[Samba] Samba - Bind9 DNS - ISC-DHCP - obsolete DNS entries

Martin Krämer mk.maddin at gmail.com
Wed Jan 2 11:16:47 UTC 2019


Hi everyone,

I have set up a Samba domain with the BIND9 DNS backend.
Using ISC-DHCP-Server and the procedure/script described in the Samba wiki, I have
configured dynamic DNS updates:
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

In my network I am using PXE to deploy new Debian machines.
Booting an nfsroot and then using chroot to install my new system, two DNS
entries "dhcp-<pxe>-<device>-<ip>-<address>" are created for each machine,
both having their own IP (I assume one for the nfsroot and one for the chroot
environment).
Furthermore, during the setup process I change the hostname and use
"dhclient -r && dhclient" to be able to resolve the hostname correctly.
This causes an additional DNS entry for the correct hostname using the
same IP as my chroot environment.

After restarting my newly installed client, this means I end up with three
DNS entries for the same machine, one correct and two incorrect.
Even after a longer time (I have waited up to 49 hours with the
client turned off) the wrong DNS entries do not disappear.

My question now is: how can I make sure that the wrong DNS entries are not
created / get updated correctly / disappear after a short amount of time?
I would like to end up with only one correct DNS entry per client (NIC).

Below you can find some details about the Samba, BIND9 & ISC-DHCP versions
and configuration I use.
"location-000001.example.corp" is my Samba, BIND & DHCP server.
c9f2cbf9fc26c.example.corp is one client that I installed using PXE.
dhcp-192-168-33-26.example.corp was the nfsroot DHCP-assigned hostname of the
client, and
dhcp-192-168-33-27.example.corp was the chroot DHCP-assigned hostname of the
client, which changed during installation to c9f2cbf9fc26c.example.corp.

Thank you for any help / advice in advance :)
________________________________________________
root at location-000001:~# samba -V
Version 4.5.12-Debian
root at location-000001:~# dhcpd -h
Internet Systems Consortium DHCP Server 4.3.5
Copyright 2004-2016 Internet Systems Consortium.
All rights reserved.
Unknown command -h
Usage: dhcpd [-p <UDP port #>] [-f] [-d] [-q] [-t|-T]
             [-4|-6] [-cf config-file] [-lf lease-file]
             [-user user] [-group group] [-chroot dir]
             [-tf trace-output-file]
             [-play trace-input-file]
             [-pf pid-file] [--no-pid] [-s server]
             [if0 [...ifN]]

If you think you have received this message due to a bug rather
than a configuration issue please read the section on submitting
bugs on either our web page at www.isc.org or in the README file
before submitting a bug.  These pages explain the proper
process and the information we find helpful for debugging..

exiting.
root at location-000001:~# named -V
BIND 9.10.3-P4-Debian <id:ebd72b3>
built by make with '--prefix=/usr' '--mandir=/usr/share/man'
'--libdir=/usr/lib/x86_64-linux-gnu' '--infodir=/usr/share/info'
'--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
'--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static' '--with-gost=no' '--with-openssl=/usr'
'--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no'
'--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa'
'--enable-native-pkcs11'
'--with-pkcs11=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so'
'--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2
-fdebug-prefix-map=/build/bind9-zVMG3I/bind9-9.10.3.dfsg.P4=.
-fstack-protector-strong -Wformat -Werror=format-security
-fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE
-DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time
-D_FORTIFY_SOURCE=2'
compiled by GCC 6.3.0 20170516
compiled with OpenSSL version: OpenSSL 1.0.2l  25 May 2017
linked to OpenSSL version: OpenSSL 1.0.2q  20 Nov 2018
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
root at location-000001:~# host -l example.corp
example.corp name server location-000001.example.corp.
example.corp has address 192.168.33.251
_msdcs.example.corp name server location-000001.example.corp.
c9f2cbf9fc26c.example.corp has address 192.168.33.27
ForestDnsZones.example.corp has address 192.168.33.251
DomainDnsZones.example.corp has address 192.168.33.251
location-000001.example.corp has address 192.168.33.251
dhcp-192-168-33-27.example.corp has address 192.168.33.27
dhcp-192-168-33-26.example.corp has address 192.168.33.26
root at location-000001:~# cat /etc/dhcp/dhcpd.conf
##configuration file for isc-dhcp-server
authoritative;
allow unknown-clients;
use-host-decl-names on;
default-lease-time 86400;
max-lease-time 86400;
log-facility local7;
subnet 192.168.33.0 netmask 255.255.255.0 {
  next-server 192.168.33.251;
  option domain-name "example.corp";
  option domain-name-servers 192.168.33.251, 8.8.4.4;
  option routers 192.168.33.1;
  option subnet-mask 255.255.255.0 ;
  range 192.168.33.26 192.168.33.229;
}
class "legacy" {
  match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:Arch:00000";
  if exists user-class and option user-class = "iPXE" {filename "/legacy_menu.ipxe";}
  else {filename "/undionly.kpxe";}
  option vendor-encapsulated-options "PXE boot";
}
on commit {
  set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
  set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
  set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
  set ClientName = pick-first-value(option host-name, config-option-host-name, client-name, noname);
  log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
  execute("/usr/local/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}
on release {
  set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
  set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
  log(concat("Release: IP: ", ClientIP));
  execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}
on expiry {
  set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
  log(concat("Expired: IP: ", ClientIP));
  execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}
root at location-000001:~# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
root at location-000001:~# cat /etc/bind/named.conf.options
options {
  tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
  allow-recursion { all-networks; 127.0.0.1/32; };
  allow-query { all-networks; 127.0.0.1/32; };
  empty-zones-enable no;
  notify no;
  listen-on port 53 { thisserverip; 127.0.0.1; };
  forwarders { 8.8.4.4; };
  version "0.0.7";
  directory "/var/cache/bind";

  // If there is a firewall between you and nameservers you want
  // to talk to, you may need to fix the firewall to allow multiple
  // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

  // If your ISP provided one or more IP addresses for stable
  // nameservers, you probably want to use them as forwarders.
  // Uncomment the following block, and insert the addresses replacing
  // the all-0's placeholder.

  // forwarders {
  //   0.0.0.0;
  // };

  //========================================================================
  // If BIND logs error messages about the root key being expired,
  // you will need to update your keys.  See https://www.isc.org/bind-keys
  //========================================================================
  dnssec-validation no;

  auth-nxdomain yes; # conform to RFC1035=no but we are the Authoritive server
  listen-on-v6 { none; };
};

acl thisserverip {
  192.168.33.251;
};
acl all-networks {
  192.168.33.0/24;
};
include "/etc/bind/rndc.key";
controls {
  inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
};
root at location-000001:~# cat /etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

include "/var/lib/samba/private/named.conf";
root at location-000001:~# cat /var/lib/samba/private/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};

root at location-000001:~# cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
  type hint;
  file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
  type master;
  file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
  type master;
  file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
  type master;
  file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
  type master;
  file "/etc/bind/db.255";
};


root at location-000001:~#
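The three-entries-per-machine situation described in the post can be checked for from the server side by cross-checking the zone contents against dhcpd.leases: an A record whose address has no active lease, or whose label differs from the hostname on the active lease, is a leftover of an earlier commit that was never deleted. This is an added example, not code from the original post or from the Samba wiki script; the lease file and `host -l` excerpts are constructed, and it assumes that every A record whose address appears in the lease file is DHCP-managed (static hosts such as the server itself are skipped).

```python
import re
from datetime import datetime, timezone

# Constructed excerpt in dhcpd.leases syntax (not the poster's real lease file).
LEASES = """\
lease 192.168.33.26 {
  starts 2 2019/01/01 10:00:00;
  ends 2 2019/01/02 10:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "dhcp-192-168-33-26";
}
lease 192.168.33.27 {
  starts 2 2019/01/01 10:05:00;
  ends 2 2019/01/02 10:05:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "c9f2cbf9fc26c";
}
"""

# Constructed excerpt in the output format of `host -l example.corp`.
HOST_L = """\
example.corp name server location-000001.example.corp.
location-000001.example.corp has address 192.168.33.251
c9f2cbf9fc26c.example.corp has address 192.168.33.27
dhcp-192-168-33-27.example.corp has address 192.168.33.27
dhcp-192-168-33-26.example.corp has address 192.168.33.26
"""

LEASE_RE = re.compile(r"lease (\S+) \{(.*?)\}", re.S)

def parse_leases(text, now):
    """Return {ip: (is_active, client_hostname)}; later blocks win (the file is append-only)."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state = re.search(r"binding state (\w+);", body)
        ends = re.search(r"ends \d (\S+ \S+);", body)   # "ends never;" does not match -> inactive
        name = re.search(r'client-hostname "([^"]*)";', body)
        active = False
        if state and state.group(1) == "active" and ends:
            expiry = datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
            active = expiry > now
        leases[ip] = (active, name.group(1) if name else None)
    return leases

def stale_a_records(host_l, leases, zone):
    """A records in the zone listing that no active lease justifies: (fqdn, ip) pairs."""
    stale = []
    for line in host_l.splitlines():
        m = re.match(r"(\S+) has address (\S+)$", line)
        if not m or m.group(2) not in leases:
            continue                      # static address or not a DHCP-managed host
        fqdn, ip = m.groups()
        active, lease_name = leases[ip]
        label = fqdn[: -len(zone) - 1] if fqdn.endswith("." + zone) else fqdn
        if not active or lease_name != label:
            stale.append((fqdn, ip))
    return stale

def audit(now=datetime(2019, 1, 1, 12, 0, tzinfo=timezone.utc)):
    return stale_a_records(HOST_L, parse_leases(LEASES, now), "example.corp")
```

With the constructed data, the audit flags the two "dhcp-" placeholder names and keeps c9f2cbf9fc26c, which is what a cleanup hook would want to act on.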