Dynamic Host DNS Registration
Danny Mayer
mayer at gis.net
Fri Jul 8 02:06:35 UTC 2005
Jim Logan wrote:
> Hello everyone,
>
> I am new to this list and to bind, so please forgive any naive
> questions. I've tried searching for an answer, but I can't find one.
> Maybe I'm searching on the wrong keywords?
>
> I have successfully set up a DNS server behind my firewall/NAT router
> that resolves my local names to local IP addresses. I am now trying to
> add the ability to have Windows XP machines register their IP addresses
> and local host names with the DNS server. I've been taking things one
> step at a time while I learn about BIND, so I'm leaving my DNS server
> completely insecure for the moment.
>
> Here's the problem. The Windows XP event log is showing a failure, but
> I can't see anything that indicates a failure or denial on the DNS side,
> even though the zone files never change. I do see messages in response
> to the registration in the query log, and I do see debugging trace
> messages in named.run, but I'm seeing nothing obvious that says the
> update is failing. The closest thing I see in the debugging messages is:
>
> req: leaving (JimLogan.localhost, rcode 0)
> make_rr(localhost, 13a000, bfffeb34, 476, 1) 45 zone 2 ttl 86400
>
> (BTW, I haven't gotten around to changing the name of my "localhost"
> zone to a different name, like "local". I hope that's not a factor. I
> inherited that zone name from the Mac OS X configuration and never
> changed it.)
>
> I've tried setting the following within the localhost and reverse-lookup
> zones without effect:
>
> * allow-update { all; };
> * allow-update { mynet; }; (where mynet is defined at the top of the
> file as "acl mynet { 192.168.123.0/24; 127.0.0.1; };")
> * not mentioning allow-update at all
>
> Does anyone have any suggestions?
>
Don't allow your Windows systems to update the DNS zone; have the DHCP
server do that. It's too insecure and much harder to manage the way you
are proposing. A DHCP server can send both A and PTR records as
necessary to BIND. You can also configure DHCP to authenticate itself
(with TSIG, IIRC) and only allow that system to update DNS.
Danny
> Thanks,
> -Jim
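The setup Danny describes (the DHCP server, not the Windows clients, sends the A and PTR updates, and BIND accepts updates only from that server when they are signed with a TSIG key), written out as an added configuration example that is not part of this thread and not ISC's own documentation. It assumes a forward zone "home.example", the 192.168.123.0/24 subnet from the question, a BIND server at 192.168.123.1, a key named "dhcp-update", the zone file names shown, BIND 9 and ISC DHCP 4.x; the secret is a placeholder.

```conf
# --- named.conf fragment (constructed example; BIND 9) --------------------
# Generate the shared secret once, e.g. with BIND's tsig-keygen (9.10+):
#   tsig-keygen -a hmac-sha256 dhcp-update
# and put the same secret into both files below.

key "dhcp-update" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   # placeholder, not a real key
};

# Make accepted and refused updates visible: the silent failure in the
# thread would show up here as an "update ... denied" line.
logging {
    channel ddns_log {
        file "/var/log/named/ddns.log" versions 3 size 1m;
        print-time yes;
        severity info;
    };
    category update          { ddns_log; };
    category update-security { ddns_log; };
};

zone "home.example" {
    type master;
    file "db.home.example";
    # Weak setting from the question (any host on the LAN may rewrite the zone):
    #   allow-update { 192.168.123.0/24; };
    # Corrected: only an update signed with the DHCP server's TSIG key is
    # accepted; unsigned updates sent by the Windows clients themselves are
    # refused. For finer control (e.g. only A records below the zone apex)
    # use an update-policy statement instead of allow-update.
    allow-update { key "dhcp-update"; };
};

zone "123.168.192.in-addr.arpa" {
    type master;
    file "db.192.168.123";
    allow-update { key "dhcp-update"; };
};

# --- dhcpd.conf fragment (constructed example; ISC DHCP 4.x) --------------
ddns-update-style interim;
ddns-updates on;
ddns-domainname "home.example.";
ddns-rev-domainname "in-addr.arpa.";
deny client-updates;     # server does the A record update itself and tells
                         # the client not to register on its own

key dhcp-update {
    algorithm hmac-sha256;
    secret REPLACE-WITH-BASE64-SECRET;     # same placeholder as in named.conf
}

zone home.example. {
    primary 192.168.123.1;   # address of the BIND server
    key dhcp-update;
}

zone 123.168.192.in-addr.arpa. {
    primary 192.168.123.1;
    key dhcp-update;
}

subnet 192.168.123.0 netmask 255.255.255.0 {
    range 192.168.123.100 192.168.123.200;
    option domain-name-servers 192.168.123.1;
    option domain-name "home.example";
}
```

With this in place, an update arriving without a valid signature (including the ones the XP machines send on their own) is refused and logged in ddns.log, while leases handed out by dhcpd get their A, TXT and PTR records written under the key. The clients will keep retrying and logging their own failures unless "Register this connection's addresses in DNS" is turned off in their TCP/IP DNS settings, so switch that off once the DHCP path works.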