Adonis Administration Guide Version 5.5

ADMINISTRATION GUIDE


Legal Notices

Read this page to ascertain important legal information and warnings.

Copyright

Copyright © 2000–2008, BlueCat Networks (USA) Inc.

All rights reserved. Company names and/or data used in screens and sample output are fictitious, unless otherwise stated.

Trademarks

BlueCat Networks, the BlueCat Networks logo, Adonis, the Adonis logo, Meridius, the Meridius logo, Proteus, and the Proteus logo are trademarks of BlueCat Networks (USA) Inc.

Java and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. Linux is a registered trademark of Linus Torvalds. Windows is a registered trademark of Microsoft Corporation. Intel and Pentium are registered trademarks of Intel Corporation. RPD is a trademark of Commtouch Software Ltd.

All other product and company names are registered trademarks or trademarks of their respective holders.

Export Warning

This is a Class A product. In a domestic environment, this product may cause radio interference, in which case you may be required to take appropriate measures.

Canadian Regulatory Compliance

This is a Class A digital device that complies with Canadian ICES-003.

FCC Compliance

This equipment generates, uses, and may emit radio frequency energy. This equipment has been type tested and found to comply with the limits for a Class A digital device pursuant to part 15 of FCC rules that are designed to provide reasonable protection against such radio frequency interference.

Operation of this equipment in a residential area may cause interference that may require you to take reasonable measures to correct at your expense.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user’s authority to operate this equipment under part 15 of the FCC rules.

Disclaimer

a) Read this guide before installing or using the product. For more information, see other relevant documents in the distribution. Failure to follow the prescribed instructions will void the product warranty.

b) BlueCat Networks (USA) Inc. (“BlueCat”) has granted you the right to use this manual. BlueCat believes the information it furnishes to be accurate and reliable, but BlueCat assumes no responsibility for, or arising out of, your use of the manual except to the extent expressly set out in the end-user agreement (“EUA”) associated with the product. No license is granted by implication or otherwise under any patent, copyright or other intellectual property right of BlueCat Networks (USA) Inc. except as specifically described in the above noted EUA.

c) BlueCat Networks (USA) Inc. reserves the right to change specifications at any time without notice.


Contents

Preface ... 9

Chapter 1: Introduction

DNS and DHCP ... 11
Adonis Overview ... 11
How is Adonis Organized? ... 11
Two Consoles: Two Tasks ... 12
Project Files ... 12
Deployment ... 12
Security ... 12
IPv6 Support ... 12
Advanced Implementations ... 13
Adonis and Proteus IPAM ... 13

Chapter 2: Administration Console

Using the Adonis Administration Console ... 15
Administration Console Modes ... 16
Main Mode ... 16
Main Mode Help ... 16
Configuration Mode ... 16
Configuration Mode Help ... 17
Saving or Discarding Changes ... 18
Viewing the Command History ... 18

Chapter 3: Management Console

Getting Started ... 19
Navigating the Adonis Management Console ... 20
User Management and Access Control ... 23
Managing Users ... 24
Access Control ... 27
Configuring External Authenticators ... 29
Kerberos Authenticators ... 30
RADIUS Authenticators ... 31
LDAP Authenticators ... 32

Chapter 4: Appliance Management

Setting Default Appliance Options ... 35
General Options ... 35
Product Updates ... 36
Specifying Proxy Settings ... 37
Appliance Authentication Management ... 38
Passwords ... 41
Resetting from Proteus Control ... 41
Administration Console Server Controls ... 42
Rebooting and Shutting Down ... 42
LCD ... 42
Inspecting the Network Configuration ... 42
Configuring Network Settings ... 43
Configuring the Hostname ... 44
Viewing and Setting the Time ... 44
Setting the Time Zone ... 45
Network Time Protocol (NTP) ... 46
Configuring the Routing Table ... 48
Configuring Anycast ... 50
Administration Console Service Control ... 51
Command Server ... 51
XHA ... 51
Firewalls ... 51
SSH ... 53
Startup Services ... 53
Network Services ... 53
Management Console Server Controls ... 54
Deploying a Project ... 56
Viewing System Logs ... 56
Configuring System Log Output ... 57
Viewing Logs ... 58
Simple Network Management Protocol ... 59
Enabling SNMP ... 59
Configuring SNMP ... 59
Updating Adonis ... 64
Online Updates ... 64
Manual Updates ... 69

Chapter 5: Project Files

Creating a New Project File ... 71
Selecting an Appliance Type ... 72
Setting up an Initial DNS Service ... 73
Selecting a DNS Network Architecture ... 73
Opening and Saving Files ... 84
Checking Files Into and Out Of an Adonis Server ... 85
Modifying File Location Settings ... 88
Editing a Project File ... 88
Adding Servers ... 89
Checking and Correcting a File ... 90
Checking the Data ... 91
Modifying Data Check Issue Settings ... 91
Deploying the Project File ... 92
Importing a Project ... 96
Importing from a Previous Version ... 96

Chapter 6: Adonis DNS

Adonis DNS Implementation ... 97
DNS Services ... 98
BIND/DNS Service Control ... 98
Specifying Server Version Information ... 99
Adjusting DNS Service Options ... 100
Resource Records ... 101
Custom Resource Records ... 102
Resource Record Fields ... 103
Managing Servers and Zones ... 104
Authoritative DNS and Delegation ... 104
Adding Zones ... 104
Recursive DNS ... 108
Working with Zones ... 111
Setting Zone Options ... 112
Defining the Start of Authority for a Zone ... 113
Zone Templates ... 115
Managing Resource Records ... 117
Adding Resource Records ... 118
Auto-Generating Resource Records ... 118
Generating Records Incrementally ... 119
Editing and Deleting Resource Records ... 121
Disabling Resource Records ... 121

Chapter 7: Advanced DNS

Reverse DNS ... 123
ENUM and VoIP ... 123
Delegating Subnets ... 126
Dynamic DNS ... 128
Configuring DDNS ... 130
Integrating Active Directory ... 130
Enabling Active Directory Support ... 130
Windows Active Directory Synchronization ... 131
Checking the Data ... 132
Data Check ... 132
Using the DNS Fixup Wizard ... 132
Live Data Check ... 135
The Whois Lookup Tool ... 136
DNS Configuration Statistics ... 139
Transaction Signatures ... 140
DNS Queries ... 144
Using BIND Views ... 144
Managing Access Control Lists ... 146
Query Logging ... 148
DNS and IPv6 ... 151
AAAA Records ... 151
Reverse Lookup ... 152
NS Records ... 153
Mixed Environments ... 153

Chapter 8: Adonis DHCP

Background ... 155
Adonis DHCP Implementation ... 156
Adonis DHCP Files ... 156
Adonis DHCP Services ... 156
Adding a DHCP Relay Service ... 157
DHCP Declarations and Scope ... 158
Common Object Types ... 159
DHCP Groups ... 159
Declaring Groups ... 159
Subnets ... 159
Declaring Subnets ... 160
Shared Networks ... 160
Pools ... 161
Hosts ... 162
DHCP Client Options ... 165
Subnet Mask ... 165
IP Layer Parameters Per Host ... 165
Interface-Specific Options ... 167
Link Layer Interface-Specific Options ... 168
TCP Interface-Specific Options ... 168
Application and Service Options ... 168
DHCP Advanced Options ... 171
Setting Up DHCP Services ... 172

Chapter 9: Adonis Advanced DHCP

Custom Client Configurations ... 175
Classes ... 175
Subclasses ... 177
Vendor Profiles ... 178
DHCP Custom Options ... 181
TFTP Service ... 182
DDNS and Zones ... 183
Network Access Control ... 184
MAC Address Filtering ... 184
Adding MAC Authentication to a DHCP Service ... 190
MAC Authentication Menu ... 195
DHCP/TFTP Service Control ... 195
DHCP Service Control ... 195
TFTP Service Control ... 196
OMAPI ... 196
DHCP Lease Viewer ... 196
DHCP Failover ... 197
DHCPv6 ... 197
Overview of DHCPv6 ... 197
IPv6 Prefixes ... 197
Neighbor Discovery for Address Assignment ... 198
Creating a DHCPv6 Service ... 198
Configuring a DHCPv6 Service ... 199

Chapter 10: High Availability

Crossover High Availability (XHA) ... 201
Prerequisites ... 202
Creating a High Availability Cluster ... 202
Diagnosing a High Availability Cluster ... 204
Repairing a High Availability Cluster ... 205
Breaking a High Availability Cluster ... 208
Manual Failover ... 208
Updating an XHA Cluster ... 209
BIND Views in XHA ... 210
Adonis DHCP Failover ... 210
One Client per Address ... 210
A Companion to XHA ... 210
Terms vs Times ... 210
Three Rules ... 211
Address Binding States ... 211
Server States ... 212
Failover Monitor ... 214
Typical State Transition ... 214
Recommended Topologies ... 215
Setting Up DHCP Failover ... 218
Configuring DHCP Failover on a Pool ... 219
Modifying Settings for a Failover Pool ... 220

Chapter 11: Migration Tools

Importing External Configurations ... 223
Using a Live Zone Transfer ... 225
Importing an Existing DNS Configuration ... 227
Named.conf ... 228
ACLs ... 228
Importing an Existing DHCP Configuration ... 229
ISC DHCP 3.x Config File ... 229
Windows 2000 DHCP Dump File ... 230

Chapter 12: Active Directory Integration

Active Directory and DNS ... 231
Dynamic Domain Controller Registration ... 232
Integrating Adonis into Active Directory ... 233
DNS Replication ... 234
Active Directory DNS Records ... 235
SRV Records ... 236
A Records ... 237
CNAME Records ... 237

Appendix A: Integrating with Mirage Post-Admission NAC Appliance ... 239

About the AMA ... 239
Setting up the AMA ... 240
Enabling SSH Between Adonis and Mirage ... 240
Configuring the AMA ... 240
Configuring Mirage ... 242
Creating an External Authority ... 242
Creating a Profile Group and Profiles ... 242
Configuring Zones ... 243
Controlling the AMA ... 243

Index ... 245


Preface

Welcome to the Adonis™ Administration Guide. This guide explains how to add an Adonis appliance to your network and how to administer it on an ongoing basis.

Who should read this guide?

This guide is intended for Adonis administrators. Readers should be familiar with DNS and DHCP administration.

References

Working with a DNS/DHCP system requires in-depth knowledge of many subject areas, including DNS, DHCP, and General Networking. The following references are provided for readers who require more background knowledge before working with Adonis.

• The DHCP Handbook by Ralph Droms and Ted Lemon, SAMS Publishing, ISBN 0-67232-327-3
• Pro DNS and BIND by Ron Aitchison, Apress, ISBN 1-59059-494-0
• DNS and BIND by Paul Albitz and Cricket Liu, O’Reilly Media, ISBN 0-596-00158-4
• The Internet System Consortium website (www.isc.org). This site also hosts the BIND FAQ at www.isc.org/sw/bind.

Typographic Conventions

This guide uses the following conventions:

Bold: Command line options and user input to be typed.

Bold blue: Button names, fields, tabs, and icons in the user interface.

Bold blue italic: Cross references and hypertext links within the document.

Blue underline: Hypertext links to external URL entries.

Monospace: Source code examples and terminal output.

Monospace Italic: Variables in code examples.

Normal Italic: New terms being defined; emphasis within a concept description; dialog box, window, and screen names.

This icon appears alongside a Caution. Cautions usually appear where performing an action may be dangerous to the user or to the equipment, or where data may be corrupted or incomplete if the caution is not observed.

This icon appears alongside a Note. Notes give additional detail about the material presented in concepts and procedures.

This icon appears alongside a Tip. Tips are similar to Notes and suggest alternative ways to accomplish a task or provide ideas for using the product in the most effective way.

How do I contact BlueCat Networks Client Care?

For additional information, please contact [email protected] or call 416-646-8433 or 1-866-491-2228. Office Hours are: Monday to Friday, 7 am to 8 pm Eastern Time.

Chapter 1

Introduction

The Internet has grown to the point where it is indispensable. During this period of growth another phenomenon has occurred: Internet Protocol (IP)-based networks supplanted almost all other ISO layer 3 networking technologies. However, increased complexity and security issues can threaten the viability of these technologies and their use within critical corporate infrastructures. These networks were often constructed on an ad hoc basis, and further management and planning are required to manage and secure them properly.

The Internet and other IP-based networks depend on the idea of a unique IP address to route data between network clients. These addresses are organized into smaller blocks or subnets as a means of delegating maintenance to different organizations.

DNS and DHCP

DNS is a scalable distributed service that can tolerate partial outages without disrupting the entire Internet. Because DNS and DHCP are critical network services, their availability and security are principal concerns. The cost of a service outage, even one as short as an hour, far exceeds the cost of implementing properly configured, highly available DNS and DHCP infrastructures.

Unsecured DNS makes a network vulnerable to attacks, a risk that goes far beyond just “unplanned downtime”. The ubiquity of older versions of BIND software continues to make DNS a target for spoofing, ID hacking, cache poisoning attacks, and even direct threats to DNS security (such as server attacks). A modern and robust solution to DNS and DHCP service issues must consider security at every level of its design: the hardware, operating system, services, and software applications.

Adonis Overview

Adonis is an appliance server. It is designed to be intuitive, even for users who have very little background knowledge, but it also contains the advanced tools and settings required by DNS and DHCP experts. Adonis is the logical next generation of DNS/DHCP service provision. It is designed on a secure hardware platform, with a firewall-grade operating system. Updates to the software and operating system are completely automated and encrypted thanks to the known hardware and software combinations implicit with appliances.

How is Adonis Organized?

Adonis is both the appliance that runs in production and the client-side toolkit for configuring one or more Adonis units. The Adonis appliance includes server-side tools in the Administration Console and a command line interface to the server. Most models have front panel controls for setting the IP address and gateway.

Adonis Administration Guide 11


Chapter 1: Introduction

Adonis appliances operate with very few open ports; each includes an encrypted control port for connecting it to the Management Console on the administrator’s PC. Ports are opened only if they are required for the project being deployed on the appliance. Operating behind this dynamically configured packet-filtering firewall, the Adonis appliance is well suited to network conditions anywhere, including hostile environments such as DMZs or the Internet.

BlueCat Networks Linux™-based operating system is stripped down to its essential code, so the kernel does not load new modules during runtime. The DNS daemon (service) also runs in a chroot jailed environment to prevent the server from being compromised in the highly unlikely event that the service is breached.

Two Consoles: Two Tasks

The Adonis Administration Console is a command-line interface that allows you to configure the appliance for use within your existing network. From the Administration Console, you can set the appliance’s IP address and other network settings, handle security settings, configure query logging, and more. The Administration Console provides the power and control of a root user command prompt within a controlled environment with a fixed command set that minimizes risk to the system.

The Adonis Management Console is a Java application that runs on any J2SE-compliant platform, including Microsoft Windows and Linux/UNIX®. The look and feel of the Management Console is familiar to Windows users, simplifying the learning curve. The interface also checks the data, both user-entered and imported, and performs automated record creation for maintenance items such as glue records. The Management Console makes DNS and DHCP more manageable, even with minimal training.

Project Files

Adonis stores configurations in project files (file extension .dns) that contain all the settings the appliance needs. The Management Console uses project files to reload the server and service settings saved from a previous session.

Deployment

Adonis separates the design phase of DNS and DHCP rollouts from the actual production environment. You can design and test several different network models before going live. Because deployment is available on an ad hoc basis, configuration changes have minimum impact on service availability.

Security

The Adonis appliance is extremely safe and is designed to operate in the most exposed network environments. For information about specific Adonis appliance safety measures, see Appliance Management on page 35.

IPv6 Support

Adonis includes support for IPv6 addresses. IPv6 is designed to replace IPv4 by conserving its proven and established mechanisms, discarding its known limitations, and extending its scalability and flexibility. IPv6 is designed to handle the growth rate of the Internet while providing reliable service.

In most cases, Adonis accepts IPv6 input in the same places as it accepts IPv4 input. Where the two types of address work slightly differently, these differences are noted in the documentation.


Advanced Implementations

Adonis is easily configured through the Management and Administration Consoles, but some advanced configurations require expert advice. BlueCat Networks support and professional services personnel are trained to analyze these situations and provide resources for customers. For more information about these services, ask your BlueCat Networks account manager.

BlueCat Networks provides online and on-site training resources. Pre-defined courses can be arranged in certain major cities, or at your location. Professional Services provide advanced network analysis, design, and configuration both remotely and on-site. These resources and services should be considered in addition to the information provided in this guide.

White papers and other materials are available to registered users through the Resource Center on our public web site (http://www.bluecatnetworks.com). Registration is free, and access is immediate. These white papers discuss topics that are beyond the scope of this document, such as high availability and VoIP.

Adonis and Proteus IPAM

Adonis operates quickly and efficiently because it is a purpose-built appliance that has capacity for DNS and DHCP services. There are no other applications complicating the setup or making demands upon the server. Security is maximized and every part of the server (hardware, operating system, and services) is simplified and secured. The Management Console used to configure the appliance eliminates configuration errors and provides a high level of security during configuration.

Adonis is based on a client-server architecture model. The Adonis appliance operates as a server that offers DNS, DHCP, and TFTP services within the network. Project files are created in the Adonis Management Console and then deployed onto the appliance. All essential communications between the Management Console and the appliances are heavily encrypted and proprietary. Adonis can provide services in extremely hostile network environments. The configuration interface is not present on the appliance: it resides on the operator’s workstation and in the encrypted project file.

Adonis on its own is not always a perfect fit with very large installations. When an organization has many DNS and DHCP/DHCPv6 servers scattered across a WAN environment, management becomes a much bigger issue. Managing IP address inventories and policy implementations across multiple servers, as well as the other requirements of a large and complex environment, requires further configuration and modelling assistance.

Problems can arise with as few as half-a-dozen DNS and DHCP servers; however, management of tens or hundreds of servers presents much bigger issues. When they reach this point, organizations should look at adding the power of the BlueCat Networks Proteus IPAM appliance to augment their Adonis servers.

Proteus is the world’s first IPAM appliance. Instead of following traditional client-server architecture it is an n-tier application that has full Adonis compatibility. Proteus has capabilities such as database-enabled storage, as well as modelling and deployment resources that are not a good fit for the Adonis server-centric model. Proteus is designed to integrate into almost any network environment and it is compatible with most network management tools. For more information about Proteus contact BlueCat Networks, or visit our website at: www.bluecatnetworks.com.


Chapter 2: Administration Console

The Adonis Administration Console controls the functionality of your appliance. This chapter includes the following topics:

• Using the Adonis Administration Console on page 15 introduces the Administration Console.

• Main Mode on page 16 describes Main mode commands.

• Configuration Mode on page 16 describes Configuration mode commands.

Using the Adonis Administration Console

The Adonis Administration Console reduces the amount of administrative effort needed to configure console settings.

To access the Administration Console use one of the following methods:

• Attaching a monitor and keyboard to the Adonis appliance using the VGA and PS/2 connectors provided on the back of the unit.

• Connecting to the appliance’s physical IP address through version 2 Secure Shell (ssh) protocol (ssh must be enabled first).

• Attaching a 9-pin serial cable to the Adonis appliance and using a terminal (tty) application such as Hyperterminal on Windows to open an Administration Console session.

To log in to the Administration Console:

1 Log in at the IP address of eth0 on the Adonis appliance using the login ID “admin” and the password provided on the Information Sheet that was included in the shipping box. Passwords are generated for each unique unit and should be retained securely.

2 To close the Administration Console and return to the login screen, type “exit”.

If you purchased a secured model of Adonis, you can only access the Administration Console using the serial cable option. All other access methods have been disabled.

If you cannot locate the secure password for your Adonis appliance, contact BlueCat Networks Client Care. For more information, see How do I contact BlueCat Networks Client Care? on page 10.


Administration Console Modes

The Administration Console has two operational modes:

• Main mode—In main mode you can view many settings but you cannot edit most of them. You should use this mode if you need to inspect your Adonis configuration, but do not plan to make any changes. This mode is useful because it allows you to access appliance settings without the risk of changing them accidentally.

• Configuration mode—In configuration mode you can view and change many appliance settings. You can also review your changes before saving them, and discard them if they are unsatisfactory.

Main Mode

When you log in to the Administration Console, you are in main mode by default. Main mode does not allow you to change many settings, so you are confined to viewing existing settings. Where you can change settings, the changes take effect immediately; you can undo them only by changing the setting again.

Main Mode Help

You can access help at any time in the Administration Console. There are general help pages with lists of possible commands and specific help pages for each command.

• To get general help, type “help”, and then press Enter.

• To get help on configuration mode, type “help configure”, and then press Enter.

• To get help on a specific command, type “help command” (where command is the command you want information about), and then press Enter. For example, to see help for the set command:

:adonis>help set

set admin password

set time

set host-name <hostname>

set name-server <nameserver>

set anycast

The following list shows the full set of help possibilities:

• help

• help configure

• help configure object

• help sample

• help command

Configuration Mode

Configuration mode allows you to change Adonis settings. Adonis does not apply your changes immediately, but it keeps track of them, so you can save them or discard them later. This provides a level of safety because it prevents you from making inappropriate changes accidentally. Saving a setting modifies the operational state of the appliance to reflect the changes.


Configuration mode includes several separate functions:

• Network configuration

• Query logging configuration

• Routing table configuration

• Time zone configuration

• NTP configuration

• SNMP configuration

• Syslog configuration

• Anycast configuration

Each configuration function allows you to make changes only to a specific area.

Configuration Mode Help

Configuration mode includes the same help functions as main mode (for more information, see Main Mode Help on page 16). In addition, there are help pages for specific configuration functions.

• To get general help on configuration, type “help configure”, and then press Enter.

• To get help about a specific configuration function, type “help configure object”, and then press Enter.

To change from main mode to a configuration mode:

• Type “configure object”, and then press Enter, where object is one of the following parameters:

• network

• network interface

• network gateway

• querylogging

• routetable

• timezone

• ntp

• snmp

• syslog

• anycast ospf

• anycast rip

The Administration Console prompt changes after you type “configure object”:

:adonis>configure network interface eth0

:configure:network:interface>set address 192.168.32.1

:configure:network:interface>exit

Do you want to save all changes (Yes or No)? y

:adonis>


Saving or Discarding Changes

Configuration changes do not take effect immediately; you must save them first. Before you do this, you should review your unsaved changes. If you are not satisfied with them or if you discover an error in the data, you can discard them and start again.

Reviewing Unsaved Changes

Adonis lets you review your changes before you commit them.

• To review unsaved changes, type “show unsaved”, and then press Enter.

• To review specific unsaved changes, type “show unsaved object”, and then press Enter.

Saving or Discarding Changes and Returning to Main Mode

• To save your changes and return to main mode, type “save”, and then press Enter.

• Alternatively, you can type “exit”, and then press Enter. When prompted to save your changes, type “Y”, and then press Enter.

• To discard your changes and return to main mode, type “cancel”, and then press Enter.

• Alternatively, you can type “exit”, and then press Enter. When prompted to save your changes, type “N”, and then press Enter.

Viewing the Command History

The Administration Console records the commands you typed during your sessions in either operational mode. To view the command history, type “h” or “history”, and then press Enter. For example:

:adonis>history

show version

help

help set

enable lcd

set network eth0 ip 192.168.127.2

You can use the up and down arrow keys to scroll through the commands you typed previously. This feature is useful when you need to repeat previous commands.

Chapter 3: Management Console

The Adonis Management Console is a client-side Java GUI application that serves as a front-end for the appliance. There is some crossover with the Administration Console because it includes some configuration functions and the Management Console contains some real-time controls for the appliance. This places the controls that you may need for any given task in the appropriate interface when you need them.

This chapter includes the following topics:

• Getting Started on page 19 gives an overview of the Management Console.

• User Management and Access Control on page 23 discusses users and user access control.

• Configuring External Authenticators on page 29 discusses external authenticators.

Getting Started

You use the Management Console to create and deploy DNS and DHCP configurations.

To start the Adonis Management Console in Windows:

• From the Start menu select BlueCat Networks > Adonis > Adonis Management Console.

To start the Adonis Management Console in Linux, Solaris, or Mac OS:

• Use the following executable to launch the application: /root/BlueCat_Networks/Adonis, or ./BlueCat_Networks/Adonis

You can find this executable in the home directory of the user who installed the Management Console. You can create a symbolic link or application launcher for the executable in the location of your choice.


Navigating the Adonis Management Console

The Management Console GUI comprises three areas:

• the toolbar

• the tree-view pane

• the detail pane

The Toolbar

The toolbar gives you quick access to commonly used functions. The tools are organized into functional groups from left to right:

New File, Open, Save

These tools allow you to work with the Management Console files stored on your local machine.

Undo, Redo

These tools undo or redo your recent changes. Adonis maintains undo information for the actions you performed since you opened or saved the current file.

Search, Replace

These tools access the search and replacement features. Use these to navigate within a configuration or to quickly propagate a modification throughout it.

Cut, Copy, Paste

These tools cut, copy, and paste certain types of items in the tree-view and detail panes.


Rename, Delete

These tools allow you to rename and delete certain types of objects in the tree-view and detail panes.

Move Up, Move Down

These tools move certain types of objects in the tree-view pane up or down relative to their siblings in the hierarchy.

Check Data, Live Data Check

These tools access the DNS error-checking functions.

Deploy, Server Control

These allow the Management Console to connect to the Adonis appliance to distribute project file changes, gather server data, and perform server commands.

The Tree-view Pane

The tree-view pane shows a hierarchical representation of all the information in your project file, including servers, DNS, DHCP, and TFTP services. You can expand or collapse items in the tree-view as necessary. To display the details of an item in the detail pane, select it in the tree-view pane.

The Detail Pane

The detail pane shows information about the item you selected in the tree-view pane. For example, if you select a master DNS zone in the tree-view pane, the detail pane displays the resource records it contains.

Most detail pane displays have multiple tabs that display different categories of details about the selected item. For example, the master DNS zone has four tabs:

• Resource Records

• Start of Authority

• Template

• Options

Some tabs have specific toolbars or other custom buttons. These buttons perform tasks related specifically to objects displayed in the current tab. For example, the Resource Records tab for a master DNS zone has a toolbar with a button for each type of record you can add. For more information about resource records, see Resource Records on page 101.


Search and Replace

The Management Console includes two tools to help you locate and replace objects in the tree-view pane. These are useful for large configurations that include many servers, views, and zones.

To go to an object:

1 On the toolbar click Search. The Data Navigator dialog box opens.

2 Select the Go To tab, and then type the name of the object you want to locate in the Go To field.

3 Click Go.

Go To locates the object, and then the Data Navigator dialog box closes.

To search for objects:

1 On the toolbar click Search. The Data Navigator dialog box opens.

2 In the Search field, type the name of the object you want to find, and then click Search.

3 To search only the DNS or DHCP service, click the Target down arrow, and then select the service you want to search from the drop-down list.

4 To restrict your search to specific object types click (...). The Select Target Objects dialog box appears.

You can search for whole words, abbreviations, file name extensions, or numbers. The search tool is not case-sensitive and returns all types of objects that meet the search criteria.


The Select Target Objects dialog contains checkboxes for DNS or DHCP objects, depending on the service you chose in step 3.

5 Select the checkboxes for the objects you want to search, and then click OK.

6 In the Data Navigator dialog box click Search. Objects that match the search criteria appear in the results table.

7 Double-click one of the objects in the table: the object is selected in the tree-view pane.

8 Click Close.

To find and replace objects:

1 On the toolbar click Replace. The Replace dialog box opens.

2 Type the name of the object you want to find in the Find What field, and then click Find.

3 To find an object by IP address click the Type down arrow, and then select IP from the drop-down list.

4 To replace an object name or IP address, type the new information in the Replace With field, and then click Replace.

5 Click Close.

You can use whole words, abbreviations, or numbers, but not file extensions or wildcards. To make the find tool case-sensitive, select the Case Sensitive checkbox.

If you do not want to replace every object you found, clear the appropriate checkboxes in the Replace column.

User Management and Access Control

The User Management feature allows you to set and enforce access to the Management Console with password authentication or without access security applied to the project file. Without access security, the administration and deployment passwords are still required to make changes to the appliance, but changes can be made to the project file (.dns) without a password.

Some network policies require that users be authenticated centrally by a single system. Adonis project file users can be authenticated either by Adonis or by an external authentication server on the network. For more information, see Configuring External Authenticators on page 29.

Managing Users

You can set and enforce user and group level access control over the project file at the server, view, and zone levels, as well as individual DNS and DHCP service levels.

To establish user level access control:

1 From the Management Console File menu, select User Management. The Set Administrator Password dialog box appears.

2 Type the new administrator password in the Password and Re-enter Password fields.

3 Click OK. The User Management dialog box appears.

4 To enable user level access control for the project file, select the Enable user level access checkbox.


If you do not enable this feature, authentication and user management are not performed when this file is accessed.

Users and Groups

Users and groups are distinguished by different icons. You can edit users and groups by selecting them from the User Management dialog box, and then clicking Edit. You can remove the users or groups you created by selecting them from the User Management dialog box, and then clicking Remove.

To add a new user:

1 On the Users and Groups tab of the User Management dialog box, click Add User. The New User dialog box appears.

2 Type values in the User Name, Full Name, and Adonis Password fields. Confirm the password, and then select the applicable user options.

User cannot change password—only an Administrator can change the user’s login password.

Password must be changed next login—the current Adonis password is valid only for this login; the user must change the password.

User disabled—the user cannot log in to Adonis.

User can deploy configuration—the user has permission to deploy project files to Adonis.

Full Access—creates an Administrator user who can access the Administration menu and change any detail in the project file.

A user who can deploy configurations can change server settings directly, as opposed to adding changes to a project file.

If you want to add a new user to an existing group, click the Member of tab, select the group to which you want to add the new user, and then click Add. If you want to add the user to a new group, you need to create the new group first.

The name of the new user appears in the list on the Users and Groups tab.

3 Click OK.

After you enable user level access control, you are prompted to enter a user name (Administrator) and password when you close the User Management dialog box.

Group Accounts

Group accounts make administration easier. By collecting individual users into groups, you can assign the same access rights to all members in the group.

To add a new group:

1 On the Users and Groups tab of the User Management dialog box, click Add Group. The New Group dialog box appears.

2 Type a name for the new group. To add members to the group click Add, and then select the new group members from the Users List dialog box.

3 Click OK.


To log in as a user and change the password:

1 In the Authenticate dialog box, click Change Password (not available if the Administrator selected the User cannot change password option in the New User dialog box).

2 The Change Password dialog box opens. Type the old password, the new password, and then type the new password again to confirm.

3 Click OK.

Access Control

Access rights control access to the project file. A newly created user or group has no access rights to any object within a project file. Before users can perform any actions, you must assign access rights to the appropriate user or group account. You can modify the user permissions for system objects that reside within servers, views, and zones. This is a two-stage process:

• adding a list of users or groups for each type of object

• modifying the user permissions for each type of object


To set access control for an object:

1 Right-click the server, view, or zone object in the tree-view pane of the Management Console. Select Access Control from the menu. The Access Control dialog box opens.

2 To add users or groups, click Add. The Add User or Group dialog box opens.

The Access Inherited From field does not appear for server objects. Views and zones always reside within server objects.


3 Select a user (or group), and then click OK. The Access Control dialog box displays the added user and the user’s access rights.

4 To see the access rights available for any sub-level of the current object, click the down-arrow to the right of the Filter drop-down list. The drop-down list changes depending on which object you chose in the tree-view pane. For example, the Server object shows the complete list:

▪ All

▪ DHCP Group

▪ DHCP Service

▪ DHCP Shared Network

▪ DHCP Subnet

▪ DHCPv6 Service

▪ DNS Service

▪ Master Zone

▪ Name Server

▪ View

5 In the Enable column of the Access Rights area, modify the rights granted to this user (or group) by selecting the appropriate checkboxes for the access rights you want to modify.

6 In the Permission column, click in one of the rows, and then select the level of access control for each kind of object from the drop-down list: Hide, Read-Only, Change, or Full.

7 Click OK.
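The access model set up by the procedure above (users and groups, rights assigned per sub-object kind on a server, view, or zone, the Hide/Read-Only/Change/Full levels, inheritance from the parent object, and replication to child objects) is shown below as an added, illustrative Python resolver. It is not BlueCat's code; the project hierarchy and accounts are constructed, and two rules are assumptions of this model, not statements from the guide: the nearest ancestor with an enabled row wins, and when a user and one of its groups both match there, the more permissive level applies.

```python
"""Effective-permission resolver for the project-file access model.

Illustrative model only. Rights are stored on the object whose Access
Control dialog they were set in, keyed by the sub-object kind they govern
(the Filter list: "All", "Master Zone", "View", ...). A zone's effective
permission therefore comes from its parent view or server.
Assumptions (not from the guide): nearest explicit entry wins; among a
user and its groups at that object, the most permissive level applies.
"""

LEVELS = ("Hide", "Read-Only", "Change", "Full")   # least to most permissive


class ProjectObject:
    def __init__(self, name, kind, parent=None):
        self.name, self.kind, self.parent = name, kind, parent
        self.children = []
        # Enabled rows of the Access Control dialog: principal -> {kind: level}
        self.acl = {}
        if parent is not None:
            parent.children.append(self)

    def grant(self, principal, kind, level):
        if level not in LEVELS:
            raise ValueError("unknown permission level: " + level)
        self.acl.setdefault(principal, {})[kind] = level

    def replicate_to_children(self, principal):
        """Copy this principal's rights to every descendant (Replicate To Child Attributes)."""
        for child in self.children:
            child.acl[principal] = dict(self.acl.get(principal, {}))
            child.replicate_to_children(principal)

    def ancestors(self):
        node = self.parent
        while node is not None:
            yield node
            node = node.parent


def effective_permission(user, groups, obj):
    """Return (level, inherited_from_name) for `user` on `obj`.

    A newly created user or group has no rights, so the default is Hide.
    The row that applies is the one for obj.kind (or "All") on the nearest
    ancestor carrying an enabled row for any of the user's principals.
    """
    principals = [user] + list(groups.get(user, ()))
    for holder in obj.ancestors():
        found = []
        for p in principals:
            rows = holder.acl.get(p, {})
            level = rows.get(obj.kind, rows.get("All"))
            if level is not None:
                found.append(level)
        if found:
            return max(found, key=LEVELS.index), holder.name
    return "Hide", None


def allowed(user, groups, obj, action):
    """Minimum level each action needs (illustrative mapping, an assumption)."""
    needed = {"view": "Read-Only", "edit": "Change", "set_access": "Full"}[action]
    level, _ = effective_permission(user, groups, obj)
    return LEVELS.index(level) >= LEVELS.index(needed)


def build_sample():
    """Constructed sample project: one server, one view, two master zones."""
    server = ProjectObject("ns1", "Server")
    internal = ProjectObject("internal", "View", server)
    corp = ProjectObject("corp.example", "Master Zone", internal)
    lab = ProjectObject("lab.example", "Master Zone", internal)
    groups = {"alice": ["dns-ops"], "carol": ["dns-ops"], "bob": []}
    server.grant("dns-ops", "Master Zone", "Read-Only")   # ops can read every zone
    server.grant("dns-ops", "View", "Read-Only")
    internal.grant("alice", "Master Zone", "Change")      # alice edits zones in this view
    return server, internal, corp, lab, groups


if __name__ == "__main__":
    server, internal, corp, lab, groups = build_sample()
    for user in ("alice", "bob", "carol"):
        print(user, corp.name, effective_permission(user, groups, corp))
    server.replicate_to_children("dns-ops")
    print("after replication:", effective_permission("carol", groups, lab))
```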

You can replicate the attributes of parent objects to child objects by right-clicking the appropriate object in the Access Right column, and then selecting Replicate To Child Attributes.

Configuring External Authenticators

In large network environments, requirements may dictate that password management and account validity are centralized on a single system. In addition to authenticating users natively, Adonis can authenticate them through an organization’s existing LDAP, RADIUS, or Kerberos/Active Directory servers. Although users do not normally require a user account to log in to Adonis, when the user management sub-system is enabled they are prompted for a user name and password when opening project files. When you are creating or editing a user, you can switch authentication methods between the internal Adonis system and external systems by selecting an external authenticator.

To access an external authentication server, the details of the connection to this server are consolidated in an Adonis authenticator object. You can add authenticators as part of the user management subsystem (File > User Management). When you enable user management the Authenticators tab appears in the User Management dialog box.

Enabling user management requires a login for all future sessions using this configuration in the Management Console.

To add an authenticator:

1 Right-click in the empty region of the Authenticators tab, and then select New. The Add Authenticator dialog box opens.

2 Use the Add Authenticator dialog box to add authenticator objects for servers running LDAP, Radius, or Kerberos/Active Directory authentication.

Kerberos Authenticators

A Kerberos server issues a temporary permission ticket to an authenticated user. This ticket is authenticated and distributed using a Key Distribution Center (KDC). Kerberos authentication is also used for authentication in Microsoft Active Directory environments. For more information on integrating Adonis into Microsoft Active Directory environments, see Active Directory Integration on page 231.

If the authenticator information that is displayed does not appear to be current, you can update it by restarting the Management Console.

The fields that appear in the Add Authenticator dialog box differ for each of the available external authentication servers.


To add a Kerberos authenticator:

1 In the Add Authenticator dialog box, specify the following values:

Name—The name of this Kerberos authenticator object within Adonis.

Host—The host name or IP address of the Kerberos server that you are contacting to authenticate Adonis users.

Realm—The realm represents the administrative domain for the Kerberos server. This must be typed as ALL CAPS.

KDC—The host name or IP address of the Kerberos Key Distribution Center.

2 To ensure that the authenticator is configured properly, click Test Authenticator. This checks to see if a socket connection to the server can be formed. It returns a pop-up with status information on the authenticator connection.

3 To create this Kerberos authenticator object, click OK.

RADIUS Authenticators

RADIUS authentication is used in many embedded systems, including routers. It is often found running on servers as the default authentication system for networks. RADIUS authentication on Adonis is supported through the creation of a RADIUS authenticator object.


To add a Radius authenticator:

1 In the Add Authenticator dialog box, specify the following values.

Name—The name of this Radius authenticator object within Adonis.

Host—The host name or IP address of the Radius server.

Shared Secret—The shared secret between the client and the server passed as a text string. This value needs to be obtained from your Radius server configuration.

Auth Port—The port used when authenticating users, usually 1812. This port should not be changed unless your implementation requires another port to be supported. The port must be set properly here in order for the Adonis firewall to be reconfigured.

Acct Port—The port used for Radius accounting, usually 1813. This port should not be changed unless your implementation requires another port to be supported. The port must be set properly here in order for the Adonis firewall to be reconfigured.

Method—Select either the Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol (CHAP) depending which authentication method this server is accepting.

2 To ensure that the authenticator is configured properly, click Test Authenticator. This checks to see if a socket connection to the server can be formed. It returns a pop-up with status information on the authenticator connection.

3 To create this Radius authenticator object, click OK.
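The Shared Secret, Auth Port and PAP method above are exactly what a RADIUS client needs to build an Access-Request. As an added example that is not part of this guide, the following Python builds and parses such a request using the RFC 2865 PAP User-Password encoding, which shows why the secret must match on both ends: a server holding a different secret recovers garbage instead of the password. The username, password, secret and NAS address are constructed values.

```python
"""Build and parse a RADIUS Access-Request with a PAP-encoded User-Password (RFC 2865)."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1          # RADIUS Code field value for Access-Request
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
DEFAULT_AUTH_PORT = 1812    # the Auth Port default named in the guide


def pap_encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block); the first "previous block" is the 16-byte Request
    Authenticator. This only hides the password from casual observers: anyone holding the
    shared secret and the packet can reverse it, so the secret itself must stay private."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decrypt_password(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt_password (what the RADIUS server does before checking)."""
    if len(encrypted) % 16 != 0:
        raise ValueError("encrypted User-Password must be a multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encrypted[i:i + 16], key))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")   # drop the padding; PAP passwords never contain NUL


def _attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip="192.0.2.10", authenticator=None):
    """Return the wire bytes of an Access-Request (nas_ip is a constructed documentation address)."""
    if authenticator is None:
        authenticator = os.urandom(16)   # must be unpredictable per RFC 2865
    attrs = (_attribute(ATTR_USER_NAME, username.encode())
             + _attribute(ATTR_USER_PASSWORD, pap_encrypt_password(password.encode(), secret, authenticator))
             + _attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier & 0xFF, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {attr_type: value}).
    Rejects the length inconsistencies a robust server refuses to process."""
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute overruns packet")
        attrs[attr_type] = data[pos + 2:pos + attr_len]   # last occurrence wins; enough here
        pos += attr_len
    return code, identifier, data[4:20], attrs
```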

LDAP Authenticators

Lightweight Directory Access Protocol (LDAP) directories are server services used to store user information centrally, thereby providing a single log-on for a network.


To add an LDAP authenticator:

1 In the Add Authenticator dialog box, specify the following values.

Name—The name of this LDAP authenticator object within Adonis.

Host—The host name or IP address of the LDAP server.

Port—The TCP port used for communication between Adonis and the LDAP server.

Search Base—The location within the LDAP directory structure where the search for authenticating users begins.

2 To ensure that the authenticator is configured properly, click Test Authenticator. This checks to see if a socket connection to the server can be formed. It returns a pop-up with status information on the authenticator connection.

3 To create this LDAP authenticator object, click OK.


Chapter 4


Appliance Management

Adonis delivers reliable and secure DNS and DHCP. It can reside within any part of a network, including demilitarized zones (DMZs) close to the Internet where security threats are greatest. A packet-filtering/stateful-inspection firewall protects the appliance from inbound threats from the network. Adonis is designed on a secure hardware platform with a hardened Linux-based operating system that does not load kernel modules while it is running, and it runs BIND in a jailed environment. All of these precautions mean that Adonis operates wherever it is needed, rather than needing to be hidden in a secure portion of the network.

This chapter includes the following topics:

• Setting Default Appliance Options on page 35 explains how to set appliance options.

• Appliance Authentication Management on page 38 describes Adonis security measures.

• Management Console Server Controls on page 54 describes functions you can perform through the Management Console.

• Deploying a Project on page 56 describes the process of deploying a project file.

Setting Default Appliance Options

The Adonis Management Console contains default options. You can set various appliance options and customize some of the Adonis operating environment variables globally. The following sections describe the default settings that you can modify using the Options dialog box.

General Options

These settings control the global behaviors of the Management Console.


To customize the General options:

1 On the Tools menu, click Options. The Options dialog box appears.

2 To display the splash screen each time you launch the Management Console, select the Show splash screen on startup checkbox.

3 To check a project file for errors and logical inconsistencies before it is deployed, select the Set auto data check before deployment checkbox.

4 To create an extra copy of the project file each time it is saved, select the Backup files before saving (.bak extension) checkbox.

5 To autosave a project file when it is being checked in or out of the appliance, select the Auto save local copy for check in/out checkbox.

6 To maintain reverse pointers globally, select the Maintain reverse lookup record checkbox. You can override this option for individual host records.

7 To add a trailing dot to MX, CNAME, and NS records so that they are fully qualified within the domain, select the Auto add trailing dot for MX, CNAME, and NS records checkbox.

8 To select the number of project files that appear in the Welcome dialog box, use the arrows next to the Number of Recent Files list. This value also affects the number of files listed in the Recent Files section of the File menu.

9 Click OK.

Backup files let you revert to an earlier version of the file. Backups have the same name as the project file, but use the extension .bak. To keep several iterations, manually archive the files using different names.

The Number of Recent Files value is 5 by default, but you can use any number between 1 and 20.

Product Updates

These settings control the update behavior for the Adonis appliance.


To customize options for keeping your appliance up-to-date:

1 Click the Product Updates tab.

2 By default, Update Server is set to the Use Default option.

▪ If you want to specify a different server, select Specify Address, and then type the URL of the server.

▪ If you want to select a specific file, select Specify File, and then click Browse. Navigate to the file you want to use, and then click Open.

3 Click OK.

Specifying Proxy Settings

Proxy settings determine how to communicate with the update server. The Adonis update process supports the use of HTTP and SOCKS proxy settings.

This is generally not necessary, because updates are downloaded directly from the BlueCat Networks website.

If your organization uses a proxy server to access the Internet, you need to configure it here.


To specify proxy settings:

1 Click the Proxy Settings tab.

2 If you want Adonis to use a proxy during the update process, select the Use proxy for web connections checkbox, and then provide the following information:

▪ Proxy Type—HTTP or SOCKS

▪ Proxy Server—the fully qualified domain name (FQDN) of the proxy server

▪ Proxy Port—the port number for the proxy server within your network

3 If the proxy requires authentication, select the Proxy requires authentication checkbox, and then type the user name and password for the proxy in the corresponding fields.

4 Click OK.

Appliance Authentication Management

Adonis security measures include digital certificates and passwords. Adonis uses 1024-bit certificates on both the server and client side of the 128-bit SSL encrypted connection between the appliance and the Management Console. If the certificates on the appliance and the copies stored in the Management Console do not match, you cannot deploy your configurations.

Viewing, Adding, Changing and Deleting Certificates

Certificates are managed from the Management Console. You can view a list of the installed certificates, attach additional certificates, and change or remove certificates that are no longer required.

Certificates are generated automatically based on symmetrical key pairs and saved in a keystore on both the server and the client. For the installed certificates shown in the following topic, these files are saved to the client workstation:

• 172.20.210.1.ks

• 172.20.210.2.ks

For example, the default location for Windows is C:\Program Files\BlueCat Networks\Adonis\keystores, but you can specify another location in the Management Console.


To add, change, or delete server certificates:

1 On the Server menu, click Certificates Management. The Certificate Browser dialog box opens. If you have installed any server certificates, they are listed here.

2 To add a certificate to the list, click Add. The Connect To Server dialog box opens.

3 Choose a server from the drop-down list, type the password, and then click OK.

4 To delete a certificate, select it and then click Remove. The certificate is removed from the list in the Certificate Browser dialog box.

5 To change a certificate, click Change. The Connect To Server dialog box opens and connects to retrieve the modified certificate for this server. Changing a certificate is similar to adding one.

6 When you are finished, click Close.

If you select the Remember password checkbox, you do not need to type a password every time you connect to the server.

To define an alternate keystore location for the client workstation:

1 On the Tools menu, select Options. The Options dialog box opens.

2 Click the File Locations tab.

3 Click the path beside Certificates. The Select Directory dialog box opens. Use it to select another location or define a new folder.

4 Click OK.

If secure communication between the client and the appliance is not possible, you may need to repopulate the keystore on the appliance and subsequently re-install server certificates on client workstations. For example, communication may be affected if problems occurred during deployment. It might be necessary to delete any installed keystore files on the client machine as well as the certificate keystore (cert.ks) on the appliance. To repopulate the keystore on the appliance, restart the command server.

For more information, contact BlueCat Technical Support at: [email protected].


Resetting the Certificate

You can reset certificates using the Administration Console. In certain situations, for example with Crossover High Availability (see Crossover High Availability (XHA) on page 201), the Management Console may create a new certificate and replace the factory-set certificate on both the server and client. Adonis always has a single current certificate and the ability to revert to the factory-installed certificate. If these certificates continue to match, you can deploy new configurations. However, if the certificates become mismatched, you may have to reset the appliance certificate to its factory-set value (the certificate that shipped with your appliance).

• To reset the server certificate, type “reset certificate”, and then press Enter.

Passwords

Passwords are managed from the Management Console and from the Administration Console. You can set the administration password to any value, as well as reset the deployment password to its factory-set value using the Administration Console.

Setting the Administration Password

This is the password you use to log into the Administration Console. You set the administration password in main mode.

To set the administration password:

1 Type “set admin password”, and then press Enter.

2 Type a new password, and then press Enter.

3 Type the new password again, and then press Enter.

Resetting the Deployment Password

The deployment password is the password you use to deploy configurations and perform other actions from the Management Console. You set the deployment password in main mode.

• To reset the deployment password to its factory-set value, type “reset deployment password”, and then press Enter.

You can set the deployment password to a new value in the Management Console. For more information, see Management Console Server Controls on page 54.

Resetting from Proteus Control

You cannot create DNS and DHCP configurations through the Adonis Management Console while Adonis is under the control of a Proteus IPAM appliance. You must remove the Adonis appliance from Proteus control before you can use Adonis on its own again.

• To remove Proteus control, use the main mode of the Adonis Administration Console. Type “reset from proteuscontrol”, and then press Enter.

If you entered this command by mistake, press Enter six times, until you return to the command prompt.


Administration Console Server Controls

The following sections describe some of the server control operations that are available from the Administration Console. These settings have a direct effect on the operational state of the appliance itself rather than on any services it may be running.

Rebooting and Shutting Down

Adonis is extremely stable, but you may occasionally need to reboot or shut down the appliance (for example, to reset the startup services).

• To reboot Adonis from the Administration Console main mode, type “reboot”, and then press Enter.

• To shut down Adonis from this mode, type “shutdown”, and then press Enter.

Adonis prompts you to confirm each operation before it executes the command.

You can also perform these functions in the Management Console. For more information, see Management Console Server Controls on page 54.

LCD

The Liquid Crystal Display (LCD) on the front panel of the Adonis appliance gives you quick access to important settings (for example, the appliance’s IP address) without setting up an SSH connection. You can enable and disable the LCD in main mode.

• To enable the LCD, type “enable lcd”, and then press Enter.

• To disable the LCD, type “disable lcd”, and then press Enter.

Inspecting the Network Configuration

You can view any network setting from main mode, but to change most of the settings, you must work in one of the configuration modes.


Viewing Network Interface Settings

You can use a unified set of commands to view general and specific network interface settings, including IP address, gateway, subnet mask, speed, and duplex.

• To view the network interface settings for the entire appliance, open main mode, type “show network”, and then press Enter. For example:

:adonis>show network
Eth0:
address:192.168.127.2
gateway:192.168.127.1
netmask:255.255.255.0
speed:
duplex :auto-negotiation :
inet6 : fe80::20c:29ff:fed6:385f/64
:adonis>_

• To view the network settings for a specific interface, open network configuration mode, type “show network interface interface” (where interface is the name of the interface), and then press Enter.

Configuring Network Settings

The Adonis network configuration commands allow you to change important settings; for example, IP address, subnet mask, gateway, speed, and duplex.

• To access network configuration mode, type “configure network”, and then press Enter.

• To delete a network interface completely, type “del interface”, where interface is the name of the interface, such as eth1.

You may omit the word “network” from all commands if you are working in network configuration mode.

Changing IP Address Settings

In configuration mode, you can change the network interface settings as well as view them.

To set the IP address, subnet mask, and gateway simultaneously:

1 Type “set network interface”, where interface is either eth0 or eth1, and then press Enter.

2 Type the IP address of the interface, and then press Enter.

3 Type the subnet mask, and then press Enter.

4 Type the gateway, and then press Enter.


To set the IP address, subnet mask, or gateway individually, type “set network interface setting address”, where setting is ip, netmask, or gateway, and address is the appropriate address or mask, and then press Enter. For example:

:configure:network>set eth0 ip 192.168.127.2
:configure:network>set eth0 netmask 255.255.255.0
:configure:network>set eth0 gateway 192.168.127.1

Changing Speed and Duplex Settings

You can set the network speed and duplex settings of a specified network interface. This is useful where network environments use switches that need specific speed and duplex settings rather than automatically negotiated settings.

To set the speed and duplex manually:

1 To switch off auto-negotiation from main mode, type “set autoneg off”, and then press Enter.

2 To set the speed of a network interface from main mode, type “configure network interface interface”, where interface is either eth0 or eth1. Type “set speed speed”, where speed is 10, 100, or 1000, and then press Enter.

3 To set the duplex of a network interface from main mode, type “configure network interface interface”, where interface is either eth0 or eth1. Type “set duplex duplex”, where duplex is either half or full, and then press Enter.

You must set the speed and duplex manually if you are using Crossover High Availability (XHA). To ensure trouble-free HA operation, set the speed to 100 and set Full duplex on Adonis and on the switch you are using.

Do not try to configure half-duplex communication. If you try to configure half-duplex, Adonis prevents you from saving the setting and an error message appears. For more information about duplex settings, contact BlueCat Networks at: http://www.bluecatnetworks.com/clientsupport/self-service/.

Configuring the Hostname

You can display and modify the hostname for the Adonis appliance from main mode.

• To display the hostname, type “show hostname”.

• To set the hostname, type “set hostname hostname”, where hostname is the new name.

Viewing and Setting the Time

Many applications, including VoIP, and many Adonis services, such as failover, authentication logging, and high availability, require time synchronization to function properly. For this reason, it is important to set the time correctly. You can set the time manually in main mode or use NTP to set it automatically.


Viewing the Time

• To view the current time, type “show time”, and then press Enter.

• To view the time zone that Adonis believes it is in, type “show timezone”, and then press Enter.

Setting the Time Manually

If you do not have access to an NTP server, or if you do not want to create network traffic by querying one, you can set the Adonis internal clock manually.

To set the clock manually:

1 Type “set time”, and then press Enter.

2 Type the current time in the format MMDDHHMMYYYY.SS (month, day, hour, minutes, year, seconds), using the 24-hour clock. For example, if the current time is 10:11:16 on December 27, 2008, type 122710112008.16, and then press Enter.

Setting the Time Zone

Setting the time zone ensures that Adonis behaves correctly with regard to daylight saving time. This is important for ensuring uninterrupted service.

• To access time zone configuration mode, type “configure timezone”, and then press Enter.

Displaying the Time Zone

• To display the current time zone, type “show timezone”, and then press Enter. For example:

:configure:timezone>show
Area=Canada
City=Eastern

You may omit the word “timezone” from the time zone commands if you are working in time zone configuration mode.

Setting the Time Zone

To set the time zone:

1 Type “set timezone”, and then press Enter.

2 Select an area from the numbered list, and then press Enter:

    1 Africa
    2 America
    3 US time zones
    4 Canada time zones
    5 Asia
    6 Atlantic Ocean
    7 Australia
    8 Europe
    9 Indian Ocean
    10 Pacific Ocean
    11 Use System V style time zones
    12 None of the above

3 If you chose an option from 1 to 10, select a city or zone from the numbered list, and then press Enter. The options change depending on the area you chose in the previous step.

4 If you chose option 11, select one of the 13 System V time zones.

5 If you chose option 12, select one of the 35 possible time zones, based on Greenwich Mean Time (GMT).

Network Time Protocol (NTP)

Network Time Protocol (NTP) synchronizes the time settings between servers. The protocol consists of a client and a service. The Adonis NTP client runs automatically to synchronize the server. Some services like XHA and DHCP Failover require NTP synchronization to function correctly. Adonis can provide NTP service to a network and it can also set its own time as an NTP client.

Setting the Time on Adonis with the NTP Client

An NTP server provides the correct time and is useful for synchronizing multiple Adonis appliances to within a second. Adonis always checks a pre-defined list of NTP servers and updates its time each day at 6:25 a.m. This service always runs and does not need to be enabled.

NTP Configuration Mode

Adonis has a configuration mode for setting up the NTP service.

• To enter this mode, type “configure ntp”.

Unless you have considerable experience with NTP, it is probably best to accept the default values.


To add an NTP server to the pre-defined list of servers:

1 Type “add server address”, where address is the IP address of the NTP server.

2 At the :adonis> prompt, type “configure ntp”, and then press Enter.

3 At the :configure:ntp:> prompt, type “add server”, and then press Enter.

4 Type appropriate answers to the questions that appear on the screen, and then type “save”.

▪ autokey—type “Y” for NTP authentication using the Autokey protocol

▪ version—the version to use for outgoing NTP packets (4 is the default)

▪ burst—send a burst of 8 packets, instead of one packet

▪ prefer—mark the reference clock as preferred, so this host is chosen for synchronization

▪ minpoll—the minimum polling interval for the reference clock

▪ maxpoll—the maximum polling interval for the reference clock

For example:

:adonis>configure ntp
:configure:ntp:>add server <ip-address>
Use autokey ([yes|no] or leave blank to set to default)?
Please input version (1,2,3,4, leave blank to set to default):
Set burst ([yes|no] or leave blank to set to default)?
Set prefer ([yes|no] or leave blank to set to default)?
Please input minpoll (leave blank to set to default):
Please input maxpoll (leave blank to set to default):
:configure:ntp:>save
Configurations have been saved.

This server is added to the top of the list and is queried first. Adonis contacts the servers starting at the top of the list and continues until it receives a response. As long as the NTP server allows the Adonis server to be an NTP client, time is synchronized each time the Adonis server boots.

• To delete an NTP server from the pre-defined list of servers, type “del server address”, where address is the IP address of the NTP server.

• To display the list of NTP servers, open configure ntp mode, and then type “show server”.

When Adonis is managed by Proteus, the Proteus IP address is automatically added to the top of the list. For these Adonis appliances, time is synchronized upon deployment and upon every reboot.

Providing the Time with the NTP Service

The NTP service is essential to some of the more complex Adonis functions. A specific external time reference is also essential to some organizations for reports and compliance tracking. The Adonis NTP service acts both as a source of NTP synchronization for clients and as a client of another NTP service that synchronizes the clock reference it provides. The Adonis NTP service commands described here should be sufficient for most NTP service requirements.

• To enable the Adonis NTP service on startup, type “enable startup ntp”, and then press Enter.

• To disable the Adonis NTP service on startup, type “disable startup ntp”, and then press Enter.


NTP Servers

The Adonis NTP service sets its own time through NTP. The Adonis server acts as a client for another NTP server. NTP servers can be added to the list that is queried. Typing the command “show ntp” in main mode displays the list of NTP servers. For example:

:adonis>show ntp-server
server 127.0.0.1 autokey burst version 3 prefer
server 0.north-america.pool.ntp.org
server 0.europe.pool.ntp.org
server 127.127.1.0

NTP Logs

You can specify a custom location for logging the NTP service.

• In configuration mode, type the command “set logconfig” and specify an absolute path for the log, including the log file name.

• To display the log location, type the command “show logconfig”.

Configuring the Routing Table

The Adonis routing table indicates where the system should send packets intended for certain IP addresses. Packets to be sent to hosts on the same subnet as the Adonis appliance can be routed directly to that subnet, but packets for hosts on other subnets must be sent through a gateway (a router). The same procedures can be used to manage either IPv4 or IPv6 routes.

• To access routing table configuration mode, type “configure routetable”, and then press Enter.

You may omit the word “routetable” from the routing table commands if you are working in routing table configuration mode.

Viewing the Routing Table

To view the routing table, type “show routetable”, and then press Enter. For example:

:adonis>show routetable
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

• The first line states that all requests for hosts in the 192.168.1.0/24 network should be routed directly to the host, and therefore do not require a gateway. This is possible because these hosts are on the same subnet as the Adonis appliance.

• The second line states that all other requests should be directed to the router at 192.168.1.1.

The columns contain the following information:

Destination—The destination subnet or host of a packet.


Gateway—The gateway through which to route a packet.

Genmask—The bits of the packet’s intended destination that must match the value in the destination column.

Flags—The flag value indicates the type of route.

▪ R—This is a reinstate route for dynamic routing.

▪ M—This is a modified route, probably modified using the mod option.

▪ C—This is a route from the kernel routing cache.

▪ U—This route is up.

▪ G—This is a gateway route.

▪ I—Internal route using the loopback interface for other than loopback purposes.

▪ !—Datagrams to this route are rejected.

Metric—This is the distance to the target destination, usually measured in hops.

Ref—This is the number of references to this route by other systems.

Use—This is the count of lookups for the route, or the number of times it has been looked up by IP.

Iface—The network interface that routes the packets.
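As an added example that is not part of this guide, the following Python parses “show routetable” output in the layout shown above into route objects, decodes the flag letters listed here, and resolves which route a destination would take by longest-prefix match (lowest metric on ties). It goes slightly beyond the page by adding a constructed reject (!) route to the sample so the rejection case is exercised; the sample table is constructed, not captured from an appliance.

```python
"""Parse Adonis 'show routetable' output and resolve which route a destination would use."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Flag letters as listed in the guide's column description.
FLAG_MEANINGS = {
    "U": "route is up",
    "G": "gateway route",
    "R": "reinstate route for dynamic routing",
    "M": "modified route",
    "C": "route from the kernel routing cache",
    "I": "internal route using the loopback interface",
    "!": "datagrams to this route are rejected",
}

# Constructed sample in the layout the guide shows, plus a rejecting route (not on the page).
SAMPLE_ROUTETABLE = """\
:adonis>show routetable
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.9.0.0        -               255.255.0.0     !     0      0        0 -
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None means "deliver directly on the subnet"
    flags: str
    metric: int
    iface: str

    def describe(self) -> str:
        meanings = ", ".join(FLAG_MEANINGS.get(f, f"unknown flag {f}") for f in self.flags)
        via = f"via gateway {self.gateway}" if self.gateway else "directly, no gateway"
        return f"{self.network} {via} on {self.iface} ({meanings})"


def parse_routetable(text: str) -> List[Route]:
    """Read the netstat-style table: Destination, Gateway, Genmask, Flags, Metric, Ref, Use, Iface.
    IPv4 only: the Genmask column carries a dotted mask, which this parser pairs with Destination."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue   # prompt, title line and column header are not routes
        dest, gw, mask, flags, metric, _ref, _use, iface = parts
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        gateway = None if gw in ("0.0.0.0", "-") else ipaddress.IPv4Address(gw)
        routes.append(Route(network, gateway, flags, int(metric), iface))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match, lowest metric on ties. If the winning route carries the
    '!' flag the packet is rejected, so None is returned rather than a less specific route."""
    addr = ipaddress.IPv4Address(destination)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    best = min(matches, key=lambda r: (-r.network.prefixlen, r.metric))
    return None if "!" in best.flags else best
```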

Adding Routes

Although Adonis maintains the routing table, you may want to add a permanent route to the table to improve the routing efficiency.

To add a route to the routing table:

1 Type “add routetable”, and then press Enter.

2 Type the destination address for the route, and then press Enter.

3 Type the netmask for the route (i.e., the netmask determining the subnet that a packet must match), and then press Enter.

4 Type the IP address of the gateway for the route, and then press Enter.

Deleting Routes

If you no longer require a route, you can delete it by specifying its address, netmask, and gateway.

To delete a route:

1 Type “del routetable”, and then press Enter.

2 Type the destination address for the route, and then press Enter.

3 Type the netmask for the route (i.e., the netmask determining the subnet that a packet must match), and then press Enter.

4 Type the IP address of the gateway for the route, and then press Enter.

If the route does not require a gateway, type 0.0.0.0 as the IP address.

For XHA, the routing table must be set identically on both Adonis nodes through their respective Administration Consoles.


Configuring Anycast

Anycast is a technique for assigning a common IP address to multiple servers that provide the same service; it allows load balancing and redundancy. A client asking for that IP address is directed to the geographically closest server using Open Shortest Path First (OSPF).

The Anycast technique is useful for large DNS applications that handle a high volume of requests. For example, the DNS root servers use Anycast to distribute their service throughout the world. Although most root servers are nominally located in the United States, most of the physical machines are located elsewhere and share a U.S. IP address.

Adonis uses the Zebra daemon to broadcast Anycast addresses to the appropriate routers.

Controlling the Anycast Service

• To enable Anycast, type “enable anycast”, and then press Enter.

• To disable Anycast, type “disable anycast”, and then press Enter.

• To check whether Anycast is currently running, type “isrunning anycast”, and then press Enter.

Managing Anycast Addresses

To display existing Anycast addresses:

• To show the Anycast settings for this Adonis appliance in main mode, type “show anycast”, and then press Enter.

To create a virtual address for load balancing using Anycast:

1 Type “set anycast”, and then press Enter.

2 Type “lo”, “lo:0”, or “lo:1” as the loopback interface that spoofs the address, and then press Enter.

3 Type the IP address, and then press Enter.

4 Type the subnet mask, and then press Enter.

To delete an Anycast address:

• Type “del anycast”, and then press Enter.

You are prompted to type the name of the loopback interface you want to delete.

Configuring the Anycast Service

You can configure the Zebra Anycast service in Linux for OSPF using the Zebra command set. The Linux Zebra documentation describes these commands. For more information, refer to www.zebra.org.

To configure Anycast for OSPF:

1 Type the command “configure anycast ospf”.

2 When prompted for the password, type ospf.


Administration Console Service Control

Many Adonis services can be controlled from the Management Console and the Administration Console, but the command server can only be configured from the Administration Console. The service controls for DNS, DHCP, and TFTP are described here and in their respective chapters. This section describes some of the service controls that are found in the Administration Console. Service control is always performed in main mode.

Command Server

The command server allows the Management Console to communicate with the appliance. It is an agent program that provides communication and reporting between the appliance and the Management Console, and implements the server control and deployment commands issued by the Management Console. When you make major changes to the appliance, for example, changes in the Administration Console, you may need to restart the command server.

• To start the command server, type “start commandserver”, and then press Enter.

• To stop the command server, type “stop commandserver”, and then press Enter.

• To restart the command server, type “restart commandserver”, and then press Enter.

• To check whether the command server is running, type “isrunning commandserver”, and then press Enter.

XHA

To check whether this unit is a member of a high-availability cluster, use the command “isrunning xha”. The answer shows you whether or not the XHA heartbeat is present; if it is, this appliance is a member of an XHA pair. For more information, see Crossover High Availability (XHA) on page 201.

Firewalls

Adonis includes a powerful firewall to protect your DNS and DHCP services against malicious network traffic. The firewall is usually running, but you can disable it for diagnostic purposes. You can also view the current status and settings of the firewall.

Adonis rejects ICMP packets including pings while the firewall is in place.


Firewall RequirementsAdonis uses the ports shown in the following table:

• To enable the firewall, type “enable firewall”, and then press Enter.• To disable the firewall, type “disable firewall”, and then press Enter.• To see the current port protection settings used by the firewall, type “show firewall”, and

then press Enter.• To scroll down, press Enter.

Port #            Protocol  Notes                    Purpose                                                  In/Out         Optional
22                TCP       SSH2 (secure shell)      SSH/SCP connectivity to appliances                       Bidirectional  Optional
53                TCP/UDP   DNS                      DNS server                                               Bidirectional  Optional
67                UDP       DHCP                     DHCP server                                              In             Optional
68                UDP       DHCP                     DHCP server                                              Out            Optional
69                UDP       TFTP                     TFTP service for file transfer                           Bidirectional  Optional
80                TCP       MAC Authentication       MAC Authentication portal                                Bidirectional  Optional
88                TCP/UDP   Kerberos                 Kerberos/Active Directory authentication                 Bidirectional  Optional
123               UDP       NTP                      Network Time (client) (in from user ports)               In             Optional
123, 1023-65535   UDP       NTP                      Network Time (client)                                    Out            Optional
161               UDP       SNMP Polling             SNMP management                                          Bidirectional  Optional
162               UDP       SNMP Traps               SNMP management                                          Out            Optional
389               TCP/UDP   LDAP                     LDAP authentication                                      Bidirectional  Optional
443               TCP       MAC Authentication       MAC Authentication portal                                Bidirectional  Optional
647/847           TCP       DHCP Failover            DHCP Failover communication ports                        Bidirectional  Optional
694               UDP       XHA                      XHA State information (heartbeat)                        Bidirectional  Optional
1812              TCP/UDP   Radius                   Radius authentication                                    Bidirectional  Optional
10042             TCP       Adonis Management Port   Secure management / connectivity to Proteus appliances   Bidirectional  Required
10044             UDP       XHA                      File and state synchronization                           Bidirectional  Optional
10045             TCP/UDP   Notification Port        Adonis to Proteus notification (DDNS, IP leases, etc.)   Bidirectional  Required
10046             UDP       XHA                      XHA File Sync port                                       Bidirectional  Optional


• To exit the firewall viewer, press “Q”.
• To enable or disable the firewall on startup, use the command “enable startup firewall” or “disable startup firewall”.

SSH

Version 2 Secure Socket Shell (ssh) allows a client to communicate with the appliance and access the Administration Console remotely. You can enable or disable ssh access to Adonis. By default, Adonis ships with ssh disabled for security purposes.

• To enable ssh, type “enable ssh”, and then press Enter.
• To disable ssh, type “disable ssh”, and then press Enter.

Startup Services

Certain services can be set to start up or not start up the next time the appliance is rebooted.

• To enable a startup service, type “enable startup service”, and then press Enter, where service is firewall, ntp, ntp-server, or snmp.

• To disable a startup service, type “disable startup service”, and then press Enter, where service is firewall, ntp, snmp or anycast.

• To check the status of a startup service, type “isenabled startup service”, and then press Enter, where service is firewall, ntp, snmp or anycast.

Network Services

These network services are controlled, and to some extent configured, from the Administration Console in Adonis.

BIND/DNS

Adonis uses the Berkeley Internet Naming Daemon (BIND) to provide its DNS service. The executable file for BIND is called named, the name daemon. This service can be managed from the main mode of the Administration Console.

• To start BIND, type “start bind”, and then press Enter.
• To stop BIND, type “stop bind”, and then press Enter.
• To restart BIND, type “restart bind”, and then press Enter.
• To view some statistics on the DNS service, type “show status bind”, and then press Enter.
• To check whether BIND is running, type “isrunning bind”, and then press Enter.

The firewall can also be enabled or disabled using the checkbox on the Security and Admin Settings tab for the server in the Management Console.

SNMP requires you to enter the IP address of an SNMP controller.


DHCP/DHCPv6

Adonis uses the ISC DHCP server to provide its DHCP service. The executable file for ISC DHCP is called the DHCP daemon or dhcpd. To manage the IPv6 DHCP service on Adonis, use dhcpv6 instead of dhcp as a token.

• To start DHCP, type “start dhcp”, and then press Enter.
• To stop DHCP, type “stop dhcp”, and then press Enter.
• To restart DHCP, type “restart dhcp”, and then press Enter.
• To check whether DHCP is running, type “isrunning dhcp”, and then press Enter.

TFTP

Adonis provides a TFTP service to store extra files for configuration and firmware management for certain client devices. The TFTP service is set up using the Management Console, but the TFTP service itself can be managed from the Administration Console.

• To start the TFTP service, type “start tftp”, and then press Enter.
• To stop the TFTP service, type “stop tftp”, and then press Enter.
• To restart the TFTP service, type “restart tftp”, and then press Enter.
• To check whether the TFTP service is running, type “isrunning tftp”, and then press Enter.

Management Console Server Controls

The Management Console interfaces with the physical appliance to execute specific commands and to deploy projects and configuration changes. The most common use of this interface is for deploying project files to appliances. Other commands include querying the appliance version, starting and stopping specific services, and controlling the firewall.

Generally, real-time control of the Adonis appliance is available through the Administration Console, while the Management Console is used to create and edit projects before deploying them to the appliances. Some operations, however, need to be performed in real time from the Management Console. The Management Console includes a number of server control functions.

To access the Server Control functions:

1 From the Management Console Server menu, click Server Control. The Server Control dialog box opens.


2 Select the server, type the password, and then select the appropriate actions.

3 To perform the selected action, click Execute.

4 To see the full range of options, scroll through the Action list:

▪ Server Version Query—retrieves the server version number.
▪ High Availability Status Query—retrieves the status of the XHA system on this Adonis.
▪ Set HA Failure Detection Time—the time interval before a failover occurs.
▪ Perform HA Failover—forces an HA failover on the selected Adonis appliance.
▪ Detect Server’s Appliance Type—checks to see which type of Adonis appliance is installed.
▪ Restart Server—reboots the operating system and services on the selected appliance.
▪ Shutdown Server—physically powers off the appliance.
▪ Change Deployment Password—allows an administrator to change the password.
▪ Restart Named—restarts the named daemon (DNS service).
▪ Stop Named—stops the named daemon.
▪ Start Named—starts the named daemon.
▪ Restart DHCP—restarts the dhcp daemon.
▪ Stop DHCP—stops the dhcp daemon.
▪ Start DHCP—starts the dhcp daemon.
▪ Enable Firewall—re-enables the firewall after debugging or connectivity testing.
▪ Disable Firewall—disables the firewall for debugging purposes or connectivity testing. The firewall is automatically re-enabled when you restart the server.
▪ Enable Query Logging—enables the server’s query logging feature.
▪ Enable SSH—enables Version 2 Secure Socket Shell (SSH).
▪ Disable SSH—disables Version 2 Secure Socket Shell (SSH).
▪ Disable Query Logging—disables the server’s DNS query logging feature.


▪ Query DHCP Failover State—if an Adonis is a DHCP failover peer, this command can determine whether it is in the normal, communication-interrupted, or partner-down state.

▪ Start DHCP Failover Monitor—starts the server’s DHCP failover monitor (fomon) service.
▪ Stop DHCP Failover Monitor—stops the server’s DHCP failover monitor service.
▪ Set DHCP Failover State—forces an Adonis that is a DHCP failover peer into normal, communication-interrupted, or partner-down state.
▪ Start Adonis Mirage Adapter—starts the Mirage Adapter service.
▪ Stop Adonis Mirage Adapter—stops the Mirage Adapter service.
▪ Start DHCPv6—enables support for IPv6 within the DHCP service.
▪ Restart DHCPv6—restarts support for IPv6 within the DHCP service.
▪ Stop DHCPv6—disables support for IPv6 within the DHCP service.

Deploying a Project

When you are satisfied with a project file, you can deploy it to the appropriate appliances and activate your DNS and DHCP services. For more information about file checking, see Checking and Correcting a File on page 90. For more information about deployment, see Deploying the Project File on page 92.

Viewing System Logs

You can view Adonis system logs for the purposes of troubleshooting or gathering information.

To view a log file:

1 In the tree-view pane of the Management Console, right-click the name of the server whose logs you want to view, and then select View Log Files. The View Log Files dialog box opens.

2 Select the server from the drop-down list, and then type its administration password.

3 From the Log Type drop-down list, specify the log you want to view:

▪ Command Server
▪ DNS
▪ System
▪ Update
▪ DHCP

You can also view log files from the Server menu by using the Server > View Logfiles command.

4 Specify how much of the log you want to see by selecting a value from the Nr. of lines drop-down list.

5 Click View Log. The View Log dialog box opens showing the specified text from the log file.

6 Use the icons to save or explore the data:

▪ Copy to Clipboard—copy the file so you can paste it into another application.
▪ Save to File—save the log file so you can open it in another program, for example, a spreadsheet or word-processor.
▪ Reload Log File—reloads the current log file.
▪ Select Log File—calls the View Log Files dialog box so you can select another log file.
▪ Search—calls a dialog box that prompts you to search the log file for specific text.
▪ Go To—calls a dialog box that prompts you to type a line number in the log file.

7 Click Close.

Configuring System Log Output

You can configure the appliance to send its system log to an external server, which is useful for reviewing logging information in a central location or with a particular viewer.

Administration Console System Log Redirection

You can set up specific system log redirections from the Administration Console. All of the commands in this section use configuration mode.

• To enter the configuration mode for system log redirection, type “configure syslog”.


Adonis automatically enables system log redirection if you have created any configuration statements. In configuration mode, you can configure the system log services daemon to have multiple redirection destinations and redirection selectors.

System Log Custom Action Statements

When setting up system log redirection on Adonis, you can specify selector fields and assign action fields to them. Custom action statements are an alternative to redirection statements: only one redirection or custom action statement is required to create a redirect configuration, although many can exist in the configuration.

Selector fields describe types of messages within the syslog, for example, BIND syslog entries. Action fields describe what to do with the entries matching these selectors when they are found. Sending entries matching a particular selector to a specified IP address is the default behavior for redirection statements on Adonis. Custom action statements can have other actions, such as writing the selected entries to a named pipe or a separate file.

The syntax for custom action statements on Adonis is “add selector_field action_field” to add and “del selector_field action_field” to delete. Selectors can be displayed on Adonis with the command “show selectors”.

Syslog Redirection Statements

You can configure Adonis with syslog redirections using the command “add redirection ip_address selectors”. They can be deleted with the command “del ip_address selectors”. Redirections can be viewed with the command “show redirections”. Syslog entries matching the selector set in the statement are sent to the IP address specified.
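The selector and action semantics described in the two subsections above, as an added Python example (not Adonis code): it parses both statement forms the guide gives, validates the redirection address, and routes constructed syslog messages. The facility.priority selector spelling and the @ip / |pipe / file action spellings follow classic syslogd and are assumptions, as are the addresses and paths used.

```python
import ipaddress
from dataclasses import dataclass

# Classic syslogd priorities, least to most severe. A selector "facility.priority"
# matches messages at that priority or higher (assumption: Adonis selectors follow
# this form; the guide does not show the selector syntax itself).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]


@dataclass(frozen=True)
class Selector:
    facility: str  # a facility name such as "daemon", or "*" for any facility
    priority: str  # minimum priority, or "*" for any priority

    def matches(self, facility: str, priority: str) -> bool:
        if self.facility not in ("*", facility):
            return False
        if self.priority == "*":
            return True
        return PRIORITIES.index(priority) >= PRIORITIES.index(self.priority)


@dataclass(frozen=True)
class Statement:
    selectors: tuple  # one or more Selector
    kind: str         # "redirect" (to an IP address), "pipe" or "file"
    target: str       # IP address, named-pipe path or file path


def parse_selector(text: str) -> Selector:
    facility, sep, priority = text.partition(".")
    if not sep or not facility or not priority:
        raise ValueError(f"selector must be facility.priority: {text!r}")
    if priority != "*" and priority not in PRIORITIES:
        raise ValueError(f"unknown priority in selector {text!r}")
    return Selector(facility, priority)


def parse_statement(line: str) -> Statement:
    """Parse one 'add' statement in either of the forms the guide gives:

        add redirection ip_address selectors     (syslog redirection statement)
        add selector_field action_field          (custom action statement)

    A selector field may hold several selectors separated by commas. Action
    fields use the classic syslogd spelling (assumption): "@ip" sends to a
    remote host, "|path" writes to a named pipe, anything else is a file path.
    """
    parts = line.split()
    if parts[:2] == ["add", "redirection"] and len(parts) == 4:
        kind, target, selector_field = "redirect", parts[2], parts[3]
    elif parts[:1] == ["add"] and len(parts) == 3:
        selector_field, action = parts[1], parts[2]
        if action.startswith("@"):
            kind, target = "redirect", action[1:]
        elif action.startswith("|"):
            kind, target = "pipe", action[1:]
        else:
            kind, target = "file", action
    else:
        raise ValueError(f"malformed statement: {line!r}")
    if kind == "redirect":
        ipaddress.ip_address(target)  # raises ValueError for a bad address
    selectors = tuple(parse_selector(s) for s in selector_field.split(","))
    return Statement(selectors, kind, target)


def route(statements, facility: str, priority: str):
    """Return the (kind, target) actions that fire for one syslog message."""
    return [(s.kind, s.target) for s in statements
            if any(sel.matches(facility, priority) for sel in s.selectors)]


# Constructed configuration: one redirection statement and two custom actions.
# 192.0.2.10 is a documentation address standing in for a central syslog host.
CONFIG = [
    "add redirection 192.0.2.10 daemon.info",
    "add daemon.err |/var/run/dns-alerts.pipe",
    "add *.crit /var/log/critical.log",
]

# Constructed sample messages as (facility, priority, text).
SAMPLE_MESSAGES = [
    ("daemon", "info", "named[1234]: zone example.com/IN: loaded serial 2008010101"),
    ("daemon", "err", "named[1234]: zone example.com/IN: transfer failed"),
    ("kern", "crit", "kernel: Out of memory: killed process 4321"),
    ("daemon", "debug", "dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0"),
]


def route_all(config_lines, messages):
    """Map each message text to the actions the configuration triggers for it."""
    statements = [parse_statement(line) for line in config_lines]
    return {text: route(statements, fac, pri) for fac, pri, text in messages}


if __name__ == "__main__":
    for text, actions in route_all(CONFIG, SAMPLE_MESSAGES).items():
        print(f"{text[:45]:45} -> {actions or 'dropped'}")
```

A debug-level message that matches no statement is simply not redirected, which is the case to check when forwarded logs look incomplete.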

Viewing Logs

Adonis keeps several logs that you can view for debugging purposes:

• commandserver is the command server log. It contains information on commands that have been sent from the Management Console.

• bind contains information related to the DNS service.

• syslog is the general system log file.

• update contains information about server updates.

Using the Log Viewer

The log viewer in the Administration Console has two modes: less and tail.

In less mode the viewer shows the entire file. This is useful for administrators who want to examine the entire file to review Adonis operations or diagnose problems. To scroll down, press Enter. To quit, press “Q”.

In tail mode the viewer shows only the last ten lines of the file. The display updates as various processes append new lines to the file. This is useful for administrators who want to monitor the log as it updates in real time. To quit, press Control+C.

• To set the log viewer mode, type “set log viewer=less” or “set log viewer=tail”, and then press Enter.

• To view a log from the Administration Console, type “show log log”, and then press Enter, where log is syslog, commandserver, update, or bind.

Other logs are available for functions such as XHA. You can find these logs in the directory /var/log.


Simple Network Management Protocol

The Simple Network Management Protocol (SNMP) allows a manager workstation (polling) or trap server to obtain data about devices on the network. This may include the almost real-time status of services and server functionality and the security and service settings on the device. Adonis appliances can behave as managed devices on an SNMP-enabled network.

Adonis includes support for SNMP versions 1, 2c, and 3. Versions 1 and 2c do not include any authentication or remote administration capabilities. This means that you only need to enable SNMP and set the appropriate SNMP username (or community string) for it to function correctly. You can also set the polling period to control how often SNMP values are refreshed on the appliance. SNMPv3 includes authentication and access control. To set up SNMPv3, you must also set the SNMP password and the Trap Server username, password, and address. Version 3 has the ability to send information as SNMP traps.

Enabling SNMP

You enable SNMP from the main mode of the Administration Console.

• To enable the SNMP service, type “enable snmp”, and then press Enter. Type the address of an SNMP manager that is responsible for monitoring Adonis. After you change SNMP settings on Adonis you may need to restart the service by disabling it, and then enabling it again.

• To disable the SNMP service, type “disable snmp”, and then press Enter.
• To see the configuration for the SNMP service on Adonis, type “show snmp”, and then press Enter.

Configuring SNMP

You configure SNMP from the configuration mode of the Administration Console.

• To enter this mode, type the command “configure snmp”. In SNMP configuration mode you can use all of the commands listed below. Changes you make in configuration mode do not become active until you have saved or updated them.

Core SNMP Service Settings

The following settings are essential to the functionality of the SNMP service on Adonis.

Community String—All versions of SNMP use a community string to validate the SNMP controller asking for updates or registering to receive traps. Adonis uses the SNMPv3 username as the community string for all three versions of the SNMP protocol.

Username/Password—SNMPv3 needs a username and password to protect managed devices. In order for the SNMP manager to access an Adonis appliance with the SNMPv3 protocol, it must use a specific username and password.

To set the SNMP username and password:

1 Type “set username username”, and then press Enter.

The username must be at least four characters long and the password must be at least eight characters.


2 Type “set password password”, and then press Enter.

3 To display the username, type “show username”, and then press Enter.

4 To display the password, type “show password”, and then press Enter.

Polling

The Adonis SNMP service periodically polls inside the appliance for new values for each of its SNMP objects based on a polling period setting. When the polling period interval elapses, SNMP gathers information about the state of the appliance, and then updates the SNMP objects whose values have changed. For SNMPv3 traps, if an object’s new value triggers a trap threshold, then a trap for that object is sent to the SNMP trap server.

To change the SNMP polling period:

1 Type “set pollingperiod value”, and then press Enter, where value is the length of the polling period in seconds.

2 To display the polling period for this appliance, type “show pollingperiod”, and then press Enter.

Polling and Traps

When Adonis communicates across the network with the SNMP protocol, it uses, where possible, the built-in support for authentication in the SNMP protocol itself. However, Adonis is designed to be installed in high-threat topologies, such as the DMZ or on the Internet. Consequently, any management workstation or trap server that communicates with Adonis must first be registered with the SNMP service so that the firewall rules can be modified to permit this communication. Adonis has a setup wizard to configure the SNMP service settings and firewall rules required for management workstations and trap servers. These setup wizards are accessed from within the SNMP configuration mode.

Adonis Trap Servers

The trap server is the server to which Adonis communicates specified changes in its status by sending SNMPv3 traps. This may be a different address from the SNMP polling server or manager address that is set up when enabling the service. In SNMPv3, trap messages must be authenticated with a trap server username and password. You can view and modify the trap settings in SNMP configuration mode:

• To view the current settings for the SNMP trap server, type “show trap”.
• If you changed the trap server settings within the current session and the changes have not been saved, you can view the modified settings by typing “show unsaved trap”.
• To set up a trap server, type “set trap”. This starts a wizard that guides you through the setup process.

To set up a trap server:

1 Type “set trap”.

2 Type the trap server address. This is the IP address for the trap server to which Adonis sends traps.

3 Type the SNMP version. This is the version of the SNMP protocol for use with the trap server. The options are 1, 2 (2c), and 3. If you choose version 1 or 2, you must type a community string, and then close the wizard.

The username must be at least four characters long and the password must be at least eight characters.


4 Type the level of security to which the Adonis appliance conforms for the version 3 protocol. Choices are 1 for noAuthNoPriv, 2 for authNoPriv, and 3 for authPriv.

5 Type the name for the trap server user.

6 Type either 1 (for MD5) or 2 (for SHA) as the authentication type to use.

7 Type an authentication passphrase. This is your SNMP v3 password.

8 Type a privacy passphrase. This is a second level of authentication available in SNMP v3.

9 Type a context, if one has been provided. This enables a limited view of the available trap objects.

10 To display the settings you have configured for the trap server configuration, type the command “show trap”.

11 If you are satisfied with the trap settings, type “save” and then press Enter.

Additional SNMP Service Settings

The system contact is the person who is the default contact for this SNMP service. This field is often used with system location. The system contact is an email address, while the system location is a descriptive text string.

System Contact and Location

• To set the system contact, type the command “set syscontact email_addr”. You can see the system contact with similar syntax, using the command “show syscontact”.

• To set the system location, type the command “set syslocation system_location”, where system_location is the text describing the system location. You can see the system location with similar syntax, using the command “show syslocation”.

System Name

You can obtain the SNMP name variable from the SNMP service. This is set to the DNS address of the appliance and the SNMP service using an FQDN.

• To set the system name on Adonis, type the command “set sysname sysname” where sysname is the FQDN for the appliance.

• To see the system name, type the command “show sysname”.

SNMP Manager Setup

After you have completed the local Adonis settings and activated the service, you may need to set up the SNMP monitor or trap server. Adonis provides support for the MIB-II SNMP standard objects, and the MIB files can be found in the directory usr/share/snmp/mibs. There are also two Adonis-specific MIB files that you need to copy from Adonis onto the SNMP manager. These files are located in the same directory and are called ADONIS-DNS-MIB.txt and BLUECATNETWORKS-MIB.txt. When these files are loaded into the SNMP manager they provide object IDs and descriptions for all of the Adonis SNMP objects. You may also need to configure the type of authentication in order to log into and poll Adonis from an SNMP manager. Adonis uses MD5 and DES encryption for SNMP.


Adonis Polled Objects

The following table lists the Adonis-specific SNMP polled-objects in the file ADONIS-DNS-MIB.txt:

SNMP Object                         Description

DNS Objects
dnsDaemonRunning                    Current running state of the DNS daemon.
dnsDaemonNumberOfZones              Number of zones loaded
dnsDaemonDebugLevel                 Current debug level
dnsDaemonZoneTransfersInProgress    Number of zone transfers currently in progress
dnsDaemonZoneTransfersDeferred      Number of zone transfers currently deferred
dnsDaemonSOAQueriesInProgress       Number of SOA queries in progress
dnsDaemonQueryLoggingState          Current running state of query logging.
                                    • 0 - Not logging
                                    • 1 - Logging
dnsStatsSuccess                     Number of successful queries made to the server since the DNS daemon was started
dnsStatsReferral                    Number of queries that resulted in referral responses since the DNS daemon was started
dnsStatsNXRRSet                     Number of queries that resulted in non-existent record set since the DNS daemon was started
dnsStatsNXDomain                    Number of queries that resulted in non-existent domain responses since the DNS daemon was started
dnsStatsRecursion                   Number of queries that required the server to perform recursive lookups since the DNS daemon was started
dnsStatsFailure                     Number of failed queries that did not result in non-existent domain or record set since the DNS daemon was started

DHCP Objects
dhcpDaemonRunning                   Current running state of the DHCP daemon.
                                    • 0 - Not Running
                                    • 1 - Running
dhcpDaemonSubnetAlert               The IP address the DHCP Alerts SNMP trap is sent to.
dhcpLeaseTable                      Current lease table
dhcpLeaseEntry                      Information about a particular DHCP lease
dhcpIP                              IP address of the lease
dhcpLeaseStartTime                  Start time of the lease
dhcpLeaseEndTime                    End time of the lease
dhcpLeaseTimeStamp                  Timestamp of the lease
dhcpLeaseBindState                  The state of this lease
dhcpLeaseHardwareAddress            The hardware address (MAC address) of this lease
dhcpLeaseHostname                   The client hostname of this lease
dhcpSubnetTable                     Current subnet table
dhcpSubnetEntry                     Information about a particular DHCP subnet
dhcpSubnetIP                        IP address of the subnet
dhcpSubnetMask                      IP mask of the subnet
dhcpSubnetSize                      Size of the subnet
dhcpSubnetUsed                      The number of used IPs in the subnet
dhcpSubnetAlert                     Alert level in the subnet
dhcpPoolTable                       Current pool table
dhcpPoolEntry                       Information about a particular DHCP pool
dhcpPoolSubnetIP                    Subnet IP address of the pool
dhcpPoolStartIP                     Start IP address of the pool
dhcpPoolEndIP                       End IP address of the pool
dhcpPoolSize                        The size of the pool
dhcpPoolUsed                        The number of used IPs in the pool
dhcpPoolAlert                       The alert level of the pool
dhcpDefaultLeaseTime                Default lease time in configuration
dhcpMinLeaseTime                    Minimum lease time in configuration
dhcpFixedIPTable                    Current DHCP subnet tables in configuration
dhcpFixedIPEntry                    Information about a particular DHCP subnet
DhcpFixedIPEntry                    One of the current fixed IP addresses in the DHCP configuration

Adonis Appliance Objects
haServiceRunning                    Current running state of high availability.
                                    • 0 - Not running
                                    • 1 - Running
haServiceNodeType                   Type of high availability node
                                    • 0 - HA not running
                                    • 1 - Active Node
                                    • 2 - Passive Node
commandServerDaemonRunning          Current running state of the command server daemon.
                                    • 0 - Not running
                                    • 1 - Running


Adonis Traps

The ADONIS-DNS-MIB.txt file also contains trap objects. The Adonis-specific traps fall into four groups:

• DNS
• DHCP
• XHA
• command server

Each of these groups can trap various parameters on the Adonis appliance. The DNS trap group includes both a daemon trap with attributes and a statistics trap with attributes.

The daemon trap is called dnsDaemonRunning. It has the following attributes:

• dnsDaemonZoneTransfersInProgress
• dnsDaemonZoneTransfersDeferred
• dnsDaemonSOAQueriesInProgress
• dnsDaemonQueryLoggingState
• dnsDaemonNumberOfZones
• dnsDaemonDebugLevel

The DNS services trap is called dnsStatsSuccess. It has the following attributes:

• dnsStatsReferral
• dnsStatsNXRRSet
• dnsStatsNXDomain
• dnsStatsRecursion
• dnsStatsFailure

The DHCP trap group includes information about the DHCP daemon and the leases table. The trap dhcpDaemonRunning indicates whether the DHCP daemon is running on Adonis. The trap dhcpLeaseTable passes DHCP statistics, including lease information.

XHA monitoring uses two traps. The haServiceRunning trap is sent if the XHA service stops running. It has an attribute of haServiceNodeType to describe the node sending the trap. There is also a trapHAServiceFailOver trap that indicates when an XHA failover has occurred.

The Adonis command server includes a trap called commandServerDaemonRunning that shows if the command server is running. It also includes a trap for command server notifications called trapCommandServerDaemon.
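The polling cycle described under Polling and the trap groups listed above, as an added Python example (not Adonis code) that simulates the poller: it keeps the last value of each polled object, rewrites only objects whose value changed, and raises traps named after the guide's objects. The appliance readings, the 90% subnet alert level, and the dhcpAlert trap name are constructed; the real thresholds and the SNMPv3 wire exchange are not shown.

```python
from dataclasses import dataclass

# Attributes the guide lists for the dnsDaemonRunning trap.
DNS_DAEMON_ATTRS = (
    "dnsDaemonZoneTransfersInProgress", "dnsDaemonZoneTransfersDeferred",
    "dnsDaemonSOAQueriesInProgress", "dnsDaemonQueryLoggingState",
    "dnsDaemonNumberOfZones", "dnsDaemonDebugLevel",
)
# Polled objects whose value is 1 when the service runs and 0 when it does not.
DAEMON_STATE_OBJECTS = (
    "dnsDaemonRunning", "dhcpDaemonRunning",
    "haServiceRunning", "commandServerDaemonRunning",
)


@dataclass
class Trap:
    name: str         # trap name as listed in the guide (dhcpAlert is constructed)
    attributes: dict  # attribute objects carried with the trap


class SnmpPoller:
    """Models one Adonis SNMP polling cycle: read the appliance, rewrite only the
    objects whose value changed, and return the traps those changes trigger."""

    def __init__(self, read_appliance, subnet_alert_level=0.9):
        self.read_appliance = read_appliance          # callable returning {object: value}
        self.subnet_alert_level = subnet_alert_level  # constructed threshold (fraction used)
        self.objects = {}                             # last known value of every object

    def poll(self):
        fresh = self.read_appliance()
        changed = {n: v for n, v in fresh.items() if self.objects.get(n) != v}
        traps = []
        for name, new in changed.items():
            old = self.objects.get(name)
            # A daemon-state object going from running (1) to not running (0)
            # sends the trap of the same name, with its attributes attached.
            if name in DAEMON_STATE_OBJECTS and old == 1 and new == 0:
                attrs = {}
                if name == "dnsDaemonRunning":
                    attrs = {a: fresh[a] for a in DNS_DAEMON_ATTRS if a in fresh}
                elif name == "haServiceRunning":
                    attrs = {"haServiceNodeType": fresh.get("haServiceNodeType")}
                traps.append(Trap(name, attrs))
            # The XHA node switching between active (1) and passive (2) is a failover.
            elif name == "haServiceNodeType" and {old, new} == {1, 2}:
                traps.append(Trap("trapHAServiceFailOver", {"haServiceNodeType": new}))
            # Subnet usage crossing the alert level (constructed rule for the
            # DHCP alerts trap; the guide does not state the real threshold).
            elif name == "dhcpSubnetUsed":
                size = fresh["dhcpSubnetSize"]
                was_over = old is not None and old / size >= self.subnet_alert_level
                if new / size >= self.subnet_alert_level and not was_over:
                    traps.append(Trap("dhcpAlert",
                                      {"dhcpSubnetUsed": new, "dhcpSubnetSize": size}))
        self.objects.update(changed)
        return traps


# Constructed appliance readings: a healthy appliance, then a changed zone count,
# then the DNS daemon stopping while a subnet fills past 90%, then an XHA failover.
BASE = {
    "dnsDaemonRunning": 1, "dnsDaemonNumberOfZones": 12, "dnsDaemonDebugLevel": 0,
    "dhcpDaemonRunning": 1, "dhcpSubnetSize": 254, "dhcpSubnetUsed": 200,
    "haServiceRunning": 1, "haServiceNodeType": 1, "commandServerDaemonRunning": 1,
}


def reading(**overrides):
    return {**BASE, **overrides}


READINGS = [
    reading(),
    reading(dnsDaemonNumberOfZones=13),
    reading(dnsDaemonNumberOfZones=13, dnsDaemonRunning=0, dhcpSubnetUsed=230),
    reading(dnsDaemonNumberOfZones=13, dhcpSubnetUsed=230, haServiceNodeType=2),
]


def run_simulation(readings):
    """Poll once per reading and return the list of traps raised by each poll."""
    source = iter(readings)
    poller = SnmpPoller(lambda: next(source))
    return [poller.poll() for _ in readings]


if __name__ == "__main__":
    for period, traps in enumerate(run_simulation(READINGS), start=1):
        print(f"polling period {period}: {[t.name for t in traps] or 'no traps'}")
```

Note that a daemon coming back (0 to 1) changes the polled object but raises no trap in this model, so a monitor that only watches traps must also poll the state objects to confirm recovery.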

Updating Adonis

You can update Adonis in one of two ways: online from the BlueCat Networks website, or manually.

Online Updates

The Management Console and appliance are updated regularly to add new features, resolve known issues, and generally enhance product quality. These updates are hosted online at the BlueCat Networks website.

If your organization uses a proxy server for connections to the Web, it should be configured on Adonis before proceeding with updating the software. For more information, see Specifying Proxy Settings on page 37.


You can find the current Management Console version by clicking Help > About. The versions for each server can be found using a server version query as described in Management Console Server Controls on page 54.

To check for updates (including operating system and application upgrades) follow the procedure described below. If updates are available, the Update Wizard guides you through the installation process.

To launch the Update Wizard:

1 On the Tools menu, click Check For Updates. The Update Wizard opens to guide you through the rest of the update process. Click Next.

2 The Update Wizard checks for client updates. Click Next.


3 The Server Connection page appears. For each server that you want to update, select the Connect checkbox, type the server password, and then click Next.

The Update Wizard returns a list of servers that you can update.

4 To update a server, select the appropriate Update checkbox (selected by default) and then click Next.

Servers are rebooted one at a time after the update finishes. Ensure that any servers that received updates of any kind remain selected.


5 Select the action you want to perform on any server selected on the previous screen, and then click Next.

6 The required update files are downloaded. Click Next.


7 The downloaded updates are sent to the servers that require them. Click Next.

8 To apply the server updates, each server must be rebooted sequentially. Click Start Reboot Sequence. Each server in the list reboots and starts its services before the next one reboots.

9 After the update is installed, click Next.

10 To execute the client update (if any) or to finish, click Finish.

The Management Console Install Wizard guides you through the same installation process used when the program was originally installed. During this process you are asked to determine the local storage path and the menu location for the Management Console. The wizard suggests default settings, but these may differ from your current settings.

If you need to update a client, save your files and accept the installation.

Manual Updates

To update Adonis manually you must first obtain a copy of the update.jar file from BlueCat Networks, and then place this file in the root of the c: drive on the workstation running the Management Console. Adonis uses this file to update the Management Console and the server.

To update Adonis manually:

1 In the Management Console select Tools > Options.

2 On the Product Updates tab select the Specify Address option.

3 Type “jar:file:///update.jar!/adonis-update.xml” in the field provided.

4 Click OK.


Chapter 5: Project Files

Adonis works within a client-server architecture that allows you to configure multiple servers from a single client interface and store this configuration in a project file. Project files define most of the functionality for the DNS, DHCP, and TFTP services that Adonis supplies. The project file does not contain the controls for the appliance itself: these are found in the Administration Console and the Management Console. Project files also define the server architecture for high-availability configurations such as XHA and DHCP Failover.

This chapter includes the following topics:

• Creating a New Project File on page 71 describes how to use the New Project Wizard. DNS and DHCP services are created initially in a new project file and TFTP services are added later.

• Opening and Saving Files on page 84 describes how to open and save local files, as well as check files in and out of an appliance. Both project and certificate files can also be stored in a custom location.

• Editing a Project File on page 88 describes how to edit a project file to modify the DNS and DHCP service configurations before they are redeployed.

• Checking and Correcting a File on page 90 describes the tools you use to verify the structure and syntax of a project file. Projects can be checked locally in the Management Console before deployment, and can also be verified live on the network and/or the Internet. The settings for the data check can also be modified in the Management Console.

• Deploying the Project File on page 92 describes how to deploy your project during testing or production. Deploying a project configures and restarts network services on the appliance.

• Importing a Project on page 96 describes how to import project files created with a previous version of Adonis.

Creating a New Project File

Adonis guides you through the initial steps of creating a new project file with the New Project Wizard. You can add as many servers and services as required to the newly-created project file. Alternatively, you can use the New Project Wizard to create a very simple project that can be modified and expanded later. You can also create a project file by importing an external DNS or DHCP configuration (for example, a BIND configuration). For more information, see Importing a Project on page 96.

Many of the procedures described in this section apply when adding servers to an existing project and when adding services to an existing server. The process is the same in all of these situations.

Whenever you create a new project file, Adonis automatically closes any project already open in the Management Console.


For more information about editing project files to update and modify DNS, DHCP, and TFTP services, see Adding Servers on page 89, Adonis DNS on page 97, and Adonis DHCP on page 155.

Selecting an Appliance Type

The first steps in creating a new project are to choose the type of appliance you are using, and then select the services you want to set up.

The New Project Wizard changes dynamically depending on the appliance and services you choose. All appliances require master server information. All models except the Adonis 250 require additional information depending on the services you are setting up.

To select an appliance:

1 On the File menu select New. The New Project Wizard opens.


2 Click Next. The Configuration Setup page appears.

3 Select an appliance type from the Appliance Type drop-down list. Your selection must match the type of appliance you purchased.

▪ Adonis 1750, 1000, 750, XMB—These appliances each support one DNS service and one DHCP service.

▪ Adonis 500—This model supports only the DHCP service.

▪ Adonis 250—This model runs a restricted DNS server that can have only stub zones, forwarding zones, and a caching zone.

4 If you selected Adonis 1750, 1000, 750, or XMB, select the checkboxes to configure the services you want to run on the server.

5 Click Next.

Setting up an Initial DNS Service

The following procedures describe the steps necessary to set up the initial DNS service.

To set up the initial DNS service:

1 Select the DNS architecture.

2 Define the DNS and/or master DHCP server.

3 Add slave servers (if necessary).

4 Identify Active Directory domain controllers (if you are working with Microsoft Active Directory).

5 Set up DHCP (if needed).

Selecting a DNS Network Architecture

If you are configuring an Adonis 1750, 1000, 750 or XMB DNS service, the Select Architecture page appears. The available network architectures use different numbers of appliances playing different roles on the network. This step does not appear for the Adonis 500, Adonis 250, or for a server being set up to provide only DHCP.

1 Select a DNS network architecture. To scroll through the options, click the right and left arrows in the upper-right corner of the Select Architecture page.

2 Select an appropriate architecture, and then click Next.

The following topics describe the types of architecture available.

Single Name Server—Also known as a master-only architecture, this is a simple, affordable in-house DNS solution for a small network or company intranet. It is not recommended for the enterprise or for the Internet: every client connects directly to the master server, which exposes it to the outside world, and there is no redundancy.

• Advantages:
▪ Simple configuration for an in-house DNS solution.
▪ Affordable for small networks.

• Disadvantages:
▪ All clients connect directly to the master server, which exposes it to attack.
▪ No redundancy: if the server is down you have no DNS service.


Front-End Master with Slave(s)—A typical master/slave setup assumes that a company has one master server and one or more slaves in a flat arrangement. These components are arranged horizontally across the network rather than vertically, so queries can be load-balanced across multiple servers.

• Advantages:
▪ Redundant DNS configuration.
▪ The slave servers are kept consistent with the master server.
▪ The load can be distributed among the master and its slaves.

• Disadvantages:
▪ The master is not protected from the outside world.
▪ Not recommended for external DNS, because the master is listed in the zone's public NS records and its address can be looked up by anyone.

In this scenario, if the master or a slave fails, the remaining servers absorb its load and carry on. If the master server fails, you can promote a slave to become the master until you bring the master back online. Because the master answers queries directly and is publicly listed, this architecture is not recommended for Internet DNS.

Front-End Slaves with Hidden Master—This architecture allows you to place the master server behind a firewall and hide it. In addition to increased security, the load can be distributed among the slaves. It does require at least 3 servers (2 slaves and 1 master) and may require networking expertise especially if the slaves are on different networks.

• Advantages:
▪ No outside access to the master, so it is less vulnerable to outside attacks.
▪ If a failure takes the master down, external clients see little loss of service because they do not query it directly.
▪ Performance on the master server improves, especially when performing zone transfers for a large number of zones.

• Disadvantages:
▪ Needs at least 3 servers (two slaves and a master) to provide the necessary redundancy.
▪ May need networking expertise if the slaves are on a different network.

The increased security of this architecture makes it the best solution for Internet DNS.

This architecture features an option on the Add Slave Servers page to designate a slave (secondary) server as the primary server for SOA records. The server named there becomes the MNAME (primary master) field of the zone's SOA record. Naming a public slave rather than the hidden master avoids exposing the hidden master's address, because other name servers and dynamic-update clients that consult the SOA contact the designated SOA Primary Server instead of the hidden master.

DNS Caching Server—A caching server decreases the time needed for name lookups by retrieving and caching other servers' DNS information. It performs the lookup, then keeps the answer in memory for the time to live (TTL) set by the authoritative server. Queries that arrive before the TTL expires are answered from the cache; once it expires, the entry is discarded and the next query fetches a fresh copy.

• Advantages:
▪ A caching server can reduce the time needed for name lookups.
▪ Can stand alone, or can forward unresolved queries to another name server.

Windows Active Directory—This architecture enables the appliance to host DNS services for a Windows Active Directory environment. Select this configuration if your appliances are participating in an Active Directory infrastructure.

• Advantages:
▪ Configures the server to operate within the Windows Active Directory environment.

Custom Configuration—This architecture allows you to define name server parameters and the form of your network. It is useful for networks that do not fit into any of the more traditional network architectures, or those that involve a more complex architecture with many servers.

• Advantages:
▪ You can add your own name servers.


Defining the Master/DHCP Server

All DNS architecture models in a new file require a master DNS server. The master server must be defined at this point. DHCP servers also require the same information. These changes are implemented in the new project file upon completion of the wizard.

To define a master server:

1 Type a Fully Qualified Domain Name (FQDN) in the Server Name field: do not use a relative name for this server. This FQDN creates a forward zone in a default DNS view based on the name that you specify containing a name server record and a glue record for this server. The server name is also used to populate the Start of Authority (SOA) record for the zone. If you use an FQDN for a DHCP-only server name, it is automatically added into any new DNS service added later.

2 Type an IPv4 or IPv6 address in the IP Address field. This creates a corresponding reverse DNS zone that contains a name server record for this server.

3 Type an e-mail address in the Contact e-mail field. Use an address with no periods (.) before the at sign (@): the address is stored in the RNAME field of the SOA record, where the @ is replaced by a period, so a dotted local part would be read by resolvers as extra domain labels.

4 Type a phone number in the Phone Number field using hyphen separators. (optional)

5 Type a mobile phone number in the Mobile Number field. (optional)

6 Type a department or division in the Dept./Division field. (optional)

7 Click Next.


Adding Slave Servers to a New Master

If you chose either the Front-End Master with Slave(s) or the Front-End Slaves with Hidden Master architecture on the Select Architecture page, you must add slave servers to the configuration.

Add each slave using the following information:

• Name—a meaningful name (FQDN) for each slave server (for example, ns2.example.com).

• IP address—the IP address for each slave server (for example, 192.168.127.3).


If you are using the Front-End Slaves with Hidden Master architecture, you can select a slave server to act as the start of authority (SOA) primary. This server is named in the SOA record on behalf of the hidden master, so that none of the published records carries a direct reference to the master.
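As an added example (not BlueCat or Adonis code), the following Python shows what the two wizard inputs discussed above and in Defining the Master/DHCP Server become in the zone's SOA record: the contact e-mail encoded as the RNAME field, and the designated SOA Primary Server placed in the MNAME field instead of the hidden master. It also scans zone-file lines for anything that would reveal a hidden master. The NameServer class, the server names and the addresses are assumptions for illustration; the zone lines are constructed, with two deliberate leaks for the check to find.

```python
"""Building the SOA record for a hidden-master zone and checking for leaks.

Added example, not BlueCat/Adonis code. Shows what the contact e-mail and
the 'SOA Primary Server' choice from the wizard become in the SOA record,
and scans zone-file lines for anything that reveals a hidden master.
All names and addresses below are made up for illustration.
"""
from dataclasses import dataclass


def soa_rname(email: str) -> str:
    """Encode a contact e-mail as an SOA RNAME (RFC 1035, section 3.3.13).

    The '@' becomes the first label boundary, so a dot in the local part
    must be escaped with a backslash or resolvers read it as a label break.
    That is why the wizard asks for no periods before the '@'.
    """
    local, at, domain = email.partition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    escaped = local.replace(".", "\\.")
    return f"{escaped}.{domain.rstrip('.')}."


@dataclass(frozen=True)
class NameServer:          # assumed stand-in for a server entry in the project
    fqdn: str
    ip: str
    hidden: bool = False   # True only for the hidden master


def build_soa(zone: str, servers: list, soa_primary: str, email: str, serial: int) -> str:
    """Return the SOA line with MNAME set to the designated public slave.

    Refresh/retry/expire/negative-TTL values are assumed defaults.
    """
    by_name = {s.fqdn.rstrip("."): s for s in servers}
    primary = by_name.get(soa_primary.rstrip("."))
    if primary is None:
        raise ValueError(f"{soa_primary} is not a server in this project")
    if primary.hidden:
        raise ValueError("SOA primary must be a public slave, not the hidden master")
    return (f"{zone.rstrip('.')}. IN SOA {primary.fqdn.rstrip('.')}. "
            f"{soa_rname(email)} {serial} 3600 900 604800 300")


def hidden_master_leaks(servers: list, records: list) -> list:
    """Return zone-file lines that carry a hidden master's name or address.

    An NS record, an SOA MNAME or an A/AAAA record naming the hidden master
    tells every resolver where the master lives.
    """
    hidden = [s for s in servers if s.hidden]
    leaks = []
    for line in records:
        fields = line.split()
        if "IN" not in fields:
            continue
        idx = fields.index("IN")
        if idx + 1 >= len(fields):
            continue
        if fields[idx + 1] not in ("NS", "SOA", "A", "AAAA"):
            continue
        tokens = set(fields)
        if any(h.fqdn.rstrip(".") + "." in tokens or h.ip in tokens for h in hidden):
            leaks.append(line)
    return leaks


SERVERS = [
    NameServer("master.example.com", "192.168.127.2", hidden=True),
    NameServer("ns1.example.com", "192.0.2.10"),
    NameServer("ns2.example.com", "192.0.2.20"),
]

# Constructed zone-file lines; the SOA MNAME and the last A record are wrong on purpose.
SAMPLE_ZONE = [
    "example.com. IN SOA master.example.com. hostmaster.example.com. 2008010101 3600 900 604800 300",
    "example.com. IN NS ns1.example.com.",
    "example.com. IN NS ns2.example.com.",
    "ns1.example.com. IN A 192.0.2.10",
    "ns2.example.com. IN A 192.0.2.20",
    "master.example.com. IN A 192.168.127.2",
]

if __name__ == "__main__":
    print(build_soa("example.com", SERVERS, "ns1.example.com", "hostmaster@example.com", 2008010102))
    for leak in hidden_master_leaks(SERVERS, SAMPLE_ZONE):
        print("exposes hidden master:", leak)
```

Run against the constructed zone, the check reports the SOA line (MNAME still points at the hidden master) and the master's own A record; after switching the SOA primary to ns1 and dropping the glue for the master, a query for the zone reveals only the public slaves.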

Identifying Active Directory Domain Controllers

If you chose a Windows Active Directory configuration, you are prompted to identify the IP address for each Active Directory Domain Controller.

1 Click Add, and then enter the IP address for one of your domain controllers.

2 Repeat the previous step for each remaining domain controller.

3 Click Next, and then click Finish.

Configuring DHCP

If you are using a multi-server architecture, you must choose one server to host the initial DHCP service for this project.

Setting up a New DHCP Server or Service

After you decide which appliance to use as host for the initial DHCP service, configuring DHCP is very easy. You can create a new DHCP service in several ways:

• by creating a new project file
• by creating a new server in an existing project file
• by adding the DHCP service to an existing server

In each case, the procedure for configuring DHCP is the same. The New DHCP Service Wizard needs the following information:

• Group declaration
• Subnet declaration
• Subnet or pool range

You can add additional declarations as needed after the wizard has finished.

To create a new DHCP service:

1 If you are creating an Adonis 1750, 1000, 750, or XMB DHCP service in the New Project Wizard, make sure you select the DHCP Service checkbox.

2 If you are adding DHCP service to an existing project, right-click a server and then follow the instructions in the New DHCP Service Wizard.

If you want to create a DNS service as well as configure DHCP, you must configure the DNS service first.


3 Type the information for the new DHCP server, and then click Next. The Get DHCP Group Information page appears.

4 Type a group name for the DHCP service, and then click Next. The Get DHCP Subnet Information page appears.

5 Select either the Network or Subnet option.

▪ If you select Network, type the network identifier using Classless Inter-Domain Routing (CIDR) notation, for example 192.25.200.0/24.

▪ If you select Subnet, type the network identifier for example 192.25.200.0 in the Subnet field and the subnet mask, for example 255.255.255.0 in the Mask field.


Optionally, you can select the Add the DHCP subnet to a new shared network checkbox. Type the name of a shared network in the Shared Network field that appears beneath the checkbox.

6 Click Next. The Add DHCP Subnet/Pool Ranges page appears.

7 To add a subnet range or a DHCP pool, click Add. The Add Address Range dialog box appears.

8 Type the IP address at the start and at the end of the range.

To add an exclusion range within the range you are creating, right-click the Exclude Ranges area of the Add Address Range dialog box, and then select New Exclude Range from the context menu. Type the IP addresses at the beginning and end of the exclusion range, and then click OK.

9 In the Add Address Range dialog box, click OK to add the range.

You can create a subnet range or a pool range: you cannot create both. Because pools offer additional functionality, we recommend pools and pool ranges instead of subnet ranges.


10 Click Next, and then click Finish.

To create a pool:

1 In the Add DHCP Subnet/Pool Ranges dialog box select the Create a new pool for the DHCP subnet checkbox. The pool ranges area appears in the dialog box.

2 Click Add, and then type the beginning and end addresses.

3 Click Next, and then click Finish.

The DHCP service appears in the directory tree under the selected server at the same level as the DNS service for the server.

The Management Console creates a new project file using the settings you have specified. No changes are made to the appliances at this point. The appliance configurations and services are updated and restarted when you deploy the project.
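As an added example (not BlueCat or Adonis code), the following Python takes the inputs the wizard asks for above (a subnet, a group name, a range and any exclusion ranges) and produces the ISC dhcpd configuration that a DHCP service ultimately runs. ISC dhcpd has no "exclude" statement, so an exclusion inside a range is expressed by splitting the range into the pieces around it; the page does not say how Adonis renders exclusions internally, so that splitting is the standard dhcpd approach rather than a description of the appliance. The function also rejects the mistakes the data check would flag: a range outside its subnet, or an exclusion outside its range. All addresses are made up for illustration.

```python
"""Turning a DHCP range with exclusions into ISC dhcpd range statements.

Added example, not BlueCat/Adonis code. ISC dhcpd has no "exclude"
statement: an exclusion inside a range is expressed by splitting the range
into the pieces around it. Addresses below are made up for illustration.
"""
from ipaddress import IPv4Address, IPv4Network


def split_range(start: str, end: str, excludes: list) -> list:
    """Return (start, end) pairs left after cutting the excludes out of start..end.

    Arithmetic is done on integers so the last address of the space cannot
    overflow when an exclusion ends exactly at the range end.
    """
    lo, hi = int(IPv4Address(start)), int(IPv4Address(end))
    if lo > hi:
        raise ValueError(f"range start {start} is above range end {end}")
    holes = sorted((int(IPv4Address(a)), int(IPv4Address(b))) for a, b in excludes)
    pieces = []
    cursor = lo
    for a, b in holes:
        if a > b:
            raise ValueError(f"exclusion {IPv4Address(a)}-{IPv4Address(b)} is reversed")
        if a < lo or b > hi:
            raise ValueError(f"exclusion {IPv4Address(a)}-{IPv4Address(b)} lies outside {start}-{end}")
        if a > cursor:
            pieces.append((cursor, a - 1))
        if b + 1 > cursor:          # overlapping exclusions just extend the hole
            cursor = b + 1
    if cursor <= hi:
        pieces.append((cursor, hi))
    return [(str(IPv4Address(a)), str(IPv4Address(b))) for a, b in pieces]


def render_subnet(network: str, group: str, start: str, end: str,
                  excludes: list, as_pool: bool = True) -> str:
    """Render a dhcpd.conf group/subnet block for one address range.

    as_pool=True wraps the ranges in a pool, which is what the wizard's
    'Create a new pool' option produces and what the guide recommends.
    """
    net = IPv4Network(network, strict=True)   # rejects host bits set, e.g. 192.25.200.1/24
    for addr in (start, end):
        if IPv4Address(addr) not in net:
            raise ValueError(f"{addr} is not inside {net}")
    range_lines = [f"range {a} {b};" for a, b in split_range(start, end, excludes)]
    # dhcpd groups are unnamed; the Adonis group name is kept as a comment.
    lines = [f"group {{  # {group}",
             f"  subnet {net.network_address} netmask {net.netmask} {{"]
    if as_pool:
        lines.append("    pool {")
        lines += [f"      {r}" for r in range_lines]
        lines.append("    }")
    else:
        lines += [f"    {r}" for r in range_lines]
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input matching the wizard's example subnet 192.25.200.0/24.
    print(render_subnet("192.25.200.0/24", "corp-lan",
                        "192.25.200.10", "192.25.200.200",
                        [("192.25.200.50", "192.25.200.60")]))
```

With the constructed input the pool contains two range statements, 192.25.200.10-49 and 192.25.200.61-200, and a typo such as an exclusion of 192.25.201.50-60 is refused before anything is written, which is the same kind of problem the Check Data pane reports before deployment.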

Opening and Saving Files

Adonis has two methods for storing project files: you can store the file on your workstation or you can store it on the appliance. Storing the project file on the appliance has some advantages:

• Several administrators can have access to the file without needing to maintain separate copies.

• Access to the file on the server is restricted while any administrator has it checked out.

Like the DNS service, the DHCP configuration can be checked for errors before deployment. In some cases, the errors may simply be informational.


Networked storage is useful for ensuring that the file is always backed up to a central location. In many environments, this can be achieved by storing the file on a network drive that is backed up centrally.

• To open a file, from the File menu select Open. Select the .dns project file as you would any other type of file.

• To save a file, from the File menu select Save or Save As. Save the project file as you would any other type of file.

Checking Files Into and Out Of an Adonis Server

The Check In/Check Out features enable you to store the project file centrally on the Adonis server. You check out a file, modify it, deploy the changes, and then check the project back into the server. This allows several administrators to work on the same project one at a time without overwriting each other's changes. Checking out locks the copy on the appliance and gives you a local copy in which to make your changes; checking in uploads the local copy to the appliance and releases the lock so that another administrator can check the file out. While a file is checked out, other administrators cannot check it out.

Before checking the project file in or out, you can view the log of all check-in/check-out server activity by clicking View Log. This log indicates who has checked the project file in or out of the appliance.

Checking In a Project File

When you are satisfied with the changes you made to the project file, you should check in the file so another administrator can work on it.

To check in a project file:

1 Click Tools, and then click Options.

2 On the General tab select the Auto save local copy for check in/out checkbox. This ensures that Adonis saves a backup copy of the project file to the requested path.

3 Click OK.

Check In is not the same as deployment. Check In is a process for storing the latest project file on the appliance. Deployment is a process designed to install and activate the latest project changes on the appliance(s).

Checking a project into Adonis does not activate any changes that were made to the configuration data. To activate changes, first deploy the project, and then check the project file into Adonis.


4 After you deploy the project, select Check-In from the File menu. The Check-In dialog box appears.

5 Type a comment describing the changes you have made to the file, and then click Check-In.

Adonis performs an SSL handshake to ensure that you have the correct credentials to check-in the project. The current project is checked-in and overwrites any existing file on the appliance.

Checking Out a Project File

If you need to make changes to a project, check out the latest version from the server.

To update the project for subsequent check outs, remember to check the project file back into the appliance after you have completed and deployed your changes.

After you check-in a project, it disappears from the Management Console. This is very important: it is impossible to deploy a project file after you check it in.

You can force a check-in if necessary. If another administrator has the configuration file checked out and you need to check in a different version, select the Force check-in (break existing lock) checkbox.

You need to be particularly careful when forcing a check-in. Are you absolutely sure your changes are more important than somebody else’s?


To check out a project file:

1 From the File menu, click Check-Out. The Check-Out dialog box opens.

2 Type the server IP address in the Server field (if necessary).

3 Type your deployment password in the Password field (if necessary).

4 Click Check-Out.

Adonis performs an SSL handshake, locks the project on the appliance, and then transfers a copy to the Management Console and displays it.

5 Deploy the configuration in the checked-out file.

Typical Management Session

The following scenario describes a typical Adonis management session using the check in/check out features. The steps assume that a project already exists (the file has been checked in) on the appliance and has been deployed.

To use Check-In and Check-Out:

1 Launch the Management Console. From the Welcome dialog box select Check out Project from server, and then click OK. The Check-Out dialog box opens.

2 Specify the IP address and password for the server that contains the project.

3 Click Check-Out to get a local copy of the project and lock it.

The name of the file that you have checked out is always the name listed after the IP address of the server itself.

If you need to check out a file, but it is locked, select Force check-out (break existing lock). However, before you do this make sure another administrator is not currently using the file.

You can view the Check-In/Check-Out log to see all previous activity on the server. The last log entry must be a check in (in order to check the project out from the server).


4 Make the necessary configuration changes, and then deploy the project to activate your changes immediately.

5 When deployment is complete, select Check-In from the File menu to place the project file back on the appliance.

6 When the project has been checked back in to the server, the session is complete and you can close the Management Console.

Modifying File Location Settings

You can change the default locations for project files and server certificates.

To change the default locations:

1 From the Tools menu select Options. Click the File Locations tab.

2 Click in the Project Files or Certificates box to display the Select Directory dialog box and browse to the new location. Alternatively, you can type the directory name manually.

3 Click Select, and then click OK.

If you do not want to activate the changes, you can check the project back in and deploy it later.

End the session by checking the project file back in to the server to make it available for future management sessions.

Editing a Project File

Editing a project file may involve wizards and other tools that Adonis uses to help you create a well-formed and efficient project.


Adding Servers

Adding a server or service to an existing project file is similar to defining the server for a new project file.

To add a server to an existing configuration file:

1 Right-click Servers (the root of the project file tree).

2 Click New Server from the context menu. The New Server Wizard appears.

3 Click Next.

4 Select an appliance type from the drop-down list. Your selection must match the type of appliance you purchased.

▪ Adonis 1750, 1000, 750, XMB—These appliances each support one DNS service and one DHCP service.

▪ Adonis 500—This model supports only the DHCP service.

▪ Adonis 250—This model runs a restricted DNS server that can have only stub zones, forwarding zones, and a caching zone.

5 If you selected Adonis 1750, 1000, 750, or XMB, select the checkboxes for the services you want to run on the server.

6 Click Next.

If you want to create a DHCP service, follow the steps in Configuring DHCP on page 81 now or after you have configured the DNS server.


7 Type the appropriate server information. This screen shows different fields, depending on the options you selected in the previous screen.

8 Because you are creating a new server in an existing project, select Master, Master Hidden, Slave, or Caching as the type of server.

9 If you are creating a slave server, select its corresponding master from the Master Server list.

10 Type a FQDN in the Server Name field: do not use a relative name for this server. This FQDN creates a forward zone in a default DNS view based on the name you specify containing a name server record and a glue record for this server. The server name is also used to populate the Start of Authority (SOA) record for the zone. If you use an FQDN for a DHCP-only server name it is automatically added into any new DNS service you add later.

11 Type an IPv4 or IPv6 address in the IP Address field. This creates a corresponding reverse DNS zone that contains a name server record for this server.

12 In the Contact e-mail field type an e-mail address with no periods before the @ sign.

13 In the Phone Number field type a phone number (use hyphens as separators). This field is optional.

14 In the Mobile Number field type a mobile phone number. This field is optional.

15 In the Dept./Division field type a department or division. This field is optional.

16 Click Next.

17 Click Finish.

Checking and Correcting a File

Adonis provides several kinds of data checking to help ensure the accuracy of files and their ability to deploy successfully. Despite the controls built into the Adonis management console, errors can be designed into a project file. This section outlines some of the data checking that can occur within a project file.


Checking the Data

Before transferring the project file to the appliance, you should perform a data check on the information that the file contains. This procedure normally takes a few minutes, but it can save you time in the long run because it allows you to resolve issues before you deploy the project. If you have imported external data or a project file from an older version, this step is strongly recommended. Further tools for checking DNS integrity can be found in Checking the Data on page 132.

To check your project data:

1 From the Tools menu, select Check Data or click Check Data on the toolbar. The Check Data pane appears at the bottom of the Management Console.

2 Use this list to review issues that exist in your project file. The Type column identifies three types of issues:

▪ Errors—serious problems that interfere with the correct operation of the server

▪ Warnings—less serious problems that still require your attention

▪ Information—items of interest that do not affect deployment

3 Double-click an issue. The left and right panes display the location of the issue within the project file and the setting that needs to be modified (you can also select the issue, and then click Go to...).

4 To see an explanation of the issue, click Explain.

5 Make the modifications necessary to resolve the issue.

6 Repeat the previous steps to continue checking your data until the Management Console reports that there are no problems with your project file.

Modifying Data Check Issue Settings

You can customize the severity level that is reported for every test the data checker runs.

You can right-click on the Check data table, and then use the Collapse Related Issues and Expand Related Issues commands.

Click Re-check to run the data check again. Click Explain to see an explanation for the issue you selected.


To modify data check issue settings:

1 From the Tools menu click Options, and then select the Data Check Issue Settings tab.

2 To change a setting, find the issue in the list, and then select the severity level to be reported from the corresponding drop-down list.

3 Click OK.

Deploying the Project File

Deployment is the process that converts a project file in the Adonis Management Console into a running set of services. Service configuration files are generated and transferred to the servers that provide services. The services are then restarted, and the new project becomes live on the servers. Upon deployment, the project file creates the appropriate DNS, DHCP, and TFTP service configurations and starts the services.

If you selected the Set auto data check before deployment checkbox in the Tools > Options > General tab the server performs an automatic data check during deployment. A results screen appears and gives you the option to continue the deployment, or abort it, based on the results of the data check. If there are no errors in your project file, or you elect to proceed anyway, the Deployment Wizard opens. Aborting the deployment returns you to the Management Console.

To deploy your configuration:

1 On the Management Console, click Deploy on the toolbar, or select Deploy from the Server menu. The Deployment Wizard opens.


2 Click Next. The Server Connection dialog box opens.

3 Select the checkbox for each server you want to deploy, and then type the password.

4 Click Next.

5 Adonis connects to each selected server and displays the connection status.


6 When connection is established, click Next. The Select Action dialog box appears.

7 Select one of the following actions:

▪ Do Nothing—No processing is required.

▪ Update Client—Transfer data from the server to the client. This uses configuration data from the server to rebuild the configuration file on the client.

▪ Refresh Client—Transfer dynamic updates from the server to the client so that the client has a snapshot of the running services and information about the current state of dynamic objects such as DHCP leases, DDNS entries, and MAC Authentication status.

▪ Update Server—Transfer data from the client to the server. Once you have finished making changes to a configuration file, use this option to transfer it to an Adonis appliance and start the services.

▪ Update Server (Force)—Normally, updating a server involves making iterative changes to the configuration files. If an appliance has been upgraded or is in an indeterminate state, use this option instead: it completely rewrites all of the configuration files on the appliance.


8 To continue the deployment and display a status screen, click Next.

9 To display the summary screen, click Next.

10 To complete the deployment, click Finish.

When deploying a disabled service, the current service stops if it is running.


Importing a Project

There are several ways to import existing data into the Management Console. You can import data from a previous version of the Management Console, import an external DNS or DHCP configuration (for example, a BIND 9 configuration), or perform a live zone transfer. This section covers importing a project file created with an earlier version of the Management Console. Imports from external sources are discussed in Migration Tools on page 223.

Importing from a Previous Version

Opening a project file created using a previous version of the Management Console prompts you to select the servers that need their appliance type queried. This lets the Management Console adjust the available settings to match the appliance. Because all Adonis appliances are now manageable from a single software console, this step should only be required when upgrading from Adonis 3 or earlier.

To detect the appliance type:

1 From the pop-up screen that automatically appears when you load a project file from a previous version, select the checkboxes corresponding to the servers for which you want to detect the appliance type.

2 Type the password for each server, and then click Detect Type.

Closing the detection screen without detecting the appliance type sets the type to Adonis 1000 by default. If the appliance type is set to Adonis 1000 and the appliance itself is a different type, the configuration cannot be deployed.

If the appliance type is not detected, a warning message appears when you start deploying the project. All appliances must be detected before the project can be deployed.

If the appliance type is not being successfully detected, try using the Detect Appliance Type function from the Server Control menu.


Chapter 6

Adonis DNS

DNS is a wide-ranging topic and a detailed explanation is beyond the scope of this administration guide. Server configuration and administration are intuitive with Adonis, and the critical topics are covered here.

This chapter includes the following topics:

• Adonis DNS Implementation on page 97 describes the Adonis-specific implementation of DNS services.

• DNS Services on page 98 explains how DNS services are controllable through the Administration Console.

• Managing Servers and Zones on page 104 describes how DNS zones and sub-zones form the hierarchical structure of the DNS system.

• Resource Records on page 101 describes how resource records define the characteristics of the individual hosts that are referred to in a DNS zone.

• Managing Resource Records on page 117 describes how resource records can change dramatically and how to manage those changes using the tools provided with Adonis.

Adonis DNS Implementation

The following features highlight the strengths of the Adonis DNS implementation.

BIND Views—BIND views allow you to configure a single name server so it responds differently, based on who performed the query. With BIND views, a single Adonis appliance can return an intranet response to a query that originates from within the corporation and an external address to a query received from an external address. For example, you can run your company's internal and external DNS data on the same server, instead of configuring separate name servers. Before BIND 9, presenting one view of a zone to one community of hosts and a separate view to others called for a very complex configuration, running multiple name servers, or multiple name server processes on a single host.

Recursive Queries—Recursion allows a DNS server to respond to requests for zones for which it is not authoritative. It does this by passing the request along to a server that is authoritative for the zone. Adonis allows recursion to be enabled at the service or view level, through the option Allow Recursion. Recursion is actually provided by Cache Zones and Forwarding Zones. Both the option and the zone must be configured for recursion to work properly.

Enable/Disable Zones—Adonis can disable and enable zones intelligently. Network administrators can create “live” configurations, serving only DNS data for zones that are fully prepared with online web, email, and database servers that are ready for production. When a zone is disabled, Adonis selectively disables dependent records outside the zone without the manual intervention of the administrator.

Delegation-Only Zones/Root Delegation Only—Delegation-only zones are useful when filtering out wildcard or synthesized data from Network Address Translation (NAT) servers, or authoritative name servers containing undelegated zone data of no interest. Root delegation only is a server option enabled directly from the Management Console. It is used to enforce delegation-only for top-level domains (TLD) and root zones, with the option to add specific domains to exclude or load the default list.

Enable/Disable Resource Records—When a zone is disabled, the Management Console selectively disables dependent records outside the zone without the manual intervention of the administrator. This is similar to the enable/disable zone feature, but on a per-record basis.

Auto Generate—Auto generate can be used where a BIND $GENERATE statement is employed. It creates a series of resource records differing only by an iterator (for easily generating the record sets required to support sub-/24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA delegation). The process of automatically generating resource records creates a single host entry in the project file. When synchronized, Adonis creates the actual records on the server.
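As an added example (not the guide's or BlueCat's code), the Python below expands a sub-/24 reverse delegation into the record set that the Auto Generate / $GENERATE shorthand stands for, following RFC 2317. The parameter names start_offset, size, separator and child_ns are assumptions, chosen to mirror the Start Offset, Size and Separator fields Adonis presents for a Class C (subnet) reverse zone.

```python
from ipaddress import IPv4Network
from typing import Dict, List

# Added example, not code from the Adonis guide or from BlueCat.
# Expands a sub-/24 reverse delegation (RFC 2317) into the records that an
# Auto Generate / $GENERATE entry stands for. start_offset, size, separator
# and child_ns are assumed parameter names; the child zone itself (where the
# customer publishes the PTR records) is not generated here.


def is_aligned_block(start_offset: int, size: int) -> bool:
    """RFC 2317 blocks are power-of-two slices of a /24, aligned on size."""
    return (2 <= size <= 128 and (size & (size - 1)) == 0
            and 0 <= start_offset < 256 and start_offset % size == 0)


def reverse_zone_name(parent: IPv4Network) -> str:
    """Parent /24 reverse zone, e.g. 192.0.2.0/24 -> 2.0.192.in-addr.arpa"""
    if parent.prefixlen != 24:
        raise ValueError("parent must be a /24 (Class C) network")
    o1, o2, o3, _ = str(parent.network_address).split(".")
    return f"{o3}.{o2}.{o1}.in-addr.arpa"


def classless_delegation(parent: str, start_offset: int, size: int,
                         child_ns: List[str], separator: str = "/",
                         ttl: int = 86400) -> Dict[str, object]:
    """Records the parent zone needs in order to hand `size` addresses,
    starting at host octet `start_offset`, to a child zone served by
    `child_ns`: one NS per child name server plus one CNAME per address."""
    if not is_aligned_block(start_offset, size):
        raise ValueError(f"{size} addresses at offset {start_offset} "
                         "is not an aligned sub-/24 block")
    zone = reverse_zone_name(IPv4Network(parent, strict=True))
    prefixlen = 32 - (size.bit_length() - 1)          # 64 addresses -> /26
    # RFC 2317 suggests "/" in the child label; "-" is a common substitute
    # for tools that dislike "/" inside owner names.
    child_label = f"{start_offset}{separator}{prefixlen}"
    child_zone = f"{child_label}.{zone}"
    last = start_offset + size - 1
    records = [f"{child_zone}. {ttl} IN NS {ns}" for ns in child_ns]
    for host in range(start_offset, last + 1):       # one CNAME per address
        records.append(f"{host}.{zone}. {ttl} IN CNAME {host}.{child_zone}.")
    # The one-line BIND shorthand for the same CNAMEs, relative to $ORIGIN.
    generate = f"$GENERATE {start_offset}-{last} $ CNAME $.{child_label}"
    return {"child_zone": child_zone, "records": records, "generate": generate}
```

The returned "records" list is what the iterator-driven host entry described above expands to on the server once synchronized.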

Configuration Migration—Existing DNS configurations can be migrated with the Management Console, eliminating tedious recreation and re-entering of zone data. Migration imports DNS files created with both current and earlier releases of the BIND software (including versions 4.x, 8.x, and 9.x). Microsoft Windows DNS configurations can be extracted with the Adonis Extraction Tool. After importing the configuration into the Management Console, check for previous errors and perform data validation using Data Checker, and the Live Data Check and Validation tools.

Automatic Serial Number Generation—The Start of Authority (SOA) resource record for a zone identifies which primary master name server is authoritative — the best source of information for the zone. SOA records contain important settings for refreshing the data in the zone. One of these settings is the serial number, a unique identifying number that applies to all data in the zone. This option is set by default to auto, enabling a special algorithm to determine the correct setting.

Configuration Statistics—Generate a statistical summary of your DNS configuration using the Management Console. Statistics on the number of servers, zones, and addresses provide useful data on the size of your network infrastructure.

Supported DNS RFCs—Adonis is fully compliant with the following DNS RFCs: 1034, 1035, 1995, 1996, 2136, 2317, 2782.

DNS Services

Adonis uses ISC BIND to provide its DNS service. Normally, this service is configured in a text editor. Adonis provides graphical configuration of this network service. You can create a DNS service in three different ways:

• Creating a new project file is described in Creating a New Project File on page 71.

• Creating a DNS service on an existing server is described in Editing a Project File on page 88.

• Creating a new server in an existing project file is described in Adding Servers on page 89.

BIND/DNS Service Control

The executable file for BIND is called named, the name daemon. This service can be managed from the normal mode of the Administration Console.

To start BIND, type “start bind”, and then press Enter.

To stop BIND, type “stop bind”, and then press Enter.

To restart BIND, type “restart bind”, and then press Enter.

To view some statistics on the DNS service, type “show status bind”, and then press Enter.


To check whether BIND is running, type “isrunning bind”, and then press Enter.

Specifying Server Version Information

Profiling hackers check for any information they can find about your servers and the services running on them, including version information, so their attempts to breach security are better targeted.

The DNS service answers a server version query by default. You can provide a custom text string that comprises the version information reported when the server is queried. This is a powerful defence against the profiling that tends to precede incidents of hacking.

You can choose from the following options to specify the response given to a server version query:

• [Disabled]—Send no response.

• Adonis Server—Send the version of the appliance.

• [BIND Version]—Send the version of BIND that is running on the appliance.

• Custom Text—Send a customized text response.

Setting the Server Version Information

To set the version query response:

1 In the tree-view pane of the Management Console, click the DNS service for which you are setting the query response.

2 In the detail pane, click the General tab.

3 Using the Display drop-down list in the Version Information section, select the version information to display when a version query is issued to the server.

4 Choose from the following options to specify the response given to a server version query:

▪ [Disabled]—Send no response.

▪ Adonis Server—Send the version of the appliance.

▪ [BIND Version]—Send the version of BIND that is running on the appliance.

▪ Custom Text—Send a customized text response.

5 If you select Custom Text, click Browse, and then type the version text in the Edit Version Text dialog box.
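To confirm what an appliance actually reports once this option is set, the following Python (an added example, not part of the guide or the product) builds the CHAOS-class TXT query for version.bind that tools such as dig send and decodes the reply. make_sample_response constructs replies for the offline demonstration, and query_server is an assumed helper that sends the query over UDP to a server you administer.

```python
import socket
import struct
from typing import Optional, Tuple

# Added example, not code from the Adonis guide or from BlueCat.
# Wire format per RFC 1035: a CH-class TXT query for version.bind and a
# decoder for the answer, so the configured version response can be verified.

QTYPE_TXT = 16
QCLASS_CHAOS = 3
RCODE_REFUSED = 5


def build_version_query(txn_id: int = 0x1234) -> bytes:
    """Header (RD clear, one question) + question: version.bind. CH TXT"""
    header = struct.pack("!HHHHHH", txn_id, 0, 1, 0, 0, 0)
    qname = b"\x07version\x04bind\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], 0, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if not jumped:
                end = off + 2                        # resume after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_version_response(msg: bytes) -> dict:
    """Return the rcode and the TXT strings of CH-class answers. No strings
    (with NOERROR or REFUSED) is what the [Disabled] setting produces."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                              # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                     # QTYPE + QCLASS
    texts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            i = 0
            while i < len(rdata):                    # <length><chars> strings
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return {"rcode": flags & 0x0F, "texts": texts}


def make_sample_response(txt: Optional[str], txn_id: int = 0x1234) -> bytes:
    """Constructed reply to build_version_query(): one TXT answer whose owner
    name is a pointer to the question, or REFUSED with no answer if txt is None."""
    question = build_version_query(txn_id)[12:]
    if txt is None:
        flags = 0x8000 | RCODE_REFUSED                # QR=1, RCODE=REFUSED
        return struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0) + question
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    answer = (b"\xC0\x0C"                            # pointer to offset 12
              + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata))
              + rdata)
    return struct.pack("!HHHHHH", txn_id, 0x8400, 1, 1, 0, 0) + question + answer


def query_server(host: str, port: int = 53, timeout: float = 3.0) -> dict:
    """Send the query to a server you administer and decode its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_version_query(), (host, port))
        data, _ = sock.recvfrom(512)
    return parse_version_response(data)
```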


Adjusting DNS Service Options

Every time you define a new name server, create a project file, or add a new name server to an existing project, the Management Console automatically enters the default BIND sub-statements in your project file. You can modify any of these options as your needs change.

Setting DNS Service Options

To adjust server options for a name server:

1 In the tree-view pane of the Management Console, double-click the DNS service whose options you want to set. A list of the server’s zones and views appears.

2 In the detail pane, select the Options tab. A list of options appears.

3 To change a server option, double-click it. A dialog box appears to allow you to make changes to that particular option. For some options, deselect the Use default checkbox to enable the other options in the dialog box.

4 Make the necessary changes, using Add, Edit, Remove, Move Up and Move Down on the dialog boxes to open additional dialog boxes, whenever applicable.

5 Click OK.

Available DNS Options

When configuring DNS you can set options at different levels. For example, you can configure a DNS server to allow zone transfers at the following levels:

• DNS service level

• Views level

• Zones level

Options configured at the DNS service level are global and are inherited by all views and zones. However, options that are set at lower levels take precedence. Options configured at the Views level are inherited by all zones within that view and take precedence over the options configured at the DNS service level. Options configured at the zones level only affect the zone itself and take precedence over the options configured at both the DNS service level and the views level.

For numeric options, you can type a number in the available field. For yes/no options, you can select yes, no, or default. For the transfer-format option, select one-answer, many-answers or default.

For some options, the Add and Edit dialog boxes include an Exclude option which, when selected, indicates that the address should be ignored. This lets you add an entire subnet, and exclude individual IP addresses.
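The precedence and Exclude rules above, worked through in Python as an added example that is not the guide's or BlueCat's code: it resolves the effective allow-transfer list for a zone from the three levels and tests a requesting address against it. Assumptions: an Exclude entry acts like BIND's negated (!) match-list entry, entries are evaluated in list order with the first match deciding, and an option unset at every level falls back to the BIND 9 default of the era (transfers allowed to any host).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Added example, not code from the Adonis guide or from BlueCat.
# Models the service / view / zone precedence described above for match-list
# options such as allow-transfer, with the Exclude checkbox treated as a
# negated entry (assumption: BIND's "!" prefix, first match wins).


@dataclass(frozen=True)
class MatchEntry:
    network: str            # single address or CIDR prefix, IPv4 or IPv6
    exclude: bool = False   # the Exclude checkbox in the Add/Edit dialog


@dataclass
class Level:
    """One configuration level: the DNS service, a view, or a zone."""
    name: str
    options: Dict[str, List[MatchEntry]] = field(default_factory=dict)


def effective_option(option: str, service: Level, view: Optional[Level] = None,
                     zone: Optional[Level] = None
                     ) -> Tuple[str, Optional[List[MatchEntry]]]:
    """Lowest level that sets the option wins: zone, then view, then service."""
    for level in (zone, view, service):
        if level is not None and option in level.options:
            return level.name, level.options[option]
    return "default", None


def address_matches(addr: str, entries: List[MatchEntry]) -> bool:
    """First entry containing addr decides; an Exclude entry denies.
    No matching entry at all means the address is not allowed."""
    ip = ip_address(addr)
    for entry in entries:
        net = ip_network(entry.network, strict=False)
        if ip.version == net.version and ip in net:
            return not entry.exclude
    return False


def transfer_allowed(addr: str, service: Level, view: Optional[Level] = None,
                     zone: Optional[Level] = None) -> Tuple[bool, str]:
    """Return (allowed, name of the level the decision came from)."""
    level_name, entries = effective_option("allow-transfer", service, view, zone)
    if entries is None:
        return True, level_name          # assumed BIND 9 default: any host
    return address_matches(addr, entries), level_name


# Constructed sample configuration. The service allows the whole 10/8 range
# but excludes one host; the Exclude entry is listed first because order
# matters (hence the Move Up / Move Down buttons): listed after 10.0.0.0/8
# it would never be reached.
SERVICE = Level("dns-service", {"allow-transfer": [
    MatchEntry("10.0.0.99", exclude=True),
    MatchEntry("10.0.0.0/8"),
]})
INTERNAL_VIEW = Level("internal-view")                 # inherits from the service
EXAMPLE_ZONE = Level("example.com", {"allow-transfer": [MatchEntry("192.0.2.10")]})
CORP_ZONE = Level("corp.example")                      # no zone-level setting
```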

Resource Records

You create Resource Records on the Resource Records tab in the detail pane. The Resource Records toolbar appears when you select a zone and includes tools that allow you to create the following types of record:

New Host Record (A)—A host record resolves a Fully Qualified Domain Name (FQDN) to an IP address for a device. A host record requires a name and an IP address (multiple addresses may exist for the same device). You can set the TTL for this record to override the value assigned in the SOA record.

New Quad-A Record (AAAA)—You can use host records in Adonis to indicate IPv6 hosts by including an IPv6 address rather than an IPv4 address in the record. Using the AAAA host record format, several names can refer to a single address. This can be done with multiple host records rather than using a CNAME or Alias record. Also, a single name can refer to several different addresses. When multiple host records are associated this way, they should be listed together, as BIND processes them in a round-robin fashion in responding to queries. IPv4 and IPv6 addresses can be mixed together within the same zone.

New Alias Record (CNAME)—This is a Canonical Name record, used to specify an alias for a host name. The Alias record type only requires a name to be supplied. You can set the TTL for this record to an override value.

New Name Server Record (NS)—Name Server records are always used in conjunction with a host record, also known as a glue record. The NS record refers to the DNS name for the server that hosts this zone. With DNS delegation a subzone can be hosted on any server, so these records are essential in answering DNS queries and making the system work. This NS record is qualified within the same zone by a host record that points to the actual IP address of the server. Along with the SOA record for the zone, this defines the server that has been delegated the hosting for this zone.

New Mail Exchanger Record (MX)—A Mail Exchanger record designates the host name and preference value for a mail server or exchanger for this zone as defined in RFC 974. An MX record requires a name and a priority value (an integer value). Priorities with lower values are chosen first in assessing delivery options. You can set the TTL for this record to an override value.

New Service Record (SRV)—Service records define services that are available within the zone, such as LDAP. A Service record requires a name by which it is known within Adonis. You can set the TTL for this record to an override value.

Priority—The lowest value has greatest precedence. This is an integer.

Port—The port on which the service is available.

Weight—If two services within Adonis have equal priority, the weight value is checked. If the weight for one object is higher than another, the one with the higher weight has its resource records returned first. This is an integer.


New Pointer Record (PTR)—Pointer records are used to resolve IP addresses to FQDNs. They can be thought of as the opposite of a host record. Within an in-addr.arpa zone, PTR records associate an IP address with DNS information. For more information, see Reverse DNS on page 123.

New Text Record (TXT)—Text records can be used to associate arbitrary text with a host name. They include Name and Text fields, and support record types such as those used in Sender Policy Framework (SPF) email validation. You can set the TTL for this record to an override value.

New Naming Authority Record (NAPTR)—NAPTR records are used to specify settings for applications such as VoIP. They are used in Adonis to populate ENUM zones. For more information, see ENUM and VoIP on page 123.

New Custom Resource Record—Creates custom resource records.

Custom Resource Records

To use the following DNS record types, you must create a new custom Resource Record. To do this, select the relevant DNS zone in the tree-view pane, and then click New Custom Resource Record.

DNAME—Creates an alias for an entire subtree of the DNS name space. This type of record differs from a CNAME record, which maps only a single node of the name space.

HINFO—Specifies the type of CPU and operating system for the host/server. Application protocols such as FTP use this information for special procedures when communicating with computers of known CPU and operating system type.

ISDN—Maps a domain name to an ISDN (Integrated Service Digital Network) telephone number. The ISDN phone number or DDI (Direct Dial In) should follow the pattern shown in this example:

12125551234

Where:

01 = United States (country code)

212 = New York City area code

5551234 = phone number

The ISDN sub-address is an optional decimal number.

RP—Specifies the mailbox of the person responsible for individual domain names contained within the zone. To specify the mailbox, replace the @ symbol in the email address with a period.

RT—Indicates an intermediate host that provides routing to the domain name (host) of the record. This information can be used by computers not directly connected to the Internet or any Wide Area Network. If you are using multiple intermediate routing hosts, a preference value is used to set the priority. Lower values have a higher priority, and are tried first. For each intermediate host, a corresponding host (A) address resource record is required in the current zone.


Resource Record Fields

Each type of Resource Record presents a different New dialog box (for example, the New Host dialog box looks different from the New Mail Exchanger dialog box), but they share many common fields. These fields appear in all New Records dialog boxes:

• Name—Type the name you want to use for the record you are creating.

• Provide Name—If you want the record name to be the same as the Zone, click the down arrow, and then select Same as Zone from the drop-down list.

• Time to Live (TTL)—This is automatically set to default. To change the TTL, double-click inside the field, and then type a different value.

• Comment—Type additional information about the record in this field.

These fields appear in some of the New Records dialog boxes, depending on the type of record you are creating:

• Address—Type the IP address of the host, or click the down arrow, and then click the (...) button. Use the Select Host or View dialog box to select the appropriate server. This field appears in New Host and New Quad-A dialog boxes.

• Data—In Custom records, this field shows any other information required by the type of resource record that you are creating. For instance, if you chose to add a Mail Group (MG) record, use this field to record the email addresses of the persons in the group.

• Flags—Flags control the rewriting and interpretation of records and are usually single alphanumeric characters (A-Z and 0-9). This field appears in the New NAPTR dialog box.

• Host—This field appears in Alias, Mail, Name Server, Pointer, and Service dialog boxes. Type the name of the host, or click the down arrow, and then click the (...) button. From the drop-down lists select Link to Another, and then select a host from the Select Host or View dialog box.

• Maintain Reverse Lookup Record—This checkbox appears in New Host and New Quad-A dialog boxes. It controls whether or not reverse pointers are maintained on this server for the record you are creating. In most cases, you can leave this option selected.

• Order—Specifies the order in which records must be processed to represent the ordered list of rules. Ordering runs from lowest value to highest. This field appears in the New NAPTR dialog box.

• Port—Type the number of the port on which the service runs. This field appears in the New Service dialog box.

• Preference—Specifies the order in which records that have equivalent order numbers should be processed. Ordering runs from lowest value to highest. This field appears in the NAPTR dialog box.

• Priority—Type a value that corresponds to the target that you specified in the Host field. Lower numbers have a higher priority when client machines search for a host offering a given service. This field appears in Service and Mail Exchanger dialog boxes.

• Provide Address—If you select this you can type the host’s IP address in the Address field, or click the down arrow, and then select Link to Another.

• Regular Expression—Contains a substitution expression used to construct the next domain name to look up. This field appears in the New NAPTR dialog box.

• Replacement—The next domain name to look up, depending on the potential values found in the Flags field. This field appears in the New NAPTR dialog box.

• Services—A character string that specifies the Service Parameters that apply to a particular delegation path. This field appears in the New NAPTR dialog box.


• Type—This field appears in the New Other dialog box. For more information, see Custom Resource Records on page 102.

• Text—Shows descriptive text. This field appears in the New Text dialog box.

• Weight—This value controls the distribution of load balancing for a service running on multiple servers. It accepts values between 0 and 65535. Higher values are used more often than lower values. A value of zero indicates load balancing does not occur. This field appears in the New Service dialog box.

Managing Servers and Zones

DNS is hierarchical: a domain or namespace may contain sub-domains, and a domain may contain several zones. A zone contains all the hosts that fall into a single namespace. You can set up zones for the servers in your project file. You can only work on one project file within the Management Console. However, one project file may contain multiple servers, each with domains and zones.

Internal DNS provides name resolution of internal resources (for example, file servers) to internal clients. Internal DNS servers give internal clients access to external resources on the Internet either by accepting recursive queries and performing name resolution on the Internet on behalf of the clients, or by forwarding those queries to caching-only servers.

External DNS provides authoritative responses to external queries regarding public resources (for example, web sites). External DNS is set up on servers that are usually configured in a master-slave architecture. For security reasons, these servers should be configured to respond only to queries for which they are authoritative, with recursion turned off.

Authoritative DNS and Delegation

Every DNS zone has one or more servers listed as being authoritative for that zone. This means that the final word on the DNS information for that zone resides on that master server where the zone is maintained. This authority is defined in two important ways. The SOA record for a zone lists the master server for the zone using its DNS name rather than its IP address. This is to prevent network changes from breaking DNS services. SOA records are discussed in Defining the Start of Authority for a Zone on page 113.

The NS or name server records in the zone list all of the authoritative servers, whether master or slave servers for the zone. These are CNAME records that also refer to the DNS name of the server. These are always accompanied by a special host record called a glue record that refers to the IP address of the name server. Adonis manages these NS and glue records during most operations within the Management Console. However, some editing may require that these records be re-established in order to maintain DNS functionality on the servers involved.

Adding Zones

You can add the following zone types:

• Master Zones (see Adding a Master Zone on page 105)

• Slave Zones (see Adding a Slave Zone on page 106)

• Cache Zones (see Adding a Cache Zone on page 108)

• Forwarding Zones (see Adding a Forwarding Zone on page 109)

• Stub Zones (see Adding a Stub Zone on page 110)

• Delegation Only Zones (see Adding a Delegation Only Zone on page 110)


Adding a Master Zone

A master zone contains one or more DNS zone files that are authoritative for these zones. DNS information on a master server is edited and read from a local file system. A master zone typically sends its zone files to one or more slave servers through zone transfer operations whenever the zone file changes. In this case, the term “master” relates to the fact that this is the authoritative source of information about these zones.

There are two types of master zone mapping, forward and reverse.

• A forward master zone defines the zone characteristics and the IP addresses used by any hosts and services within the zone. It also matches queries containing domain names to the IP addresses that they represent.

• A reverse master zone matches IP addresses to the host names that represent them.

To add a forward master zone:

1 In the tree-view pane, right-click the group to which you want to add a zone. From the context menu select New Zone, and then select Master Zone. The New Master Zone dialog box appears.

2 In the Name field type the name of the zone, and then click OK.

To apply a template to the new zone, select the Apply Template checkbox. This checkbox and the associated drop-down list are inactive until you create at least one zone template.

To add a reverse master zone:

1 In the tree-view pane, right-click the group to which you want to add a zone. From the context menu select New Zone, and then select Master Zone. The New Master Zone dialog box appears.


2 From the Zone Type drop-down list, select Reverse Zone.

3 Specify the zone parameters using one of these options:

▪ By Address Type

▪ in-addr.arpa notation

4 If you choose By Address Type, select one of the following classes from the Size Type drop-down list:

▪ Class A

▪ Class B

▪ Class C

▪ Class C (subnet)

5 Complete the Partial Address field, and then click OK.

6 If you choose in-addr.arpa notation, type the zone address, and then click OK.

If you select Class C (subnet), you must also indicate the Zone Format, Start Offset, Size, and Separator.

Adding a Slave Zone

A slave zone obtains its information from a master zone using DNS zone transfers, but it responds authoritatively for the zones for which the master server is authoritative. Zone data on a slave server can expire, so the slave remains authoritative only for zone files and resource records that have not expired.

To add a slave zone:

1 In the tree-view pane, right-click the group to which you want to add a zone. From the context menu select New Zone, and then select Slave Zone. The New Slave Zone dialog box appears.

2 Specify the zone name using one of these options:

▪ Choose Master—Use this option if the master zone that this slave mirrors resides within the same Adonis configuration (which it should). Click the field for this option to display the Select Master Zone dialog box and select a zone to associate with the slave zone.

▪ Provide Master—Use this option if the master zone does not reside within the same Adonis configuration and a remote server is being referenced. Enter a zone name in the Name field and the IP address for the server containing the master zone in the IP Address field.

3 Modify the allow transfer and notify options on the master to include this slave.

To apply a template to the new zone, select the Apply Template checkbox. This checkbox and the associated drop-down list are inactive until you create at least one zone template.

Master Zone Dependencies

Slave zones are dependencies of the master zone. In a large network that includes many slave servers you can view all the dependencies simultaneously from the tree-view pane.

To view zone dependencies:

1 In the tree-view pane right-click the master zone, and then select Show Dependencies from the context menu. The Zone Dependencies dialog box appears.

2 Scroll through the list until you find the dependency you want to examine, and then double-click it. In the tree-view pane the server object that contains this dependency expands to show you the location of the slave zone.

3 To see the master zone, right-click the dependency, and then select Go To Master Zone from the context menu.

Authoritative DNS Options

These options are used on authoritative DNS servers that host master or slave zones. Options for DNS objects are set on their Deployment Options tabs. For more information, see Zone Transfer Options on page 116.

additional-from-auth/additional-from-cache—These options are used to specify whether out-of-zone CNAME and DNAME references are followed. They are intended for use in authoritative-only servers, or in authoritative-only views. Setting either of them to no without also setting recursion to no causes the server to ignore the option and log a warning message.


When these options are set to yes (default) and a query is being answered from authoritative data, the additional data section of the reply is completed using data for this alias record from other authoritative zones. If only additional-from-cache is set to yes, then the server provides the extra data if it is available within its cache. All other combinations generate a REFUSED response to the query. This option is used at the service and views levels.

auth-nxdomain—If this option is set to yes, the name server can answer authoritatively when returning an nxdomain (domain does not exist) response. If it is set to no, the server cannot answer authoritatively.

Recursive DNS

Recursive DNS is necessary for answering queries that are not within a zone for which the DNS server is authoritative. A query can automatically be sent to another name server through the use of a forwarder or stub zone, but often recursive DNS is used to refer to a non-authoritative DNS server taking responsibility for a query. The caching DNS server uses iterative queries to all of the required DNS servers starting at the root zone, then to a top-level domain server and so on, until it has a final answer for the client or resolver. This section describes the zone types and DNS options related to recursive DNS.

Adding a Cache Zone

A cache zone is used to store temporary DNS entries that are derived using recursive queries. For this reason, the Allow Recursion option must be set to Yes for the view in which the cache zone appears.

Custom root servers can be specified for a cache zone to prevent recursive queries from leaving an organization’s network. This option is often used to maintain organizational security.

To use this option, select the Use Custom Root Servers checkbox.

Caching DNS Options

These are DNS options that apply to DNS caching servers. They are generally set at the service level.

Allow Recursion—This option can be set to yes, no, or default. It configures whether the server does recursive queries. This option is used at the service and views levels. In order for the server to actually respond to recursive queries, you must create a cache zone or a forwarding zone.

Configure Recursion—This option defines a match list of IP addresses allowed to issue recursive queries to the server. If the answer to the query already exists in the cache, it is returned. If not specified, all hosts are allowed to make recursive queries. This option may only be specified at the service level.

Match Recursive Only—This option is set either to yes or no. If set to yes, the server answers only recursive queries. This option is used at the views level.

When you provide new zone information, the new zone appears beneath the name of the view or zone in the tree-view pane of the Management Console.


max-cache-size—This option uses an unsigned 16-bit integer value to define the maximum size for the DNS cache in bytes. This option is used at the service and views levels.

max-cache-ttl—This option defines the upper limit in seconds of the Time to Live (TTL) for cached records. The default setting is 604800 seconds (one week). This option is used at the service and views levels.

max-ncache-ttl—This option limits the TTL in seconds for cached negative records. The default setting is 10800 seconds (three hours). This option is used at the service and views levels.

root-delegation-only—This option enables the enforcement of delegation-only in TLD and root zones, with an optional exclude list. This option is used at the service level.

Sort List—This creates a list of IP addresses that the server uses to sort the results of a name lookup. If a query generates multiple addresses, the resolver refers to the sort list and tries the items in the list. This option is used at the service and views levels.

cleaning-interval—This is the interval in minutes at which the server checks for, and removes, expired resource records from the cache (default is 60 minutes). This option is used at the service and views levels.

lame-ttl—This option specifies the time interval in seconds that the server avoids requesting data from a remote server that is listed as authoritative, but is not responding authoritatively. The default value for this option is 600 seconds. This option is used at the service level.

Adding a Forwarding Zone

A forwarding zone is used as a shortcut to zones for which the name servers are not authoritative, but that the clients may access frequently. Forwarders are useful security tools because internal DNS servers can use forwarding zones to forward requests for external resources to servers that allow recursive queries.

To add a forwarding zone:

1 In the tree-view pane, right-click the group to which you want to add a zone. From the context menu select New Zone, and then select Forwarding Zone. The New Forwarding Zone dialog box appears.

2 Specify the zone name using one of these options:

▪ Choose Master—Use this option if the master zone resides on an Adonis appliance. Click the field to the right of this option to open the Select Master Zone dialog box and select a zone.

▪ Provide Master—Use this option if the master zone does not reside on an Adonis appliance, or if you are referencing a remote server. Type the Name and IP Address of the master zone in the available fields.

Forwarding zones require recursion to be enabled. You must set the Allow Recursion option for the view or DNS service to Yes. Two DNS options apply directly to forwarders.

Forwarding—This is a list of the IP addresses of servers that are designated as forwarders. Off-site queries requiring recursive resolution are sent to these forwarders, thereby helping to efficiently manage traffic on your network. These addresses are listed in order of preference. This option is used at all levels.

Forwarding Mode—This option indicates whether requests are forwarded to the forwarders with precedence only, or are forwarded there first, and if not answered, are answered by this server. This option is used at the DNS service level.

Adding a Stub Zone

A stub zone is useful for managing the delegation of sub-domains, as it keeps a dynamic link between the parent and the delegated child domains. Stub zones are often used to reference Windows Primary Domain Controllers in an Active Directory-based network. Adonis tries to use the name server specified here as if the results from that name server existed in its cache. If this fails to resolve the query, it is answered using a standard recursive query.

To add a stub zone:

1 In the tree-view pane, right-click the group to which you want to add a zone. From the context menu select New Zone, and then select Stub Zone. The New Stub Zone dialog box appears.

2 Specify the zone name using one of these options:

▪ Choose Master—Use this option if the master zone resides on an Adonis appliance. Click the field to the right of this option to open the Select Master Zone dialog box and select a zone.

▪ Provide Master—Use this option if the master zone does not reside on an Adonis appliance, or if you are referencing a remote server. Type the Name and IP Address of the master zone in the available fields.

Adding a Delegation Only Zone

Queries to a delegation only zone return a referral or a delegation.

To add a delegation only zone:

1 In the tree-view pane, right-click the group to which you want to add a zone. From the context menu select New Zone, and then select Delegation Only Zone. The New Delegation Only Zone dialog box appears.

2 Type the zone name in the Name field, and then click OK.

Working with Zones

Adonis has several different kinds of operations for working with zones:

• rename
• refresh
• delete
• disable

Renaming Zones

To rename a zone:

1 In the tree-view pane, right-click the zone that you want to rename, and then select Rename from the context menu. The Rename Zone dialog box opens.

2 Type the new name in the Zone Name field.

3 To allow Adonis to update all your resource records within this zone and reflect changes, select the Rename all sub-zones checkbox.

4 Click OK. The dialog box closes and the new name displays in the tree-view pane.

Refreshing Zones

If you are using DDNS to update master DNS zones automatically (for example, to keep up-to-date with your DHCP service) the changes take place on the Adonis server, but not in the Management Console.

To refresh a zone from the server:

1 Click Refresh from Server. The Refresh Master Zone dialog box appears.

2 Type the server password.

3 Click OK. This updates the entries in the Management Console.

After you have refreshed a zone, the connection to the server stays open. If you need to refresh the same zone again or another zone, click Refresh from Server.

Deleting Zones

To delete a zone:

1 In the tree-view pane, right-click the zone that you want to delete, and then select Delete from the context menu.

Disabling Zones

You can create live configurations and serve DNS data only for zones that are fully prepared (for example, all web, email, and database servers are online and ready for production). When you disable a zone, Adonis automatically disables all resource records associated with that zone. For more information, see Editing and Deleting Resource Records on page 121.

To disable a zone:

1 In the tree-view pane of the Management Console, right-click the zone you want to disable.

2 Select Disable Zone from the context menu. The zone is now disabled.

If you accidentally delete a zone, from the Edit menu, select Undo. This function can be used to step back through multiple changes in the console.

To enable a disabled zone, right-click the zone and then select Enable Zone.

Setting Zone Options

When you set up zones, the Management Console automatically enters a series of substatements and settings into your project file. These configuration settings represent the default settings for BIND, but you can change them to suit your needs.

To set the options for a zone:

1 In the tree-view pane of the Management Console, double-click the server that you want to work with and view its corresponding zones. A list of the server’s views and zones appears.

2 Click the zone you want to edit, and then click the Options tab in the detail pane of the Management Console. A list of options and settings appears.

3 To change a setting, double-click the option. An option-specific dialog box opens. Use it to make changes for that particular option. For some options, you must clear the Use default checkbox first to enable the other options in the dialog box.

4 Make the necessary changes using Add, Edit, Remove, Move Up, and Move Down. Additional dialog boxes may open, depending on the option you select.

5 Click OK.

For most options, the Add and Edit dialog boxes have an Exclude checkbox, which indicates that the address should be ignored. You can then add an entire subnet and exclude individual IP addresses.

Defining the Start of Authority for a Zone

The SOA resource record for a zone identifies the primary master name server that is authoritative for the zone. Together with the name server and glue records for the zone, this is used to control where a zone is hosted. The SOA records contain important settings for refreshing the data in the zone. They also provide general information, including contact information for the zone.

To set the start of authority for a master zone:

1 In the tree-view pane, right-click a view. From the context menu select Set Master Zones SOA. The Set Master Zones SOA dialog box appears.

2 Clear the Default Settings checkbox, and then type new values in the fields you want to change:

Primary Server—The name of the primary master name server for the zone.

Contact e-mail—The zone administrator’s email address.

Serial #—A unique identifying number that applies to all data in the zone.

Refresh Interval—The time period in seconds that slaves for the zone check to make sure the zone data is up-to-date. The default setting is 10800 seconds (three hours).

Retry Interval—The time period in seconds that slaves try to reconnect to the master name server if the first attempt failed after the refresh interval. The default setting is 3600 seconds (one hour).

Expiry Time—The time period in seconds after which slaves that have failed to connect with the master name server stop providing information about the zone. After the time has passed, the resource records for the zone are considered too old to be useful. The default setting is 604800 seconds (one week).

Minimum TTL—The minimum duration in seconds that the caching server stores zone data before discarding it and acquiring updated data. The default setting is 86400 seconds (one day).

Default TTL—The default duration in seconds that the master name server caches zone data before discarding it and acquiring updated data. The default setting is 3600 seconds (one hour).

3 Select the time values you want to use from the drop-down lists, and then click OK.

4 To see your edited values click a master zone, and then select its Start of Authority tab.

The serial number is set to auto because Adonis uses a special algorithm to determine the correct setting: you cannot change it.
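The timers above interact with each other, and a zone whose SOA values are individually valid can still make slaves serve stale data or drop the zone after one missed refresh. The following check is an added example and is not code from the Adonis guide or from BlueCat: it parses an SOA record in zone-file presentation form and reports the combinations a reviewer would flag. The relational checks (retry shorter than refresh, expire longer than refresh plus retry, expire of at least a week) are my own review thresholds; the one-day limit on the negative-caching field comes from RFC 2308. The sample record uses the guide's default values with constructed host and contact names.

```python
"""SOA timer sanity check (added example; names and thresholds are assumptions)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Soa:
    mname: str     # primary master name server
    rname: str     # contact mailbox in DNS form: first '.' stands for '@'
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int   # negative-caching TTL (RFC 2308)


# Constructed sample: the guide's default timers with made-up names.
GUIDE_DEFAULTS = "ns1.example.test. hostmaster.example.test. 2008010101 10800 3600 604800 86400"


def parse_soa_rdata(rdata: str) -> Soa:
    """Parse 'mname rname serial refresh retry expire minimum'."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"SOA RDATA needs 7 fields, got {len(fields)}")
    mname, rname, *nums = fields
    serial, refresh, retry, expire, minimum = (int(n) for n in nums)
    return Soa(mname, rname, serial, refresh, retry, expire, minimum)


def contact_email(soa: Soa) -> str:
    """hostmaster.example.test. -> hostmaster@example.test (unescaped local parts only)."""
    local, _, domain = soa.rname.rstrip(".").partition(".")
    return f"{local}@{domain}"


def soa_warnings(soa: Soa) -> List[str]:
    """Return review findings; an empty list means the timers look sane."""
    w: List[str] = []
    if soa.retry >= soa.refresh:
        w.append("retry should be shorter than refresh, otherwise a failed refresh "
                 "is retried later than the next scheduled refresh")
    if soa.expire < soa.refresh + soa.retry:
        w.append("expire is shorter than refresh + retry: one unreachable master "
                 "makes the slaves stop answering for the zone")
    if soa.expire < 7 * 86400:
        w.append("expire below one week leaves little margin for a master outage "
                 "(assumed threshold)")
    if soa.minimum > 86400:
        w.append("negative-caching TTL above one day is discouraged by RFC 2308")
    if not 0 <= soa.serial < 2 ** 32:
        w.append("serial must fit in an unsigned 32-bit integer")
    return w


if __name__ == "__main__":
    rec = parse_soa_rdata(GUIDE_DEFAULTS)
    print("contact:", contact_email(rec))
    print("warnings:", soa_warnings(rec) or "none")
```

Run it against the SOA line exported for each master zone; the guide's defaults produce no findings, and a retry longer than the refresh interval, or an expire shorter than a week, is reported with the reason.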

To modify the SOA records for a zone:

1 Click the zone that contains the SOA you want to modify, and then click the Start of Authority tab in the details pane.

2 To modify a setting, click the field you want to edit. A dialog box opens for you to make the necessary changes.

3 Type a new value, and then select a time value from a drop-down list.

4 To return a setting to its default value, select the Use Default Setting checkbox.

5 Click OK.

Zone Templates

Adonis supports the use of zone templates for creating zones. A template is a generic zone with settings that can be applied to a new or existing zone. Records in the template are automatically added to the zone, as are configuration settings. Records added to the template are updated in each zone whenever they are updated in the template. However, template configurations are not updated when they are modified in the template after a zone is updated once. Manually editing a record or setting in a zone linked to a template breaks the link between the record or setting in the template and the zone.

To create a zone template:

1 Right-click the Zone Template icon of any view in the tree-view pane of the Management Console, and then select New Master Zone Template.

2 Set up the options for the zone template the same way that you would for a regular zone.

To apply a zone template:

1 Select the Apply Template checkbox in the New Master Zone dialog box when you are creating a new master zone.

or

2 In the tree-view pane of the Management Console highlight an existing zone.

3 In the detail pane click the Template tab.

4 Click the Link To: field. The Select Zone Template dialog box opens.

5 Select a template from the list, and then click OK.

Records in a particular zone that came from a template are no longer updated from the template after they have been updated once in that zone.

To unlink a zone template:

1 In the tree-view pane of the Management Console highlight the zone you want to unlink.

2 In the detail pane click the Template tab.

3 Click the Link To: field. The Select Zone Template dialog box opens.

4 Select the Unlink zone from template option, and then click OK.

Zone Transfer Options

These options control the way in which the DNS service manages zone transfers, and the transfers themselves.

Access Controls

These options control whether transfers take place, and which servers are notified of changes to master zones.

Allow Transfer—This option prevents zone transfers between Adonis and any IP addresses except those specified in the option. As a zone option, it restricts transfers of one particular zone. As a server option, it restricts all zone transfers and is set by default to allow only your slave servers to transfer zones (you can expand this permissions list). The list for a particular zone overrides the list for the corresponding server. This option is used at all levels.

notify—This option indicates whether or not zone transfers from the primary master to the slaves occur immediately after zone updates on the master. The default setting is yes, which helps to avoid lengthy propagation times. This option is used at all levels.

Notify List—This option is a list of IP addresses that receives zone transfers from the primary master immediately after zones are updated on the master. For servers, the default list includes the IP addresses of all name servers that you have set up within the Management Console. This option is used at all levels.

Transfer Controls

These options control the relevant time intervals, format, number of connections and dial-up properties associated with zone transfers.

max-transfer-idle-in—This option is only applicable to master servers. It is the maximum time in minutes that an inbound zone transfer remains idle without timing out. The default for both servers and zones is 60 minutes. This option is used at all levels.

max-transfer-idle-out—This option is only applicable to master servers. It is the maximum time in minutes that an outbound Zone Transfer remains idle without timing out. The default for both servers and zones is 60 minutes. This option is used at all levels.

max-transfer-time-in—This option is the maximum time in minutes allowed for a single inbound zone transfer connection to a slave server. The default for both servers and zones is 120 minutes. This option is used at all levels.

max-transfer-time-out—This option is the maximum time in minutes allowed for a single outbound zone transfer connection to a slave server. The default for both servers and zones is 120 minutes. This option is used at all levels.

transfer-format—This option controls whether the format of zone transfers from the master to the slaves is one-answer, which carries only one resource record in each DNS message, or many-answers, which carries as many resource records as possible in each DNS message. The default setting is many-answers. This option is used at the service and views levels.

transfers-in—This option limits the total number of inbound zone transfers from all remote servers that the local name server requests at any one time. The default setting is 10 transfers. Increasing this setting may speed up the convergence of slave zones, but it may also increase the load on the local system. This option is used at the service level.

transfers-out—This option limits the total number of concurrent outbound zone transfers per master server to all remote servers. The default value is 10. This option is used at the service level.

transfers-per-ns—Used by slave servers, this option limits the total number of inbound zone transfers from any single remote name server that this server requests at any one time. The default is 10 transfers. This option is used at the service level.

dialup—This option marks whether or not zone transfers occur as if they are across a dial-on-demand dialup link. For servers, this option refers to all of the server’s zones. The setting for a particular zone overrides the setting for the corresponding server. The default for both servers and zones is no. This option is used at all levels.

heartbeat-interval—This option indicates the frequency in minutes at which the name server brings up its dial-on-demand connection for all zones marked as dialup (default is 60 minutes). This is a service level option.

Managing Resource Records

You can use the Resource Records toolbar to add resource records to the zones in your project file. The following tools are useful for adding new records.

In addition to using the Resource Records toolbar, you can right-click a blank area on the Resource Records tab, select New on the context menu, and then select the type of resource record you want to create.

Adding Resource Records

Adonis supports two ways of creating Resource Records:

New Auto Generate Resource Record—creates records as a single line in the Management Console.

Generate Records Incrementally—creates all host and pointer records in the Management Console.

You can use either tool to create Host, Alias, Pointer, or Name Server records. Each method performs a similar function, but there are some distinct differences:

• New Auto-Generate Resource Records—uses the BIND $GENERATE control statement to create a single line in the zone file. This tool creates a series of records that differ by a specific numerical iterator: for example, workstation1, workstation2.

• Generate Records Incrementally—creates all records in the zone in the Management Console. This tool creates the resource records in the zone so that they are visible in the Management Console and on the appliance.

Auto-Generating Resource Records

Automatic generation of resource records creates a single host entry in the project file. When synchronized, Adonis creates the actual records on the server.

To create auto-generated resource records:

1 In the tree-view pane of the Management Console, click the zone for which you want to create auto-generated resource records.

2 Click New Auto Generate Resource Record on the Resource Records toolbar. The New Auto Generate Record dialog box opens.

3 In the Start and End fields, type the values to start and stop numbering your records.

4 In the Step field, type the increment that you want to use between iterations.

5 In the Name field, type the name for your auto-generated records. Type the dollar symbol ($) as a place-holder for the generated number. For example, if the Start value is set at 5, the End value is 25, the Step value is 5, and the Name value is mytest$, Adonis auto-generates the following incremental records:

▪ mytest5
▪ mytest10
▪ mytest15
▪ mytest20
▪ mytest25

6 From the Type list, select a type of record (Alias, Host, Name Server, or Pointer).

7 In the Host field, type the IP address for the first auto-generated record, using $ as the place holder for the auto-generated integer. The following list shows the auto-generated record addresses:

▪ 172.16.0.5
▪ 172.16.0.10
▪ 172.16.0.15
▪ 172.16.0.20
▪ 172.16.0.25

8 Click OK. The Auto-Generated records appear in the detail pane of the Management Console. These records are created on the appliance when you deploy the project file and it synchronizes with the server.

This tool does not create Host PTR records in the corresponding reverse zone.

Generating Records Incrementally

This tool creates the resource records in the zone so that they are visible in the Management Console and on the appliance.

This tool creates Host PTR records by default in the appropriate reverse zone files. You can choose not to create the PTR records if you prefer. The tool does not re-create records that already exist.

To generate records incrementally:

1 In the tree-view pane of the Management Console, click the zone for which you want to generate incremental records.

2 On the Resource Records toolbar, click Generate Records Incrementally. The Generate Records Incrementally dialog box opens.

3 In the Start and End fields, type a value for the start and end numbers of your records.

4 In the Step field, type the increment that you want to use between iterations. For example, type 1 if you want to step up one at a time.

5 In the Name field, type a name for your incremental records. Type the dollar symbol ($) as a place-holder for the generated number.

For example, if the Start value is 5, End value is 25, Step is 5, and Name is mytest$, Adonis generates the following incremental records:

▪ mytest5
▪ mytest10
▪ mytest15
▪ mytest20
▪ mytest25

6 From the Type list, select a type of record (Alias, Host, Name Server, or Pointer).

7 In the Host field, type the name or IP address of the host with which the records are to be associated:

▪ For Alias, Name Server, and Pointer records type the host name.

▪ For Host records type the host IP address.

8 To prevent a record from being created if one already exists, select the Prevent duplicate records checkbox.

9 Click OK. The list of incremental records appears in the detail pane.

To create and maintain reverse address pointers for host records, select the Add reverse entries checkbox. This checkbox is not active until you select Host as the record type.
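Both tools above expand the same pattern: every occurrence of $ in the Name and Host fields is replaced by the iterator value, which is exactly the rule BIND applies to a $GENERATE line (range syntax start-end/step). The following is an added example, not code from the Adonis guide, that performs that expansion for the mytest$ / 172.16.0.$ case in the text and, like the Generate Records Incrementally tool with Add reverse entries selected, also derives the PTR records for the reverse zone; the zone name example.test and the function names are my own.

```python
"""Expand a $GENERATE-style record series (added example; names are assumptions)."""
import ipaddress
from typing import List, Tuple


def expand_series(start: int, end: int, step: int, pattern: str) -> List[str]:
    """Substitute each iterator value for '$' in pattern, as BIND's $GENERATE does."""
    if step <= 0 or end < start:
        raise ValueError("need step > 0 and end >= start")
    return [pattern.replace("$", str(i)) for i in range(start, end + 1, step)]


def generate_directive(start: int, end: int, step: int, lhs: str, rtype: str, rhs: str) -> str:
    """The single zone-file line that the auto-generate tool writes."""
    return f"$GENERATE {start}-{end}/{step} {lhs} {rtype} {rhs}"


def expand_hosts(start: int, end: int, step: int, name_pat: str, addr_pat: str,
                 zone: str, reverse: bool = True) -> Tuple[List[str], List[str]]:
    """Return (forward A records, PTR records) in zone-file presentation form.

    Each generated address is validated, so a pattern that steps past 255
    (for example 172.16.0.$ with End above 255) is rejected instead of
    producing records that the server would refuse to load.
    """
    names = expand_series(start, end, step, name_pat)
    addrs = expand_series(start, end, step, addr_pat)
    forward: List[str] = []
    pointers: List[str] = []
    for name, addr in zip(names, addrs):
        ip = ipaddress.IPv4Address(addr)          # raises on a malformed result
        fqdn = f"{name}.{zone.rstrip('.')}."
        forward.append(f"{fqdn} IN A {ip}")
        if reverse:
            # reverse_pointer gives e.g. 5.0.16.172.in-addr.arpa
            pointers.append(f"{ip.reverse_pointer}. IN PTR {fqdn}")
    return forward, pointers


if __name__ == "__main__":
    print(generate_directive(5, 25, 5, "mytest$", "A", "172.16.0.$"))
    fwd, ptr = expand_hosts(5, 25, 5, "mytest$", "172.16.0.$", "example.test")
    print("\n".join(fwd + ptr))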

Editing and Deleting Resource Records

To edit or delete resource records:

1 In the tree-view pane of the Management Console, click the zone containing the resource record that you want to edit or delete. The detail pane lists all of the resource records for the selected zone.

2 To edit a resource record, double-click it, and then make changes in the dialog box that appears.

3 To delete a resource record:

▪ right-click the record, and then select Delete from the context menu

▪ select the record, open the Edit menu, and then select Delete

▪ select the record, and then press the Delete key on your keyboard.

Disabling Resource Records

You can disable resource records to hide them or make them unavailable to queries.

To disable a resource record:

1 In the tree-view pane of the Management Console, click the name of the zone containing the resource record that you want to disable.

2 In the detail pane right-click the name of the resource record, and then select Disable Resource Record(s) from the context menu.

If you delete a resource record accidentally, click Undo. Alternatively, on the Edit menu, select Undo.

You can also disable several resource records at the same time. Hold down the Control key while selecting the resource records you want to disable, right-click them, and then select Disable Resource Record(s).

To enable a disabled resource record, click the zone containing the resource record, right-click the resource record, and then select Enable Resource Record(s).

Chapter 7: Advanced DNS

Adonis has advanced DNS capabilities that can support complicated network topologies. This chapter includes the following topics:

• Reverse DNS on page 123 discusses Reverse DNS as an integral part of modern dynamic networks.

• Dynamic DNS on page 128 explains how Dynamic DNS can update reverse DNS zones with information about dynamic network clients.

• Integrating Active Directory on page 130 contains information about integrating Microsoft Active Directory (AD) with Adonis.

• Checking the Data on page 132 discusses the tools available to check the integrity and efficiency of the DNS data in a project file.

• Transaction Signatures on page 140 introduces Transaction Signatures (TSIG) and how they provide a certificate-based authentication system for DNS and DDNS from DHCP servers. This enables trusted transfers and modifications of DNS information. Adonis appliances use TSIGs to protect all transfers between them.

• DNS Queries on page 144 describes how Adonis can control access for DNS queries and deliver a customized response using DNS Views. Sophisticated query logging capabilities also provide Adonis with in-depth DNS tracking and auditing.

• DNS and IPv6 on page 151 describes how to use DNS in an IPv6 environment with Adonis.

Reverse DNS

Reverse DNS is used to translate IP addresses into DNS names. It is a critical component in dynamic networks to ensure proper routing. The zones used to store this information contain special records (for example, PTR and NAPTR records) that are designed to provide reverse DNS information for a given address. Reverse DNS is an essential component of the Microsoft Active Directory service, and it provides the DNS functionality necessary to operate VoIP packet-based telephony.

Reverse DNS is often populated using DDNS in conjunction with a DHCP server. For more information, see Dynamic DNS on page 128.

Some ISPs delegate the responsibility for maintaining reverse DNS to their clients. For more information, see Delegating Subnets on page 126.

ENUM and VoIP

VoIP technology provides the framework to evolve the telephone from a simple two-way voice communication device to a network-attached node with multifaceted capabilities. VoIP devices are addressed in more than one way. A URI string provides custom forward locator references for these devices as defined in RFC 3401. Reverse DNS is used to discover the relevant information for a device based on its phone number alone, and NAPTR records are used to represent this information.

ENUM zones, also known as in-addr.arpa zones or e.164 zones, provide VoIP functionality within a DNS server. ENUM zones contain special sub-zones called prefixes that represent telephone exchanges and can contain the records for the actual devices. Within the prefixes, the last four digits of the phone number after the exchange are the only ones entered for the record. The structure of the zones and prefixes dictates the exchange and area code for this number.

Provisioning a VoIP service requires many systems, including DNS to manage the phone numbers associated with client end points. Adonis uses a reverse DNS zone to create the ENUM structure for each desired area code. This reverse zone is populated with sub-zones that represent all of the required telephone exchanges. Finally, NAPTR records are added to represent the individual VoIP devices. The naming convention for the ENUM and prefix zones involves reversing the numbers and placing a dot between each number. Thus, for the phone number 1-416-555-1212, the ENUM zone is 6.1.4.1, and the prefix zone is 5.5.5. This could also be represented with a 1 zone for the country exchange with a 6.1.4 ENUM zone beneath it, depending on your requirements. When you add the ENUM zone, a reverse master zone is added with the button highlighted for the in-addr.arpa notation option.

The following figure shows an ENUM zone within the Management Console.

To add a NAPTR record:

1 On the Resource Records tab, click New NAPTR Record. The New NAPTR dialog box appears.

2 Type information in the following fields:

▪ Name—The name for the record.

▪ Order—Specifies the order in which NAPTR records are read, with the lowest match being selected first.

▪ Preference—Determines the order in which NAPTR records with the same order should be processed. It functions similarly to the preference field in an MX record.

▪ Flags—Values 0–9 and a–z can be used as flags to control aspects of the rewriting and interpretation of the fields in the NAPTR record. Because different replacements and interpretations can be required when using NAPTR records, these flags can be useful in dictating behaviors for the host VoIP application.

▪ Service—The service that this NAPTR record uses. The available service types are described in the IANA ENUM Service definition, available from IANA. A client attempts to match against this service type.

▪ Regular Expression—Regular Expressions or URIs are strings that are used in the Dynamic Delegation Discovery System as described in RFC 3401.

▪ Replacement—If the regular expression statement is being used as a simple replacement, this field can provide a domain name. Returning both fields is considered an error, so simple replacement using the regular expression field is the only case where this field should be used.

▪ TTL—This is a standard Time To Live value for this record.

▪ Comment—Type any comments that should be associated with this record.

3 Click OK.
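The ENUM naming convention described above (reverse the digits and put a dot between each, so that 1-416-555-1212 gives the ENUM zone 6.1.4.1 and the prefix zone 5.5.5) and the NAPTR fields listed in the procedure are easy to get wrong by hand. The following is an added example, not code from the Adonis guide: enum_labels() performs the guide's split into ENUM zone, prefix zone and record label, enum_fqdn() gives the full owner name under the public e164.arpa tree of RFC 6116 (that suffix is my addition, the guide does not name it), and naptr_rdata() builds the record's data in zone-file form while enforcing the rule stated for the Replacement field, that a regular expression and a replacement must not both be given. The phone number and SIP URI are constructed values.

```python
"""ENUM owner names and NAPTR RDATA (added example; names are assumptions)."""
import re
from typing import Tuple


def _reverse_dotted(digits: str) -> str:
    return ".".join(reversed(digits))


def enum_labels(phone: str, exchange_digits: int = 3,
                subscriber_digits: int = 4) -> Tuple[str, str, str]:
    """Split a number the way the guide does: (enum_zone, prefix_zone, record_label).

    '1-416-555-1212' -> ('6.1.4.1', '5.5.5', '2.1.2.1'): the subscriber
    digits become the record label, the exchange the prefix zone, and the
    country plus area code the ENUM zone.
    """
    digits = re.sub(r"\D", "", phone)
    tail = exchange_digits + subscriber_digits
    if len(digits) <= tail:
        raise ValueError("number too short for the requested split")
    subscriber = digits[-subscriber_digits:]
    exchange = digits[-tail:-subscriber_digits]
    head = digits[:-tail]
    return _reverse_dotted(head), _reverse_dotted(exchange), _reverse_dotted(subscriber)


def enum_fqdn(phone: str) -> str:
    """Full owner name under the public ENUM tree e164.arpa (RFC 6116)."""
    return _reverse_dotted(re.sub(r"\D", "", phone)) + ".e164.arpa."


def naptr_rdata(order: int, preference: int, flags: str, service: str,
                regexp: str = "", replacement: str = ".") -> str:
    """Format NAPTR RDATA: order preference "flags" "service" "regexp" replacement."""
    if not (0 <= order <= 65535 and 0 <= preference <= 65535):
        raise ValueError("order and preference are 16-bit values")
    if not re.fullmatch(r"[0-9a-zA-Z]*", flags):
        raise ValueError("flags are limited to digits and letters")
    if regexp and replacement not in ("", "."):
        # The guide: returning both fields is an error.
        raise ValueError("regexp and replacement are mutually exclusive")
    if regexp and regexp.count(regexp[0]) != 3:
        # 'delim ere delim repl delim' form; escaped delimiters are not handled here.
        raise ValueError("regexp must be delimiter, pattern, delimiter, replacement, delimiter")
    return f'{order} {preference} "{flags}" "{service}" "{regexp}" {replacement or "."}'


if __name__ == "__main__":
    number = "1-416-555-1212"                     # constructed example number
    print(enum_labels(number), enum_fqdn(number))
    print(naptr_rdata(100, 10, "u", "E2U+sip", "!^.*$!sip:14165551212@example.test!"))
```

The record label returned for the subscriber digits is what goes in the Name field of the New NAPTR dialog when the record is created inside the prefix zone; naptr_rdata() shows the data the server will publish for the Order, Preference, Flags, Service, Regular Expression and Replacement fields.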

Delegating Subnets

The Subnet Delegation Wizard enables the management of a block of addresses for delegation to another reverse DNS server. This is useful, for example, where an ISP wants to delegate management of an organization’s reverse DNS resolution to that company. The ISP delegates a block of addresses and the company maintains all of the reverse-PTR Records for the subnet. When DNS changes occur, they can be managed by the organization instead of the ISP. This feature also enables organizations to manage their own DNS architecture and security. For more information, see Adding a Master Zone on page 105.

To create a reverse zone that can have addresses delegated to it:

1 In the tree-view pane, right-click the object under which you want to create the zone.

2 Select a new master zone, specify a reverse zone in the drop-down box, and then click OK.

3 Right-click the new zone and choose Subnet Delegation Wizard. Click Next. The Delegated Address Space dialog box appears.

4 Specify the offset from the beginning of the zone for the subnet that is delegated, choose the CIDR notation to indicate the proper size for the subnet, select a separator, and then click Next.

5 Click Add, and then type the name server address in the New Delegate dialog box.

6 Click Next, and then click Finish.

On the Resource Records tab Adonis adds an auto-generated Alias record and Name Server records.

The subnet is now delegated.
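The wizard's inputs (offset into the parent reverse zone, CIDR size, separator, delegate name servers) and its output (Name Server records plus an auto-generated Alias record) match the classless in-addr.arpa delegation of RFC 2317, in which the parent zone holds NS records for a sub-zone named after the block and one CNAME per address pointing into that sub-zone. The following is an added example, not code from the Adonis guide, that builds those records for a /26 delegated at offset 64 of the 192.0.2.0/24 documentation block; the zone, offset, separator and the customer's name servers are constructed values, and reading the wizard's output as RFC 2317 is my interpretation.

```python
"""RFC 2317 classless reverse delegation (added example; values are constructed)."""
import ipaddress
from typing import Dict, List


def parent_network(reverse_zone: str) -> ipaddress.IPv4Network:
    """'2.0.192.in-addr.arpa' -> 192.0.2.0/24 (only /24 parents are handled)."""
    labels = reverse_zone.rstrip(".").split(".")
    if len(labels) != 5 or labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError("expected a /24 in-addr.arpa zone name")
    octets = ".".join(reversed(labels[:3]))
    return ipaddress.IPv4Network(f"{octets}.0/24")


def classless_delegation(reverse_zone: str, offset: int, prefix_len: int,
                         sep: str, delegates: List[str]) -> Dict[str, List[str]]:
    """Records the ISP adds to its parent reverse zone for one delegated block."""
    if not 25 <= prefix_len <= 32:
        raise ValueError("classless delegation is for blocks smaller than a /24")
    net = parent_network(reverse_zone)
    size = 2 ** (32 - prefix_len)
    if offset % size or offset + size > net.num_addresses:
        raise ValueError("offset must be aligned to the block size and fit in the parent")
    parent = reverse_zone.rstrip(".")
    subzone = f"{offset}{sep}{prefix_len}.{parent}"           # e.g. 64-26.2.0.192.in-addr.arpa
    ns = [f"{subzone}. IN NS {d.rstrip('.')}." for d in delegates]
    cnames = [f"{i}.{parent}. IN CNAME {i}.{subzone}."
              for i in range(offset, offset + size)]
    # The same aliases as the single auto-generated line the guide mentions.
    generate = f"$GENERATE {offset}-{offset + size - 1} $ CNAME $.{subzone}."
    return {"subzone": [subzone], "ns": ns, "cname": cnames, "generate": [generate]}


def delegate_ptr_records(subzone: str, offset: int, prefix_len: int,
                         name_pattern: str) -> List[str]:
    """PTR records the customer publishes inside the delegated zone ('$' = last octet)."""
    size = 2 ** (32 - prefix_len)
    return [f"{i}.{subzone.rstrip('.')}. IN PTR {name_pattern.replace('$', str(i))}"
            for i in range(offset, offset + size)]


if __name__ == "__main__":
    d = classless_delegation("2.0.192.in-addr.arpa", 64, 26, "-",
                             ["ns1.customer.example", "ns2.customer.example"])
    print("\n".join(d["ns"] + d["generate"]))
    print("\n".join(delegate_ptr_records(d["subzone"][0], 64, 26,
                                         "host$.customer.example.")[:3]))
```

The ISP deploys the NS records and the CNAME series in its parent zone; the customer hosts the sub-zone named by subzone and fills it with the PTR records. A resolver looking up 64.2.0.192.in-addr.arpa follows the CNAME into the customer's zone, which is why the delegated zone must answer for names of the form 64.64-26.2.0.192.in-addr.arpa rather than the plain last octet.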

To edit a delegation:

1 On the Resource Records tab, double-click the Name Server record for the delegated server. The Name Server dialog box appears.

2 Edit the Name and Host information, and then type a TTL and an optional comment.

3 Click OK.

To delete a delegation:

1 On the Resource Records tab, right-click the record for the delegated server.

2 From the context menu select Delete.

Dynamic DNS

Dynamic DNS (DDNS) is the system by which updates to DHCP address assignments are reflected in the DNS records for these hosts. DDNS is an essential part of reverse DNS. It also plays a critical role in Microsoft’s Active Directory technology, because it looks up dynamically configured hosts using reverse DNS.

DDNS enables a DNS server to accept updates regarding the IP addresses of dynamic IP or DHCP clients. Every time a dynamic client changes its IP addresses the DNS server receives an update, and the DNS server associates this IP address with a DNS name for the client. Dynamic data for an address is maintained if the DDNS Updates option is deployed in the DHCP range that contains that address. Any records that are generated dynamically are clearly marked as such when looking at the records for this zone. Dynamic updates are always deployed immediately to the Adonis server where they were generated.

DNS on the internal side often allows dynamic updates to the DNS server. DDNS allows hosts to update zone data dynamically. This process makes administration easier, especially with internal DNS, when it is common for a large number of internal hosts to be represented as records in the DNS database. Dynamic DNS eliminates the need to enter large numbers of records manually. With dynamic updates, authorized users, or DHCP servers themselves, can add, delete, and change records on the fly. However, making use of DDNS does have the potential to open your network to certain vulnerabilities. In the wrong hands, dynamic updates can allow a user to dynamically update records on an organization’s DNS server with bogus information. As such, dynamic updates should be restricted as much as possible. Best practice dictates ensuring that the DHCP servers are the only source of dynamic updates to records on the DNS server. This can be further secured using TSIG keys on the DHCP server. The Allow Dynamic Updates DNS option should be employed to create an Access Control list (ACL) for each dynamically updated zone. Only addresses matched on this list are allowed to send updates to the server for that zone.

Required DNS Options

Before DDNS can function you must configure the following DNS options:

Allow-Update—The Allow-Update option takes an IP address or block, ACL, key, or Adonis item as data for its match list argument. Only servers or clients matched on the list are allowed to send updates for that zone to the master DNS server hosting it.

Allow Update Forwarding—This option lets you specify which hosts are allowed to submit DDNS updates to slave zones to be forwarded to the master. The default is none, which means that no update forwarding occurs. Specifying values other than none is counterproductive unless required with Active Directory, because the responsibility for update access control must rest with the master, not the slaves.

Required DHCP Service Options

Before DDNS can function you must configure the following DHCP options in the Advanced Options tab. For more information, see DHCP Client Options on page 165.

Client Updates—The Client Updates option indicates whether client updates should be used to maintain DDNS records for this client. If this checkbox is selected when the option is added, then the client updates its own DNS record on the server. If the option is added without the checkbox selected, the DHCP server performs the update. This option is required for DDNS.

DDNS Domain Name—This is the domain name that is appended to this client’s hostname to form the FQDN. This is also the name of the zone that is updated with this client’s record.

DDNS Updates—The DDNS updates option indicates whether the server should attempt a DDNS update when the lease is confirmed.

Optional DHCP Service Options

The following DHCP Service options enhance the functionality of DDNS in Adonis:

DDNS Hostname—This option specifies the hostname that should be used for DDNS updates for this client. If no value is specified, the zone creates a name for the records.

DDNS Reverse Domain Name—This is the reverse domain name that is appended to this client’s hostname to form a reverse record. By default this value is in-addr.arpa, but can be overridden here.

DDNS TTL—This is the number of seconds (between 0 and 4,294,967,295) indicating the default TTL for DDNS records.

The Allow Update Forwarding DNS option can be valuable for integrating Active Directory, but it presents challenges to DNS security. Enabling update forwarding on a slave could expose master servers to cache poisoning attacks, because it relies on the slave’s insecure IP address-based access control. This option is used at the service and views levels.


Chapter 7: Advanced DNS

Configuring DDNS

• DDNS works by notifying a name server of any changes to a host’s IP address. This is useful when you are using DHCP to lease IP addresses dynamically.

• To set the IP address of the name server to which you want to send updates, type the command “set name-server address”, and then press Enter, replacing address with the appropriate address.

• To view the current address of the DDNS name server, type “show name-server”, and then press Enter.

In network configuration mode you can manage other DDNS settings and the name server:

• To set the DDNS name server, domain, or search suffix, use the following commands:

set ddns name-server data
set ddns domain data
set ddns search data

where name-server, domain or search is the parameter being set, and data is the value to populate that setting.

• To delete these settings, use “del“ instead of “set“ in the command.

• To display all of the DDNS settings, use “show ddns“ in network configuration mode.

Integrating Active Directory

Microsoft Active Directory is the backbone of the Windows Server architecture, and is centered on the LDAP service. Adonis fully supports Active Directory DNS integration.

The Management Console has an Active Directory Wizard to guide you through the process of enabling Active Directory integration on Adonis. For more information, see Active Directory Integration on page 231.

Enabling Active Directory Support

To enable Active Directory Support you must complete a process in the Management Console for both the forward and reverse zones involved.

To enable Active Directory support:

1 Right-click the zone in which you want to enable Active Directory.

2 From the File menu, select Enable Active Directory. The Active Directory Wizard opens.

3 Click Next. The Add Domain Controllers page appears.

4 To add the IP addresses of each of your Active Directory domain controllers, click Add. The Add Active Domain Controller dialog box opens.

5 Type the IP address of the Active Directory domain controller, and then click OK.

6 Repeat steps 4 and 5 until you have added all the Active Directory domain controllers.

7 Click Next, and then click Finish.

Your zone icon changes to red, showing that you have enabled Active Directory.

On an XHA cluster, both Adonis nodes should be set to the same name server through their respective consoles.

Both the forward and reverse zones for a namespace should be Active Directory-enabled. Active Directory depends upon the use of Host (A), Service (SRV), and Reverse Pointer (PTR) records for navigation functionality.

Windows Active Directory Synchronization

The Active Directory synchronization procedure may take hours, depending on the replication schedule of your Active Directory domain controllers. To shorten the synchronization time, type the following command at the command prompt on your Active Directory domain controller:

C:\>IPCONFIG /registerdns

After synchronization takes place, _SRV (service records) are displayed in the Active Directory zone in the Management Console. Service records have the following format:

_ldap._tcp.default-first-site-name._sites.dc._msdcs

An ACL is automatically created for your Active Directory domain controller(s). It is also added to the Allow Transfer and Allow Update options, which you can view by clicking the Options tab of the zone.

You must deploy the project file before seeing any integration results.

An alternate synchronization method is to restart the Active Directory service on the Windows servers using the “Net stop netlogon” and “Net start netlogon” commands.

Checking the Data

The following topics explain how to check your project file before you deploy it to the appliance, and how to verify the data after the project has been deployed.

Data Check

Before transferring the project file to the appliance, you should perform a data check on the information. This procedure takes a few minutes, but it saves you time in the long run because it allows you to resolve issues in advance. If you have imported a project, this step is strongly recommended. For more information, see Checking the Data on page 91.

You can customize data check rules for an Adonis project. For more information, see Modifying File Location Settings on page 88.

Using the DNS Fixup Wizard

The DNS Fixup Wizard can check your project file for errors. You should check the data every time you make a major change to the project. If you are using an imported project, run the DNS Fixup Wizard before you deploy the file.

To check your project files:

1 From the Tools menu, select DNS Fixup. The DNS Fixup Wizard opens.


2 Click Next. The Choose Action page appears.

3 Select one of these options:

▪ Auto Match Resource Records—In an imported project file, this synchronizes all records in the zone with any correlated records and creates the required glue records.

▪ Auto Create PTR Records—Creates the PTR records required for matching host records in a zone.

▪ Add Delegation Records To Parent Zones—Ensures that all required NS records for a given zone exist in the Adonis project.

▪ Delete Orphan PTR Records—Deletes PTR records that do not have a matching forward DNS entry.


4 Click Next. The Select Name Server, View, and Zone page appears.

5 Select the server from the Name Server drop-down list.

6 If this server has BIND views implemented, select a view from the View drop-down list.

7 To select the master zone select the Select Zone checkbox. If this checkbox is clear, all zones for the view in question are selected.

8 Click Select master zone... and then select a zone in the Select Zone dialog box.

9 Click Next. The Inspecting Resource Records For Fixup page appears.

10 After viewing the results, click Next, and then click Finish.


Live Data Check

After deploying the project file to the appliance, you can use the Live Data Check feature to validate the data in the deployed project file. This also lets you ensure that no one else with access to the project files has inadvertently changed the setup. All of the records are verified live on the network(s) and the Internet.

To perform a Live Data check:

1 From the Tools menu, select Live Data Check. The Live Data Check dialog box opens.

2 From the Name Server drop-down list select the server that you want to check.

3 From the View drop-down list select the view that you want to check.

4 Click an option to specify the location from which you want to resolve issues:

▪ Name Server—The name server itself that you previously specified.

▪ Another Server—A different name server with another IP address or host name that you must specify in the available field.

5 If you want recursion, select the Allow recursion checkbox.

6 To perform recursive queries when recursion is not enabled on the server, select the Perform recursive queries when recursion is not available checkbox. The client performs recursive queries when checking data.

7 Select the communication method from the Communication Method list. The options are UDP (Datagram) or TCP (Socket).

8 Click Check.


The data check begins and displays a progress bar to show you the status as it processes the queries. When the data check is complete, the Live Data Check Results dialog box appears.

9 Correct any outstanding errors.

10 When you are finished reviewing the results, click Close.

The Whois Lookup Tool

The Management Console includes a Whois lookup tool that you can use to determine the registration information for any domain name belonging to a public TLD. The Whois lookup tool can also verify whether a domain is available (unregistered).


Using the Whois Tool

To determine domain registration information:

1 In the tree-view pane of the Management Console right-click a domain, and then select Whois Lookup. The Whois Lookup dialog box opens.

2 In the Domain field, type the name of the domain you want to examine, and then click Look Up. A list of results appears in the Whois Lookup dialog box.


3 To select a Whois Server to perform the lookup, click […]. The Whois Servers List dialog box appears.

4 To add a server to a domain, select the domain, and then click Add. The New Server dialog box opens.

5 Type the FQDN of the server you want to add, select the appropriate server port from the drop-down list, and then click OK.

6 To edit a server select it, and then click Edit. The Edit Server dialog box opens.

7 Edit the server name or change the server port, and then click OK.

8 To restore default values click Restore Defaults. The Restore Defaults dialog box opens.


9 Select the appropriate option, and then click OK.

DNS Configuration Statistics

Adonis provides useful statistics to help you manage your network infrastructure. You can generate a statistical summary of your DNS configuration using the Management Console. The following statistics are available as a summary or on a per-server basis:

• Total number of name servers hosted on the selected appliance or all appliances

• Number of master name servers on the selected appliance or all appliances

• Number of slave name servers on the selected appliance or all appliances

• Number of hidden name servers on the selected appliance or all appliances

• Number of views for name server X

• Number of zones for the default view of name server X

• Number of master zones for the default view of name server X

• Number of slave zones for the default view of name server X

• Number of forwarding zones for the default view of name server X

• Number of hint zones for the default view of name server X

• Number of resource records for zone X in the default view on name server X

• Number of ACLs for name server X

To view DNS statistics:

1 Select Tools > DNS Statistics. The DNS Statistics dialog box appears.

2 In the left pane you can select from the following choices:

▪ Summary—View a summary of all servers in the project file.

▪ Server name—View a summary of the statistics for a particular server.

3 In the right pane, scroll through the list to see the details.

4 Click Close.


Transaction Signatures

By default, Adonis uses Transaction Signatures (TSIGs) to authenticate systems such as DHCP servers initiating DDNS updates and other DNS servers participating in zone transfers. When more than one Adonis appliance is deployed on a network, a shared secret TSIG key is configured on both appliances to secure all transfers of DNS information between them. A custom TSIG key can also be configured between the Adonis appliance and another kind of DNS or DHCP (DDNS) server. The DNS service on Adonis computes a hash value to determine if the TSIG key that the other machine is passing with the DNS information is authentic.

TSIG uses a shared secret and a one-way hash function to certify the data source and integrity for every zone transfer or dynamic update. This is much more secure than an ACL, because the data source is more difficult to spoof and the data integrity is also assured.

This system works by including a special type of resource record with every transfer. The TSIG resource record contains a special hashed signature and it is never cached by either server. This signature is created through a one-way hash function, ensuring that it accurately represents the original data without revealing the original data. This hash function has two inputs:

• the data being transferred

• the shared secret key (TSIG)

Thus, the receiving server can ensure that the correct shared secret is present and that the data has not been modified in transit. If either of these conditions fails the transfer or update is rejected.
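As an added illustration (not Adonis or BIND code), the following Python models the two-input hash described above: it computes a TSIG MAC over a constructed DNS message plus the TSIG variables of RFC 2845, using HMAC-SHA256 from RFC 4635 (the algorithm Adonis itself uses is not stated in this guide, so that choice, the key name and the shared secret are assumptions), and shows the receiving server rejecting a tampered message, an unknown key and a stale timestamp.

```python
"""Added example (not Adonis or BIND code): how a TSIG MAC is built and checked.

Follows the digest layout of RFC 2845 section 3.4 (message followed by the TSIG
"variables") with HMAC-SHA256 from RFC 4635; the algorithm Adonis itself uses is
not stated in the guide, so hmac-sha256 is an assumption here. The DNS message
bytes, key name and shared secret below are constructed for illustration.
"""
import hashlib
import hmac
import struct
import time

ALGORITHM = "hmac-sha256"   # assumed algorithm name (RFC 4635)


def _wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase labels, no compression."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def tsig_variables(key_name: str, time_signed: int, fudge: int,
                   error: int = 0, other: bytes = b"") -> bytes:
    """The TSIG RR fields covered by the MAC (RFC 2845 s3.4.2): key name,
    CLASS ANY, TTL 0, algorithm name, 48-bit time signed, fudge, error, other."""
    return (_wire_name(key_name)
            + struct.pack("!HI", 255, 0)
            + _wire_name(ALGORITHM)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def sign(message: bytes, key_name: str, secret: bytes,
         time_signed: int, fudge: int = 300) -> bytes:
    """Sender side: MAC = HMAC(secret, message || TSIG variables)."""
    data = message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()


def verify(message: bytes, key_name: str, mac: bytes, keyring: dict,
           time_signed: int, fudge: int = 300, now=None):
    """Receiver side, in the order a server checks them: is the key known
    (BADKEY), does the MAC match (BADSIG), is the timestamp fresh (BADTIME).
    Returns (accepted, tsig_error_name)."""
    secret = keyring.get(key_name.rstrip(".").lower())   # keyring holds canonical names
    if secret is None:
        return False, "BADKEY"
    expected = sign(message, key_name, secret, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):          # constant-time comparison
        return False, "BADSIG"
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


def demo() -> dict:
    """Constructed scenario: a master accepts a correctly signed transfer or
    update and rejects a tampered message, an unknown key and a stale replay."""
    keyring = {"transfer-key.example": b"constructed-shared-secret"}      # constructed
    message = b"\x12\x34\x28\x00" + b"constructed zone update payload"   # constructed
    t = 1_200_000_000
    mac = sign(message, "transfer-key.example", keyring["transfer-key.example"], t)
    return {
        "valid": verify(message, "transfer-key.example", mac, keyring, t, now=t + 10),
        "tampered": verify(message + b"!", "transfer-key.example", mac, keyring, t, now=t + 10),
        "wrong_key": verify(message, "other-key.example", mac, keyring, t, now=t + 10),
        "replayed": verify(message, "transfer-key.example", mac, keyring, t, now=t + 3600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} -> {result}")
```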

Because TSIG is based on a shared secret rather than public key cryptography, there is an issue about transporting the key to all of the servers that need it. Any time that the key is exposed during transfer is an opportunity for it to be compromised. Traditionally, these keys are transported using secure email, SSH, or by courier. The Management Console handles all of these details on behalf of users, ensuring that keys are securely deployed to the required appliances during project file deployment. When configuring keys to additional servers, alternative methods must be employed. The additional key is securely deployed to Adonis, but must be manually configured on the other server.

The default TSIG configuration set up when the Adonis appliance is deployed should ensure the appropriate level of security for most situations. However, the following situations exist where additional TSIGs besides the defaults may be required:

• Adonis acting as a master DNS server for a remote DNS slave server

• Adonis acting as a slave to a remote DNS master server

• Restricting DDNS updates between two Adonis appliances or Adonis and a remote server

In all three of these situations, the DNS Allow Transfer option is used and the TSIG keys validate the transfer. Because Allow Transfer accepts a TSIG key as a valid condition to check against, a server presenting the correct TSIG is allowed to perform a transfer of DNS information, whether it be a zone transfer or a DDNS update.

TSIG for Remote Slave DNS

Several steps need to be performed before Adonis can interact using TSIGs with a remote server that is acting as a DNS slave:

• The remote server and TSIG keys need to be created in the Management Console.

• Server deployment roles need to be created.

• The allow transfer and notify options on Adonis and the remote server need to be set up.


To configure TSIGs when using Adonis with a non-Adonis DNS slave server:

1 In the tree-view pane select your master DNS service, and then click the Security tab.

2 Right-click in the Keys section. On the context menu, select New. The New Key dialog box appears.

3 To generate a transfer key, type a name for the new key, click Generate, and then click OK.

4 If you select the Link to Another option from the drop-down list, browse and select the transfer key from the Select key dialog box. The available keys are any TSIGs explicitly configured on another server within the same project file. Click OK.

If a key is currently in use on the DNS slave, you can type it into this field. Alternatively, you can use the drop-down list to select Link to Another.


5 To add a remote (slave) server, right-click the Remote Servers area, and then select New. The New Remote Server dialog box opens.

6 Type the IP address of the remote server, or select Item from the drop-down list.

7 If you selected Item, click [...], the Select Remote Server dialog box opens.

8 Locate the remote server, select it, and then click OK.

9 In the New Remote Server dialog box select the key you want to use, and then click OK.

After you have set up TSIG you must configure the Adonis master server or zone to use the key to authenticate all zone transfers and updates.

To use the key for transfers and updates:

1 In the tree-view pane of the Management Console, select a DNS service node.


2 Select the Options tab, and then double-click the Allow Transfer option. The Allow Transfer dialog box appears.

3 Clear the Use default checkbox, and then click Add. The Add dialog box appears.

4 From the drop-down list select the key, or the IP address of the slave server that contains the key. Click OK.

5 Double-click the Notify List option, and then add the IP address of the remote slave server.

6 Double-click the notify option, and then select Yes (default).

7 Set up the Allow Transfer option on the remote slave server to permit transfers from the Adonis master.

TSIG for Remote Master DNS

This procedure is similar to the one described for a remote slave DNS. With the TSIG key here, you are probably copying or typing the text string for the key from the remote master server. Adonis needs to have the Allow Transfer option set on the zones that are slaved to the remote master. You need to set the Allow Transfer, notify, and Notify List options on the remote master.

TSIG for Remote DDNS

For DDNS with TSIG to work, a TSIG key must be generated for the Adonis master DNS server. This TSIG key is then configured on the remote DHCP service. Note that if Adonis appliances from the same project are hosting both the DNS and DHCP sides of this transaction, DDNS is protected with TSIG keys by default. For details on using the New Key dialog box, see TSIG for Remote Slave DNS on page 140.


The options described in Dynamic DNS on page 128 should be implemented on both the Adonis DNS master and on the remote DHCP server. If all of the required options are configured and the key is configured then DDNS updates from the remote DHCP server are protected by TSIG.

Overriding the default TSIG Configuration

To force all zone transfers to use the TSIG key:

1 In the tree-view pane of the Management Console, select the DNS service node.

2 Select the Options tab, and then double-click the Allow Transfer option. The Allow Transfer dialog box appears.

3 Clear the Use default option, and then click Add. The Add dialog box appears.

4 From the left drop-down box select Key, and then select the key you want to use from the right drop-down box. Click OK.

5 Save the project and deploy it to your server(s).

To force all zone updates for the master server to use the TSIG key, repeat the process above using the Options tab for each required zone.

DNS Queries

This section describes the tools available in Adonis DNS to restrict queries, deliver selective responses, and log all of this on the appliance for later reference.

Using BIND Views

BIND views allow you to configure a single name server to present a different configuration to different user communities. For example, you can run your internal and external DNS on the same server instead of setting up separate sets of name servers.

Views can be essential for creating a secure DNS configuration. For example, you can configure a single DNS server in a company to respond differently to different departments’ workstations, or you might use a view to serve PCs that have not yet registered their MAC address with the Adonis MAC-based filtering system. This lets you provide secure access to the network for authenticated clients and an authentication portal for non-authenticated clients. Because of the level of security implemented in Adonis, DNS views allow many permutations.

Matching Order

The most important consideration when setting up views is the matching order of the views. Views are matched against an ACL of client addresses. If the client’s address matches an ACL entry, then that client is granted access to a view. This process grants a client access to the first view whose ACL matches the client address. Thus, if the first view listed matches any address, all other views are ignored. This can defeat the intended view design. Also, if many clients are being matched against a large number of views, processing considerations come into play.

When designing the matching order for views, ensure that the desired logic is achieved in the client matching, and then adjust the order so that each client is tested against the fewest possible view ACLs. Refining the matching order in this way ensures that the system operates as efficiently as possible. Views can be reordered using the up and down buttons in the Management Console. For more information, see Queries and the DNS Service on page 148.
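As an added example (not Adonis or BIND code) serving both the Allow-Update match list described under Required DNS Options and the view matching order described here, the following Python evaluates an address match list with first-match semantics and shows a catch-all view listed first swallowing internal clients, plus an update list that admits only a TSIG-signed request; the ACL, view and key names and the client addresses are constructed.

```python
"""Added example (not Adonis or BIND code): first-match evaluation of address
match lists, as used both by a view's Match Clients list and by the Allow-Update
and Allow Transfer options. The views, ACL names, key name and client addresses
below are constructed for illustration."""
import ipaddress


def matches(address, match_list, acls, signed_key=None):
    """Evaluate a match list in order. Entries are an IP, a block, an ACL name,
    'key NAME' or 'any'; a leading '!' negates. The first entry that hits
    decides: True for a plain entry, False for a negated one. Nothing hit: False.
    (A nested ACL is reduced to a boolean here, a simplification of BIND.)"""
    addr = ipaddress.ip_address(address)
    for entry in match_list:
        negate = entry.startswith("!")
        token = entry.lstrip("!").strip()
        if token == "any":
            hit = True
        elif token.startswith("key "):
            hit = signed_key == token[4:]          # only a request signed with that key
        elif token in acls:
            hit = matches(address, acls[token], acls, signed_key)
        else:
            hit = addr in ipaddress.ip_network(token, strict=False)
        if hit:
            return not negate
    return False


def select_view(address, views, acls):
    """Return (view_name, views_tested): the first view whose Match Clients list
    matches the client wins, and later views are never consulted."""
    for tested, (name, match_clients) in enumerate(views, start=1):
        if matches(address, match_clients, acls):
            return name, tested
    return None, len(views)


def demo():
    """Constructed scenario: the same views in a bad and a good order, a
    quarantined subnet excluded from the internal ACL, and an Allow-Update list
    restricted to the DHCP server's key."""
    acls = {"corp_lan": ["!10.99.0.0/16", "10.0.0.0/8"]}   # negation must come first
    bad_order = [("external", ["any"]), ("internal", ["corp_lan"])]
    good_order = [("internal", ["corp_lan"]), ("external", ["any"])]
    allow_update = ["key dhcp-ddns-key"]                   # constructed key name
    return {
        "bad_order": select_view("10.1.2.3", bad_order, acls),      # catch-all shadows internal
        "good_order": select_view("10.1.2.3", good_order, acls),
        "quarantined": select_view("10.99.5.5", good_order, acls),  # falls through to external
        "public": select_view("203.0.113.9", good_order, acls),
        "unsigned_update": matches("10.1.2.3", allow_update, acls),
        "signed_update": matches("10.1.2.3", allow_update, acls, signed_key="dhcp-ddns-key"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} -> {result}")
```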


Creating a New View

Use the New View Wizard to add a new view to your project file.

To create a New View:

1 In the tree-view pane of the Management Console, right-click the DNS service to which you want to add a view, and then click New View. The New View Wizard opens.

2 Click Next. The General Information page appears.

3 Type a name for the view and specify a Published Address. This is the address that a client uses to resolve authority records for master and slave zones for this view.


4 Click OK. The Match Clients page appears. Use this screen to add, edit or remove addresses served by this view.

5 On the Match Clients page, click Add. The Add dialog box appears.

6 From the drop-down list select one of the following options:

IP or Block—Select this item to match clients by address.

ACL—Select which pre-configured ACL you want to match against.

Item—Click [...] to browse to the item within the main Adonis interface that should be matched against.

7 Click OK.

8 To edit an address, click Edit, and then type the information in the Edit dialog box.

9 To remove an address, select it, and then click Remove.

10 To update your project file click Next, and then Finish.

Managing Access Control Lists

Access Control Lists (ACLs) give you increased authority over who can view and manipulate your network's internal name space. ACLs prevent unauthorized remote servers from transferring zones from your local name servers.

ACLs increase the workload on a name server because the server must compare each query against the ACL.


You can use ACLs while setting server options or zone options. The Management Console makes it easy to create new ACLs for your network, including populating these lists with IP addresses, and then editing them later to satisfy your network's changing requirements.

ACLs consist of two elements, the list itself and the IP addresses that make up the list. ACLs are given a name that is used as a unique identifier.

Adding, Editing, and Deleting an ACL

To add an ACL:

1 In the tree-view pane of the Management Console, select the DNS service to which you want to add an ACL.

2 On the ACLs tab, right-click in the list pane, and then click New on the context menu. The New ACL dialog box opens.

3 Type a name in the Name field, and then click Add. The Add dialog box opens.

4 Type the IP address for the ACL, or click the down arrow and then select an Item or ACL from the drop-down list.

5 Click OK. The ACLs appear in the detail pane of the Management Console.

To edit or delete an ACL:

1 In the tree-view pane of the Management Console, click the DNS service that uses the ACL you want to modify.

2 In the detail pane, click the ACLs tab. A list of all ACLs defined for this server appears.

3 To edit an ACL, double-click it. The Edit ACL dialog box opens.

4 Select an IP address, and then click Edit. The Edit dialog box opens.

5 To delete an ACL, right-click it, and then click Delete, or press the Delete key on your keyboard.

ACL names cannot contain spaces. Use an underscore ( _ ) as a separator instead.

Queries and the DNS Service

The following options can be configured on the Adonis DNS service to control the way that the appliance responds to queries.

Allow Query—This option provides a list of the IP addresses of servers or clients that are allowed to send queries to the local server (for server options), or to a specific zone (for zone options). A list for a zone overrides the list for the corresponding server. This option is used at all levels.

Blackhole—This is a list of IP addresses of remote name servers to which your local name server does not respond because they are known to supply incorrect, poorly formatted, old, or even deceptive data. Your server does not query these IP addresses nor accept queries from them. This option is used at the service and views levels.

Match Destination—This option works similarly to the ACL described in Managing Access Control Lists on page 146. However, instead of matching a client making a request, this list represents destination addresses. If this option is used, and the destination address for the query is on this list, then the DNS server resolves the query. This option is used in conjunction with the ACL for views and is used at the views level.

recursive-clients—This option restricts the maximum number of simultaneous recursive clients. It is specified using an unsigned 16-bit integer. This option is used at the service level.

tcp-clients—This option restricts the number of concurrent TCP connections that the server processes. The default is 100 clients. This option is used at the service level.

Query Logging

Adonis includes a powerful query logging feature that creates detailed DNS logs according to the settings that you specify. Although you must configure query logging in configuration mode, you can view query logs in normal mode.

If you delete an ACL accidentally, click Undo. Alternatively, you can select Undo from the Edit menu.

Query Logging is a powerful feature that can create large logs that require a log management strategy.


Viewing Query Logs

Query logs are divided into channels. Each channel logs a particular category at a particular severity level and then outputs its errors to a log file. For example, you can configure a channel to log critical errors in the “query” category. The following command works in normal mode:

• To view the current status of querylogging, type “show status querylogging”, and then press Enter.

The following commands work in configure querylogging mode:

• To show a list of the querylogging channels, type “show querylogging channels”, and then press Enter.

• To show detailed information about all querylogging channels, type “show querylogging settings”, and then press Enter.

• To show detailed information about just one querylogging channel, type “show querylogging channel=channel_name”, and then press Enter, where channel_name is the name of the channel you want to view.

The following commands work in both modes:

• To show the current log file for a channel, type “show log querylogging channel=channel_name”, and then press Enter.

• To show a specific log file, type “show log querylogging file=file_name”, and then press Enter.

Configuring Query Logging

Query logging can be used to record various errors, warnings, notices, and other types of information as the DNS service runs. A log file consists of entries, each of which can be marked with the time, severity, and category. These markings are optional.

• To access query logging configuration mode, type “configure querylogging”, and then press Enter.

Adding a Channel

When you create a channel, you must specify a name, a file path, the maximum number of versions of the file to create, a file size, a severity level, and a message category. You must also specify whether the query logging system should mark each entry with its time, severity, and category.

To add a channel:

1 Type “add querylogging channel”, and then press Enter.

2 Type a channel name. If your name includes spaces place quotation marks around it, and then press Enter.

3 Type the absolute path for the log file (for example, “/var/log/named/mynamed.log“) and then press Enter.

4 Type a value that defines the maximum number of log file versions to create (by appending a number to the input file starting with 0). The maximum is 99. Press Enter.

5 Type the number of bytes to allocate to the log file (1024 = 1kB, 1048576 = 1MB). Press Enter.

6 Type a value for the severity level, as defined in the following table, and then press Enter.

You may omit the word “querylogging” from the query logging commands if you are working in query logging configuration mode.


Severity levels are cascaded, so each error level includes all the messages from the previous severity levels.

7 To include a time stamp, severity stamp, or category stamp on each message, type “0”. To exclude these stamps, type “1”. Press Enter.

8 Type a value for a message category, as described in the following table, and then press Enter.

Value   Includes Messages of Severity

1       critical

2       critical, error

3       critical, error, warning

4       critical, error, warning, notice

5       critical, error, warning, notice, info

6       critical, error, warning, notice, info, debug

7       critical, error, warning, notice, info, debug, dynamic

Value   Category       Description

1       database       Name server database messages

2       security       Requests that are approved or denied

3       config         Parsing and processing of the configuration file

4       resolver       Name resolution (including recursive lookups)

5       xfer-in        Details about the zone transfers received by the server

6       xfer-out       Details about the zone transfers sent by the server

7       notify         NOTIFY operations

8       client         Client requests

9       network        Network operations

10      update         DDNS transactions

11      queries        Query transactions

12      dispatch       Incoming packets dispatched to the server modules

13      dnssec         Processing of DNSSEC and TSIG protocols

14      lame-servers   Lame server—for example, when the NS record for a domain specifies a server that is not authoritative for the domain

15      general        Default category

16      default        Logs values not defined in category statements
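A worked rendering of the channel parameters collected by the steps above as a BIND logging stanza, with the value limits the guide states enforced before anything is written. This is an added example, not the guide's or Adonis's own code: the named.conf layout it emits is my assumption of how such a channel is expressed in BIND, and the channel name and path are constructed.

```python
"""Render Adonis query logging channel parameters as a BIND logging stanza (added example)."""

# Severity values from the guide's table; each level includes all lower ones.
SEVERITY = {1: "critical", 2: "error", 3: "warning", 4: "notice",
            5: "info", 6: "debug", 7: "dynamic"}

# Category values from the guide's table.
CATEGORY = {1: "database", 2: "security", 3: "config", 4: "resolver",
            5: "xfer-in", 6: "xfer-out", 7: "notify", 8: "client",
            9: "network", 10: "update", 11: "queries", 12: "dispatch",
            13: "dnssec", 14: "lame-servers", 15: "general", 16: "default"}


def severities_included(level):
    """Severity levels cascade: level 3 records critical, error and warning messages."""
    if level not in SEVERITY:
        raise ValueError(f"severity level must be 1-7, got {level!r}")
    return [SEVERITY[i] for i in range(1, level + 1)]


def validate_channel(name, path, versions, size, severity, stamps, category):
    """Enforce the limits the guide states for each prompt of 'add querylogging channel'."""
    if not name.strip():
        raise ValueError("channel name must not be empty")
    if not path.startswith("/"):
        raise ValueError("log file path must be absolute, e.g. /var/log/named/mynamed.log")
    if not 0 <= versions <= 99:
        raise ValueError("maximum number of log file versions is 99")
    if size <= 0:
        raise ValueError("log file size in bytes must be positive")
    if severity not in SEVERITY:
        raise ValueError("severity level must be 1-7")
    if stamps not in (0, 1):
        raise ValueError("stamps flag must be 0 (include stamps) or 1 (exclude stamps)")
    if category not in CATEGORY:
        raise ValueError("category must be 1-16")


def channel_stanza(name, path, versions, size, severity, stamps, category):
    """Return a named.conf 'channel' block plus the 'category' line that routes to it.

    The layout is my assumption of how BIND expresses these settings; the guide
    describes only the prompts, not the file Adonis writes.
    """
    validate_channel(name, path, versions, size, severity, stamps, category)
    # Per the guide: type 0 to include the time/severity/category stamps, 1 to exclude them.
    stamp = "yes" if stamps == 0 else "no"
    lines = [
        f'channel "{name}" {{',
        f'    file "{path}" versions {versions} size {size};',
        f"    severity {SEVERITY[severity]};",
        f"    print-time {stamp};",
        f"    print-severity {stamp};",
        f"    print-category {stamp};",
        "};",
        f'category {CATEGORY[category]} {{ "{name}"; }};',
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: 1 MB query log, 3 rotated versions, severity warning, category queries.
    print(channel_stanza("query-log", "/var/log/named/mynamed.log", 3, 1048576, 3, 0, 11))
```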


Deleting a Channel

To delete a channel:

1 Type “del querylogging channel”, and then press Enter.

2 Type a channel name. If your name includes spaces, place quotation marks around it. Press Enter.

3 Type the name of the channel you want to delete, and then press Enter.

DNS and IPv6

DNS is necessary in an IPv6 environment because IPv6 addresses are four times longer than IPv4 addresses and are much more difficult to memorize.

DNS includes a new type of record, called AAAA (read quad-A), defined in RFC 3596. The quad-A record performs the same name-to-address mapping as an IPv4 A record, but uses IPv6’s 128-bit address format. The NS and PTR types of records remain unchanged, except that now they accept IPv6 input.

AAAA Records

The AAAA record maps a domain name to a 128-bit IPv6 address. The address is presented in eight 16-bit blocks in hexadecimal notation, separated by a colon. For example:

2001:0DB8:0000:0000:0202:B3FF:FE1E:8329

To make the notation simpler, you can delete leading zeros (zeros before any other digit) in a 16-bit block. For example, the block 0202 may be written as simply 202. The next line shows a simplified form of the previous example:

2001:DB8:0:0:202:B3FF:FE1E:8329

To further simplify notation, you can use a double colon to replace a single zero block or a run of consecutive zero blocks. For example, replacing the two zero blocks between DB8 and 202:

2001:DB8::202:B3FF:FE1E:8329

However, in addresses that contain two or more non-consecutive zero blocks, you can replace only one with the double colon; otherwise the notation is ambiguous. In the following example, the first 0 block is separated from the other two by 56. This means that you can use a double colon to replace either this block or the two consecutive 0 blocks after 56, but not both. For example:

2001:DB8:0:56:0:0:EF12:1234 may be presented as 2001:DB8::56:0:0:EF12:1234 or 2001:DB8:0:56::EF12:1234

The A6 record was an alternative format for an IPv6 host record, but it has been moved to experimental status and is no longer used.

To create an IPv6 host record:

1 From the tree-view of the Management Console select or create the master zone in which you want to add the record.


2 Click New Quad-A Record in the toolbar on the Resource Records tab. The New Quad-A dialog box appears.

3 In the Name field, type the host name.

4 In the Address field, type the address using the notation guidelines above.

5 Select the Maintain reverse lookup record checkbox.

6 Edit the Time to Live or type a comment (optional).

7 Click OK.

Reverse Lookup

The reverse lookup domain for IPv6 is ip6.arpa. Pointer records are written with the hexadecimal digits of the address in reverse order and separated by a period. For example, the address 4321:0:1:2:3:4:567:89ab might have this pointer record in the ip6.arpa zone:

b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.
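The AAAA notation rules and the ip6.arpa pointer name above, worked in code as an added example that is not part of the guide: expand() rejects the ambiguous two-double-colon case, compress() applies the leading-zero and longest-zero-run rules, and reverse_pointer() builds the pointer name from the expanded address. The expansion and pointer name are cross-checked against Python's ipaddress module.

```python
"""IPv6 text notation and ip6.arpa pointer names (added example, not guide code)."""
import ipaddress
import re

_BLOCK = re.compile(r"[0-9A-Fa-f]{1,4}")


def expand(addr):
    """Return the eight 4-digit lowercase hex blocks of an IPv6 address text.

    Leading zeros within a block may be omitted and one '::' may stand for one
    or more zero blocks; a second '::' is rejected because it is ambiguous.
    """
    if addr.count("::") > 1:
        raise ValueError(f"ambiguous: more than one '::' in {addr!r}")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError(f"'::' must replace at least one block in {addr!r}")
        blocks = left + ["0"] * missing + right
    else:
        blocks = addr.split(":")
        if len(blocks) != 8:
            raise ValueError(f"expected 8 blocks in {addr!r}")
    for block in blocks:
        if not _BLOCK.fullmatch(block):
            raise ValueError(f"bad 16-bit block {block!r} in {addr!r}")
    return [block.zfill(4).lower() for block in blocks]


def compress(addr):
    """Apply the guide's rules: drop leading zeros in each block, then replace the
    longest run of zero blocks (the first such run on a tie) with a single '::'.
    Unlike RFC 5952, the guide allows a single zero block to be compressed."""
    blocks = [b.lstrip("0") or "0" for b in expand(addr)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len == 0:
        return ":".join(blocks)
    head = ":".join(blocks[:best_start])
    tail = ":".join(blocks[best_start + best_len:])
    return f"{head}::{tail}"


def reverse_pointer(addr):
    """Build the ip6.arpa owner name: all 32 nibbles in reverse order, dot separated."""
    nibbles = "".join(expand(addr))
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def matches_stdlib(addr):
    """Cross-check expansion and pointer name against ipaddress (which omits the trailing dot)."""
    ref = ipaddress.IPv6Address(addr)
    return (":".join(expand(addr)) == ref.exploded
            and reverse_pointer(addr) == ref.reverse_pointer + ".")


if __name__ == "__main__":
    print(compress("2001:0DB8:0000:0000:0202:B3FF:FE1E:8329"))
    print(reverse_pointer("4321:0:1:2:3:4:567:89ab"))
```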

The Management Console usually maintains reverse lookup records automatically. If you do not select the Maintain reverse lookup record checkbox when creating the host record, you must create the reverse lookup pointer record manually: this is very tedious in IPv6.

To create an IPv6 reverse lookup record manually:

1 Select or create the zone ip6.arpa in the tree-view pane of the Management Console.


2 In the Resource Records toolbar click New Pointer Record. The New Pointer dialog box opens.

3 In the Name field, type the reverse lookup address in the format described above.

4 In the Host field, type the host name.

5 Optionally, edit the Time to Live or type a comment.

6 Click OK.

NS Records

NS records behave exactly the same in IPv6 as they do in IPv4. The record only needs to contain the name of the server that is authoritative for the zone (for example, ns1 in the example.com zone).

Mixed Environments

Mixed IPv4 and IPv6 environments are fully supported. A single host can have both an IPv4 address and one or more IPv6 addresses. In this case, you can create an A record and one or more AAAA records for the host.

Chapter 8

Adonis DHCP

Adonis DHCP (Dynamic Host Configuration Protocol) securely supports many different types of network clients with advanced network configuration options. This chapter contains topics useful for designing, building, and managing DHCP implementations, even in the largest networks. This chapter is supplemented by white papers available on the BlueCat Networks web site, especially with respect to DHCP VoIP support and integration.

This chapter includes the following topics:

• Background on page 155 describes the DHCP protocol and its role in the network.

• Adonis DHCP Implementation on page 156 describes the implementation specifics of Adonis DHCP.

• Setting up DHCP services requires an existing DHCP server. To create a DHCP server, see “Configuring DHCP” on page 89. The section on page 172 describes the different kinds of settings tabs for DHCP services.

• DHCP Client Options on page 165 describes DHCP client options that can provide advanced configurations to client devices.

• DHCP Advanced Options on page 171 explains how DHCP advanced options control the behavior of DHCP clients and servers.

Background

To be a member of a TCP/IP network, a client requires configuration of network settings, including a valid IP address. DHCP automates and centralizes your TCP/IP network configuration for client computers. The Adonis appliance can dynamically allocate IP addresses for hosts on your network from a pool of available addresses. New hosts, or frequently relocated hosts, can automatically acquire new IP addresses for a limited time period through a process known as leasing an IP address.

DHCP services are available with all Adonis appliances except the Adonis 250 appliance. On all of these appliances, the Adonis DHCP service runs the ISC DHCP server.

DHCP is also important for assigning parameters such as the default gateway, DNS servers, and several other parameters. DHCP networks are divided into groups, shared networks (logical subnets that share the same physical network), and subnets.

DHCP server level configurations include various client and advanced options. A DHCP server can communicate with a DNS server and a failover peer, and can be configured to receive communications with an OMAPI (Open Mobile Application Processor Interface) client.


Adonis DHCP Implementation

The following features highlight aspects of the Adonis implementation of DHCP.

Management Console—The Management Console allows you to add vendor and custom options, vendor profiles, shared networks, groups, subnets, pools, hosts, classes, subclasses, DNS zones, and relay agents.

Server Level Configurations—DHCP server level configurations include client and advanced options, and OMAPI for querying and modifying remote objects.

DHCP Resource Management—Quickly and easily add relay agents, locations, shared networks, subnets, hosts, classes, subclasses, pools, groups, and zones using the Management Console. Add vendor profiles and support for custom DHCP options.

Advanced DHCP MAC Authentication for Network Access Control—Adonis provides organizations with advanced Network Access Controls for DHCP users. With an advanced web-based DHCP authentication portal, Adonis quarantines all users requesting access to the network while authenticating their access rights against RADIUS/LDAP/AD or Kerberos to protect network access. If user authentication is successful, the users are released from quarantine and granted an IP lease and given access to the network. Complete with a customizable web-based authentication portal, Adonis provides end-to-end security and access controls for DHCP-enabled networks.

DHCP Lease Viewer—Conveniently view (in tabular and graphical formats) the status, type, lease start and end times, hardware address, and client hostname per IP address of each block without having to stop the server using the Management Console’s Lease Viewer.

Data Checker—Resolve any IP address or resource allocation conflicts in the system (before live deployment) using the Data Checker.

Access Control—Enforce DHCP access control for user management at administrator level, group level, and other user levels.

Adonis DHCP Files

/etc/dhcpd.conf—This is the file that Adonis uses to configure the dhcpd service with all of the settings made in the Management Console.

/usr/local/bluecat/subnet.csv—This file contains subnet and pool information that is used to construct the data found in the DHCP Lease Viewer.

/var/state/dhcpd.leases—This contains all of the leases that the DHCP service has handed out, with new entries written at the end of the file. It is automatically created when the first lease is issued. To maintain a reasonable file size, the service occasionally moves the current file to dhcpd.leases~ and only maintains the most current information in the dhcpd.leases file.

Adonis DHCP Services

A new DHCP server can be created using the method detailed in Setting up a New DHCP Server or Service on page 81. All DHCP services use the same wizard for initial setup. When you have created the DHCP service, you can customize it to your requirements, beginning with the information presented on page 172. Setting up DHCP services requires an existing DHCP server; to create a DHCP server, see “Configuring DHCP” on page 89.


Adding a DHCP Relay Service

Because DHCP traffic is broadcast-based, it is not usually allowed to pass through a router. However, having a DHCP server on every subnet is an impractical solution for many networks. If DHCP clients are located on different subnets from the server, a mechanism must be put in place to allow the traffic to pass from client to server and vice versa. This is achieved through the use of DHCP Relay Agents.

Typically, relay agents are configured on router or switch interfaces. The Adonis 1750, 1000, 750, XMB and 500 servers can also perform as relay agents, if required. However, an appliance cannot be both a DHCP server and a relay agent at the same time.

To add a DHCP relay (instead of a DHCP service):

1 In the tree-view pane of the Management Console right-click the name server. From the context menu, select New Service > Relay. The Add DHCP Relay Service dialog box opens.

2 Specify the DHCP relay address, and then click OK.

3 On the General tab in the details pane, select the Append Agent Information checkbox to have the relay agent append an agent option field to each DHCP request before forwarding the request to the server.

Option 82

Adonis includes support for DHCP option 82, which allows you to see DHCP relay agent information in the lease viewer. A router or switch configured to support DHCP Relay Information (a Relay Agent) allows communication between a DHCP client and a DHCP server on different subnets. No specific DHCP options are required to configure a DHCP Relay Agent; however, the benefit of option 82 is that it allows a DHCP server to receive DHCP client information from a specially configured Relay Agent.

You can also use option 82 to configure an Adonis DHCP server to limit the number of IP leases handed out to a specific subnet. For example, when a DHCP client located on a remote subnet issues a DHCPDISCOVER request for a new IP address, a Relay Agent forwards information about the subnet in the form of a circuit ID to the Adonis DHCP server. You can configure this circuit ID to use a DHCP Class to limit the number of assigned leases. The Adonis Lease Viewer displays both Circuit ID and Remote ID parameters for DHCP allocations. For more information, see DHCP Lease Viewer on page 196.

In Cisco terminology, the DHCP relay mechanism is known as an IP helper address.

An Adonis DHCP server that does not have option 82 configured ignores Option 82 fields.


To configure Option 82:

1 Right-click on the DHCP Service node.

2 Select New > Class.

3 In the Name field, type the name of the circuit-id (for example, 0:0:0:10).

4 Select the circuit-id class.

5 Select the Conditions tab, right-click in the empty area, and then select New Condition.

6 Select Lease limit. The Lease limit dialog box appears.

7 Type a value for the maximum number of leases for this circuit ID, and then click OK.

8 Right-click in the empty area, and then select New Condition.

9 Select Spawn with. The Select Option dialog box appears.

10 Select agent.circuit-id, and then click OK.

DHCP Declarations and Scope

A DHCP project uses the concept of scope to determine which options control client behavior. Statements can be declared at different scope levels, depending on the clients to which the statements apply. This allows options to be set at a high level within a configuration and to be overridden by an option set at a more local level. Options and statements applied at the DHCP service level apply to all clients regardless of the group, subnet, or class in which they are located. Statements and declarations set at lower levels apply only to those clients that fall under the scope of the particular level.

In a situation where an option is set locally but in conflict with those set at a higher level, the more local option has precedence. For example, a domain name statement set at a subnet declaration overrides a domain name set at the service or group declaration level.


Some options such as OMAPI port, shared secret key information, and failover peer servers are configured only at the DHCP service level. Client or custom options set at this level are inherited by all declarations set at lower levels unless overridden. Vendor profiles are also set at the DHCP service level.

Common Object Types

DHCP contains several different types of objects used in the configuration of a network. These objects include Groups, Shared Networks, Subnets, Pools, Classes, Subclasses, and Reverse DNS Zones. These objects are used to configure the DHCP server, and to configure DHCP clients. This section describes the various object types to show their uses and interactions with each other.

DHCP Groups

You can declare groups to provide a common scope for hosts with the same parameters. At least one group declaration is mandatory for a DHCP service. A group provides a common scope for whatever is declared within it.

You can use groups in different ways:

• You can declare a group to represent each physical location for an organization.

• You can declare a group to provide a common scope for hosts requiring the same network configuration parameters on the same or different subnets.

Declaring Groups

To declare a host group for the DHCP service:

1 In the tree-view pane of the Management Console right-click the DHCP service, and then select New Group.

2 Type a name for the new group, and then click OK.

3 Select the group in the tree-view pane, and then set the client and advanced options for the group using the tabs in the detail pane.

Subnets

Subnets let you divide the local network into several parts and logically separate it in a way that makes sense and makes packet routing more efficient.

A DHCP server needs to know about all network segments, or subnets, so that it can properly respond to address requests on those segments. For each subnet, there must be a subnet declaration on the server, even if the given subnet has no dynamically allocated addresses.


After you have declared a subnet, you can create a range of IP addresses to serve DHCP clients. Exclusion ranges can be set within a single subnet range to reserve addresses for statically-addressed clients. Both client and advanced options can be set at the subnet level.

Declaring Subnets

You can use any name for a subnet, although it is best to use a descriptive name. For example, the name might refer to a department or a location within a building. Address ranges are used to specify the addresses available on this subnet.

To declare a host subnet within the shared network or group:

1 In the tree-view pane of the Management Console right-click the relevant DHCP service level (below the service itself), and then select New > Subnet.

2 Name the subnet and specify the network with CIDR notation, or by using a network and subnet address combination. Click OK.

3 To specify an address range, right-click the Range section of the General tab of the new subnet, select New Address Range, and then specify the range limits.

4 Click OK.

5 Set the client and advanced options for the subnet using the tabs in the detail pane.

Shared Networks

Shared networks can be declared when IP subnets share the same physical network. Like a subnet declaration, the shared-network declaration describes a network segment. However, it is used when more than one logical subnet is located on the same physical network segment. This is helpful because all hosts on a shared network receive link-layer broadcasts sent by other hosts. Therefore, hosts that require different DHCP options can still reside on the same segment and communicate using ARP broadcasts, rather than using routed packets. Options set at this level are inherited by all member subnets.

Classless Inter Domain Routing (CIDR) is a method for assigning IP addresses without using the standard IP address classes like Class A, Class B, or Class C.

You can copy a row of information from one subnet to another. For example, you can copy a DHCP host entry from one subnet to another.


Declaring Shared Networks

To declare a shared network for subnets within the host group:

1 In the tree-view pane of the Management Console right-click the group, and then select New Shared Network.

2 Type a name for the new shared network, and then click OK.

3 Set the client and advanced options for the shared network.

Pools

You can declare unique IP address pools at the shared network and subnet levels. These are the pools from which addresses are allocated to clients. They also provide a rich level of configuration options. Often, a pool range is configured in preference to a subnet range because you can configure the permit lists and class memberships for pools. Pool ranges can be used in place of subnet ranges. Pools are also required when using DHCP failover between two servers.

Pools can be defined at the shared network or subnet level. On the shared network level, the pools must be within the range of a previously declared subnet within the same shared network.

Permit Lists

Address allocation within pools can be controlled using permit lists. Permit lists govern whether a client is able to receive a DHCP configuration and address from the pool.

You can set allow or deny flags to differentiate between clients based on any of the following criteria:

• all clients

• dynamic bootp clients

• known/unknown clients

• known/unknown status

For example, permit lists can be set up so that only clients with host declarations (known clients) receive an IP address. All others are denied an IP address. To configure this, unknown clients are set to deny and all others are set to allow. Pools can also be configured to allocate addresses based on whether the client is a bootp client or not.

Declaring Pools

Declaring pools requires you to set the client and advanced options for the pool. For more information, see Required DHCP Service Options on page 129 and Optional DHCP Service Options on page 129.

Shared networks are used to inform the DHCP service that the subnets declared are connected to the same network segment.


To declare a pool:

1 In the tree-view pane of the Management Console, right-click the relevant subnet. On the context menu, select New > Pool. The New Pool dialog box opens.

2 Type a name for the new pool, and then specify its address range.

3 Click OK. The new pool appears in the detail pane.

4 To edit the address range, double-click the pool. The Edit Address Range dialog box opens.

5 To add a new address range to the pool right-click the pool, and then select New Address Range from the context menu. The New Address Range dialog box opens.

6 Type the address range you want to add, and then click OK.

7 On the Flags tab click the relevant row of the Value column, and then use the drop-down list to select whether to allow or deny the following options:

▪ All Clients—Determines allocation from the pool to all clients.

▪ Dynamic Bootp Clients—Determines allocation from the pool to any bootp client.

▪ Known Clients—Determines allocation from the pool to any client that has a (known) host declaration.

▪ Unknown Clients—Determines allocation from the pool to any (unknown) client that has no host declaration.

8 On the Members tab, select the checkbox in the Include column of any relevant class that you created at the DHCP service level.

9 To allow access to the pool to be differentiated by class membership, click the Access column.

10 From the drop-down list select whether to allow or deny allocation from this pool to any client that is a member of the named class.

Hosts

Hosts can be declared at the DHCP service, group, shared network, and subnet levels, provided that a host name is never duplicated within a single DHCP service. The host declaration provides a way for a DHCP server to identify a specific DHCP client.

A client is known if it has a host declaration in any scope, not just the current scope.


There are three main reasons to use a host declaration:

• Assigning a static IP address to a client. This acts like a reservation to ensure that the client gets a specific IP address and no other host can get that address.

• Declaring a client as “known”. A client with a host declaration is considered known whereas a client without a host declaration is considered unknown. This can control the way addresses are handed out when used in conjunction with a permit list.

• Assigning specific options to a particular host. For example, a host can be assigned the address of a specific DNS server.
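A small model of the scope precedence, service-wide known/unknown status and pool permit lists described in the sections above, as an added example rather than Adonis code. The Scope class, the sample configuration and the permit evaluation order (a matching deny flag refuses the client, and if any allow flags are set the client must match one of them) are my assumptions.

```python
"""Model of DHCP scope precedence, known/unknown clients and pool permit lists (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Scope:
    """One configuration level: service, group, shared network, subnet, pool or host.

    Hypothetical class for this example; Adonis keeps these objects in the
    Management Console and writes them to /etc/dhcpd.conf.
    """
    name: str
    level: str
    parent: Optional["Scope"] = None
    options: Dict[str, str] = field(default_factory=dict)   # client/advanced options set here
    hosts: Dict[str, str] = field(default_factory=dict)     # hardware address -> host name
    permit: Dict[str, str] = field(default_factory=dict)    # pools only: flag -> "allow"/"deny"
    children: List["Scope"] = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)


def effective_options(scope):
    """Merge options from the service level down to `scope`; the most local value wins."""
    chain = []
    node = scope
    while node is not None:
        chain.append(node)
        node = node.parent
    merged = {}
    for node in reversed(chain):        # service first, most local scope last
        merged.update(node.options)
    return merged


def is_known(scope, hwaddr):
    """A client is known if a host declaration for it exists in any scope of the service."""
    root = scope
    while root.parent is not None:
        root = root.parent
    stack = [root]
    while stack:
        node = stack.pop()
        if hwaddr.lower() in node.hosts:
            return True
        stack.extend(node.children)
    return False


def pool_permits(pool, hwaddr, bootp=False):
    """Evaluate the pool's permit list for one client.

    Assumed evaluation order: a matching deny flag refuses the client; otherwise,
    if any allow flags are set, the client must match at least one of them.
    """
    known = is_known(pool, hwaddr)
    matches = {
        "all clients": True,
        "dynamic bootp clients": bootp,
        "known clients": known,
        "unknown clients": not known,
    }
    for flag, setting in pool.permit.items():
        if setting == "deny" and matches[flag]:
            return False
    allows = [flag for flag, setting in pool.permit.items() if setting == "allow"]
    return not allows or any(matches[flag] for flag in allows)


def build_example():
    """Constructed configuration: a subnet that overrides the service domain name
    and a pool that serves only clients with a host declaration."""
    service = Scope("dhcp", "service",
                    options={"domain-name": "example.com",
                             "domain-name-servers": "192.0.2.53"})
    group = Scope("head-office", "group", service)
    subnet = Scope("floor-1", "subnet", group,
                   options={"domain-name": "floor1.example.com",
                            "routers": "192.0.2.1"})
    pool = Scope("floor-1-known-only", "pool", subnet,
                 permit={"unknown clients": "deny", "known clients": "allow"})
    # The host declaration lives in the group, not in the pool's own subnet:
    # the client is still "known" because known status is service-wide.
    group.hosts["00:11:22:33:44:55"] = "printer-1"
    return service, subnet, pool


if __name__ == "__main__":
    _, _, pool = build_example()
    print(effective_options(pool))
    print(pool_permits(pool, "00:11:22:33:44:55"), pool_permits(pool, "00:11:22:33:44:66"))
```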

Declaring Hosts

Declaring a host involves selecting the relevant DHCP level. You must provide a name for the host, specify its hardware address, and specify the type of interface in use (Ethernet, Token Ring, or FDDI). You can also specify a fixed IP address and add a comment if you want to. For more information, see Required DHCP Service Options on page 129, Optional DHCP Service Options on page 129, and Declaring Classes on page 176.

To declare a host:

1 In the tree-view pane of the Management Console select the relevant DHCP service, group, shared network, or subnet for the host declaration.

2 Click the Hosts tab in the detail pane.

3 Right-click in the detail pane, and then select New from the context menu. The New Host dialog box appears.

4 Type a name in the Host Name field, and then type a 48-bit hexadecimal address in the Hardware field.

5 Select the appropriate type of interface (Ethernet, Token Ring, or FDDI) from the drop-down list, and then click OK.

The new host name and MAC address appear in the detail pane of the Management Console.


6 In the detail pane, double-click the new host. The Edit Host Details dialog box appears.

7 On the General tab, you can specify the DDNS Host Name and the Site Option Space (if any). The DDNS Host Name parameter lets you set a different host name in dynamic DNS; by default, DHCP uses the host name supplied by the client computer when it updates dynamic DNS. The Site Option Space parameter specifies the option space for option codes above 128, which are reserved for site-specific uses but are sometimes used by vendors of embedded hardware that contain DHCP clients.

8 On the Flags tab you can set each of the following parameters to allow, deny or ignore:

▪ booting—Determines whether the DHCP server responds to queries from the client. If it is disabled, the client cannot get an address from the DHCP server. Booting is allowed by default.

▪ bootp—Determines whether the DHCP server responds to bootp queries. Bootp queries are allowed by default.

▪ client-updates—Determines whether the DHCP server honors the client's intention to update its A record. It is only relevant when doing interim DNS updates. Updates are allowed by default.

▪ declines—Determines whether the DHCP server honors DHCPDECLINE messages. If set to deny or ignore in a scope, the DHCP server does not respond to DHCPDECLINE messages. This situation occurs where the client has determined through other means that the network address being offered is already in use. Declines are allowed by default.

▪ duplicates—If the DHCP server receives a request from a client that matches the MAC address of a host declaration, any other leases matching the MAC address should be discarded by the server, even if the UID is not the same. (This is a violation of the DHCP protocol, but it can prevent clients whose identifiers change regularly from holding many leases at the same time.) Duplicates are allowed by default.

9 On the Fixed Address tab you can specify a fixed address for the host, if you did not include one in step 4. This is similar to using an address reservation applied only to a single host. You can also add a comment, or edit an existing comment in the Edit Fixed Address dialog box.


10 On the Client Options tab, set the appropriate DHCP Client options. Options defined at the host level apply only to that host.

11 On the Advanced Options tab, set the appropriate Advanced DHCP options. Options defined at the host level apply only to that host.

DHCP Client Options

In addition to IP addresses and subnet masks, a DHCP server can assign other configuration options to clients, such as the IP address of a DNS server or a router. These options can be assigned at various levels, with the most local options taking precedence in the event of a conflict. The IP address of a router might be assigned at the subnet level whereas the IP address of a DNS server might be assigned at the DHCP service or group level. Any object within the DHCP configuration that allows you to set these options includes Client Options and Advanced Options tabs.

It is important to consider which clients should receive which options. DHCP classes are often used to differentiate between clients on a single subnet. Options can then be assigned based on client identifiers. Certain options can be assigned to a VoIP handset or a thin client that requires specific configurations.

These are the DHCP options that can be added to a DHCP configuration to specify deployment instructions relating to extra settings for client configuration. For more information about these options, refer to RFCs 2132, 2241, 2242, 2610, and 2485. Users are also encouraged to read RFCs 1122 and 1497 for more background information. Options that accept Boolean values are activated by a value of 1 unless otherwise specified. When specifying a list of IPv4 addresses, the first address takes precedence.

Subnet Mask

The subnet mask specifies the network in which a particular address resides by stipulating the portions of the IP address that represent the network and the host identifiers. RFC 950, Internet Standard Subnetting Procedure, defines this system.

IP Layer Parameters Per Host

These options specify values that are applied to the entire host system, and do not necessarily apply just to a single interface.

Most Common Options

These options are almost always configured for the client:

• Routers (3)—Option code 3 indicates the default router for this configuration. In Windows DHCP, this option is known as Default Gateway. The data consists of one or more IP addresses.

• DNS Servers (6)—Option code 6 specifies one or more DNS servers that the client contacts for DNS resolution. These are comparable to the Windows primary and secondary DNS servers that are configured for clients.


Servers

These options define some of the servers that clients can reference:

• Time Servers (4)—Option code 4 indicates RFC 868 time servers that are available to a client. The data consists of one or more IP addresses.

• IEN Name Servers (5)—Option code 5 is used to specify IEN name servers: these are not the same as BIND name servers.

• Log Servers (7)—Option code 7 specifies a log server for the client to use. It is a UDP log server identified with an IPv4 address. This option can be a list of IPv4 addresses, with the first address entered taking precedence.

• Cookie Servers (8)—Option code 8 refers to “Quote of the Day” servers as described in RFC 865. They are specified with IPv4 addresses.

• LPR Servers (9)—Option code 9 is a list of line printer servers as defined in RFC 1179. They are defined using a list of IPv4 addresses and are matched in the order specified.

• Impress Servers (10)—Option code 10 is a list of Imagen Impress servers. They are defined using a list of IPv4 addresses and are matched in the order specified.

• Resource Location Servers (11)—Option code 11 is a list of resource location server addresses for the client to use on the local network as specified in RFC 887. They are defined using a list of IPv4 addresses and are matched in the order specified.

Client-side

These options configure functionality on the DHCP client:

• Time Offset (2)—Option code 2 specifies the time offset from GMT for the DHCP client. This offset is expressed in seconds, with a negative value representing locations west of Greenwich. Thus Eastern Standard Time, which is 5 hours behind Greenwich Mean Time, could be expressed as -18000.

• Host Name (12)—Option code 12 specifies a host name for the client. This can be qualified with the local domain name.

• Boot Size (13)—Option code 13 describes the size of the boot file image for the client, expressed as a number of 512-byte segments.

• Merit Dump File (14)—Option code 14 is the path and file name of the file to which the client dumps its core image if it crashes.

• Domain Name (15)—Option code 15 specifies the domain name that the client uses when resolving host names through DNS.

• Swap Server (16)—Option code 16 specifies the IPv4 address of the client’s swap server.

• Root Path (17)—Option code 17 specifies, as a text value, the path name of the client’s root disk. A root disk contains the essential startup files for the client system and can be provided in several ways, including NFS.

• Extensions Path (18)—Option code 18 specifies, as a text value, the path to a file that the client retrieves. The file contains additional DHCP options, including vendor-specific configuration settings, in the same format as the options field of a DHCP message.


IP Forwarding

These options deal specifically with IP Forwarding:

• IP Forwarding (19)—Option code 19 is a Boolean value. It indicates whether a client with more than one network interface should forward packets between its interfaces.

• Non-Local Source Routing (20)—Option code 20 is a Boolean value. It indicates whether the client should forward datagrams that carry non-local source routes.

• Policy Filter Masks (21)—Option code 21 is a list of one or more IPv4 destination address and subnet mask pairs used to filter incoming source-routed datagrams. The client should discard any source-routed datagram whose next-hop address does not match one of the listed filters.

Packets

These options define the client’s packet handling:

• Max Datagram Reassembly (22)—Option code 22 is an unsigned 16-bit integer. It specifies the maximum size of datagram that the client should be prepared to reassemble. The minimum legal value is 576 and the maximum is 65535.

• Default IP TTL (23)—Option code 23 specifies the default Time-To-Live (TTL) that the client places in outgoing IP datagrams. It is a single octet with a value between 1 and 255.

• Path MTU Aging Timeout (24)—Option code 24 specifies the aging timeout for PMTU values in seconds as an unsigned 32-bit integer. For more information about PMTU, refer to RFC 1191.

Interface-Specific Options

The following DHCP options apply to a specific interface on the client, so a client with multiple interfaces can hold a different value for each interface:

• Interface MTU (26)—Option code 26 specifies the Maximum Transmission Unit (MTU) for packets sent from a specific interface. It is an unsigned 16-bit integer with a minimum legal value of 68.

• All Subnets Local (27)—Option code 27 indicates whether all local subnets have the same MTU as the network to which the client is attached. This is specified using a Boolean value.

• Perform Mask Discovery (29)—Option code 29 is a Boolean value that indicates whether an ICMP address mask request message is sent to the gateway to receive a subnet mask. This process is explained in RFC 950.

• Mask Supplier (30)—Option code 30 is a Boolean value that indicates whether or not a client responds to subnet mask requests using ICMP. This process is explained in RFC 950.

• Router Discovery (31)—Option code 31 is a Boolean value that indicates whether the client performs Router Discovery as explained in RFC 1256. A router can be specified with DHCP option 32.

• Router Solicitation Address (32)—Option code 32 is an address used in conjunction with DHCP Option 31. It specifies a particular router address with an IPv4 address. This address is used by the client when submitting router discovery messages in accordance with RFC 1256.

• Static Routes (33)—Option code 33 is a list of static routes for the client to store in its routing cache. The first address specified is the destination address; the second address is the router for that address. The route 0.0.0.0 is an illegal entry for this option.
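The value rules quoted above (a minimum of 576 for option 22, a single octet in the range 1 to 255 for option 23, a minimum of 68 for option 26, no 0.0.0.0 destination in option 33) are easy to get wrong when options are built by hand. The following encoder and decoder is an added example, not code from the Adonis guide or from BlueCat; it follows the RFC 2132 wire format (one-octet code, one-octet length, value) for the option codes listed in this section, enforces those rules on encode, and rejects truncated or unterminated option fields on decode. The option names in the table and all sample addresses are constructed for the illustration.

```python
"""Encode and decode the IP-layer DHCPv4 options covered in this section.

Added example; not part of the Adonis guide or of BlueCat software. The
wire format (one-octet code, one-octet length, value) and the value rules
enforced here come from RFC 2132 for the option codes the text lists
(3, 19, 21, 22, 23, 26, 33). Sample values are constructed.
"""
import ipaddress
import struct

# Option code -> (name, value kind). 'ips' = IPv4 address list,
# 'pairs' = list of (address, address) pairs, 'bool' = one octet 0/1,
# 'u8'/'u16' = unsigned integers of that width.
OPTIONS = {
    3:  ("routers", "ips"),
    19: ("ip-forwarding", "bool"),
    21: ("policy-filter", "pairs"),       # destination/mask pairs
    22: ("max-dgram-reassembly", "u16"),  # minimum legal value 576
    23: ("default-ip-ttl", "u8"),         # one octet, 1..255
    26: ("interface-mtu", "u16"),         # minimum legal value 68
    33: ("static-routes", "pairs"),       # destination/router pairs
}
U16_MINIMUM = {22: 576, 26: 68}

def _ip(addr):
    return ipaddress.IPv4Address(addr).packed

def encode_option(code, value):
    """Return the TLV bytes for one option, enforcing the stated value rules."""
    name, kind = OPTIONS[code]
    if kind == "ips":
        if not value:
            raise ValueError(f"{name}: at least one address required")
        body = b"".join(_ip(a) for a in value)
    elif kind == "pairs":
        body = b""
        for first, second in value:
            if code == 33 and first == "0.0.0.0":
                raise ValueError("static-routes: 0.0.0.0 is not a legal destination")
            body += _ip(first) + _ip(second)
    elif kind == "bool":
        body = b"\x01" if value else b"\x00"
    else:  # u8 / u16
        low, high, fmt = (1, 255, "!B") if kind == "u8" else (U16_MINIMUM.get(code, 0), 0xFFFF, "!H")
        if not low <= value <= high:
            raise ValueError(f"{name}: must be {low}..{high}")
        body = struct.pack(fmt, value)
    if len(body) > 255:
        raise ValueError(f"{name}: {len(body)} bytes does not fit in one option")
    return bytes([code, len(body)]) + body

def encode_options(values):
    """Encode {code: value} into an options field terminated by End (255)."""
    return b"".join(encode_option(c, v) for c, v in values.items()) + b"\xff"

def decode_options(blob):
    """Parse an options field: skips Pad (0), stops at End (255), rejects truncation."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            return out
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        body = blob[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError(f"option {code}: declared {length} bytes, got {len(body)}")
        out[code] = _decode_value(code, body)
        i += 2 + length
    raise ValueError("options field not terminated by End (255)")

def _decode_value(code, body):
    kind = OPTIONS.get(code, (None, "raw"))[1]
    addr = lambda k: str(ipaddress.IPv4Address(body[k:k + 4]))
    if kind in ("ips", "pairs"):
        size = 4 if kind == "ips" else 8
        if len(body) % size:
            raise ValueError(f"option {code}: length not a multiple of {size}")
        if kind == "ips":
            return [addr(k) for k in range(0, len(body), 4)]
        return [(addr(k), addr(k + 4)) for k in range(0, len(body), 8)]
    if kind == "bool":
        return body == b"\x01"
    if kind in ("u8", "u16"):
        return struct.unpack("!B" if kind == "u8" else "!H", body)[0]
    return body                                  # unknown option: raw bytes

# Constructed configuration for one client.
SAMPLE = {
    3: ["192.0.2.1"],
    19: False,
    22: 1500,
    23: 64,
    33: [("203.0.113.0", "192.0.2.254")],
}
```

Running `decode_options(encode_options(SAMPLE))` returns the SAMPLE dictionary unchanged; passing a TTL of 0 or a datagram size below 576 raises before anything reaches the wire, which is the check a server-side validator for these options should make.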


Link Layer Interface-Specific Options

These options are applied to a specific interface on a client, but they deal with the link layer of the interface rather than the IP layer:

• Trailer Encapsulation (34)—Option code 34 is a Boolean value that indicates whether the client should negotiate the use of ARP trailers in accordance with RFC 893.

• ARP Cache Timeout (35)—Option code 35 accepts an unsigned 32-bit integer value that specifies the timeout for ARP cache entries in seconds.

• IEEE 802.3 Encapsulation (36)—Option code 36 is a Boolean value that indicates the type of encapsulation used for Ethernet interfaces. A value of false indicates Ethernet 2 encapsulation (RFC 894) and a value of true indicates IEEE 802.3 (RFC 1042).

TCP Interface-Specific Options

These options apply Transmission Control Protocol (TCP) settings to client interfaces on a per-interface basis:

• Default TCP TTL (37)—Option code 37 is the default TTL value that the client places in the TCP segments it sends. It is an unsigned 8-bit integer with a minimum value of 1.

• TCP Keep Alive Interval (38)—Option code 38 is the number of seconds, specified with an unsigned 32-bit integer, that the client waits before sending a TCP keep alive message. A value of 0 prevents the client TCP from sending keep alive messages.

• TCP Keep Alive Garbage (39)—Option code 39 is a Boolean value used in conjunction with option code 38. It indicates whether a client should send keep alive messages with an octet of garbage to comply with older TCP implementations.

Application and Service Options

These options deal with the Network Information Service (NIS):

• NIS Domain (40)—Option code 40 is text used to define the client’s NIS domain using the ASCII character set.

• NIS Servers (41)—Option code 41 is a list of NIS servers specified using IPv4 addresses in order of preference.

This option specifies client settings for the Network Time Protocol (NTP):

• NTP Servers (42)—Option code 42 is a list of NTP servers specified using IPv4 addresses in order of preference.

These options deal with Microsoft WINS and NetBIOS:

• WINS/NBNS Servers (44)—Option code 44 is a list of Windows Internet Name Service/NetBIOS Name Service (WINS/NBNS) servers (RFC 1001/1002), specified using IPv4 addresses in order of preference.

• NetBIOS over TCP/IP NBDD (45)—Option code 45 is a list of NetBIOS Datagram Distribution (NBDD) servers (RFC 1001/1002) specified using IPv4 addresses in order of preference.

• WINS/NBT Node Type (46)—Option code 46 accepts an 8-bit integer value that specifies the type of NetBIOS over TCP/IP node for the client:

▪ 1—B-node

▪ 2—P-node

▪ 4—M-node

▪ 8—H-node

• NetBIOS Scope ID (47)—Option code 47 is text that specifies the NetBIOS scope ID for the client.

These options are specific to the X Window System:

• X-Window Font Servers (48)—Option code 48 is a list of X-Window font servers (RFC 1198). They are specified in order of preference using IPv4 addresses.

• X-Window Display Manager (49)—Option code 49 is a list of X-Window Display Manager servers (RFC 1198) available to the client. It is specified using IPv4 addresses in order of preference.

This option identifies a client uniquely:

• DHCP Client Identifier (61)—Option code 61 is a unique identifier used to specify individual DHCP clients. This value should be unique for all clients on a network and is defined in RFC 2132.

These options identify NIS services:

• NIS+ Domain (64)—Option code 64 is a text value that identifies, using the ASCII character set, the name of the NIS+ domain to which the client belongs.

• NIS+ Servers (65)—Option code 65 is a list of NIS+ servers specified using IPv4 addresses in order of preference.

These options configure clients requiring advanced information such as Preboot eXecution Environment (PXE) clients:

• TFTP Server Name (66)—Option code 66 identifies, using a text field for input, the name of a TFTP server.

• Boot File Name (67)—Option code 67 identifies, using a text field for input, the name of the boot file for this client.

This option configures Mobile IP home agents:

• Mobile IP Home Agent (68)—Option code 68 is a list of the Mobile IP home agents available to the client. They are specified using IPv4 addresses in order of preference.

These options configure commonly used Internet services.

• SMTP Server (69)—Option code 69 is a list of the Simple Mail Transfer Protocol (SMTP) servers available to the client. They are specified using IPv4 addresses in order of preference.

• POP3 Server (70)—Option code 70 is a list of the POP servers available to the client. They are specified using IPv4 addresses in order of preference.

• NNTP Server (71)—Option code 71 is a list of the Network News Transfer Protocol (NNTP) servers available to the client. They are specified using IPv4 addresses in order of preference.

• WWW Server (72)—Option code 72 is a list of the World Wide Web (WWW) servers available to the client. They are specified using IPv4 addresses in order of preference.

• Finger Server (73)—Option code 73 is a list of the Finger servers available to the client. They are specified using IPv4 addresses in order of preference.

• IRC Server (74)—Option code 74 is a list of the IRC servers available to the client. They are specified using IPv4 addresses in order of preference.

These options configure StreetTalk services:

• StreetTalk Server (75)—Option code 75 is a list of the StreetTalk servers available to the client. They are specified using IPv4 addresses in order of preference.

• StreetTalk Directory Assistance Server (76)—Option code 76 is a list of the StreetTalk Directory Assistance servers available to the client. They are specified using IPv4 addresses in order of preference.


These options configure SLP services:

• SLP Directory Agent (78)—Option code 78 (RFC 2610) is a list of the SLP Directory Agents available to the client. They are specified using IPv4 addresses in order of preference. If the checkbox is selected, the client must not use either active or passive multicast discovery of directory agents. This option also requires the use of DHCP option 79, SLP Service Scope.

• SLP Service Scope (79)—Option code 79 is a list of the SLP scopes that a client is configured to use. If the checkbox is selected, the client’s static SLP Service Scope settings are overridden by the settings specified by this option.

Cable modems generally require an advanced configuration in order to participate in authentication and billing schemes. CableLabs modems are configured with this option:

• Cablelabs (122)—This option configures cable modems and media terminal adapters (MTAs) according to the PacketCable security standard. For details, see that standard or RFC 3495. The following fields are available to customize this option:

▪ primary-address—The IPv4 address of the primary DHCP server from which this client may accept DHCP offers.

▪ secondary-address—The IPv4 address of the secondary DHCP server from which this client may accept DHCP offers.

▪ provisioning-address—The IPv4 address or FQDN of the provisioning server that this modem or MTA contacts.

▪ as-req_as-rep-backoff-and-retry—The timeout and retry values for the client’s requests to the Kerberos Authentication Server or Ticket Granting Server (the AS-REQ/AS-REP exchange).

▪ ap-req_ap-rep-backoff-and-retry—The timeout and retry values for the Kerberos AP-REQ/AP-REP exchange that carries the authentication header.

▪ kerberos-realm-name—The Kerberos realm to authenticate against. Realm names are always specified in capitals and must be given in domain style as described in RFC 1510.

▪ granting-server-utilization—Select this checkbox if the client should use a Ticket Granting Ticket when obtaining service from a PacketCable application server.

▪ provisioning-timer—An integer between 0 and 255 giving the timeout, in seconds, within which the provisioning process must complete.

Trivial File Transfer Protocol (TFTP) service is commonly used to let DHCP clients download a complex configuration. The TFTP server is configured with this option:

• TFTP Server Address (150)—Option code 150 is the IPv4 address of the TFTP server that the client uses. Some devices, such as certain VoIP phones, download their initial configuration from a TFTP server. This option is not yet in an RFC, but was most recently proposed in the Internet draft VoIP Configuration Server Address Option on November 16, 2007.
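Option 122 is unusual among the options in this chapter because its fields are carried as encapsulated sub-options, one of which is a DNS-style encoded name. The following builder and parser is an added example, not Adonis or BlueCat code; the sub-option numbers and encodings are my reading of RFC 3495 (1 and 2 primary and secondary DHCP server, 3 provisioning server with a type octet, 4 and 5 backoff-and-retry triples, 6 Kerberos realm, 7 TGT utilization flag, 8 provisioning timer) and should be checked against that RFC before use. It enforces the two constraints the field table states, an upper-case domain-style realm and a 0 to 255 provisioning timer, and all addresses and names are constructed.

```python
"""Build and parse the CableLabs Client Configuration option (DHCP option 122).

Added example; not Adonis code. Sub-option codes and encodings follow my
reading of RFC 3495: 1/2 primary and secondary DHCP server (IPv4),
3 provisioning server (type octet 1 = IPv4 address, 0 = FQDN in RFC 1035
label form), 4/5 AS-REQ/AS-REP and AP-REQ/AP-REP backoff-and-retry
(nominal timeout, maximum timeout, maximum retries, each 32-bit),
6 Kerberos realm as an RFC 1035 encoded name, 7 ticket granting server
utilization flag, 8 provisioning timer (one octet). Values are constructed.
"""
import ipaddress
import struct

def _name(fqdn):
    """RFC 1035 encoding: length-prefixed labels, zero terminated."""
    out = b""
    for label in fqdn.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label in {fqdn!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def _parse_name(body):
    labels, i = [], 0
    while body[i]:
        n = body[i]
        labels.append(body[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)

def _sub(code, body):
    if len(body) > 255:
        raise ValueError(f"sub-option {code} too long")
    return bytes([code, len(body)]) + body

def build_option122(primary, secondary=None, provisioning=None, as_backoff=None,
                    ap_backoff=None, realm=None, use_tgt=None, prov_timer=None):
    parts = [_sub(1, ipaddress.IPv4Address(primary).packed)]
    if secondary:
        parts.append(_sub(2, ipaddress.IPv4Address(secondary).packed))
    if provisioning:
        try:                                    # IPv4 literal, otherwise an FQDN
            parts.append(_sub(3, b"\x01" + ipaddress.IPv4Address(provisioning).packed))
        except ipaddress.AddressValueError:
            parts.append(_sub(3, b"\x00" + _name(provisioning)))
    for code, triple in ((4, as_backoff), (5, ap_backoff)):
        if triple:
            parts.append(_sub(code, struct.pack("!III", *triple)))
    if realm:
        # The field table requires an upper-case, domain-style realm (RFC 1510).
        if realm != realm.upper() or "." not in realm:
            raise ValueError("Kerberos realm must be an upper-case domain-style name")
        parts.append(_sub(6, _name(realm)))
    if use_tgt is not None:
        parts.append(_sub(7, b"\x01" if use_tgt else b"\x00"))
    if prov_timer is not None:
        if not 0 <= prov_timer <= 255:
            raise ValueError("provisioning timer must be 0..255")
        parts.append(_sub(8, bytes([prov_timer])))
    body = b"".join(parts)
    if len(body) > 255:
        raise ValueError("option 122 body exceeds 255 octets")
    return bytes([122, len(body)]) + body

def parse_option122(opt):
    """Return {sub-option code: decoded value} from a complete option 122 TLV."""
    if len(opt) < 2 or opt[0] != 122 or opt[1] != len(opt) - 2:
        raise ValueError("not a well-formed option 122")
    body, i, out = opt[2:], 0, {}
    while i < len(body):
        code, n = body[i], body[i + 1]
        val = body[i + 2:i + 2 + n]
        if len(val) != n:
            raise ValueError(f"sub-option {code} truncated")
        if code in (1, 2):
            out[code] = str(ipaddress.IPv4Address(val))
        elif code == 3:
            out[code] = str(ipaddress.IPv4Address(val[1:])) if val[0] == 1 else _parse_name(val[1:])
        elif code in (4, 5):
            out[code] = struct.unpack("!III", val)
        elif code == 6:
            out[code] = _parse_name(val)
        elif code in (7, 8):
            out[code] = val[0]
        else:
            out[code] = val                     # unknown sub-option kept raw
        i += 2 + n
    return out
```

The parser checks the outer length octet against the actual length and each sub-option against the remaining bytes, so a truncated or padded option from a misbehaving relay is rejected rather than silently misread.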


DHCP Advanced Options

DHCP advanced options control how the DHCP server responds to client requests. The following options are available:

• Always Broadcast—Indicates whether the DHCP server should always broadcast its responses, even to clients that did not ask for a broadcast reply. Restrict this to the few clients that require it.

• Always Reply rfc1048—Indicates whether to send RFC 1048 options to BOOTP clients that expect RFC 1048-style responses.

• Authoritative—Indicates whether the DHCP server is authoritative for the network and should send DHCPNAK messages to clients that request addresses it knows to be wrong for the subnet. On a subnet served by a single DHCP server, enable this option. On networks where clients can interact with multiple DHCP servers, an authoritative server may reject leases granted by the other servers and prevent clients from obtaining an address.

• Client Updates—Indicates whether the client, rather than the server, maintains its own DDNS record. If this checkbox is selected when the option is added, the client updates its own DNS record; if the option is added with the checkbox cleared, the DHCP server performs the update. This option is required for DDNS.

• DDNS Domain Name—Specifies the domain name that is appended to this client’s host name to form its FQDN. This is also the name of the zone that is updated with the client’s record.

• DDNS Hostname—Specifies the host name used for this client’s DDNS updates. If no value is specified, the server derives a name, using the client’s own host name where one is available.

• DDNS Rev Domain Name—Specifies the domain appended to the reversed address to form the name of the client’s reverse (PTR) record. The default is in-addr.arpa, but you can override it here.

• DDNS TTL—Specifies the default time-to-live, in seconds, for DDNS records (0 to 4,294,967,295).

• DDNS Updates—Indicates whether the server attempts a DDNS update when a lease is confirmed.

• Default Lease Time—Specifies the lease duration the server assigns when the requesting client does not ask for a specific expiration time.

• Dynamic bootp Lease Length—Specifies the length of the leases the server assigns to dynamic BOOTP clients.

• Filename—Specifies the name of the initial boot file the client loads. Clients normally retrieve this file by TFTP from the server given by Next Server; if no Next Server is set, they use the address of the DHCP server itself.

• Get Lease Hostnames—Causes the server to look up the FQDN for each address in the lease pool and send it to the client in the Host Name option (12).

• Maximum Lease Time—Specifies the maximum lease time for address leases within the scope on which the option is set. It must be greater than or equal to the current Default Lease Time.

• Minimum Lease Time—Specifies the minimum lease time for address leases within the scope on which the option is set. It must be less than or equal to both the current Default Lease Time and the Maximum Lease Time.

• Minimum Seconds—Specifies the minimum number of seconds a client must report having spent trying to obtain a new lease before the server responds to its request. This lets another server answer first.

• Next Server—Specifies the address of the server from which the client loads its initial boot file.

• Ping Check—Determines whether the DHCP server sends an ICMP echo request to probe the availability of an address before offering it to a client.

• Server Identifier—Specifies the IP address the server reports as its identifier, which must be reachable by all clients. This is useful where a physical network interface has more than one IP address and the default address is not appropriate for some or all clients served by that interface.

• Server Name—Specifies the name of the server from which the client boots.

• Site Option Space—Specifies the option space used for the client’s site-local options.

• Stash Agent Options—Indicates whether relay agent information (option 82) is saved with the lease for use when the client renews. Renewal requests are sent directly to the server and do not pass through the relay agent, so the saved copy is the only relay agent information available at renewal time; if it is not saved, none is.

• Update Optimization—Specifies whether the server performs a DNS update every time the client renews its lease, or only when it appears to be necessary.

• Update Static Leases—Specifies whether the server performs DNS updates for clients whose addresses are assigned by a fixed-address statement.

• Use Lease Address for Default Route—Determines whether the client’s own leased address is given as its router, instead of the value in the Routers option. This is useful on networks where the local router performs proxy ARP, because clients then ARP for every destination.

NOTE: This is not a recommended option for most configurations, because many DHCP clients do not support it.

Setting Up DHCP Services

Setting up DHCP services requires an existing DHCP server. To create a DHCP server, see “Configuring DHCP” on page 89.

When you create the DHCP service, it is enabled by default. To disable it, right-click the DHCP service and select Disable DHCP. To re-enable it, right-click and select Enable DHCP.

Several options are available at both the DHCP service level and for the objects below it. The most local instance of any option is the one used in the configuration. The following procedure refers to the DHCP service itself; other DHCP objects can be configured using many of the same techniques.

To set up DHCP on a configured server:

1 In the tree-view pane of the Management Console select the DHCP service.

2 On the General tab click Port, and then specify the OMAPI port (usually 7911). OMAPI gives remote control over the running DHCP server, so allow access to this port only from management hosts.

3 Click Key. The Select OMAPI Key dialog box appears. The key authenticates OMAPI connections; without it, connections to the port are unauthenticated.

4 Select a key from the drop-down list, and then click OK.

5 Set up any DHCP failover peers for this DHCP service.

6 Click the Hosts tab, and then declare a new host.

7 Click the Client Options tab, and then set the DHCP client options.

8 Click the Advanced Options tab, and then set the DHCP advanced options.

9 Add any Vendor Options that are required.

10 Add any Custom Options that are required.

11 Save your project.

Client options include custom options required for VoIP services.

Chapter 9: Adonis Advanced DHCP

This chapter includes the following topics:

• Custom Client Configurations on page 175 describes the classes and vendor profiles used to identify devices so that they can receive appropriate configuration information from the DHCP server.

• DHCP Custom Options on page 181 describes DHCP custom options that provide support for non-standard or manufacturer-specific DHCP.

• TFTP Service on page 182 introduces TFTP, which provides complex network configuration files to clients.

• DDNS and Zones on page 183 describes how DDNS updates the DNS service with information about DHCP clients.

• Network Access Control on page 184 explains security issues and network access before clients receive a dynamic configuration and an IP address.

• DHCP/TFTP Service Control on page 195 describes the controls over these services, including a section on OMAPI.

• DHCP Lease Viewer on page 196 describes how the DHCP Lease Viewer can provide a real-time view of the DHCP service and how it can be used to control leases in real time.

• DHCP Failover on page 197 introduces the concepts of DHCP failover.

• DHCPv6 on page 197 describes how Adonis provides dynamic network configuration with support for DHCPv6.

Custom Client Configurations

There are two mechanisms by which Adonis DHCP clients can be identified and given customized network configurations:

• Classes can match various aspects of a client, and then provide DHCP options specific to that class of clients. For more information, see Classes on page 175.

• Vendor identifiers can identify clients and give them a vendor profile that contains all the required options for network configuration. For more information, see Vendor Profiles on page 178.

Classes

Classes are a means of grouping clients based on the information that they need to receive from the DHCP service. Unlike subnets, which group clients by their IP addresses, DHCP classes group clients based on information that the client sends about itself. For example, a client can identify itself as a printer or a VoIP handset during communications with the DHCP server.


Declaring Classes

Class declarations are created on the server, and clients identify themselves as belonging to a particular class through the information they send. The DHCP server can then assign configuration options that apply only to clients in that class, and can allow or deny an address from a particular pool based on class membership. For example, members of a class representing the engineering department can be allowed an IP address from a pool that members of a sales class are denied, and a VoIP phone can be given the address of a TFTP server in addition to its own IP address.

A client may be a member of several classes. The first match supplies most of the client’s settings, and later matches may override some options for more specific cases. Subclasses represent a subset of their parent class, and their settings only modify the settings of the parent class.

User class options let the client or administrator declare which class the client belongs to, so that the client receives the configuration that class requires.

To declare a class for the DHCP service:

1 In the tree-view pane right-click the DHCP service. From the context menu, select New Class. The New Class dialog box appears.

2 Type a name for the class, and then click OK. The new class appears in the tree-view pane of the Management Console below the DHCP service.

3 Select the Conditions tab, right-click on the empty area, and then select New Condition.

4 Select one of the following conditions:

▪ Match—Specifies a condition that the client must match exactly. For example, you could configure a class to match a computer’s 48-bit hardware MAC address.

▪ Match if—Lets you define a wider set of conditions using elements such as wildcards and substrings. For example, you can create a match-if statement that tests only the first 24 bits (the manufacturer prefix) of a MAC address; any client with that prefix matches the class. Match-if statements are also the usual way to classify clients by the relay agent information carried in DHCP option 82.

▪ Spawn with—A spawning class automatically produces subclasses from a value sent by the client, which lets you create lease-limited classes on the fly. For example, in a cable-modem environment each customer’s cable modem is identified by the circuit ID that the relay agent inserts, and a customer may need additional IP addresses. A service provider can create a class that uses Spawn with on that circuit ID so that each modem gets its own subclass, and then apply a lease limit to it. In the Select Option dialog box, select the client option that must evaluate to a non-null value, and then click OK.

▪ Lease limit—Limits the number of class members that can hold an address lease at any one time. This limit applies to all addresses that the DHCP server allocates to the class, not just the addresses on a specific network segment.


5 To set the Client Options for the class double-click an option value, and then select new values in the dialog box that appears.

6 To set the Advanced Options for the class double-click an option value, and then select new values in the dialog box that appears.
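The four condition types above interact: ordinary classes are evaluated in declaration order with later matches overriding earlier option values, while a spawning class creates one subclass per distinct key and the lease limit applies per subclass. The following model is an added example, not Adonis code and not a reproduction of the appliance’s internals; it runs the four condition types over constructed requests so that behaviour can be seen directly. The class names, addresses, the OUI prefix, the circuit IDs and the limit of two are invented; the circuit ID is read from sub-option 1 of the relay agent information option (82) as defined in RFC 3046.

```python
"""Model of DHCP class evaluation: Match, Match if, Spawn with, Lease limit.

Added example; it is not Adonis code and does not reproduce the appliance's
internals. It shows, on constructed requests, how a first match supplies
most options, later matches override them, and a spawned subclass keyed on
the relay agent circuit ID (option 82, sub-option 1, RFC 3046) enforces a
lease limit. Class names, addresses, the OUI and the limit are invented.
"""
from collections import defaultdict

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

class ClassTable:
    def __init__(self):
        self.classes = []                # (name, predicate, options) in declaration order
        self.spawners = []               # (name, key_fn, lease_limit, options)
        self.holders = defaultdict(set)  # (spawner, key) -> client ids holding a lease

    def match(self, name, hardware, options):
        """Match: the hardware address must equal the given value exactly."""
        self.classes.append((name, lambda r: r["hardware"] == hardware, options))

    def match_if(self, name, predicate, options):
        """Match if: any boolean test over the request, such as a MAC prefix."""
        self.classes.append((name, predicate, options))

    def spawn_with(self, name, key_fn, lease_limit, options):
        """Spawn with: one subclass per distinct non-null key, each lease-limited."""
        self.spawners.append((name, key_fn, lease_limit, options))

    def evaluate(self, req):
        """Return (classes matched, merged options, lease admitted?)."""
        matched, merged, admitted = [], {}, True
        for name, pred, opts in self.classes:
            if pred(req):
                matched.append(name)
                merged.update(opts)          # a later match overrides earlier values
        for name, key_fn, limit, opts in self.spawners:
            key = key_fn(req)
            if key is None:                  # Spawn with requires a non-null value
                continue
            held = self.holders[(name, key)]
            if req["client_id"] in held or len(held) < limit:
                held.add(req["client_id"])   # renewal, or room under the limit
                matched.append(f"{name}:{key.hex()}")
                merged.update(opts)
            else:
                admitted = False             # subclass lease limit reached
        return matched, merged, admitted

def circuit_id(req):
    """Agent Circuit ID: sub-option 1 inside the raw option 82 value, if present."""
    body, i = req.get("option82", b""), 0
    while i + 1 < len(body):
        code, n = body[i], body[i + 1]
        if code == 1:
            return body[i + 2:i + 2 + n]
        i += 2 + n
    return None

def request(hw, client_id, option82=b""):
    return {"hardware": mac(hw), "client_id": client_id, "option82": option82}

def build_table():
    t = ClassTable()
    t.match("print-server", mac("00:11:22:33:44:55"), {"routers": "192.0.2.1"})
    t.match_if("voip-phones", lambda r: r["hardware"][:3] == mac("00:0b:82"),
               {"tftp-server-name": "tftp.example.net", "boot-file": "phone.cfg"})
    t.spawn_with("cable-modems", circuit_id, 2, {"routers": "192.0.2.254"})
    return t

if __name__ == "__main__":
    table = build_table()
    behind_cm1 = bytes([1, 3]) + b"cm1"    # constructed option 82: circuit "cm1"
    for cid, hw in (("a", "00:0b:82:aa:bb:01"), ("b", "00:0b:82:aa:bb:02"),
                    ("c", "00:0b:82:aa:bb:03")):
        print(cid, table.evaluate(request(hw, cid, behind_cm1)))
```

The third client behind circuit "cm1" is refused because the spawned subclass already holds two leases, while a renewal from an existing holder is still admitted; a request with no option 82 never reaches the spawning class, which is why the text requires the spawn option to evaluate to a non-null value.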

Subclasses

A subclass has the same name as its parent class, but it has a specific submatch expression that examines criteria to match clients more specifically. A spawning class is a class that automatically generates subclasses based on the options that the client sends. Subclasses are very useful for adding extra options to a specific subset of your DHCP clients.

Declaring Subclasses

To declare a subclass:

1 In the tree-view pane right-click the class to which you want to add a subclass. From the context menu, select New Subclass. The New Subclass dialog box appears.

2 Type a name for the subclass, and then type the class data as a text string enclosed in quotation marks, or as a list of bytes in hexadecimal format separated by colons. Click OK.

3 Set the Client Options and Advanced Options for the subclass by double-clicking an option, and then selecting new values in the dialog box that appears.


Vendor Profiles

Vendor profiles let Adonis deliver non-standard parameters to devices that need them, such as VoIP handsets, together with the IP-layer options and resources those devices require. Vendor profiles also help to support roaming networks and rich media services.

Adonis examines a client’s vendor class identifier (option 60) to determine whether the client should be configured with a vendor profile and its associated options. Option 43, Vendor-Specific Information, can also carry option data that is outside the standards track.

Vendor profiles are created first at the DHCP service level and then implemented at the service, group, or subnet level. You can select a predefined class or create a new custom class.

Pre-defined Vendor Classes

Predefined vendor profiles are XML files that define a class, listing its name, identifier, and the options it contains. You can add vendor profiles to your system’s %systemroot%\Program Files\BlueCat Networks\Adonis\vendor profiles directory, and you can create a new profile with an XML editor. Adonis includes an example called Sun Ray. The following XML file defines it:

<?xml version="1.0" encoding="UTF-8"?>
<vendor_options identifier="SUNW.NewT.SUNW" name="Sun Ray">
  <option id="21" name="AuthSrvr" type="ip" comment="Sun Ray server IP address to connect to"/>
  <option id="22" name="AuthPort" type="number" comment="Sun Ray server port to connect to"/>
  <option id="23" name="NewTVer" type="text" comment="Which firmware version to upgrade to"/>
  <option id="24" name="LogHost" type="ip" comment="Log level for host"/>
  <option id="25" name="LogKern" type="number" comment="Log level of kernel"/>
  <option id="26" name="LogNet" type="number" comment="Log level of network"/>
  <option id="27" name="LogUSB" type="number" comment="Log level for USB"/>
  <option id="28" name="LogVid" type="number" comment="Log level for video"/>
  <option id="29" name="LogAppl" type="number" comment="Log level for application"/>
  <option id="30" name="NewTBW" type="number" comment="Limits bandwidth available for Sun Ray"/>
  <option id="31" name="FWSrvr" type="ip" comment="Firmware server IP address"/>
  <option id="32" name="NewTDispIndx" type="number" comment=""/>
  <option id="33" name="Intf" type="text" comment="Interface used for Sun Ray service"/>
  <option id="34" name="NewTFlags" type="number" comment=""/>
  <option id="35" name="AltAuth" type="ip" comment="Alternate set of Sun Ray server IP addresses"/>
  <option id="36" name="BarrierLevel" type="number" comment="Barrier level firmware download"/>
</vendor_options>

The Management Console displays the options encoded in this XML file on the Vendor Profiles tab.

To add or create a vendor profile:

1 In the tree-view pane select the DHCP service.

2 In the details pane select the Vendor Profiles tab.

3 Right-click in the empty area, and then select New. The New Vendor Option Class dialog box appears.

4 To select a predefined class, click the (...) button, navigate to the XML file that contains the vendor profile information, and then click OK.

5 To create a custom class instead, select the Custom option, type a name in the Vendor Name field, type a Vendor Class Identifier that matches the one clients send in option 60 during DHCP discovery, and then click OK.

After you have assigned a name and identifier to your custom vendor profile, you must populate the profile with attributes. These are the options that are assigned to clients:

• Name—A descriptive name for the attribute.

• ID—The numerical ID for the attribute.

• Type—The format of the attribute. Use one of the following types:

▪ IP—A single IP address.

▪ IP_List—A list of IP addresses separated by commas.

▪ Number (Unsigned 8)—A number between 0 and 255.

▪ Number (Unsigned 16)—A number between 0 and 65,535.

▪ Number (Unsigned 32)—A number between 0 and 4,294,967,295.

▪ Text—An NVT ASCII string, which must be enclosed in double quotation marks (“”).

▪ Raw—An NVT ASCII string enclosed in double quotation marks, or a series of octets specified in hexadecimal, separated by colons.

• Comment—An optional comment regarding the attribute.
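The attribute types above determine how each vendor attribute is serialized onto the wire once a client’s option 60 matches the profile identifier. The following encoder is an added example, not Adonis or BlueCat code. It parses a vendor profile in the XML form shown above (a shortened copy of the Sun Ray file, embedded here as constructed input), validates each attribute value against the type rules listed (ranges, quoted Text, colon-separated hex for Raw), and packs the values as encapsulated sub-options of option 43 in the RFC 2132 section 8.4 format, which is how Sun Ray clients consume these options. Two points are assumptions: the XML shorthand type "number" is mapped to Number (Unsigned 32), and the text does not state that Adonis itself emits exactly this option 43 layout. The sample attribute values are constructed.

```python
"""Encode vendor-profile attributes into DHCP option 43 for a matching client.

Added example; not Adonis or BlueCat code. Parses a vendor profile in the
XML form shown above, checks the client's vendor class identifier
(option 60) against the profile identifier, validates each value against
the Management Console attribute types, and encodes them as option 43
encapsulated sub-options (RFC 2132 section 8.4). The XML type 'number' is
mapped to 'Number (Unsigned 32)' here, which is an assumption.
"""
import ipaddress
import re
import struct
import xml.etree.ElementTree as ET

# Constructed input: the first three options of the Sun Ray profile above.
PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<vendor_options identifier="SUNW.NewT.SUNW" name="Sun Ray">
  <option id="21" name="AuthSrvr" type="ip" comment="Sun Ray server IP address to connect to"/>
  <option id="22" name="AuthPort" type="number" comment="Sun Ray server port to connect to"/>
  <option id="23" name="NewTVer" type="text" comment="Which firmware version to upgrade to"/>
</vendor_options>"""

XML_TYPES = {"ip": "IP", "text": "Text", "number": "Number (Unsigned 32)"}  # assumed mapping
_HEX_OCTETS = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*$")

def encode_value(type_name, value):
    """Serialize one attribute value according to its Management Console type."""
    if type_name == "IP":
        return ipaddress.IPv4Address(value).packed
    if type_name == "IP_List":
        return b"".join(ipaddress.IPv4Address(a.strip()).packed for a in value.split(","))
    if type_name.startswith("Number"):
        fmt = {"Number (Unsigned 8)": "!B", "Number (Unsigned 16)": "!H",
               "Number (Unsigned 32)": "!I"}[type_name]
        n = int(value)
        if not 0 <= n <= (1 << (8 * struct.calcsize(fmt))) - 1:
            raise ValueError(f"{value} out of range for {type_name}")
        return struct.pack(fmt, n)
    if type_name == "Text":
        if not (value.startswith('"') and value.endswith('"')):
            raise ValueError("Text values must be enclosed in double quotation marks")
        return value[1:-1].encode("ascii")
    if type_name == "Raw":
        if value.startswith('"') and value.endswith('"'):
            return value[1:-1].encode("ascii")
        if not _HEX_OCTETS.match(value):
            raise ValueError("Raw values are quoted text or colon-separated hex octets")
        return bytes.fromhex(value.replace(":", ""))
    raise ValueError(f"unknown attribute type {type_name!r}")

def load_profile(xml_text):
    """Return (identifier, {name: (sub-option id, type)}) from a profile file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    attrs = {o.get("name"): (int(o.get("id")), XML_TYPES[o.get("type")])
             for o in root.findall("option")}
    return root.get("identifier"), attrs

def option43_for(client_option60, profile_xml, values):
    """Return the option 43 TLV if option 60 matches the profile, else None."""
    identifier, attrs = load_profile(profile_xml)
    if client_option60 != identifier:
        return None
    body = b""
    for name, raw in values.items():
        code, type_name = attrs[name]
        enc = encode_value(type_name, raw)
        if len(enc) > 255:
            raise ValueError(f"{name}: encoded value too long")
        body += bytes([code, len(enc)]) + enc
    body += b"\xff"                       # end of encapsulated options
    if len(body) > 255:
        raise ValueError("option 43 payload exceeds 255 octets")
    return bytes([43, len(body)]) + body

def parse_option43(opt):
    """Split an option 43 TLV back into {sub-option code: raw bytes}."""
    body, i, out = opt[2:2 + opt[1]], 0, {}
    while i < len(body) and body[i] != 0xFF:
        code, n = body[i], body[i + 1]
        out[code] = body[i + 2:i + 2 + n]
        i += 2 + n
    return out

# Constructed attribute values for one Sun Ray client.
SAMPLE_VALUES = {"AuthSrvr": "192.0.2.20", "AuthPort": "7009", "NewTVer": '"4.2"'}
```

A client announcing a different vendor class identifier receives no option 43 at all, which is the behaviour the text describes for profile matching; the type checks reject an out-of-range number or an unquoted Text value before the option is built.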

To populate a vendor class with attributes:

1 Double-click the vendor option name. The Edit Vendor Option Class dialog box appears.

You must assign a value for every attribute you have created.

0 Adonis Administration Guide Version 5.5

Page 181: Adonis Admin 5.5

Custom Client Configurations

Ve

2 Right-click in one of the rows under Attributes, and then select New Attribute from the context menu. The New Attribute dialog box appears.

3 Type an attribute Name and an ID.

Attribute names must not contain spaces.

4 From the drop-down list select Type, and then type a comment (optional).

5 Click OK.

The new attribute appears in the Edit Vendor Option Class dialog box.

DHCP Custom Options

You can define custom options at the DHCP service level and use them throughout the DHCP service wherever you assign a client option. Custom options have three required elements:

• Code—The code field requires a DHCP option code value. To avoid conflict with standard client options we recommend a value above 150. The client device that receives this option uses the same code to reference it.

• Name—This is a user-recognizable name that refers to this option within the Adonis project.

• Type—All custom options can be assigned a data type to which all values must conform. Any values for this option are checked against this type, or limited to selections based on data type.

To create a custom option:

1 At the DHCP service level, select the Custom Options tab in the details pane.

2 Right-click a blank area of the pane, and then select New from the context menu. The New Custom Option dialog box appears.


3 Type a number in the Code field.

4 Type a name in the Name field.

5 Select the option type from the Type drop-down list, and then click OK.

The new custom option appears in the list of client options in the DHCP configuration wherever client options can be assigned.
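The type checks described above become concrete when a custom option is encoded the way it travels to the client: a one-byte code, a one-byte length, and the payload. This is an added Python example, not code from the guide or from the Adonis product. The type names follow the Type drop-down (IP, IP_List, Unsigned 8/16/32, Text, Raw); the option codes and values are constructed, and the rule that rejects codes of 150 or below is an assumption that enforces the guide's recommendation as a hard check.

```python
import ipaddress
import re

# Colon-separated hex octets, as accepted for the Raw type (e.g. "01:02:ff").
OCTET_HEX = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*$")


def encode_value(typ, value):
    """Validate a value against its declared type and return the payload bytes.

    Type names mirror the Type drop-down in the guide; the checks are an
    assumed reading of "values are checked against this type".
    """
    if typ == "IP":
        return ipaddress.IPv4Address(value.strip()).packed
    if typ == "IP_List":
        return b"".join(ipaddress.IPv4Address(v.strip()).packed
                        for v in value.split(","))
    if typ in ("Unsigned 8", "Unsigned 16", "Unsigned 32"):
        width = int(typ.split()[1]) // 8          # bytes on the wire
        n = int(value)
        if not 0 <= n < (1 << (8 * width)):
            raise ValueError(f"{n} is out of range for {typ}")
        return n.to_bytes(width, "big")
    if typ == "Text":
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            raise ValueError("Text values must be enclosed in double quotes")
        return value[1:-1].encode("ascii")       # NVT ASCII only
    if typ == "Raw":
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            return value[1:-1].encode("ascii")
        if OCTET_HEX.match(value):
            return bytes(int(h, 16) for h in value.split(":"))
        raise ValueError("Raw values are a quoted string or hex octets")
    raise ValueError(f"unknown type {typ!r}")


def encode_option(code, typ, value):
    """Encode one client option as code, length, payload."""
    if not 1 <= code <= 254:
        raise ValueError("codes 0 and 255 are the pad and end markers")
    payload = encode_value(typ, value)
    if len(payload) > 255:
        raise ValueError("payload exceeds the 255-byte limit of one option")
    return bytes([code, len(payload)]) + payload


def encode_options(options):
    """Encode (code, type, value) triples into one option block.

    Duplicate codes are rejected, as the Management Console does, and codes
    of 150 or below are rejected too (assumption: the guide only recommends
    staying above 150, this check makes it mandatory).
    """
    seen, out = set(), b""
    for code, typ, value in options:
        if code <= 150:
            raise ValueError(f"code {code} may collide with a standard option")
        if code in seen:
            raise ValueError(f"option code {code} already exists")
        seen.add(code)
        out += encode_option(code, typ, value)
    return out
```

The 255-byte limit is why a long IP_List or Raw value cannot be carried in a single option; the length field is one byte on the wire.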

If you select a number that is already in use, a message appears informing you that the option code already exists.

Names must not include spaces.

TFTP Service

Adonis can provide TFTP service on the appliance for clients who need to download a configuration or boot file. This is useful for organizations that run certain VoIP systems and cable modems because these devices often need to obtain their startup configuration as a file from a TFTP server.

To add TFTP service:

1 In the tree-view pane, right-click the server that hosts TFTP. On the context menu, select New Service > TFTP.

2 Click TFTP Service. The TFTP Server Control tab appears in the details pane.

3 Click Manage TFTP Files. The TFTP Server Control dialog box appears.


4 Select the server from the drop-down list, type the password, and then click OK. The TFTP Server Files dialog box opens.

After you log in, the service is inspected and the Management Console populates the File List On Server field from the actual service.

5 To refresh the File List On Server field, click Refresh.

6 To select files, use the (...) button next to the Upload File field.

7 To upload the selected files that appear in the list, click Upload.

8 To download the selected files, click Download.

9 Click Close.

DDNS and Zones

Reverse DNS facilitates network navigation by converting numbers into names. It uses a DNS zone to represent the IP address mappings within a network. Host address registrations are made using DDNS. In Adonis DHCP, DNS zones can be added to associate them to DHCP networks. For more information, see Dynamic DNS on page 128.

Adding Zones

You can add zones at the DHCP server level and at the group level.


To add a new zone:

1 In the tree-view pane, right-click a group. From the context menu, select Zone. The New Zone dialog box appears.

2 Type a name for the zone, and then type the primary address for the server that hosts this zone.

3 Click the browse button to open a browse dialog box. Select a portion of the DNS structure for linking the zone name.

4 If the zone should be part of a DNS configuration, select Link to Another from the drop-down list.

5 Click OK.

If you are using TSIG, on the General tab select the key to associate with the zone (recommended).

Network Access Control

Networks need a technology that screens possible member devices before allowing them onto the network. However, this system restricts network access control (NAC) to the domain level. Adonis has a type of pre-admission NAC that verifies the MAC or hardware address of the device and prevents unauthorized systems from obtaining configuration information from DHCP.

MAC Address Filtering

Adonis can filter client requests based on the originating MAC address of the workstation hardware that makes the request. When a client requests an IP address, Adonis checks the MAC address of the network interface from which the request originated against a deny list. Matching MAC addresses are denied an IP address.

To enable MAC address filtering:

1 From the Server menu of the Management Console, select MAC Address Filtering. The MAC Address Filtering Wizard opens.


2 Click Next. The MAC Address Filtering page appears.

3 Select Enable MAC Address Filtering, and then click Next. The Server Action page appears.

4 Select one or more servers to perform filtering, type a password for each, and then click Next. A Status column indicates whether or not the action was successful.

5 Click Next. The Finish page appears, indicating that the wizard has completed its operations. Click Finish.


To manage the filter list of MAC addresses:

1 In the tree-view pane, right-click Servers. From the context menu select MAC Address Filter. The MAC Address Filter dialog box opens.

2 Select the MAC filter server from the drop-down menu, type the administrator password for the server, and then click OK.

3 The MAC Address Filter dialog box opens. This shows the Deny Filter list stored on the server.


4 To add an address, right-click an empty part of the Deny Filter list, and then click Add MAC Address. The Add MAC Address dialog box opens. Type the MAC address and add a comment, if desired.

5 Type the 48-bit address you want to deny in the MAC Address field. You can type the address using any of the following formats:

▪ 123456123456 (no delimiters)
▪ 12:34:56:12:34:56 (colon delimiters)
▪ 12-34-56-12-34-56 (hyphen delimiters)

Use the Comment field for related or explanatory notes that appear in the MAC Address Filter window.

6 To export the Deny Filter list, right-click an empty area of the list, and then select Export Deny List. A Save dialog box opens and prompts you to save the list as a Comma Delimited MAC Address CSV file.


7 To import a list, click Import MAC Addresses. The MAC Address Import dialog box opens.

The imported list should be a comma-separated value (CSV) file of MAC addresses. Type the path to the file in the Import File field or use the adjacent [...] button to locate the file. You can ignore all duplicates or overwrite them by using the toolbar buttons.

8 On the toolbar, click Import List. When you are finished importing files, click OK.

9 To save changes, click Commit Changes on the MAC Address Filter toolbar.
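Because the Deny Filter list is maintained by hand and exchanged as CSV, it is worth validating and canonicalizing what goes into it before committing. The following Python is an added example, not code from the guide or from the appliance: it accepts the three address formats listed in step 5, merges an imported CSV with either the ignore-duplicates or the overwrite behaviour, and reports malformed rows rather than silently dropping them. The function names and the CSV rows are constructed for illustration.

```python
import csv
import io
import re

# The three input forms accepted by the Add MAC Address dialog.
MAC_FORMS = re.compile(
    r"^(?:[0-9A-Fa-f]{12}"                       # 123456123456
    r"|(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"      # 12:34:56:12:34:56
    r"|(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})$"    # 12-34-56-12-34-56
)


def normalize_mac(text):
    """Return the address in one canonical form so that the same hardware
    address written three ways cannot appear as three list entries."""
    s = text.strip()
    if not MAC_FORMS.match(s):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    digits = s.replace(":", "").replace("-", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def import_deny_list(existing, csv_text, overwrite=False):
    """Merge CSV rows of "address,comment" into a {mac: comment} mapping.

    Mirrors the two toolbar behaviours: duplicates are ignored unless
    overwrite=True.  Malformed rows are returned rather than discarded, so
    an administrator can see what did not make it onto the list.
    """
    merged = dict(existing)
    rejected = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue                               # blank line
        try:
            mac = normalize_mac(row[0])
        except ValueError:
            rejected.append(row)
            continue
        comment = row[1].strip() if len(row) > 1 else ""
        if mac in merged and not overwrite:
            continue
        merged[mac] = comment
    return merged, rejected


def is_denied(deny_list, client_mac):
    """The check the server applies to the requesting interface's address."""
    return normalize_mac(client_mac) in deny_list


# Constructed sample: one duplicate in a different format, one malformed row.
SAMPLE_CSV = (
    "123456123456,same host as the existing entry\n"
    "12-34-56-AB-CD-EF,lab printer\n"
    "not-a-mac,typo in export\n"
)
```

Canonicalizing before the duplicate check is the point: without it, an export that mixes colon and hyphen forms would re-import the same address twice, and a later Commit Changes would carry both entries to the server.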

The MAC filtering system operates at the server level and uses a static list of addresses that must be modified by the administrator. This makes the MAC filtering system very secure, but does not provide the opportunity to manage MAC-based access dynamically or at the pool level rather than at the server level. There is an alternative system called MAC authentication that addresses both of these issues, but requires an additional open port on the Adonis appliance.

MAC filtering does not take effect on the server until the MAC filtering configuration has been deployed to the appliance.

MAC Authentication

DHCP MAC authentication gives administrators a system that can add MAC addresses to the system dynamically instead of loading them as a list. MAC authentication is applied at the pool level rather than at the server level, giving more precise control of the parts of the DHCP configuration that have access to MAC-based security.

MAC authentication requires a web server on the Adonis server to facilitate the dynamic validation of addresses. This may increase security concerns for some administrators. Networks can opt for a MAC-based security system without the use of a web server through the use of MAC address filtering. However, MAC filtering is limited to denying access for specific MAC addresses (essentially, a list of banned addresses).

The MAC authentication system uses the ability of DHCP pools to differentiate between known and unknown clients to decide whether to respond to a client request. A known client has a host entry on all of the subnets where MAC authentication is in operation.


If a client is unknown, an address (with a short lease time) is issued from an unknown users pool, and a DNS entry is configured on the client to redirect all DNS queries back to the master MAC authentication server. When the client reaches the master server, a web page appears and prompts for a network username and password. These can be authenticated against a Radius, LDAP, or Kerberos (Active Directory) server.

If the user is authenticated successfully against the external authentication server, the MAC address of the user’s computer is registered as a known host with all of the MAC authenticated subnets. Because the lease time is short, the user’s computer requests renewal of its IP address, but instead receives a less restricted IP address from the known users pool. In this way, MAC addresses are added dynamically using the most up-to-date user information possible—the primary user authentication system for the network itself.


Adding MAC Authentication to a DHCP Service

To set up MAC authentication for an entire project, you must add it to one of the servers.

To set up MAC authentication:

1 Right-click on a DHCP service, and then click Add MAC Authentication. The General tab of the MAC Authentication Service appears.

The General tab contains several settings for configuring the web portal for unauthenticated users. The HTTP Connection Data area is used to set up the portal and the Web Data area is used to customize its look and feel.


HTTP Connection Data

• Shared Secret—This value is used to seed the HTTP service.

• Login Session Time—The amount of time that the user’s session is maintained on the MAC authentication portal.

To set the HTTP Connection Data:

1 Click the empty field to the right of Shared Secret; the HTTP Shared Secret dialog box appears.

2 Type the shared secret, and then click OK.

3 Click the empty field to the right of Login Session Time. The Login Session Time dialog box appears.

4 To change the session time, clear the Use Default Setting checkbox, and then type in the value you want to use. Select the appropriate time interval from the drop-down list.

MAD Settings

• Default Authorization Time—This is the amount of time that the user’s MAC address remains on the MAD list before the user needs to re-authenticate through the web portal.

• Shared Secret String—This value is used as a password for the MAD service.

To set the MAD Settings:

1 Click the empty field to the right of Default Authorization Time. The Default Authorization Time dialog box appears.

2 To change the authorization time, clear the Use Default Setting checkbox, and then type in the value you want to use. Select the appropriate time interval from the drop-down list.


3 Click the empty field to the right of Shared Secret String. The MAD Shared Secret dialog box appears.

4 Type the shared secret, and then click OK.

Web Data

You can use default values for the following parameters, or select customized ones.

• Welcome Message—To display a greeting on the portal, click this field, and then type your message in the Welcome Message dialog box. Your message can include up to 150 characters, but it is better to keep the message brief.

• Logo File—To specify a custom logo for the portal, click this field, and then navigate to the logo you want to use. This should be a graphic file, such as a jpg, gif, or png.

• EULA File—To specify an EULA file for the portal, click this field, and then navigate to the file you want to use. HTML is the recommended format, but you can use txt files too.

• SSL Certificate—To select an SSL certificate, click this field, and then navigate to the certificate you want to use.

MAD Servers

The MAD Servers tab allows you to add servers to the MAD service for this configuration. After you have added servers you can create MAC Authentication Pools on their subnets.

To add a MAD server:

1 Select the MAD Servers tab, right-click in the empty area, and then select New. The New MAD Server dialog box appears.

2 Select the server’s IP Address from the drop-down list.

3 Type the MAD port (default is 1067), and then click OK.

The Adonis appliance you chose as the MAD server maintains the master lists of MAC addresses for authentication.

Authenticators

Authenticators for the MAD service are set up in exactly the same way as those used for user management. For more information, see Configuring External Authenticators on page 29.


To add a MAD authenticator:

1 Select the Authenticators tab, right-click in the empty area, and then select New. The New Authenticator dialog box appears.

2 In the New Authenticator dialog box, specify the following values:

Name—The name of the authenticator object within Adonis.

Host—The host name or IP address of the server that you are contacting to authenticate Adonis users.

Type—The type of authenticator object you want to use.

Priority—The lower this value, the more priority an authenticator has in the MAD service.

3 To ensure that the authenticator is configured properly, click Test Authenticator. This checks to see if a socket connection to the server can be formed. It returns a pop-up with status information on the authenticator connection.

4 To create this authenticator object, click OK.

The dialog box contents change if you select a Radius or LDAP authenticator type. Make sure you type all the required information for the authenticator you intend to use.

MAC Authentication Pools

After you have added a server to the MAC Authentication service, you can add MAC Authentication Pools to any of its subnets.


To add MAC Authentication pools:

1 Right-click the subnet, and then select Add MAC Authentication Pools from the context menu.

2 The primary pool is the address pool from which known users receive their addresses. Consider naming the pool to reflect this using the Name field.

3 Use the Start Offset and End Offset fields for entering a range of addresses on the subnet to which this pool applies.

4 The Default Lease Time should be set to the standard default lease time for the network. In this case, it has been set to 172800 seconds (2 days).

5 Use the Temporary Pool area to issue addresses to unknown clients. Type a name for the pool that reflects this in the Name field.

6 Use the Start Offset and End Offset fields to specify only a range of IP addresses that is sufficient to service unknown clients waiting to authenticate and receive a fully functional DHCP configuration.

7 The lease time should be set very short, such as 300 seconds (5 minutes). This enables the client machine to maintain its limited IP address long enough to authenticate through the MAC authentication portal, but it is short enough that the client receives a full network configuration shortly after being authenticated.

8 To finalize this part of the MAC authentication setup, click OK.

MAC Authentication DNS Setup

Setting up MAC authentication DNS on the Adonis server or on another DNS server requires two views, one for unauthenticated clients and one for clients with full access.

Deny View—This view requires two important settings to capture queries from unauthorized clients:

• Set the Allow Recursion option to No. This prevents the unknown clients from reaching the Internet using this view.

• Configure an ACL to match the IP addresses for the unauthorized pool.


Allow View—This view is set up similarly to a typical DNS service. It does not need an ACL, but you can create one if necessary. To create an ACL for this view, follow the method described for the Deny View.

ACLs are discussed in Managing Access Control Lists on page 146. Because pool ranges can contain any range of IP addresses, the addresses can be entered into the ACL individually or using a combination of Classless Inter-Domain Routing (CIDR) notation and individual addresses. The CIDR notation can generally encompass most of the required addresses, and you can modify the others individually. A root (.) zone must also be created with an A (host) record that uses the wildcard (*) to match all queries and send them to the Adonis IP address on which the MAC authentication portal is running.
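The pool and view settings from the MAC Authentication Pools steps and the DNS setup above fit together as follows. This is an added Python example, not code from the guide or from Adonis: it takes a subnet and the Start Offset/End Offset values of the primary and temporary pools (the subnet, pool names and offsets are constructed; the lease times 172800 and 300 are the ones quoted in the steps), renders ISC dhcpd pool stanzas in which known clients get the primary pool and unknown clients the short-lease temporary pool, derives the minimal CIDR list that the Deny View ACL needs for the temporary pool, and renders a named.conf fragment with the Deny View matched before the Allow View. The dhcpd and named.conf text is an assumed illustration of the configuration the guide describes, not the files the appliance generates.

```python
import ipaddress

SUBNET = ipaddress.IPv4Network("192.0.2.0/24")   # constructed example subnet
PRIMARY = {"name": "known-users", "offsets": (10, 199), "lease": 172800}
TEMPORARY = {"name": "unknown-users", "offsets": (200, 219), "lease": 300}


def pool_range(subnet, start_offset, end_offset):
    """Translate Start Offset/End Offset into the first and last address."""
    if not 1 <= start_offset <= end_offset < subnet.num_addresses - 1:
        raise ValueError("offsets must stay inside the subnet's host range")
    return subnet[start_offset], subnet[end_offset]


def acl_entries(first, last):
    """Smallest set of CIDR blocks (single hosts appear as /32) covering the
    range, which is what the Deny View ACL has to match."""
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def dhcpd_pools(subnet, primary, temporary):
    """ISC dhcpd pool stanzas (assumed rendering): a host entry makes a client
    'known', so only the temporary pool admits unknown clients."""
    p_first, p_last = pool_range(subnet, *primary["offsets"])
    t_first, t_last = pool_range(subnet, *temporary["offsets"])
    return (
        f"subnet {subnet.network_address} netmask {subnet.netmask} {{\n"
        f"  pool {{  # {primary['name']}\n"
        f"    range {p_first} {p_last};\n"
        f"    default-lease-time {primary['lease']};\n"
        f"    deny unknown-clients;\n"
        f"  }}\n"
        f"  pool {{  # {temporary['name']}\n"
        f"    range {t_first} {t_last};\n"
        f"    default-lease-time {temporary['lease']};\n"
        f"    allow unknown-clients;\n"
        f"  }}\n"
        f"}}\n"
    )


def named_views(acl, portal_ip):
    """named.conf views (assumed rendering). Views are matched in order, so
    the Deny View comes first; it refuses recursion and a wildcard root zone
    steers every name to the portal address."""
    entries = " ".join(f"{e};" for e in acl)
    return (
        f"acl unauthenticated {{ {entries} }};\n"
        'view "deny" {\n'
        "  match-clients { unauthenticated; };\n"
        "  recursion no;\n"
        f'  zone "." {{ type master; file "db.deny-root"; }};  // * IN A {portal_ip}\n'
        "};\n"
        'view "allow" {\n'
        "  match-clients { any; };\n"
        "  recursion yes;\n"
        "};\n"
    )


def temporary_pool_acl(subnet=SUBNET, temporary=TEMPORARY):
    """The ACL entries for the unauthorized pool of the example subnet."""
    return acl_entries(*pool_range(subnet, *temporary["offsets"]))
```

Running temporary_pool_acl() on the example offsets 200 to 219 gives three blocks (a /29, a /29 and a /30) rather than twenty individual addresses, which is the CIDR-plus-individual-entries approach the text recommends; if the Allow View were listed first, unauthenticated clients would match it and the redirect would never happen.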

The Allow View entry should appear below the Deny View entry on the ACL match list. If this is the case it should not represent a serious security issue.

MAC Authentication Menu

The web server used for MAC authentication is controlled through the Administration Console. The following commands help you check the MAC authentication status:

show authenticators—displays all authenticator information used on the appliance. Any changes to this information should be performed through the Management Console, and then deployed back to the server.

show madsettings—displays information about the MAD server settings for the appliance. Any changes to this information should be performed through the Management Console, and then deployed back to the server.

isrunning webserver—reports whether or not the web server is running.

For more information, see Administration Console on page 15.

DHCP/TFTP Service Control

The following commands control the services that provide DHCP and TFTP on Adonis.

DHCP Service Control

Adonis uses the ISC DHCP server to provide its DHCP service. The executable file for ISC DHCP is called the DHCP daemon or DHCPD. To manage the IPv6 DHCP service on Adonis, use dhcpv6 instead of dhcp as a token. The DHCP service is managed using the normal mode of the Administration Console.

• To start DHCP, type “start dhcp”, and then press Enter.
• To stop DHCP, type “stop dhcp”, and then press Enter.
• To restart DHCP, type “restart dhcp”, and then press Enter.
• To check whether DHCP is running, type “isrunning dhcp”, and then press Enter.


TFTP Service Control

Adonis provides a TFTP service to store extra files for configuration and firmware management for certain client devices. This service is set up using the Management Console, but the TFTP service itself can be managed from the normal mode of the Administration Console.

• To start the TFTP service, type “start tftp”, and then press Enter.
• To stop the TFTP service, type “stop tftp”, and then press Enter.
• To restart the TFTP service, type “restart tftp”, and then press Enter.
• To check whether the TFTP service is running, type “isrunning tftp”, and then press Enter.

OMAPI

Open Mobile Application Programming Interface (OMAPI) is a communications mechanism that lets a user make changes to an ISC DHCP server without needing to stop and restart the server. To control the server using OMAPI, the server must be configured to accept OMAPI connections.

Adonis is configured to accept OMAPI connections by default and is secured with a secret key similar to a TSIG key. Only a client that shares the key can make changes to the server using OMAPI. By default, the OMAPI port is 7911. However, the secret key and port number can be changed from the Administration Console. The settings for the port and the key are on the General tab for the DHCP service on each appliance. The port and key are both set here. After you deploy the project you can modify the firewall and connect to the OMAPI shell using a terminal.

DHCP Lease Viewer

The Adonis Lease Viewer is an essential tool for the management of DHCP. It allows you to examine lease data in real time and release any leases as required.

The Lease Viewer displays leases for specific (/16 and smaller) blocks of IP addresses, as well as lease details in both graphical and tabular formats.

To launch the Lease Viewer:

1 Select a subnet in the tree-view pane of the Management Console.

2 Select the Lease Viewer tab.

You can use the icon on the Lease Viewer to refresh the data.

Releasing a lease for an IP address means that the address becomes available for re-use. However, the user’s workstation may attempt to renew the lease before the lease period actually ends. In this case, the previous end date for the lease period is no longer valid and the lease is renewed.

Another possibility in freeing a lease is that the address could be over-allocated by being reassigned while it is still assigned to the original user. Freeing an IP address from the server does not immediately affect the IP address used by the client.


3 To refresh the Lease Viewer with the latest data from the server, click Refresh.

4 Right-click an active lease to display a context menu with commands that let you release it or view its properties.

Releasing an IP address lease here does not immediately affect a user’s network configuration. The user may still renew the lease before it runs out, or another user could be assigned this address, and a conflict could occur.

Circuit ID and Agent ID

The last two fields in the lease viewer, Circuit ID and Agent ID, correspond to a DHCP relay agent. If no relay agent was used to assign a lease, these fields remain blank.

DHCP option 82 allows you to see the DHCP relay agent information at the DHCP server.

DHCP Failover

Traditional DHCP high availability has been handled by a practice called “scope splitting”. Scope splitting splits the pool of IP addresses between two DHCP servers. If one server fails, clients cannot renew their lease and are required to obtain a new IP address from the secondary peer server.

Adonis DHCP failover uses ad hoc updates through proprietary send and receive channels. This ensures high availability of DHCP services. DHCP failover does not require any additional IP resources, and existing leases continue to exist, even in the event of a total hardware failure on one server.

For detailed information on Adonis DHCP failover, see Adonis DHCP Failover on page 210.

DHCPv6

Although an inexperienced user can easily create and configure a DHCPv6 service, understanding the mechanisms of DHCPv6 and stateless auto configuration requires advanced knowledge of networking concepts.

If you simply want to create a DHCPv6 service and configure it, skip directly to Creating a DHCPv6 Service on page 198 and Configuring a DHCPv6 Service on page 199.

Overview of DHCPv6

The Adonis DHCPv6 service supports only stateless IPv6 auto configuration. This means that it can configure hosts that already have an address with lists of DNS servers, but it cannot assign addresses.

In DHCPv6, the server responds to Information Request messages containing an Option Request option. It sends back a Reply message with the appropriate information.

IPv6 Prefixes

IPv6 prefixes define networks and subnets in IPv6, and are used for matching clients in DHCPv6. Their notation is very similar to CIDR notation. That is, an address followed by the number of significant bits, separated by a slash. For example: 2001:DB8:0:56::/64


The first portion of the prefix is a valid IPv6 address with the long string of trailing zeros replaced by a double colon (for more information on IPv6 notation, see AAAA Records on page 151).

Just as in CIDR notation, this prefix matches all clients whose addresses begin with 2001:DB8:0000:0056.

Neighbor Discovery for Address Assignment

Because the DHCP server no longer assigns addresses, in an IPv6 environment a host must either use a fixed address or assign itself one in some way. To do this, it uses the Neighbor Discovery protocol.

A new host undergoes the following steps to assign itself an address:

1 The host generates a tentative address by using the link-local prefix of FE80 and appending the network interface identifier.

2 The host joins the following multicast groups: the all-nodes multicast group (FF02::1) and the solicited-node multicast group for its tentative address. This means that the host receives all multicast messages sent in this group.

3 The host sends a Neighbor Solicitation message to the tentative address. If the address is already in use, the host must be manually configured to use a different address. If the address is not in use, the tentative address becomes a preferred address. This mechanism is called Duplicate Address Detection (DAD).

4 The host sends out a Router Solicitation message to the all-routers multicast group (FF02::2).

5 All routers on the link reply with a Router Advertisement message. The message contains a prefix, which the host uses to generate an address. The new address combines the prefix with the network interface identifier. If more than one router replies, the host generates more than one IPv6 address.

The host now has an address and a prefix (more important for DHCP), so it can be configured by DHCPv6.
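The address-assignment steps above, and the prefix matching from the IPv6 Prefixes section, can be followed in code. This added Python example is not part of the guide or of Adonis. It derives the interface identifier from a MAC address with modified EUI-64 (the guide does not say how the host forms its identifier, so that choice is an assumption), builds the FE80 tentative address and its solicited-node multicast group, applies a router-advertised prefix, and then checks whether the resulting address falls under a DHCPv6 network prefix. The MAC address is constructed; the prefix 2001:DB8:0:56::/64 is the one from the text.

```python
import ipaddress


def interface_id_from_mac(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A): flip the
    universal/local bit of the first octet and insert FF:FE in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def address_from_prefix(prefix, iid):
    """Combine a /64 prefix with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("autoconfiguration needs a /64 prefix and a 64-bit IID")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def tentative_link_local(mac):
    """Step 1: link-local prefix FE80::/64 plus the interface identifier."""
    return address_from_prefix("fe80::/64", interface_id_from_mac(mac))


def solicited_node_group(addr):
    """Step 2: FF02::1:FFxx:xxxx, the low 24 bits coming from the address
    (RFC 4291, 2.7.1). The host listens here for Neighbor Solicitations,
    including the one it sends itself for Duplicate Address Detection."""
    low = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low)


def addresses_from_advertisements(mac, advertised_prefixes):
    """Step 5: one address per advertised prefix (several routers, several
    addresses), all sharing the same interface identifier."""
    iid = interface_id_from_mac(mac)
    return [address_from_prefix(p, iid) for p in advertised_prefixes]


def matches_dhcpv6_network(address, prefix):
    """Network scope matching: the client's address lies within the prefix,
    i.e. it begins with the prefix's significant bits."""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(prefix)
```

Because the interface identifier is derived from the hardware address, the same host keeps the same low 64 bits under every advertised prefix; that is also why MAC-derived identifiers make a host recognizable across networks, which is the privacy trade-off that temporary addresses exist to address.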

Creating a DHCPv6 Service

A DHCPv6 service can have three scopes:

• Service scope: these options apply to all clients being served by this server.

• Interface scope: these options apply to all clients connected to the server through that network interface.

• Network scope: these options apply to all clients with a particular IPv6 prefix.

To create a DHCPv6 service:

1 Right-click a server in the tree-view pane of the Management Console.

2 Select New Service > DHCPv6. The DHCP6 service appears in the tree-view.

3 Expand the new service to reveal the network interface (eth0).


4 Right-click the network interface, and then click New > Network. The New DHCPv6 Network dialog box appears.

5 Type a name and a valid IPv6 prefix for the new network, and then click OK.

Configuring a DHCPv6 Service

Stateless auto configuration uses only two options to configure clients:

• dns-recursive-name-server—This option specifies a list of IPv6 addresses of name servers to which a client may send queries.

• domain-search-list—This option specifies a list of domain names to append to a given hostname in a dns-lookup-hostname request. If a DNS query does not return an address, a host configured with this option may try the host name combined with any of these domain names.
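The exchange described in the Overview, an Information Request carrying an Option Request option and a Reply carrying these two options, looks like this on the wire. This is an added Python example, not code from the guide or from Adonis; it uses the RFC 3315 message and option codes and the RFC 3646 encodings for the name server list (option 23) and domain search list (option 24). The transaction id, name server addresses and domain names are constructed.

```python
import ipaddress
import struct

INFORMATION_REQUEST, REPLY = 11, 7                       # RFC 3315 msg-types
OPTION_ORO, OPTION_DNS_SERVERS, OPTION_DOMAIN_LIST = 6, 23, 24


def option(code, payload):
    """DHCPv6 option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(payload)) + payload


def parse_options(data):
    """Walk the option area; refuse an option whose length overruns the message."""
    opts, i = {}, 0
    while i + 4 <= len(data):
        code, length = struct.unpack("!HH", data[i:i + 4])
        if i + 4 + length > len(data):
            raise ValueError("truncated option")
        opts[code] = data[i + 4:i + 4 + length]
        i += 4 + length
    return opts


def encode_domain_list(names):
    """domain-search-list payload: DNS wire-format names, one after another."""
    out = b""
    for name in names:
        for label in name.rstrip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00"
    return out


def decode_domain_list(data):
    names, i = [], 0
    while i < len(data):
        labels = []
        while data[i]:
            n = data[i]
            labels.append(data[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        i += 1                                           # root label
        names.append(".".join(labels))
    return names


def information_request(xid):
    """Client side: msg-type, 3-byte transaction id, ORO naming what it wants."""
    oro = struct.pack("!HH", OPTION_DNS_SERVERS, OPTION_DOMAIN_LIST)
    return bytes([INFORMATION_REQUEST]) + xid.to_bytes(3, "big") + option(OPTION_ORO, oro)


def server_reply(request, dns_servers, search_list):
    """Server side: echo the transaction id and answer only what the ORO asked for."""
    if request[0] != INFORMATION_REQUEST:
        raise ValueError("not an Information-Request")
    oro = parse_options(request[4:]).get(OPTION_ORO, b"")
    wanted = set(struct.unpack("!%dH" % (len(oro) // 2), oro))
    body = b""
    if OPTION_DNS_SERVERS in wanted:
        body += option(OPTION_DNS_SERVERS,
                       b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers))
    if OPTION_DOMAIN_LIST in wanted:
        body += option(OPTION_DOMAIN_LIST, encode_domain_list(search_list))
    return bytes([REPLY]) + request[1:4] + body


def client_apply(reply, expected_xid):
    """Client side: ignore a Reply whose transaction id does not match the
    outstanding request, then extract the two stateless options."""
    if reply[0] != REPLY or reply[1:4] != expected_xid.to_bytes(3, "big"):
        return None
    opts = parse_options(reply[4:])
    raw = opts.get(OPTION_DNS_SERVERS, b"")
    return {
        "dns": [str(ipaddress.IPv6Address(raw[i:i + 16])) for i in range(0, len(raw), 16)],
        "search": decode_domain_list(opts.get(OPTION_DOMAIN_LIST, b"")),
    }
```

The transaction-id check in client_apply is the only thing tying a Reply to the request that a client sent; a stateless client that accepted any Reply on port 546 would take its resolver list from whoever answers first.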

To configure a DHCPv6 service:

1 Click on the scope you want to configure (the service itself, a network interface, or a network).

2 Select the Client Options tab in the right pane of the Management Console.

3 Edit the options as required by double-clicking their values and specifying new ones in the dialog boxes provided.


Chapter 10: High Availability

Adonis features two types of redundancy, Crossover High Availability (XHA) and DHCP failover. These systems are independent, but they can be used together to provide different benefits:

• XHA uses server clustering to link two Adonis appliances together and provide highly available DNS service. Users see a single server running a single copy of each service.

• DHCP failover links two DHCP services together on two separate servers to ensure that a secondary DHCP service (on another server) manages existing leases and responds to new requests if the primary service fails.

This chapter includes the following topics:

• Crossover High Availability (XHA) on page 201 describes DNS high availability and Adonis.

• Adonis DHCP Failover on page 210 describes how Adonis DHCP failover uses ad-hoc updates through proprietary send and receive channels.

Crossover High Availability (XHA)

XHA gives Adonis the protection of disaster recovery through the use of redundant appliances. XHA makes two Adonis appliances appear to users as a single appliance. If one of the appliances fails for any reason, the other takes its place and continues to provide services without users even being aware of the change. The pair appears as a single server for DNS queries because they share an IP address for answering queries, but are controlled through separate IP addresses at the Management Console.

XHA uses an enslaved master as the passive node, meaning that it always has up-to-date data, making failover between the two seamless and almost instantaneous. The passive node monitors a heartbeat signal from the active node, and becomes the active master if it does not receive the current active master’s heartbeat signal. When updates are sent to the active node, DNS updates are automatically propagated to the passive node as standard incremental zone transfers. Also, use of XHA allows DHCP services to operate in a high availability configuration without scope-splitting because active leases are always up-to-date on both servers. Adonis has a High Availability Wizard to help you create and control an XHA cluster. The wizard includes four options:

• Create a High Availability cluster
• Diagnose a High Availability cluster
• Repair a High Availability cluster
• Break a High Availability cluster

If you select High Availability when a cluster does not exist, the wizard guides you through the setup procedure. The Diagnose, Repair, and Break options appear when you select High Availability after you have created the cluster.


PrerequisitesBefore creating your XHA cluster, ensure that the following conditions are met:

• Two Adonis appliances are powered up, each configured with an IP address on the same subnet, and are connected to the network.

• The latest Management Console is installed and available.• Deployment passwords are available for both nodes that are to be part of the XHA cluster.• Three IP addresses (on the same subnet) are allocated per XHA cluster: one physical address

for each Adonis node, and one for the virtual IP address used for responding to DNS queries. • The eth0 adapter on both Adonis servers should be explicitly set to 100Mbps Full Duplex as

described in Configuring Network Settings on page 43. Auto negotiation to 100Mbps Full Duplex is not adequate for this requirement and may cause inadvertent failover incidents between the two nodes. These appliances must be on the same subnet, because routing the heartbeat is not supported.

The switch ports to which the Adonis appliances are connected must also be explicitly set to 100Mbps, full-duplex. The Spanning Tree option on the switch containing these ports must also be set to PORTFAST.

• Both Adonis appliances must be able to ping their Ping Node (usually set to the address of the default gateway or a server) at all times. The appliance performs this test to ensure that it is live on the subnet and is not experiencing a local network failure.

• Remove old certificates and set the time on the appliances so it does not vary by more than 40 seconds. Use NTP to control the time on both appliances for this reason.
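The prerequisites above can be checked before the wizard is run. The following Python pre-flight script is an added example, not BlueCat code: it evaluates the eth0 speed, duplex and auto-negotiation setting from ethtool-style output, the clock offset between the two nodes against the 40 second limit above, and whether each node received a reply from its Ping Node. The ethtool output and timestamps are constructed; the ethtool line format (Speed:, Duplex:, Auto-negotiation:) is the usual one but is an assumption about the tooling available on the appliance.

```python
"""Pre-flight checks for the XHA prerequisites (added example, not BlueCat code).

Inputs are collected by the operator from each node; the sample data below is
constructed, not captured from real appliances.
"""
import re
from datetime import datetime, timezone

MAX_CLOCK_SKEW_SECONDS = 40      # limit stated in the prerequisites list
REQUIRED_SPEED = "100Mb/s"       # eth0 must be fixed at 100Mbps ...
REQUIRED_DUPLEX = "Full"         # ... Full Duplex, with auto-negotiation off


def parse_ethtool(output: str) -> dict:
    """Pull Speed/Duplex/Auto-negotiation out of 'ethtool eth0' style text."""
    settings = {}
    for line in output.splitlines():
        m = re.match(r"\s*(Speed|Duplex|Auto-negotiation):\s*(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_link(output: str) -> list:
    """Return the problems with one node's eth0 settings (empty list = OK)."""
    s = parse_ethtool(output)
    problems = []
    if s.get("Speed") != REQUIRED_SPEED:
        problems.append(f"speed is {s.get('Speed')}, expected {REQUIRED_SPEED}")
    if s.get("Duplex") != REQUIRED_DUPLEX:
        problems.append(f"duplex is {s.get('Duplex')}, expected {REQUIRED_DUPLEX}")
    if s.get("Auto-negotiation") != "off":
        # auto-negotiated 100/Full is explicitly not adequate for the heartbeat link
        problems.append("auto-negotiation is on; set speed and duplex explicitly")
    return problems


def check_clock_skew(node1_time: datetime, node2_time: datetime) -> list:
    """Both clocks must agree to within MAX_CLOCK_SKEW_SECONDS (use NTP)."""
    skew = abs((node1_time - node2_time).total_seconds())
    if skew > MAX_CLOCK_SKEW_SECONDS:
        return [f"clock skew {skew:.0f}s exceeds {MAX_CLOCK_SKEW_SECONDS}s; fix NTP"]
    return []


def check_ping_node(ping_results: dict) -> list:
    """ping_results maps node name -> True/False (reply received from the Ping Node)."""
    return [f"{node} cannot reach the Ping Node"
            for node, ok in ping_results.items() if not ok]


def preflight(node_links: dict, node_times: dict, ping_results: dict) -> dict:
    """Run every check; returns {check_name: [problems]} containing only failures."""
    report = {}
    for node, out in node_links.items():
        p = check_link(out)
        if p:
            report[f"link:{node}"] = p
    times = list(node_times.values())
    p = check_clock_skew(times[0], times[1])
    if p:
        report["clock"] = p
    p = check_ping_node(ping_results)
    if p:
        report["ping"] = p
    return report


# Constructed sample data for two nodes (not output from real appliances)
GOOD_ETHTOOL = """Settings for eth0:
\tSpeed: 100Mb/s
\tDuplex: Full
\tAuto-negotiation: off
\tLink detected: yes
"""
AUTONEG_ETHTOOL = GOOD_ETHTOOL.replace("Auto-negotiation: off", "Auto-negotiation: on")


def demo_report() -> dict:
    """Run the checks over the constructed sample data: node2 has three faults."""
    return preflight(
        {"node1": GOOD_ETHTOOL, "node2": AUTONEG_ETHTOOL},
        {"node1": datetime(2008, 1, 1, 12, 0, 0, tzinfo=timezone.utc),
         "node2": datetime(2008, 1, 1, 12, 1, 5, tzinfo=timezone.utc)},
        {"node1": True, "node2": False},
    )


if __name__ == "__main__":
    for check, problems in demo_report().items():
        print(check, "->", "; ".join(problems))
```

Run it against the output collected from both nodes before creating the cluster; an empty report means the link, clock and Ping Node conditions are satisfied, and anything else names the node and the setting to fix.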

Creating a High Availability Cluster

Creating an XHA cluster is the process of taking a single server object from an Adonis that is running DNS, DHCP, or both and adding a second appliance to act as the passive backup master for the appliance. Only the first appliance should be configured in the Management Console: you can add the other one later using the High Availability Wizard. The following example creates a master DNS server, and then adds a redundant backup to it through the High Availability Wizard.

To create a High Availability cluster:

1 Set up both Adonis appliances using the two physical node IP addresses on the same subnet as specified in the Adonis Installation Guide.

2 Launch the Management Console. From the Welcome dialog box select New Project, and then select Single Name Server as your DNS architecture.

3 Create the project file and use the IP address of one of the nodes as the IP address for the server. Do not deploy the project to the server. Deployment to both appliances is managed by the High Availability Wizard.

4 From the Server menu select High Availability. The High Availability Wizard opens.

The speed and duplex settings on the appliances and the switch are extremely important. Do not forget to set them.

Do not try to configure half-duplex communication. If you try to configure half-duplex, Adonis prevents you from saving the setting and an error message appears. For more information about duplex settings contact BlueCat Networks at: http://www.bluecatnetworks.com/clientsupport/self-service/.


5 In the High Availability Wizard, select the server that you just created, and then click Next. The Get Node Information page opens.

6 Type the IP addresses and passwords for each of the individual appliance nodes.

7 Type the virtual IP address for the cluster. Click Next. The Set HA Common Data page opens.

8 Set the Common HA configuration password used to manage the new XHA cluster.

The Node 1 and Node 2 IP addresses must correspond to the physical IP addresses assigned to the appliances in Step 1 above. These addresses must be different from the virtual IP address of the XHA cluster.


9 In the Ping Address field, type a ping address on the same subnet. Both appliances need to be able to ping this address and receive a response or the cluster cannot function properly.

10 In the Failure Detection Time field, type the number of seconds a node in the cluster should wait without receiving a heartbeat before assuming that its peer node has failed.

11 Click Next. The XHA cluster is created and the Wizard indicates when the process is complete.

12 Click Next, and then click Finish.

When the XHA cluster configuration is complete, the server icon in the Management Console changes to show the new XHA cluster. Wait three to four minutes for the Adonis servers to finish the configuration. After this time, you should be able to query the cluster for information.

Diagnosing a High Availability Cluster

If you encounter problems with the HA cluster, it may be necessary to run the Diagnose option to determine the cause. The Diagnose option checks both nodes and then provides the results in a table.

To diagnose a High Availability cluster:

1 From the Server menu select High Availability. The High Availability Wizard opens.

2 On the High Availability Options page select the Diagnose High Availability option, and then click Next.

3 Select the High Availability cluster you want to diagnose, and then click Next.

4 Type and confirm the passwords for the two nodes, and then click Next.

It can be useful during this process to monitor the contents of the /var/log/ha-log file to observe the status of the XHA services on both appliances. The main service and system status for the appliance is still found in /var/log/syslog.

At this point, you are managing the XHA cluster as a single entity, although the XHA cluster has two physical nodes. Running the High Availability Wizard again lets you either repair the XHA cluster or break it to return to a single server configuration.


5 The wizard diagnoses both nodes of the cluster; after it has finished, click Next.

6 The Diagnostic Results page appears showing you any problems that exist in your HA cluster.

7 Click Next, and then click Finish.

Repairing a High Availability Cluster

It may be necessary to repair an HA cluster because a hardware failure occurred at one of its nodes. The Management Console provides an easy way to swap the failed hardware, replace it with a new node, and repair the HA cluster.


To repair an XHA server:

1 Launch the Management Console, and then open the project file containing the XHA cluster you want to repair.

2 From the Server menu select High Availability. The High Availability Wizard opens. Select Repair High Availability, and then click Next.

3 Select Repair High Availability, and then click Next. The Get Node Information page appears.


4 Type and confirm the passwords for the two nodes, and then click Next. The Get HA Common Data page appears.

5 Type and confirm the XHA cluster password, ping address and dead time, and then click Next. The Repair HA Cluster page appears showing the wizard’s progress in connecting and repairing the cluster.

6 Click Next, and then click Finish.


Breaking a High Availability Cluster

It may be necessary to break an XHA cluster, for example, to troubleshoot issues on each node separately. Whenever you break an XHA cluster, you should verify that all services provided by the new standalone server are operational before the server re-enters full production.

To break an XHA cluster:

1 Launch the Management Console, and then open the project file containing the XHA cluster you want to break.

2 From the Server menu select High Availability. The High Availability Wizard opens. Select Break High Availability, and then click Next.

3 Select the XHA cluster you want to break, and then click Next.

4 Type and confirm the common HA password, and then click Next.

5 Select the checkbox to disable HA on the client configuration, and then click Next.

The wizard shows its progress as it disables the HA cluster.

6 When this process finishes, click Next and then click Finish.

Your configuration now shows a single server, using the virtual IP address of the XHA cluster as its physical address. This is not the physical IP address for either appliance in the former cluster. The second appliance does not appear as a server in the project because it was providing the same services as the new single server.

Manual Failover

You can perform a Manual XHA Failover from the Server Control dialog box described in Management Console Server Controls on page 54.

It is essential that you select the active node of the XHA cluster in the Server drop-down list and select its physical IP address in the Node IP drop-down list.


To perform a manual failover:

1 From the Server menu select Server Control. The Server Control dialog box opens.

2 Select the Perform HA Failover option, and then click Execute.

3 Click OK.

4 To verify that the nodes have reversed select Server Control, and then select High Availability Status Query. The Action Results dialog box appears.

5 When you are satisfied that the nodes have reversed, perform another manual failover to reset them to their original status.

Updating an XHA Cluster

In previous versions of Adonis, if you wanted to update an XHA cluster you needed to break the cluster and upgrade each node separately. This is no longer the case. You can now upgrade XHA clusters as a unit, without breaking the cluster. The standard upgrade procedure is described in Modifying Data Check Issue Settings on page 91.

To perform a manual failover, you must select the active node.


BIND Views in XHA

In previous versions of Adonis, you could not use BIND views in an XHA cluster. Adonis now uses a deployment engine that allows BIND views to behave exactly as they do in a standard DNS project. For more information, see Working with Zones on page 111.

Adonis DHCP Failover

Adonis DHCP failover uses ad hoc updates through proprietary send and receive channels. This ensures high availability of DHCP services. DHCP failover does not require any additional IP resources, and existing leases continue to be valid, even in the event of a total hardware failure on one node. Traditional DHCP high availability has been handled by a practice called scope splitting. Scope splitting divides the pool of IP addresses between two DHCP servers. If one server fails, clients cannot renew their leases and are required to obtain a new IP address from the secondary peer server.

One Client per Address

One issue with DHCP high availability is dealt with using the DHCP failover protocol. On an IP-based network, if two clients have the same IP address, neither one is allowed to communicate across the network. If this communication were allowed, it would be unclear where the response should be directed. Yet, a client can have more than one IP address. When DHCP is being made highly available, the possibility of two clients receiving the same address must be eliminated. With XHA, this issue does not arise because the DHCP service believes that it is running on a single server instead of two different appliances. Synchronization is handled within the operating system rather than at the DHCP service level. However, this solution works only if the two appliances exist on the same subnet. Clients who wish to provide DHCP services with appliances on more than one subnet can also use the DHCP failover protocol. Use of one of these solutions mitigates situations where one of the appliances fails, network connectivity has failed between the appliances, or planned outages are required.

A Companion to XHA

One member of a failover pair may lose contact with its partner for reasons such as a network failure, a failure of one of the servers, or a planned outage. DHCP failover is configurable on a per-pool level. This allows you to have very complex configurations, such as a single secondary DHCP server acting as the backup for multiple primary DHCP servers, or several DHCP pools backed up to different DHCP servers.

Adonis supports failover in an active-active or active-passive configuration. In an active-active configuration, both the primary and secondary servers answer requests for the specified IP addresses. The DHCP requests must reach both servers for failover to work during normal operation.

Terms vs Times

Most people think about time and DHCP as periods of time rather than points in time. DHCP failover requires that administrators be mindful of both terms and absolute times in order to manage two servers that are synchronized closely. DHCP failover servers are synchronized using Network Time Protocol (NTP). This allows both servers to use an absolute time reference that is external to each of them. DHCP failover servers communicate using several types of messages, but from the initial CONNECT message between them, absolute time is constantly referenced. The only way to try to anticipate what the other server might be doing with a lease is to reference the lease periods against absolute time. By knowing the exact start time of a state, one server can anticipate when the other performs certain actions. To synchronize leases, Adonis DHCP servers configured for failover communicate through a persistent TCP connection on ports 647 and 847.

Start Time of State (STOS)—This is the absolute time stamp that indicates when a server or address entered a particular state.

Desired Lease Time (DLT)—The Desired Lease Time is the period of time for which a client typically requests a lease on this network. This is the standard DHCP lease time that is always given out if this server was operating in a standalone configuration rather than in failover mode.

Maximum Client Lead Time (MCLT)—The MCLT is the maximum amount of time for which a server in communication-interrupted or partner-down state issues a lease. This is also the amount of time that it takes a server in the communication-interrupted state to recover its leases before entering the partner-down state. This short lease time aids in re-synchronizing the servers, both during initialization and after a failover incident. However, very short lease times may create a great deal of traffic when the server is operating without its peer.

Potential Lease Expiry Time—This is an absolute point in time when a DHCP server believes that a particular lease on its partner server expires. This value helps servers in partner-down state to calculate when it is safe to use the other server's leases.

Max Response Delay—This value is set in the Adonis interface, and indicates the amount of time a client must attempt contact with its primary DHCP server before the secondary offers a lease. The secs field in the DHCP request provides the value (in seconds) that is checked against the Max Response Delay. A non-zero value in this field indicates that this is not a first attempt, and if the value passes the delay threshold indicated with Max Response Delay, then the other server responds to the client anyway.

Three Rules

The only way a pair of DHCP failover servers can anticipate each other's behavior during communication outages is by referencing absolute time against a known set of behaviors. To implement this strategy all DHCP failover servers follow three important rules:

1 All of the available addresses are divided between the two servers as free and backup addresses. In the ISC implementation these are always balanced so that 50% of the addresses are generally allocated to each server at any given time.

2 A DHCP failover server can generally only extend an address lease for a limited time beyond the expiry time known to its peer. This is the MCLT, and is usually not longer than an hour.

3 Addresses cannot be re-issued to clients unless both servers agree that the previous client is no longer using the address. The exception to this rule is the partner-down state.

Address Binding States

Address bindings on a DHCP failover server indicate the status of an address within DHCP. An address may be assigned to a client, available for allocation from one of the servers, or not available for allocation. Seven different address binding states are used to indicate these properties for an address binding.

Because the DHCP failover mechanism relies on the MCLT being safer to use than the DLT, the MCLT value must always be lower than the DLT value for any given failover pool.

DHCP failover servers must be synchronized using NTP.

Server States

DHCP failover servers operate within server states that tell the DHCP failover server how to interact or not interact with its peer server. These states are used to manage normal server operations, and to manage operations when the two servers cannot communicate. Based on its state a server can anticipate the actions or lack of actions that its peer may have for any operation and operate in a way that respects these constraints.

Normal State

This is the standard operational state for DHCP failover servers. In this state, both servers can communicate with each other. They use POOLREQ messages to ensure that as all leases are returned to the primary server, half of the addresses are sent to the secondary server as backup addresses and half become free addresses on the primary server.

Load Balance Split

If the Load Balance Split setting is set to 128 (active—active), both servers answer client requests. Both servers receive all client requests and a load balancing algorithm decides which server should respond to each client. If the Load Balance Split is set to 255 (active—passive), then only the primary server responds to client requests. Despite the load balance split setting, the primary server still holds only 50% of the available addresses for any failover pool and the secondary server holds the others, although the secondary server does not typically respond to requests.

Communication-Interrupted State

In this state, the servers can no longer communicate with each other. However, in this state neither server is aware of the state of its peer. Therefore, all operations must assume that the other DHCP server could also be live and issuing address leases.

Once a server has entered the communication-interrupted state, it changes the way that it assigns address leases. Clients initially attempting to renew existing leases receive a new lease for the remainder of their regular lease time with the MCLT value added. Subsequent leases are only handed out for MCLT and clients are never given a lease renewal, instead, they always receive a lease for a new address. If a client releases an address lease manually, then that address is abandoned until Normal state is again achieved.

Address binding states

State       Description
ACTIVE      These addresses are in use by clients.
FREE        These addresses can be leased by the primary server.
BACKUP      These addresses can be leased by the secondary server.
EXPIRED     This address lease has expired and is not yet available for allocation.
RELEASED    This address lease has been released by a client, but is not yet available for allocation.
RESET       This address lease has been reset by an administrator, but is not yet available for allocation.
ABANDONED   This address has created a conflict and it is no longer being used by either server.


The disadvantage of the communication-interrupted state is immediately apparent. If clients are given short lease times and their leases are not renewed, then the address pool might quickly become depleted, not to mention the increased level of network traffic. However, if one of the servers knew that its partner was down, it could operate in a much more efficient manner and more gracefully supply service in the absence of its partner.

Partner-Down State

When a DHCP failover server is informed that its peer is down it can allocate IP addresses in a much different way than when it was in the communication-interrupted state. This server becomes the primary server, whether or not it was the primary before its peer went offline. It continues to hand out leases for MCLT, but renews the leases. This server also reclaims all of the expired, reset, and released leases and is able to use the entire free address pool for allocations. When its partner comes back online, this server reverts to leases for the normal DLT and remains the primary server. Transition to the partner-down state is controlled by the Adonis Failover Monitor. The Failover Monitor monitors both of the DHCP failover servers, and when an outage occurs, puts the server into partner-down state.

Recovery State

If a server has come online for the first time and has no address database, or is recovering and has a peer in the partner-down state, recovery state is used to synchronize the databases on the two servers. The recovery state is used when a failover peer believes itself to be out of synch with its partner. The partner server could be in a state of either communications-interrupted or partner-down. The server in recovery mode stops issuing addresses (if it was) and then requests either a partial or full update of the DHCP lease database from its peer. When it has completely synchronized the database with its peer, it moves into recovery-wait state. Alternatively, if no new leases have been granted, both servers immediately return to the normal state, bypassing the recovery-wait period.

Recovery-Wait State

The recovery-wait state is used as a safe period to ensure that all leases granted by the server in partner-down state are in a known state before the newly recovered server also begins issuing addresses. The recovering server waits for the MCLT period to expire after it has recovered and before it returns to normal state and begins issuing addresses.

Potential-Conflict State

If the recovering server discovers that its peer went into partner-down state while it was still handing out leases, the server goes into potential-conflict state and tells its peer to also enter this state. The primary server sends an update request to the secondary server for all unacknowledged updates. The secondary server responds with these updates and indicates when this operation is completed. The secondary server then sends an update request to the primary server for all unacknowledged updates. The primary server responds with these updates and indicates when this operation is completed. Both servers then move back into the normal state.

The potential-conflict state can occur because of a communication break longer than the MCLT, when a server recovers but cannot communicate with its peer, or if one of the servers is placed in partner-down state through the OMAPI shell while its peer is in communication-interrupted state. DHCP failover servers do not issue client leases in this server state. However, this state does not generally persist for a long period of time.


Failover Monitor

To manage the interactions between Adonis DHCP failover servers, BlueCat Networks developed a Failover Monitor (FOMON) that monitors the failover server states and places a server into partner-down state if required. The Failover Monitor is implemented as a daemon that resides on Adonis and runs whenever DHCP failover is active on Adonis. The shell script that controls the Failover Monitor is located in /usr/local/bluecat/ and is called fomon.sh. This script accepts the command-line arguments restart and status.

The SafePeriodTimeout value controls the time interval between polling attempts. If you change these values you must restart the fomon.sh script from the command line with the command:

/usr/local/bluecat/fomon.sh restart

Typical State Transition

A typical state transition within DHCP failover involves one server going offline and its partner going into communication-interrupted state. After the Maximum Response Delay has passed, the server that is still online starts to operate in communication-interrupted state. When the SafePeriodTimeout has passed, the FOMON monitor places the server into the partner-down state. When the other server is restored and finds its peer in the partner-down state, it enters recovery state and updates its leases database. When the recovered server has a completely restored leases database, it then enters the recovery-wait state for the MCLT period. After MCLT is passed, both servers return to the normal operational state.
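The terms (DLT, MCLT, STOS), the three rules, the server states and the typical state transition above fit together in a small model. The following Python example is added here and is neither Adonis code nor the ISC implementation: it encodes which lease length each server state may grant and whether renewals are honoured, enforces the MCLT < DLT requirement, and replays the typical transition for a surviving server A and a restored server B on an absolute clock. All timer values and the timeline are constructed, and the database recovery step is modelled as instantaneous.

```python
"""DHCP failover state model (added example, not Adonis or ISC code).

Times are integer seconds on an absolute, NTP-synchronized clock.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    NORMAL = "normal"
    COMMUNICATION_INTERRUPTED = "communication-interrupted"
    PARTNER_DOWN = "partner-down"
    RECOVERY = "recovery"
    RECOVERY_WAIT = "recovery-wait"
    POTENTIAL_CONFLICT = "potential-conflict"


def timers_valid(dlt: int, mclt: int) -> bool:
    """The guide requires the MCLT to be shorter than the DLT for every pool."""
    return 0 < mclt < dlt


@dataclass
class FailoverServer:
    dlt: int                       # Desired Lease Time (seconds)
    mclt: int                      # Maximum Client Lead Time (seconds)
    state: State = State.NORMAL
    stos: int = 0                  # Start Time Of State (absolute seconds)
    log: List[Tuple[int, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not timers_valid(self.dlt, self.mclt):
            raise ValueError(f"MCLT ({self.mclt}s) must be shorter than DLT ({self.dlt}s)")

    def enter(self, state: State, now: int) -> None:
        """Record a transition; STOS is the absolute time the new state began."""
        self.log.append((now, self.state.value, state.value))
        self.state, self.stos = state, now

    def lease_time(self, remaining_regular_lease: Optional[int] = None) -> Tuple[int, bool]:
        """(seconds this server may grant, whether it will renew that lease later).

        remaining_regular_lease: seconds left on a lease both servers already
        know about (a renewing client); None for a new client or one that was
        already re-leased during the outage."""
        if self.state is State.NORMAL:
            return self.dlt, True
        if self.state is State.COMMUNICATION_INTERRUPTED:
            # Rule 2: extend at most MCLT beyond the expiry the peer knows about.
            if remaining_regular_lease is not None:
                return max(remaining_regular_lease, 0) + self.mclt, False
            return self.mclt, False         # subsequent leases: MCLT, never renewed
        if self.state is State.PARTNER_DOWN:
            return self.mclt, True          # still MCLT, but renewals are honoured
        return 0, False                     # recovery, recovery-wait, potential-conflict


def typical_transition(max_response_delay: int, safe_period_timeout: int,
                       dlt: int, mclt: int, outage_at: int,
                       peer_restored_at: int) -> Tuple[list, list]:
    """Replay the Typical State Transition: A stays up, B fails at outage_at
    and returns at peer_restored_at. Returns (A's log, B's log)."""
    a = FailoverServer(dlt, mclt)
    b = FailoverServer(dlt, mclt)
    t = outage_at + max_response_delay          # A stops hearing from B
    a.enter(State.COMMUNICATION_INTERRUPTED, t)
    t += safe_period_timeout                    # FOMON declares B down
    a.enter(State.PARTNER_DOWN, t)
    if peer_restored_at < t:
        raise ValueError("this replay covers B returning after A is in partner-down")
    t = peer_restored_at                        # B finds A in partner-down
    b.enter(State.RECOVERY, t)
    b.enter(State.RECOVERY_WAIT, t)             # lease database fully restored
    t += mclt                                   # safe period before B issues leases
    b.enter(State.NORMAL, t)
    a.enter(State.NORMAL, t)                    # A reverts to DLT leases
    return a.log, b.log


if __name__ == "__main__":
    # constructed timers: 60 s Max Response Delay, 600 s SafePeriodTimeout,
    # one-day DLT, one-hour MCLT; B fails at t=1000 and returns at t=5000
    a_log, b_log = typical_transition(60, 600, 86400, 3600, 1000, 5000)
    for who, log in (("A", a_log), ("B", b_log)):
        for when, old, new in log:
            print(f"t={when:>5}s  server {who}: {old} -> {new}")
```

The replay makes the cost of the parameters visible: B cannot issue a lease until MCLT has elapsed after its database is restored, so a large MCLT lengthens the recovery-wait window, while a small one shortens the leases A can hand out in communication-interrupted and partner-down states.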

Recommended Topologies

The example below shows the use of the DHCP Helper on a router to pass DHCP requests to a DHCP server on another segment. DHCP Helpers are used on the router to forward broadcast DHCP messages to the server on the other side of the router. However, activating the DHCP Helper for the clients that are on the same subnet as the secondary server can cause errors by creating a loop in the router. Consult your router documentation before activating this feature on any ports.

DHCP failover is recommended for one-to-one, many-to-many or one-to-many configurations. In any case, the DHCP failover servers do not support crossover configurations. This means that two servers cannot be each other's secondary failover server. A failover server cannot be a primary and a backup server for the same set of pools. This creates a non-functional configuration.

With three or more servers, there are two standard approaches to setting up DHCP failover without creating a crossover configuration. The first example uses a round-robin style topology to avoid crossovers. Because none of the servers acts as both a primary and secondary peer for any other server, this does not create a crossover.

A one-to-many topology involves using a single secondary server to service several primary servers. The primary servers in this example have a load balance split of 255 so that they hand out all leases in the normal state, despite having only half of the addresses available. The secondary server maintains the other half of the addresses for each primary server and uses these addresses in the case of an outage on one of the primary servers. Because of the inefficient use of available addresses with this configuration, this is not recommended. The round robin topology listed above is generally a better option. However, the one-to-many topology may be a better choice for some networks.


Setting Up DHCP Failover

To define a failover peer:

1 In the tree-view pane, select the DHCP service for the primary server.


2 On the General tab, right-click in the empty list area below Failover Peers, and then click New. The New Failover Peer dialog box opens.

3 Type a unique descriptive name for the peer.

4 Select a backup (secondary) server from the Peer Server drop-down list.

5 Type the Max Response Delay, usually recommended to be between 30 and 180 seconds. This is the amount of time that a server waits without communication before it assumes that its peer is down. This setting should be set high enough to avoid failover incidents due to common network lag or very short outages.

6 Type a value for MCLT, for example, 3600 seconds.

7 Type a value for the Load Balance Split.

8 Type the Load Balance Override. This is the amount of time during which a server allows a client request to go unanswered by its peer before responding, despite the client being assigned to service from the peer.

9 Click OK.

Configuring DHCP Failover on a Pool

Failover is configurable only on a per-pool basis. Each pool must be individually assigned a secondary server. This lets you use different secondary servers for each pool. The secondary server is automatically configured with the backup pools.

The name of the failover peer must be a single word without spaces or special characters. The name must be unique for the entire Adonis configuration, not just the one server.

Only servers configured in the Management Console are available as DHCP failover peer servers.
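The topology constraints from Recommended Topologies (no crossover pair, no server that is both primary and backup for the same pools) and the peer-naming rules just above can be checked before any pool is assigned a peer. The following Python validator is an added example, not an Adonis feature: a peer is modelled as (name, primary server, secondary server, pools), the server and peer names and pools are constructed, and the character set accepted as a "single word" is an assumption. The round-robin and one-to-many topologies described above pass; a crossover does not.

```python
"""Validate DHCP failover peer definitions (added example, not Adonis code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumption: a "single word without spaces or special characters" is
# letters, digits, underscore and hyphen.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


@dataclass(frozen=True)
class FailoverPeer:
    name: str                # peer name, unique across the whole configuration
    primary: str             # server owning the pools
    secondary: str           # backup server holding the BACKUP half of the pools
    pools: Tuple[str, ...]   # pools this peer relationship protects


def validate_peers(peers: List[FailoverPeer]) -> List[str]:
    """Return every rule violation found; an empty list means the set is usable."""
    errors: List[str] = []
    seen: Set[str] = set()
    for p in peers:
        if not NAME_RE.match(p.name):
            errors.append(f"peer {p.name!r}: name must be a single word without "
                          "spaces or special characters")
        if p.name in seen:
            errors.append(f"peer {p.name!r}: name is not unique across the configuration")
        seen.add(p.name)
        if p.primary == p.secondary:
            errors.append(f"peer {p.name!r}: primary and secondary are the same server")

    # Crossover: two servers acting as each other's secondary is not supported.
    pairs = {(p.primary, p.secondary) for p in peers}
    reported: Set[frozenset] = set()
    for prim, sec in pairs:
        if (sec, prim) in pairs and frozenset((prim, sec)) not in reported:
            reported.add(frozenset((prim, sec)))
            errors.append(f"crossover: {prim} and {sec} are each other's secondary")

    # A server may not be primary and backup for the same set of pools.
    primary_pools: Dict[str, Set[str]] = {}
    backup_pools: Dict[str, Set[str]] = {}
    for p in peers:
        primary_pools.setdefault(p.primary, set()).update(p.pools)
        backup_pools.setdefault(p.secondary, set()).update(p.pools)
    for server in primary_pools:
        overlap = primary_pools[server] & backup_pools.get(server, set())
        if overlap:
            errors.append(f"{server} is both primary and backup for pools {sorted(overlap)}")
    return errors


# Constructed topologies (server, peer and pool names are not from a real site)
ROUND_ROBIN = [
    FailoverPeer("ab", "dhcp-a", "dhcp-b", ("pool-a",)),
    FailoverPeer("bc", "dhcp-b", "dhcp-c", ("pool-b",)),
    FailoverPeer("ca", "dhcp-c", "dhcp-a", ("pool-c",)),
]
ONE_TO_MANY = [
    FailoverPeer("a_backup", "dhcp-a", "dhcp-backup", ("pool-a",)),
    FailoverPeer("b_backup", "dhcp-b", "dhcp-backup", ("pool-b",)),
]
CROSSOVER = [
    FailoverPeer("ab", "dhcp-a", "dhcp-b", ("pool-a",)),
    FailoverPeer("ba", "dhcp-b", "dhcp-a", ("pool-b",)),
]

if __name__ == "__main__":
    for label, peers in (("round-robin", ROUND_ROBIN), ("one-to-many", ONE_TO_MANY),
                         ("crossover", CROSSOVER)):
        print(label, "->", validate_peers(peers) or "OK")
```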


To configure DHCP failover on a pool:

1 In the tree-view pane of the Management Console, click a pool that acts initially as the primary on a DHCP failover-enabled server.

2 On the General tab, click Failover Peer. The Select Failover Peer dialog box opens.

3 From the drop-down menu, select a DHCP failover peer as the secondary for this pool.

4 Click OK. Adonis creates the DHCP failover pool on the secondary server automatically (see the red ellipse in the following figure).

5 Repeat the above steps for each pool that requires the redundancy of DHCP failover.

Modifying Settings for a Failover Pool

Modifications to a DHCP address pool with failover enabled do not automatically propagate to the failover peer's pool. If you modify the primary pool, such as changing the address range, you must repeat the change manually in the failover pool. To accomplish this, set the Failover Peer setting on the primary failover server to none, and then change it back to its proper failover peer. Re-instating this selection allows the server to re-synchronize the settings for the failover pool.

To modify failover peer settings:

1 In the tree-view pane select the DHCP service.


2 On the General tab under Failover Peers double-click the primary failover server. The Edit Failover Peer dialog box opens.

3 Edit the Failover Peer setting on the primary failover server to none.

4 Change the Failover Peer setting back to show the correct failover peer.

Re-instating this selection allows the server to re-synchronize the settings for its failover pool.

Chapter 11

Migration Tools

This chapter describes the tools provided to help you migrate from external data sources to your Adonis DNS/DHCP Appliance.

This chapter contains the following topics:

• Importing External Configurations on page 223 explains the process.

• Using a Live Zone Transfer on page 225 explains how to import data through a zone transfer.

• Importing an Existing DNS Configuration on page 227 explains how to import a DNS configuration.

• Importing an Existing DHCP Configuration on page 229 explains how to import a DHCP configuration.

Importing External Configurations

The Import Wizard helps you import your existing external configuration into your Adonis appliance. You can import a BIND (8/9) configuration, a BIND 4 boot file, an ISC DHCP 3.x configuration file, or a Windows 2000 DHCP dump file.

To import the file, you must have a copy of it on your local computer.


To import an external configuration:

1 From the File menu, select Import. The Import Wizard opens.

2 Click Next. The Select Location page appears. From the drop-down list select the type of file you want to import, and then use the (...) button to navigate to the file.


3 Click Next. The Select Destination page appears.

4 To import the file to a new name server, select the New Server option, and then type the server name, IP address, and contact e-mail information.

5 To import the file to an existing server or view, select the Existing Server option, and then select the server or view from the drop-down list.

6 Click Next, and then click Finish.

Using a Live Zone Transfer

You can also import data using a live zone transfer. In this procedure an existing DNS server uses the zone transfer mechanism to transfer a zone to Adonis, thus populating the DNS information on the Adonis appliance. You can also perform a bulk zone import by transferring configuration and data from .txt files.

To import from a single zone:

1 Open the Management Console.


2 From the Tools menu, select Live Zone Import. The Live Zone Import Wizard opens. Click Next.

3 Type the settings for the DNS server that contains the desired zone, the port on the DNS server, and the name of the zone. Click Next.


4 Select the server and the zone to which you want to transfer the live zone data.

5 Click Next. The Perform Live Zone Import page appears, showing status information as the live zone import takes place. A message appears showing whether or not the transfer was successful.

6 When the transfer is complete, click Next, and then click Finish.

Importing an Existing DNS Configuration

Adonis can import external DNS configurations from BIND 4 boot files and BIND 8/9 config files.


Named.conf

You must prepare named.conf files before you import them. Using a text editor, try to eliminate the following potential errors before you attempt to import a named.conf file.

• Syntax errors—specifically end braces and semi-colons.

• Option definitions—remove all option declarations (especially global ones), except match-clients for views. These are not imported, so you do not lose anything.

• Other BIND syntax—try to interpret the errors that are thrown to the import log and clean the file accordingly.

ACLs

You must define ACLs in a view before you import them. This is because the import tool loads only the ACLs that are implemented in the BIND configuration. The import tool loads zones and views in different ways and it does not load any zone options, so even if an ACL is implemented within a zone option, the import tool does not consider it to be implemented.

To load a named.conf file that consists of ACLs and zones, you must create an empty view that implements all of the ACLs that need to be imported in a match-clients option statement. The following example is a BIND 9 configuration which initially contained only ACLs and zones. It creates three different ACLs, and the default view has been added to ensure that the ACLs are imported.

# The client was implementing these three acls in zone options in their named.conf.
acl firstacl {
    198.168.3.46; 198.168.3.56;
};

acl secondacl {
    10.10.200.0/22;
};

acl thirdacl {
    69.2.124.11;
    64.52.36.0/25;
};

# This view doesn't contain the zones, it just implements the acls so that they can be imported.
view "default" {
    match-clients { firstacl; secondacl; thirdacl; };

};

# These zones implement the ACLs, but the import engine does not pick it up.
zone "example1.com" {
    type master;
    file "example1.zone";
    allow-query { firstacl; };
};

zone "example2.com" {
    type master;
    file "example2.zone";
    allow-query { secondacl; };
};

zone "example3.com" {
    type master;
    file "example3.zone";
    allow-query { thirdacl; };
};

The view that implements the ACLs does not need to contain the zones. You may use any name, but if you choose default, the zones appear in the default view in Adonis whether or not they are contained in that view, and the ACLs are applied to the default view. The previous behaviour of the ACLs applied through zone options can be re-created after the import.

To do this, use a different view name to implement the imported ACLs, and then apply the ACLs to the zones in the default view. Zones that are not contained within a view are automatically imported into the default view.

Importing an Existing DHCP Configuration

You can import an existing DHCP configuration from an ISC-based DHCP server or from a Microsoft DHCP server. You can also import the text file containing the DHCP information into the Management Console using the Import Wizard described on page 224.

ISC DHCP 3.x Config File

The Management Console allows you to import directly from an ISC DHCP server. If multiple DHCP servers are involved, you must import the individual dhcpd.conf files from each DHCP server.
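Before running the Import Wizard on a named.conf, the ACL rule described in the ACLs section above (only ACLs named in a view's match-clients statement are imported; zone options are ignored) can be checked mechanically. The following Python script is an added example, not part of the Adonis guide or product; the named.conf text, the view name aclimport and the function names are constructed for illustration.

```python
"""Pre-import check for a BIND named.conf: find ACLs the Adonis import
tool would drop.  Added example (not from the Adonis guide or product).
Rule from this chapter: only ACLs named in a view's match-clients statement
are imported, and zone options such as allow-query are ignored, so an ACL
used only in zone options silently loses its effect after import.
"""
import re

# Constructed sample in the shape of the chapter's example: the view
# implements only two of the three ACLs, so thirdacl would be dropped.
SAMPLE_NAMED_CONF = """
# comments are stripped before parsing
acl firstacl { 198.168.3.46; 198.168.3.56; };
acl secondacl { 10.10.200.0/22; };
acl thirdacl { 69.2.124.11; 64.52.36.0/25; };

view "default" {
    match-clients { firstacl; secondacl; };
};

zone "example1.com" { type master; file "example1.zone"; allow-query { firstacl; }; };
zone "example2.com" { type master; file "example2.zone"; allow-query { secondacl; }; };
zone "example3.com" { type master; file "example3.zone"; allow-transfer { thirdacl; }; };
"""

# An option body such as `allow-query { a; b; }` contains no nested braces.
OPTION = re.compile(r"([\w-]+)\s*\{([^{}]*)\}")


def strip_comments(text):
    """Remove /* */, # and // comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(#|//)[^\n]*", "", text)


def top_level_statements(text):
    """Yield (header words, body) for each `header { body };` at brace depth 0."""
    i = 0
    while True:
        start = text.find("{", i)
        if start < 0:
            return
        header = text[i:start].replace(";", " ").split()
        depth, j = 1, start + 1
        while j < len(text) and depth:          # find the matching close brace
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield header, text[start + 1:j - 1]
        i = j


def acl_names(option_body):
    """Names in an address-match list, ignoring negation and quotes."""
    return {t.strip().lstrip("!").strip('"') for t in option_body.split(";") if t.strip()}


def check_acl_import(conf):
    """Return (ACLs that will be imported, {dropped ACL: [(zone, option), ...]})."""
    defined, in_views, zone_uses = set(), set(), []
    for header, body in top_level_statements(strip_comments(conf)):
        if not header:
            continue
        kind = header[0]
        name = header[1].strip('"') if len(header) > 1 else ""
        if kind == "acl":
            defined.add(name)
        elif kind == "view":                    # the only place the importer looks
            for opt, inner in OPTION.findall(body):
                if opt == "match-clients":
                    in_views |= acl_names(inner)
        elif kind == "zone":                    # zone options are not imported
            for opt, inner in OPTION.findall(body):
                if opt.startswith("allow-"):
                    zone_uses += [(name, opt, a) for a in acl_names(inner)]
    dropped = {}
    for zone, opt, acl in zone_uses:
        if acl in defined and acl not in in_views:
            dropped.setdefault(acl, []).append((zone, opt))
    return defined & in_views, dropped


def view_implementing(acls, view_name="aclimport"):
    """The chapter's workaround: an empty view whose match-clients names every
    ACL that must survive the import (view_name is an assumed placeholder)."""
    inner = " ".join(f"{a};" for a in sorted(acls))
    return f'view "{view_name}" {{\n    match-clients {{ {inner} }};\n}};'


if __name__ == "__main__":
    imported, dropped = check_acl_import(SAMPLE_NAMED_CONF)
    print("imported:", sorted(imported))
    for acl, uses in dropped.items():
        print(f"DROPPED {acl}: referenced only in zone options {uses}")
    print("add before importing:\n" + view_implementing(dropped))
```

Every ACL the script reports as dropped would leave its zones without the intended allow-query or allow-transfer restriction after import, so add it to a view's match-clients first and re-apply the zone restrictions afterwards.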


Windows 2000 DHCP Dump File

If you want to import data from a Microsoft DHCP server, you must run the “netsh” command on the Microsoft server to extract the information into a simple text file.

• On a Windows 2000 DHCP server, run the following command:

  Netsh dhcp dump > filename.txt

• On a Windows 2003 server, run the following command (replace <IP address> with the address of the DHCP server):

  Netsh dhcp server <IP address> dump > filename.txt

Chapter 12

Active Directory Integration

Microsoft Active Directory (AD) is based on well-known network services such as Lightweight Directory Access Protocol (LDAP) and Kerberos. AD was first available in Windows 2000 Server and uses DNS for its location mechanism. DNS has grown to become not only the cornerstone of the Internet, but crucial for connecting Windows clients to their domain controllers. This section explains how AD uses DNS and how Adonis appliances integrate into this environment. Adonis appliances are easy to integrate and they provide a robust, secure, and highly maintainable DNS management platform.

Active Directory and DNS

AD provides a centrally managed directory service for distributed computing environments. This directory service is a central authority for network security, resources, users, and services. AD is based upon LDAP and uses security based on MIT's Kerberos project.

Microsoft changed its Windows domain discovery process to use DNS instead of its legacy discovery protocol. This acts like a bootstrapping mechanism for client systems to find the closest or most appropriate Domain Controller (DC). This information is stored in a series of DNS records specifying the following information:

• LDAP servers

• Kerberos domain controllers

• Address of the domain controllers

• Global Catalog servers

• Kerberos password change servers

Before a client can connect to the Windows Domain, it needs to find a suitable DC. The Windows client contains a service called NetLogon that uses a DC-locating algorithm to find the appropriate server. This is how the DC-locating algorithm works:

• It obtains a list of DCs through a DNS query using the domain name, domain Globally Unique Identifier (GUID), and/or site name.

• The locator pings each controller in random order and uses the weighting factor discovered while getting the list of DCs. It waits up to one tenth of a second for a reply from the DC and continues pinging until it has tried all controllers or until it receives a successful response.

• After a DC responds successfully to a ping, the results from the response are compared to the parameters required by the client. If there is a match, then the DC is used. Otherwise, it resumes pinging of other DCs.


Dynamic Domain Controller Registration

Without the proper DNS information, a client cannot discover which server to contact for authentication. Each DC registers and maintains its own AD DNS integration records consisting of several A (Address), CNAME (Canonical Name), and SRV (Service) records. These records are initially registered by the DC's NetLogon service. This is performed through a standard DNS zone transfer (AXFR) and through DDNS updates from the DC (RFC 2136).

When examining these records in the Microsoft DNS server, you may think that this data must reside in sub zones of the parent domain. This is not necessarily the case, because DDNS updates have no way of creating additional zones. The records are simply added as resource records with label separators (".") into the parent domain’s zone file. Notice that some record names contain underscore ("_") characters. This is common practice in Microsoft development tools and was borrowed for the DNS naming technique for AD. The following table lists the naming conventions used in the records:

DNS Label   Description

_ldap       LDAP service

_tcp        Service uses TCP connections

_udp        Service uses UDP connections

_kerberos   Record contains information about a Kerberos Key Distribution Center (KDC)

_msdcs      Service is running on a Domain Controller

_kpasswd    Kerberos Password Change service

_gc         Global Catalog service

_sites      Record contains information about a specific site

dc          Domain Controller (DC)

gc          Global Catalog (GC)

A registered DNS record can contain one or more of the above names to describe a service that can be queried. For example, the following record locates an LDAP service on server1.bluecatnetworks.com in the bluecatnetworks.com domain:

_ldap._tcp.bluecatnetworks.com SRV 0 0 389 server1.bluecatnetworks.com


An alternative form of this record that indicates that the LDAP service is on a DC has the following syntax:

_ldap._tcp.dc._msdcs.bluecatnetworks.com SRV 0 0 389 server1.bluecatnetworks.com

For a detailed list of these records, see Active Directory DNS Records on page 235.

Integrating Adonis into Active Directory

Adonis integrates easily into the AD environment. The simplest way to integrate the appliance is to use the Active Directory Wizard for each zone that needs AD integration. The wizard asks for the IP addresses of each DC that registers its records. When the project file is complete it is deployed, and the AD servers are informed that their primary DNS server is now an Adonis appliance. After this step, the DCs register their records and client machines use the information to gain access to the AD domain.

You can also integrate Adonis manually.

To integrate Adonis manually:

1 Create an ACL that contains the addresses of all the DCs.

2 Add this ACL to each DNS server.

3 For the master server, allow zone transfers.

4 For each master zone, allow dynamic updates using the ACL.

5 For each slave zone, allow update forwarding using the ACL. This forwards dynamic updates to the master zone.

After you deploy the project file, it takes time for the DCs to register their records. The amount of time taken depends on the DCs’ registration settings and can be changed to suit your organization's needs. DCs usually inspect their records after the interval has expired. After the DCs have registered their records, a refresh of the master server's configuration shows the Active Directory records.


Windows 2000 networks also allow clients to register their own Address (A) and Pointer (PTR) records with their DNS server. In most cases, organizations use DHCP servers that can perform the registration directly with the DNS server (this is a more secure method). However, if desired, clients can still register themselves directly with the DNS server by allowing those specific clients to make dynamic updates.

DNS Replication

There are two approaches to DNS record replication: Master-Slave and Master-Master.

Master-Slave—This is the recommended method for managing DNS. The current industry standard (outlined in RFC 1034 and 1035) states that a secondary zone (slave) replicates its contents from a primary (master) zone on a given internal network. The Master-Slave architecture works on Windows, UNIX, and other operating systems.

The following table lists the pros and cons of a Master-Slave replication system:

Master-Slave Replication System

Pros:

• An industry standard method for maintaining zone data.

• The master always contains the most up-to-date information.

• A central repository for zone data.

• It does not require other services to replicate data.

Cons:

• Master server updates are required to make changes on other servers.

• If a slave is updated, a small delay exists before the update is propagated.

• It requires the latest version of BIND software to take advantage of update-forwarding.


Master-Master—The recommended Microsoft architecture for AD specifies that the DNS servers should reside on the DC, eliminating the need to perform zone transfers.

The following table lists the pros and cons of the Master-Master method of replication:

Master-Master Replication System

Pros:

• A central repository for all zone data.

• Editing the DNS in one zone replicates to all others.

• Saves bandwidth and processing power by using existing LDAP replication to replicate DNS data.

Cons:

• Microsoft-only implementations.

• Zone serial numbers can be inconsistent in SOA data.

• Non-standard architecture.

• Not favored in heterogeneous environments.

• Relies on LDAP for replication.

• LDAP replication may not be acceptable for external zone data.

Because Adonis uses the BIND 9.x name server software, its architectures are Master-Slave based.

Active Directory DNS Records

The following section contains a list of Active Directory specific records that are registered by the NetLogon service. Each record is followed by an example of its usage.


SRV Records

_ldap._tcp.<DomainName>—SRV record that identifies an LDAP server in the domain named by <DomainName>. The LDAP server is not necessarily a Domain Controller (DC). This record is registered by all DCs. For example:

_ldap._tcp.bluecatnetworks.com

_ldap._tcp.<SiteName>._sites.<DomainName>—Enables a client to find an LDAP server in the domain named by <DomainName>. This record is registered by all DCs. For example:

_ldap._tcp.richmondhill._sites.bluecatnetworks.com

_ldap._tcp.dc._msdcs.<DomainName>—Used by clients to locate a Domain Controller (DC) in the domain named by <DomainName>. This record is registered by all DCs. For example:

_ldap._tcp.dc._msdcs.bluecatnetworks.com

_ldap._tcp.<SiteName>._sites.dc._msdcs.<DomainName>—Enables a client to locate a DC for the given site and domain named by <SiteName> and <DomainName> respectively. For example:

_ldap._tcp.richmondhill._sites.dc._msdcs.bluecatnetworks.com

_ldap._tcp.pdc._msdcs.<DomainName>—Enables a client to locate the Primary Domain Controller (PDC) for a domain named by <DomainName>. This record is registered only by the PDC of the domain. For example:

_ldap._tcp.pdc._msdcs.bluecatnetworks.com

_ldap._tcp.gc._msdcs.<DomainName>—Enables a client to find the Global Catalog (GC) for the forest. Only the DC for the GC registers this record. For example:

_ldap._tcp.gc._msdcs.bluecatnetworks.com

_ldap._tcp.<SiteName>._sites.gc._msdcs.<ForestName>—Enables a client to find a GC for the forest named by <ForestName>. Only an LDAP server responsible for the GC registers this record. For example:

_ldap._tcp.richmondhill._sites.gc._msdcs.bluecatnetworks.com

_gc._tcp.<ForestName>—Enables a client to locate a GC for the forest named by <ForestName>. Only an LDAP server responsible for the GC registers this record. The LDAP server is not necessarily a DC. For example:

_gc._tcp.bluecatnetworks.com

_gc._tcp.<SiteName>._sites.<ForestName>—Enables a client to find a GC for the site and forest named by <SiteName> and <ForestName> respectively. Only an LDAP server responsible for the GC registers this record. For example:

_gc._tcp.richmondhill._sites.bluecatnetworks.com

_ldap._tcp.<DomainGuid>.domains._msdcs.<ForestName>—Used by clients to find a DC given the domain GUID of <DomainGuid> in the forest named by <ForestName>. This lookup can be used to resolve the DC if the domain name has changed. This record is used infrequently and does not work if the <ForestName> has been changed. For example:

_ldap._tcp.01693484-b5c4-4b31-8608-80e77ccc78b8.domains._msdcs.bluecatnetworks.com

_kerberos._tcp.<DomainName>—Enables a client to find a Kerberos Key Distribution Center (KDC) for the domain named by <DomainName>. This record is registered by all DCs providing the Kerberos service. The service is a Kerberos 5 KDC compliant with RFC 1510. The server is not necessarily a DC. For example:

_kerberos._tcp.bluecatnetworks.com


_kerberos._udp.<DomainName>—Enables a client to find a Kerberos Key Distribution Center (KDC) for the domain named by <DomainName>. This record is registered by all DCs providing the Kerberos service. The service is a Kerberos 5 KDC compliant with RFC 1510. The server is not necessarily a DC. This service supports UDP. For example:

_kerberos._udp.bluecatnetworks.com

_kerberos._tcp.<SiteName>._sites.<DomainName>—Enables a client to locate a server running the Kerberos KDC for a site and domain named by <SiteName> and <DomainName> respectively. The server is not necessarily a DC. For example:

_kerberos._tcp.richmondhill._sites.bluecatnetworks.com

_kerberos._tcp.<SiteName>._sites.dc._msdcs.<DomainName>—Used by clients to locate the DC running a Kerberos KDC for the site and domain named by <SiteName> and <DomainName> respectively. For example:

_kerberos._tcp.richmondhill._sites.dc._msdcs.bluecatnetworks.com

_kpasswd._tcp.<DomainName>—Enables a client to find a Kerberos Password Change Server for the domain named by <DomainName>. The server is not necessarily a DC. All DCs running the Kerberos KDC register this record. For example:

_kpasswd._tcp.bluecatnetworks.com

_kpasswd._udp.<DomainName>—Enables a client to find a Kerberos Password Change Server for the domain named by <DomainName>. The server is not necessarily a DC. All DCs running the Kerberos KDC register this record. For example:

_kpasswd._udp.bluecatnetworks.com

A Records

<ServerName>.<DomainName>—The server named by <ServerName> is registered in the domain named by <DomainName>. This record is used by referral lookups from SRV and CNAME records. For example:

dc1.bluecatnetworks.com

gc._msdcs.<ForestName>—Enables a client to find a GC for a given forest named by <ForestName>. This record is used by referral from SRV records. For example:

gc._msdcs.bluecatnetworks.com

CNAME Records

<DSAGuid>._msdcs.<ForestName>—Enables a client to locate any DC in the forest named by <ForestName> by the GUID of the MSFT-DSA (Directory Services) object. For example:

01693484-b5c4-4b31-8608-80e77ccc78b8._msdcs.bluecatnetworks.com
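After the DCs have been pointed at the Adonis master (see Integrating Adonis into Active Directory above), the record list in this section can be used to verify that each DC has registered everything it should. The following Python script is an added example, not part of the Adonis guide or product; the domain bluecatnetworks.com, the site richmondhill, the host dc1 and the zone contents are constructed, and it models only DCs that belong to a site.

```python
"""Audit a zone for the Active Directory records a domain controller registers.
Added example, not part of the Adonis guide or product: it encodes the NetLogon
record names listed in this section so that, after the DCs are pointed at the
new master, an administrator can see which expected names are still missing.
The domain, site, host name and zone contents below are constructed.
"""

# Label meanings from the naming-convention table earlier in this chapter.
LABELS = {
    "_ldap": "LDAP service", "_tcp": "TCP", "_udp": "UDP",
    "_kerberos": "Kerberos KDC", "_msdcs": "on a Domain Controller",
    "_kpasswd": "Kerberos password change", "_gc": "Global Catalog service",
    "_sites": "site-specific", "dc": "Domain Controller", "gc": "Global Catalog",
}


def expected_dc_records(domain, site, forest=None, is_pdc=False, is_gc=False,
                        domain_guid=None, dsa_guid=None):
    """Owner names a DC registers, as listed in this section.  Only DCs that
    belong to a site are modelled; forest defaults to the domain (forest root)."""
    forest = forest or domain
    names = {
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.{site}._sites.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kerberos._udp.{domain}",
        f"_kerberos._tcp.{site}._sites.{domain}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_kpasswd._udp.{domain}",
    }
    if domain_guid:  # SRV keyed by the domain GUID (survives a domain rename)
        names.add(f"_ldap._tcp.{domain_guid}.domains._msdcs.{forest}")
    if dsa_guid:     # CNAME keyed by the DC's DSA object GUID
        names.add(f"{dsa_guid}._msdcs.{forest}")
    if is_pdc:       # registered only by the PDC of the domain
        names.add(f"_ldap._tcp.pdc._msdcs.{domain}")
    if is_gc:        # registered only by Global Catalog servers
        names |= {
            f"_ldap._tcp.gc._msdcs.{domain}",
            f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}",
            f"_gc._tcp.{forest}",
            f"_gc._tcp.{site}._sites.{forest}",
            f"gc._msdcs.{forest}",  # A record
        }
    return names


def describe(owner):
    """Decode an AD record name into the label meanings from the table
    (a plain host label such as 'dc' is reported too, so read with care)."""
    return [LABELS[p] for p in owner.split(".") if p in LABELS]


def owner_names(zone_text):
    """Owner names present in master-file text; absolute (dot-terminated)
    names only, comments and $-directives ignored."""
    found = set()
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()
        if not line or line.startswith("$"):
            continue
        owner = line.split()[0]
        if owner.endswith("."):
            found.add(owner[:-1].lower())
    return found


def missing_dc_records(zone_text, **dc):
    """Expected names (see expected_dc_records) absent from the zone, sorted."""
    return sorted(expected_dc_records(**dc) - owner_names(zone_text))


# Constructed sample: a master zone shortly after the DCs were repointed,
# before every record has been registered (the UDP records are not yet there).
SAMPLE_ZONE = """\
$TTL 600
_ldap._tcp.bluecatnetworks.com. IN SRV 0 100 389 dc1.bluecatnetworks.com.
_ldap._tcp.richmondhill._sites.bluecatnetworks.com. IN SRV 0 100 389 dc1.bluecatnetworks.com.
_ldap._tcp.dc._msdcs.bluecatnetworks.com. IN SRV 0 100 389 dc1.bluecatnetworks.com.
_ldap._tcp.richmondhill._sites.dc._msdcs.bluecatnetworks.com. IN SRV 0 100 389 dc1.bluecatnetworks.com.
_ldap._tcp.pdc._msdcs.bluecatnetworks.com. IN SRV 0 100 389 dc1.bluecatnetworks.com.
_kerberos._tcp.bluecatnetworks.com. IN SRV 0 100 88 dc1.bluecatnetworks.com.
_kerberos._tcp.richmondhill._sites.bluecatnetworks.com. IN SRV 0 100 88 dc1.bluecatnetworks.com.
_kerberos._tcp.richmondhill._sites.dc._msdcs.bluecatnetworks.com. IN SRV 0 100 88 dc1.bluecatnetworks.com.
_kpasswd._tcp.bluecatnetworks.com. IN SRV 0 100 464 dc1.bluecatnetworks.com.
dc1.bluecatnetworks.com. IN A 10.0.0.10 ; constructed address
"""

if __name__ == "__main__":
    for name in missing_dc_records(SAMPLE_ZONE, domain="bluecatnetworks.com",
                                   site="richmondhill", is_pdc=True):
        print("missing:", name, "->", ", ".join(describe(name)))
```

Run it against the text of the master zone after the registration interval has passed; names still reported as missing point at a DC whose dynamic updates are not reaching the master (typically an ACL or update-forwarding problem from the manual integration steps).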


Appendix A

Integrating with Mirage Post-Admission NAC Appliance

Adonis can integrate with a Mirage post-admission NAC device through the Adonis Mirage Adapter (AMA). The AMA is a Linux daemon that listens for notifications from Mirage, and then takes the appropriate action. This chapter explains how to set up and control the Adonis Mirage Adapter that integrates Adonis with the Mirage post-admission NAC appliance.

• About the AMA on page 239 explains how AMA works and the steps you must complete to configure it.

• Setting up the AMA on page 240 explains how to configure AMA. However, you must still follow the instructions in the following section to complete the integration.

• Configuring Mirage on page 242 explains how to configure Mirage to send the appropriate notifications to Adonis and AMA.

• Controlling the AMA on page 243 lists the Linux commands you need to control AMA.

About the AMA

Mirage notifies Adonis of hosts entering or leaving a zone (a Mirage-defined network). Depending on the notification, AMA may authenticate a host and inform Mirage of the authentication results. AMA may also inform the MAC Authentication system to deny or allow a host that is entering or leaving a quarantine zone.


Setting up the AMA

The next two sections explain how to integrate Mirage with Adonis.

The process includes four stages:

• enabling SSH communication between Adonis and Mirage

• configuring AMA

• configuring Mirage

• controlling the AMA daemon

Enabling SSH Between Adonis and Mirage

Adonis and Mirage communicate through Secure Shell (SSH). To do this, they must share an SSH key.

It is important to follow the instructions in the order in which they are presented.

Before you start, locate the password that was shipped with your appliance.

To set up Adonis and Mirage to share an SSH key:

1 Log in to Adonis as root.

2 Type “ssh-keygen -t rsa”, and then press Enter.

3 When prompted for a file name, type “identity.ppk”, and then press Enter.

4 When prompted for a passphrase, press Enter to leave the passphrase field empty.

This procedure creates two new files in the working directory, identity.ppk and identity.ppk.pub.

5 Copy identity.ppk to /usr/local/bluecat.

6 Rename identity.ppk.pub as authorized_keys2.

7 Copy authorized_keys2 to /root/.ssh/ on the Mirage machine.

The next stage is to configure the AMA.

Configuring the AMA

The Management Console allows you to configure and run AMA in a simple GUI environment. The following parameters are necessary for configuring AMA:

Parameter            Description

Default Zone         The name of the zone to which all IPs are first sent by Mirage, before they are approved for wider access to the network. It is also referred to as the Parking Lot. For more information, see the Mirage documentation.

External Authority   The name Mirage uses to identify this particular Adonis appliance. You should use the name DHCPServer_Adapter.

SSH Cmd User         AMA uses Secure Shell (SSH) to communicate with Mirage. This is the user name for SSH.

SSH Cmd Password     This is the password for SSH.

Quarantine Zones     The name that defines a quarantine zone when you configure Mirage. You can create multiple zones.

To configure the AMA daemon:

1 From the Server drop-down menu, select Server Control. The Server Control dialog box appears.

2 Scroll through the Action list, select the Start Adonis Mirage Adapter option, and then click Execute. The Mirage Adapter Data dialog box appears.


3 Type the Default Zone name.

4 Type DHCPServer_Adapter for the External Authority.

5 Type the SSH Cmd User name and SSH Cmd Password.

6 To create a quarantine zone, right-click in the white area, and then click New. The New Quarantine Zone dialog box appears.

7 Type the name of the zone, and then click OK.

8 Click OK.

The next stage is to configure Mirage to send notifications.

Configuring Mirage

To configure Mirage you must use the Mirage Operations Console. This process involves creating an external authority, creating a profile group and profiles, and configuring three zones.

These instructions are provided for convenience only. For more information about configuring Mirage, consult the official Mirage documentation, or visit their official website at: http://www.miragenetworks.com.

Creating an External Authority

Before it can communicate with Adonis, Mirage must know how to identify it. You must create an external authority that has the same name that you used when configuring AMA.

To create an external authority:

1 Right-click the Managed Server domain, and then select New External Authority.

2 Type DHCPServer_Adapter as the external authority’s name.

3 Click OK.

Creating a Profile Group and Profiles

In the next step you create a profile group that contains profiles for hosts that pass authentication and for hosts that fail authentication.

Creating a Profile Group

To create a profile group:

1 Right-click a Profiles folder in the Managed Resources navigation tree, and then select Add Profile Group.

2 Type DHCPServer_Adapter_Authentication as the profile group’s name.

3 Click Finish.

Creating a Pass Profile

To create a profile for hosts that pass authentication:

1 Right-click the DHCPServer_Adapter_Authentication group, and then select Add Profile.


2 Type DHCPServer_Authentication_Passed as the profile name.

3 Type a description of the profile.

4 Click Finish.

5 Add the following Include Condition to the profile:

enable Device session Authenticated (dhcpserver_adapter) is TRUE.

Creating a Fail Profile

To create a profile for hosts that fail authentication:

1 Right-click the DHCPServer_Adapter_Authentication group, and then select Add Profile.

2 Type DHCPServer_Authentication_Failed as the profile name.

3 Type a description.

4 Click Finish.

5 Add the following Include Condition to the profile:

enable Device session Authenticated (dhcpserver_adapter) is FALSE.

Configuring Zones

The final stage is to configure the following zones that Mirage creates by default. The following table shows you how to configure them:

Unknown Devices
    Description: Initial zone to which all IPs are sent on entering the network. Because both dynamic and static IPs are sent to this zone, it is recommended that this zone have all access to the network. If a static IP enters the network, it sits in this zone for a short time before it is sent to the Quarantined Zone.
    Profile: Include: Unknown Devices; Exclude: DHCPServer_Authentication_Passed

Full Access
    Description: Zone to which all authenticated hosts are sent.
    Profile: Include: DHCPServer_Authentication_Passed

No Access
    Description: Zone to which all non-authenticated hosts are sent.
    Profile: Include: DHCPServer_Authentication_Failed

For more information about configuring zones, refer to the Mirage documentation.

Controlling the AMA

You control the AMA through its executable, which is stored in /usr/local/bluecat/ama. To use this executable effectively you should be comfortable with the concept of system logs, and you should know the difference between a daemon and a normal process.

To run AMA with a parameter:

1 Log in to the Administration Console.


2 Type “!/usr/local/bluecat/ama parameter”, where parameter is one of the following:

Parameter              Description

-f <syslog facility>   AMA uses the system log. You can specify a syslog facility instead of the default (“daemon”). The valid facilities include “local0”, “local1”, “local2”, “local3”, “local4”, “local5”, “local6”, and “local7”.

-p <syslog priority>   You can specify a system log priority. The valid priorities, from highest to lowest, include “emerg”, “alert”, “crit”, “err”, “warning”, “notice”, “info”, and “debug”. AMA logs messages with a priority greater than or equal to the setting. The default priority is “notice”.

-t                     Normally, AMA runs as a daemon. The “trace” switch makes it run as a normal process and output logs to the console.

-v                     Show AMA’s version.

-h                     Show AMA’s usage.


Index

AA records ..........................................101

AAAA records................................101, 151

access control...................................... 25configuring .................................... 23

Access Control Listsdefinitions for importing ...................228managing .....................................146

Active DirectoryA records .....................................237CNAME records...............................237creating DNS architecture .................. 77DNS overview ................................231DNS Records ..................................235DNS replication ..............................234domain controllers ..................... 80, 231Dynamic DNS (DDNS) ........................128Dynamic Domain Controller registration.232integration ............................. 231–235integration with Adonis.....................130Primary Domain Controller ................110record naming conventions ................232SRV records...................................236synchronization ..............................131Wizard...................................130, 233

Administration Console........................... 15command history ............................. 18command server .............................. 51configuration mode .......................... 16configuring Anycast .......................... 50DHCP service control .......................195Help ............................................ 16logs ........................................ 57, 58MAC authentication .........................195

main mode .................................... 16reboot.......................................... 42restart BIND ................................... 98server controls................................ 42service control................................ 51setting the time .............................. 44shutdown ...................................... 42start BIND ..................................... 98stop BIND ...................................... 98TFTP service control........................ 196time zone...................................... 45

administration password ......................... 41

AdonisAdministration Console...................... 15authenticator management ................ 38caching server ................................ 76controlling from Proteus .................... 13deployment overview ....................... 12Detect Server Appliance Type ............. 55Disable Query Logging ....................... 55DNS implementation......................... 97Enable Query Logging ....................... 55Extraction Tool ............................... 98failover ....................................... 210hostname ...................................... 44IPv6 support................................... 12LCD ............................................. 42Management Console ........................ 19manual updates .............................. 69Mirage Adapter (AMA) ...................... 239organization................................... 11ping node..................................... 202ports .......................................... 210project files, overview ...................... 12proxy settings................................. 37

Adonis Administration Guide 245

Page 246: Adonis Admin 5.5

24

Index

reboot .......................................... 42resetting from Proteus control ............. 41setting the time .............................. 44shutdown ...................................... 42supported DNS RFCs.......................... 98traps............................................ 64updating ....................................... 36using external authenticators .............. 29

Agent ID ... 197
allow query ... 148
AMA
  configuring ... 240
  MAC authentication ... 239
Anycast ... 50
authenticators ... 192
  external ... 29
  Kerberos ... 30
  LDAP ... 32
  management ... 38
  Radius ... 31
authoritative DNS
  delegation ... 104
  servers ... 107
auto generate, BIND $GENERATE statement ... 98
auto-generation
  resource records ... 118
automatic serial number generation ... 98
auto-negotiated settings ... 44

B

BIND ... 210
  DNS service control ... 98
  matching order ... 144
  restarting ... 98
  start ... 53
  stop ... 53
  views feature ... 97, 144
blackhole query ... 148

C

cache size ... 109
cache zone ... 108
cert.ks files ... 40
certificate keystore ... 40
certificates
  deleting ... 39
  managing ... 38–41
CIDR ... 195
Circuit ID ... 197
Classless Inter-Domain Routing ... 195
CNAME records ... 101
command history, viewing ... 18
configuration mode
  Help ... 17
configurations
  deploying ... 92
  front-end master ... 75
  front-end slaves ... 75
  hidden master ... 75
  master-only ... 74
  migration ... 98
  reviewing changes ... 18
  saving ... 18
  settings ... 16
crossover high availability, see XHA

D

data checker ... 132, 135
  settings ... 91
  severity level ... 91
Data Navigator ... 22
DDI ... 102
DDNS
  configuring ... 130
  DHCP service options ... 129
  DNS options ... 129
  IP address ... 128
  transaction signatures ... 140
default gateway ... 165
delegation ... 104
delegation-only zone ... 97, 110
deploy project file ... 92


deployment password ... 41
Deployment Wizard ... 92
DHCP
  adding MAC authentication ... 190
  address binding states ... 212
  classes ... 175
  common objects ... 159
  communication-interrupted state ... 212
  configuring ... 81
  custom client configurations ... 175
  custom options ... 181
  DDNS service options ... 129
  declarations ... 158
  DHCP lease viewer ... 156
  DHCPv6 interface scope ... 198
  DHCPv6 network scope ... 198
  DHCPv6 service, creating ... 198
  Duplicate Address Detection (DAD) ... 198
  failover ... 197, 210
  failover on a pool ... 219
  failover pool settings ... 220
  failover, setting up ... 218
  files, dhcpd.conf ... 156
  files, subnet.csv ... 156
  files, dhcpd.leases ... 156
  groups ... 159
  hosts, declaring ... 162
  interface scope, DHCPv6 ... 198
  IP layer parameters ... 165
  IPv6 multicast groups ... 198
  IPv6 service control ... 195
  IPv6, stateless autoconfiguration ... 197
  lease viewer ... 196
  MAC authentication ... 188
  master server, defining ... 78
  multicast groups, IPv6 ... 198
  Neighbour Solicitation message ... 198
  network scope, DHCPv6 ... 198
  Network Time Protocol ... 210
  normal state ... 212
  option codes ... 165
  overview ... 11, 155
  partner-down state ... 213
  permit lists ... 161
  potential-conflict state ... 213
  preferred address ... 198
  recovery state ... 213
  recovery-wait state ... 213
  relay agents ... 157
  Router Advertisement message ... 198
  Router Solicitation message ... 198
  scope ... 158
  scope splitting ... 197, 210
  server states ... 212
  service scope, DHCPv6 ... 198
  shared networks ... 160, 161
  start ... 54
  state, communication-interrupted ... 212
  state, normal ... 212
  state, partner-down ... 213
  state, potential-conflict ... 213
  state, recovery ... 213
  state, recovery-wait ... 213
  stateless IPv6 autoconfiguration ... 197
  stop ... 54
  subclass ... 177
  subnet mask ... 165
  subnets ... 159
  tentative address ... 198
  transaction signatures ... 140
  vendor profiles ... 178
  zone ... 183
DHCPv6
  introduction ... 197
  service scope ... 198
  service, configuring ... 199
disable zones ... 97
disaster recovery ... 201
DNAME records ... 102
DNS
  Active Directory records ... 235
  Adonis implementation ... 97
  authoritative servers ... 104, 107
  available options ... 100
  BIND views ... 97
  blackhole ... 148
  cache cleaning interval ... 109
  cache size ... 109
  caching options ... 108
  caching servers ... 76
  DDNS options ... 129


  DDNS overview ... 128
  delegation ... 104
  DNS service level ... 100
  external ... 104
  initial service ... 73
  internal ... 104
  IPv6 ... 151
  MAC authentication ... 194
  migrating configurations ... 98
  network architecture, selecting ... 73
  overview ... 11
  queries ... 148
  record types ... 102
  records, Active Directory ... 235
  recursive ... 108
  redundant configuration ... 75
  replication under Active Directory ... 234
  reverse DNS ... 123, 183
  service options ... 100
  SOA, defining ... 113
  sort list ... 109
  supported RFCs ... 98
  transaction signatures ... 140
  transaction signatures for remote slave ... 140
  TTL upper limit ... 109
  VoIP functionality ... 124
  zone ... 183
  zone options ... 112
  zone refresh ... 111
  zone, deleting ... 112
  zone, disabling ... 112
  zone, enabling ... 112
  zone, renaming ... 111
DNS Fixup Wizard ... 132
domain controllers ... 236
  finding nearest ... 231
  identifying ... 80
  registration ... 232
domain name ... 136, 236
duplex setting ... 43, 44, 202
Duplicate Address Detection ... 198
Dynamic DDNS, see DDNS

E

e.164 zones ... 124
enable zones ... 97
ENUM
  prefixes ... 124
  used for VoIP ... 124
  zones ... 124
eth0 adapter ... 202
external authenticators ... 29
external configurations, importing ... 223
external DNS ... 104

F

failover ... 197
  manual ... 208
  monitoring ... 213
  pool settings ... 220
  setting up ... 218
  states ... 212
Failover Monitor ... 213, 214
file locations, modifying ... 88
files
  cert.ks ... 40
  dhcpd ... 195
  dhcpd.conf ... 229
  fomon.sh ... 214
  named.conf ... 228
firewall
  disabling ... 51
  enabling ... 51
  ports and settings ... 51
  status ... 51
flags
  NAPTR records ... 125
FOMON, see Failover Monitor
forward master zone ... 105
forwarding zone ... 109
front panel LCD ... 42
full duplex ... 202


G

gateway ... 43, 48, 49, 165
  address setting ... 43
global catalog ... 236
global options ... 100
groups ... 159

H

heartbeat ... 51, 201
Help
  Administration Console ... 16
  configuration mode ... 17
  main mode ... 16
High Availability Wizard ... 201
HINFO records ... 102
hostname ... 44

I

Import Wizard ... 224
importing named.conf files ... 228
in-addr.arpa zones ... 124
incremental resource records ... 119
Information Sheet
  unique password ... 15
inheritance, options ... 100
interface scope, DHCPv6 ... 198
internal DNS ... 104
IP address
  DDNS ... 128
  setting ... 43
IPAM appliance ... 13
IPv6
  AAAA records ... 151
  address, creating ... 151
  creating reverse lookup address ... 152
  DHCPv6 service, configuring ... 199
  DHCPv6 service, creating ... 198
  DNS ... 151
  mixed IPv4/IPv6 environments ... 153
  Neighbour Discovery ... 198
  NS records ... 153
  prefixes ... 197
  reverse lookup ... 152
  stateless autoconfiguration ... 197
IPv6 support ... 12
ISDN record ... 102

K

Kerberos
  Key Distribution Centre ... 30, 236, 237
  password change server ... 237
Kerberos authenticator ... 30, 236
keystore ... 40
  default location ... 38

L

LCD
  disable ... 42
  enable ... 42
LDAP authenticator ... 32, 130, 236
Lease Viewer ... 196
level, setting DNS options ... 100
live data check ... 135
Live Zone Import Wizard ... 225
load balance ... 212
logging queries ... 149
logs
  redirecting ... 57
  system ... 56
  viewing ... 58
log files
  check in/out ... 87

M

MAC Address Filtering ... 184
MAC authentication ... 192, 193, 194
  adding to DHCP ... 190
  AMA ... 239
  dynamic instead of static ... 188
  menu ... 195
  overview ... 156
  pools ... 193


MAD Servers ... 192
Mail Exchanger (MX) record ... 101
main mode
  Help ... 16
Management Console ... 19
  accessing ... 19
  configurations ... 98
  creating transaction signatures ... 140
  default options ... 35
  detail pane ... 21
  Detect Server Appliance Type ... 55
  DNS service options ... 100
  migration ... 98
  navigating ... 20
  new groups, adding ... 26
  new users, adding ... 25
  resource records, disabling ... 98
  resource records, enabling ... 98
  root delegation only ... 98
  search and replace ... 23
  server controls ... 54
  toolbar ... 20
  tree-view pane ... 21
  user management ... 25
  version ... 65
  Whois lookup tool ... 136
  zone template ... 115
manual failover ... 208
manual updates ... 69
master zone ... 105
  start of authority ... 114
master-only architecture ... 74
Mirage
  configuring ... 242
  Post-Admission NAC Appliance ... 239
  zones ... 243
multicast groups, DHCPv6 ... 198

N

NAC, see Network Access Control
Name Server (NS) records ... 101
Naming Authority (NAPTR) record ... 102
naming conventions
  Active Directory ... 232
NAPTR records
  flags ... 125
Network Access Control ... 184
network interface
  settings ... 43
network scope, DHCPv6 ... 198
Network Time Protocol ... 44, 46, 210
New Project Wizard ... 71
New View Wizard ... 145
New Zone Wizard ... 104
NTP ... 46, 210

O

objects
  replace ... 22
  search ... 22
OMAPI
  DHCP potential conflict state ... 213
  DHCP server configurations ... 155
  overview ... 196
  port ... 173
Open Mobile Application Processor Interface, see OMAPI
option codes ... 165
options
  inheritance ... 100
  levels ... 100
  precedence of setting ... 100
OSPF ... 50

P

password
  administration ... 41
  deployment ... 41
  Information Sheet ... 15
  Kerberos ... 237
peer server ... 210
permit lists ... 161
ping node ... 202


Pointer (PTR) record ... 102
pools ... 161
ports
  Adonis, encrypted control ... 12
  for MAC authentication ... 188
  OMAPI ... 173, 196
  proxy settings ... 38
  TCP ... 33
Primary Domain Controller ... 110
product updates ... 36
profile group ... 242
project files
  add server ... 89
  check in/check out ... 85
  correcting ... 90
  creating ... 71
  data check ... 91, 132
  deploying ... 92
  importing ... 96
  saving on the workstation ... 84
  storing on the appliance ... 84
Proteus control of Adonis ... 41
proxy settings ... 37

Q

quad-A records ... 101, 151
queries
  cache zone ... 108
  DNS service options ... 148
  logging ... 55
  recursive ... 97, 108
query logging
  disable ... 55
  enable ... 55
  message category ... 150
  severity level ... 149
query logs
  adding a channel ... 149
  configuring ... 149
  deleting a channel ... 151
  viewing ... 149

R

Radius authenticator ... 31
reboot, start services ... 53
records
  A ... 101
  A6 ... 151
  AAAA ... 101, 151
  alias (CNAME) ... 101
  DNAME ... 102
  DNS ... 102
  HINFO ... 102
  ISDN ... 102
  Mail Exchanger (MX) ... 101
  Name Server (NS) ... 101
  Naming Authority (NAPTR) ... 102
  Pointer (PTR) ... 102
  quad-A ... 101, 151
  RP ... 102
  RT ... 102
  Service (SRV) ... 101, 236
  Text (TXT) ... 102
  TSIG ... 140
recursive clients ... 148
recursive DNS ... 108
recursive queries ... 97, 108
regular expressions
  dynamic delegation discovery ... 125
resource records
  adding ... 118
  auto-generation ... 118
  deleting ... 121
  disabling ... 98, 121
  editing ... 121
  enabling ... 98, 121
  fields ... 103
  generating incrementally ... 119
  managing ... 117
  serial number generation ... 98
  SOA ... 98
reverse DNS ... 123, 183
reverse lookup ... 152
reverse master zone ... 105
reviewing configuration changes ... 18


RFCs, Adonis compliance ... 98, 165
root delegation only ... 98
Router Advertisement message ... 198
Router Solicitation message ... 198
routing table
  adding routes ... 49
  deleting routes ... 49
  flags ... 49
  gateway ... 49
  genmask ... 49
  overview ... 48
RP records ... 102
RT records ... 102

S

saving configuration settings ... 18
scope splitting ... 197, 210
search and replace ... 23
search objects ... 22
secure option appliance ... 15
server states ... 212
server version ... 99
servers
  managing ... 104
  master ... 75, 105
  slave ... 75, 79, 105
  zone transfer options ... 116–117
Service (SRV) record ... 101, 236
service scope, DHCPv6 ... 198
services, start on reboot ... 53
setting DNS service options ... 100
setting IP address ... 43
shared secret ... 140
single name server ... 74
slave zone ... 106
SNMP
  configuring ... 59
  polled objects ... 62
SOA
  defining ... 113
  defining for a zone ... 113
  master zone ... 114
  zone serial numbers ... 235
software updates ... 36, 69
speed setting ... 43, 44
split setting ... 212
ssh ... 53, 240
  disable ... 53
  enable ... 53
Start of Authority, see SOA
startup services ... 53
stateless IPv6 autoconfiguration ... 197
statistics
  configuration ... 98
stub zone ... 110
Subnet Delegation Wizard ... 126
subnet mask ... 165
subnet mask setting ... 43
subnets ... 159
system logs ... 56

T

TCP ... 148, 210
  clients ... 148
  port ... 33
templates, zone ... 115
Text (TXT) record ... 102
TFTP
  restart ... 196
  service ... 182
  service control ... 196
  start ... 54, 196
  stop ... 54, 196
time zone, setting ... 45
transaction signatures
  overriding default ... 144
  remote DDNS ... 143
  remote master DNS ... 143
  remote slave DNS ... 140
  shared secret ... 140
  usage ... 140


transfer key, generating ... 141
trap server ... 59
troubleshooting ... 56
TSIG resource record ... 140
TSIG, see transaction signatures

U

Update Wizard ... 65
updating software ... 36
updating the product ... 69
user management ... 23

V

vendor profiles ... 178
version
  client version ... 65
version 2 Secure Socket Shell ... 53
viewing logs ... 56, 58
viewing the routing table ... 48
VoIP ... 124
  ENUM zones ... 124
  vendor profiles ... 178

W

Whois lookup tool ... 136
Windows 2000 DHCP dump file ... 230
Windows Active Directory, see Active Directory
Windows Server ... 130
Wizard
  Active Directory ... 130, 233
  Deployment ... 92
  DNS Fixup ... 132
  High Availability ... 201
  Import ... 224
  Live Zone Import ... 225
  Management Console Install ... 68
  New Project ... 71
  New View ... 145
  New Zone ... 104
  Subnet Delegation ... 126
  Update ... 65

X

XHA ... 51
  BIND views ... 210
  cluster, breaking ... 208
  cluster, creating ... 202
  cluster, diagnosing ... 204
  cluster, repairing ... 205
  cluster, updating ... 209
  heartbeat ... 201
  NTP synchronisation ... 46
  overview ... 201
  prerequisites ... 202
  recommended topologies ... 215
  setup procedures ... 202–204

Z

Zebra ... 50
zones
  adding ... 104
  cache ... 108
  DDNS ... 183
  delegation-only ... 97, 110
  deleting ... 112
  disabling ... 97, 112
  e.164 ... 124
  enabling ... 97, 112
  ENUM ... 124
  forward master ... 105
  forwarding ... 109
  in-addr.arpa ... 124
  managing ... 104
  master ... 105
  Mirage ... 243
  refresh ... 111
  renaming ... 111
  resource records ... 118
  reverse master ... 105
  setting options ... 112
  slave, adding ... 106
  slave, update forwarding ... 129
  start of authority ... 114
  Start of Authority (SOA) ... 113
  stub ... 110
  templates ... 115


For safe operating procedures, ensure compliance with the guidelines below.

FCC Notice

This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions:

1. this device may not cause harmful interference, and

2. this device must accept any interference received, including interference that may cause undesired operation.

No TNV (Telecommunications Network Voltage)-connected PCBs shall be installed.

Warning

This is a Class A product. In a domestic environment, the product may cause radio interference in which case the user may be required to take adequate measures.

© 2008. All rights reserved.

CAUTION: Do not remove the cover from the appliance. The cover is to be removed only by qualified personnel. There are no serviceable parts provided inside.

Electrostatic Discharge (ESD) precautions are required before handling the appliance. Wear a wrist strap with an appropriate ground connection.

CAUTION: To prevent the unit from overheating, never install the appliance in an enclosed rack or room that is not properly ventilated or cooled. For proper air flow, keep the front and back sides of the appliance clear of obstructions and away from the exhaust of other equipment.

There is danger of an explosion if the battery is replaced incorrectly. Replace only with the same or equivalent type recommended by the appliance manufacturer. Contact technical support if you need to replace a battery.

CAUTION: Before servicing, power off the appliance by using the rear panel switch. If the appliance does not have an On/Off switch, then unplug the power cord.

Failure to properly ground the appliance, either by circumventing the 3-wire grounding-type plug or by using a power outlet that is improperly grounded, can create a potentially hazardous electrical situation.


BlueCat Networks (USA), Inc.

www.bluecatnetworks.com

Toll Free: 1.866.895.6931

Document #: AG_5.5

Published in Canada