Using isc dhcpd to only update reverse DNS zone for selected hosts
Kristian Pedersen
kristian.pedersen at vejen-net.dk
Sat Nov 5 21:09:29 UTC 2011
Hi list,
I have an isc dhcpd setup serving docsis cable modems with built-in
router function. The routers are assigned dynamic public IPs from a
pool. I use ISC to create nice forward and reverse DDNS entries for
routers, such as:
rg<mac>.cm.example.com A 123.x.x.8
and
8.x.x.123 PTR rg<mac>.cm.example.com
This all works fine, but I would like to expand my setup a bit, so I can
have selected routers set up with just reverse DNS entries pointing to
external domains. The scenario is my customers are asking if they can
have a custom reverse DNS entry for their router, and they will
themselves do the forward dns setup in their own DNS. So in essence,
they just want me to do:
8.x.x.123 PTR <whatever.privatedomain.com>
Below are the parts of my config I think are essential. To begin with I
changed the dynamic ddns-hostname I generate from the router MAC, so it
grabs the hostname from the host section, if it exists:
ddns-hostname = pick-first-value (ddns-hostname, concat("rg", macadr));
I then added specific ddns-hostname and ddns-domainname within the host
config for a test device:
host whatever {
    hardware ethernet 11:22:33:44:55:66;
    fixed-address 123.x.x.8;
    ddns-hostname "whatever";
    ddns-domainname "privatedomain.com";
}
It's trying to update but times out on the forward record for
whatever.privatedomain.com, which makes sense since I have no key for
the domain. If I set ddns-domainname to my own "cm.example.com", then it
will correctly add whatever.cm.example.com, so it is matching the host
config correctly. I then tried adding "do-forward-updates off;" for the
host, but it seems to turn off reverse DNS updates as well, which seems
to match the manual page for dhcpd.conf:
"If this statement is used to disable forward updates, the DHCP
server will never attempt to update the client's A record, and will
only ever attempt to update the client's PTR record if the client
supplies an FQDN that should be placed in the PTR record using the fqdn
option."
However, my modems won't add an FQDN option .. and even if they did, I
would rather not trust any option coming from a device; I would like it
to use the settings from the host configuration. I tried adding
something like option fqdn.fqdn "whatever.privatedomain.com"; to the
host config but could not get it to work.
I hope I am missing some simple option :) I guess I could fool it by
creating a dummy dns-server with forward-zones matching my customers
private domains, but it seems like quite an ugly hack ..
Here's what I think is important from my current config:
# Global DDNS settings
ddns-update-style interim;
ignore client-updates;
ddns-updates off;
update-static-leases on;
update-conflict-detection off;
use-host-decl-names on;
ddns-domainname "cm.example.com";

# DNS update key
key dhcp-key {
    algorithm hmac-md5;
    secret "<key>";
}

# DNS zones
zone cm.example.com. { primary <ip>; key dhcp-key; }
zone x.x.123.in-addr.arpa. { primary <ip>; key dhcp-key; }

# Build the client MAC address as 12 hex digits, zero-padding each octet
# (offsets 1..6 skip the hardware-type byte at the front of "hardware")
set macadr = concat(
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware, 1, 1))), 2),
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware, 2, 1))), 2),
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware, 3, 1))), 2),
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware, 4, 1))), 2),
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware, 5, 1))), 2),
    suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware, 6, 1))), 2)
);

# Shared networks behind docsis CMTS
shared-network klient-lan {
    # Match docsis routers
    class "docsis-rg" {
        match if substring(option vendor-class-identifier, 0, 6) = "RG 1.0";
    }

    # IP network for docsis routers
    subnet 123.x.x.0 netmask 255.255.255.0 {
        authoritative;
        option subnet-mask 255.255.255.0;
        option broadcast-address 123.x.x.255;
        option routers 123.x.x.1;
        ddns-updates on;
        ddns-hostname = pick-first-value (ddns-hostname, concat("rg", macadr));
        pool {
            failover peer "cm";
            allow members of "docsis-rg";
            range 123.x.x.50 123.x.x.254;
        }
    }
}

host whatever {
    hardware ethernet 11:22:33:44:55:66;
    fixed-address 123.x.x.8;
    ddns-hostname "whatever";
    ddns-domainname "privatedomain.com";
    do-forward-updates off;
}
Regards,
Kristian
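An added example, not from the post and not ISC code: the same pick-first-value naming logic in Python, planning only the records for which a key is configured, so a host with a customer domain gets its PTR while the forward update that would time out is never attempted. All names and addresses are constructed (192.0.2.0/24 stands in for the masked 123.x.x.0/24, and the nsupdate server address is a placeholder).

```python
from dataclasses import dataclass
from typing import Optional

# Zones dhcpd holds a TSIG key for (the `zone` statements in the config).
# 192.0.2.0/24 stands in for the masked 123.x.x.0/24 of the post.
OUR_ZONES = {"cm.example.com", "2.0.192.in-addr.arpa"}
DEFAULT_DOMAIN = "cm.example.com"          # global ddns-domainname

@dataclass
class Host:
    mac: bytes                              # the 6 address bytes of `hardware`
    ip: str                                 # fixed-address or leased address
    ddns_hostname: Optional[str] = None     # host-declaration override, if any
    ddns_domainname: Optional[str] = None   # host-declaration override, if any

def macadr(mac: bytes) -> str:
    """Zero-padded lowercase hex, what the `set macadr = ...` expression builds."""
    return "".join(f"{b:02x}" for b in mac)

def reverse_name(ip: str) -> str:
    """PTR owner name for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def zone_for(name: str) -> Optional[str]:
    """Longest configured zone containing `name`, or None when we hold no key."""
    hits = [z for z in OUR_ZONES if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None

def plan_updates(h: Host) -> list[tuple[str, str, str]]:
    """(rtype, owner, rdata) for every record the server can actually update.
    The A record is skipped when the forward zone is not ours, instead of being
    attempted and timing out; the PTR still goes in when the reverse zone is ours."""
    hostname = h.ddns_hostname or "rg" + macadr(h.mac)   # pick-first-value
    fqdn = f"{hostname}.{h.ddns_domainname or DEFAULT_DOMAIN}"
    plan = []
    if zone_for(fqdn):
        plan.append(("A", fqdn, h.ip))
    ptr_owner = reverse_name(h.ip)
    if zone_for(ptr_owner):
        plan.append(("PTR", ptr_owner, fqdn))
    return plan

def nsupdate_script(h: Host, server: str = "192.0.2.53") -> str:
    """Render the plan as input for `nsupdate -k <keyfile>` (server is a placeholder)."""
    lines = [f"server {server}"]
    for rtype, owner, rdata in plan_updates(h):
        rdata = rdata + "." if rtype == "PTR" else rdata
        lines.append(f"update add {owner}. 3600 {rtype} {rdata}")
    return "\n".join(lines + ["send"])
```

A PTR pointing into a zone the operator does not control is only forward-confirmed once the customer publishes the matching A record, which is worth verifying with a lookup before and after enabling such a host.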