[Kea-users] Kea DDNS issues

Joshua Schaeffer jschaeffer at harmonywave.com
Thu Apr 30 19:23:39 UTC 2020



On 4/30/20 1:57 AM, Ben Monroe wrote:
> I may be wrong, but I would expect that listening on 127.0.0.1 should work as it is the server itself.

I have more experience with LXD containers than docker containers so I could be wrong here, but I would assume that each container has its own network namespace, therefore D2's container's loopback is not the same as DHCP4's container's loopback (and both would be different than the host's loopback). In either case you would have to send requests to loopback in order for that to work and you are sending them to a global address. The IP addresses must match between the two configurations. See the note below the warning in the documentation link you posted.

Perhaps someone with more knowledge about docker knows if it is possible to expose the loopback address from one container to another or share the host's. I would assume there are security concerns if this is true.

> In fact, the documentation includes a warning for any other configuration:
> https://kea.readthedocs.io/en/kea-1.6.1/arm/ddns.html#global-server-parameters

Yes, it is a security concern to run D2 on a global address. What this means is that it is recommended to always run it on the same machine (in your case container) as the DHCP4 and/or DHCP6 server(s). Again, there may be some neat way in docker to avoid all this, but if not, just make sure you secure that address as much as possible to avoid spoofed DNS change requests.

> Following your suggestion I installed ss (iproute2). Oddly enough, it does not seem to be listening to any ports.
> root@ a987aac4aa8b:/# ss
> Netid             State             Recv-Q             Send-Q                         Local Address:Port     Peer Address:Port

Does running `ss -tupnl | grep 53001` return anything? If not, try that command on the docker host. It's unclear if you actually tested a change request after restarting D2. Can you try submitting one? You can also sniff the wire again to see if traffic is being received this time.

-- 
Thanks,
Joshua Schaeffer
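
Added example, not part of the original message: a small Python check that the address and port kea-dhcp4 sends change requests to (`dhcp-ddns` `server-ip` / `server-port`) match what D2 listens on (`DhcpDdns` `ip-address` / `port`), and that flags a non-loopback listener. The two sample configs are constructed, and the function name and finding codes are hypothetical.

```python
import ipaddress
import json

# Constructed sample configs, not taken from the thread. Plain JSON only;
# real Kea files may contain comments, which json.loads() will not accept.
DHCP4_CONF = '''{"Dhcp4": {"dhcp-ddns": {
    "enable-updates": true, "server-ip": "172.17.0.3", "server-port": 53001}}}'''
D2_CONF = '{"DhcpDdns": {"ip-address": "127.0.0.1", "port": 53001}}'


def check_ddns_pair(dhcp4_text, d2_text):
    """Return (code, message) findings for a kea-dhcp4 / D2 config pair."""
    sender = json.loads(dhcp4_text)["Dhcp4"].get("dhcp-ddns", {})
    listener = json.loads(d2_text)["DhcpDdns"]
    # Kea defaults on both sides: 127.0.0.1, port 53001, updates disabled.
    send_ip = ipaddress.ip_address(sender.get("server-ip", "127.0.0.1"))
    send_port = sender.get("server-port", 53001)
    listen_ip = ipaddress.ip_address(listener.get("ip-address", "127.0.0.1"))
    listen_port = listener.get("port", 53001)

    findings = []
    if not sender.get("enable-updates", False):
        findings.append(("updates-disabled",
                         "kea-dhcp4 will not send change requests to D2"))
    if send_ip != listen_ip:
        findings.append(("ip-mismatch",
                         f"kea-dhcp4 sends to {send_ip}, D2 listens on {listen_ip}"))
    if send_port != listen_port:
        findings.append(("port-mismatch",
                         f"kea-dhcp4 sends to port {send_port}, D2 listens on {listen_port}"))
    if not listen_ip.is_loopback:
        findings.append(("non-loopback-listener",
                         f"D2 accepts change requests on {listen_ip}; "
                         "restrict which hosts can reach that port"))
    elif send_ip == listen_ip:
        # Matching loopback addresses only work inside one network namespace.
        findings.append(("loopback-needs-shared-netns",
                         "loopback is per container unless the namespace is shared"))
    return findings


if __name__ == "__main__":
    for code, message in check_ddns_pair(DHCP4_CONF, D2_CONF):
        print(f"{code}: {message}")
```

The check reads only the two files, so it cannot tell whether the daemons actually share a network namespace; `ss -tupnl` inside each container remains the way to confirm what is really listening.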
