Classifying clients based on FQDN in option 81

VithalPrasad Gaitonde gvithal at gmail.com
Wed Feb 27 18:43:02 UTC 2013


Thanks for all the responses.
You are right; the problem, as you pointed out, is that the client is not
guaranteed to send the FQDN option (81) in the DISCOVER message or in
the INFORM message, as per RFC 4702.
At a more detailed level the problem here is:
Let's say I have a class for example.com and use that to assign IPs from a
specific IP address range. A client comes in which does not send FQDN in
DISCOVER but sends one in REQUEST. Based on the DISCOVER, the server
sends an OFFER with an IP address from a general IP range (not class
specific). The client now sends a REQUEST for the offered IP and also
includes the FQDN mycomputer.example.com. Now, since the client is not
entitled to the offered IP based on the server's configuration to
assign class-specific IPs, the server will need to send a NAK (as per RFC
2131) since it cannot ACK the requested IP address in the client REQUEST.
This causes the client to restart DORA. The client is now stuck in a loop
continuously attempting DORA.
Is there a way around this?

However, assigning options for a class of clients based on FQDN should
still be possible IMO, since the options sent by the server can change between
OFFER and ACK. The client is expected to use the options sent in the ACK.
Correct?

Thanks,
Prasad
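
Glenn's suggestion above is to capture packets and check whether a client actually sends option 81 in DISCOVER, and Prasad's loop arises precisely when it is absent from DISCOVER but present in REQUEST. The following decoder is an added example, not code from the thread or from ISC: it parses the DHCPv4 option list of a captured message, decodes option 81 in both RFC 4702 encodings (ASCII and, when the E flag is set, DNS wire-format labels), and reports the message type together with the domain part that `option fqdn.domainname` would match on. The sample packets it builds are constructed, not captured.

```python
"""Added example: decode DHCPv4 options and report whether option 81 (Client FQDN,
RFC 4702) is present, so DISCOVER and REQUEST from one client can be compared."""
from typing import Optional

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie that follows the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}

def parse_options(payload: bytes) -> dict:
    """Return {code: value} for the TLV options; split occurrences are concatenated."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCPv4 message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, single byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option %d" % code)
        length = payload[i + 1]
        opts[code] = opts.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def decode_fqdn(value: bytes) -> dict:
    """Option 81 = flags, rcode1, rcode2, name; E flag (0x04) means DNS wire format, else ASCII."""
    if len(value) < 3:
        raise ValueError("option 81 too short")
    flags, raw = value[0], value[3:]
    if flags & 0x04:
        labels, i = [], 0
        while i < len(raw) and raw[i] != 0:
            n = raw[i]
            labels.append(raw[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        name = ".".join(labels)
    else:
        name = raw.decode("ascii").rstrip(".")
    domain = name.split(".", 1)[1] if "." in name else ""   # what fqdn.domainname sees
    return {"flags": flags, "name": name, "domain": domain}

def summarize(payload: bytes) -> dict:
    """Message type plus decoded FQDN (None when the client omitted option 81)."""
    opts = parse_options(payload)
    mtype = MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN")
    return {"type": mtype, "fqdn": decode_fqdn(opts[81]) if 81 in opts else None}

def build(mtype: int, fqdn: Optional[bytes] = None) -> bytes:
    """Constructed sample: zeroed BOOTP header, cookie, option 53, optional option 81, end."""
    body = bytes([53, 1, mtype]) + (bytes([81, len(fqdn)]) + fqdn if fqdn is not None else b"")
    return bytes(236) + MAGIC + body + b"\xff"
```

Feed `summarize()` the UDP payloads of a real capture and group the results by client hardware address; a client whose DISCOVER reports `fqdn: None` while its REQUEST reports `domain: "example.com"` is exactly the case the class match cannot see at OFFER time.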

On Wed, Feb 27, 2013 at 8:18 PM, Sten Carlsen <stenc at s-carlsen.dk> wrote:

>
> On 27/02/13 14:31, Glenn Satchell wrote:
>
> In terms of the configuration language it is certainly possible.
>
> class "example-com" {
>     match if option fqdn.domainname = "example.com";
> }
>
> However, you may need to do a simple packet capture to check that your
> clients actually send that option in the DHCPDISCOVER packet. If it isn't
> there then the server can't make the decision about what to offer.
>
> You could have a pool for non class members only. That might be easier to
> pick up then.
>
>  regards,
> -glenn
>
> On Wed, February 27, 2013 8:50 pm, Niall O'Reilly wrote:
>
> On 27 Feb 2013, at 02:24, VithalPrasad Gaitonde wrote:
>
>
> Can one configure the ISC DHCP server to define class(es) of clients
> based on the DNS domain sent in option 81 by the client.
>
> 	I haven't tried that, but I'd be surprised if it couldn't be done;
> 	the man pages for dhcpd.conf and dhcp-eval seem to contain the
> 	information you need.
>
> 	That said, I would ask two more basic questions:
>
>     1.	Can one depend on the client to set option 81?
>     2.	Can one trust the client not to spoof a "more attractive" DNS
> 	domain name than the "legitimate" one?
>
> 	Good luck!
>
>
> Can you then use this class to set options and specific IP range for
> such a class of clients.
>
> 	Surely.
>
> 	IHTH
> 	Niall O'Reilly
>
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
>
>
> --
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>
>        "MALE BOVINE MANURE!!!"
>
>