How to configure DHCP server to update DNS zone

Hi,

I noticed the flag(?) “dynamic-dns-update” within the dhcp-server configuration.
I assume it’s a start in order to configure the DHCP server to keep a DNS server updated… but how?

Even if that parameter is not what I think, I’d like to know if there is a way to have the DHCP server of VyOS to update an external DNS server zone with the addresses leased to the DHCP clients.

Thanks in advance for your help

Hello @Matwolf,

With option dynamic-dns-update, dhcp-server will update the /etc/hosts file on your VyOS router when clients obtain/renew IP addresses.
Maybe you can modify the dhcp-scripts commands to update your DNS records if it supports it via API. Try to check show log tail 300 when a client is trying to obtain an IP address.

Hi,
Are you talking about RFC 2136 dynamic dns updates to something like BIND or Knot? I had the same problem when I used an EdgeRouter-X for a short time and this is what I came up with: https://gist.github.com/helushune/1abc37b0e3c90f01300e7ce4c40fe6ab. I have not tested it on VyOS yet but I see that the same command path exists. I was recently in a car collision and am still recovering or I would lab this out for you because I am curious if it works as well.
Edit: If you have any questions about my example, please feel free to ask. It was sending updates for the zone “home.local” with RDNS for 10.1.x.x to a BIND 9 server at 10.1.2.2.

Hi @helushune

I’m referring to updates to a DNS zone (managed by a BIND server) adding hosts which receives IPs from the VyOS dhcp server.

I’ll definitely look into your solution and let you know.

Thanks

Hey @Matwolf

I was able to get some time to lab this out today. I’m pleased to say that my solution for EdgeOS also works on VyOS with some minor modifications. Some caveats:

  • The order of setting the parameters matters. The RNDC key must be declared before the statements that reference it or dhcpd will fail to load.
  • You must use hmac-md5 as the rndc algorithm or the ddns update will fail with "No tsec for use with key ". There’s this bug from 2016 in the CentOS 7 tracker about it but no comments or progress. There may be a workaround for this, I didn’t dig too much into it. I initially tried to use hmac-sha256, ran into the tsec error, found that bug, switched to hmac-md5, and everything was peachy.

The topology I used:

VyOS conf delta-

interfaces {
    ethernet eth1 {
        address 10.0.0.1/24
    }
}
service {
    dhcp-server {
        dynamic-dns-update
        global-parameters "key rndc-key { algorithm hmac-md5; secret <key>; };"
        global-parameters "zone server.test. { primary 10.0.0.5; key rndc-key; }"
        global-parameters "ddns-domainname &quot;server.test.&quot;;"
        global-parameters "ddns-rev-domainname &quot;in-addr.arpa.&quot;;"
        global-parameters "zone 0.10.in-addr.arpa. { primary 10.0.0.5; key rndc-key; }"
        shared-network-name SERVER-TEST {
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 10.0.0.5
                domain-name server.test
                domain-search server.test
                range RANGE0 {
                    start 10.0.0.100
                    stop 10.0.0.200
                }
            }
        }
    }
}

Which is sending RFC 2136 updates to 10.0.0.5; FreeBSD 12.1-RELEASE VM running BIND 9.16.9.
In /usr/local/etc/namedb/named.conf:

key "rndc-key" {
 algorithm hmac-md5;
 secret <key>;
};

zone "server.test" {
 type master;
 file "/usr/local/etc/namedb/dynamic/db.server.test";
 allow-update {
  key rndc-key;
 };
};

zone "0.10.in-addr.arpa" {
 type master;
 file "/usr/local/etc/namedb/dynamic/db.0.10";
 allow-update {
  key rndc-key;
 };
};

Both forward and reverse zones are updated appropriately:

It might be possible to also set under these following stanza and not set globally:
service dhcp-server shared-network-name <name> shared-network-parameters


Curiosity got the best of me and I wanted to know if it was possible to set this up using shared-network-parameters. Yes, it can. This would allow you to configure multiple different RNDC keys and send RFC 2136 updates to different servers per subnet.

To add to the caveat list, service dhcp-server dynamic-dns-update must be set or isc-dhcpd does not attempt to update the forward/reverse mapping.

I tried both 1.2.6 and 1.3-rolling-202010231135.

VyOS config delta-
This config is similar to the one I pasted previously but I moved the RFC 2136 parameters under shared-network-parameters from global-parameters and then created another subnet.

interfaces {
    ethernet eth1 {
        address 10.0.0.1/24
    }
    ethernet eth2 {
        address 172.16.0.1/24
    }
}
service {
    dhcp-server {
        dynamic-dns-update
        shared-network-name SERVER-TEST {
            authoritative
            shared-network-parameters "key rndc-key { algorithm hmac-md5; secret DJaP3k6VvQa4nZW4UTkN0Q==; };"
            shared-network-parameters "ddns-domainname &quot;server.test.&quot;;"
            shared-network-parameters "ddns-rev-domainname &quot;in-addr.arpa.&quot;;"
            shared-network-parameters "zone server.test. { primary 10.0.0.5; key rndc-key; }"
            shared-network-parameters "zone 0.10.in-addr.arpa. { primary 10.0.0.5; key rndc-key; }"
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 10.0.0.5
                domain-name server.test
                domain-search server.test
                range RANGE0 {
                    start 10.0.0.100
                    stop 10.0.0.200
                }
            }
        }
        shared-network-name SERVER-TEST2-172 {
            authoritative
            shared-network-parameters "key oneseventwo-key { algorithm hmac-md5; secret ZnQmJVW11vVUcX3vlKAY7w==; };"
            shared-network-parameters "ddns-domainname &quot;test2.org.&quot;;"
            shared-network-parameters "ddns-rev-domainname &quot;in-addr.arpa.&quot;;"
            shared-network-parameters "zone test2.org. { primary 10.0.0.5; key oneseventwo-key; }"
            shared-network-parameters "zone 16.172.in-addr.arpa. { primary 10.0.0.5; key oneseventwo-key; }"
            subnet 172.16.0.0/24 {
                default-router 172.16.0.1
                dns-server 10.0.0.5
                domain-name test2.org
                domain-search test2.org
                range RANGE0 {
                    start 172.16.0.100
                    stop 172.16.0.200
                }
            }
        }
    }
}

VyOS correctly handles RFC 2136 for both subnets-

Dec 14 19:54:16 vyos isc-dhcp-server[4519]: Starting ISC DHCP server: dhcpd.
Dec 14 19:55:14 vyos dhcpd: DHCPREQUEST for 172.16.0.100 from 0c:c5:f6:1b:95:00 (freebsd) via eth2
Dec 14 19:55:14 vyos dhcpd: DHCPACK on 172.16.0.100 to 0c:c5:f6:1b:95:00 (temp2) via eth2
Dec 14 19:55:14 vyos dhcpd: Added new forward map from temp2.server.test. to 172.16.0.100
Dec 14 19:55:14 vyos dhcpd: Added reverse map from 100.0.16.172.in-addr.arpa. to temp2.server.test.
----
Dec 14 20:11:44 vyos dhcpd: DHCPDISCOVER from 0c:c5:f6:26:08:00 via eth2
Dec 14 20:11:45 vyos dhcpd: DHCPOFFER on 172.16.0.102 to 0c:c5:f6:26:08:00 (temp3) via eth2
Dec 14 20:11:48 vyos dhcpd: DHCPREQUEST for 172.16.0.102 (172.16.0.1) from 0c:c5:f6:26:08:00 (temp3) via eth2
Dec 14 20:11:48 vyos dhcpd: DHCPACK on 172.16.0.102 to 0c:c5:f6:26:08:00 (temp3) via eth2
Dec 14 20:11:48 vyos dhcpd: Added new forward map from temp3.test2.org. to 172.16.0.102
Dec 14 20:11:48 vyos dhcpd: Added reverse map from 102.0.16.172.in-addr.arpa. to temp3.test2.org.
----
Dec 14 22:16:44 vyos dhcpd: DHCPREQUEST for 10.0.0.100 from 0c:c5:f6:7d:87:00 (freebsd) via eth1
Dec 14 22:16:44 vyos dhcpd: DHCPACK on 10.0.0.100 to 0c:c5:f6:7d:87:00 (freebsdone) via eth1
Dec 14 22:16:44 vyos dhcpd: Removed forward map from freebsd.server.test. to 10.0.0.100
Dec 14 22:16:44 vyos dhcpd: Removed reverse map on 100.0.0.10.in-addr.arpa.
Dec 14 22:16:44 vyos dhcpd: Added new forward map from freebsdone.server.test. to 10.0.0.100
Dec 14 22:16:44 vyos dhcpd: Added reverse map from 100.0.0.10.in-addr.arpa. to freebsdone.server.test.
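As an added check (not part of the original post), this script audits dhcpd log lines of the shape quoted above: it confirms that each PTR name decodes back to the address of a forward map and that each registered name lands in the zone configured for the lease's subnet. The sample lines and the subnet-to-zone table are constructed from the values in the thread; the first temp2 line, which lands in server.test. from the 172.16.0.0/24 subnet, is the case it flags.

```python
import ipaddress
import re

# Constructed sample: lines in the shape of the dhcpd syslog entries quoted in the thread.
SAMPLE_LOG = """\
Dec 14 19:55:14 vyos dhcpd: Added new forward map from temp2.server.test. to 172.16.0.100
Dec 14 19:55:14 vyos dhcpd: Added reverse map from 100.0.16.172.in-addr.arpa. to temp2.server.test.
Dec 14 20:11:48 vyos dhcpd: Added new forward map from temp3.test2.org. to 172.16.0.102
Dec 14 20:11:48 vyos dhcpd: Added reverse map from 102.0.16.172.in-addr.arpa. to temp3.test2.org.
Dec 14 22:16:44 vyos dhcpd: Added new forward map from freebsdone.server.test. to 10.0.0.100
Dec 14 22:16:44 vyos dhcpd: Added reverse map from 100.0.0.10.in-addr.arpa. to freebsdone.server.test.
"""

# Forward zone each subnet is expected to register into (the thread's per-subnet ddns-domainname).
SUBNET_ZONES = {
    ipaddress.ip_network("10.0.0.0/24"): "server.test.",
    ipaddress.ip_network("172.16.0.0/24"): "test2.org.",
}

FWD_RE = re.compile(r"Added new forward map from (\S+) to (\d+(?:\.\d+){3})$")
REV_RE = re.compile(r"Added reverse map from (\S+) to (\S+)$")


def ptr_to_ip(ptr_name):
    """Turn '100.0.16.172.in-addr.arpa.' back into '172.16.0.100'; None if malformed."""
    labels = ptr_name.rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))


def audit_ddns_log(text, subnet_zones):
    """Return a list of human-readable findings; an empty list means every map is consistent."""
    findings = []
    forward = {}  # ip -> fqdn, as seen in forward-map lines
    for line in text.splitlines():
        m = FWD_RE.search(line)
        if m:
            fqdn, ip = m.groups()
            forward[ip] = fqdn
            addr = ipaddress.ip_address(ip)
            zone = next((z for net, z in subnet_zones.items() if addr in net), None)
            if zone is None:
                findings.append(f"{ip}: no zone configured for this lease's subnet")
            elif not fqdn.endswith("." + zone):
                findings.append(f"{ip}: {fqdn} registered outside expected zone {zone}")
            continue
        m = REV_RE.search(line)
        if m:
            ptr, target = m.groups()
            ip = ptr_to_ip(ptr)
            if ip is None:
                findings.append(f"{ptr}: malformed PTR name")
            elif forward.get(ip) != target:
                findings.append(f"{ptr}: PTR points to {target}, forward map says {forward.get(ip)}")
    return findings
```

Run it over the output of show log tail 300 on the router to catch leases that registered under the wrong zone or whose PTR drifted from the forward record.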

Hi @helushune ,

Thanks for posting your lab test. Your explanation and the test result you have posted have been very helpful.

I do have one area which I can’t seem to figure out and it’s related to the RNDCKEY.

The secret key used in the above line: how was it generated? And does this key need to be configured on the DNS server?

Thanks.

Hi there. There are multiple ways you can generate the key; I typically use dnssec-keygen or rndc-confgen, but anything that generates an HMAC-MD5 key should work.

Yes, the key needs to be present in both configs with the same name. Eg, I can’t call it “rndckey.” in VyOS but have it called “dhcpkey.” in Knot/BIND.

I hope this helps.

EDIT:
In this post I give an example of using the rndc-key with BIND’s config. If you’re using BIND, the stanzas are slightly different than the rest of the configuration format. In Knot, it’s standard YAML.

Hi @helushune ,

The additional info is really helpful. You have validated my thinking before I went into a rabbit hole.

Thanks.


I finally found some time to myself and got this working.

Thanks again.