Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

NIOS DNS DHCP IPAM

Reply

DDNS-Updates to external MS-DNS Server not working with NOTAUTH message

[ Edited ]
Techie
Posts: 6
9178     0

We're currently planning a DHCP-Migration from MS DHCP-Server to Infoblox.

DNS will - for now - stay on the extisting MS-DNS Server (AD-Integrated).

These Microsoft DNS-Server are running Windows Server 2008, as far as i know.

Infoblox is running 8.4.4.

 

For Testpurpose we have already moved one DHCP-Scope to Infoblox, and also configured DDNS so that Infoblox updates the affected A- and PTR-Records - if needed - on the Micosoft DNS-Servers on behalf of the enddevices.

 

But we still get these Error-Messages on Infoblox for the A- and PTR-Records:

  • bind update on <ip end device> from xxxxxx (1581495196ps) rejected: incoming update is less critical than outgoing update
  • Unable to add forward map from <hostname end device> to <ip end device>: NOTAUTH
  • Reverse map update for <ip end device> abandoned because of non-retryable failure: NOTAUTH
  • Forward map update for <ip end device> abandoned because of non-retryable failure: NOTAUTH

 

These are our current DDNS settings in Infoblox:

 

Grid DHCP DDNS Setting

  • DNS Updates: “Enable DDNS Updates” enabled
  • DDNS Update Method: Interim
  • Lease Renewal Update: “Update DNS on DHCP Lease Renewal” enabled
  • Generate Hostname: “Generate Hostname if not Sent by Client” enabled
  • Fixed Address Updates: “Update Fixed Addresses” enabled
  • TXT (DHCID) Record Handling: ISC

Data Management – DHCP – Configure DDNS - DNS UPDATES TO EXTERNAL ZONES

  • Forward- und Reverse-Mapping Zones added
  • Security: None

We have also played with different settings (e.g. for TXT Record Handling) but right now we are not able to get DDNS working.

 

Can anybody tell me where those NOTAUTH Log-Messages come from and what could be the reason why DDNS is not working ?

Re: DDNS-Updates to external MS-DNS Server not working with NOTAUTH message

Expert
Posts: 185
9178     0

Hey, I am working on a very similar project at the moment, migrating MS DHCP to Infoblox but keeping MS DNS on AD. I am setting up GSS-TSIG to update the MS DNS servers as they have "secure only" updates enabled.

 

But your problem seems more simple, you are getting a NOTAUTH error. I can never remember if this means not authoritative or not authorised. 

 

It sounds like you are not using GSS-TSIG, have you checked the zone security in AD? Do you have them set to "Nonsecure and secure" - if you have it set to "Secure only" then you will need to set up GSS-TSIG.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: DDNS-Updates to external MS-DNS Server not working with NOTAUTH message

Techie
Posts: 6
9178     0

We were now able to fix this problem. It had nothing to do with a secure connection between Infoblox and Microsoft as both sides had security disabled.Instead we used the wrong zone-name in Infoblox for the external zone on the Microsoft server.

 

On Micorosft DNS-Server we have a zone "zone.com" with a folder/grooup below "group).

This results in a complete FQDN "hostname.group.zone.com".

 

So we used the following zone name on Infoblox in "DNS Updates to external Zones":

group.zone.com

 

And this did not work as this was not a valid zone on Microsoft, and therefore Microsoft sent a NOAUTH message back (verified with packet capture on Infoblox).

 

After we changed the zone name on Infoblox to "zone.com" DDNS was working fine without any NOAUTH message.

s.Re: DDNS-Updates to external MS-DNS Server not working with NOTAUTH message

Superuser
Posts: 105
9178     0

Hi Paul,

 

I also work in near similar project like yours, could you inform in which side should be configure the GSS-TSIG. is it on infoblox or in AD. since AD team said that they have no configuration like GSS-TSIG on AD.

 

Please your advice.

 

Thanks in advance

Re: s.Re: DDNS-Updates to external MS-DNS Server not working with NOTAUTH message

Expert
Posts: 185
9178     0

You need to get someone on your AD team to run the ktpass command and send you the keytab file, you then load the keytab file into Infoblox to enable GSS-TSIG. The command is detailed in the admin guide, or you can try and decipher this post here: https://community.infoblox.com/t5/DNS-DHCP-IPAM/DDNS-to-Windows-server-Failed-TGT/td-p/8821

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Showing results for 
Search instead for 
Did you mean: 

Recommended for You