Netgate Discussion Forum
    Dynamic DNS updates not limited to specified interface

    DHCP and DNS
      veksell
      last edited by veksell

      Re: DHCP Dynamic DNS updates on specific interfaces

      My setup:
      pfSense router with 2 NICs in a LAGG, 3 VLANs configured, so 4 LAN interfaces in total.
      Interface 1, no VLAN configured, 192.168.15.0/24, Dynamic DNS updates configured to go to FreeIPA
      Interface 2, VLAN configured, 192.168.10/24, Dynamic DNS updates configured to go to FreeIPA
      Interface 3, VLAN configured, 192.168.20.0/24, DDNS not configured
      Interface 4, VLAN configured, 192.168.25.0/24, DDNS not configured

      FreeIPA DNS server running named (BIND), located in the interface 1 subnet.

      Issue encountered:
      Going through my BIND logs, it appears pfSense is sending DNS updates for all interfaces and not just the two interfaces configured to update. I found an old thread with someone who looks like they encountered the same issue, but there was no response: https://forum.netgate.com/topic/157541/dhcp-dynamic-dns-updates-on-specific-interfaces

      BIND LOGS:

      Sep  2 01:10:51 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': deleting an RR at device.local.domain A
      Sep  2 01:10:51 ipa named[36176]: client @0x7f6680608d98 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': update unsuccessful: device.local.domain: 'name not in use' prerequisite not satisfied (YXDOMAIN)
      Sep  2 01:10:51 ipa named[36176]: zone local.domain/IN: sending notifies (serial 1693613353)
      Sep  2 01:10:51 ipa named[36176]: client @0x7f6680608d98 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': deleting rrset at 'device.local.domain' TXT
      Sep  2 01:10:52 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': deleting rrset at 'device.local.domain' TXT
      Sep  2 01:10:52 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': adding an RR at 'device.local.domain' TXT "317906a8541004eafedfd7a41474888d6f"
      Sep  2 01:10:52 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': deleting rrset at 'device.local.domain' A
      Sep  2 01:10:52 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': adding an RR at 'device.local.domain' A 192.168.25.24
      Sep  2 01:10:52 ipa named[36176]: zone 168.192.IN-ADDR.ARPA/IN: PTR record synchronization refused: reverse zone for IP address '192.168.25.24' is not managed by LDAP driver
      Sep  2 01:10:52 ipa named[36176]: client @0x7f668079ef18 192.168.15.254#63337/key dhcp-key: updating zone '10.168.192.in-addr.arpa/IN': deleting rrset at '12.10.168.192.in-addr.arpa' PTR
      Sep  2 01:10:52 ipa named[36176]: client @0x7f66896afba8 192.168.15.251#58693: received notify for zone 'local.domain'
      Sep  2 01:10:52 ipa named[36176]: zone 10.168.192.in-addr.arpa/IN: sending notifies (serial 1693613451)
      Sep  2 01:10:52 ipa named[36176]: checkhints: unable to get root NS rrset from cache: not found
      Sep  2 01:10:52 ipa named[36176]: client @0x7f6688bbf2b8 ***START OF IPV6***:0:5054:ff:feb6:ba5d#32854: received notify for zone 'local.domain'
      Sep  2 01:10:52 ipa named[36176]: client @0x7f6689521f38 192.168.15.251#53979: received notify for zone '10.168.192.in-addr.arpa'
      Sep  2 01:10:52 ipa named[36176]: client @0x7f6688bbf2b8 ***START OF IPV6***:0:5054:ff:feb6:ba5d#32854: received notify for zone '10.168.192.in-addr.arpa'
      Sep  2 01:10:56 ipa named[36176]: zone local.domain/IN: sending notifies (serial 1693613454)
      Sep  2 01:10:57 ipa named[36176]: client @0x7f6688cca358 192.168.15.251#55463: received notify for zone 'local.domain'
      Sep  2 01:10:57 ipa named[36176]: client @0x7f6680932368 ***START OF IPV6***:0:5054:ff:feb6:ba5d#38884: received notify for zone 'local.domain'
      Sep  2 01:10:57 ipa named[36176]: client @0x7f668010d618 ***START OF IPV6***:0:5054:ff:feb6:ba5d#38884: received notify for zone '10.168.192.in-addr.arpa'
      Sep  2 01:10:57 ipa named[36176]: client @0x7f6680608d98 192.168.15.251#34096: received notify for zone '10.168.192.in-addr.arpa'
      

      PFSense DHCP logs

      Sep 2 00:10:52	dhcpd	88492	Removed reverse map on 12.10.168.192.in-addr.arpa.
      Sep 2 00:10:52	dhcpd	88492	Added new forward map from device.local.domain to 192.168.25.24
      Sep 2 00:10:51	dhcpd	88492	Removed forward map from device.local.domain to 192.168.10.12
      Sep 2 00:10:51	dhcpd	88492	DHCPACK on 192.168.25.24 to *** MAC ADDRESS *** (pop-os) via lagg0.25
      Sep 2 00:10:51	dhcpd	88492	DHCPREQUEST for 192.168.25.24 (192.168.25.254) from 0*** MAC ADDRESS *** (pop-os) via lagg0.25
      Sep 2 00:10:51	dhcpd	88492	DHCPOFFER on 192.168.25.24 to *** MAC ADDRESS *** (pop-os) via lagg0.25
      Sep 2 00:10:50	dhcpd	88492	DHCPDISCOVER from *** MAC ADDRESS *** via lagg0.25
      

      dhcp.conf

      option domain-name "local.domain";
      option ldap-server code 95 = text;
      option domain-search-list code 119 = text;
      option arch code 93 = unsigned integer 16; # RFC4578
      
      default-lease-time 7200;
      max-lease-time 86400;
      log-facility local7;
      one-lease-per-client true;
      deny duplicates;
      update-conflict-detection false;
      authoritative;
      class "s_lan" {
      	match pick-first-value (option dhcp-client-identifier, hardware);
      }
      subnet 192.168.15.0 netmask 255.255.255.0 {
      	pool {
      		option domain-name-servers 192.168.15.252,192.168.15.251;
      		ddns-update-style interim;
      
      		range 192.168.15.1 192.168.15.200;
      	}
      
      	option routers 192.168.15.254;
      	option domain-name "local.domain";
      	ddns-domainname "local.domain";
      	allow client-updates;
      	option domain-name-servers 192.168.15.252,192.168.15.251;
      	ping-check true;
      	option ntp-servers 192.168.15.252,192.168.15.251;
      
      }
      host s_lan_0 {
      	hardware ethernet *** MAC ADDRESS ***;
      	option host-name "another-device";
      
      }
      subclass "s_lan" 1:00:18:dd:23:31:d8;
      host s_lan_1 {
      	hardware ethernet *** MAC ADDRESS ***;
      	fixed-address 192.168.15.203;
      	option host-name "device";
      
      }
      subclass "s_lan" 1:dc:a6:32:ae:9a:96;
      host s_lan_2 {
      	hardware ethernet *** MAC ADDRESS ***;
      	fixed-address 192.168.15.251;
      	option host-name "ipa-replica";
      
      }
      subclass "s_lan" 1:52:54:00:b6:ba:5d;
      host s_lan_3 {
      	hardware ethernet *** MAC ADDRESS ***;
      	fixed-address 192.168.15.252;
      	option host-name "ipa";
      
      }
      subclass "s_lan" 1:52:54:00:d6:5d:5e;
      key "dhcp-key" {
      	algorithm hmac-sha256;
      	secret *** BASE64 KEY ***;
      }
      class "s_opt1" {
      	match pick-first-value (option dhcp-client-identifier, hardware);
      }
      subnet 192.168.10.0 netmask 255.255.255.0 {
      	pool {
      		option domain-name-servers 192.168.15.252,192.168.15.251;
      		ddns-update-style interim;
      
      		range 192.168.10.1 192.168.10.200;
      	}
      
      	option routers 192.168.10.254;
      	option domain-name "local.domain";
      	ddns-domainname "local.domain";
      	allow client-updates;
      	option domain-name-servers 192.168.15.252,192.168.15.251;
      	ping-check true;
      	option ntp-servers 192.168.15.252,192.168.15.251;
      
      }
      key "dhcp-key" {
      	algorithm hmac-sha256;
      	secret *** BASE64 KEY ***;
      }
      class "s_opt3" {
      	match pick-first-value (option dhcp-client-identifier, hardware);
      }
      subnet 192.168.25.0 netmask 255.255.255.0 {
      	pool {
      		option domain-name-servers 8.8.8.8,8.8.4.4;
      
      		range 192.168.25.1 192.168.25.200;
      	}
      
      	option routers 192.168.25.254;
      	option domain-name-servers 8.8.8.8,8.8.4.4;
      	ping-check true;
      	option ntp-servers 192.168.25.254;
      
      }
      class "s_opt2" {
      	match pick-first-value (option dhcp-client-identifier, hardware);
      }
      subnet 192.168.20.0 netmask 255.255.255.0 {
      	pool {
      		option domain-name-servers 8.8.8.8,8.8.4.4;
      
      		range 192.168.20.1 192.168.20.200;
      	}
      
      	option routers 192.168.20.254;
      	option domain-name-servers 8.8.8.8,8.8.4.4;
      	ping-check true;
      	option ntp-servers 192.168.20.254;
      
      }
      ddns-update-style interim;
      update-static-leases on;
      zone local.domain. {
      	primary 192.168.15.252;
      	secondary 192.168.15.251;
      	key "dhcp-key";
      }
      zone 15.168.192.in-addr.arpa. {
      	primary 192.168.15.252;
      	secondary 192.168.15.251;
      	key "dhcp-key";
      }
      zone 10.168.192.in-addr.arpa. {
      	primary 192.168.15.252;
      	secondary 192.168.15.251;
      	key "dhcp-key";
      }
      

      Interface 1 DHCPv4 Dynamic DNS config (interface 2 looks the same, so I won't upload two of the same)
      [image: e86308ef-1983-49eb-9ca7-3a161e558f05-image.png]

      Interface 4 DHCPv4 Dynamic DNS config
      [image: f1371953-2215-4f50-8110-f420e09681ea-image.png]

      Based on the config in the GUI and the resulting dhcp.conf file, I believe there's a bug in the GUI/web interface resulting in an incorrectly configured dhcp.conf?
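The symptom in the BIND log above (an A record for a 192.168.25.x host being added by the DHCP key) can be checked mechanically rather than by eye. This is an added example, not part of the original post or of pfSense: the sample lines are constructed in the same format as the poster's named log, and the two DDNS-enabled subnets are taken from the setup description.

```python
import ipaddress
import re

# Constructed sample lines in the named log format shown in the thread
# (names and addresses follow the poster's setup; not copied from the post).
SAMPLE_LOG = """\
Sep  2 01:10:52 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': adding an RR at 'device.local.domain' A 192.168.25.24
Sep  2 01:10:52 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': deleting rrset at 'device.local.domain' A
Sep  2 01:12:03 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': adding an RR at 'another-device.local.domain' A 192.168.10.40
Sep  2 01:12:10 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': adding an RR at 'ipa-replica.local.domain' A 192.168.15.251
Sep  2 01:13:44 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': adding an RR at 'guest.local.domain' A 192.168.20.7
"""

# Subnets whose DHCP scopes are meant to send dynamic updates (interfaces 1 and 2).
DDNS_ALLOWED = [ipaddress.ip_network("192.168.15.0/24"),
                ipaddress.ip_network("192.168.10.0/24")]

# Matches only the "adding an RR ... A <addr>" lines of a TSIG-keyed update.
ADD_A_RE = re.compile(
    r"client \S+ (?P<src>[0-9.]+)#\d+/key (?P<key>\S+): updating zone '(?P<zone>[^']+)': "
    r"adding an RR at '(?P<name>[^']+)' A (?P<addr>[0-9.]+)"
)

def parse_a_updates(log_text):
    """Yield (source, key, zone, name, address) for every A-record addition in the log."""
    for line in log_text.splitlines():
        m = ADD_A_RE.search(line)
        if m:
            yield m["src"], m["key"], m["zone"], m["name"], ipaddress.ip_address(m["addr"])

def unexpected_updates(log_text, allowed=DDNS_ALLOWED):
    """Return (name, address, source) for updates whose new A record lies outside every DDNS-enabled subnet."""
    return [
        (name, str(addr), src)
        for src, key, zone, name, addr in parse_a_updates(log_text)
        if not any(addr in net for net in allowed)
    ]

if __name__ == "__main__":
    for name, addr, src in unexpected_updates(SAMPLE_LOG):
        print(f"unexpected DDNS update: {name} -> {addr} (sent by {src})")
```

In ISC dhcpd the ddns-update-style and zone statements are global (the style is evaluated once after the config is read, not per client), so the per-pool `ddns-update-style interim;` lines do not scope updates; the per-scope `ddns-updates off;` statement is what disables them for a subnet, and whether the pfSense GUI emits it is not something this thread establishes.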

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.