09-11-2018 11:05 AM
I am working on testing DNS functionality on Infoblox in a test environment with Infoblox (TE-1425 virtual), a domain controller and a test server running on a Windows 2016 Hyper-V host. The domain controller is not running DNS and has Infoblox configured as its primary DNS in its network settings. A test domain, say D, has been created on it and it has been promoted. Infoblox is authoritative for the test zone D.
I made the below observations during the course of my testing:
1) I assigned a static IP address to the test VM in my setup, pointed its DNS to Infoblox and added it to the domain D. I was expecting an A record to be created for it in zone D but that doesn't happen until I add the IP address into Grid DNS Properties-> Updates-> ACL entry.
2) When I configure DHCP on the Infoblox VM and allow the test VM to get an IP from the DHCP server (Infoblox VM), I see an A record is automatically added for the test server in the zone D on Infoblox.
My questions are:
1) Does this mean an A record for a machine would be created in my zone on Infoblox only when it's getting an IP address from the DHCP server (as in that case the DHCP server updates the DNS server; I had configured DDNS from DHCP to DNS) and in the case where I assign a static IP to my server, an A record will not be automatically created?
2) I was told that if I assign a static IP to my test server but enable GSS-TSIG, an A record will be automatically created in the zone on Infoblox. I enabled GSS-TSIG in my setup, removed and re-added the test VM to the domain D, but no A record was automatically added to the zone. Is GSS-TSIG a solution in this case?
09-11-2018 11:20 AM
DDNS is not enabled by default. One important note is that it is best practice to NOT allow DHCP clients to update zones. While DNS scavenging is available, this is a good way to end up with stale or missing records with no real way to identify why (since you are dependent on the client to maintain these updates).
To enable the DHCP server to update DNS for clients (which is recommended), you will find the setting for this in the IPv4 DDNS section in the DHCP properties, and this can be set at multiple levels, starting at the Grid level. You can find helpful information regarding this process in the chapter titled "Configuring DDNS Updates" in the NIOS Administrators Guide. You can find the Administrators Guide through the Help panel in your Grid Manager GUI, or through the Tech Docs section on the Infoblox Support portal (https://support.infoblox.com/). This chapter will also provide you with details regarding GSS-TSIG support (which would work similarly to the way you got things working already, but with the benefit of using GSS-TSIG to authenticate the client and being slightly more secure).
09-11-2018 12:31 PM
Thank you for responding.
So the part where I configure the DHCP server to send DDNS updates to DNS is working fine and as expected.
My concern is we have servers in our environment that are configured with static IP addresses; we don't use the DHCP server to allocate IPs to these. How will the A record for such servers be added to the DNS zone? How will that DDNS update reach the DNS server?
I was told by my sales representative that configuring GSS-TSIG will help in this case and an A record will automatically be added to the DNS zone, but I did not witness that in my testing when I enabled GSS-TSIG (I used the Infoblox admin guide for configuration), and I believe it's only a means to send secure DDNS updates to the DNS server. Will using GSS-TSIG create an A record for the server with a static IP address in the DNS zone?
09-11-2018 01:04 PM
Not a problem at all. For that specific use case then yes, you would use the GSS-TSIG for dynamic updates, or the Updates ACL like you did in your previous test.
Just the act of enabling these options does not create the records in question. These options enable your clients (in this case, the non-DHCP systems) to update their records in DNS dynamically. If they fail to do so, then you would need to:
- Verify that they are attempting to send their DDNS updates
- If they are, are they resolving the mname (the primary name server) for the zone to the correct DNS server?
- If they are not, are they enabled to update DNS?
- Check the system logs on the primary name server for any update attempts from the client(s) in question.
- Run a Traffic Capture/network sniffer to see the activity that is taking place
Hope this helps. For any more specific troubleshooting, you may want to consult with Infoblox Support.
09-11-2018 01:44 PM
I just looked at the logs and it looks like the test device is attempting to update DNS but is denied with the below error:
192.168.200.254#63044: GSS-TSIG authentication failed for (DNS/infobloxvmtst.D.com@D.COM, kvno 3, arcfour-hmac-md5): unknown principal
Any pointers as to why this error is seen?
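The troubleshooting steps in the earlier reply (confirm the client is attempting updates, then read the primary name server's log for update attempts) and the denied update quoted in this post can be triaged with a small log parser. The script below is an added example, not Infoblox code and not something posted in the thread. Its sample lines are constructed: the first two follow the GSS-TSIG message shape quoted above, the rest follow BIND-style update messages (NIOS DNS is BIND-based). The `REASON_HINTS` table is an assumption about the usual causes of each failure string, and `summarise` is a hypothetical helper that groups events per client so that a host that only ever fails stands out.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample lines: modelled on the GSS-TSIG failure quoted in the
# thread plus BIND-style update/notify messages (assumption: these are the
# shapes a NIOS DNS member writes to syslog).
SAMPLE_LOG = """\
192.168.200.254#63044: GSS-TSIG authentication failed for (DNS/infobloxvmtst.D.com@D.COM, kvno 3, arcfour-hmac-md5): unknown principal
192.168.200.254#63045: GSS-TSIG authentication failed for (DNS/infobloxvmtst.D.com@D.COM, kvno 3, arcfour-hmac-md5): unknown principal
client 192.168.200.10#51234: update 'D.com/IN' denied
client 192.168.200.11#51235: updating zone 'D.com/IN': adding an RR at 'host11.D.com' A
named[1234]: zone D.com/IN: sending notifies (serial 2018091101)
"""

GSS_FAIL = re.compile(
    r"^(?P<ip>[\d.]+)#(?P<port>\d+): GSS-TSIG authentication failed for "
    r"\((?P<principal>[^,]+), kvno (?P<kvno>\d+), (?P<enctype>[^)]+)\): (?P<reason>.+)$"
)
UPDATE_DENIED = re.compile(
    r"^client (?P<ip>[\d.]+)#(?P<port>\d+): update '(?P<zone>[^']+)' denied$"
)
UPDATE_APPLIED = re.compile(
    r"^client (?P<ip>[\d.]+)#(?P<port>\d+): updating zone '(?P<zone>[^']+)': "
    r"adding an RR at '(?P<name>[^']+)' (?P<rtype>\S+)$"
)

# Assumed hints for the failure reasons this script recognises; any other
# reason string is reported verbatim for a human to look at.
REASON_HINTS = {
    "unknown principal": "keytab on the DNS server has no usable key for this "
                         "service principal (check SPN spelling, realm and kvno)",
    "clock skew too great": "Kerberos time skew between client, KDC and DNS server",
}


@dataclass
class Event:
    client: str                     # source IP of the updater ("-" if none)
    kind: str                       # gss_fail | acl_denied | applied | other
    detail: str                     # human-readable summary
    principal: Optional[str] = None
    zone: Optional[str] = None


def parse_line(line: str) -> Event:
    """Classify one log line; anything unrecognised becomes an 'other' event."""
    m = GSS_FAIL.match(line)
    if m:
        reason = m.group("reason").strip()
        hint = REASON_HINTS.get(reason, "unrecognised reason, review keytab and KDC logs")
        return Event(m.group("ip"), "gss_fail",
                     f"{reason} ({hint}); kvno {m.group('kvno')}, enctype {m.group('enctype')}",
                     principal=m.group("principal"))
    m = UPDATE_DENIED.match(line)
    if m:
        return Event(m.group("ip"), "acl_denied",
                     "update refused by the zone's update policy/ACL", zone=m.group("zone"))
    m = UPDATE_APPLIED.match(line)
    if m:
        return Event(m.group("ip"), "applied",
                     f"added {m.group('rtype')} record {m.group('name')}", zone=m.group("zone"))
    return Event("-", "other", line.strip())


def summarise(log_text: str) -> Dict[str, object]:
    """Count events by kind and per client; list clients that never succeeded."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    counts = Counter(e.kind for e in events)
    per_client = defaultdict(Counter)
    for e in events:
        if e.client != "-":
            per_client[e.client][e.kind] += 1
    failing_only = sorted(
        c for c, k in per_client.items()
        if k["applied"] == 0 and (k["gss_fail"] or k["acl_denied"])
    )
    return {
        "counts": dict(counts),
        "per_client": {c: dict(k) for c, k in per_client.items()},
        "failing_only": failing_only,
        "events": events,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print("event counts:", report["counts"])
    for client in report["failing_only"]:
        print(f"{client}: no successful update, {report['per_client'][client]}")
    for ev in report["events"]:
        if ev.kind == "gss_fail":
            print(f"{ev.client} as {ev.principal}: {ev.detail}")
```

Feed it the DNS member's syslog (or the output of a Grid Manager log search) instead of `SAMPLE_LOG`; a client that appears under `failing_only` with `gss_fail` entries is the one whose keytab/principal set-up to compare against the admin guide, while one with only `acl_denied` entries is being stopped by the update ACL rather than by Kerberos.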
09-11-2018 01:59 PM
There are specific requirements for the keytab which can vary depending on your AD version. While not the exact same error, you can find some helpful information in this thread:
Infoblox Support should be able to help you troubleshoot that further.