Dynamic DNS via DHCP

Glenn Satchell Glenn.Satchell at uniq.com.au
Tue Oct 20 00:02:19 UTC 2009

You probably want to allow only the DHCP server to do DNS updates, so in
global you want:

ddns-update-style interim;
ddns-updates off;
deny client-updates;

and in the particular subnet you want:

ddns-updates on;


>Date: Mon, 19 Oct 2009 14:52:42 -0500
>From: Scott Rowley <scottro at netins.net>
>Hello All,
>I'm running into a problem when trying to setup Dynamic DNS via DHCP.  
>I've got it running ok in a test environment but once I move it over to
>the production server and turn it on my log file starts blowing up and
>DHCP starts to seriously slow down.  Below is a modified example of the
>log entry we started getting hammered with.  Over the course of the day
>we figured that we would end up with around 1 million entries.
>Oct 16 07:12:16 dns-prim named[6723]: [ID 873579 local3.error] update-security: 
error: client 10.x.x.x#53308: update '<our main domain>/IN' denied
>The 10.x IP address above is the DHCP servers own private IP address. 
>In the global information in dhcpd.conf I have the following options
>ddns-update-style interim;
>ddns-updates on;
>allow client-updates;
># Include file for Dynamic DNS zones
>include "/isp/dhcp/dhcp.allow.dynamic";
>Then inside dhcp.allow.dynamic I have the following (modified for
>key <key name> {
>  algorithm hmac-md5;
>  secret "<secret>";
>zone sub.example.com {
> primary <primary DNS server IP>;
> key <key name>;
>zone x.x.10.in-addr.arpa {
>  primary <primary DNS server IP>;
>  key <key name>;
>Then within my subnet I have the following (pertinent) entries:
> option domain-name "sub.example.com";
> option docsis-mta.dhcp-server-1 <primary DNS server IP>;
>option host-name "<code>;
>ddns-domainname "sub.example.com";
>ddns-hostname "<code>";
>Again, everything is working fine but once we move it to production
>everything on the planet seems to want to update through us and
>everything gets bogged down, I suspect that it may be too busy denying
>everyone to respond quickly to legit DHCP requests.
>In summary my question is:  Can we turn ddns off globally but then turn
>it on for this one subnet?  I have tried a few tests with this but no
>updates ever showed up in logs, denied or accepted.  Once I put it back
>to Global being on and the subnet being on then the dns updates started
>occuring again.  But again, if I do this on production we get litterally
>millions of denied updates.
>I hope this wasn't clear as mud and thanks in advance for any assistance.
>Thank you,
>Scott Rowley <scottro at netins.net>
>netINS Systems Administrator
>dhcp-users mailing list
>dhcp-users at lists.isc.org

More information about the dhcp-users mailing list