DHCP server does not update DNS

Richard Allen ra at ra.is
Tue Dec 20 18:14:18 UTC 2011


Hello all

I have a recent setup of dhcp and dns on two RHEL6.2 machines. Software
versions are as follows:

[root at wanda ~]# rpm -q bind dhcp
bind-9.7.3-8.P3.el6_2.1.x86_64
dhcp-4.1.1-25.P1.el6_2.1.x86_64

There are two machines (wanda and tamar).  Wanda is the primary DNS server
for the domain and reverse maps.  Tamar is a secondary server off Wanda. 
Both machines run DHCP in a failover configuration.
My problem is that dhcpd doesn't seem to do anything with DNS except in very
few cases. At first it was very active registering things but now it does
almost nothing. I'm not using keys to control access to DDNS but IP
addresses, and I know that's insecure, but still...

Relevant configs follow (domain name's changed to protect the innocent) :)

Primary DNS named.conf:

[snip]
acl updaters {
    127.0.0.1/32;
    172.29.100.96/32;
    172.29.100.97/32;
    172.23.100.60/32;
    172.23.100.61/32;
};
[snip]
options {
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localnet; };
    allow-recursion { localnet; };

    check-names master ignore;
    check-names slave ignore;
    check-names response ignore;

    forward first;
    forwarders {
        x.x.x.x;   // censored
        y.y.y.y;    // censored
    };
};
[snip]
zone "censored.com" IN {
    type master;
    allow-transfer { slaves; };
    allow-update { updaters; };
    file "dynamic/censored.com.dynamiczone";
    also-notify { 172.29.100.97; };
};
[snip]
zone "100.23.172.in-addr.arpa." IN {
    type master;
    allow-transfer { slaves; };
    allow-update { updaters; };
    file "dynamic/100.23.172.in-addr.arpa.dynamiczone";
    also-notify { 172.29.100.97; };
};
[snip]



Those are the important parts of named.conf on the master. The updater ACL
contains both dhcp servers and both AD servers. The slave is just a slave.
dhcpd is configured as follows:

authoritative;
ddns-update-style interim;
ddns-updates on;
deny client-updates;

failover peer "dhcp-failover" {
        primary;
        address 172.29.100.96;
        port 647;
        peer address 172.29.100.97;
        peer port 647;
        max-response-delay 30;
        max-unacked-updates 10;
        load balance max seconds 3;
        mclt 1800;
        split 128;
}
[snip]
subnet 172.23.100.0 netmask 255.255.252.0 {
        ddns-domainname "censored.com";
        option domain-name "censored.com";
        option domain-name-servers 172.29.100.96, 172.29.100.97;
        authoritative;
        ddns-update-style interim;
        ddns-updates on;
        deny client-updates;
        option routers 172.23.100.254;
        option subnet-mask 255.255.252.0;
        option broadcast-address 172.23.103.255;
        option time-offset 0;
        option ntp-servers 172.29.100.96, 172.29.100.97;
        option netbios-name-servers 172.23.100.60, 172.23.100.61;
        one-lease-per-client on;
        option ip-forwarding off;
        default-lease-time 14400;
        max-lease-time 14401;
        next-server 172.23.100.37;
        filename "\\OSChooser\\i386\\startrom.com";
        pool {
                failover peer "dhcp-failover";
                range 172.23.101.1 172.23.101.250;
                host censored1 {
                        hardware ethernet 18:a9:05:fc:6b:88;
                        fixed-address censored1.censored.com;
                        max-lease-time 28800;
                        option host-name "censored1.censored.com";
                }
                host censored2 {
                        hardware ethernet 18:a9:05:fc:6b:87;
                        fixed-address censored2.censored.com;
                        max-lease-time 28800;
                        option host-name "censored2.censored.com";
                }
        }
        zone censored.com. {
                primary 172.29.100.96;
        }
        zone 100.23.172.in-addr.arpa. {
                primary 172.29.100.96;
        }
        if exists vendor-encapsulated-options {
                ddns-updates off;
                option vendor-encapsulated-options 3a:02:00:19:ff;
        }
}
[snip]

Multiple other subnets follow, all identical. That
vendor-encapsulated-options clause is something the company running the IP
telephones demanded to be added to the dhcp server and I have no clue what
it actually does.
The slave dhcp server has identical config except for the failover peer
section, which reads:

failover peer "dhcp-failover" {
        secondary;
        address 172.29.100.97;
        port 647;
        peer address 172.29.100.96;
        peer port 647;
        max-response-delay 30;
        max-unacked-updates 10;
        load balance max seconds 3;
}


Everything seems to be working just right except for the fact that the dhcp
server seems to have stopped registering anything into DNS.
I tried doing "ipconfig /release" and "ipconfig /renew" on a windows box and
that did not get the machine registered.

Logs show some strange behavior.  Here are the logs from when I did the
release and renew on the windows client:

Dec 20 14:44:03 wanda dhcpd: DHCPRELEASE from 00:0f:fe:80:50:3e via
172.23.200.2: unknown network segment
Dec 20 14:44:03 wanda dhcpd: DHCPRELEASE of 172.23.101.114 from
00:0f:fe:80:50:3e (censored5) via eth0 (found)
Dec 20 14:44:03 wanda dhcpd: DHCPRELEASE of 172.23.101.114 from
00:0f:fe:80:50:3e (censored5) via 172.23.100.252 (found)
Dec 20 14:44:19 wanda dhcpd: DHCPDISCOVER from 00:0f:fe:80:50:3e via
172.23.100.254
Dec 20 14:44:20 wanda dhcpd: DHCPOFFER on 172.23.101.114 to
00:0f:fe:80:50:3e (censored5) via 172.23.100.254
Dec 20 14:44:20 wanda dhcpd: DHCPREQUEST for 172.23.101.114 (172.29.100.96)
from 00:0f:fe:80:50:3e (censored5) via 172.23.100.254
Dec 20 14:44:20 wanda dhcpd: DHCPACK on 172.23.101.114 to 00:0f:fe:80:50:3e
(censored5) via 172.23.100.254
Dec 20 14:44:22 wanda named[2897]: client 172.23.101.114#10410: update
'censored.com/IN' denied

Only the client itself tried to register to DNS (in spite of the deny
client-updates directive).

Can anyone suggest a way to get this working as it should?

Thanks in advance.
Richard.


-- 
Rikki.         --  RHCE, RHCX, HP-UX Certified Administrator.
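The post restricts dynamic updates by source address only, which the poster notes is insecure: anything that can spoof or obtain one of the listed addresses can rewrite the zone. The fragments below are an added example, not part of the original post and not the poster's configuration, showing the same two zones protected with a shared TSIG key instead. The key name `ddns-key` and the secret string are placeholders (generate a real one with the dnssec-keygen command in the comment); the zone names, file names and addresses are the ones from the post. HMAC-MD5 is used because it is the TSIG algorithm the ISC dhcp 4.1 series supports.

```conf
# Generate the shared secret once (bind 9.7 ships dnssec-keygen):
#   dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ddns-key
# Copy the "Key:" value from the resulting Kddns-key.+157+NNNNN.private file
# into both key statements below. The secret shown here is a placeholder.

# --- named.conf on wanda (master) ---------------------------------------
key "ddns-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-SECRET==";   // placeholder, not a real key
};

zone "censored.com" IN {
    type master;
    allow-transfer { slaves; };
    allow-update { key "ddns-key"; };        // was: allow-update { updaters; };
    file "dynamic/censored.com.dynamiczone";
    also-notify { 172.29.100.97; };
};

zone "100.23.172.in-addr.arpa." IN {
    type master;
    allow-transfer { slaves; };
    allow-update { key "ddns-key"; };
    file "dynamic/100.23.172.in-addr.arpa.dynamiczone";
    also-notify { 172.29.100.97; };
};

# --- dhcpd.conf on BOTH wanda and tamar ----------------------------------
# Either failover peer may hand out a lease and send the matching update,
# so the secondary needs the same key; with TSIG the update's source
# address no longer matters.
key ddns-key {
    algorithm hmac-md5;
    secret REPLACE-WITH-BASE64-SECRET==;     # same placeholder as above
}

zone censored.com. {
    primary 172.29.100.96;
    key ddns-key;
}

zone 100.23.172.in-addr.arpa. {
    primary 172.29.100.96;
    key ddns-key;
}
```

To check the server side independently of dhcpd, run `nsupdate -k Kddns-key.+157+NNNNN.private` from one of the DHCP hosts and add a test A record; a successful signed update is logged by named as `update 'censored.com/IN' approved` with the signer name, while an unsigned attempt like the client's in the log above is still denied. If the AD servers at 172.23.100.60 and .61 must keep updating without a key, list their addresses alongside the key in `allow-update` (BIND accepts a mix of address and key elements in one ACL) rather than leaving the whole zone open to the `updaters` list.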



