DDNS

Simon Hobson dhcp at thehobsons.co.uk
Tue May 2 14:33:07 UTC 2006


Andrea Bencini wrote:

>With a Windows 2000 Professional (SP4) only the reverse zone is updated.
>With a Windows XP Professional (SP1) the reverse and forward zones are updated.
>(the first log, 10.100.0.99, is Windows 2000 Professional)
>(the second log, 10.100.0.88, is Windows XP Professional)
>Could you tell me why, and the solution?

It's a known 'issue'. There is a flag which the client can set in 
its requests to say that the client will do its own forward updates 
- and in an MS-only world this would just happen automagically behind 
the scenes. There is a flag (ignore-client-updates IIRC) you can set 
in the dhcpd.conf to override this - setting it may or may not be 
'the right' thing to do ...

Suppose you have a laptop, normally known as laptop.mydomain.com, and 
you visit somewhere else. You plug it into the network and get an 
address. With client updates turned on, and the right access control 
in place, it can update the dns for mydomain.com so that 
laptop.mydomain.com is the correct address and other people can still 
access it by that name (subject to firewalls etc).

If you force the dhcp server to do forward updates, then it cannot do 
this update (unless you've got some prior arrangement in place to 
allow it), so the machine becomes 
laptop.sometotallydifferentdomain.com and is effectively gone from 
the network because laptop.mydomain.com either still points to its 
previous address or is deleted because the lease has expired.

Either way, it is correct for the dhcp server to do the reverse zone 
update since it will (or should) have an existing ability to update 
the reverse zones for the subnets it serves.

You can see the client attempting an update in these log entries :

>Apr 28 16:22:45 p-suse named[4251]: client 10.100.0.99#1086: updating zone
>'tlcovernet.local/IN': update unsuccessful: casa.tlcovernet.local/A: 'RRset
>exists (value dependent)' prerequisite not satisfied (NXRRSET)
>Apr 28 16:22:45 p-suse named[4251]: client 10.100.0.99#1089: update
>'tlcovernet.local/IN' denied
>Apr 28 16:22:45 p-suse named[4251]: client 10.100.0.99#1094: update
>'0.100.10.in-addr.arpa/IN' denied
>Apr 28 16:22:46 p-suse named[4251]: client 10.100.0.99#1100: updating zone
>'tlcovernet.local/IN': update unsuccessful: casa.tlcovernet.local/A: 'RRset
>exists (value dependent)' prerequisite not satisfied (NXRRSET)
>Apr 28 16:22:46 p-suse named[4251]: client 10.100.0.99#1103: update
>'tlcovernet.local/IN' denied
>Apr 28 16:22:46 p-suse named[4251]: client 10.100.0.99#1108: update
>'0.100.10.in-addr.arpa/IN' denied

I should point out that it is very insecure to allow clients to be 
performing updates on your dns server; once you allow any updates, 
you are reliant on all the clients behaving honourably and not 
deleting (or worse, changing) important dns records. For example, it 
would be trivial for someone to put up a server that looks like your 
important server, then change the dns so that server.somedomain.com 
points at the rogue server, and suddenly all your clients are 
connecting to a rogue server with all the implications that go with 
it.

Simon
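
The named log lines quoted above are the evidence that a client, rather than the DHCP server, is sending DNS UPDATE messages. The following is an added example (not code from the thread or from ISC) that parses such lines, classifies each attempt as denied, failed on a prerequisite, or applied, and reports any client that is not on the list of hosts expected to update the zones. The sample input is constructed: the 10.100.0.99 lines mirror the quoted ones, while the 10.100.0.5 lines stand for a hypothetical DHCP server performing its own updates; the "adding an RR at" wording for applied updates is assumed to follow BIND's update log format.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input in the format of the named log lines quoted in the
# thread. The 10.100.0.99 lines mirror the quoted ones; the 10.100.0.5 lines
# (a hypothetical DHCP server doing its own updates) are made up for contrast.
SAMPLE_LOG = """\
Apr 28 16:22:45 p-suse named[4251]: client 10.100.0.99#1086: updating zone 'tlcovernet.local/IN': update unsuccessful: casa.tlcovernet.local/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Apr 28 16:22:45 p-suse named[4251]: client 10.100.0.99#1089: update 'tlcovernet.local/IN' denied
Apr 28 16:22:45 p-suse named[4251]: client 10.100.0.99#1094: update '0.100.10.in-addr.arpa/IN' denied
Apr 28 16:22:46 p-suse named[4251]: client 10.100.0.99#1100: updating zone 'tlcovernet.local/IN': update unsuccessful: casa.tlcovernet.local/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Apr 28 16:22:46 p-suse named[4251]: client 10.100.0.99#1103: update 'tlcovernet.local/IN' denied
Apr 28 16:22:46 p-suse named[4251]: client 10.100.0.99#1108: update '0.100.10.in-addr.arpa/IN' denied
Apr 28 16:22:50 p-suse named[4251]: client 10.100.0.5#53211: updating zone 'tlcovernet.local/IN': adding an RR at 'casa.tlcovernet.local' A
Apr 28 16:22:51 p-suse named[4251]: client 10.100.0.5#53211: updating zone '0.100.10.in-addr.arpa/IN': adding an RR at '99.0.100.10.in-addr.arpa' PTR
"""


@dataclass
class UpdateAttempt:
    client: str   # source IP of the DNS UPDATE message
    port: int
    zone: str     # zone name with the '/IN' class suffix removed
    outcome: str  # 'denied', 'unsuccessful', 'applied' or 'other'
    reason: str   # rcode such as 'NXRRSET' for a failed prerequisite, else ''


_LINE_RE = re.compile(
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?:updating zone '(?P<zone_a>[^']+)': (?P<detail>.*)"
    r"|update '(?P<zone_b>[^']+)' denied)\s*$"
)
_REASON_RE = re.compile(r"\((?P<rcode>[A-Z]+)\)\s*$")


def parse_line(line: str) -> Optional[UpdateAttempt]:
    """Turn one named log line into an UpdateAttempt, or None if it is not an update line."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    zone = (m.group("zone_a") or m.group("zone_b")).rsplit("/", 1)[0]
    detail = m.group("detail") or ""
    reason = ""
    if m.group("zone_b"):
        outcome = "denied"          # refused by the zone's update access check
    elif detail.startswith("update unsuccessful"):
        outcome = "unsuccessful"    # the prerequisite check failed (rcode in parentheses)
        r = _REASON_RE.search(detail)
        reason = r.group("rcode") if r else ""
    elif detail.startswith(("adding an RR", "deleting")):
        outcome = "applied"         # named actually changed the zone
    else:
        outcome = "other"
    return UpdateAttempt(m.group("client"), int(m.group("port")), zone, outcome, reason)


def parse_named_log(text: str) -> List[UpdateAttempt]:
    """Parse every update-related line in a block of named log output."""
    return [a for a in (parse_line(l) for l in text.splitlines()) if a]


def summarize(attempts: List[UpdateAttempt]) -> Dict[Tuple[str, str], Counter]:
    """Count outcomes per (client, zone) pair."""
    per_client_zone: Dict[Tuple[str, str], Counter] = defaultdict(Counter)
    for a in attempts:
        per_client_zone[(a.client, a.zone)][a.outcome] += 1
    return dict(per_client_zone)


def unexpected_updaters(attempts: List[UpdateAttempt], allowed: Set[str]) -> List[str]:
    """Clients that sent DNS UPDATEs but are not among the hosts expected to (e.g. the DHCP server)."""
    return sorted({a.client for a in attempts if a.client not in allowed})


if __name__ == "__main__":
    attempts = parse_named_log(SAMPLE_LOG)
    for (client, zone), counts in sorted(summarize(attempts).items()):
        print(f"{client:15} {zone:25} {dict(counts)}")
    # 10.100.0.5 is the hypothetical DHCP server; anything else is a client updating on its own.
    print("clients updating on their own behalf:", unexpected_updaters(attempts, allowed={"10.100.0.5"}))
```

The `allowed` set is the list of hosts you expect to send updates, normally just the DHCP server (and whatever the DHCP server's own update key permits); every other address in the report is a client doing its own forward updates, the behaviour the dhcpd.conf statement `ignore client-updates;` suppresses on the DHCP side. Whether updates are denied or merely fail a prerequisite, either outcome on a zone that should only ever be touched by the DHCP server is worth an alert.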

