Multiple subnets on isc-dhcp-server using ddns with bind9

Question

On my network I have two subnets:

10.100.1.0/24 -> Wired/wireless
10.100.7.0/24 -> VPN

Both subnets are served by isc-dhcp-server running on a Debian VM. This same VM runs bind9 for my DNS. ISC-DHCP-SERVER is configured to use DDNS and update BIND9 with hosts/IPs.

Everything runs great until a device drops off the wired/wireless network and pops onto the VPN. When connecting on the VPN, a DHCP lease is handed out on the new subnet but DDNS does not update BIND9. Since the device has A/TXT/PTR records it appears ISC-DHCP-SERVER won't switch them to the new IP. The logs show:

Connect to wireless:

Nov  6 20:55:13 core-server named[2417]: client 127.0.0.1#57697: updating zone 'internal.mydomain.com/IN': adding an RR at 'demo-iphone.internal.mydomain.com' A
Nov  6 20:55:13 core-server named[2417]: client 127.0.0.1#57697: updating zone 'internal.mydomain.com/IN': adding an RR at 'demo-iphone.internal.mydomain.com' TXT
Nov  6 20:55:13 core-server dhcpd: DHCPACK on 10.100.1.160 to FF:FF:FF:FF:FF:FF (demo-iphone) via eth0
Nov  6 20:55:13 core-server dhcpd: Added new forward map from demo-iphone.internal.mydomain.com to 10.100.1.160
Nov  6 20:55:13 core-server dhcpd: Added reverse map from 160.49.21.172.in-addr.arpa. to demo-iphone.internal.mydomain.com

Switch to VPN:

Nov  6 20:56:34 core-server dhcpd: DHCPOFFER on 10.100.7.101 to BB:BB:BB:BB:BB:BB (demo-iphone) via 10.100.7.0
Nov  6 20:56:34 core-server named[2417]: client 127.0.0.1#57697: updating zone 'internal.mydomain.com/IN': update unsuccessful: demo-iphone.internal.mydomain.com: 'name not in use' prerequisite not satisfied (YXDOMAIN)
Nov  6 20:56:34 core-server dhcpd: DHCPREQUEST for 10.100.7.101 (10.100.1.2) from BB:BB:BB:BB:BB:BB (demo-iphone) via 10.100.7.0
Nov  6 20:56:34 core-server dhcpd: DHCPACK on 10.100.7.101 to BB:BB:BB:BB:BB:BB (demo-iphone) via 10.100.7.0
Nov  6 20:56:34 core-server named[2417]: client 127.0.0.1#57697: updating zone 'internal.mydomain.com/IN': update unsuccessful: demo-iphone.internal.mydomain.com/TXT: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Nov  6 20:56:34 core-server dhcpd: Forward map from demo-iphone.internal.mydomain.com to 10.100.7.101 FAILED: Has an address record but no DHCID, not mine.

One thing to note is that the MAC of the device when connecting via VPN is the MAC of my Cisco ASA5512X and not the actual device. The ASA is relaying the DHCP request from the VPN client to the VM running ISC-DHCP-SERVER.

Is there a way to get DDNS working in this scenario?

score 1 · Answer 1 · answered Feb 18 '15 at 15:55

The lease times should only be for the dynamic address reservation. The record should be updated regardless of the lease time when a different lease for the same device is presented.

DDNS should update the records when the new address is presented by the DHCP server.

The following errors are showing the real issue:

Nov  6 20:56:34 core-server named[2417]: client 127.0.0.1#57697: updating zone 'internal.mydomain.com/IN': update unsuccessful: demo-iphone.internal.mydomain.com/TXT: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)

Nov  6 20:56:34 core-server dhcpd: Forward map from demo-iphone.internal.mydomain.com to 10.100.7.101 FAILED: Has an address record but no DHCID, not mine.

Is resulting from the lack of information showing that the record was made by the DHCP server. This is in place to prevent records from being removed that weren't created by the DHCP server. A case could be multiple DHCP servers updating a single zone file.

Try freezing the zone and manually removing the records, A and TXT, for the client. Increment your serial number. Unfreeze the zone. Try having the client renew the lease. Then have the client connect to the other network and renew the lease there.

If that doesn't work there is a chance that something else is going on, but that would be where I would start.

score 0 · Answer 2 · answered Nov 11 '13 at 07:13

0

Based on your logs one can see that the same dns hostname (demo-iphone.internal.mydomain.com) is bind to different IPs (ip1=10.100.1.160, ip2=10.100.7.101).

It looks like you are trying to leverage dhcp+ddns to get a dns-level failover. I am not sure that ISC-DHCP-SERVER is designed to work in a such way.

Bind multi-homed host interfaces to different dns names and I hope it helps.

answered Nov 11 '13 at 07:13

Veniamin

853
6
11

The goal would be for DHCP to tell DNS that the old IP (10.100.1.160) is no longer used, this host has moved to a new IP (10.100.7.101) and update DNS accordingly. Leaving one DNS entry for demo-iphone.internal.mydomain.com for forward and one for reverse. – some_guy_long_gone Nov 11 '13 at 12:16
You can try setting short max-lease-time and default-lease-time. After 10.100.1.160 will finally die and 10.100.7.101 will issue dhcp request again it will have a good chance for success. – Veniamin Nov 12 '13 at 14:24

Multiple subnets on isc-dhcp-server using ddns with bind9

2 Answers2