Eprs_Admin
asked on
dynamic dns update on linux server
Hi Experts,
we have a DNS server with Windows 2019.
Some other servers are Linux servers.
There is one user in AD which should make DNS updates; this user is a member of DNSAdmins.
But the user on the Linux server gets this error:
; TSIG error with server: tsig verify failure
update failed: NOTIMP
The selected DNS zone is already set for dynamic updates -> Secure only.
Do you have any ideas why we get this error on the Linux side?
The simple + zero setup time fix - use dnsmasq as a local caching server, then point to any public forwarders, like...
1.1.1.1
8.8.8.8
8.8.4.4
Or if you're serving your own zones, then you'll point to your Windows zone servers.
ASKER
I just want to know why this happens?
; TSIG error with server: tsig verify failure
update failed: NOTIMP
No DHCP or Time problem.
A)
Many Windows networks have the clients update the DNS server.
If the Linux systems have integration with the AD
AND there is an nsupdate function in the DHCP client
AND the nsupdate function can use Kerberos tickets,
AND the timing is done right,
THEN a Linux system could update a DNS server inside the AD.
B)
In non-Windows networks most often the DHCP server is the tool that updates the DNS server.
(Only the DHCP server and the DNS server need to know & trust each other, and this can be fixed in a lot of ways
using separated VLANs, IP filters, authentication etc.).
A: Pro: Simple setup for unknowing users
Con: The DNS accumulates a lot of cruft in the form of stale records because systems are turned off without removing their RRs.
B: Pro: Secure setup;
not only additions are added, also revokes (when the lease expires) etc. are removed from the DNS (no cruft)
Con: requires a bit of organizing [ aka a system manager needs to do some work, up front say about 10 minutes of work ].
@Noci is right.
But perhaps to put it a little more simply: Linux DNS servers are usually set up to be very picky about from which systems they will accept dynamic DNS (DDNS) updates. Typically they only accept from localhost, which is where the dhcp server resides.
When a client system makes a DHCP request, the dhcp server has enough information to update DDNS and does so. Subsequent attempts by the client system to do DDNS updates are superfluous and rejected.
Also in any DNS setup only ONE server is updated anyway. This should be the master for the domain. (as indicated in the SOA record).
Any slave will inherit all changes from its master. If set up correctly (with update indications enabled on the master) this is done in a few seconds.
So if you need to update multiple DNS, then you need to update the master... The master will update the others.
A slave can be promoted to master if the master server falls over and dies.
btw, what DNS server are you trying to update? BIND, PowerDNS, other?
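The two posts above, as an added example that is not part of the thread: a POSIX shell script that follows case A from noci's list (AD-joined Linux host, Kerberos ticket from the machine keytab, nsupdate with GSS-TSIG, which is the only signing a Windows "Secure only" zone accepts) and case B (a shared TSIG key, the trust model a DHCP server and a BIND primary normally use), and that addresses the update to the zone's primary taken from the SOA MNAME field as the previous answer advises. The zone name, TTL, keytab path, TSIG key file and the assumption that the Kerberos realm is the zone name in upper case are placeholders chosen for the example, not details from the thread.

```shell
#!/bin/sh
# Added example, not code from this thread. Sends a dynamic update for one
# host from a Linux box, either with GSS-TSIG (Kerberos; required by a
# Windows DNS zone set to "Secure only") or with a shared TSIG key file
# (the DHCP-server/BIND model). The update goes to the zone's primary as
# named in the SOA MNAME field, the only server that accepts updates.
# Assumed placeholders: zone example.com, keytab /etc/krb5.keytab, TSIG key
# /etc/ddns.key, realm = zone in upper case, and dig/nsupdate/kinit installed.
set -eu

ZONE="${ZONE:-example.com}"
TTL="${TTL:-3600}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/ddns.key}"

# Parse the primary name server out of SOA rdata
# ("mname rname serial refresh retry expire minimum"); strip the trailing dot.
soa_primary() {
    printf '%s\n' "$1" | awk '{ sub(/\.$/, "", $1); print $1 }'
}

# Ask the resolver for the zone's SOA and return its MNAME.
primary_for_zone() {
    soa_primary "$(dig +short "$1" SOA)"
}

# Accept only a syntactically valid dotted-quad IPv4 address (each octet <= 255).
valid_ipv4() {
    addr="$1"
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Build the nsupdate batch: one transaction that replaces any stale A record
# for the host with the current address (delete + add + send).
build_update() {
    server="$1"; fqdn="$2"; ip="$3"
    printf 'server %s\nzone %s\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$server" "$ZONE" "$fqdn" "$fqdn" "$TTL" "$ip"
}

# mode "gss":  get a ticket for the machine account (HOST$@REALM) from the
#              keytab and let nsupdate -g negotiate GSS-TSIG. A kinit failure,
#              typically a clock more than 5 minutes off the KDC, is the
#              "timing" condition in case A.
# mode "tsig": sign with the shared key file instead (nsupdate -k).
run_update() {
    mode="$1"; fqdn="$2"; ip="$3"
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    server="$(primary_for_zone "$ZONE")"
    [ -n "$server" ] || { echo "no SOA found for zone $ZONE" >&2; return 1; }
    case "$mode" in
        gss)
            realm="$(printf '%s' "$ZONE" | tr '[:lower:]' '[:upper:]')"
            export KRB5CCNAME="FILE:/tmp/ddns.$$"
            trap 'kdestroy >/dev/null 2>&1 || true' EXIT
            kinit -k -t "$KEYTAB" "$(hostname -s | tr '[:lower:]' '[:upper:]')\$@$realm"
            build_update "$server" "$fqdn" "$ip" | nsupdate -g
            ;;
        tsig)
            build_update "$server" "$fqdn" "$ip" | nsupdate -k "$TSIG_KEYFILE"
            ;;
        *)
            echo "usage: $0 gss|tsig <fqdn> <ipv4>" >&2; return 2
            ;;
    esac
}

# Only touch the network when invoked with arguments, e.g.
#   ./ddns-update.sh gss srv01.example.com 10.1.2.3
if [ "$#" -eq 3 ]; then
    run_update "$1" "$2" "$3"
fi
```

Run it as `./ddns-update.sh gss srv01.example.com 10.1.2.3` on the AD-joined host; the `tsig` mode is for a BIND primary whose `allow-update` names the key stored in the key file. If `kinit` fails, compare the host clock with the domain controller first: Kerberos rejects tickets outside its skew tolerance, 5 minutes by default.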
ASKER
Hello,
we have Linux Servers with AD integration. And we use Windows DNS servers.
ASKER CERTIFIED SOLUTION
Also I am not sure if the DHCP client can offer a Kerberos ticket for the DNS update.
The SAFE and controlled way to update DNS is to have the DHCP server do the updates, and also the DELETES when a lease expires.
(Windows depends on unreliable clients to do housekeeping, and those environments are mostly left with lots of obsolete DNS records.)
Microsoft does have a help for this called scavenging... aka garbage collection, in the hope one doesn't delete active records....