DDNS. Allow clients to update bind dns ??
Kevin Darcy
kcd at daimlerchrysler.com
Mon Jan 9 23:29:27 UTC 2006
aries.ram at freenet.de wrote:
>Hi,
>
>I have a strange problem with dhcp and bind in a DDNS environment. I am
>running a SUSE 9.1 server with DNS and DHCP services. The Windows XP
>and 2000 clients should get their IP addresses from the DHCP server and
>register their hostnames via the dynamic update function in the named
>server database. The clients get their IP addresses, but the dynamic
>update is not running flawlessly. I get the following syslog errors:
>
>
>Jan 8 19:03:16 gateway named[12349]: client 192.168.1.20#1069: update 'apollo.lokal/IN' denied
>Jan 8 19:05:16 gateway named[12349]: client 192.168.1.20#1069: update 'apollo.lokal/IN' denied
>
>Here are my config files:
>
>/etc/dhcpd.conf
># dhcpd.conf
>#
># Sample configuration file for ISC dhcpd
>#
># option definitions common to all supported networks...
>
># if you do not use dynamic DNS updates:
>#
># dhcpd-3 needs at least this statement.
># you have to delete it for dhcpd-2, because it does not know it.
>#
># if you want to use dynamic DNS updates, you should first read
># /usr/share/doc/packages/dhcp-server/DDNS-howto.txt
>
>ddns-update-style interim;
>ignore client-updates;
>ddns-updates on;
>ddns-domainname "apollo.lokal";
>allow unknown-clients;
>ddns-rev-domainname "1.168.192.in-addr.arpa";
>
># If this DHCP server is the official DHCP server for the local
># network, the authoritative directive should be uncommented.
>
>authoritative ;
>
># Use this to send dhcp log messages to a different log file (you also
># have to hack syslog.conf to complete the redirection).
>
>log-facility local7;
>
># No service will be given on this subnet, but declaring it helps the
># DHCP server to understand the network topology.
>#subnet 10.152.187.0 netmask 255.255.255.0 {
>#}
># This is a very basic subnet declaration.
>
>subnet 192.168.1.0 netmask 255.255.255.0 {
> option routers 192.168.1.1;
> option nis-domain "apollo.lokal";
> option domain-name "apollo.lokal";
> option domain-name-servers 192.168.1.1;
> default-lease-time 43200;
> max-lease-time 86400;
> range 192.168.1.110 192.168.1.150;
>}
>key apollo.lokal {
> algorithm hmac-md5;
> secret 1234567890x==;
>};
>zone apollo.lokal. {
> primary 192.168.1.1;
> key apollo.lokal;
>}
>zone 1.168.192.in-addr.arpa. {
> primary 192.168.1.1;
> key apollo.lokal;
>}
>
># This declaration allows BOOTP clients to get dynamic addresses,
># which we don't really recommend.
>#subnet 10.254.239.32 netmask 255.255.255.224 {
># range dynamic-bootp 10.254.239.40 10.254.239.60;
># option broadcast-address 10.254.239.31;
># option routers rtr-239-32-1.example.org;
>#}
># Hosts which require special configuration options can be listed in
># host statements. If no address is specified, the address will be
># allocated dynamically (if possible), but the host-specific information
># will still come from the host declaration.
>group {
> host duke {
> hardware ethernet 00:08:8E:28:88:AB;
> fixed-address 192.168.1.30;
> }
> host blade {
> hardware ethernet 00:12:5b:37:4b:2a;
> fixed-address 192.168.1.20;
> }
>}
>
>******************************************************************************************
>
>/etc/named.conf
>
>
># Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
># All rights reserved.
>#
># Author: Frank Bodammer, Lars Mueller <lmuelle at suse.de>
>#
># /etc/named.conf
>#
># This is a sample configuration file for the name server BIND 9. It works as
># a caching only name server without modification.
>#
># A sample configuration for setting up your own domain can be found in
># /usr/share/doc/packages/bind/sample-config.
>#
># A description of all available options can be found in
># /usr/share/doc/packages/bind/misc/options.
>
>acl internals { 192.168.1.0/24;};
>
>controls {
> inet 127.0.0.1 port 953 allow { localhost; internals; } keys { apollo.lokal; };
>};
>
>options {
>
> # The directory statement defines the name server's working directory
>
> directory "/var/lib/named";
>
> # Write dump and statistics file to the log subdirectory. The
> # pathnames are relative to the chroot jail.
>
> dump-file "/var/log/named_dump.db";
> statistics-file "/var/log/named.stats";
>
> # The forwarders record contains a list of servers to which queries
> # should be forwarded. Enable this line and modify the IP address to
> # your provider's name server. Up to three servers may be listed.
> # Condor Nameserver : 194.120.164.22
>
> forwarders { 194.25.2.129; };
>
> # Enable the next entry to prefer usage of the name server declared in
> # the forwarders section.
>
> #forward first;
> forward only;
>
> # The listen-on record contains a list of local network interfaces to
> # listen on. Optionally the port can be specified. Default is to
> # listen on all interfaces found on your system. The default port is
> # 53.
>
> listen-on port 53 { 192.168.1.1; 127.0.0.1; };
>
> # The listen-on-v6 record enables or disables listening on IPv6
> # interfaces. Allowed values are 'any' and 'none' or a list of
> # addresses.
>
> listen-on-v6 { none; };
>
> # The next three statements may be needed if a firewall stands between
> # the local server and the internet.
>
> query-source address * port 53;
> # transfer-source * port 53;
> # notify-source * port 53;
>
> # The allow-query record contains a list of networks or IP addresses
> # to accept and deny queries from. The default is to allow queries
> # from all hosts.
>
> allow-query { internals; };
>
> # If notify is set to yes (default), notify messages are sent to other
> # name servers when the zone data is changed. Instead of setting
> # a global 'notify' statement in the 'options' section, a separate
> # 'notify' can be added to each zone definition.
>
> notify no;
>};
>
># To configure named's logging remove the leading '#' characters of the
># following examples.
>#logging {
># # Log queries to a file limited to a size of 100 MB.
># channel query_logging {
># file "/var/log/named_querylog"
># versions 3 size 100M;
># print-time yes; // timestamp log entries
># };
># category queries {
># query_logging;
># };
>#
># # Or log this kind alternatively to syslog.
># channel syslog_queries {
># syslog user;
># severity info;
># };
># category queries { syslog_queries; };
>#
># # Log general name server errors to syslog.
># channel syslog_errors {
># syslog user;
># severity error;
># };
># category default { syslog_errors; };
>#
># # Don't log lame server messages.
># category lame-servers { null; };
>#};
>
># The following zone definitions don't need any modification. The first one
># is the definition of the root name servers. The second one defines
># localhost while the third defines the reverse lookup for localhost.
>
>key apollo.lokal {
> algorithm hmac-md5;
> secret 1234567890x==;
> };
>
>zone "." in {
> type hint;
> file "root.hint";
>};
>
>zone "localhost" in {
> type master;
> file "localhost.zone";
>};
>
>zone "0.0.127.in-addr.arpa" in {
> type master;
> file "127.0.0.zone";
>};
>
># Include the meta include file generated by SuSEconfig.named. This includes
># all files as configured in NAMED_CONF_INCLUDE_FILES from
># /etc/sysconfig/named
>
># include "/etc/named.conf.include";
>
># You can insert further zone records for your own domains below or create
># single files in /etc/named.d/ and add the file names to
># NAMED_CONF_INCLUDE_FILES.
># See /usr/share/doc/packages/bind/README.SuSE for more details.
>
>
>zone "apollo.lokal" IN {
> type master;
> file "dyn/apollo.lokal.zone";
> allow-update { key apollo.lokal; };
>};
>zone "1.168.192.in-addr.arpa" IN {
> type master;
> file "dyn/1.168.192.in-addr.arpa.zone";
> allow-update { key apollo.lokal; };
>};
>
>
>Are the permissions OK?
>
>drwxr-xr-x 9 named named 4096 Dec 7 00:12 .
>drwxr-xr-x 37 root root 4096 Dec 10 19:40 ..
>-rw-r--r-- 1 named named 192 Apr 6 2004 127.0.0.zone
>drwxr-xr-x 2 named named 4096 Jan 5 18:41 dev
>drwxr-x--- 2 named named 4096 Jan 8 18:20 dyn
>drwxr-xr-x 3 named named 4096 Nov 28 1996 etc
>-rw-r--r-- 1 named named 158 Apr 6 2004 localhost.zone
>drwxr-xr-x 2 named named 4096 Apr 6 2004 log
>drwxr-xr-x 2 named named 4096 Nov 2 16:23 master
>-rw-r--r-- 1 named named 2517 Apr 6 2004 root.hint
>drwxr-xr-x 2 named named 4096 Apr 6 2004 slave
>drwxr-xr-x 4 named named 4096 Dec 7 00:12 var
>gateway:/var/lib/named #
>
>4 drwxr-xr-x 9 named named 4096 Dec 7 00:12 ..
>8 -rw------- 1 named named 771 Jan 8 18:20 1.168.192.in-addr.arpa.zone
>8 -rw-r--r-- 1 named named 1097 Jan 8 18:03 1.168.192.in-addr.arpa.zone.jnl
>8 -rw------- 1 named named 633 Jan 8 18:19 apollo.lokal.zone
>gateway:/var/lib/named/dyn #
>
>I don't know where the problem is. How can I allow the Windows XP /
>2000 clients to update their hostnames in the named database? I don't
>want to disable the automatic update function in the Windows XP/2000
>network settings just to prevent the "update denied" log messages; that
>is only a workaround that doesn't fix the problem. The allow-update with
>a security key should work, but it doesn't. Did I misunderstand
>something?
>
Is 192.168.1.20 the address of the DHCP server? It's not clear to me
from a quick perusal of what you posted above. The usual configuration in a
mixed Wintel/BIND/dhcpd environment is for dhcpd, not the clients
themselves, to register the client's names and addresses. This is
because Windows clients can't secure their Dynamic Updates in a way
that's compatible with BIND.
- Kevin
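Kevin's question (is 192.168.1.20 the DHCP server?) can be checked against the posted dhcpd.conf. The script below is an added example and is not part of the original thread, nor code from ISC or SUSE: it parses named's `update ... denied` syslog lines, reads the `host`/`fixed-address` and `range` statements from dhcpd.conf, and classifies each denied updater as dhcpd itself, a statically addressed host, a dynamic-pool client, or an address dhcpd knows nothing about. It assumes the DHCP server sits at 192.168.1.1 (the post says DNS and DHCP run on the same server and dhcpd.conf points `primary 192.168.1.1`); the log lines and the config fragment embedded in it are copied from the post. Since `allow-update { key apollo.lokal; };` accepts only updates signed with that TSIG key, a denial whose source turns out to be a client rather than dhcpd is expected behaviour, which is the point of Kevin's reply.

```python
import ipaddress
import re

# Constructed sample input: the two syslog lines quoted in the post.
NAMED_LOG = """\
Jan 8 19:03:16 gateway named[12349]: client 192.168.1.20#1069: update 'apollo.lokal/IN' denied
Jan 8 19:05:16 gateway named[12349]: client 192.168.1.20#1069: update 'apollo.lokal/IN' denied
"""

# Constructed sample input: the relevant parts of the posted /etc/dhcpd.conf.
DHCPD_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
  range 192.168.1.110 192.168.1.150;
}
zone apollo.lokal. {
  primary 192.168.1.1;
  key apollo.lokal;
}
group {
  host duke {
    hardware ethernet 00:08:8E:28:88:AB;
    fixed-address 192.168.1.30;
  }
  host blade {
    hardware ethernet 00:12:5b:37:4b:2a;
    fixed-address 192.168.1.20;
  }
}
"""

# Assumption: the DHCP server is the same box as named (192.168.1.1).
DHCP_SERVER = "192.168.1.1"

# named's denial line: "client <ip>#<port>: update '<zone>' denied"
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[\d.]+)#(?P<port>\d+): update '(?P<zone>[^']+)' denied"
)
# host <name> { ... fixed-address <ip>; ... }  (no nested braces inside a host block)
HOST_RE = re.compile(
    r"host\s+(?P<name>\S+)\s*\{[^}]*?fixed-address\s+(?P<ip>[\d.]+)\s*;", re.S
)
RANGE_RE = re.compile(r"range\s+(?P<lo>[\d.]+)\s+(?P<hi>[\d.]+)\s*;")


def parse_denied(log):
    """Return one dict (ip, port, zone) per 'update ... denied' line."""
    events = []
    for line in log.splitlines():
        m = DENIED_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def parse_dhcpd(conf):
    """Map fixed addresses to host names and collect dynamic address ranges."""
    hosts = {m.group("ip"): m.group("name") for m in HOST_RE.finditer(conf)}
    ranges = [
        (ipaddress.ip_address(m.group("lo")), ipaddress.ip_address(m.group("hi")))
        for m in RANGE_RE.finditer(conf)
    ]
    return hosts, ranges


def classify(ip, dhcp_server, hosts, ranges):
    """Say who the denied updater is, seen from dhcpd's point of view."""
    addr = ipaddress.ip_address(ip)
    if addr == ipaddress.ip_address(dhcp_server):
        # dhcpd is the one updater that is supposed to be signing with the key.
        return "dhcpd itself (should be sending TSIG-signed updates; check the key)"
    if ip in hosts:
        return f"static host '{hosts[ip]}' (client-originated update, not dhcpd)"
    if any(lo <= addr <= hi for lo, hi in ranges):
        return "dynamic-pool client (client-originated update, not dhcpd)"
    return "address not in dhcpd.conf (unexpected updater)"


def report(log, conf, dhcp_server):
    """Cross-reference every denied update against dhcpd.conf."""
    hosts, ranges = parse_dhcpd(conf)
    verdicts = {}
    for e in parse_denied(log):
        verdicts[(e["ip"], e["zone"])] = classify(e["ip"], dhcp_server, hosts, ranges)
    return verdicts


if __name__ == "__main__":
    for (ip, zone), verdict in report(NAMED_LOG, DHCPD_CONF, DHCP_SERVER).items():
        print(f"{ip} -> {zone}: {verdict}")
```

On the posted data this attributes the denials to the static host `blade`, i.e. a Windows client talking to named directly, not to dhcpd. To run it against a live system, replace the two embedded strings with the contents of /var/log/messages and /etc/dhcpd.conf; a verdict of "dhcpd itself" would instead point at the TSIG key or zone configuration rather than at the clients.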