affected, and only those areas of the FTP server where that virtual user has access.

Another huge advantage is that you can have an almost limitless number of users. An additional user is just a row in a database. There are no new system-wide rights to add or change, no new groups to maintain, no Linux home directories to maintain, just a new subdirectory under one existing directory. All of it runs as one single, limited-access Linux user. Nice and fast. Nice and safe.
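To make the above concrete, here is the whole arrangement in one script. It is an added example, not code from this post or from the wiki linked below: it writes the user table, the PAM service that checks it through pam_mysql, and a vsftpd.conf that maps every virtual user onto a single unprivileged account locked into its own directory. Names, paths, database credentials, certificate paths and the sample user are my assumptions; run it under a temp prefix to see what it produces and with PREFIX=/ as root on the real server.

```shell
#!/bin/sh
# Added example (not the page's own code, nor the wiki's): vsftpd virtual users kept
# in a MySQL table, verified through pam_mysql, every session running as one
# unprivileged local account. Names, paths, credentials and cert paths are assumptions.
set -eu

PREFIX="${PREFIX:-$(mktemp -d)}"   # dry-run under a temp dir; PREFIX=/ on the server
FTP_ROOT=/srv/ftp                  # one tree, one subdirectory per virtual user
GUEST_USER=vsftpd                  # the single local account every login runs as
DB_NAME=vsftpd
DB_USER=vsftpd_auth
DB_PASS='change-me'

# 1. The user table. Passwords are crypt(3) hashes (pam_mysql crypt=1), so a dumped
#    table does not hand out reusable passwords.
write_schema() {
    mkdir -p "$PREFIX/etc/vsftpd" "$PREFIX/etc/pam.d"
    cat > "$PREFIX/etc/vsftpd/schema.sql" <<EOF
CREATE DATABASE IF NOT EXISTS $DB_NAME;
CREATE TABLE IF NOT EXISTS $DB_NAME.users (
  username VARCHAR(32)  NOT NULL PRIMARY KEY,
  passwd   VARCHAR(128) NOT NULL
);
-- the account PAM connects with only ever needs to read this one table
GRANT SELECT ON $DB_NAME.users TO '$DB_USER'@'localhost' IDENTIFIED BY '$DB_PASS';
EOF
}

# A new user is one row plus one directory: no system account, no group, no home.
# $2 is a hash made out of band with  openssl passwd -6  so the clear-text password
# never lands in a config file or shell history. The user's chroot (its own directory)
# stays read-only, as newer vsftpd insists; uploads go into upload/ beneath it.
add_virtual_user() {               # $1 = name, $2 = crypt hash; prints the INSERT
    printf "INSERT INTO %s.users (username, passwd) VALUES ('%s', '%s');\n" "$DB_NAME" "$1" "$2"
    mkdir -p "$PREFIX$FTP_ROOT/$1/upload"
}

# 2. PAM: vsftpd hands the name and password to pam_mysql.
write_pam_service() {
    q="user=$DB_USER passwd=$DB_PASS host=localhost db=$DB_NAME table=users usercolumn=username passwdcolumn=passwd crypt=1"
    cat > "$PREFIX/etc/pam.d/vsftpd" <<EOF
auth    required pam_mysql.so $q
account required pam_mysql.so $q
EOF
    chmod 600 "$PREFIX/etc/pam.d/vsftpd"   # holds the DB password; vsftpd authenticates from its root parent
}

# 3. vsftpd: no anonymous, no real accounts, each virtual user mapped onto $GUEST_USER
#    and chrooted into $FTP_ROOT/<name>. TLS is forced: plain FTP sends passwords in the clear.
write_vsftpd_conf() {
    cat > "$PREFIX/etc/vsftpd/vsftpd.conf" <<EOF
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
pam_service_name=vsftpd
guest_enable=YES
guest_username=$GUEST_USER
virtual_use_local_privs=YES
user_sub_token=\$USER
local_root=$FTP_ROOT/\$USER
chroot_local_user=YES
hide_ids=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key
EOF
}

# 4. The one real account: no shell, no password, owns only $FTP_ROOT.
#    Only runs as root on the real box (PREFIX=/).
create_guest_account() {
    mkdir -p "$PREFIX$FTP_ROOT"
    { [ "$(id -u)" -eq 0 ] && [ "$PREFIX" = / ]; } || return 0
    id "$GUEST_USER" >/dev/null 2>&1 || useradd -r -d "$FTP_ROOT" -s /sbin/nologin "$GUEST_USER"
    chown -R "$GUEST_USER:$GUEST_USER" "$FTP_ROOT"
    find "$FTP_ROOT" -maxdepth 1 -type d -exec chmod 555 {} +   # chroot dirs read-only
    chmod 755 "$FTP_ROOT"/*/upload                              # the writable part
}

write_schema
# constructed sample user; the hash is a placeholder for real openssl passwd -6 output
add_virtual_user alice '$6$EXAMPLESALT$EXAMPLEHASH' >> "$PREFIX/etc/vsftpd/schema.sql"
write_pam_service
write_vsftpd_conf
create_guest_account
echo "wrote vsftpd virtual-user config under $PREFIX"
```

Adding the next user is one more add_virtual_user call: a row and a directory, nothing in /etc/passwd. If a login works at the FTP prompt but the user cannot upload, the chroot rule is the usual culprit; the directory vsftpd chroots into must not be writable, which is why the writable space is a subdirectory.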

For more detailed information on doing this yourself, I have a Drupal-based wiki on it here: https://tboland.homelinux.org/drupal/?q=node/11