[Samba] Odd behavior with "allow dns updates" (+dhcp_dyndns.sh)

Kris Lou klou at themusiclink.net
Wed Jan 23 19:04:24 UTC 2019


All,

I'm hoping somebody could help explain this:  with the Wiki dhcp_dyndns.sh
script and "allow dns updates = secure and nonsecure", I have the following
log snippet for a single machine:

> Jan 22 13:37:35 DC1 dhcpd: Commit: IP: 172.250.250.19 DHCID: 1:be:a9:c5:4f:5f:cd Name: SERVER
> <stuff>
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
> Jan 22 13:37:35 DC1 dhcpd: Sending update to 127.0.0.1#53
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.BIZ name=SERVER.SAMDOM.biz tcpaddr=127.0.0.1 type=A key=4007768441.sig-DC1.SAMDOM.biz/160/0
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.BIZ name=SERVER.SAMDOM.biz tcpaddr=127.0.0.1 type=A key=4007768441.sig-DC1.SAMDOM.biz/160/0
> Jan 22 13:37:35 DC1 named[20138]: client 127.0.0.1#35779/key dhcpduser\@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': deleting rrset at 'SERVER.SAMDOM.biz' A
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0111200#011IN#011A#011172.250.250.19'
> Jan 22 13:37:35 DC1 named[20138]: client 127.0.0.1#35779/key dhcpduser\@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': adding an RR at 'SERVER.SAMDOM.biz' A
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0113600#011IN#011A#011172.250.250.19'
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110321 900 600 86400 3600'
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110322 900 600 86400 3600'
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: committed transaction on zone SAMDOM.biz
> <more stuff>
> Jan 22 13:37:35 DC1 dhcpd: DHCP-DNS Update succeeded
> Jan 22 13:37:35 DC1 dhcpd: DHCPREQUEST for 172.250.250.19 from be:a9:c5:4f:5f:cd via enp1s0
> Jan 22 13:37:35 DC1 dhcpd: DHCPACK on 172.250.250.19 to be:a9:c5:4f:5f:cd via enp1s0
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
> Jan 22 13:37:35 DC1 named[20138]: client 172.250.250.19#62633: update 'SAMDOM.biz/IN' denied
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: cancelling transaction on zone SAMDOM.biz
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: allowing update of signer=SERVER\$\@SAMDOM.BIZ name=SERVER.SAMDOM.biz tcpaddr= type=A key=1228-ms-7.6-670dfe0.7abd8ab6-1d92-11e9-0081-bea9c54f5fcd/160/0
> Jan 22 13:37:35 DC1 named[20138]: client 172.250.250.19#57017/key SERVER\$\@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': deleting an RR at SERVER.SAMDOM.biz A
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0113600#011IN#011A#011172.250.250.19'
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110322 900 600 86400 3600'
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 1103250 900 600 86400 3600'
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: committed transaction on zone SAMDOM.biz


From what I can tell, the DHCP update script is running successfully and
then the client is attempting to update its own DNS immediately
afterwards.

However, it is denied once, but allowed the 2nd time, after which it
deletes the A record and the SOA record, but only adds back the SOA record.

Looking at successful client-driven updates, they all are initially denied
but are allowed on the second transaction, similar to above.  Does anybody
have any ideas why it would behave like this?  (/etc/named.conf included at
bottom)

For the time being, I've set "allow dns updates = none", and the same
client hasn't tried to update itself.  Successful "disallows" or refusals
look like this:

> Jan 23 01:27:39 DC1 named[16390]: samba_dlz: starting transaction on zone SAMDOM.biz
> Jan 23 01:27:39 DC1 named[16390]: client 172.250.30.9#51801: update 'SAMDOM.biz/IN' denied
> Jan 23 01:27:39 DC1 named[16390]: samba_dlz: cancelling transaction on zone SAMDOM.biz
> Jan 23 01:27:39 DC1 named[16390]: samba_dlz: starting transaction on zone SAMDOM.biz
> Jan 23 01:27:39 DC1 named[16390]: samba_dlz: disallowing update of signer=SERVER2\$\@SAMDOM.BIZ name=SERVER2.SAMDOM.biz type=AAAA error=insufficient access rights
> Jan 23 01:27:39 DC1 named[16390]: client 172.250.30.9#52948/key SERVER2\$\@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': update failed: rejected by secure update (REFUSED)
> Jan 23 01:27:39 DC1 named[16390]: samba_dlz: cancelling transaction on zone SAMDOM.biz


2nd Question:  What do you all generally see as the OWNER of a host's A
record (from Windows)?  I've seen a mix of $Client, SYSTEM, and dhcpduser
(from the script), but think that this could have something to do with the
differing behaviors.

/etc/named.conf

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    # Begin Custom Config
    auth-nxdomain yes;
    notify no;
    empty-zones-enable no;
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        Any;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        Any;
    };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        172.250.250.35;
    };

    # Disable zone transfers
    allow-transfer {
        none;
    };

    # Add any subnets or hosts you want to allow dynamic updates from
    allow-update {
        172.250.0.0/16;
    };
    # End Custom Config

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    #recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

dlz "SAMDOM.biz" {
    # For BIND 9.9.0
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so -d 3";
};



Kris Lou
klou at themusiclink.net
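As an added example (not part of the post or of Samba's own tooling), here is a small Python audit for the kind of named log shown above: it walks the samba_dlz "starting ... committed/cancelling" transactions, decodes syslog's #011 tab escape in the logged rdatasets, and reports every non-SOA record a committed transaction subtracted but never added back, which is exactly the net effect of the client's second update in the post. The sample log is constructed from the lines quoted above; the regexes and the decision to ignore TTL and SOA churn are this example's assumptions.

```python
import re
# Constructed sample from the samba_dlz lines quoted in the post (three transactions).
SAMPLE_LOG = r"""
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.BIZ name=SERVER.SAMDOM.biz tcpaddr=127.0.0.1 type=A key=4007768441.sig-DC1.SAMDOM.biz/160/0
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0111200#011IN#011A#011172.250.250.19'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0113600#011IN#011A#011172.250.250.19'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: committed transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: client 172.250.250.19#62633: update 'SAMDOM.biz/IN' denied
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: cancelling transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: allowing update of signer=SERVER\$\@SAMDOM.BIZ name=SERVER.SAMDOM.biz tcpaddr= type=A key=1228-ms-7.6-670dfe0.7abd8ab6-1d92-11e9-0081-bea9c54f5fcd/160/0
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0113600#011IN#011A#011172.250.250.19'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110322 900 600 86400 3600'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 1103250 900 600 86400 3600'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: committed transaction on zone SAMDOM.biz
"""

RDATASET = re.compile(r"samba_dlz: (added|subtracted) rdataset \S+ '(.*)'$")
SIGNER = re.compile(r"samba_dlz: allowing update of signer=(\S+)")

def parse_rr(raw):
    """(owner, type, rdata) of a logged rdataset; syslog writes tabs as #011.
    TTL is dropped: the DHCP script and the client use different TTLs."""
    owner, _ttl, _class, rtype, *rdata = raw.replace("#011", "\t").split("\t")
    return owner, rtype, "\t".join(rdata)

def audit(log_text):
    """(signer, owner, type, rdata) for every non-SOA record that a committed
    samba_dlz transaction subtracted but never added back."""
    findings, tx = [], None
    for line in log_text.splitlines():
        if "samba_dlz: starting transaction" in line:
            tx = {"signer": None, "added": set(), "subtracted": set()}
        elif tx is None:
            continue  # dhcpd lines and anything outside a transaction
        elif m := SIGNER.search(line):
            tx["signer"] = m.group(1)
        elif m := RDATASET.search(line):
            owner, rtype, rdata = parse_rr(m.group(2))
            if rtype != "SOA":  # SOA churn is only the serial bump
                tx[m.group(1)].add((owner, rtype, rdata))
        elif "samba_dlz: cancelling transaction" in line:
            tx = None
        elif "samba_dlz: committed transaction" in line:
            for rr in sorted(tx["subtracted"] - tx["added"]):
                findings.append((tx["signer"],) + rr)
            tx = None
    return findings
```

Run `audit()` over the real named log (journalctl or /var/log/messages) to list which signer dropped which record; on the post's log it flags the machine account SERVER$ removing its own A record.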
