Underscores and Latin2 characters in ISC DHCP + BIND9 DDNS hostnames

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Fri May 20 18:58:42 UTC 2022


Dear All,

After writing to the list I suddenly got some inspiration not seen in 
months. Thanks for your thoughts,
and silent prayers ...

What I came up with is this:

if ((substring (option host-name, 0, 3) = "PC-")      or
     (substring (option host-name, 0, 8) = "DESKTOP-") or
     (substring (option host-name, 0, 4) = "ALU-")     or
     (substring (option host-name, 0, 2) = "S-")       or
     (substring (option host-name, 0, 3) = "NO-")      or
     (substring (option host-name, 0, 6) = "OKIRU-")   or
     (substring (option host-name, 0, 7) = "OZAFIN-")  or
     (substring (option host-name, 0, 8) = "MikroTik")) {
         default-lease-time 43200;
} else {
         default-lease-time 1800;
}

# mtodorov 20220520, from dhcp-users
if (not (option host-name ~~ "^[a-z0-9][a-z0-9\-]+[a-z0-9]$")) {
         set new_host-name = concat("host-", binary-to-ascii(16, 8, "-", substring(hardware, 1, 6)));
         log(concat("invalid hostname: ", option host-name, " => ", new_host-name));
         ddns-hostname = new_host-name;
} elsif (exists host-name) {
         ddns-hostname = option host-name;
}

I came across the notion that "or" might have greater priority than the "=" comparison and added plenty of parentheses.
Now it appears to work as expected (part 2, the allotment of default-lease-time by the type of device).

However, the solution of substituting a hostname derived from the MAC address when there is a "_" or a UTF-8 character in option host-name is only partially satisfactory. I can look up the type of device and vendor by MAC, unless it is also forged by hiding the original hardware MAC, which, as you know, is trivial to do and the default on some smartphones (like my device).

I considered the execute() statement, but it doesn't seem to return anything but the exit status code.

Alternatively, I can set "check-names warn;" in BIND9 named.conf.local for the dynamically updated zone, but this is less than optimal, as it could open the door to spoofed-hostname attacks on old DNS servers that do not talk UTF-8.

I can't see any such option in the dhcpd.conf (5) or dhcp-eval (5) manual pages, nor on kb.isc.org. Perhaps Kea has such an option. It seems rather straightforward to have something like:

if (not (option host-name ~~ "^[a-z0-9][a-z0-9\-]+[a-z0-9]$")) {
         set new_host-name = translit (option host-name, "_ČĆĐŠŽčćđšž", "-CCDSZccdsz");
         log(concat("invalid hostname: ", option host-name, " => ", new_host-name));
         ddns-hostname = new_host-name;
} elsif (exists host-name) {
         ddns-hostname = option host-name;
}

Kind regards,
Mirsad

On 5/20/2022 12:09 PM, Mirsad Todorovac wrote:
> Dear All,
>
> 1. I was receiving errors for a long time like this one:
>
> May 20 11:50:42 domac dhcpd[29435]: DHCPREQUEST for 192.168.100.59 
> from a8:7d:12:f8:e8:6c (HUAWEI_Y7_Prime_2018-d716) via eth0
> May 20 11:50:42 domac dhcpd[29435]: DHCPACK on 192.168.100.59 to 
> a8:7d:12:f8:e8:6c (HUAWEI_Y7_Prime_2018-d716) via eth0
> May 20 11:50:42 domac dhcpd[29435]: Unable to add forward map from 
> HUAWEI_Y7_Prime_2018-d716.local.alu.hr to 192.168.100.59: REFUSED
>
> May 20 11:48:47 domac named[5524]: zone local.alu.hr/IN: 
> Win-Ra\159unalo.local.alu.hr/A: bad owner name (check-names)
> May 20 11:48:47 domac dhcpd[29435]: Unable to add forward map from 
> Win-Ra�unalo.local.alu.hr to 192.168.100.235: REFUSED
>
> Additionally, some users have added ČĆĐŠŽčćđšž Latin2 characters to 
> hostnames or smartphone names on WLAN.
>
> It is difficult to change all of these, especially on users' smartphones, 
> whose owners usually connect without even seeing us administrators.
> Also, disabling BIND9 name checks might make users unable to browse, as 
> some other services would reject their reverse DNS names as spoofed.
>
> It would be very useful if there was a way to do in DHCPD dhcp-eval 
> scripting what is done with the effect of:
>
> % tr '_ČĆĐŽŠčćđšž' '-CCDSZccdsz' < in > out
>
> that is, transliterate characters, or search & replace. I couldn't 
> find that option in dhcpd.conf nor in dhcp-eval.
>
> 2. I have also tried this to give PCs a 12h lease time and smartphones 
> 30 min, but it did not work:
>
> if substring (option host-name, 0, 3) = "PC-" or
>    substring (option host-name, 0, 8) = "DESKTOP-" or
>    substring (option host-name, 0, 4) = "ALU-" or
>    substring (option host-name, 0, 2) = "S-" or
>    substring (option host-name, 0, 3) = "NO-" or
>    substring (option host-name, 0, 6) = "OKIRU-" or
>    substring (option host-name, 0, 7) = "OZAFIN-" or
>    substring (option host-name, 0, 8) = "MikroTik"
> {
>         default-lease-time 43200;
> } else {
>         default-lease-time 1800;
> }
>
> Thank you very much.
>
> My version of DHCPD is:
>
> root at domac:~# dpkg -l isc-dhcp-server
> ii  isc-dhcp-server 4.4.1-2+deb10u1 amd64        ISC DHCP server for 
> automatic IP address assignment
> root at domac:~#
>
> Best regards,
> Mirsad Todorovac
>
-- 
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355