DHCP/DDNS Multi ddns domains

DHCP/DDNS Multi ddns domains

Ronald Roeleveld

Hi everyone,

I'm in the midst of setting up a new DHCP server with DDNS for static and dynamic clients.
For testing purposes I've tried a simple configuration for DHCP with DDNS and, after some troubles and searching online, all is working flawlessly.
DHCP is updating DNS after which DNS reloads and syncs with the secondary DNS server.

My problem starts when I try loading DHCP with a less simplistic configuration.

I would like the following configuration.

I want dynamic (unknown) clients to be assigned:
dynamic.domain.lan
range 192.168.178.65 192.168.178.126;

I would like static (known) clients to be assigned:
domain.lan
range 192.168.178.1 192.168.178.30;

To achieve this I'm using the following configuration file:

include "/etc/dhcp/ddns.key";

log-facility local7;

ping-check true;

shared-network dynamic-clients {
        subnet 192.168.178.64 netmask 255.255.255.192 {
                range 192.168.178.65 192.168.178.126;
                default-lease-time 3600;
                max-lease-time 7200;
                option ntp-servers 194.109.22.18, 194.109.20.18;
                option domain-name "dynamic.domain.lan";
                option domain-name-servers 192.168.178.24, 192.168.178.20;
                option routers 192.168.178.1;
                option subnet-mask 255.255.255.0;

                ddns-updates on;
                update-static-leases on;
                allow unknown-clients;
                use-host-decl-names on;
                ddns-update-style interim;
                authoritive;
                ddns-domainname "dynamic.domain.lan";
                ddns-rev-domainname "in-addr.arpa";

                zone 178.168.192.in-addr.arpa. {
                        primary 127.0.0.1;
                        key DDNS_UPDATE;
                }

                zone dynamic.domain.lan. {
                        primary 127.0.0.1;
                        key DDNS_UPDATE;
                }
        }
}

shared-network static-clients {
        subnet 192.168.178.0 netmask 255.255.255.224 {
                range 192.168.178.1 192.168.178.30;
                default-lease-time 3600;
                max-lease-time 7200;
                option ntp-servers 194.109.22.18, 194.109.20.18;
                option domain-name "domain.lan";
                option domain-name-servers 192.168.178.24, 192.168.178.20;
                option routers 192.168.178.1;
                option subnet-mask 255.255.255.0;

                ddns-updates on;
                update-static-leases on;
                deny unknown-clients;
                use-host-decl-names on;
                ddns-update-style interim;
                authoritive;
                ddns-domainname "domain.lan";
                ddns-rev-domainname "in-addr.arpa";

                zone ictinc.lan. {
                        primary 127.0.0.1;
                        key DDNS_UPDATE;
                }
        }

        host router1-lan {
                option host-name "router1.domain.lan";
                ddns-hostname "router1";
                hardware ethernet C0:25:06:5A:A8:02;
                fixed-address 192.168.178.1;
        }
        Etc. Etc.
}

Unfortunately, for some reason this configuration fails when DHCP tries to assign an IP address to an unknown (dynamic) client, with the following error:

Jul 11 05:19:53 rpi2 dhcpd: DHCPREQUEST for 192.168.178.101 from 00:e3:b2:e2:60:20 via eth0: ignored (not authoritative).
Jul 11 05:19:55 rpi2 dhcpd: DHCPREQUEST for 192.168.178.101 from 00:e3:b2:e2:60:20 via eth0: ignored (not authoritative).
Jul 11 05:19:57 rpi2 dhcpd: DHCPDISCOVER from 00:e3:b2:e2:60:20 via eth0: unknown client
Jul 11 05:20:01 rpi2 dhcpd: DHCPDISCOVER from 00:e3:b2:e2:60:20 via eth0: unknown client
Jul 11 05:20:10 rpi2 dhcpd: DHCPDISCOVER from 00:e3:b2:e2:60:20 via eth0: unknown client
Jul 11 05:20:26 rpi2 dhcpd: DHCPREQUEST for 192.168.178.101 from 00:e3:b2:e2:60:20 via eth0: ignored (not authoritative).
Jul 11 05:20:29 rpi2 dhcpd: DHCPREQUEST for 192.168.178.101 from 00:e3:b2:e2:60:20 via eth0: ignored (not authoritative).
Jul 11 05:20:30 rpi2 dhcpd: DHCPDISCOVER from 00:e3:b2:e2:60:20 via eth0: unknown client

I hope someone could help me sort out what I'm doing wrong and what I could do to get this setup to work. I'm in no way an advanced DNS/DHCP user, but I'm no beginner either.

I've tried different searches and methods online for days on end now and I think it's time to ask help from the real pros, because I'm at a loss.

Thanks in advance for reading through this message and helping me out. I really appreciate any help or suggestions.

Best regards,

Ronald.


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
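The log excerpt in the post, read as a detection problem rather than a configuration problem. This is an added example (my code, not the poster's and not part of ISC dhcpd): a parser for dhcpd syslog lines in the format shown above, which groups outcomes per client MAC and reports the clients the server keeps turning away. The excerpt shows one pattern worth recognising on any dhcpd: DHCPREQUESTs for 192.168.178.101, an address inside the dynamic range, that a server not marked authoritative ignores instead of answering with a DHCPNAK, interleaved with DHCPDISCOVERs logged as coming from an unknown client and followed by no DHCPOFFER, so the client loops between the two. The same report flags an unregistered device repeatedly hitting a scope that denies unknown clients, or a pool that has run out of leases. The eight lines are copied from the post; the two lines for the router1 MAC are constructed to exercise the served path; the function names and outcome labels are this example's own.

```python
import re
from collections import Counter, defaultdict

# Syslog line as shown in the post; a "dhcpd[pid]:" tag is also accepted.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"dhcpd(?:\[\d+\])?: (?P<type>DHCP[A-Z]+) (?P<body>.*)$")
IP_RE = re.compile(r"\b(?:for|on) (\d{1,3}(?:\.\d{1,3}){3})\b")        # "for X" in requests, "on X" in offers/acks
MAC_RE = re.compile(r"\b(?:from|to) ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)
NOTE_RE = re.compile(r" via \S+: (.*?)\.?$")                            # dhcpd's reason after the interface name

REFUSALS = ("ignored-not-authoritative", "unknown-client", "no-free-leases")


def parse_line(line):
    """Fields of one dhcpd message line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m["body"]
    ip, mac, note = IP_RE.search(body), MAC_RE.search(body), NOTE_RE.search(body)
    return {"ts": m["ts"], "type": m["type"], "ip": ip and ip[1],
            "mac": mac and mac[1].lower(), "note": note and note[1]}


def classify(rec):
    """Outcome label for one record; the refusal strings are dhcpd's own log wording."""
    note = rec["note"] or ""
    if rec["type"] in ("DHCPOFFER", "DHCPACK"):
        return "served"
    if rec["type"] == "DHCPNAK":
        return "nak"
    if "not authoritative" in note:
        return "ignored-not-authoritative"
    if "unknown client" in note:
        return "unknown-client"
    if "no free leases" in note:
        return "no-free-leases"
    return "seen"


def summarize(lines):
    """Per client MAC: Counter of outcomes and the set of addresses involved."""
    out = defaultdict(lambda: {"events": Counter(), "addresses": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["mac"] is None:
            continue
        out[rec["mac"]]["events"][classify(rec)] += 1
        if rec["ip"]:
            out[rec["mac"]]["addresses"].add(rec["ip"])
    return dict(out)


def refused_clients(summary, min_refusals=3):
    """(mac, refusals) for clients refused at least min_refusals times and never served."""
    hits = []
    for mac, info in summary.items():
        refused = sum(info["events"][r] for r in REFUSALS)
        if refused >= min_refusals and info["events"]["served"] == 0:
            hits.append((mac, refused))
    return sorted(hits, key=lambda h: -h[1])


# The eight lines from the post, plus two constructed lines for a client that is served.
LOG_LINES = """\
Jul 11 05:19:53 rpi2 dhcpd: DHCPREQUEST for 192.168.178.101 from 00:e3:b2:e2:60:20 via eth0: ignored (not authoritative).
Jul 11 05:19:55 rpi2 dhcpd: DHCPREQUEST for 192.168.178.101 from 00:e3:b2:e2:60:20 via eth0: ignored (not authoritative).
Jul 11 05:19:57 rpi2 dhcpd: DHCPDISCOVER from 00:e3:b2:e2:60:20 via eth0: unknown client
Jul 11 05:20:01 rpi2 dhcpd: DHCPDISCOVER from 00:e3:b2:e2:60:20 via eth0: unknown client
Jul 11 05:20:10 rpi2 dhcpd: DHCPDISCOVER from 00:e3:b2:e2:60:20 via eth0: unknown client
Jul 11 05:20:26 rpi2 dhcpd: DHCPREQUEST for 192.168.178.101 from 00:e3:b2:e2:60:20 via eth0: ignored (not authoritative).
Jul 11 05:20:29 rpi2 dhcpd: DHCPREQUEST for 192.168.178.101 from 00:e3:b2:e2:60:20 via eth0: ignored (not authoritative).
Jul 11 05:20:30 rpi2 dhcpd: DHCPDISCOVER from 00:e3:b2:e2:60:20 via eth0: unknown client
Jul 11 05:21:02 rpi2 dhcpd: DHCPDISCOVER from c0:25:06:5a:a8:02 via eth0
Jul 11 05:21:02 rpi2 dhcpd: DHCPOFFER on 192.168.178.1 to c0:25:06:5a:a8:02 (router1) via eth0
""".splitlines()

if __name__ == "__main__":
    summary = summarize(LOG_LINES)
    for mac, refused in refused_clients(summary):
        info = summary[mac]
        print(f"{mac}: refused {refused}x {dict(info['events'])} addresses={sorted(info['addresses'])}")
```

Run as a script it prints the one refused client with its outcome counts; summarize() accepts any iterable of lines, so feeding it an open syslog file is the real-world call, and lines from other daemons are skipped.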

Re: DHCP/DDNS Multi ddns domains

Simon Hobson
Ronald Roeleveld <[hidden email]> wrote:

> My problem starts when I try loading DHCP with a less simplistic configuration.
>
> I would like the following configuration.
>
> I want dynamic (unknown) clients to be assigned;
> dynamic.domain.lan
> range 192.168.178.65 192.168.178.126;
>
> I would like static (known) clients to be assigned;
> domain.lan
> range 192.168.178.1 192.168.178.30;

That's OK - easy to do.
However, why are you splitting the subnet like that? Unless you physically separate the clients (by LAN or switch) it gives you no security whatsoever other than from the most technically illiterate attackers! Anyone can easily sniff network traffic and see what's going on, and they can easily assign themselves a static address to go and talk to the other devices.


> To achieve this I'm using the following configuration file;

Which is broken in several ways! You have put DNS zone declarations, and host declarations, within shared network (and possibly subnet) declarations. These are global in scope and should be declared as such, otherwise you get "interesting" inheritance issues.
Plus it's clear you have not understood what a shared-network is - you've declared one for each subnet, while you actually have only one for the physical network.

Try this (I've removed a few things for clarity; actually a lot of what you've put is not required):

option ntp-servers 194.109.22.18, 194.109.20.18;
option domain-name-servers 192.168.178.24, 192.168.178.20;shared-network 178 {
default-lease-time 3600;
max-lease-time 7200;
ddns-updates on;
update-static-leases on;
use-host-decl-names on;
ddns-update-style interim;
authoritative;
include "/etc/dhcp/ddns.key";
log-facility local7;
ping-check true;

zone 178.168.192.in-addr.arpa. {
  primary 127.0.0.1;
  key DDNS_UPDATE;
}

zone dynamic.domain.lan. {
  primary 127.0.0.1;
  key DDNS_UPDATE;
}

zone ictinc.lan. {
  primary 127.0.0.1;
  key DDNS_UPDATE;
}

subnet 192.168.178.0 netmask 255.255.255.128 {
  option routers 192.168.178.1;
  # Dynamic clients
  pool {
    allow unknown-clients;
    range 192.168.178.65 192.168.178.126;
    option domain-name "dynamic.domain.lan";
    ddns-domainname "dynamic.domain.lan";
  }

  # Static clients
  pool {
    deny unknown-clients;
    range 192.168.178.1 192.168.178.30;
    option domain-name "domain.lan";
    ddns-domainname "domain.lan";
  }
}

host router1-lan {
  option host-name "router1.domain.lan";
  ddns-hostname "router1";
  hardware ethernet C0:25:06:5A:A8:02;
  fixed-address 192.168.178.1;
}

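A configuration check for the mistakes named in the reply, as an added example (my code, not part of the thread and not ISC's): a brace-and-semicolon parser for dhcpd.conf plus checks for zone and host declarations nested inside shared-network or subnet scope, a shared-network holding a single subnet, and the misspelled statement "authoritive" (dhcpd reports a parse error and exits on a statement it does not know). Two cross-checks go beyond what the reply says: a ddns-domainname with no matching zone declaration, in which case dhcpd finds the zone's primary through an SOA lookup and sends that update unsigned, and a fixed-address that falls inside a range, which the pool allocator does not reserve. Run over a trimmed copy of the opening post's configuration it reports the nested zones and host, the single-subnet shared-networks and the typo. Run over a trimmed copy of the reply's configuration two findings remain: ddns-domainname "domain.lan" has no zone declaration (the forward zones declared are dynamic.domain.lan. and ictinc.lan.), and router1's fixed-address 192.168.178.1 sits inside the static pool's range 192.168.178.1-30. The finding codes and function names are this example's own; the parser strips "#" comments per line and does not follow include statements.

```python
import re
from ipaddress import IPv4Address

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3},?$")  # address token, optional list comma
TYPOS = {"authoritive": "authoritative"}  # dhcpd logs a parse error and exits on an unknown statement

class Node:  # one statement (the words before ';' or '{') and, for a block, its children
    def __init__(self, words, parent):
        self.words, self.parent, self.children = words, parent, []
    def scope(self):  # keywords of the enclosing blocks, outermost first; [] means global
        names, p = [], self.parent
        while p is not None and p.parent is not None:
            names.append(p.words[0])
            p = p.parent
        return names[::-1]

def parse(text):  # all Nodes in document order; include files are not followed
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())  # cut '#' comments per line
    root = cur = Node(["<root>"], None)
    nodes, words = [], []
    for tok in TOKEN_RE.findall(text):
        if tok == "}":
            if cur is root:
                raise ValueError("unbalanced '}'")
            cur, words = cur.parent, []
        elif tok in (";", "{"):
            if words:
                nodes.append(Node(words, cur))
                cur.children.append(nodes[-1])
                cur = nodes[-1] if tok == "{" else cur
            words = []
        else:
            words.append(tok)
    return nodes

def addresses(words):
    return [IPv4Address(w.rstrip(",")) for w in words if IPV4_RE.match(w)]

def lint(text):
    """(code, message) findings: in-place problems in config order, then two cross-checks."""
    findings, ranges, fixed, ddns_names, zones = [], [], [], set(), set()
    for n in parse(text):
        kw, where = n.words[0], " > ".join(n.scope()) or "global"
        if kw in TYPOS:
            findings.append(("typo", f"'{kw}' in {where} is not a dhcpd statement; use '{TYPOS[kw]}'"))
        elif kw == "zone":
            zones.add(n.words[1].rstrip("."))
            if n.scope():
                findings.append(("scope", f"zone {n.words[1]} declared in {where}; zone declarations are global"))
        elif kw == "host" and any(s != "group" for s in n.scope()):
            findings.append(("scope", f"host {n.words[1]} declared in {where}; it matches globally anyway but inherits that scope, so declare it globally"))
        elif kw == "shared-network" and sum(c.words[0] == "subnet" for c in n.children) < 2:
            findings.append(("shared-net", f"shared-network {n.words[1]} holds one subnet; it exists to tell dhcpd that several subnets share one physical segment"))
        elif kw == "range" and addresses(n.words[1:]):
            ranges.append((addresses(n.words[1:])[0], addresses(n.words[1:])[-1]))
        elif kw == "fixed-address":
            fixed += [(a, n.parent.words[-1]) for a in addresses(n.words[1:])]
        elif kw == "ddns-domainname":
            ddns_names.add(n.words[1].strip('"'))
    for name in sorted(ddns_names - zones):
        findings.append(("nozone", f'ddns-domainname "{name}" has no zone declaration: dhcpd would find the primary by SOA lookup and send that update unsigned'))
    for addr, host in fixed:
        for lo, hi in ranges:
            if lo <= addr <= hi:
                findings.append(("fixed-in-range", f"host {host}: fixed-address {addr} lies inside range {lo}-{hi}, which the pool does not reserve"))
    return findings

# Trimmed copy of the configuration in the opening post (options, lease times and reverse zone dropped).
BROKEN_CONF = """\
shared-network dynamic-clients {
  subnet 192.168.178.64 netmask 255.255.255.192 {
    range 192.168.178.65 192.168.178.126;  allow unknown-clients;  ddns-updates on;  authoritive;
    ddns-domainname "dynamic.domain.lan";  zone dynamic.domain.lan. { primary 127.0.0.1; key DDNS_UPDATE; }
  }
}
shared-network static-clients {
  subnet 192.168.178.0 netmask 255.255.255.224 {
    range 192.168.178.1 192.168.178.30;  deny unknown-clients;  ddns-updates on;  authoritive;
    ddns-domainname "domain.lan";  zone ictinc.lan. { primary 127.0.0.1; key DDNS_UPDATE; }
  }
  host router1-lan { hardware ethernet C0:25:06:5A:A8:02; fixed-address 192.168.178.1; }
}
"""
# Trimmed copy of the configuration in the reply (options, lease times and reverse zone dropped).
FIXED_CONF = """\
authoritative;  ddns-updates on;
zone dynamic.domain.lan. { primary 127.0.0.1; key DDNS_UPDATE; }
zone ictinc.lan. { primary 127.0.0.1; key DDNS_UPDATE; }
subnet 192.168.178.0 netmask 255.255.255.128 {
  pool { allow unknown-clients; range 192.168.178.65 192.168.178.126; ddns-domainname "dynamic.domain.lan"; }
  pool { deny unknown-clients;  range 192.168.178.1 192.168.178.30;   ddns-domainname "domain.lan"; }
}
host router1-lan { hardware ethernet C0:25:06:5A:A8:02; fixed-address 192.168.178.1; }
"""

if __name__ == "__main__":
    print(*[f"[{c}] {m}" for conf in (BROKEN_CONF, FIXED_CONF) for c, m in lint(conf)], sep="\n")
```

lint(open("/etc/dhcp/dhcpd.conf").read()) checks a real file; it complements, rather than replaces, dhcpd's own syntax check (dhcpd -t), which catches the typo but says nothing about scope, missing zones or fixed addresses inside a range.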

Re: DHCP/DDNS Multi ddns domains

Simon Hobson
Simon Hobson <[hidden email]> wrote:

> option ntp-servers 194.109.22.18, 194.109.20.18;
> option domain-name-servers 192.168.178.24, 192.168.178.20;shared-network 178 {
> default-lease-time 3600;

Oops, a bit of cut-n-paste error there. Should be
> option domain-name-servers 192.168.178.24, 192.168.178.20;
(no shared-network)


Re: DHCP/DDNS Multi ddns domains

Ronald Roeleveld

Hi Simon,

Thank you so much. Everything appears to be working great now. No more errors and the right DNS zones are being updated.

About splitting the subnet in this ugly fashion: I know it does not offer any security, but it was the last thing I could think of to get things working. As with most of my configuration, it was me going at it, trying everything to get things working. :)

Again, thank you very much for your quick and extensive response.

Kind regards,

Ronald

On Jul 11, 2015 1:16 PM, "Simon Hobson" <[hidden email]> wrote:
