force DDNS update
Carl Karsten
carl at personnelware.com
Tue Apr 24 16:47:14 UTC 2007
Simon Hobson wrote:
> Carl Karsten wrote:
>
>> >> But that will cause dhcp to remove an A record and allow the
>> dhcp request that
>>>> you describe: someone could name their client "server"...
>>> Except that very few people use dynamic DNS updates to put their
>>> important services into DNS - except Windows of course which seems to
>>> live off DNS updates !
>>>
>>> Even if you give servers their address by DHCP, it would normally be
>>> a fixed address which by default would not trigger DDNS - hence
>>> manually adding teh DNS records.
>
>> So even more reason to add an option that turns off the "safety feature"
>
> No, the point is that normally you would put fixed records into DNS
> for your servers - and DHCP will NOT replace these. If your user set
> their client name to "server" then the DDNS update would fail because
> there would NOT be the correct key (TXT record) to go with the
> existing A record.
>
> The client could only take over DNS records for a client with
> Dynamically set DNS records - as you've figured, fake a release
> packet from the other device, set your client name to be the same as
> the other device, go get a lease.
>
> If you are really clever AND the other device doesn't respond to
> pings, request the address you've just has released and take the
> other device offline completely. If the other device does reply to
> pings, I think you can do two discovers, one results in the address
> being abandoned, the second will get it issued to you I think (just
> going from something that came up recently).
>
Um, you have drifted from your original scenario:
>>> This is a
>>> safety feature - otherwise someone could name their client "server"
>>> and the DHCP server would happily replace the A record for you
>>> important server of the same name with one that points to the client,
>>> with the obvious effects on the network !
What I am saying is the safety feature can be worked around pretty easily:
Box1: hostname:server - DHCPREQUEST, gets 10.1.1.1, ddns sets server=10.1.1.1
other boxes resolve 'server" to 10.1.1.1 which is Box1
Box2: (rouge malicious) clone Box1's mac, hostname:server - DHCPRELEASE. This
causes ddns to remove the server=10.1.1.1 entry.
Box2: sets mac back to real mac, hostname:server - DHCPREQUEST, gets 10.1.1.2,
ddns sets server=10.1.1.2.
other boxes resolve 'server" to 10.1.1.2 which is Box2.
So only Box1 has 10.1.1.1, but the dns entry not maps "server" to Box2's IP.
I do understand that "safety feature" is not security, it just helps keep
missconfigured boxes from screwing up the rest of the network.
Carl K
More information about the dhcp-users
mailing list