
FDQN and records in DNS

[ Edited ]
Authority
Posts: 16
8166     0

Hi Guys,

 

For some reason some machines (based on their subnet?) whose IPs are delivered by Infoblox are not updating their FQDN and records in DNS, and so this impacts some other solutions that use PC names for resolution.

 

Thx,

Myky

Re: FDQN and records in DNS

Adviser
Posts: 200
8167     0
Can you provide more details?


1. Do you see attempts by the clients in the syslog of the primary master name server (PMNS) for the zone?

2. Are those attempts flagged as “refused”?

3. If there are no attempts being logged, you’ll need to check client level settings to determine if someone disabled the client from sending updates.

4. If these are DHCP clients, make sure the DHCP server is set to perform the updates on behalf of the client.

5. If the syslog messages say “refused,” then you have an ACL (on the server…probably at the zone level) blocking the updates from the clients.

Re: FDQN and records in DNS

[ Edited ]
Authority
Posts: 16
8167     0

1

Re: FDQN and records in DNS

[ Edited ]
Authority
Posts: 16
8167     0

2

Re: FDQN and records in DNS

[ Edited ]
Authority
Posts: 16
8167     0

Hello,

 

Thank you for helping with this. Below the answers on your questions:

 

1. Do you see attempts by the clients in the syslog of the primary master name server (PMNS) for the zone?

 

 Yes

 

2. Are those attempts flagged as “refused”?

 

Yes, hope these are the right logs:

 

(attached screenshot: refused.png)

 

 

 

3. If there are no attempts being logged, you’ll need to check client level settings to determine if someone disabled the client from sending updates.

 

Yes there are attempts being logged.

 

4. If these are DHCP clients, make sure the DHCP server is set to perform the updates on behalf of the client.

 

The Infoblox is the DHCP server, and it's set to do updates, but the authentication is not set.

 

5. If the syslog messages say “refused,” then you have an ACL (on the server…probably at the zone level) blocking the updates from the clients.

 

We don’t think that this is the issue.

 

Thx,

Myky

Re: FDQN and records in DNS

Adviser
Posts: 200
8167     0

Those errors are not related to DDNS updates.  You would see a message more in line with...

 

Jan  8 19:05:16 gateway named[12349]: client 192.168.1.20#1069: update 'host1.company.com/IN' denied

 

 

The current format may be a little different (I just pulled this from an Internet search).  If you don't see those messages, then updates are NOT even being attempted by the client.  If the DHCP server is supposed to be doing the update, then you need to make sure you've (1) turned on DDNS updates and (2) specified a DNS zone to update in the settings at the network level (you can use inheritance and set the values at the Grid or member level if you desire).

 

The messages you are seeing now are likely related to an issue with Infoblox attempting to send syslog messages to a remote syslog server.  This is the "syslog forwarding" feature.

 

Re: FDQN and records in DNS

[ Edited ]
Authority
Posts: 16
8167     0

Hello Smith,

 

I have checked the syslog logs again and could see the following:

 

2016-08-23T15:24:01+01:00 daemon infoblox.xxxx.ccc.uk dhcpd[21049]: info DHCPDISCOVER from e8:99:c4:6xxxx via 10.211.0.1 uid 01:e8:99:c4xxxxxxx
2016-08-23T15:24:01+01:00 daemon infoblox.xxxx.cc.uk dhcpd[21049]: info DHCPOFFER on 10.211.0.251 to e8:99:c4:6xxxx (android-589c3d13675fdc96) via eth2 relay 10.211.0.1 lease-duration 3598 offered-duration 3600 uid 01:e8:99:c4:xx:xx:xx
2016-08-23T15:24:01+01:00 daemon infoblox.xxxx.ccc.uk dhcpd[21049]: info DHCPREQUEST for 10.211.0.251 (10.132.1.200) from e8:99:c4xxxxx (android-589c3d13675fdc96) via 10.211.0.1 uid 01:e8:99:cxxxxxx (RENEW)
2016-08-23T15:24:01+01:00 daemon infoblox.xxxx.ccc.uk dhcpd[21049]: info DHCPACK on 10.211.0.251 to e8:99:c4:6xxxxx (android-589c3d13675fdc96) via eth2 relay 10.211.0.1 lease-duration 3600 (RENEW) uid 01:e8:99:c4xxxxxx
2016-08-23T15:24:01+01:00 daemon infoblox.xxxx.ccc.uk dhcpd[21049]: info DHCPINFORM from 10.210.0.151 via 10.210.0.1
2016-08-23T15:24:01+01:00 daemon infoblox.xxxx.ccc.uk dhcpd[21049]: info DHCPACK to 10.210.0.151 (84:3a:4b:xxxxx) via eth2
2016-08-23T15:24:01+01:00 daemon infoblox.xxxx.ccc.uk dhcpd[21049]: err DHCPDISCOVER from 00:c0:b7:xxxx via 10.18.2.254 : network 10.18.0.0/16: no free leases
2016-08-23T15:24:01+01:00 daemon infoblox.xxxxx.ccc.uk dhcpd[21049]: info DHCPINFORM from 10.210.1.229 via 10.210.0.1
2016-08-23T15:24:01+01:00 daemon infoblox.xxxx.ccc.uk dhcpd[21049]: info DHCPACK to 10.210.1.229 (e8:2a:ea:xxxxx) via eth2
2016-08-23T15:24:01+01:00 daemon infoblox.cccc.ccc.uk named[17539]: info client 10.133.1.116#24825 (*.xxx.xxxx.uk): query (cache) '*.xxx.xxxx.uk/A/IN' denied
2016-08-23T15:24:01+01:00 daemon infoblox.xxxx.cccc.uk named[17539]: info client 10.133.1.116#55218 (*.xxx.xxxx.uk): query (cache) '*.xxx.xxxx.uk/AAAA/IN' denied

 

Thx,

Myky

Re: FDQN and records in DNS

[ Edited ]
Authority
Posts: 16
8167     0

Some more I could see:

 

info client 10.133.1.116#60213 (*.xxx.xxxx.uk): query (cache) '*.xxx.xxxx.uk/A/IN' denied
2016-08-25T06:15:48+01:00 daemon infoblox.xxxx.xxxx.uk named[17539]: info client 10.133.1.116#37287 (*.xxx.xxxx.uk): query (cache) '*.xxx.xxxx.uk/AAAA/IN' denied
2016-08-25T06:15:49+01:00 daemon infoblox.xxxx.xxx.uk dhcpd[21049]: info Average 5/15/60/1440 dynamic DNS update latency: 0/0/0/0 micro seconds
2016-08-25T06:15:49+01:00 daemon infoblox.xxxx.xxx.uk dhcpd[21049]: info Dynamic DNS update timeout count in last 5/15/60/1440 minutes: 26/303/303/1675
2016-08-25T06:15:49+01:00 daemon infoblox.xxxx.xxxx.uk dhcpd[21049]: err DHCPDISCOVER from 00:c0:b7:c5:3c:ea via 10.18.2.254 : network 10.18.0.0/16: no free leases

Re: FDQN and records in DNS

Adviser
Posts: 200
8167     0

None of those log messages are relevant to this issue.  The "denied" messages you are seeing are queries...not updates.  All of the rest of the messages show that DHCP is working and handing out addresses.

 

What's still missing are any log messages related to DDNS activity.  If you don't see the word "update" in the named log message, it's likely not going to be helpful.  Look for ALL named (DNS) log messages that have "update" in them similar to the one example I provided earlier.

 

Also, make sure you're looking for messages on the primary master name server for the zone.  If it's the same appliance, you're good to go.  If you're looking instead at an authoritative (but non-primary master) or caching server, you won't see those messages.
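The adviser's checklist earlier in the thread and this reply both come down to one triage rule: on the primary master name server, only named (DNS) messages containing "update" tell you anything about DDNS; "query ... denied" lines and dhcpd lease traffic are noise for this problem. The script below is an added example, not part of the thread and not Infoblox's code, that applies that rule to syslog text. It classifies each line by daemon and message type, pulls the client and zone out of any update lines, and returns a verdict following the adviser's logic: update denied means an ACL on the zone, no update lines at all means updates are not being sent to this server (or this is not the PMNS). The sample log lines are constructed from the formats quoted in the thread (hostnames, IPs and MACs are made up), and the "updating zone" format for an accepted update is the standard BIND 9 update-log wording, not something from this thread.

```python
import re
from collections import Counter

# Constructed sample syslog, modeled on the line formats quoted in the thread.
# Hostnames, addresses and MACs are invented for the example.
SAMPLE_LOG = """\
2016-08-23T15:24:01+01:00 daemon ns1.example.test dhcpd[21049]: info DHCPACK on 10.211.0.251 to e8:99:c4:00:00:01 (android-589c3d13675fdc96) via eth2 relay 10.211.0.1 lease-duration 3600 (RENEW) uid 01:e8:99:c4:00:00:01
2016-08-23T15:24:01+01:00 daemon ns1.example.test named[17539]: info client 10.133.1.116#24825 (*.example.test): query (cache) '*.example.test/A/IN' denied
2016-08-23T15:24:02+01:00 daemon ns1.example.test named[17539]: info client 10.211.0.251#1069: update 'example.test/IN' denied
2016-08-23T15:24:03+01:00 daemon ns1.example.test named[17539]: info client 10.211.0.10#40120: updating zone 'example.test/IN': adding an RR at 'pc-0042.example.test' A
2016-08-25T06:15:49+01:00 daemon ns1.example.test dhcpd[21049]: info Dynamic DNS update timeout count in last 5/15/60/1440 minutes: 26/303/303/1675
"""

# Which daemon wrote the line, an optional severity word, and the message body.
# The severity is optional so the older "named[pid]: client ..." format from the
# thread (no "info" token) parses too.
PROC_RE = re.compile(
    r"(?P<proc>named|dhcpd)\[\d+\]:\s+"
    r"(?:(?P<level>info|notice|warning|err|error|debug)\s+)?(?P<msg>.*)$"
)
# named refusing a dynamic update (the ACL case from the checklist).
UPDATE_DENIED_RE = re.compile(r"client (?P<client>[\d.]+)#\d+.*?update '(?P<zone>[^']+)' denied")
# named accepting a dynamic update (standard BIND 9 update-log wording).
UPDATE_OK_RE = re.compile(r"client (?P<client>[\d.]+)#\d+.*?updating zone '(?P<zone>[^']+)'")
# dhcpd's own DDNS timeout counters over 5/15/60/1440 minutes.
TIMEOUT_RE = re.compile(
    r"Dynamic DNS update timeout count in last 5/15/60/1440 minutes: (\d+)/(\d+)/(\d+)/(\d+)"
)


def classify(line):
    """Return (category, details) for one syslog line."""
    m = PROC_RE.search(line)
    if not m:
        return ("other", {})
    proc, msg = m.group("proc"), m.group("msg")
    if proc == "named":
        d = UPDATE_DENIED_RE.search(msg)
        if d:
            return ("named-update-denied", d.groupdict())
        ok = UPDATE_OK_RE.search(msg)
        if ok:
            return ("named-update-accepted", ok.groupdict())
        if "query" in msg and "denied" in msg:
            # Refused *queries*: unrelated to DDNS, as the adviser points out.
            return ("named-query-denied", {})
        return ("named-other", {})
    t = TIMEOUT_RE.search(msg)
    if t:
        counts = dict(zip(("m5", "m15", "m60", "m1440"), map(int, t.groups())))
        return ("dhcpd-ddns-timeouts", counts)
    if msg.startswith("DHCP"):
        # DISCOVER/OFFER/REQUEST/ACK/INFORM: shows leasing works, says nothing about DDNS.
        return ("dhcpd-lease", {})
    return ("dhcpd-other", {})


def triage(log_text):
    """Summarise a syslog extract and apply the thread's DDNS decision rule."""
    counts = Counter()
    denied, accepted, timeouts = [], [], None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        cat, info = classify(line)
        counts[cat] += 1
        if cat == "named-update-denied":
            denied.append((info["client"], info["zone"]))
        elif cat == "named-update-accepted":
            accepted.append((info["client"], info["zone"]))
        elif cat == "dhcpd-ddns-timeouts":
            timeouts = info
    if denied:
        # named saw the update and refused it: review the zone's update ACL / allowed sources.
        verdict = "update-denied"
    elif accepted:
        verdict = "updates-accepted"
    else:
        # No named message mentions an update: either DDNS is not enabled/zone not set
        # at the network level, or this appliance is not the PMNS for the zone.
        verdict = "no-update-attempts-seen"
    return {"counts": dict(counts), "denied": denied, "accepted": accepted,
            "timeouts": timeouts, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for cat, n in sorted(result["counts"].items()):
        print(f"{n:4d}  {cat}")
    print("denied updates:", result["denied"])
    print("dhcpd DDNS timeouts:", result["timeouts"])
    print("verdict:", result["verdict"])
```

Feeding a real extract is a matter of replacing SAMPLE_LOG with the file contents; the useful part of the output is the verdict plus the client/zone pairs from the denied lines, which point straight at which range and which zone ACL to review.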

 

Re: FDQN and records in DNS

[ Edited ]
Authority
Posts: 16
8167     0

Hi Smith,

 

The only logs I got with DDNS are below:

 

2016-08-23T18:15:44+01:00 daemon infoblox.xxxxx.uk dhcpd[21049]: info Canceling asynchronous DNS operation for deferred DDNS.
2016-08-23T18:15:44+01:00 daemon infoblox.xxxxx.uk dhcpd[21049]: info lock_dddns_list_wait_for_no_current: Requesting cancellation of DNS update in progress
2016-08-23T18:15:44+01:00 daemon infoblox.xxxxx.uk dhcpd[21049]: info Canceling asynchronous DNS operation for deferred DDNS.
2016-08-23T18:15:44+01:00 daemon infoblox..xxxxx.uk dhcpd[21049]: info lock_dddns_list_wait_for_no_current: Requesting cancellation of DNS update in progress
2016-08-23T18:15:44+01:00 daemon infoblox.xxxxx.uk dhcpd[21049]: info Canceling asynchronous DNS operation for deferred DDNS.

 

Why is it requesting cancellation of DNS?

Again thanks for your help. 

 

Thx,

Myky

Re: FDQN and records in DNS

Adviser
Posts: 200
8167     0
It's likely you have a configuration issue. You'll need to go back and review the network and range properties on your zone and make sure you have everything configured correctly. I'd start with the range to see what values are inherited or explicitly set. This will tell you what the effective settings are at that level.

On the basic tab, make sure DDNS is enabled and that you have the correct domain name for a zone where the PMNS is either in Infoblox OR has been configured to allow updates from the DHCP server.

On the advanced tab, double check your settings here but it's really the first tab that matters most.

Again, those log messages are not messages for named (DNS) so they aren't what I was referring you to. You need to look at the named messages on the PMNS...not the dhcpd (DHCP) messages. Start with DNS and work backwards. We haven't yet seen anything that tells us that updates are even being sent from any system at all. Troubleshooting DHCP at this stage may do absolutely nothing to resolve your original issue.

Re: FDQN and records in DNS

Authority
Posts: 16
8167     0

Hello Smith,

 

I appreciate your help. Let me review all config from the beginning.

I will get back to you soon with any update on this.

 

Regards, 

Myky 
