DDNS - limitation and excluding updates from certain networks
MAYER Hans
Hans.Mayer at iiasa.ac.at
Mon Dec 25 17:08:35 UTC 2017
Dear Philippe,
thanks for your reply.
> - and, always in dhcpd.conf, set that only in the subnet you want.
Of course, but this does not prevent a client from taking a name which is already in use in another protected network.
The name of the client comes from the client itself and not from the DHCP server.
> The interim style uses, for each A record, a TXT record to ensure that 'static' DNS entries are not overwritten by a dynamic (DHCP) client.
Ah. This would be great if this works.
I have to test. I will report to you. But after New Year.
Kind regards
Hans
> On 20.12.2017, at 21:13, Philippe.Simonet at swisscom.com wrote:
>
> Hi Hans
>
> If you can afford it, use the ISC DHCP server DDNS method:
>
> - only the DHCP server is allowed to update the DNS server (forward / reverse zone); protect NSUPDATE with an ACL, or better, TSIG
> - in dhcpd.conf:
>     ddns-updates on;
>     ddns-update-style interim;
>     ignore client-updates;
> - and, always in dhcpd.conf, set that only in the subnet you want.
>
> The interim style uses, for each A record, a TXT record to ensure that 'static' DNS entries are not overwritten by a dynamic (DHCP) client.
>
> http://www.zytrax.com/books/dns/ch9/dhcp.html
>
>
> Philippe
>
>
>> -----Original Message-----
>> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of
>> MAYER Hans
>> Sent: Wednesday, December 20, 2017 2:27 PM
>> To: bind-users at isc.org
>> Subject: Re: DDNS - limitation and excluding updates from certain networks
>>
>>
>> Dear Mukund,
>>
>> Many thanks for coming back.
>>
>>> You'll have to explain what you mean better for a more specific answer,
>>> but see the manual for the "allow-update" ACL config option
>>
>> In my zone configuration I have an “allow-update” statement.
>> Here I define all networks which are allowed to dynamically update the DNS
>> entries.
>>
>> But my zone contains other IP addresses too. Not only those of the PCs.
>> These are static names/addresses which are seldom changed.
>>
>> And of course the complete zone is a dynamic zone.
>>
>> And I don’t want these static names to be changeable by someone from
>> an IP range where updates are allowed.
>> I didn’t find any hint to block certain IP ranges to be updated within a
>> dynamic zone.
>>
>> Hopefully this explains my question a little bit better.
>>
>>
>> // Hans
>>
>>
>>
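The TXT-record guard that Philippe describes for `ddns-update-style interim`, modelled in Python as an added example; it is not part of the original thread and is not ISC's code. The zone dictionary, host names, addresses and the SHA-256 client tag are constructed assumptions, and dhcpd's real TXT encoding differs.

```python
import hashlib

def client_tag(client_id: bytes) -> str:
    # Assumption: a plain SHA-256 stands in for dhcpd's real TXT encoding.
    return hashlib.sha256(client_id).hexdigest()[:32]

def interim_update(zone: dict, name: str, addr: str, client_id: bytes) -> str:
    """Model the two conditional updates sent for one lease.

    zone maps an owner name to {"A": set of addresses, "TXT": set of tags}.
    Returns "added", "refreshed" or "refused".
    """
    tag = client_tag(client_id)
    rrsets = zone.get(name)
    # Update 1: prerequisite "name is not in use", then add A and TXT.
    if not rrsets or not any(rrsets.values()):
        zone[name] = {"A": {addr}, "TXT": {tag}}
        return "added"
    # Update 2: prerequisite "TXT with this client's tag exists", then
    # replace the A record. A static name carries no such TXT.
    if tag in rrsets.get("TXT", set()):
        rrsets["A"] = {addr}
        return "refreshed"
    # Owned by a static entry or by another client: zone is left unchanged.
    return "refused"

def demo() -> tuple:
    # Constructed zone: "fileserver" is a hand-maintained static entry.
    static = "fileserver.example.org."
    zone = {static: {"A": {"192.0.2.10"}, "TXT": set()}}
    pc1, pc2 = b"\x01\x02\x00\x5e\x00\x53\x01", b"\x01\x02\x00\x5e\x00\x53\x02"
    results = {
        # A PC announcing the hostname of the static server is refused.
        "static_clash": interim_update(zone, static, "198.51.100.23", pc1),
        "new_pc": interim_update(zone, "pc1.example.org.", "198.51.100.23", pc1),
        # Same client, new lease address: allowed to replace its own record.
        "renew": interim_update(zone, "pc1.example.org.", "198.51.100.40", pc1),
        # Another client claiming pc1's name is refused.
        "other_pc": interim_update(zone, "pc1.example.org.", "198.51.100.41", pc2),
    }
    return results, zone

if __name__ == "__main__":
    for case, outcome in demo()[0].items():
        print(f"{case}: {outcome}")
```

The check lives in the prerequisites of the updates the DHCP server sends, so it protects static names only when the DHCP server is the sole party allowed to update the zone, as the first bullet in Philippe's reply requires.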