BIND 9/8 Question DDNS Question

Kevin Darcy kcd at daimlerchrysler.com
Fri Nov 16 00:11:53 UTC 2001


Richard,

The job of the nameserver is to accept whatever updates are given to it,
from whomever it trusts to make those updates. Really, the kind of fine-grained
control you're asking about probably belongs in the DHCP server rather than in the
DNS server. But this isn't a DHCP list.


- Kevin

Richard Phillips wrote:

> Cricket,
> Actually these are methods of control that are currently in place for the
> "company.com" zone.  In the situation described below the DHCP server is
> defined in the "allow-update" control field.
>
> Scenario:
>
> Let's just say that you enable DHCP on your servers.  Define them manually,
> so that they have the same IP address all the time.  Mail.company.com =
> 10.10.10.100
>
> Now let's say that I plug into the same network, and my workstation name is
> mail.  I now get a DHCP offered lease of 10.10.10.250, and a DHCP offered
> domain of company.com.  What is my FQDN??  Won't it be mail.company.com??
> Won't we now have a round robin for mail.company.com??  What would prevent
> this from happening?? Even if I was not in the same network as the original
> mail server, wouldn't this work if I was served by the same DHCP server.
> This is due to the fact that the DHCP server is authorized to update the
> zone via the "Allow-update" parameter, right??
>
> mail.company.com        10.10.10.100
> mail.company.com        10.10.10.250
> (Won't I now get, due to the round robin, 50% of the hits??)
>
> So now, without releasing my address, I plug into a different network
> that is serviced by the same DHCP server, and I get the following offer:  IP
> = 10.20.100.200 Domain = company.com.  Won't it now create an additional
> record in the round robin??
>
> mail.company.com        10.10.10.100
> mail.company.com        10.10.10.250
> mail.company.com        10.20.100.200
> (Won't I now get, due to the round robin, 33% of the hits??)
>
> End of Scenario:
>
> Am I making too much of this, or is there a mechanism that prevents this
> from happening??  Or is this scenario the responsibility of the organization
> to ensure that NO ONE has the capability to provide similar names within a
> given zone??
>
> Rich
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
> Behalf Of Cricket Liu
> Sent: Thursday, November 15, 2001 4:43 PM
> To: Richard J. Phillips Jr.; Bind Users
> Subject: RE: BIND 9/8 Question DDNS Question
>
> > I know what I've experienced, but I'm wondering if there is something new,
> > that I haven't seen/enabled yet!
> >
> > What BIND option, if any, would prevent DNS name hijacking?
> >
> > Scenario: What if I changed my name to mail.company.com, enabled my
> > interface for DHCP, and then obtained a lease?  Wouldn't my newly changed
> > name become the "mail.company.com" A Record?  Therefore now all internal
> > SMTP mail (Assuming MX records, blah, blah) would be routed to me.  Page
> > 252 in the "DNS Dynamic Update" chapter of DNS & BIND V4 talks briefly
> > about this occurrence, but doesn't describe the behavior that would happen.
> >
> > QUOTE: "only if the domain name Armageddon.fx.movie.edu isn't currently
> > being used, or only if Armageddon.fx.movie.edu currently has no address
> > records".
> >
> > Question: What happens if the DHCP Server sends an update to the
> > Authoritative zone server, the record exists, but has a different IP
> > address, will it add it (creating a round robin), will it replace it, or
> > what??
>
> Boy, did you ever take that quote out of context.  That's simply an
> example of what you can do with dynamic update.  Did you read the
> section on p. 255 called "Update Access Control Lists"?
>
> cricket
>
> Men & Mice
> DNS Software & Services
> www.menandmice.com
>
> Attend our next DNS and BIND class!  See
> http://www.menandmice.com/8000/8000_dns_training.html
> for the schedule and to register for upcoming classes
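
Whether the update in Richard's scenario is added, replaces the record, or is rejected depends on the prerequisites the updater sends with it. The following is an added example, not code from the thread or from BIND: a small model of RFC 2136 prerequisite handling applied to the scenario's records. The function names and the dict-based zone are assumptions made for illustration, and authorization (`allow-update`) is taken as already granted.

```python
# Added example: RFC 2136 update semantics for the thread's mail.company.com case.
# prereq values mirror nsupdate's "prereq nxdomain" / "prereq nxrrset".
NOERROR, YXDOMAIN, YXRRSET = "NOERROR", "YXDOMAIN", "YXRRSET"

def apply_update(zone, name, rtype, rdata, prereq=None, replace=False):
    """Apply one 'add' to zone (name -> rtype -> set of rdata); return the rcode.

    prereq=None                   : unconditional add (RRset grows: round robin)
    prereq="name-not-in-use"      : fail with YXDOMAIN if the name owns any RR
    prereq="rrset-does-not-exist" : fail with YXRRSET if name/rtype has any RR
    replace=True                  : delete the RRset, then add (one update)
    """
    name = name.lower().rstrip(".")          # DNS names compare case-insensitively
    rrsets = zone.get(name, {})
    if prereq == "name-not-in-use" and any(rrsets.values()):
        return YXDOMAIN                      # zone is left untouched
    if prereq == "rrset-does-not-exist" and rrsets.get(rtype):
        return YXRRSET                       # zone is left untouched
    node = zone.setdefault(name, {})
    if replace:
        node[rtype] = set()
    node.setdefault(rtype, set()).add(rdata) # adding an identical RR is a no-op
    return NOERROR

def scenario(prereq):
    """Replay the thread's two DHCP leases against the static mail server record."""
    zone = {"mail.company.com": {"A": {"10.10.10.100"}}}   # constructed sample zone
    rcodes = [apply_update(zone, "Mail.company.com.", "A", ip, prereq=prereq)
              for ip in ("10.10.10.250", "10.20.100.200")]
    return rcodes, sorted(zone["mail.company.com"]["A"])

if __name__ == "__main__":
    for p in (None, "rrset-does-not-exist", "name-not-in-use"):
        print(p, scenario(p))
```

With no prerequisite the server ends up with all three addresses; with either prerequisite the static record survives and the updater gets an error it can log or act on.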


