Netgate Discussion Forum
    Can pfSense's DHCP server update Microsoft DNS?

    DHCP and DNS
    21 Posts 6 Posters 8.1k Views
    • sofakng

      Yeah, I think that AD might be overkill but my goal was to be able to synchronize UIDs and GIDs across my different VM servers.

      Here's a list of my machines:

      Windows PC (gaming, physical machine)
      MacBook (physical machine)
      Router (pfSense, physical machine)
      ESXi (physical machine)

      On my ESXi box, I have lots of virtual machines:

      File Server (VT-d passthrough of HBA cards and 16x HDDs, shares using NFS and SMB)
      Media Server (Plex, AirVideo, etc)
      Download Server (Nzbget, etc)
      Web Server (Nginx)
      Build Server (OSX project building)

      I thought that Active Directory might be nice to synchronize my username/password across all machines, but should I be looking at something else maybe?

      Should I maybe look into FreeIPA or something even simpler?

      • johnpoz LAYER 8 Global Moderator

        What user names are you going to sync? How are you going to sync, say, the username on pfSense to your AD? Might be simpler to just set up a RADIUS or LDAP server and use that login on your different devices. FreeIPA might be a solution for you, sure.

        I do believe FreeIPA can have Windows machines auth with the use of ksetup on the Windows machine. You could use pGina on your Windows machine as well to point to different auth methods vs just local accounts, so you could use something that all your devices support.

        Not sure about ESXi; while it does support AD login, I do believe you need the non-free license to do that, since you would have to use vserver vs just the client to manage your host.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • layla @sofakng

          @sofakng said in Can pfSense's DHCP server update Microsoft DNS?:

          Inside pfSense under the DHCP Server options, it looks like it's able to send a dynamic DNS update to a DNS server.

          It has the following options (in pfSense's DHCP server):

          
          Enable registration of DHCP client names in DNS.
          Enter the dynamic DNS domain which will be used to register client names in the DNS server.
          Enter the primary domain name server IP address for the dynamic domain name.
          Enter the dynamic DNS domain key name which will be used to register client names in the DNS server.
          Enter the dynamic DNS domain key secret which will be used to register client names in the DNS server. 
          

          Can anybody point me in the right direction on how to get this working so pfSense's DHCP registers the hostnames in a Microsoft DNS server?

          I'd like to know the exact answers to these questions, and I hate that this thread goes off topic about a whole different way of solving the problem instead of at a bare minimum, answering the question.

          There are reasons to want to have external DHCP servers (e.g. you have many networks distributed across the country, and not all of them are Microsoft networks, and some of them have local DHCP servers, but you still want all of that feeding back into your centralized MS AD DS and DNS).

          Anyway, this time, somebody please answer the question instead of trying to talk me out of what I'm doing. Which key(s) are supposed to be used in this scenario? The KSK? The ZSK? Some other key(s)? Thanks in advance for any help!

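          Added example, not from any poster in this thread. The "domain key name" and "domain key secret" that the pfSense ISC DHCP fields (and the dhcpd.conf `key { algorithm ...; secret "..."; }` and `zone ... { primary ...; key ...; }` statements they generate) refer to are a TSIG key (RFC 8945, which replaced RFC 2845): a shared HMAC secret held by both the DHCP server and the authoritative name server, which BIND then checks via `allow-update { key ...; }`. It is not the DNSSEC KSK or ZSK. Microsoft's "secure dynamic update" is a different mechanism, GSS-TSIG over Kerberos (RFC 3645), which is why an AD-integrated zone has nowhere to enter a plain TSIG secret. The stdlib-only Python below builds an RFC 2136 UPDATE as it goes on the wire, first unsigned (the "nonsecure" form) and then with a TSIG RR appended, and verifies it the way a server would. The key name, secret, zone and addresses are assumed values.

```python
"""RFC 2136 UPDATE with and without a TSIG (RFC 8945) signature, stdlib only.
Key name, secret, zone and addresses below are assumed; in practice both ends
use the name and base64 secret printed by tsig-keygen."""
import base64
import hashlib
import hmac
import os
import struct
import time

TSIG_TYPE = 250
CLASS_IN, CLASS_ANY = 1, 255
TYPE_A, TYPE_SOA = 1, 6
ALGORITHMS = {"hmac-sha256.": hashlib.sha256, "hmac-sha512.": hashlib.sha512}


def encode_name(name):
    """Uncompressed wire-format name, lowercased (TSIG canonical form)."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"


def decode_name(msg, off):
    """Read an uncompressed name at off; returns lowercase with a trailing dot."""
    labels = []
    while msg[off] != 0:
        length = msg[off]
        if length & 0xC0:
            raise ValueError("compression pointer not expected here")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii").lower())
        off += 1 + length
    return ".".join(labels) + "."


def skip_name(msg, off):
    """Offset just past the name at off (a compression pointer is 2 bytes)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_update(zone, fqdn, ipv4, ttl=3600, msg_id=None):
    """UPDATE (opcode 5) adding one A record. Sent as-is, with no TSIG RR, this is
    the 'nonsecure' update a zone that allows nonsecure dynamic updates accepts."""
    if msg_id is None:
        msg_id = int.from_bytes(os.urandom(2), "big")
    rdata = bytes(int(o) for o in ipv4.split("."))
    if len(rdata) != 4:
        raise ValueError("IPv4 dotted quad expected")
    header = struct.pack(">HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # ZO=1 PR=0 UP=1 AD=0
    zone_sec = encode_name(zone) + struct.pack(">HH", TYPE_SOA, CLASS_IN)
    update_rr = encode_name(fqdn) + struct.pack(">HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return header + zone_sec + update_rr


def _tsig_variables(key_name, alg, time_signed, fudge, error, other):
    """The 'TSIG variables' appended to the message before it is MACed."""
    return (encode_name(key_name) + struct.pack(">HI", CLASS_ANY, 0) + encode_name(alg)
            + time_signed.to_bytes(6, "big")
            + struct.pack(">HHH", fudge, error, len(other)) + other)


def tsig_sign(message, key_name, secret_b64, alg="hmac-sha256.", time_signed=None, fudge=300):
    """Client side: MAC = HMAC(secret, unsigned message || TSIG variables), then append
    the TSIG RR to the additional section and increment ARCOUNT."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = hmac.new(base64.b64decode(secret_b64),
                   message + _tsig_variables(key_name, alg, time_signed, fudge, 0, b""),
                   ALGORITHMS[alg]).digest()
    rdata = (encode_name(alg) + time_signed.to_bytes(6, "big")
             + struct.pack(">HH", fudge, len(mac)) + mac
             + message[0:2] + struct.pack(">HH", 0, 0))  # original ID, error, other len
    tsig_rr = encode_name(key_name) + struct.pack(">HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack(">H", message[10:12])[0] + 1
    return message[:10] + struct.pack(">H", arcount) + message[12:] + tsig_rr


def tsig_verify(signed, key_name, secret_b64, now=None):
    """Server side: locate the trailing TSIG RR, recompute the MAC over the message with
    that RR removed and ARCOUNT decremented, compare in constant time, check the fudge window."""
    msg_id, _flags, zo, pr, up, ad = struct.unpack(">HHHHHH", signed[:12])
    off = 12
    for _ in range(zo):
        off = skip_name(signed, off) + 4
    rr_start, rtype = off, None
    for _ in range(pr + up + ad):
        rr_start = off
        off = skip_name(signed, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", signed[off:off + 10])
        off += 10 + rdlen
    if ad == 0 or rtype != TSIG_TYPE or off != len(signed):
        return False  # unsigned, trailing garbage, or last RR is not TSIG
    if decode_name(signed, rr_start) != decode_name(encode_name(key_name), 0):
        return False  # signed with a key we do not hold
    p = skip_name(signed, rr_start) + 10
    alg = decode_name(signed, p)
    p = skip_name(signed, p)
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_size = struct.unpack(">HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + mac_size]
    p += 10 + mac_size
    orig_id, error, other_len = struct.unpack(">HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    if alg not in ALGORITHMS or orig_id != msg_id:
        return False
    unsigned = signed[:10] + struct.pack(">H", ad - 1) + signed[12:rr_start]
    expected = hmac.new(base64.b64decode(secret_b64),
                        unsigned + _tsig_variables(key_name, alg, time_signed, fudge, error, other),
                        ALGORITHMS[alg]).digest()
    if not hmac.compare_digest(mac, expected):
        return False
    now = int(time.time()) if now is None else now
    return abs(now - time_signed) <= fudge


if __name__ == "__main__":
    KEY_NAME = "pfsense-ddns."                          # assumed key name
    SECRET = base64.b64encode(os.urandom(32)).decode()  # assumed secret, tsig-keygen style
    unsigned = build_update("example.lan.", "host1.example.lan.", "192.0.2.10")
    signed = tsig_sign(unsigned, KEY_NAME, SECRET)
    print("unsigned UPDATE:", len(unsigned), "bytes; TSIG-signed:", len(signed), "bytes")
    print("correct key :", tsig_verify(signed, KEY_NAME, SECRET))
    print("wrong secret:", tsig_verify(signed, KEY_NAME, base64.b64encode(os.urandom(32)).decode()))
    tampered = bytearray(signed)
    tampered[len(unsigned) - 1] ^= 0x01  # flip the last octet of the A record
    print("tampered IP :", tsig_verify(bytes(tampered), KEY_NAME, SECRET))
```

          The same secret must be configured on the DHCP side (pfSense's key name/secret fields) and the DNS side; a server without the secret can only treat the message as an unsigned update and apply its nonsecure-update policy to it, which is the situation the rest of this thread runs into with Windows DNS.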
          • johnpoz LAYER 8 Global Moderator @layla

            @layla

            The answer is NO.. Is that direct enough for you..


            • layla @johnpoz

              @johnpoz It's a pretty dickish way to say it, but yes, it's the answer you should have posted 5 years ago if that's indeed the case.

              The rest of the internet is not clear about this. Microsoft DNS supports RFC 2136, and even supports unsecure updates, so it should be possible. It seems dhcpd won't even try if the update is not secure? This is also unclear from the documentation, but may be the case.

              • johnpoz LAYER 8 Global Moderator @layla

                Your clients will update the SOA of the domain.. Have them do that..


                • layla @layla

                  @johnpoz Though you STILL didn't answer the other actual question, "which keys are supposed to be used in this approach", I'll answer that here for future people on the internet, since this forum is supposed to be useful and provide answers:

                  This page answers the question of where the key comes from (e.g. on Linux with bind9) and how to generate it and apply it:
                  https://archyslife.blogspot.com/2018/02/dynamic-dns-with-bind-and-isc-dhcp.html

                  And this page answers the question w.r.t. PowerDNS:
                  https://doc.powerdns.com/authoritative/dnsupdate.html

                  Even if Microsoft DNS doesn't support the secure key, it should still support insecure updates, so I'm going to keep trying to understand what is needed to make dhcpd and Microsoft DNS communicate in that scenario. Unfortunately here be dragons because it seems either not documented or nearly impossible to find with a google/duckduckgo search.

                  • layla @johnpoz

                    @johnpoz Linux clients don't do that by default. I presume you suggest that I should join all of my Linux clients to the domain? But that's part of the thing - I don't want to join hundreds of Linux servers to the AD DS domain (first and foremost because it's a pain to do, and not easily scalable, and second because it involves installing a lot of extra software [samba, kerberos, etc.] on the linux machines which I don't really want them to have). I just want DNS to know about them, but for them to stay otherwise in a separate Linux universe.

                    See the issue? It should be solvable via RFC 2136 via a DHCP server - but it does not seem documented how (unless you're using a Microsoft DHCP server, and then it is documented how - at this link: https://ephemeralelectrons.wordpress.com/2017/07/19/dynamic-registration-of-dns-for-linux-devices-in-an-active-directory-environment-with-windows-dns-server/).

                    • layla @layla

                      https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-ddns

                      @layla This article from Azure documents how to do secure updates with bind9 and MS DNS using the Linux version of nsupdate (using -g with the keys mentioned above for bind9, and -k with Kerberos for MS DNS; though again, this goes back to basically enrolling into the domain for the MS DNS case).

                      It also talks about insecure updates from linux directly with nsupdate during ifup/ifdown via scripting. This could sort of work, but it's so much less elegant to modify hundreds of linux machines (particularly where they need to be changed in different ways because e.g. Ubuntu 18.04 LTS does things differently than Ubuntu 20.04 LTS, etc.)...

                      So again, if nsupdate can do it (insecurely), why can't dhcpd? It sure seems like it should be possible. But does seem not documented... :/

                      • slm

                        This tutorial seems like pretty much what you're looking for with an external DNS server being told about DHCP lease IPs + names - https://freeipa-users.redhat.narkive.com/xJVbXRdO/pfsense-dhcp-to-ipa-s-bind-dynamic-updates-success.

                        • helviojr @layla

                          @layla I know this is old, but did you come up with a solution? I did some research here, hoping one could configure Windows DNS server to accept unsecure updates from just one source. That would help a little, as long as pfSense could send unsecure updates on behalf of the clients (I'm not sure it can). Anyway, it seems we can't limit that in Windows.

                          On the other hand, it would be interesting if we could configure those DNS Domain Key and DNS Domain Key Secret on Windows DNS Server. It seems it is a no go, also, right?

                          • helviojr @helviojr

                            I just saw the new Kea DHCP server implementation doesn't even have the DNS update feature. Kea has a separate daemon for that, the DHCP-DDNS server. I'm not sure if it is available for pfSense (the package list is not being updated on my systems right now). I know it can do unsecure updates.

                            • Gertjan @helviojr

                              @helviojr

                              The "25.07.1" (and probably 2.8.1) Kea can do 'DDNS' just fine. Everything is already there, it's just not yet made available in the pfSense GUI.

                              You want to read this: ISC DHCP Dynamic DNS feature and Kea DHCP, where I demonstrated an IPv6 DDNS update. I was updating against a "bind9 domain name server".
                              It worked pretty well, although I was only updating IPv6 IPs, as updating IPv4 RFC1918 (!) IPs into the domain name server doesn't make any sense ^^
                              Just remember : if you reboot your pfSense you have to start the kea-ddns process manually. The config files aren't touched by pfSense.

                              edit : instead of editing 'system files' as suggested in the thread mentioned, you can now use :

                              [screenshot of the pfSense GUI setting, not reproduced]

                              to add the needed dhcp(v6) extra config settings.

                              No "help me" PM's please. Use the forum, the community will thank you.
                              Edit : and where are the logs ??

                              • helviojr @Gertjan

                                @Gertjan Thank you. I see Kea is still in the implementation process. I miss the custom DHCP options, which would be very helpful. I could do it hard-coded in the config generation script, but I'm sure it will be available in the GUI soon enough.

                                On the DDNS, I actually was looking for Windows AD DNS update, but it seems it lacks a way to set custom authentication keys or ACLs to permit specific non-secure updates, and I cannot change it to accept insecure updates globally, of course. So I'll keep the DDNS on hold for now.

                                • Gertjan @helviojr

                                  @helviojr said in Can pfSense's DHCP server update Microsoft DNS?:

                                  I miss the custom DHCP options that would be very helpful. I could do it hard-coded in the config generation script, but I'm sure it will be available in GUI soon enough.

                                  Which DHCP option?
                                  Read again the page where ISC announced they stopped the famous 'dhcp' project and restarted from scratch, rebuilding the DHCP server again.
                                  On the non-official page you'll find the reason: over the years, options were added. Thousands of them. Some were written, debugged, and stable since. Some were changing all the time. Hardware vendors didn't stop adding and modifying them ....
                                  It had become a software-maintenance hell.
                                  (A bit like the OpenVPN project, or have a look at the absolute champion: Postfix - or the black angel, FreeRADIUS: that one is just frightening.)

                                  So, they created a framework and a manual, and left it up to 'us' the user (a very special user: it's us, the admin users, so we need to admin stuff once in a while, and this includes typing in stuff) to know what option data is needed, and place it in a nice JSON format (yet another text file format with a very precise syntax, probably stricter than XML), test it ... and forget it.
                                  Believe me : it isn't that hard ....
                                  A (pfSense) GUI facility for every option would be best, of course, but I don't think Netgate will fall in this rabbit hole.

                                  Writing a GUI (pfSense or not) that handles all the DHCP option ? (and does all the verification and checking of consistency etc ..) ... you might be waiting a long time.

                                  Right now, imho, the kea v4 and v6 pfSense implementation is rock solid.
                                  Some support for DNS registration, static leases and even HA is possible.
                                  The options I needed were - surprise - asked for in pfSense Redmine, and examples were proposed. From there on, as I saw working examples, I made some of my own.

                                  Anyway, I know, I'm rambling a bit. Just saying : you can do it ^^


                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.