DDNS - limitation and excluding updates from certain networks

MAYER Hans Hans.Mayer at iiasa.ac.at
Mon Dec 25 17:08:35 UTC 2017


Dear Philippe,

Thanks for your reply.

> - and, always in DHCPD.conf, set that only in the subnet you want.

Of course, but this does not prevent a client from taking a name which is already in use in another protected network.
The name of the client comes from the client itself and not from the DHCP server.

> the interim style uses for each A record a TXT record to ensure that 'static' DNS entries are not overwritten by dynamic (DHCP) clients.

Ah. This would be great if it works.
I have to test it. I will report back to you, but after New Year.


Kind regards
Hans 



> On 20.12.2017, at 21:13, Philippe.Simonet at swisscom.com wrote:
> 
> Hi Hans
> 
> If you can afford it, use the ISC DHCP server DDNS method:
> 
> - only the DHCP server is allowed to update the DNS server (forward / reverse zone); protect NSUPDATE with an ACL, or better, TSIG
> - in dhcpd.conf : 
> 	ddns-updates           on;
> 	ddns-update-style      interim;
> 	ignore                 client-updates;
> - and, always in DHCPD.conf, set that only in the subnet you want.
> 
> the interim style uses for each A record a TXT record to ensure that 'static' DNS entries are not overwritten by dynamic (DHCP) clients.
> 
> http://www.zytrax.com/books/dns/ch9/dhcp.html
> 
> 
> Philippe
> 
> 
>> -----Original Message-----
>> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of
>> MAYER Hans
>> Sent: Wednesday, December 20, 2017 2:27 PM
>> To: bind-users at isc.org
>> Subject: Re: DDNS - limitation and excluding updates from certain networks
>> 
>> 
>> Dear Mukund,
>> 
>> Many thanks for coming back.
>> 
>>> You'll have to explain what you mean better for a more specific answer,
>>> but see the manual for the "allow-update" ACL config option
>> 
>> In my zone configuration I have an “allow-update” statement.
>> Here I define all networks which are allowed to dynamically update the DNS
>> entries.
>> 
>> But my zone contains other IP addresses too, not only those of the PCs.
>> These are static names/addresses which are seldom changed.
>> 
>> And of course the complete zone is a dynamic zone.
>> 
>> And I don't want these static names to be changeable by someone from
>> an IP range where it is allowed.
>> I didn't find any hint on how to block certain IP ranges from being updated within a
>> dynamic zone.
>> 
>> Hopefully this explains my question a little bit better.
>> 
>> 
>> // Hans
>> 
>> 
>> 
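As an added example (not from this thread, ISC's documentation, or the linked zytrax page), here is how the setup Philippe describes can be expressed in the two configuration files: the zone's allow-update no longer lists client networks by IP range but accepts only updates signed with a TSIG key held by the DHCP server, dhcpd uses the interim style and ignores client-supplied updates, and DDNS is enabled only in the subnet where it is wanted. The key name, secret, zone names, addresses and file paths are constructed placeholders.

```conf
# --- named.conf (BIND) -- constructed example, all values are placeholders ---
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-KEY==";   # generate a real one with tsig-keygen
};

zone "example.internal" {
    type master;
    file "dynamic/example.internal.db";
    # Only the holder of the TSIG key (the DHCP server) may update the zone.
    # No source-address ACL: clients cannot update records themselves.
    allow-update { key "dhcp-update"; };
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "dynamic/192.168.1.rev";
    allow-update { key "dhcp-update"; };
};

# --- dhcpd.conf (ISC DHCP) -- same constructed values ---
ddns-updates          on;
ddns-update-style     interim;   # each A record gets a TXT record tied to the client identity;
                                 # a name whose TXT record does not match is not overwritten
ignore client-updates;           # clients may not register their own names; dhcpd does it

key "dhcp-update" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-KEY==";   # same secret as in named.conf
};

zone example.internal. {
    primary 192.168.1.53;           # placeholder address of the BIND server
    key dhcp-update;
}
zone 1.168.192.in-addr.arpa. {
    primary 192.168.1.53;
    key dhcp-update;
}

# DDNS only for the PC subnet: ddns-domainname is set here, not globally.
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    ddns-domainname "example.internal.";
}

# A subnet whose leases are never registered in DNS.
subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.100 192.168.2.200;
    ddns-updates off;
}
```

Static records that were never created by dhcpd have no matching TXT record, so the interim-style prerequisite check refuses to replace them; whether this is enough for the situation in the thread is what Hans says he still has to test.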


