TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

DNS Updates from foreign DHCP Server #396

Closed Sysadminfromhell closed 1 year ago

Sysadminfromhell commented 2 years ago

Hey there,

I'm using a pfSense firewall where I have my DHCP server (v4 and v6). I currently have the difficulty that my DNS servers (Technitium DNS) don't know the IP addresses of my DHCP clients. In pfSense I can configure DHCP DDNS settings for the clients to update their FQDN + IP address, but for this I need the Domain Key function as in BIND9. Is there any way to do that, or is this on the upcoming features list?

[screenshot]

Kind regards,

ShreyasZare commented 2 years ago

Thanks for the post. Technitium DNS server currently does not support dynamic DNS. This is a planned feature and will come up in future. This will allow any 3rd party DHCP server to update the DNS records.

Right now the only way available is to use the HTTP API.

Sysadminfromhell commented 2 years ago

How do I do that? Is there any Python script I could use? I can use custom Python scripts in the DHCP section of pfSense.

ShreyasZare commented 2 years ago

There is no script available. If you can make one that uses the HTTP API then it is possible to achieve it in current release.

Sysadminfromhell commented 2 years ago

Where I can find the HTTP API Documentation?

ShreyasZare commented 2 years ago

> Where I can find the HTTP API Documentation?

You will find it here: https://github.com/TechnitiumSoftware/DnsServer/blob/master/APIDOCS.md

Hemsby commented 2 years ago

> Where I can find the HTTP API Documentation?

https://github.com/TechnitiumSoftware/DnsServer/blob/master/APIDOCS.md

Sysadminfromhell commented 2 years ago

So I tested a few things, but even with the help of the developers I cannot re-run a shell which could call the API in the firewall. Is there a way to use the DHCP on Technitium DNS which allows different agent IDs, so I can use the firewall with a DHCP relay agent and can have 2 different subnet setups for my different LANs? Or do I really have to have 2 network interfaces on the machine then?

Sysadminfromhell commented 2 years ago

I wanted to re-run the shell every time the DHCP server wants to give out a lease, but it's not working properly when a lease gets renewed/extended.

ShreyasZare commented 2 years ago

> So I tested a few things, but even with the help of the developers I cannot re-run a shell which could call the API in the firewall. Is there a way to use the DHCP on Technitium DNS which allows different agent IDs, so I can use the firewall with a DHCP relay agent and can have 2 different subnet setups for my different LANs? Or do I really have to have 2 network interfaces on the machine then?

Yes, you can configure a DHCP relay agent on your firewall and create a new scope for that network in Technitium DHCP. Just make sure that the Technitium DHCP server is accessible from the client's subnet. Create a DHCP scope for each of the networks that you have the DHCP relay agent configured for.

Sysadminfromhell commented 2 years ago

So it's possible to have 2 scopes? Because every time I try to activate it, it always blocks the second activation because the interface is in use: [screenshot]

ShreyasZare commented 2 years ago

> So it's possible to have 2 scopes? Because every time I try to activate it, it always blocks the second activation because the interface is in use: [screenshot]

Post the error message you see in the logs which will tell the reason for this.

Sysadminfromhell commented 2 years ago

I found this:

[2022-07-18 13:33:53 Local] DHCP Server failed to activate scope: VMNET DnsServerCore.Dhcp.DhcpServerException: DHCP Server requires static IP address to work correctly but the network interface was found to have a dynamic IP address [172.16.24.117] assigned by another DHCP server: 172.16.24.1
   at DnsServerCore.Dhcp.Scope.FindInterface() in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dhcp\Scope.cs:line 565
   at DnsServerCore.Dhcp.DhcpServer.ActivateScopeAsync(Scope scope, Boolean waitForInterface) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dhcp\DhcpServer.cs:line 991

but this doesn't make any sense, the server has a fixed IP:

allow-hotplug ens18
iface ens18 inet static
    address 172.16.24.117/24
    gateway 172.16.24.1
    dns-nameservers 172.16.24.118
    dns-domain fritz.box

Sysadminfromhell commented 2 years ago

Do I have to deactivate the DHCP Server on the pfsense first?

ShreyasZare commented 2 years ago

> I found this:
>
> [2022-07-18 13:33:53 Local] DHCP Server failed to activate scope: VMNET DnsServerCore.Dhcp.DhcpServerException: DHCP Server requires static IP address to work correctly but the network interface was found to have a dynamic IP address [172.16.24.117] assigned by another DHCP server: 172.16.24.1
>    at DnsServerCore.Dhcp.Scope.FindInterface() in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dhcp\Scope.cs:line 565
>    at DnsServerCore.Dhcp.DhcpServer.ActivateScopeAsync(Scope scope, Boolean waitForInterface) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dhcp\DhcpServer.cs:line 991
>
> but this doesn't make any sense, the server has a fixed IP:
>
> allow-hotplug ens18
> iface ens18 inet static
>     address 172.16.24.117/24
>     gateway 172.16.24.1
>     dns-nameservers 172.16.24.118
>     dns-domain fritz.box

It looks related to another issue for which this fix should work. Try it out and let me know.

Sysadminfromhell commented 2 years ago

This did the trick, now I can activate it. Thanks

Sysadminfromhell commented 2 years ago

Looks like everything is working now, my client gets DHCP from the LAN scope. I will test the VM later and let you know, but it looks like it's working.

Sysadminfromhell commented 2 years ago

You can set this to solved, my tests were successful. The VM got an address from the VMNET scope. Thank you very much for your help.

ShreyasZare commented 2 years ago

> You can set this to solved, my tests were successful. The VM got an address from the VMNET scope. Thank you very much for your help.

You're welcome. Thanks for confirming.

ShreyasZare commented 1 year ago

Version 9.1 is now released that supports Dynamic Updates [RFC 2136]. Do update and let me know your feedback.

Sysadminfromhell commented 1 year ago

> Version 9.1 is now released that supports Dynamic Updates [RFC 2136]. Do update and let me know your feedback.

Sorry for the super late answer. I can't get it to work on pfSense 23.01. Maybe someone has experience?

Kind regards,

Sysadminfromhell commented 1 year ago

[three screenshots]

I'm not quite sure if this is right or not.

ShreyasZare commented 1 year ago

> Sorry for the super late answer. I can't get it to work on pfSense 23.01. Maybe someone has experience?

Thanks for the screenshots. The Dynamic Updates feature uses TSIG for authentication where the client must use the exact same key name that you have configured in the DNS server.

In your case, you have the TSIG key name on the DNS server as firewall whereas you are using fritz.box as the "DNS Domain Key" on your pfSense. So just change the "DNS Domain Key" to firewall and it should work.

Also check for the DNS logs from the panel which will log any auth errors related to the update that will give you some clues if things don't work.

Sysadminfromhell commented 1 year ago

All I get in the log is:

[2023-06-19 18:01:29 Local] [172.16.24.1:49429] [UDP] DNS Server received a zone UPDATE request for zone: fritz.box
[2023-06-19 18:01:29 Local] [172.16.24.1:49429] [UDP] DNS Server refused a zone UPDATE request due to Dynamic Updates Security Policy for zone: fritz.box

Sysadminfromhell commented 1 year ago

Okay I got it to get an actual error:

[2023-06-19 18:05:07 Local] [172.16.24.1:61416] [UDP] DNS Server received a request that failed TSIG signature verification (RCODE: NotAuth; TSIG Error: BADKEY)
[2023-06-19 18:05:42 Local] [172.16.24.1:50733] [UDP] DNS Server received a request that failed TSIG signature verification (RCODE: NotAuth; TSIG Error: BADKEY)

But I put in the right key, or is it in the wrong space:

[screenshot]

Sysadminfromhell commented 1 year ago

It's the same preshared key, I even exchanged it a few times and recreated a new one. It cannot be a BADKEY. Same algorithm, same key.

ShreyasZare commented 1 year ago

> It's the same preshared key, I even exchanged it a few times and recreated a new one. It cannot be a BADKEY. Same algorithm, same key.

Have you entered FireWallDHCPDNSUpdate as the shared secret in the Settings > TSIG section of the DNS Server? In that case, you have to use the exact string literal in your pfsense config too OR update the shared secret in the DNS server to be in base64 format.

The other suggestion is to let the DNS server generate the shared secret randomly by setting an empty shared secret while saving the settings. Then use the generated shared secret, which will be in base64 format, with your pfsense config.
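The key-name and shared-secret points made in the last few comments are easiest to see in the wire protocol itself. The following is an added example written for this thread; it is not pfSense code, not Technitium's implementation, and not taken from the issue. It builds an RFC 2136 UPDATE the way a DHCP server would (add one A record to a zone), signs it with an RFC 8945 TSIG record using hmac-sha256, and then verifies it the way an authoritative server does, in the order the RFC prescribes: key lookup first (unknown key name or algorithm gives BADKEY), then the MAC (mismatch gives BADSIG), then the time window (BADTIME). It uses only the Python standard library, assumes no DNS name compression, and assumes both ends hold the shared secret in base64 form (the format Shreyas describes for a server-generated secret). The key name `firewall`, the zone `fritz.box` and the 172.16.24.0/24 range come from the thread; the client name `client1.fritz.box`, the address 172.16.24.50 and the `keys` table are constructed for the example.

```python
"""RFC 2136 dynamic UPDATE signed with an RFC 8945 TSIG (hmac-sha256), stdlib only.

Constructed example: builds the UPDATE a DHCP server would send, signs it, and
verifies it as an authoritative server would, returning the TSIG error names.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
ALGORITHM = "hmac-sha256."  # the only algorithm this example implements


def canon(name: str) -> str:
    """Canonical name: lowercase with a single trailing dot (RFC 8945 MAC input form)."""
    return name.rstrip(".").lower() + "."


def encode_name(name: str) -> bytes:
    """Uncompressed DNS wire-format name."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(buf: bytes, off: int):
    """Read an uncompressed wire-format name; return (dotted name, next offset)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_update(zone: str, fqdn: str, ipv4: str, ttl: int = 300) -> bytes:
    """Unsigned UPDATE (opcode 5): zone section plus one 'add A record' in the update section."""
    header = struct.pack("!HHHHHH", secrets.randbits(16), 5 << 11, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = encode_name(fqdn) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_sec + rr


def _tsig_vars(key_name, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' appended to the message before the HMAC is computed."""
    return (encode_name(canon(key_name)) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other))
            + other)


def tsig_sign(msg: bytes, key_name: str, secret_b64: str, now=None, fudge=300) -> bytes:
    """Append a TSIG RR to `msg` (ARCOUNT is incremented); the secret is base64 text."""
    t = int(time.time() if now is None else now)
    mac = hmac.new(base64.b64decode(secret_b64), msg + _tsig_vars(key_name, t, fudge),
                   hashlib.sha256).digest()
    rdata = (encode_name(ALGORITHM) + struct.pack("!HIHH", t >> 32, t & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", msg[:2])[0], 0, 0))
    tsig = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig


def tsig_verify(signed: bytes, keys: dict, now=None) -> str:
    """Server-side check in RFC 8945 order: key lookup (BADKEY), MAC (BADSIG), time (BADTIME)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):                      # zone section entry: name + type + class
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):        # every RR before the trailing TSIG
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    key_name, p = read_name(signed, off)
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:off]  # the bytes that were signed
    alg, p = read_name(signed, p + 10)       # skip TYPE, CLASS, TTL, RDLENGTH
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[p:p + 10])
    p += 10
    mac, p = signed[p:p + mac_len], p + mac_len
    _, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    secret = keys.get(canon(key_name))
    if secret is None or canon(alg) != ALGORITHM:
        return "BADKEY"                      # name/algorithm not known: the error seen in the thread
    t = (hi << 32) | lo
    expected = hmac.new(base64.b64decode(secret),
                        unsigned + _tsig_vars(key_name, t, fudge, error, other), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"                      # key known, but the secret bytes differ
    if abs(int(time.time() if now is None else now) - t) > fudge:
        return "BADTIME"
    return "NOERROR"


def demo() -> dict:
    """Constructed scenario: the server key is named 'firewall'; the client must use that exact name."""
    keys = {canon("firewall"): base64.b64encode(b"FireWallDHCPDNSUpdate").decode()}
    good = keys[canon("firewall")]
    upd = build_update("fritz.box", "client1.fritz.box", "172.16.24.50")
    return {
        "matching key": tsig_verify(tsig_sign(upd, "firewall", good), keys),
        "wrong key name": tsig_verify(tsig_sign(upd, "fritz.box", good), keys),
        "wrong secret": tsig_verify(tsig_sign(upd, "firewall", base64.b64encode(b"other").decode()), keys),
        "stale clock": tsig_verify(tsig_sign(upd, "firewall", good, now=time.time() - 3600), keys),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result}")
```

The `demo()` cases map onto the troubleshooting in the thread: using `fritz.box` as the key name while the server's key is `firewall` fails at the lookup step and is reported as BADKEY before the secret is even consulted, whereas a secret that decodes to different bytes on the two sides passes the lookup and fails as BADSIG. So a BADKEY in the server log points at the key name or algorithm, not at the secret value, which is the quickest thing to check first.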