OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: Radek on April 13, 2021, 09:52:38 am

Title: Static mapping priority over dynamic DHCP mapping in DNS registration
Post by: Radek on April 13, 2021, 09:52:38 am
We activated the following two functionalities in our Unbound settings:

Register DHCP leases
Register DHCP static mappings

As we would like to use both, we still need to give higher priority to the static mapping, so in case some evil colleague uses some name for which we already have a static mapping (such as jenkinsserver) on his desktop, the legitimate server does not get overridden by the dynamic DHCP lease.

We tried to work around it, by adding the static mappings also as the Unbound overrides, but that did not help as described here
https://forum.opnsense.org/index.php?topic=20185.0 or https://forum.opnsense.org/index.php?topic=21757.0

Any ideas what else to try?

Thanks,
Radek
Title: Re: Static mapping priority over dynamic DHCP mapping in DNS registration
Post by: kosta on April 13, 2021, 10:03:30 am
Can you please support this with some details like IP addresses and usage scenarios? I am really having trouble understanding what you want to accomplish.

Basically, if I understand it correctly, these two functions override anything you have set anywhere. So you can't use Overrides to override what these checkboxes do.
So, for instance, I have overrides for HAProxy, so I have to turn off static mapping, otherwise those don't work afaik. So I settled only for the first checkbox.
So if you have computers which have fixed IP addresses (static mappings, usually servers), you either have to check the box or do fixed overrides.
Title: Re: Static mapping priority over dynamic DHCP mapping in DNS registration
Post by: Radek on April 13, 2021, 10:42:10 am
sure - let's give it a try

DHCP configuration
opnsense IP address 10.0.0.1
jenkinsserver - static mapping based on MAC - IP address 10.0.0.20
DHCP pool 10.0.0.100 - 10.0.0.200

Unbound server configuration:
Register DHCP leases = yes
Register DHCP static mappings = yes

Environment out of control
Good employee installs his computer and names it radek-desktop and it gets IP address 10.0.0.100
Evil employee installs his computer and names it jenkinsserver and it gets IP address 10.0.0.101

Actual behavior
1) nslookup radek-desktop returns 10.0.0.100 as expected - correct

2) nslookup jenkinsserver returns the following - wrong
Code:
$ nslookup jenkinsserver 10.0.0.1
Server: 10.0.0.1
Address: 10.0.0.1#53

Name: jenkinsserver.xyz
Address: 10.0.0.101
Name: jenkinsserver.xyz
Address: 10.0.0.20

Expected behavior
1) nslookup radek-desktop returns 10.0.0.100 as expected

2) nslookup jenkinsserver returns the following
Code:
$ nslookup jenkinsserver 10.0.0.1
Server: 10.0.0.1
Address: 10.0.0.1#53

Name: jenkinsserver.xyz
Address: 10.0.0.20
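
Added example, not part of the original thread: a check that flags active dynamic leases whose client-supplied hostname matches a statically mapped name, which is the collision shown in the nslookup output above. It assumes the DHCP server writes leases in ISC dhcpd.leases syntax; the sample lease text, MAC addresses and function names are constructed for illustration.

```python
import re

# Constructed sample in ISC dhcpd.leases syntax; not taken from a real system.
SAMPLE_LEASES = """
lease 10.0.0.100 {
  binding state active;
  hardware ethernet 02:00:00:00:01:00;
  client-hostname "radek-desktop";
}
lease 10.0.0.101 {
  binding state active;
  next binding state free;
  hardware ethernet 02:00:00:00:01:01;
  client-hostname "JenkinsServer";
}
lease 10.0.0.102 {
  binding state free;
  hardware ethernet 02:00:00:00:01:02;
  client-hostname "jenkinsserver";
}
"""

# Static mappings as hostname -> reserved address (values from the thread).
STATIC_MAPPINGS = {"jenkinsserver": "10.0.0.20"}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def _field(body, pattern):
    """Return the first capture of pattern in a lease body, or None."""
    match = re.search(pattern, body, re.M)
    return match.group(1) if match else None

def find_collisions(leases_text, static_mappings):
    """List active dynamic leases that claim a statically mapped hostname."""
    static = {name.lower(): ip for name, ip in static_mappings.items()}
    hits = []
    for ip, body in LEASE_RE.findall(leases_text):
        state = _field(body, r"^\s*binding state (\w+);")
        name = _field(body, r'^\s*client-hostname "([^"]*)";')
        mac = _field(body, r"^\s*hardware ethernet ([0-9a-fA-F:]+);")
        if state != "active" or not name:
            continue  # expired or free leases are ignored by this check
        label = name.split(".")[0].lower()  # DNS names compare case-insensitively
        if label in static and static[label] != ip:
            hits.append((label, ip, mac, static[label]))
    return hits

if __name__ == "__main__":
    for label, ip, mac, reserved in find_collisions(SAMPLE_LEASES, STATIC_MAPPINGS):
        print(f"{label}: lease {ip} ({mac}) collides with static mapping {reserved}")
```

The MAC address in each hit identifies the machine that announced the reserved name, which gives an administrator something to trace on the switch or in the DHCP log.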
Title: Re: Static mapping priority over dynamic DHCP mapping in DNS registration
Post by: Radek on April 15, 2021, 11:21:06 am
The best solution/workaround from the German discussion seems to be to create two separate subdomains and in DHCP configure the services domain to a higher priority.

employees:
my-cool-mac.lan.firma.com

services:
jenkinsserver.services.firma.com

Details in German here: https://forum.opnsense.org/index.php?topic=21757.msg107715#msg107715