Dynamic DNS
From time to time we want to allow some other entity (commonly a DHCP client) to update the DNS. The entity knows some DNS fact, commonly its hostname, and wants to insert that record into the DNS. There are rather large trust implications here, as you can imagine.
For a Secure Network
For a secure network, one where you trust all the hosts, for example a DHCP network, the changes to the stock DNS options are very simple.
options
By default, deny updates:
    options {
        ...
        allow-update { none; };
        ...
    };
view/zones
For each dynamic zone, allow the DHCP server to make updates:
    zone "office.soho" IN {
        type master;
        file "internal/office.soho.db";
        forwarders {};
        allow-update {
            // DHCP server IP addresses
        };
    };
DHCP Server
The changes for the DHCP server are equally straightforward. We need to tell it to enable dynamic DNS updates at all (and specify forward updates) and then tell each subnet which DNS zones to change:

    ddns-updates on;
    ddns-update-style interim;
    allow client-updates;
    do-forward-updates on;

    zone office.soho {
        primary master-DNS-server-for-office.soho;
    }
    zone 0.168.192.in-addr.arpa {
        primary master-DNS-server-for-0.168.192.in-addr.arpa;
    }

    subnet 192.168.0.0 netmask 255.255.255.0 {
        ...
        ddns-domainname "office.soho.";
        ddns-rev-domainname "in-addr.arpa.";
    }
IPv6
IPv6 has SLAAC to do its dynamic address allocation, but you might still want it to update the DNS where possible. The magic incantations in /etc/dhcp/dhcpd6.conf look like:

    ddns-updates on;
    ddns-update-style interim;
    allow client-updates;
    do-forward-updates on;

    zone office.local {
        primary master-DNS-server-for-office.local;
    }
    zone 0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa {
        primary master-DNS-server-for-d.c.b.a.ip6.arpa;
    }

    subnet6 fe80::/64 {
        option domain-name-servers 192.168.0.253;
        option domain-name "office.local";
        ddns-domainname "office.local.";
        ddns-rev-domainname "ip6.arpa.";
    }
Clearly, where hosts only use SLAAC then we're not going to get much from the IPv6 entry. However, Windows clients will do DHCP6 lookups in addition to managing their IPv6 interfaces with SLAAC.
For Insecure Networks
On insecure networks, for example across the public Internet, we need TSIGs.
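The keyed arrangement this section points to, shown beside the IP-based form used earlier, as an added example rather than configuration from the original page. The key name dhcp-updater and the secret are placeholders (assumptions), and the dhcpd side assumes a build that accepts hmac-sha256; generate a real secret with BIND's tsig-keygen.

```conf
# --- named.conf on the master DNS server ---
# Shared TSIG key. Name and secret are placeholders for this example.
key "dhcp-updater" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

zone "office.soho" IN {
    type master;
    file "internal/office.soho.db";
    forwarders {};
    # IP-based form from the trusted-network setup: any host that can
    # send from (or spoof) a listed address may change the zone.
    #   allow-update { <DHCP server IP addresses>; };
    # Keyed form: only updates signed with the shared key are accepted.
    allow-update { key "dhcp-updater"; };
};

# --- dhcpd.conf on the DHCP server ---
# Must carry the same key name, algorithm and secret as named.conf.
key dhcp-updater {
    algorithm hmac-sha256;
    secret REPLACE-WITH-BASE64-SECRET;
};

zone office.soho {
    primary master-DNS-server-for-office.soho;
    key dhcp-updater;    # sign updates sent for this zone
}
zone 0.168.192.in-addr.arpa {
    primary master-DNS-server-for-0.168.192.in-addr.arpa;
    key dhcp-updater;
}
```

Because the secret is symmetric, the files holding it on both servers should be readable only by the DNS and DHCP daemons.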