DHCP/DDNS Multi ddns domains

Simon Hobson dhcp1 at thehobsons.co.uk
Sat Jul 11 11:01:45 UTC 2015


Ronald Roeleveld <android at ictinc.nl> wrote:

> My problem starts when I try loading DHCP with a less simplistic configuration.
> 
> I would like the following configuration.
> 
> I want dynamic (unknown) clients to be assigned;
> dynamic.domain.lan
> range 192.168.178.65 192.168.178.126;
> 
> I would like static (known) clients to be assigned;
> domain.lan
> range 192.168.178.1 192.168.178.30;

That's OK - easy to do.
However, why are you splitting the subnet like that - unless you physically separate the clients (by LAN or switch) then it gives you no security whatsoever other than from the most technically illiterate attackers! Anyone can easily sniff network traffic and see what's going on, and they can easily assign themselves a static address to go and talk to the other devices.


> To achieve this I'm using the following configuration file;

Which is broken in several ways! You have put DNS zone declarations, and host declarations, within shared network (and possibly subnet) declarations. These are global in scope and should be declared as such - otherwise you get "interesting" inheritance issues.
Plus it's clear you have not understood what a shared-network is - you've declared one for each subnet, while you actually have only one for the physical network.

Try this (I've removed a few things for clarity - actually a lot of what you've put is not required):

option ntp-servers 194.109.22.18, 194.109.20.18;
option domain-name-servers 192.168.178.24, 192.168.178.20;
default-lease-time 3600;
max-lease-time 7200;
ddns-updates on;
update-static-leases on;
use-host-decl-names on;
ddns-update-style interim;
authoritative;
include "/etc/dhcp/ddns.key";
log-facility local7;
ping-check true;

# Zone declarations are global: they must not sit inside a shared-network or subnet.
# The forward zone names must match the ddns-domainname values used in the pools below.
zone 178.168.192.in-addr.arpa. {
  primary 127.0.0.1;
  key DDNS_UPDATE;
}

zone dynamic.domain.lan. {
  primary 127.0.0.1;
  key DDNS_UPDATE;
}

zone domain.lan. {
  primary 127.0.0.1;
  key DDNS_UPDATE;
}

# One subnet covering 192.168.178.0/25; the two pools split it by client class.
# With a single subnet there is no need for a shared-network declaration.
subnet 192.168.178.0 netmask 255.255.255.128 {
  option routers 192.168.178.1;
  # Dynamic clients
  pool {
    allow unknown-clients;
    range 192.168.178.65 192.168.178.126;
    option domain-name "dynamic.domain.lan";
    ddns-domainname "dynamic.domain.lan";
  }

  # Static clients
  pool {
    deny unknown-clients;
    range 192.168.178.1 192.168.178.30;
    option domain-name "domain.lan";
    ddns-domainname "domain.lan";
  }
}

# Host declarations are global too. Note that dhcpd does not exclude a
# fixed-address from a dynamic range, so 192.168.178.1 should really be kept
# outside the static pool's range above.
host router1-lan {
  option host-name "router1.domain.lan";
  ddns-hostname "router1";
  hardware ethernet C0:25:06:5A:A8:02;
  fixed-address 192.168.178.1;
}
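
As an added example (not part of Simon's reply and not ISC dhcpd code), here is a small Python scope linter for dhcpd.conf that catches the mistakes the reply describes: zone or host declarations nested inside shared-network/subnet/pool blocks, a ddns-domainname whose forward zone is never declared, unbalanced braces, and more than one shared-network for one physical network. It uses a simplified tokenizer (comments, quoted strings, braces, semicolons) rather than a full dhcpd.conf parser, and the two sample configs and the MAC address in them are constructed for the example.

```python
"""Added example, not from the original mail or from ISC dhcpd: a small
dhcpd.conf scope linter for the mistakes discussed in the reply.
Assumption: a simplified tokenizer, not a full dhcpd.conf grammar."""
import re

# Tokens: '#' comment, double-quoted string, brace or semicolon, bare word.
TOKEN_RE = re.compile(r'#[^\n]*|"[^"]*"|[{};]|[^\s{};"#]+')

# Blocks in which zone/host declarations must not appear (they are global).
SCOPED_BLOCKS = {"shared-network", "subnet", "pool"}


def tokenize(text):
    """Split dhcpd.conf text into tokens, dropping comments."""
    return [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]


def lint(text):
    """Return (errors, info) for the given dhcpd.conf text."""
    errors, info = [], []
    stack = []            # kinds of the open blocks, outermost first
    zones = set()         # declared zone names, lower-cased, no trailing dot
    ddns_domains = set()  # every ddns-domainname value seen
    shared_networks = 0
    stmt = []             # words of the statement currently being read

    for tok in tokenize(text):
        if tok == "{":
            kind = stmt[0] if stmt else "?"
            if kind in ("zone", "host") and SCOPED_BLOCKS & set(stack):
                errors.append(f"'{' '.join(stmt)}' declared inside "
                              f"{'/'.join(stack)}: must be global")
            if kind == "zone" and len(stmt) > 1:
                zones.add(stmt[1].rstrip(".").lower())
            if kind == "shared-network":
                shared_networks += 1
            stack.append(kind)
            stmt = []
        elif tok == "}":
            if stack:
                stack.pop()
            else:
                errors.append("unexpected '}' with no open block")
            stmt = []
        elif tok == ";":
            if len(stmt) > 1 and stmt[0] == "ddns-domainname":
                ddns_domains.add(stmt[1].strip('"').rstrip(".").lower())
            stmt = []
        else:
            stmt.append(tok)

    if stack:
        errors.append(f"unclosed block(s): {'/'.join(stack)}")
    for name in sorted(ddns_domains - zones):
        errors.append(f'ddns-domainname "{name}" has no matching zone declaration')
    if shared_networks > 1:
        info.append(f"{shared_networks} shared-network declarations: "
                    "one physical network needs at most one")
    return errors, info


# Constructed sample with the mistakes described in the reply (zone and host
# inside a subnet, one shared-network per subnet, a ddns-domainname with no
# zone). The MAC address is a placeholder.
BROKEN = """
shared-network static {
  subnet 192.168.178.0 netmask 255.255.255.224 {
    range 192.168.178.1 192.168.178.30;
    ddns-domainname "domain.lan";
    zone domain.lan. { primary 127.0.0.1; key DDNS_UPDATE; }
    host router1-lan { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.178.1; }
  }
}
shared-network dynamic {
  subnet 192.168.178.64 netmask 255.255.255.192 {
    range 192.168.178.65 192.168.178.126;
    ddns-domainname "dynamic.domain.lan";   # no zone declared for this name
  }
}
"""

# Constructed sample in the corrected shape: global zones and host, one subnet.
FIXED = """
ddns-update-style interim;
authoritative;
zone 178.168.192.in-addr.arpa. { primary 127.0.0.1; key DDNS_UPDATE; }
zone dynamic.domain.lan. { primary 127.0.0.1; key DDNS_UPDATE; }
zone domain.lan. { primary 127.0.0.1; key DDNS_UPDATE; }
subnet 192.168.178.0 netmask 255.255.255.128 {
  option routers 192.168.178.1;
  pool { allow unknown-clients; range 192.168.178.65 192.168.178.126;
         ddns-domainname "dynamic.domain.lan"; }
  pool { deny unknown-clients; range 192.168.178.2 192.168.178.30;
         ddns-domainname "domain.lan"; }
}
host router1-lan { hardware ethernet 00:11:22:33:44:55; fixed-address 192.168.178.1; }
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        errs, notes = lint(conf)
        print(f"{label}: {len(errs)} error(s)")
        for line in errs + notes:
            print("  -", line)
```

Run it against a real dhcpd.conf with `lint(open("/etc/dhcp/dhcpd.conf").read())` before `dhcpd -t`: dhcpd itself will parse a zone nested in a subnet without complaint, so the inheritance surprises Simon mentions only show up at update time, which is exactly what this check is meant to surface early.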



More information about the dhcp-users mailing list