DDNS - limitation and excluding updates from certain networks
Philippe.Simonet at swisscom.com
Wed Dec 20 20:13:51 UTC 2017
Hi Hans,

If you can afford it, use the ISC DHCP server DDNS method:
- Only the DHCP server is allowed to update the DNS server (forward / reverse zone); protect NSUPDATE with an ACL or, better, TSIG.
- In dhcpd.conf:
    ddns-updates on;
    ddns-update-style interim;
    ignore client-updates;
- And, still in dhcpd.conf, set that only in the subnet you want.

The interim style uses a TXT record for each A record to ensure that 'static' DNS entries are not overwritten by a dynamic (DHCP) client.
http://www.zytrax.com/books/dns/ch9/dhcp.html
Philippe
> -----Original Message-----
> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of
> MAYER Hans
> Sent: Wednesday, December 20, 2017 2:27 PM
> To: bind-users at isc.org
> Subject: Re: DDNS - limitation and excluding updates from certain networks
>
>
> Dear Mukund,
>
> Many thanks for coming back.
>
> > You'll have to explain what you mean better for a more specific answer,
> > but see the manual for the "allow-update" ACL config option
>
> In my zone configuration I have an “allow-update” statement.
> Here I define all networks which are allowed to dynamically update the DNS
> entries.
>
> But my zone contains other IP addresses too. Not only those of the PCs.
> These are static names/addresses which are seldom changed.
>
> And of course the complete zone is a dynamic zone.
>
> And I don’t want these static names to be changed by someone out of
> an IP range where it is allowed.
> I didn’t find any hint on how to block certain IP ranges from being
> updated within a dynamic zone.
>
> Hopefully this explains my question a little bit better.
>
>
> // Hans
>
>
>
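The TXT guard of the interim update style mentioned in the message above, as an added example that is not part of the original e-mail and not ISC's code. It is a simplified in-memory model of the two-step forward update described in the dhcpd.conf manual; the zone contents, names, addresses and client identifiers are constructed, and the guard value is reduced to a plain MD5 hex digest.

```python
import hashlib

def hashid(client_id: bytes) -> str:
    """TXT guard value: an MD5 hash over the DHCP client's identification (simplified)."""
    return hashlib.md5(client_id).hexdigest()

class Zone:
    """In-memory stand-in for a dynamic zone: name -> {"A": addr, "TXT": guard}."""

    def __init__(self, static):
        # Static entries are entered by the administrator and carry no TXT guard.
        self.rr = {name: {"A": addr} for name, addr in static.items()}

    def dhcp_update(self, name, addr, client_id):
        """Apply the two-step interim-style forward update; True if the A record was set."""
        guard = hashid(client_id)
        rrset = self.rr.get(name)
        # Step 1: add A + TXT only if the name has no A record yet.
        if rrset is None or "A" not in rrset:
            self.rr[name] = {"A": addr, "TXT": guard}
            return True
        # Step 2: the name exists; replace A only if its TXT record matches this client.
        if rrset.get("TXT") == guard:
            rrset["A"] = addr
            return True
        # No TXT (static entry) or a foreign TXT (another client's lease): refuse.
        return False

def demo():
    zone = Zone({"www.example.org.": "192.0.2.10"})  # constructed static record
    results = {
        "new": zone.dhcp_update("pc1.example.org.", "192.0.2.101", b"client-A"),
        "renew": zone.dhcp_update("pc1.example.org.", "192.0.2.102", b"client-A"),
        "static_name": zone.dhcp_update("www.example.org.", "192.0.2.103", b"client-B"),
        "other_lease": zone.dhcp_update("pc1.example.org.", "192.0.2.104", b"client-B"),
    }
    return zone, results

if __name__ == "__main__":
    zone, results = demo()
    for case, ok in results.items():
        print(f"{case:12} {'applied' if ok else 'refused'}")
    print(zone.rr["www.example.org."], zone.rr["pc1.example.org."])
```

The guard is logic in the DHCP server, not in named, so it protects static names only when the DHCP server is the sole party allowed to send updates, as the first point of the message requires.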