93 thoughts on “ISC DHCPd: Dynamic DNS updates against secure Microsoft DNS”

1. Charles Tryon 2012-01-25 at 19:54

   I just loaded the DNS tools under the Remote Server Admin pack on my Windows7 client. Looking at the security settings for my domain, members of the DnsAdmins group should have sufficient permissions.

   One odd thing is that, DHCP now updates the A and PTR records. For the Windows machines though, I see in the system logs that THEY are trying to update their own records. Are those getting denied because I manually entered them (or, dhcpduser added them), so now the machines themselves don’t have permissions to change them???
2. Michael Kuron Post author2012-01-25 at 19:59

   @Charles, Good point: Records created by Windows clients themselves are owned by their computer account, records created by the DHCP server running my script are owned by the account it uses. Only the owner and (I assume) DnsAdmin members have permission to modify DNS records.
   I believe Microsoft has a solution that works the other way round (allow Windows clients to reclaim records owned by the DHCP server) that works by adding the DHCP server user to the DnsUpdateProxy group. However, that obviously won’t solve the problem you’re running into. You could use Group Policy to force the Windows clients not to update their DNS records themselves though.
3. Charles Tryon 2012-01-26 at 23:01

   (Does anyone actually want me to post my slightly modified scripts here? It seems like a lot of content, and I’m not sure how much it will add.)
4. Michael Kuron Post author2012-01-26 at 23:05

   Please do add it. Once both of you get it working properly, I’m going to clean up the comments a bit and maybe update the post with the solutions.
5. Charles Tryon 2012-01-26 at 23:21

   This is my version of the update script. Note that I have moved things to a directory only accessible by “dhcpd” user on the dhcp (Linux) server.

   
#!/bin/bash

   ## CONFIGURATION ##
   realm=BBAGGINS.NET
   principal=dhcpduser@$realm
   keytab=/etc/dhcpd/dhcpduser.keytab
   domain=bbaggins.net
   ns=samba.bbaggins.net

   export KRB5CCNAME="/etc/dhcpd/dhcp-dyndns.cc"

   # keytab can be generated using the Samba4 tool:
   # samba-tool domain exportkeytab /etc/dhcpd/dhcpduser.keytab --principal=dhcpduser

   ## VARIABLES ##
   action=$1
   ip=$2
   name=$(echo $3 | awk -F '.' '{print $1}')
   mac=$4

   usage()
   {
   echo "USAGE:"
   echo $0 add 192.0.2.123 testhost 00:11:22:33:44:55
   echo $0 add 192.168.0.127 "" 00:11:22:44:33:55
   echo $0 delete 192.0.2.123 testhost 00:11:22:33:44:55
   echo $0 delete 192.0.2.127 "" 00:11:22:44:33:55
   }

   if [ "$ip" = "" ]; then
   echo "IP missing"
   usage
   exit 101
   fi
   if [ "$name" = "" ]; then
   name=$(echo $ip | awk -F '.' '{print "dhcp-"$1"-"$2"-"$3"-"$4}')

   if [ "$action" = "delete" ]; then
   name=$(host $ip | awk '{print $5}' | awk -F '.' '{print $1}')

   echo $name | grep NXDOMAIN 2>$1 >/dev/null
   if [ "$?" = "0" ]; then
   exit 0;
   fi
   fi
   fi

   ptr=$(echo $ip | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')

   ## KERBEROS ##
   klist 2>&1 | grep $realm | grep '/' > /dev/null
   if [ "$?" = 1 ]; then
   expiration=0
   else
   expiration=$(klist | grep $realm | grep '/' | awk -F ' ' '{system ("date -d \""$2"\" +%s")}' | sort | head -n 1)
   fi

   now=$(date +%s)
   if [ "$now" -ge "$expiration" ]; then
   echo "Getting new ticket, old one expired $expiration, now is $now"
   kinit -F -k -t $keytab $principal
   fi

   ## NSUPDATE ##
   case "$action" in
   add)
   echo "Setting $name.$domain to $ip on $ns ($ptr)"

   oldname=$(host $ip $ns | grep "domain name pointer" | awk '{print $5}' | awk -F '.' '{print $1}')
   if [ "$oldname" = "" ]; then
   oldname=$name
   elif [ "$oldname" = "$name" ]; then
   oldname=$name
   else
   echo "Also deleting $oldname A record"
   fi

   nsupdate -g \<\<UPDATE
   server $ns
   realm $realm
   update delete $oldname.$domain 3600 A
   update delete $name.$domain 3600 A
   update add $name.$domain 3600 A $ip
   send
   UPDATE
   result1=$?
   nsupdate -g \<\<UPDATE
   server $ns
   realm $realm
   update delete $ptr 3600 PTR
   update add $ptr 3600 PTR $name.$domain
   send
   UPDATE
   result2=$?
   ;;

   delete)
   echo "Deleting $name.$domain to $ip on $ns"
   nsupdate -g \<\<UPDATE
   server $ns
   realm $realm
   update delete $name.$domain 3600 A
   send
   UPDATE
   result1=$?
   nsupdate -g \<\<UPDATE
   server $ns
   realm $realm
   update delete $ptr 3600 PTR
   send
   UPDATE
   result2=$?
   ;;
   *)
   echo "Invalid action specified"
   exit 103
   ;;
   esac

   result=$result1$result2
   if [ "$result" != "00" ]; then
   echo "DHCP-DNS Update failed: $result"
   logger "DHCP-DNS Update failed: $result"
   fi

   exit $result

6. Sergey Urushkin 2012-02-28 at 19:15

   There is a security hole in your configuration: anyone who can connect network device to your network can take domain name of any another machine by sending dhcp request with hostname of attaked machine (which domain name has been published by dhcpd). To close this hole you should use rfc4701 (for every dns update special TXT record is added which contain hash of a DHCID and fqdn of a host), isc-dhcpd uses similar logic to secure ddns updates. I also upgrade your script to use logic similar to this RFC and rewrite it to minimize sys resources used for updates (no needless forks, bash -> sh). I can publish it if you need.
7. Michael Kuron Post author2012-02-28 at 19:31

   Hi Sergey,

   I am aware of that issue, but never considered it worth mentioning since Microsoft’s DHCP Server (which we’re trying to emulate with this method) has the exact same issue, as do most other DHCP servers that do dynamic DNS. As far as I can tell, even RFC 4701 is susceptible to spoofed MAC addresses (and probably other scenarios), so I wouldn’t give too much thought to it. I suppose we could do stuff like pinging a DNS record’s IP address and only update the DNS record if we don’t get replies (to check whether somebody is trying to steal another client’s name), but that’s not fully secure either.

   The take-home message should probably be: always use static DNS records for your servers etc. (dhcpd doesn’t have permission to overwrite those) and don’t use clients’ dynamic DNS records for critical stuff. If you need optimum security, do not run dynamic DNS with your DHCP server at all, but instead have your clients take care of updating their own DNS records (authenticated by their Kerberos machine accounts).

   However, please do post your updated script, I’d be interested to see how you solved it. Thanks for optimizing it — it was a quick solution that works nicely, but as you said, it doesn’t optimally use system resources.
8. Sergey Urushkin 2012-02-29 at 08:22

   You are right, Michael, but using TXT records seems more secure to me. Anyway, you can disable creating and checking TXT RRs at the top of my script.
   http://pastebin.com/GY333pmr

   CHANGES:
   * You can choose: use similar to RFC 4701 algorithm or not
   * bash -> sh – no reason for using heavy bash; compatibility
   * DNS server failover
   * use simplified kinit logic (you can choose heimdal/mit)
   * DNS RRs TTL can be changed
   * no adding records for hosts that don’t send hostname – I can’t find any reason for doing it
   * since it uses TXT RRs, no secure “on expiry” event could be done, so if you use TXT RRs, remove “on expiry” event from your dhcpd.conf. Also, args order is changed:
   on commit {
   set ClientIP = binary-to-ascii(10, 8, “.”, leased-address);
   set ClientDHCID = binary-to-ascii(16, 8, “:”, hardware);
   set ClientName = pick-first-value(option host-name, host-decl-name);
   execute(“/etc/dhcp/dhcp-krbnsupdate.sh”, “add”, ClientIP, ClientDHCID, ClientName);
   }

   on release {
   set ClientIP = binary-to-ascii(10, 8, “.”, leased-address);
   set ClientDHCID = binary-to-ascii(16, 8, “:”, hardware);
   execute(“/etc/dhcp/dhcp-krbnsupdate.sh”, “delete”, ClientIP, ClientDHCID);
   }

   * some other changes and optimizations
9. Michael Kuron Post author2012-02-29 at 08:58

   I mirrored Sergey’s version of the script here.
10. Bill Smith 2012-02-29 at 21:43

    I am beginning to think i am the only one who cant get this to work 🙁
11. Sergey Urushkin 2012-03-01 at 12:37

    Hi, Michael.

    Here is my improved script:
    http://pastebin.com/cNeVQdh3

    CHANGES:
    * the main part of the script runs in the background by default (it’s about your EDIT 2011-11-17), but you can manually run it in the foreground by using “-d” as the first argument (see _usage)
    * now all results of an update are logged via logger (if no -d option)
    * some other bugfixes and improvements
12. Michael Kuron Post author2012-03-01 at 12:39

    Thanks, mirrored here.
13. Bill Smith 2012-03-01 at 15:55

    ok i am going to try this one more time but, before I do, can I just ask (to make sure):

    1) The Windows AD server is 2008 R2?
    2) Nothing has been done to Windows with regards to Kerberos Authentication?
    3) The Windows User Account used is an ordinary account i.e. it is not an administrator nor is it mapped to a service?
    4) The keytab is generated on the Windows server?
    5) The DHCP server is just a DHCP server – it is not running BIND or SAMBA?
    6) The DHCP Server is not a member of the Windows Domain?
    7) The Windows DNS server is in Secure Update Only mode?

    Cheers

    Bill
14. Michael Kuron Post author2012-03-01 at 16:30

    Yes to all except for 4. I used ktutil on Linux to write the keytab (as documented in the comments at the top of my script).
15. Mario 2012-04-26 at 22:44

    Hi, Please, Could you give me a hand with this issue?

    When a I use “nsupdate -g” option I get this error

    “nsupdate: cannot specify -g or -o, program not linked with GSS API Library”

    Do you have any idea what is happening?

    Thanks in advance.!

    Mario
16. Michael Kuron Post author2012-04-27 at 07:32

    @Mario: what the message says: you need to recompile nsupdate with the proper build option so that it links to the Kerberos library, which you also need to install.
17. Patrick Emer 2012-09-19 at 22:19

    Try this:

    set ClientIP = binary-to-ascii(10, 8, “.”, leased-address);
    set ClientMac = binary-to-ascii(16, 8, “:”, substring(hardware, 1, 6));
    set ClientAltname = “none”;
    set ClientName = pick-first-value( host-decl-name, ClientAltname) ;
    log(debug, concat(“Commit: IP: “, ClientIP, ” Mac: “, ClientMac, “Name:”, ClientName));
    execute(“/usr/bin/test_dhcp”, “commit”, ClientIP, ClientMac, ClientName);
18. Domz 2012-10-21 at 01:11

    Thanks a lot for posting this it helped me a lot.

    I think the contents in dhcp-dyndns.sh should be updated to be

    $(dirname $0)/dhcp-dyndns-real.sh $@ 2>&1 | logger &
    ^^

    instead of

    $(dirname $0)/dhcp-dyndns.sh $@ 2>&1 | logger &
19. Daniele 2012-12-20 at 10:00

    Hi, I’m trying to set up isc-dhcp-server with samba4 internal dns but it seems that I cant get ig working due to some TSIG failures.

    I created dhcpduser with samba-tool user add dhcpduser PaSsWoRd –use-username-as-cn
    I exported the keytab with samba-tool domain exportkeytab /etc/dhcp/dhcpduser.keytab –principal=dhcpduser and this is it’s content
    # ktutil -k /etc/dhcp/dhcpduser.keytab list
    /etc/dhcp/dhcpduser.keytab:

    Vno Type Principal Aliases
    1 des-cbc-crc dhcpduser@SAITEL.LOC
    1 des-cbc-md5 dhcpduser@SAITEL.LOC
    1 arcfour-hmac-md5 dhcpduser@SAITEL.LOC

    # export KRB5CCNAME=/tmp/dhcpd.krb5cc
    # kinit -k -t /etc/dhcp/dhcpduser.keytab dhcpduser
    # klist
    Credentials cache: FILE:/tmp/dhcpd.krb5cc
    Principal: dhcpduser@SAITEL.LOC

    Issued Expires Principal
    Dec 20 09:55:08 Dec 20 19:55:08 krbtgt/SAITEL.LOC@SAITEL.LOC

    Trying to run manually the script I get this
    # ./dhcp-krbnsupdate.sh -d add 192.168.12.149 1:0:22:43:1b:9f:b2 alaska
    dns_tkey_negotiategss: TKEY is unacceptable
    ; TSIG error with server: tsig verify failure
    ; TSIG error with server: tsig verify failure
    DDNS: adding records for 192.168.12.149 (alaska.saitel.loc) FAILED: nsupdate status 2

    running again klist it has changed
    # klist
    Credentials cache: FILE:/tmp/dhcpd.krb5cc
    Principal: dhcpduser@SAITEL.LOC

    Issued Expires Principal
    Dec 20 09:55:08 Dec 20 19:55:08 krbtgt/SAITEL.LOC@SAITEL.LOC
    Dec 20 09:56:36 Dec 20 19:55:08 DNS/kdc02.saitel.loc@SAITEL.LOC

    Can you please help me in solving this issue?

    Thanks,
    Daniele
20. Robert 2013-02-05 at 14:45

    Just an hint for someone else who stumbles across the same problem, if you’re using Samba 4 as an AD DC, then kinit with the keytab created in the script instructions above won’t work as samba4 doesn’t seem to like the encryption type. Use

    -e arcfour-hmac-md5 with the addent command instead.
21. Oleg Sh 2013-11-15 at 08:17

    That`s very interesting problem. Got some similar situation with Samba 4.08 …. how affairs are with a work of that decision?
22. Oleg Sh 2013-11-18 at 08:15

    Hi to all!
    I`m testing the idea on FreeBSD 9.2 + Samba 4.08 system and the script returned the error:

    # ./dhcp-krbnsupdate.sh add 192.168.0.8 ee:0c:f9:6f:7c:b2 tester
    ./dhcp-krbnsupdate.sh: sha256sum: not found
    nsupdate: cannot specify -g or -o, program not linked with GSS API Library
    GSS-TSIG DNS update failed: 1

    But the value of environ NSUPDFLAGS=”-g”
    What must i do for a register nsupdate on to GSS API Library? And what must i do with a sha256sum….

    Hope for a help
23. Oleg Sh 2013-11-18 at 08:43

    I am sorry for my importunity….
    Try to use another version of the script (that mirrored here
    http://www.kuron-germany.de/michael/blog/wp-content/uploads/2012/03/dhcpdns-sergey2.txt )
    And received almost same error
    root@Dn:/usr/local/etc/dhcp # ./dhcp-krbnsupdate.sh add 192.168.0.8 ee:0c:f9:6f:7c:b2 tester
    root@Dn:/usr/local/etc/dhcp # nsupdate: cannot specify -g or -o, program not linked with GSS API Library
    dhcpd: DDNS: adding records for 192.168.0.8 (tester.smbdomain.local) FAILED: nsupdate status 1
24. Michael Kuron Post author2013-11-18 at 08:51

    Recompile Bind (which includes nsupdate) with Kerberos/GSSAPI support.
25. Oleg Sh 2013-11-25 at 13:49

    Thanks. I recompiled Bind
    BIND 9.9.4 (Extended Support Version) built with ‘–disable-chroot’ ‘–with-gssapi=/usr/local/gssapi’ ‘–with-dlopen=yes’ ‘–with-dlz-bdb’
    using OpenSSL version: OpenSSL 0.9.8y 5 Feb 2013
    using libxml2 version: 2.8.0

    But now, got an errors:
    Nov 23 18:30:41 Dn named[40240]: samba_dlz: ldb: module schema_load initialization failed : No such object
    Nov 23 18:30:41 Dn named[40240]: samba_dlz: ldb: module rootdse initialization failed : No such object
    Nov 23 18:30:41 Dn named[40240]: samba_dlz: ldb: module samba_dsdb initialization failed : No such object
    Nov 23 18:30:41 Dn named[40240]: samba_dlz: ldb: Unable to load modules for /var/db/samba4/private/dns/sam.ldb: (null)
    Nov 23 18:30:41 Dn named[40240]: samba_dlz: Failed to connect to /var/db/samba4/private/dns/sam.ldb

    The LDAP service is on, and ldapsearch returns the correct reply
    I didn’t find some documentation about this question for FreeBSD. I think that a problem in wrappers of daemons…. But what must i do?
26. Michael Kuron Post author2013-11-25 at 13:53

    Looks like the Bind you compiled now doesn’t include the Samba 4 stuff. Sorry, I can’t help with that, having never used Samba 4. May you can keep the nsupdate binary from your recompiled Bind but revert to the original Bind with working Samba support.
27. Nerijus Baliunas 2013-11-29 at 02:06

    I created dhcpd.keytab:
    # ktutil
    ktutil: addent -password -p dhcpduser@EXAMPLE.LT -k 1 -e aes256-cts-hmac-sha1-96
    Password for dhcpduser@EXAMPLE.LT:
    ktutil: wkt dhcpd.keytab
    ktutil: q

    But the script fails at:
    kinit -k -t /etc/dhcp/dhcpd.keytab -c /tmp/krb5cc_0 dhcpduser@EXAMPLE.LT
    kinit: Generic preauthentication failure while getting initial credentials

    The following works after I enter correct password:
    # kinit dhcpduser@EXAMPLE.LT
    Password for dhcpduser@EXAMPLE.LT:
28. Nerijus Baliunas 2013-11-29 at 02:16

    Oops, sorry, I uncommented the following (I use Sergey’s script):
    # Use MIT kerberos args instead of heimdal.
    KRB5MIT=”YES”

    and the script worked until:
    + KLISTARG=-s
    + klist -s
    + for NSRV in ‘$NSRVS’
    + nsupdate -g
    ; TSIG error with server: tsig verify failure

    CentOS 6.4, bind 9.8.2, krb5 1.10.3, Windows 2003 server.
29. Nerijus Baliunas 2013-11-29 at 02:45

    Oops for the 2nd time, actually I had “Nonsecure and secure” set for Dynamic updates in Windows DNS server settings. After setting “Secure only” everything works! Thanks a lot.
30. Nico Speelman 2014-01-08 at 15:48

    I’ve adapted Sergey’s script to also be able to handle IPv6, but it still defaults to IPv4. I’ve also adapted the input. Usage now is:

    dns-krbnsupdate.sh add ip-address -h hostname [-m dhcid|mac-address] [-p IP version | –ipv4 | –ipv6] [-t dns-ttl] [-d]
    dns-krbnsupdate.sh delete ip-address [-m dhcid|mac-address] [-p IP version | –ipv4 | –ipv6]

    The MAC address/DHCID will only be mandatory when NOTXTRRS is set to NO.

    http://pastebin.com/wmWuXqdE
31. Nico Speelman 2014-01-08 at 15:50

    ps. I forgot to mention that Samba4 with a Bind backend at this moment cancels the deletion of AAAA records. This is likely a Samba or Bind bug, but I have not been able to track this down to the specific piece of software.
32. Olivier PIETREMONT 2014-07-04 at 17:27

    Hi,

    I have a little problem with the Sergey’s script ! When I run manualy the script, like ./dhcp-dyndns.sh add 10.82.120.130 aa:bb:cc:dd:ee:ff test2, I have a bad return :
    Check your Kerberos ticket, it may have expired.
    dhcpd: DDNS: adding records for 10.82.120.130 (test2.my.lan) FAILED: nsupdate status 1

    So I check the part about nsupdate and I have this :
    server server.my.lan
    realm MY.LAN
    update delete test2.my.lan. 3600 A
    ;update delete test2.my.lan. 3600 TXT
    ;update add test2.my.lan. 3600 TXT
    update add test2.my.lan. 3600 A 10.82.120.130
    send
    update delete 130.120.82.10.in-addr.arpa. 3600 PTR
    update add 130.120.82.10.in-addr.arpa. 3600 PTR test2.my.lan.
    send
    (obviously the domain MY.LAN and the server is not the real value).

    I use it manualy with nsupdate -g and I have no error, my new record appear in my DNS server.

    What’s the problem ?

    Configuration :
    _DHCP server : Debian
    _DNS server : Windows 2008R2
    _dnsutils with gss support : Ok.
    _kinit with dhcpduser : Ok.

    Thank for your help.

    Olivier.
33. Olivier PIETREMONT 2014-07-07 at 17:40

    Hi,

    I solved my problem, I didn’t use the right path for the ticket cache.
    So I take the path show with klist.

    bye,

    Olivier.
34. Ilsa Loving 2014-08-15 at 22:31

    Has anybody been able to get this working with selinux? As it stands, the script will not execute properly because none of the contexts are set, and you end up with strange ‘permission denied’ errors.

    I’m trying to figure out what needs to be done, but if someone else has already crossed that bridge I would be greatful.
35. Richard Limanowski 2015-01-23 at 08:18

    I am trying to let dnsmasq update samba4 DNS with nsupdate
    from a WR1043N/ND v2 box running OpenWrt Barrier Breaker 14.07 / LuCI Trunk (0.12+svn-r10530)
    but get “program not linked with GSS API Library” 😐
    Does anybody have suiting nsupdate version or at least config file to make the OpenWrt image?

36. Pingback: Wildcard DNS entries for DHCP leases

37. Trevor Seward 2016-03-24 at 00:43

    I have this working great for non-domain joined clients (DHCP piece works for domain-joined, too), although using Sergey Urushkin’s script as I need IPv6 support. In a Windows environment, the DHCP Client service on Windows will attempt to register DNS with AD DNS directly, thus the client computer account owns the record, rather than the proxy user specified in the keytab. I don’t want to disable the client computers from updating their own records, but is there a way to prevent the script from attempting to update these records? It’s more or less about syslog spam, not critical for functionality.

    Another question I have is when the ticket expires for the user within the keytab, is it updated automatically, or is that a separate process that must be put in place? If so, how?
38. 3ronco 2016-09-18 at 00:06

    nice! thx … that script was exactly what i was looking.

    It sets forward and reverse records and optionally TXT records but another case could be a dumb forward only record when you aren’t authoritative for reverse entries eg. receiving an IP via DHCP from your provider’s WAN interface and giving your gateway a useful name inside your local net then the forward update works but on the reverse entry nsupdate gives you: “response to SOA query was unsuccessful” and that’s logically expectable, so i extended the “add)” case by:

    […]
    ## NSUPDATE ##
    case “${ACTION}” in
    add|add-forward-only)
    […]

    and when “add-forward-only” is selected then only forward updates are sent:

    […]
    NOPTR=””
    [ “${ACTION}” == “add-forward-only” ] && NOPTR=”;”

    for NSRV in ${NSRVS}; do
nsupdate -g ${NSUPDFLAGS} << UPDATE


    server ${NSRV}
    realm ${REALM}
    ${NOTXTRRS}update delete ${RRPTR}. ${RRTTL} TXT
    ${NOTXTRRS}update add ${RRPTR}. ${RRTTL} TXT ${RRTXT}
    ${NOTXTRRS}send
    update delete ${RRPTR}. ${RRTTL} ${RECNAME}
    update add ${RRPTR}. ${RRTTL} ${RECNAME} ${IP}
    send
    ${NOPTR}update delete ${RRPTRNAME}. ${RRTTL} PTR
    ${NOPTR}update add ${RRPTRNAME}. ${RRTTL} PTR ${NAME}.${DOMAIN}.
    ${NOPTR}send
    UPDATE
    […]

    Another thing is the ktutil util setup described in ## CONFIGURATION ## which didn’t work for me, so i used another approach which works too, to get a principal do on the windows PDC in a shell prompt:

    ktpass -princ SERVICENAME/[HOST].[FQDN]@REALM -mapuser DOMAIN\AD_USER -pass password -out DESIRED_FILENAME.keytab -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

    where SERVICENAME=”DNS” which is obvious and [HOST].[FQDN] is the machine that is executing the script and DOMAIN\AD_USER is the user who is allowed to do dns update on the windows dns server.

39. Pingback: Using a BIND DNS server in an Active Directory Environment | Michael Kuron's Blog

40. CyberIT 2017-09-13 at 14:23

    Unable to add reverse map from x.x.x.x.in-addr.arpa to server.example.com: tsig verify failure

    not understanding why Im getting tsig verify failure.
41. CyberIT 2017-09-13 at 21:26

    principal=dhcpduser@$realm is this an actual user on the domain?

42. Pingback: Samba4 internal DNS and isc-dhcp zone update – Blog SatoHost

43. Pingback: Can I run a Ubuntu and Windows DHCP / DNS Server together in the same network? – Config9.com