help me explain

help me explain

Cuttler, Brian (HEALTH)
Please help me to explain to another admin at my site, or tell me that I'm wrong and what I need to do in this case.

We are in the process of restructuring our network in one of our buildings. There are good aspects of this, better redundancy, dual paths from each switch to the primary router on site, etc., and there are parts of this that are not strictly necessary and will in some ways make more work.

We are dividing the 6-floor building from a /21 network and creating a new /24 on each floor, and we are for the first time in this building enabling DDNS. (Yes, we have a net of two /24 networks free when we are done.)

The positives are that the printers will now provide an identifier (string matching their inventory tag) to DHCP then to DNS, and we will be able to create DNS short names pointing to their FQDN, so we don't need to remap anything from either the print servers or directly mapped printers - well, for printers mapped by ID rather than IP.

I know from when we did something similar at the first building which is using a /22 network for the entire building (regardless of floor) that I can use a single subnet name, and can have one named Forward table but needed 4 Reverse tables. No problem there. (Is there a better/easier way)?

The issue in question is that while it is only a /24 on each floor and I can use one Forward and one Reverse table, the FQDN (I believe) needs to be unique by floor. I.e. if a printer moves I don't need to lock it down, and never need to enter it in DHCP, but do need to change its CNAME to point to the new FQDN since each floor requires a different subnet name.

Am I correct in my understanding, or is there a way to maintain unique address ranges by floor but use a single subnet name for the entire building?

Many thanks,
Brian

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: help me explain

Simon Hobson

On 17 Oct 2016, at 16:54, "Cuttler, Brian R (HEALTH)" <[hidden email]> wrote:

> We are in process of restructuring our network in one of our buildings. There are good aspects of this, better redundancy, dual paths from each switch to the primary router on site, etc, and there are parts of this that are not strictly necessary and will in some ways make more work.

It's always "work", but if you do it right it's usually worth it eventually.

> We are dividing the 6 floor building from a /21 network and creating a new /24 on each floor, we are for the first time in this building enabling DDNS. (yes, we have a net of two /24 networks free when we are done)
>
> The positives are that the printers will now provide an identifier (string matching their inventory tag) to DHCP then to DNS, and we will be able to create DNS short names pointing to their FQDN, so we don't need to remap anything from either the print servers or directly mapped printers - well, for printers mapped by ID rather than IP.
>
> I know from when we did something similar at the first building which is using a /22 network for the entire building (regardless of floor) that I can use a single subnet name, and can have one named Forward table but needed 4 Reverse tables. No problem there. (Is there a better/easier way)?

Yes, that's correct.
All the DHCP subnets can share a single forward DNS zone. If they were smaller than /24 subnets then you'd also find that some of them would be sharing reverse DNS zone as well. The only reason you need separate DNS reverse zones is that you can only split the URL at a "dot" - so for example if you were using 172.16.0.0/21, you'd have to use 0.16.172.in-addr.arpa, 1.16.172.in-addr.arpa, and so on.

You don't need to specify the reverse zone within the subnet declarations in DHCP - the server will figure that out automagically, as in a client with IP address 172.16.1.57 would automatically trigger a reverse pointer update for 57.1.16.172.in-addr.arpa and if your DNS is correctly setup then the DHCP server will automagically figure out the zone to update.
The main reason for specifying DDNS zones in DHCP is to assign an update key for secured updates.

> The issue in question is that while it is only a /24 on each floor and I can use one Forward and one Reverse table FQDN (I believe) needs to be unique by floor. IE if a printer moves I don't need to lock it down, never need to enter it in DHCP, but do need to change its CNAME to point to the new FQDN since each floor requires a different subnet name.

You don't have to use different forward zones per floor - they can all use (say) "magabuildingone.mycompany.com" and moving a device around will not change its DNS name. Or, you can choose to use different names, eg floor1.magabuildingone.mycompany.com, floor2.magabuildingone.mycompany.com, and so on. Some people go further and have different DNS names for different departments, even if they are on the same subnet (eg accounts.magabuildingone.mycompany.com, sales.magabuildingone.mycompany.com, ...).
That's really a management decision, though the technical issues may be part of the input to that choice.


Re: help me explain

Cuttler, Brian (HEALTH)

Simon, Bruce,
   
When I was setting up the /24 by floor I'd specified the dynamic range from 30-224 so that I could use lower numbers as fixed addresses for network infrastructure and the upper addresses for anything that wasn't amenable to dynamic addressing, old HW, devices I really needed to lock down in DHCP.
   
So my DHCP config looks like this – with one such stanza per building floor.

I am not certain how to implement this addressing structure with a single domain name, I would simply use the building name and drop the vlan id, so “dai.wadsworth.org” and maintain the addressing the way we wanted to.

Moving forward we are routing the vlan per floor to the specific floor only. These are truly separate networks.

Do we simply put the 6 subnet statements inside of a GROUP statement and move the ddns-domainname and ddns-rev-domainname statements into the outer structure?

# Subnet Declaration default_vlan for DAI 6th floor, Vlan 126 10.57.46.0/24
subnet 10.57.46.0 netmask 255.255.255.0 {
    authoritative;
    option routers 10.57.46.1;
    update-static-leases on;
    update-optimization off;
    ddns-domainname = "dai126.wadsworth.org";
    ddns-rev-domainname "in-addr.arpa.";
    option domain-name-servers admin.wadsworth.org, bionsc.wadsworth.org, ldap1.wadsworth.org, 10.50.156.21;
    pool {
        range 10.57.46.30 10.57.46.225;
        allow unknown-clients;
        allow known-clients;
        option domain-name-servers admin.wadsworth.org, bionsc.wadsworth.org, ldap1.wadsworth.org, 10.50.156.21;
    }
}

Thank you,
Brian


Re: help me explain

Simon Hobson
"Cuttler, Brian R (HEALTH)" <[hidden email]> wrote:

> So my DHCP config looks like this – with one such stanza per building floor.
>
> I am not certain how to implement this addressing structure with a single domain name

The domain name is irrelevant - it does NOT affect your addressing structure

> Do we simply put the 6 subnet statements inside of a GROUP statement and move the ddns-domainname and ddns-rev-domainname statements into the outer structure?

That's one way to do it, or you can just use the same domain name statement in each one. You can omit ddns-rev-domainname as it works out of the box with defaults - you only need to specify it if doing things like bodging around doing dynamic DNS on a reverse zone that's not on a /24 boundary.


subnet 10.57.46.0 netmask 255.255.255.0 {
     ddns-domainname = "dai.wadsworth.org";
...
}

subnet 10.57.47.0 netmask 255.255.255.0 {
     ddns-domainname = "dai.wadsworth.org";
...
}

subnet 10.57.48.0 netmask 255.255.255.0 {
     ddns-domainname = "dai.wadsworth.org";
...
}

and so on

it really is that simple !


BTW - you have a few redundancies in your config :

      option domain-name-servers admin.wadsworth.org, bionsc.wadsworth.org, ldap1.wadsworth.org, 10.50.156.21;
       pool {
             range 10.57.46.30  10.57.46.225;
             allow unknown-clients;
             allow known-clients;
             option domain-name-servers admin.wadsworth.org, bionsc.wadsworth.org, ldap1.wadsworth.org, 10.50.156.21;

You've duplicated domain-name-servers and your allow statements (unless you have something at a higher inheritance level to override) simply implement the defaults.


RE: help me explain

Cuttler, Brian (HEALTH)
Simon,

Thank you, I will put these changes into the config, immediately.

Thank you very much,
Brian


RE: help me explain

Cuttler, Brian (HEALTH)
Simon,

Perhaps a stupid follow up, but the "zone" declarations.

I just need one for the cms.wadsworth.org, nuke all of the cms<vlannumber>.wadsworth.org ones.

What about the ones I'd created for the Reverse zones, are those needed at all?

Thank you,
Brian

Re: help me explain

Simon Hobson
"Cuttler, Brian R (HEALTH)" <[hidden email]> wrote:

> I just need one for the cms.wadsworth.org, nuke all of the cms<vlannumber>.wadsworth.org ones.

Yes, but see below ...

> What about the ones I'd created for the Reverse zones, are those needed at all?

That depends on your setup.

If your internal DNS is setup with the correct SOA records, AND you aren't using signed updates, then you don't need any zone declarations at all. By default, the server will look at the SOA record for the zone (cms.wadsworth.org or xx.57.10.in-addr.arpa in your case) and get the master DNS server from that - then sends the (unsigned) update requests to it.
This does require that the DNS server be setup to accept unsigned updates, which in the general case is "unsafe". You could lock it down and just accept updates from certain IP addresses - eg if this is a dedicated system, with restricted users (so you can trust anyone with access), then just accepting updates from "localhost" may be OK.

But in the general case, you want to restrict the system to signed updates. To do this, you need to define each zone in the DHCP server just so you can specify the key to be used for each one.

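The three points Simon makes in this thread (the in-addr.arpa zones fall out of the /24 boundaries, every floor subnet can carry the same ddns-domainname, and signed updates need one zone {} with a key per DNS zone on the dhcpd side) fit in one small generator. The script below is an added example for this thread, not code from ISC, from the posters, or from any product. Its inputs are assumptions: the building prefix 10.57.40.0/21 (the floors take its first six /24s), the forward zone dai.wadsworth.org, a key called dhcp-update, and a DNS master on 127.0.0.1; the TSIG secret is generated at run time the way tsig-keygen does it rather than written into the file.

```python
"""Per-floor /24s, one shared forward DDNS zone, one reverse zone per /24,
and TSIG-keyed zone declarations for dhcpd.conf and named.conf.

Added example, not code from the thread or from ISC. Assumed inputs: building
prefix 10.57.40.0/21, forward zone dai.wadsworth.org, key name dhcp-update,
DNS master 127.0.0.1. The secret is generated fresh, as tsig-keygen would.
"""
import base64
import ipaddress
import secrets
from typing import List


def floor_subnets(building: str, floors: int) -> List[ipaddress.IPv4Network]:
    """One /24 per floor, carved from the building prefix in address order."""
    net = ipaddress.ip_network(building, strict=True)
    subnets = list(net.subnets(new_prefix=24))
    if floors > len(subnets):
        raise ValueError(f"{building} yields {len(subnets)} /24s, need {floors}")
    return subnets[:floors]


def reverse_zone(subnet: ipaddress.IPv4Network) -> str:
    """Reverse zone holding the PTRs of a /24: 46.57.10.in-addr.arpa for
    10.57.46.0/24. in-addr.arpa cuts only at octet boundaries, so the /21
    building shares one forward zone but needs a reverse zone per /24."""
    if subnet.prefixlen != 24:
        raise ValueError("reverse_zone() expects a /24")
    first_three = str(subnet.network_address).split(".")[:3]
    return ".".join(reversed(first_three)) + ".in-addr.arpa"


def ptr_name(address: str) -> str:
    """PTR owner name dhcpd updates for a lease, e.g. 57.1.16.172.in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer


def zone_for_lease(address: str, subnets: List[ipaddress.IPv4Network]) -> str:
    """Reverse zone a lease's PTR lands in; dhcpd needs a key for that zone."""
    addr = ipaddress.ip_address(address)
    for net in subnets:
        if addr in net:
            return reverse_zone(net)
    raise LookupError(f"{address} is in none of the floor subnets")


def new_tsig_secret() -> str:
    """Fresh 256-bit secret, base64 as tsig-keygen prints it for hmac-sha256."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def dhcpd_conf(building: str, floors: int, forward_zone: str,
               key_name: str, dns_master: str, secret: str) -> str:
    """dhcpd.conf fragment: the key, a zone {} for the forward zone and for
    every reverse /24 (so each update is signed), then the floor subnets all
    using the same ddns-domainname, which is what lets a printer change
    floors without changing its name."""
    subnets = floor_subnets(building, floors)
    out = ["ddns-update-style interim;   # 'standard' on dhcpd 4.3 and later",
           "ddns-updates on;", "",
           f"key {key_name} {{", "    algorithm hmac-sha256;",
           f'    secret "{secret}";', "}", ""]
    for zone in [forward_zone] + [reverse_zone(s) for s in subnets]:
        out += [f"zone {zone}. {{", f"    primary {dns_master};",
                f"    key {key_name};", "}", ""]
    for net in subnets:
        hosts = list(net.hosts())          # .1 .. .254
        out += [f"subnet {net.network_address} netmask {net.netmask} {{",
                f"    option routers {hosts[0]};",
                f'    ddns-domainname "{forward_zone}";',
                "    pool {",
                f"        range {hosts[29]} {hosts[224]};",   # .30 .. .225
                "    }", "}", ""]
    return "\n".join(out)


def named_conf(building: str, floors: int, forward_zone: str,
               key_name: str, secret: str) -> str:
    """named.conf fragment that accepts dynamic updates only when signed with
    the key. 'allow-update { localhost; };' would also let a co-located dhcpd
    update, but it trusts every local process; the key form does not."""
    zones = [forward_zone] + [reverse_zone(s) for s in floor_subnets(building, floors)]
    out = [f'key "{key_name}" {{', "    algorithm hmac-sha256;",
           f'    secret "{secret}";', "};", ""]
    for zone in zones:
        out += [f'zone "{zone}" {{', "    type master;",
                f'    file "dynamic/{zone}.db";',
                f"    allow-update {{ key {key_name}; }};", "};", ""]
    return "\n".join(out)


if __name__ == "__main__":
    tsig = new_tsig_secret()
    args = ("10.57.40.0/21", 6, "dai.wadsworth.org", "dhcp-update")
    print(dhcpd_conf(*args, "127.0.0.1", tsig))
    print(named_conf(*args, tsig))
```

Run it once, paste the two fragments into dhcpd.conf and named.conf, and keep the same secret on both sides. If you later decide the localhost-only setup Simon describes is acceptable, the zone {} blocks in dhcpd.conf can go, since the server then finds the master from the SOA on its own; the version caveat Brian hits further down (4.2.5) is the reason to test that rather than assume it.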

RE: help me explain

Cuttler, Brian (HEALTH)
Thank you Simon.

In this case it looks like I can remove all zone entries then.

The DHCP server and the dynamic dns master live on the same box and I've established nsupdate keys, and the dns master talks to the slave servers for zone transfers, but I specified masters and allow-transfers, so things are reasonably secure.

If I was on the other side of the FW or in the DMZ it would need to be tighter but I think we are ok this way.

I'll look to remove the "zone" commands from the dhcpd.conf file, the simpler the better, at least until security issues begin to loom.

Thanks and have a great weekend,
Brian

RE: help me explain

Cuttler, Brian (HEALTH)
Simon,

I have performed testing and I am in fact running 4.2.5 which is anomalous regarding requirement for zone config statements.

https://lists.isc.org/pipermail/dhcp-users/2013-February/016421.html

Thanks for your help, you are confirmed right, except for my site which is always an oddity.

Brian