HA setup, client hostname request not added to DNS
-
I am sharing with you a problem with redundant dhcp on a pfsense with HA enabled and what I did to fix it (for me).
Setup:
Two identical pfsense (7100 by netgate) firewalls, using multiple VLANs. DHCP, static and dynamic, works fine. Failover works fine. However, when a client requested a DHCP lease AND offered its hostname, then for some reason the backup DHCP server answered and entered the name-to-IP mapping into the backup DNS lists of unbound. I verified that this is happening and the name shows in /var/unbound/dhcpleases_entries.conf on the backup FW only. A previous suggestion to stop DHCP and restart later did not fix it.

My solution is to put a FW rule on that interface blocking UDP port 67 to the LAN address (not the CARP IP). This way only the DHCP server that owns the CARP IP gets the requests.

I understand that the base and skew values should be honored by DHCP, but there is no way to tell it to listen on that interface, and it probably does not read the CARP config nor does it know about it. Just using the CARP IP as GW and DNS would not tell DHCP that info either. The point of using the peer IP in the DHCP config is also not helping there, and while the DHCP info gets synced between the DHCP instances on master and backup, the DNS info did not in the case that a client requested a particular hostname. Unless I made a config error, there is, in my opinion, a bug in the operation of CARP/DHCP/DNS/hostname-request.
-
I just read your question and noticed it is related to the one I asked here about DHCP in a CARP setup.
We appear to have an identical setup (XG7100s, multiple VLANs, dynamic and static DHCP).
I raised my questions because I noticed that the DHCP server shown on clients when using ipconfig/all was the secondary CARP interface and not the VIP.
My understanding from a previously asked question here is that it is normal for the secondary DHCP server to reply. This is apparently how the ISC DHCP server works, although I don't actually understand the details.
Can I clarify that you are saying that you have noticed an issue with automatic DNS mappings from DHCP leases when the secondary replies? Are you saying that the automatic DNS mapping is registered in the secondary but not sync'd to the primary?
How does this issue manifest? Do DNS lookups then fail?
We are not using the feature that registers all DHCP lease hosts in DNS. We are only registering static DHCP mappings. Our DNS lookups are working with no issue, even though the DHCP client is showing as the secondary CARP address. However, I haven't actually checked the state of the mappings.
-
Thanks for contacting me. We did mostly static reservations but then it got too much overhead with devices coming online.
And yes, when the backup DHCP answers it registers with unbound on the backup DNS, where I can see the entry. But the backup DNS does not sync back to the master, and when there is an update from the master the entry in the backup gets wiped (I think, didn't verify).
I thought I had a solution by blocking DHCP from 0.0.0.0 to lan-address:67, which gets propagated to the backup, and DHCP traffic is only received via the CARP address. That seemed to work, but then I found a client with which it did not work; I haven't found out why.
The proper way is to turn on DDNS and have a separate DNS server to take the registration from either DHCP server. This will also solve one deficiency of pfsense where it cannot resolve/access DNS servers on the other side of an IPsec tunnel (if you have branch offices). We had to resort to having a second caching DNS server for that purpose to forward inquiries to.
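The symptom described in the first post and confirmed in the follow-up (a hostname registered in unbound on the backup node only, and possibly wiped on the next sync from the master) is easiest to catch by diffing the dhcpleases_entries.conf file from both nodes. The script below is an added example written for this thread, not something from pfSense or from the posters; it assumes the file contains unbound `local-data:` lines of the form `"host. IN A 10.0.0.5"` (possibly with a TTL before `IN`), which is an assumption about the file layout, and the sample file contents are constructed to show a name that exists only on the backup and one that exists only on the master.

```python
"""Compare the unbound DHCP-lease include file (/var/unbound/dhcpleases_entries.conf)
copied from the HA master and from the backup, and report hostnames that were
registered on only one node or that resolve to different addresses.

Run with two file paths (master first, backup second) to check real copies;
with no arguments it runs on the constructed samples below.
"""
import re
import sys
from typing import Dict, Tuple

# Constructed sample contents; the "local-data" line layout is an assumption
# about how pfSense writes the unbound include file, so adapt the regex if
# your files differ.
MASTER_CONF = """\
local-data: "printer.lan. IN A 10.10.1.20"
local-data-ptr: "10.10.1.20 printer.lan"
local-data: "nas.lan. IN A 10.10.1.21"
local-data-ptr: "10.10.1.21 nas.lan"
"""

BACKUP_CONF = """\
local-data: "printer.lan. IN A 10.10.1.20"
local-data-ptr: "10.10.1.20 printer.lan"
local-data: "laptop-42.lan. IN A 10.10.1.57"
local-data-ptr: "10.10.1.57 laptop-42.lan"
"""

# Matches: local-data: "<name> [<ttl>] IN A <ipv4>"
LOCAL_DATA_RE = re.compile(
    r'^\s*local-data:\s*"(?P<name>[^\s"]+)\s+(?:\d+\s+)?IN\s+A\s+(?P<ip>[^\s"]+)"',
    re.IGNORECASE,
)


def parse_entries(text: str) -> Dict[str, str]:
    """Return {hostname: ipv4} for every A record in an unbound include file.

    Hostnames are normalised (trailing dot removed, lower-cased) so that the
    two nodes can be compared even if one writes fully qualified names.
    """
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = LOCAL_DATA_RE.match(line)
        if m:
            entries[m.group("name").rstrip(".").lower()] = m.group("ip")
    return entries


def diff_entries(
    master: Dict[str, str], backup: Dict[str, str]
) -> Tuple[Dict[str, str], Dict[str, str], Dict[str, Tuple[str, str]]]:
    """Return (only_on_backup, only_on_master, conflicting).

    only_on_backup is the interesting set for this thread: a client whose
    request was answered by the backup DHCP server shows up here and will not
    resolve on the master.
    """
    only_on_backup = {h: ip for h, ip in backup.items() if h not in master}
    only_on_master = {h: ip for h, ip in master.items() if h not in backup}
    conflicting = {
        h: (master[h], backup[h])
        for h in master
        if h in backup and master[h] != backup[h]
    }
    return only_on_backup, only_on_master, conflicting


def main() -> None:
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            master_text = f.read()
        with open(sys.argv[2]) as f:
            backup_text = f.read()
    else:
        master_text, backup_text = MASTER_CONF, BACKUP_CONF

    only_backup, only_master, conflicting = diff_entries(
        parse_entries(master_text), parse_entries(backup_text)
    )
    for host, ip in sorted(only_backup.items()):
        print(f"ONLY ON BACKUP: {host} -> {ip}")
    for host, ip in sorted(only_master.items()):
        print(f"ONLY ON MASTER: {host} -> {ip}")
    for host, (m_ip, b_ip) in sorted(conflicting.items()):
        print(f"CONFLICT: {host} master={m_ip} backup={b_ip}")
    if not (only_backup or only_master or conflicting):
        print("DNS lease registrations are consistent on both nodes")


if __name__ == "__main__":
    main()
```

Copy the file from each node (for example over scp) and run the script against the two copies; any name reported as ONLY ON BACKUP is a lease the backup DHCP server answered and registered locally, which is exactly the case that the firewall rule on UDP 67 to the interface address (rather than the CARP VIP) is meant to prevent.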