ISC DHCPd is capable of Dynamic DNS updates against servers like BIND that support shared-key authentication or any other server that supports unauthenticated updates (such as BIND or Microsoft DNS with secure updates disabled).
So, what to do if you want to run ISC DHCPd on your Windows network, which is obviously running Microsoft’s DNS server? BIND’s nsupdate tool supports Microsoft’s Kerberos authentication scheme when using the -g flag (the -o flag is only necessary for Windows 2000 Server, but not anymore for Windows Server 2008 R2), and DHCPd supports on commit/release/expiry blocks that let you run scripts upon these events. So here is my script:
#!/bin/bash
## CONFIGURATION ##
realm=EXAMPLE.COM
principal=dhcpduser@$realm
keytab=/root/dhcpduser.keytab
domain=example.com
ns=example-domain01.example.com
export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
# keytab can be generated using
# $ ktutil
# ktutil: addent -password -p dhcpduser@EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
# Password for dhcpduser@EXAMPLE.COM:
# ktutil: wkt dhcpduser.keytab
# ktutil: quit
## VARIABLES ##
action=$1
ip=$2
name=$(echo $3 | awk -F '.' '{print $1}')
mac=$4
usage()
{
echo "USAGE:"
echo $0 add 192.0.2.123 testhost 00:11:22:33:44:55
echo $0 add 192.168.0.127 "" 00:11:22:44:33:55
echo $0 delete 192.0.2.123 testhost 00:11:22:33:44:55
echo $0 delete 192.0.2.127 "" 00:11:22:44:33:55
}
if [ "$ip" = "" ]; then
echo "IP missing"
usage
exit 101
fi
if [ "$name" = "" ]; then
#echo "name missing"
#usage
#exit 102
name=$(echo $ip | awk -F '.' '{print "dhcp-"$1"-"$2"-"$3"-"$4}')
if [ "$action" = "delete" ]; then
name=$(host $ip | awk '{print $5}' | awk -F '.' '{print $1}')
echo $name | grep NXDOMAIN 2>$1 >/dev/null
if [ "$?" = "0" ]; then
exit 0;
fi
fi
fi
ptr=$(echo $ip | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')
## KERBEROS ##
#export LD_LIBRARY_PATH=/usr/local/krb5-1.7/lib
#export PATH=/usr/local/krb5-1.7/bin:$PATH
klist 2>&1 | grep $realm | grep '/' > /dev/null
if [ "$?" = 1 ]; then
expiration=0
else
expiration=$(klist | grep $realm | grep '/' | awk -F ' ' '{system ("date -d \""$2"\" +%s")}' | sort | head -n 1)
fi
now=$(date +%s)
if [ "$now" -ge "$expiration" ]; then
echo "Getting new ticket, old one expired $expiration, now is $now"
kinit -F -k -t $keytab $principal
fi
## NSUPDATE ##
case "$action" in
add)
echo "Setting $name.$domain to $ip on $ns"
oldname=$(host $ip $ns | grep "domain name pointer" | awk '{print $5}' | awk -F '.' '{print $1}')
if [ "$oldname" = "" ]; then
oldname=$name
elif [ "$oldname" = "$name" ]; then
oldname=$name
else
echo "Also deleting $oldname A record"
fi
nsupdate -g <
server $ns
realm $realm
update delete $oldname.$domain 3600 A
update delete $name.$domain 3600 A
update add $name.$domain 3600 A $ip
send
UPDATE
result1=$?
nsupdate -g <
server $ns
realm $realm
update delete $ptr 3600 PTR
update add $ptr 3600 PTR $name.$domain
send
UPDATE
result2=$?
;;
delete)
echo "Deleting $name.$domain to $ip on $ns"
nsupdate -g <
server $ns
realm $realm
update delete $name.$domain 3600 A
send
UPDATE
result1=$?
nsupdate -g <
server $ns
realm $realm
update delete $ptr 3600 PTR
send
UPDATE
result2=$?
;;
*)
echo "Invalid action specified"
exit 103
;;
esac
result=$result1$result2
if [ "$result" != "00" ]; then
echo "DHCP-DNS Update failed: $result"
logger "DHCP-DNS Update failed: $result"
fi
exit $result
and here is the relevant part of my dhcpd.conf:
on commit {
set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
set ClientName = pick-first-value(option host-name, host-decl-name, config-option host-name, noname);
log(concat("Commit: IP: ", ClientIP, " Mac: ", ClientMac, " Name: ", ClientName));
execute("/root/dhcp-dyndns.sh", "add", ClientIP, ClientName, ClientMac);
}
on release {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
log(concat("Release: IP: ", ClientIP, " Mac: ", ClientMac));
# cannot get a ClientName here, for some reason that always fails
execute("/root/dhcp-dyndns.sh", "delete", ClientIP, "", ClientMac);
}
on expiry {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
# cannot get a ClientMac here, apparently this only works when actually receiving a packet
log(concat("Expired: IP: ", ClientIP));
# cannot get a ClientName here, for some reason that always fails
execute("/root/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}
Figuring this all out took me several afternoons because Kerberos 5 1.8 has a bug where forwardable tickets (which is the default on Debian) are incompatible with nsupdate. Manually compiling 1.7 or getting 1.9 from the experimental Debian branch helps, as does adding the -F flag to kinit (which I did in the script above) to make the ticket non-forwardable.
I filed a bug with Debian (#611906) and Sam Hartman (thanks!) helped me track it down.
EDIT 2011-11-17:
I recently ran into the issue that if the AD server could not be reached, dhcpd would stall (and not respond to DHCP requests during that time) until nsupdate reached its timeout. The fix is simple: rename dhcp-dyndns.sh to dhcp-dyndns-real.sh and create dhcp-dyndns.sh with the following contents to fork off the real script into the background:
#!/bin/bash
$(dirname $0)/dhcp-dyndns.sh $@ 2>&1 | logger &
Also, I updated the on commit section in the dhcpd.conf excerpt above to compose a fallback name from the IP address if the client provides no hostname. This fixes the issue that nsupdate tries to register a record based on the name and fails.
I just loaded the DNS tools under the Remote Server Admin pack on my Windows7 client. Looking at the security settings for my domain, members of the DnsAdmins group should have sufficient permissions.
One odd thing is that, DHCP now updates the A and PTR records. For the Windows machines though, I see in the system logs that THEY are trying to update their own records. Are those getting denied because I manually entered them (or, dhcpduser added them), so now the machines themselves don’t have permissions to change them???
@Charles, Good point: Records created by Windows clients themselves are owned by their computer account, records created by the DHCP server running my script are owned by the account it uses. Only the owner and (I assume) DnsAdmin members have permission to modify DNS records.
I believe Microsoft has a solution that works the other way round (allow Windows clients to reclaim records owned by the DHCP server) that works by adding the DHCP server user to the DnsUpdateProxy group. However, that obviously won’t solve the problem you’re running into. You could use Group Policy to force the Windows clients not to update their DNS records themselves though.
(Does anyone actually want me to post my slightly modified scripts here? It seems like a lot of content, and I’m not sure how much it will add.)
Please do add it. Once both of you get it working properly, I’m going to clean up the comments a bit and maybe update the post with the solutions.
This is my version of the update script. Note that I have moved things to a directory only accessible by “dhcpd” user on the dhcp (Linux) server.
#!/bin/bash
## CONFIGURATION ##
realm=BBAGGINS.NET
principal=dhcpduser@$realm
keytab=/etc/dhcpd/dhcpduser.keytab
domain=bbaggins.net
ns=samba.bbaggins.net
export KRB5CCNAME="/etc/dhcpd/dhcp-dyndns.cc"
# keytab can be generated using the Samba4 tool:
# samba-tool domain exportkeytab /etc/dhcpd/dhcpduser.keytab --principal=dhcpduser
## VARIABLES ##
action=$1
ip=$2
name=$(echo $3 | awk -F '.' '{print $1}')
mac=$4
usage()
{
echo "USAGE:"
echo $0 add 192.0.2.123 testhost 00:11:22:33:44:55
echo $0 add 192.168.0.127 "" 00:11:22:44:33:55
echo $0 delete 192.0.2.123 testhost 00:11:22:33:44:55
echo $0 delete 192.0.2.127 "" 00:11:22:44:33:55
}
if [ "$ip" = "" ]; then
echo "IP missing"
usage
exit 101
fi
if [ "$name" = "" ]; then
name=$(echo $ip | awk -F '.' '{print "dhcp-"$1"-"$2"-"$3"-"$4}')
if [ "$action" = "delete" ]; then
name=$(host $ip | awk '{print $5}' | awk -F '.' '{print $1}')
echo $name | grep NXDOMAIN 2>$1 >/dev/null
if [ "$?" = "0" ]; then
exit 0;
fi
fi
fi
ptr=$(echo $ip | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')
## KERBEROS ##
klist 2>&1 | grep $realm | grep '/' > /dev/null
if [ "$?" = 1 ]; then
expiration=0
else
expiration=$(klist | grep $realm | grep '/' | awk -F ' ' '{system ("date -d \""$2"\" +%s")}' | sort | head -n 1)
fi
now=$(date +%s)
if [ "$now" -ge "$expiration" ]; then
echo "Getting new ticket, old one expired $expiration, now is $now"
kinit -F -k -t $keytab $principal
fi
## NSUPDATE ##
case "$action" in
add)
echo "Setting $name.$domain to $ip on $ns ($ptr)"
oldname=$(host $ip $ns | grep "domain name pointer" | awk '{print $5}' | awk -F '.' '{print $1}')
if [ "$oldname" = "" ]; then
oldname=$name
elif [ "$oldname" = "$name" ]; then
oldname=$name
else
echo "Also deleting $oldname A record"
fi
nsupdate -g \<\<UPDATE
server $ns
realm $realm
update delete $oldname.$domain 3600 A
update delete $name.$domain 3600 A
update add $name.$domain 3600 A $ip
send
UPDATE
result1=$?
nsupdate -g \<\<UPDATE
server $ns
realm $realm
update delete $ptr 3600 PTR
update add $ptr 3600 PTR $name.$domain
send
UPDATE
result2=$?
;;
delete)
echo "Deleting $name.$domain to $ip on $ns"
nsupdate -g \<\<UPDATE
server $ns
realm $realm
update delete $name.$domain 3600 A
send
UPDATE
result1=$?
nsupdate -g \<\<UPDATE
server $ns
realm $realm
update delete $ptr 3600 PTR
send
UPDATE
result2=$?
;;
*)
echo "Invalid action specified"
exit 103
;;
esac
result=$result1$result2
if [ "$result" != "00" ]; then
echo "DHCP-DNS Update failed: $result"
logger "DHCP-DNS Update failed: $result"
fi
exit $result
There is a security hole in your configuration: anyone who can connect network device to your network can take domain name of any another machine by sending dhcp request with hostname of attaked machine (which domain name has been published by dhcpd). To close this hole you should use rfc4701 (for every dns update special TXT record is added which contain hash of a DHCID and fqdn of a host), isc-dhcpd uses similar logic to secure ddns updates. I also upgrade your script to use logic similar to this RFC and rewrite it to minimize sys resources used for updates (no needless forks, bash -> sh). I can publish it if you need.
Hi Sergey,
I am aware of that issue, but never considered it worth mentioning since Microsoft’s DHCP Server (which we’re trying to emulate with this method) has the exact same issue, as do most other DHCP servers that do dynamic DNS. As far as I can tell, even RFC 4701 is susceptible to spoofed MAC addresses (and probably other scenarios), so I wouldn’t give too much thought to it. I suppose we could do stuff like pinging a DNS record’s IP address and only update the DNS record if we don’t get replies (to check whether somebody is trying to steal another client’s name), but that’s not fully secure either.
The take-home message should probably be: always use static DNS records for your servers etc. (dhcpd doesn’t have permission to overwrite those) and don’t use clients’ dynamic DNS records for critical stuff. If you need optimum security, do not run dynamic DNS with your DHCP server at all, but instead have your clients take care of updating their own DNS records (authenticated by their Kerberos machine accounts).
However, please do post your updated script, I’d be interested to see how you solved it. Thanks for optimizing it — it was a quick solution that works nicely, but as you said, it doesn’t optimally use system resources.
You are right, Michael, but using TXT records seems more secure to me. Anyway, you can disable creating and checking TXT RRs at the top of my script.
http://pastebin.com/GY333pmr
CHANGES:
* You can choose: use similar to RFC 4701 algorithm or not
* bash -> sh – no reason for using heavy bash; compatibility
* DNS server failover
* use simplified kinit logic (you can choose heimdal/mit)
* DNS RRs TTL can be changed
* no adding records for hosts that don’t send hostname – I can’t find any reason for doing it
* since it uses TXT RRs, no secure “on expiry” event could be done, so if you use TXT RRs, remove “on expiry” event from your dhcpd.conf. Also, args order is changed:
on commit {
set ClientIP = binary-to-ascii(10, 8, “.”, leased-address);
set ClientDHCID = binary-to-ascii(16, 8, “:”, hardware);
set ClientName = pick-first-value(option host-name, host-decl-name);
execute(“/etc/dhcp/dhcp-krbnsupdate.sh”, “add”, ClientIP, ClientDHCID, ClientName);
}
on release {
set ClientIP = binary-to-ascii(10, 8, “.”, leased-address);
set ClientDHCID = binary-to-ascii(16, 8, “:”, hardware);
execute(“/etc/dhcp/dhcp-krbnsupdate.sh”, “delete”, ClientIP, ClientDHCID);
}
* some other changes and optimizations
I mirrored Sergey’s version of the script here.
I am beginning to think i am the only one who cant get this to work
Hi, Michael.
Here is my improved script:
http://pastebin.com/cNeVQdh3
CHANGES:
* the main part of the script runs in the background by default (it’s about your EDIT 2011-11-17), but you can manually run it in the foreground by using “-d” as the first argument (see _usage)
* now all results of an update are logged via logger (if no -d option)
* some other bugfixes and improvements
Thanks, mirrored here.
ok i am going to try this one more time but, before I do, can I just ask (to make sure):
1) The Windows AD server is 2008 R2?
2) Nothing has been done to Windows with regards to Kerberos Authentication?
3) The Windows User Account used is an ordinary account i.e. it is not an administrator nor is it mapped to a service?
4) The keytab is generated on the Windows server?
5) The DHCP server is just a DHCP server – it is not running BIND or SAMBA?
6) The DHCP Server is not a member of the Windows Domain?
7) The Windows DNS server is in Secure Update Only mode?
Cheers
Bill
Yes to all except for 4. I used ktutil on Linux to write the keytab (as documented in the comments at the top of my script).
Hi, Please, Could you give me a hand with this issue?
When a I use “nsupdate -g” option I get this error
“nsupdate: cannot specify -g or -o, program not linked with GSS API Library”
Do you have any idea what is happening?
Thanks in advance.!
Mario
@Mario: what the message says: you need to recompile nsupdate with the proper build option so that it links to the Kerberos library, which you also need to install.
Try this:
set ClientIP = binary-to-ascii(10, 8, “.”, leased-address);
set ClientMac = binary-to-ascii(16, 8, “:”, substring(hardware, 1, 6));
set ClientAltname = “none”;
set ClientName = pick-first-value( host-decl-name, ClientAltname) ;
log(debug, concat(“Commit: IP: “, ClientIP, ” Mac: “, ClientMac, “Name:”, ClientName));
execute(“/usr/bin/test_dhcp”, “commit”, ClientIP, ClientMac, ClientName);
Thanks a lot for posting this it helped me a lot.
I think the contents in dhcp-dyndns.sh should be updated to be
$(dirname $0)/dhcp-dyndns-real.sh $@ 2>&1 | logger &
^^
instead of
$(dirname $0)/dhcp-dyndns.sh $@ 2>&1 | logger &
Just an hint for someone else who stumbles across the same problem, if you’re using Samba 4 as an AD DC, then kinit with the keytab created in the script instructions above won’t work as samba4 doesn’t seem to like the encryption type. Use
-e arcfour-hmac-md5 with the addent command instead.