Prevent PCs from using Server hostnames


Prevent PCs from using Server hostnames

thomas.zenz@oenb.at
Dear all,

We are running DHCP Server 4.3.5.

To prevent Clients from using server hostnames and so pull traffic to the client, I added the following script:

        # Take the first four characters of the name that would be registered
        # and compare them in upper case. Caveat: ddns-fwd-name is only bound
        # on a lease after a DDNS update has already been done for it; the name
        # the client itself sends is "option host-name" (or "option fqdn.hostname").
        set HostName = ucase(substring(ddns-fwd-name, 0, 4));
        #############################################################################
        #                                 Update only DDNS for PC, ANP and RIB
        #############################################################################

        # "~=" is the case-sensitive regular-expression match; both branches
        # test the same HostName variable (PCnn or PRTn prefixes).
        if ((HostName ~= "PC[0-9][0-9]") or (HostName ~= "PRT[0-9]")) {
           log(info, concat("DDNS for ", ddns-fwd-name));
           ddns-updates on;
        }
        else {
           log(info, concat("no DDNS for hostname: ", ddns-fwd-name));
           ddns-updates off;
        }
        ########################################
        ########################################

My question is: Will that work?

I do have so many requests per day, it's hard to test for me.

Kind Regards
Thomas

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: Prevent PCs from using Server hostnames

Simon Hobson
"Zenz, Thomas" <[hidden email]> wrote:

> To prevent Clients from using server hostnames and so pull traffic to the client, I added the following script:

No need.
IFF your servers are in the DNS (and not themselves allocated by the same DHCP) then DHCP will refuse to update the DNS with a matching entry.

If you look in your DNS zones, you'll find that the A records for your clients are also accompanied by a TXT record with some long "random" string. The TXT record is a key (hashed from client information) to show that the A record was created by the DHCP server - and if it's not present, then the DHCP server will not update/replace the A record.
This is there specifically to avoid the issue you describe - allowing a client to over-write DNS records that don't belong to DHCP clients.

It's not just servers - it's anything you've statically configured.


AW: Prevent PCs from using Server hostnames

thomas.zenz@oenb.at
Hi Simon

Thank you for the quick answer.
We were facing the problem because the servers get set up using DHCP and then the server admin changes the record without deleting the TXT record. So the DHCP server could change the record again.

We use failover and do have failover tests every year for a week. So I set the remaining server to partner-down. Could this be an issue?

Regards Tom


Re: Prevent PCs from using Server hostnames

Simon Hobson
"Zenz, Thomas" <[hidden email]> wrote:

> We were facing the problem because the servers get set up using DHCP and then the server admin changes the record without deleting the TXT record. So the DHCP server could change the record again.

So there's your problem, and the fix !

> We use failover and do have failover tests every year for a week. So I set the remaining server to partner-down. Could this be an issue?

I don't believe that should have any effect.

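An added example, not code from the thread or from ISC DHCP, that models the two points Simon makes: dhcpd only replaces an A record when the companion TXT record carries this client's key, and the fix for the situation Thomas describes is to remove the TXT record once an admin has re-pointed a server's A record by hand. The zone contents, the lease table, the client identifiers and the `client_key` derivation are all constructed here; the exact way ISC encodes the TXT value is not reproduced, and the key is treated as an opaque string throughout.

```python
"""Model of the dhcpd interim-style DDNS ownership check plus a stale-token audit.

Constructed example for the thread above; the key format is an assumption and
the zone/lease data are made up. Nothing here talks to a real DNS or DHCP server.
"""
import hashlib


def client_key(identifier: bytes) -> str:
    """Ownership token hashed from client information.

    Assumption: MD5 over htype+MAC stands in for the real ISC encoding; the
    checks below only ever compare tokens for equality, so the format is opaque.
    """
    return hashlib.md5(identifier).hexdigest()


def ddns_update_allowed(zone: dict, name: str, key: str) -> bool:
    """Would dhcpd install or replace the A record for `name` on behalf of `key`?

    zone maps name -> {"A": address, "TXT": token-or-None}.
    """
    rr = zone.get(name)
    if rr is None:
        return True                 # no record yet: the name is free to add
    if rr.get("TXT") is None:
        return False                # static record without token: hands off
    return rr["TXT"] == key         # token must belong to this very client


def stale_tokens(zone: dict, leases: dict) -> list:
    """Names that still carry a DHCP token although the A record no longer
    matches any DHCP lease (typically: an admin re-pointed the record by hand).

    leases maps name -> address currently leased for that hostname.
    """
    return sorted(
        name for name, rr in zone.items()
        if rr.get("TXT") is not None and leases.get(name) != rr["A"]
    )


def fix_zone(zone: dict, leases: dict) -> dict:
    """Return a copy of `zone` with the stale TXT tokens removed, which is the
    remedy the thread arrives at: without the token dhcpd will not touch the A record."""
    stale = set(stale_tokens(zone, leases))
    return {
        name: ({**rr, "TXT": None} if name in stale else dict(rr))
        for name, rr in zone.items()
    }


# --- constructed sample data ------------------------------------------------
KEY_PC = client_key(b"\x01" + bytes.fromhex("001122334455"))   # a workstation
KEY_DB = client_key(b"\x01" + bytes.fromhex("00aabbccddee"))   # the db server's NIC

ZONE = {
    "pc1234":     {"A": "10.0.0.21", "TXT": KEY_PC},   # normal DHCP client
    "fileserver": {"A": "10.0.0.5",  "TXT": None},     # static entry, never DHCP
    "dbserver":   {"A": "10.0.0.6",  "TXT": KEY_DB},   # set up via DHCP, then moved by hand
}
LEASES = {"pc1234": "10.0.0.21", "dbserver": "10.0.0.40"}   # dbserver still leases its old address


if __name__ == "__main__":
    # A client cannot take over a static name: no TXT token exists for it.
    print("pc -> fileserver:", ddns_update_allowed(ZONE, "fileserver", KEY_PC))
    # The db server's own DHCP client may still rewrite its A record (the problem).
    print("db -> dbserver:  ", ddns_update_allowed(ZONE, "dbserver", KEY_DB))
    print("stale tokens:    ", stale_tokens(ZONE, LEASES))
    fixed = fix_zone(ZONE, LEASES)
    # After removing the token the hand-edited record is protected like any static one.
    print("db -> dbserver after fix:", ddns_update_allowed(fixed, "dbserver", KEY_DB))
```

In practice the audit input would come from a zone transfer or `dig` output and the lease table from `dhcpd.leases`; the logic stays the same, and the list returned by `stale_tokens` is the set of TXT records to delete before (or instead of) filtering hostnames in dhcpd.conf.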