# DHCPD + DNS dynamic updates



## urello (Mar 25, 2014)

Hi,
I'm trying to set up DNS updates from dhcpd. Right now it doesn't work.
I also tried a "manual" dynamic zone update using the /usr/bin/nsupdate binary, and it works fine, so I assume the problem is in dhcpd.conf. Here it is:

```
option domain-name-servers 192.168.1.100, 8.8.8.8, 95.67.0.252;
option domain-name "tatem.local";
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;

subnet 192.168.1.0 netmask 255.255.255.0 {
ignore client-updates;
ddns-updates on;
ddns-domainname "tatem.local.";
ddns-rev-domainname "1.168.192.in-addr.arpa.";
ddns-update-style interim;
range 192.168.1.55 192.168.1.99;
range 192.168.1.101 192.168.1.189;
range 192.168.1.191 192.168.1.245;
option routers 192.168.1.100;
}

key DHCP_UPDATER_TERMIT {
        algorithm hmac-md5;
        secret "secret key removed";
}

local-address 127.0.0.1;

zone tatem.local. {
        primary 127.0.0.1;
        key DHCP_UPDATER_TERMIT;
}

zone 1.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key DHCP_UPDATER_TERMIT;
}

#Reserved IPs
host lemon {
  hardware ethernet c8:2a:14:57:58:1e;
  fixed-address 192.168.1.190;
}
```
Furthermore, the content of /var/log/dhcpd.log is meager:

```
[root@freegtw /usr/local/etc]# cat /var/log/dhcpd.log
Mar 24 20:32:17 <daemon.info> freegtw dhcpd: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Mar 24 20:32:17 <daemon.info> freegtw dhcpd: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Mar 24 20:40:47 <daemon.info> freegtw dhcpd: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Mar 24 20:40:47 <daemon.info> freegtw dhcpd: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Mar 24 22:01:17 <daemon.info> freegtw dhcpd: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Mar 24 22:01:17 <daemon.info> freegtw dhcpd: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Mar 25 14:11:22 <daemon.info> freegtw dhcpd: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Mar 25 14:11:22 <daemon.info> freegtw dhcpd: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Mar 25 14:13:15 <daemon.info> freegtw last message repeated 2 times
```


```
[root@freegtw /usr/local/etc]# grep dhcp /etc/syslog.conf
!dhcpd
*.*                                             /var/log/dhcpd.log
```

Could someone advise what is wrong with my /usr/local/etc/dhcpd.conf and/or how to get more verbose output from dhcpd?


----------



## SirDice (Mar 25, 2014)

I don't think the issue is with your dhcpd.conf, the issue may be with named(8). Can you post the relevant portion of the configuration?


----------



## urello (Mar 25, 2014)

Dynamic updates via /usr/bin/nsupdate are going fine. Furthermore, I used /usr/sbin/named-checkconf and /usr/sbin/named-checkzone to validate my conf and zone files. I'm pretty sure the problem is in dhcp. Here is my named.conf:

```
options {
        // All file and path names are relative to the chroot directory,
        // if any, and should be fully qualified.
        directory       "/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

        disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
        disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";


        forwarders {
                95.67.0.252;
                95.67.0.253;
                8.8.8.8;
        };


};

include "/etc/namedb/default.zones";

key "DHCP_UPDATER_TERMIT" {
algorithm hmac-md5;
secret "secret key removed";
};


zone "tatem.local" {
        type master;
        file "/etc/namedb/dynamic/tatem.local";
        allow-update { key DHCP_UPDATER_TERMIT; };
        notify no;
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/namedb/dynamic/1.168.192.in-addr.arpa";
        allow-update { key DHCP_UPDATER_TERMIT; };
        notify no;
};
logging {
            channel update_debug {
                 file "/var/log/update-debug.log";
                 severity  debug 3;
                 print-category yes;
                 print-severity yes;
                 print-time     yes;
            };
            channel security_info    {
                 file "/var/log/named-auth.info";
                 severity  info;
                 print-category yes;
                 print-severity yes;
                 print-time     yes;
            };

            category update { update_debug; };
            category security { security_info; };
       };
```


----------



## SirDice (Mar 25, 2014)

At first glance everything seems to be in order. Here's my (working) configuration:
dhcpd.conf:

```
option domain-name "dicelan.home.";
option domain-name-servers 192.168.10.1;
option ntp-servers 192.168.10.1;

default-lease-time 600;
max-lease-time 7200;
authoritative;
ddns-update-style interim;
log-facility local7;
ignore client-updates;
#ddns-ttl 600;

do-forward-updates true;

key DHCP {
        algorithm HMAC-MD5;
        secret "MyBigSecret";
}

zone dicelan.home. {
        primary 127.0.0.1;
        key DHCP;
}

zone 10.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key DHCP;
}

subnet 192.168.10.0 netmask 255.255.255.0 {
        range 192.168.10.20 192.168.10.100;
        option routers 192.168.10.1;
}
```
And (parts of) named.conf:

```
key DHCP {
        algorithm HMAC-MD5;
        secret "MyBigSecret";
};

        zone "dicelan.home." {
                type master;
                notify no;
                file "/etc/namedb/dynamic/dicelan.home";
                allow-update { 127.0.0.1; key DHCP; };
        };

        zone "10.168.192.in-addr.arpa." {
                type master;
                notify no;
                file "/etc/namedb/dynamic/10.168.192.in-addr.arpa";
                allow-update { 127.0.0.1; key DHCP; };
        };
```

Make sure the @bind user is able to write to /etc/named/dynamic/.


----------



## wblock@ (Mar 25, 2014)

It looks weird to declare local-address way down near the end of dhcpd.conf.  Probably not the problem, but worth moving to the top with the rest of the global declarations.

In named.conf, you have

```
allow-update { key DHCP_UPDATER_TERMIT; };
```

@SirDice also has 127.0.0.1; in that section, allowing updates from the localhost in addition to those with the secret key. Similarly, mine has localhost;.


----------



## urello (Mar 25, 2014)

I have managed to turn logging on. The log is full of the following snippets:

```
Mar 25 17:42:02 <local7.err> freegtw dhcpd: send_packet: Can't assign requested address
Mar 25 17:42:02 <local7.err> freegtw dhcpd: dhcp.c:3269: Failed to send 300 byte long packet over fallback interface.
```


----------



## SirDice (Mar 26, 2014)

That could mean a firewall is blocking access or dhcpd isn't being bound to an interface. Do you have something like this in rc.conf?


```
dhcpd_enable="YES"                          # dhcpd enabled?
dhcpd_flags="-q"                            # command option(s)
dhcpd_conf="/usr/local/etc/dhcpd.conf"      # configuration file
dhcpd_ifaces="vlan10"                          # ethernet interface(s)
```
Adjust dhcpd_ifaces to your interface.


----------



## urello (Mar 26, 2014)

SirDice said:

> That could mean a firewall is blocking access or dhcpd isn't being bound to an interface. Do you have something like this in rc.conf?
> 
> 
> ```
> ...



Yes, all these variables are defined in my rc.conf.
I've just noticed that both daemons are chrooted. As they communicate with each other via TCP/IP, this could hardly cause a problem. Or am I wrong?
Here are my dhcpd settings in rc.conf:

```
dhcpd_enable="YES"                          # dhcpd enabled?
dhcpd_flags="-q"                            # command option(s)
dhcpd_conf="/usr/local/etc/dhcpd.conf"      # configuration file
dhcpd_ifaces="em0"                             # ethernet interface(s)
dhcpd_withumask="022"                       # file creation mask
dhcpd_chuser_enable="YES"           # runs w/o privileges?
dhcpd_withuser="dhcpd"              # user name to run as
dhcpd_withgroup="dhcpd"             # group name to run as
dhcpd_chroot_enable="YES"           # runs chrooted?
dhcpd_devfs_enable="YES"            # use devfs if available?
dhcpd_rootdir="/var/db/dhcpd"       # directory to run in
```


----------



## junovitch@ (Mar 26, 2014)

Does it send the packet if it's not in a chroot? Does it work if you comment it out? I know DHCPD is supposed to need the /dev/bpf when it is run in a jail, and the same would apply for a chroot. I don't know if it uses it to do both send and receive or just receive.


----------



## SirDice (Mar 27, 2014)

Definitely try it without the chroot. I don't have it enabled and it is working. I'd try it to see what happens, if only to narrow down the possible issues.


----------



## urello (Apr 4, 2014)

Well, I tried various combinations with/without chroot and with/without root privileges. It doesn't work. dhcpd doesn't send packets to named, and tcpdump confirms this assumption.


----------



## junovitch@ (Apr 4, 2014)

urello said:

> Well, I tried various combinations with/without chroot and with/without root privileges. It doesn't work. dhcpd doesn't send packets to named, and tcpdump confirms this assumption.



Is this true for all hosts?  Or is this just true for the "lemon" host you have a reservation for?


----------



## urello (Apr 5, 2014)

This is true for all hosts.


----------



## junovitch@ (Apr 6, 2014)

The reason I asked is that updates for static hosts require an extra config line. DHCP won't update those automatically. This is the line:

```
update-static-leases on;
```

I've only seen DDNS declared globally.  Try these lines at the top of your config, outside of the subnet block:

```
ddns-updates on;
ddns-update-style interim;
allow client-updates;
update-static-leases on;
```
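As an added example (not code from any poster in this thread), here is a small Python check that compares a dhcpd.conf with a named.conf the way the replies above do by eye: the key name, algorithm and secret must agree on both sides, every zone dhcpd updates must be served by named with an allow-update that lists that key, and ddns-update-style must sit at global scope rather than inside a subnet block. The two config texts are constructed samples modelled on the thread, with a placeholder secret; the parser is a deliberately simple brace scanner, not the real dhcpd or named grammar.

```python
import re

# Constructed sample configs modelled on the thread; the secret is a placeholder.
DHCPD_CONF = """\
ddns-update-style interim;
key DHCP_UPDATER_TERMIT {
        algorithm hmac-md5;
        secret "placeholder-secret==";
}
subnet 192.168.1.0 netmask 255.255.255.0 {
        ddns-updates on;
        range 192.168.1.55 192.168.1.99;
}
zone tatem.local. {
        primary 127.0.0.1;
        key DHCP_UPDATER_TERMIT;
}
zone 1.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key DHCP_UPDATER_TERMIT;
}
"""

NAMED_CONF = """\
key "DHCP_UPDATER_TERMIT" {
        algorithm HMAC-MD5;
        secret "placeholder-secret==";
};
zone "tatem.local" {
        type master;
        file "/etc/namedb/dynamic/tatem.local";
        allow-update { key DHCP_UPDATER_TERMIT; };
};
zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/namedb/dynamic/1.168.192.in-addr.arpa";
};
"""

# Same dhcpd.conf, but with ddns-update-style moved inside the subnet block (the
# scoping junovitch@ warns about).
DHCPD_CONF_SCOPED = DHCPD_CONF.replace("ddns-update-style interim;\n", "", 1).replace(
    "subnet 192.168.1.0 netmask 255.255.255.0 {\n",
    "subnet 192.168.1.0 netmask 255.255.255.0 {\n        ddns-update-style interim;\n", 1)


def parse(text):
    """Split a config into (global_statements, top_level_blocks).

    global_statements: statements at brace depth 0, semicolons stripped.
    top_level_blocks: list of (header, raw_body); nested braces stay in the body.
    """
    text = re.sub(r"(#|//)[^\n]*", "", text)  # drop # and // comments
    globs, blocks, depth, start, body_start, header = [], [], 0, 0, 0, ""
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                parts = text[start:i].split(";")
                globs.extend(p.strip() for p in parts[:-1] if p.strip())
                header = parts[-1].strip()  # the statement that opens this block
                body_start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks.append((header, text[body_start:i]))
                start = i + 1
    globs.extend(p.strip() for p in text[start:].split(";") if p.strip())
    return globs, blocks


def keys(blocks):
    """Map key name -> (algorithm lower-cased, secret) for every key block."""
    out = {}
    for header, body in blocks:
        m = re.match(r'key\s+"?([^"\s]+)"?$', header)
        if not m:
            continue
        alg = re.search(r"algorithm\s+([\w-]+)", body)
        sec = re.search(r'secret\s+"([^"]*)"', body)
        out[m.group(1)] = (alg.group(1).lower() if alg else None, sec.group(1) if sec else None)
    return out


def zones(blocks):
    """Map zone name (no quotes, no trailing dot, lower-cased) -> raw body."""
    out = {}
    for header, body in blocks:
        m = re.match(r'zone\s+"?([^"\s]+)"?$', header)
        if m:
            out[m.group(1).rstrip(".").lower()] = body
    return out


def check_ddns(dhcpd_text, named_text):
    """Return a list of findings; an empty list means the two configs agree."""
    findings = []
    dh_globs, dh_blocks = parse(dhcpd_text)
    _, nm_blocks = parse(named_text)
    dh_keys, nm_keys = keys(dh_blocks), keys(nm_blocks)
    dh_zones, nm_zones = zones(dh_blocks), zones(nm_blocks)

    # 1. ddns-update-style is expected as a global dhcpd statement.
    if not any(g.startswith("ddns-update-style") for g in dh_globs):
        findings.append("dhcpd: ddns-update-style is not set at global scope")

    # 2. Every key dhcpd declares must exist in named.conf with the same algorithm and secret.
    for name, (alg, sec) in dh_keys.items():
        if name not in nm_keys:
            findings.append(f"key {name}: declared in dhcpd.conf but not in named.conf")
        elif nm_keys[name] != (alg, sec):
            findings.append(f"key {name}: algorithm/secret differ between dhcpd.conf and named.conf")

    # 3. Every zone dhcpd updates must be served by named with allow-update naming that key.
    for zname, body in dh_zones.items():
        km = re.search(r"key\s+([^;\s]+)\s*;", body)
        kname = km.group(1) if km else None
        if zname not in nm_zones:
            findings.append(f"zone {zname}: in dhcpd.conf but not served by named")
            continue
        au = re.search(r"allow-update\s*\{([^}]*)\}", nm_zones[zname])
        if not au:
            findings.append(f"zone {zname}: named has no allow-update clause")
        elif kname and f"key {kname}" not in au.group(1):
            findings.append(f"zone {zname}: allow-update does not list key {kname}")
    return findings


if __name__ == "__main__":
    for line in check_ddns(DHCPD_CONF, NAMED_CONF) or ["no findings"]:
        print(line)
```

The algorithm comparison is case-insensitive because the posts above spell it hmac-md5 on the dhcpd side and HMAC-MD5 on the named side, and it is otherwise algorithm-agnostic, so the same check works with the SHA-2 TSIG algorithms newer BIND releases support. Run it against your own files with `check_ddns(open("dhcpd.conf").read(), open("named.conf").read())`; the constructed sample deliberately omits allow-update on the reverse zone so that one finding is reported.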


----------



## Ajax (Jun 27, 2014)

To avoid a new topic about the same — how does one force ISC DHCP to use the host name from the host declaration?
The dhcpd.conf is correct according to the manual and properly updates DNS running on the same machine, but it *always* sends hostnames defined by the client, and this is crap when it comes to having two simultaneous connections — via Ethernet and Wi-Fi — as it tries to register two IP addresses with the same hostname. How the heck do I force it to use hostnames from host definitions?

```
log-facility local7;
ddns-updates on;
ddns-update-style interim;
update-static-leases on;
ignore client-updates;
authoritative;
one-lease-per-client on;
key dhcpupdater {
    algorithm hmac-md5;
    secret "SECRET==";
}
group {
	use-host-decl-names on;
	host mbp-ethr { hardware ethernet xx:xx:xx:xx:xx:xx; fixed-address 10.10.1.50; }
	host mbp-wifi { hardware ethernet xx:xx:xx:xx:xx:xx; fixed-address 10.10.1.51; }
	host win8-pc1 { hardware ethernet xx:xx:xx:xx:xx:xx; }
}
shared-network SHARD {
	subnet 10.10.1.0 netmask 255.255.255.0 {
		allow booting;
		allow bootp;
		authoritative;
		ddns-updates on;
		ddns-update-style interim;
		ddns-domainname "home.lan.";
		ddns-rev-domainname "in-addr.arpa.";
		option broadcast-address 10.10.1.255;
		option domain-name "home.lan";
		option domain-name-servers 10.10.1.254;
		option routers 10.10.1.254;
		option subnet-mask 255.255.255.0;
		filename "boot/pxeboot";
		option root-path "10.10.1.254:/usr/data/netboot";
		update-static-leases on;
		ignore client-updates;
		deny unknown-clients;
		pool {
			default-lease-time 600;
			max-lease-time 1800;
			range 10.10.1.100 10.10.1.200;
			allow known-clients;
		}
	}
}
zone home.lan. {
	primary localhost;
	key dhcpupdater;
}
zone 1.10.10.in-addr.arpa. {
	primary localhost;
	key dhcpupdater;
}
```


----------



## SirDice (Jun 27, 2014)

There should only be one interface active. Having two interfaces active in the same subnet is going to cause problems. Not so much on the DHCP/DNS side but on the client.


----------



## Ajax (Jun 27, 2014)

I've one interface, yet it has two IPs from different subnets. Do you mean I should discard the second subnet?


----------



## SirDice (Jun 27, 2014)

Ajax said:

> I've one interface yet it has two IP from different subnets.


No, the interfaces are both in the same subnet:

```
host mbp-ethr { hardware ethernet xx:xx:xx:xx:xx:xx; fixed-address 10.10.1.50; }
host mbp-wifi { hardware ethernet xx:xx:xx:xx:xx:xx; fixed-address 10.10.1.51; }
```

They're both in the same 10.10.1.0/24 subnet. That's going to cause problems on the client side when both are active.


----------



## Ajax (Jun 27, 2014)

But this is not a problem at all! In either static or dynamic config (via DHCP) both work well and generally should do so — one interface, one MAC, one request and one IP in response. The only problem is that somehow the DHCP server ignores my settings and accepts the host-name from the client, so one client with more than one interface makes problems; if I found out how to make DHCPd properly take the hostname from the description, the problem would be solved — I've different names in the host descriptions.


----------

