How to configure DHCP server to update DNS zone

Hi,

I noticed the flag(?) “dynamic-dns-update” within the dhcp-server configuration.
I assume it’s a start in order to configure the DHCP server to keep a DNS server updated… but how?

Even if that parameter is not what I think, I’d like to know if there is a way to have the DHCP server of VyOS to update an external DNS server zone with the addresses leased to the DHCP clients.

Thanks in advance for your help

Hello @Matwolf,

With the option dynamic-dns-update, dhcp-server will update the /etc/hosts file on your VyOS router when clients obtain or renew IP addresses.
Maybe you can modify the dhcp-scripts commands to update your DNS records if it supports that via an API. Try to check show log tail 300 when a client is trying to obtain an IP address.

Hi,
Are you talking about RFC 2136 dynamic DNS updates to something like BIND or Knot? I had the same problem when I used an EdgeRouter-X for a short time and this is what I came up with: https://gist.github.com/helushune/1abc37b0e3c90f01300e7ce4c40fe6ab. I have not tested it on VyOS yet but I see that the same command path exists. I was recently in a car collision and am still recovering or I would lab this out for you because I am curious if it works as well.
Edit: If you have any questions about my example, please feel free to ask. It was sending updates for the zone “home.local” with RDNS for 10.1.x.x to a BIND 9 server at 10.1.2.2.

Hi @helushune

I’m referring to updates to a DNS zone (managed by a BIND server) adding hosts which receive IPs from the VyOS dhcp server.

I’ll definitely look into your solution and let you know.

Thanks

Hey @Matwolf

I was able to get some time to lab this out today. I’m pleased to say that my solution for EdgeOS also works on VyOS with some minor modifications. Some caveats:

  • The order of setting the parameters matters. The RNDC key must be declared before the statements that reference it or dhcpd will fail to load.
  • You must use hmac-md5 as the rndc algorithm or the ddns update will fail with "No tsec for use with key ". There’s this bug from 2016 in the CentOS 7 tracker about it but no comments or progress. There may be a workaround for this, I didn’t dig too much into it. I initially tried to use hmac-sha256, ran into the tsec error, found that bug, switched to hmac-md5, and everything was peachy.

The topology I used:

VyOS conf delta-

interfaces {
    ethernet eth1 {
        address 10.0.0.1/24
    }
}
service {
    dhcp-server {
        dynamic-dns-update
        global-parameters "key rndc-key { algorithm hmac-md5; secret <key>; };"
        global-parameters "zone server.test. { primary 10.0.0.5; key rndc-key; }"
        global-parameters "ddns-domainname &quot;server.test.&quot;;"
        global-parameters "ddns-rev-domainname &quot;in-addr.arpa.&quot;;"
        global-parameters "zone 0.10.in-addr.arpa. { primary 10.0.0.5; key rndc-key; }"
        shared-network-name SERVER-TEST {
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 10.0.0.5
                domain-name server.test
                domain-search server.test
                range RANGE0 {
                    start 10.0.0.100
                    stop 10.0.0.200
                }
            }
        }
    }
}

This sends RFC 2136 updates to 10.0.0.5, a FreeBSD 12.1-RELEASE VM running BIND 9.16.9.
In /usr/local/etc/namedb/named.conf:

key "rndc-key" {
 algorithm hmac-md5;
 secret <key>;
};

zone "server.test" {
 type master;
 file "/usr/local/etc/namedb/dynamic/db.server.test";
 allow-update {
  key rndc-key;
 };
};

zone "0.10.in-addr.arpa" {
 type master;
 file "/usr/local/etc/namedb/dynamic/db.0.10";
 allow-update {
  key rndc-key;
 };
};

Both forward and reverse zones are updated appropriately:

It might also be possible to set these under the following stanza instead of globally:
service dhcp-server shared-network-name <name> shared-network-parameters


Curiosity got the best of me and I wanted to know if it was possible to set this up using shared-network-parameters. Yes, it can. This would allow you to configure multiple different RNDC keys and send RFC 2136 updates to different servers per subnet.

To add to the caveat list, service dhcp-server dynamic-dns-update must be set or isc-dhcpd does not attempt to update the forward/reverse mapping.

I tried both 1.2.6 and 1.3-rolling-202010231135.

VyOS config delta-
This config is similar to the one I pasted previously but I moved the RFC 2136 parameters under shared-network-parameters from global-parameters and then created another subnet.

interfaces {
    ethernet eth1 {
        address 10.0.0.1/24
    }
    ethernet eth2 {
        address 172.16.0.1/24
    }
}
service {
    dhcp-server {
        dynamic-dns-update
        shared-network-name SERVER-TEST {
            authoritative
            shared-network-parameters "key rndc-key { algorithm hmac-md5; secret DJaP3k6VvQa4nZW4UTkN0Q==; };"
            shared-network-parameters "ddns-domainname &quot;server.test.&quot;;"
            shared-network-parameters "ddns-rev-domainname &quot;in-addr.arpa.&quot;;"
            shared-network-parameters "zone server.test. { primary 10.0.0.5; key rndc-key; }"
            shared-network-parameters "zone 0.10.in-addr.arpa. { primary 10.0.0.5; key rndc-key; }"
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 10.0.0.5
                domain-name server.test
                domain-search server.test
                range RANGE0 {
                    start 10.0.0.100
                    stop 10.0.0.200
                }
            }
        }
        shared-network-name SERVER-TEST2-172 {
            authoritative
            shared-network-parameters "key oneseventwo-key { algorithm hmac-md5; secret ZnQmJVW11vVUcX3vlKAY7w==; };"
            shared-network-parameters "ddns-domainname &quot;test2.org.&quot;;"
            shared-network-parameters "ddns-rev-domainname &quot;in-addr.arpa.&quot;;"
            shared-network-parameters "zone test2.org. { primary 10.0.0.5; key oneseventwo-key; }"
            shared-network-parameters "zone 16.172.in-addr.arpa. { primary 10.0.0.5; key oneseventwo-key; }"
            subnet 172.16.0.0/24 {
                default-router 172.16.0.1
                dns-server 10.0.0.5
                domain-name test2.org
                domain-search test2.org
                range RANGE0 {
                    start 172.16.0.100
                    stop 172.16.0.200
                }
            }
        }
    }
}

VyOS correctly handles RFC 2136 for both subnets-

Dec 14 19:54:16 vyos isc-dhcp-server[4519]: Starting ISC DHCP server: dhcpd.
Dec 14 19:55:14 vyos dhcpd: DHCPREQUEST for 172.16.0.100 from 0c:c5:f6:1b:95:00 (freebsd) via eth2
Dec 14 19:55:14 vyos dhcpd: DHCPACK on 172.16.0.100 to 0c:c5:f6:1b:95:00 (temp2) via eth2
Dec 14 19:55:14 vyos dhcpd: Added new forward map from temp2.server.test. to 172.16.0.100
Dec 14 19:55:14 vyos dhcpd: Added reverse map from 100.0.16.172.in-addr.arpa. to temp2.server.test.
----
Dec 14 20:11:44 vyos dhcpd: DHCPDISCOVER from 0c:c5:f6:26:08:00 via eth2
Dec 14 20:11:45 vyos dhcpd: DHCPOFFER on 172.16.0.102 to 0c:c5:f6:26:08:00 (temp3) via eth2
Dec 14 20:11:48 vyos dhcpd: DHCPREQUEST for 172.16.0.102 (172.16.0.1) from 0c:c5:f6:26:08:00 (temp3) via eth2
Dec 14 20:11:48 vyos dhcpd: DHCPACK on 172.16.0.102 to 0c:c5:f6:26:08:00 (temp3) via eth2
Dec 14 20:11:48 vyos dhcpd: Added new forward map from temp3.test2.org. to 172.16.0.102
Dec 14 20:11:48 vyos dhcpd: Added reverse map from 102.0.16.172.in-addr.arpa. to temp3.test2.org.
----
Dec 14 22:16:44 vyos dhcpd: DHCPREQUEST for 10.0.0.100 from 0c:c5:f6:7d:87:00 (freebsd) via eth1
Dec 14 22:16:44 vyos dhcpd: DHCPACK on 10.0.0.100 to 0c:c5:f6:7d:87:00 (freebsdone) via eth1
Dec 14 22:16:44 vyos dhcpd: Removed forward map from freebsd.server.test. to 10.0.0.100
Dec 14 22:16:44 vyos dhcpd: Removed reverse map on 100.0.0.10.in-addr.arpa.
Dec 14 22:16:44 vyos dhcpd: Added new forward map from freebsdone.server.test. to 10.0.0.100
Dec 14 22:16:44 vyos dhcpd: Added reverse map from 100.0.0.10.in-addr.arpa. to freebsdone.server.test.
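The dhcpd log lines above are the only confirmation that the updates actually went out, and reading them by eye does not scale past a handful of leases. As an added example (written for this thread, not the poster's code and not part of VyOS, ISC dhcpd or BIND), here is a small Python auditor over constructed log lines in the same syslog format. It checks three things a practitioner would want after enabling dynamic-dns-update: that every DHCPACK is followed by a forward map (the caveat above: without dynamic-dns-update, dhcpd never attempts one), that each reverse map's owner name is really the reversed address of the lease it describes and points at the matching forward name, and that the forward name lands in the ddns-domainname configured for that subnet (the per-shared-network zones from the second config are assumed as the expected mapping). The hostnames, MACs and the two deliberate faults in the sample are invented.

```python
"""Audit ISC dhcpd DDNS log lines for forward/reverse consistency.

Added example for the thread above; not VyOS, dhcpd or BIND code.
"""
import ipaddress
import re

# Expected ddns-domainname per subnet, as configured under
# shared-network-parameters in the second VyOS config (trailing dot as
# dhcpd writes it in the log). This mapping is an assumption of the example.
EXPECTED_ZONE = {
    ipaddress.ip_network("10.0.0.0/24"): "server.test.",
    ipaddress.ip_network("172.16.0.0/24"): "test2.org.",
}

# Constructed sample modelled on the dhcpd syslog format quoted in the thread.
# Faults planted on purpose: "lab-a" on 172.16.0.100 is registered in
# server.test. instead of test2.org. (what a global ddns-domainname would do),
# "quiet" is acked but never gets a DDNS update, and "skewed" gets a PTR owner
# name that does not match its address.
SAMPLE_LOG = """\
Dec 14 19:55:14 vyos dhcpd: DHCPACK on 172.16.0.100 to 0c:c5:f6:00:00:0a (lab-a) via eth2
Dec 14 19:55:14 vyos dhcpd: Added new forward map from lab-a.server.test. to 172.16.0.100
Dec 14 19:55:14 vyos dhcpd: Added reverse map from 100.0.16.172.in-addr.arpa. to lab-a.server.test.
Dec 14 20:11:48 vyos dhcpd: DHCPACK on 172.16.0.102 to 0c:c5:f6:00:00:0b (lab-b) via eth2
Dec 14 20:11:48 vyos dhcpd: Added new forward map from lab-b.test2.org. to 172.16.0.102
Dec 14 20:11:48 vyos dhcpd: Added reverse map from 102.0.16.172.in-addr.arpa. to lab-b.test2.org.
Dec 14 22:16:44 vyos dhcpd: DHCPACK on 10.0.0.100 to 0c:c5:f6:00:00:0c (lab-c) via eth1
Dec 14 22:16:44 vyos dhcpd: Added new forward map from lab-c.server.test. to 10.0.0.100
Dec 14 22:16:44 vyos dhcpd: Added reverse map from 100.0.0.10.in-addr.arpa. to lab-c.server.test.
Dec 14 22:30:01 vyos dhcpd: DHCPACK on 10.0.0.101 to 0c:c5:f6:00:00:0d (quiet) via eth1
Dec 14 22:31:09 vyos dhcpd: DHCPACK on 10.0.0.102 to 0c:c5:f6:00:00:0e (skewed) via eth1
Dec 14 22:31:09 vyos dhcpd: Added new forward map from skewed.server.test. to 10.0.0.102
Dec 14 22:31:09 vyos dhcpd: Added reverse map from 2.0.0.10.in-addr.arpa. to skewed.server.test.
"""

# The hostname in parentheses is absent when the client sends no host-name option.
ACK_RE = re.compile(r"dhcpd: DHCPACK on (\S+) to (\S+)(?: \((\S+)\))? via (\S+)")
FWD_ADD_RE = re.compile(r"dhcpd: Added new forward map from (\S+) to (\S+)")
FWD_DEL_RE = re.compile(r"dhcpd: Removed forward map from (\S+) to (\S+)")
REV_ADD_RE = re.compile(r"dhcpd: Added reverse map from (\S+) to (\S+)")


def ptr_name(ip):
    """Owner name dhcpd should use for the PTR record of `ip`, e.g. 100.0.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def zone_for(ip, expected_zone):
    """Configured ddns-domainname for the subnet containing `ip`, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, zone in expected_zone.items():
        if addr in net:
            return zone
    return None


def audit(log_text, expected_zone=EXPECTED_ZONE):
    """Return a list of human-readable findings; an empty list means the log is consistent."""
    findings = []
    pending = {}   # ip -> hostname for DHCPACKs not yet followed by a forward map
    forward = {}   # fqdn -> ip as announced by "Added new forward map"
    for line in log_text.splitlines():
        if m := ACK_RE.search(line):
            ip, _mac, host, _iface = m.groups()
            pending[ip] = host or "?"
        elif m := FWD_ADD_RE.search(line):
            fqdn, ip = m.groups()
            forward[fqdn] = ip
            pending.pop(ip, None)
            zone = zone_for(ip, expected_zone)
            if zone and not fqdn.endswith("." + zone):
                findings.append(f"forward map {fqdn} -> {ip} is outside the configured zone {zone}")
        elif m := FWD_DEL_RE.search(line):
            fqdn, _ip = m.groups()
            forward.pop(fqdn, None)
        elif m := REV_ADD_RE.search(line):
            owner, target = m.groups()
            ip = forward.get(target)
            if ip is None:
                findings.append(f"reverse map {owner} points at {target}, which has no forward map")
            elif owner != ptr_name(ip):
                findings.append(f"reverse map {owner} should be {ptr_name(ip)} for {target} ({ip})")
    # Leases that were acked but never produced a forward map: DDNS was not attempted
    # (dynamic-dns-update unset) or the update never reached the log.
    for ip, host in pending.items():
        findings.append(f"DHCPACK for {host} ({ip}) was not followed by a DDNS forward map")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Feed it the output of show log tail (or the dhcpd entries from /var/log/messages) and an empty result means every lease ended up with a forward and a matching reverse record in the zone you configured for its subnet; the third check is what turns the global-parameters versus shared-network-parameters difference from the posts above into something you can verify rather than assume.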