Configure DHCP Failover with Dynamic DNS on CentOS 7

We are going to set up a DHCP failover with dynamic DNS.

This article is part of the Homelab Project with KVM, Katello and Puppet series.

Homelab

We have two CentOS 7 (minimal) servers installed which we want to configure as follows:

admin1.hl.local (10.11.1.2) – will be configured as a DHCP master server
admin2.hl.local (10.11.1.3) – will be configured as a DHCP slave server

Both servers have SELinux set to enforcing mode.

See the image below to identify the homelab part this article applies to.

Software

Software used in this article:

  1. CentOS 7
  2. DHCP 4.2

Configure Master DHCP Server

Installation and Firewall

Install packages and ensure that the service is enabled:

[admin1]# yum install dhcp
[admin1]# systemctl enable dhcpd

Configure firewall to allow DHCP traffic (we use iptables):

[admin1]# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 67 -j ACCEPT

Allow DHCP peer communication from admin2:

[admin1]# -A INPUT -s 10.11.1.3/32 -p tcp -m state --state NEW -m tcp --dport 647 -j ACCEPT

Master dhcpd.conf Configuration

Open the file /etc/dhcp/dhcpd.conf and configure as per below.

Note that the parameter mclt (Maximum Client Lead Time) must be defined on the master server but must not be defined on the slave server. The parameter split is another parameter that should be defined on the primary and omitted from the configuration on the secondary. It is worth noting that the communication between failover nodes is neither encrypted nor authenticated.

failover peer "failover-dhcp" {
  primary; # This defines the master
  address 10.11.1.2;
  port 647;
  peer address 10.11.1.3;
  peer port 647;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
  split 128; # 128 is balanced; use 255 if primary is 100% responsible until failure
  load balance max seconds 3;
}

authoritative;
allow booting;
allow bootp;
next-server 10.11.1.4; # Katello TFTP
filename "pxelinux.0";
default-lease-time 86400; # 1 day
max-lease-time 86400; # 1 day

ddns-update-style interim;

update-static-leases on;
one-lease-per-client on;

# We generated the rndc-key when setting up DNS servers
key "rndc-key" {
  algorithm hmac-md5;
  secret "T0+1uWvaiKLkhWutTNhsGvLw7m4CXbjHr+3CrDwQP5ZMNHeRSvghg2XxQvT3uGVwNle9oMvBEcjB+4GEPDK1Qg==";
};
# We created zones when setting up DNS servers
zone 1.11.10.in-addr.arpa {
  primary 10.11.1.2;
  key "rndc-key";  
}
zone hl.local {
  primary 10.11.1.2;
  key "rndc-key";
}

subnet 10.11.1.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.11.1.255;
  option routers 10.11.1.1;
  option domain-name-servers dns1.hl.local, dns2.hl.local;
  option domain-name "hl.local";
  pool {
    failover peer "failover-dhcp";
    range 10.11.1.40 10.11.1.59;
  }
}

# DHCP leases for PXE boot
host ldap1 {
  hardware ethernet 00:22:FF:00:00:11;
  fixed-address 10.11.1.11;
  option host-name "ldap1.hl.local";
}
host ldap2 {
  hardware ethernet 00:22:FF:00:00:12;
  fixed-address 10.11.1.12;
  option host-name "ldap2.hl.local";
}
host monitoring {
  hardware ethernet 00:22:FF:00:00:13;
  fixed-address 10.11.1.13;
  option host-name "monitoring.hl.local";
}
host syslog {
  hardware ethernet 00:22:FF:00:00:14;
  fixed-address 10.11.1.14;
  option host-name "syslog.hl.local";
}
host storage1 {
  hardware ethernet 00:22:FF:00:00:15;
  fixed-address 10.11.1.15;
  option host-name "storage1.hl.local";
}
host storage2 {
  hardware ethernet 00:22:FF:00:00:16;
  fixed-address 10.11.1.16;
  option host-name "storage2.hl.local";
}
host db1 {
  hardware ethernet 00:22:FF:00:00:17;
  fixed-address 10.11.1.17;
  option host-name "db1.hl.local";
}
host db2 {
  hardware ethernet 00:22:FF:00:00:18;
  fixed-address 10.11.1.18;
  option host-name "db2.hl.local";
}
host proxy1 {
  hardware ethernet 00:22:FF:00:00:19;
  fixed-address 10.11.1.19;
  option host-name "proxy1.hl.local";
}
host proxy2 {
  hardware ethernet 00:22:FF:00:00:20;
  fixed-address 10.11.1.20;
  option host-name "proxy2.hl.local";
}
host web1 {
  hardware ethernet 00:22:FF:00:00:21;
  fixed-address 10.11.1.21;
  option host-name "web1.hl.local";
}
host web2 {
  hardware ethernet 00:22:FF:00:00:22;
  fixed-address 10.11.1.22;
  option host-name "web2.hl.local";
}
host backup {
  hardware ethernet 00:22:FF:00:00:23;
  fixed-address 10.11.1.23;
  option host-name "backup.hl.local";
}

Harden file permissions because of the plaintext rndc-key:

[admin1]# chmod 0600 /etc/dhcp/dhcpd.conf

Test the configuration file:

[admin1]# dhcpd -t -cf /etc/dhcp/dhcpd.conf

Restart the service:

[admin1]# systemctl restart dhcpd

Check leases:

[admin1]# tail /var/lib/dhcpd/dhcpd.leases

Configure Slave DHCP Server

Installation and Firewall

This part is the same as for the master server.

Install packages and ensure that the service is enabled:

[admin2]# yum install dhcp
[admin2]# systemctl enable dhcpd

Configure firewall to allow DHCP traffic (we use iptables):

[admin2]# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 67 -j ACCEPT

Allow DHCP peer communication from admin1:

[admin2]# -A INPUT -s 10.11.1.2/32 -p tcp -m state --state NEW -m tcp --dport 647 -j ACCEPT

Slave dhcpd.conf Configuration

Open the file /etc/dhcp/dhcpd.conf and configure the following:

failover peer "failover-dhcp" {
  secondary; # This defines the slave
  address 10.11.1.3;
  port 647;
  peer address 10.11.1.2;
  peer port 647;
  max-response-delay 60;
  max-unacked-updates 10;
  load balance max seconds 3;
}

authoritative;
allow booting;
allow bootp;
next-server 10.11.1.4; # Katello TFTP
filename "pxelinux.0";
default-lease-time 86400; # 1 day
max-lease-time 86400; # 1 day

ddns-update-style interim;

update-static-leases on;
one-lease-per-client on;

# We generated the rndc-key when setting up DNS servers
key "rndc-key" {
  algorithm hmac-md5;
  secret "T0+1uWvaiKLkhWutTNhsGvLw7m4CXbjHr+3CrDwQP5ZMNHeRSvghg2XxQvT3uGVwNle9oMvBEcjB+4GEPDK1Qg==";
};
# We created zones when setting up DNS servers
zone 1.11.10.in-addr.arpa {
  primary 10.11.1.2;
  key "rndc-key";  
}
zone hl.local {
  primary 10.11.1.2;
  key "rndc-key";
}

subnet 10.11.1.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.11.1.255;
  option routers 10.11.1.1;
  option domain-name-servers dns1.hl.local, dns2.hl.local;
  option domain-name "hl.local";
  pool {
    failover peer "failover-dhcp";
    range 10.11.1.40 10.11.1.59;
  }
}

# DHCP leases for PXE boot
host ldap1 {
  hardware ethernet 00:22:FF:00:00:11;
  fixed-address 10.11.1.11;
  option host-name "ldap1.hl.local";
}
host ldap2 {
  hardware ethernet 00:22:FF:00:00:12;
  fixed-address 10.11.1.12;
  option host-name "ldap2.hl.local";
}
host monitoring {
  hardware ethernet 00:22:FF:00:00:13;
  fixed-address 10.11.1.13;
  option host-name "monitoring.hl.local";
}
host syslog {
  hardware ethernet 00:22:FF:00:00:14;
  fixed-address 10.11.1.14;
  option host-name "syslog.hl.local";
}
host storage1 {
  hardware ethernet 00:22:FF:00:00:15;
  fixed-address 10.11.1.15;
  option host-name "storage1.hl.local";
}
host storage2 {
  hardware ethernet 00:22:FF:00:00:16;
  fixed-address 10.11.1.16;
  option host-name "storage2.hl.local";
}
host db1 {
  hardware ethernet 00:22:FF:00:00:17;
  fixed-address 10.11.1.17;
  option host-name "db1.hl.local";
}
host db2 {
  hardware ethernet 00:22:FF:00:00:18;
  fixed-address 10.11.1.18;
  option host-name "db2.hl.local";
}
host proxy1 {
  hardware ethernet 00:22:FF:00:00:19;
  fixed-address 10.11.1.19;
  option host-name "proxy1.hl.local";
}
host proxy2 {
  hardware ethernet 00:22:FF:00:00:20;
  fixed-address 10.11.1.20;
  option host-name "proxy2.hl.local";
}
host web1 {
  hardware ethernet 00:22:FF:00:00:21;
  fixed-address 10.11.1.21;
  option host-name "web1.hl.local";
}
host web2 {
  hardware ethernet 00:22:FF:00:00:22;
  fixed-address 10.11.1.22;
  option host-name "web2.hl.local";
}
host backup {
  hardware ethernet 00:22:FF:00:00:23;
  fixed-address 10.11.1.23;
  option host-name "backup.hl.local";
}

Harden file permissions because of the plaintext rndc-key:

[admin2]# chmod 0600 /etc/dhcp/dhcpd.conf

Restart the service:

[admin2]# systemctl restart dhcpd

Leave a Reply

Your email address will not be published. Required fields are marked *