DDNS. Allow clients to update bind dns ??

Kevin Darcy kcd at daimlerchrysler.com
Mon Jan 9 23:29:27 UTC 2006


aries.ram at freenet.de wrote:

>Hi,
>
>I have a strange problem with dhcp and bind in a ddns environment. I am
>running a SUSE 9.1 server with DNS and DHCP services. The Windows XP
>and 2000 clients should get their IP addresses from the DHCP server and
>register their hostnames via the dynamic update function in the named
>server database. The clients get their IP addresses, but the dynamic
>update is not running flawlessly. I get the following syslog errors:
>
>
>Jan  8 19:03:16 gateway named[12349]: client 192.168.1.20#1069: update 'apollo.lokal/IN' denied
>Jan  8 19:05:16 gateway named[12349]: client 192.168.1.20#1069: update 'apollo.lokal/IN' denied
>
>Here are my config files:
>
>/etc/dhcpd.conf
># dhcpd.conf
>#
># Sample configuration file for ISC dhcpd
>#
># option definitions common to all supported networks...
>
># if you do not use dynamical DNS updates:
>#
># this statement is needed by dhcpd-3 needs at least this statement.
># you have to delete it for dhcpd-2, because it does not know it.
>#
># if you want to use dynamical DNS updates, you should first read
># read /usr/share/doc/packages/dhcp-server/DDNS-howto.txt
>
>ddns-update-style interim;
>ignore client-updates;
>ddns-updates on;
>ddns-domainname "apollo.lokal";
>allow unknown-clients;
>ddns-rev-domainname "1.168.192.in-addr.arpa";
>
># If this DHCP server is the official DHCP server for the local
># network, the authoritative directive should be uncommented.
>
>authoritative ;
>
># Use this to send dhcp log messages to a different log file (you also
># have to hack syslog.conf to complete the redirection).
>
>log-facility local7;
>
># No service will be given on this subnet, but declaring it helps the
># DHCP server to understand the network topology.
>#subnet 10.152.187.0 netmask 255.255.255.0 {
>#}
># This is a very basic subnet declaration.
>
>subnet 192.168.1.0 netmask 255.255.255.0 {
>  option routers 192.168.1.1;
>  option nis-domain "apollo.lokal";
>  option domain-name "apollo.lokal";
>  option domain-name-servers 192.168.1.1;
>  default-lease-time 43200;
>  max-lease-time 86400;
>  range 192.168.1.110 192.168.1.150;
>}
>key apollo.lokal {
>  algorithm hmac-md5;
>  secret 1234567890x==;
>};
>zone apollo.lokal. {
>  primary 192.168.1.1;
>  key apollo.lokal;
>}
>zone 1.168.192.in-addr.arpa. {
>  primary 192.168.1.1;
>  key apollo.lokal;
>}
>
># This declaration allows BOOTP clients to get dynamic addresses,
># which we don't really recommend.
>#subnet 10.254.239.32 netmask 255.255.255.224 {
>#  range dynamic-bootp 10.254.239.40 10.254.239.60;
>#  option broadcast-address 10.254.239.31;
>#  option routers rtr-239-32-1.example.org;
>#}
># Hosts which require special configuration options can be listed in
># host statements.   If no address is specified, the address will be
># allocated dynamically (if possible), but the host-specific information
># will still come from the host declaration.
>group {
>  host duke {
>    hardware ethernet 00:08:8E:28:88:AB;
>    fixed-address 192.168.1.30;
>  }
>  host blade {
>    hardware ethernet 00:12:5b:37:4b:2a;
>    fixed-address 192.168.1.20;
>  }
>}
>
>******************************************************************************************
>
>/etc/named.conf
>
>
># Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
># All rights reserved.
>#
># Author: Frank Bodammer, Lars Mueller <lmuelle at suse.de>
>#
># /etc/named.conf
>#
># This is a sample configuration file for the name server BIND 9.  It works as
># a caching only name server without modification.
>#
># A sample configuration for setting up your own domain can be found in
># /usr/share/doc/packages/bind/sample-config.
>#
># A description of all available options can be found in
># /usr/share/doc/packages/bind/misc/options.
>
>acl internals { 192.168.1.0/24;};
>
>controls {
>  inet 127.0.0.1 port 953 allow { localhost; internals; } keys { apollo.lokal; };
>};
>
>options {
>
>        # The directory statement defines the name server's working directory
>
>        directory "/var/lib/named";
>
>        # Write dump and statistics file to the log subdirectory.  The
>        # pathenames are relative to the chroot jail.
>
>        dump-file "/var/log/named_dump.db";
>        statistics-file "/var/log/named.stats";
>
>        # The forwarders record contains a list of servers to which queries
>        # should be forwarded.  Enable this line and modify the IP address to
>        # your provider's name server.  Up to three servers may be listed.
>        # Condor Nameserver : 194.120.164.22
>
>        forwarders { 194.25.2.129; };
>
>        # Enable the next entry to prefer usage of the name server declared in
>        # the forwarders section.
>
>        #forward first;
>        forward only;
>
>        # The listen-on record contains a list of local network interfaces to
>        # listen on.  Optionally the port can be specified.  Default is to
>        # listen on all interfaces found on your system.  The default port is
>        # 53.
>
>        listen-on port 53 { 192.168.1.1; 127.0.0.1; };
>
>        # The listen-on-v6 record enables or disables listening on IPv6
>        # interfaces.  Allowed values are 'any' and 'none' or a list of
>        # addresses.
>
>        listen-on-v6 { none; };
>
>        # The next three statements may be needed if a firewall stands between
>        # the local server and the internet.
>
>        query-source address * port 53;
>        # transfer-source * port 53;
>        # notify-source * port 53;
>
>        # The allow-query record contains a list of networks or IP addresses
>        # to accept and deny queries from. The default is to allow queries
>        # from all hosts.
>
>        allow-query { internals; };
>
>        # If notify is set to yes (default), notify messages are sent to other
>        # name servers when the zone data is changed.  Instead of setting
>        # a global 'notify' statement in the 'options' section, a separate
>        # 'notify' can be added to each zone definition.
>
>        notify no;
>};
>
># To configure named's logging remove the leading '#' characters of the
># following examples.
>#logging {
>#       # Log queries to a file limited to a size of 100 MB.
>#       channel query_logging {
>#               file "/var/log/named_querylog"
>#                       versions 3 size 100M;
>#               print-time yes;                 // timestamp log entries
>#       };
>#       category queries {
>#               query_logging;
>#       };
>#
>#       # Or log this kind alternatively to syslog.
>#       channel syslog_queries {
>#               syslog user;
>#               severity info;
>#       };
>#       category queries { syslog_queries; };
>#
>#       # Log general name server errors to syslog.
>#       channel syslog_errors {
>#               syslog user;
>#               severity error;
>#       };
>#       category default { syslog_errors;  };
>#
>#       # Don't log lame server messages.
>#       category lame-servers { null; };
>#};
>
># The following zone definitions don't need any modification.  The first one
># is the definition of the root name servers.  The second one defines
># localhost while the third defines the reverse lookup for localhost.
>
>key apollo.lokal {
>        algorithm hmac-md5;
>        secret 1234567890x==;
>};
>
>zone "." in {
>        type hint;
>        file "root.hint";
>};
>
>zone "localhost" in {
>        type master;
>        file "localhost.zone";
>};
>
>zone "0.0.127.in-addr.arpa" in {
>        type master;
>        file "127.0.0.zone";
>};
>
># Include the meta include file generated by SuSEconfig.named.  This includes
># all files as configured in NAMED_CONF_INCLUDE_FILES from
># /etc/sysconfig/named
>
># include "/etc/named.conf.include";
>
># You can insert further zone records for your own domains below or create
># single files in /etc/named.d/ and add the file names to
># NAMED_CONF_INCLUDE_FILES.
># See /usr/share/doc/packages/bind/README.SuSE for more details.
>
>
>zone "apollo.lokal" IN {
>        type master;
>        file "dyn/apollo.lokal.zone";
>        allow-update { key apollo.lokal; };
>};
>zone "1.168.192.in-addr.arpa" IN {
>        type master;
>        file "dyn/1.168.192.in-addr.arpa.zone";
>        allow-update { key apollo.lokal; };
>};
>
>
>Are the permissions OK?
>
>drwxr-xr-x   9 named named 4096 Dec  7 00:12 .
>drwxr-xr-x  37 root  root  4096 Dec 10 19:40 ..
>-rw-r--r--   1 named named  192 Apr  6  2004 127.0.0.zone
>drwxr-xr-x   2 named named 4096 Jan  5 18:41 dev
>drwxr-x---   2 named named 4096 Jan  8 18:20 dyn
>drwxr-xr-x   3 named named 4096 Nov 28  1996 etc
>-rw-r--r--   1 named named  158 Apr  6  2004 localhost.zone
>drwxr-xr-x   2 named named 4096 Apr  6  2004 log
>drwxr-xr-x   2 named named 4096 Nov  2 16:23 master
>-rw-r--r--   1 named named 2517 Apr  6  2004 root.hint
>drwxr-xr-x   2 named named 4096 Apr  6  2004 slave
>drwxr-xr-x   4 named named 4096 Dec  7 00:12 var
>gateway:/var/lib/named #
>
>4 drwxr-xr-x  9 named named 4096 Dec  7 00:12 ..
>8 -rw-------  1 named named  771 Jan  8 18:20 1.168.192.in-addr.arpa.zone
>8 -rw-r--r--  1 named named 1097 Jan  8 18:03 1.168.192.in-addr.arpa.zone.jnl
>8 -rw-------  1 named named  633 Jan  8 18:19 apollo.lokal.zone
>gateway:/var/lib/named/dyn #
>
>I don't know where the problem is. How can I allow the Windows XP /
>2000 clients to update their hostnames in the named database? I don't
>want to disable the automatic update function in the Windows XP/2000
>network settings to prevent the "update denied" log messages! This is
>only a workaround that doesn't fix the problem. The allow-update with a
>security key should work, but it doesn't. Did I misunderstand
>something?
>
Is 192.168.1.20 the address of the DHCP server? It's not clear to me 
from a quick perusal of what you posted above. The usual configuration in a 
mixed Wintel/BIND/dhcpd environment is for dhcpd, not the clients 
themselves, to register the clients' names and addresses. This is 
because Windows clients can't secure their Dynamic Updates in a way 
that's compatible with BIND.

- Kevin
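Added example (mine, not from this thread nor from the BIND or ISC dhcpd projects): a short Python triage script that reads named's "update ... denied" lines and classifies each sender against the posted dhcpd.conf. It answers Kevin's question from the configuration itself: 192.168.1.20 is the fixed-address of host blade, a Windows client, not the DHCP server, so those two denials are a client sending an unsigned dynamic update to a zone whose allow-update admits only TSIG key apollo.lokal. The script assumes dhcpd sends its signed updates from 192.168.1.1 (the "primary" in its zone statements, on the same machine as named); the log lines from 192.168.1.1 and 192.168.1.115 and the query line are constructed to exercise the other branches.

```python
# Added example: triage BIND "update ... denied" lines against what dhcpd manages.
from __future__ import annotations
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

# Constructed sample input: the two denied updates quoted in the post, plus three
# constructed lines (the DHCP server's own address, a pool client, a query to skip).
NAMED_LOG = """\
Jan  8 19:03:16 gateway named[12349]: client 192.168.1.20#1069: update 'apollo.lokal/IN' denied
Jan  8 19:05:16 gateway named[12349]: client 192.168.1.20#1069: update 'apollo.lokal/IN' denied
Jan  8 19:07:02 gateway named[12349]: client 192.168.1.1#32770: update 'apollo.lokal/IN' denied
Jan  8 19:08:11 gateway named[12349]: client 192.168.1.115#1025: update '1.168.192.in-addr.arpa/IN' denied
Jan  8 19:08:12 gateway named[12349]: client 192.168.1.115#1025: query: www.example.org IN A
"""
# The parts of the posted dhcpd.conf that matter here: the pool and the host entries.
DHCPD_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.110 192.168.1.150;
}
group {
  host duke {
    hardware ethernet 00:08:8E:28:88:AB;
    fixed-address 192.168.1.30;
  }
  host blade {
    hardware ethernet 00:12:5b:37:4b:2a;
    fixed-address 192.168.1.20;
  }
}
"""
# Assumption: dhcpd runs on the same box as named and sends its signed updates
# from 192.168.1.1, the 'primary' in its zone statements.
DHCP_SERVER = ip_address("192.168.1.1")

IP = r"\d+(?:\.\d+){3}"
DENIED_RE = re.compile(rf"named\[\d+\]: client (?P<ip>{IP})#\d+: update '(?P<zone>[^']+)/IN' denied")
HOST_RE = re.compile(r"\bhost\s+(?P<name>[\w.-]+)\s*\{(?P<body>[^}]*)\}")
FIXED_RE = re.compile(rf"fixed-address\s+(?P<ip>{IP})\s*;")
RANGE_RE = re.compile(rf"\brange\s+(?P<lo>{IP})\s+(?P<hi>{IP})\s*;")

VERDICTS = {
    "dhcp-server": "dhcpd's own update refused: it is not signing, or key name/secret differ between dhcpd.conf and named.conf",
    "fixed-host": "unsigned self-registration by a fixed-address host; allow-update { key ...; } rejects it, as intended when dhcpd registers names",
    "dhcp-pool": "unsigned self-registration by a pool client; log noise unless that name never appears in the zone",
    "unknown": "update from an address dhcpd does not manage; find the sender",
}

@dataclass
class Finding:
    ip: str
    zone: str
    source: str        # key into VERDICTS
    host: str | None   # dhcpd host name when the sender has a fixed-address
    count: int
    verdict: str

def parse_dhcpd(conf: str):
    """Return ({fixed-address: host name}, [(pool low, pool high), ...])."""
    fixed = {}
    for h in HOST_RE.finditer(conf):
        f = FIXED_RE.search(h.group("body"))
        if f:
            fixed[ip_address(f.group("ip"))] = h.group("name")
    ranges = [(ip_address(r["lo"]), ip_address(r["hi"])) for r in RANGE_RE.finditer(conf)]
    return fixed, ranges

def classify(ip: IPv4Address, fixed, ranges):
    """Who sent the update: dhcpd itself, a fixed host, a pool client, or unknown."""
    if ip == DHCP_SERVER:
        return "dhcp-server", None
    if ip in fixed:
        return "fixed-host", fixed[ip]
    if any(lo <= ip <= hi for lo, hi in ranges):
        return "dhcp-pool", None
    return "unknown", None

def triage(log: str, conf: str) -> list[Finding]:
    """One Finding per (sender, zone), counting repeated denials."""
    fixed, ranges = parse_dhcpd(conf)
    findings: dict[tuple[str, str], Finding] = {}
    for line in log.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue
        ip, zone = ip_address(m["ip"]), m["zone"]
        if (str(ip), zone) in findings:
            findings[(str(ip), zone)].count += 1
            continue
        source, host = classify(ip, fixed, ranges)
        findings[(str(ip), zone)] = Finding(str(ip), zone, source, host, 1, VERDICTS[source])
    return list(findings.values())

if __name__ == "__main__":
    for f in triage(NAMED_LOG, DHCPD_CONF):
        who = f"{f.host} ({f.ip})" if f.host else f.ip
        print(f"{who} -> {f.zone}: denied {f.count}x [{f.source}] {f.verdict}")
```

Run as a script it prints one line per sender and zone. The only verdict worth chasing is dhcp-server, because that means dhcpd's own signed update is being refused; the denials from blade are the expected result of Windows self-registration meeting allow-update { key apollo.lokal; } and go away once the client-side registration is switched off or simply ignored. The quickest check of the shared key, independent of dhcpd, is nsupdate run on the server itself with -y apollo.lokal:<secret> doing an "update add" in apollo.lokal.: it either succeeds or produces the same denied line from the server's own address.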




More information about the bind-users mailing list