
Today's Topics:

   1. Re: division of responsibility client/dhcp/bind (Bill Shirley)
   2. Re: MAC randomisation and DHCP pools (Bill Shirley)


----------------------------------------------------------------------

Message: 1
Date: Sat, 25 Jul 2020 06:07:31 -0400
From: Bill Shirley <b...@c3po.polymerindustries.biz>
To: dhcp-users@lists.isc.org
Subject: Re: division of responsibility client/dhcp/bind
Message-ID:
        <bb6a1f10-c34f-8d32-0d10-21cfb5d3a...@c3po.polymerindustries.biz>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Allowing just any device to update the DNS is a recipe for disaster. "Hey Mr.
DNS, not only am I desktop.yourdomain.com but also www.yourdomain.com as well as
gateway.yourdomain.com."
Allowing client updates is a concept from a more innocent time of networking.

Configure dhcpd to do *all* the DNS updates:
deny                    client-updates;
deny                    duplicates;
deny                    declines;
option                  fqdn.no-client-update   true;
option                  fqdn.server-update      true;
.
.
subnet 192.168.99.0 netmask 255.255.255.0 {
    ddns-updates            on;
    ddns-domainname         "lan.yourdomain.com";
    option domain-name      "lan.yourdomain.com";
    option domain-search    "lan.yourdomain.com", "wifi.yourdomain.com";
    option fqdn.fqdn        = concat(config-option server.ddns-hostname, ".",
                                     config-option server.ddns-domainname);
.
.
}

To get dhcpd to always update the DNS:
update-optimization     off;

To get dhcpd to update the DNS for hosts with fixed addresses:
update-static-leases    on;

To assign a DNS host name (with or without a fixed address):
host Bobs-phone { hardware ethernet ac:ff:10:d1:0d:2a; ddns-hostname "Bobs-phone"; }
Static addresses should be outside of any pool.

I don't think host statements are required to achieve what you want.

Bill


On 7/25/2020 3:15 AM, Boylan, Ross wrote:
> I have a small private network with machines that go on and off. Some of 
> those machines may come up with the same hardware/mac address, and yet be 
> running different OS's. The different OS's have different host names, and I 
> would like that reflected in DNS.  An additional complication is that some of 
> the systems netboot into an NFS root.  I'm having trouble getting things to 
> work, and think I'm missing something basic about how this is all supposed to 
> work together.
>
> Using ISC dhcpd 4.1, bind 9.11.5 with Debian buster.  Initial testing used an 
> NFS root client that PXE booted (using dhcpd's support for that).
>
> I don't understand why the DDNS update responsibility is potentially split 
> between the server and the client.  It seems the default is that the client 
> updates the A record while the dhcp server requests the update of the PTR 
> record for reverse DNS.  This seems like a recipe for trouble.  First, they 
> could get out of sync.  Second, if a key is required for updates, as was true 
> in my initial configuration, the clients won't ordinarily have it, and so the 
> update will fail.  Because of the second concern, I set dhcpd.conf to "ignore 
> client-updates;".  But my reading of the manual is that this means the 
> client's notion of its hostname will be ignored, defeating the ultimate goal 
> of allowing different hostnames for same MAC.
>
> Another problem was that because of the NFS boot the usual code to bring up 
> the interface was skipped.  So the client system didn't run dhclient.  As a 
> result, I got DDNS entries when the client started.  But when the lease 
> expired without further expression of interest from the client, dhcpd 
> (successfully) requested deletion of the DNS records for the client.
>
> Also, since dhcpd only handed out parameters during the PXE boot, many of the 
> parameters like the domain and search list, didn't make it to the main system 
> once it was booted.
>
> I tried forcing the interface up on the client (specifying auto in 
> /etc/network/interfaces).  This solved some problems while introducing 
> others: the NIC ended up with 2 IP addresses.  Initially only the first was 
> in DNS.  When its lease expired, there were no entries in DNS, but since 
> dhclient was running for the 2nd IP, its lease was renewed and entered into 
> DNS at that time.  In principle it seemed the first IP address could be 
> handed out to another machine, and then 2 machines that would think they had 
> the same IP.  It may be that the discovery process would suffice to prevent 
> this, but at any rate it didn't seem to be a good state of affairs that the 
> client thought it had an IP address that both DHCP and BIND thought was free. 
> Finally, the client was unable to shut down without a manual power off 
> because it was waiting for a response on one of the IP's "after" it shut down.
>
> In all the above I was assigning the client IPs from a pool, although the 
> client had a host declaration (with the MAC but without an IP).  Some 
> discussion on this list says host declarations should use fixed IPs outside 
> of the pool range.  So I gave the host declaration in dhcpd.conf a fixed IP 
> outside the pool range, as well as a very long lease.  I also changed to the 
> default "allow client-updates" while changing bind to accept updates without 
> a key.
>
> The client came up, but no dynamic DNS entries were requested or created as a 
> result.  So does that only happen for IP's allocated out of the pool?  And 
> lease time is irrelevant for an IP not in the pool?
>
> For now, I manually entered the forward and reverse DNS entries into my local 
> zone in bind.
>
> These last choices (dhcpd.conf gets host with fixed ip; bind gets 
> corresponding forward and reverse entries; client does not try to bring 
> interface up after nfs boot) mostly work.  The fact that the entries exist 
> even when the system is down doesn't seem like much of a practical problem, 
> but this obviously cannot satisfy my original desire to allow different 
> hostnames/OS's for the same machine and MAC.
>
> Suggestions?
>
> Thanks.
> Ross Boylan
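An added check to go with the message above: this is my own script, not Bill's
configuration and not ISC code. It parses a dhcpd.conf written in the
server-driven layout Bill describes and reports where DNS updates are still
left to clients, would go unsigned, or would never be sent at all (Ross's
"if a key is required for updates" concern). The two configs embedded in it
are constructed samples; the key and zone declarations use dhcpd's standard
syntax, and the TSIG secret is a placeholder.

```python
import re

# Constructed dhcpd.conf sample (not from the list post). It follows the
# server-driven DDNS layout described in the message and adds the key/zone
# declarations dhcpd needs to sign its updates; the secret is a placeholder.
SAMPLE_CONF = """
ddns-update-style standard;
deny client-updates;
deny duplicates;
deny declines;
option fqdn.no-client-update true;
option fqdn.server-update true;
update-optimization off;
update-static-leases on;

key DHCP_UPDATER {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET=";     # generate a real one with tsig-keygen
}

zone lan.yourdomain.com. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}

subnet 192.168.99.0 netmask 255.255.255.0 {
    ddns-updates on;
    ddns-domainname "lan.yourdomain.com";
    range 192.168.99.128 192.168.99.191;
}
"""

# Constructed counter-example: dhcpd's defaults, clients update their own A records.
WEAK_CONF = """
ddns-update-style interim;
allow client-updates;
subnet 192.168.99.0 netmask 255.255.255.0 {
    range 192.168.99.128 192.168.99.191;
}
"""


def parse_blocks(text):
    """Parse dhcpd.conf text into nested (statement, children) tuples.

    '#' comments are dropped, a statement ends at ';' and '{' opens a block.
    Assumes quoted strings contain none of ';', '{' or '}'.
    """
    text = re.sub(r"#[^\n]*", "", text)
    stack = [[]]
    buf = []
    for ch in text:
        if ch in ";{}":
            stmt = " ".join("".join(buf).split())  # collapse whitespace
            buf = []
            if ch == ";" and stmt:
                stack[-1].append((stmt, []))
            elif ch == "{":
                node = (stmt, [])
                stack[-1].append(node)
                stack.append(node[1])
            elif ch == "}":
                stack.pop()
        else:
            buf.append(ch)
    return stack[0]


def audit_ddns(conf_text):
    """Return findings showing where DDNS is not fully server-driven.

    An empty list means the config matches the recommended layout.
    """
    nodes = parse_blocks(conf_text)
    top = [stmt for stmt, _ in nodes]
    findings = []
    if not any(s in ("deny client-updates", "ignore client-updates") for s in top):
        findings.append("client-updates not denied globally: clients may register their own A records")
    if not any(s.startswith("ddns-update-style") and not s.endswith(" none") for s in top):
        findings.append("ddns-update-style missing or none: dhcpd will not update DNS at all")
    if "update-static-leases on" not in top:
        findings.append("update-static-leases off: hosts with fixed-address get no DNS records")
    if not any(s.startswith("key ") for s in top):
        findings.append("no key declaration: updates would be sent unsigned")
    zones = [(stmt, kids) for stmt, kids in nodes if stmt.startswith("zone ")]
    if not zones:
        findings.append("no zone declaration: dhcpd has no primary to send updates to")
    for stmt, kids in zones:
        if not any(k.startswith("key ") for k, _ in kids):
            findings.append(f"{stmt}: no key, updates to this zone are unsigned")
    for stmt, kids in nodes:
        if stmt.startswith("subnet ") and "ddns-updates off" in [k for k, _ in kids]:
            findings.append(f"{stmt}: ddns-updates off")
    return findings


if __name__ == "__main__":
    for name, conf in (("SAMPLE_CONF", SAMPLE_CONF), ("WEAK_CONF", WEAK_CONF)):
        print(name, "->", audit_ddns(conf) or "ok")
```

Run it against your own dhcpd.conf by reading the file into audit_ddns(); the
parser is deliberately simple (no include handling), so feed it the file that
actually carries the DDNS and zone statements.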

------------------------------

Message: 2
Date: Sat, 25 Jul 2020 07:21:12 -0400
From: Bill Shirley <b...@c3po.polymerindustries.biz>
To: dhcp-users@lists.isc.org
Subject: Re: MAC randomisation and DHCP pools
Message-ID:
        <cd91d1fe-bc70-17fc-a9fe-c30f46b3e...@c3po.polymerindustries.biz>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

No, the point of IPv6 is more addresses. Then the privacy advocates and DHCP
haters jumped onboard and made IPv6 very complicated. For DHCPv6, most devices
don't send the host name. This makes it very hard to keep DNS updated. However,
kudos to Microsoft because Windows does send the host name.

Yes, random MAC addresses will lead to problems assigning static addresses. It
will be impossible to open a port (in-going or out-going) on the firewall for a
special device.

For IPv4 you can identify a device by host name because most devices send it:
class "identify_by_hostname" {
    match option host-name;
}
subclass "identify_by_hostname" "android-4867fdc048d28c06" { ddns-hostname "My-eXpro-tablet"; }    # this works
Just add a fixed-address between the {} to the subclass entry if desired.

Whoever comes up with this randomization stuff has obviously never been a
network administrator.


To address Mike's post, shorten your lease times:
class "mobile_device" {
    match if (
        option host-name ~~ "dhcpcd"
        or option host-name ~~ "android"
        or option host-name ~~ "iphone"
        or option host-name ~~ "samsung-sm"
        or option host-name ~~ "ipod"
        or option host-name ~~ "ipad"
        or option host-name ~~ "a?p?plewatch"
        or option host-name ~~ "nintendo 3ds"
        or option host-name ~~ "galaxy-"
        or option host-name ~~ "g7-thinq"
        or option host-name ~~ "v40-thinq"
        or option vendor-class-identifier ~~ "android-dhcp"
    );
    # optional: to make devices unique (for DNS) that have a duplicate host name
    # (users haven't changed the default):
    if (lcase(option host-name) = "iphone")   { ddns-hostname = concat("iPhone-",  binary-to-ascii(16, 8, "", substring(hardware, 4, 3))); }
    if (lcase(option host-name) = "iphone-2") { ddns-hostname = concat("iPhone2-", binary-to-ascii(16, 8, "", substring(hardware, 4, 3))); }
    if (lcase(option host-name) = "iphone-3") { ddns-hostname = concat("iPhone3-", binary-to-ascii(16, 8, "", substring(hardware, 4, 3))); }
    if (lcase(option host-name) = "ipod")     { ddns-hostname = concat("iPod-",    binary-to-ascii(16, 8, "", substring(hardware, 4, 3))); }
    if (lcase(option host-name) = "ipad")     { ddns-hostname = concat("iPad-",    binary-to-ascii(16, 8, "", substring(hardware, 4, 3))); }
    if ((substring(lcase(option fqdn.hostname), 0, 8) = "g7-thinq") or
        (substring(lcase(option host-name), 0, 8) = "g7-thinq")) {
        ddns-hostname = concat("g7-thinq-", binary-to-ascii(16, 8, "", substring(hardware, 4, 3)));
    }
    if not ((exists server.ddns-hostname) or (exists fqdn.hostname) or (exists host-name)) {
        if (substring(lcase(option vendor-class-identifier), 0, 12) = "android-dhcp") {
            ddns-hostname = concat("android-dhcp-", binary-to-ascii(16, 8, "", substring(hardware, 4, 3)));
        }
    }
}
class "Other_mobile" {
    match hardware;
    set member_of = "mobile_device";
}
subclass "Other_mobile" 1:68:09:ff:49:0a:35;                                    # Brenda's-phone
subclass "Other_mobile" 1:00:aa:f6:01:05:fe { ddns-hostname "Ricks-phone"; }
.
.
subnet 192.168.99.0 netmask 255.255.255.0 {
.
.
# ------------------
    pool {
        allow members of "mobile_device";
        allow members of "Other_mobile";

        deny dynamic bootp clients;

        adaptive-lease-time-threshold   75;     # use min-lease-time when pool is above this percent
        min-lease-time                  3600;   # 1 hour
        default-lease-time              14400;  # 4 hours
        max-lease-time                  28800;  # 8 hours

        range 192.168.99.128 192.168.99.191;    # 192.168.99.128/26 (64 addresses)
    }
# ------------------
.
.
}
Note the *adaptive-lease-time-threshold* statement.

Bill

On 7/24/2020 9:46 PM, Joshua Stark wrote:
> But was that not the point of IPv6 - totally random

------------------------------

Subject: Digest Footer

_______________________________________________
ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
dhcp-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users


------------------------------

End of dhcp-users Digest, Vol 141, Issue 12
*******************************************
