DHCP - DDNS Update

Jeremey Wise jerewis at cdw.com
Tue Apr 25 15:47:35 UTC 2023


Greetings, and sorry up front for the large email. But I am joining this forum and wanted to be comprehensive in my posting.  I googled around and it seems I am not the only one with questions on how to do this task, as things have changed with certs and updates.  Hopefully this email is formatted in a way that makes it easy for others to review and toss out ideas / links to where I can RTFM.

I am being tasked to help out with a POC / Demo lab.  It is a pair of VMs, running Ubuntu 22.04 fully updated / patched.

###
dnsuser at ps-dns-01:~$  named -v
BIND 9.18.12-0ubuntu0.22.04.1-Ubuntu (Extended Support Version) <id:>
dnsuser at ps-dns-01:~$ apt list |grep dhcp

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

dhcp-helper/jammy 1.2-3 amd64
dhcp-probe/jammy 1.3.0-10.1build2 amd64
dhcpcanon/jammy 0.8.5-2 all
dhcpcd-dbus/jammy 0.6.1-2 amd64
dhcpcd-gtk/jammy 0.7.8-1 amd64
dhcpcd5/jammy 7.1.0-2build1 amd64
dhcpd-pools/jammy 2.29-1.1 amd64
dhcpdump/jammy 1.8-2.2 amd64
dhcpig/jammy 1.5-3 all
dhcping/jammy 1.2-5 amd64
dhcpoptinj/jammy 0.5.3-1 amd64
dhcpstarv/jammy 0.2.2-2 amd64
dhcpy6d/jammy 1.0.7-1 all
freeradius-dhcp/jammy-updates,jammy-security 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1 amd64
fusiondirectory-plugin-dhcp-schema/jammy 1.3-4build1 all
fusiondirectory-plugin-dhcp/jammy 1.3-4build1 all
golang-github-d2g-dhcp4-dev/jammy 0.0~git20150413-3 all
golang-github-d2g-dhcp4client-dev/jammy 1.0.0-2 all
golang-github-insomniacslk-dhcp-dev/jammy 0.0~git20200621.d74cd86-1 all
golang-github-mdlayher-dhcp6-dev/jammy 0.0~git20190311.2a67805-2 all
gosa-plugin-dhcp-schema/jammy 2.7.4+reloaded3-16build1 all
gosa-plugin-dhcp/jammy 2.7.4+reloaded3-16build1 all
isc-dhcp-client-ddns/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
isc-dhcp-client/jammy-updates,now 4.4.1-2.3ubuntu2.4 amd64 [installed,automatic]
isc-dhcp-common/jammy-updates,now 4.4.1-2.3ubuntu2.4 amd64 [installed,automatic]
isc-dhcp-dev/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
isc-dhcp-relay/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
isc-dhcp-server-ldap/jammy-updates 4.4.1-2.3ubuntu2.4 amd64
isc-dhcp-server/jammy-updates,now 4.4.1-2.3ubuntu2.4 amd64 [installed]
kea-dhcp-ddns-server/jammy 2.0.2-1 amd64
kea-dhcp4-server/jammy 2.0.2-1 amd64
kea-dhcp6-server/jammy 2.0.2-1 amd64
libnet-dhcp-perl/jammy 0.696+dfsg-1 all
libnet-dhcpv6-duid-parser-perl/jammy 1.01-2.1 all
librust-dhcp4r-dev/jammy 0.2.0-1 amd64
libtext-dhcpleases-perl/jammy 1.0-2.1 all
neutron-dhcp-agent/jammy-updates 2:20.2.0-0ubuntu1 all
opendrim-lmp-dhcp/jammy 1.0.0-0ubuntu2 amd64
python3-isc-dhcp-leases/jammy 0.9.1-2 all
udhcpc/jammy 1:1.30.1-7ubuntu3 amd64
udhcpd/jammy 1:1.30.1-7ubuntu3 amd64
wide-dhcpv6-client/jammy 20080615-23build1 amd64
wide-dhcpv6-relay/jammy 20080615-23build1 amd64
wide-dhcpv6-server/jammy 20080615-23build1 amd64
dnsuser at ps-dns-01:~$
###


Goal:

  1.  HA DNS and DHCP (failover / fail back)
  2.  DDNS updates from registered DHCP clients for PTR and A records (ipv4 only for now)

Issues:

  1.  Getting flooded in /var/log/syslog, every update:

###
Apr 25 14:51:34 ps-dns-02 dhcpd[202599]: DHCPACK on 10.89.132.129 to 00:50:56:97:2b:f7 (op-web2) via 10.89.132.1
Apr 25 14:51:34 ps-dns-02 dhcpd[202599]: bind update on 10.89.132.129 from dhcpfailover rejected: incoming update is less critical than outgoing update
Apr 25 14:51:34 ps-dns-02 dhcpd[202599]: Unable to add forward map from op-web2.ps.labs.local to 10.89.132.129: REFUSED
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPREQUEST for 10.89.132.130 from 00:50:56:97:df:98 (easytravel) via ens160
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPACK on 10.89.132.130 to 00:50:56:97:df:98 (easytravel) via ens160
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPREQUEST for 10.89.132.130 from 00:50:56:97:df:98 (easytravel) via 10.89.132.1
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: DHCPACK on 10.89.132.130 to 00:50:56:97:df:98 (easytravel) via 10.89.132.1
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: bind update on 10.89.132.130 from dhcpfailover rejected: incoming update is less critical than outgoing update
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: bind update on 10.89.132.130 from dhcpfailover rejected: incoming update is less critical than outgoing update
Apr 25 14:51:35 ps-dns-02 dhcpd[202599]: Unable to add forward map from easytravel.ps.labs.local to 10.89.132.130: REFUSED
Apr 25 14:51:38 ps-dns-02 named[184617]: client @0x7f20082400b8 10.89.132.90#50112 (mdbrtr-cisco-assist-00-ps-labs-local-svc): query (cache) 'mdbrtr-cisco-assist-00-ps-labs-local-svc/AAAA/IN' denied (allow-query-cache did not match)
Apr 25 14:51:39 ps-dns-02 dhcpd[202599]: reuse_lease: lease age 122 (secs) under 25% threshold, reply with unaltered, existing lease for 10.89.135.132
Apr 25 14:51:39 ps-dns-02 dhcpd[202599]: DHCPREQUEST for 10.89.135.132 from 00:50:56:8b:a5:85 via ens160
###
A similar posting was made, with a note that this would require a configuration file review for what was / is misconfigured:  https://dhcp-users.isc.narkive.com/KngCfNx3/rejected-incoming-update-is-less-critical-than-outgoing-update

As such, below is a sample of the zone and DHCP / DNS configuration.

I read through the document  https://kb.isc.org/docs/aa-01588   but did not see where there is a misconfiguration in my configurations.


 cat /etc/dhcp/dhcpd.conf

ps-dns-01:
# option definitions common to all supported networks...
option domain-name "ps.labs.local";
option domain-search "ps.labs.local";
option domain-name-servers 10.89.100.152, 10.89.100.153;
option time-offset -6;
option ntp-servers 10.89.66.1;
option time-servers 10.89.66.1;
#ddns-domainname "ps.labs.local";
default-lease-time 600;
max-lease-time 7200;


# Failover declaration
failover peer "dhcpfailover" {
        primary;        # primary server declaration
        address 10.89.100.152;
        port 647;
        peer address 10.89.100.153;
    peer port 647;
    max-response-delay 60;
    max-unacked-updates 10;
    mclt 3600;
    split 128;
    load balance max seconds 3;
}


key pslabslocal {
        secret cHNsYWJzbG9jYWw=;
        algorithm hmac-md5;
        }

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style standard;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology. This is for local NIC listening to dhcp broadcasts.
subnet 10.89.100.0 netmask 255.255.255.0 {
}

# ps_labs_local_infrastructure
subnet 10.89.128.0 netmask 255.255.255.0 {
}

# hx06 dynamic
subnet 10.89.130.0 netmask 255.255.255.0 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.130.1;
    pool {
        failover peer "dhcpfailover";
        range 10.89.130.10 10.89.130.254;
    }
}

# hx07 dynamic
subnet 10.89.132.0 netmask 255.255.255.0 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.132.1;
    pool {
        failover peer "dhcpfailover";
        range 10.89.132.10 10.89.132.254;
    }
}

# UCSX dynamic
subnet 10.89.134.0 netmask 255.255.255.0 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.134.1;
    pool {
        failover peer "dhcpfailover";
        range 10.89.134.10 10.89.134.254;
    }
}

# The following three network are for Tanzu work in hx06
# Update 20221004 by JW.  Data is all static as is mgmt.  Workload is all DHCP
# subnet 10.89.135.0 netmask 255.255.255.224

# k8s-tz-data-hx06 dynamic
subnet 10.89.135.0 netmask 255.255.255.224 {
        option domain-name-servers 10.89.100.152;
        option routers 10.89.135.1;
        pool {
                failover peer "dhcpfailover";
                range 10.89.135.2 10.89.135.30;
                }
        }

# k8s-tz-workload-hx06 dynamic
subnet 10.89.135.32 netmask 255.255.255.224 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.135.33;
    pool {
        failover peer "dhcpfailover";
        range 10.89.135.34 10.89.135.63;
    }
}

# k8s-tz-mgmt-hx06 dynamic
subnet 10.89.135.64 netmask 255.255.255.224 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.135.65;
    pool {
        failover peer "dhcpfailover";
        range 10.89.135.66 10.89.135.94;
    }
}

# k8s-ocp-data-hx06
subnet 10.89.135.96 netmask 255.255.255.224 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.135.97;
    pool {
        failover peer "dhcpfailover";
        range 10.89.135.98 10.89.135.126;
    }
}

# k8s-ocp-workload-hx06
subnet 10.89.135.128 netmask 255.255.255.224 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.135.129;
    pool {
        failover peer "dhcpfailover";
        range 10.89.135.130 10.89.135.158;
    }
}

# k8s-rke-mgmt-hx06
subnet 10.89.135.160 netmask 255.255.255.224 {
        option domain-name-servers 10.89.100.152;
        option routers 10.89.135.161;
        pool {
                failover peer "dhcpfailover";
                range 10.89.135.162 10.89.135.190;
                }
        # ocpbastion
        host ocpbastion {
                hardware ethernet 00:50:56:8b:db:a4;
                fixed-address 10.89.135.190;
                }
        }

# k8s-rke-data-hx06
subnet 10.89.135.192 netmask 255.255.255.224 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.135.193;
    pool {
        failover peer "dhcpfailover";
        range 10.89.135.194 10.89.135.222;
    }
}

# k8s-rke-workload-hx06
subnet 10.89.135.224 netmask 255.255.255.224 {
    option domain-name-servers 10.89.100.225;
    option routers 10.89.135.193;
    pool {
        failover peer "dhcpfailover";
        range 10.89.135.226 10.89.135.253;
    }
}


# Host reservations
    host tanzuprod-service-control-plane-bbwwb {
        hardware ethernet 00:50:56:8b:71:bf;
        fixed-address 10.89.135.48;
    }
<snip>
    host tanzuprod-workload-control-plane-zvm6t {
        hardware ethernet 00:50:56:8b:75:83;
        fixed-address 10.89.135.50;
    }

# DV Presales Lab
zone ps.labs.local. {
        primary 10.89.100.152;
        key pslabslocal;
        }

ps-dns-02:

# option definitions common to all supported networks...
option domain-name "ps.labs.local";
option domain-search "ps.labs.local";
option domain-name-servers 10.89.100.152, 10.89.100.153;
option time-offset -6;
option ntp-servers 10.89.66.1;
option time-servers 10.89.66.1;
#ddns-domainname "ps.labs.local";
default-lease-time 600;
max-lease-time 7200;


# Failover declaration
failover peer "dhcpfailover" {
        secondary;      # secondary server declaration
        address 10.89.100.153;
        port 647;
        peer address 10.89.100.152;
    peer port 647;
    max-response-delay 60;
    max-unacked-updates 10;
    load balance max seconds 3;
}


key pslabslocal {
        secret cHNsYWJzbG9jYWw=;
        algorithm hmac-md5;
        }

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style standard;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology. This is for local NIC listening to dhcp broadcasts.
subnet 10.89.100.0 netmask 255.255.255.0 {
}

# ps_labs_local_infrastructure
subnet 10.89.128.0 netmask 255.255.255.0 {
}

# hx06 dynamic
subnet 10.89.130.0 netmask 255.255.255.0 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.130.1;
    pool {
        failover peer "dhcpfailover";
        range 10.89.130.10 10.89.130.254;
    }
}

# hx07 dynamic
subnet 10.89.132.0 netmask 255.255.255.0 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.132.1;
    pool {
        failover peer "dhcpfailover";
        range 10.89.132.10 10.89.132.254;
    }
}

# UCSX dynamic
subnet 10.89.134.0 netmask 255.255.255.0 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.134.1;
    pool {
        failover peer "dhcpfailover";
        range 10.89.134.10 10.89.134.254;
    }
}

# The following three network are for Tanzu work in hx06
# Update 20221004 by JW.  Data is all static as is mgmt.  Workload is all DHCP
# subnet 10.89.135.0 netmask 255.255.255.224

# k8s-tz-data-hx06 dynamic
subnet 10.89.135.0 netmask 255.255.255.224 {
        ddns-updates on;
        option domain-name-servers 10.89.100.152;
        option routers 10.89.135.1;
        pool {
                failover peer "dhcpfailover";
                range 10.89.135.2 10.89.135.30;
                }
        }

# k8s-tz-workload-hx06 dynamic
subnet 10.89.135.32 netmask 255.255.255.224 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.135.33;
    pool {
        failover peer "dhcpfailover";
        range 10.89.135.34 10.89.135.63;
    }
}

# k8s-tz-mgmt-hx06 dynamic
subnet 10.89.135.64 netmask 255.255.255.224 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.135.65;
    pool {
        failover peer "dhcpfailover";
        range 10.89.135.66 10.89.135.94;
    }
}

# k8s-ocp-data-hx06
subnet 10.89.135.96 netmask 255.255.255.224 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.135.97;
    pool {
        failover peer "dhcpfailover";
        range 10.89.135.98 10.89.135.126;
    }
}

# k8s-ocp-workload-hx06
subnet 10.89.135.128 netmask 255.255.255.224 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.135.129;
    pool {
        failover peer "dhcpfailover";
        range 10.89.135.130 10.89.135.158;
    }
}

# k8s-rke-mgmt-hx06
subnet 10.89.135.160 netmask 255.255.255.224 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.135.161;
    pool {
        failover peer "dhcpfailover";
        range 10.89.135.162 10.89.135.190;
    }
}

# k8s-rke-data-hx06
subnet 10.89.135.192 netmask 255.255.255.224 {
    option domain-name-servers 10.89.100.152;
    option routers 10.89.135.193;
    pool {
        failover peer "dhcpfailover";
        range 10.89.135.194 10.89.135.222;
    }
}

# k8s-rke-workload-hx06
subnet 10.89.135.224 netmask 255.255.255.224 {
    option domain-name-servers 10.89.100.225;
    option routers 10.89.135.193;
    pool {
        failover peer "dhcpfailover";
        range 10.89.135.226 10.89.135.253;
    }
}

# Host reservations
    host tanzuprod-service-control-plane-bbwwb {
        hardware ethernet 00:50:56:8b:71:bf;
        fixed-address 10.89.135.48;
    }
<snip>
    host tanzuprod-workload-control-plane-zvm6t {
        hardware ethernet 00:50:56:8b:75:83;
        fixed-address 10.89.135.50;
    }

# DV Presales Lab
zone ps.labs.local. {
        primary 10.89.100.152;
        key pslabslocal;
        }
dnsuser at ps-dns-02:~$




DDNS

cat /etc/bind/named.conf

ps-dns-01:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
server 10.89.9.10 {
        };
server 10.89.9.107 {
        };
key pslabslocal {
        algorithm hmac-md5;
        secret "c<snip>w=";
        };

ps-dns-02:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
key pslabslocal {
        algorithm hmac-md5;
        secret "c<snip>w=";
        };
server 10.89.100.153 {
        transfer-format many-answers;
        keys {
                pslabslocal;
                };
        };

ps-dns-01: "/etc/bind/named.conf.options"
        listen-on-v6 { any; };
        forwarders {
                10.89.9.10;
                10.89.9.107;
                };
        recursion yes;
        allow-query {
                any;
                };
        allow-recursion {
                any;
                };
};
ps-dns-02: "/etc/bind/named.conf.options"
options {
        directory "/var/cache/bind";


        listen-on-v6 { any; };
};
ps-dns-01: "/etc/bind/named.conf.local"
zone "ps.labs.local" {
        type master;
        file "/var/lib/bind/ps.labs.local.hosts";
        also-notify {
                10.89.100.153;
                };
        allow-transfer {
                10.89.100.153;
                };
        };
zone "128.89.10.in-addr.arpa" {
        type master;
        file "/var/lib/bind/10.89.128.rev";
        also-notify {
                10.89.100.153;
                };
        allow-transfer {
                10.89.100.153;
                };
        };
zone "129.89.10.in-addr.arpa" {
        type master;
        file "/var/lib/bind/10.89.129.rev";
        also-notify {
                10.89.100.153;
                };
        allow-transfer {
                10.89.100.153;
                };
        };
<snip other zones but all structured same>
ps-dns-02: "/etc/bind/named.conf.local"
zone "130.89.10.in-addr.arpa" {
        type slave;
        masters {
                10.89.100.152;
                };
        allow-transfer {
                10.89.100.152;
                };
        file "/var/lib/bind/10.89.130.rev";
        };
zone "ps.labs.local" {
        type slave;
        masters {
                10.89.100.152;
                };
        allow-transfer {
                10.89.100.152;
                };
        file "/var/lib/bind/ps.labs.local.hosts";
        };
zone "128.89.10.in-addr.arpa" {
        type slave;
        masters {
                10.89.100.152;
                };
        allow-transfer {
                10.89.100.152;
                };
        file "/var/lib/bind/10.89.128.rev";
        };
<snip other zones but all structured same>
ps-dns-01: "/etc/bind/named.conf.default-zones"

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
        also-notify {
                10.89.100.153;
                };
        allow-transfer {
                10.89.100.153;
                };
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
        also-notify {
                10.89.100.153;
                };
        allow-transfer {
                10.89.100.153;
                };
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
        also-notify {
                10.89.100.153;
                };
        allow-transfer {
                10.89.100.153;
                };
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
        also-notify {
                10.89.100.153;
                };
        allow-transfer {
                10.89.100.153;
                };
};



ps-dns-02: "/etc/bind/named.conf.default-zones"
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};



Questions:

  1.  What is misconfigured to get a flood of events about the DHCP cache?
  2.  Why are DHCP leases not pushing updates to DNS to create records (A and PTR)?
  3.  I see almost no logs as I boot up a test VM and get a lease, as to attempts to create records from DHCP to DNS. Where are the logs for these, to track down DDNS communication?
  4.  The DNS server on the replica is not a flat file but a binary hash replica. In the event of failover (e.g. ps-dns-01 goes offline), how would DHCP push DDNS record updates to the server?




Thanks,


Penguinpages
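An added configuration check, written for this post and not taken from it or from ISC, that applies two rules to excerpts constructed from the configs above: a BIND primary zone with neither `allow-update` nor `update-policy` answers REFUSED to every dynamic update (the "Unable to add forward map ... REFUSED" line), and a reverse zone with no matching `zone` statement in dhcpd.conf gets its PTR updates sent without the TSIG key. The function names, the excerpt strings and the `132.89.10.in-addr.arpa` zone with `allow-update` are the example's own.

```python
import ipaddress
import re

# Excerpts constructed from the configs posted above (ps-dns-01); not the full files.
# The reverse zone with allow-update is added here to show the passing case.
NAMED_CONF_LOCAL = '''
zone "ps.labs.local" {
        type master;
        file "/var/lib/bind/ps.labs.local.hosts";
        also-notify { 10.89.100.153; };
        allow-transfer { 10.89.100.153; };
        };
zone "132.89.10.in-addr.arpa" {
        type master;
        file "/var/lib/bind/10.89.132.rev";
        allow-update { key pslabslocal; };
        };
'''
DHCPD_CONF = '''
subnet 10.89.132.0 netmask 255.255.255.0 {
    pool { failover peer "dhcpfailover"; range 10.89.132.10 10.89.132.254; }
}
subnet 10.89.135.32 netmask 255.255.255.224 {
    pool { failover peer "dhcpfailover"; range 10.89.135.34 10.89.135.63; }
}
zone ps.labs.local. { primary 10.89.100.152; key pslabslocal; }
'''


def blocks(text, header_re):
    """Yield (captured header group, body) for each brace-delimited block,
    matching nested braces so 'also-notify { ... };' inside a zone is kept."""
    for m in re.finditer(header_re, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def bind_zones_refusing_updates(named_conf):
    """Primary zones with neither allow-update nor update-policy. BIND answers
    REFUSED to every dynamic update for such a zone, which dhcpd logs as
    'Unable to add forward map ... REFUSED'."""
    return [name for name, body in blocks(named_conf, r'zone\s+"([^"]+)"\s*\{')
            if re.search(r'\btype\s+(master|primary)\s*;', body)
            and not re.search(r'\b(allow-update|update-policy)\b', body)]


def reverse_zone_for(subnet):
    """Classful in-addr.arpa zone holding the PTRs for a subnet of /24 or longer."""
    o = str(ipaddress.ip_network(subnet).network_address).split('.')
    return f'{o[2]}.{o[1]}.{o[0]}.in-addr.arpa'


def dhcpd_zones_without_key(dhcpd_conf):
    """Reverse zones that dynamic pools will update but that have no matching
    'zone' statement in dhcpd.conf. dhcpd still sends those PTR updates, but
    without a TSIG key, so a key-protected BIND zone refuses them."""
    declared = {name.rstrip('.').lower()
                for name, _ in blocks(dhcpd_conf, r'zone\s+([^\s{]+)\s*\{')}
    needed = set()
    for hdr, body in blocks(dhcpd_conf, r'subnet\s+(\S+\s+netmask\s+\S+)\s*\{'):
        if 'range' in body:  # only subnets that actually hand out leases matter
            net, _, mask = hdr.split()
            needed.add(reverse_zone_for(f'{net}/{mask}'))
    return sorted(needed - declared)
```

The posted key also uses hmac-md5 with a secret that is just the base64 of its own name; `tsig-keygen` (shipped with BIND 9.18) produces a random hmac-sha256 key that both named.conf and dhcpd.conf can reference.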

