[Kea-users] Kea DDNS issues

Ben Monroe bendono at gmail.com
Fri May 1 04:27:40 UTC 2020


Hi Joshua,

Thank you for the follow up.
Indeed, as you suggested I can see the listening socket in ss.

# ss -tupnl | grep 53001
udp     UNCONN   0        0           172.16.100.4:53001          0.0.0.0:*
     users:(("kea-dhcp-ddns",pid=1,fd=13))
#

Also as you indicated, this is clearly listening on the internal Docker
network IP rather than the loopback.
Not as I expected, but I am convinced. I also appreciate the additional
comments on security.
After a complete restart of all relevant containers I have begun to see
DDNS updates.

Much appreciated,
Ben Monroe

On Fri, May 1, 2020 at 4:23 AM Joshua Schaeffer <jschaeffer at harmonywave.com>
wrote:

>
>
> On 4/30/20 1:57 AM, Ben Monroe wrote:
>
> I may be wrong, but I would expect that listening on 127.0.0.1 should work
> as it is the server itself.
>
>
> I have more experience with LXD containers than docker containers so I
> could be wrong here, but I would assume that each container has its own
> network namespace therefore D2's containers' loopback is not the same as
> DHCP4's containers' loopback (and both would be different than the host's
> loopback). In either case you would have to send requests to loopback in
> order for that to work and you are sending them to a global address. The IP
> addresses must match between the two configurations. See the note below the
> warning in the documentation link you posted.
>
> Perhaps someone with more knowledge about docker knows if it is possible
> to expose the loopback address from one container to another or share the
> host's. I would assume there are security concerns if this is true.
>
> In fact, the documentation includes a warning for any other configuration:
>
> https://kea.readthedocs.io/en/kea-1.6.1/arm/ddns.html#global-server-parameters
>
>
> Yes it is a security concern to run D2 on a global address. What this
> means is that it is recommended to always run it on the same machine (in
> your case container) as the DHCP4 and/or DHCP6 server(s). Again there may
> be some neat way in docker to avoid all this, but if not just make sure you
> secure that address as much as possible to avoid spoofed DNS change
> requests.
>
> Following your suggestion I installed ss (iproute2). Oddly enough, it does
> not seem to be listening to any ports.
> root@a987aac4aa8b:/# ss
> Netid             State             Recv-Q             Send-Q
>             Local Address:Port                         Peer Address:Port
>
>
> Does running `ss -tupnl | grep 53001` return anything? If not, try that
> command on the docker host. It's unclear if you actually tested a change
> request after restarting D2? Can you try submitting one? You can also sniff
> the wire again to see if traffic is being received this time.
>
> --
> Thanks,
> Joshua Schaeffer
>
>
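The two checks discussed in this thread, the DHCP4 "dhcp-ddns" sender address having to match the D2 "DhcpDdns" listener address, and confirming with `ss -tupnl` that D2 is actually bound where it should be, written up as an added Python example. This is not code from the thread or from ISC's Kea; the config fragments and the `ss` listing are constructed samples (the keys `server-ip`, `server-port`, `ip-address` and `port` are the real Kea ones), and it assumes the config files are plain JSON without Kea's `#`/`//` comment extensions. It also flags a D2 listener on a non-loopback address, which is the exposure the documentation warning is about.

```python
"""Consistency and exposure checks for a Kea DHCP4 -> D2 (kea-dhcp-ddns) pairing.

Added example, not part of the mailing-list thread or of Kea itself.
"""
import ipaddress
import json
import re

# Constructed sample configs (assumption: plain JSON, no Kea comment syntax).
# Keys match Kea 1.6's "dhcp-ddns" (in Dhcp4) and "DhcpDdns" (in kea-dhcp-ddns.conf).
DHCP4_CONF = """
{
  "Dhcp4": {
    "dhcp-ddns": {
      "enable-updates": true,
      "server-ip": "172.16.100.4",
      "server-port": 53001,
      "ncr-protocol": "UDP",
      "ncr-format": "JSON"
    }
  }
}
"""

D2_CONF = """
{
  "DhcpDdns": {
    "ip-address": "172.16.100.4",
    "port": 53001,
    "ncr-protocol": "UDP",
    "ncr-format": "JSON"
  }
}
"""

# Constructed `ss -tupnl` output modelled on the listing in the thread.
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      172.16.100.4:53001  0.0.0.0:*         users:(("kea-dhcp-ddns",pid=1,fd=13))
"""

# Kea's defaults when the keys are omitted: loopback, port 53001.
DEFAULT_ADDR = "127.0.0.1"
DEFAULT_PORT = 53001


def ddns_endpoints(dhcp4_json, d2_json):
    """Return ((sender_ip, sender_port), (listener_ip, listener_port))."""
    dhcp4 = json.loads(dhcp4_json)["Dhcp4"]["dhcp-ddns"]
    d2 = json.loads(d2_json)["DhcpDdns"]
    sender = (dhcp4.get("server-ip", DEFAULT_ADDR), int(dhcp4.get("server-port", DEFAULT_PORT)))
    listener = (d2.get("ip-address", DEFAULT_ADDR), int(d2.get("port", DEFAULT_PORT)))
    return sender, listener


def check_pairing(dhcp4_json, d2_json):
    """Return a list of findings; an empty list means the pairing looks sane."""
    findings = []
    sender, listener = ddns_endpoints(dhcp4_json, d2_json)
    if sender != listener:
        findings.append(
            "mismatch: DHCP4 sends NCRs to %s:%d but D2 listens on %s:%d"
            % (sender + listener)
        )
    addr = ipaddress.ip_address(listener[0])
    if not addr.is_loopback:
        # Any host that can reach this socket can submit DNS change requests,
        # which is why the Kea documentation warns about non-loopback binding.
        findings.append(
            "exposure: D2 bound to non-loopback address %s; restrict reachability" % addr
        )
    return findings


# One `ss -tupnl` row: proto, state, queues, then local addr:port.
SS_LINE = re.compile(r"^udp\s+UNCONN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def listener_found(ss_text, listener):
    """True if the ss listing shows a UDP socket bound to the expected addr:port."""
    host, port = listener
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if m and m.group(1).strip("[]") == host and int(m.group(2)) == port:
            return True
    return False


if __name__ == "__main__":
    for f in check_pairing(DHCP4_CONF, D2_CONF):
        print(f)
    _, d2_listener = ddns_endpoints(DHCP4_CONF, D2_CONF)
    print("D2 socket visible in ss:", listener_found(SS_OUTPUT, d2_listener))
```

Run it against the real files by replacing the two constructed strings with the contents of `kea-dhcp4.conf` and `kea-dhcp-ddns.conf` and the output of `ss -tupnl` from inside the D2 container (or on the host, as suggested in the thread). With the sample values above it reports no mismatch but does flag the non-loopback bind, which is exactly the situation described in this exchange.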