[Samba] Odd behavior with "allow dns updates" (+dhcp_dyndns.sh)
Kris Lou
klou at themusiclink.net
Wed Jan 23 19:04:24 UTC 2019
All,
I'm hoping somebody could help explain this: with the Wiki dhcp_dyndns.sh
script and "allow dns updates = secure and nonsecure", I have the following
log snippet for a single machine:
> Jan 22 13:37:35 DC1 dhcpd: Commit: IP: 172.250.250.19 DHCID: 1:be:a9:c5:4f:5f:cd Name: SERVER
> <stuff>
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
> Jan 22 13:37:35 DC1 dhcpd: Sending update to 127.0.0.1#53
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.BIZ name=SERVER.SAMDOM.biz tcpaddr=127.0.0.1 type=A key=4007768441.sig-DC1.SAMDOM.biz/160/0
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.BIZ name=SERVER.SAMDOM.biz tcpaddr=127.0.0.1 type=A key=4007768441.sig-DC1.SAMDOM.biz/160/0
> Jan 22 13:37:35 DC1 named[20138]: client 127.0.0.1#35779/key dhcpduser\@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': deleting rrset at 'SERVER.SAMDOM.biz' A
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0111200#011IN#011A#011172.250.250.19'
> Jan 22 13:37:35 DC1 named[20138]: client 127.0.0.1#35779/key dhcpduser\@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': adding an RR at 'SERVER.SAMDOM.biz' A
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0113600#011IN#011A#011172.250.250.19'
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110321 900 600 86400 3600'
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110322 900 600 86400 3600'
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: committed transaction on zone SAMDOM.biz
> <more stuff>
> Jan 22 13:37:35 DC1 dhcpd: DHCP-DNS Update succeeded
> Jan 22 13:37:35 DC1 dhcpd: DHCPREQUEST for 172.250.250.19 from be:a9:c5:4f:5f:cd via enp1s0
> Jan 22 13:37:35 DC1 dhcpd: DHCPACK on 172.250.250.19 to be:a9:c5:4f:5f:cd via enp1s0
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
> Jan 22 13:37:35 DC1 named[20138]: client 172.250.250.19#62633: update 'SAMDOM.biz/IN' denied
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: cancelling transaction on zone SAMDOM.biz
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: allowing update of signer=SERVER\$\@SAMDOM.BIZ name=SERVER.SAMDOM.biz tcpaddr= type=A key=1228-ms-7.6-670dfe0.7abd8ab6-1d92-11e9-0081-bea9c54f5fcd/160/0
> Jan 22 13:37:35 DC1 named[20138]: client 172.250.250.19#57017/key SERVER\$\@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': deleting an RR at SERVER.SAMDOM.biz A
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0113600#011IN#011A#011172.250.250.19'
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110322 900 600 86400 3600'
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 1103250 900 600 86400 3600'
> Jan 22 13:37:35 DC1 named[20138]: samba_dlz: committed transaction on zone SAMDOM.biz
From what I can tell, the DHCP update script is running successfully and
then the client is attempting to update its own DNS immediately
afterwards.
However, it is denied once, but allowed the 2nd time, after which it
deletes the A record and the SOA record, but only adds back the SOA record.
Looking at successful client-driven updates, they all are initially denied
but are allowed on the 2nd transactions, similar to above. Does anybody
have any ideas why it would behave like this? (/etc/named.conf included at
bottom)
For the time being, I've set "allow dns updates = none", and the same
client hasn't tried to update itself. Successful "disallows" or refusals
look like this:
> Jan 23 01:27:39 DC1 named[16390]: samba_dlz: starting transaction on zone SAMDOM.biz
> Jan 23 01:27:39 DC1 named[16390]: client 172.250.30.9#51801: update 'SAMDOM.biz/IN' denied
> Jan 23 01:27:39 DC1 named[16390]: samba_dlz: cancelling transaction on zone SAMDOM.biz
> Jan 23 01:27:39 DC1 named[16390]: samba_dlz: starting transaction on zone SAMDOM.biz
> Jan 23 01:27:39 DC1 named[16390]: samba_dlz: disallowing update of signer=SERVER2\$\@SAMDOM.BIZ name=SERVER2.SAMDOM.biz type=AAAA error=insufficient access rights
> Jan 23 01:27:39 DC1 named[16390]: client 172.250.30.9#52948/key SERVER2\$\@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': update failed: rejected by secure update (REFUSED)
> Jan 23 01:27:39 DC1 named[16390]: samba_dlz: cancelling transaction on zone SAMDOM.biz
2nd Question: What do you all generally see as the OWNER of a host's A
record (from Windows)? I've seen a mix of $Client, SYSTEM, and dhcpduser
(from the script), but think that this could have something to do with the
differing behaviors.
/etc/named.conf

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    # Begin Custom Config
    auth-nxdomain yes;
    notify no;
    empty-zones-enable no;
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        Any;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        Any;
    };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        172.250.250.35;
    };

    # Disable zone transfers
    allow-transfer {
        none;
    };

    # Add any subnets or hosts you want to allow dynamic updates from
    allow-update {
        172.250.0.0/16;
    };
    # End Custom Config

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    #recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

dlz "SAMDOM.biz" {
    # For BIND 9.9.0
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so -d 3";
};
Kris Lou
klou at themusiclink.net
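Added example (editor's code, not Kris's, and not part of Samba or BIND): a small Python script that groups the named/samba_dlz lines from the post into update transactions, pairs each keyless update that named denied with the next transaction from the same client address, and lists the records a committed transaction subtracted without adding back. The sample log is constructed from the lines above (wrapped lines rejoined, one duplicate dropped, a clean serial used for the last SOA). The regexes assume only the syslog layout visible in the post (`Mon DD HH:MM:SS host named[pid]: ...`, with a TAB rendered as `#011` inside the rdataset text); the field and function names are mine.

```python
"""Group named/samba_dlz syslog lines into DNS update transactions and flag (a) a
keyless update that was denied and then retried from the same client and (b) a
committed transaction that subtracts an A/AAAA record without re-adding it."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample built from the lines in the post (wrapped lines rejoined, a
# duplicate dropped). "#011" is how syslog renders a TAB inside the rdataset text.
SAMPLE_LOG = r"""
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.BIZ name=SERVER.SAMDOM.biz tcpaddr=127.0.0.1 type=A key=4007768441.sig-DC1.SAMDOM.biz/160/0
Jan 22 13:37:35 DC1 named[20138]: client 127.0.0.1#35779/key dhcpduser\@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': deleting rrset at 'SERVER.SAMDOM.biz' A
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0111200#011IN#011A#011172.250.250.19'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0113600#011IN#011A#011172.250.250.19'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: committed transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: client 172.250.250.19#62633: update 'SAMDOM.biz/IN' denied
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: cancelling transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: allowing update of signer=SERVER\$\@SAMDOM.BIZ name=SERVER.SAMDOM.biz tcpaddr= type=A key=1228-ms-7.6-670dfe0.7abd8ab6-1d92-11e9-0081-bea9c54f5fcd/160/0
Jan 22 13:37:35 DC1 named[20138]: client 172.250.250.19#57017/key SERVER\$\@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': deleting an RR at SERVER.SAMDOM.biz A
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SERVER.SAMDOM.biz 'SERVER.SAMDOM.biz.#0113600#011IN#011A#011172.250.250.19'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: subtracted rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110322 900 600 86400 3600'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: added rdataset SAMDOM.biz 'SAMDOM.biz.#0113600#011IN#011SOA#011DC1.SAMDOM.biz. hostmaster.SAMDOM.biz. 110325 900 600 86400 3600'
Jan 22 13:37:35 DC1 named[20138]: samba_dlz: committed transaction on zone SAMDOM.biz
Jan 23 01:27:39 DC1 named[16390]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 23 01:27:39 DC1 named[16390]: client 172.250.30.9#51801: update 'SAMDOM.biz/IN' denied
Jan 23 01:27:39 DC1 named[16390]: samba_dlz: cancelling transaction on zone SAMDOM.biz
Jan 23 01:27:39 DC1 named[16390]: samba_dlz: starting transaction on zone SAMDOM.biz
Jan 23 01:27:39 DC1 named[16390]: samba_dlz: disallowing update of signer=SERVER2\$\@SAMDOM.BIZ name=SERVER2.SAMDOM.biz type=AAAA error=insufficient access rights
Jan 23 01:27:39 DC1 named[16390]: client 172.250.30.9#52948/key SERVER2\$\@SAMDOM.BIZ: updating zone 'SAMDOM.biz/NONE': update failed: rejected by secure update (REFUSED)
Jan 23 01:27:39 DC1 named[16390]: samba_dlz: cancelling transaction on zone SAMDOM.biz
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: (?P<msg>.*)$")
START_RE = re.compile(r"samba_dlz: starting transaction on zone (?P<zone>\S+)")
END_RE = re.compile(r"samba_dlz: (?P<how>committed|cancelling) transaction on zone")
DENIED_RE = re.compile(r"client (?P<ip>[^#\s]+)#\d+: update '[^']+' denied")  # no /key: keyless
KEYED_RE = re.compile(r"client (?P<ip>[^#\s]+)#\d+/key \S+: updating zone")
ALLOW_RE = re.compile(r"samba_dlz: allowing update of signer=(?P<signer>\S+) ")
REFUSE_RE = re.compile(r"samba_dlz: disallowing update of signer=(?P<signer>\S+) .*error=(?P<err>.*)")
CHANGE_RE = re.compile(r"samba_dlz: (?P<op>subtracted|added) rdataset \S+ '(?P<rr>[^']*)'")

@dataclass
class Transaction:
    zone: str
    started: str
    outcome: str = "open"  # committed | cancelled | open
    client_ip: str | None = None
    signer: str | None = None  # key principal; None means the update carried no key
    unsigned_denied: bool = False  # "update '<zone>/IN' denied" on a keyless attempt
    refused_reason: str | None = None  # samba_dlz "disallowing update ... error=..."
    subtracted: list[tuple[str, str, str]] = field(default_factory=list)  # (owner, type, rdata)
    added: list[tuple[str, str, str]] = field(default_factory=list)

def parse_transactions(text: str) -> list[Transaction]:
    """One pass: open at 'starting transaction', close at committed/cancelling; other daemons' lines are skipped."""
    txs: list[Transaction] = []
    cur: Transaction | None = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg").replace("#011", "\t")
        if s := START_RE.match(msg):
            cur = Transaction(zone=s.group("zone"), started=m.group("ts"))
            txs.append(cur)
        elif cur is None:
            continue
        elif e := END_RE.match(msg):
            cur.outcome = "committed" if e.group("how") == "committed" else "cancelled"
            cur = None
        elif d := DENIED_RE.match(msg):
            cur.client_ip, cur.unsigned_denied = d.group("ip"), True
        elif k := KEYED_RE.match(msg):
            cur.client_ip = k.group("ip")
        elif a := (ALLOW_RE.match(msg) or REFUSE_RE.match(msg)):
            cur.signer = a.group("signer").replace("\\", "")  # SERVER\$\@X -> SERVER$@X
            cur.refused_reason = a.groupdict().get("err")
        elif c := CHANGE_RE.match(msg):
            owner, _ttl, _cls, rtype, *rdata = c.group("rr").split()
            rec = (owner, rtype, " ".join(rdata))
            (cur.added if c.group("op") == "added" else cur.subtracted).append(rec)
    return txs

def net_deletions(tx: Transaction) -> list[tuple[str, str, str]]:
    """Records subtracted and never re-added; TTL is ignored (the script re-adds the A at 3600) and so is the SOA."""
    kept = set(tx.added)
    return sorted(r for r in tx.subtracted if r[1] != "SOA" and r not in kept)

def denied_then_retried(txs: list[Transaction]) -> list[tuple[Transaction, Transaction]]:
    """Pair each denied keyless attempt with the next transaction from the same client address."""
    pairs = []
    for i, tx in enumerate(txs):
        if tx.unsigned_denied:
            nxt = next((t for t in txs[i + 1:] if t.client_ip == tx.client_ip), None)
            if nxt is not None:
                pairs.append((tx, nxt))
    return pairs

if __name__ == "__main__":
    txs = parse_transactions(SAMPLE_LOG)
    for tx in txs:
        print(tx.started, tx.outcome, tx.client_ip, tx.signer, tx.refused_reason, net_deletions(tx))
    for denied, retry in denied_then_retried(txs):
        print(f"{denied.client_ip}: keyless update denied, then {retry.outcome} as {retry.signer}")
```

Feed it the contents of the real log instead of SAMPLE_LOG to run it over a day of traffic. On the sample, the first SERVER transaction (dhcpduser from 127.0.0.1) reports nothing lost because the A record it subtracted at TTL 1200 is re-added at 3600; the second SERVER transaction, signed as SERVER$, reports the A record as lost, which is the "deletes the A record but only adds back the SOA" observation in the post; and the SERVER2 transaction shows up with refused_reason set and no record changes at all. The pairing is by client address only, so on a busy server two unrelated clients behind the same NAT would be paired too.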