Problem updating DNS with DHCP.

Baldychap · 08-13-2008, 08:15 AM

Hello All,

I have search the 'net far and wide to find the 'right' way to configure a DHCP and DNS server (using dhcp3 and bind9) I've got the servers working, to a degree, but cannot get the dhcp server to update the dns with details of new clients.

I have used the very helpful pdf at http://www.realmtech.net/documents/DynamicDNS.pdf and also some information from http://ubuntuforums.org/showthread.php?t=267974 to get where I am today and my named.conf.options is:-

Code:

include "/etc/bind/rndc.key";
options {
  directory "/var/cache/bind";
  forwarders {
	212.159.13.49;
        212.159.13.50;
  };
  auth-nxdomain no;
};
controls {
  inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
zone "example.com" {
  type master;
  file "/etc/bind/zones/example.com.db";
  allow-update { key "rndc-key"; };
};
zone "1.168.192.in-addr.arpa" {
     type master;
     file "/etc/bind/zones/rev.1.168.192.in-addr.arpa";
  allow-update { key "rndc-key"; };
};

and my dhcpd.conf is:-

Code:

server-identifier 192.168.1.3;
authoritative;
ddns-domainname "example.com";
ddns-rev-domainname "rev.1.168.192.in-addr.arpa";
ddns-update-style interim;
include "/etc/dhcp3/rndc.key";
zone example.com. {
  primary 192.168.1.0;
  key rndc-key;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.30 192.168.1.99;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.1.255;
  option domain-name "example.com";
  one-lease-per-client on;
  default-lease-time 604800;
  max-lease-time 604800;
  # Gateways and DNS servers
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.3;
}

The problem can be seen in the daemon.log when a client requests a DHCP address from the server:-

Code:

Aug 13 00:03:53 nameserver named[1794]: starting BIND 9.4.1-P1.1 -u bind
Aug 13 00:03:53 nameserver named[1794]: found 1 CPU, using 1 worker thread
Aug 13 00:03:53 nameserver named[1794]: loading configuration from '/etc/bind/named.conf'
Aug 13 00:03:53 nameserver named[1794]: listening on IPv4 interface lo, 127.0.0.1#53
Aug 13 00:03:53 nameserver named[1794]: listening on IPv4 interface eth0, 192.168.1.3#53
Aug 13 00:03:53 nameserver named[1794]: listening on IPv4 interface vmnet8, 192.168.65.1#53
Aug 13 00:03:53 nameserver named[1794]: listening on IPv4 interface vmnet1, 192.168.81.1#53
Aug 13 00:03:53 nameserver named[1794]: automatic empty zone: 254.169.IN-ADDR.ARPA
Aug 13 00:03:53 nameserver named[1794]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Aug 13 00:03:53 nameserver named[1794]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Aug 13 00:03:53 nameserver named[1794]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Aug 13 00:03:53 nameserver named[1794]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Aug 13 00:03:53 nameserver named[1794]: automatic empty zone: D.F.IP6.ARPA
Aug 13 00:03:53 nameserver named[1794]: automatic empty zone: 8.E.F.IP6.ARPA
Aug 13 00:03:53 nameserver named[1794]: automatic empty zone: 9.E.F.IP6.ARPA
Aug 13 00:03:53 nameserver named[1794]: automatic empty zone: A.E.F.IP6.ARPA
Aug 13 00:03:53 nameserver named[1794]: automatic empty zone: B.E.F.IP6.ARPA
Aug 13 00:03:53 nameserver named[1794]: command channel listening on 127.0.0.1#953
Aug 13 00:03:53 nameserver named[1794]: zone 0.in-addr.arpa/IN: loaded serial 1
Aug 13 00:03:53 nameserver named[1794]: zone 127.in-addr.arpa/IN: loaded serial 1
Aug 13 00:03:53 nameserver named[1794]: /etc/bind/zones/rev.1.168.192.in-addr.arpa:1: no TTL specified; using SOA MINTTL instead
Aug 13 00:03:53 nameserver named[1794]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2006081401
Aug 13 00:03:53 nameserver named[1794]: zone 255.in-addr.arpa/IN: loaded serial 1
Aug 13 00:03:53 nameserver named[1794]: zone localhost/IN: loaded serial 1
Aug 13 00:03:53 nameserver named[1794]: /etc/bind/zones/example.com.db:1: no TTL specified; using SOA MINTTL instead
Aug 13 00:03:53 nameserver named[1794]: zone example.com/IN: loaded serial 2006081402
Aug 13 00:03:53 nameserver named[1794]: running
Aug 13 00:04:13 nameserver dhcpd: DHCPRELEASE of 192.168.1.66 from 00:08:74:9d:ec:d5 (clienthostname) via eth0 (found)
Aug 13 00:04:14 nameserver dhcpd: DHCPDISCOVER from 00:08:74:9d:ec:d5 via eth0
Aug 13 00:04:15 nameserver dhcpd: DHCPOFFER on 192.168.1.66 to 00:08:74:9d:ec:d5 (clienthostname) via eth0
Aug 13 00:04:15 nameserver dhcpd: Unable to add forward map from clienthostname.example.com to 192.168.1.66: connection refused
Aug 13 00:04:15 nameserver dhcpd: DHCPREQUEST for 192.168.1.66 (192.168.1.3) from 00:08:74:9d:ec:d5 (clienthostname) via eth0
Aug 13 00:04:15 nameserver dhcpd: DHCPACK on 192.168.1.66 to 00:08:74:9d:ec:d5 (clienthostname) via eth0

The problem being "nameserver dhcpd: Unable to add forward map from clienthostname.example.com to 192.168.1.66: connection refused".

Does anyone know why permission is being refused? I've made sure that the bind group has read/write access on the /etc/bind directory and that the dchpd group has read/write access on the /etc/dhcp3 directory. I presume it's a problem with the keys, but I can't see where it is!

Any help would be gratefully received. I've searched the web/forums for advice and have not found anything, so apologies if this has been answered elsewhere :-)

Kind Regards,

Baldychap.

grepmasterd · 08-13-2008, 12:09 PM

"connection refused" is a network error, not a permissions problem. it means that the port is not open on the target machine. check the services and ports open on 192.168.1.66

chort · 08-13-2008, 12:36 PM

192.168.1.66 isn't the server, that's the DDNS entry that failed.

Try

Code:

dig example.com @192.168.1.3

what's the output? If it was a problem with the key there should be a log message from named stating so. It seems as if there might be a firewall blocking port 53.

grepmasterd · 08-13-2008, 01:33 PM

wups, yes I misinterpreted the log. however, "connection refused" is still a network error at the transport level (UDP in this case, most likely). It can come from over the wire or from loopback.

I'll bow out here, since I'm unsure of DHCP -> DNS update details. I just wanted to comment on the network error. either some service is not listening on the right port, or the update is being sent to the wrong host/port.

Baldychap · 08-14-2008, 11:00 AM

Thanks for the tips. I've run this command on the server

Code:

dig example.com @192.168.1.3

and got this response:-

Code:

; <<>> DiG 9.4.1-P1.1 <<>> example.com @192.168.1.3 ; (1 server found) ;; global options:  printcmd ;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25671 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.     IN      A

;; AUTHORITY SECTION:
example.com. 38400 IN     SOA
nameserver.example.com. admin.example.com.
2006081402 28800 3600 604800 38400

;; Query time: 114 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Thu Aug 14 11:45:52 2008
;; MSG SIZE  rcvd: 95

I've also done a port scan on 192.168.1.3 and 127.0.0.1 and it shows that port 53 is open and being used by a 'domain' service. So I guess this sounds OK. I'm running this on ubuntu 7.10 and I can't see where I can change any firewall settings. Probably my lack of knowledge :-)

Baldychap · 08-14-2008, 05:37 PM

Hi, I've also installed firestarter to make sure that ports 67,68 and 53 (used by DNS and DHCP) are not blocked. The same problem still exists

Any other ideas gratefully received!

grepmasterd · 08-14-2008, 08:37 PM

tcpdump is your friend. try watching eth0 and lo

chort · 08-15-2008, 01:17 AM

I forgot rndc runs on port 953. Try

Code:

$ sudo rndc status

and see if that gets refused.

Oh, a casual glance at dhcpd.conf settings for DDNS tends to indicate that this:

PHP Code:



zone example.com. {
  primary 192.168.1.0;
  key rndc-key;
}

should probably be changed to this:

PHP Code:



zone example.com. {
  primary 127.0.0.1;
  key rndc-key;
}

Baldychap · 08-15-2008, 03:53 PM

Thanks Chort! Changing the dchpd.conf seemed to help a lot, although I'm not quite there yet :-)

My daemon.log now shows this:-

Code:

Aug 15 21:42:18 nameserver dhcpd: DHCPDISCOVER from 00:13:8f:54:ba:0d via eth0
Aug 15 21:42:19 nameserver dhcpd: DHCPOFFER on 192.168.1.65 to 00:13:8f:54:ba:0d (clienthostname) via eth0
Aug 15 21:42:19 nameserver named[20741]: client 127.0.0.1#32779: updating zone 'example.com/IN': adding an RR at 'clienthostname.example.com' A
Aug 15 21:42:19 nameserver named[20741]: client 127.0.0.1#32779: updating zone 'example.com/IN': adding an RR at 'clienthostname.example.com' TXT
Aug 15 21:42:19 nameserver dhcpd: Added new forward map from clienthostname.example.com to 192.168.1.65
Aug 15 21:42:19 nameserver dhcpd: unable to add reverse map from 65.1.168.192.1.168.192.in-addr.arpa to clienthostname.example.com: timed out
Aug 15 21:42:19 nameserver dhcpd: DHCPREQUEST for 192.168.1.65 (192.168.1.3) from 00:13:8f:54:ba:0d (clienthostname) via eth0
Aug 15 21:42:19 nameserver dhcpd: DHCPACK on 192.168.1.65 to 00:13:8f:54:ba:0d (clienthostname) via eth0

I'm not sure, but the 65.1.168.192.1.168.192.in-addr.arpa doesn't look right to me. looking at other posts I would expect it to be 65.1.168.192.in-addr.arpa

Any idea what is going wrong? Thanks.

Baldychap · 08-16-2008, 05:21 AM

Hi. Right, think it's working now. found an error in dhcpd.conf and changed

Code:

zone 0.1.168.192.in-addr.arpa. {
  primary 127.0.0.1;
  key rndc-key;
}

to

Code:

zone 1.168.192.in-addr.arpa. {
  primary 127.0.0.1;
  key rndc-key;
}

The reverse map is now added, although the double joined ip address still exists in the daemon.log

Code:

Aug 16 01:23:57 nameserver dhcpd: added reverse map from 65.1.168.192.1.168.192.in-addr.arpa to clienthostname.example.com

Can anyone tell me if this is OK?

**Update** I'm not sure this is OK. If I ping clienthostname from a windows machine then it resolves to 192.168.1.65 correctly. If I ping -a 192.168.1.65 then the result does not show me the hostname of the client as I would expect.

chort · 08-17-2008, 01:45 AM

Looks like the correct reverse zone is:

Code:

ddns-rev-domainname "in-addr.arpa";

Baldychap · 08-18-2008, 02:27 PM

Thanks again Chort, everything now seems to be working fine. You've been a great help

For the benefit of others here are my final .conf files for my single DHCP/DDNS server with ip address of 192.168.1.3

/etc/dhcp3/dhcpd.conf

Code:

server-identifier 192.168.1.3;
authoritative;
ddns-domainname "example.com";
ddns-rev-domainname "in-addr.arpa";
# How to connect to the DNS server and update it.
ddns-update-style interim;
include "/etc/dhcp3/rndc.key";
# Use what key in what zone
zone example.com. {
  primary 127.0.0.1;
  key rndc-key;
}
zone 1.168.192.in-addr.arpa. {
  primary 127.0.0.1;
  key rndc-key;
}
# Subnet definition w/ accompanying options
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.30 192.168.1.99;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.1.255;
  option domain-name "example.com";
  one-lease-per-client on;
  default-lease-time 604800;
  max-lease-time 604800;
  # Gateways and DNS servers
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.3;
}

/etc/bind/named.conf

Code:

controls {
  inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
include "/etc/bind/named.conf.options";
zone "." {
	type hint;
	file "/etc/bind/db.root";
};
zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

/etc/bind/named.conf.options

Code:

include "/etc/bind/rndc.key";
options {
  directory "/var/cache/bind";
  ## Put in your (internet) nameservers here
  forwarders {
	212.159.13.49;
        212.159.13.50;
  };
  auth-nxdomain no;
};
zone "example.com" {
  type master;
  file "/etc/bind/zones/example.com.db";
  allow-update { key "rndc-key"; };
};
zone "1.168.192.in-addr.arpa" {
     type master;
     file "/etc/bind/zones/1.168.192.in-addr.arpa";
  allow-update { key "rndc-key"; };
};

/etc/bind/zones/example.com.db

Code:

example.com IN SOA nameserver.example.com. admin.example.com. (
				2006081437 ; serial
				28800      ; refresh (8 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				38400      ; minimum (10 hours 40 minutes)
				)
			NS	nameserver.example.com.

/etc/bind/zones/1.168.192.in-addr.arpa.db

Code:

@ IN SOA nameserver.example.com. admin.example.com. (
                        2006081401;
                        28800; 
                        604800;
                        604800;
                        86400 
)

                     IN    NS     nameserver.example.com.
3                    IN    PTR    example.com

I also copied the rndc.key file from /etc/bind to /etc/dhcp3.

Of course, if there are any changes that should be made to these files to make DHCP/DNS work better or more secure then please post them here.

Kind Regards,

Baldychap.