Discussion:
DDNS updates for secondary DNS server
Kraishak Mahtha
2021-04-27 07:33:50 UTC
Hi All,

zone example.com. {
    primary 192.168.0.45;
    secondary 192.168.0.47;
}

I have noticed that DHCP is not sending any DDNS updates to the secondary
DNS server (192.168.0.47) of the zone when the primary is down for some
reason. Is this the expected behavior?

Getting the below error:
Unable to add forward map from n54c5-000001.example.com to 192.168.0.86: NOTIMP

Does anyone have any idea/experience of the DDNS flow when the primary DNS
server is down?

Thanks in advance
Kraishak
g***@uniq.com.au
2021-04-27 08:06:11 UTC
Hi Kraishak

My understanding is that each time the DHCP server renews a lease it
will try to update the DNS server if the record does not exist. So this
could take some time to catch up if the DNS server is down. I don't
think it tries to ever update the secondary - this is the job of the
primary. For this reason a lot of sites implement the dhcp server on the
same box as the dns server.

Also looks like something in your DNS config may not be quite right. In
dhcp your primary is 192.168.0.45, but it is trying to update
192.168.0.86 and gets an error. Can you check through both the dhcp and
dns configuration to see if you mention 192.168.0.86 anywhere?

regards,
Glenn
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
dhcp-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users
kraishak
2021-04-27 09:30:01 UTC
Hi Glenn

Thanks for the reply,
zone example.com. {
    primary 192.168.0.45;
    secondary 192.168.0.47;
}

I don't think it tries to ever update the secondary
-----> So in a sample zone section, adding the secondary statement is of no
significance: even if we add a valid secondary DNS server, it will send
updates only to the primary, and if the primary is down it will throw exceptions
(unable to add forward/reverse map), but it won't use the secondary server
definition from the zone section in dhcpd.conf. Please correct me if I am
wrong.

Also looks like something in your DNS config may not be quite right. In
dhcp your primary is 192.168.0.45, but it is trying to update
192.168.0.86 and gets an error.
----> 192.168.0.86 was the client IP which the DHCP server gave to the
client from the scope range.

In a valid case, when the primary is up, I am getting messages like below:

Added new forward map from n0001-000001.example.com to 192.168.0.97

where 192.168.0.97 was the client IP,

so I guess it is not an issue with the config.


Thanks
Kraishak

g***@uniq.com.au
2021-04-28 00:42:09 UTC
Hi Kraishak

I had a look in the dhcpd.conf man page, and the description there is a
bit ambiguous, so I don't know what is meant to happen:

The primary statement specifies the IP address of the name server
whose zone information is to be updated. In addition to the primary
statement there are also the primary6, secondary and secondary6
statements. The primary6 statement specifies an IPv6 address for the
name server. The secondaries provide for additional addresses for name
servers to be used if the primary does not respond.

Some suggestions of things you could try:

- Check your secondary is configured to accept updates from the dhcp
server.
- Turn on logging of updates on the secondary to see if anything is
sent.
- Run a packet trace on the secondary to look at network traffic to see
if anything is sent to it.

I think the next step after that is to have a look at the dhcpd source
and see what the code actually does in this case.

It may also be worth asking the question on one of the BIND9 mailing
lists about whether a secondary can accept dynamic updates and what
configuration options are required to do this. There is also the BIND 9
Administrator Reference Manual which may be useful.

Also something to think about is the scenario where the primary is down
and the secondary receives an update. What happens when the primary
returns? It won't have the update, and either it will overwrite the
secondary's zone file with the primary's (removing the updated record) or
it won't, but then the primary won't have that record and the secondary
will. This means the primary and secondary have different values
for the same record, or one of them does not have the record.

regards,
Glenn
kraishak
2021-04-29 06:24:23 UTC
Hi Glenn,

- Check your secondary is configured to accept updates from the dhcp
server.
-----> Yes, it is working fine when I flip the secondary to primary and
the primary to secondary, with the respective changes in dhcpd.conf also. By this
I guess there is no issue with the secondary server receiving updates from the DHCP
server.

- Turn on logging of updates on the secondary to see if anything is
sent.
- Run a packet trace on the secondary to look at network traffic to see
if anything is sent to it.
-------> Here I am using Windows servers as DNS, but when I searched in
forums some of them suggest having an allow-update-forwarding option
on the slave zone, which can update the primary.

I am checking if we have any equivalent on the Windows server.

Thanks
Kraishak

g***@uniq.com.au
2021-04-29 07:26:59 UTC
Can you run tcpdump or wireshark on the dhcp server looking for packets
between the dhcp server and the dns servers?

regards,
Glenn
kraishak
2021-04-29 09:56:19 UTC
I tried tcpdump. I can see a lot of other traffic; when I was searching for
how to filter DDNS packets, I found the below one:
"tcpdump 'udp[0xa] & 0x78 = 0x28'"

Case 1) When both the primary and secondary DNS servers are up and running,
I see the packets flowing from my DHCP server to the primary DNS server

tcpdump 'udp[0xa] & 0x78 = 0x28'
09:36:25.836650 IP dhcpremote.36057 > 192.168.0.45.domain: 32269 update [1a] [2n] SOA? tst.com. (113)
09:36:25.838185 IP 192.168.0.45.domain > dhcpremote.36057: 32269 update- 1/2/0 (Class 254) ANY (113)
09:36:25.840153 IP dhcpremote.36057 > 192.168.0.45.domain: 37754 update [1a] [2n] SOA? tst.com. (113)
09:36:25.840716 IP 192.168.0.45.domain > dhcpremote.36057: 37754 update- 1/2/0 (Class 254) ANY (113)
09:36:25.842929 IP dhcpremote.36057 > 192.168.0.45.domain: 50378 update [1a] [2n] SOA? tst.com. (113)
09:36:25.843558 IP 192.168.0.45.domain > dhcpremote.36057: 50378 update- 1/2/0 (Class 254) ANY (113)
09:36:25.935787 IP dhcpremote.36057 > 192.168.0.45.domain: 45452 update [1a] [2n] SOA? tst.com. (113)
09:36:25.936482 IP 192.168.0.45.domain > dhcpremote.36057: 45452 update- 1/2/0 (Class 254) ANY (113)
09:36:25.937238 IP dhcpremote.36057 > 192.168.0.45.domain: 57717 update [1a] [2n] SOA? tst.com. (113)
09:36:25.937644 IP 192.168.0.45.domain > dhcpremote.36057: 57717 update- 1/2/0 (Class 254) ANY (113)
I can see DNS records get added to the zone on the primary DNS server.

Case 2) I stopped the primary DNS server and only the secondary is running.
At this time, initially I saw the traffic trying to communicate to the primary,
and later it tried to communicate to the secondary also, but on the secondary
server I don't see any updates for that zone

9:47:50.448729 IP dhcpremote.36057 > 192.168.0.45.domain: 28079 update [1a] [2n] SOA? tst.com. (113)
09:47:50.450722 IP dhcpremote.36057 > 192.168.0.45.domain: 56210 update [1a] [2n] SOA? tst.com. (113)
09:47:50.452350 IP dhcpremote.36057 > 192.168.0.45.domain: 35555 update [1a] [2n] SOA? tst.com. (113)
09:47:50.454332 IP dhcpremote.36057 > 192.168.0.45.domain: 6159 update [1a] [2n] SOA? tst.com. (113)
09:47:50.456659 IP dhcpremote.36057 > 192.168.0.45.domain: 46788 update [1a] [2n] SOA? tst.com. (113)
09:47:53.451803 IP dhcpremote.36057 > 192.168.0.45.domain: 28079 update [1a] [2n] SOA? tst.com. (113)
09:47:53.451882 IP dhcpremote.36057 > 192.168.0.45.domain: 56210 update [1a] [2n] SOA? tst.com. (113)
09:47:53.452444 IP dhcpremote.36057 > 192.168.0.45.domain: 35555 update [1a] [2n] SOA? tst.com. (113)
09:47:53.454400 IP dhcpremote.36057 > 192.168.0.45.domain: 6159 update [1a] [2n] SOA? tst.com. (113)
09:47:53.456731 IP dhcpremote.36057 > 192.168.0.45.domain: 46788 update [1a] [2n] SOA? tst.com. (113)
09:47:56.452149 IP dhcpremote.36057 > 192.168.0.45.domain: 28079 update [1a] [2n] SOA? tst.com. (113)
09:47:56.452188 IP dhcpremote.36057 > 192.168.0.45.domain: 56210 update [1a] [2n] SOA? tst.com. (113)
09:47:56.452542 IP dhcpremote.36057 > 192.168.0.45.domain: 35555 update [1a] [2n] SOA? tst.com. (113)
09:47:56.454501 IP dhcpremote.36057 > 192.168.0.45.domain: 6159 update [1a] [2n] SOA? tst.com. (113)
09:47:56.456806 IP dhcpremote.36057 > 192.168.0.45.domain: 46788 update [1a] [2n] SOA? tst.com. (113)
09:47:59.455189 IP dhcpremote.36057 > 192.168.0.45.domain: 56210 update [1a] [2n] SOA? tst.com. (113)
09:47:59.455220 IP dhcpremote.36057 > 192.168.0.45.domain: 28079 update [1a] [2n] SOA? tst.com. (113)
09:47:59.455229 IP dhcpremote.36057 > 192.168.0.45.domain: 35555 update [1a] [2n] SOA? tst.com. (113)
09:47:59.455241 IP dhcpremote.36057 > 192.168.0.45.domain: 6159 update [1a] [2n] SOA? tst.com. (113)
09:47:59.456869 IP dhcpremote.36057 > 192.168.0.45.domain: 46788 update [1a] [2n] SOA? tst.com. (113)
09:48:02.458314 IP dhcpremote.36057 > 192.168.0.47.domain: 2904 update [1a] [2n] SOA? tst.com. (113)
09:48:02.458409 IP dhcpremote.36057 > 192.168.0.47.domain: 51837 update [1a] [2n] SOA? tst.com. (113)
09:48:02.458463 IP dhcpremote.36057 > 192.168.0.47.domain: 33836 update [1a] [2n] SOA? tst.com. (113)
09:48:02.458501 IP dhcpremote.36057 > 192.168.0.47.domain: 64762 update [1a] [2n] SOA? tst.com. (113)
09:48:02.458578 IP dhcpremote.36057 > 192.168.0.47.domain: 58373 update [1a] [2n] SOA? tst.com. (113)
09:48:02.461798 IP 192.168.0.47.domain > dhcpremote.36057: 2904 update NotImp- 1/2/0 (Class 254) ANY (113)
09:48:02.462583 IP 192.168.0.47.domain > dhcpremote.36057: 33836 update NotImp- 1/2/0 (Class 254) ANY (113)
09:48:02.463148 IP 192.168.0.47.domain > dhcpremote.36057: 64762 update NotImp- 1/2/0 (Class 254) ANY (113)
09:48:02.463678 IP 192.168.0.47.domain > dhcpremote.36057: 58373 update NotImp- 1/2/0 (Class 254) ANY (113)
09:48:02.464209 IP 192.168.0.47.domain > dhcpremote.36057: 51837 update NotImp- 1/2/0 (Class 254) ANY (113)


While it is trying to communicate to the secondary I can see some difference in
the packets, like "update NotImp"; not sure if that means anything for debugging
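
An added example, not part of the original post and not ISC DHCP code: it reimplements the capture filter `udp[0xa] & 0x78 = 0x28` in Python and decodes the DNS header, showing that the filter selects opcode 5 (UPDATE) and that the `NotImp` in the secondary's replies is response code 4, the same NOTIMP that dhcpd logged. The packet bytes are constructed headers modelled on transaction 2904 in Case 2; all function and constant names are hypothetical.

```python
import struct

# Opcode and RCODE values from RFC 1035 and RFC 2136.
OPCODES = {0: "QUERY", 4: "NOTIFY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH", 10: "NOTZONE"}


def matches_capture_filter(segment: bytes) -> bool:
    """Same test as the BPF expression  udp[0xa] & 0x78 = 0x28.

    Offset 10 is the first DNS flags byte (8-byte UDP header + 2-byte ID).
    Mask 0x78 keeps the 4 opcode bits; 0x28 is opcode 5 (UPDATE) << 3.
    The QR bit is masked out, so requests and responses both match.
    """
    return len(segment) > 10 and (segment[10] & 0x78) == 0x28


def decode_dns_header(dns_msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a message."""
    if len(dns_msg) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, zocount, prcount, upcount, adcount = struct.unpack(
        "!6H", dns_msg[:12])
    opcode, rcode = (flags >> 11) & 0xF, flags & 0xF
    return {
        "id": msg_id,
        "is_response": bool(flags & 0x8000),
        "opcode": OPCODES.get(opcode, str(opcode)),
        "rcode": RCODES.get(rcode, str(rcode)),
        # For UPDATE: zone, prerequisite, update and additional counts.
        "counts": (zocount, prcount, upcount, adcount),
    }


def udp_segment(sport: int, dport: int, dns_msg: bytes) -> bytes:
    """Prefix a DNS message with a UDP header (checksum left at 0)."""
    return struct.pack("!4H", sport, dport, 8 + len(dns_msg), 0) + dns_msg


# Constructed samples (DNS headers only, no record sections).
REQUEST = udp_segment(36057, 53, struct.pack("!6H", 2904, 0x2800, 1, 1, 2, 0))
RESPONSE = udp_segment(53, 36057, struct.pack("!6H", 2904, 0xA804, 1, 1, 2, 0))
PLAIN_QUERY = udp_segment(36057, 53, struct.pack("!6H", 7, 0x0100, 1, 0, 0, 0))

if __name__ == "__main__":
    for seg in (REQUEST, RESPONSE, PLAIN_QUERY):
        print(matches_capture_filter(seg), decode_dns_header(seg[8:]))
```
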

Rob Janssen
2021-04-29 11:42:54 UTC
When you think the normal updating mechanism is not working according to
your preferences, you can always disable it and instead configure "on
commit", "on release" and "on expiry" actions that execute an external
script that does exactly what you want.
kraishak
2021-04-29 13:46:54 UTC
Hi Rob Janssen-2,

Thanks for the reply.

The normal flow, sending the DDNS updates to the primary DNS server, is
working fine. The issue is that if the primary is down I don't see the update on the
secondary server. From the tcpdump traffic I guess the DHCP server is
trying to communicate with the secondary DNS, but on the secondary it is not getting
received. I am thinking I might be missing a piece for this fix. I just want
to check if someone has already faced this situation and overcome it.

Actually I am not good at that scripting level.

But again, thanks for the suggestion.
