Dynamic DNS updates not limited to specified interface
Re: DHCP Dynamic DNS updates on specific interfaces
My setup:
pfSense router with 2 NICs in a LAGG, 3 VLANs configured, so 4 LAN interfaces in total.
Interface 1 no VLAN configured 192.168.15.0/24 Dynamic DNS updates configured to go to FreeIPA
Interface 2 VLAN configured 192.168.10/24 Dynamic DNS updates configured to go to FreeIPA
Interface 3 VLAN configured 192.168.20.0/24 DDNS not configured
Interface 4 VLAN configured 192.168.25.0/24 DDNS not configured
FreeIPA DNS server running named (BIND) and located in the interface 1 subnet
Issue encountered:
Going through my BIND logs it appears pfSense is sending DNS updates for all interfaces and not just the two interfaces configured to update. I found an old thread with someone who looks like they encountered the same issue, but there was no response: https://forum.netgate.com/topic/157541/dhcp-dynamic-dns-updates-on-specific-interfaces
BIND LOGS:
Sep 2 01:10:51 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': deleting an RR at device.local.domain A
Sep 2 01:10:51 ipa named[36176]: client @0x7f6680608d98 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': update unsuccessful: device.local.domain: 'name not in use' prerequisite not satisfied (YXDOMAIN)
Sep 2 01:10:51 ipa named[36176]: zone local.domain/IN: sending notifies (serial 1693613353)
Sep 2 01:10:51 ipa named[36176]: client @0x7f6680608d98 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': deleting rrset at 'device.local.domain' TXT
Sep 2 01:10:52 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': deleting rrset at 'device.local.domain' TXT
Sep 2 01:10:52 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': adding an RR at 'device.local.domain' TXT "317906a8541004eafedfd7a41474888d6f"
Sep 2 01:10:52 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': deleting rrset at 'device.local.domain' A
Sep 2 01:10:52 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': adding an RR at 'device.local.domain' A 192.168.25.24
Sep 2 01:10:52 ipa named[36176]: zone 168.192.IN-ADDR.ARPA/IN: PTR record synchronization refused: reverse zone for IP address '192.168.25.24' is not managed by LDAP driver
Sep 2 01:10:52 ipa named[36176]: client @0x7f668079ef18 192.168.15.254#63337/key dhcp-key: updating zone '10.168.192.in-addr.arpa/IN': deleting rrset at '12.10.168.192.in-addr.arpa' PTR
Sep 2 01:10:52 ipa named[36176]: client @0x7f66896afba8 192.168.15.251#58693: received notify for zone 'local.domain'
Sep 2 01:10:52 ipa named[36176]: zone 10.168.192.in-addr.arpa/IN: sending notifies (serial 1693613451)
Sep 2 01:10:52 ipa named[36176]: checkhints: unable to get root NS rrset from cache: not found
Sep 2 01:10:52 ipa named[36176]: client @0x7f6688bbf2b8 ***START OF IPV6***:0:5054:ff:feb6:ba5d#32854: received notify for zone 'local.domain'
Sep 2 01:10:52 ipa named[36176]: client @0x7f6689521f38 192.168.15.251#53979: received notify for zone '10.168.192.in-addr.arpa'
Sep 2 01:10:52 ipa named[36176]: client @0x7f6688bbf2b8 ***START OF IPV6***:0:5054:ff:feb6:ba5d#32854: received notify for zone '10.168.192.in-addr.arpa'
Sep 2 01:10:56 ipa named[36176]: zone local.domain/IN: sending notifies (serial 1693613454)
Sep 2 01:10:57 ipa named[36176]: client @0x7f6688cca358 192.168.15.251#55463: received notify for zone 'local.domain'
Sep 2 01:10:57 ipa named[36176]: client @0x7f6680932368 ***START OF IPV6***:0:5054:ff:feb6:ba5d#38884: received notify for zone 'local.domain'
Sep 2 01:10:57 ipa named[36176]: client @0x7f668010d618 ***START OF IPV6***:0:5054:ff:feb6:ba5d#38884: received notify for zone '10.168.192.in-addr.arpa'
Sep 2 01:10:57 ipa named[36176]: client @0x7f6680608d98 192.168.15.251#34096: received notify for zone '10.168.192.in-addr.arpa'
PFSense DHCP logs
Sep 2 00:10:52 dhcpd 88492 Removed reverse map on 12.10.168.192.in-addr.arpa.
Sep 2 00:10:52 dhcpd 88492 Added new forward map from device.local.domain to 192.168.25.24
Sep 2 00:10:51 dhcpd 88492 Removed forward map from device.local.domain to 192.168.10.12
Sep 2 00:10:51 dhcpd 88492 DHCPACK on 192.168.25.24 to *** MAC ADDRESS *** (pop-os) via lagg0.25
Sep 2 00:10:51 dhcpd 88492 DHCPREQUEST for 192.168.25.24 (192.168.25.254) from 0*** MAC ADDRESS *** (pop-os) via lagg0.25
Sep 2 00:10:51 dhcpd 88492 DHCPOFFER on 192.168.25.24 to *** MAC ADDRESS *** (pop-os) via lagg0.25
Sep 2 00:10:50 dhcpd 88492 DHCPDISCOVER from *** MAC ADDRESS *** via lagg0.25
dhcp.conf
option domain-name "local.domain";
option ldap-server code 95 = text;
option domain-search-list code 119 = text;
option arch code 93 = unsigned integer 16; # RFC4578
default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
one-lease-per-client true;
deny duplicates;
update-conflict-detection false;
authoritative;

class "s_lan" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}

subnet 192.168.15.0 netmask 255.255.255.0 {
    pool {
        option domain-name-servers 192.168.15.252,192.168.15.251;
        ddns-update-style interim;
        range 192.168.15.1 192.168.15.200;
    }
    option routers 192.168.15.254;
    option domain-name "local.domain";
    ddns-domainname "local.domain";
    allow client-updates;
    option domain-name-servers 192.168.15.252,192.168.15.251;
    ping-check true;
    option ntp-servers 192.168.15.252,192.168.15.251;
}

host s_lan_0 { hardware ethernet *** MAC ADDRESS ***; option host-name "another-device"; }
subclass "s_lan" 1:00:18:dd:23:31:d8;
host s_lan_1 { hardware ethernet *** MAC ADDRESS ***; fixed-address 192.168.15.203; option host-name "device"; }
subclass "s_lan" 1:dc:a6:32:ae:9a:96;
host s_lan_2 { hardware ethernet *** MAC ADDRESS ***; fixed-address 192.168.15.251; option host-name "ipa-replica"; }
subclass "s_lan" 1:52:54:00:b6:ba:5d;
host s_lan_3 { hardware ethernet *** MAC ADDRESS ***; fixed-address 192.168.15.252; option host-name "ipa"; }
subclass "s_lan" 1:52:54:00:d6:5d:5e;

key "dhcp-key" {
    algorithm hmac-sha256;
    secret *** BASE64 KEY ***;
}

class "s_opt1" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}

subnet 192.168.10.0 netmask 255.255.255.0 {
    pool {
        option domain-name-servers 192.168.15.252,192.168.15.251;
        ddns-update-style interim;
        range 192.168.10.1 192.168.10.200;
    }
    option routers 192.168.10.254;
    option domain-name "local.domain";
    ddns-domainname "local.domain";
    allow client-updates;
    option domain-name-servers 192.168.15.252,192.168.15.251;
    ping-check true;
    option ntp-servers 192.168.15.252,192.168.15.251;
}

key "dhcp-key" {
    algorithm hmac-sha256;
    secret *** BASE64 KEY ***;
}

class "s_opt3" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}

subnet 192.168.25.0 netmask 255.255.255.0 {
    pool {
        option domain-name-servers 8.8.8.8,8.8.4.4;
        range 192.168.25.1 192.168.25.200;
    }
    option routers 192.168.25.254;
    option domain-name-servers 8.8.8.8,8.8.4.4;
    ping-check true;
    option ntp-servers 192.168.25.254;
}

class "s_opt2" {
    match pick-first-value (option dhcp-client-identifier, hardware);
}

subnet 192.168.20.0 netmask 255.255.255.0 {
    pool {
        option domain-name-servers 8.8.8.8,8.8.4.4;
        range 192.168.20.1 192.168.20.200;
    }
    option routers 192.168.20.254;
    option domain-name-servers 8.8.8.8,8.8.4.4;
    ping-check true;
    option ntp-servers 192.168.20.254;
}

ddns-update-style interim;
update-static-leases on;

zone local.domain. {
    primary 192.168.15.252;
    secondary 192.168.15.251;
    key "dhcp-key";
}
zone 15.168.192.in-addr.arpa. {
    primary 192.168.15.252;
    secondary 192.168.15.251;
    key "dhcp-key";
}
zone 10.168.192.in-addr.arpa. {
    primary 192.168.15.252;
    secondary 192.168.15.251;
    key "dhcp-key";
}
Interface 1 DHCPv4 Dynamic DNS config (interface 2 looks the same, so I won't upload two of the same)
Interface 4 DHCPv4 Dynamic DNS config
Based on the config in the GUI and the resulting dhcp.conf file, I believe there's a bug in the GUI/web interface resulting in an incorrectly configured dhcp.conf???
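The quickest way to confirm what the post describes, without eyeballing the whole named log, is to pull out every signed dynamic update that adds an A record and compare the added address against the subnets whose DHCP scopes are supposed to update DNS. The script below is an added example, not code from the post or from pfSense/FreeIPA; the sample log is constructed to mirror the lines quoted above (plus one hypothetical in-scope host, printer.local.domain, so the check has a clean case as well as a bad one), and the allowed subnets are the two DDNS-enabled interfaces from the post.

```python
import ipaddress
import re

# DHCP scopes that are supposed to send dynamic DNS updates, per the post.
# The 192.168.20.0/24 and 192.168.25.0/24 scopes have DDNS disabled in the GUI.
DDNS_SUBNETS = [
    ipaddress.ip_network("192.168.15.0/24"),
    ipaddress.ip_network("192.168.10.0/24"),
]

# Matches the line named writes when a TSIG-signed dynamic update adds an A record.
ADD_A_RE = re.compile(
    r"client @\S+ (?P<client>[0-9.]+)#\d+/key (?P<key>\S+): "
    r"updating zone '(?P<zone>[^']+)': adding an RR at '(?P<name>[^']+)' A (?P<addr>[0-9.]+)"
)

# Constructed sample log, modelled on the lines quoted in the post.
# printer.local.domain / 192.168.10.40 is a hypothetical in-scope host.
SAMPLE_LOG = """\
Sep 2 01:10:52 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': deleting rrset at 'device.local.domain' A
Sep 2 01:10:52 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': adding an RR at 'device.local.domain' A 192.168.25.24
Sep 2 01:10:52 ipa named[36176]: client @0x7f66896afba8 192.168.15.251#58693: received notify for zone 'local.domain'
Sep 2 01:12:03 ipa named[36176]: client @0x7f6680376bb8 192.168.15.254#63337/key dhcp-key: updating zone 'local.domain/IN': adding an RR at 'printer.local.domain' A 192.168.10.40
""".splitlines()


def parse_a_updates(lines):
    """Return one dict per 'adding an RR ... A <addr>' line, with addresses parsed."""
    updates = []
    for line in lines:
        m = ADD_A_RE.search(line)
        if m is None:
            continue  # notifies, deletes, PTR work etc. are not A-record additions
        rec = m.groupdict()
        rec["addr"] = ipaddress.ip_address(rec["addr"])
        rec["client"] = ipaddress.ip_address(rec["client"])
        updates.append(rec)
    return updates


def unexpected_updates(lines, allowed=DDNS_SUBNETS):
    """A-record additions whose address lies outside every DDNS-enabled scope."""
    return [
        u for u in parse_a_updates(lines)
        if not any(u["addr"] in net for net in allowed)
    ]


def report(lines, allowed=DDNS_SUBNETS):
    """Print the offending updates; return their names for further handling."""
    bad = unexpected_updates(lines, allowed)
    for u in bad:
        print(f"{u['name']} -> {u['addr']} added via key {u['key']} from {u['client']}: "
              f"address is not in a DDNS-enabled scope")
    return [u["name"] for u in bad]


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against the real named log (for example by reading the file and passing its lines) and every hit is a lease from a scope that should not be updating DNS. One caveat worth knowing when reading the dhcp.conf above: in ISC dhcpd, ddns-update-style is only honoured in the global scope (dhcpd.conf(5)), so the global "ddns-update-style interim;" near the end of the file applies to every subnet regardless of which pools repeat it; the per-scope switch that actually turns updates off for a subnet is "ddns-updates off;", which none of the subnet blocks above contain.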