BIND and ISC DHCP (dhcpd) can be integrated so that DNS records are created and updated automatically when IP addresses are leased.
Here is a minimal pair of configuration files that makes dhcpd send dynamic DNS updates to BIND:
# /etc/dhcp/dhcpd.conf
ddns-update-style interim;
ddns-updates on;            # the default, stated explicitly

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option domain-name "example.com";
    option domain-name-servers 192.168.1.5;
    ddns-domainname "example.com";
}

// /etc/bind/named.conf.local
zone "example.com" IN {
    type master;
    file "db.example.com";
    allow-update { 192.168.1.0/24; };
};

zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "db.192.168.1";
    allow-update { 192.168.1.0/24; };
};
This configuration lets DHCP clients be registered in BIND automatically. When a client obtains a lease, dhcpd sends BIND a dynamic update that creates or replaces the client's A record (forward lookup, in example.com) and PTR record (reverse lookup, in 1.168.192.in-addr.arpa). The client's hostname comes from the host-name or client FQDN option in its request, with ddns-domainname appended.
The ddns-update-style interim; line selects the interim update scheme, the older of the two styles ISC DHCP supports. ddns-update-style standard;, available since ISC DHCP 4.3, follows RFC 4701/4702 and records client identity in a DHCID record rather than the TXT record interim uses; prefer standard on a new deployment unless another DHCP server on the network still speaks interim. The allow-update { 192.168.1.0/24; }; line in each BIND zone is an address ACL: any packet whose source address falls in 192.168.1.0/24 may update the zone. That covers the DHCP server, but it also covers every client the DHCP server hands an address to.
Internally, when a lease is confirmed, dhcpd builds a DNS UPDATE message (RFC 2136) naming the zone, the client's FQDN and its new address, and sends it to the zone's authoritative server, which it either discovers by querying for the zone's SOA or takes from a zone { primary ...; } statement in dhcpd.conf. BIND checks the request against the zone's allow-update (or update-policy) rules, applies the change to its in-memory copy of the zone and appends it to the zone's journal file (db.example.com.jnl); the zone file on disk is rewritten later. This is why a dynamic zone must not be edited by hand without first running rndc freeze, and why the journal is the first place to look when a record appears that nobody added on purpose.
A detail that is easy to overlook is the TSIG (Transaction SIGnature) key. Basic interim updates work without one, but with only an address ACL any host on 192.168.1.0/24 can register or overwrite names in both zones with a single nsupdate command. No spoofing is required, since the ACL checks nothing but the source address of a UDP packet, and even that is trivial to forge. A TSIG key is a shared secret: dhcpd signs each update with an HMAC over the message, and BIND accepts the update only if the signature verifies, so the key holder, not the subnet, decides what goes into the zone. Setting it up means generating the secret once (tsig-keygen, shipped with BIND 9), installing the same key { ... } statement in dhcpd.conf and named.conf, pointing dhcpd's zone statements at the key, and replacing the address ACL with allow-update { key "<keyname>"; }; (or an update-policy statement if finer-grained rules are wanted).
The update itself is more than "create record". An RFC 2136 UPDATE carries a list of operations (add an RR, delete an RR, delete an RRset, delete a name) that the server applies atomically, plus optional prerequisites (name exists, name does not exist, RRset exists, RRset does not exist) that must all hold before anything is changed. dhcpd relies on this: on a new lease it adds the A record only if the name is not already in use, and on renewal or address change it deletes the old A and PTR records and adds the new ones in the same transaction, so an address change or a client coming back after a reboot does not leave the old record behind.
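As an added example (not part of the original page, and not ISC's own sample configuration), here is the TSIG-secured version of the two files above together with an nsupdate script that exercises the prerequisite/delete/add operations just described using the same key, so the setup can be verified by hand before dhcpd is trusted with it. The key name dhcp-update, the hostname host1, the hmac-sha256 algorithm and the lease address 192.168.1.101 are assumptions; the secret is a placeholder to be replaced with the output of tsig-keygen dhcp-update, and the zone names, file names and the 192.168.1.5 server address are the page's own.

```conf
# --- /etc/dhcp/dhcpd.conf (TSIG-secured variant) ---
ddns-update-style interim;
ddns-updates on;

# Same name, algorithm and secret must appear in named.conf.
# Placeholder secret: generate a real one with `tsig-keygen dhcp-update`.
key dhcp-update {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_TSIG_KEYGEN";
};

# Tell dhcpd where each zone's primary is and which key signs updates to it,
# instead of letting it discover the server via an SOA lookup.
zone example.com. {
    primary 192.168.1.5;
    key dhcp-update;
}

zone 1.168.192.in-addr.arpa. {
    primary 192.168.1.5;
    key dhcp-update;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option domain-name "example.com";
    option domain-name-servers 192.168.1.5;
    ddns-domainname "example.com";
}

// --- /etc/bind/named.conf.local (TSIG-secured variant) ---
// tsig-keygen prints this statement; paste it here unchanged.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_TSIG_KEYGEN";
};

zone "example.com" IN {
    type master;
    file "db.example.com";
    // weak:   allow-update { 192.168.1.0/24; };   // every LAN host may update
    allow-update { key "dhcp-update"; };          // only holders of the secret
};

zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "db.192.168.1";
    allow-update { key "dhcp-update"; };
};

; --- verify.nsupdate: run with `nsupdate verify.nsupdate` from any host ---
; nsupdate ignores lines that start with ';'. Without the key line below the
; server must answer REFUSED, which is the whole point of the change above.
server 192.168.1.5
key hmac-sha256:dhcp-update REPLACE_WITH_BASE64_SECRET_FROM_TSIG_KEYGEN
zone example.com.
; First registration, the way dhcpd does it: only if the name is unused.
prereq nxdomain host1.example.com.
update add host1.example.com. 3600 A 192.168.1.101
send
; Address change: delete the old A RRset and add the new one atomically.
prereq yxdomain host1.example.com.
update delete host1.example.com. A
update add host1.example.com. 3600 A 192.168.1.102
send
```

Run the script once with the key line present and once with it removed: the first pair of transactions should succeed (the second one only after the first has created the name), the keyless run should be answered REFUSED by BIND, and `rndc freeze example.com` followed by a look at db.example.com.jnl shows the signed changes landing in the journal rather than in the zone file directly.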
The next challenge is often managing DNSSEC signing with dynamically updated zones.