Dynamic DNS for PTR Records with External BIND Server

Started by kozistan, February 09, 2024, 10:53:40 PM

February 09, 2024, 10:53:40 PM Last Edit: February 10, 2024, 09:27:55 AM by kozistan
I am in need of some guidance for a specific configuration challenge in our network. We operate in a mixed network environment with Unix, Windows, and Linux devices. Currently, A records are updated via a samba-ad-dc controller for domain devices. However, we are encountering a significant issue: the PTR records for our Unix devices are not being updated as needed.

The core of the issue seems to be related to how the OPNsense DHCP server handles record updates. When it attempts to send A record updates, these requests are refused.

client @0x7f04994a6768 10.10.0.253#56955/key updater: updating zone 'domain/NONE': update failed: rejected by secure update (REFUSED)

This refusal then appears to prevent the completion of the subsequent PTR record updates, which are critical for our Unix systems.

Once I'm doing the update manually with nsupdate, it works.

# nsupdate -k /tmp/rndc.key
> server 10.10.0.12
> zone 0.10.10.in-addr.arpa
> update add 124.0.10.10.in-addr.arpa. 3600 PTR host.domain.name.
> send
09-Feb-2024 22:50:56.541 update: info: client @0x7f0499a65768 10.10.0.253#53295/key updater: updating zone '0.10.10.in-addr.arpa/IN': adding an RR at '124.0.10.10.in-addr.arpa' PTR host.domain.name.

I am looking to configure the OPNsense DHCP server to only send PTR record updates to an external BIND server, bypassing the issue with the A records entirely. Is this configuration possible within OPNsense?

Thank you in advance for your time and help!

As somebody who also does this, I've noticed it is strongly advised to use /24 subnets; reverse DNS with less than a /24 requires very, very custom/unique reverse DNS stanzas.

Outside of this... I've made sure to use "$ORIGIN" more, and my external BIND doesn't seem to favor it, as well as making sure I only put "PTR", not "PTR IN", for the reverse; again, BIND seems to favor the "PTR IN", and OPNsense DHCP seems to favor the "PTR".

You are doing AD/DC BIND? Not doing this myself, so not sure how that would change the 'dance', if you will. Best of luck!!
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA

I'm on /24 subnets. The $ORIGIN zone prefix did not work out, so I tried another way.

Made a cron job to periodically (every 1 min) execute a script with a PTR nsupdate to the BIND server, and it's working now.

You are doing AD/DC BIND? > Correct, AD looks fully functional now: A records signed by samba-ad-dc for domain devices, PTR updated from OPNsense DHCP on BIND.

Anyway, thanks a lot for your comment, really appreciate it!
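A script of the kind kozistan's cron job would run, as an added example (not the script from the thread): it builds the same nsupdate batch shown above for one lease and sends it with a TSIG key, touching only the PTR record in the reverse zone and never the A record. It assumes /24 reverse zones as used in the thread, the thread's BIND address 10.10.0.12, and a placeholder key file path.

```sh
#!/bin/sh
# Added example, not the thread's own script. Refreshes one PTR record via nsupdate.
BIND_SERVER=10.10.0.12                    # BIND address from the thread's session
KEY_FILE=/usr/local/etc/updater.key       # placeholder TSIG key path (assumption)
TTL=3600

# reverse_name 10.10.0.124 -> 124.0.10.10.in-addr.arpa.  (fails on non-dotted-quad input)
reverse_name() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    echo "$4.$3.$2.$1.in-addr.arpa."
}

# reverse_zone 10.10.0.124 -> 0.10.10.in-addr.arpa  (assumes a /24 reverse zone)
reverse_zone() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    echo "$3.$2.$1.in-addr.arpa"
}

# ptr_batch IP FQDN: print the nsupdate commands for a single PTR refresh.
# The "update delete" first keeps a re-leased address from accumulating stale PTRs.
ptr_batch() {
    ip="$1"; fqdn="$2"
    rname=$(reverse_name "$ip") || { echo "bad address: $ip" >&2; return 1; }
    rzone=$(reverse_zone "$ip")
    case "$fqdn" in *.) ;; *) fqdn="$fqdn." ;; esac   # nsupdate wants an absolute name
    printf 'server %s\nzone %s\nupdate delete %s PTR\nupdate add %s %s PTR %s\nsend\n' \
        "$BIND_SERVER" "$rzone" "$rname" "$rname" "$TTL" "$fqdn"
}

# apply_ptr IP FQDN: send the batch signed with the TSIG key; this is the cron step.
apply_ptr() {
    ptr_batch "$1" "$2" | nsupdate -k "$KEY_FILE"
}

# Network step only when invoked with arguments, e.g.:
#   sh ptr-update.sh 10.10.0.124 host.domain.name
if [ $# -eq 2 ]; then
    apply_ptr "$1" "$2"
fi
```

On the BIND side, the matching hardening is an update-policy that grants the TSIG key only PTR records in the reverse zone (e.g. `grant updater zonesub PTR;`), so a misconfigured client cannot alter anything else.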