
Re: DNS and DHCP

From: Len Conrad
Date: Monday, October 8, 2001
Time: 11:39:24 am


>Hi,
>I am wondering if there is a way to use QDNS with dynamic dns and dhcp?
>What this would do is assign a dns entry for the dhcp client based on the
>client info. If it is not possible, this would be a nice feature.

As Chris pointed out, ddns requires some serious thinking and systems
design to make work and keep it secure.

Dynamic DNS (i.e., updatable records) entails a bouquet of
protocols: the "update" opcode allows modifying ANY record in a zone (but not
creating a zone). So you need to secure the update feature so
malicious/stupid people can't poison your zone with cracked records, delete
the entire zone contents, let your imagination run a bit.

You can limit which IPs can update a zone with the "allow-update"
ACL, but most security people consider IP-based security to be weak,
weakened further by the fact that a zone update is an easily source-IP-spoofable
UDP packet (vs the much harder to spoof TCP session).

So another rfc introduced TSIG transaction signatures to secure DNS
transactions, including update. MS doesn't support RFC TSIG, they've
"extended" DNS to make it proprietary and closed.

But since you are updating the DNS machine in the SOA record (get your SOA
in perfect order!), there are probably one or more slaves to be kept sync'd, but
in a probably constantly changing dynamic update environment, the SOA
refresh (polling) time means the slaves will nearly always be out of date
with the master. So there was an RFC to define the NOTIFY opcode so the
master could immediately "push out" a packet to slaves to come check the
zone serial number and pull across a zone transfer.

But in intranets, esp. DHCP intranets, you can have largish zones,
100's or 1000's of records, and it can take a lot of master resources to do
full zone AXFRs to slaves, so an RFC defined how to do incremental zone
transfers, i.e., IXFR, so only the changes get transferred to the slaves, not
the full zone file.

Another issue is that you really don't want x00 or x000 workstations
hitting on the dynamic zone records to update them (the workstations would all
have to be secured with TSIG keys), so it's better to limit updates to
coming only from the DHCP server(s).

How's that for a "nice feature" :)))

Len


___________________________________________________________________

Men & Mice: QuickDNS - DNS Expert - DNS Training - DNS Consulting
DNS Classes: Newark Sep 27-28, Toronto Oct 18-19, Frankfurt Nov 21-23,
London Nov. 26-28, Maidenhead Oct 31-Nov 2
http://MenAndMice.com/DNS-training
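
The configuration below is an added example illustrating the points in Len's post; it is not part of his message and not QuickDNS or Men & Mice configuration. It assumes BIND 9 (named.conf syntax, which is where the "allow-update" ACL he mentions comes from) as the master and ISC DHCP (dhcpd.conf) as the only party allowed to send updates. The zone names, the 192.0.2.x addresses, the key names and the secret strings are placeholders chosen for the example; generate real secrets with dnssec-keygen and never reuse the ones shown.

```conf
// ---- named.conf excerpt on the master (BIND 9; example, not from the post) ----

// Shared secret between the DHCP server and the master. Replace the value
// with the "Key:" line from:  dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-key
key "dhcp-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-NOT-A-REAL-KEY-REPLACE-ME==";
};

// Separate secret for slave zone transfers, so a DHCP-key compromise cannot
// also be used to pull zones.
key "xfer-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-NOT-A-REAL-KEY-REPLACE-ME==";
};

options {
    directory "/var/named";
    provide-ixfr yes;          // slaves fetch only the changed records (IXFR)
    allow-transfer { none; };  // default: nothing leaves unless a zone says so
};

zone "dyn.example.com" {
    type master;
    file "dyn.example.com.db";

    // WEAK (the IP-based ACL the post warns about): UPDATE arrives over UDP,
    // so any host that forges a 192.0.2.0/24 source can rewrite the zone.
    // allow-update { 192.0.2.0/24; };

    // BETTER: no address-based updates at all. Only requests that carry a
    // valid TSIG signature made with dhcp-key are accepted, and only for host
    // records below the apex, so the SOA/NS set cannot be touched by DHCP.
    // (allow-update and update-policy are mutually exclusive in BIND.)
    update-policy {
        grant dhcp-key. subdomain dyn.example.com. A TXT;
    };

    // NOTIFY: tell the slaves about each serial change instead of letting
    // them sit on the SOA refresh timer.
    notify yes;
    also-notify { 192.0.2.53; };
    allow-transfer { key xfer-key; };
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "2.0.192.in-addr.arpa.db";
    update-policy {
        grant dhcp-key. subdomain 2.0.192.in-addr.arpa. PTR;
    };
    notify yes;
    also-notify { 192.0.2.53; };
    allow-transfer { key xfer-key; };
};

# ---- dhcpd.conf excerpt on the DHCP server (ISC DHCP; example, not from the post) ----

ddns-update-style interim;
ddns-domainname "dyn.example.com.";
ddns-rev-domainname "in-addr.arpa.";
ignore client-updates;      # workstations do not get to assert their own names

key dhcp-key {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret PLACEHOLDER-NOT-A-REAL-KEY-REPLACE-ME==;   # same value as on the master
};

zone dyn.example.com. {
    primary 192.0.2.1;      # the master named in the SOA, not a slave
    key dhcp-key;
}

zone 2.0.192.in-addr.arpa. {
    primary 192.0.2.1;
    key dhcp-key;
}
```

With this layout the workstations never hold a TSIG key and never talk UPDATE to the master; the DHCP server signs every add and delete with dhcp-key, the master refuses anything unsigned or signed with the wrong key regardless of source address, and the slaves are kept current by NOTIFY plus IXFR rather than by full AXFRs on every SOA refresh. Check the result with `dig @192.0.2.53 dyn.example.com SOA` on a slave after a lease is granted: its serial should match the master's within seconds.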



