RE: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread Philippe.Simonet
Hi Hans

If you can afford it, use the ISC DHCP server DDNS method:

- only the DHCP server is allowed to update the DNS server (forward / reverse zone);
  protect NSUPDATE with an ACL, or better, TSIG
- in dhcpd.conf:

    ddns-updates on;
    ddns-update-style interim;
    ignore client-updates;

- and, still in dhcpd.conf, set that only in the subnet you want.

The interim style uses, for each A record, a TXT record to ensure that 'static'
DNS entries are not overwritten by dynamic (DHCP) clients.

http://www.zytrax.com/books/dns/ch9/dhcp.html


Philippe


> -Original Message-
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
> MAYER Hans
> Sent: Wednesday, December 20, 2017 2:27 PM
> To: bind-us...@isc.org
> Subject: Re: DDNS - limitation and excluding updates from certain networks
> 
> 
> Dear Mukund,
> 
> Many thanks for coming back.
> 
> > You'll have to explain what you mean better for a more specific answer,
> > but see the manual for the "allow-update" ACL config option
> 
> In my zone configuration I have an “allow-update” statement.
> Here I define all networks which are allowed to dynamically update the DNS
> entries.
> 
> But my zone contains other IP addresses too. Not only those of the PCs.
> These are static names/addresses which are seldom changed.
> 
> And of course the complete zone is a dynamic zone.
> 
> And I don’t want these static names to be changed by someone from an IP
> range where it is allowed.
> I didn’t find any hint on how to block certain IP ranges from being updated
> within a dynamic zone.
> 
> Hopefully this explains my question a little bit better.
> 
> 
> // Hans
> 
> 
> 
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Re: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread Mukund Sivaraman
On Wed, Dec 20, 2017 at 10:40:31AM -0700, Grant Taylor via bind-users wrote:
> On 12/20/2017 06:27 AM, MAYER Hans wrote:
> > And I don’t want these static names to be changed by someone from an IP
> > range where it is allowed.  I didn’t find any hint on how to block
> > certain IP ranges from being updated within a dynamic zone.
> 
> I don't remember the specifics, but there is a way built into BIND to do
> what you are wanting.
> 
> I think there's an ACL configuration where you can configure that DDNS
> clients are only able to update the records that they own.  -  I think
> ownership is related to the connecting IP.
> 
> I do remember that when I tested this, it was trivial to set up and one
> configuration entry seemed to apply multiple DDNS clients.
> 
> I'm sorry, but I don't remember any more specifics.

I beg your pardon, my original answer was incorrect. The option to do
this (for more access control over what updates to perform) is
"update-policy" as you have correctly pointed out.

The original poster may want to read about this option in the manual,
under "Dynamic Update Policies" in Chapter 6.

Mukund

Re: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread Grant Taylor via bind-users

On 12/20/2017 10:40 AM, Grant Taylor via bind-users wrote:
> I don't remember the specifics, but there is a way built into BIND to do
> what you are wanting.


Well, my GoogleFu seems to be working today:

Link - DNS Dynamic Update (DNS and BIND, 4th Edition)
 - https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm

> I think there's an ACL configuration where you can configure that DDNS
> clients are only able to update the records that they own.  -  I think
> ownership is related to the connecting IP.


"update-policy" seems to be what you want.

> I do remember that when I tested this, it was trivial to set up and one
> configuration entry seemed to apply multiple DDNS clients.


Per the linked page, something like the following allows all machines in 
the fx.movie.edu zone to update their own records.


    zone "fx.movie.edu" {
        type master;
        file "db.fx.movie.edu";
        update-policy { grant *.fx.movie.edu. self fx.movie.edu. A; };
    };

Short of this, the other hack that I had considered was to use a CNAME 
to a child zone that the client was allowed to update.  I.e. 
example.fx.movie.edu. CNAME example.ddns.fx.movie.edu, which example had 
full control over.  -  But this scheme proved to be unnecessary with the 
"update-policy { grant … self … };" technique above.




--
Grant. . . .
unix || die



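As an added example, not taken from any post in this thread, here is a named.conf zone statement that combines the approaches discussed above: the DHCP server is the only party allowed broad updates, authenticated with a TSIG key as Philippe and Mukund suggest; a client may touch only its own name through a "self" rule like the one on the O'Reilly page Grant links; and the static names Hans wants to protect are denied to everyone before any grant is reached. The zone name, host names, key name and secret are constructed placeholders. One point worth knowing when reading it: the identity matched by an update-policy rule is the name of the TSIG (or SIG(0)) key that signed the request, not the client's source address, so a host gets "self" rights only when its key is named after its own host name.

```conf
// Added example, not from the thread. All names, addresses and the key
// secret are constructed placeholders.

// The DHCP server signs its updates with this key (Philippe's setup:
// only dhcpd talks to named; clients never update the zone directly).
key "dhcp-ddns" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen";
};

zone "example.test" {
    type master;
    file "db.example.test";

    // allow-update is deliberately absent: as Mukund notes, it covers the
    // whole zone and cannot look at which name an update touches.
    // update-policy rules are checked top to bottom; the first match decides.
    update-policy {
        // Static names Hans wants to keep fixed: refuse every dynamic
        // update to them, whoever signed it, before any grant is reached.
        deny * name gw.example.test ANY;
        deny * name printer.example.test ANY;

        // The DHCP server may maintain address records (and the TXT
        // ownership records the interim style writes) below the apex.
        grant dhcp-ddns subdomain example.test A AAAA TXT;

        // A client holding a key named after its own host name may change
        // only that name (the "self" rule Grant found).
        grant *.example.test self *.example.test A AAAA;
    };
};

// Reverse zone: only the DHCP server, and only PTR records.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "db.192.0.2";
    update-policy {
        grant dhcp-ddns subdomain 2.0.192.in-addr.arpa PTR;
    };
};
```

After an rndc reconfig, an nsupdate signed with the dhcp-ddns key that tries to change gw.example.test is answered with REFUSED, while the same key adding a lease's A record, or a host key named after its own name changing that name, succeeds; checking both cases is a quick way to confirm the rule order does what you intended.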

Re: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread Grant Taylor via bind-users

On 12/20/2017 06:27 AM, MAYER Hans wrote:
> And I don’t want these static names to be changed by someone from an IP
> range where it is allowed.  I didn’t find any hint on how to block
> certain IP ranges from being updated within a dynamic zone.


I don't remember the specifics, but there is a way built into BIND to do 
what you are wanting.


I think there's an ACL configuration where you can configure that DDNS 
clients are only able to update the records that they own.  -  I think 
ownership is related to the connecting IP.


I do remember that when I tested this, it was trivial to set up and one 
configuration entry seemed to apply multiple DDNS clients.


I'm sorry, but I don't remember any more specifics.



--
Grant. . . .
unix || die




Re: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread Bob Harold
On Wed, Dec 20, 2017 at 8:54 AM, Mukund Sivaraman  wrote:

> On Wed, Dec 20, 2017 at 01:27:17PM +, MAYER Hans wrote:
> >
> > Dear Mukund,
> >
> > Many thanks for coming back.
> >
> > > You'll have to explain what you mean better for a more specific answer,
> > > but see the manual for the "allow-update" ACL config option
> >
> > In my zone configuration I have an “allow-update” statement.
> > Here I define all networks which are allowed to dynamically update the
> DNS entries.
> >
> > But my zone contains other IP addresses too. Not only those of the PCs.
> > These are static names/addresses which are seldom changed.
> >
> > And of course the complete zone is a dynamic zone.
> >
> > And I don’t want these static names to be changed by someone from an IP
> > range where it is allowed.
> > I didn’t find any hint on how to block certain IP ranges from being
> > updated within a dynamic zone.
> >
> > Hopefully this explains my question a little bit better.
>
> The allow-update ACL applies to the whole zone. The ACL code doesn't
> discriminate using the contents of the update.
>
> You could put the names requiring update into a child zone (but
> obviously it'll add another label) or another zone altogether (but
> obviously it'll have a different name).
>
> Mukund


Just guessing here, but I see a TXT record beside each A record, and am
told that Windows clients check the TXT record to see if they "own" the A
record.  The TXT record is hex encoded data, maybe the client identifier.
So if you created a TXT record for each A record, like:
    servername  IN  TXT  "do not dynamically update"
    servername  IN  A    10.11.12.13

(or the TXT value might need to be valid hex?)

That might reduce the chances of a Windows client overwriting it.

-- 
Bob Harold

RNDC client protocol mode for NodeJS

2017-12-20 Thread Ray Bellis
For those of you that like Javascript, and like it server side, there's
now an implementation of the RNDC protocol available for NodeJS:



We hope people may find this useful.

Please note that this is not officially supported ISC software.

Ray Bellis
ISC Research Fellow


Re: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread Mukund Sivaraman
On Wed, Dec 20, 2017 at 01:27:17PM +, MAYER Hans wrote:
> 
> Dear Mukund, 
> 
> Many thanks for coming back. 
> 
> > You'll have to explain what you mean better for a more specific answer,
> > but see the manual for the "allow-update" ACL config option
> 
> In my zone configuration I have an “allow-update” statement. 
> Here I define all networks which are allowed to dynamically update the DNS 
> entries. 
> 
> But my zone contains other IP addresses too. Not only those of the PCs.
> These are static names/addresses which are seldom changed. 
> 
> And of course the complete zone is a dynamic zone. 
> 
> And I don’t want these static names to be changed by someone from an IP
> range where it is allowed.
> I didn’t find any hint on how to block certain IP ranges from being updated
> within a dynamic zone.
> 
> Hopefully this explains my question a little bit better.

The allow-update ACL applies to the whole zone. The ACL code doesn't
discriminate using the contents of the update.

You could put the names requiring update into a child zone (but
obviously it'll add another label) or another zone altogether (but
obviously it'll have a different name).

Mukund

Re: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread MAYER Hans

Dear Mukund, 

Many thanks for coming back. 

> You'll have to explain what you mean better for a more specific answer,
> but see the manual for the "allow-update" ACL config option

In my zone configuration I have an “allow-update” statement. 
Here I define all networks which are allowed to dynamically update the DNS 
entries. 

But my zone contains other IP addresses too. Not only those of the PCs.
These are static names/addresses which are seldom changed. 

And of course the complete zone is a dynamic zone. 

And I don’t want these static names to be changed by someone from an IP
range where it is allowed.
I didn’t find any hint on how to block certain IP ranges from being updated
within a dynamic zone.

Hopefully this explains my question a little bit better.


// Hans




Re: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread Mukund Sivaraman
On Wed, Dec 20, 2017 at 12:39:33PM +, MAYER Hans wrote:
> 
> 
> Dear All,
> 
> My environment: We are using the latest version of BIND and DHCP from ISC.
> Our workstations (mostly Windows and some Mac) are in certain networks.
> Only these networks are allowed to do dynamic DNS updates. So when a PC is
> switched on, its IPv4, IPv4 reverse, IPv6 and IPv6 reverse are registered.
> 
> So far everything works well. 
> 
> Is there a way to configure that names which are registered in other
> networks are not allowed to be updated?

You'll have to explain what you mean better for a more specific answer,
but see the manual for the "allow-update" ACL config option
(per-zone). You can set access control on who can update the zone by
configuring this option (preferably using TSIG key, but also network
ACL). Adjust your zones, ACLs and services appropriately.

Mukund


DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread MAYER Hans


Dear All,

My environment: We are using the latest version of BIND and DHCP from ISC. Our
workstations (mostly Windows and some Mac) are in certain networks. Only
these networks are allowed to do dynamic DNS updates. So when a PC is switched
on, its IPv4, IPv4 reverse, IPv6 and IPv6 reverse are registered.

So far everything works well. 

Is there a way to configure that names which are registered in other networks
are not allowed to be updated?


Kind regards 
Hans 

