One A-Record for two different Interfaces

One A-Record for two different Interfaces

thomas.zenz@oenb.at
       
Hi to all.

I had the problem "Has an address record but no DHCID not mine"
<http://isc-dhcp-users.2343191.n4.nabble.com/Has-an-address-record-but-no-DHCID-not-mine-tt1989.html>
and found out dhcpd is working fine.

Because I think we are not the only ones with that problem, I would like to
invite you all to discuss this.

The situation is the following:
A laptop is connected via LAN to the company network. DHCP offers an address
10.1.1.1 for 14 days and makes the DNS A and PTR record.
All of a sudden, the user takes the laptop out of the docking station and
WiFi kicks in. The VPN client checks that it is an insecure network and
starts the tunnel and requests a new IP.
DHCP offers 10.2.2.2 for one hour and tries to make the DNS A and PTR record.
Because the A record is still valid for 10.1.1.1 and the DHCID is different
(a different interface/UID), the A record update fails.
If the user needs support, the helpdesk cannot resolve the IP via DNS.

I have three solutions, all with some kind of negative touch. How do you solve
this problem?

1) A second DNS domain for VPN clients: company.com and vpn.company.com.
 - the user has to know if he uses VPN or not.
 - helpdesk has to use the FQDN because the first suffix will win.
 - the certificate of the PC is issued for company.com, not vpn.company.com,
resulting in certificate errors.
2) Shorter lease times.
 - more DHCP and DNS-update traffic
 - still a gap where the A record is wrong
3) Client registers DNS
 - trusting a PC, meaning a client can pretend to be the domain controller

--
Sent from: http://isc-dhcp-users.2343191.n4.nabble.com/
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: One A-Record for two different Interfaces

thomas.zenz@oenb.at
Too bad, I am alone with the problem. Here's how we solved the problem, and it
looks good in the logs:

update-optimization false; # if false the client will always be renewed in DNS (to be sure clients are updated)
update-conflict-detection true; # so no PC can overwrite a server name

on commit {
   if static {
      # I trust my static leases, I wrote them.
      log (info, "Static: do overwrite" );
      update-conflict-detection false;
   } else {
      log (info, "Dynamic" );
      set my-client-hostname = pick (config-option server.ddns-hostname, option host-name, "noName");
      log (info, my-client-hostname );
      set HostName2 = ucase(substring (my-client-hostname,0,2));
      set HostName3 = ucase(substring (my-client-hostname,0,3));
      set HostName4 = ucase(substring (my-client-hostname,0,4));
      # Only if the hostname is a PC, a printer or a remote inside port will we overwrite the A record.
      # "PRT[0-9]" is a pattern, so it needs the regex match operator (~=); a string
      # equality (=) against a four-character prefix can never be true.
      if (( HostName2 = "PC" ) or ( HostName3 = "RIB" ) or ( HostName4 ~= "^PRT[0-9]" )) {
         log (info, concat ("DDNS map for ", client-hostname ));
         update-conflict-detection false; # it's safe to overwrite the A record of a PC
      } else {
         log (info, concat ("no DDNS map hostname: ", ddns-fwd-name, " from: ", binary-to-ascii(10,8,".",packet(24,4))));
         ddns-hostname = null; # just to be sure no A record at all. You can remark it if you have other valid DHCP clients
      }
   }
}


In my logs I see:
# this is just the WiFi
Sep 14 10:00:56 anlpn35 dhcpd: DDNS map for PC7345.wlan.oenb.co.at
Sep 14 10:00:56 anlpn35 dhcpd: Added new forward map from PC7345.wlan.oenb.co.at to 172.20.129.165
Sep 14 10:00:56 anlpn35 dhcpd: Added reverse map from 165.129.20.172.in-addr.arpa. to PC7345.wlan.oenb.co.at
# this is the VPN
Sep 14 10:01:02 anlpn35 dhcpd: Added new forward map from PC7345.ad.oenb.co.at to 172.20.31.119
Sep 14 10:01:02 anlpn35 dhcpd: Added reverse map from 119.31.20.172.in-addr.arpa. to PC7345.ad.oenb.co.at
# now I am back on cable with my static lease
Sep 14 10:02:28 anlpn35 dhcpd: Added new forward map from PC7345.ad.oenb.co.at to 10.105.90.45
Sep 14 10:02:28 anlpn35 dhcpd: Added reverse map from 45.90.105.10.in-addr.arpa. to PC7345.ad.oenb.co.at

And the DNS:
root@dns:~# dig +short PC7345.ad.oenb.co.at
172.20.31.119
root@dns:~# dig +short PC7345.ad.oenb.co.at
10.105.90.45
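An added worked example in Python (not from the post and not ISC dhcpd code): it builds RFC 4701 DHCID records for the two interfaces of one laptop, applies the RFC 4703 rule that makes the second interface's A-record update fail, and then applies the post's hostname-class override to show what the `update-conflict-detection false` branch changes. It assumes the server identifies clients by htype plus hardware address (DHCID identifier type 0x0000); the MACs and the zone name are constructed.

```python
import base64
import hashlib
import re

# Added example: models RFC 4701 DHCID records and the RFC 4703 conflict rule behind
# "Has an address record but no DHCID ... not mine". Not code from ISC dhcpd.

def dns_wire_name(fqdn):
    """Canonical DNS wire form of a name: lowercase, length-prefixed labels, root label."""
    labels = fqdn.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dhcid_rdata(id_type, identifier, fqdn):
    """RFC 4701 DHCID RDATA: identifier type (2 octets), digest type 1 = SHA-256 (1 octet),
    then SHA-256(identifier || canonical FQDN)."""
    digest = hashlib.sha256(identifier + dns_wire_name(fqdn)).digest()
    return id_type.to_bytes(2, "big") + b"\x01" + digest

def dhcid_from_chaddr(htype, chaddr, fqdn):
    """Identifier type 0x0000: one octet htype followed by the hardware address."""
    return dhcid_rdata(0x0000, bytes([htype]) + chaddr, fqdn)

def dhcid_presentation(rdata):
    """Zone-file form of the RR data (base64)."""
    return base64.b64encode(rdata).decode("ascii")

def overwrite_allowed(hostname):
    """The post's class rule: uppercase prefix PC, RIB, or PRT followed by a digit."""
    return re.match(r"^(PC|RIB|PRT[0-9])", hostname.upper()) is not None

def ddns_add(zone, fqdn, ip, dhcid, conflict_detection=True):
    """RFC 4703 add: a new name is created with its DHCID; an existing name is replaced
    only if the DHCIDs match, or if the server has switched conflict detection off."""
    key = fqdn.rstrip(".").lower()
    if key not in zone:
        zone[key] = {"A": ip, "DHCID": dhcid}
        return "added"
    if zone[key]["DHCID"] == dhcid or not conflict_detection:
        zone[key] = {"A": ip, "DHCID": dhcid}
        return "replaced"
    return "refused"  # the "has an address record but no DHCID ... not mine" case

def laptop_scenario(policy_override):
    """Constructed sample: one laptop, LAN NIC then WiFi/VPN NIC, both claiming one name."""
    fqdn = "PC7345.ad.example.test"
    lan = dhcid_from_chaddr(1, bytes.fromhex("020000000001"), fqdn)   # constructed MAC
    wifi = dhcid_from_chaddr(1, bytes.fromhex("020000000002"), fqdn)  # constructed MAC
    zone = {}
    first = ddns_add(zone, fqdn, "10.1.1.1", lan)
    detect = not (policy_override and overwrite_allowed("PC7345"))
    second = ddns_add(zone, fqdn, "10.2.2.2", wifi, conflict_detection=detect)
    return first, second, zone[fqdn.lower()]["A"]
```

Once the override applies, any DHCP client whose host-name starts with PC, RIB or PRT plus a digit can replace that name's A record, which is why keeping the "DDNS map for" log line from the post is useful for spotting unexpected overwrites.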