Re: DDNS - limitation and excluding updates from certain networks
On 27.12.2017 at 21:31, MAYER Hans wrote:
> Many thanks. Yes, that's exactly what I am looking for. I have
> "ddns-update-style interim;" But what do you mean with "static entry"?
> For example my "static entries" are all servers. But the servers don't
> have any DHCP entries. The IP addresses of the interfaces are "hard wired"

192.168.2.9 *is not* in "range 192.168.2.150 192.168.2.200", but when MAC
00:A0:96:9C:14:1C asks for a DHCP IP it gets 192.168.2.9. That is a static
entry; it's that simple.

[root@srv-rhsoft:~]$ cat /etc/dhcp/dhcpd.conf
authoritative;
ddns-update-style none;
ddns-updates off;
default-lease-time 86400;
max-lease-time 259200;
log-facility local7;
option rfc3442-classless-static-routes code 121 = array of integer 8;
option ms-classless-static-routes code 249 = array of integer 8;

subnet 192.168.2.0 netmask 255.255.255.0 {
  option domain-name "rhsoft.net";
  option domain-name-servers 192.168.2.2;
  option routers 192.168.2.2;
  option smtp-server 192.168.2.2;
  option pop-server 192.168.2.2;
  option ntp-servers 192.168.2.2;
  option time-servers 192.168.2.2;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.2.255;
  option interface-mtu 1444;
  range 192.168.2.150 192.168.2.200;
}

host blueray {
  hardware ethernet 00:A0:96:9C:14:1C;
  fixed-address 192.168.2.9;
}

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DDNS - limitation and excluding updates from certain networks
Hello Dirk,

Many thanks. Yes, that's exactly what I am looking for. I have
"ddns-update-style interim;" But what do you mean with "static entry"?
For example my "static entries" are all servers. But the servers don't
have any DHCP entries. The IP addresses of the interfaces are "hard wired".
And they have a DNS entry. Generated a long time ago, and it should never
be changed by any DHCP client. ( If the client should ever have the same
name as a server )

Do all your clients also generate a TXT record within DNS ?

Kind regards
Hans

> On 26.12.2017, at 22:35, Dirk Gottschalk via bind-users wrote:
>
> Hello Hans,
>
> On Wednesday, 20.12.2017, 12:39 +, MAYER Hans wrote:
>>
>> Dear All,
>>
>> My environment: We are using the latest version of BIND and DHCP from
>> ISC. Our workstations ( mostly Windows and some Mac ) are in certain
>> networks. Only these networks are allowed to do dynamic DNS updates.
>> So when a PC is switched on its IPv4, IPv4 reverse, IPv6 and reverse
>> is registered.
>>
>> So far everything works well.
>>
>> Is there a way to configure that names which are registered in other
>> networks are not allowed to be updated ?
>
> My DHCPd/BIND9 combination does exactly what you mean. Existing zone
> entries are not changed by DHCPD, because DHCPD only adds new "unknown"
> entries to the DNS database, or changes dynamic entries which have an
> existing DHCID record set.
>
> If I try to use a name that is already set manually as a static entry,
> DHCPd throws an error to the logs like: "Record already available and no
> DHCID record found, NOT mine!"
>
> Is this the behavior you want?
>
> I have set 'ddns-update-style standard' in my dhcpd.conf and it works well.
>
> Regards,
> Dirk
>
> --
> Dirk Gottschalk
> Paulusstrasse 6-8
> 52064 Aachen
> Tel.: +49 1573 1152350
Re: DDNS - limitation and excluding updates from certain networks
Hello Hans,

On Wednesday, 20.12.2017, 12:39 +, MAYER Hans wrote:
>
> Dear All,
>
> My environment: We are using the latest version of BIND and DHCP from
> ISC. Our workstations ( mostly Windows and some Mac ) are in certain
> networks. Only these networks are allowed to do dynamic DNS updates.
> So when a PC is switched on its IPv4, IPv4 reverse, IPv6 and reverse
> is registered.
>
> So far everything works well.
>
> Is there a way to configure that names which are registered in other
> networks are not allowed to be updated ?

My DHCPd/BIND9 combination does exactly what you mean. Existing zone
entries are not changed by DHCPD, because DHCPD only adds new "unknown"
entries to the DNS database, or changes dynamic entries which have an
existing DHCID record set.

If I try to use a name that is already set manually as a static entry,
DHCPd throws an error to the logs like: "Record already available and no
DHCID record found, NOT mine!"

Is this the behavior you want?

I have set 'ddns-update-style standard' in my dhcpd.conf and it works well.

Regards,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350
Re: DDNS - limitation and excluding updates from certain networks
On 12/25/2017 10:23 AM, MAYER Hans wrote:
> Hi Grant,

Hi Hans,

> Many thanks for the detailed information.

You're welcome.

> "update-policy" is new for me and maybe the solution. I have to dig
> deeper into the documentation.

It's relatively new for me too. I think I became aware of it through one
of the people I follow on Twitter.

> update-policy { grant *.fx.movie.edu. self fx.movie.edu. A; };
>
> What does it say ?

My understanding is that *.fx.movie.edu is given permission to update its
own A record. I'd have to go back and re-read the documentation (Zytrax's
page is good) to decode it further.

> So far I have seen the client is only allowed to update his own record.
> That means if the client has a new IP it can update the IP address.

That's my understanding as well.

> Does it mean the client is only allowed to update within the same
> network range ?

I don't think the update-policy statement above cares where the client is
located. Remember that we're talking about the A record in the
fx.movie.edu zone.

> It seems I am missing some important information. Maybe I am blind, but
> how is the client name verified ?

The only times that I've used this was in combination with a TSIG key. So
that may be how the client is authenticating who it is to the DNS server.

> What happens if a client has for example the name "www" ?

I can't recall at the moment what the identifying factor is. It may very
well be embedded in the TSIG key.

> ( Assume we have already a record with name "www" and IP but in a
> different network than the client )

*nod*

> Kind regards

Likewise.

--
Grant. . . .
unix || die
Re: DDNS - limitation and excluding updates from certain networks
Hi Grant,

Many thanks for the detailed information.

"update-policy" is new for me and maybe the solution. I have to dig deeper
into the documentation.

> update-policy { grant *.fx.movie.edu. self fx.movie.edu. A; };

What does it say ?

So far I have seen the client is only allowed to update his own record.
That means if the client has a new IP it can update the IP address.
Does it mean the client is only allowed to update within the same network
range ?

It seems I am missing some important information. Maybe I am blind, but
how is the client name verified ? What happens if a client has for example
the name "www" ? ( Assume we have already a record with name "www" and IP
but in a different network than the client )

Kind regards
Hans

> On 20.12.2017, at 18:50, Grant Taylor via bind-users wrote:
>
> On 12/20/2017 10:40 AM, Grant Taylor via bind-users wrote:
>> I don't remember the specifics, but there is a way built into BIND to do
>> what you are wanting.
>
> Well, my GoogleFu seems to be working today:
>
> Link - DNS Dynamic Update (DNS and BIND, 4th Edition)
> - https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm
>
>> I think there's an ACL configuration where you can configure that DDNS
>> clients are only able to update the records that they own. - I think
>> ownership is related to the connecting IP.
>
> "update-policy" seems to be what you want.
>
>> I do remember that when I tested this, it was trivial to set up and one
>> configuration entry seemed to apply to multiple DDNS clients.
>
> Per the linked page, something like the following allows all machines in
> the fx.movie.edu zone to update their own records.
>
> zone "fx.movie.edu" {
>     type master;
>     file "db.fx.movie.edu";
>     update-policy { grant *.fx.movie.edu. self fx.movie.edu. A; };
> };
>
> Short of this, the other hack that I had considered was to use a CNAME to
> a child zone that the client was allowed to update. I.e.
> example.fx.movie.edu. CNAME example.ddns.fx.movie.edu, which example had
> full control over. - But this scheme proved to be unnecessary with the
> "update-policy { grant … self … };" technique above.
>
> --
> Grant. . . .
> unix || die
Re: DDNS - limitation and excluding updates from certain networks
Dear Philippe,

thanks for your reply.

> - and, always in DHCPD.conf, set that only in the subnet you want.

Of course, but this does not prevent that a client takes a name which is
already in use in another protected network. The name of the client comes
from the client itself and not from the DHCP server.

> the interim style uses for each A record a TXT record to ensure that
> 'static' dns entries are not overwritten by dynamic (dhcp) clients.

Ah. This would be great if this works. I have to test. I will report to
you. But after New Year.

Kind regards
Hans

> On 20.12.2017, at 21:13, philippe.simo...@swisscom.com wrote:
>
> Hi Hans
>
> if you can afford, use ISC DHCP server DDNS method :
>
> - only DHCP server is allowed to update DNS server (forward / reverse zone),
>   protect NSUPDATE with ACL, or better tsig
> - in dhcpd.conf :
>   ddns-updates on;
>   ddns-update-style interim;
>   ignore client-updates;
> - and, always in DHCPD.conf, set that only in the subnet you want.
>
> the interim style uses for each A record a TXT record to ensure that
> 'static' dns entries are not overwritten by dynamic (dhcp) clients.
>
> http://www.zytrax.com/books/dns/ch9/dhcp.html
>
> Philippe
>
>> -Original Message-
>> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
>> MAYER Hans
>> Sent: Wednesday, December 20, 2017 2:27 PM
>> To: bind-us...@isc.org
>> Subject: Re: DDNS - limitation and excluding updates from certain networks
>>
>> Dear Mukund,
>>
>> Many thanks for coming back.
>>
>>> You'll have to explain what you mean better for a more specific answer,
>>> but see the manual for the "allow-update" ACL config option
>>
>> In my zone configuration I have an "allow-update" statement.
>> Here I define all networks which are allowed to dynamically update the
>> DNS entries.
>>
>> But my zone contains other IP addresses too. Not only those of the PCs.
>> These are static names/addresses which are seldom changed.
>>
>> And of course the complete zone is a dynamic zone.
>>
>> And I don't want that these static names can be changed by someone out
>> of an IP range where it is allowed.
>> I didn't find any hint to block certain IP ranges to be updated within a
>> dynamic zone.
>>
>> Hopefully this explains my question a little bit better.
>>
>> // Hans
RE: DDNS - limitation and excluding updates from certain networks
Hi Hans

if you can afford, use ISC DHCP server DDNS method :

- only DHCP server is allowed to update DNS server (forward / reverse zone),
  protect NSUPDATE with ACL, or better tsig
- in dhcpd.conf :
  ddns-updates on;
  ddns-update-style interim;
  ignore client-updates;
- and, always in DHCPD.conf, set that only in the subnet you want.

the interim style uses for each A record a TXT record to ensure that
'static' dns entries are not overwritten by dynamic (dhcp) clients.

http://www.zytrax.com/books/dns/ch9/dhcp.html

Philippe

> -Original Message-
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
> MAYER Hans
> Sent: Wednesday, December 20, 2017 2:27 PM
> To: bind-us...@isc.org
> Subject: Re: DDNS - limitation and excluding updates from certain networks
>
> Dear Mukund,
>
> Many thanks for coming back.
>
>> You'll have to explain what you mean better for a more specific answer,
>> but see the manual for the "allow-update" ACL config option
>
> In my zone configuration I have an "allow-update" statement.
> Here I define all networks which are allowed to dynamically update the
> DNS entries.
>
> But my zone contains other IP addresses too. Not only those of the PCs.
> These are static names/addresses which are seldom changed.
>
> And of course the complete zone is a dynamic zone.
>
> And I don't want that these static names can be changed by someone out of
> an IP range where it is allowed.
> I didn't find any hint to block certain IP ranges to be updated within a
> dynamic zone.
>
> Hopefully this explains my question a little bit better.
>
> // Hans
Re: DDNS - limitation and excluding updates from certain networks
On Wed, Dec 20, 2017 at 10:40:31AM -0700, Grant Taylor via bind-users wrote:
> On 12/20/2017 06:27 AM, MAYER Hans wrote:
>> And I don't want that these static names can be changed by someone out
>> of an IP range where it is allowed. I didn't find any hint to block
>> certain IP ranges to be updated within a dynamic zone.
>
> I don't remember the specifics, but there is a way built into BIND to do
> what you are wanting.
>
> I think there's an ACL configuration where you can configure that DDNS
> clients are only able to update the records that they own. - I think
> ownership is related to the connecting IP.
>
> I do remember that when I tested this, it was trivial to set up and one
> configuration entry seemed to apply to multiple DDNS clients.
>
> I'm sorry, but I don't remember any more specifics.

I beg your pardon, my original answer was incorrect. The option to do this
(for more access control over what updates to perform) is "update-policy"
as you have correctly pointed out. The original poster may want to read
about this option in the manual, under "Dynamic Update Policies" in
Chapter 6.

Mukund
Re: DDNS - limitation and excluding updates from certain networks
On 12/20/2017 10:40 AM, Grant Taylor via bind-users wrote:
> I don't remember the specifics, but there is a way built into BIND to do
> what you are wanting.

Well, my GoogleFu seems to be working today:

Link - DNS Dynamic Update (DNS and BIND, 4th Edition)
- https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_02.htm

> I think there's an ACL configuration where you can configure that DDNS
> clients are only able to update the records that they own. - I think
> ownership is related to the connecting IP.

"update-policy" seems to be what you want.

> I do remember that when I tested this, it was trivial to set up and one
> configuration entry seemed to apply to multiple DDNS clients.

Per the linked page, something like the following allows all machines in
the fx.movie.edu zone to update their own records.

zone "fx.movie.edu" {
    type master;
    file "db.fx.movie.edu";
    update-policy { grant *.fx.movie.edu. self fx.movie.edu. A; };
};

Short of this, the other hack that I had considered was to use a CNAME to
a child zone that the client was allowed to update. I.e.
example.fx.movie.edu. CNAME example.ddns.fx.movie.edu, which example had
full control over. - But this scheme proved to be unnecessary with the
"update-policy { grant … self … };" technique above.

--
Grant. . . .
unix || die
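How BIND decides under that rule, and why a host key cannot touch "www" (Hans' question above), as an added example that is not Grant's, Hans' or BIND's code: a small Python evaluator for update-policy statements. It follows what BIND documents: the identity is the name of the TSIG key that signed the update, "self" matches only when the name being updated equals that key name, and the first matching rule decides. The second rule, the "dhcp-server" key name and the host names are constructed for illustration.

```python
from dataclasses import dataclass

# Added example (not BIND's code): a toy evaluator for "update-policy" rules.
# As BIND documents, the identity is the name of the TSIG key that signed the
# update, rules are tried in order, and the first matching rule decides.

@dataclass
class Rule:
    action: str     # "grant" or "deny"
    identity: str   # key name; a leading "*." is a DNS wildcard
    nametype: str   # "self", "name", "subdomain" or "wildcard"
    name: str       # the rule's name field
    types: set      # RR types the rule covers, or {"ANY"}

def _canon(name: str) -> str:
    """Lower-case, absolute (trailing dot) form used for all comparisons."""
    return name.lower().rstrip(".") + "."

def parse_update_policy(text: str) -> list:
    """Parse 'grant|deny identity nametype name [types...];' statements."""
    rules = []
    for stmt in text.split(";"):
        parts = stmt.split()
        if not parts:
            continue
        action, identity, nametype, name, *types = parts
        rules.append(Rule(action, _canon(identity), nametype.lower(),
                          _canon(name), {t.upper() for t in types} or {"ANY"}))
    return rules

def _wildcard_match(pattern: str, name: str) -> bool:
    """'*.fx.movie.edu.' matches any name strictly below fx.movie.edu."""
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return name.endswith(suffix) and len(name) > len(suffix)
    return pattern == name

def _name_matches(rule: Rule, key: str, target: str) -> bool:
    if rule.nametype == "self":        # name field is ignored for "self"
        return target == key
    if rule.nametype == "name":
        return target == rule.name
    if rule.nametype == "subdomain":
        return target == rule.name or target.endswith("." + rule.name)
    if rule.nametype == "wildcard":
        return _wildcard_match(rule.name, target)
    raise ValueError(f"unsupported nametype {rule.nametype!r}")

def update_allowed(rules: list, key_name: str, target: str, rtype: str) -> bool:
    """Would an update signed with key_name, touching target/rtype, be accepted?"""
    key, target = _canon(key_name), _canon(target)
    for r in rules:
        if not _wildcard_match(r.identity, key):
            continue
        if not _name_matches(r, key, target):
            continue
        if "ANY" not in r.types and rtype.upper() not in r.types:
            continue
        return r.action == "grant"
    return False  # no rule matched: refused

# The rule quoted in the thread, plus a constructed rule for a DHCP server key
# that may only write below a dyn. subdomain (the key name is an assumption).
POLICY = """
    grant *.fx.movie.edu. self fx.movie.edu. A;
    grant dhcp-server.fx.movie.edu. subdomain dyn.fx.movie.edu. A AAAA;
"""
RULES = parse_update_policy(POLICY)

if __name__ == "__main__":
    # A host key may update its own A record, but not "www" in another network.
    print(update_allowed(RULES, "pc1.fx.movie.edu", "pc1.fx.movie.edu", "A"))  # True
    print(update_allowed(RULES, "pc1.fx.movie.edu", "www.fx.movie.edu", "A"))  # False
```

Note that none of this looks at the source address: the decision rests on which key signed the update, which is why a "self" rule answers the "www" case regardless of network.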
Re: DDNS - limitation and excluding updates from certain networks
On 12/20/2017 06:27 AM, MAYER Hans wrote:
> And I don't want that these static names can be changed by someone out
> of an IP range where it is allowed. I didn't find any hint to block
> certain IP ranges to be updated within a dynamic zone.

I don't remember the specifics, but there is a way built into BIND to do
what you are wanting.

I think there's an ACL configuration where you can configure that DDNS
clients are only able to update the records that they own. - I think
ownership is related to the connecting IP.

I do remember that when I tested this, it was trivial to set up and one
configuration entry seemed to apply to multiple DDNS clients.

I'm sorry, but I don't remember any more specifics.

--
Grant. . . .
unix || die
Re: DDNS - limitation and excluding updates from certain networks
On Wed, Dec 20, 2017 at 8:54 AM, Mukund Sivaraman wrote:
> On Wed, Dec 20, 2017 at 01:27:17PM +, MAYER Hans wrote:
>>
>> Dear Mukund,
>>
>> Many thanks for coming back.
>>
>>> You'll have to explain what you mean better for a more specific answer,
>>> but see the manual for the "allow-update" ACL config option
>>
>> In my zone configuration I have an "allow-update" statement.
>> Here I define all networks which are allowed to dynamically update the
>> DNS entries.
>>
>> But my zone contains other IP addresses too. Not only those of the PCs.
>> These are static names/addresses which are seldom changed.
>>
>> And of course the complete zone is a dynamic zone.
>>
>> And I don't want that these static names can be changed by someone out
>> of an IP range where it is allowed.
>> I didn't find any hint to block certain IP ranges to be updated within a
>> dynamic zone.
>>
>> Hopefully this explains my question a little bit better.
>
> The allow-update ACL applies to the whole zone. The ACL code doesn't
> discriminate using the contents of the update.
>
> You could put the names requiring update into a child zone (but
> obviously it'll add another label) or another zone altogether (but
> obviously it'll have a different name).
>
> Mukund

Just guessing here, but I see a TXT record beside each A record, and am
told that Windows clients check the TXT record to see if they "own" the A
record. The TXT record is hex encoded data, maybe the client identifier.
So if you created a TXT record for each A record, like:

servername IN TXT "do not dynamically update" (or might need to be valid hex?)
servername IN A 10.11.12.13

That might reduce the chances of a Windows client overwriting it.

--
Bob Harold
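The DHCP-side check that Bob guesses at here and that Philippe and Dirk describe elsewhere in the thread (a DHCID record with the standard style, a TXT record with the interim style), as an added example that is not ISC dhcpd's code: the DHCP server records a DHCID beside each A record it creates and refuses to touch a name whose A record carries no DHCID or someone else's. The DHCID bytes follow RFC 4701 (identifier type 0x0000 = htype + chaddr, SHA-256); the in-memory zone, host names and MAC addresses are constructed.

```python
import base64
import hashlib

# Added example (not ISC dhcpd's code): the DHCP-server-side conflict check
# described in the thread. The DHCID encoding follows RFC 4701; the zone is a
# constructed in-memory dict of name -> {"A": ..., "DHCID": ...}.

def _fqdn_wire(fqdn: str) -> bytes:
    """Canonical (lower-case) DNS wire form of an FQDN, as RFC 4701 requires."""
    out = b""
    for label in fqdn.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dhcid_rdata(htype: int, chaddr: bytes, fqdn: str) -> str:
    """Base64 DHCID RDATA: identifier type 0x0000 (htype + chaddr), digest type 1 (SHA-256)."""
    identifier = bytes([htype]) + chaddr
    digest = hashlib.sha256(identifier + _fqdn_wire(fqdn)).digest()
    return base64.b64encode(b"\x00\x00\x01" + digest).decode("ascii")

def parse_mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def dhcp_register(zone: dict, fqdn: str, ip: str, htype: int, chaddr: bytes) -> str:
    """
    Add or refresh the forward mapping for a lease the way a conflict-detecting
    DHCP server does. Returns "added", "updated" or "refused". A name whose A
    record has no DHCID (a hand-maintained entry) or carries another client's
    DHCID is never touched.
    """
    claim = dhcid_rdata(htype, chaddr, fqdn)
    key = fqdn.lower().rstrip(".") + "."
    rrset = zone.get(key)
    if rrset is None:                    # unknown name: claim it
        zone[key] = {"A": ip, "DHCID": claim}
        return "added"
    if "DHCID" not in rrset:             # static entry without DHCID: not mine
        return "refused"
    if rrset["DHCID"] != claim:          # belongs to a different client: not mine
        return "refused"
    rrset["A"] = ip                      # same client, new address: refresh
    return "updated"

def demo_zone() -> dict:
    """Constructed zone: "www" is a hand-maintained server entry without DHCID."""
    return {"www.example.test.": {"A": "192.0.2.10"}}

def run_demo() -> list:
    """Walk through the four cases; returns the outcome of each registration."""
    zone = demo_zone()
    pc1, pc2 = parse_mac("02:00:00:00:00:01"), parse_mac("02:00:00:00:00:02")
    return [
        dhcp_register(zone, "www.example.test.", "198.51.100.5", 1, pc1),  # refused
        dhcp_register(zone, "pc1.example.test.", "198.51.100.5", 1, pc1),  # added
        dhcp_register(zone, "pc1.example.test.", "198.51.100.6", 1, pc1),  # updated
        dhcp_register(zone, "pc1.example.test.", "198.51.100.7", 1, pc2),  # refused
    ]

if __name__ == "__main__":
    print(run_demo())  # ['refused', 'added', 'updated', 'refused']
```

This only guards what the DHCP server itself writes; a client allowed to send its own updates (no "ignore client-updates") bypasses it, which is why the thread pairs it with letting only the DHCP server update the zone.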
Re: DDNS - limitation and excluding updates from certain networks
On Wed, Dec 20, 2017 at 01:27:17PM +, MAYER Hans wrote:
>
> Dear Mukund,
>
> Many thanks for coming back.
>
>> You'll have to explain what you mean better for a more specific answer,
>> but see the manual for the "allow-update" ACL config option
>
> In my zone configuration I have an "allow-update" statement.
> Here I define all networks which are allowed to dynamically update the
> DNS entries.
>
> But my zone contains other IP addresses too. Not only those of the PCs.
> These are static names/addresses which are seldom changed.
>
> And of course the complete zone is a dynamic zone.
>
> And I don't want that these static names can be changed by someone out of
> an IP range where it is allowed.
> I didn't find any hint to block certain IP ranges to be updated within a
> dynamic zone.
>
> Hopefully this explains my question a little bit better.

The allow-update ACL applies to the whole zone. The ACL code doesn't
discriminate using the contents of the update.

You could put the names requiring update into a child zone (but
obviously it'll add another label) or another zone altogether (but
obviously it'll have a different name).

Mukund
Re: DDNS - limitation and excluding updates from certain networks
Dear Mukund,

Many thanks for coming back.

> You'll have to explain what you mean better for a more specific answer,
> but see the manual for the "allow-update" ACL config option

In my zone configuration I have an "allow-update" statement.
Here I define all networks which are allowed to dynamically update the
DNS entries.

But my zone contains other IP addresses too. Not only those of the PCs.
These are static names/addresses which are seldom changed.

And of course the complete zone is a dynamic zone.

And I don't want that these static names can be changed by someone out of
an IP range where it is allowed.
I didn't find any hint to block certain IP ranges to be updated within a
dynamic zone.

Hopefully this explains my question a little bit better.

// Hans
Re: DDNS - limitation and excluding updates from certain networks
On Wed, Dec 20, 2017 at 12:39:33PM +, MAYER Hans wrote:
>
> Dear All,
>
> My environment: We are using the latest version of BIND and DHCP from
> ISC. Our workstations ( mostly Windows and some Mac ) are in certain
> networks. Only these networks are allowed to do dynamic DNS updates.
> So when a PC is switched on its IPv4, IPv4 reverse, IPv6 and reverse
> is registered.
>
> So far everything works well.
>
> Is there a way to configure that names which are registered in other
> networks are not allowed to be updated ?

You'll have to explain what you mean better for a more specific answer,
but see the manual for the "allow-update" ACL config option (per-zone).
You can set access control on who can update the zone by configuring
this option (preferably using a TSIG key, but also a network ACL). Adjust
your zones, ACLs and services appropriately.

Mukund
DDNS - limitation and excluding updates from certain networks
Dear All,

My environment: We are using the latest version of BIND and DHCP from
ISC. Our workstations ( mostly Windows and some Mac ) are in certain
networks. Only these networks are allowed to do dynamic DNS updates.
So when a PC is switched on its IPv4, IPv4 reverse, IPv6 and reverse
is registered.

So far everything works well.

Is there a way to configure that names which are registered in other
networks are not allowed to be updated ?

Kind regards
Hans