BIND 9/8 Question DDNS Question

Richard Phillips richphillips at lucent.com
Fri Nov 16 00:05:47 UTC 2001


Cricket,
	Actually these are methods of control that are currently in place for the
"company.com" zone.  In the situation described below the DHCP server is
defined in the "allow-update" control field.

Scenario:

Let's just say that you enable DHCP on your servers.  Define them manually,
so that they have the same IP address all the time.  Mail.company.com =
10.10.10.100

Now let's say that I plug into the same network, and my workstation name is
mail.  I now get a DHCP offered lease of 10.10.10.250, and a DHCP offered
domain of company.com.  What is my FQDN??  Won't it be mail.company.com??
Won't we now have a round robin for mail.company.com??  What would prevent
this from happening?? Even if I was not in the same network as the original
mail server, wouldn't this work if I was served by the same DHCP server.
This is due to the fact that the DHCP server is authorized to update the
zone via the "Allow-update" parameter, right??

mail.company.com	10.10.10.100
mail.company.com	10.10.10.250
(Won't I now get, due to the round robin, 50% of the hits??)

So now, without releasing my address, I plug into a different network
that is serviced by the same DHCP server, and I get the following offer:  IP
= 10.20.100.200 Domain = company.com.  Won't it now create an additional
record in the round robin??

mail.company.com	10.10.10.100
mail.company.com	10.10.10.250
mail.company.com	10.20.100.200
(Won't I now get, due to the round robin, 33% of the hits??)

End of Scenario:

Am I making too much of this, or is there a mechanism that prevents this
from happening??  Or is this scenario the responsibility of the organization
to ensure that NO ONE has the capability to provide similar names within a
given zone??

Rich
-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
Behalf Of Cricket Liu
Sent: Thursday, November 15, 2001 4:43 PM
To: Richard J. Phillips Jr.; Bind Users
Subject: RE: BIND 9/8 Question DDNS Question



> I know what I've experienced, but I'm wondering if there is something new,
> that I haven't seen/enabled yet!
>
> What BIND option, if any, would prevent DNS name Hi-jacking.
>
> Scenario, What if I change my name to mail.company.com, enabled
> my interface
> for DHCP, and then obtained a lease.  Wouldn't my newly changed
> name become
> the "mail.company.com" A Record.  Therefore now all internal SMTP mail
> (Assuming MX records, blah, blah) would be routed to me.  Page 252 in the
> "DNS Dynamic Update" chapter of DNS & BIND V4, talks, briefly about this
> occurrence, but doesn't describe the behavior that would happen.
>
> QUOTE: "only if the domain name Armageddon.fx.movie.edu isn't currently
> being used, or only if Armageddon.fx.movie.edu currently has no address
> records".
>
> Question: What happens if the DHCP Server sends an update to the
> Authoritative
> zone server, the record exists, but has a different IP address,
> will it add
> it (creating a round robin), will it replace it, or what??

Boy, did you ever take that quote out of context.  That's simply an
example of what you can do with dynamic update.  Did you read the
section on p. 255 called "Update Access Control Lists"?

cricket

Men & Mice
DNS Software & Services
www.menandmice.com

Attend our next DNS and BIND class!  See
http://www.menandmice.com/8000/8000_dns_training.html
for the schedule and to register for upcoming classes
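Whether an update for a name that already exists adds a second record, replaces the old one, or is refused depends on what the updating client puts in the prerequisite and update sections of the UPDATE message (RFC 2136), which is the distinction behind the "only if the domain name isn't currently being used" quote above. The following is an added example, not code from this thread or from BIND or ISC DHCP: a small Python model of that processing over a constructed company.com zone. The Zone class, apply_update and the three scenario functions are this example's own names, and the addresses are the ones from the thread's scenario.

```python
"""Toy model of RFC 2136 dynamic-update processing (added example, not BIND code).

It shows the three outcomes the thread asks about: an UPDATE that only adds
an A record for an existing name creates a second record (round robin); an
UPDATE that deletes the old RRset first replaces it; and an UPDATE carrying
the "name not in use" prerequisite is refused when the name already exists.
The zone contents are constructed sample data."""

from dataclasses import dataclass, field

# Prerequisite kinds from RFC 2136 section 2.4 (the subset modelled here).
NAME_NOT_IN_USE = "name-not-in-use"            # nsupdate: prereq nxdomain
RRSET_DOES_NOT_EXIST = "rrset-does-not-exist"  # nsupdate: prereq nxrrset


@dataclass
class Zone:
    """Hypothetical in-memory zone: name -> rtype -> list of rdata strings."""
    origin: str
    records: dict = field(default_factory=dict)

    def rrset(self, name, rtype):
        return list(self.records.get(name.lower(), {}).get(rtype, []))

    def name_in_use(self, name):
        # A name is "in use" when it owns any RRset at all.
        return bool(self.records.get(name.lower()))

    def add(self, name, rtype, rdata):
        rrs = self.records.setdefault(name.lower(), {}).setdefault(rtype, [])
        if rdata not in rrs:  # RFC 2136 3.4.2.2: an identical RR is ignored
            rrs.append(rdata)

    def delete_rrset(self, name, rtype):
        self.records.get(name.lower(), {}).pop(rtype, None)


def apply_update(zone, prereqs, ops):
    """Apply one UPDATE message.

    prereqs: list of (kind, name, rtype) checked before any change is made.
    ops:     list of ('add', name, rtype, rdata) or ('delete', name, rtype).
    Returns 'NOERROR', or the RFC 2136 RCODE name of the failed prerequisite,
    in which case the zone is left untouched (the update is all-or-nothing).
    """
    for kind, name, rtype in prereqs:
        if kind == NAME_NOT_IN_USE and zone.name_in_use(name):
            return "YXDOMAIN"
        if kind == RRSET_DOES_NOT_EXIST and zone.rrset(name, rtype):
            return "YXRRSET"
    for op in ops:
        if op[0] == "add":
            zone.add(op[1], op[2], op[3])
        elif op[0] == "delete":
            zone.delete_rrset(op[1], op[2])
    return "NOERROR"


def _zone_with_mail():
    zone = Zone("company.com")
    zone.add("mail.company.com", "A", "10.10.10.100")  # the real mail server
    return zone


def unconditional_add_scenario():
    """Thread scenario: a second host named 'mail' gets 10.10.10.250 and the
    updater sends a bare add. Result: two A records, i.e. a round robin."""
    zone = _zone_with_mail()
    rc = apply_update(zone, [], [("add", "mail.company.com", "A", "10.10.10.250")])
    return rc, zone.rrset("mail.company.com", "A")


def guarded_add_scenario():
    """Same lease, but the update carries the 'only if the name isn't in use'
    prerequisite. Result: refused with YXDOMAIN, zone unchanged."""
    zone = _zone_with_mail()
    rc = apply_update(zone,
                      [(NAME_NOT_IN_USE, "mail.company.com", "A")],
                      [("add", "mail.company.com", "A", "10.10.10.250")])
    return rc, zone.rrset("mail.company.com", "A")


def replace_scenario():
    """Delete the old RRset, then add: the update replaces rather than
    accumulates, which is what a single legitimate owner changing address
    would send."""
    zone = _zone_with_mail()
    rc = apply_update(zone, [],
                      [("delete", "mail.company.com", "A"),
                       ("add", "mail.company.com", "A", "10.10.10.250")])
    return rc, zone.rrset("mail.company.com", "A")


if __name__ == "__main__":
    for fn in (unconditional_add_scenario, guarded_add_scenario, replace_scenario):
        print(fn.__name__, fn())
```

This models only the content of the UPDATE message itself; it assumes the sender has already passed the server-side check. That check is the `allow-update` ACL Cricket points to, which decides whether the server processes the message at all, so when the DHCP server's address is listed there, any name the DHCP server chooses to send is accepted unless the DHCP server itself adds a prerequisite like the one in guarded_add_scenario.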

