guarantee RFC standardized hostname
Frank Sweetser
fs at WPI.EDU
Wed Aug 24 23:50:36 UTC 2011
On 8/24/2011 5:25 PM, Kevin Fitzgerald wrote:
> Hi Group,
>
> For quite some time we have been generating DHCP ddns hostnames as follows:
>
> if exists host-name {
> ddns-hostname = concat (lcase (option host-name) , "-" ,
> binary-to-ascii(10 , 8 , "-" , leased-address));
> }
> else {
> ddns-hostname = concat("dhcp-" , binary-to-ascii(10 , 8 , "-" ,
> leased-address));
> }
I have to say, you're a *lot* more trusting than we are here. As a
general principle, we never trust user data any more than we have to, and only
after it's been through some form of strict sanitizing process, preferably a
default-deny one.
> This is not an uncommon format. It helps us ensure unique host names on our
> network. Lately I notice a handful of user devices that present host names
> with invalid characters, such as android_blah or "nintendo 3ds" with a space
> in the middle (no quotes).
> What are you folks doing to mitigate this? As it stands these users do not
> receive valid NS records and we get a bevy of log messages when illegal
> characters are in the hostname.
>
> - I have seen mention of the use of regex in the man pages for dhcp-eval. Is
> there a method to examine the host-name for invalid characters, replacing them
> with a hyphen or otherwise? (Is there REGEX evaluation available within
> dhcpd.conf)
> - if there is no way to do a character by character replace, can I fail down
> to my else condition, simply prepending dhcp- to the front of the IP address?
I'm assuming that you don't have any kind of pre-existing records for these
hosts? We track all hosts here, and force a hostname to be defined at
registration time, with all of the usual validity and uniqueness checks. We
then feed this data into our dhcp configuration files, and all client supplied
ddns hostname values are summarily ignored.
If that's not an option for you, I would do the second option, but go further.
Don't bother with ddns at all - just dump in static DNS records for all of the
IP addresses in your pools. That way you don't have to depend on the ddns
linkage between DNS and DHCP, and you don't burn CPU cycles always associating
the same hostnames with the same IP addresses, and constantly trigger zone
refreshes every time a laptop connects.
--
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
Manager of Network Operations | is simple, elegant, and wrong.
Worcester Polytechnic Institute | - HL Mencken
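An added example, not from the thread or from ISC dhcpd, showing how the default-deny sanitizing Frank describes could be applied to the client-supplied host-name before it is concatenated into a ddns-hostname the way Kevin's snippet does. The RFC 1123 label rules and the Python rendering of binary-to-ascii(10, 8, "-", leased-address) are my assumptions, and this would run in whatever generates the registration data or configuration, not inside dhcpd.conf.

```python
import re
import ipaddress
from typing import Optional

# Assumed rule set (not from the thread): an RFC 1123 hostname label holds
# only letters, digits and hyphens, is at most 63 octets, and may not begin
# or end with a hyphen. Anything else is replaced, never passed through.
LABEL_MAX = 63
_INVALID = re.compile(r"[^a-z0-9-]+")


def sanitize_label(raw: str, max_len: int = LABEL_MAX) -> str:
    """Lower-case a client host-name and reduce it to a valid DNS label.

    Returns "" when nothing usable survives, so the caller can fall back to
    the address-only name exactly like the else-branch in the dhcpd.conf.
    """
    label = _INVALID.sub("-", raw.strip().lower())   # e.g. "nintendo 3ds" -> "nintendo-3ds"
    label = re.sub(r"-{2,}", "-", label).strip("-")  # collapse runs, drop edge hyphens
    return label[:max_len].rstrip("-")


def ddns_hostname(host_name: Optional[str], leased_address: str) -> str:
    """Mirror the thread's concat logic with sanitizing added.

    binary-to-ascii(10, 8, "-", leased-address) renders an IPv4 address as
    decimal octets joined by '-', e.g. 10.1.2.3 -> '10-1-2-3'.
    """
    addr = ipaddress.IPv4Address(leased_address)     # rejects malformed input
    dashed = "-".join(str(octet) for octet in addr.packed)
    # Leave room for "-" + the address so the whole label stays <= 63 octets.
    room = LABEL_MAX - len(dashed) - 1
    label = sanitize_label(host_name, room) if host_name else ""
    if label:
        return f"{label}-{dashed}"
    return f"dhcp-{dashed}"


if __name__ == "__main__":
    # Constructed sample inputs modelled on the ones Kevin reports.
    for name in ("android_blah", "nintendo 3ds", "___", None):
        print(repr(name), "->", ddns_hostname(name, "10.1.2.3"))
```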