Dynamic Host DNS Registration

Danny Mayer mayer at gis.net
Fri Jul 8 02:06:35 UTC 2005


Jim Logan wrote:
> Hello everyone,
> 
> I am new to this list and to bind, so please forgive any naive 
> questions.  I've tried searching for an answer, but I can't find one.  
> Maybe I'm searching on the wrong keywords?
> 
> I have successfully set up a DNS server behind my firewall/NAT router 
> that resolves my local names to local IP addresses.  I am now trying to 
> add the ability to have Windows XP machines register their IP addresses 
> and local host names with the DNS server.  I've been taking things one 
> step at a time while I learn about BIND, so I'm leaving my DNS server 
> completely insecure for the moment.
> 
> Here's the problem.  The Windows XP event log is showing a failure, but 
> I can't see anything that indicates a failure or denial on the DNS side, 
> even though the zone files never change.  I do see messages in response 
> to the registration in the query log, and I do see debugging trace 
> messages in named.run, but I'm seeing nothing obvious that says the 
> update is failing.  The closest thing I see in the debugging messages is:
> 
>     req: leaving (JimLogan.localhost, rcode 0)
>     make_rr(localhost, 13a000, bfffeb34, 476, 1) 45 zone 2 ttl 86400
> 
> (BTW, I haven't gotten around to changing the name of my "localhost" 
> zone to a different name, like "local".  I hope that's not a factor.  I 
> inherited that zone name from the Mac OS X configuration and never 
> changed it.)
> 
> I've tried setting the following within the localhost and reverse-lookup 
> zones without effect:
> 
>     * allow-update { all; };
>     * allow-update { mynet; }; (where mynet is defined at the top of the
>       file as "acl mynet { 192.168.123.0/24; 127.0.0.1; };")
>     * not mentioning allow-update at all
> 
> Does anyone have any suggestions?
> 

Don't allow your Windows systems to update the DNS zone; have the DHCP
server do that. It's too insecure and much harder to manage the way you
are proposing. A DHCP server can send both A and PTR records as
necessary to BIND. You can also configure DHCP to authenticate itself
(with TSIG, IIRC) and only allow that system to update DNS.

Danny

> Thanks,
> -Jim
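As an added illustration of the setup Danny recommends (not from the original thread), here is the open per-zone setting beside the TSIG-keyed form in named.conf, with the matching ISC dhcpd stanza that registers A and PTR records on the clients' behalf. The zone name example.lan, the key name dhcp-update, the server address and the secret are placeholders; BIND's predefined open ACL is `any`.

```conf
# --- /etc/named.conf (BIND) ---

# Weak: every host that can reach the server may rewrite the zone, so any
# client can overwrite or delete another host's records.
# zone "example.lan" {
#     type master;
#     file "example.lan.db";
#     allow-update { any; };
# };

# Keyed: only updates signed with this TSIG key are accepted.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";   # generate with: tsig-keygen dhcp-update
};

zone "example.lan" {
    type master;
    file "example.lan.db";
    allow-update { key "dhcp-update"; };
};

zone "123.168.192.in-addr.arpa" {
    type master;
    file "123.168.192.db";
    allow-update { key "dhcp-update"; };
};
# Accepted updates are written to example.lan.db.jnl first; the text zone
# file is rewritten later (or on "rndc sync"), so an unchanged file is not
# proof of rejection. Refused updates are logged in the "update-security"
# logging category.

# --- /etc/dhcpd.conf (ISC DHCP server) ---
ddns-update-style standard;           # "interim" on older dhcpd releases
ddns-domainname "example.lan.";
ddns-rev-domainname "in-addr.arpa.";
ignore client-updates;                # server registers A+PTR; clients do not
update-static-leases on;

key dhcp-update {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET"; # same secret as in named.conf
};

zone example.lan. {
    primary 192.168.123.1;            # placeholder: address of the BIND server
    key dhcp-update;
}

zone 123.168.192.in-addr.arpa. {
    primary 192.168.123.1;
    key dhcp-update;
}
```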