Netgate Discussion Forum

Trailing dot on DHCP DNS entries from Windows clients

Category: DHCP and DNS. 8 posts, 5 posters, 1.0k views.
dataradical, Jan 22, 2024, 6:09 PM

    Hi

    After moving to pfSense 2.7.2 and migrating from ISC to KEA, I noticed that Windows DHCP clients (Windows 11 mostly, plus a Brother printer) suddenly had their DNS entries listed with a trailing dot, resulting in DNS lookup not working.

    So a client asking for hostname windows11 ends up with an entry named windows11. in the DHCP leases, and if I configure the client with a domain (foo.bar) the DHCP leases entry becomes windows11.foo.bar.

    The DHCP server does give out an IP and registers the name as if all went well, but due to the trailing dot, neither forward nor reverse lookup works.

    This is different behavior from ISC, and only happens on Windows clients. Other DHCP clients running Linux or MacOS do not have this issue.

    It looks like the Windows clients request a DNS entry to the DHCP server with a trailing dot, both without a domain name defined and with a domain name defined, so it's definitely triggered by the client.

    Any idea on how to fix this, either on the client or by configuring KEA to behave like ISC, which skipped the trailing dot?

    johnpoz (Global Moderator), replying to @dataradical, Jan 22, 2024, 6:44 PM (edited Jan 22, 2024, 6:47 PM)

      @dataradical said in Trailing dot on DHCP DNS entries from Windows clients:

      The DHCP server does give out an IP and registers the name as if all went well,

      Huh where did you get the idea that KEA registers anything?

      https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#rn-2-7-1-kea
      (screenshot: kea.jpg, the Kea section of the 2.7.1 release notes)

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      dataradical, replying to @johnpoz, Jan 23, 2024, 1:47 AM

        @johnpoz You've got a point there. Thanks for the reference. My bad for reading only the 2.7.2 notes and not the 2.7.1 ones.

        So I had to switch back to ISC for the moment as I need this functionality.

        The interesting part is that it also differs in the KEA dhcp4.leases file compared to the ISC dhcpd.leases file, so this has no connection to dynamic/static DNS updates not functioning in KEA (yet).

        When running ISC DHCP, I had a client-hostname entry in dhcpd.leases without the trailing dot, while in KEA dhcp4.leases I have this :

        [2.7.2-RELEASE][admin@pfSense.foo.bar]/var/lib/kea: grep -i windows11 dhcp4.leases | tail -1
        192.168.40.194,3e:9e:0e:e4:b1:fb,01:3e:9e:0e:e4:b1:fb,7200,1705979093,4,0,0,windows11.foo.bar.,0,,0
        

        So KEA picks up the trailing dot there already, while with ISC there was no trailing dot.

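As an added example (not code from this thread, from pfSense or from Kea), here is a small Python parser for dhcp4.leases lines like the one quoted above. It strips the trailing dot so the stored name can be compared with an ISC-style client-hostname or a static reservation. The column layout is assumed from the header line Kea's memfile backend writes for v4 leases, and the second sample line is constructed.

```python
import csv
import io

# Column layout assumed from the header Kea's memfile backend writes for
# dhcp4.leases (12 columns); the thread's sample line has exactly 12 fields.
KEA4_COLUMNS = [
    "address", "hwaddr", "client_id", "valid_lifetime", "expire",
    "subnet_id", "fqdn_fwd", "fqdn_rev", "hostname", "state",
    "user_context", "pool_id",
]

def normalize_name(name):
    """Return (name without trailing dot, whether it was absolute).

    A single trailing dot marks an absolute DNS name; without it the
    name is what ISC wrote into client-hostname."""
    name = name.strip().lower()
    if name.endswith("."):
        return name[:-1], True
    return name, False

def parse_kea4_leases(text):
    """Parse dhcp4.leases CSV text into dicts with normalized hostnames."""
    leases = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0] == "address":  # skip blank lines and the header
            continue
        lease = dict(zip(KEA4_COLUMNS, row))
        host, absolute = normalize_name(lease.get("hostname", ""))
        lease["hostname"] = host
        lease["hostname_was_absolute"] = absolute
        lease["labels"] = host.split(".") if host else []
        leases.append(lease)
    return leases

def matches_reservation(lease, reserved_hostname):
    """True if the lease's first label equals the reservation hostname,
    case-insensitively and ignoring any trailing dot on either side."""
    want, _ = normalize_name(reserved_hostname)
    return bool(lease["labels"]) and lease["labels"][0] == want

# Constructed sample: the line quoted in the thread plus a second line
# built to mirror a "laptop." lease that should match a "laptop" reservation.
SAMPLE = (
    "192.168.40.194,3e:9e:0e:e4:b1:fb,01:3e:9e:0e:e4:b1:fb,7200,1705979093,4,0,0,windows11.foo.bar.,0,,0\n"
    "192.168.40.50,aa:bb:cc:dd:ee:01,01:aa:bb:cc:dd:ee:01,7200,1705979200,4,0,0,laptop.,0,,0\n"
)
```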
        johnpoz (Global Moderator), replying to @dataradical, Jan 23, 2024, 1:51 AM

          @dataradical said in Trailing dot on DHCP DNS entries from Windows clients:

          So I had to switch back to ISC for the moment as I need this functionality.

          Yeah, unless you're just handing IPs to clients and that is it, KEA is not really ready for anything else at this point.. I validated that it works, i.e. it does hand out IPs to DHCP clients. But I use options and register reservations, etc. I will continue to use ISC until such time that the Kea integration is complete, or at least much farther along than it is now.

          I also don't like the logging in Kea.. currently - from the quick read over I did of the Kea docs, it looks quite feature rich etc.. But it just needs work on integrating it into pfSense is all.


          Gertjan, replying to @dataradical, Jan 23, 2024, 9:14 AM

            @dataradical said in Trailing dot on DHCP DNS entries from Windows clients:

            DNS entries listed with a trailing dot

            Host names are known as "foo.bar", but that's just for us humans.
            Technically correct is "foo.bar."; "foo.bar" isn't.
            The trailing dot means: go ask the root servers this question: "list me the TLD servers for "bar"".
            (and then, after questioning one of the TLD servers that handles "bar", you will get two or more domain name servers that handle "foo", and then you ask this domain server: what is the A record "www", etc.)

            When you activate full DNS query details:

            (screenshot)

            you will see (look at the resolver logs, that's where the answers are) that your typical LAN device will ask:
            what is "foo.bar." and, if needed, also what is "foo.bar"

            So, trailing dot or not, it's not an issue for us common mortals; our resolver will handle the good and the bad host names.

            Example:

            I launch nslookup on my PC:

            Serveur par defaut :   pfSense.bhf.net
            Address:  2a01:dead:907:a6eb:92ec:77ff:fe29:392c
            
            > foo.bar
            Serveur :   pfSense.brit-hotel-fumel.net
            Address:  2a01:dead:907:a6eb:92ec:77ff:fe29:392c
            
            Nom :    foo.bar
            
            

            So, a request without the trailing dot.

            This shows up in my (other) DNS log, the pfBlockerNG one:

            At first the resolver adds (!!) the local domain == bhf.net.
            So the request becomes foo.bar.bhf.net.
            No (local) answer was found.

            Then (second two lines) the resolver goes upstream (talking to the root servers etc.), but that was also a fail == no answer.

            DNS-reply,Jan 23 09:33:19,local,A,Unknown,Unk,foo.bar.bhf.net,2a01:dead:907:a6eb::c7,Unknown,unk
            DNS-reply,Jan 23 09:33:19,local,AAAA,Unknown,Unk,foo.bar.bhf.net,2a01:dead:907:a6eb::c7,Unknown,unk
            
            DNS-reply,Jan 23 09:33:20,reply,A,SOA,3600,foo.bar,2a01:dead:907:a6eb::c7,SOA,unk
            DNS-reply,Jan 23 09:33:20,reply,AAAA,SOA,3600,foo.bar,2a01:dead:907:a6eb::c7,SOA,unk
            

            When I ask for foo2.bar. (note the trailing dot)

            DNS-reply,Jan 23 10:12:34,reply,A,SOA,3600,foo2.bar,2a01:dead:907:a6eb::c7,SOA,unk
            DNS-reply,Jan 23 10:12:34,reply,AAAA,SOA,3600,foo2.bar,2a01:dead:907:a6eb::c7,SOA,unk
            

            the resolver contacts the root servers right away, without looking for a local solution (it won't add the local domain name).

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit: and where are the logs??

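An added example (not from Gertjan's post or from pfSense) modelling the search-list behaviour described above: a name with a trailing dot is absolute and is looked up once as-is, while a relative name is tried with the local domain appended first and then bare, the order the pfBlockerNG log shows. The local-first order and the tiny zone contents are assumptions chosen to match that log; real stub resolvers vary the order.

```python
# Added example: search-list handling of relative vs absolute names,
# modelled on the order seen in the pfBlockerNG log in the post (local
# domain appended first, then the bare name). Zone data is constructed.

def is_absolute(name):
    """A single trailing dot marks a fully qualified (absolute) name."""
    return name.endswith(".")

def to_absolute(name):
    return name if is_absolute(name) else name + "."

def lookup_candidates(name, search_domains, local_first=True):
    """Return the absolute names a resolver would try, in order.

    "foo2.bar."  -> ["foo2.bar."]                      (tried once, as-is)
    "foo.bar"    -> ["foo.bar.bhf.net.", "foo.bar."]   (search list applied)
    """
    if is_absolute(name):
        return [name]
    expanded = [f"{name}.{d.strip('.')}." for d in search_domains]
    bare = [to_absolute(name)]
    return expanded + bare if local_first else bare + expanded

def resolve(name, search_domains, local_zone, upstream_zone):
    """Walk the candidates, answering from the local zone before upstream.

    Returns (name that answered, record, source), or (None, None, "NXDOMAIN")
    when no candidate exists anywhere."""
    for cand in lookup_candidates(name, search_domains):
        if cand in local_zone:
            return cand, local_zone[cand], "local"
        if cand in upstream_zone:
            return cand, upstream_zone[cand], "upstream"
    return None, None, "NXDOMAIN"

# Constructed zones: one host registered under the local domain, and an
# unrelated public name (documentation address) reachable only upstream.
LOCAL_ZONE = {"printer.bhf.net.": "192.168.1.20"}
UPSTREAM_ZONE = {"example.com.": "203.0.113.10"}
```

Asking for "printer" finds the local record via the search list, while "printer." (absolute) skips the search list and fails, which is the same distinction the trailing dot makes in the lease file.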
            dataradical, replying to @Gertjan, Jan 24, 2024, 4:08 PM

              @Gertjan Understood. The issue here was not whether the trailing dot was valid in DNS (it is). The problem was in the end that Kea (at the moment) doesn't update the DNS records at all, so the name I was looking for with nslookup/dig was not there but solely in the DHCP lease file, and I was assuming (not having read the 2.7.1 release notes) that Kea would dynamically update the DNS records just like ISC.

              As soon as I switched back to ISC, all worked again, dots or no dots in the DHCP lease file.

              Draco, replying to @johnpoz, Nov 18, 2024, 10:57 PM (edited Nov 18, 2024, 11:07 PM)

                @johnpoz said in Trailing dot on DHCP DNS entries from Windows clients:

                So I had to switch back to ISC for the moment as I need this functionality.
                

                Yeah, unless you're just handing IPs to clients and that is it, KEA is not really ready for anything else at this point.. I validated that it works, i.e. it does hand out IPs to DHCP clients. But I use options and register reservations, etc. I will continue to use ISC until such time that the Kea integration is complete, or at least much farther along than it is now.

                Oh wow so that is the cause? KEA not handing out the suffix set in the General menu (or overridden in the DHCP Server menu)? This has been driving me crazy because all of my internal server references were to "home.arpa" (e.g. "printer.home.arpa") with the "home.arpa" suffix appended by pfSense/ISC. And my self-signed certificates now blow chunks too because the DNS name registered for it is "printer.home.arpa" and the browser does not like it being referenced as just "printer".

                Netgate, please fix this in KEA! Note that I did submit a Redmine bug against this issue.

                blueh2o, Apr 24, 2025, 3:39 PM

                  I have a laptop with a mapping for both the wired and wireless MAC, but when it gets a lease, instead of, for example, "laptop" as the client ID, it is "laptop." and gets a pool address instead, even though the MAC matches the reservation. Very annoying.
