- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
DHCPRELEASE and DDNS to AD DNS
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-09-2020 09:13 AM
We have VPN appliances that are acting as DHCP Proxies for clients to our Infoblox DHCP servers. The VPN appliances both request and release leases when a client connects and disconnects from the VPN service.
We are trying to sort some issues with DNS updates and the DNS records in AD DNS with the clients. One issue that I am trying to look further into is if the Infoblox DHCP server sends a DDNS update to delete the DNS records associated with the client when a DHCPRELEASE is issued by the VPN appliance.
From all the logs I've reviewed to date, it doesn't appear that the server sends the request to AD DNS to update/remove the records. I have also been unable to find any documentation regarding how Infoblox DHCP/DDNS handles this or if there are configurable options. My understanding from various searches is that ISC-based DHCP is supposed to send this request as part of the DDNS service.
I figured I would ask here prior to opening a support case.
Cheers.
Solved! Go to Solution.
Re: DHCPRELEASE and DDNS to AD DNS
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-11-2020 05:48 AM
If the IB DHCP boxes are sending the DDNS updates on lease issue then when the lease is released they should send the approprate update/delete.
Couple of counter questions;
1) Are the DHCP servers setup to use GSS TSIG to authenticate to the windows DNS servers?
2) Have you done any packet captures to ensure that your VPN appliances are in fact sending the DHCP RELEASES?
If 1) No and 2) Yea, then you are most probably runinng into a permission denied error on the DDNS Delete. I know it sound strange that the permissions on the MS DNS server will let an unautheenticated update happen but will prevent the deletes. However it happens all the time.
Once you start having to deal with security ACLS on MS DNS, it is just way easier in the long run to setup Gss Tsig, resecure the DNS server than be constantly tweaking the ACLS. Remember if this is the case then you could actualy have a pretty big DNS security problem. Because if the IB DHCP server can send unauthenticated updates... then any client windows/linux/whatever can too. They might not stick to updating their own DNS records. Just imagine if a rouge client came on your network and updated all the DC _msdc service records durring the middle of the day.
Re: DHCPRELEASE and DDNS to AD DNS
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-13-2020 12:16 PM
To answer your two questions:
1) Yes, we are using GSS-TSIG for our updates.
2) I have not done packet captures, but the DHCPRELEASE packets being logged by the DHCP server's SYSLOG indicate that they are being received.
That's why I was specifically asking, as there is nothing to indicate that post-release updates are being sent.
Re: DHCPRELEASE and DDNS to AD DNS
[ Edited ]- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-14-2020 08:12 AM - edited 10-14-2020 08:13 AM
Try hunting down your dns.log file, I think it's usually in the windir\System32\Dns folder. It should list the dynamic updates that are being received. I had a problem a while back where the DNS server wouldn't process an update because it needed both forward and reverse zones to be present, it wouldn't work if one of the zones was missing, unfortunately I can't remember if it was an add or a delete, nor can I remember whether it was a forward or reverse zone that was missing, all I remember is that both had to be present for the dynamic update to work. This was all rather a long time ago now but hopefully the log file will point you in the right direction.
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Re: DHCPRELEASE and DDNS to AD DNS
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-15-2020 01:45 PM
I decided to beat up my laptop a bit with releases, renews, and changing the Windows client DNS update settings.
What I found is that a DHCPRELEASE does in fact prompt the DHCP server to send a removal request to the AD DNS server. However, it only logs (shows up in SYSLOG) if the removal is successful. It does not appear to log at all if the removal is refused by AD DNS unlike adding records. If adding a record fails, it generates a SYSLOG message stating "Unable to add..." the record, but there is no counterpart for removal. This is a bit of a frustrating oversight in my opinion.
The root cause seems to be both clients and the DHCP servers updating the records. Looks like I have to work with our SA team to get the client updates disabled.
Re: DHCPRELEASE and DDNS to AD DNS
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-16-2020 02:10 AM
Ah, yeah, what I've found in the past is that you need to decide whether to allow Windows clients to do their update themselves or whether the DHCP server does it. You can use option 81 to specify this, but even setting it so the DHCP server does the updates, I found that in some cases Windows clients still try to update DNS themselves. What I found is that on the initial DORA, the DHCP server would do the update but when the client does a renew at 50% of the lease time, the client would send a DDNS update itself, it kinda "forgets" that option 81 was supposed to switch that off. Again this was absolutely years ago when I discovered this, and may have been "fixed" by subsequent versions of Windows, but what it did to me is re-inforce the need for "allow-update" ACLs - so I always have an ACL now that prevents clients updating DNS and only allows DHCP servers and Windows Domain Controllers (and other servers like SQL that need to do DDNS).
What I do see now are thousands and thousands of "update denied" messages on the DNS servers, but I know that DHCP server is updating sucessfully so I don't really care if the client updates are being denied. Of course, if you have statically configured devices too (such as application servers), Windows by default will also be trying to register the host name every 24 hours regardless of option 81, so it makes sense to employ an ACL anyway.
If you have both Windows clients AND DHCP servers updating DNS then you will get into an awful mess. Windows is notorious for registering entries and not removing them, which is why Microsoft introduced DNS scavenging, but that causes yet more problems in environments where you have DDNS update optimisation enabled (so DNS record timestamps do not get updated and scavenging deletes valid records), I could go on and on and on about all of this as I've been doing this stuff for years! :-) Don't get me started on DHCIDs and docking stations.
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE